FAPI: Fix usage of endorsement handle #2711

JuergenReppSIT (Member) commented Nov 21, 2023

In several cases the wrong handle TPM2_RH_EK was used instead of TPM2_RH_ENDORSEMENT.
This caused a wrong recreation of keys (except the EK) under the endorsement hierarchy.
Addresses: #2709

Signed-off-by: Juergen Repp [email protected]

JuergenReppSIT added this to the 4.0.2 milestone Nov 21, 2023
JuergenReppSIT added the bug and backport (Issues to be backported to old-stable) labels Nov 21, 2023
JuergenReppSIT force-pushed the fapi-fix-usage-of-endorsement-handle branch 2 times, most recently from e9f1178 to 65f82da Nov 21, 2023 11:53
In several cases the wrong handle TPM2_RH_EK was used instead of
TPM2_RH_ENDORSEMENT.
This caused a wrong recreation of keys (except the EK) under the
endorsement hierarchy.
Now the correct hierarchy handle is used and a check whether the
recreated public key of the recreated primary corresponds to the
keystore.

Addresses: tpm2-software#2709

Signed-off-by: Juergen Repp <[email protected]>
JuergenReppSIT force-pushed the fapi-fix-usage-of-endorsement-handle branch from 65f82da to fb191f4 Nov 21, 2023 13:56

codecov bot commented Nov 21, 2023

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (ede63dd) 82.60% compared to head (e9f1178) 82.58%.

❗ Current head e9f1178 differs from pull request most recent head fb191f4. Consider uploading reports for the commit fb191f4 to get more accurate results

Files                        Patch %   Lines
src/tss2-fapi/fapi_util.c    80.00%    2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2711      +/-   ##
==========================================
- Coverage   82.60%   82.58%   -0.02%     
==========================================
  Files         368      368              
  Lines       43001    43006       +5     
==========================================
- Hits        35519    35517       -2     
- Misses       7482     7489       +7     


context->ek_persistent = true;
} else {
} else if (strcmp("/SRK",
&pkey_object->rel_path[strlen(pkey_object->rel_path)-4]) == 0) {
context->srk_persistent = true;
}
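Review bot: in the new `else if` condition, `strlen(pkey_object->rel_path)-4` wraps around when rel_path is shorter than four characters, so the strcmp would start reading outside the string. Unless a check not visible in this hunk already guarantees the length, test `strlen(pkey_object->rel_path) >= 4` before the comparison; storing the length in a local would also make the condition easier to read. With the unconditional else gone, a key that matches neither branch now sets neither flag, so a short code comment saying this is intended would help the next reader.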
Member


Is the no else possible after these two cases?

Member Author


Yes it's possible. ek_persistent and srk_persistent are only used in the provisioning cleanup for the EK and SRK and in the cleanup for sessions where the SRK is used as TPM key.

AndreasFuchsTPM merged commit 718c478 into tpm2-software:master Nov 30, 2023
26 checks passed