[PATCH tpm-work 3/3] tpm2: Make libtss directly linked
James Bottomley
James.Bottomley at HansenPartnership.com
Sun Jul 29 23:31:48 CEST 2018
In the original proof of concept, the tpm2 handling library (libtss)
was dynamically pulled into gpg-agent if it existed. Now that tpm2
handling has been moved out to a separate daemon, gpg-agent will do
the right thing if the daemon can't be spawned, so the tss library can
be directly linked to the tpm2daemon.
Signed-off-by: James Bottomley <James.Bottomley at HansenPartnership.com>
---
configure.ac | 5 +-
tpm2d/Makefile.am | 2 +-
tpm2d/tpm2.c | 191 ++++++++++++++++++------------------------------------
3 files changed, 67 insertions(+), 131 deletions(-)
diff --git a/configure.ac b/configure.ac
index 5797883b3..7ce050c15 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1593,10 +1593,13 @@ AC_SUBST(W32SOCKLIBS)
#
# TPM libtss library .. don't compile TPM support if we don't have it
#
-AC_CHECK_LIB(tss, TSS_Create, [have_libtss=yes])
+AC_CHECK_LIB(tss, TSS_Create,
+ [ LIBTSS_LIBS="-ltss $LIBTSS_LIBS"
+ have_libtss=yes ])
if test "$have_libtss" = yes; then
AC_DEFINE(HAVE_LIBTSS, 1, [Defined if we have TPM2 support library])
fi
+AC_SUBST(LIBTSS_LIBS)
AM_CONDITIONAL(HAVE_LIBTSS, test "$have_libtss" = yes)
#
diff --git a/tpm2d/Makefile.am b/tpm2d/Makefile.am
index 3507ae394..85e9f4267 100644
--- a/tpm2d/Makefile.am
+++ b/tpm2d/Makefile.am
@@ -14,5 +14,5 @@ tpm2daemon_SOURCES = command.c \
tpm2daemon_LDADD = $(libcommonpth) \
$(LIBGCRYPT_LIBS) $(LIBASSUAN_LIBS) $(NPTH_LIBS) \
- $(GPG_ERROR_LIBS) $(LIBINTL) $(LIBICONV)
+ $(GPG_ERROR_LIBS) $(LIBINTL) $(LIBICONV) $(LIBTSS_LIBS)
endif
diff --git a/tpm2d/tpm2.c b/tpm2d/tpm2.c
index 4eabcf57a..3b00f6e93 100644
--- a/tpm2d/tpm2.c
+++ b/tpm2d/tpm2.c
@@ -20,31 +20,6 @@
#include <tss2/Unmarshal_fp.h>
#include <tss2/tsscryptoh.h>
-/* List of tss2 functions we use. This is macro jiggery-pokery:
- * the F argument gives us the ability to run an arbitrary macro over
- * the function list as for each function do macro F */
-#define _TSS2_LIST(F) \
- F(TSS_Create); \
- F(TSS_SetProperty); \
- F(TSS_Execute); \
- F(TSS_ResponseCode_toString); \
- F(TPM2B_PUBLIC_Unmarshal); \
- F(TPM2B_PRIVATE_Unmarshal); \
- F(TSS_TPM2B_PUBLIC_Marshal); \
- F(TSS_TPMT_PUBLIC_Marshal); \
- F(TSS_TPM2B_PRIVATE_Marshal); \
- F(TSS_UINT16_Marshal); \
- F(TSS_TPMT_SENSITIVE_Marshal); \
- F(TSS_SetProperty); \
- F(TSS_GetDigestSize); \
- F(TSS_Hash_Generate); \
- F(TSS_Delete);
-
-/* create static declarations for the function pointers */
-#define _DL_DECLARE(func) \
- static typeof(func) *p##func
-_TSS2_LIST(_DL_DECLARE);
-
static const char *tpm2_dir;
/* The TPM builds a small database of active files representing key
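Review bot: Removing the `_TSS2_LIST`/`_DL_DECLARE` machinery here and `tpm2_init` in the next hunk takes away the only users of dlopen/dlsym, `strerror(errno)` and the `TSS2_LIB` library name, but nothing in the patch drops the includes or the define that supported them. If `<dlfcn.h>`/`<errno.h>` and the `TSS2_LIB` definition live above this hunk (not visible here), they are now dead, and `TSS2_LIB` in particular would mislead a reader into thinking the library is still located by name at run time rather than linked at build time. Worth a follow-up pass over the top of tpm2.c, and over any `-ldl` that configure.ac or the Makefile added for the old dlopen path.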
@@ -76,54 +51,12 @@ tpm2_set_unique_tssdir(void)
return dir;
}
-/* now dynamically load the tss library (if it exists) and resolve the
- * above symbols. This allows us simply to return 0 for tpm2_init on
- * systems where there is no TPM library */
-static int
-tpm2_init(void)
-{
- static int inited = 0;
- const char *sym;
- void *dl;
-
- if (inited)
- return 0;
-
- dl = dlopen(TSS2_LIB, RTLD_LAZY);
-
- if (!dl)
- {
- log_error("opening of tss2 library failed %s\n", strerror(errno));
- return GPG_ERR_CARD_NOT_PRESENT;
- }
-
- /* load each symbol pointer and check for existence */
-# define _DL_SYM(func) \
- sym = #func; \
- p##func = dlsym(dl, #func); \
- if (p##func == NULL) \
- goto out_symfail
-
- _TSS2_LIST(_DL_SYM);
-
- tpm2_dir = tpm2_set_unique_tssdir();
- if (!tpm2_dir)
- /* make this non fatal */
- log_error("Failed to set unique TPM directory\n");
- inited = 1;
- return 0;
-
- out_symfail:
- log_error("Failed to find symbol %s in tss2 library\n", sym);
- return GPG_ERR_CARD_NOT_PRESENT;
-}
-
static void
tpm2_error(TPM_RC rc, char *prefix)
{
const char *msg, *submsg, *num;
- pTSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
log_error("%s gave TPM2 Error: %s%s%s", prefix, msg, submsg, num);
}
@@ -139,21 +72,21 @@ int
tpm2_start(TSS_CONTEXT **tssc)
{
TPM_RC rc;
- int ret;
- ret = tpm2_init();
- if (ret)
- return ret;
+ tpm2_dir = tpm2_set_unique_tssdir();
+ if (!tpm2_dir)
+ /* make this non fatal */
+ log_error("Failed to set unique TPM directory\n");
- _TSS_CHECK(pTSS_Create(tssc));
- _TSS_CHECK(pTSS_SetProperty(*tssc, TPM_DATA_DIR, tpm2_dir));
+ _TSS_CHECK(TSS_Create(tssc));
+ _TSS_CHECK(TSS_SetProperty(*tssc, TPM_DATA_DIR, tpm2_dir));
return 0;
}
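Review bot: tpm2_start now calls tpm2_set_unique_tssdir() on every invocation, whereas the removed tpm2_init did it once under its `inited` guard; if tpm2_set_unique_tssdir allocates the string or creates a fresh directory each time (its body is outside this hunk), every TSS context ends up with a different data directory and the previous `tpm2_dir` value is silently dropped. Keeping the once-only behaviour is a one-line guard: `if (!tpm2_dir) tpm2_dir = tpm2_set_unique_tssdir();`. The "make this non fatal" path also still reaches `TSS_SetProperty(*tssc, TPM_DATA_DIR, tpm2_dir)` with a NULL `tpm2_dir`; if that is intended to mean "use the library default", the comment should say so, since as written it reads like an oversight.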
void
tpm2_end(TSS_CONTEXT *tssc)
{
- pTSS_Delete(tssc);
+ TSS_Delete(tssc);
}
void
@@ -165,11 +98,11 @@ tpm2_flush_handle(TSS_CONTEXT *tssc, TPM_HANDLE h)
return;
in.flushHandle = h;
- pTSS_Execute(tssc, NULL,
- (COMMAND_PARAMETERS *)&in,
- NULL,
- TPM_CC_FlushContext,
- TPM_RH_NULL, NULL, 0);
+ TSS_Execute(tssc, NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_FlushContext,
+ TPM_RH_NULL, NULL, 0);
}
static int
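Review bot: The TPM_RC returned by `TSS_Execute` for TPM_CC_FlushContext is discarded, so a failed flush is silent and the transient handle stays loaded in the TPM, while every other `TSS_Execute` call in this file routes failures through tpm2_error. Suggest `rc = TSS_Execute(tssc, NULL, (COMMAND_PARAMETERS *)&in, NULL, TPM_CC_FlushContext, TPM_RH_NULL, NULL, 0); if (rc) tpm2_error(rc, "TPM2_FlushContext");`, with a `TPM_RC rc;` local declared at the head of tpm2_flush_handle, which starts outside this hunk. The same dropped-return pattern recurs in the renamed `TSS_UINT16_Marshal`/`TSS_TPMT_SENSITIVE_Marshal` calls and `TSS_Hash_Generate` in tpm2_SensitiveToDuplicate and the `TSS_TPM2B_*_Marshal` calls in tpm2_import_key, where the byte counters those calls update are used afterwards regardless.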
@@ -195,12 +128,12 @@ tpm2_get_hmac_handle(TSS_CONTEXT *tssc, TPM_HANDLE *handle,
ReadPublic_Out rout;
rin.objectHandle = salt_key;
- rc = pTSS_Execute (tssc,
- (RESPONSE_PARAMETERS *)&rout,
- (COMMAND_PARAMETERS *)&rin,
- NULL,
- TPM_CC_ReadPublic,
- TPM_RH_NULL, NULL, 0);
+ rc = TSS_Execute (tssc,
+ (RESPONSE_PARAMETERS *)&rout,
+ (COMMAND_PARAMETERS *)&rin,
+ NULL,
+ TPM_CC_ReadPublic,
+ TPM_RH_NULL, NULL, 0);
if (rc) {
tpm2_error(rc, "TPM2_ReadPublic");
return GPG_ERR_CARD;
@@ -211,12 +144,12 @@ tpm2_get_hmac_handle(TSS_CONTEXT *tssc, TPM_HANDLE *handle,
* construct the salt */
in.tpmKey = salt_key;
}
- rc = pTSS_Execute(tssc,
- (RESPONSE_PARAMETERS *)&out,
- (COMMAND_PARAMETERS *)&in,
- (EXTRA_PARAMETERS *)&extra,
- TPM_CC_StartAuthSession,
- TPM_RH_NULL, NULL, 0);
+ rc = TSS_Execute(tssc,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ (EXTRA_PARAMETERS *)&extra,
+ TPM_CC_StartAuthSession,
+ TPM_RH_NULL, NULL, 0);
if (rc) {
tpm2_error(rc, "TPM2_StartAuthSession");
return GPG_ERR_CARD;
@@ -246,10 +179,10 @@ tpm2_exec_with_auth(ctrl_t ctrl, TSS_CONTEXT *tssc,
if (rc)
return rc;
- rc = pTSS_Execute(tssc, out, in, NULL,
- cmd,
- ah, auth, 0,
- TPM_RH_NULL, NULL, 0);
+ rc = TSS_Execute(tssc, out, in, NULL,
+ cmd,
+ ah, auth, 0,
+ TPM_RH_NULL, NULL, 0);
gcry_free (auth);
if (rc) {
tpm2_error(rc, cmd_str);
@@ -329,21 +262,21 @@ tpm2_load_key(TSS_CONTEXT *tssc, const unsigned char *shadow_info,
buf = (BYTE *)priv;
size = priv_len;
- pTPM2B_PRIVATE_Unmarshal(&in.inPrivate, &buf, &size);
+ TPM2B_PRIVATE_Unmarshal(&in.inPrivate, &buf, &size);
buf = (BYTE *)pub;
size = pub_len;
- pTPM2B_PUBLIC_Unmarshal(&in.inPublic, &buf, &size, FALSE);
+ TPM2B_PUBLIC_Unmarshal(&in.inPublic, &buf, &size, FALSE);
*type = in.inPublic.publicArea.type;
- rc = pTSS_Execute(tssc,
- (RESPONSE_PARAMETERS *)&out,
- (COMMAND_PARAMETERS *)&in,
- NULL,
- TPM_CC_Load,
- TPM_RS_PW, NULL, 0,
- TPM_RH_NULL, NULL, 0);
+ rc = TSS_Execute(tssc,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Load,
+ TPM_RS_PW, NULL, 0,
+ TPM_RH_NULL, NULL, 0);
if (rc != TPM_RC_SUCCESS) {
tpm2_error(rc, "TPM2_Load");
return GPG_ERR_CARD;
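Review bot: `TPM2B_PRIVATE_Unmarshal` and `TPM2B_PUBLIC_Unmarshal` return a TPM_RC that is dropped here, yet they parse `priv`/`pub`, which presumably come from the `shadow_info` blob the function receives (i.e. data read back from the key store, not from the TPM). A truncated or corrupted blob leaves `in.inPrivate`/`in.inPublic` partially filled, `*type` is then read from it, and the half-parsed structure is still sent to TPM2_Load. Check both: `rc = TPM2B_PRIVATE_Unmarshal(&in.inPrivate, &buf, &size); if (rc) { tpm2_error(rc, "TPM2B_PRIVATE_Unmarshal"); return GPG_ERR_BAD_SECKEY; }` and the same for the public unmarshal before `*type` is assigned. tpm2_load_key's body begins outside this hunk.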
@@ -701,16 +634,16 @@ tpm2_ObjectPublic_GetName(TPM2B_NAME *name,
if (rc == 0) {
INT32 size = MAX_RESPONSE_SIZE;
uint8_t *buffer1 = buffer;
- rc = pTSS_TPMT_PUBLIC_Marshal(tpmtPublic, &written, &buffer1, &size);
+ rc = TSS_TPMT_PUBLIC_Marshal(tpmtPublic, &written, &buffer1, &size);
}
/* hash the public area */
if (rc == 0) {
- sizeInBytes = pTSS_GetDigestSize(tpmtPublic->nameAlg);
+ sizeInBytes = TSS_GetDigestSize(tpmtPublic->nameAlg);
digest.hashAlg = tpmtPublic->nameAlg; /* Name digest algorithm */
/* generate the TPMT_HA */
- rc = pTSS_Hash_Generate(&digest,
- written, buffer,
- 0, NULL);
+ rc = TSS_Hash_Generate(&digest,
+ written, buffer,
+ 0, NULL);
}
if (rc == 0) {
TPMI_ALG_HASH nameAlgNbo;
@@ -749,7 +682,7 @@ TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
if (symdef->algorithm == TPM_ALG_AES
&& symdef->mode.aes == TPM_ALG_CFB) {
TPMT_HA hash;
- const int hlen = pTSS_GetDigestSize(nalg);
+ const int hlen = TSS_GetDigestSize(nalg);
TPM2B *digest = (TPM2B *)buf;
TPM2B *s2b;
int32_t size;
@@ -771,16 +704,16 @@ TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
buf = (BYTE *)&digest->size;
bsize = hlen;
size = 2;
- pTSS_UINT16_Marshal(&bsize, &written, &buf, &size);
+ TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
/* marshal the unencrypted sensitive in place */
size = sizeof(*s);
bsize = 0;
buf = s2b->buffer;
- pTSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
+ TSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
buf = (BYTE *)&s2b->size;
size = 2;
- pTSS_UINT16_Marshal(&bsize, &written, &buf, &size);
+ TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
bsize = bsize + sizeof(s2b->size);
p->t.size += bsize;
@@ -788,9 +721,9 @@ TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
/* compute hash of unencrypted marshalled sensitive and
* write to the digest buffer */
hash.hashAlg = nalg;
- pTSS_Hash_Generate(&hash, bsize, s2b,
- name->t.size, name->t.name,
- 0, NULL);
+ TSS_Hash_Generate(&hash, bsize, s2b,
+ name->t.size, name->t.name,
+ 0, NULL);
memcpy(digest->buffer, &hash.digest, hlen);
gcry_cipher_open (&hd, GCRY_CIPHER_AES128,
GCRY_CIPHER_MODE_CFB, GCRY_CIPHER_SECURE);
@@ -808,10 +741,10 @@ TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
buf = s2b->buffer;
/* marshal the unencrypted sensitive in place */
- pTSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
+ TSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
buf = (BYTE *)&s2b->size;
size = 2;
- pTSS_UINT16_Marshal(&bsize, &written, &buf, &size);
+ TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
p->b.size += bsize + sizeof(s2b->size);
} else {
@@ -894,13 +827,13 @@ tpm2_import_key(ctrl_t ctrl, TSS_CONTEXT *tssc,
if (rc)
return GPG_ERR_CARD;
- rc = pTSS_Execute(tssc,
- (RESPONSE_PARAMETERS *)&iout,
- (COMMAND_PARAMETERS *)&iin,
- NULL,
- TPM_CC_Import,
- ah, NULL, TPMA_SESSION_DECRYPT,
- TPM_RH_NULL, NULL, 0);
+ rc = TSS_Execute(tssc,
+ (RESPONSE_PARAMETERS *)&iout,
+ (COMMAND_PARAMETERS *)&iin,
+ NULL,
+ TPM_CC_Import,
+ ah, NULL, TPMA_SESSION_DECRYPT,
+ TPM_RH_NULL, NULL, 0);
if (rc) {
tpm2_error(rc, "TPM2_Import");
/* failure means auth handle is not flushed */
@@ -911,15 +844,15 @@ tpm2_import_key(ctrl_t ctrl, TSS_CONTEXT *tssc,
size = sizeof(TPM2B_PUBLIC);
buffer = pub;
len = 0;
- pTSS_TPM2B_PUBLIC_Marshal(&iin.objectPublic,
+ TSS_TPM2B_PUBLIC_Marshal(&iin.objectPublic,
&len, &buffer, &size);
*pub_len = len;
size = sizeof(TPM2B_PRIVATE);
buffer = priv;
len = 0;
- pTSS_TPM2B_PRIVATE_Marshal(&iout.outPrivate,
- &len, &buffer, &size);
+ TSS_TPM2B_PRIVATE_Marshal(&iout.outPrivate,
+ &len, &buffer, &size);
*priv_len = len;
return 0;
--
2.13.7