def create_quote(nonce, data=None, pcrmask=EMPTYMASK):
quote = ""
with tempfile.NamedTemporaryFile() as quotepath:
keyhandle = tpm_initialize.get_tpm_metadata('aik_handle')
aik_pw = tpm_initialize.get_tpm_metadata('aik_pw')
if pcrmask is None:
pcrmask = EMPTYMASK
with tpm_exec.tpmutilLock:
if data is not None:
# add PCR 16 to pcrmask
pcrmask = "0x%X" % (int(pcrmask, 0) +
(1 << common.TPM_DATA_PCR))
tpm_exec.run("pcrreset -ix %d" % common.TPM_DATA_PCR,
lock=False)
tpm_exec.run(
"extend -ix %d -ic %s" %
(common.TPM_DATA_PCR, hashlib.sha1(data).hexdigest()),
lock=False)
command = "tpmquote -hk %s -pwdk %s -bm %s -nonce %s -noverify -oq %s" % (
keyhandle, aik_pw, pcrmask, nonce, quotepath.name)
(retout, code, quoteraw) = tpm_exec.run(command,
lock=False,
outputpath=quotepath.name)
quote = base64.b64encode(quoteraw.encode("zlib"))
return 'r' + quote
def read_ekcert_nvram():
if common.STUB_TPM:
return common.TEST_EK_CERT
nvpath = None
try:
owner_pw = tpm_initialize.get_tpm_metadata('owner_pw')
#make a temp file for the quote
nvfd,nvpath = tempfile.mkstemp()
(output,code) = tpm_exec.run("nv_readvalue -pwdo %s -in 1000f000 -cert -of %s"%(owner_pw,nvpath),raiseOnError=False)
if code!=tpm_exec.EXIT_SUCESS and len(output)>0 and output[0].startswith("Error Illegal index from NV_ReadValue"):
logger.warn("No EK certificate found in TPM NVRAM")
return None
elif code!=tpm_exec.EXIT_SUCESS:
raise Exception("nv_readvalue for ekcert failed with code "+str(code)+": "+str(output))
# read in the cert
f = open(nvpath,"rb")
ekcert = f.read()
f.close()
os.close(nvfd)
finally:
if nvpath is not None:
os.remove(nvpath)
return base64.b64encode(ekcert)
def write_key_nvram(key):
owner_pw = tpm_initialize.get_tpm_metadata('owner_pw')
# write out quote
with tempfile.NamedTemporaryFile() as keyFile:
keyFile.write(key)
keyFile.flush()
tpm_exec.run(
"nv_definespace -pwdo %s -in 1 -sz %d -pwdd %s -per 40004" %
(owner_pw, common.BOOTSTRAP_KEY_SIZE, owner_pw))
tpm_exec.run("nv_writevalue -pwdd %s -in 1 -if %s" %
(owner_pw, keyFile.name))
return
def create_deep_quote(nonce, data=None, vpcrmask=EMPTYMASK, pcrmask=EMPTYMASK):
quote = ""
with tempfile.NamedTemporaryFile() as quotepath:
# read in the vTPM key handle
keyhandle = tpm_initialize.get_tpm_metadata('aik_handle')
owner_pw = tpm_initialize.get_tpm_metadata('owner_pw')
aik_pw = tpm_initialize.get_tpm_metadata('aik_pw')
if pcrmask is None:
pcrmask = EMPTYMASK
if vpcrmask is None:
vpcrmask = EMPTYMASK
# need to hold the lock while we reset and extend the pcr and then do the quote
with tpm_exec.tpmutilLock:
if data is not None:
# add PCR 16 to pcrmask
vpcrmask = "0x%X" % (int(vpcrmask, 0) +
(1 << common.TPM_DATA_PCR))
tpm_exec.run("pcrreset -ix %d" % common.TPM_DATA_PCR,
lock=False)
tpm_exec.run(
"extend -ix %d -ic %s" %
(common.TPM_DATA_PCR, hashlib.sha1(data).hexdigest()),
lock=False)
command = "deepquote -vk %s -hm %s -vm %s -nonce %s -pwdo %s -pwdk %s -oq %s" % (
keyhandle, pcrmask, vpcrmask, nonce, owner_pw, aik_pw,
quotepath.name)
#print("Executing %s"%(command))
(retout, code, quoteraw) = tpm_exec.run(command,
lock=False,
outputpath=quotepath.name)
quote = base64.b64encode(quoteraw.encode("zlib"))
return 'd' + quote
def main(argv=sys.argv):
nonce = "NABIL"
rsa_key = "somebase64data"
print "creating quote..."
quote = create_quote(nonce, rsa_key)
print "\tDONE"
print "checking quote..."
if common.STUB_TPM:
aik = '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzpAAp0TEPftgRr0z0ZYV\nBtKz3yDAYE+lH8p6gE3hRcI/Vg9ngGfQJohc9wsy4ELSSKUVMBVOkw2ITKCH3UOo\ny6J+FPApp12oYGSKxUMeHH30cVKaFSXMKSYl4J67Uufv8rhuKbcp60EJNfo8ougv\nHV1n9fwSBsmYeU8InW3cC4qcOkkQW++zeQi6HhTvrXdajTSdoH9wO8olQvx+IW4n\nmWz74vYWt5u5whyIv2wDkGlOz1x5iAAcarxS3xPuQTu/Mv9QOVNqwcvQaAolps6z\n3ckOGyRrEUS7rKkkBGX4FATUq6XhbxyJ7ZLba83jEnGS9h8EO2t9SUmp7cNxV+A7\njQIDAQAB\n-----END PUBLIC KEY-----\n'
else:
aik = tpm_initialize.get_tpm_metadata('aik')
print "\tVerified %s" % check_quote(nonce, rsa_key, quote, aik)
print "creating full quote..."
# this is a quote for pcr 22,2
quote = create_quote(nonce, rsa_key, "0x400004")
print "\tDONE"
print "checking full quote..."
json_tpm_policy = '{"22":"ffffffffffffffffffffffffffffffffffffffff","02":"0000000000000000000000000000000000000000"}'
tpm_policy = readPolicy(json_tpm_policy)
print "\tVerified %s" % check_quote(nonce, rsa_key, quote, aik, tpm_policy)
print "\n========\n\nchecking deepquote"
TEST_DQ = 'deJxjYP7//z8jAwPD2YOCkba7vsoFf9ndFiVZtO7EGaG04uNiAn6W4rdCQuZO0FG4vW6vfZRZr9ln1+2s4mmTXYxPPXDW/Bjbcbo2tC+Q7W/tH4kvS3of1jq57gjQYWZ5OHXVvPN89ZeXnfPODjxz7tfZ0y9vvfOw+57Y/GmO7sMjxyQ6eabK7j6kHTCp8+bt+POPJksYeK3/NV2lcWfnxN4+XxWXr0zzc5WDf1jb7I1MtEosvcvREtn5MuuzJNPOnW62qk/DDhV+fiQmY6fh/IRJMEw5+VqpJkPlYR+u188lzvb2zra5+dRkJXvar+SZXId6V/94zrgmg/PUQhFJQeblnr+WrNG9wymsvvrsFumaA26hx62S/e+DwkDeSWO6ikneSua6jOji3aY/X+/IEmegAEgAsd+Jb/Xm6yUvHXG0ujLt9vOdiwVj8qIn716wLGW5QFCkV8HUTeyl5cyu3Kkf067PmMp7cb6p9dJXp2o3xJzS5sSmjq26/XUtL+/Ri+8PHpqX3br0sRTHwbrIrt93Xyle3HawqPJIG/e2Fu6H+tj0YhOjxH8DBf4PEMDqGAEgZgQjhq62J0933/cVvnl6JtsW/Rvu5hc+Vuyy/vdshjH72Yymf+LXn2xft93xkn3vbo6TbIrax/TmmLeuvp5TvlbofMS5qf+PH44ymy11QmRbB3tN+T5p54N2T/dMzHO6XhzdYCe52XXS9Vk2c5Sk2LZ/9XSsu/Lhsf6klZmsU3oCHBzjuJ5JRYtd/+Us3HUrYGMOg0rDAtt3pxNsnm10PsRt//ROqJlcS/p53okH2Z9MOP2wZ6k4k/sEM3H1S1mmEjGzdt2vMG7ZH6aw76F4cgNDF2fkbeG8LYoSDjMqw378yJj2ZonP4k3NFyas0PBT3Gn6ePdFmytJE07/WXvvgs1uVo7k+38Wb4v+eoHJnMWh+jwzAySQHjDCgoaViV5pYjiDgUrvxAIAoKts4Q=='
TEST_DQ_NONCE = '123456'
TEST_HAIK = '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Em0Y7CEPS1wjY4DwlbP\nnleKpKcViK54K5R2wghixKT+I17FqzCfZWR9oxgO7YrjasoNkd8q+IaPzNIwv8f0\nxBJPjJdZy+OKP2b1/Yl5vlArvhhA8v0/FJv6qBnzMsPhoIKFaVidE5Z5MHZdGBP9\nY3CeXHGxeFoulge8CQj/A2rKPzCJ78TDY8is5wkmiqbqV1nAV+oDgnzWniVP3Bg6\njaK6uGxeATWtpNPFyyxbS+F/p5vRr7fpz/6RjJrheW2xsMHo+8V8J6knNXoAUsFj\nWgNm6MWpEWtJ9kEopSAKNPr96JA50Ns3fPG2OlCPU4bG7rHB5zr8irjWwiJFtpiE\ncQIDAQAB\n-----END PUBLIC KEY-----\n'
TEST_VAIK = '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsWZQSYGM03DPfaN9FgH/\nCZ9KHDY79VeVqnhBFk3NcnWQ515ld9cCunqfKLdCow4G3dNmTmsNhp7nNIK4UtSl\nzDCaH2/v1jk5eAPTS0w0E50oYSIMAfN+7PQDCNlzM4mKSiP4sj4uNYj/WVbuZxCM\nb37Cdj8q1Wh+lONUnBfPhIwBnjQ1o9Gzbq2/18xLKHiJvIPeCsNlVabPbbWg26eA\n5sRqeTyx8gSKX0u6fmgrf8KmiHeau8aU131SIZgdvYMv74ZB2i4qgZpNAXK3XvU+\nay5lOaYNr2//MdSSV43hQZvyh9hSb2r4BtoJfJ5eyubPC4hRQSC55/hI+2j3x0+z\nmQIDAQAB\n-----END PUBLIC KEY-----\n'
print "\tVerified %s" % check_deep_quote(common.TEST_DQ_NONCE, None,
common.TEST_DQ, common.TEST_VAIK,
common.TEST_HAIK, {}, {})
if True:
sys.exit(0)
print "creating a bunch of quotes"
for _ in range(1000):
create_quote(nonce, rsa_key)
check_quote(nonce, rsa_key, quote, aik, tpm_policy)
pass
print "done"
def create_deep_quote(nonce,data=None,vpcrmask=EMPTYMASK,pcrmask=EMPTYMASK):
# don't deep quote when developing
if common.DEVELOP_IN_ECLIPSE or common.STUB_TPM:
# if not using TPM, just return a canned quote
time.sleep(common.TEST_CREATE_DEEP_QUOTE_DELAY)
return common.TEST_DQ
quotepath = None
try:
# read in the vTPM key handle
keyhandle = tpm_initialize.load_aik()
owner_pw = tpm_initialize.get_tpm_metadata('owner_pw')
if pcrmask is None:
pcrmask = EMPTYMASK
if vpcrmask is None:
vpcrmask = EMPTYMASK
# need to hold the lock while we reset and extend the pcr and then do the quote
with tpm_exec.tpmutilLock:
if data is not None:
# add PCR 16 to pcrmask
pcrmask = "0x%X"%(int(pcrmask,0) + (1 << common.TPM_DATA_PCR))
tpm_exec.run("pcrreset -ix %d"%common.TPM_DATA_PCR,lock=False)
tpm_exec.run("extend -ix %d -ic %s"%(common.TPM_DATA_PCR,hashlib.sha1(data).hexdigest()),lock=False)
#make a temp file for the quote
quotefd,quotepath = tempfile.mkstemp()
command = "deepquote -vk %s -hm %s -vm %s -nonce %s -pwdo %s -oq %s" % (keyhandle, pcrmask, vpcrmask, nonce, owner_pw,quotepath)
#print("Executing %s"%(command))
tpm_exec.run(command,lock=False)
# read in the quote
f = open(quotepath,"rb")
quote = base64.b64encode(f.read().encode("zlib"))
f.close()
os.close(quotefd)
finally:
if quotepath is not None:
os.remove(quotepath)
return quote
def read_ekcert_nvram():
#make a temp file for the quote
with tempfile.NamedTemporaryFile() as nvpath:
owner_pw = tpm_initialize.get_tpm_metadata('owner_pw')
(output, code, ekcert) = tpm_exec.run(
"nv_readvalue -pwdo %s -in 1000f000 -cert -of %s" %
(owner_pw, nvpath.name),
raiseOnError=False,
outputpath=nvpath.name)
if code != tpm_exec.EXIT_SUCESS and len(output) > 0 and output[
0].startswith("Error Illegal index from NV_ReadValue"):
logger.warn("No EK certificate found in TPM NVRAM")
return None
elif code != tpm_exec.EXIT_SUCESS:
raise Exception("nv_readvalue for ekcert failed with code " +
str(code) + ": " + str(output))
return base64.b64encode(ekcert)
def main(argv=sys.argv):
nonce = "NABIL"
rsa_key = "somebase64data"
print "creating quote..."
quote = create_quote(nonce,rsa_key)
print "\tDONE"
print "checking quote..."
if common.STUB_TPM:
aik = common.TEST_AIK
else:
aik = tpm_initialize.get_tpm_metadata('aik')
print "\tVerified %s"%check_quote(nonce,rsa_key,quote,aik)
print "creating full quote..."
# this is a quote for pcr 22,2
quote = create_quote(nonce,rsa_key,"0x400004")
print "\tDONE"
print "checking full quote..."
json_tpm_policy = '{"22":"ffffffffffffffffffffffffffffffffffffffff","02":"0000000000000000000000000000000000000000"}'
tpm_policy = readPolicy(json_tpm_policy)
print "\tVerified %s"%check_quote(nonce,rsa_key,quote,aik,tpm_policy)
print "\n========\n\nchecking deepquote"
print "\tVerified %s"%check_deep_quote(common.TEST_DQ_NONCE, None, common.TEST_DQ, common.TEST_VAIK, common.TEST_HAIK, {}, {})
if True:
sys.exit(0)
print "creating a bunch of quotes"
for _ in range(1000):
create_quote(nonce,rsa_key)
check_quote(nonce,rsa_key,quote,aik,tpm_policy)
pass
print "done"
def write_key_nvram(key):
if common.STUB_TPM:
storage = open("tpm_nvram","wb")
storage.write(key)
storage.close()
return
owner_pw = tpm_initialize.get_tpm_metadata('owner_pw')
keyFile = None
try:
# write out quote
keyfd,keypath = tempfile.mkstemp()
keyFile = open(keypath,"wb")
keyFile.write(key)
keyFile.close()
os.close(keyfd)
tpm_exec.run("nv_definespace -pwdo %s -in 1 -sz %d -pwdd %s -per 40004"%(owner_pw,common.BOOTSTRAP_KEY_SIZE,owner_pw))
tpm_exec.run("nv_writevalue -pwdd %s -in 1 -if %s"%(owner_pw,keyFile.name))
finally:
if keyFile is not None:
os.remove(keyFile.name)
return
def read_key_nvram():
with tempfile.NamedTemporaryFile() as nvpath:
owner_pw = tpm_initialize.get_tpm_metadata('owner_pw')
(output, code, key) = tpm_exec.run(
"nv_readvalue -pwdd %s -in 1 -sz %d -of %s" %
(owner_pw, common.BOOTSTRAP_KEY_SIZE, nvpath.name),
raiseOnError=False,
outputpath=nvpath.name)
if code != tpm_exec.EXIT_SUCESS and len(output) > 0 and (
output[0].startswith("Error Illegal index from NV_ReadValue")
or output[0].startswith("Error Authentication failed")):
logger.debug("No stored U in TPM NVRAM")
return None
elif code != tpm_exec.EXIT_SUCESS:
raise Exception("nv_readvalue failed with code " + str(code) +
": " + str(output))
if len(key) != common.BOOTSTRAP_KEY_SIZE:
logger.debug("Invalid key length from NVRAM: %d" % (len(key)))
return None
return key
def read_key_nvram():
if common.STUB_TPM:
if not os.path.isfile("tpm_nvram"):
return None
storage = open("tpm_nvram","rb")
key = storage.read()
storage.close()
return key
nvpath = None
try:
owner_pw = tpm_initialize.get_tpm_metadata('owner_pw')
#make a temp file for the nvram return
nvfd,nvpath = tempfile.mkstemp()
(output,code) = tpm_exec.run("nv_readvalue -pwdd %s -in 1 -sz %d -of %s"%(owner_pw,common.BOOTSTRAP_KEY_SIZE,nvpath),raiseOnError=False)
if code!=tpm_exec.EXIT_SUCESS and len(output)>0 and (output[0].startswith("Error Illegal index from NV_ReadValue") or output[0].startswith("Error Authentication failed")):
logger.debug("No stored U in TPM NVRAM")
return None
elif code!=tpm_exec.EXIT_SUCESS:
raise Exception("nv_readvalue failed with code "+str(code)+": "+str(output))
# read in the cert
f = open(nvpath,"rb")
key = f.read()
f.close()
os.close(nvfd)
finally:
if nvpath is not None:
os.remove(nvpath)
if len(key)!=common.BOOTSTRAP_KEY_SIZE:
logger.debug("Invalid key length from NVRAM: %d"%(len(key)))
return None
return key