
fix impl to prioritize low range certificate
Signed-off-by: loic.sikidi <loic.sikidi@gmail.com>
loicsikidi authored and JuergenReppSIT committed Dec 14, 2024
1 parent 1852ace commit 9ec5a5d
Showing 2 changed files with 13 additions and 2 deletions.
8 changes: 8 additions & 0 deletions test/integration/tests/getekcertificate.sh
Expand Up @@ -172,4 +172,12 @@ diff nv_ecc_ek_cert.der ecc_ek_cert.der

rm nv_rsa_ek_cert.der rsa_ek_cert.der nv_ecc_ek_cert.der ecc_ek_cert.der priv_key.pem -f

## Make sure that if there are several certificates of the same type, then the one belonging to low range has priority
openssl x509 -in ecc_ek_cert.bin -out ecc_low_range_ek_cert.der -outform DER
define_ek_cert_nv_index ecc_low_range_ek_cert.der $ECC_EK_CERT_NV_INDEX

tpm2 getekcertificate -o nv_ecc_ek_cert.der

diff nv_ecc_ek_cert.der ecc_low_range_ek_cert.der

exit 0
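Review bot: The new check only proves the priority rule if a second ECC EK certificate is still defined at a higher-range index when `tpm2 getekcertificate -o nv_ecc_ek_cert.der` runs, and nothing in this hunk defines one, so the assertion appears to rely on state left by earlier steps outside the hunk. Defining the competing high-range certificate explicitly in this block would make the test self-contained and keep it from passing trivially if the earlier steps change. The block also leaves `ecc_low_range_ek_cert.der` and `nv_ecc_ek_cert.der` behind, unlike the preceding block which removes its artifacts before continuing. If the script does not run under `set -e`, the comparison result also needs to be checked explicitly, e.g. `diff nv_ecc_ek_cert.der ecc_low_range_ek_cert.der || exit 1`.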
7 changes: 5 additions & 2 deletions tools/tpm2_getekcertificate.c
Expand Up @@ -665,6 +665,9 @@ tool_rc get_tpm_properties(ESYS_CONTEXT *ectx) {
goto get_tpm_properties_out;
}

ctx.rsa_ek_cert_nv_location = 0xffffffff;
ctx.ecc_ek_cert_nv_location = 0xffffffff;

UINT32 i;
for (i = 0; i < capability_data->data.handles.count; i++) {
TPMI_RH_NV_INDEX index = capability_data->data.handles.handle[i];
Expand All @@ -673,12 +676,12 @@ tool_rc get_tpm_properties(ESYS_CONTEXT *ectx) {
continue;
}

if (m->key_type == KTYPE_RSA) {
if (m->key_type == KTYPE_RSA && index < ctx.rsa_ek_cert_nv_location) {
LOG_INFO("Found pre-provisioned RSA EK certificate at %u [type=%s]", index, m->name);
ctx.is_rsa_ek_cert_nv_location_defined = true;
ctx.rsa_ek_cert_nv_location = m->index;
}
if (m->key_type == KTYPE_ECC) {
if (m->key_type == KTYPE_ECC && index < ctx.ecc_ek_cert_nv_location) {
LOG_INFO("Found pre-provisioned ECC EK certificate at %u [type=%s]", index, m->name);
ctx.is_ecc_ek_cert_nv_location_defined = true;
ctx.ecc_ek_cert_nv_location = m->index;
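Review bot: The new guard in the RSA branch compares `index` against `ctx.rsa_ek_cert_nv_location`, but the next line still stores `m->index`, so the value kept is not the one that was compared; the ECC branch has the same mismatch. Unless `m` is guaranteed to be the entry for `index` (its lookup is above the hunk), use one value on both sides, e.g. `ctx.rsa_ek_cert_nv_location = index;`, or compare `m->index < ctx.rsa_ek_cert_nv_location`. The `0xffffffff` initialisation in the first hunk is what lets the first candidate win the `<` comparison and deserves a comment there, such as `/* start above any valid NV index so the lowest matching index wins below */`, since this picks the numerically lowest index and the low-range-first behaviour follows from the low-range indices being numerically below the high-range ones. The per-candidate `LOG_INFO` now also fires for candidates that a later, lower index replaces, so logging the finally selected location once after the loop would be less misleading. get_tpm_properties begins and ends outside the hunk.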
