diff options
author | Haibo Huang <hhb@google.com> | 2020-04-11 03:28:16 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-04-11 03:28:16 +0000 |
commit | 87d68cbad3ed48681c29a6e1fd6d9e79478cc153 (patch) | |
tree | ef49de4fb5296d789464ed0df0aa3c1a99a93de2 | |
parent | 86d12905ea78941ba167fb7ca249e5ec1a869704 (diff) | |
parent | 0842be9b62cd9dad9d24bf761f518dbc5570591b (diff) | |
download | tpm2-tss-87d68cbad3ed48681c29a6e1fd6d9e79478cc153.tar.gz |
Upgrade tpm2-tss to '2.4.0' am: 64890da02c am: 0842be9b62
Change-Id: I22c888c09b0f8de41901619f280610e413fa86cd
-rw-r--r-- | CHANGELOG.md | 3 | ||||
-rw-r--r-- | METADATA | 13 | ||||
-rw-r--r-- | Makefile-test.am | 8 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | dist/fapi-config.json.in | 2 | ||||
-rw-r--r-- | src/tss2-esys/api/Esys_Clear.c | 5 | ||||
-rw-r--r-- | src/tss2-esys/esys_iutil.c | 1 | ||||
-rw-r--r-- | test/integration/esys-encrypt-decrypt.int.c | 6 | ||||
-rw-r--r-- | test/integration/esys-tpm-clear-auth.int.c | 135 |
9 files changed, 166 insertions, 9 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 47833421..afa075bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) -## [2.4.0-rc3] - 2020-02-24 +## [2.4.0] - 2020-03-11 ### Added - Added a new Feature API (FAPI) implementation - Added Esys_TRSess_GetAuthRequired() ESAPI function @@ -22,6 +22,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) - Changed tcti-device in non-async mode to allways block ### Fixed +- Fixed hmac calculation for tpm2_clear command in ESAPI - Fixed mixing salted and unsalted sessions in the same ESAPI context - Removed use of VLAs from TPML marshal code - Fixed setting C++ compiler for non-fuzzing builds at configure @@ -1,8 +1,5 @@ name: "tpm2-tss" -description: - "This repository hosts source code implementing the Trusted Computing " - "Group's (TCG) TPM2 Software Stack (TSS)." - +description: "This repository hosts source code implementing the Trusted Computing Group\'s (TCG) TPM2 Software Stack (TSS)." third_party { url { type: HOMEPAGE @@ -12,6 +9,10 @@ third_party { type: GIT value: "https://github.com/tpm2-software/tpm2-tss" } - version: "a34dd0ed5a9cc91e3e084f941a859bc61863050b" - last_upgrade_date { year: 2020 month: 1 day: 17 } + version: "2.4.0" + last_upgrade_date { + year: 2020 + month: 4 + day: 10 + } } diff --git a/Makefile-test.am b/Makefile-test.am index 5ccdd4a1..e619d98a 100644 --- a/Makefile-test.am +++ b/Makefile-test.am @@ -145,6 +145,7 @@ if ESAPI ESYS_TESTS_INTEGRATION_DESTRUCTIVE = \ test/integration/esys-change-eps.int \ test/integration/esys-clear.int \ + test/integration/esys-tpm-clear-auth.int \ test/integration/esys-clear-session.int \ test/integration/esys-field-upgrade.int \ test/integration/esys-firmware-read.int \ @@ -1306,6 +1307,13 @@ test_integration_esys_auto_session_flags_int_SOURCES = \ test/integration/esys-auto-session-flags.int.c \ test/integration/main-esapi.c test/integration/test-esapi.h +test_integration_esys_tpm_clear_auth_int_CFLAGS = $(TESTS_CFLAGS) +test_integration_esys_tpm_clear_auth_int_LDADD = $(TESTS_LDADD) +test_integration_esys_tpm_clear_auth_int_LDFLAGS = $(TESTS_LDFLAGS) +test_integration_esys_tpm_clear_auth_int_SOURCES = \ + test/integration/esys-tpm-clear-auth.int.c \ + test/integration/main-esapi.c test/integration/test-esapi.h + endif #ESAPI test_integration_sapi_policy_template_int_CFLAGS = $(TESTS_CFLAGS) diff --git a/configure.ac b/configure.ac index b8c3c069..4d7b6b26 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ # All rights reserved. AC_INIT([tpm2-tss], - [2.4.0-rc3], + [2.4.0], [https://github.com/tpm2-software/tpm2-tss/issues], [], [https://github.com/tpm2-software/tpm2-tss]) diff --git a/dist/fapi-config.json.in b/dist/fapi-config.json.in index 72fe38e2..e32a3c36 100644 --- a/dist/fapi-config.json.in +++ b/dist/fapi-config.json.in @@ -5,5 +5,5 @@ "system_dir": "@localstatedir@/lib/tpm2-tss/system/keystore", "tcti": "", "system_pcrs" : [], - "log_dir" : "@runstatedir@/tpm2-tss/eventlog/", + "log_dir" : "@runstatedir@/tpm2-tss/eventlog/" } diff --git a/src/tss2-esys/api/Esys_Clear.c b/src/tss2-esys/api/Esys_Clear.c index f5c0b827..0f43f7e9 100644 --- a/src/tss2-esys/api/Esys_Clear.c +++ b/src/tss2-esys/api/Esys_Clear.c @@ -199,6 +199,11 @@ Esys_Clear_Async( return_state_if_error(r, _ESYS_STATE_INTERNALERROR, "Finish (Execute Async)"); + /* If the command authorization is LOCKOUT we need to + * recompute session value with an empty auth */ + if (authHandle == ESYS_TR_RH_LOCKOUT) + iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); + esysContext->state = _ESYS_STATE_SENT; return r; diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c index 9234a3fc..8046a307 100644 --- a/src/tss2-esys/esys_iutil.c +++ b/src/tss2-esys/esys_iutil.c @@ -151,6 +151,7 @@ iesys_DeleteAllResourceObjects(ESYS_CONTEXT * esys_context) next_node_rsrc = node_rsrc->next; SAFE_FREE(node_rsrc); } + esys_context->rsrc_list = NULL; } /** Compute the TPM nonce of the session used for parameter encryption. * diff --git a/test/integration/esys-encrypt-decrypt.int.c b/test/integration/esys-encrypt-decrypt.int.c index 3204a549..e357f0bb 100644 --- a/test/integration/esys-encrypt-decrypt.int.c +++ b/test/integration/esys-encrypt-decrypt.int.c @@ -207,6 +207,12 @@ test_esys_encrypt_decrypt(ESYS_CONTEXT * esys_context) &outPrivate2, &outPublic2, &creationData2, &creationHash2, &creationTicket2); + + if (r == 0x2c2) { /*<< tpm:parameter(2):inconsistent attributes */ + LOG_WARNING("Unsupported symmetric cipher."); + failure_return = EXIT_SKIP; + goto error; + } goto_if_error(r, "Error esys create ", error); LOG_INFO("AES key created."); diff --git a/test/integration/esys-tpm-clear-auth.int.c b/test/integration/esys-tpm-clear-auth.int.c new file mode 100644 index 00000000..a9ee336b --- /dev/null +++ b/test/integration/esys-tpm-clear-auth.int.c @@ -0,0 +1,135 @@ +/* SPDX-License-Identifier: BSD-2-Clause */ +/******************************************************************************* + * Copyright (c) 2020, Intel Corporation + * All rights reserved. + *******************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdlib.h> + +#include "tss2_esys.h" + +#include "esys_iutil.h" +#include "test-esapi.h" +#define LOGDEFAULT LOGLEVEL_INFO +#define LOGMODULE test +#include "util/log.h" +#include "util/aux_util.h" + +/** Test auth verification in clear command + * + * After TPM2_Clear command is executed all auth values for + * owner, platofrm and lockout are set to empty buffers and + * the empty auth values should be used fot HMAC verification + * in the response. + * + * @param[in,out] esys_context The ESYS_CONTEXT. + * @retval EXIT_SUCCESS + * @retval EXIT_SKIP + * @retval EXIT_FAILURE + */ +int +test_esys_clear_auth(ESYS_CONTEXT * esys_context) +{ + TSS2_RC r; + ESYS_TR session = ESYS_TR_NONE; + int failure_return = EXIT_FAILURE; + + TPMT_SYM_DEF symmetric = {.algorithm = TPM2_ALG_XOR, + .keyBits = { .exclusiveOr = TPM2_ALG_SHA1 }, + .mode = {.aes = TPM2_ALG_CFB}}; + + /* Test lockout authorization */ + LOG_DEBUG("Test LOCKOUT authorization"); + LOG_DEBUG("Start Auth Session"); + r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, + ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, + NULL, + TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1, + &session); + goto_if_error(r, "Error: During initialization of session", error); + + TPM2B_AUTH auth = { + .size = 16, + .buffer = "deadbeefdeadbeef", + }; + + LOG_DEBUG("Set Auth"); + r = Esys_HierarchyChangeAuth(esys_context, ESYS_TR_RH_LOCKOUT, + ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, + &auth); + + goto_if_error(r, "Error: During Esys_ObjectChangeAuth", error); + Esys_TR_SetAuth(esys_context, ESYS_TR_RH_LOCKOUT, &auth); + + LOG_DEBUG("Clear"); + r = Esys_Clear(esys_context, ESYS_TR_RH_LOCKOUT, session, + ESYS_TR_NONE, ESYS_TR_NONE); + goto_if_error(r, "Error: During Esys_Clear", error); + + r = Esys_FlushContext(esys_context, session); + goto_if_error(r, "Error: During Esys_FlushContext", error); + + /* Test platform authorization */ + LOG_DEBUG("Test PLATFORM authorization"); + LOG_DEBUG("Start Auth Session"); + r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, + ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, + NULL, + TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1, + &session); + goto_if_error(r, "Error: During initialization of session", error); + + LOG_DEBUG("Set Auth"); + r = Esys_HierarchyChangeAuth(esys_context, ESYS_TR_RH_PLATFORM, + ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, + &auth); + + if ((r & ~TPM2_RC_N_MASK) == TPM2_RC_BAD_AUTH || + (r & ~TPM2_RC_N_MASK) == TPM2_RC_HIERARCHY) { + /* Platform authorization not possible test will be skipped */ + LOG_WARNING("Platform authorization not possible."); + failure_return = EXIT_SKIP; + goto error; + } + goto_if_error(r, "Error: During Esys_ObjectChangeAuth", error); + + Esys_TR_SetAuth(esys_context, ESYS_TR_RH_PLATFORM, &auth); + + LOG_DEBUG("Clear"); + r = Esys_Clear(esys_context, ESYS_TR_RH_PLATFORM, session, + ESYS_TR_NONE, ESYS_TR_NONE); + goto_if_error(r, "Error: During Esys_Clear", error); + + r = Esys_FlushContext(esys_context, session); + goto_if_error(r, "Error: During Esys_FlushContext", error); + + Esys_TR_SetAuth(esys_context, ESYS_TR_RH_PLATFORM, &auth); + + LOG_DEBUG("Set Auth"); + r = Esys_HierarchyChangeAuth(esys_context, ESYS_TR_RH_PLATFORM, + ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, + NULL); + + goto_if_error(r, "Error: During Esys_ObjectChangeAuth", error); + + return EXIT_SUCCESS; + + error: + LOG_ERROR("\nError Code: %x\n", r); + + if (session != ESYS_TR_NONE) { + if (Esys_FlushContext(esys_context, session) != TSS2_RC_SUCCESS) { + LOG_ERROR("Cleanup session failed."); + } + } + return failure_return; +} + +int +test_invoke_esapi(ESYS_CONTEXT * esys_context) { + return test_esys_clear_auth(esys_context); +} |