Google Git
Sign in
qemu / skiboot / b1e22c7c91185f230a734a74239f4d03fed500af / . / libstb / tss2 / ibmtpm20tss / utils / policymaker.c
blob: 7290ed722d6cdddcf25ee00365e0096ceb1cef79 [file] [log] [blame]
/********************************************************************************/
/* */
/* policymaker */
/* Written by Ken Goldman */
/* IBM Thomas J. Watson Research Center */
/* */
/* (c) Copyright IBM Corporation 2015 - 2019 */
/* */
/* All rights reserved. */
/* */
/* Redistribution and use in source and binary forms, with or without */
/* modification, are permitted provided that the following conditions are */
/* met: */
/* */
/* Redistributions of source code must retain the above copyright notice, */
/* this list of conditions and the following disclaimer. */
/* */
/* Redistributions in binary form must reproduce the above copyright */
/* notice, this list of conditions and the following disclaimer in the */
/* documentation and/or other materials provided with the distribution. */
/* */
/* Neither the names of the IBM Corporation nor the names of its */
/* contributors may be used to endorse or promote products derived from */
/* this software without specific prior written permission. */
/* */
/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
/********************************************************************************/
/*
policymaker calculates a TPM2 policy hash
Inputs are:
a hash algorithm
a file with lines in hexascii, to be extended into the policy digest, big endian
NOTE: Empty lines (lines with just a newline character) are permitted and cause a double hash.
This is useful for e.g. TPM2_PolicySigned when the policyRef is empty.
Outputs are:
if specified, a file with a binary digest
if specified, a print of the hash
Example input: policy command code with a command code of NV write
0000016c00000137
TPM2_PolicyCounterTimer is handled as a special case, where there is a double hash.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <ibmtss/tss.h>
#include <ibmtss/tssutils.h>
#include <ibmtss/tsscryptoh.h>
#include <ibmtss/tsscrypto.h>
static void printUsage(void);
static int Format_FromHexascii(unsigned char *binary,
const char *string,
size_t length);
static int Format_ByteFromHexascii(unsigned char *byte,
const char *string);
extern int tssUtilsVerbose;
int main(int argc, char *argv[])
{
TPM_RC rc = 0;
int i; /* argc iterator */
char *prc = NULL; /* pointer return code */
const char *inFilename = NULL;
const char *outFilename = NULL;
int pr = FALSE;
int nz = FALSE;
int noSpace = FALSE;
TPMT_HA digest;
/* initialized to suppress false gcc -O3 warning */
uint32_t sizeInBytes = 0; /* hash algorithm mapped to size */
uint32_t startSizeInBytes = 0; /* starting buffer for extend */
FILE *inFile = NULL;
FILE *outFile = NULL;
setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
tssUtilsVerbose = FALSE;
/* command line defaults */
digest.hashAlg = TPM_ALG_SHA256;
for (i=1 ; (i<argc) && (rc == 0) ; i++) {
if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
if (strcmp(argv[i],"sha1") == 0) {
digest.hashAlg = TPM_ALG_SHA1;
}
else if (strcmp(argv[i],"sha256") == 0) {
digest.hashAlg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
digest.hashAlg = TPM_ALG_SHA384;
}
else if (strcmp(argv[i],"sha512") == 0) {
digest.hashAlg = TPM_ALG_SHA512;
}
else {
printf("Bad parameter %s for -halg\n", argv[i]);
printUsage();
}
}
else {
printf("Missing parameter for -hi\n");
printUsage();
}
}
else if (strcmp(argv[i],"-if") == 0) {
i++;
if (i < argc) {
inFilename = argv[i];
}
else {
printf("-if option needs a value\n");
printUsage();
}
}
else if (strcmp(argv[i],"-of") == 0) {
i++;
if (i < argc) {
outFilename = argv[i];
}
else {
printf("-of option needs a value\n");
printUsage();
}
}
else if (strcmp(argv[i],"-pr") == 0) {
pr = TRUE;
}
else if (strcmp(argv[i],"-nz") == 0) {
nz = TRUE;
}
else if (strcmp(argv[i],"-ns") == 0) {
noSpace = TRUE;
}
else if (strcmp(argv[i],"-h") == 0) {
printUsage();
}
else if (strcmp(argv[i],"-v") == 0) {
tssUtilsVerbose = TRUE;
TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
}
else {
printf("\n%s is not a valid option\n", argv[i]);
printUsage();
}
}
if (inFilename == NULL) {
printf("Missing input file parameter -if\n");
printUsage();
}
/* open the input file */
if (rc == 0) {
inFile = fopen(inFilename, "r");
if (inFile == NULL) {
printf("Error opening %s for %s, %s\n", inFilename, "r", strerror(errno));
rc = EXIT_FAILURE;
}
}
if (rc == 0) {
sizeInBytes = TSS_GetDigestSize(digest.hashAlg);
/* startauthsession sets session digest to zero */
if (!nz) {
startSizeInBytes = sizeInBytes;
memset((uint8_t *)&digest.digest, 0, sizeInBytes);
}
else { /* nz TRUE, start with empty buffer */
startSizeInBytes = 0;
}
}
/* iterate through each line */
do {
char lineString[10240]; /* returned line in hex ascii */
unsigned char lineBinary[5120]; /* returned line in binary */
size_t lineLength;
if (rc == 0) {
prc = fgets(lineString, sizeof(lineString), inFile);
}
if (prc != NULL) {
/* convert hex ascii to binary */
if (rc == 0) {
lineLength = strlen(lineString);
rc = Format_FromHexascii(lineBinary,
lineString, lineLength/2);
}
if (rc == 0) {
/* not TPM2_PolicyCounterTimer */
if (memcmp(lineString, "0000016d", 8) != 0) {
/* hash extend digest.digest with line */
if (rc == 0) {
rc = TSS_Hash_Generate(&digest,
startSizeInBytes, (uint8_t *)&digest.digest,
lineLength /2, lineBinary,
0, NULL);
}
}
/* TPM2_PolicyCounterTimer is a special case - double hash */
else {
TPMT_HA args;
args.hashAlg = digest.hashAlg;
if (rc == 0) {
/* args is a hash of the arguments excluding the command code */
rc = TSS_Hash_Generate(&args,
(lineLength /2) -4, lineBinary +4,
0, NULL);
}
if (rc == 0) {
uint8_t commandCode[] = {0x00, 0x00, 0x01, 0x6d};
rc = TSS_Hash_Generate(&digest,
startSizeInBytes, (uint8_t *)&digest.digest,
sizeof(commandCode), commandCode,
startSizeInBytes, (uint8_t *)&args.digest,
0, NULL);
}
}
}
if (rc == 0) {
if (tssUtilsVerbose) TSS_PrintAll("intermediate policy digest",
(uint8_t *)&digest.digest, sizeInBytes);
}
}
}
while ((rc == 0) && (prc != NULL));
if ((rc == 0) && pr) {
TSS_PrintAll("policy digest", (uint8_t *)&digest.digest, sizeInBytes);
}
if ((rc == 0) && noSpace) {
unsigned int b;
printf("policy digest:\n");
for (b = 0 ; b < sizeInBytes ; b++) {
printf("%02x", *(((uint8_t *)&digest.digest) + b));
}
printf("\n");
}
/* open the output file */
if ((rc == 0) && (outFilename != NULL)) {
outFile = fopen(outFilename, "wb");
if (outFile == NULL) {
printf("Error opening %s for %s, %s\n", outFilename , "W", strerror(errno));
rc = EXIT_FAILURE;
}
}
if ((rc == 0) && (outFilename != NULL)) {
fwrite((uint8_t *)&digest.digest, 1, sizeInBytes, outFile);
}
if (inFile != NULL) {
fclose(inFile);
}
if (outFile != NULL) {
fclose(outFile);
}
if (rc != 0) {
rc = EXIT_FAILURE;
}
return rc;
}
/* Format_FromHexAscii() converts 'string' in hex ascii to 'binary' of 'length'
It assumes that the string has enough bytes to accommodate the length.
*/
static int Format_FromHexascii(unsigned char *binary,
const char *string,
size_t length)
{
int rc = 0;
size_t i;
for (i = 0 ; (rc == 0) && (i < length) ; i++) {
rc = Format_ByteFromHexascii(binary + i,
string + (i * 2));
}
return rc;
}
/* Format_ByteFromHexAscii() converts two bytes of hex ascii to one byte of binary
*/
static int Format_ByteFromHexascii(unsigned char *byte,
const char *string)
{
int rc = 0;
size_t i;
char c;
*byte = 0;
for (i = 0 ; (rc == 0) && (i < 2) ; i++) {
(*byte) <<= 4; /* big endian, shift up the nibble */
c = *(string + i); /* extract the next character from the string */
if ((c >= '0') && (c <= '9')) {
*byte += c - '0';
}
else if ((c >= 'a') && (c <= 'f')) {
*byte += c + 10 - 'a';
}
else if ((c >= 'A') && (c <= 'F')) {
*byte += c + 10 - 'A';
}
else {
printf("Format_ByteFromHexascii: "
"Error: Line has non hex ascii character: %02x %c\n", c, c);
rc = EXIT_FAILURE;
}
}
return rc;
}
static void printUsage(void)
{
printf("\n");
printf("policymaker\n");
printf("\n");
printf("\t[-halg\thash algorithm (sha1 sha256 sha384 sha512) (default sha256)]\n");
printf("\t[-nz\tdo not extend starting with zeros, just hash the last line]\n");
printf("\t-if\tinput policy statements in hex ascii\n");
printf("\t[-of\toutput file - policy hash in binary]\n");
printf("\t[-pr\tstdout - policy hash in hex ascii]\n");
printf("\t[-ns\tadditionally print policy hash in hex ascii on one line]\n");
printf("\t\tUseful to paste into policy OR\n");
printf("\n");
exit(1);
}