From 67e04b1da64d161bc8e7022c7ecb3cecb275ef66 Mon Sep 17 00:00:00 2001 From: Anton Antonov Date: Fri, 25 Mar 2022 13:35:14 +0000 Subject: [PATCH 1/3] Add generate randmon support into TPM provider Signed-off-by: Anton Antonov --- Cargo.lock | 6 ++---- Cargo.toml | 2 +- src/providers/tpm/generate_random.rs | 30 ++++++++++++++++++++++++++++ src/providers/tpm/mod.rs | 14 +++++++++++-- 4 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 src/providers/tpm/generate_random.rs diff --git a/Cargo.lock b/Cargo.lock index 18ff7f2e..dc6f2236 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1850,8 +1850,7 @@ dependencies = [ [[package]] name = "tss-esapi" version = "7.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f8548e2625314e8dc33696add27bff5dc3e6582fc94cedd1bc049efb315fd38" +source = "git+https://github.com/parallaxsecond/rust-tss-esapi.git?rev=b62029d36bac27761e166ab8e063573ef8005adf#b62029d36bac27761e166ab8e063573ef8005adf" dependencies = [ "bitfield", "enumflags2", @@ -1869,8 +1868,7 @@ dependencies = [ [[package]] name = "tss-esapi-sys" version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e2f37914ec4d494d145cfa18bb8429498b238d63c47a08b89d09c1ec2545ff0" +source = "git+https://github.com/parallaxsecond/rust-tss-esapi.git?rev=b62029d36bac27761e166ab8e063573ef8005adf#b62029d36bac27761e166ab8e063573ef8005adf" dependencies = [ "pkg-config", "target-lexicon", diff --git a/Cargo.toml b/Cargo.toml index 63f7e47c..eeb5677c 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -29,7 +29,7 @@ log = { version = "0.4.14", features = ["serde"] } cryptoki = { version = "0.2.1", optional = true, features = ["psa-crypto-conversions"] } picky-asn1-der = { version = "0.2.4", optional = true } picky-asn1 = { version = "0.3.0", optional = true } -tss-esapi = { version = "7.0.0", optional = true } +tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi.git", rev = "b62029d36bac27761e166ab8e063573ef8005adf", optional = true } bincode = "1.3.1" structopt = "0.3.21" derivative = "2.2.0" diff --git a/src/providers/tpm/generate_random.rs b/src/providers/tpm/generate_random.rs new file mode 100644 index 00000000..03e6e672 --- /dev/null +++ b/src/providers/tpm/generate_random.rs @@ -0,0 +1,30 @@ +// Copyright 2021 Contributors to the Parsec project. +// SPDX-License-Identifier: Apache-2.0 +use super::Provider; +use parsec_interface::operations::psa_generate_random; +use parsec_interface::requests::Result; + +impl Provider { + pub(super) fn psa_generate_random_internal( + &self, + op: psa_generate_random::Operation, + ) -> Result { + let size = op.size; + + let mut esapi_context = self + .esapi_context + .lock() + .expect("ESAPI Context lock poisoned"); + + let random_bytes = esapi_context + .as_mut() + .execute_without_session(|esapi_context| esapi_context.get_random(size)) + .expect("Failed to get random bytes") + .value() + .to_vec(); + + Ok(psa_generate_random::Result { + random_bytes: random_bytes.into(), + }) + } +} diff --git a/src/providers/tpm/mod.rs b/src/providers/tpm/mod.rs index 5e339b97..3ca40ea0 100644 --- a/src/providers/tpm/mod.rs +++ b/src/providers/tpm/mod.rs 
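Review bot: The new `tss-esapi` line in this Cargo.toml hunk swaps a crates.io release for a git source without a comment saying why, or when it should go back to a released version. Pinning `rev` to a full commit hash keeps the build reproducible, but the Cargo.lock hunks in this patch drop the registry `checksum` entries for `tss-esapi` and `tss-esapi-sys`, so integrity now rests on the git commit id alone. A crate with a git-only dependency also cannot be published to crates.io, if that applies here. I would add a comment above the line such as `# TODO: return to a crates.io release of tss-esapi once one provides what the TPM provider's generate_random needs` (presumably `get_random`; confirm). The same hunk is repeated in PATCH 2/3.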
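Review bot: `.expect("Failed to get random bytes")` in `psa_generate_random_internal` turns any TPM error into a panic, on a path whose input is the client-supplied `op.size`. The panic fires while the `esapi_context` guard is held, so (assuming a std `Mutex`) the lock is poisoned and every later `.lock().expect("ESAPI Context lock poisoned")` in the provider would panic as well. The function already returns `Result`, so replace the `expect` with a `.map_err(...)` that logs the error and converts it to a `ResponseStatus`, followed by `?`, reusing the provider's existing TSS-error conversion in `utils` if it has one. It is also worth checking `random_bytes.len() == size` before building the response, since a TPM may return fewer bytes than requested for large sizes (verify against `get_random` at the pinned rev). The identical hunk in PATCH 2/3 has the same issue.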
@@ -14,7 +14,7 @@ use log::{info, trace}; use parsec_interface::operations::{ attest_key, can_do_crypto, prepare_key_attestation, psa_asymmetric_decrypt, psa_asymmetric_encrypt, psa_destroy_key, psa_export_public_key, psa_generate_key, - psa_import_key, psa_sign_hash, psa_verify_hash, + psa_generate_random, psa_import_key, psa_sign_hash, psa_verify_hash, }; use parsec_interface::operations::{list_clients, list_keys, list_providers::ProviderInfo}; use parsec_interface::requests::{Opcode, ProviderId, ResponseStatus, Result}; @@ -32,12 +32,14 @@ use zeroize::Zeroize; mod asym_encryption; mod asym_sign; mod capability_discovery; +mod generate_random; mod key_attestation; mod key_management; mod utils; -const SUPPORTED_OPCODES: [Opcode; 11] = [ +const SUPPORTED_OPCODES: [Opcode; 12] = [ Opcode::PsaGenerateKey, + Opcode::PsaGenerateRandom, Opcode::PsaDestroyKey, Opcode::PsaSignHash, Opcode::PsaVerifyHash, @@ -139,6 +141,14 @@ impl Provide for Provider { }) } + fn psa_generate_random( + &self, + op: psa_generate_random::Operation, + ) -> Result { + trace!("psa_generate_random ingress"); + self.psa_generate_random_internal(op) + } + fn psa_generate_key( &self, application_identity: &ApplicationIdentity, From 80734676017ca5a217445df6cdcd9c9b7e296a45 Mon Sep 17 00:00:00 2001 From: Anton Antonov Date: Fri, 25 Mar 2022 13:35:14 +0000 Subject: [PATCH 2/3] Add generate randmon support into TPM provider Signed-off-by: Anton Antonov --- Cargo.lock | 6 ++---- Cargo.toml | 2 +- src/providers/tpm/generate_random.rs | 30 ++++++++++++++++++++++++++++ src/providers/tpm/mod.rs | 14 +++++++++++-- 4 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 src/providers/tpm/generate_random.rs diff --git a/Cargo.lock b/Cargo.lock index 18ff7f2e..dc6f2236 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1850,8 +1850,7 @@ dependencies = [ [[package]] name = "tss-esapi" version = "7.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f8548e2625314e8dc33696add27bff5dc3e6582fc94cedd1bc049efb315fd38" +source = "git+https://github.com/parallaxsecond/rust-tss-esapi.git?rev=b62029d36bac27761e166ab8e063573ef8005adf#b62029d36bac27761e166ab8e063573ef8005adf" dependencies = [ "bitfield", "enumflags2", @@ -1869,8 +1868,7 @@ dependencies = [ [[package]] name = "tss-esapi-sys" version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e2f37914ec4d494d145cfa18bb8429498b238d63c47a08b89d09c1ec2545ff0" +source = "git+https://github.com/parallaxsecond/rust-tss-esapi.git?rev=b62029d36bac27761e166ab8e063573ef8005adf#b62029d36bac27761e166ab8e063573ef8005adf" dependencies = [ "pkg-config", "target-lexicon", diff --git a/Cargo.toml b/Cargo.toml index 63f7e47c..eeb5677c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,7 +29,7 @@ log = { version = "0.4.14", features = ["serde"] } cryptoki = { version = "0.2.1", optional = true, features = ["psa-crypto-conversions"] } picky-asn1-der = { version = "0.2.4", optional = true } picky-asn1 = { version = "0.3.0", optional = true } -tss-esapi = { version = "7.0.0", optional = true } +tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi.git", rev = "b62029d36bac27761e166ab8e063573ef8005adf", optional = true } bincode = "1.3.1" structopt = "0.3.21" derivative = "2.2.0" diff --git a/src/providers/tpm/generate_random.rs b/src/providers/tpm/generate_random.rs new file mode 100644 index 00000000..ab1020c7 --- /dev/null +++ b/src/providers/tpm/generate_random.rs 
@@ -0,0 +1,30 @@ +// Copyright 2022 Contributors to the Parsec project. +// SPDX-License-Identifier: Apache-2.0 +use super::Provider; +use parsec_interface::operations::psa_generate_random; +use parsec_interface::requests::Result; + +impl Provider { + pub(super) fn psa_generate_random_internal( + &self, + op: psa_generate_random::Operation, + ) -> Result { + let size = op.size; + + let mut esapi_context = self + .esapi_context + .lock() + .expect("ESAPI Context lock poisoned"); + + let random_bytes = esapi_context + .as_mut() + .execute_without_session(|esapi_context| esapi_context.get_random(size)) + .expect("Failed to get random bytes") + .value() + .to_vec(); + + Ok(psa_generate_random::Result { + random_bytes: random_bytes.into(), + }) + } +} diff --git a/src/providers/tpm/mod.rs b/src/providers/tpm/mod.rs index 5e339b97..3ca40ea0 100644 --- a/src/providers/tpm/mod.rs +++ b/src/providers/tpm/mod.rs @@ -14,7 +14,7 @@ use log::{info, trace}; use parsec_interface::operations::{ attest_key, can_do_crypto, prepare_key_attestation, psa_asymmetric_decrypt, psa_asymmetric_encrypt, psa_destroy_key, psa_export_public_key, psa_generate_key, - psa_import_key, psa_sign_hash, psa_verify_hash, + psa_generate_random, psa_import_key, psa_sign_hash, psa_verify_hash, }; use parsec_interface::operations::{list_clients, list_keys, list_providers::ProviderInfo}; use parsec_interface::requests::{Opcode, ProviderId, ResponseStatus, Result}; @@ -32,12 +32,14 @@ use zeroize::Zeroize; mod asym_encryption; mod asym_sign; mod capability_discovery; +mod generate_random; mod key_attestation; mod key_management; mod utils; -const SUPPORTED_OPCODES: [Opcode; 11] = [ +const SUPPORTED_OPCODES: [Opcode; 12] = [ Opcode::PsaGenerateKey, + Opcode::PsaGenerateRandom, Opcode::PsaDestroyKey, Opcode::PsaSignHash, Opcode::PsaVerifyHash, 
@@ -139,6 +141,14 @@ impl Provide for Provider { }) } + fn psa_generate_random( + &self, + op: psa_generate_random::Operation, + ) -> Result { + trace!("psa_generate_random ingress"); + self.psa_generate_random_internal(op) + } + fn psa_generate_key( &self, application_identity: &ApplicationIdentity, From 7b2dc18c7e4c60f4294811c32e3419283d3dd323 Mon Sep 17 00:00:00 2001 From: Anton Antonov Date: Fri, 25 Mar 2022 15:45:03 +0000 Subject: [PATCH 3/3] Fix list_opcodes test Signed-off-by: Anton Antonov --- e2e_tests/tests/all_providers/normal.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/e2e_tests/tests/all_providers/normal.rs b/e2e_tests/tests/all_providers/normal.rs index e5ac5a70..d7fcf7de 100644 --- a/e2e_tests/tests/all_providers/normal.rs +++ b/e2e_tests/tests/all_providers/normal.rs @@ -111,6 +111,7 @@ fn list_opcodes() { let mut crypto_providers_tpm = HashSet::from_iter(common_opcodes.clone()); let _ = crypto_providers_tpm.insert(Opcode::CanDoCrypto); let _ = crypto_providers_tpm.insert(Opcode::AttestKey); + let _ = crypto_providers_tpm.insert(Opcode::PsaGenerateRandom); let _ = crypto_providers_tpm.insert(Opcode::PrepareKeyAttestation); let mut crypto_providers_hsm = HashSet::from_iter(common_opcodes);