Trusted Platform Module PCR support on Atmel-8528-TPM-I2C-SP

Discussions about all user software around SAM Series.

Moderator: nferre

ghostrider
Posts: 3
Joined: Wed Feb 10, 2016 8:02 pm

Trusted Platform Module PCR support on Atmel-8528-TPM-I2C-SP

Fri Apr 22, 2016 12:39 am

I have an Atmel-8528-TPM-I2C-censored-Development Kit, which is composed of a ATSAM4S8B. I like to extend one of the functions in the demo which came with the board. Here is the function...

Code: Select all

void sealFunc( TPM_Command *pCommand )
{
// meta function to do perform TPM_Seal on user-supplied data

	int 		slotNum;
	uint8_t		authBuf[INBUFSIZE];
	uint8_t		*pU8;

	printf("\r\n    sealFunc sequence:\r\n");

	// input / output overlay setup
	SealIn_a	*pSealIn_a = (SealIn_a*) xferBuf;
	SealIn_b	*pSealIn_b;

	// account for any pcrInfo (none used here!)
	pSealIn_b = (SealIn_b*) (&pSealIn_a->pcrInfo + convertArrayToLong(pSealIn_a->pcrInfoSize));

   	// let the user pick a parent key if any are available
	slotNum = selectHandleSlot(workBuf0, ((void*)"\r\n\r\n    pick a sealing key (0=SRK): "), includeSRK);
	if(slotNum == INVALID_HANDLE)
		return;

	// start an OSAP session using a parent key (must be storage key!)
	currentAuthSession = 0;						// using authSession[0]

	// setup OSAP parameters
	convertIntToArray(TPM_ET_KEYHANDLE, OSAPparms.entityType);

	if(slotNum == 0)
	{
		convertLongToArray(TPM_KH_SRK, OSAPparms.entityValue);
		getSRKAuth(OSAPparms.entityAuth);
	}
	else
	{
		getLoadedKeyHandle(slotNum-1, OSAPparms.entityValue);
		getLoadedKeyAuth(slotNum-1, OSAPparms.entityAuth);
	}

	// send the command and create the authSession
	if(commandHandler("OSAP"))
	{
		printf("\r\n    could not create authSession!");
		printf("\r\n    aborting...\r\n");
		return;
	}

	// reload numBytes for this command
	numBytes = pCommand->commandSize;

	// reload xferBuf with command template data
	memcpy(&xferBuf,pCommand->commandBytes,pCommand->commandSize);	

	printf("\r\n    sealFunc called");

	// setup correct keyHandle
	memmove(pSealIn_a->keyHandle, OSAPparms.entityValue, sizeof(pSealIn_a->keyHandle));

	// create the blob authorization value
	printf("\r\n    enter auth value for sealed blob: ");
	get_user_input((char*) authBuf,sizeof(authBuf), 0, USER_STRING);
    sha1_csum( authBuf, strlen((char*) authBuf), pSealIn_a->encAuth );

	// calculate encAuth for sealed blob
	printf("\r\n\r\n    encAuth calculation:");
	encAuthHandler(	authSessions[currentAuthSession].nonceEven,
					authSessions[currentAuthSession].HMACKey,
					pSealIn_a->encAuth);

	// get data to seal
	printf("\r\n\r\n    enter data to seal (40 chars max): ");
	// arbitrary data size limit, could be up to OAEP_SHA1_MGF1 limit for 2048 bit key: 192 bytes
	get_user_input((char*) &pSealIn_b->inData, INBUFSIZE, 0,USER_STRING);
	//flushBS((char*) &pSealIn_b->inData);	// handle backspaces
	convertLongToArray(strlen((char*) &pSealIn_b->inData) +1, pSealIn_b->inDataSize);	// account for string terminator

	// calculate / update paramSize
	// easiest to "walk" a pointer then subtract to get size
	pU8 = &pSealIn_a->pcrInfo;
	pU8 += convertArrayToLong(pSealIn_a->pcrInfoSize);
	pU8 += sizeof(pSealIn_b->inDataSize);
	pU8 += convertArrayToLong(pSealIn_b->inDataSize);
	pU8 += AUTH1_SIZE;
	convertLongToArray(pU8 - pSealIn_a->tag, pSealIn_a->parmamSize);

	// now update numBytes for sendCommand
	numBytes = convertArrayToLong(pSealIn_a->parmamSize);

	// get a nonceOdd
	getNonceOdd(authSessions[currentAuthSession].nonceOdd, fixedNonce);

	// calculate the input HMAC
	inAuthHandler(pCommand->numAuths, pCommand->numInHandles);

	printf("\r\n    sealFunc called");

	// send/receive TPM bytes
	sendCommand(getResponse, getLog);

	// check for TPM error responses
	if( convertArrayToLong(((TPM_return*) xferBuf)->returnCode) != TPM_SUCCESS )
	{
		printf("\r\ncould not get sealed data");
		printf("\r\naborting...\r\n");
		return;
	}

	// call output auth Handler
	if(outAuthHandler(pCommand->numAuths, pCommand->numOutHandles))
	{
		printf("\r\noutput auth validation error!\r\n");
		printf("\r\naborting!!\r\n");
		return;
	}

	// save blob in EEPROM
	do
	{
		printf("\r\nstore data blob in which cacheSlot (1-5)? ");
		get_user_input(NULL, 0,  &slotNum, USER_NUM);
		
		if((slotNum >= 1) && (	slotNum <= 5))
			break;
		else
			printf("\r\nInvalid casheSlot ");

	} while (1);

	saveBlobToEE((uint8_t) (slotNum-1));
	printf("\r\n    TPM Seal Completed Successfully!\r\n");	
	
}

I like to leverage the PCR functionality of the Seal function as it is intended by the TCG. The demo just has the pcrinfo variable defined. I do not see any of the recommended data structures of the TCG in the project as it relates to the PCR and the sealing functionality. I also do not see any other function leveraging the PCRs; instead there are 5 cache slots which some data is saved in. Does anyone know if this board supports PCRs, and whether I need to add the required structures to the project in order to save the hash of a content or hardware configuration to a PCR?

Return to “Software”

Who is online

Users browsing this forum: No registered users and 1 guest