From cf63f6bb2128a181b3486d2cf09b8421b16d5dbc Mon Sep 17 00:00:00 2001
From: Chris Coulson
Date: Mon, 20 Nov 2023 15:54:43 +0000
Subject: [PATCH] tpm2: simplify TPMConnection.init and remove the EndorsementKey method
---
 tpm2/provisioning_test.go | 13 +------------
 tpm2/tpm.go | 25 ++++++++-----------------
 tpm2/tpm_test.go | 9 ---------
 3 files changed, 9 insertions(+), 38 deletions(-)
diff --git a/tpm2/provisioning_test.go b/tpm2/provisioning_test.go
index a3daeb3a..38e860a8 100644
--- a/tpm2/provisioning_test.go
+++ b/tpm2/provisioning_test.go
@@ -97,7 +97,6 @@ type testProvisionNewTPMData struct {
 }
 func (s *provisioningSimulatorSuite) testProvisionNewTPM(c *C, data *testProvisionNewTPMData) {
- origEk, _ := s.TPM().EndorsementKey()
 origHmacSession := s.TPM().HmacSession()
 c.Check(s.TPM().EnsureProvisioned(data.mode, data.lockoutAuth), IsNil)
@@ -139,11 +138,6 @@ func (s *provisioningSimulatorSuite) testProvisionNewTPM(c *C, data *testProvisi
 c.Check(s.TPM().HmacSession().Handle().Type(), Equals, tpm2.HandleTypeHMACSession)
 c.Check(s.TPM().HmacSession(), Not(Equals), origHmacSession)
- ek, err := s.TPM().EndorsementKey()
- c.Check(err, IsNil)
- c.Check(ek.Handle(), Equals, tcg.EKHandle)
- c.Check(ek, Not(Equals), origEk)
-
 // Make sure ProvisionTPM didn't leak transient objects
 handles, err := s.TPM().GetCapabilityHandles(tpm2.HandleTypeTransient.BaseHandle(), tpm2.CapabilityMaxProperties)
 c.Check(err, IsNil)
@@ -301,10 +295,10 @@ func (s *provisioningSuite) testProvisionRecreateEK(c *C, mode ProvisionMode) {
 s.HierarchyChangeAuth(c, tpm2.HandleLockout, nil)
 })
- origEk, _ := s.TPM().EndorsementKey()
 origHmacSession := s.TPM().HmacSession()
 ek, err := s.TPM().CreateResourceContextFromTPM(tcg.EKHandle)
+ c.Assert(err, IsNil)
 s.EvictControl(c, tpm2.HandleOwner, ek, ek.Handle())
 c.Check(s.TPM().EnsureProvisioned(mode, lockoutAuth), IsNil)
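Review bot: Removing the EndorsementKey assertions in the `@@ -139` hunk of testProvisionNewTPM leaves nothing in that hunk confirming that EnsureProvisioned actually left a persistent EK at tcg.EKHandle, and the same applies to the `@@ -316` hunk of testProvisionRecreateEK on the next line, which is the test named for EK re-creation. The check does not need the removed accessor: `_, err := s.TPM().CreateResourceContextFromTPM(tcg.EKHandle)` followed by `c.Check(err, IsNil)` keeps that coverage (using `=` rather than `:=` in testProvisionRecreateEK, where `ek, err` are already declared in the `@@ -301` hunk). Both functions extend outside the hunks, so this may already be asserted elsewhere; if so, nothing to do. The `Not(Equals), origEk` identity check is lost in any case now that the accessor is gone.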
@@ -316,11 +310,6 @@ func (s *provisioningSuite) testProvisionRecreateEK(c *C, mode ProvisionMode) {
 c.Check(s.TPM().HmacSession().Handle().Type(), Equals, tpm2.HandleTypeHMACSession)
 c.Check(s.TPM().HmacSession(), Not(Equals), origHmacSession)
 c.Check(origHmacSession.Handle(), Equals, tpm2.HandleUnassigned)
-
- ek, err = s.TPM().EndorsementKey()
- c.Check(err, IsNil)
- c.Check(ek.Handle(), Equals, tcg.EKHandle)
- c.Check(ek, Not(Equals), origEk)
 }
 func (s *provisioningSuite) TestRecreateEKFull(c *C) {
diff --git a/tpm2/tpm.go b/tpm2/tpm.go
index a998fcfa..c23a0d0c 100644
--- a/tpm2/tpm.go
+++ b/tpm2/tpm.go
@@ -33,7 +33,6 @@ import (
 // Connection corresponds to a connection to a TPM device, and is a wrapper around *tpm2.TPMContext.
 type Connection struct {
 *tpm2.TPMContext
- ek tpm2.ResourceContext
 provisionedSrk tpm2.ResourceContext
 hmacSession tpm2.SessionContext
 }
@@ -58,16 +57,6 @@ func (t *Connection) LockoutAuthSet() bool {
 return tpm2.PermanentAttributes(value)&tpm2.AttrLockoutAuthSet > 0
 }
-// EndorsementKey returns a reference to the TPM's persistent endorsement key, if one exists. If the endorsement key certificate has
-// been verified, the returned ResourceContext will correspond to the object for which the certificate was issued and can safely be
-// used to share secrets with the TPM.
-func (t *Connection) EndorsementKey() (tpm2.ResourceContext, error) {
- if t.ek == nil {
- return nil, ErrTPMProvisioning
- }
- return t.ek, nil
-}
-
 // HmacSession returns a HMAC session instance which was created in order to conduct a proof-of-ownership check of the private part
 // of the endorsement key on the TPM. It is retained in order to reduce the number of sessions that need to be created during unseal
 // operations, and is created with a symmetric algorithm so that it is suitable for parameter encryption.
@@ -88,18 +77,21 @@ func (t *Connection) Close() error {
 return t.TPMContext.Close()
 }
-func (t *Connection) init() error {
+func (t *Connection) init() (err error) {
 // Allow init to be called more than once by flushing the previous session
 if t.hmacSession != nil && t.hmacSession.Handle() != tpm2.HandleUnassigned {
 t.FlushContext(t.hmacSession)
 t.hmacSession = nil
 }
- t.ek = nil
 t.provisionedSrk = nil
- ek, _ := t.CreateResourceContextFromTPM(tcg.EKHandle)
-
- if ek != nil {
+ ek, err := t.CreateResourceContextFromTPM(tcg.EKHandle)
+ switch {
+ case tpm2.IsResourceUnavailableError(err, tcg.EKHandle):
+ // ok
+ case err != nil:
+ return xerrors.Errorf("cannot obtain EK context: %w", err)
+ default:
 // Do a sanity check that the public area returned from the TPM has the expected properties.
 // If it doesn't, then don't use it, as TPM2_StartAuthSession might fail.
 if ok, err := isObjectPrimaryKeyWithTemplate(t.TPMContext, t.EndorsementHandleContext(), ek, tcg.EKTemplate); err != nil {
@@ -127,7 +119,6 @@ func (t *Connection) init() error {
 succeeded = true
- t.ek = ek
 t.hmacSession = session
 return nil
 }
diff --git a/tpm2/tpm_test.go b/tpm2/tpm_test.go
index 7ca37831..c18ebc46 100644
--- a/tpm2/tpm_test.go
+++ b/tpm2/tpm_test.go
@@ -120,15 +120,6 @@ func (s *tpmSuiteCommon) testConnectToDefaultTPM(c *C, hasEk bool) {
 c.Check(tpm.Close(), IsNil)
 }()
- ek, err := tpm.EndorsementKey()
- if !hasEk {
- c.Check(ek, IsNil)
- c.Check(err, Equals, ErrTPMProvisioning)
- } else {
- c.Check(ek.Handle(), Equals, tcg.EKHandle)
- c.Check(err, IsNil)
- }
-
 session := tpm.HmacSession()
 c.Check(session, NotNil)
 c.Check(session.Handle().Type(), Equals, tpm2.HandleTypeHMACSession)
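Review bot: In the `@@ -88` hunk of init the named result `err` is left holding the resource-unavailable error after the `case tpm2.IsResourceUnavailableError(err, tcg.EKHandle):` branch, because `ek, err :=` assigns the named result and the `// ok` case never resets it. Nothing in the hunk reads it afterwards, but init continues outside the hunk, and if a deferred cleanup or a bare `return` there consults `err`, the deliberately tolerated no-EK condition surfaces as a failure; resetting it in that case makes the intent explicit and replaces the uninformative comment: `err = nil // no persistent EK at tcg.EKHandle; continue without one`. Alternatively keep the unnamed `error` result, since `ek, err :=` compiles either way and the named form buys nothing visible in this hunk. Returning on other errors instead of the old `ek, _ :=` is an improvement worth keeping, as a transport or TPM failure is no longer misread as "no EK".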
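Review bot: The `@@ -120` hunk of testConnectToDefaultTPM removes the only visible use of `hasEk`, so the hunk no longer distinguishes a TPM that has a persistent EK from one that does not, while the parameter remains in the signature shown in the hunk header. The function continues beyond the hunk, so if nothing there still branches on it, either drop the parameter from the signature and its callers or keep the distinction by checking that `tpm.CreateResourceContextFromTPM(tcg.EKHandle)` succeeds when `hasEk` is true and yields `tpm2.IsResourceUnavailableError` otherwise. Without one of these the `hasEk` cases exercise the same assertions and the parameter documents a difference the test no longer verifies.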