meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

Upstream-Status: Pending

commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
Date:   Wed Jun 19 18:57:13 2013 +0800

support reading SRK password from env TPM_SRK_PW

Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially,
use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password.

Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>

Index: git/src/e_tpm.c
===================================================================
--- git.orig/src/e_tpm.c
+++ git/src/e_tpm.c
@@ -38,6 +38,8 @@
 #include "e_tpm.h"
 #include "ssl_compat.h"
 
+#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
+
 //#define DLOPEN_TSPI
 
 #ifndef OPENSSL_NO_HW
@@ -262,6 +264,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
 	TSS_RESULT result;
 	UINT32 authusage;
 	BYTE *auth;
+	char *srkPasswd = NULL;
+	TSS_FLAG secretMode = secret_mode;
+	int authlen = 0;
+
 
 	if (hSRK != NULL_HKEY) {
 		DBGFN("SRK is already loaded.");
@@ -313,18 +319,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
 		return 0;
 	}
 
-	if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ",
-				cb_data)) {
-		Tspi_Context_CloseObject(hContext, hSRK);
-		free(auth);
-		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-		return 0;
+	srkPasswd = getenv("TPM_SRK_PW");
+	if (NULL != srkPasswd) {
+		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
+			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
+			secretMode = TSS_SECRET_MODE_SHA1;
+			authlen = TPM_WELL_KNOWN_KEY_LEN;
+		} else {
+			int authbuflen = 128;
+			memset(auth, 0, authbuflen);
+			strncpy(auth, srkPasswd, authbuflen-1);
+			secretMode = TSS_SECRET_MODE_PLAIN;
+			authlen = strlen(auth);
+		}
+	}
+	else {
+		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
+				"SRK authorization: ", cb_data)) {
+			Tspi_Context_CloseObject(hContext, hSRK);
+			free(auth);
+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+			return 0;
+		}
+		secretMode = secret_mode;
+		authlen = strlen(auth);
 	}
 
 	/* secret_mode is a global that may be set by engine ctrl
 	 * commands.  By default, its set to TSS_SECRET_MODE_PLAIN */
-	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode,
-					      strlen((char *)auth), auth))) {
+	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode,
+					      authlen, auth))) {
 		Tspi_Context_CloseObject(hContext, hSRK);
 		free(auth);
 		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);