[PATCH tpm-work 3/3] tpm2: Make libtss directly linked

James Bottomley James.Bottomley at HansenPartnership.com
Sun Jul 29 23:31:48 CEST 2018


In the original proof of concept, the tpm2 handling library (libtss)
was dynamically pulled into gpg-agent if it existed.  Now that tpm2
handling has been moved out to a separate daemon, gpg-agent will do
the right thing if the daemon can't be spawned, so the tss library can
be directly linked to the tpm2daemon.

Signed-off-by: James Bottomley <James.Bottomley at HansenPartnership.com>
---
 configure.ac      |   5 +-
 tpm2d/Makefile.am |   2 +-
 tpm2d/tpm2.c      | 191 ++++++++++++++++++------------------------------------
 3 files changed, 67 insertions(+), 131 deletions(-)

diff --git a/configure.ac b/configure.ac
index 5797883b3..7ce050c15 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1593,10 +1593,13 @@ AC_SUBST(W32SOCKLIBS)
 #
 # TPM libtss library .. don't compile TPM support if we don't have it
 #
-AC_CHECK_LIB(tss, TSS_Create, [have_libtss=yes])
+AC_CHECK_LIB(tss, TSS_Create,
+		  [ LIBTSS_LIBS="-ltss $LIBTSS_LIBS"
+		    have_libtss=yes ])
 if test "$have_libtss" = yes; then
    AC_DEFINE(HAVE_LIBTSS, 1, [Defined if we have TPM2 support library])
 fi
+AC_SUBST(LIBTSS_LIBS)
 AM_CONDITIONAL(HAVE_LIBTSS, test "$have_libtss" = yes)
 
 #
diff --git a/tpm2d/Makefile.am b/tpm2d/Makefile.am
index 3507ae394..85e9f4267 100644
--- a/tpm2d/Makefile.am
+++ b/tpm2d/Makefile.am
@@ -14,5 +14,5 @@ tpm2daemon_SOURCES =  command.c \
 
 tpm2daemon_LDADD = $(libcommonpth) \
 	$(LIBGCRYPT_LIBS) $(LIBASSUAN_LIBS) $(NPTH_LIBS) \
-	$(GPG_ERROR_LIBS) $(LIBINTL) $(LIBICONV)
+	$(GPG_ERROR_LIBS) $(LIBINTL) $(LIBICONV) $(LIBTSS_LIBS)
 endif
diff --git a/tpm2d/tpm2.c b/tpm2d/tpm2.c
index 4eabcf57a..3b00f6e93 100644
--- a/tpm2d/tpm2.c
+++ b/tpm2d/tpm2.c
@@ -20,31 +20,6 @@
 #include <tss2/Unmarshal_fp.h>
 #include <tss2/tsscryptoh.h>
 
-/* List of tss2 functions we use.  This is macro jiggery-pokery:
- * the F argument gives us the ability to run an arbitrary macro over
- * the function list as for each function do macro F */
-#define _TSS2_LIST(F)                   \
-  F(TSS_Create);                        \
-  F(TSS_SetProperty);                   \
-  F(TSS_Execute);                       \
-  F(TSS_ResponseCode_toString);         \
-  F(TPM2B_PUBLIC_Unmarshal);            \
-  F(TPM2B_PRIVATE_Unmarshal);           \
-  F(TSS_TPM2B_PUBLIC_Marshal);          \
-  F(TSS_TPMT_PUBLIC_Marshal);           \
-  F(TSS_TPM2B_PRIVATE_Marshal);         \
-  F(TSS_UINT16_Marshal);                \
-  F(TSS_TPMT_SENSITIVE_Marshal);        \
-  F(TSS_SetProperty);                   \
-  F(TSS_GetDigestSize);                 \
-  F(TSS_Hash_Generate);                 \
-  F(TSS_Delete);
-
-/* create static declarations for the function pointers */
-#define _DL_DECLARE(func) \
-  static typeof(func) *p##func
-_TSS2_LIST(_DL_DECLARE);
-
 static const char *tpm2_dir;
 
 /* The TPM builds a small database of active files representing key
@@ -76,54 +51,12 @@ tpm2_set_unique_tssdir(void)
   return dir;
 }
 
-/* now dynamically load the tss library (if it exists) and resolve the
- * above symbols.  This allows us simply to return 0 for tpm2_init on
- * systems where there is no TPM library */
-static int
-tpm2_init(void)
-{
-  static int inited = 0;
-  const char *sym;
-  void *dl;
-
-  if (inited)
-    return 0;
-
-  dl = dlopen(TSS2_LIB, RTLD_LAZY);
-
-  if (!dl)
-    {
-      log_error("opening of tss2 library failed %s\n", strerror(errno));
-      return GPG_ERR_CARD_NOT_PRESENT;
-    }
-
-  /* load each symbol pointer and check for existence */
-# define _DL_SYM(func)                          \
-    sym = #func;                                \
-    p##func = dlsym(dl, #func);                 \
-      if (p##func == NULL)                      \
-        goto out_symfail
-
-  _TSS2_LIST(_DL_SYM);
-
-  tpm2_dir = tpm2_set_unique_tssdir();
-  if (!tpm2_dir)
-    /* make this non fatal */
-    log_error("Failed to set unique TPM directory\n");
-  inited = 1;
-  return 0;
-
- out_symfail:
-  log_error("Failed to find symbol %s in tss2 library\n", sym);
-  return GPG_ERR_CARD_NOT_PRESENT;
-}
-
 static void
 tpm2_error(TPM_RC rc, char *prefix)
 {
   const char *msg, *submsg, *num;
 
-  pTSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+  TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
   log_error("%s gave TPM2 Error: %s%s%s", prefix, msg, submsg, num);
 }
 
@@ -139,21 +72,21 @@ int
 tpm2_start(TSS_CONTEXT **tssc)
 {
   TPM_RC rc;
-  int ret;
 
-  ret = tpm2_init();
-  if (ret)
-    return ret;
+  tpm2_dir = tpm2_set_unique_tssdir();
+  if (!tpm2_dir)
+    /* make this non fatal */
+    log_error("Failed to set unique TPM directory\n");
 
-  _TSS_CHECK(pTSS_Create(tssc));
-  _TSS_CHECK(pTSS_SetProperty(*tssc, TPM_DATA_DIR, tpm2_dir));
+  _TSS_CHECK(TSS_Create(tssc));
+  _TSS_CHECK(TSS_SetProperty(*tssc, TPM_DATA_DIR, tpm2_dir));
   return 0;
 }
 
 void
 tpm2_end(TSS_CONTEXT *tssc)
 {
-  pTSS_Delete(tssc);
+  TSS_Delete(tssc);
 }
 
 void
@@ -165,11 +98,11 @@ tpm2_flush_handle(TSS_CONTEXT *tssc, TPM_HANDLE h)
                 return;
 
         in.flushHandle = h;
-        pTSS_Execute(tssc, NULL,
-                     (COMMAND_PARAMETERS *)&in,
-                     NULL,
-                     TPM_CC_FlushContext,
-                     TPM_RH_NULL, NULL, 0);
+        TSS_Execute(tssc, NULL,
+		    (COMMAND_PARAMETERS *)&in,
+		    NULL,
+		    TPM_CC_FlushContext,
+		    TPM_RH_NULL, NULL, 0);
 }
 
 static int
@@ -195,12 +128,12 @@ tpm2_get_hmac_handle(TSS_CONTEXT *tssc, TPM_HANDLE *handle,
     ReadPublic_Out rout;
 
     rin.objectHandle = salt_key;
-    rc = pTSS_Execute (tssc,
-                       (RESPONSE_PARAMETERS *)&rout,
-                       (COMMAND_PARAMETERS *)&rin,
-                       NULL,
-                       TPM_CC_ReadPublic,
-                       TPM_RH_NULL, NULL, 0);
+    rc = TSS_Execute (tssc,
+		      (RESPONSE_PARAMETERS *)&rout,
+		      (COMMAND_PARAMETERS *)&rin,
+		      NULL,
+		      TPM_CC_ReadPublic,
+		      TPM_RH_NULL, NULL, 0);
     if (rc) {
       tpm2_error(rc, "TPM2_ReadPublic");
       return GPG_ERR_CARD;
@@ -211,12 +144,12 @@ tpm2_get_hmac_handle(TSS_CONTEXT *tssc, TPM_HANDLE *handle,
      * construct the salt */
     in.tpmKey = salt_key;
   }
-  rc = pTSS_Execute(tssc,
-                    (RESPONSE_PARAMETERS *)&out,
-                    (COMMAND_PARAMETERS *)&in,
-                    (EXTRA_PARAMETERS *)&extra,
-                    TPM_CC_StartAuthSession,
-                    TPM_RH_NULL, NULL, 0);
+  rc = TSS_Execute(tssc,
+		   (RESPONSE_PARAMETERS *)&out,
+		   (COMMAND_PARAMETERS *)&in,
+		   (EXTRA_PARAMETERS *)&extra,
+		   TPM_CC_StartAuthSession,
+		   TPM_RH_NULL, NULL, 0);
   if (rc) {
     tpm2_error(rc, "TPM2_StartAuthSession");
     return GPG_ERR_CARD;
@@ -246,10 +179,10 @@ tpm2_exec_with_auth(ctrl_t ctrl, TSS_CONTEXT *tssc,
   if (rc)
     return rc;
 
-  rc = pTSS_Execute(tssc, out, in, NULL,
-                    cmd,
-                    ah, auth, 0,
-                    TPM_RH_NULL, NULL, 0);
+  rc = TSS_Execute(tssc, out, in, NULL,
+		   cmd,
+		   ah, auth, 0,
+		   TPM_RH_NULL, NULL, 0);
   gcry_free (auth);
   if (rc) {
     tpm2_error(rc, cmd_str);
@@ -329,21 +262,21 @@ tpm2_load_key(TSS_CONTEXT *tssc, const unsigned char *shadow_info,
 
   buf = (BYTE *)priv;
   size = priv_len;
-  pTPM2B_PRIVATE_Unmarshal(&in.inPrivate, &buf, &size);
+  TPM2B_PRIVATE_Unmarshal(&in.inPrivate, &buf, &size);
 
   buf = (BYTE *)pub;
   size = pub_len;
-  pTPM2B_PUBLIC_Unmarshal(&in.inPublic, &buf, &size, FALSE);
+  TPM2B_PUBLIC_Unmarshal(&in.inPublic, &buf, &size, FALSE);
 
   *type = in.inPublic.publicArea.type;
 
-  rc = pTSS_Execute(tssc,
-                    (RESPONSE_PARAMETERS *)&out,
-                    (COMMAND_PARAMETERS *)&in,
-                    NULL,
-                    TPM_CC_Load,
-                    TPM_RS_PW, NULL, 0,
-                    TPM_RH_NULL, NULL, 0);
+  rc = TSS_Execute(tssc,
+		   (RESPONSE_PARAMETERS *)&out,
+		   (COMMAND_PARAMETERS *)&in,
+		   NULL,
+		   TPM_CC_Load,
+		   TPM_RS_PW, NULL, 0,
+		   TPM_RH_NULL, NULL, 0);
   if (rc != TPM_RC_SUCCESS) {
     tpm2_error(rc, "TPM2_Load");
     return GPG_ERR_CARD;
@@ -701,16 +634,16 @@ tpm2_ObjectPublic_GetName(TPM2B_NAME *name,
   if (rc == 0) {
     INT32 size = MAX_RESPONSE_SIZE;
     uint8_t *buffer1 = buffer;
-    rc = pTSS_TPMT_PUBLIC_Marshal(tpmtPublic, &written, &buffer1, &size);
+    rc = TSS_TPMT_PUBLIC_Marshal(tpmtPublic, &written, &buffer1, &size);
   }
   /* hash the public area */
   if (rc == 0) {
-    sizeInBytes = pTSS_GetDigestSize(tpmtPublic->nameAlg);
+    sizeInBytes = TSS_GetDigestSize(tpmtPublic->nameAlg);
     digest.hashAlg = tpmtPublic->nameAlg;       /* Name digest algorithm */
     /* generate the TPMT_HA */
-    rc = pTSS_Hash_Generate(&digest,
-                            written, buffer,
-                            0, NULL);
+    rc = TSS_Hash_Generate(&digest,
+			   written, buffer,
+			   0, NULL);
   }
   if (rc == 0) {
     TPMI_ALG_HASH nameAlgNbo;
@@ -749,7 +682,7 @@ TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
   if (symdef->algorithm == TPM_ALG_AES
       && symdef->mode.aes == TPM_ALG_CFB) {
     TPMT_HA hash;
-    const int hlen = pTSS_GetDigestSize(nalg);
+    const int hlen = TSS_GetDigestSize(nalg);
     TPM2B *digest = (TPM2B *)buf;
     TPM2B *s2b;
     int32_t size;
@@ -771,16 +704,16 @@ TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
     buf = (BYTE *)&digest->size;
     bsize = hlen;
     size = 2;
-    pTSS_UINT16_Marshal(&bsize, &written, &buf, &size);
+    TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
 
     /* marshal the unencrypted sensitive in place */
     size = sizeof(*s);
     bsize = 0;
     buf = s2b->buffer;
-    pTSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
+    TSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
     buf = (BYTE *)&s2b->size;
     size = 2;
-    pTSS_UINT16_Marshal(&bsize, &written, &buf, &size);
+    TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
 
     bsize = bsize + sizeof(s2b->size);
     p->t.size += bsize;
@@ -788,9 +721,9 @@ TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
     /* compute hash of unencrypted marshalled sensitive and
      * write to the digest buffer */
     hash.hashAlg = nalg;
-    pTSS_Hash_Generate(&hash, bsize, s2b,
-                       name->t.size, name->t.name,
-                       0, NULL);
+    TSS_Hash_Generate(&hash, bsize, s2b,
+		      name->t.size, name->t.name,
+		      0, NULL);
     memcpy(digest->buffer, &hash.digest, hlen);
     gcry_cipher_open (&hd, GCRY_CIPHER_AES128,
 		      GCRY_CIPHER_MODE_CFB, GCRY_CIPHER_SECURE);
@@ -808,10 +741,10 @@ TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
     buf = s2b->buffer;
 
     /* marshal the unencrypted sensitive in place */
-    pTSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
+    TSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
     buf = (BYTE *)&s2b->size;
     size = 2;
-    pTSS_UINT16_Marshal(&bsize, &written, &buf, &size);
+    TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
 
     p->b.size += bsize + sizeof(s2b->size);
   } else {
@@ -894,13 +827,13 @@ tpm2_import_key(ctrl_t ctrl, TSS_CONTEXT *tssc,
   if (rc)
     return GPG_ERR_CARD;
 
-  rc = pTSS_Execute(tssc,
-                    (RESPONSE_PARAMETERS *)&iout,
-                    (COMMAND_PARAMETERS *)&iin,
-                    NULL,
-                    TPM_CC_Import,
-                    ah, NULL, TPMA_SESSION_DECRYPT,
-                    TPM_RH_NULL, NULL, 0);
+  rc = TSS_Execute(tssc,
+		   (RESPONSE_PARAMETERS *)&iout,
+		   (COMMAND_PARAMETERS *)&iin,
+		   NULL,
+		   TPM_CC_Import,
+		   ah, NULL, TPMA_SESSION_DECRYPT,
+		   TPM_RH_NULL, NULL, 0);
   if (rc) {
     tpm2_error(rc, "TPM2_Import");
     /* failure means auth handle is not flushed */
@@ -911,15 +844,15 @@ tpm2_import_key(ctrl_t ctrl, TSS_CONTEXT *tssc,
   size = sizeof(TPM2B_PUBLIC);
   buffer = pub;
   len = 0;
-  pTSS_TPM2B_PUBLIC_Marshal(&iin.objectPublic,
+  TSS_TPM2B_PUBLIC_Marshal(&iin.objectPublic,
                             &len, &buffer, &size);
   *pub_len = len;
 
   size = sizeof(TPM2B_PRIVATE);
   buffer = priv;
   len = 0;
-  pTSS_TPM2B_PRIVATE_Marshal(&iout.outPrivate,
-                             &len, &buffer, &size);
+  TSS_TPM2B_PRIVATE_Marshal(&iout.outPrivate,
+			    &len, &buffer, &size);
   *priv_len = len;
 
   return 0;
-- 
2.13.7




More information about the Gnupg-devel mailing list