internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
byte includeName = IncludeObjectNameInPolicyHash ? (byte)1 : (byte)0;
tpm.PolicyDuplicationSelect(sess, DupObjectName, NewParentName, includeName);
return(tpm._GetLastResponseCode());
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
TpmRc res;
if (AuthorizationHandle == null)
{
TpmHandle nvHandle, authHandle;
SessionBase nvAuth;
AssociatedPolicy.ExecutePolicyNvCallback(this, out authHandle,
out nvHandle, out nvAuth);
tpm[nvAuth].PolicyNV(authHandle, nvHandle, sess,
OperandB, Offset, Operation);
res = tpm._GetLastResponseCode();
if (!(nvAuth is Pwap))
{
tpm.FlushContext(nvAuth);
}
}
else
{
tpm[NvAccessAuth].PolicyNV(AuthorizationHandle, NvIndex, sess,
OperandB, Offset, Operation);
res = tpm._GetLastResponseCode();
}
return(res);
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
byte writtenName = IsNvIndexRequiredToHaveBeenWritten ? (byte)1 : (byte)0;
tpm.PolicyNvWritten(sess, writtenName);
return(tpm._GetLastResponseCode());
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
tpm.PolicyPassword(sess);
sess.SessIncludesAuth = true;
sess.PlaintextAuth = true;
return(tpm._GetLastResponseCode());
}
private TpmHandle[] GetAllLoadedEntities(Tpm2 tpm)
{
var handles = new List <TpmHandle>();
handles.AddRange(GetLoadedEntities(tpm, Ht.Transient));
handles.AddRange(GetLoadedEntities(tpm, Ht.LoadedSession));
handles.AddRange(GetLoadedEntities(tpm, TpmHelpers.GetEnumerator <Ht>("ActiveSession", "SavedSession")));
return(handles.ToArray());
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
if (ObjectName == null)
{
ObjectName = AuthorizingKey.GetName();
}
tpm.PolicyTicket(sess, ExpirationTime, CpHash, PolicyRef,
ObjectName, Ticket);
return(tpm._GetLastResponseCode());
}
public Tbs(Tpm2Device theUnderlyingTpm, bool tpmHasRm)
{
TpmDevice = theUnderlyingTpm;
Tpm = new Tpm2(TpmDevice);
ContextManager = new ObjectContextManager();
if (!tpmHasRm)
{
CleanTpm();
}
}
public Tbs(Tpm2Device theUnderlyingTpm, bool tpmHasRm)
{
TpmDevice = theUnderlyingTpm;
Tpm = new Tpm2(TpmDevice);
ContextManager = new ObjectContextManager();
if (!tpmHasRm)
{
CleanTpm();
}
}
/// <summary>
/// This sample demonstrates the creation and use of TPM NV-storage
/// </summary>
/// <param name="tpm">Reference to TPM object.</param>
void NVReadWrite(Tpm2 tpm)
{
//
// AuthValue encapsulates an authorization value: essentially a byte-array.
// OwnerAuth is the owner authorization value of the TPM-under-test. We
// assume that it (and other) auths are set to the default (null) value.
// If running on a real TPM, which has been provisioned by Windows, this
// value will be different. An administrator can retrieve the owner
// authorization value from the registry.
//
var ownerAuth = new AuthValue();
TpmHandle nvHandle = TpmHandle.NV(3001);
//
// Clean up any slot that was left over from an earlier run
//
tpm[ownerAuth]._AllowErrors().NvUndefineSpace(TpmHandle.RhOwner, nvHandle);
//
// Scenario 1 - write and read a 32-byte NV-slot
//
AuthValue nvAuth = AuthValue.FromRandom(8);
tpm[ownerAuth].NvDefineSpace(TpmHandle.RhOwner, nvAuth,
new NvPublic(nvHandle, TpmAlgId.Sha1,
NvAttr.Authread | NvAttr.Authwrite,
new byte[0], 32));
//
// Write some data
//
var nvData = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7 };
tpm[nvAuth].NvWrite(nvHandle, nvHandle, nvData, 0);
//
// And read it back
//
byte[] nvRead = tpm[nvAuth].NvRead(nvHandle, nvHandle, (ushort)nvData.Length, 0);
//
// Is it correct?
//
bool correct = nvData.SequenceEqual(nvRead);
if (!correct)
{
throw new Exception("NV data was incorrect.");
}
this.textBlock.Text += "NV data written and read. ";
//
// And clean up
//
tpm[ownerAuth].NvUndefineSpace(TpmHandle.RhOwner, nvHandle);
}
/// <summary>
/// Get the date of the specification from which the TPM was built.
/// </summary>
/// <param name="manufacturer"></param>
/// <param name="year"></param>
/// <param name="dayOfYear"></param>
/// <param name="tpm"></param>
public static void GetTpmInfo(Tpm2 tpm, out string manufacturer, out uint year, out uint dayOfYear)
{
// ReSharper disable once RedundantAssignment
manufacturer = "";
year = GetProperty(tpm, Pt.Year);
dayOfYear = GetProperty(tpm, Pt.DayOfYear);
uint manX = GetProperty(tpm, Pt.Manufacturer);
var arr = Marshaller.GetTpmRepresentation(manX);
manufacturer = (new System.Text.UTF8Encoding()).GetString(arr, 0, arr.Length);
}
/// <summary>
/// Returns error number, i.e. what is left after masking out auxiliary data
/// (such as format selector, version, and bad parameter index) from the
/// response code returned by TPM.
/// </summary>
public static TpmRc ErrorNumber(TpmRc rawResponse)
{
if (Tpm2.IsTbsError(rawResponse) || Tpm2.IsTssError(rawResponse))
{
return(rawResponse);
}
const uint Fmt1 = (uint)TpmRc.RcFmt1; // Format 1 code (TPM 2 only)
const uint Ver1 = (uint)TpmRc.RcVer1; // TPM 1 code (format 0 only)
const uint Warn = (uint)TpmRc.RcWarn; // Code is a warning (format 0 only)
uint mask = IsFmt1(rawResponse) ? Fmt1 | 0x3F : Warn | Ver1 | 0x7F;
return((TpmRc)((uint)rawResponse & mask));
}
TkVerified SignApproval(Tpm2 tpm, byte[] approvedPolicy, byte[] policyRef,
TpmHandle hSigKey, ISigSchemeUnion scheme = null)
{
byte[] name, qname;
TpmPublic pub = tpm.ReadPublic(hSigKey, out name, out qname);
byte[] dataToSign = Globs.Concatenate(approvedPolicy, policyRef);
byte[] aHash = CryptoLib.HashData(pub.nameAlg, dataToSign);
// Create an authorization certificate for the "approvedPolicy"
var sig = tpm.Sign(hSigKey, aHash, scheme, new TkHashcheck());
return(tpm.VerifySignature(hSigKey, aHash, sig));
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
byte[] nonceTpm = UseNonceTpm ? Globs.CopyData(sess.NonceTpm) : new byte[0];
if (AuthSess != null)
{
tpm._SetSessions(AuthSess);
}
Timeout = tpm.PolicySecret(AuthEntity, sess, nonceTpm,
CpHash, PolicyRef, ExpirationTime,
out Ticket);
return(tpm._GetLastResponseCode());
}
/// <summary>
/// Check if this TPM implements the given command.
/// The method sends the GetCapability command the first time it is called,
/// and reuses its results during subsequent invocations.
/// </summary>
/// <param name="commandCode">The command code to check.</param>
/// <returns>true if the given command is supported by this TPM instance.</returns>
public bool IsImplemented(TpmCc commandCode)
{
if (ImplementedCommands == null || ImplementedCommands.Length == 0)
{
ICapabilitiesUnion caps;
uint totalCommands = Tpm2.GetProperty(Tpm, Pt.TotalCommands);
Tpm.GetCapability(Cap.Commands, (uint)TpmCc.First, totalCommands, out caps);
ImplementedCommands = Globs.ConvertAll((caps as CcaArray).commandAttributes,
cmdAttr => (TpmCc)(cmdAttr & CcAttr.commandIndexBitMask))
.ToArray();
Debug.Assert(ImplementedCommands.Length != 0);
}
return(ImplementedCommands.Contains(commandCode));
}
/// <summary>
/// Run a path on the policy tree. The path is identified by the leaf identifier string. A session is
/// created and returned. If allowErrors is true then errors returned do not cause an exception (but
/// are returned in the response code).
/// </summary>
/// <param name="tpm"></param>
/// <param name="policySession"></param>
/// <param name="branchToEvaluate"></param>
/// <param name="allowErrors"></param>
/// <returns></returns>
public TpmRc RunPolicy(Tpm2 tpm, PolicyTree policyTree, string branchToEvaluate = null, bool allowErrors = false)
{
policyTree.AllowErrorsInPolicyEval = allowErrors;
PolicyAce leafAce = null;
// First, check that the policy is OK.
policyTree.CheckPolicy(branchToEvaluate, ref leafAce);
if (leafAce == null)
{
Globs.Throw("RunPolicy: Branch identifier " + branchToEvaluate + " does not exist");
}
var responseCode = TpmRc.Success;
try
{
if (allowErrors)
{
tpm._DisableExceptions();
}
tpm._InitializeSession(this);
// Walk up the tree from the leaf..
PolicyAce nextAce = leafAce;
while (nextAce != null)
{
responseCode = nextAce.Execute(tpm, this, policyTree);
if (responseCode != TpmRc.Success)
{
break;
}
// ..and continue along the path to the root
nextAce = nextAce.PreviousAce;
}
}
finally
{
if (allowErrors)
{
tpm._EnableExceptions();
}
}
return(responseCode);
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
byte[] nonceTpm = UseNonceTpm ? Globs.CopyData(sess.NonceTpm) : new byte[0];
TpmHandle sigKey;
// If we have both the authorizing signature and the corresponding
// signing key handle, we are good to go.
if (AuthSig == null)
{
var dataToSign = new Marshaller();
dataToSign.Put(nonceTpm, "");
// If we have a signing key we can build the challenge here
// (else we need to call out)
if (SwSigningKey != null)
{
dataToSign.Put(ExpirationTime, "");
dataToSign.Put(CpHash, "");
dataToSign.Put(PolicyRef, "");
// Just ask the key to sign the challenge
AuthSig = SwSigningKey.Sign(dataToSign.GetBytes());
sigKey = tpm.LoadExternal(null, SigningKeyPub, TpmRh.Owner);
}
else
{
TpmPublic verifier;
AuthSig = AssociatedPolicy.ExecuteSignerCallback(this, nonceTpm,
out verifier);
sigKey = tpm.LoadExternal(null, verifier, TpmRh.Owner);
}
}
else
{
sigKey = tpm.LoadExternal(null, SigningKeyPub, TpmRh.Owner);
}
Timeout = tpm.PolicySigned(sigKey, sess, nonceTpm,
CpHash, PolicyRef, ExpirationTime,
AuthSig, out Ticket);
TpmRc responseCode = tpm._GetLastResponseCode();
tpm.FlushContext(sigKey);
if (!KeepAuth)
{
AuthSig = null;
}
return(responseCode);
}
public static byte[] GetPcrProperty(Tpm2 tpm, PtPcr prop)
{
ICapabilitiesUnion caps;
tpm.GetCapability(Cap.PcrProperties, (uint)prop, 1, out caps);
TaggedPcrSelect[] props = (caps as TaggedPcrPropertyArray).pcrProperty;
if (props.Length == 0)
{
return(null);
}
if (props.Length != 1)
{
Globs.Throw("Unexpected return from GetCapability");
}
return(props[0].pcrSelect);
}
public static uint GetProperty(Tpm2 tpm, Pt tagToGet)
{
ICapabilitiesUnion caps;
tpm.GetCapability(Cap.TpmProperties, (uint)tagToGet, 1, out caps);
var props = (TaggedTpmPropertyArray)caps;
TaggedProperty[] arr = props.tpmProperty;
if (arr.Length != 1)
{
throw new Exception("Unexpected return from GetCapability");
}
uint val = arr[0].value;
return(val);
}
/// <summary>
/// Executes the hashing functionality. After parsing arguments, the
/// function connects to the selected TPM device and invokes the TPM
/// commands on that connection.
/// </summary>
static void Main()
{
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
ResetDALogic(tpm);
ResourceManager(tpm);
PowerAndLocality(tpm);
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
private TpmHandle[] GetLoadedEntities(Tpm2 tpm, Ht rangeToQuery)
{
const uint maxHandles = UInt32.MaxValue;
ICapabilitiesUnion h;
byte moreData = tpm.GetCapability(Cap.Handles, ((uint)rangeToQuery) << 24, maxHandles, out h);
if (moreData != 0)
{
throw new NotImplementedException("Too much data returned");
}
if (h.GetType() != typeof(HandleArray))
{
throw new Exception("Incorrect type");
}
var handles = (HandleArray)h;
return(handles.handle);
}
/// <summary>
/// Returns the cached name of an entity referenced by this handle. If the
/// name is not cached yet, retrieves it from the TPM (for a transient or
/// persistent object, or NV index) or computes it (for session, PCR or
/// permanent handles).
/// </summary>
public byte[] GetName(Tpm2 tpm)
{
Ht ht = GetType();
if (_Name == null)
{
if (ht == Ht.NvIndex)
{
tpm.NvReadPublic(this, out _Name);
return(_Name);
}
if (ht == Ht.Transient || ht == Ht.Persistent)
{
byte[] qName;
tpm.ReadPublic(this, out _Name, out qName);
return(_Name);
}
}
return(GetName());
}
public void Destroy()
{
TpmHandle nvHandle = new TpmHandle(AIOTH_PERSISTED_URI_INDEX + logicalDeviceId);
TpmHandle ownerHandle = new TpmHandle(TpmRh.Owner);
TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE + logicalDeviceId);
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Destyroy the URI
tpm.NvUndefineSpace(ownerHandle, nvHandle);
// Destroy the HMAC key
tpm.EvictControl(ownerHandle, hmacKeyHandle, hmacKeyHandle);
// Dispose of the TPM
tpm.Dispose();
}
public static uint GetProperty(Tpm2 tpm, Pt prop)
{
ICapabilitiesUnion caps;
tpm.GetCapability(Cap.TpmProperties, (uint)prop, 1, out caps);
var props = (TaggedTpmPropertyArray)caps;
TaggedProperty[] arr = props.tpmProperty;
if (arr.Length != 1)
{
Globs.Throw("Unexpected return from GetCapability");
if (arr.Length == 0)
{
return(0);
}
}
uint val = arr[0].value;
return(val);
}
TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
#if false
if (Ticket == null)
{
// create a dummy ticket = e.g. for a trial session
Ticket = new TkVerified(TpmRh.Owner, new byte[0]);
}
#endif
if (ParamsCallback != null)
{
ParamsCallback(tpm, sess, PolicyToReplace, PolicyRef, SigKeyName, Ticket);
}
if (policy.AllowErrorsInPolicyEval)
{
tpm._AllowErrors();
}
tpm.PolicyAuthorize(sess, PolicyToReplace, PolicyRef, SigKeyName, Ticket);
return(tpm._GetLastResponseCode());
}
/// <summary>
/// Executes the GetCapabilities functionality. After parsing arguments, the
/// function connects to the selected TPM device and invokes the GetCapabilities
/// command on that connection. If the command was successful, the retrieved
/// capabilities are displayed.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
string tpmDeviceName;
if (!ParseArguments(args, out tpmDeviceName))
{
WriteUsage();
return;
}
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSimulator:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
//
// Query different capabilities
//
ICapabilitiesUnion caps;
tpm.GetCapability(Cap.Algs, 0, 1000, out caps);
var algsx = (AlgPropertyArray)caps;
Console.WriteLine("Supported algorithms:");
foreach (var alg in algsx.algProperties)
{
Console.WriteLine(" {0}", alg.alg.ToString());
}
Console.WriteLine("Supported commands:");
tpm.GetCapability(Cap.TpmProperties, (uint)Pt.TotalCommands, 1, out caps);
tpm.GetCapability(Cap.Commands, (uint)TpmCc.First + 1, TpmCc.Last - TpmCc.First + 1, out caps);
var commands = (CcaArray)caps;
List<TpmCc> implementedCc = new List<TpmCc>();
foreach (var attr in commands.commandAttributes)
{
var commandCode = (TpmCc)((uint)attr & 0x0000FFFFU);
//
// Filter placehoder(s)
//
if(commandCode == TpmCc.None)
{
continue;
}
implementedCc.Add(commandCode);
Console.WriteLine(" {0}", commandCode.ToString());
}
Console.WriteLine("Commands from spec not implemented:");
foreach (var cc in Enum.GetValues(typeof(TpmCc)))
{
if (!implementedCc.Contains((TpmCc)cc) &&
//
// Fiter placeholder(s)
//
((TpmCc)cc != TpmCc.None) &&
((TpmCc)cc != TpmCc.First) &&
((TpmCc)cc != TpmCc.Last) )
{
Console.WriteLine(" {0}", cc.ToString());
}
}
//
// As an alternative: call GetCapabilities more than once to obtain all values
//
byte more;
var firstCommandCode = (uint)TpmCc.None;
do
{
more = tpm.GetCapability(Cap.Commands, firstCommandCode, 10, out caps);
commands = (CcaArray)caps;
//
// Commands are sorted; getting the last element as it will be the largest.
//
uint lastCommandCode = (uint)commands.commandAttributes[commands.commandAttributes.Length - 1] & 0x0000FFFFU;
firstCommandCode = lastCommandCode;
} while (more == 1);
//
// Read PCR attributes. Cap.Pcrs returns the list of PCRs which are supported
// in different PCR banks. The PCR banks are identified by the hash algorithm
// used to extend values into the PCRs of this bank.
//
tpm.GetCapability(Cap.Pcrs, 0, 255, out caps);
PcrSelection[] pcrs = ((PcrSelectionArray)caps).pcrSelections;
Console.WriteLine();
Console.WriteLine("Available PCR banks:");
foreach (PcrSelection pcrBank in pcrs)
{
var sb = new StringBuilder();
sb.AppendFormat("PCR bank for algorithm {0} has registers at index:", pcrBank.hash);
sb.AppendLine();
foreach (uint selectedPcr in pcrBank.GetSelectedPcrs())
{
sb.AppendFormat("{0},", selectedPcr);
}
Console.WriteLine(sb);
}
//
// Read PCR attributes. Cap.PcrProperties checks for certain properties of each PCR register.
//
tpm.GetCapability(Cap.PcrProperties, 0, 255, out caps);
Console.WriteLine();
Console.WriteLine("PCR attributes:");
TaggedPcrSelect[] pcrProperties = ((TaggedPcrPropertyArray)caps).pcrProperty;
foreach (TaggedPcrSelect pcrProperty in pcrProperties)
{
if ((PtPcr)pcrProperty.tag == PtPcr.None)
{
continue;
}
uint pcrIndex = 0;
var sb = new StringBuilder();
sb.AppendFormat("PCR property {0} supported by these registers: ", (PtPcr)pcrProperty.tag);
sb.AppendLine();
foreach (byte pcrBitmap in pcrProperty.pcrSelect)
{
for (int i = 0; i < 8; i++)
{
if ((pcrBitmap & (1 << i)) != 0)
{
sb.AppendFormat("{0},", pcrIndex);
}
pcrIndex++;
}
}
Console.WriteLine(sb);
}
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
/// <summary>
/// Some policies can be evaluated solely from public parts of the policy.
/// Others needs a private keyholder to sign some data. Tpm2Lib provides
/// a callback facility for these cases.
///
/// This second sample illustrates the use of callbacks to provide authData.
/// </summary>
/// <param name="tpm">Reference to the TPM object to use.</param>
static void PolicyEvaluationWithCallback2(Tpm2 tpm)
{
Console.WriteLine("Policy evaluation with callback sample 2.");
//
// Check if policy commands are implemented by TPM. This list
// could include all the other used commands as well.
// This check here makes sense for policy commands, because
// usually a policy has to be executed in full. If a command
// out of the chain of policy commands is not implemented in the
// TPM, the policy cannot be satisfied.
//
var usedCommands = new[] {
TpmCc.PolicySecret,
TpmCc.PolicyGetDigest,
TpmCc.PolicyRestart
};
foreach (var commandCode in usedCommands)
{
if (!tpm.Helpers.IsImplemented(commandCode))
{
Console.WriteLine("Cancel Policy evaluation callback 2 sample, because command {0} is not implemented by TPM.", commandCode);
return;
}
}
//
// Create an object with an AuthValue. The type of object is immaterial
// (it can even be the owner). In order to construct the policy we will
// need the name and to prove that we know the AuthVal.
//
_publicAuthorizationValue = AuthValue.FromRandom(10);
var dataToSeal = new byte[] { 1, 2, 3, 4 };
_publicSealedObjectHandle = CreateSealedPrimaryObject(tpm,
dataToSeal,
_publicAuthorizationValue,
null);
byte[] objectName = _publicSealedObjectHandle.Name;
var policy = new PolicyTree(TpmAlgId.Sha256);
policy.Create(
new PolicyAce[]
{
new TpmPolicySecret(objectName, // Name of the obj that we will prove authData
true, // Include nonceTpm
new byte[0], // Not bound to a cpHash
new byte[0], // Null policyRef
0), // Never expires (in this session)
"leaf" // Name for this ACE
});
TpmHash expectedHash = policy.GetPolicyDigest();
//
// We are about to ask for the session to be evaluated, but in order
// to process TpmPolicySecret the caller will have to prove knowledge of
// the authValue associated with objectName. In this first version we
// do this with PWAP.
//
policy.SetPolicySecretCallback(PolicySecretCallback);
AuthSession authSession = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);
authSession.RunPolicy(tpm, policy, "leaf");
//
// The policy evaluated. But is the digest what we expect?
//
byte[] digestIs = tpm.PolicyGetDigest(authSession.Handle);
if (expectedHash != digestIs)
{
throw new Exception("Incorrect PolicyDigest");
}
//
// And now do the same thing but with an HMAC session.
//
_sharedTpm = tpm;
tpm.PolicyRestart(authSession.Handle);
policy.SetPolicySecretCallback(PolicySecretCallback2);
authSession.RunPolicy(tpm, policy, "leaf");
_sharedTpm = null;
//
// The policy evaluated. But is the digest what we expect?
//
digestIs = tpm.PolicyGetDigest(authSession.Handle);
if (expectedHash != digestIs)
{
throw new Exception("Incorrect PolicyDigest");
}
Console.WriteLine("TpmPolicySignature evaluated.");
tpm.FlushContext(authSession.Handle);
}
public ByteArrayComparer(Tpm2 tpm)
{
my_tpm = tpm;
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
Globs.Throw("Do not include PolicyRestart in running policies");
return(TpmRc.Policy);
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
tpm.PolicyPhysicalPresence(sess);
return(tpm._GetLastResponseCode());
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
tpm.PolicyCounterTimer(sess, OperandB, Offset, Operation);
return(tpm._GetLastResponseCode());
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
tpm.PolicyLocality(sess, AllowedLocality);
return(tpm._GetLastResponseCode());
}
/// <summary>
/// This sample demonstrates the creation and use of a storage root key that
/// behaves like the Storage Root Key (SRK) defined in TPM1.2.
/// To do this we need to create a new primary, and then use EvictControl
/// to make it NV-resident.
/// </summary>
/// <param name="tpm">Reference to TPM object</param>
static void StorageRootKey(Tpm2 tpm)
{
//
// This template asks the TPM to create an 2048 bit RSA storage key
// with an associated AES key for symmetric data protection. The term
// "SRKs" is not used in TPM2.0, but we use it here to
// not
//
var srkTemplate = new TpmPublic(TpmAlgId.Sha1, // Name algorithm
ObjectAttr.Restricted | // Storage keys must be restricted
ObjectAttr.Decrypt | // Storage keys are Decrypt keys
ObjectAttr.FixedParent | ObjectAttr.FixedTPM | // Non-duplicable (like 1.2)
ObjectAttr.UserWithAuth | ObjectAttr.SensitiveDataOrigin,
new byte[0], // No policy
new RsaParms(new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb),
new NullAsymScheme(), // No signature
2048, 0), // 2048-bit RSA
new Tpm2bPublicKeyRsa());
//
// Authorization for the key we are about to create
//
var srkAuth = new byte[0];
AuthValue childAuthVal = AuthValue.FromRandom(8);
TssObject swKey = TssObject.CreateStorageParent(srkTemplate, childAuthVal);
TpmPublic srkPublic;
CreationData srkCreationData;
TkCreation srkCreationTicket;
byte[] srkCreationHash;
//
// Ask the TPM to create a new primary RSA/AES primary storage key
//
TpmHandle keyHandle = tpm[_ownerAuth].CreatePrimary(
TpmHandle.RhOwner, // In the owner-hierarchy
new SensitiveCreate(srkAuth, new byte[0]), // With this auth-value
srkTemplate, // Describes key
new byte[0], // For creation ticket
new PcrSelection[0], // For creation ticket
out srkPublic, // Out pubKey and attrs
out srkCreationData, // Not used here
out srkCreationHash, // Ibid
out srkCreationTicket); // Ibid
//
// print out text-versions of the public key just created
//
Console.WriteLine("New SRK public key\n" + srkPublic.ToString());
//
// The caller provides the handle for persistent keys
//
TpmHandle srkHandle = TpmHandle.Persistent(0x5000);
//
// Ae will make the "SRK" persistent in an NV-slot, so clean up anything
// that is already there
//
tpm[_ownerAuth]._AllowErrors().EvictControl(TpmHandle.RhOwner, srkHandle, srkHandle);
TpmRc lastError = tpm._GetLastResponseCode();
//
// Make the SRK NV-resident
//
tpm[_ownerAuth].EvictControl(TpmHandle.RhOwner, keyHandle, srkHandle);
Console.WriteLine("SRK is persistent now.");
}
/// <summary>
/// This sample illustrates the creation and use of an RSA signing key to
/// "quote" PCR state
/// </summary>
/// <param name="tpm">Reference to the TPM object.</param>
static void QuotePcrs(Tpm2 tpm)
{
//
// First use a library routine to create an RSA/AES primary storage key
// with null user-auth.
//
TpmPublic rsaPrimaryPublic;
var primaryAuth = new byte[0];
TpmHandle primHandle = CreateRsaPrimaryStorageKey(tpm, primaryAuth, out rsaPrimaryPublic);
//
// Template for a signing key. We will make the key restricted so that we
// can quote with it too.
//
var signKeyPubTemplate = new TpmPublic(TpmAlgId.Sha1,
ObjectAttr.Sign | ObjectAttr.Restricted | // A "quoting" key
ObjectAttr.FixedParent | ObjectAttr.FixedTPM | // Non-duplicable
ObjectAttr.UserWithAuth | // Authorize with auth-data
ObjectAttr.SensitiveDataOrigin, // TPM will create a new key
new byte[0],
new RsaParms(new SymDefObject(), new SchemeRsassa(TpmAlgId.Sha1), 2048, 0),
new Tpm2bPublicKeyRsa());
//
// Auth-data for new key
//
var userAuth = new byte[] { 1, 2, 3, 4 };
var sensCreate = new SensitiveCreate(userAuth, new byte[0]);
//
// Creation data (not used in this sample)
//
CreationData childCreationData;
TkCreation creationTicket;
byte[] creationHash;
//
// Create the key
//
TpmPublic keyPub;
TpmPrivate keyPriv = tpm[primaryAuth].Create(primHandle, // Child of primary key created above
sensCreate, // Auth-data
signKeyPubTemplate, // Template created above
new byte[0], // Other parms are not used here
new PcrSelection[0],
out keyPub,
out childCreationData, out creationHash, out creationTicket);
Console.WriteLine("New public key\n" + keyPub.ToString());
//
// Load the key as a child of the primary that it
// was created under.
//
TpmHandle signHandle = tpm[primaryAuth].Load(primHandle, keyPriv, keyPub);
//
// Note that Load returns the "name" of the key and this is automatically
// associated with the handle.
//
Console.WriteLine("Name of key:" + BitConverter.ToString(signHandle.Name));
//
// Aome data to quote
//
TpmHash hashToSign = TpmHash.FromData(TpmAlgId.Sha1, new byte[] { 4, 3, 2, 1 });
//
// PCRs to quote. SHA-1 bank, PCR-indices 1, 2, and 3
//
var pcrsToQuote = new PcrSelection[]
{
new PcrSelection(TpmAlgId.Sha, new uint[] { 1, 2, 3 })
};
//
// Ask the TPM to quote the PCR (and the nonce). The TPM
// returns the quote-signature and the data that was signed
//
ISignatureUnion quoteSig;
Attest quotedInfo = tpm[userAuth].Quote(signHandle,
hashToSign.HashData,
new SchemeRsassa(TpmAlgId.Sha1),
pcrsToQuote,
out quoteSig);
//
// Print out what was quoted
//
var info = (QuoteInfo)quotedInfo.attested;
Console.WriteLine("PCRs that were quoted: " +
info.pcrSelect[0].ToString() +
"\nHash of PCR-array: " +
BitConverter.ToString(info.pcrDigest));
//
// Read the PCR to check the quoted value
//
PcrSelection[] outSelection;
Tpm2bDigest[] outValues;
tpm.PcrRead(new PcrSelection[] {
new PcrSelection(TpmAlgId.Sha, new uint[] { 1, 2, 3 })
},
out outSelection,
out outValues);
//
// Use the Tpm2Lib library to validate the quote against the
// values just read.
//
bool quoteOk = keyPub.VerifyQuote(TpmAlgId.Sha1,
outSelection,
outValues,
hashToSign.HashData,
quotedInfo,
quoteSig);
if (!quoteOk)
{
throw new Exception("Quote did not validate");
}
Console.WriteLine("Quote correctly validated.");
//
// Test other uses of the signing key. A restricted key can only
// sign data that the TPM knows does not start with a magic
// number (that identifies TPM internal data). So this does not
// work
//
var nullProof = new TkHashcheck(TpmHandle.RhNull, new byte[0]);
tpm[userAuth]._ExpectError(TpmRc.Ticket).Sign(signHandle,
hashToSign.HashData,
new SchemeRsassa(TpmAlgId.Sha1),
nullProof);
//
// But if we ask the TPM to hash the same data and then sign it
// then the TPM can be sure that the data is safe, so it will
// sign it.
//
TkHashcheck safeHashTicket;
TpmHandle hashHandle = tpm.HashSequenceStart(_nullAuth, TpmAlgId.Sha1);
//
// The ticket is only generated if the data is "safe."
//
tpm[_nullAuth].SequenceComplete(hashHandle,
new byte[] { 4, 3, 2, 1 },
TpmHandle.RhOwner,
out safeHashTicket);
//
// This will now work because the ticket proves to the
// TPM that the data that it is about to sign does not
// start with TPM_GENERATED
//
ISignatureUnion sig = tpm[userAuth].Sign(signHandle,
hashToSign.HashData,
new SchemeRsassa(TpmAlgId.Sha1),
safeHashTicket);
//
// And we can verify the signature
//
bool sigOk = keyPub.VerifySignatureOverData(new byte[] { 4, 3, 2, 1 }, sig);
if (!sigOk)
{
throw new Exception("Signature did not verify");
}
Console.WriteLine("Signature verified.");
//
// Clean up
//
tpm.FlushContext(primHandle);
tpm.FlushContext(signHandle);
}
/// <summary>
/// Use a hash sequence to concatenate and hash data that is bigger then
/// the communication buffer to the TPM.
/// </summary>
/// <param name="tpm">Reference to the TPM object.</param>
static void HashSequence(Tpm2 tpm)
{
//
// Create an auth-value to control later access to the hash object.
// The AuthValue class is a Tpm2Lib-provided helper object for managing
// authorization data. Here we ask the library to create a 10-byte
// random array.
//
AuthValue authVal = AuthValue.FromRandom(10);
//
// Create a hash sequence-object with the auth-value provided and
// based on SHA-1. This command returns a uint identifier that we call a handle.
//
TpmHandle hashHandle = tpm.HashSequenceStart(authVal, TpmAlgId.Sha1);
//
// Hash some data using the hash sequence object just created.
// It is normally the case that the use of TPM internal objects
// must be "authorized" by proof-of-knowledge of the authorization
// value that was set when the object was created. Authorization
// is communicated using a TPM construct called a "session."
// Every handle that requires authorization requires a session
// that conveys knowledge of the auth-value (or other authorization).
//
// The specific style of session used here is a "password authorization
// session, or PWAP session, where the password is communicated
// in plain text.
//
// Three styles of session creation are demonstrated.
// Style 1 (not preferred). The method _SetSessions() tells Tpm2Lib
// to use the authorization value authVal in a PWAP session
//
tpm._SetSessions(authVal);
tpm[authVal].SequenceUpdate(hashHandle, new byte[] { 0, 1 });
//
// Style 2 (not preferred). The method _SetSessions() returns "this"
// so the two lines above can be condensed. tpm._SetSessions(authVal);
//
tpm._SetSessions(authVal).SequenceUpdate(hashHandle, new byte[] { 2, 3 });
//
// Style 3 - RECOMMENDED
// In the command sequence below the [authValue] construct is
// NOT an array-accessor. Instead it is shorthand to associate
// a list of authorization sessions with the command (one session
// in this case.
//
tpm[authVal].SequenceUpdate(hashHandle, new byte[] { 4, 5 });
tpm[authVal].SequenceUpdate(hashHandle, new byte[] { 6, 7 });
//
// Add the final data block
//
TkHashcheck validation;
byte[] hashedData = tpm[authVal].SequenceComplete(hashHandle,
new byte[] { 4, 5 },
TpmHandle.RhOwner,
out validation);
Console.WriteLine("Hashed data (Sequence): " + BitConverter.ToString(hashedData));
}
/// <summary>
/// This sample demonstrates the async interface to the TPM for selected slow operations.
/// await-async is preferred when calling slow TPM functions on a UI-thread. Only a few TPM
/// functions have an async-form.
/// </summary>
/// <param name="tpm">Reference to TPM object</param>
/// <param name="Event">Synchronization object to signal calling function when we're done.</param>
static async void PrimarySigningKeyAsync(Tpm2 tpm, AutoResetEvent Event)
{
//
// The TPM needs a template that describes the parameters of the key
// or other object to be created. The template below instructs the TPM
// to create a new 2048-bit non-migratable signing key.
//
var keyTemplate = new TpmPublic(TpmAlgId.Sha1, // Name algorithm
ObjectAttr.UserWithAuth | ObjectAttr.Sign | // Signing key
ObjectAttr.FixedParent | ObjectAttr.FixedTPM | // Non-migratable
ObjectAttr.SensitiveDataOrigin,
new byte[0], // No policy
new RsaParms(new SymDefObject(),
new SchemeRsassa(TpmAlgId.Sha1), 2048, 0),
new Tpm2bPublicKeyRsa());
//
// Authorization for the key we are about to create
//
var keyAuth = new byte[] { 1, 2, 3 };
//
// Ask the TPM to create a new primary RSA signing key
//
var newPrimary = await tpm[_ownerAuth].CreatePrimaryAsync(
TpmHandle.RhOwner, // In the owner-hierarchy
new SensitiveCreate(keyAuth, new byte[0]), // With this auth-value
keyTemplate, // Describes key
new byte[0], // For creation ticket
new PcrSelection[0]); // For creation ticket
//
// Print out text-versions of the public key just created
//
Console.WriteLine("New public key\n" + newPrimary.outPublic.ToString());
//
// Use the key to sign some data
//
byte[] message = Encoding.Unicode.GetBytes("ABC");
TpmHash dataToSign = TpmHash.FromData(TpmAlgId.Sha1, message);
var sig = await tpm[keyAuth].SignAsync(newPrimary.objectHandle, // Handle of signing key
dataToSign.HashData, // Data to sign
new SchemeRsassa(TpmAlgId.Sha1), // Default scheme
TpmHashCheck.NullHashCheck());
//
// Print the signature. A different structure is returned for each
// signing scheme, so cast the interface to our signature type.
//
var actualSig = (SignatureRsassa)sig;
Console.WriteLine("Signature: " + BitConverter.ToString(actualSig.sig));
//
// Clean up
//
tpm.FlushContext(newPrimary.objectHandle);
//
// Tell caller, we're done.
//
Event.Set();
}
private void button_Click(object sender, Windows.UI.Xaml.RoutedEventArgs e)
{
try
{
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
NVReadWrite(tpm);
NVCounter(tpm);
tpm.Dispose();
}
catch (Exception ex)
{
this.textBlock.Text = "Exception occurred: " + ex.Message;
}
}
private TpmHandle[] GetAllLoadedEntities(Tpm2 tpm)
{
var handles = new List<TpmHandle>();
handles.AddRange(GetLoadedEntities(tpm, Ht.Transient));
handles.AddRange(GetLoadedEntities(tpm, Ht.LoadedSession));
handles.AddRange(GetLoadedEntities(tpm, TpmHelpers.GetEnumerator<Ht>("ActiveSession", "SavedSession")));
return handles.ToArray();
}
private TpmHandle[] GetLoadedEntities(Tpm2 tpm, Ht rangeToQuery)
{
const uint maxHandles = UInt32.MaxValue;
ICapabilitiesUnion h;
byte moreData = tpm.GetCapability(Cap.Handles, ((uint)rangeToQuery) << 24, maxHandles, out h);
if (moreData != 0)
{
throw new NotImplementedException("Too much data returned");
}
if (h.GetType() != typeof (HandleArray))
{
throw new Exception("Incorrect type");
}
var handles = (HandleArray)h;
return handles.handle;
}
/// <summary>
/// This sample illustrates the use of a TpmPolicyOr.
/// </summary>
static void PolicyOr(Tpm2 tpm)
{
Console.WriteLine("PolicyOr sample:");
//
// Check if policy commands are implemented by TPM. This list
// could include all the other used commands as well.
// This check here makes sense for policy commands, because
// usually a policy has to be executed in full. If a command
// out of the chain of policy commands is not implemented in the
// TPM, the policy cannot be satisfied.
//
var usedCommands = new[] {
TpmCc.PolicyLocality,
TpmCc.PolicyPCR,
TpmCc.PolicyAuthValue
};
foreach (var commandCode in usedCommands)
{
if (!tpm.Helpers.IsImplemented(commandCode))
{
Console.WriteLine("Cancel Policy OR sample, because command {0} is not implemented by TPM.", commandCode);
return;
}
}
var pcrs = new uint[] { 1, 2, 3 };
var sel = new PcrSelection(TpmAlgId.Sha, pcrs);
PcrSelection[] selOut;
Tpm2bDigest[] pcrValues;
//
// First read the PCR values
//
tpm.PcrRead(new[] { sel }, out selOut, out pcrValues);
//
// Save the current PCR values in a convenient data structure
//
var expectedPcrVals = new PcrValueCollection(selOut, pcrValues);
//
// Tpm2Lib encapsulates a set of policy assertions as the PolicyTree class.
//
var policyTree = new PolicyTree(TpmAlgId.Sha256);
//
// First branch of PolicyOr
//
var branch1 = new PolicyAce[]
{
new TpmPolicyLocality(LocalityAttr.TpmLocZero),
new TpmPolicyPcr(expectedPcrVals),
"branch_1"
};
//
// Second branch of PolicyOr
//
var branch2 = new PolicyAce[]
{
new TpmPolicyAuthValue(),
"branch_2"
};
//
// Create the policy. CreateNormalizedPolicy takes an array-of-arrays
// of PolicyACEs that are to be OR'ed together (the branches themselves cannot
// contain TpmPOlicyOrs). The library code constructs a policy tree with
// minimum number of TpmPolicyOrs at the root.
//
policyTree.CreateNormalizedPolicy(new[] {branch1, branch2});
//
// Ask Tpm2Lib for the expected policy-hash for this policy
//
TpmHash expectedPolicyHash = policyTree.GetPolicyDigest();
//
// Create a sealed primary object with the policy-hash we just calculated
//
var dataToSeal = new byte[] { 1, 2, 3, 4, 5, 4, 3, 2, 1 };
var authVal = new byte[] { 1, 2 };
TpmHandle primHandle = CreateSealedPrimaryObject(tpm,
dataToSeal,
authVal,
expectedPolicyHash.HashData);
//
// Create an actual TPM policy session to evaluate the policy
//
AuthSession session = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);
//
// Run the policy on the TPM
//
session.RunPolicy(tpm, policyTree, "branch_1");
//
// And unseal the object
//
byte[] unsealedData = tpm[session].Unseal(primHandle);
Console.WriteLine("Unsealed data for branch_1: " + BitConverter.ToString(unsealedData));
//
// Now run the other branch
//
tpm.PolicyRestart(session.Handle);
session.RunPolicy(tpm, policyTree, "branch_2");
//
// And the session will be unusable
//
unsealedData = tpm[session].Unseal(primHandle);
Console.WriteLine("Unsealed data for branch_2: " + BitConverter.ToString(unsealedData));
//
// Clean up
//
tpm.FlushContext(session.Handle);
tpm.FlushContext(primHandle);
}
/// <summary>
/// Very simple hash calculation.
/// We ask the TPM to calculate the hash of a 3-byte array.
/// </summary>
/// <param name="tpm">Reference to the TPM object.</param>
static void SimpleHash(Tpm2 tpm)
{
TkHashcheck validation;
byte[] hashData = tpm.Hash(new byte[] { 1, 2, 3 }, // Data to hash
TpmAlgId.Sha256, // Hash algorithm
TpmHandle.RhOwner, // Hierarchy for ticket (not used here)
out validation); // Ticket (not used in this example)
Console.WriteLine("Hashed data (Hash): " + BitConverter.ToString(hashData));
}
/// <summary>
/// This sample shows the use of HMAC sessions to authorize TPM actions.
/// HMAC sessions may be bound/unbound and seeded/unseeded. This sample
/// illustrates an unseeded and unbound session.
/// </summary>
/// <param name="tpm">Reference to the TPM object.</param>
static void HmacUnboundUnseeded(Tpm2 tpm)
{
//
// Create a hash-sequence with a random authorization value
//
AuthValue authVal = AuthValue.FromRandom(8);
TpmHandle hashHandle = tpm.HashSequenceStart(authVal, TpmAlgId.Sha256);
//
// Commands with the Ex modifier are library-provided wrappers
// around TPM functions to make programming easier. This version
// of StartAuthSessionEx calls StartAuthSession configured to
// create an unbound and unseeded auth session with the auth-value
// provided here.
//
AuthSession s0 = tpm.StartAuthSessionEx(TpmSe.Hmac, TpmAlgId.Sha256);
//
// The following calls show the use of the HMAC session in authorization.
// The session to use is communicated as a parameter in the [] overloaded
// function and the auth-value is that set during HMAC session creation.
//
TkHashcheck validate;
tpm[s0].SequenceUpdate(hashHandle, new byte[] { 0, 2, 1 });
byte[] hashedData = tpm[s0].SequenceComplete(hashHandle,
new byte[] { 2, 3, 4 },
TpmHandle.RhOwner,
out validate);
Console.WriteLine("Hashed data (HMAC authorized sequence): " + BitConverter.ToString(hashedData));
tpm.FlushContext(s0.Handle);
}
/// <summary>
/// Create an RSA primary storage key in the storage hierarchy and return the key-handle
/// to the caller. The key will be RSA2048 with a SHA256-name algorithm. The caller can
/// provide user-auth. The caller is responsible for disposing of this key.
/// </summary>
/// <returns></returns>
static TpmHandle CreateRsaPrimaryStorageKey(Tpm2 tpm, byte[] auth, out TpmPublic newKeyPub)
{
//
// Creation parameters (no external data for TPM-created objects)
//
var sensCreate = new SensitiveCreate(auth, // Auth-data provided by the caller
new byte[0]); // No external data (the TPM will create the new key).
var parms = new TpmPublic(TpmAlgId.Sha256,
ObjectAttr.Restricted | ObjectAttr.Decrypt | // Storage key
ObjectAttr.FixedParent | ObjectAttr.FixedTPM | // Non-duplicable
ObjectAttr.UserWithAuth | ObjectAttr.SensitiveDataOrigin,
new byte[0], // No policy, and Storage key should be RSA + AES128
new RsaParms(new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb),
new NullAsymScheme(), 2048, 0),
new Tpm2bPublicKeyRsa());
//
// The following are returned by the TPM in CreatePrimary (and Create)
// they are not used in this sample.
//
CreationData creationData;
TkCreation creationTicket;
byte[] creationHash;
TpmHandle primHandle = tpm[_ownerAuth].CreatePrimary(TpmHandle.RhOwner, // In storage hierarchy
sensCreate, // UserAuth
parms, // Creation parms set above
//
// The following parameters influence the creation of the
// creation-ticket. They are not used in this sample
//
new byte[0], // Null outsideInfo
new PcrSelection[0], // Do not record PCR-state
out newKeyPub, // Our outs
out creationData, out creationHash, out creationTicket);
return primHandle;
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
tpm.PolicyNameHash(sess, NameHash);
return(tpm._GetLastResponseCode());
}
/// <summary>
/// This sample demonstrates the use of the TPM Platform Configuration
/// Registers (PCR). Tpm2Lib provides several features to model PCR
/// semantics.
/// </summary>
/// <param name="tpm">Reference to the TPM object.</param>
static void Pcrs(Tpm2 tpm)
{
//
// Read the value of the SHA1 PCR 1 and 2
//
var valuesToRead = new PcrSelection[]
{
new PcrSelection(TpmAlgId.Sha1, new uint[] {1, 2})
};
PcrSelection[] valsRead;
Tpm2bDigest[] values;
tpm.PcrRead(valuesToRead, out valsRead, out values);
//
// Check that what we read is what we asked for (the TPM does not
// guarantee this)
//
if (valsRead[0] != valuesToRead[0])
{
Console.WriteLine("Unexpected PCR-set");
}
//
// Print out PCR-1
//
var pcr1 = new TpmHash(TpmAlgId.Sha1, values[0].buffer);
Console.WriteLine("PCR1: " + pcr1);
//
// Extend (event) PCR[1] in the TPM and in the external library and
// see if they match
//
var dataToExtend = new byte[] { 0, 1, 2, 3, 4 };
//
// Note that most PCR must be authorized with "null" authorization
//
tpm[_nullAuth].PcrEvent(TpmHandle.Pcr(1), dataToExtend);
//
// And read the current value
//
tpm.PcrRead(valuesToRead, out valsRead, out values);
//
// Update the "simulated" PCR
//
pcr1.Event(dataToExtend);
//
// And see whether the PCR has the value we expect
//
if (pcr1 != values[0].buffer)
{
throw new Exception("Event did not work");
}
//
// Update a resettable PCR
//
tpm[_nullAuth].PcrEvent(TpmHandle.Pcr(16), new byte[] { 1, 2 });
//
// And reset it
//
tpm[_nullAuth].PcrReset(TpmHandle.Pcr(16));
//
// And check that it is indeed zero
//
tpm.PcrRead(new PcrSelection[] {
new PcrSelection(TpmAlgId.Sha1, new uint[] {16})
},
out valsRead,
out values);
//
// Did it reset?
//
if (TpmHash.ZeroHash(TpmAlgId.Sha1) != values[0].buffer)
{
throw new Exception("PCR did not reset");
}
Console.WriteLine("PCR sample finished.");
}
public static uint GetProperty(Tpm2 tpm, Pt tagToGet)
{
ICapabilitiesUnion caps;
tpm.GetCapability(Cap.TpmProperties, (uint)tagToGet, 1, out caps);
var props = (TaggedTpmPropertyArray)caps;
TaggedProperty[] arr = props.tpmProperty;
if (arr.Length != 1)
{
throw new Exception("Unexpected return from GetCapability");
}
uint val = arr[0].value;
return val;
}
/// <summary>
/// This sample illustrates the use of a simple TPM policy session. The policy demands
/// PCR 1, 2, 3 set to current values, and the command be issued at locality zero.
/// </summary>
static void SimplePolicy(Tpm2 tpm)
{
Console.WriteLine("Simple Policy sample:");
//
// Check if policy commands are implemented by TPM. This list
// could include all the other used commands as well.
// This check here makes sense for policy commands, because
// usually a policy has to be executed in full. If a command
// out of the chain of policy commands is not implemented in the
// TPM, the policy cannot be satisfied.
//
var usedCommands = new[] {
TpmCc.PolicyLocality,
TpmCc.PolicyPCR
};
foreach (var commandCode in usedCommands)
{
if (!tpm.Helpers.IsImplemented(commandCode))
{
Console.WriteLine("Cancel Simple Policy sample, because command {0} is not implemented by TPM.", commandCode);
return;
}
}
//
// First read the PCR values
//
var pcrs = new uint[] { 1, 2, 3 };
var sel = new PcrSelection(TpmAlgId.Sha, pcrs);
PcrSelection[] selOut;
Tpm2bDigest[] pcrValues;
tpm.PcrRead(new[] { sel }, out selOut, out pcrValues);
Console.WriteLine("PCR Selections:\n");
foreach (PcrSelection s in selOut)
{
Console.WriteLine(s.ToString());
}
Console.WriteLine("PCR Values:\n");
foreach (var v in pcrValues)
{
Console.WriteLine(v.ToString());
}
//
// Save the current PCR values in a convenient data structure
//
var expectedPcrVals = new PcrValueCollection(selOut, pcrValues);
//
// Tpm2Lib encapsulates a set of policy assertions as the PolicyTree class.
//
var policyTree = new PolicyTree(TpmAlgId.Sha256);
//
// Set the policy: Locality AND PolicyPcr. This form of CreatePOlicy
// only creates a single chain. Note that all well-formed policy chains
// must have leaf identifiers. Leaf identifiers are just strings that
// are unique in a policy so that the framework can be told what
// chain to evaluate.
//
policyTree.Create(
new PolicyAce[]
{
new TpmPolicyLocality(LocalityAttr.TpmLocZero),
new TpmPolicyPcr(expectedPcrVals),
"leaf"
}
);
//
// Ask Tpm2Lib for the expected policy-hash for this policy
//
TpmHash expectedPolicyHash = policyTree.GetPolicyDigest();
//
// Create a sealed primary object with the policy-hash we just calculated
//
var dataToSeal = new byte[] { 1, 2, 3, 4, 5, 4, 3, 2, 1 };
TpmHandle primHandle = CreateSealedPrimaryObject(tpm,
dataToSeal,
null,
expectedPolicyHash.HashData);
//
// Create an actual TPM policy session to evaluate the policy
//
AuthSession session = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);
//
// Run the policy on the TPM
//
session.RunPolicy(tpm, policyTree, "leaf");
//
// Unseal the object
//
byte[] unsealedData = tpm[session].Unseal(primHandle);
Console.WriteLine("Unsealed data: " + BitConverter.ToString(unsealedData));
//
// Change a PCR and make sure that the policy no longer works
//
var nullAuth = new AuthValue();
tpm[nullAuth].PcrEvent(TpmHandle.Pcr(3), new byte[] { 1, 2, 3 });
tpm.PolicyRestart(session.Handle);
//
// Run the policy again - an error will be returned
//
TpmRc policyError = session.RunPolicy(tpm, policyTree, null, true);
//
// And the session will be unusable
//
unsealedData = tpm[session]._ExpectError(TpmRc.PolicyFail).Unseal(primHandle);
//
// Clean up
//
tpm.FlushContext(session.Handle);
tpm.FlushContext(primHandle);
}
/// <summary>
/// Create a sealed-object primary that can be accessed with the given policy. SHA256 is assumed.
/// </summary>
/// <param name="tpm"></param>
/// <param name="dataToSeal"></param>
/// <param name="authValue"></param>
/// <param name="policy"></param>
/// <returns></returns>
private static TpmHandle CreateSealedPrimaryObject(Tpm2 tpm, byte[] dataToSeal, byte[] authValue, byte[] policy)
{
ObjectAttr attrs = ObjectAttr.FixedTPM | ObjectAttr.FixedParent;
if (authValue != null)
{
attrs |= ObjectAttr.UserWithAuth;
}
byte[] policyVal = policy ?? new byte[0];
var sealedInPublic = new TpmPublic(TpmAlgId.Sha256,
attrs,
policyVal,
new KeyedhashParms(new NullSchemeKeyedhash()),
new Tpm2bDigestKeyedhash());
//
// Envelope for sealed data and auth
//
byte[] authVal = authValue ?? new byte[0];
var sealedInSensitive = new SensitiveCreate(authVal, dataToSeal);
TkCreation creationTicket;
byte[] creationHashSealed;
TpmPublic sealedPublic;
CreationData sealedCreationData;
//
// AuthValue encapsulates an authorization value: essentially a byte-array.
// OwnerAuth is the owner authorization value of the TPM-under-test. We
// assume that it (and other) auths are set to the default (null) value.
// If running on a real TPM, which has been provisioned by Windows, this
// value will be different. An administrator can retrieve the owner
// authorization value from the registry.
//
var ownerAuth = new AuthValue();
//
// Ask the TPM to create a primary containing the "sealed" data
//
TpmHandle primHandle = tpm[ownerAuth].CreatePrimary(TpmHandle.RhOwner,
sealedInSensitive,
sealedInPublic,
new byte[0],
new PcrSelection[0],
out sealedPublic,
out sealedCreationData,
out creationHashSealed,
out creationTicket);
return primHandle;
}
public static uint GetProperty(Tpm2 tpm, Pt prop)
{
ICapabilitiesUnion caps;
tpm.GetCapability(Cap.TpmProperties, (uint)prop, 1, out caps);
var props = (TaggedTpmPropertyArray)caps;
TaggedProperty[] arr = props.tpmProperty;
if (arr.Length != 1)
{
Globs.Throw("Unexpected return from GetCapability");
if (arr.Length == 0)
return 0;
}
uint val = arr[0].value;
return val;
}
/// <summary>
/// This sample demonstrates a policy containing ALL policy commands.
/// It also demonstrates serialization of the policy, and the use
/// of callbacks to satisfy the conditions in a policy (e.g. knowledge
/// of a private key, or the NV-index associated with a name.
/// </summary>
/// <param name="tpm">Reference to the TPM used.</param>
static void SamplePolicySerializationAndCallbacks(Tpm2 tpm)
{
Console.WriteLine("Policy sample that serializes all policy commands.");
//
// Check if policy commands are implemented by TPM. This list
// could include all the other used commands as well.
// This check here makes sense for policy commands, because
// usually a policy has to be executed in full. If a command
// out of the chain of policy commands is not implemented in the
// TPM, the policy cannot be satisfied.
//
var usedCommands = new[] {
TpmCc.PolicyPhysicalPresence,
TpmCc.PolicySigned,
TpmCc.PolicySecret,
TpmCc.PolicyPCR,
TpmCc.PolicyLocality,
TpmCc.PolicyNV,
TpmCc.PolicyCounterTimer,
TpmCc.PolicyCommandCode,
TpmCc.PolicyPassword,
TpmCc.PolicyAuthorize,
TpmCc.PolicyPhysicalPresence,
TpmCc.PolicyCpHash,
TpmCc.PolicyTicket,
TpmCc.PolicyNameHash,
TpmCc.PolicyCpHash,
TpmCc.PolicyDuplicationSelect,
TpmCc.PolicyAuthValue,
TpmCc.PolicyNvWritten
};
foreach (var commandCode in usedCommands)
{
if (!tpm.Helpers.IsImplemented(commandCode))
{
Console.WriteLine("Cancel Policy serialization and callback sample, because command {0} is not implemented by TPM.", commandCode);
return;
}
}
//
// AuthValue encapsulates an authorization value: essentially a byte-array.
// OwnerAuth is the owner authorization value of the TPM-under-test. We
// assume that it (and other) auths are set to the default (null) value.
// If running on a real TPM, which has been provisioned by Windows, this
// value will be different. An administrator can retrieve the owner
// authorization value from the registry.
//
var ownerAuth = new AuthValue();
var pInit = new PolicyTree(TpmAlgId.Sha256);
var p = new PolicyTree(TpmAlgId.Sha256);
//
// In the first part of this sample we establish keys, NV-slots,
// etc. that will be used in the policy.
//
//
// create a new RSA software signing key. We will use this for both
// TpmPolicySigned AND TpmPolicyAuthorize.
//
var signKeyPublicTemplate = new TpmPublic(TpmAlgId.Sha256,
ObjectAttr.Sign | ObjectAttr.Restricted | ObjectAttr.FixedTPM,
new byte[0],
new RsaParms(new SymDefObject(),
new SchemeRsassa(TpmAlgId.Sha256),
2048, 0),
new Tpm2bPublicKeyRsa());
_publicSigningKey = new AsymCryptoSystem(signKeyPublicTemplate);
//
// Get an authorization ticket for TpmPolicyAuthorize. We will authorize
// a policy-digest consisting of policyPhysPresense.
//
var tempPolicy = new PolicyTree(TpmAlgId.Sha256);
tempPolicy.Create(
new PolicyAce[]
{
new TpmPolicyPhysicalPresence(),
"leaf"
});
TpmHash initPolicyHash = tempPolicy.GetPolicyDigest();
var policyAuthRef = new byte[0];
byte[] dataToSign = Globs.Concatenate(initPolicyHash.HashData, policyAuthRef);
byte[] aHash = CryptoLib.HashData(TpmAlgId.Sha256,
Globs.Concatenate(initPolicyHash.HashData, policyAuthRef));
//
// Sign the simple policy just containing PolicyPhysPres so that
// we can change it to a new value with PolicyAuthorize.
//
ISignatureUnion policyAuthSig = _publicSigningKey.Sign(dataToSign);
//
// Get a ticket verifying the signature.
//
TpmHandle verifierHandle = tpm.LoadExternal(null, _publicSigningKey.GetPublicParms(), TpmHandle.RhOwner);
tpm.VerifySignature(verifierHandle, aHash, policyAuthSig);
tpm.FlushContext(verifierHandle);
//
// Get the value of PCR[1]
//
var pcrs = new uint[] { 1 };
var sel = new PcrSelection(TpmAlgId.Sha, pcrs);
PcrSelection[] selOut;
Tpm2bDigest[] pcrValues;
tpm.PcrRead(new[] { sel }, out selOut, out pcrValues);
//
// Save the current PCR values in a convenient data structure
//
var expectedPcrVals = new PcrValueCollection(selOut, pcrValues);
//
// Set up an NV slot
//
TpmHandle nvHandle = TpmHandle.NV(3001);
//
// Clean anything that might have been there before
//
tpm[ownerAuth]._AllowErrors().NvUndefineSpace(TpmHandle.RhOwner, nvHandle);
AuthValue nvAuth = AuthValue.FromRandom(8);
tpm[ownerAuth].NvDefineSpace(TpmHandle.RhOwner, nvAuth, new NvPublic(nvHandle, TpmAlgId.Sha1,
NvAttr.TpmaNvAuthread | NvAttr.TpmaNvAuthwrite, new byte[0], 32));
//
// write some data
//
var nvData = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7 };
tpm[nvAuth].NvWrite(nvHandle, nvHandle, nvData, 0);
byte[] nvName;
tpm.NvReadPublic(nvHandle, out nvName);
//
// Install evaluation callback
// Note: generally the callback will check that the parameters are
// actions that it is willing to authorize. Those checks are omitted here.
//
p.SetNvCallback((PolicyTree policyTree,
TpmPolicyNV ace,
out SessionBase authorizingSession,
out TpmHandle authorizedEntityHandle,
out TpmHandle nvHandleIs) =>
{
authorizedEntityHandle = nvHandle;
nvHandleIs = nvHandle;
authorizingSession = nvAuth;
});
//
// counter-timer: The policy will check that the reset-count
// is the current value.
//
int start, end;
TimeInfo now = tpm.ReadClock();
Marshaller.GetFragmentInfo(now, "resetCount", out start, out end);
byte[] operandB = Marshaller.GetTpmRepresentation(now.clockInfo.resetCount);
//
// Get a cpHash for the command we want to execute
//
var cpHash = new TpmHash(TpmAlgId.Sha256);
tpm._GetCpHash(cpHash).HierarchyChangeAuth(TpmHandle.RhOwner, ownerAuth);
p.SetSignerCallback(SignerCallback);
//
// PolicySecret tests knowledge of ownerAuth. Note that the callback
// will generally check that it is prepared to authorize what it is
// being asked to authorize. Those checks are omitted here (we just
// provide a PWAP session containing ownerAuth.
//
p.SetPolicySecretCallback((PolicyTree policyTree,
TpmPolicySecret ace,
out SessionBase authorizingSession,
out TpmHandle authorizedEntityHandle,
out bool flushAuthEntity) =>
{
authorizingSession = ownerAuth;
authorizedEntityHandle = TpmHandle.RhOwner;
flushAuthEntity = false;
});
//
// If the policy contains a TpmPolicyAction then print out the
// action string on the console.
//
p.SetPolicyActionCallback((PolicyTree policy, TpmPolicyAction ace)
=> Console.WriteLine(ace.Action));
var policyRef = new byte[] { 1, 2, 3, 4 };
//
// Ticket expiration times have to be negative.
// Positive expiration times do not generate a ticket.
//
_expectedExpirationTime = -60;
//
// A normalized policy is an array of policy-chains written as
// arrays. Here "most" of the policy-ACEs are in the first chain, but some
// ACEs cannot co-exist, and some need a ticket from a prior evaluation.
//
pInit.CreateNormalizedPolicy(
new[]
{
new PolicyAce[]
{
new TpmPolicySigned(_publicSigningKey.GetPublicParms().GetName(),
// Newly created PubKey
true, // Nonce in signed data
_expectedExpirationTime, // expirationTime
new byte[0], // cpHash
policyRef) // policyRef
{NodeId = "Signing Key 1"}, // Distinguishing name
//
// Include owner-auth
//
new TpmPolicySecret(TpmHandle.RhOwner.GetName(), true,
new byte[0], new byte[] {1, 2, 3}, 0),
//
// Include PCR-values read earlier
//
new TpmPolicyPcr(expectedPcrVals),
//
// Command must be issued at locality two
//
new TpmPolicyLocality(LocalityAttr.TpmLocTwo),
//
// NV-data we set earlier must be present
//
new TpmPolicyNV(nvName, nvData, 0, Eo.Eq),
//
// This is a "dummy ACE" that is not executed on the TPM but
// a callback will be invoked at when the policy is executed.
// One use case for this is to increment a counter between two
// PolicyNV counter-checks.
//
new TpmPolicyAction("Output of TpmPolicyAction when executed."),
//
// Boot-count must be what we read earlier
//
new TpmPolicyCounterTimer(operandB, (ushort) start, Eo.Eq),
//
// Only authorize HierarchyChangeAuth
//
new TpmPolicyCommand(TpmCc.HierarchyChangeAuth),
//
// Include password
//
new TpmPolicyPassword(),
//
// Authorize a change from PolicyPP (last ACE below)
//
new TpmPolicyAuthorize(initPolicyHash.HashData,
policyAuthRef,
_publicSigningKey.GetPublicParms(),
TpmAlgId.Sha256,
policyAuthSig),
//
// Demand that the command be executed with PP asserted
//
new TpmPolicyPhysicalPresence(),
//
// Name for this branch
//
"branch_1"
},
new PolicyAce[]
{
//
// Bind to command/parameters
//
new TpmPolicyCpHash(cpHash),
//
// Name for this branch
//
"branch_2"
},
new PolicyAce[]
{
new TpmPolicyTicket(_publicSigningKey.GetPublicParms(),
policyRef,
TpmSt.AuthSigned)
//
// Distinguishing name for this node
//
{NodeId = "PolicyTicket"},
//
// Name for this branch
//
"branch_3"
},
//
// TODO: These ACEs are not evaluated yet in this sample
//
new PolicyAce[]
{
new TpmPolicyNameHash(),
new TpmPolicyCpHash(cpHash),
new TpmPolicyDuplicationSelect(new byte[0], new byte[0], true),
new TpmPolicyAuthValue(), // Include entity authValue in HMAC
new TpmPolicyNvWritten(),
"branch_4"
}
}
);
TpmHash policyHash = pInit.GetPolicyDigest();
//
// Check that we can serialize and deserialize the policy
//
const string fileName = @".\test1.xml";
pInit.SerializeToFile("Sample Policy",PolicySerializationFormat.Xml, fileName);
p.DeserializeFromFile(PolicySerializationFormat.Xml, fileName);
//
// And check that the policy hash is the same
//
TpmHash deserializedHash = p.GetPolicyDigest();
if (policyHash != deserializedHash)
{
throw new Exception("Serialization error");
}
//
// Execute the policy on the TPM. Start with "branch_1".
//
AuthSession s0 = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);
s0.RunPolicy(tpm, p, "branch_1");
//
// Check that the executed policy has the correct digest
//
byte[] actualPolicyDigest = tpm.PolicyGetDigest(s0.Handle);
if (policyHash != actualPolicyDigest)
{
throw new Exception("Policy Evaluation error");
}
//
// Set a command to use the policy
//
tpm[ownerAuth].SetPrimaryPolicy(TpmHandle.RhOwner, policyHash.HashData, TpmAlgId.Sha256);
//
// And then execute the command
//
tpm._AssertPhysicalPresence(true);
tpm._SetLocality(LocalityAttr.TpmLocTwo);
tpm[s0].HierarchyChangeAuth(TpmHandle.RhOwner, ownerAuth);
tpm._SetLocality(LocalityAttr.TpmLocZero);
tpm._AssertPhysicalPresence(false);
tpm.FlushContext(s0.Handle);
//
// Next, "branch_2".
//
s0 = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);
s0.RunPolicy(tpm, p, "branch_2");
tpm[s0].HierarchyChangeAuth(TpmHandle.RhOwner, ownerAuth);
tpm.FlushContext(s0.Handle);
//
// Now "branch_3" - ticket. Copy parms out of the ticket/ACE returned
// from TpmPolicySinged above.
//
var sigAce = p.GetAce<TpmPolicySigned>("Signing Key 1");
TkAuth signedTicket = p.GetTicket("Signing Key 1");
var tickAce = p.GetAce<TpmPolicyTicket>("PolicyTicket");
tickAce.CpHash = sigAce.CpHash;
tickAce.PolicyRef = sigAce.PolicyRef;
tickAce.ExpirationTime = sigAce.GetTimeout();
tickAce.SetTicket(signedTicket);
s0 = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);
s0.RunPolicy(tpm, p, "branch_3");
tpm[s0].HierarchyChangeAuth(TpmHandle.RhOwner, ownerAuth);
tpm.FlushContext(s0.Handle);
Console.WriteLine("Finished SamplePolicySerializationAndCallbacks.");
}
/// <summary>
/// Get the date of the specification from which the TPM was built.
/// </summary>
/// <param name="manufacturer"></param>
/// <param name="year"></param>
/// <param name="dayOfYear"></param>
/// <param name="tpm"></param>
public static void GetTpmInfo(Tpm2 tpm, out string manufacturer, out uint year, out uint dayOfYear)
{
// ReSharper disable once RedundantAssignment
manufacturer = "";
year = GetProperty(tpm, Pt.Year);
dayOfYear = GetProperty(tpm, Pt.DayOfYear);
uint manX = GetProperty(tpm, Pt.Manufacturer);
var arr = Marshaller.GetTpmRepresentation(manX);
manufacturer = (new System.Text.UTF8Encoding()).GetString(arr, 0, arr.Length);
}
/// <summary>
/// Some policies can be evaluated solely from public parts of the policy.
/// Others need a private keyholder to sign some data. Tpm2Lib provides a
/// callback facility for these cases. In this sample the callback
/// signs some data using a software key. But the callback might also
/// ask for a smartcard to sign a challenge, etc.
/// </summary>
/// <param name="tpm">reference to the TPM2 object to use.</param>
static void PolicyEvaluationWithCallback(Tpm2 tpm)
{
Console.WriteLine("Policy evaluation with callback sample.");
//
// Check if policy commands are implemented by TPM. This list
// could include all the other used commands as well.
// This check here makes sense for policy commands, because
// usually a policy has to be executed in full. If a command
// out of the chain of policy commands is not implemented in the
// TPM, the policy cannot be satisfied.
//
var usedCommands = new[] {
TpmCc.PolicySigned,
TpmCc.PolicyGetDigest
};
foreach (var commandCode in usedCommands)
{
if (!tpm.Helpers.IsImplemented(commandCode))
{
Console.WriteLine("Cancel Policy evaluation callback sample, because command {0} is not implemented by TPM.", commandCode);
return;
}
}
//
// Template for a software signing key
//
var signKeyPublicTemplate = new TpmPublic(TpmAlgId.Sha256,
ObjectAttr.Sign | ObjectAttr.Restricted,
new byte[0],
new RsaParms(SymDefObject.NullObject(),
new SchemeRsassa(TpmAlgId.Sha1),
2048, 0),
new Tpm2bPublicKeyRsa());
//
// Create a new random key
//
_publicSigningKey = new AsymCryptoSystem(signKeyPublicTemplate);
//
// Create a policy containing a TpmPolicySigned referring to the new
// software signing key.
//
_expectedExpirationTime = 60;
var policy = new PolicyTree(TpmAlgId.Sha256);
policy.Create(
new PolicyAce[]
{
new TpmPolicySigned(_publicSigningKey.GetPublicParms().GetName(),
// Newly created PubKey
true, // nonceTpm required, expiration time is given
_expectedExpirationTime, // expirationTime for policy
new byte[0], // cpHash
new byte[] {1, 2, 3, 4}) // policyRef
{NodeId = "Signing Key 1"}, // Distinguishing name
new TpmPolicyChainId("leaf") // Signed data
});
//
// Compute the expected hash for the policy session. This hash would be
// used in the object associated with the policy to confirm that the
// policy is actually fulfilled.
//
TpmHash expectedHash = policy.GetPolicyDigest();
//
// The use of the object associated with the policy has to evaluate the
// policy. In order to process TpmPolicySigned the caller will have to
// sign a data structure challenge from the TPM. Here we install a
// callback that will sign the challenge from the TPM.
//
policy.SetSignerCallback(SignerCallback);
//
// Evaluate the policy. Tpm2Lib will traverse the policy tree from leaf to
// root (in this case just TpmPolicySigned) and will call the signer callback
// to get a properly-formed challenge signed.
//
AuthSession authSession = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);
authSession.RunPolicy(tpm, policy, "leaf");
//
// And check that the TPM policy hash is what we expect
//
byte[] actualHash = tpm.PolicyGetDigest(authSession.Handle);
if (expectedHash != actualHash)
{
throw new Exception("Policy evaluation error");
}
Console.WriteLine("TpmPolicySignature evaluated.");
//
// Clean up
//
tpm.FlushContext(authSession.Handle);
}
internal abstract TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy);
/// <summary>
/// Demonstrate use of NV counters.
/// </summary>
/// <param name="tpm">Reference to the TPM object.</param>
static void NVCounter(Tpm2 tpm)
{
//
// AuthValue encapsulates an authorization value: essentially a byte-array.
// OwnerAuth is the owner authorization value of the TPM-under-test. We
// assume that it (and other) auths are set to the default (null) value.
// If running on a real TPM, which has been provisioned by Windows, this
// value will be different. An administrator can retrieve the owner
// authorization value from the registry.
//
var ownerAuth = new AuthValue();
TpmHandle nvHandle = TpmHandle.NV(3001);
//
// Clean up any slot that was left over from an earlier run
//
tpm[ownerAuth]._AllowErrors().NvUndefineSpace(TpmHandle.RhOwner, nvHandle);
//
// Scenario 2 - A NV-counter
//
AuthValue nvAuth = AuthValue.FromRandom(8);
tpm[ownerAuth].NvDefineSpace(TpmHandle.RhOwner, nvAuth,
new NvPublic(nvHandle, TpmAlgId.Sha1,
NvAttr.Counter |
NvAttr.Authread |
NvAttr.Authwrite,
new byte[0], 8));
//
// Must write before we can read
//
tpm[nvAuth].NvIncrement(nvHandle, nvHandle);
//
// Read the current value
//
byte[] nvRead = tpm[nvAuth].NvRead(nvHandle, nvHandle, 8, 0);
var initVal = Marshaller.FromTpmRepresentation<ulong>(nvRead);
//
// Increment
//
tpm[nvAuth].NvIncrement(nvHandle, nvHandle);
//
// Read again and see if the answer is what we expect
//
nvRead = tpm[nvAuth].NvRead(nvHandle, nvHandle, 8, 0);
var finalVal = Marshaller.FromTpmRepresentation<ulong>(nvRead);
if (finalVal != initVal + 1)
{
throw new Exception("NV-counter fail");
}
Console.WriteLine("Incremented counter from {0} to {1}.", initVal, finalVal);
//
// Clean up
//
tpm[ownerAuth].NvUndefineSpace(TpmHandle.RhOwner, nvHandle);
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
Tpm2bDigest[] branchList = GetPolicyHashArray(policy.PolicyHash.HashAlg);
tpm.PolicyOR(sess, branchList);
return(tpm._GetLastResponseCode());
}
/// <summary>
/// Dispatch a command to the underlying TPM. This method implements all
/// significant functionality. It examines the command stream and performs
/// (approximately) the following actions:
/// 1) If the command references a handle (session or transient object), then
/// TBS makes sure that the entity is loaded. If it is, then the handle is
/// "translated" to the underlying TPM handle. If it is not, then TBS checks
/// to see if it has a saved context for the entity, and if so, loads it.
/// 2) If the command will fill a slot, then TBS ensures that a slot is available.
/// It does this by ContextSaving the LRU entity of the proper type (that is
/// not used in this command).
/// </summary>
/// <param name="caller"></param>
/// <param name="active"></param>
/// <param name="inBuf"></param>
/// <param name="outBuf"></param>
/// <exception cref="Exception"></exception>
internal void DispatchCommand(TbsContext caller, CommandModifier active, byte[] inBuf, out byte[] outBuf)
{
lock (this)
{
CommandNumber++;
// ReSharper disable once CompareOfFloatsByEqualityOperator
if (StateSaveProbability != 0.0)
{
// S3 debug support
DebugStateSave();
LastStateSaveCommandNumber = CommandNumber;
}
CommandHeader commandHeader;
TpmHandle[] inHandles;
SessionIn[] inSessions;
byte[] commandParmsNoHandles;
bool legalCommand = CommandProcessor.CrackCommand(inBuf,
out commandHeader, out inHandles, out inSessions, out commandParmsNoHandles);
if (!legalCommand)
{
// Is a diagnostics command. Pass through to TPM (a real RM would refuse).
TpmDevice.DispatchCommand(active, inBuf, out outBuf);
return;
}
TpmCc cc = commandHeader.CommandCode;
// Lookup command
CommandInfo command = Tpm2.CommandInfoFromCommandCode(cc);
if (command == null)
{
throw new Exception("Unrecognized command");
}
if (cc == TpmCc.ContextLoad || cc == TpmCc.ContextSave)
{
Debug.WriteLine("ContextLoad and ContextSave are not supported in this build");
outBuf = Marshaller.GetTpmRepresentation(new Object[] {
TpmSt.NoSessions,
(uint)10,
TpmRc.NotUsed
});
}
// Look up referenced objects and sessions
ObjectContext[] neededObjects = GetReferencedObjects(caller, inHandles);
ObjectContext[] neededSessions = GetSessions(caller, inSessions);
ObjectContext[] neededEntities =
neededObjects != null
? neededSessions != null
? neededObjects.Concat(neededSessions).ToArray()
: neededObjects
: neededSessions;
#if false
// LibTester may intentionally use invalid handles, therefore it always
// work in the passthru mode (all correctness checks by TSS infra suppressed)
if (!Tpm2._TssBehavior.Passthrough &&
(neededObjects == null || neededSessions == null))
#endif
if (neededObjects == null || neededSessions == null)
{
// One or more of the handles was not registered for the context
byte[] ret = FormatError(TpmRc.Handle);
outBuf = ret;
return;
}
// Load referenced objects and sessions (free slots if needed)
// It's important to load all object and session handles in a single call
// to LoadEntities(), as for some commands (e.g. GetSessionAuditDigest)
// the objects array may contain session handles. In this case the session
// handles loaded by the invocation of LoadEntities for neededObjects
// may be evicted again during the subsequent call for neededSessions.
var expectedResponses = Tpm._GetExpectedResponses();
if (!LoadEntities(neededEntities))
{
throw new Exception("Failed to make space for objects or sessions");
}
else
{
// At this point everything referenced should be loaded, and
// there will be a free slot if needed so we can translate
// the input handles to the underlying handles
ReplaceHandlesIn(inHandles, inSessions, neededObjects, neededSessions);
}
// Re-create the command using translated object and session handles
byte[] commandBuf = CommandProcessor.CreateCommand(commandHeader.CommandCode,
inHandles, inSessions, commandParmsNoHandles);
if (!Tpm2._TssBehavior.Passthrough)
{
Debug.Assert(commandBuf.Length == inBuf.Length);
}
byte[] responseBuf;
// TODO: Virtualize TPM2_GetCapability() for handle enumeration.
//
// Execute command on underlying TPM device.
// If we get an ObjectMemory or SessionMemory error we try to make more space and try again
// Note: If the TPM device throws an error above we let it propagate out. There should be no side
// effects on TPM state that the TBS cares about.
//
ulong firstCtxSeqNum = 0;
while (true)
{
Tpm._ExpectResponses(expectedResponses);
TpmDevice.DispatchCommand(active, commandBuf, out responseBuf);
TpmRc res = GetResultCode(responseBuf);
if (res == TpmRc.Success ||
expectedResponses != null && expectedResponses.Contains(res))
{
break;
}
if (res == TpmRc.ContextGap)
{
ulong seqNum = ShortenSessionContextGap(firstCtxSeqNum);
if (seqNum == 0)
{
break; // Failed to handle CONTEXT_GAP error
}
if (firstCtxSeqNum == 0)
{
firstCtxSeqNum = seqNum;
}
//if (firstCtxSeqNum != 0)
// Console.WriteLine("DispatchCommand: CONTEXT_GAP handled");
continue;
}
var slotType = SlotType.NoSlot;
if (res == TpmRc.ObjectHandles || res == TpmRc.ObjectMemory)
{
slotType = SlotType.ObjectSlot;
}
else if (res == TpmRc.SessionHandles || res == TpmRc.SessionMemory)
{
slotType = SlotType.SessionSlot;
}
else
{
// Command failure not related to resources
break;
}
if (!MakeSpace(slotType, neededEntities))
{
// Failed to make an object slot in the TPM
responseBuf = TpmErrorHelpers.BuildErrorResponseBuffer(TpmRc.Memory);
break;
}
}
// Parse the response from the TPM
TpmSt responseTag;
uint responseParamSize;
TpmRc resultCode;
TpmHandle[] responseHandles;
SessionOut[] responseSessions;
byte[] responseParmsNoHandles, responseParmsWithHandles;
CommandProcessor.SplitResponse(responseBuf,
command.HandleCountOut,
out responseTag,
out responseParamSize,
out resultCode,
out responseHandles,
out responseSessions,
out responseParmsNoHandles,
out responseParmsWithHandles);
// In case of an error there is no impact on the loaded sessions, but
// we update the LRU values because the user will likely try again.
if (resultCode != TpmRc.Success)
{
outBuf = responseBuf;
UpdateLastUseCount(new[] { neededObjects, neededSessions });
return;
}
// Update TBS database with any newly created TPM objects
ProcessUpdatedTpmState(caller, command, responseHandles, neededObjects);
// And if there were any newly created objects use the new DB entries
// to translate the handles
ReplaceHandlesOut(responseHandles);
outBuf = CommandProcessor.CreateResponse(resultCode, responseHandles,
responseSessions, responseParmsNoHandles);
Debug.Assert(outBuf.Length == responseBuf.Length);
} // lock(this)
}
internal override TpmRc Execute(Tpm2 tpm, AuthSession sess, PolicyTree policy)
{
tpm.PolicyPCR(sess, Pcrs.GetSelectionHash(policy.PolicyHash),
Pcrs.GetPcrSelectionArray());
return(tpm._GetLastResponseCode());
}
public static byte[] GetPcrProperty(Tpm2 tpm, PtPcr prop)
{
ICapabilitiesUnion caps;
tpm.GetCapability(Cap.PcrProperties, (uint)prop, 1, out caps);
TaggedPcrSelect[] props = (caps as TaggedPcrPropertyArray).pcrProperty;
if (props.Length == 0)
{
return null;
}
if (props.Length != 1)
{
Globs.Throw("Unexpected return from GetCapability");
}
return props[0].pcrSelect;
}
/// <summary>
/// Executes the hashing functionality. After parsing arguments, the
/// function connects to the selected TPM device and invokes the TPM
/// commands on that connection.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
string tpmDeviceName;
if (!ParseArguments(args, out tpmDeviceName))
{
WriteUsage();
return;
}
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSimulator:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
Pcrs(tpm);
QuotePcrs(tpm);
StorageRootKey(tpm);
//
// Need a synchronization event to avoid disposing TPM object before
// asynchronous method completed.
//
var sync = new AutoResetEvent(false);
Console.WriteLine("Calling asynchronous method.");
PrimarySigningKeyAsync(tpm, sync);
Console.WriteLine("Waiting for asynchronous method to complete.");
sync.WaitOne();
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
/// <summary>
/// Executes the GetRandom functionality. After parsing arguments, the function
/// connects to the selected TPM device and invokes the GetRandom command on
/// that connection. If the command was successful, the random byte stream
/// is displayed.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
string tpmDeviceName;
ushort bytesRequested;
if (!ParseArguments(args, out tpmDeviceName, out bytesRequested))
{
WriteUsage();
return;
}
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSimulator:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
//
// Execute the TPM2_GetRandom command. The function takes the requested
// number of bytes as input and returns the random bytes generated by
// the TPM.
//
byte[] randomBytes = tpm.GetRandom(bytesRequested);
//
// Output the generated random byte string to the console.
//
WriteBytes(randomBytes);
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
/// <summary>
/// This sample demonstrates the creation of a signing "primary" key and use of this
/// key to sign data, and use of the TPM and Tpm2Lib to validate the signature.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
string tpmDeviceName;
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
if (!ParseArguments(args, out tpmDeviceName))
{
WriteUsage();
return;
}
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSimulator:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
//
// Connect to the TPM device. This function actually establishes the connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
//
// Run individual tests.
//
SimplePolicy(tpm);
PolicyOr(tpm);
PolicySerialization();
PolicyEvaluationWithCallback(tpm);
PolicyEvaluationWithCallback2(tpm);
SamplePolicySerializationAndCallbacks(tpm);
//
// Clean up.
//
tpm.Dispose();
}
catch (TpmException e)
{
//
// If a command fails because an unexpected return code is in the response,
// i.e., TPM returns an error code where success is expected or success
// where an error code is expected. Or if the response is malformed, then
// the unmarshaling code will throw a TPM exception.
// The Error string will contain a description of the return code. Usually the
// return code will be a known TPM return code. However, if using the TPM through
// TBS, TBS might encode internal error codes into the response code. For instance
// a return code of 0x80280400 indicates that a command is blocked by TBS. This
// error code is also returned if the command is not implemented by the TPM.
//
// You can see the information included in the TPM exception by removing the
// checks for available TPM commands above and running the sample on a TPM
// without the required commands.
//
Console.WriteLine("TPM exception occurred: {0}", e.ErrorString);
Console.WriteLine("Call stack: {0}", e.StackTrace);
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}