agent: ensure that EK is in PEM format when used as uuid

The keylime.conf states that when hash_ek is used the uuid is the EK public key in PEM format hashed with sha256. This was not the case instead the internal tss format base64 encoded was hashed. Now if the TPM has an EK certificate the uuid can be easily derived with: tpm2_nvread 0x1c00002 | openssl x509 -inform DER -pubkey -noout | sha256sum Signed-off-by: Thore Sommer <[email protected]>
THS-on · Sep 8, 2021 · 5cb243b · 5cb243b
1 parent a865889
commit 5cb243b
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/keylime/keylime_agent.py b/keylime/keylime_agent.py
@@ -27,6 +27,8 @@
 
 import simplejson as json
 
+from cryptography.hazmat.primitives import serialization
+
 from keylime import config
 from keylime import keylime_logging
 from keylime import cmd_exec
@@ -39,6 +41,7 @@
 from keylime import api_version as keylime_api_version
 from keylime.tpm.tpm_main import tpm
 from keylime.tpm.tpm_abstract import TPM_Utilities
+from keylime.tpm.tpm2_objects import pubkey_from_tpm2b_public
 
 # Configure logger
 logger = keylime_logging.init_logging('cloudagent')
@@ -527,7 +530,10 @@ def main():
     if agent_uuid == 'openstack':
         agent_uuid = openstack.get_openstack_uuid()
     elif agent_uuid == 'hash_ek':
-        agent_uuid = hashlib.sha256(ek_tpm).hexdigest()
+        ek_pubkey = pubkey_from_tpm2b_public(base64.b64decode(ek_tpm))
+        ek_pubkey_pem = ek_pubkey.public_bytes(encoding=serialization.Encoding.PEM,
+                                               format=serialization.PublicFormat.SubjectPublicKeyInfo)
+        agent_uuid = hashlib.sha256(ek_pubkey_pem).hexdigest()
     elif agent_uuid == 'generate' or agent_uuid is None:
         agent_uuid = str(uuid.uuid4())
     elif agent_uuid == 'dmidecode':