diff options
Diffstat (limited to 'roms/skiboot/libstb/tss2/ibmtpm20tss/utils/policymaker.c')
| -rw-r--r-- | roms/skiboot/libstb/tss2/ibmtpm20tss/utils/policymaker.c | 354 |
1 files changed, 354 insertions, 0 deletions
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/policymaker.c b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/policymaker.c new file mode 100644 index 000000000..7290ed722 --- /dev/null +++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/policymaker.c @@ -0,0 +1,354 @@ +/********************************************************************************/ +/* */ +/* policymaker */ +/* Written by Ken Goldman */ +/* IBM Thomas J. Watson Research Center */ +/* */ +/* (c) Copyright IBM Corporation 2015 - 2019 */ +/* */ +/* All rights reserved. */ +/* */ +/* Redistribution and use in source and binary forms, with or without */ +/* modification, are permitted provided that the following conditions are */ +/* met: */ +/* */ +/* Redistributions of source code must retain the above copyright notice, */ +/* this list of conditions and the following disclaimer. */ +/* */ +/* Redistributions in binary form must reproduce the above copyright */ +/* notice, this list of conditions and the following disclaimer in the */ +/* documentation and/or other materials provided with the distribution. */ +/* */ +/* Neither the names of the IBM Corporation nor the names of its */ +/* contributors may be used to endorse or promote products derived from */ +/* this software without specific prior written permission. */ +/* */ +/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ +/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ +/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ +/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ +/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ +/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ +/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ +/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ +/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ +/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ +/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/********************************************************************************/ + +/* + policymaker calculates a TPM2 policy hash + + Inputs are: + + a hash algorithm + a file with lines in hexascii, to be extended into the policy digest, big endian + + NOTE: Empty lines (lines with just a newline character) are permitted and cause a double hash. + This is useful for e.g. TPM2_PolicySigned when the policyRef is empty. + + Outputs are: + + if specified, a file with a binary digest + if specified, a print of the hash + + Example input: policy command code with a command code of NV write + + 0000016c00000137 + + TPM2_PolicyCounterTimer is handled as a special case, where there is a double hash. +*/ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <stdint.h> +#include <errno.h> + +#include <ibmtss/tss.h> +#include <ibmtss/tssutils.h> +#include <ibmtss/tsscryptoh.h> +#include <ibmtss/tsscrypto.h> + +static void printUsage(void); +static int Format_FromHexascii(unsigned char *binary, + const char *string, + size_t length); +static int Format_ByteFromHexascii(unsigned char *byte, + const char *string); + +extern int tssUtilsVerbose; + +int main(int argc, char *argv[]) +{ + TPM_RC rc = 0; + int i; /* argc iterator */ + char *prc = NULL; /* pointer return code */ + const char *inFilename = NULL; + const char *outFilename = NULL; + int pr = FALSE; + int nz = FALSE; + int noSpace = FALSE; + TPMT_HA digest; + /* initialized to suppress false gcc -O3 warning */ + uint32_t sizeInBytes = 0; /* hash algorithm mapped to size */ + uint32_t startSizeInBytes = 0; /* starting buffer for extend */ + FILE *inFile = NULL; + FILE *outFile = NULL; + + setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */ + TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1"); + tssUtilsVerbose = FALSE; + + /* command line defaults */ + digest.hashAlg = TPM_ALG_SHA256; + + for (i=1 ; (i<argc) && (rc == 0) ; i++) { + if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { + if (strcmp(argv[i],"sha1") == 0) { + digest.hashAlg = TPM_ALG_SHA1; + } + else if (strcmp(argv[i],"sha256") == 0) { + digest.hashAlg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { + digest.hashAlg = TPM_ALG_SHA384; + } + else if (strcmp(argv[i],"sha512") == 0) { + digest.hashAlg = TPM_ALG_SHA512; + } + else { + printf("Bad parameter %s for -halg\n", argv[i]); + printUsage(); + } + } + else { + printf("Missing parameter for -hi\n"); + printUsage(); + } + + } + else if (strcmp(argv[i],"-if") == 0) { + i++; + if (i < argc) { + inFilename = argv[i]; + } + else { + printf("-if option needs a value\n"); + printUsage(); + } + } + else if (strcmp(argv[i],"-of") == 0) { + i++; + if (i < argc) { + outFilename = argv[i]; + } + else { + printf("-of option needs a value\n"); + printUsage(); + } + } + else if (strcmp(argv[i],"-pr") == 0) { + pr = TRUE; + } + else if (strcmp(argv[i],"-nz") == 0) { + nz = TRUE; + } + else if (strcmp(argv[i],"-ns") == 0) { + noSpace = TRUE; + } + else if (strcmp(argv[i],"-h") == 0) { + printUsage(); + } + else if (strcmp(argv[i],"-v") == 0) { + tssUtilsVerbose = TRUE; + TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2"); + } + else { + printf("\n%s is not a valid option\n", argv[i]); + printUsage(); + } + } + if (inFilename == NULL) { + printf("Missing input file parameter -if\n"); + printUsage(); + } + /* open the input file */ + if (rc == 0) { + inFile = fopen(inFilename, "r"); + if (inFile == NULL) { + printf("Error opening %s for %s, %s\n", inFilename, "r", strerror(errno)); + rc = EXIT_FAILURE; + } + } + if (rc == 0) { + sizeInBytes = TSS_GetDigestSize(digest.hashAlg); + /* startauthsession sets session digest to zero */ + if (!nz) { + startSizeInBytes = sizeInBytes; + memset((uint8_t *)&digest.digest, 0, sizeInBytes); + } + else { /* nz TRUE, start with empty buffer */ + startSizeInBytes = 0; + } + } + /* iterate through each line */ + do { + char lineString[10240]; /* returned line in hex ascii */ + unsigned char lineBinary[5120]; /* returned line in binary */ + size_t lineLength; + + if (rc == 0) { + prc = fgets(lineString, sizeof(lineString), inFile); + } + if (prc != NULL) { + /* convert hex ascii to binary */ + if (rc == 0) { + lineLength = strlen(lineString); + rc = Format_FromHexascii(lineBinary, + lineString, lineLength/2); + } + if (rc == 0) { + /* not TPM2_PolicyCounterTimer */ + if (memcmp(lineString, "0000016d", 8) != 0) { + /* hash extend digest.digest with line */ + if (rc == 0) { + rc = TSS_Hash_Generate(&digest, + startSizeInBytes, (uint8_t *)&digest.digest, + lineLength /2, lineBinary, + 0, NULL); + } + } + /* TPM2_PolicyCounterTimer is a special case - double hash */ + else { + TPMT_HA args; + args.hashAlg = digest.hashAlg; + if (rc == 0) { + /* args is a hash of the arguments excluding the command code */ + rc = TSS_Hash_Generate(&args, + (lineLength /2) -4, lineBinary +4, + 0, NULL); + } + if (rc == 0) { + uint8_t commandCode[] = {0x00, 0x00, 0x01, 0x6d}; + rc = TSS_Hash_Generate(&digest, + startSizeInBytes, (uint8_t *)&digest.digest, + sizeof(commandCode), commandCode, + startSizeInBytes, (uint8_t *)&args.digest, + 0, NULL); + } + } + } + if (rc == 0) { + if (tssUtilsVerbose) TSS_PrintAll("intermediate policy digest", + (uint8_t *)&digest.digest, sizeInBytes); + } + } + } + while ((rc == 0) && (prc != NULL)); + + if ((rc == 0) && pr) { + TSS_PrintAll("policy digest", (uint8_t *)&digest.digest, sizeInBytes); + } + if ((rc == 0) && noSpace) { + unsigned int b; + printf("policy digest:\n"); + for (b = 0 ; b < sizeInBytes ; b++) { + printf("%02x", *(((uint8_t *)&digest.digest) + b)); + } + printf("\n"); + } + /* open the output file */ + if ((rc == 0) && (outFilename != NULL)) { + outFile = fopen(outFilename, "wb"); + if (outFile == NULL) { + printf("Error opening %s for %s, %s\n", outFilename , "W", strerror(errno)); + rc = EXIT_FAILURE; + } + } + if ((rc == 0) && (outFilename != NULL)) { + fwrite((uint8_t *)&digest.digest, 1, sizeInBytes, outFile); + } + if (inFile != NULL) { + fclose(inFile); + } + if (outFile != NULL) { + fclose(outFile); + } + if (rc != 0) { + rc = EXIT_FAILURE; + } + return rc; +} + +/* Format_FromHexAscii() converts 'string' in hex ascii to 'binary' of 'length' + + It assumes that the string has enough bytes to accommodate the length. +*/ + +static int Format_FromHexascii(unsigned char *binary, + const char *string, + size_t length) +{ + int rc = 0; + size_t i; + + for (i = 0 ; (rc == 0) && (i < length) ; i++) { + rc = Format_ByteFromHexascii(binary + i, + string + (i * 2)); + + } + return rc; +} + +/* Format_ByteFromHexAscii() converts two bytes of hex ascii to one byte of binary + */ + +static int Format_ByteFromHexascii(unsigned char *byte, + const char *string) +{ + int rc = 0; + size_t i; + char c; + *byte = 0; + + for (i = 0 ; (rc == 0) && (i < 2) ; i++) { + (*byte) <<= 4; /* big endian, shift up the nibble */ + c = *(string + i); /* extract the next character from the string */ + + if ((c >= '0') && (c <= '9')) { + *byte += c - '0'; + } + else if ((c >= 'a') && (c <= 'f')) { + *byte += c + 10 - 'a'; + } + else if ((c >= 'A') && (c <= 'F')) { + *byte += c + 10 - 'A'; + } + else { + printf("Format_ByteFromHexascii: " + "Error: Line has non hex ascii character: %02x %c\n", c, c); + rc = EXIT_FAILURE; + } + } + return rc; +} + + +static void printUsage(void) +{ + printf("\n"); + printf("policymaker\n"); + printf("\n"); + printf("\t[-halg\thash algorithm (sha1 sha256 sha384 sha512) (default sha256)]\n"); + printf("\t[-nz\tdo not extend starting with zeros, just hash the last line]\n"); + printf("\t-if\tinput policy statements in hex ascii\n"); + printf("\t[-of\toutput file - policy hash in binary]\n"); + printf("\t[-pr\tstdout - policy hash in hex ascii]\n"); + printf("\t[-ns\tadditionally print policy hash in hex ascii on one line]\n"); + printf("\t\tUseful to paste into policy OR\n"); + printf("\n"); + exit(1); +} |