tpm2: simplify TPMConnection.init and remove the EndorsementKey method

canonical · Nov 20, 2023 · cf63f6b · cf63f6b
1 parent ba09338
commit cf63f6b
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 38 deletions.
diff --git a/tpm2/provisioning_test.go b/tpm2/provisioning_test.go
@@ -97,7 +97,6 @@ type testProvisionNewTPMData struct {
 }
 
 func (s *provisioningSimulatorSuite) testProvisionNewTPM(c *C, data *testProvisionNewTPMData) {
-	origEk, _ := s.TPM().EndorsementKey()
 	origHmacSession := s.TPM().HmacSession()
 
 	c.Check(s.TPM().EnsureProvisioned(data.mode, data.lockoutAuth), IsNil)
@@ -139,11 +138,6 @@ func (s *provisioningSimulatorSuite) testProvisionNewTPM(c *C, data *testProvisi
 	c.Check(s.TPM().HmacSession().Handle().Type(), Equals, tpm2.HandleTypeHMACSession)
 	c.Check(s.TPM().HmacSession(), Not(Equals), origHmacSession)
 
-	ek, err := s.TPM().EndorsementKey()
-	c.Check(err, IsNil)
-	c.Check(ek.Handle(), Equals, tcg.EKHandle)
-	c.Check(ek, Not(Equals), origEk)
-
 	// Make sure ProvisionTPM didn't leak transient objects
 	handles, err := s.TPM().GetCapabilityHandles(tpm2.HandleTypeTransient.BaseHandle(), tpm2.CapabilityMaxProperties)
 	c.Check(err, IsNil)
@@ -301,10 +295,10 @@ func (s *provisioningSuite) testProvisionRecreateEK(c *C, mode ProvisionMode) {
 		s.HierarchyChangeAuth(c, tpm2.HandleLockout, nil)
 	})
 
-	origEk, _ := s.TPM().EndorsementKey()
 	origHmacSession := s.TPM().HmacSession()
 
 	ek, err := s.TPM().CreateResourceContextFromTPM(tcg.EKHandle)
+	c.Assert(err, IsNil)
 	s.EvictControl(c, tpm2.HandleOwner, ek, ek.Handle())
 
 	c.Check(s.TPM().EnsureProvisioned(mode, lockoutAuth), IsNil)
@@ -316,11 +310,6 @@ func (s *provisioningSuite) testProvisionRecreateEK(c *C, mode ProvisionMode) {
 	c.Check(s.TPM().HmacSession().Handle().Type(), Equals, tpm2.HandleTypeHMACSession)
 	c.Check(s.TPM().HmacSession(), Not(Equals), origHmacSession)
 	c.Check(origHmacSession.Handle(), Equals, tpm2.HandleUnassigned)
-
-	ek, err = s.TPM().EndorsementKey()
-	c.Check(err, IsNil)
-	c.Check(ek.Handle(), Equals, tcg.EKHandle)
-	c.Check(ek, Not(Equals), origEk)
 }
 
 func (s *provisioningSuite) TestRecreateEKFull(c *C) {

diff --git a/tpm2/tpm.go b/tpm2/tpm.go
@@ -33,7 +33,6 @@ import (
 // Connection corresponds to a connection to a TPM device, and is a wrapper around *tpm2.TPMContext.
 type Connection struct {
 	*tpm2.TPMContext
-	ek             tpm2.ResourceContext
 	provisionedSrk tpm2.ResourceContext
 	hmacSession    tpm2.SessionContext
 }
@@ -58,16 +57,6 @@ func (t *Connection) LockoutAuthSet() bool {
 	return tpm2.PermanentAttributes(value)&tpm2.AttrLockoutAuthSet > 0
 }
 
-// EndorsementKey returns a reference to the TPM's persistent endorsement key, if one exists. If the endorsement key certificate has
-// been verified, the returned ResourceContext will correspond to the object for which the certificate was issued and can safely be
-// used to share secrets with the TPM.
-func (t *Connection) EndorsementKey() (tpm2.ResourceContext, error) {
-	if t.ek == nil {
-		return nil, ErrTPMProvisioning
-	}
-	return t.ek, nil
-}
-
 // HmacSession returns a HMAC session instance which was created in order to conduct a proof-of-ownership check of the private part
 // of the endorsement key on the TPM. It is retained in order to reduce the number of sessions that need to be created during unseal
 // operations, and is created with a symmetric algorithm so that it is suitable for parameter encryption.
@@ -88,18 +77,21 @@ func (t *Connection) Close() error {
 	return t.TPMContext.Close()
 }
 
-func (t *Connection) init() error {
+func (t *Connection) init() (err error) {
 	// Allow init to be called more than once by flushing the previous session
 	if t.hmacSession != nil && t.hmacSession.Handle() != tpm2.HandleUnassigned {
 		t.FlushContext(t.hmacSession)
 		t.hmacSession = nil
 	}
-	t.ek = nil
 	t.provisionedSrk = nil
 
-	ek, _ := t.CreateResourceContextFromTPM(tcg.EKHandle)
-
-	if ek != nil {
+	ek, err := t.CreateResourceContextFromTPM(tcg.EKHandle)
+	switch {
+	case tpm2.IsResourceUnavailableError(err, tcg.EKHandle):
+		// ok
+	case err != nil:
+		return xerrors.Errorf("cannot obtain EK context: %w", err)
+	default:
 		// Do a sanity check that the public area returned from the TPM has the expected properties.
 		// If it doesn't, then don't use it, as TPM2_StartAuthSession might fail.
 		if ok, err := isObjectPrimaryKeyWithTemplate(t.TPMContext, t.EndorsementHandleContext(), ek, tcg.EKTemplate); err != nil {
@@ -127,7 +119,6 @@ func (t *Connection) init() error {
 
 	succeeded = true
 
-	t.ek = ek
 	t.hmacSession = session
 	return nil
 }

diff --git a/tpm2/tpm_test.go b/tpm2/tpm_test.go
@@ -120,15 +120,6 @@ func (s *tpmSuiteCommon) testConnectToDefaultTPM(c *C, hasEk bool) {
 		c.Check(tpm.Close(), IsNil)
 	}()
 
-	ek, err := tpm.EndorsementKey()
-	if !hasEk {
-		c.Check(ek, IsNil)
-		c.Check(err, Equals, ErrTPMProvisioning)
-	} else {
-		c.Check(ek.Handle(), Equals, tcg.EKHandle)
-		c.Check(err, IsNil)
-	}
-
 	session := tpm.HmacSession()
 	c.Check(session, NotNil)
 	c.Check(session.Handle().Type(), Equals, tpm2.HandleTypeHMACSession)