[WIP] Add initial TPM2 support to libspdm

CMakeLists.txt

@@ -35,11 +35,16 @@ set(GCOV ${GCOV} CACHE STRING "Choose the target of Gcov: ON  OFF, and default i
 set(STACK_USAGE ${STACK_USAGE} CACHE STRING "Choose the target of STACK_USAGE: ON  OFF, and default is OFF" FORCE)
 set(BUILD_LINUX_SHARED_LIB ${BUILD_LINUX_SHARED_LIB} CACHE STRING "Choose if libspdm shared library should be built for linux: ON OFF, and default is OFF" FORCE)
 set(X509_IGNORE_CRITICAL ${X509_IGNORE_CRITICAL} CACHE STRING "Choose if libspdm-provided cryptography libraries (OpenSSL and MbedTLS) ignore unsupported critical extensions in certificates : ON OFF, and default is OFF" FORCE)
+set(DEVICE ${DEVICE} CACHE STRING "Choose the device of build: sample tpm" FORCE)
 
 if(NOT GCOV)
     set(GCOV "OFF")
 endif()
 
+if(NOT DEVICE)
+    set(DEVICE "sample")
+endif()
+
 if(NOT STACK_USAGE)
     set(STACK_USAGE "OFF")
 endif()
@@ -61,6 +66,7 @@ set(COMPILED_LIBCRYPTO_PATH ${COMPILED_LIBCRYPTO_PATH} CACHE STRING "Optionally
 set(COMPILED_LIBSSL_PATH ${COMPILED_LIBSSL_PATH} CACHE STRING "Optionally provide a path to libssl" FORCE)
 
 message("CMAKE_GENERATOR = ${CMAKE_GENERATOR}")
+message("DEVICE = ${DEVICE}")
 
 if(ARCH STREQUAL "x64")
     message("ARCH = x64")
@@ -936,7 +942,7 @@ if(ENABLE_CODEQL STREQUAL "ON")
     add_subdirectory(os_stub/platform_lib)
     add_subdirectory(os_stub/platform_lib_null)
     add_subdirectory(os_stub/malloclib)
-    add_subdirectory(os_stub/spdm_device_secret_lib_sample)
+    add_subdirectory(os_stub/spdm_device_secret_lib_${DEVICE})
     add_subdirectory(os_stub/spdm_device_secret_lib_null)
     add_subdirectory(os_stub/spdm_cert_verify_callback_sample)
     add_subdirectory(os_stub/cryptlib_null)
@@ -975,7 +981,7 @@ else()
         add_subdirectory(os_stub/platform_lib)
         add_subdirectory(os_stub/platform_lib_null)
         add_subdirectory(os_stub/malloclib)
-        add_subdirectory(os_stub/spdm_device_secret_lib_sample)
+        add_subdirectory(os_stub/spdm_device_secret_lib_${DEVICE})
         add_subdirectory(os_stub/spdm_device_secret_lib_null)
         add_subdirectory(os_stub/spdm_cert_verify_callback_sample)
 

os_stub/spdm_device_secret_lib_tpm/CMakeLists.txt

@@ -0,0 +1,33 @@
+cmake_minimum_required(VERSION 3.5)
+
+add_library(spdm_device_secret_lib_tpm STATIC "")
+
+target_include_directories(spdm_device_secret_lib_tpm
+    PRIVATE
+        ${LIBSPDM_DIR}/os_stub/spdm_device_secret_lib_tpm
+        ${LIBSPDM_DIR}/include
+        ${LIBSPDM_DIR}/include/hal
+        ${LIBSPDM_DIR}/os_stub
+)
+
+target_sources(spdm_device_secret_lib_tpm
+    PRIVATE
+        lib.c
+        sign.c
+        chal.c
+        measurment.c
+        key_pair.c
+
+        crypto_stub.c
+
+        ../spdm_device_secret_lib_sample/read_priv_key_pem.c
+        ../spdm_device_secret_lib_sample/read_priv_key_pem_pqc.c
+        ../spdm_device_secret_lib_sample/read_priv_key_raw_data.c
+        ../spdm_device_secret_lib_sample/read_priv_key_raw_data_pqc.c
+        ../spdm_device_secret_lib_sample/read_pub_cert.c
+        ../spdm_device_secret_lib_sample/read_pub_cert_pqc.c
+        ../spdm_device_secret_lib_sample/read_pub_key_der.c
+        ../spdm_device_secret_lib_sample/read_pub_key_der_pqc.c
+        ../spdm_device_secret_lib_sample/read_special_cert.c
+        # ../spdm_device_secret_lib_sample/set_cert.c
+)

os_stub/spdm_device_secret_lib_tpm/chal.c

@@ -0,0 +1,54 @@
+#include "spdm_device_secret_lib_internal.h"
+#include "crypto_stub_internal.h"
+
+
+#if LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP
+size_t libspdm_secret_lib_challenge_opaque_data_size;
+bool libspdm_challenge_opaque_data(
+    void *spdm_context,
+    spdm_version_number_t spdm_version,
+    uint8_t slot_id,
+    uint8_t *measurement_summary_hash,
+    size_t measurement_summary_hash_size,
+    void *opaque_data,
+    size_t *opaque_data_size)
+{
+    size_t index;
+
+    LIBSPDM_ASSERT(libspdm_secret_lib_challenge_opaque_data_size <= *opaque_data_size);
+
+    *opaque_data_size = libspdm_secret_lib_challenge_opaque_data_size;
+
+    for (index = 0; index < *opaque_data_size; index++)
+    {
+        ((uint8_t *)opaque_data)[index] = (uint8_t)index;
+    }
+
+    return true;
+}
+#endif /* LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP */
+
+#if LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP
+bool libspdm_encap_challenge_opaque_data(
+    void *spdm_context,
+    spdm_version_number_t spdm_version,
+    uint8_t slot_id,
+    uint8_t *measurement_summary_hash,
+    size_t measurement_summary_hash_size,
+    void *opaque_data,
+    size_t *opaque_data_size)
+{
+    size_t index;
+
+    LIBSPDM_ASSERT(libspdm_secret_lib_challenge_opaque_data_size <= *opaque_data_size);
+
+    *opaque_data_size = libspdm_secret_lib_challenge_opaque_data_size;
+
+    for (index = 0; index < *opaque_data_size; index++)
+    {
+        ((uint8_t *)opaque_data)[index] = (uint8_t)index;
+    }
+
+    return true;
+}
+#endif /* LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP */

os_stub/spdm_device_secret_lib_tpm/crypto_stub.c

@@ -0,0 +1,86 @@
+/*
+ * TODO: APIs in this file need to be the part of crypto libraries
+ */
+
+#include <dlfcn.h>
+
+#include "crypto_stub_internal.h"
+
+
+bool g_tpm_device_initialized = false;
+OSSL_LIB_CTX* g_libctx = NULL;
+
+void libspdm_tpm_device_init() {
+    if (g_tpm_device_initialized)
+        return;
+
+    g_libctx = OSSL_LIB_CTX_new();
+
+    void *handle = dlopen("tpm2.so", RTLD_GLOBAL | RTLD_NOW);
+    if (handle == NULL){
+        fprintf(stderr, "dlopen: %s\n", dlerror());
+        exit(EXIT_FAILURE);
+    }
+
+    OSSL_provider_init_fn *fun = (OSSL_provider_init_fn *)dlsym(handle, "OSSL_provider_init");
+    if (fun == NULL){
+        fprintf(stderr, "dlsym: %s\n", dlerror());
+        exit(EXIT_FAILURE);
+    }
+
+    if (OSSL_PROVIDER_add_builtin(g_libctx, "tpm2", fun) <= 0){
+        fprintf(stderr, "ERROR: failed to add builtin\n");
+        exit(EXIT_FAILURE);
+    }
+
+    OSSL_PROVIDER *tpm_provider = NULL;
+
+    if ((tpm_provider = OSSL_PROVIDER_load(g_libctx, "tpm2")) == NULL){
+        fprintf(stderr, "ERROR: failed to load tpm2\n");
+        exit(EXIT_FAILURE);
+    }
+
+    fprintf(stdout, "SELF TEST %d\n", OSSL_PROVIDER_self_test(tpm_provider));
+
+    fprintf(stdout, "************************************\n"
+            " Loaded tpm2 module successfully\n");
+    fprintf(stdout, "TPM2: %p\n", (void *)tpm_provider);
+
+    g_tpm_device_initialized = true;
+}
+
+
+bool libspdm_read_private_key_from_tpm(const char *handle, void **context)
+{
+    OSSL_STORE_CTX *store_ctx = NULL;
+    OSSL_STORE_INFO *info = NULL;
+    EVP_PKEY *pkey = NULL;
+
+    fprintf(stdout, "IS TPM AVAIABLE %d\n", OSSL_PROVIDER_available(g_libctx, "tpm2"));
+
+    /* handle must look like: "tpm2tss:0x81010002" */
+    store_ctx = OSSL_STORE_open_ex("handle:0x81010003", g_libctx, "provider=tpm2", NULL, NULL, NULL, NULL, NULL);
+    if (!store_ctx){
+        return false;
+    }
+
+    while ((info = OSSL_STORE_load(store_ctx)) != NULL)
+    {
+        if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY){
+            pkey = OSSL_STORE_INFO_get1_PKEY(info);
+            OSSL_STORE_INFO_free(info);
+            break;
+        }
+        OSSL_STORE_INFO_free(info);
+    }
+
+    OSSL_STORE_close(store_ctx);
+
+    if (pkey == NULL){
+        fprintf(stderr, "no private key found in tpm handle %s\n", handle);
+        return false;
+    }
+
+    *context = pkey;
+    return true;
+}

os_stub/spdm_device_secret_lib_tpm/crypto_stub_internal.h

@@ -0,0 +1,13 @@
+#ifndef __CRYPTO_SUB_INTERNAL_H__
+#define __CRYPTO_SUB_INTERNAL_H__
+
+#include <stdbool.h>
+
+#include "openssllib/openssl/include/openssl/provider.h"
+#include "openssllib/openssl/include/openssl/store.h"
+
+void libspdm_tpm_device_init();
+
+bool libspdm_read_private_key_from_tpm(const char *handle, void **context);
+
+#endif

os_stub/spdm_device_secret_lib_tpm/key_pair.c

@@ -0,0 +1,59 @@
+#include "spdm_device_secret_lib_internal.h"
+#include "crypto_stub_internal.h"
+
+
+#if LIBSPDM_ENABLE_CAPABILITY_GET_KEY_PAIR_INFO_CAP
+
+/**
+ * read the key pair info of the key_pair_id.
+ *
+ * @param  spdm_context               A pointer to the SPDM context.
+ * @param  key_pair_id                Indicate which key pair ID's information to retrieve.
+ *
+ * @param  capabilities               Indicate the capabilities of the requested key pairs.
+ * @param  key_usage_capabilities     Indicate the key usages the responder allows.
+ * @param  current_key_usage          Indicate the currently configured key usage for the requested key pairs ID.
+ * @param  asym_algo_capabilities     Indicate the asymmetric algorithms the Responder supports for this key pair ID.
+ * @param  current_asym_algo          Indicate the currently configured asymmetric algorithm for this key pair ID.
+ * @param  assoc_cert_slot_mask       This field is a bit mask representing the currently associated certificate slots.
+ * @param  public_key_info_len        On input, indicate the size in bytes of the destination buffer to store.
+ *                                    On output, indicate the size in bytes of the public_key_info.
+ *                                    It can be NULL, if public_key_info is not required.
+ * @param  public_key_info            A pointer to a destination buffer to store the public_key_info.
+ *                                    It can be NULL, if public_key_info is not required.
+ *
+ * @retval true  get key pair info successfully.
+ * @retval false get key pair info failed.
+ **/
+bool libspdm_read_key_pair_info(
+    void *spdm_context,
+    uint8_t key_pair_id,
+    uint16_t *capabilities,
+    uint16_t *key_usage_capabilities,
+    uint16_t *current_key_usage,
+    uint32_t *asym_algo_capabilities,
+    uint32_t *current_asym_algo,
+    uint32_t *pqc_asym_algo_capabilities,
+    uint32_t *current_pqc_asym_algo,
+    uint8_t *assoc_cert_slot_mask,
+    uint16_t *public_key_info_len,
+    uint8_t *public_key_info)
+{
+    return false;
+}
+#endif /* LIBSPDM_ENABLE_CAPABILITY_GET_KEY_PAIR_INFO_CAP */
+
+#if LIBSPDM_ENABLE_CAPABILITY_SET_KEY_PAIR_INFO_CAP
+bool libspdm_write_key_pair_info(
+    void *spdm_context,
+    uint8_t key_pair_id,
+    uint8_t operation,
+    uint16_t desired_key_usage,
+    uint32_t desired_asym_algo,
+    uint32_t desired_pqc_asym_algo,
+    uint8_t desired_assoc_cert_slot_mask,
+    bool *need_reset)
+{
+    return false;
+}
+#endif /* #if LIBSPDM_ENABLE_CAPABILITY_SET_KEY_PAIR_INFO_CAP */