Hello community, here is the log from the commit of package tpm2.0-tools for openSUSE:Factory checked in at 2019-03-06 15:52:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tpm2.0-tools (Old) and /work/SRC/openSUSE:Factory/.tpm2.0-tools.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tpm2.0-tools" Wed Mar 6 15:52:18 2019 rev:18 rq:682127 version:3.1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/tpm2.0-tools/tpm2.0-tools.changes 2019-01-21 10:53:23.999797763 +0100 +++ /work/SRC/openSUSE:Factory/.tpm2.0-tools.new.28833/tpm2.0-tools.changes 2019-03-06 15:52:26.404423322 +0100 @@ -1,0 +2,12 @@ +Wed Mar 6 10:44:52 UTC 2019 - [email protected] + +- update to minor version 3.1.3: + - Restore support for the TPM2TOOLS_* env vars for TCTI configuration, in + addition to supporting the new unified TPM2TOOLS_ENV_TCTI + - Fix tpm2_getcap to print properties with the TPM_PT prefix, rather than + TPM2_PT + - Make test_tpm2_activecredential Python 3 compatible + - Fix tpm2_takeownership to only attempt to change the specified hierarchies +- use a _service file to sync with upstream tags + +------------------------------------------------------------------- Old: ---- tpm2-tools-3.1.2.tar.gz New: ---- _service tpm2-tools-3.1.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tpm2.0-tools.spec ++++++ --- /var/tmp/diff_new_pack.Z83glJ/_old 2019-03-06 15:52:28.156422969 +0100 +++ /var/tmp/diff_new_pack.Z83glJ/_new 2019-03-06 15:52:28.156422969 +0100 
@@ -17,7 +17,7 @@ Name: tpm2.0-tools -Version: 3.1.2 +Version: 3.1.3 Release: 0 Summary: Trusted Platform Module (TPM) 2.0 administration tools License: BSD-3-Clause ++++++ _service ++++++ <services> <service name="tar_scm" mode="disabled"> <param name="url">https://github.com/intel/tpm2-tools.git</param> <param name="scm">git</param> <param name="revision">3.1.3</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">disable</param> </service> <service name="set_version" mode="disabled"/> </services> ++++++ tpm2-tools-3.1.2.tar.gz -> tpm2-tools-3.1.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/CHANGELOG.md new/tpm2-tools-3.1.3/CHANGELOG.md --- old/tpm2-tools-3.1.2/CHANGELOG.md 2018-08-15 00:05:07.000000000 +0200 +++ new/tpm2-tools-3.1.3/CHANGELOG.md 2018-10-15 16:55:11.000000000 +0200 @@ -1,4 +1,12 @@ ## Changelog +### 3.1.3 - 2018-10-15 + * Restore support for the TPM2TOOLS_* env vars for TCTI configuration, in + addition to supporting the new unified TPM2TOOLS_ENV_TCTI + * Fix tpm2_getcap to print properties with the TPM_PT prefix, rather than + TPM2_PT + * Make test_tpm2_activecredential Python 3 compatible + * Fix tpm2_takeownership to only attempt to change the specified hierarchies + ### 3.1.2 - 2018-08-14 * Revert the change to use user supplied object attributes exclusively. This is an inappropriate behavioural change for a MINOR version number increment. * Fix inclusion of object attribute specifiers section in tpm2_create and tpm2_createprimary man pages. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/configure new/tpm2-tools-3.1.3/configure --- old/tpm2-tools-3.1.2/configure 2018-08-15 00:08:35.000000000 +0200 +++ new/tpm2-tools-3.1.3/configure 2018-10-15 16:55:25.000000000 +0200 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for tpm2-tools 3.1.2. +# Generated by GNU Autoconf 2.69 for tpm2-tools 3.1.3. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='tpm2-tools' PACKAGE_TARNAME='tpm2-tools' -PACKAGE_VERSION='3.1.2' -PACKAGE_STRING='tpm2-tools 3.1.2' +PACKAGE_VERSION='3.1.3' +PACKAGE_STRING='tpm2-tools 3.1.3' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1358,7 +1358,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tpm2-tools 3.1.2 to adapt to many kinds of systems. +\`configure' configures tpm2-tools 3.1.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1428,7 +1428,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tpm2-tools 3.1.2:";; + short | recursive ) echo "Configuration of tpm2-tools 3.1.3:";; esac cat <<\_ACEOF @@ -1558,7 +1558,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -tpm2-tools configure 3.1.2 +tpm2-tools configure 3.1.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1836,7 +1836,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tpm2-tools $as_me 3.1.2, which was +It was created by tpm2-tools $as_me 3.1.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -11683,7 +11683,7 @@ # Define the identity of the package. PACKAGE='tpm2-tools' - VERSION='3.1.2' + VERSION='3.1.3' cat >>confdefs.h <<_ACEOF 
@@ -14427,7 +14427,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by tpm2-tools $as_me 3.1.2, which was +This file was extended by tpm2-tools $as_me 3.1.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -14484,7 +14484,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -tpm2-tools config.status 3.1.2 +tpm2-tools config.status 3.1.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/lib/tpm2_options.c new/tpm2-tools-3.1.3/lib/tpm2_options.c --- old/tpm2-tools-3.1.2/lib/tpm2_options.c 2018-08-15 00:05:07.000000000 +0200 +++ new/tpm2-tools-3.1.3/lib/tpm2_options.c 2018-10-15 16:55:11.000000000 +0200 @@ -52,6 +52,10 @@ #endif #define TPM2TOOLS_ENV_TCTI "TPM2TOOLS_TCTI" +#define TPM2TOOLS_ENV_TCTI_NAME "TPM2TOOLS_TCTI_NAME" +#define TPM2TOOLS_ENV_DEVICE "TPM2TOOLS_DEVICE_FILE" +#define TPM2TOOLS_ENV_SOCK_ADDR "TPM2TOOLS_SOCKET_ADDRESS" +#define TPM2TOOLS_ENV_SOCK_PORT "TPM2TOOLS_SOCKET_PORT" #define TPM2TOOLS_ENV_ENABLE_ERRATA "TPM2TOOLS_ENABLE_ERRATA" tpm2_options *tpm2_options_new(const char *short_opts, size_t len, 
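Review bot: The four restored variable names arrive with no comment on how they relate to TPM2TOOLS_TCTI, and tcti_get_config (later hunk in this file) consults TPM2TOOLS_TCTI_NAME before TPM2TOOLS_TCTI, so the legacy variable silently wins when both are exported; that precedence is worth stating next to the defines, e.g. `/* Legacy per-TCTI env vars; tcti_get_config() honours these before TPM2TOOLS_ENV_TCTI */`. The regenerated tpm2_policyauthorize.1 in this same commit still documents only TPM2TOOLS_TCTI under "TCTI Configuration", so the restored variables presumably need adding to the man page sources as well.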
@@ -136,13 +140,25 @@ } typedef struct tcti_conf tcti_conf; struct tcti_conf { - const char *name; - const char *opts; + char *name; + char *opts; }; +/* + * Some tcti names changed in TSS 2.0, so in order to not break the + * expected options of the 3.X tools series map: + * - abrmd -> tabrmd + * - socket -> mssim + */ static inline const char *fixup_name(const char *name) { - return !strcmp(name, "abrmd") ? "tabrmd" : name; + if (!strcmp(name, "abrmd")) { + return "tabrmd"; + } else if (!strcmp(name, "socket")) { + return "mssim"; + } + + return name; } static const char *find_default_tcti(void) { @@ -165,27 +181,14 @@ return NULL; } -static tcti_conf tcti_get_config(const char *optstr) { - - /* set up the default configuration */ - tcti_conf conf = { - .name = find_default_tcti() - }; - - /* no tcti config supplied, get it from env */ - if (!optstr) { - optstr = getenv (TPM2TOOLS_ENV_TCTI); - if (!optstr) { - /* nothing user supplied, use default */ - return conf; - } - } +/* Parse new-style, TSS 2.0, environment variables */ +static void parse_env_tcti(const char *optstr, tcti_conf *conf) { char *split = strchr(optstr, ':'); if (!split) { /* --tcti=device */ - conf.name = fixup_name(optstr); - return conf; + conf->name = strdup(fixup_name(optstr)); + return; } /* 
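Review bot: None of the `strdup()` calls in parse_env_tcti is checked, and since the function returns void an allocation failure leaves `conf->name` NULL; the caller in the next hunk then falls back to the default TCTI (`if (!conf.name) { conf.name = strdup(find_default_tcti()); }`), so an OOM quietly changes which transport the tool talks to instead of failing. The same unchecked pattern in the next hunk's tcti_get_config is worse, as `strcmp(conf.name, "mssim")` dereferences the result immediately. Making parse_env_tcti return a bool (false after `LOG_ERR ("OOM")`) and having tcti_get_config bail out on false would keep the failure explicit. Since `name` and `opts` are now heap copies, a comment on the struct such as `/* name and opts are heap copies; the caller free()s both after use */` would document the ownership that the later `free(conf.name); free(conf.opts);` hunk relies on. parse_env_tcti's body continues past the end of this hunk.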
@@ -200,24 +203,99 @@ /* Case A */ if (!optstr[0] && !split[1]) { - return conf; + return; } /* Case B */ if (!optstr[0]) { - conf.opts = &split[1]; - return conf; + conf->opts = strdup(&split[1]); + return; } /* Case C */ if (!split[1]) { - conf.name = fixup_name(optstr); - return conf; + conf->name = strdup(fixup_name(optstr)); + return; } /* Case D */ - conf.name = fixup_name(optstr); - conf.opts = &split[1]; + conf->name = strdup(fixup_name(optstr)); + conf->opts = strdup(&split[1]); + return; +} + +static char* parse_device_tcti(void) { + const char *device = getenv(TPM2TOOLS_ENV_DEVICE); + return strdup(device); +} + +static char* parse_socket_tcti(void) { + + /* + * tpm2_tcti_ldr_load() expects conf->opts to be of the format + * "host=localhost,port=2321" for the mssim tcti + * + * Max IPV6 IP address, 45 characters (45) + * Ports are 16bit int, 5 characters (5) + * "host=", 5 characters (5) + * "port=", 5 characters (5) + * strlen = 60 + */ + size_t optlen = 60; + const char *host; + const char *port; + char *ret = malloc(optlen); + if (!ret) { + LOG_ERR ("OOM"); + return NULL; + } + + host = getenv(TPM2TOOLS_ENV_SOCK_ADDR); + port = getenv(TPM2TOOLS_ENV_SOCK_PORT); + + if (host && port) { + snprintf(ret, optlen, "host=%s,port=%s", host, port); + } else if (host) { + snprintf(ret, optlen, "host=%s", host); + } else if (port) { + snprintf(ret, optlen, "port=%s", port); + } + return ret; +} + +static tcti_conf tcti_get_config(const char *optstr) { + + tcti_conf conf = { + .name = NULL + }; + + /* no tcti config supplied, get it from env */ + if (!optstr) { + /* + * Check the "old" way of specifying TCTI, using a shared env var and + * per-tcti option variables. 
+ */ + optstr = getenv (TPM2TOOLS_ENV_TCTI_NAME); + if (optstr) { + conf.name = strdup(fixup_name(optstr)); + if (!strcmp(conf.name, "mssim")) { + conf.opts = parse_socket_tcti(); + } else if (!strcmp(conf.name, "device")) { + conf.opts = parse_device_tcti(); + } + } else { + /* Check the new way of defining a TCTI using a shared env var */ + optstr = getenv (TPM2TOOLS_ENV_TCTI); + if (optstr) { + parse_env_tcti(optstr, &conf); + } + } + } + + if (!conf.name) { + conf.name = strdup(find_default_tcti()); + } + return conf; } @@ -418,6 +496,8 @@ if (!flags->enable_errata) { flags->enable_errata = !!getenv (TPM2TOOLS_ENV_ENABLE_ERRATA); } + free(conf.name); + free(conf.opts); } rc = tpm2_option_code_continue; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/man/man1/tpm2_policyauthorize.1 new/tpm2-tools-3.1.3/man/man1/tpm2_policyauthorize.1 --- old/tpm2-tools-3.1.2/man/man1/tpm2_policyauthorize.1 1970-01-01 01:00:00.000000000 +0100 +++ new/tpm2-tools-3.1.3/man/man1/tpm2_policyauthorize.1 2018-09-27 22:16:02.000000000 +0200 
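Review bot: parse_socket_tcti hands back an uninitialized buffer when neither TPM2TOOLS_SOCKET_ADDRESS nor TPM2TOOLS_SOCKET_PORT is set: none of the three snprintf branches runs, yet the `malloc(optlen)` result is returned as `conf.opts` and later used as a config string. Two further NULL paths sit in the same hunk: parse_device_tcti passes the unchecked getenv() result straight to `strdup(device)`, and the fallback `conf.name = strdup(find_default_tcti())` can receive NULL because find_default_tcti visibly ends with `return NULL;` in the previous hunk — strdup(NULL) is undefined behaviour, whereas the old code stored the NULL and let the caller decide. The 60-byte buffer also silently truncates a host longer than 45 characters (a DNS name rather than an IPv6 literal), so the snprintf return value should be checked. The rewritten parts are below; tcti_get_config's remaining lines and its callers outside this hunk are unchanged.
```c
static char* parse_device_tcti(void) {
    const char *device = getenv(TPM2TOOLS_ENV_DEVICE);
    /* variable not set: no opts, the TCTI keeps its own default */
    return device ? strdup(device) : NULL;
}

static char* parse_socket_tcti(void) {
    /* … unchanged: buffer-size comment and optlen … */
    const char *host = getenv(TPM2TOOLS_ENV_SOCK_ADDR);
    const char *port = getenv(TPM2TOOLS_ENV_SOCK_PORT);
    int n = 0;

    /* neither variable set: no opts, same as a bare --tcti=mssim */
    if (!host && !port) {
        return NULL;
    }

    char *ret = malloc(optlen);
    if (!ret) {
        LOG_ERR ("OOM");
        return NULL;
    }

    if (host && port) {
        n = snprintf(ret, optlen, "host=%s,port=%s", host, port);
    } else if (host) {
        n = snprintf(ret, optlen, "host=%s", host);
    } else {
        n = snprintf(ret, optlen, "port=%s", port);
    }

    /* reject truncation instead of silently connecting to a different host/port */
    if (n < 0 || (size_t)n >= optlen) {
        LOG_ERR ("socket TCTI options exceed %zu bytes", optlen);
        free(ret);
        return NULL;
    }
    return ret;
}

/* … unchanged: tcti_get_config up to the default fallback … */
    if (!conf.name) {
        /* find_default_tcti() may return NULL; keep that, do not strdup(NULL) */
        const char *def = find_default_tcti();
        conf.name = def ? strdup(def) : NULL;
    }
```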
@@ -0,0 +1,500 @@ +.\" Automatically generated by Pandoc 2.0.6 +.\" +.TH "tpm2_policyauthorize" "1" "AUGUST 2018" "tpm2\-tools" "General Commands Manual" +.hy +.SH NAME +.PP +\f[B]tpm2_policyauthorize\f[](1) \- Generates/Creates a policy event +that authorizes a policy digest from TPM policy events. +.SH SYNOPSIS +.PP +\f[B]tpm2_policyauthorize\f[] [\f[I]OPTIONS\f[]] +.SH DESCRIPTION +.PP +\f[B]tpm2_policyauthorize\f[] Generates a policy_authorize event with +the TPM. +It expects a session to be already established via +\f[B]tpm2_startauthsession\f[] and requires extended session support +with tpm2\-abrmd. +1. +If the input session is a trial session this tool generates a policy +digest that associates a signing authority's public key name with the +policy being authorized. +2. +If the input session is real policy session +\f[B]tpm2_policyauthorize\f[] looks for a verification ticket from the +TPM to attest that the TPM has verified the signature on the policy +digest before authorizing the policy in the policy digest. +.SH OPTIONS +.IP \[bu] 2 +\f[B]\-o\f[], \f[B]\[en]policy\-file\f[]=\f[I]POLICY_FILE\f[]: +.RS 2 +.PP +File to save the policy digest. +.RE +.IP \[bu] 2 +\f[B]\-S\f[], \f[B]\[en]session\f[]=\f[I]SESSION_FILE\f[]: +.RS 2 +.PP +The policy session file generated via the \f[B]\-S\f[] option to +\f[B]tpm2_startauthsession\f[](1). +.RE +.IP \[bu] 2 +\f[B]\-f\f[], \f[B]\[en]input\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: +.RS 2 +.PP +The policy digest that has to be authorized. +.RE +.IP \[bu] 2 +\f[B]\-q\f[], \f[B]\[en]qualifier\f[]=\f[I]DATA_FILE\f[]: +.RS 2 +.PP +The policy qualifier data signed in conjunction with the input policy +digest. +This is a unique data that the signer can choose to include in the +signature. +.RE +.IP \[bu] 2 +\f[B]\-n\f[], \f[B]\[en]name\f[]=\f[I]NAME_DATA_FILE\f[]: +.RS 2 +.PP +File containing the name of the verifying public key. +This ties the final policy digest with a signer. 
+This can be retrieved with \f[B]tpm2_readpublic\f[] +.RE +.IP \[bu] 2 +\f[B]\-t\f[], \f[B]\[en]ticket\f[]=\f[I]TICKET_FILE\f[]: +.RS 2 +.PP +The ticket file to record the validation structure. +This is generated with \f[B]tpm2_verifysignature\f[]. +.RE +.SH COMMON OPTIONS +.PP +This collection of options are common to many programs and provide +information that many users may expect. +.IP \[bu] 2 +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE +.IP \[bu] 2 +\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for +this tool, supported tctis and exit. +.IP \[bu] 2 +\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the +tool prints to the console during its execution. +When using this option the file and line number are printed. +.IP \[bu] 2 +\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. +.IP \[bu] 2 +\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of +errata fixups. +Useful if an errata fixup needs to be applied to commands sent to the +TPM. +Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. +.SH TCTI Configuration +.PP +The TCTI or \[lq]Transmission Interface\[rq] is the communication +mechanism with the TPM. +TCTIs can be changed for communication with TPMs across different +mediums. +.PP +To control the TCTI, the tools respect: +.IP "1." 
3 +The command line option \f[B]\-T\f[] or \f[B]\[en]tcti\f[] +.IP "2." 3 +The environment variable: \f[I]TPM2TOOLS_TCTI\f[]. +.PP +\f[B]Note:\f[] The command line option always overrides the environment +variable. +.PP +The current known TCTIs are: +.IP \[bu] 2 +tabrmd \- The resource manager, called +tabrmd (https://github.com/tpm2-software/tpm2-abrmd). +Note that tabrmd and abrmd as a tcti name are synonymous. +.IP \[bu] 2 +mssim \- Typically used for communicating to the TPM software simulator. +.IP \[bu] 2 +device \- Used when talking directly to a TPM device file. +.PP +The arguments to either the command line option or the environment +variable are in the form: +.PP +\f[C]<tcti\-name>:<tcti\-option\-config>\f[] +.PP +Specifying an empty string for either the \f[C]<tcti\-name>\f[] or +\f[C]<tcti\-option\-config>\f[] results in the default being used for +that portion respectively. +.SS TCTI Defaults +.PP +When a TCTI is not specified, the default TCTI is searched for using +\f[I]dlopen(3)\f[] semantics. +The tools will search for \f[I]tabrmd\f[], \f[I]device\f[] and +\f[I]mssim\f[] TCTIs \f[B]IN THAT ORDER\f[] and \f[B]USE THE FIRST ONE +FOUND\f[]. +You can query what TCTI will be chosen as the default by using the +\f[B]\-v\f[] option to print the version information. +The \[lq]default\-tcti\[rq] key\-value pair will indicate which of the +aforementioned TCTIs is the default. +.SS Custom TCTIs +.PP +Any TCTI that implements the dynamic TCTI interface can be loaded. +The tools internally use \f[I]dlopen(3)\f[], and the raw +\f[I]tcti\-name\f[] value is used for the lookup. +Thus, this could be a path to the shared library, or a library name as +understood by \f[I]dlopen(3)\f[] semantics. +.SH TCTI OPTIONS +.PP +This collection of options are used to configure the various known TCTI +modules available: +.IP \[bu] 2 +\f[B]device\f[]: For the device TCTI, the TPM character device file for +use by the device TCTI can be specified. 
+The default is \f[I]/dev/tpm0\f[]. +.RS 2 +.PP +Example: \f[B]\-T device:/dev/tpm0\f[] or \f[B]export +\f[BI]TPM2TOOLS_TCTI\f[B]=\[lq]device:/dev/tpm0\[rq]\f[] +.RE +.IP \[bu] 2 +\f[B]mssim\f[]: +.IP \[bu] 2 +For the mssim TCTI, the domain name or IP address and port number used +by the simulator can be specified. +The default are 127.0.0.1 and 2321. +.RS 2 +.PP +Example: \f[B]\-T mssim:host=localhost,port=2321\f[] or \f[B]export +\f[BI]TPM2TOOLS_TCTI\f[B]=\[lq]mssim:host=localhost,port=2321\[rq]\f[] +.RE +.IP \[bu] 2 +\f[B]abrmd\f[]: For the abrmd TCTI, the configuration string format is a +series of simple key value pairs separated by a `,' character. +Each key and value string are separated by a `=' character. +.RS 2 +.IP \[bu] 2 +TCTI abrmd supports two keys: +.RS 2 +.IP "1." 3 +`bus_name' : The name of the tabrmd service on the bus (a string). +.IP "2." 3 +`bus_type' : The type of the dbus instance (a string) limited to +`session' and `system'. +.RE +.PP +Specify the tabrmd tcti name and a config string of +\f[C]bus_name=com.example.FooBar\f[]: +.IP +.nf +\f[C] +\-\-tcti=tabrmd:bus_name=com.example.FooBar +\f[] +.fi +.PP +Specify the default (abrmd) tcti and a config string of +\f[C]bus_type=session\f[]: +.IP +.nf +\f[C] +\-\-tcti:bus_type=session +\f[] +.fi +.PP +\f[B]NOTE\f[]: abrmd and tabrmd are synonymous. +.RE +.SH Supported Hash Algorithms +.PP +Supported hash algorithms are: +.IP \[bu] 2 +\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] +\f[B](default)\f[] +.IP \[bu] 2 +\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] +.IP \[bu] 2 +\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] +.IP \[bu] 2 +\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] +.IP \[bu] 2 +\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] +.PP +\f[B]NOTE\f[]: Your TPM may not support all algorithms. +.SH Algorithm Specifiers +.PP +Options that take algorithms support \[lq]nice\-names\[rq]. 
+.PP +There are two major algorithm specification string classes, simple and +complex. +Only certain algorithms will be accepted by the TPM, based on usage and +conditions. +.SS Simple specifiers +.PP +These are strings with no additional specification data. +When creating objects, non\-specified portions of an object are assumed +to defaults. +You can find the list of known \[lq]Simple Specifiers Below\[rq]. +.SS Asymmetric +.IP \[bu] 2 +rsa +.IP \[bu] 2 +ecc +.SS Symmetric +.IP \[bu] 2 +aes +.IP \[bu] 2 +camellia +.SS Hashing Algorithms: +.IP \[bu] 2 +sha1 +.IP \[bu] 2 +sha256 +.IP \[bu] 2 +sha384 +.IP \[bu] 2 +sha512 +.IP \[bu] 2 +sm3_256 +.IP \[bu] 2 +sha3_256 +.IP \[bu] 2 +sha3_384 +.IP \[bu] 2 +sha3_512 +.SS Keyed Hash +.IP \[bu] 2 +hmac +.IP \[bu] 2 +xor +.SS Signing Schemes +.IP \[bu] 2 +rsassa +.IP \[bu] 2 +rsapss +.IP \[bu] 2 +ecdsa +.IP \[bu] 2 +ecdaa +.IP \[bu] 2 +ecschnorr +.SS Asymmetric Encryption Schemes +.IP \[bu] 2 +oaep +.IP \[bu] 2 +rsaes +.IP \[bu] 2 +ecdh +.SS Modes +.IP \[bu] 2 +ctr +.IP \[bu] 2 +ofb +.IP \[bu] 2 +cbc +.IP \[bu] 2 +cfb +.IP \[bu] 2 +ecb +.SS Misc +.IP \[bu] 2 +null +.SS Complex Specifiers +.PP +Objects, when specified for creation by the TPM, have numerous +algorithms to populate in the public data. +Things like type, scheme and asymmetric details, key size, etc. +Below is the general format for specifying this data: +\f[C]<type>:<scheme>:<symmetric\-details>\f[] +.SS Type Specifiers +.PP +This portion of the complex algorithm specifier is required. +The remaining scheme and symmetric details will default based on the +type specified and the type of the object being created. +.IP \[bu] 2 +aes \- Default AES: aes128cfb +.IP \[bu] 2 +aes128\f[C]<mode>\f[] \- 128 bit AES with optional mode +(\f[I]ctr\f[]|\f[I]ofb\f[]|\f[I]cbc\f[]|\f[I]cfb\f[]|\f[I]ecb\f[]). +If mode is not specified, defaults to \f[I]cfb\f[]. +.IP \[bu] 2 +aes256\f[C]<mode>\f[] \- Same as aes128\f[C]<mode>\f[], except for a 256 +bit key size. 
+.IP \[bu] 2 +ecc \- Elliptical Curve, defaults to ecc256. +.IP \[bu] 2 +ecc192 \- 192 bit ECC +.IP \[bu] 2 +ecc224 \- 224 bit ECC +.IP \[bu] 2 +ecc256 \- 256 bit ECC +.IP \[bu] 2 +ecc384 \- 384 bit ECC +.IP \[bu] 2 +ecc521 \- 521 bit ECC +.IP \[bu] 2 +rsa \- Default RSA: rsa2048 +.IP \[bu] 2 +rsa1024 \- RSA with 1024 bit keysize. +.IP \[bu] 2 +rsa2048 \- RSA with 2048 bit keysize. +.IP \[bu] 2 +rsa4096 \- RSA with 4096 bit keysize. +.SS Scheme Specifiers +.PP +Next, is an optional field, it can be skipped. +.PP +Schemes are usually \f[B]Signing Schemes\f[] or \f[B]Asymmetric +Encryption Schemes\f[]. +Most signing schemes take a hash algorithm directly following the +signing scheme. +If the hash algorithm is missing, it defaults to \f[I]sha256\f[]. +Some take no arguments, and some take multiple arguments. +.SS Hash Optional Scheme Specifiers +.PP +These scheme specifiers are followed immediately by a valid hash +algorithm, For example: \f[C]oaepsha256\f[]. +.IP \[bu] 2 +oaep +.IP \[bu] 2 +ecdh +.IP \[bu] 2 +rsassa +.IP \[bu] 2 +rsapss +.IP \[bu] 2 +ecdsa +.IP \[bu] 2 +ecschnorr +.SS Multiple Option Scheme Specifiers +.PP +This scheme specifier is followed by a count (max size UINT16) a +dash(\-) and a valid hash algorithm. +* ecdaa +.SS No Option Scheme Specifiers +.PP +This scheme specifier takes NO arguments. +* rsaes +.SS Symmetric Details Specifiers +.PP +This field is optional, and defaults based on the \f[I]type\f[] of +object being created and it's attributes. +Generally, any valid \f[B]Symmetric\f[] specifier from the \f[B]Type +Specifiers\f[] list should work. +If not specified, an asymmetric objects symmetric details defaults to +\f[I]aes128cfb\f[]. 
+.SS Examples: +.PP +Create an rsa2048 key with an rsaes asymmetric encryption scheme: +\f[C]tpm2_create\ \-C\ parent.ctx\ \-G\ rsa2048:rsaes\ \-u\ key.pub\ \-r\ key.priv\f[] +.PP +Create an ecc256 key with an ecdaa signing scheme with a count of 4 and +sha384 hash: +\f[C]/tpm2_create\ \-C\ parent.ctx\ \-G\ ecc256:ecdaa4\-sha384\ \-u\ key.pub\ \-r\ key.priv\f[] +.PP +\f[B]DEPRECATED\f[] The old numerical arguments are deprecated, and use +is discouraged and will not be officially supported going forward. +.SH EXAMPLES +.PP +Starts a \f[I]trial\f[] session, builds a PCR policy. +This pcr policy digest is then an input to the +\f[B]tpm2_policyauthorize\f[] along with policy qualifier data and a +signer public. +The resultant policy digest is then used in creation of objects. +Subsequently when the PCR change and so does the pcr policy digest, the +actual policy digest from the \f[B]tpm2_policyauthorize\f[] used in +creation of the object will not change. +At runtime the new pcr policy needs to be satisfied along with +verification of the signature on the pcr policy digest using +\f[B]tpm2_policyauthorize\f[] +.SS Create a signing authority +.IP \[bu] 2 +openssl genrsa \-out signing_key_private.pem 2048 +.IP \[bu] 2 +openssl rsa \-in signing_key_private.pem \-out signing_key_public.pem +\-pubout +.IP \[bu] 2 +tpm2_loadexternal \-G rsa \-A n \-u signing_key_public.pem \-o +signing_key.ctx +.PD 0 +.P +.PD +\-n signing_key.name +.SS Create a policy to be authorized like a pcr policy: +.IP \[bu] 2 +tpm2_pcrlist \-L sha256:0 \-o pcr0.sha256 +.IP \[bu] 2 +tpm2_startauthsession \-S session.ctx +.IP \[bu] 2 +tpm2_policypcr \-S session.ctx \-L sha256:0 \-F pcr0.sha256 \-f +pcr.policy +.IP \[bu] 2 +tpm2_flushcontext \-S session.ctx +.SS Sign the policy +.IP \[bu] 2 +openssl dgst \-sha256 \-sign signing_key_private.pem \-out pcr.signature +pcr.policy +.SS Authorize the policy in the policy digest: +.IP \[bu] 2 +tpm2_startauthsession \-S session.ctx +.IP \[bu] 2 
+tpm2_policyauthorize \-S session.ctx \-o authorized.policy \-f +pcr.policy +.PD 0 +.P +.PD +\-n signing_key.name +.IP \[bu] 2 +tpm2_flushcontext \-S session.ctx +.SS Create a TPM object like a sealing object with the authorized policy +based authentication: +.IP \[bu] 2 +tpm2_createprimary \-Q \-A o \-g sha256 \-G rsa \-o prim.ctx +.IP \[bu] 2 +tpm2_create \-Q \-g sha256 \-u sealing_key.pub \-r sealing_key.pub \-I\- +\-C prim.ctx +.PD 0 +.P +.PD +\-L authorized.policy <<< \[lq]secret to seal\[rq] +.SS Satisfy policy and unseal the secret: +.IP \[bu] 2 +tpm2_verifysignature \-c signing_key.ctx \-G sha256 \-m pcr.policy +.PD 0 +.P +.PD +\-s pcr.signature \-t verification.tkt \-f rsassa +.IP \[bu] 2 +tpm2_startauthsession \-a \-S session.ctx +.IP \[bu] 2 +tpm2_policypcr \-Q \-S session.ctx \-L sha256:0 \-f pcr.policy +.IP \[bu] 2 +tpm2_policyauthorize \-S session.ctx \-o authorized.policy \-f +pcr.policy +.PD 0 +.P +.PD +\-n verifying_public_key.name \-t verification.tkt +.IP \[bu] 2 +unsealed=`tpm2_unseal \-p\[lq]session:session.ctx\[rq] \-c +sealing_key.ctx +.IP \[bu] 2 +tpm2_flushcontext \-S session.ctx +.SH RETURNS +.PP +0 on success or 1 on failure. +.SH BUGS +.PP +Github Issues (https://github.com/tpm2-software/tpm2-tools/issues) +.SH HELP +.PP +See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/test/system/test_tpm2_activecredential.sh new/tpm2-tools-3.1.3/test/system/test_tpm2_activecredential.sh --- old/tpm2-tools-3.1.2/test/system/test_tpm2_activecredential.sh 2018-08-15 00:05:07.000000000 +0200 +++ new/tpm2-tools-3.1.3/test/system/test_tpm2_activecredential.sh 2018-10-15 16:55:11.000000000 +0200 
@@ -57,10 +57,12 @@ # Capture the yaml output and verify that its the same as the name output loaded_key_name_yaml=`python << pyscript +from __future__ import print_function import yaml + with open('ak.out', 'r') as f: doc = yaml.load(f) - print doc['loaded-key']['name'] + print(doc['loaded-key']['name']) pyscript` # Use -c in xxd so there is no line wrapping diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/test/system/test_tpm2_dictionarylockout.sh new/tpm2-tools-3.1.3/test/system/test_tpm2_dictionarylockout.sh --- old/tpm2-tools-3.1.2/test/system/test_tpm2_dictionarylockout.sh 2018-08-15 00:05:07.000000000 +0200 +++ new/tpm2-tools-3.1.3/test/system/test_tpm2_dictionarylockout.sh 2018-10-15 16:55:11.000000000 +0200 
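Review bot: `doc = yaml.load(f)` is left as a bare load while the surrounding lines are being modernised; with PyYAML that call uses the full loader, which can instantiate arbitrary Python objects from tags in the document, and newer PyYAML releases warn (and later refuse) when no Loader is given. The file is this test's own tool output, so the exposure is small, but `doc = yaml.safe_load(f)` is the drop-in replacement and also keeps the Python 3 run free of the deprecation warning.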
@@ -40,16 +40,16 @@ tpm2_dictionarylockout -s -n 5 -t 6 -l 7 -if [ "$(tpm2_getcap -c properties-variable | grep TPM2_PT_MAX_AUTH_FAIL | sed -e 's/TPM2_PT_MAX_AUTH_FAIL: \+//')" != "0x00000005" ];then +if [ "$(tpm2_getcap -c properties-variable | grep TPM_PT_MAX_AUTH_FAIL | sed -e 's/TPM_PT_MAX_AUTH_FAIL: \+//')" != "0x00000005" ]; then echo "Failure: setting up the number of allowed tries in the lockout parameters" exit 1 fi -if [ "$(tpm2_getcap -c properties-variable | grep TPM2_PT_LOCKOUT_INTERVAL | sed -e 's/TPM2_PT_LOCKOUT_INTERVAL: \+//')" != "0x00000006" ];then +if [ "$(tpm2_getcap -c properties-variable | grep TPM_PT_LOCKOUT_INTERVAL | sed -e 's/TPM_PT_LOCKOUT_INTERVAL: \+//')" != "0x00000006" ]; then echo "Failure: setting up the lockout period in the lockout parameters" fi -if [ "$(tpm2_getcap -c properties-variable | grep TPM2_PT_LOCKOUT_RECOVERY | sed -e 's/TPM2_PT_LOCKOUT_RECOVERY: \+//')" != "0x00000007" ];then +if [ "$(tpm2_getcap -c properties-variable | grep TPM_PT_LOCKOUT_RECOVERY | sed -e 's/TPM_PT_LOCKOUT_RECOVERY: \+//')" != "0x00000007" ]; then echo "Failure: setting up the lockout recovery period in the lockout parameters" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/test/system/test_tpm2_nv.sh new/tpm2-tools-3.1.3/test/system/test_tpm2_nv.sh --- old/tpm2-tools-3.1.2/test/system/test_tpm2_nv.sh 2018-08-15 00:05:07.000000000 +0200 +++ new/tpm2-tools-3.1.3/test/system/test_tpm2_nv.sh 2018-10-15 16:55:11.000000000 +0200 
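Review bot: The second and third `if` blocks only `echo` the failure and fall through — unlike the first, they have no `exit 1` — so a wrong TPM_PT_LOCKOUT_INTERVAL or TPM_PT_LOCKOUT_RECOVERY value is reported but the test still passes. Both conditions are rewritten here, so this is the place to add `exit 1` after each echo to match the first block. The three checks also re-run the same `tpm2_getcap -c properties-variable` pipeline; capturing it once into a variable and grepping that would keep them consistent and cheaper.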
@@ -153,7 +153,7 @@ # # Test large writes # -large_file_size=$(tpm2_getcap -c properties-fixed | grep TPM2_PT_NV_INDEX_MAX | sed -r -e 's/.*(0x[0-9a-f]+)/\1/g') +large_file_size=$(tpm2_getcap -c properties-fixed | grep TPM_PT_NV_INDEX_MAX | sed -r -e 's/.*(0x[0-9a-f]+)/\1/g') nv_test_index=0x1000000 # Create an nv space with attributes 1010 = TPMA_NV_PPWRITE and TPMA_NV_AUTHWRITE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/test/system/test_tpm2_quote.sh new/tpm2-tools-3.1.3/test/system/test_tpm2_quote.sh --- old/tpm2-tools-3.1.2/test/system/test_tpm2_quote.sh 2018-08-15 00:05:07.000000000 +0200 +++ new/tpm2-tools-3.1.3/test/system/test_tpm2_quote.sh 2018-10-15 16:55:11.000000000 +0200 @@ -51,7 +51,7 @@ Handle_ek_quote=0x81010017 Handle_ak_quote2=0x81010018 -maxdigest=$(tpm2_getcap -c properties-fixed | grep TPM2_PT_MAX_DIGEST | sed -r -e 's/.*(0x[0-9a-f]+)/\1/g') +maxdigest=$(tpm2_getcap -c properties-fixed | grep TPM_PT_MAX_DIGEST | sed -r -e 's/.*(0x[0-9a-f]+)/\1/g') if ! [[ "$maxdigest" =~ ^(0x)*[0-9]+$ ]] ; then echo "error: not a number, got: \"$maxdigest\"" >&2 exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/tools/tpm2_getcap.c new/tpm2-tools-3.1.3/tools/tpm2_getcap.c --- old/tpm2-tools-3.1.2/tools/tpm2_getcap.c 2018-08-15 00:05:07.000000000 +0200 +++ new/tpm2-tools-3.1.3/tools/tpm2_getcap.c 2018-10-15 16:55:11.000000000 +0200 @@ -196,7 +196,7 @@ void tpm2_tool_output_tpma_modes (TPMA_MODES modes) { - tpm2_tool_output ("TPM2_PT_MODES: 0x%08x\n", modes); + tpm2_tool_output ("TPM_PT_MODES: 0x%08x\n", modes); if (modes & TPMA_MODES_FIPS_140_2) tpm2_tool_output (" TPMA_MODES_FIPS_140_2\n"); if (modes& TPMA_MODES_RESERVED1_MASK) 
@@ -208,7 +208,7 @@ void dump_permanent_attrs (TPMA_PERMANENT attrs) { - tpm2_tool_output ("TPM2_PT_PERSISTENT:\n"); + tpm2_tool_output ("TPM_PT_PERSISTENT:\n"); tpm2_tool_output (" ownerAuthSet: %s\n", prop_str (attrs & TPMA_PERMANENT_OWNERAUTHSET)); tpm2_tool_output (" endorsementAuthSet: %s\n", prop_str (attrs & TPMA_PERMANENT_ENDORSEMENTAUTHSET)); tpm2_tool_output (" lockoutAuthSet: %s\n", prop_str (attrs & TPMA_PERMANENT_LOCKOUTAUTHSET)); @@ -224,7 +224,7 @@ void dump_startup_clear_attrs (TPMA_STARTUP_CLEAR attrs) { - tpm2_tool_output ("TPM2_PT_STARTUP_CLEAR:\n"); + tpm2_tool_output ("TPM_PT_STARTUP_CLEAR:\n"); tpm2_tool_output (" phEnable: %s\n", prop_str (attrs & TPMA_STARTUP_CLEAR_PHENABLE)); tpm2_tool_output (" shEnable: %s\n", prop_str (attrs & TPMA_STARTUP_CLEAR_SHENABLE)); tpm2_tool_output (" ehEnable: %s\n", prop_str (attrs & TPMA_STARTUP_CLEAR_EHENABLE)); 
@@ -248,30 +248,30 @@ switch (property) { case TPM2_PT_FAMILY_INDICATOR: get_uint32_as_chars (value, buf); - tpm2_tool_output ("TPM2_PT_FAMILY_INDICATOR:\n" + tpm2_tool_output ("TPM_PT_FAMILY_INDICATOR:\n" " as UINT32: 0x08%x\n" " as string: \"%s\"\n", value, buf); break; case TPM2_PT_LEVEL: - tpm2_tool_output ("TPM2_PT_LEVEL: %d\n", value); + tpm2_tool_output ("TPM_PT_LEVEL: %d\n", value); break; case TPM2_PT_REVISION: - tpm2_tool_output ("TPM2_PT_REVISION: %.2f\n", (float)value / 100); + tpm2_tool_output ("TPM_PT_REVISION: %.2f\n", (float)value / 100); break; case TPM2_PT_DAY_OF_YEAR: - tpm2_tool_output ("TPM2_PT_DAY_OF_YEAR: 0x%08x\n", value); + tpm2_tool_output ("TPM_PT_DAY_OF_YEAR: 0x%08x\n", value); break; case TPM2_PT_YEAR: - tpm2_tool_output ("TPM2_PT_YEAR: 0x%08x\n", value); + tpm2_tool_output ("TPM_PT_YEAR: 0x%08x\n", value); break; case TPM2_PT_MANUFACTURER: - tpm2_tool_output ("TPM2_PT_MANUFACTURER: 0x%08x\n", value); + tpm2_tool_output ("TPM_PT_MANUFACTURER: 0x%08x\n", value); break; case TPM2_PT_VENDOR_STRING_1: get_uint32_as_chars (value, buf); - tpm2_tool_output ("TPM2_PT_VENDOR_STRING_1:\n" + tpm2_tool_output ("TPM_PT_VENDOR_STRING_1:\n" " as UINT32: 0x%08x\n" " as string: \"%s\"\n", value, @@ -279,7 +279,7 @@ break; case TPM2_PT_VENDOR_STRING_2: get_uint32_as_chars (value, buf); - tpm2_tool_output ("TPM2_PT_VENDOR_STRING_2:\n" + tpm2_tool_output ("TPM_PT_VENDOR_STRING_2:\n" " as UINT32: 0x%08x\n" " as string: \"%s\"\n", value, @@ -287,7 +287,7 @@ break; case TPM2_PT_VENDOR_STRING_3: get_uint32_as_chars (value, buf); - tpm2_tool_output ("TPM2_PT_VENDOR_STRING_3:\n" + tpm2_tool_output ("TPM_PT_VENDOR_STRING_3:\n" " as UINT32: 0x%08x\n" " as string: \"%s\"\n", value, 
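Review bot: In the TPM2_PT_FAMILY_INDICATOR case the format string `" as UINT32: 0x08%x\n"` still differs from the `0x%08x` used by every other case in this hunk (VENDOR_STRING_1 just below it): it prints a literal `0x08` followed by an unpadded value, which misreads as a different number. The rename pass already touches this call, so changing it to `" as UINT32: 0x%08x\n"` belongs in the same edit. `TPM_PT_LEVEL: %d` with `value` also looks like a signed/unsigned mismatch if `value` is a UINT32 — `%u` would match — but its declaration is outside this hunk, so confirm the type. The enclosing function and switch start before this hunk.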
@@ -295,113 +295,113 @@
 break;
 case TPM2_PT_VENDOR_STRING_4:
 get_uint32_as_chars (value, buf);
- tpm2_tool_output ("TPM2_PT_VENDOR_STRING_4:\n"
+ tpm2_tool_output ("TPM_PT_VENDOR_STRING_4:\n"
 " as UINT32: 0x%08x\n"
 " as string: \"%s\"\n",
 value,
 buf);
 break;
 case TPM2_PT_VENDOR_TPM_TYPE:
- tpm2_tool_output ("TPM2_PT_VENDOR_TPM_TYPE: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_VENDOR_TPM_TYPE: 0x%08x\n", value);
 break;
 case TPM2_PT_FIRMWARE_VERSION_1:
- tpm2_tool_output ("TPM2_PT_FIRMWARE_VERSION_1: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_FIRMWARE_VERSION_1: 0x%08x\n", value);
 break;
 case TPM2_PT_FIRMWARE_VERSION_2:
- tpm2_tool_output ("TPM2_PT_FIRMWARE_VERSION_2: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_FIRMWARE_VERSION_2: 0x%08x\n", value);
 break;
 case TPM2_PT_INPUT_BUFFER:
- tpm2_tool_output ("TPM2_PT_INPUT_BUFFER: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_INPUT_BUFFER: 0x%08x\n", value);
 break;
 case TPM2_PT_TPM2_HR_TRANSIENT_MIN:
- tpm2_tool_output ("TPM2_PT_TPM2_HR_TRANSIENT_MIN: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_TPM2_HR_TRANSIENT_MIN: 0x%08x\n", value);
 break;
 case TPM2_PT_TPM2_HR_PERSISTENT_MIN:
- tpm2_tool_output ("TPM2_PT_TPM2_HR_PERSISTENT_MIN: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_TPM2_HR_PERSISTENT_MIN: 0x%08x\n", value);
 break;
 case TPM2_PT_HR_LOADED_MIN:
- tpm2_tool_output ("TPM2_PT_HR_LOADED_MIN: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_HR_LOADED_MIN: 0x%08x\n", value);
 break;
 case TPM2_PT_ACTIVE_SESSIONS_MAX:
- tpm2_tool_output ("TPM2_PT_ACTIVE_SESSIONS_MAX: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_ACTIVE_SESSIONS_MAX: 0x%08x\n", value);
 break;
 case TPM2_PT_PCR_COUNT:
- tpm2_tool_output ("TPM2_PT_PCR_COUNT: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_PCR_COUNT: 0x%08x\n", value);
 break;
 case TPM2_PT_PCR_SELECT_MIN:
- tpm2_tool_output ("TPM2_PT_PCR_SELECT_MIN: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_PCR_SELECT_MIN: 0x%08x\n", value);
 break;
 case TPM2_PT_CONTEXT_GAP_MAX:
- tpm2_tool_output ("TPM2_PT_CONTEXT_GAP_MAX: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_CONTEXT_GAP_MAX: 0x%08x\n", value);
 break;
 case TPM2_PT_NV_COUNTERS_MAX:
- tpm2_tool_output ("TPM2_PT_NV_COUNTERS_MAX: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_NV_COUNTERS_MAX: 0x%08x\n", value);
 break;
 case TPM2_PT_NV_INDEX_MAX:
- tpm2_tool_output ("TPM2_PT_NV_INDEX_MAX: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_NV_INDEX_MAX: 0x%08x\n", value);
 break;
 case TPM2_PT_MEMORY:
- tpm2_tool_output ("TPM2_PT_MEMORY: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_MEMORY: 0x%08x\n", value);
 break;
 case TPM2_PT_CLOCK_UPDATE:
- tpm2_tool_output ("TPM2_PT_CLOCK_UPDATE: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_CLOCK_UPDATE: 0x%08x\n", value);
 break;
 case TPM2_PT_CONTEXT_HASH: /* this may be a TPM2_ALG_ID type */
- tpm2_tool_output ("TPM2_PT_CONTEXT_HASH: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_CONTEXT_HASH: 0x%08x\n", value);
 break;
 case TPM2_PT_CONTEXT_SYM: /* this is a TPM2_ALG_ID type */
- tpm2_tool_output ("TPM2_PT_CONTEXT_SYM: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_CONTEXT_SYM: 0x%08x\n", value);
 break;
 case TPM2_PT_CONTEXT_SYM_SIZE:
- tpm2_tool_output ("TPM2_PT_CONTEXT_SYM_SIZE: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_CONTEXT_SYM_SIZE: 0x%08x\n", value);
 break;
 case TPM2_PT_ORDERLY_COUNT:
- tpm2_tool_output ("TPM2_PT_ORDERLY_COUNT: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_ORDERLY_COUNT: 0x%08x\n", value);
 break;
 case TPM2_PT_MAX_COMMAND_SIZE:
- tpm2_tool_output ("TPM2_PT_MAX_COMMAND_SIZE: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_MAX_COMMAND_SIZE: 0x%08x\n", value);
 break;
 case TPM2_PT_MAX_RESPONSE_SIZE:
- tpm2_tool_output ("TPM2_PT_MAX_RESPONSE_SIZE: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_MAX_RESPONSE_SIZE: 0x%08x\n", value);
 break;
 case TPM2_PT_MAX_DIGEST:
- tpm2_tool_output ("TPM2_PT_MAX_DIGEST: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_MAX_DIGEST: 0x%08x\n", value);
 break;
 case TPM2_PT_MAX_OBJECT_CONTEXT:
- tpm2_tool_output ("TPM2_PT_MAX_OBJECT_CONTEXT: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_MAX_OBJECT_CONTEXT: 0x%08x\n", value);
 break;
 case TPM2_PT_MAX_SESSION_CONTEXT:
- tpm2_tool_output ("TPM2_PT_MAX_SESSION_CONTEXT: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_MAX_SESSION_CONTEXT: 0x%08x\n", value);
 break;
 case TPM2_PT_PS_FAMILY_INDICATOR:
- tpm2_tool_output ("TPM2_PT_PS_FAMILY_INDICATOR: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_PS_FAMILY_INDICATOR: 0x%08x\n", value);
 break;
 case TPM2_PT_PS_LEVEL:
- tpm2_tool_output ("TPM2_PT_PS_LEVEL: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_PS_LEVEL: 0x%08x\n", value);
 break;
 case TPM2_PT_PS_REVISION:
- tpm2_tool_output ("TPM2_PT_PS_REVISION: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_PS_REVISION: 0x%08x\n", value);
 break;
 case TPM2_PT_PS_DAY_OF_YEAR:
- tpm2_tool_output ("TPM2_PT_PS_DAY_OF_YEAR: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_PS_DAY_OF_YEAR: 0x%08x\n", value);
 break;
 case TPM2_PT_PS_YEAR:
- tpm2_tool_output ("TPM2_PT_PS_YEAR: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_PS_YEAR: 0x%08x\n", value);
 break;
 case TPM2_PT_SPLIT_MAX:
- tpm2_tool_output ("TPM2_PT_SPLIT_MAX: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_SPLIT_MAX: 0x%08x\n", value);
 break;
 case TPM2_PT_TOTAL_COMMANDS:
- tpm2_tool_output ("TPM2_PT_TOTAL_COMMANDS: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_TOTAL_COMMANDS: 0x%08x\n", value);
 break;
 case TPM2_PT_LIBRARY_COMMANDS:
- tpm2_tool_output ("TPM2_PT_LIBRARY_COMMANDS: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_LIBRARY_COMMANDS: 0x%08x\n", value);
 break;
 case TPM2_PT_VENDOR_COMMANDS:
- tpm2_tool_output ("TPM2_PT_VENDOR_COMMANDS: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_VENDOR_COMMANDS: 0x%08x\n", value);
 break;
 case TPM2_PT_NV_BUFFER_MAX:
- tpm2_tool_output ("TPM2_PT_NV_BUFFER_MAX: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_NV_BUFFER_MAX: 0x%08x\n", value);
 break;
 case TPM2_PT_MODES:
 tpm2_tool_output_tpma_modes ((TPMA_MODES)value);
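Review bot: The thirty-odd `case TPM2_PT_*:` arms in this hunk (and the similar arms in the hunks before and after it) differ only in the label string, which is exactly why a prefix rename has to touch every one of them. A `static const` table of `{ property constant, "TPM_PT_…" }` pairs plus one lookup loop and a single `tpm2_tool_output ("%s: 0x%08x\n", name, value);` would leave only the genuinely special arms (the string-valued vendor properties, REVISION, MODES and the attribute dumps) in the switch and make the next renaming a data change. The two `/* … TPM2_ALG_ID type */` comments on TPM_PT_CONTEXT_HASH and TPM_PT_CONTEXT_SYM suggest those values could also be rendered by an algorithm-name lookup, if the tool already has one; I cannot confirm that from this hunk. The enclosing switch starts and ends outside this hunk.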
@@ -429,61 +429,61 @@
 dump_startup_clear_attrs ((TPMA_STARTUP_CLEAR)value);
 break;
 case TPM2_PT_TPM2_HR_NV_INDEX:
- tpm2_tool_output ("TPM2_PT_TPM2_HR_NV_INDEX: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_TPM2_HR_NV_INDEX: 0x%08x\n", value);
 break;
 case TPM2_PT_HR_LOADED:
- tpm2_tool_output ("TPM2_PT_HR_LOADED: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_HR_LOADED: 0x%08x\n", value);
 break;
 case TPM2_PT_HR_LOADED_AVAIL:
- tpm2_tool_output ("TPM2_PT_HR_LOADED_AVAIL: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_HR_LOADED_AVAIL: 0x%08x\n", value);
 break;
 case TPM2_PT_HR_ACTIVE:
- tpm2_tool_output ("TPM2_PT_HR_ACTIVE: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_HR_ACTIVE: 0x%08x\n", value);
 break;
 case TPM2_PT_HR_ACTIVE_AVAIL:
- tpm2_tool_output ("TPM2_PT_HR_ACTIVE_AVAIL: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_HR_ACTIVE_AVAIL: 0x%08x\n", value);
 break;
 case TPM2_PT_TPM2_HR_TRANSIENT_AVAIL:
- tpm2_tool_output ("TPM2_PT_TPM2_HR_TRANSIENT_AVAIL: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_TPM2_HR_TRANSIENT_AVAIL: 0x%08x\n", value);
 break;
 case TPM2_PT_TPM2_HR_PERSISTENT:
- tpm2_tool_output ("TPM2_PT_TPM2_HR_PERSISTENT: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_TPM2_HR_PERSISTENT: 0x%08x\n", value);
 break;
 case TPM2_PT_TPM2_HR_PERSISTENT_AVAIL:
- tpm2_tool_output ("TPM2_PT_TPM2_HR_PERSISTENT_AVAIL: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_TPM2_HR_PERSISTENT_AVAIL: 0x%08x\n", value);
 break;
 case TPM2_PT_NV_COUNTERS:
- tpm2_tool_output ("TPM2_PT_NV_COUNTERS: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_NV_COUNTERS: 0x%08x\n", value);
 break;
 case TPM2_PT_NV_COUNTERS_AVAIL:
- tpm2_tool_output ("TPM2_PT_NV_COUNTERS_AVAIL: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_NV_COUNTERS_AVAIL: 0x%08x\n", value);
 break;
 case TPM2_PT_ALGORITHM_SET:
- tpm2_tool_output ("TPM2_PT_ALGORITHM_SET: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_ALGORITHM_SET: 0x%08x\n", value);
 break;
 case TPM2_PT_LOADED_CURVES:
- tpm2_tool_output ("TPM2_PT_LOADED_CURVES: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_LOADED_CURVES: 0x%08x\n", value);
 break;
 case TPM2_PT_LOCKOUT_COUNTER:
- tpm2_tool_output ("TPM2_PT_LOCKOUT_COUNTER: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_LOCKOUT_COUNTER: 0x%08x\n", value);
 break;
 case TPM2_PT_MAX_AUTH_FAIL:
- tpm2_tool_output ("TPM2_PT_MAX_AUTH_FAIL: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_MAX_AUTH_FAIL: 0x%08x\n", value);
 break;
 case TPM2_PT_LOCKOUT_INTERVAL:
- tpm2_tool_output ("TPM2_PT_LOCKOUT_INTERVAL: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_LOCKOUT_INTERVAL: 0x%08x\n", value);
 break;
 case TPM2_PT_LOCKOUT_RECOVERY:
- tpm2_tool_output ("TPM2_PT_LOCKOUT_RECOVERY: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_LOCKOUT_RECOVERY: 0x%08x\n", value);
 break;
 case TPM2_PT_NV_WRITE_RECOVERY:
- tpm2_tool_output ("TPM2_PT_NV_WRITE_RECOVERY: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_NV_WRITE_RECOVERY: 0x%08x\n", value);
 break;
 case TPM2_PT_AUDIT_COUNTER_0:
- tpm2_tool_output ("TPM2_PT_AUDIT_COUNTER_0: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_AUDIT_COUNTER_0: 0x%08x\n", value);
 break;
 case TPM2_PT_AUDIT_COUNTER_1:
- tpm2_tool_output ("TPM2_PT_AUDIT_COUNTER_1: 0x%08x\n", value);
+ tpm2_tool_output ("TPM_PT_AUDIT_COUNTER_1: 0x%08x\n", value);
 break;
 default:
 LOG_ERR("Unknown property: 0x%08x\n", properties[i].property);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.2/tools/tpm2_takeownership.c new/tpm2-tools-3.1.3/tools/tpm2_takeownership.c
--- old/tpm2-tools-3.1.2/tools/tpm2_takeownership.c 2018-08-15 00:05:07.000000000 +0200
+++ new/tpm2-tools-3.1.3/tools/tpm2_takeownership.c 2018-10-15 16:55:11.000000000 +0200
@@ -59,6 +59,15 @@
 UINT8 clear_auth : 1;
 UINT8 unused : 7;
 };
+
+ struct {
+ UINT8 o : 1;
+ UINT8 e : 1;
+ UINT8 l : 1;
+ UINT8 O : 1;
+ UINT8 E : 1;
+ UINT8 L : 1;
+ } flags;
 static takeownership_ctx ctx;
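Review bot: The new `flags` bit-fields are named after the option letters (`o`/`e`/`l`, `O`/`E`/`L`), which tells a reader nothing without the option table in front of them; either descriptive names (`owner_new`, `owner_cur`, …) or a comment above the struct, e.g. `/* Hierarchies named on the command line: lower-case bits are set by -o/-e/-l (new auth), upper-case by -O/-E/-L (current auth). */`, would make the later `ctx.flags.o || ctx.flags.O` tests self-explanatory. It is worth noting in that comment that `ctx` is a zero-initialised static, so every bit is clear until on_option() sets it — that is the property change_hierarchy_auth() now relies on. The enclosing takeownership_ctx definition starts outside this hunk.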
@@ -111,12 +120,23 @@
 static bool change_hierarchy_auth(TSS2_SYS_CONTEXT *sapi_context) {
 // change owner, endorsement and lockout auth.
- return change_auth(sapi_context, &ctx.passwords.owner,
- "Owner", TPM2_RH_OWNER)
- && change_auth(sapi_context, &ctx.passwords.endorse,
- "Endorsement", TPM2_RH_ENDORSEMENT)
- && change_auth(sapi_context, &ctx.passwords.lockout,
- "Lockout", TPM2_RH_LOCKOUT);
+ bool result = true;
+ if (ctx.flags.o || ctx.flags.O) {
+ result &= change_auth(sapi_context, &ctx.passwords.owner,
+ "Owner", TPM2_RH_OWNER);
+ }
+
+ if (ctx.flags.e || ctx.flags.E) {
+ result &= change_auth(sapi_context, &ctx.passwords.endorse,
+ "Endorsement", TPM2_RH_ENDORSEMENT);
+ }
+
+ if (ctx.flags.l || ctx.flags.L) {
+ result &= change_auth(sapi_context, &ctx.passwords.lockout,
+ "Lockout", TPM2_RH_LOCKOUT);
+ }
+
+ return result;
 }
 static bool on_option(char key, char *value) {
@@ -134,6 +154,7 @@
 LOG_ERR("Invalid new owner password, got\"%s\"", optarg);
 return false;
 }
+ ctx.flags.o = 1;
 break;
 case 'e':
 result = tpm2_password_util_from_optarg(value, &ctx.passwords.endorse.new);
@@ -141,6 +162,7 @@
 LOG_ERR("Invalid new endorse password, got\"%s\"", optarg);
 return false;
 }
+ ctx.flags.e = 1;
 break;
 case 'l':
 result = tpm2_password_util_from_optarg(value, &ctx.passwords.lockout.new);
@@ -148,6 +170,7 @@
 LOG_ERR("Invalid new lockout password, got\"%s\"", optarg);
 return false;
 }
+ ctx.flags.l = 1;
 break;
 case 'O':
 result = tpm2_password_util_from_optarg(value, &ctx.passwords.owner.old);
@@ -155,6 +178,7 @@
 LOG_ERR("Invalid current owner password, got\"%s\"", optarg);
 return false;
 }
+ ctx.flags.O = 1;
 break;
 case 'E':
 result = tpm2_password_util_from_optarg(value, &ctx.passwords.endorse.old);
@@ -162,6 +186,7 @@
 LOG_ERR("Invalid current endorse password, got\"%s\"", optarg);
 return false;
 }
+ ctx.flags.E = 1;
 break;
 case 'L':
 result = tpm2_password_util_from_optarg(value, &ctx.passwords.lockout.old);
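Review bot: Replacing the `&&` chain with `result &=` drops the short-circuit, so when the Owner change fails the tool still goes on to attempt the Endorsement and Lockout changes, and the comment `// change owner, endorsement and lockout auth.` kept above the new code no longer describes what runs; if continuing after a failure is intended it should say so, e.g. `// Change only the hierarchies whose new (-o/-e/-l) or current (-O/-E/-L) auth was given; one failure does not stop the others.` That matters for the lockout hierarchy in particular, since a rejected lockout auth is rate-limited by the TPM's lockout recovery interval, so a retry after an earlier failure is not free. The `||` conditions also mean that passing only the current auth (`-O` with no `-o`) still rewrites that hierarchy's auth to whatever `ctx.passwords.owner.new` holds — change_auth() is outside this hunk, so I cannot tell whether that is the empty auth — which is a quiet way to clear an auth and deserves a sentence in the documentation or an explicit check. When none of the six options is given the function now returns true without touching the TPM; unless option validation elsewhere rejects that case, an empty invocation reports success for a no-op.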
@@ -169,6 +194,7 @@
 LOG_ERR("Invalid current lockout password, got\"%s\"", optarg);
 return false;
 }
+ ctx.flags.L = 1;
 break;
 /*no default */
 }
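Review bot: The error path kept as context directly above the new `ctx.flags.L = 1;` (and above each of the five sibling flag assignments in the previous hunks) echoes the rejected authorization value into the error log via `got\"%s\"`, so a mistyped lockout or owner auth ends up in stderr, shell transcripts and CI logs; reporting only that the value was malformed, `LOG_ERR("Invalid current lockout password");`, avoids that without losing anything the user cannot see on their own command line. The same lines also print the getopt global `optarg` although on_option() received the string as `value`; the two are presumably identical here, but using `value` removes the dependency on getopt state. on_option() starts outside this hunk.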
