Skip to content

Commit 5d3fa95

Browse files
baloobaloo
committed
ek: fixup auth policies
For a reason I'm not clear about, the templates used for the EK were incorrect for anything but NistP256 and Rsa2048. I'm fairly convinced the authPolicy should always be the values of PolicyA (Table 15 in the [spec]). [spec]: https://trustedcomputinggroup.org/wp-content/uploads/EK-Credential-Profile-For-TPM-Family-2.0-Level-0-V2.5-R1.0_28March2022.pdf#page=55
1 parent 8f906d6 commit 5d3fa95

File tree

1 file changed

+26
-4
lines changed
  • tss-esapi/src/abstraction

1 file changed

+26
-4
lines changed

tss-esapi/src/abstraction/ek.rs

Lines changed: 26 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,27 @@ const AUTHPOLICY_A_SHA256: [u8; 32] = [
3838
0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xb3, 0xf8, 0x1a, 0x90, 0xcc, 0x8d, 0x46, 0xa5, 0xd7, 0x24,
3939
0xfd, 0x52, 0xd7, 0x6e, 0x06, 0x52, 0x0b, 0x64, 0xf2, 0xa1, 0xda, 0x1b, 0x33, 0x14, 0x69, 0xaa,
4040
];
41+
const AUTHPOLICY_A_SHA384: [u8; 48] = [
42+
0x8b, 0xbf, 0x22, 0x66, 0x53, 0x7c, 0x17, 0x1c, 0xb5, 0x6e, 0x40, 0x3c, 0x4d, 0xc1, 0xd4, 0xb6,
43+
0x4f, 0x43, 0x26, 0x11, 0xdc, 0x38, 0x6e, 0x6f, 0x53, 0x20, 0x50, 0xc3, 0x27, 0x8c, 0x93, 0x0e,
44+
0x14, 0x3e, 0x8b, 0xb1, 0x13, 0x38, 0x24, 0xcc, 0xb4, 0x31, 0x05, 0x38, 0x71, 0xc6, 0xdb, 0x53,
45+
];
46+
const AUTHPOLICY_A_SHA512: [u8; 64] = [
47+
0x1e, 0x3b, 0x76, 0x50, 0x2c, 0x8a, 0x14, 0x25, 0xaa, 0x0b, 0x7b, 0x3f, 0xc6, 0x46, 0xa1, 0xb0,
48+
0xfa, 0xe0, 0x63, 0xb0, 0x3b, 0x53, 0x68, 0xf9, 0xc4, 0xcd, 0xde, 0xca, 0xff, 0x08, 0x91, 0xdd,
49+
0x68, 0x2b, 0xac, 0x1a, 0x85, 0xd4, 0xd8, 0x32, 0xb7, 0x81, 0xea, 0x45, 0x19, 0x15, 0xde, 0x5f,
50+
0xc5, 0xbf, 0x0d, 0xc4, 0xa1, 0x91, 0x7c, 0xd4, 0x2f, 0xa0, 0x41, 0xe3, 0xf9, 0x98, 0xe0, 0xee,
51+
];
52+
const AUTHPOLICY_A_SM3_256: [u8; 32] = [
53+
0xc6, 0x7f, 0x7d, 0x35, 0xf6, 0x6f, 0x3b, 0xec, 0x13, 0xc8, 0x9f, 0xe8, 0x98, 0x92, 0x1c, 0x65,
54+
0x1b, 0x0c, 0xb5, 0xa3, 0x8a, 0x92, 0x69, 0x0a, 0x62, 0xa4, 0x3c, 0x00, 0x12, 0xe4, 0xfb, 0x8b,
55+
];
56+
57+
/*
58+
const AUTHPOLICY_B_SHA256: [u8; 32] = [
59+
0xca, 0x3d, 0x0a, 0x99, 0xa2, 0xb9, 0x39, 0x06, 0xf7, 0xa3, 0x34, 0x24, 0x14, 0xef, 0xcf, 0xb3,
60+
0xa3, 0x85, 0xd4, 0x4c, 0xd1, 0xfd, 0x45, 0x90, 0x89, 0xd1, 0x9b, 0x50, 0x71, 0xc0, 0xb7, 0xa0,
61+
];
4162
const AUTHPOLICY_B_SHA384: [u8; 48] = [
4263
0xb2, 0x6e, 0x7d, 0x28, 0xd1, 0x1a, 0x50, 0xbc, 0x53, 0xd8, 0x82, 0xbc, 0xf5, 0xfd, 0x3a, 0x1a,
4364
0x07, 0x41, 0x48, 0xbb, 0x35, 0xd3, 0xb4, 0xe4, 0xcb, 0x1c, 0x0a, 0xd9, 0xbd, 0xe4, 0x19, 0xca,
@@ -53,6 +74,7 @@ const AUTHPOLICY_B_SM3_256: [u8; 32] = [
5374
0x16, 0x78, 0x60, 0xa3, 0x5f, 0x2c, 0x5c, 0x35, 0x67, 0xf9, 0xc9, 0x27, 0xac, 0x56, 0xc0, 0x32,
5475
0xf3, 0xb3, 0xa6, 0x46, 0x2f, 0x8d, 0x03, 0x79, 0x98, 0xe7, 0xa1, 0x0f, 0x77, 0xfa, 0x45, 0x4a,
5576
];
77+
*/
5678

5779
/// Get the [`Public`] representing a default Endorsement Key
5880
///
@@ -104,7 +126,7 @@ pub fn create_ek_public_from_default_template<IKC: IntoKeyCustomization>(
104126
),
105127
RsaKeyBits::Rsa3072 | RsaKeyBits::Rsa4096 => (
106128
HashingAlgorithm::Sha384,
107-
AUTHPOLICY_B_SHA384.into(),
129+
AUTHPOLICY_A_SHA384.into(),
108130
SymmetricDefinitionObject::AES_256_CFB,
109131
PublicKeyRsa::new_empty(),
110132
),
@@ -140,19 +162,19 @@ pub fn create_ek_public_from_default_template<IKC: IntoKeyCustomization>(
140162
),
141163
EccCurve::NistP384 => (
142164
HashingAlgorithm::Sha384,
143-
AUTHPOLICY_B_SHA384.into(),
165+
AUTHPOLICY_A_SHA384.into(),
144166
SymmetricDefinitionObject::AES_256_CFB,
145167
0,
146168
),
147169
EccCurve::NistP521 => (
148170
HashingAlgorithm::Sha512,
149-
AUTHPOLICY_B_SHA512.into(),
171+
AUTHPOLICY_A_SHA512.into(),
150172
SymmetricDefinitionObject::AES_256_CFB,
151173
0,
152174
),
153175
EccCurve::Sm2P256 => (
154176
HashingAlgorithm::Sm3_256,
155-
AUTHPOLICY_B_SM3_256.into(),
177+
AUTHPOLICY_A_SM3_256.into(),
156178
SymmetricDefinitionObject::SM4_128_CFB,
157179
0,
158180
),

0 commit comments

Comments
 (0)