wolfSSL · danielinux · Sep 10, 2024 · Sep 10, 2024
diff --git a/.github/workflows/test-build-sim-tpm.yml b/.github/workflows/test-build-sim-tpm.yml
@@ -67,8 +67,10 @@ jobs:
       - name: Create a PCR Policy
         run: |
           echo aaa > aaa.bin
+          echo bbb > bbb.bin
           ./tools/tpm/pcr_extend 0 aaa.bin
-          ./tools/tpm/policy_create -pcr=0 -out=policy.bin
+          ./tools/tpm/pcr_extend 1 bbb.bin
+          ./tools/tpm/policy_create -pcr=1 -pcr=0 -out=policy.bin
 
       - name: Build wolfboot
         run: |

diff --git a/docs/TPM.md b/docs/TPM.md
@@ -59,49 +59,54 @@ NOTE: The TPM's RSA verify requires ASN.1 encoding, so use SIGN=RSA2048ENC
 % make keytools
 % make tpmtools
 % echo aaa > aaa.bin
+% echo bbb > bbb.bin
 % ./tools/tpm/pcr_extend 0 aaa.bin
-% ./tools/tpm/policy_create -pcr=0
+% ./tools/tpm/pcr_extend 1 bbb.bin
+# hash for policy PCR is done 1 then 0
+% ./tools/tpm/policy_create -pcr=1 -pcr=0 -out=policy.bin
 # if ROT enabled
 % ./tools/tpm/rot -write [-auth=TestAuth]
 % make clean
 $ make POLICY_FILE=policy.bin [WOLFBOOT_TPM_KEYSTORE_AUTH=TestAuth] [WOLFBOOT_TPM_SEAL_AUTH=SealAuth]
 
 % ./wolfboot.elf get_version
-Simulator assigned ./internal_flash.dd to base 0x103378000
-Mfg IBM  (0), Vendor SW   TPM, Fw 8217.4131 (0x163636), FIPS 140-2 1, CC-EAL4 0
+Simulator assigned ./internal_flash.dd to base 0x107175000
+Mfg IBM  (0), Vendor SW   TPM, Fw 8228.293 (0x120000), FIPS 140-2 1, CC-EAL4 0
 Unlocking disk...
-Boot partition: 0x1033f8000
-Image size 54400
+Boot partition: 0x1071f5000 (size 21288, version 0x1)
 Error 395 reading blob from NV index 1400300 (error TPM_RC_HANDLE)
 Error 395 unsealing secret! (TPM_RC_HANDLE)
 Sealed secret does not exist!
 Creating new secret (32 bytes)
-430dee45553c4a8b75fbc6bcd0890765c48cab760b24b1aa6b633dc0538e0159
-Wrote 210 bytes to NV index 0x1400300
-Read 210 bytes from NV index 0x1400300
+7801a7fb716371c975a9a1bca6159a223bc7dba6adb2acf82781421062e498a5
+Error 395 deleting blob from NV index 1400300 (error TPM_RC_HANDLE)
+Wrote 242 bytes to NV index 0x1400300
+Read 242 bytes from NV index 0x1400300
 Secret Check 32 bytes
-430dee45553c4a8b75fbc6bcd0890765c48cab760b24b1aa6b633dc0538e0159
+7801a7fb716371c975a9a1bca6159a223bc7dba6adb2acf82781421062e498a5
 Secret 32 bytes
-430dee45553c4a8b75fbc6bcd0890765c48cab760b24b1aa6b633dc0538e0159
-Boot partition: 0x1033f8000
-Image size 54400
+7801a7fb716371c975a9a1bca6159a223bc7dba6adb2acf82781421062e498a5
+Boot partition: 0x1071f5000 (size 21288, version 0x1)
+Boot header magic 0x00000000 invalid at 0x107275000
+Boot partition: 0x1071f5000 (size 21288, version 0x1)
+Booting version: 0x1
 TPM Root of Trust valid (id 0)
-Simulator assigned ./internal_flash.dd to base 0x103543000
+Simulator assigned ./internal_flash.dd to base 0x1073cc000
 1
-
 % ./wolfboot.elf get_version
-Simulator assigned ./internal_flash.dd to base 0x10c01c000
-Mfg IBM  (0), Vendor SW   TPM, Fw 8217.4131 (0x163636), FIPS 140-2 1, CC-EAL4 0
+Simulator assigned ./internal_flash.dd to base 0x102f38000
+Mfg IBM  (0), Vendor SW   TPM, Fw 8228.293 (0x120000), FIPS 140-2 1, CC-EAL4 0
 Unlocking disk...
-Boot partition: 0x10c09c000
-Image size 54400
-Read 210 bytes from NV index 0x1400300
+Boot partition: 0x102fb8000 (size 21288, version 0x1)
+Read 242 bytes from NV index 0x1400300
 Secret 32 bytes
-430dee45553c4a8b75fbc6bcd0890765c48cab760b24b1aa6b633dc0538e0159
-Boot partition: 0x10c09c000
-Image size 54400
+7801a7fb716371c975a9a1bca6159a223bc7dba6adb2acf82781421062e498a5
+Boot partition: 0x102fb8000 (size 21288, version 0x1)
+Boot header magic 0x00000000 invalid at 0x103038000
+Boot partition: 0x102fb8000 (size 21288, version 0x1)
+Booting version: 0x1
 TPM Root of Trust valid (id 0)
-Simulator assigned ./internal_flash.dd to base 0x10c1e7000
+Simulator assigned ./internal_flash.dd to base 0x10318f000
 1
 ```
 

diff --git a/lib/wolfTPM b/lib/wolfTPM
diff --git a/src/tpm.c b/src/tpm.c
@@ -476,9 +476,9 @@ uint32_t wolfBoot_tpm_pcrmask_sel(uint32_t pcrMask, uint8_t* pcrArray,
     uint32_t pcrArraySzAct = 0;
     for (i=0; i<IMPLEMENTATION_PCR; i++) {
         if (pcrMask & (1 << i)) {
-            pcrArray[pcrArraySzAct++] = i;
-            if (pcrArraySzAct < pcrArraySz) { /* make sure we have room */
-                break;
+            /* add if we have room */
+            if (pcrArraySzAct < pcrArraySz) {
+                pcrArray[pcrArraySzAct++] = i;
             }
         }
     }

diff --git a/tools/tpm/policy_create.c b/tools/tpm/policy_create.c
@@ -116,9 +116,9 @@ uint32_t wolfBoot_tpm_pcrmask_sel(uint32_t pcrMask, uint8_t* pcrArray,
     uint32_t pcrArraySzAct = 0;
     for (i=0; i<IMPLEMENTATION_PCR; i++) {
         if (pcrMask & (1 << i)) {
-            pcrArray[pcrArraySzAct++] = i;
-            if (pcrArraySzAct < pcrArraySz) { /* make sure we have room */
-                break;
+            /* add if we have room */
+            if (pcrArraySzAct < pcrArraySz) {
+                pcrArray[pcrArraySzAct++] = i;
             }
         }
     }
+53 −9		.github/workflows/make-test-swtpm.yml
+2 −0		.gitignore
+9 −1		CMakeLists.txt
+27 −0		ChangeLog.md
+2 −2		IDE/Espressif/components/wolfssl/include/user_settings.h
+3 −1		IDE/Espressif/main/main.c
+0 −0		IDE/IAR-EWARM/source/main.c
+0 −0		IDE/IAR-EWARM/source/tpm_main.c
+7 −8		IDE/QNX/README.md
+1 −0		IDE/VisualStudio/user_settings.h
+4 −0		IDE/VisualStudio/wolftpm.vcxproj
+42 −6		README.md
+5 −5		configure.ac
+12 −11		docs/Doxyfile
+8 −6		docs/README.md
+1 −1		examples/README.md
+5 −1		examples/bench/bench.c
+3 −3		examples/boot/secret_seal.c
+3 −3		examples/boot/secret_unseal.c
+1 −0		examples/boot/secure_rot.c
+46 −0		examples/endorsement/README.md
+35 −0		examples/endorsement/endorsement.h
+423 −0		examples/endorsement/get_ek_certs.c
+20 −0		examples/endorsement/include.am
+581 −0		examples/endorsement/trusted_certs.h
+1 −1		examples/gpio/gpio_config.c
+1 −1		examples/gpio/gpio_read.c
+1 −0		examples/include.am
+13 −0		examples/keygen/external_import.c
+41 −51		examples/keygen/keygen.c
+28 −14		examples/keygen/keyimport.c
+20 −8		examples/keygen/keyload.c
+20 −11		examples/nvram/read.c
+7 −1		examples/nvram/store.c
+2 −2		examples/pcr/README.md
+22 −2		examples/pcr/policy_sign.c
+10 −1		examples/pcr/quote.c
+48 −24		examples/pkcs7/pkcs7.c
+306 −178		examples/run_examples.sh
+4 −1		examples/timestamp/signed_timestamp.c
+30 −5		examples/tls/tls_client.c
+38 −3		examples/tls/tls_common.h
+38 −5		examples/tls/tls_server.c
+1 −1		examples/tpm_test.h
+1 −1		examples/tpm_test_keys.c
+55 −23		examples/wrap/wrap_test.c
+26 −6		src/tpm2.c
+3 −4		src/tpm2_cryptocb.c
+2 −7		src/tpm2_linux.c
+221 −78		src/tpm2_wrap.c
+71 −9		tests/unit_tests.c
+72 −18		wolftpm/tpm2.h
+17 −10		wolftpm/tpm2_types.h
+63 −17		wolftpm/tpm2_wrap.h
+2 −2		wolftpm/version.h