def read_key_nvram(self):
    """Read the bootstrap key ("U") stored at TPM NVRAM index 1.

    The owner password is fetched from the TPM metadata and handed to
    ``nv_readvalue``; the tool writes the NV contents to a temporary file
    that ``__run`` collects for us.

    Returns:
        The raw key bytes, or None when no key is stored (the NV index is
        undefined or owner authentication fails) or when the stored blob is
        not exactly ``common.BOOTSTRAP_KEY_SIZE`` bytes long.

    Raises:
        Exception: ``nv_readvalue`` failed for any other reason.

    NOTE(review): the owner password travels on the nv_readvalue command
    line, so it is visible to local users via the process list while the
    tool runs -- confirm this is acceptable for the deployment.
    """
    not_found_prefixes = (
        "Error Illegal index from NV_ReadValue",
        "Error Authentication failed",
    )
    with tempfile.NamedTemporaryFile() as nvfile:
        owner_pw = self.get_tpm_metadata('owner_pw')
        cmd = "nv_readvalue -pwdd %s -in 1 -sz %d -of %s" % (
            owner_pw, common.BOOTSTRAP_KEY_SIZE, nvfile.name)
        result = self.__run(cmd, raiseOnError=False, outputpaths=nvfile.name)
        lines = common.list_convert(result['retout'])
        rc = result['code']
        key = result['fileouts'][nvfile.name]

        if rc != tpm_abstract.AbstractTPM.EXIT_SUCESS:
            # An undefined index or a failed auth both mean "nothing stored";
            # anything else is a genuine tool failure.
            if len(lines) > 0 and lines[0].startswith(not_found_prefixes):
                logger.debug("No stored U in TPM NVRAM")
                return None
            raise Exception("nv_readvalue failed with code " + str(rc) + ": " + str(lines))

        # A blob of the wrong size cannot be our key; treat it as absent.
        if len(key) != common.BOOTSTRAP_KEY_SIZE:
            logger.debug("Invalid key length from NVRAM: %d" % (len(key)))
            return None
        return key
def __create_ek(self):
    """Create the TPM endorsement key pair via ``createek``.

    Intended to be idempotent: an EK that already exists is reported by the
    tool as a disabled command and is silently accepted. A TPM that is
    currently in its lockout ("defend lock") state is also tolerated here,
    on the expectation that the lock is cleared later while taking
    ownership.

    Returns:
        None.

    Raises:
        Exception: ``createek`` failed for any other reason.
    """
    result = self.__run("createek", raiseOnError=False)
    lines = common.list_convert(result['retout'])
    rc = result['code']

    if rc == tpm_abstract.AbstractTPM.EXIT_SUCESS:
        return

    first = lines[0] if len(lines) > 0 else None
    if first is not None and first.startswith(
            "Error Target command disabled from TPM_CreateEndorsementKeyPair"):
        # The TPM refuses to make a second EK -- one already exists.
        logger.debug("TPM EK already created.")
        return
    if first is not None and first.startswith(
            "Error Defend lock running from TPM_CreateEndorsementKeyPair"):
        logger.debug(
            "createek failed. TPM locked, will attempt unlock during while taking ownership. To manually repair run resetlockvalue -pwdo [owner_password]"
        )
        return
    raise Exception("createek failed with code " + str(rc) + ": " + str(lines))
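def __test_ownerpw(self, owner_pw, reentry=False):
    """Check whether *owner_pw* is the TPM owner password.

    Runs ``getpubek`` with the candidate password. If the TPM reports that
    it is in its lockout state (too many bad owner-auth attempts), one
    unlock via ``resetlockvalue`` is attempted and the check is retried
    once (``reentry=True`` marks the retry so we do not loop forever).

    Args:
        owner_pw: candidate owner password.
        reentry: internal flag; True on the single retry after an unlock.

    Returns:
        True if the password is accepted, False if it is rejected or the
        TPM could not be unlocked.

    Raises:
        Exception: ``getpubek`` failed for any other reason.

    Fix: the previous version logged the owner password in clear text at
    ERROR level when attempting the unlock; secrets must never reach the
    log, so the message now omits it.

    NOTE(review): the password is still passed on the command line of
    getpubek / resetlockvalue, where it is visible in the process list --
    confirm this is acceptable for the deployment.
    """
    # make a temp file for the output
    with tempfile.NamedTemporaryFile() as tmppath:
        retDict = self.__run("getpubek -pwdo %s -ok %s" % (owner_pw, tmppath.name),
                             raiseOnError=False, outputpaths=tmppath.name)
        output = common.list_convert(retDict['retout'])
        code = retDict['code']

        if code != tpm_abstract.AbstractTPM.EXIT_SUCESS:
            if len(output) > 0 and output[0].startswith(
                    "Error Authentication failed (Incorrect Password) from TPM_OwnerReadPubek"):
                return False
            elif len(output) > 0 and output[0].startswith(
                    "Error Defend lock running from TPM_OwnerReadPubek"):
                if reentry:
                    logger.error("Unable to unlock TPM")
                    return False
                # tpm got locked. lets try to unlock it -- never log the
                # password itself.
                logger.error("TPM is locked from too many invalid owner password attempts, attempting to unlock")
                # i have no idea why, but running this twice seems to actually work
                self.__run("resetlockvalue -pwdo %s" % owner_pw, raiseOnError=False)
                self.__run("resetlockvalue -pwdo %s" % owner_pw, raiseOnError=False)
                return self.__test_ownerpw(owner_pw, True)
            else:
                raise Exception("test ownerpw, getpubek failed with code " + str(code) + ": " + str(output))
    return True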
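def read_ekcert_nvram(self):
    """Read the endorsement key certificate from TPM NVRAM index 0x1000f000.

    ``nv_readvalue`` is run with the owner password (taken from the TPM
    metadata) and ``-cert`` so the tool strips the NV header and writes the
    bare certificate to a temporary file.

    Returns:
        The base64-encoded certificate (bytes under Python 3, as returned
        by ``base64.b64encode``), or None when the NV index is undefined.

    Raises:
        Exception: ``nv_readvalue`` failed for any other reason, including
        an owner authentication failure.

    Fix: ``logger.warn`` is a deprecated alias of ``Logger.warning`` and was
    removed in Python 3.13; the call now uses ``warning``.

    NOTE(review): the owner password is passed on the nv_readvalue command
    line and is therefore visible in the process list -- confirm this is
    acceptable for the deployment.
    """
    # make a temp file for the certificate
    with tempfile.NamedTemporaryFile() as nvpath:
        owner_pw = self.get_tpm_metadata('owner_pw')
        retDict = self.__run(
            "nv_readvalue -pwdo %s -in 1000f000 -cert -of %s" % (owner_pw, nvpath.name),
            raiseOnError=False, outputpaths=nvpath.name)
        output = common.list_convert(retDict['retout'])
        code = retDict['code']
        ekcert = retDict['fileouts'][nvpath.name]

        if code != tpm_abstract.AbstractTPM.EXIT_SUCESS:
            # An undefined NV index simply means no EK cert was provisioned.
            if len(output) > 0 and output[0].startswith(
                    "Error Illegal index from NV_ReadValue"):
                logger.warning("No EK certificate found in TPM NVRAM")
                return None
            raise Exception("nv_readvalue for ekcert failed with code " + str(code) + ": " + str(output))

    return base64.b64encode(ekcert)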
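def check_mounted(secdir):
    """Report whether the secure storage directory is already mounted on tmpfs.

    Parses the output of ``mount``, whose Linux lines look like
    ``<source> on <target> type <fstype> (<options>)``, and looks for a line
    whose target is exactly *secdir*. Secure storage must live in RAM, so a
    mount of *secdir* on any other filesystem is an error.

    Args:
        secdir: mount point to look for (compared verbatim against the
            target column; no path normalisation is done).

    Returns:
        True if *secdir* is mounted on tmpfs, False if it is not mounted.

    Raises:
        Exception: *secdir* is mounted on a filesystem that is not tmpfs.

    Fix: the previous version only inspected the first column, which is the
    mount *source* name, not the filesystem type. A tmpfs mounted under a
    different source name (``mount -t tmpfs secure /path``) was therefore
    rejected as the wrong filesystem. The ``type`` column is now consulted
    as well; a source named ``tmpfs`` is still accepted as before.
    """
    whatsmounted = cmd_exec.run("mount", lock=False)['retout']
    for line in common.list_convert(whatsmounted):
        tokens = line.split()
        if len(tokens) < 3:
            continue
        if tokens[2] != secdir:
            continue

        # The filesystem type follows the literal word "type"; fall back to
        # the source column for mount implementations that omit it.
        fs_type = None
        if len(tokens) >= 5 and tokens[3] == 'type':
            fs_type = tokens[4]
        is_tmpfs = tokens[0] == 'tmpfs' or fs_type == 'tmpfs'

        if not is_tmpfs:
            msg = ("secure storage location %s already mounted on wrong file system type: %s. Unmount to continue."
                   % (secdir, fs_type if fs_type is not None else tokens[0]))
            logger.error(msg)
            raise Exception(msg)

        logger.debug("secure storage location %s already mounted on tmpfs" % secdir)
        return True

    logger.debug("secure storage location %s not mounted " % secdir)
    return False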