write protect key

thistletech · Feb 25, 2025 · 7d9ebf7 · 7d9ebf7
1 parent 3e276e4
commit 7d9ebf7
Show file tree

Hide file tree

Showing 3 changed files with 117 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -20,6 +20,6 @@ build-all::
 	echo '```' > builds/buildout
 	echo $(TM_TOOL) >> builds/buildout
 	rustc --version >> builds/buildout
-	sha256sum builds/* >> builds/buildout
+	sha256sum builds/tmtool* >> builds/buildout
 	echo '```' >> builds/buildout
 	cat builds/buildout
diff --git a/src/args.rs b/src/args.rs
@@ -11,9 +11,14 @@ use clap::{Parser, Subcommand};
     version = option_env!("TM_TOOL").unwrap_or("unknown"),
     long_about = None,
     about = "
-TrustM Userland tooling
+TrustM Userland tooling.
+Designed to help integration with Thistle Verified Boot: https://docs.thistle.tech/tvb
+
 This tool can read and write keys to the Infineon TrustM chip.
-Requires a direct i2c connection to the chip.",
+Requires a direct i2c connection to the chip.
+
+Currently limited to reading 64B keys at slots 0xe0e8 and 0xe0e9.
+The key writing operation expects a PEM formatted key file.",
     verbatim_doc_comment,
 )]
 pub struct Args {

diff --git a/src/cmds.rs b/src/cmds.rs
@@ -88,7 +88,8 @@ pub fn read(device: String, slot: u16) -> Result<()> {
     tm.read_bytes(&mut pk)?;
 
     let pk = &pk[9..73];
-    println!("~~ key {:x?}", pk);
+    println!("~~ key at slot {:#04x}", slot);
+    println!("{:x?}", pk);
 
     Ok(())
 }
@@ -222,7 +223,7 @@ pub fn write(device: String, slot: u16, keypath: PathBuf) -> Result<()> {
     let data = [0x80, 0x81, 0x00, 0x00, 0x56, 0x30];
     tm.write_bytes(&data)?;
 
-    println!("~~ wrote key");
+    println!("~~ key successfuly written to slot {:#04x}", slot);
 
     Ok(())
 }
@@ -232,17 +233,120 @@ pub fn lock(device: String, slot: u16, force: bool) -> Result<()> {
 
     if !force {
         // prompt user to make sure they're sure
-        println!("Are you sure you want to lock the key? This can only be done once per slot.");
+        println!("Are you sure you want to lock the key? This can only be done once per slot. Type 'yes' to proceed.");
         let mut input = String::new();
         std::io::stdin().read_line(&mut input)?;
         if input.trim() != "yes" {
             return Err(anyhow!("user aborted"));
         }
     }
 
-    tm.write_byte(slot as u8)?;
+    // tested on 0xe0e9
 
-    // TODO
+    tm.write_byte(0x82)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    let data = [0x88, 0x00, 0x00];
+    tm.write_bytes(&data)?;
+
+    tm.write_byte(0x84)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    let data = [0x81, 0x01, 0x15];
+    tm.write_bytes(&data)?;
+
+    tm.write_byte(0x81)?;
+
+    let mut data = [0; 2];
+    tm.read_bytes(&mut data)?;
+
+    let data = [0x80, 0x03, 0x00, 0x16, 0x08, 0x20, 0xf0, 0x00, 0x00, 0x10, 0xd2, 0x76, 0x00, 0x00, 0x04, 0x47, 0x65, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x41, 0x70, 0x70, 0x6c, 0xbe, 0x40];
+    tm.write_bytes(&data)?;
+
+    tm.write_byte(0x82)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    let mut data = [0; 5];
+    tm.read_bytes(&mut data)?;
+
+    tm.write_byte(0x82)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    tm.write_byte(0x80)?;
+
+    let mut data = [0; 11];
+    tm.read_bytes(&mut data)?;
+
+    let data = [0x80, 0x80, 0x00, 0x00, 0x0c, 0xec];
+    tm.write_bytes(&data)?;
+
+    let mut data = [0x80, 0x04, 0x00, 0x0f, 0x08, 0x20, 0x82, 0x01, 0x00, 0x09, 0xe0, 0xe9, 0x00, 0x00, 0x20, 0x03, 0xd0, 0x01, 0xff, 0x5d, 0xd8];
+    if slot == TM_SLOT1 {
+        data[10] = 0xe0;
+        data[11] = 0xe8;
+        data[19] = 0xdc;
+        data[20] = 0x67;
+    } else if slot == TM_SLOT2 {
+        data[10] = 0xe0;
+        data[11] = 0xe9;
+        data[19] = 0x5d;
+        data[20] = 0xd8;
+    }
+
+    tm.write_bytes(&data)?;
+
+    tm.write_byte(0x82)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    tm.write_byte(0x80)?;
+
+    let mut data = [0; 5];
+    tm.read_bytes(&mut data)?;
+
+    tm.write_byte(0x82)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    tm.write_byte(0x82)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    tm.write_byte(0x82)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    tm.write_byte(0x82)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    tm.write_byte(0x82)?;
+
+    let mut data = [0; 4];
+    tm.read_bytes(&mut data)?;
+
+    tm.write_byte(0x80)?;
+
+    let mut data = [0; 11];
+    tm.read_bytes(&mut data)?;
+
+    let data = [0x80, 0x81, 0x00, 0x00, 0x56, 0x30];
+    tm.write_bytes(&data)?;
+
+    println!("~~ key at slot {:#04x} is now write-protected", slot);
 
     Ok(())
 }