utils: add function to generate an EK

Signed-off-by: Erik Larsson <who+github@cnackers.org>

test/test_utils.py

@@ -5,6 +5,7 @@
 from tpm2_pytss import *
 from tpm2_pytss.internal.crypto import _generate_seed, private_to_key, public_to_key
 from tpm2_pytss.utils import *
+from tpm2_pytss.templates import ek
 from .TSS2_BaseTest import TSS2_EsapiTest
 
 from cryptography.hazmat.primitives import hashes
@@ -101,6 +102,27 @@
 -----END EC PRIVATE KEY-----
 """
 
+ek_test_template = TPMT_PUBLIC(
+    type=TPM2_ALG.KEYEDHASH,
+    nameAlg=TPM2_ALG.SHA256,
+    objectAttributes=TPMA_OBJECT.FIXEDTPM
+    | TPMA_OBJECT.FIXEDPARENT
+    | TPMA_OBJECT.SENSITIVEDATAORIGIN
+    | TPMA_OBJECT.ADMINWITHPOLICY
+    | TPMA_OBJECT.RESTRICTED
+    | TPMA_OBJECT.SIGN_ENCRYPT,
+    parameters=TPMU_PUBLIC_PARMS(
+        keyedHashDetail=TPMS_KEYEDHASH_PARMS(
+            scheme=TPMT_KEYEDHASH_SCHEME(
+                scheme=TPM2_ALG.HMAC,
+                details=TPMU_SCHEME_KEYEDHASH(
+                    hmac=TPMS_SCHEME_HASH(hashAlg=TPM2_ALG.SHA256),
+                ),
+            )
+        ),
+    ),
+)
+
 
 class TestUtils(TSS2_EsapiTest):
     def test_generate_seed_rsa(self):
@@ -430,6 +452,147 @@ def test_tpm_export_rsa_child_rsa_parent_with_inner_key(self):
             hashes.SHA256(),
         )
 
+    def test_create_ek_ecc(self):
+        nv_read = nv_read_ek(self.ectx)
+        _, ecc_template = create_ek_template("EK-ECC256", nv_read)
+        _, ecc, _, _, _ = self.ectx.create_primary(
+            TPM2B_SENSITIVE_CREATE(), ecc_template, ESYS_TR.ENDORSEMENT
+        )
+
+        self.assertEqual(ecc.publicArea.type, TPM2_ALG.ECC)
+
+        ecc_nv_nonce = TPM2B_NV_PUBLIC(
+            nvPublic=TPMS_NV_PUBLIC(
+                nvIndex=0x1C0000B,
+                nameAlg=TPM2_ALG.SHA256,
+                attributes=TPMA_NV.AUTHWRITE | TPMA_NV.AUTHREAD,
+                dataSize=15,
+            )
+        )
+        eh = self.ectx.nv_define_space(b"", ecc_nv_nonce, ESYS_TR.OWNER)
+        self.ectx.nv_write(eh, b"\xFF" * 15)
+        nv_read = nv_read_ek(self.ectx)
+        _, ecc_nonce_template = create_ek_template("EK-ECC256", nv_read)
+        _, ecc_nonce, _, _, _ = self.ectx.create_primary(
+            TPM2B_SENSITIVE_CREATE(), ecc_nonce_template, ESYS_TR.ENDORSEMENT
+        )
+        self.assertNotEqual(
+            ecc_nonce.publicArea.unique.ecc.x, ecc.publicArea.unique.ecc.x
+        )
+        self.assertNotEqual(
+            ecc_nonce.publicArea.unique.ecc.y, ecc.publicArea.unique.ecc.y
+        )
+
+    def test_create_ek_rsa(self):
+        nv_read = nv_read_ek(self.ectx)
+        _, rsa_template = create_ek_template("EK-RSA2048", nv_read)
+        _, rsa, _, _, _ = self.ectx.create_primary(
+            TPM2B_SENSITIVE_CREATE(), rsa_template, ESYS_TR.ENDORSEMENT
+        )
+        self.assertEqual(rsa.publicArea.type, TPM2_ALG.RSA)
+
+        rsa_nv_nonce = TPM2B_NV_PUBLIC(
+            nvPublic=TPMS_NV_PUBLIC(
+                nvIndex=0x1C00003,
+                nameAlg=TPM2_ALG.SHA256,
+                attributes=TPMA_NV.AUTHWRITE | TPMA_NV.AUTHREAD,
+                dataSize=127,
+            )
+        )
+        rh = self.ectx.nv_define_space(b"", rsa_nv_nonce, ESYS_TR.OWNER)
+        self.ectx.nv_write(rh, b"\xFF" * 127)
+        nv_read = nv_read_ek(self.ectx)
+        _, rsa_nonce_template = create_ek_template("EK-RSA2048", nv_read)
+        _, rsa_nonce, _, _, _ = self.ectx.create_primary(
+            TPM2B_SENSITIVE_CREATE(), rsa_nonce_template, ESYS_TR.ENDORSEMENT
+        )
+        self.assertNotEqual(rsa_nonce.publicArea.unique.rsa, rsa.publicArea.unique.rsa)
+
+    def test_create_ek_template(self):
+        template = TPMT_PUBLIC(
+            type=TPM2_ALG.KEYEDHASH,
+            nameAlg=TPM2_ALG.SHA256,
+            objectAttributes=TPMA_OBJECT.FIXEDTPM
+            | TPMA_OBJECT.FIXEDPARENT
+            | TPMA_OBJECT.SENSITIVEDATAORIGIN
+            | TPMA_OBJECT.ADMINWITHPOLICY
+            | TPMA_OBJECT.RESTRICTED
+            | TPMA_OBJECT.SIGN_ENCRYPT,
+            parameters=TPMU_PUBLIC_PARMS(
+                keyedHashDetail=TPMS_KEYEDHASH_PARMS(
+                    scheme=TPMT_KEYEDHASH_SCHEME(
+                        scheme=TPM2_ALG.HMAC,
+                        details=TPMU_SCHEME_KEYEDHASH(
+                            hmac=TPMS_SCHEME_HASH(hashAlg=TPM2_ALG.SHA256),
+                        ),
+                    )
+                ),
+            ),
+        )
+        tb = ek_test_template.marshal()
+        nv_template = TPM2B_NV_PUBLIC(
+            nvPublic=TPMS_NV_PUBLIC(
+                nvIndex=0x1C0000C,
+                nameAlg=TPM2_ALG.SHA256,
+                attributes=TPMA_NV.AUTHWRITE | TPMA_NV.AUTHREAD,
+                dataSize=len(tb),
+            )
+        )
+        tnh = self.ectx.nv_define_space(b"", nv_template, ESYS_TR.OWNER)
+        self.ectx.nv_write(tnh, tb)
+        nv_read = nv_read_ek(self.ectx)
+        _, templpub = create_ek_template("EK-ECC256", nv_read)
+        _, templ, _, _, _ = self.ectx.create_primary(
+            TPM2B_SENSITIVE_CREATE(), templpub, ESYS_TR.ENDORSEMENT
+        )
+        self.assertEqual(templ.publicArea.type, TPM2_ALG.KEYEDHASH)
+
+    def test_create_ek_bad(self):
+        nv_read = nv_read_ek(self.ectx)
+        with self.assertRaises(ValueError) as e:
+            create_ek_template("EK-DES", nv_read)
+        self.assertEqual(str(e.exception), "unknown EK type EK-DES")
+
+    def test_create_ek_high_rsa2048(self):
+        nv_read = nv_read_ek(self.ectx)
+        with self.assertRaises(ValueError) as e:
+            create_ek_template("EK-HIGH-RSA2048", nv_read)
+        self.assertEqual(str(e.exception), "no certificate found for EK-HIGH-RSA2048")
+
+        cert_index, def_template = ek.EK_HIGH_RSA2048
+        nv_cert = TPM2B_NV_PUBLIC(
+            nvPublic=TPMS_NV_PUBLIC(
+                nvIndex=cert_index,
+                nameAlg=TPM2_ALG.SHA256,
+                attributes=TPMA_NV.AUTHWRITE | TPMA_NV.AUTHREAD,
+                dataSize=len(b"I am a certificate"),
+            )
+        )
+        cnh = self.ectx.nv_define_space(b"", nv_cert, ESYS_TR.OWNER)
+        self.ectx.nv_write(cnh, b"I am a certificate")
+        nv_read = nv_read_ek(self.ectx)
+        cert, template = create_ek_template("EK-HIGH-RSA2048", nv_read)
+        self.assertEqual(cert, b"I am a certificate")
+        self.assertEqual(template.marshal(), def_template.marshal())
+
+        tb = ek_test_template.marshal()
+        nv_template = TPM2B_NV_PUBLIC(
+            nvPublic=TPMS_NV_PUBLIC(
+                nvIndex=cert_index + 1,
+                nameAlg=TPM2_ALG.SHA256,
+                attributes=TPMA_NV.AUTHWRITE | TPMA_NV.AUTHREAD,
+                dataSize=len(tb),
+            )
+        )
+        tnh = self.ectx.nv_define_space(b"", nv_template, ESYS_TR.OWNER)
+        self.ectx.nv_write(tnh, tb)
+        nv_read = nv_read_ek(self.ectx)
+        cert, template = create_ek_template("EK-HIGH-RSA2048", nv_read)
+        self.assertEqual(cert, b"I am a certificate")
+        self.assertEqual(
+            template.marshal(), TPM2B_PUBLIC(publicArea=ek_test_template).marshal()
+        )
+
 
 if __name__ == "__main__":
     unittest.main()

tpm2_pytss/templates.py

@@ -0,0 +1,113 @@
+from collections import namedtuple
+from .types import (
+    TPMT_SYM_DEF_OBJECT,
+    TPMU_SYM_KEY_BITS,
+    TPMU_SYM_MODE,
+    TPM2B_PUBLIC,
+    TPMT_PUBLIC,
+    TPMU_PUBLIC_PARMS,
+    TPMS_RSA_PARMS,
+    TPMT_RSA_SCHEME,
+    TPMU_PUBLIC_ID,
+    TPMS_ECC_PARMS,
+    TPMT_ECC_SCHEME,
+    TPMT_KDF_SCHEME,
+    TPMS_ECC_POINT,
+)
+from .constants import (
+    TPM2_ALG,
+    TPMA_OBJECT,
+    TPM2_ECC,
+)
+
+
+class ek:
+    _ek_tuple = namedtuple("_ek_tuple", ["cert_index", "ek_template"])
+    _low_symmetric = TPMT_SYM_DEF_OBJECT(
+        algorithm=TPM2_ALG.AES,
+        keyBits=TPMU_SYM_KEY_BITS(aes=128),
+        mode=TPMU_SYM_MODE(aes=TPM2_ALG.CFB),
+    )
+    _low_attrs = (
+        TPMA_OBJECT.FIXEDTPM
+        | TPMA_OBJECT.FIXEDPARENT
+        | TPMA_OBJECT.SENSITIVEDATAORIGIN
+        | TPMA_OBJECT.ADMINWITHPOLICY
+        | TPMA_OBJECT.RESTRICTED
+        | TPMA_OBJECT.DECRYPT
+    )
+    _low_policy = b"\x83q\x97gD\x84\xb3\xf8\x1a\x90\xcc\x8dF\xa5\xd7$\xfdR\xd7n\x06R\x0bd\xf2\xa1\xda\x1b3\x14i\xaa"
+    _ek_rsa2048_template = TPM2B_PUBLIC(
+        publicArea=TPMT_PUBLIC(
+            type=TPM2_ALG.RSA,
+            nameAlg=TPM2_ALG.SHA256,
+            objectAttributes=_low_attrs,
+            authPolicy=_low_policy,
+            parameters=TPMU_PUBLIC_PARMS(
+                rsaDetail=TPMS_RSA_PARMS(
+                    symmetric=_low_symmetric,
+                    scheme=TPMT_RSA_SCHEME(scheme=TPM2_ALG.NULL),
+                    keyBits=2048,
+                ),
+            ),
+            unique=TPMU_PUBLIC_ID(rsa=b"\x00" * 256),
+        )
+    )
+    _ek_ecc256_template = TPM2B_PUBLIC(
+        publicArea=TPMT_PUBLIC(
+            type=TPM2_ALG.ECC,
+            nameAlg=TPM2_ALG.SHA256,
+            objectAttributes=_low_attrs,
+            authPolicy=_low_policy,
+            parameters=TPMU_PUBLIC_PARMS(
+                eccDetail=TPMS_ECC_PARMS(
+                    symmetric=_low_symmetric,
+                    scheme=TPMT_ECC_SCHEME(scheme=TPM2_ALG.NULL),
+                    curveID=TPM2_ECC.NIST_P256,
+                    kdf=TPMT_KDF_SCHEME(scheme=TPM2_ALG.NULL),
+                )
+            ),
+            unique=TPMU_PUBLIC_ID(ecc=TPMS_ECC_POINT(x=b"\x00" * 32, y=b"\x00" * 32)),
+        )
+    )
+    _high_attrs = (
+        TPMA_OBJECT.FIXEDTPM
+        | TPMA_OBJECT.FIXEDPARENT
+        | TPMA_OBJECT.SENSITIVEDATAORIGIN
+        | TPMA_OBJECT.USERWITHAUTH
+        | TPMA_OBJECT.ADMINWITHPOLICY
+        | TPMA_OBJECT.RESTRICTED
+        | TPMA_OBJECT.DECRYPT
+    )
+    _sha256_policy = "ca3d0a99a2b93906f7a3342414efcfb3a385d44cd1fd459089d19b5071c0b7a0"
+    _ek_high_rsa2048_template = TPM2B_PUBLIC(
+        publicArea=TPMT_PUBLIC(
+            type=TPM2_ALG.RSA,
+            nameAlg=TPM2_ALG.SHA256,
+            objectAttributes=_high_attrs,
+            authPolicy=_sha256_policy,
+            parameters=TPMU_PUBLIC_PARMS(
+                rsaDetail=TPMS_RSA_PARMS(
+                    symmetric=_low_symmetric,
+                    scheme=TPMT_RSA_SCHEME(scheme=TPM2_ALG.NULL),
+                    keyBits=2048,
+                ),
+            ),
+        )
+    )
+    _ek_high_ecc256_template = None
+    _ek_high_ecc384_template = None
+    _ek_high_ecc521_template = None
+    _ek_high_eccsm2p521_template = None
+    _ek_high_rsa3072_template = None
+    _ek_high_rsa4096_template = None
+    # values are (cert nv index, default template)
+    EK_RSA2048 = _ek_tuple(0x01C00002, _ek_rsa2048_template)
+    EK_ECC256 = _ek_tuple(0x01C0000A, _ek_ecc256_template)
+    EK_HIGH_RSA2048 = _ek_tuple(0x01C00012, _ek_high_rsa2048_template)
+    EK_HIGH_ECC256 = _ek_tuple(0x01C00014, _ek_high_ecc256_template)
+    EK_HIGH_ECC384 = _ek_tuple(0x01C00016, _ek_high_ecc384_template)
+    EK_HIGH_ECC521 = _ek_tuple(0x01C00018, _ek_high_ecc521_template)
+    EK_HIGH_ECCSM2P521 = _ek_tuple(0x01C0001A, _ek_high_eccsm2p521_template)
+    EK_HIGH_RSA3072 = _ek_tuple(0x01C0001C, _ek_high_rsa3072_template)
+    EK_HIGH_RSA4096 = _ek_tuple(0x01C0001E, _ek_high_rsa4096_template)