
Commit cfceb4e

committed
Improve get_ek_certs to handle indices
1 parent 529e02b commit cfceb4e

3 files changed

Lines changed: 144 additions & 3 deletions


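--- a/examples/endorsement/get_ek_certs.c
+++ b/examples/endorsement/get_ek_certs.c
@@ -57,6 +57,36 @@ static void usage(void)
 printf("./examples/endorsement/get_ek_certs\n");
 }
 
+#ifdef DEBUG_WOLFTPM
+/* Decode and display NV attributes - only in debug mode */
+static void show_nv_attributes(TPMA_NV attr)
+{
+printf(" Attributes:");
+if (attr & TPMA_NV_PPWRITE) printf(" PPWRITE");
+if (attr & TPMA_NV_OWNERWRITE) printf(" OWNERWRITE");
+if (attr & TPMA_NV_AUTHWRITE) printf(" AUTHWRITE");
+if (attr & TPMA_NV_POLICYWRITE) printf(" POLICYWRITE");
+if (attr & TPMA_NV_POLICY_DELETE) printf(" POLICY_DELETE");
+if (attr & TPMA_NV_WRITELOCKED) printf(" WRITELOCKED");
+if (attr & TPMA_NV_WRITEALL) printf(" WRITEALL");
+if (attr & TPMA_NV_WRITEDEFINE) printf(" WRITEDEFINE");
+if (attr & TPMA_NV_WRITE_STCLEAR) printf(" WRITE_STCLEAR");
+if (attr & TPMA_NV_GLOBALLOCK) printf(" GLOBALLOCK");
+if (attr & TPMA_NV_PPREAD) printf(" PPREAD");
+if (attr & TPMA_NV_OWNERREAD) printf(" OWNERREAD");
+if (attr & TPMA_NV_AUTHREAD) printf(" AUTHREAD");
+if (attr & TPMA_NV_POLICYREAD) printf(" POLICYREAD");
+if (attr & TPMA_NV_NO_DA) printf(" NO_DA");
+if (attr & TPMA_NV_ORDERLY) printf(" ORDERLY");
+if (attr & TPMA_NV_CLEAR_STCLEAR) printf(" CLEAR_STCLEAR");
+if (attr & TPMA_NV_READLOCKED) printf(" READLOCKED");
+if (attr & TPMA_NV_WRITTEN) printf(" WRITTEN");
+if (attr & TPMA_NV_PLATFORMCREATE) printf(" PLATFORMCREATE");
+if (attr & TPMA_NV_READ_STCLEAR) printf(" READ_STCLEAR");
+printf("\n");
+}
+#endif
+
 static void dump_hex_bytes(const byte* buf, word32 sz)
 {
 word32 i;
@@ -237,7 +267,112 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
 /* Get Endorsement Public Key template using NV index */
 rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate);
 if (rc != 0) {
-printf("EK Index 0x%08x not valid\n", nvIndex);
+const char* indexType = "Unknown";
+word32 offset = nvIndex - TPM_20_TCG_NV_SPACE;
+
+/* Identify the type of NV index based on offset */
+if (nvIndex < TPM_20_TCG_NV_SPACE) {
+indexType = "Non-TCG (below TCG NV space)";
+}
+else if (offset >= 0x2 && offset <= 0xC) {
+indexType = "EK Low Range";
+if (offset == 0x2) indexType = "EK Low Range (RSA 2048 Cert)";
+else if (offset == 0x3) indexType = "EK Low Range (RSA 2048 Nonce)";
+else if (offset == 0x4) indexType = "EK Low Range (RSA 2048 Template)";
+else if (offset == 0xA) indexType = "EK Low Range (ECC P256 Cert)";
+else if (offset == 0xB) indexType = "EK Low Range (ECC P256 Nonce)";
+else if (offset == 0xC) indexType = "EK Low Range (ECC P256 Template)";
+}
+else if (offset >= 0x12 && offset < 0x100) {
+indexType = "EK High Range";
+if (offset == 0x12) indexType = "EK High Range (RSA 2048 Cert)";
+else if (offset == 0x14) indexType = "EK High Range (ECC P256 Cert)";
+else if (offset == 0x16) indexType = "EK High Range (ECC P384 Cert)";
+else if (offset == 0x18) indexType = "EK High Range (ECC P521 Cert)";
+else if (offset == 0x1A) indexType = "EK High Range (ECC SM2 Cert)";
+else if (offset == 0x1C) indexType = "EK High Range (RSA 3072 Cert)";
+else if (offset == 0x1E) indexType = "EK High Range (RSA 4096 Cert)";
+else if ((offset & 1) == 0) indexType = "EK High Range (Cert, even index)";
+else indexType = "EK High Range (Template, odd index)";
+}
+else if (offset >= 0x100 && offset < 0x200) {
+indexType = "EK Certificate Chain";
+}
+else if (offset >= 0x7F01 && offset <= 0x7F04) {
+indexType = "EK Policy Index";
+if (offset == 0x7F01) indexType = "EK Policy Index (SHA256)";
+else if (offset == 0x7F02) indexType = "EK Policy Index (SHA384)";
+else if (offset == 0x7F03) indexType = "EK Policy Index (SHA512)";
+else if (offset == 0x7F04) indexType = "EK Policy Index (SM3_256)";
+}
+else if (nvIndex > TPM_20_TCG_NV_SPACE + 0x7FFF) {
+indexType = "Vendor-specific (beyond TCG range)";
+}
+
+printf("NV Index 0x%08x: %s (not a recognized EK certificate index)\n",
+nvIndex, indexType);
+
+/* Try to read the NV public info to show what it contains */
+rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
+if (rc == 0) {
+const char* hashName = TPM2_GetAlgName(nvPublic.nameAlg);
+int isPolicyDigest = 0;
+int showData = 0;
+
+#ifdef DEBUG_WOLFTPM
+printf(" NV Size: %u bytes, Attributes: 0x%08x, Name Alg: %s\n",
+nvPublic.dataSize, (unsigned int)nvPublic.attributes, hashName);
+show_nv_attributes(nvPublic.attributes);
+showData = 1; /* Always show data in debug mode */
+#else
+printf(" NV Size: %u bytes, Name Alg: %s\n",
+nvPublic.dataSize, hashName);
+#endif
+
+/* Check if this looks like a policy digest based on size and hash */
+if ((nvPublic.dataSize == 32 && nvPublic.nameAlg == TPM_ALG_SHA256) ||
+(nvPublic.dataSize == 48 && nvPublic.nameAlg == TPM_ALG_SHA384) ||
+(nvPublic.dataSize == 64 && nvPublic.nameAlg == TPM_ALG_SHA512) ||
+(nvPublic.dataSize == 32 && nvPublic.nameAlg == TPM_ALG_SM3_256)) {
+printf(" Type: Policy digest (%s hash)\n", hashName);
+isPolicyDigest = 1;
+showData = 1; /* Always show policy digests */
+}
+else if (nvPublic.dataSize > 100) {
+printf(" Type: Certificate or template\n");
+}
+else if (nvPublic.dataSize > 32) {
+printf(" Type: Data (%u bytes)\n", nvPublic.dataSize);
+}
+else {
+printf(" Type: Small data (%u bytes)\n", nvPublic.dataSize);
+#ifdef DEBUG_WOLFTPM
+showData = 1;
+#endif
+}
+
+/* Read and display data if appropriate */
+if (showData && nvPublic.dataSize > 0) {
+certSz = nvPublic.dataSize;
+if (certSz > sizeof(certBuf)) {
+certSz = sizeof(certBuf);
+}
+
+rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0);
+if (rc == 0) {
+if (nvPublic.dataSize <= 32 || isPolicyDigest) {
+printf(" Data (%u bytes):\n", certSz);
+dump_hex_bytes(certBuf, certSz);
+}
+else {
+printf(" First 32 bytes:\n");
+dump_hex_bytes(certBuf, (certSz > 32) ? 32 : certSz);
+}
+}
+}
+}
+
+rc = 0; /* Reset error code to continue processing */
 continue;
 }
 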
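Review bot: A failed `wolfTPM2_NVReadPublic` (new line 316) or `wolfTPM2_NVReadAuth` (new line 361) is never reported: both are only acted on when `rc == 0`, and line 375 then resets `rc = 0`, so an index that exists but is unreadable (auth- or policy-gated, or READLOCKED) prints exactly the same as one that is simply undefined, which defeats the diagnostic purpose of this branch. Add an `else` after each read that surfaces the code before the reset, e.g. `else { printf(" NV read failed: rc=%d\n", rc); }`. Separately, the offsets `0x7F01`–`0x7F04` at lines 301–306 are hard-coded even though the wolftpm/tpm2.h hunk in this same commit introduces `TPM2_NV_EK_POLICY_SHA256` … `TPM2_NV_EK_POLICY_SM3_256` for exactly these indices; comparing `nvIndex` against those macros (and `TPM2_NV_EK_CHAIN` for the 0x100 range) keeps the example from drifting from the header. The enclosing function TPM2_EndorsementCert_Example starts before the hunk and continues past it, so where `nv`, `nvPublic` and `certBuf` are set up is not visible here.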
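--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -6446,9 +6446,9 @@ int wolfTPM2_GetKeyTemplate_EKIndex(word32 nvIndex,
 uint32_t keyBits = 0;
 int highRange = 0;
 
-/* validate index is in NV EK range */
+/* validate index is in TCG NV space range (0x01C00000 - 0x01C07FFF) */
 if (nvIndex < TPM_20_TCG_NV_SPACE ||
-nvIndex > TPM_20_TCG_NV_SPACE + 0x7FFF) {
+nvIndex > TPM_20_TCG_NV_SPACE + 0x7FFF) {
 return BAD_FUNC_ARG;
 }
 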
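Review bot: Widening the bound on line 6451 from `0x1FF` to `0x7FFF` lets indices that carry no EK key template — the certificate-chain range from offset 0x100, the policy indices 0x7F01–0x7F04 this commit adds to tpm2.h, and every unassigned offset up to 0x7FFF — pass this guard; the caller in get_ek_certs.c takes its new diagnostic path only when this function returns non-zero, so unless the template selection below the hunk rejects those offsets the example would proceed with an unrelated template. The `0x7FFF` bound is also duplicated verbatim in the example's vendor-specific branch, so a single named macro in tpm2.h next to the new `TPM2_NV_EK_POLICY_*` defines (name to be chosen; placeholder `TCG_NV_SPACE_MAX_OFFSET`, constructed) would tie the two together. wolfTPM2_GetKeyTemplate_EKIndex continues past the hunk, so whether non-template offsets are rejected further down cannot be confirmed from this view.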
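--- a/wolftpm/tpm2.h
+++ b/wolftpm/tpm2.h
@@ -1708,6 +1708,12 @@ typedef struct TPM2_AUTH_SESSION {
 /* EK Certificate Chains (0x100 - 0x1FF) - Not common */
 #define TPM2_NV_EK_CHAIN (TPM_20_TCG_NV_SPACE + 0x100)
 
+/* EK Policy Indices for PolicyAuthorizeNV (0x7F01 - 0x7F04) */
+#define TPM2_NV_EK_POLICY_SHA256 (TPM_20_TCG_NV_SPACE + 0x7F01)
+#define TPM2_NV_EK_POLICY_SHA384 (TPM_20_TCG_NV_SPACE + 0x7F02)
+#define TPM2_NV_EK_POLICY_SHA512 (TPM_20_TCG_NV_SPACE + 0x7F03)
+#define TPM2_NV_EK_POLICY_SM3_256 (TPM_20_TCG_NV_SPACE + 0x7F04)
+
 /* Predetermined TPM 2.0 Endorsement policy auth templates */
 /* SHA256 (Low Range) */
 static const BYTE TPM_20_EK_AUTH_POLICY[] = {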
