Merge pull request #194 from ionut-arm/tcti-conf

Add TCTI configuration functionality

Author: ionut-arm

Cargo.lock

@@ -33,7 +33,7 @@ log = { version = "0.4.8", features = ["serde"] }
 pkcs11 = { version = "0.4.0", optional = true }
 picky-asn1-der = { version = "0.2.2", optional = true }
 picky-asn1 = { version = "0.2.1", optional = true }
-tss-esapi = { version = "4.0.3-alpha.1", optional = true }
+tss-esapi = { version = "4.0.5-alpha.1", optional = true }
 bincode = "1.1.4"
 structopt = "0.3.5"
 derivative = "2.1.1"

Cargo.toml

@@ -73,10 +73,16 @@ key_info_manager = "on-disk-manager"
 #[[provider]]
 #provider_type = "Tpm"
 #key_info_manager = "on-disk-manager"
-# (Required) TPM TCTI device to use with this provider. Options are:
-# - "device": uses the TPM device on /dev/tpm0
-# - "mssim": uses the simulation TPM with the socket
-# - "tabrmd": uses the TPM2 Access Broker & Resource Management Daemon
+# (Required) TPM TCTI device to use with this provider. The string can include configuration values - if no
+# configuration value is given, the defaults are used. Options are:
+# - "device": uses a TPM device available as a file node; path can be given as a configuration string,
+# e.g "device:/path/to/tpm"; the default path is /dev/tpm0
+# - "mssim": uses the TPM simulator server with the socket; server path and/or port can be given as configuration values,
+# e.g. "mssim:host=168.0.1.1,port=1234"; "host" can be set to IPv4, IPv6 or a hostname; default values are 
+# "localhost" for "host" and 2321 for "port"
+# - "tabrmd": uses the TPM2 Access Broker & Resource Management Daemon; dbus name and type ("session" or 
+# "system") can be given as parameters: e.g. "tabrmd:bus_name=some.bus.Name,bus_type=session"; default
+# values are "com.intel.tss2.Tabrmd" for "bus_name" and "system" for "bus_type"
 #tcti = "mssim"
 # (Required) Authentication value for performing operations on the TPM Owner Hierarchy. The string can
 # be empty, however we strongly suggest that you use a secure passcode.

config.toml

@@ -16,5 +16,5 @@ manager_type = "OnDisk"
 [[provider]]
 provider_type = "Tpm"
 key_info_manager = "on-disk-manager"
-tcti = "mssim"
+tcti = "mssim:host=127.0.0.1,port=2321"
 owner_hierarchy_auth = "hex:74706d5f70617373" # "tpm_pass" in hex

e2e_tests/provider_cfg/tpm/config.toml

@@ -8,7 +8,7 @@ use super::Provide;
 use crate::authenticators::ApplicationName;
 use crate::key_info_managers::ManageKeyInfo;
 use derivative::Derivative;
-use log::{error, info, trace};
+use log::{info, trace};
 use parsec_interface::operations::list_providers::ProviderInfo;
 use parsec_interface::operations::{
     psa_destroy_key, psa_export_public_key, psa_generate_key, psa_import_key, psa_sign_hash,
@@ -17,9 +17,10 @@ use parsec_interface::operations::{
 use parsec_interface::requests::{Opcode, ProviderID, ResponseStatus, Result};
 use std::collections::HashSet;
 use std::io::ErrorKind;
+use std::str::FromStr;
 use std::sync::{Arc, Mutex, RwLock};
 use tss_esapi::utils::algorithm_specifiers::Cipher;
-use tss_esapi::Tcti;
+use tss_esapi::utils::tcti::Tcti;
 use uuid::Uuid;
 
 mod asym_sign;
@@ -154,7 +155,7 @@ impl Drop for TpmProvider {
 pub struct TpmProviderBuilder {
     #[derivative(Debug = "ignore")]
     key_info_store: Option<Arc<RwLock<dyn ManageKeyInfo + Send + Sync>>>,
-    tcti: Option<Tcti>,
+    tcti: Option<String>,
     owner_hierarchy_auth: Option<String>,
 }
 
@@ -177,17 +178,7 @@ impl TpmProviderBuilder {
     }
 
     pub fn with_tcti(mut self, tcti: &str) -> TpmProviderBuilder {
-        // Convert from a String to the enum.
-        self.tcti = match tcti {
-            "device" => Some(Tcti::Device),
-            "mssim" => Some(Tcti::Mssim),
-            _ => {
-                if crate::utils::GlobalConfig::log_error_details() {
-                    error!("The string {} does not match a TCTI device.", tcti);
-                }
-                None
-            }
-        };
+        self.tcti = Some(tcti.to_owned());
 
         self
     }
@@ -231,8 +222,15 @@ impl TpmProviderBuilder {
     unsafe fn find_default_context_cipher(&self) -> std::io::Result<Cipher> {
         let ciphers = [Cipher::aes_256_cfb(), Cipher::aes_128_cfb()];
         let mut ctx = tss_esapi::Context::new(
-            self.tcti
-                .ok_or_else(|| std::io::Error::new(ErrorKind::InvalidData, "missing TCTI"))?,
+            Tcti::from_str(self.tcti.as_ref().ok_or_else(|| {
+                std::io::Error::new(ErrorKind::InvalidData, "Invalid TCTI configuration string")
+            })?)
+            .or_else(|_| {
+                Err(std::io::Error::new(
+                    ErrorKind::InvalidData,
+                    "Invalid TCTI configuration string",
+                ))
+            })?,
         )
         .or_else(|e| {
             format_error!("Error when creating TSS Context", e);
@@ -264,9 +262,15 @@ impl TpmProviderBuilder {
     pub unsafe fn build(mut self) -> std::io::Result<TpmProvider> {
         let hierarchy_auth = self.get_hierarchy_auth()?;
         let default_cipher = self.find_default_context_cipher()?;
-        let tcti = self
-            .tcti
-            .ok_or_else(|| std::io::Error::new(ErrorKind::InvalidData, "missing TCTI"))?;
+        let tcti = Tcti::from_str(self.tcti.as_ref().ok_or_else(|| {
+            std::io::Error::new(ErrorKind::InvalidData, "Invalid TCTI configuration string")
+        })?)
+        .or_else(|_| {
+            Err(std::io::Error::new(
+                ErrorKind::InvalidData,
+                "Invalid TCTI configuration string",
+            ))
+        })?;
         TpmProvider::new(
             self.key_info_store.ok_or_else(|| {
                 std::io::Error::new(ErrorKind::InvalidData, "missing key info store")