def ownerclear(self, ownerpass_digest):
""" clear TPM ownership """
nonce_even, auth_handle, ret = self.oiap()
if ret != 0:
return 1
nonce_odd = os.urandom(20)
fmt_auth = ">I20sB20s"
fmt = ">H II"
req = struct.pack(fmt, TPM_TAG_RQU_AUTH1_COMMAND,
struct.calcsize(fmt) + struct.calcsize(fmt_auth),
TPM_ORD_OWNER_CLEAR)
shainput = struct.unpack("%ds" % (len(req) - 6), req[6:len(req)])[0]
in_param_digest = sha1(shainput)
continue_auth_session = 0
in_auth_setup_params = struct.pack(">20s20sB", nonce_even, nonce_odd,
continue_auth_session)
macinput = struct.pack(">20s %ds" % len(in_auth_setup_params),
in_param_digest, in_auth_setup_params)
myhmac = hmac.HMAC(ownerpass_digest,
hashes.SHA1(),
backend=default_backend())
myhmac.update(macinput)
owner_auth = myhmac.finalize()
req += struct.pack(fmt_auth, auth_handle, nonce_odd,
continue_auth_session, owner_auth)
_, ret = self.transfer(req, "TPM_ClearOwner")
return ret
def tpm12_get_srkpass_digest(flags, srkpass):
""" Get the SRK password digest given the flags and possible SRK password """
if not srkpass:
if flags & SETUP_SRKPASS_ZEROS_F:
srkpass = ('\0' * 20)
else:
srkpass = DEFAULT_SRK_PASSWORD
#print("Using SRK password: %s\n" % srkpass)
return sha1(srkpass.encode())
def tpm12_get_ownerpass_digest(flags, ownerpass):
""" Get the owner password digest given the flags and possible owner password """
if not ownerpass:
if flags & SETUP_OWNERPASS_ZEROS_F:
ownerpass = ('\0' * 20)
else:
ownerpass = DEFAULT_OWNER_PASSWORD
#print("Using owner password: %s\n" % ownerpass)
return sha1(ownerpass.encode())
def take_ownership(self, ownerpass_digest, srkpass_digest, pubek):
""" Run TPM_TakeOwernship """
exponent = int('10001', 16)
modulus = int(pubek.hex(), 16)
pubekkey = RSAPublicNumbers(
exponent, modulus).public_key(backend=default_backend())
oaep = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
algorithm=hashes.SHA1(),
label="TCPA".encode())
enc_owner_auth = pubekkey.encrypt(ownerpass_digest, oaep)
enc_srk_auth = pubekkey.encrypt(srkpass_digest, oaep)
nonce_even, auth_handle, ret = self.oiap()
if ret != 0:
return 1
tpm_rsa_key_parms = struct.pack(
">III",
2048, # keyLength
2, # numPrimes
0) # exponentSize
tpm_key_parms = struct.pack(
">I HH I%ds" % (len(tpm_rsa_key_parms)),
TPM_ALG_RSA, # algorithmId
TPM_ES_RSAESOAEP_SHA1_MGF1, # encScheme
TPM_SS_NONE, # sigScheme
len(tpm_rsa_key_parms),
tpm_rsa_key_parms)
tpm_key12 = struct.pack(
">HH HIB %ds I I I" % (len(tpm_key_parms)),
TPM_TAG_KEY12,
0,
TPM_KEY_STORAGE, # keyUsage
0, # keyFlags
TPM_AUTH_ALWAYS, # authDataUsage
tpm_key_parms,
0,
0,
0)
fmt_auth = ">I20sB20s"
fmt = ">HII H I256s I256s %ds" % len(tpm_key12)
nonce_odd = os.urandom(20)
req = struct.pack(fmt, TPM_TAG_RQU_AUTH1_COMMAND,
struct.calcsize(fmt) + struct.calcsize(fmt_auth),
TPM_ORD_TAKE_OWNERSHIP, TPM_PID_OWNER,
len(enc_owner_auth), enc_owner_auth,
len(enc_srk_auth), enc_srk_auth, tpm_key12)
# req needs authhandle, nonceodd & ownerAuth appended
shainput = struct.unpack("%ds" % (len(req) - 6), req[6:len(req)])[0]
in_param_digest = sha1(shainput)
continue_auth_session = 0
in_auth_setup_params = struct.pack(">20s20sB", nonce_even, nonce_odd,
continue_auth_session)
macinput = struct.pack(">20s %ds" % len(in_auth_setup_params),
in_param_digest, in_auth_setup_params)
myhmac = hmac.HMAC(ownerpass_digest,
hashes.SHA1(),
backend=default_backend())
myhmac.update(macinput)
owner_auth = myhmac.finalize()
req += struct.pack(fmt_auth, auth_handle, nonce_odd,
continue_auth_session, owner_auth)
_, ret = self.transfer(req, "TPM_TakeOwnership")
return ret
