
📄 vtsp.c

📁 xen虚拟机源代码安装包
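  /* Tail of a function whose beginning precedes this excerpt. Its statements
   * are kept exactly as found; only line breaks and review comments are added. */
  srkPub.PCRInfo = 0;
  srkPub.pubKey.keyLength= 0;
  srkPub.encDataSize = 0;

  srkText.data = (BYTE *) malloc(sizeof(BYTE) * TCPA_MAX_BUFFER_LENGTH);
  srkText.size = BSG_Pack(BSG_TPM_KEY, (BYTE *) &srkPub, srkText.data);

  paramText = (BYTE *) malloc(sizeof(BYTE) *  TCPA_MAX_BUFFER_LENGTH);

  paramTextSize = BSG_PackList(paramText, 5,
                               BSG_TPM_COMMAND_CODE,&command,
                               BSG_TPM_PROTOCOL_ID, &proto_id,
                               BSG_TPM_SIZE32_DATA, &encOwnerAuth,
                               BSG_TPM_SIZE32_DATA, &encSrkAuth,
                               BSG_TPM_KEY, &srkPub);

  TPMTRYRETURN( GenerateAuth( paramText, paramTextSize, ownerAuth, auth) );

  new_srk = srkText.data;
  TPMTRYRETURN( TCSP_TakeOwnership ( hContext,
                                     proto_id,
                                     encOwnerAuth.size,
                                     encOwnerAuth.data,
                                     encSrkAuth.size,
                                     encSrkAuth.data,
                                     &srkText.size,
                                     &new_srk,
                                     auth ) );

  paramTextSize = BSG_PackList(paramText, 2,
                               BSG_TPM_RESULT, &status,
                               BSG_TPM_COMMAND_CODE, &command);
  // NOTE(review): srkText.size is passed by address to TCSP_TakeOwnership and
  // may have been updated by it; nothing visible here checks it against the
  // TCPA_MAX_BUFFER_LENGTH bytes allocated for paramText before this copy.
  memcpy(paramText + paramTextSize, new_srk, srkText.size);
  paramTextSize += srkText.size;

  TPMTRYRETURN( VerifyAuth(  paramText, paramTextSize,
                             ownerAuth, auth,
                             hContext) );

  goto egress;

 abort_egress:

 egress:

  // NOTE(review): the malloc results above are used without a NULL check.
  // new_srk starts out aliasing srkText.data; if the TCS call did not replace
  // it, the same buffer reaches both free() and TCS_FreeMemory(). How
  // TCS_FreeMemory treats a pointer it did not allocate is not visible here.
  free(srkText.data);
  free(encSrkAuth.data);
  free(encOwnerAuth.data);
  free(paramText);

  TCS_FreeMemory(hContext, new_srk);

  return status;
}

/**
 * Sends the owner-authorised TPM_ORD_DisablePubekRead command through the TCS.
 *
 * The command code is packed into a scratch buffer, GenerateAuth() is run over
 * it with the owner secret, the TCS call is made, and VerifyAuth() is then run
 * over the packed result code and command code.
 *
 * @param hContext   TCS context handle passed to the TCS and to VerifyAuth().
 * @param ownerAuth  Owner authorisation secret used by GenerateAuth()/VerifyAuth().
 * @param auth       Authorisation session state, updated by the calls below.
 * @return TPM_SUCCESS if every step succeeds, TPM_RESOURCES if the scratch
 *         buffer cannot be allocated; otherwise presumably the failing call's
 *         code (TPMTRYRETURN appears to store it in status and jump to
 *         abort_egress; confirm against the macro definition).
 */
TPM_RESULT VTSP_DisablePubekRead( const TCS_CONTEXT_HANDLE    hContext,
                                  const TPM_AUTHDATA          *ownerAuth,
                                  TCS_AUTH                    *auth) {

  vtpmloginfo(VTPM_LOG_VTSP, "Disabling Pubek Read.\n");

  TPM_RESULT status = TPM_SUCCESS;
  TPM_COMMAND_CODE command = TPM_ORD_DisablePubekRead;

  BYTE *paramText;        // Digest to make Auth.
  UINT32 paramTextSize;

  paramText = malloc(sizeof(BYTE) * TCPA_MAX_BUFFER_LENGTH);
  if (paramText == NULL) {
    // Fail cleanly instead of handing a NULL buffer to BSG_PackList.
    status = TPM_RESOURCES;
    goto abort_egress;
  }

  paramTextSize = BSG_PackList(paramText, 1,
                               BSG_TPM_COMMAND_CODE, &command);

  TPMTRYRETURN( GenerateAuth( paramText, paramTextSize,
                              ownerAuth, auth) );

  // Call TCS
  TPMTRYRETURN( TCSP_DisablePubekRead ( hContext, // in
                                        auth) );

  // Verify Auth
  paramTextSize = BSG_PackList(paramText, 2,
                               BSG_TPM_RESULT, &status,
                               BSG_TPM_COMMAND_CODE, &command);

  TPMTRYRETURN( VerifyAuth( paramText, paramTextSize,
                            ownerAuth, auth,
                            hContext) );
  goto egress;

 abort_egress:
 egress:
  free(paramText);    // free(NULL) is a no-op, so the allocation-failure path is safe
  return status;
}

/**
 * Asks the TPM, through the TCS, to create a new RSA key wrapped by
 * parentHandle and returns the resulting key blob in pubKeyBuf.
 *
 * Only TPM_KEY_SIGNING, TPM_KEY_STORAGE and TPM_KEY_BIND are accepted; any
 * other usage yields TPM_BAD_PARAMETER. The usage secret is masked by XORing
 * newKeyAuth with SHA-1(osapSharedSecret || auth->NonceEven) before it is sent.
 *
 * @param hContext          TCS context handle.
 * @param usage             Requested key usage (see the switch below).
 * @param newKeyAuth        Usage secret for the new key; TPM_DIGEST_SIZE bytes are read.
 * @param parentHandle      Handle of the wrapping (parent) key.
 * @param osapSharedSecret  Shared secret used for the XOR mask and for
 *                          GenerateAuth()/VerifyAuth().
 * @param pubKeyBuf         Output buffer; initialised here and filled with the
 *                          key blob returned by the TCS.
 * @param auth              Authorisation session state.
 * @return TPM_SUCCESS on success, TPM_BAD_PARAMETER for an unsupported usage,
 *         TPM_RESOURCES if a scratch buffer cannot be allocated or a key blob
 *         does not fit in it; otherwise presumably the failing call's code via
 *         TPMTRYRETURN (confirm against the macro definition).
 */
TPM_RESULT VTSP_CreateWrapKey(  const TCS_CONTEXT_HANDLE hContext,
                                const TPM_KEY_USAGE      usage,
                                const TPM_AUTHDATA       *newKeyAuth,
                                const TCS_KEY_HANDLE     parentHandle,
                                const TPM_AUTHDATA       *osapSharedSecret,
                                buffer_t                 *pubKeyBuf,
                                TCS_AUTH                 *auth) {

  int i;
  TPM_RESULT status = TPM_SUCCESS;
  TPM_COMMAND_CODE command = TPM_ORD_CreateWrapKey;

  vtpmloginfo(VTPM_LOG_VTSP, "Creating new key of type %d.\n", usage);

  // Scratch buffer for the data that gets authenticated. It starts as NULL so
  // the shared cleanup path can free it even when we bail out before
  // allocating it (the invalid-usage branch does exactly that).
  BYTE *paramText = NULL;
  UINT32 paramTextSize;

  // vars for Calculate encUsageAuth
  BYTE XORbuffer[sizeof(TPM_SECRET) + sizeof(TPM_NONCE)];
  TPM_DIGEST XORKey1;
  UINT32 XORbufferSize;
  TPM_SECRET encUsageAuth, encMigrationAuth;

  // vars for Flatten newKey prototype
  BYTE *flatKey = malloc(sizeof(BYTE) * TCPA_MAX_BUFFER_LENGTH);
  UINT32 flatKeySize = TCPA_MAX_BUFFER_LENGTH;
  struct pack_buf_t newKeyText;

  // Fill in newKey
  TPM_KEY newKey;

  // Serialized RSA parameters, three big-endian 32-bit fields; presumably key
  // length in bits, number of primes and exponent size (confirm against
  // TPM_RSA_KEY_PARMS).
  BYTE RSAkeyInfo[12] = { 0x00, 0x00, (RSA_KEY_SIZE >> 8), 0x00,
                          0x00, 0x00, 0x00, 0x02,
                          0x00, 0x00, 0x00, 0x00};

  // Known state for everything the cleanup path or the TPM command reads.
  newKeyText.data = NULL;
  newKeyText.size = 0;
  // Migratable keys are not supported (see FIXME below), so no migration
  // secret is computed. Zero it so that uninitialised stack bytes are never
  // packed into the authenticated parameters or sent to the TCS.
  memset(&encMigrationAuth, 0, sizeof(encMigrationAuth));

  if (flatKey == NULL) {
    status = TPM_RESOURCES;
    goto abort_egress;
  }

  newKey.algorithmParms.algorithmID = TPM_ALG_RSA;
  newKey.algorithmParms.parms = (BYTE *) &RSAkeyInfo;
  newKey.algorithmParms.parmSize = 12;

  switch (usage) {
  case TPM_KEY_SIGNING:
    vtpmloginfo(VTPM_LOG_VTSP, "Creating Signing Key...\n");
    newKey.keyUsage = TPM_KEY_SIGNING;
    newKey.algorithmParms.encScheme = TPM_ES_NONE;
    newKey.algorithmParms.sigScheme = TPM_SS_RSASSAPKCS1v15_SHA1;
    break;
  case TPM_KEY_STORAGE:
    vtpmloginfo(VTPM_LOG_VTSP, "Creating Storage Key...\n");
    newKey.keyUsage = TPM_KEY_STORAGE;
    newKey.algorithmParms.encScheme = TPM_ES_RSAESOAEP_SHA1_MGF1;
    newKey.algorithmParms.sigScheme = TPM_SS_NONE;
    break;
  case TPM_KEY_BIND:
    vtpmloginfo(VTPM_LOG_VTSP, "Creating Binding Key...\n");
    newKey.keyUsage = TPM_KEY_BIND;
    newKey.algorithmParms.encScheme = TPM_ES_RSAESOAEP_SHA1_MGF1;
    newKey.algorithmParms.sigScheme = TPM_SS_NONE;
    break;
  default:
    vtpmloginfo(VTPM_LOG_VTSP, "Cannot create key. Invalid Key Type.\n");
    status = TPM_BAD_PARAMETER;
    goto abort_egress;
  }

  newKey.ver = TPM_STRUCT_VER_1_1;

  newKey.keyFlags = 0;
  newKey.authDataUsage = TPM_AUTH_ALWAYS;
  newKey.pubKey.keyLength= 0;
  newKey.encDataSize = 0;
  newKey.encData = NULL;

  // FIXME: Support PCR bindings
  newKey.PCRInfoSize = 0;
  newKey.PCRInfo = NULL;

  // Calculate encUsageAuth: mask = SHA-1(osapSharedSecret || NonceEven)
  XORbufferSize = BSG_PackList(  XORbuffer, 2,
                                 BSG_TPM_SECRET, osapSharedSecret,
                                 BSG_TPM_NONCE, &auth->NonceEven);
  Crypto_SHA1Full(XORbuffer, XORbufferSize, (BYTE *) &XORKey1);

  // FIXME: No support for migratable keys.
  for (i=0; i < TPM_DIGEST_SIZE; i++)
    ((BYTE *) &encUsageAuth)[i] = ((BYTE *) &XORKey1)[i] ^ ((BYTE *) newKeyAuth)[i];

  // NOTE(review): XORbuffer and XORKey1 hold material derived from
  // osapSharedSecret and stay on the stack after return; consider wiping them
  // with a primitive the compiler cannot optimise away.

  // Flatten newKey prototype
  flatKeySize = BSG_Pack(BSG_TPM_KEY, (BYTE *) &newKey, flatKey);
  newKeyText.data = flatKey;
  newKeyText.size = flatKeySize;

  // Generate HMAC
  paramText = malloc(sizeof(BYTE) * TCPA_MAX_BUFFER_LENGTH);
  if (paramText == NULL) {
    status = TPM_RESOURCES;
    goto abort_egress;
  }

  paramTextSize = BSG_PackList(paramText, 3,
                               BSG_TPM_COMMAND_CODE, &command,
                               BSG_TPM_AUTHDATA, &encUsageAuth,
                               BSG_TPM_AUTHDATA, &encMigrationAuth);
  // The flattened key must fit behind the packed header.
  if (paramTextSize > TCPA_MAX_BUFFER_LENGTH ||
      newKeyText.size > TCPA_MAX_BUFFER_LENGTH - paramTextSize) {
    status = TPM_RESOURCES;
    goto abort_egress;
  }
  memcpy(paramText + paramTextSize, newKeyText.data, newKeyText.size);
  paramTextSize += newKeyText.size;

  TPMTRYRETURN( GenerateAuth( paramText, paramTextSize,
                              osapSharedSecret, auth) );

  // Call TCS. newKeyText is passed by address; it appears to be in/out, with
  // the TCS returning the created key blob and its size (confirm against the
  // TCSP_CreateWrapKey declaration).
  TPMTRYRETURN( TCSP_CreateWrapKey(  hContext,
                                     parentHandle,
                                     encUsageAuth,
                                     encMigrationAuth,
                                     &newKeyText.size,
                                     &newKeyText.data,
                                     auth) );

  // Verify Auth
  paramTextSize = BSG_PackList(paramText, 2,
                               BSG_TPM_RESULT, &status,
                               BSG_TPM_COMMAND_CODE, &command);
  // newKeyText.size now comes from the TCS response: bound it before copying
  // into the fixed-size scratch buffer.
  if (paramTextSize > TCPA_MAX_BUFFER_LENGTH ||
      newKeyText.size > TCPA_MAX_BUFFER_LENGTH - paramTextSize) {
    status = TPM_RESOURCES;
    goto abort_egress;
  }
  memcpy(paramText + paramTextSize, newKeyText.data, newKeyText.size);
  paramTextSize += newKeyText.size;

  TPMTRYRETURN( VerifyAuth( paramText, paramTextSize,
                            osapSharedSecret, auth, 0) );

  // Unpack/return key structure
  TPMTRYRETURN(buffer_init(pubKeyBuf, 0, 0) );
  TPMTRYRETURN(buffer_append_raw(pubKeyBuf, newKeyText.size, newKeyText.data) );

  goto egress;

 abort_egress:

 egress:

  // Hand the blob back to the TCS only when it is a distinct buffer. On early
  // failures newKeyText.data is still NULL or still aliases flatKey, which is
  // released with free() below and must not be released twice.
  if (newKeyText.data != NULL && newKeyText.data != flatKey) {
    TCS_FreeMemory(hContext, newKeyText.data);
  }
  free(flatKey);
  free(paramText);

  return status;
}

/**
 * Loads a wrapped key blob into the TPM and/or builds a software CRYPTO_INFO
 * for the key's public part.
 *
 * When skipTPMLoad is false, the blob is authenticated with parentAuth, loaded
 * via TCSP_LoadKeyByBlob(), and the response is checked with VerifyAuth().
 * When cryptoinfo is non-NULL, the blob is unpacked and its RSA public
 * parameters are passed to Crypto_RSABuildCryptoInfoPublic().
 *
 * @param hContext           TCS context handle.
 * @param hUnwrappingKey     Handle of the key that unwraps the blob.
 * @param rgbWrappedKeyBlob  Wrapped key blob; required for both paths.
 * @param parentAuth         Secret of the unwrapping key (TPM load path only).
 * @param newKeyHandle       Receives the loaded key's handle (TPM load path only).
 * @param auth               Authorisation session state (TPM load path only).
 * @param cryptoinfo         Optional output for software crypto; may be NULL.
 * @param skipTPMLoad        If true, skip the TPM load and only fill cryptoinfo.
 * @return TPM_SUCCESS on success; TPM_BAD_PARAMETER for a missing argument or
 *         a blob that does not fit in the scratch buffer; TPM_RESOURCES if the
 *         scratch buffer cannot be allocated; otherwise presumably the failing
 *         call's code via TPMTRYRETURN (confirm against the macro definition).
 */
TPM_RESULT VTSP_LoadKey(const TCS_CONTEXT_HANDLE    hContext,
                        const TCS_KEY_HANDLE        hUnwrappingKey,
                        const buffer_t              *rgbWrappedKeyBlob,
                        const TPM_AUTHDATA          *parentAuth,
                        TPM_HANDLE                  *newKeyHandle,
                        TCS_AUTH                    *auth,
                        CRYPTO_INFO                 *cryptoinfo,
                        const BOOL                  skipTPMLoad) {

  vtpmloginfo(VTPM_LOG_VTSP, "Loading Key %s.\n", (!skipTPMLoad ? "into TPM" : "only into memory"));

  TPM_RESULT status = TPM_SUCCESS;
  TPM_COMMAND_CODE command = TPM_ORD_LoadKey;

  BYTE *paramText=NULL;        // Digest to make Auth.
  UINT32 paramTextSize;

  // SkipTPMLoad stops key from being loaded into TPM, but still generates CRYPTO_INFO for it
  if (! skipTPMLoad) {

    if ((rgbWrappedKeyBlob == NULL) || (parentAuth == NULL) ||
        (newKeyHandle==NULL) || (auth==NULL)) {
      status = TPM_BAD_PARAMETER;
      goto abort_egress;
    }

    // Generate Extra TCS Parameters
    TPM_HANDLE phKeyHMAC;

    paramText = malloc(sizeof(BYTE) * TCPA_MAX_BUFFER_LENGTH);
    if (paramText == NULL) {
      status = TPM_RESOURCES;
      goto abort_egress;
    }

    paramTextSize = BSG_PackList(paramText, 1,
                                 BSG_TPM_COMMAND_CODE, &command);

    // The blob length is caller-controlled: reject anything that would run
    // past the fixed-size scratch buffer instead of overflowing the heap.
    if (paramTextSize > TCPA_MAX_BUFFER_LENGTH ||
        buffer_len(rgbWrappedKeyBlob) > TCPA_MAX_BUFFER_LENGTH - paramTextSize) {
      status = TPM_BAD_PARAMETER;
      goto abort_egress;
    }
    memcpy(paramText + paramTextSize, rgbWrappedKeyBlob->bytes, buffer_len(rgbWrappedKeyBlob));
    paramTextSize += buffer_len(rgbWrappedKeyBlob);

    TPMTRYRETURN( GenerateAuth( paramText, paramTextSize,
                                parentAuth, auth) );

    // Call TCS
    TPMTRYRETURN( TCSP_LoadKeyByBlob(  hContext,
                                       hUnwrappingKey,
                                       buffer_len(rgbWrappedKeyBlob),
                                       rgbWrappedKeyBlob->bytes,
                                       auth,
                                       newKeyHandle,
                                       &phKeyHMAC) );

    // Verify Auth
    paramTextSize = BSG_PackList(paramText, 3,
                                 BSG_TPM_RESULT, &status,
                                 BSG_TPM_COMMAND_CODE, &command,
                                 BSG_TPM_HANDLE, newKeyHandle);

    TPMTRYRETURN( VerifyAuth( paramText, paramTextSize,
                              parentAuth, auth,
                              hContext) );
  }

  // Build cryptoinfo structure for software crypto function.
  if (cryptoinfo != NULL) {
    // The NULL check above is skipped when skipTPMLoad is set, so repeat it
    // here before the blob is dereferenced.
    if (rgbWrappedKeyBlob == NULL) {
      status = TPM_BAD_PARAMETER;
      goto abort_egress;
    }

    TPM_KEY newKey;

    // Unpack/return key structure
    // NOTE(review): BSG_Unpack is given no length here, and its result is not
    // checked; whether it can read past a short or malformed blob, and whether
    // newKey needs a matching BSG_Destroy, depends on BSG code not shown.
    BSG_Unpack(BSG_TPM_KEY, rgbWrappedKeyBlob->bytes , &newKey);
    TPM_RSA_KEY_PARMS rsaKeyParms;

    BSG_Unpack(BSG_TPM_RSA_KEY_PARMS,
               newKey.algorithmParms.parms,
               &rsaKeyParms);

    Crypto_RSABuildCryptoInfoPublic(rsaKeyParms.exponentSize,
                                    rsaKeyParms.exponent,
                                    newKey.pubKey.keyLength,
                                    newKey.pubKey.key,
                                    cryptoinfo);

    // Destroy rsaKeyParms
    BSG_Destroy(BSG_TPM_RSA_KEY_PARMS, &rsaKeyParms);

    // Set encryption scheme
    cryptoinfo->encScheme = CRYPTO_ES_RSAESOAEP_SHA1_MGF1;
  }

  goto egress;

 abort_egress:

 egress:

  free(paramText);    // NULL when the TPM load path was skipped; free(NULL) is a no-op
  return status;
}

/* Start of VTSP_Unbind; the function continues beyond this excerpt, so its
 * opening lines are kept exactly as found. */
TPM_RESULT VTSP_Unbind( const TCS_CONTEXT_HANDLE    hContext,
                        const TPM_KEY_HANDLE        key_handle,
                        const buffer_t              *bound_data,
                        const TPM_AUTHDATA          *usage_auth,
                        buffer_t                    *clear_data,
                        TCS_AUTH                    *auth) {

  vtpmloginfo(VTPM_LOG_VTSP, "Unbinding %d bytes of data.\n", buffer_len(bound_data));

  TPM_RESULT status = TPM_SUCCESS;
  TPM_COMMAND_CODE command = TPM_ORD_UnBind;

  BYTE *paramText;        // Digest to make Auth.
  UINT32 paramTextSize;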
