Diffstat (limited to 'roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat')
-rw-r--r-- | roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat | 2715 |
1 files changed, 2715 insertions, 0 deletions
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat
new file mode 100644
index 000000000..8ec32e26f
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat
@@ -0,0 +1,2715 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+REM # used for the name in policy ticket
+
+REM if [ -z $TPM_DATA_DIR ]; then
+REM TPM_DATA_DIR=.
+REM fi
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Policy Command Code"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM sign with correct policy command code
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy and wrong password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail, session used "
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+REM quote with bad policy or bad command
+
+REM echo "Start a policy session"
+REM ./startauthsession -se p > run.out
+REM IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - PWAP"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - policy, should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # echo "Flush the session"
+REM # ./flushcontext -ha 03000000 > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+
+REM # echo "Start a policy session"
+REM # ./startauthsession -se p > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+echo "Policy command code - quote"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 158 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Quote - policy, should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+
+REM # echo "Flush the session"
+REM # ./flushcontext -ha 03000000 > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Command Code and Policy Password / Authvalue"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policypassword
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy password"
+%TPM_EXE_PATH%policypassword -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, no password should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policyauthvalue
+
+REM # echo "Start a policy session"
+REM # startauthsession -se p > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, no password should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Password and Policy Authvalue flags"
+echo ""
+
+for %%C in (policypassword policyauthvalue) do (
+
+
+ echo "Create a signing key under the primary key - policy command code - sign, auth"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - sign"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy %%C"
+ %TPM_EXE_PATH%%%C -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy, password"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key under the primary key - policy command code - sign"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - sign"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy and wrong password"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Policy Signed"
+echo ""
+
+REM # create rsaprivkey.pem
+REM # > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
+REM # extract the public key
+REM # > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
+REM # sign a test message msg.bin
+REM # > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+REM #
+REM # create the policy:
+REM # use loadexternal -ns to get the name
+REM
+REM # sha1
+REM # 00044234c24fc1b9de6693a62453417d2734d7538f6f
+REM # sha256
+REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # sha384
+REM # 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+REM # sha512
+REM # 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+REM
+REM # 00000160 plus the above name as text, add a blank line for empty policyRef
+REM # to create policies/policysigned$HALG.txt
+REM #
+REM # 0000016000044234c24fc1b9de6693a62453417d2734d7538f6f
+REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # 00000160000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+REM # 00000160000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+REM #
+REM # use sha256 policies, policymaker default (policy session digest
+REM # algorithm is separate from Name and signature hash algorithm)
+REM #
+REM # > policymaker -if policies/policysigned$HALG.txt -of policies/policysigned$HALG.bin -pr
+REM #
+REM # sha1
+REM # 9d 81 7a 4e e0 76 eb b5 cf ee c1 82 05 cc 4c 01
+REM # b3 a0 5e 59 a9 b9 65 a1 59 af 1e cd 3d bf 54 fb
+REM # sha256
+REM # de bf 9d fa 3c 98 08 0b f1 7d d1 d0 7b 54 fd e1
+REM # 07 93 7f e5 40 50 9e 70 96 aa 73 27 53 b3 83 31
+REM # sha384
+REM # 45 c5 da 90 76 92 3a 70 03 6f df 56 ea e7 df db
+REM # 41 e2 01 75 24 49 54 94 66 93 6b c4 fc 88 ab 5c
+REM # sha512
+REM # cd 34 96 08 39 ea 40 88 5e fa 7f 37 8b a7 21 f1
+REM # 78 6d 52 bb 93 47 9c 73 45 88 3c dc 1f 09 06 6f
+REM #
+REM # 80000000 primary key
+REM # 80000001 verification public key
+REM # 80000002 signing key with policy
+REM # 03000000 policy session
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Load external just the public part of PEM at 80000001 - %%H"
+ %TPM_EXE_PATH%loadexternal -halg %%H -nalg %%H -ipem policies/rsapubkey.pem -ns > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a test message with openssl - %%H"
+ openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+ echo "Verify the signature with 80000001 - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if msg.bin -is pssig.bin -raw > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key under the primary key - policy signed - %%H"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysigned%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key at 80000002"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy, should fail"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Policy signed - sign with PEM key - %%H"
+ %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg %%H -pwdk rrrr > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get policy digest"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmppol.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy signed"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy restart, set back to zero"
+ %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign just expiration (uint32_t 4 zeros) with openssl - %%H"
+ openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/zero4.bin
+
+ echo "Policy signed, signature generated externally - %%H"
+ %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg %%H -is pssig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy signed"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session - save nonceTPM"
+ %TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy signed with nonceTPM and expiration, create a ticket - %%H"
+ %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg %%H -pwdk rrrr -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy signed"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy ticket"
+ %TPM_EXE_PATH%policyticket -ha 03000000 -to to.bin -na h80000001.bin -tk tkt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy ticket"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the verification public key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 02000000
+REM # getcapability -cap 1 -pr 03000000
+
+REM # exit 0
+
+echo ""
+echo "Policy Secret"
+echo ""
+
+REM # 4000000c platform
+REM # 80000000 primary key
+REM # 80000001 signing key with policy
+REM # 03000000 policy session
+REM # 02000001 hmac session
+
+echo "Change platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the primary key - policy secret using platform auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, create a ticket"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret using primary key, create a ticket"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy ticket"
+%TPM_EXE_PATH%policyticket -ha 03000000 -to to.bin -hi p -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy ticket"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with HMAC session"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -se0 02000001 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth back to null"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Secret with NV Auth"
+echo ""
+
+REM Name is
+REM 00 0b e0 65 10 81 c2 fc da 30 69 93 da 43 d1 de
+REM 5b 24 be 42 6e 2d 61 90 7b 42 83 54 69 13 6c 97
+REM 68 1f
+REM
+REM Policy is
+REM c6 93 f9 b0 ef 1a b7 1e ca ae 00 af 1f 0b f4 88
+REM 37 9e ab 16 c1 f8 0d 9f f9 6d 90 41 4e 2f c6 b3
+
+echo "NV Define Space 0100000"
+%TPM_EXE_PATH%nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the primary key - policy secret NV auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretnv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn -in noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 0100000"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Secret with Object"
+echo ""
+
+REM # Use a externally generated object so that the Name is known and thus
+REM # the policy can be precalculated
+
+REM # Name
+REM # 00 0b 64 ac 92 1a 03 5c 72 b3 aa 55 ba 7d b8 b5
+REM # 99 f1 72 6f 52 ec 2f 68 20 42 fc 0e 0d 29 fa e8
+REM # 17 99
+
+REM # 000001151 plus the above name as text, add a blank line for empty policyRef
+REM # to create policies/policysecretsha256.txt
+REM # 00000151000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
+REM # 4b 7f ca c2 b7 c3 ac a2 7c 5c da 9c 71 e6 75 28
+REM # 63 d2 87 d2 33 ec 49 0e 7a be 88 f1 ef 94 5d 5c
+
+echo "Load the RSA openssl key pair in the NULL hierarchy 80000001"
+%TPM_EXE_PATH%loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the primary key - policy secret of object 80000001"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -uwa -pol policies/policysecretsha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - password auth - should fail"
+%TPM_EXE_PATH%sign -hk 80000002 -if policies/aaa -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policysecret key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the RSA openssl key pair in the NULL hierarchy, userWithAuth false 80000001"
+%TPM_EXE_PATH%loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr -uwa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session - should fail"
+%TPM_EXE_PATH%policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the policysecret key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Authorize"
+echo ""
+
+REM # 80000000 primary
+REM # 80000001 verification public key, openssl
+REM # 80000002 signing key
+REM # 03000000 policy session
+
+REM # Name for 80000001 0004 4234 c24f c1b9 de66 93a6 2453 417d 2734 d753 8f6f
+REM #
+REM # policyauthorizesha256.txt
+REM # 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM #
+REM # (need blank line for policyRef)
+REM #
+REM # > policymaker -if policies/policyauthorizesha256.txt -of policies/policyauthorizesha256.bin -pr
+REM #
+REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+
+echo "Create a signing key with policy authorize"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizesha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load external just the public part of PEM authorizing key"
+%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be zero"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policy to approve, aHash input"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Openssl generate aHash"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policyapproved.bin
+
+echo "Verify the signature to generate ticket"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policyapproved.bin -is pssig.bin -raw -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authorize using the ticket"
+%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policyapproved.bin -skn h80000001.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policy authorize"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the verification public key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 02000000
+REM # getcapability -cap 1 -pr 03000000
+
+REM # exit 0
+
+echo ""
+echo "Set Primary Policy"
+echo ""
+
+echo "Platform policy empty"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform policy empty, bad password"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Set platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform policy empty, bad password"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform policy empty"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform policy to policy secret platform auth"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp -halg sha256 -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth to null with policy secret"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy PCR no select"
+echo ""
+
+REM # create AND term for policy PCR
+REM # > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
+REM
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
+REM
+REM # 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66
+REM # b6 fa 2c 23
+
+echo "Create a signing key with policy PCR no select"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -halg sha1 -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 6d 38 49 38 ... "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, should succeed"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR extend PCR 0, updates pcr counter"
+%TPM_EXE_PATH%pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policypcr0.txt has 20 * 00
+
+REM # create AND term for policy PCR
+REM # > policymakerpcr -halg sha1 -bm 10000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
+
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
+
+echo ""
+echo "Policy PCR"
+echo ""
+
+echo "Create a signing key with policy PCR PCR 16 zero"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reset PCR 16 back to zero"
+%TPM_EXE_PATH%pcrreset -ha 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read PCR 16, should be 00 00 00 00 ..."
+%TPM_EXE_PATH%pcrread -ha 16 -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, policy not satisfied - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 85 33 11 83"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, should succeed"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR extend PCR 16"
+%TPM_EXE_PATH%pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read PCR 0, should be 1d 47 f6 8a ..."
+%TPM_EXE_PATH%pcrread -ha 16 -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the wrong digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 66 dd e5 e3"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # 01000000 authorizing ndex
+REM # 01000001 authorized index
+REM # 03000000 policy session
+REM #
+REM # 4 byte NV index
+REM # policynv.txt
+REM # policy CC_PolicyNV || args || Name
+REM #
+REM # policynvargs.txt (binary)
+REM # args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
+REM # hash -hi n -halg sha1 -if policies/policynvargs.txt -v
+REM # openssl dgst -sha1 policies/policynvargs.txt
+REM # 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
+REM #
+REM # NV authorizing index
+REM #
+REM # after defining index and NV write to set written, use
+REM # nvreadpublic -ha 01000000 -nalg sha1
+REM # to get name
+REM # 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
+REM #
+REM # append Name to policynvnv.txt
+REM #
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
+REM # bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc
+REM #
+REM # file zero8.bin has 8 bytes of hex zero
+
+echo ""
+echo "Policy NV, NV index authorizing"
+echo ""
+
+echo "Define a setbits index, authorizing index"
+%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, not written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV setbits to set written"
+%TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read, should be zero"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "Define an ordinary index, authorized index, policyNV" +%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV Read public, get Name, not written" +%TPM_EXE_PATH%nvreadpublic -ha 01000001 -nalg sha1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV write to set written" +%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Start policy session" +%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV write, policy not satisfied - should fail" +%TPM_EXE_PATH%nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Policy get digest, should be 0" +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy NV to satisfy the policy" +%TPM_EXE_PATH%policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy get digest, should be bc 9b 4c 4f ..." +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV write, policy satisfied" +%TPM_EXE_PATH%nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Set bit in authorizing NV index" +%TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn -bit 0 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV Read, should be 1" +%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy NV to satisfy the policy - should fail" +%TPM_EXE_PATH%policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Policy get digest, should be 00 00 00 00 ..." 
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV Undefine authorizing index" +%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV Undefine authorized index" +%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush policy session" +%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "" +echo "Policy NV Written" +echo "" + +echo "Define an ordinary index, authorized index, policyNV" +%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV Read public, get Name, not written" +%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Start policy session" +%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV write, policy not satisfied - should fail" +%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Policy NV Written no, does not satisfy policy" +%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV write, policy not satisfied - should fail" +%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Flush policy session" +%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Start policy session" +%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy NV Written yes, satisfy policy" +%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "NV write, policy satisfied but written clear - should fail" +%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Flush policy session" +%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV write using password, set written" +%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Start policy session" +%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy NV Written yes, satisfy policy" +%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV write, policy satisfied" +%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush policy session" +%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Start policy session" +%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy NV Written no" +%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy NV Written yes - should fail" +%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Flush policy session" +%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV Undefine authorizing index" +%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "" +echo "Policy Signed externally signed cpHash" +echo "" + +REM # NV Index 01000000 has policy OR +REM +REM # Policy A - provisioning: policy written false + policysigned +REM # demo: authorizer signs NV write all zero +REM +REM # Policy B - application: policy written true + policysigned +REM # demo: authorizer signs NV write abcdefgh + +echo "Load external just the public part of PEM at 80000001" +%TPM_EXE_PATH%loadexternal -ipem policies/rsapubkey.pem > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Get the Name of the signing key at 80000001" +%TPM_EXE_PATH%readpublic -ho 80000001 -ns > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799 +REM +REM # construct policy A +REM +REM # policies/policywrittenclrsigned.txt +REM # 0000018f00 +REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799 +REM # Add the extra blank line here for policyRef +REM +REM # policymaker -if policies/policywrittenclrsigned.txt -of policies/policywrittenclrsigned.bin -pr -ns -v +REM # intermediate policy digest length 32 +REM # 3c 32 63 23 67 0e 28 ad 37 bd 57 f6 3b 4c c3 4d +REM # 26 ab 20 5e f2 2f 27 5c 58 d4 7f ab 24 85 46 6e +REM # intermediate policy digest length 32 +REM # 6b 0d 2d 2b 55 4d 68 ec bc 6c d5 b8 c0 96 c1 70 +REM # 57 5a 95 25 37 56 38 7e 83 d7 76 d9 5b 1b 8e f3 +REM # intermediate policy digest length 32 +REM # 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87 +REM # 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2 +REM # policy digest length 32 +REM # 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87 +REM # 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2 +REM # policy digest: +REM # 480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f2 +REM +REM # construct policy B +REM +REM # policies/policywrittensetsigned.txt +REM # 0000018f01 +REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799 +REM # 
Add the extra blank line here for policyRef +REM +REM # policymaker -if policies/policywrittensetsigned.txt -of policies/policywrittensetsigned.bin -pr -ns -v +REM # intermediate policy digest length 32 +REM # f7 88 7d 15 8a e8 d3 8b e0 ac 53 19 f3 7a 9e 07 +REM # 61 8b f5 48 85 45 3c 7a 54 dd b0 c6 a6 19 3b eb +REM # intermediate policy digest length 32 +REM # 7d c2 8f b0 dd 4f ee 97 78 2b 55 43 b1 dc 6b 1e +REM # e2 bc 79 05 d4 a1 f6 8d e2 97 69 5f a9 aa 78 5f +REM # intermediate policy digest length 32 +REM # 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82 +REM # 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46 +REM # policy digest length 32 +REM # 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82 +REM # 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46 +REM # policy digest: +REM # 0943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246 +REM +REM # construct the Policy OR of A and B +REM +REM # policyorwrittensigned.txt - command code plus two policy digests +REM # 00000171480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f20943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246 +REM # policymaker -if policies/policyorwrittensigned.txt -of policies/policyorwrittensigned.bin -pr +REM # policy digest length 32 +REM # 06 00 ae 34 7a 30 b0 67 36 d3 32 85 a0 cc ad 46 +REM # 54 1e 62 71 f5 d0 85 10 a7 ff 0e 90 30 54 d6 c9 + +echo "Define index 01000000 with the policy OR" +%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi o -sz 8 -pwdn "" -pol policies/policyorwrittensigned.bin -at aw > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Get the Name of the NV index not written, should be 00 0b ... bb 0b" +%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +REM # 000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b + +echo "Start a policy session 03000000" +%TPM_EXE_PATH%startauthsession -se p > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "" +echo "Policy A - not written" +echo "" + +REM # construct cpHash for Policy A - not written, writing zeros +REM +REM # (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of 0's at offset 0000 +REM # For index auth, authHandle Name and index Name are the same +REM # policies/nvwritecphasha.txt +REM # 00000137000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000800000000000000000000 +REM # policymaker -nz -if policies/nvwritecphasha.txt -of policies/nvwritecphasha.bin -pr -ns +REM # policy digest length 32 +REM # cf 98 1e ee 68 04 3b dd ee 0c ab bc 75 b3 63 be +REM # 3c f9 ee 22 2a 78 b8 26 3f 06 7b b3 55 2c a6 11 +REM # policy digest: +REM # cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611 +REM +REM # construct aHash for Policy A +REM +REM # expiration + cpHashA +REM # policies/nvwriteahasha.txt +REM # 00000000cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611 +REM # just convert to binary, because openssl does the hash before signing +REM # xxd -r -p policies/nvwriteahasha.txt policies/nvwriteahasha.bin + +echo "Policy NV Written no, satisfy policy" +%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Should be policy A first intermediate value 3c 32 63 23 ..." +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Sign aHash with openssl 8813 6530 ..." +openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahasha.bin +echo "" + +echo "Policy signed, signature generated externally" +%TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphasha.bin -is sig.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Should be policy A final value 48 0b 78 2e ..." 
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy OR" +%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Should be policy OR final value 06 00 ae 34 " +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV write to set written" +%TPM_EXE_PATH%nvwrite -ha 01000000 -if policies/zero8.bin -se0 03000000 1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "" +echo "Policy B - written" +echo "" + +echo "Get the new (written) Name of the NV index not written, should be 00 0b f5 75" +%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +REM # 000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8 +REM +REM # construct cpHash for Policy B +REM +REM # (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of abcdefgh at offset 00000 +REM # For index auth, authHandle Name and index Name are the same +REM # policies/nvwritecphashb.txt +REM # 00000137000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000861626364656667680000 +REM # policymaker -nz -if policies/nvwritecphashb.txt -of policies/nvwritecphashb.bin -pr -ns +REM # policy digest length 32 +REM # df 58 08 f9 ab cb 23 7f 8c d7 c9 09 1c 86 12 2d +REM # 88 6f 02 d4 6e db 53 c8 da 39 bf a2 d6 cf 07 63 +REM # policy digest: +REM # df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763 +REM +REM # construct aHash for Policy B +REM +REM # expiration + cpHashA +REM # policies/nvwriteahashb.txt +REM # 00000000df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763 +REM # just convert to binary, because openssl does the hash before signing +REM # xxd -r -p policies/nvwriteahashb.txt 
policies/nvwriteahashb.bin + +echo "Policy NV Written yes, satisfy policy" +%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Should be policy A first intermediate value f7 88 7d 15 ..." +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Sign aHash with openssl 3700 0a91 ..." +openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahashb.bin > run.out +echo "" + +echo "Policy signed, signature generated externally" +%TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphashb.bin -is sig.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Should be policy B final value 09 43 ba 3c ..." +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy OR" +%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Should be policy OR final value 06 00 ae 34 " +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "NV write new data" +%TPM_EXE_PATH%nvwrite -ha 01000000 -ic abcdefgh -se0 03000000 1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "" +echo "Cleanup" +echo "" + +echo "Flush the policy session 03000000" +%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the signature verification key 80000001" +%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Undefine the NV Index 01000000" +%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +REM # test using clockrateadjust +REM # policycphashhash.txt is (hex) 00000130 4000000c 000 +REM # hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v +REM # openssl dgst -sha1 policycphashhash.txt +REM # cpHash is +REM # b5f919bbc01f0ebad02010169a67a8c158ec12f3 +REM # append to policycphash.txt 00000163 + cpHash +REM # policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr +REM # 06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f + +echo "" +echo "Policy cpHash" +echo "" + +echo "Set the platform policy to policy cpHash" +%TPM_EXE_PATH%setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Clockrate adjust using wrong password - should fail" +%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Start policy session" +%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Clockrate adjust, policy not satisfied - should fail" +%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Policy cpHash, satisfy policy" +%TPM_EXE_PATH%policycphash -ha 03000000 -cp policies/policycphashhash.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy get digest, should be 06 e4 6c f9" +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Clockrate adjust, policy satisfied but bad command params - should fail" +%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 1 -se0 03000000 1 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Clockrate adjust, policy satisfied" +%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Clear the platform policy" +%TPM_EXE_PATH%setprimarypolicy -hi p > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "Flush policy session" +%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "" +echo "Policy Duplication Select with includeObject FALSE" +echo "" + +REM # These tests uses a new parent and object to be duplicated generated +REM # externally. This makes the Names repeatable and permits the +REM # policy to be pre-calculated and static. +REM +REM # command code 00000188 +REM # newParentName +REM # 000b 1a5d f667 7533 4527 37bc 79a5 5ab6 +REM # d9fa 9174 5c03 3dfe 3f82 cdf0 903b a9d6 +REM # 55f1 +REM # includeObject 00 +REM # policymaker -if policies/policydupsel-no.txt -of policies/policydupsel-no.bin -pr -v +REM # 5f 55 ba 2b 69 0f b0 38 ac 15 ff 2a 86 ef 65 66 +REM # be a8 23 68 43 97 4c 3f a7 36 37 72 56 ec bc 45 +REM +REM # 80000000 SK storage primary key +REM # 80000001 NP new parent, the target of the duplication +REM # 80000002 SI signing key, duplicate from SK to NP +REM # 03000000 policy session + +echo "Import the new parent storage key NP under the primary key" +%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -st -pwdk rrrr -opu tmpstpub.bin -opr tmpstpriv.bin -halg sha256 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Load the new parent TPM storage key NP at 80000001" +%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpstpub.bin -ipr tmpstpriv.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Import a signing key SI under the primary key 80000000, with policy duplication select" +%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policydupsel-no.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Load the signing key SI at 80000002" +%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "Sign a digest" +%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Verify the signature" +%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Start a policy session 03000000" +%TPM_EXE_PATH%startauthsession -se p > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy duplication select, object SI 80000002 to new parent NP 80000001" +%TPM_EXE_PATH%policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Get policy digest, should be 5f 55 ba 2b ...." +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001" +%TPM_EXE_PATH%duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the original SI at 80000002 to free object slot for import" +%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Import signing key SI under new parent TPM storage key NP 80000001" +%TPM_EXE_PATH%import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Load the signing key SI at 80000002" +%TPM_EXE_PATH%load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Sign a digest" +%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Verify the signature" +%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "Flush the duplicated SI at 80000002" +%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "" +echo "Policy Duplication Select with includeObject TRUE" +echo "" + +REM # command code 00000188 +REM # SI objectName +REM # 000b 6319 28da 1624 3135 3a59 c03a 2ca7 +REM # dbb7 0989 1440 4236 3c7f a838 39d9 da6c +REM # 437a +REM # HP newParentName +REM # 000b +REM # 1a5d f667 7533 4527 37bc 79a5 5ab6 d9fa +REM # 9174 5c03 3dfe 3f82 cdf0 903b a9d6 55f1 +REM # includeObject 01 +REM +REM # policymaker -if policies/policydupsel-yes.txt -of policies/policydupsel-yes.bin -pr -v +REM # 14 64 06 4c 80 cb e3 4f f5 03 82 15 38 62 43 17 +REM # 93 94 8f f1 e8 8a c6 23 4d d1 b0 c5 4c 05 f7 3b +REM +REM # 80000000 SK storage primary key +REM # 80000001 NP new parent, the target of the duplication +REM # 80000002 SI signing key, duplicate from SK to NP +REM # 03000000 policy session + +echo "Import a signing key SI under the primary key 80000000, with policy authorize" +%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Load the signing key SI with objectName 000b 6319 28da at 80000002" +%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Sign a digest" +%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Verify the signature" +%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Start a policy session 03000000" +%TPM_EXE_PATH%startauthsession -se p > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "Policy duplication select, object SI 80000002 to new parent NP 80000001 with includeObject" +%TPM_EXE_PATH%policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin -io > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Get policy digest,should be policy to approve, aHash input 14 64 06 4c same as policies/policydupsel-yes.bin" +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the original SI at 80000002 to free object slot for loadexternal " +%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Openssl generate and sign aHash (empty policyRef)" +openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policydupsel-yes.bin + +echo "Load external just the public part of PEM authorizing key 80000002" +%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Verify the signature against 80000002 to generate ticket" +%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/policydupsel-yes.bin -is pssig.bin -raw -tk tkt.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy authorize using the ticket" +%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policydupsel-yes.bin -skn h80000002.bin -tk tkt.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Get policy digest" +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the PEM authorizing verification key at 80000002 to free object slot for import" +%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Load the original signing key SI at 80000002" +%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001 000b 1a5d f667" +%TPM_EXE_PATH%duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the original SI at 80000002 to free object slot for import" +%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Import signing key SI under new parent TPM storage key NP 80000001" +%TPM_EXE_PATH%import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Load the signing key SI at 80000002" +%TPM_EXE_PATH%load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Sign a digest" +%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Verify the signature" +%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the duplicated SI at 80000002" +%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the new parent TPM storage key NP 80000001" +%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "" +echo "Policy Name Hash" +echo "" + +REM # signing key SI Name +REM # 000b +REM # 6319 28da 1624 3135 3a59 c03a 2ca7 dbb7 +REM # 0989 1440 4236 3c7f a838 39d9 da6c 437a +REM +REM # compute nameHash +REM +REM # nameHash - just a hash, not an extend +REM # policymaker -if policies/pnhnamehash.txt -of policies/pnhnamehash.bin -nz -pr -v -ns +REM # 18 e0 0c 62 77 18 d9 fc 81 22 3d 8a 56 33 7e eb +REM # 0e 7d 98 28 bd 7b c7 29 1d 3c 27 3f 7a c4 04 f1 +REM # 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1 +REM +REM # compute policy (based on +REM +REM # 00000170 TPM_CC_PolicyNameHash +REM # signing key SI Name +REM # 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1 +REM +REM # policymaker -if policies/policynamehash.txt -of policies/policynamehash.bin -pr -v +REM # 96 30 f9 00 c3 4c 66 09 c1 c5 92 41 78 c1 b2 3d +REM # 9f d4 93 f4 f9 c2 98 c8 30 4a e3 0f 97 a2 fd 49 +REM +REM # 80000000 SK storage primary key +REM # 80000001 SI signing key +REM # 80000002 Authorizing public key +REM # 03000000 policy session + +echo "Import a signing key SI under the primary key 80000000, with policy authorize" +%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Load the signing key SI at 80000001" +%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Sign a digest using the password" +%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Verify the signature" +%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out +IF !ERRORLEVEL! 
NEQ 0 ( + exit /B 1 +) + +echo "Start a policy session 03000000" +%TPM_EXE_PATH%startauthsession -se p > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy name hash, object SI 80000001" +%TPM_EXE_PATH%policynamehash -ha 03000000 -nh policies/pnhnamehash.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Get policy digest, should be policy to approve, 96 30 f9 00" +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Openssl generate and sign aHash (empty policyRef)" +openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policynamehash.bin + +echo "Load external just the public part of PEM authorizing key 80000002" +%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Verify the signature against 80000002 to generate ticket" +%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/policynamehash.bin -is pssig.bin -raw -tk tkt.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Policy authorize using the ticket" +%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policynamehash.bin -skn h80000002.bin -tk tkt.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Get policy digest, should be eb a3 f9 8c ...." +%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Sign a digest using the policy" +%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -se0 03000000 0 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Verify the signature" +%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the signing key at 80000001" +%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out +IF !ERRORLEVEL! 
NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the authorizing key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # test using clockrateadjust and platform policy
+
+REM # operand A time is 64 bits at offset 0, operation GT (2)
+REM # 0000016d 0000 0000 0000 0000 | 0000 | 0002
+REM #
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policycountertimer.txt -of policies/policycountertimer.bin -pr -v
+REM # e6 84 81 27 55 c0 39 d3 68 63 21 c8 93 50 25 dd
+REM # aa 26 42 9a
+
+echo ""
+echo "Policy Counter Timer"
+echo ""
+
+echo "Set the platform policy to policy "
+%TPM_EXE_PATH%setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust using wrong password - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy not satisfied - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy counter timer, zero operandB, op EQ satisfy policy - should fail"
+%TPM_EXE_PATH%policycountertimer -ha 03000000 -if policies/zero8.bin -op 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy counter timer, zero operandB, op GT satisfy policy"
+%TPM_EXE_PATH%policycountertimer -ha 03000000 -if policies/zero8.bin -op 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be e6 84 81 27"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy satisfied"
+%TPM_EXE_PATH%clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! 
NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear the platform policy"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policyccsign.txt 0000016c 0000015d (policy command code | sign)
+REM # policyccquote.txt 0000016c 00000158 (policy command code | quote)
+REM #
+REM # > policymaker -if policies/policyccsign.txt -of policies/policyccsign.bin -pr -v
+REM # cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811
+REM #
+REM # > policymaker -if policies/policyccquote.txt -of policies/policyccquote.bin -pr -v
+REM # a039cad5fe68870688f8233c3e3ee3cf27aac9e2efe3486aeb4e304c0e90cd27
+REM #
+REM # policyor.txt is CC_PolicyOR || digests
+REM # 00000171 | cc69 ... | a039 ...
+REM # > policymaker -if policies/policyor.txt -of policies/policyor.bin -pr -v
+REM # 6b fe c2 3a be 57 b0 2a ce 39 dd 13 bb 60 fa 39
+REM # 4d ac 7b 38 96 56 57 84 b3 73 fc 61 92 94 29 db
+
+echo ""
+echo "PolicyOR"
+echo ""
+
+echo "Create an unrestricted signing key, policy command code sign or quote"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyor.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! 
EQU 0 (
+ exit /B 1
+)
+
+echo "Quote - should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Get time - should fail, policy not set"
+%TPM_EXE_PATH%gettime -hk 80000001 -qd policies/aaa -se1 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy OR - should fail"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be cc 69 18 b2"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be 6b fe c2 3a"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with policy OR"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - should fail, wrong command code"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! 
NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - quote, digest a0 39 ca d5"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 00000158 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR, digest 6b fe c2 3a"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote with policy OR"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - gettime 7a 3e bd aa"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000014c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR, gettime not an AND term - should fail"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # There are times that a policy creator has TPM, PEM, or DER format
+REM # information, but does not have access to a TPM. The publicname
+REM # utility accepts these inputs and outputs the name in the 'no spaces'
+REM # format suitable for pasting into a policy.
+
+echo ""
+echo "publicname RSA"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create an rsa %%H key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -rsa 2048 -nalg %%H -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the rsa %%H key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ %TPM_EXE_PATH%publicname -ipu tmppub.bin -on tmp.bin > run.out
+ IF !ERRORLEVEL! 
NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the rsa public key to PEM format"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the rsa %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "loadexternal the rsa PEM public key"
+ %TPM_EXE_PATH%loadexternal -ipem tmppub.pem -si -rsa -nalg %%H -halg %%H -scheme rsassa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the PEM Name"
+ %TPM_EXE_PATH%publicname -ipem tmppub.pem -rsa -si -nalg %%H -halg %%H -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ %TPM_EXE_PATH%publicname -ider tmppub.der -rsa -si -nalg %%H -halg %%H -on tmp.bin -v > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the rsa %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "publicname ECC"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create an ecc nistp256 %%H key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -nalg %%H -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the ecc %%H key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! 
NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ %TPM_EXE_PATH%publicname -ipu tmppub.bin -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the ecc public key to PEM format"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the ecc %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "loadexternal the ecc PEM public key"
+ %TPM_EXE_PATH%loadexternal -ipem tmppub.pem -si -ecc -nalg %%H -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the PEM Name"
+ %TPM_EXE_PATH%publicname -ipem tmppub.pem -ecc -si -nalg %%H -halg %%H -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin -pubout
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ %TPM_EXE_PATH%publicname -ider tmppub.der -ecc -si -nalg %%H -halg %%H -on tmp.bin -v > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the ecc %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "publicname NV"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "NV Define Space %%H"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -sz 16 -nalg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 -opu tmppub.bin -on tmpname.bin > run.out
+ IF !ERRORLEVEL! 
NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the NV Index Name"
+ %TPM_EXE_PATH%publicname -invpu tmppub.bin -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the NV Index result"
+ diff tmp.bin tmpname.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rm pssig.bin
+rm run.out
+rm sig.bin
+rm tkt.bin
+rm tmp.bin
+rm tmpdup.bin
+rm tmphkey.bin
+rm tmpname.bin
+rm tmppol.bin
+rm tmppriv.bin
+rm tmppub.bin
+rm tmppub.der
+rm tmppub.pem
+rm tmpsig.bin
+rm tmpsipriv.bin
+rm tmpsipriv1.bin
+rm tmpsipub.bin
+rm tmpss.bin
+rm tmpstpriv.bin
+rm tmpstpub.bin
+
+exit /B 0
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 01000000
+REM # getcapability -cap 1 -pr 02000000
+REM # getcapability -cap 1 -pr 03000000 |