Skip to content

Commit

Permalink
FAPI: Fix usage of endorsement handle
Browse files Browse the repository at this point in the history
In several cases the wrong handle TPM2_RH_EK was used instead of
TPM2_RH_ENDORSEMENT.
This caused a wrong recreation of keys (except the EK) under the
endorsement hierarchy.
Now the correct hierarchy handle is used and a check whether the
recreated public key of the recreated primary corresponds to the
keystore.

Addresses: #2709

Signed-off-by: Juergen Repp <[email protected]>
  • Loading branch information
JuergenReppSIT authored and AndreasFuchsTPM committed Nov 30, 2023
1 parent 780e931 commit 718c478
Showing 1 changed file with 16 additions and 9 deletions.
25 changes: 16 additions & 9 deletions src/tss2-fapi/fapi_util.c
Original file line number Diff line number Diff line change
Expand Up @@ -944,17 +944,20 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
/* Check whether a persistent key was loaded.
In this case the handle has already been set. */
if (pkey_object->public.handle != ESYS_TR_NONE) {
if (pkey->creationTicket.hierarchy == TPM2_RH_EK) {
if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT &&
strcmp("/EK",
&pkey_object->rel_path[strlen(pkey_object->rel_path)-3]) == 0) {
context->ek_persistent = true;
} else {
} else if (strcmp("/SRK",
&pkey_object->rel_path[strlen(pkey_object->rel_path)-4]) == 0) {
context->srk_persistent = true;
}
/* It has to be checked whether the persistent handle exists. */
context->primary_state = PRIMARY_VERIFY_PERSISTENT;
return TSS2_FAPI_RC_TRY_AGAIN;
}
else {
if (pkey->creationTicket.hierarchy == TPM2_RH_EK) {
if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT) {
context->ek_persistent = false;
} else {
context->srk_persistent = false;
Expand All @@ -964,8 +967,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)

statecase(context->primary_state, PRIMARY_READ_HIERARCHY);
/* The hierarchy object used for auth_session will be loaded from key store. */
if (pkey->creationTicket.hierarchy == TPM2_RH_EK ||
(pkey->ek_profile && pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT)) {
if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT) {
r = ifapi_keystore_load_async(&context->keystore, &context->io, "/HE");
return_if_error2(r, "Could not open hierarchy /HE");
} else if (pkey->creationTicket.hierarchy == TPM2_RH_NULL) {
Expand All @@ -985,10 +987,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
r = ifapi_initialize_object(context->esys, hierarchy);
goto_if_error_reset_state(r, "Initialize hierarchy object", error_cleanup);

if (pkey->creationTicket.hierarchy == TPM2_RH_EK) {
hierarchy->public.handle = ESYS_TR_RH_ENDORSEMENT;
} else if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT &&
pkey->ek_profile) {
if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT) {
hierarchy->public.handle = ESYS_TR_RH_ENDORSEMENT;
} else if (pkey->creationTicket.hierarchy == TPM2_RH_NULL) {
hierarchy->public.handle = ESYS_TR_RH_NULL;
Expand Down Expand Up @@ -1072,6 +1071,14 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
}
*handle = pkey_object->public.handle;
context->primary_state = PRIMARY_INIT;

/* Check whether the public key corresponds to key in key store. */
if (!ifapi_cmp_public_key(outPublic, &pkey_object->misc.key.public)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
"Public key for %s was not created correctly.",
error_cleanup, pkey_object->rel_path);
}

break;

statecase(context->primary_state, PRIMARY_VERIFY_PERSISTENT);
Expand Down

0 comments on commit 718c478

Please sign in to comment.