Code: Select all
void sealFunc( TPM_Command *pCommand )
{
// meta function to do perform TPM_Seal on user-supplied data
int slotNum;
uint8_t authBuf[INBUFSIZE];
uint8_t *pU8;
printf("\r\n sealFunc sequence:\r\n");
// input / output overlay setup
SealIn_a *pSealIn_a = (SealIn_a*) xferBuf;
SealIn_b *pSealIn_b;
// account for any pcrInfo (none used here!)
pSealIn_b = (SealIn_b*) (&pSealIn_a->pcrInfo + convertArrayToLong(pSealIn_a->pcrInfoSize));
// let the user pick a parent key if any are available
slotNum = selectHandleSlot(workBuf0, ((void*)"\r\n\r\n pick a sealing key (0=SRK): "), includeSRK);
if(slotNum == INVALID_HANDLE)
return;
// start an OSAP session using a parent key (must be storage key!)
currentAuthSession = 0; // using authSession[0]
// setup OSAP parameters
convertIntToArray(TPM_ET_KEYHANDLE, OSAPparms.entityType);
if(slotNum == 0)
{
convertLongToArray(TPM_KH_SRK, OSAPparms.entityValue);
getSRKAuth(OSAPparms.entityAuth);
}
else
{
getLoadedKeyHandle(slotNum-1, OSAPparms.entityValue);
getLoadedKeyAuth(slotNum-1, OSAPparms.entityAuth);
}
// send the command and create the authSession
if(commandHandler("OSAP"))
{
printf("\r\n could not create authSession!");
printf("\r\n aborting...\r\n");
return;
}
// reload numBytes for this command
numBytes = pCommand->commandSize;
// reload xferBuf with command template data
memcpy(&xferBuf,pCommand->commandBytes,pCommand->commandSize);
printf("\r\n sealFunc called");
// setup correct keyHandle
memmove(pSealIn_a->keyHandle, OSAPparms.entityValue, sizeof(pSealIn_a->keyHandle));
// create the blob authorization value
printf("\r\n enter auth value for sealed blob: ");
get_user_input((char*) authBuf,sizeof(authBuf), 0, USER_STRING);
sha1_csum( authBuf, strlen((char*) authBuf), pSealIn_a->encAuth );
// calculate encAuth for sealed blob
printf("\r\n\r\n encAuth calculation:");
encAuthHandler( authSessions[currentAuthSession].nonceEven,
authSessions[currentAuthSession].HMACKey,
pSealIn_a->encAuth);
// get data to seal
printf("\r\n\r\n enter data to seal (40 chars max): ");
// arbitrary data size limit, could be up to OAEP_SHA1_MGF1 limit for 2048 bit key: 192 bytes
get_user_input((char*) &pSealIn_b->inData, INBUFSIZE, 0,USER_STRING);
//flushBS((char*) &pSealIn_b->inData); // handle backspaces
convertLongToArray(strlen((char*) &pSealIn_b->inData) +1, pSealIn_b->inDataSize); // account for string terminator
// calculate / update paramSize
// easiest to "walk" a pointer then subtract to get size
pU8 = &pSealIn_a->pcrInfo;
pU8 += convertArrayToLong(pSealIn_a->pcrInfoSize);
pU8 += sizeof(pSealIn_b->inDataSize);
pU8 += convertArrayToLong(pSealIn_b->inDataSize);
pU8 += AUTH1_SIZE;
convertLongToArray(pU8 - pSealIn_a->tag, pSealIn_a->parmamSize);
// now update numBytes for sendCommand
numBytes = convertArrayToLong(pSealIn_a->parmamSize);
// get a nonceOdd
getNonceOdd(authSessions[currentAuthSession].nonceOdd, fixedNonce);
// calculate the input HMAC
inAuthHandler(pCommand->numAuths, pCommand->numInHandles);
printf("\r\n sealFunc called");
// send/receive TPM bytes
sendCommand(getResponse, getLog);
// check for TPM error responses
if( convertArrayToLong(((TPM_return*) xferBuf)->returnCode) != TPM_SUCCESS )
{
printf("\r\ncould not get sealed data");
printf("\r\naborting...\r\n");
return;
}
// call output auth Handler
if(outAuthHandler(pCommand->numAuths, pCommand->numOutHandles))
{
printf("\r\noutput auth validation error!\r\n");
printf("\r\naborting!!\r\n");
return;
}
// save blob in EEPROM
do
{
printf("\r\nstore data blob in which cacheSlot (1-5)? ");
get_user_input(NULL, 0, &slotNum, USER_NUM);
if((slotNum >= 1) && ( slotNum <= 5))
break;
else
printf("\r\nInvalid casheSlot ");
} while (1);
saveBlobToEE((uint8_t) (slotNum-1));
printf("\r\n TPM Seal Completed Successfully!\r\n");
}
I like to leverage the PCR functionality of the Seal function as it is intended by the TCG. The demo just has the pcrinfo variable defined. I do not see any of the recommended data structures of the TCG in the project as it relates to the PCR and the sealing functionality. I also do not see any other function leveraging the PCRs; instead there are 5 cache slots which some data is saved in. Does anyone know if this board supports PCRs, and whether I need to add the required structures to the project in order to save the hash of a content or hardware configuration to a PCR?