Improve TPM provider

This commit includes a couple of fixes in the TPM provider.
* the TSS crate used has been updated to the latest one, including a few
functionality updates; this now allows the session hash algorithm and
the cipher used for sessions and primary key
* more control over the format of the authentication value is now
offered to admins; more precisely, they can provide string versions of
hex values, prefixed by "hex:"

Signed-off-by: Ionut Mihalcea <ionut.mihalcea@arm.com>

Author: ionut-arm

Cargo.lock

@@ -33,11 +33,12 @@ log = { version = "0.4.8", features = ["serde"] }
 pkcs11 = { version = "0.4.0", optional = true }
 picky-asn1-der = { version = "0.2.2", optional = true }
 picky-asn1 = { version = "0.2.1", optional = true }
-tss-esapi = { version = "2.0.0", optional = true }
+tss-esapi = { version = "4.0.0-alpha.1", optional = true }
 bincode = "1.1.4"
 structopt = "0.3.5"
 derivative = "2.1.1"
 version = "3.0.0"
+hex = "0.4.2"
 
 [dev-dependencies]
 ring = "0.16.12"

Cargo.toml

@@ -116,6 +116,7 @@ This project uses the following third party crates:
 * lazy_static (MIT and Apache-2.0)
 * version (MIT and Apache-2.0)
 * sha2 (MIT and Apache-2.0)
+* hex (MIT and Apache-2.0)
 
 This project uses the following third party libraries:
 * [**Mbed Crypto**](https://github.com/ARMmbed/mbed-crypto) (Apache-2.0)

README.md

@@ -74,5 +74,8 @@ key_info_manager = "on-disk-manager"
 # - "tabrmd": uses the TPM2 Access Broker & Resource Management Daemon
 #tcti = "mssim"
 # (Required) Authentication value for performing operations on the TPM Owner Hierarchy. The string can
-# be empty, however we strongly suggest that you use a secure password.
+# be empty, however we strongly suggest that you use a secure passcode.
+# To align with TPM tooling, PARSEC allows "owner_hierarchy_auth" to have a prefix indicating a string value,
+# e.g. "str:password", or to represent a string version of a hex value, e.g. "hex:1a2b3c". If no prefix is
+# provided, the value is considered to be a string.
 #owner_hierarchy_auth = "password"

config.toml

@@ -16,7 +16,7 @@ RUN cd mbed-crypto-mbedcrypto-2.0.0 \
 
 WORKDIR /tmp
 # Download and install TSS 2.0
-RUN git clone https://github.com/tpm2-software/tpm2-tss.git --branch 2.3.1
+RUN git clone https://github.com/tpm2-software/tpm2-tss.git --branch 2.3.3
 RUN cd tpm2-tss \
 	&& ./bootstrap \
 	&& ./configure \

e2e_tests/provider_cfg/all/Dockerfile

@@ -3,7 +3,7 @@ FROM tpm2software/tpm2-tss:ubuntu-18.04
 ENV PKG_CONFIG_PATH /usr/local/lib/pkgconfig
 
 # Download and install TSS 2.0
-RUN git clone https://github.com/tpm2-software/tpm2-tss.git --branch 2.3.1
+RUN git clone https://github.com/tpm2-software/tpm2-tss.git --branch 2.3.3
 RUN cd tpm2-tss \
 	&& ./bootstrap \
 	&& ./configure \

e2e_tests/provider_cfg/tpm/Dockerfile

@@ -16,4 +16,4 @@ manager_type = "OnDisk"
 provider_type = "Tpm"
 key_info_manager = "on-disk-manager"
 tcti = "mssim"
-owner_hierarchy_auth = "tpm_pass"
+owner_hierarchy_auth = "hex:74706d5f70617373" # "tpm_pass" in hex

e2e_tests/provider_cfg/tpm/config.toml

@@ -34,8 +34,10 @@ const SUPPORTED_OPCODES: [Opcode; 7] = [
     Opcode::ListOpcodes,
 ];
 
-const ROOT_KEY_SIZE: usize = 2048;
+const ROOT_KEY_SIZE: u16 = 2048;
 const ROOT_KEY_AUTH_SIZE: usize = 32;
+const AUTH_STRING_PREFIX: &str = "str:";
+const AUTH_HEX_PREFIX: &str = "hex:";
 
 /// Provider for Trusted Platform Modules
 ///
@@ -49,7 +51,7 @@ pub struct TpmProvider {
     // The Mutex is needed both because interior mutability is needed to the ESAPI Context
     // structure that is shared between threads and because two threads are not allowed the same
     // ESAPI context simultaneously.
-    esapi_context: Mutex<tss_esapi::TransientObjectContext>,
+    esapi_context: Mutex<tss_esapi::TransientKeyContext>,
     // The Key Info Manager stores the key context and its associated authValue (a PasswordContext
     // structure).
     #[derivative(Debug = "ignore")]
@@ -60,7 +62,7 @@ impl TpmProvider {
     // Creates and initialise a new instance of TpmProvider.
     fn new(
         key_info_store: Arc<RwLock<dyn ManageKeyInfo + Send + Sync>>,
-        esapi_context: tss_esapi::TransientObjectContext,
+        esapi_context: tss_esapi::TransientKeyContext,
     ) -> Option<TpmProvider> {
         Some(TpmProvider {
             esapi_context: Mutex::new(esapi_context),
@@ -192,35 +194,64 @@ impl TpmProviderBuilder {
         self
     }
 
+    fn get_hierarchy_auth(&mut self) -> std::io::Result<Vec<u8>> {
+        match self.owner_hierarchy_auth.take() {
+            None => Err(std::io::Error::new(
+                ErrorKind::InvalidData,
+                "missing owner hierarchy auth",
+            )),
+            Some(mut auth) if auth.starts_with(AUTH_STRING_PREFIX) => {
+                Ok(auth.split_off(AUTH_STRING_PREFIX.len()).into())
+            }
+            Some(mut auth) if auth.starts_with(AUTH_HEX_PREFIX) => Ok(hex::decode(
+                auth.split_off(AUTH_STRING_PREFIX.len()),
+            )
+            .or_else(|_| {
+                Err(std::io::Error::new(
+                    ErrorKind::InvalidData,
+                    "invalid hex owner hierarchy auth",
+                ))
+            })?),
+            Some(auth) => Ok(auth.into()),
+        }
+    }
+
     /// Create an instance of TpmProvider
     ///
     /// # Safety
     ///
     /// Undefined behaviour might appear if two instances of TransientObjectContext are created
     /// using a same TCTI that does not handle multiple applications concurrently.
-    pub unsafe fn build(self) -> std::io::Result<TpmProvider> {
+    pub unsafe fn build(mut self) -> std::io::Result<TpmProvider> {
+        let hierarchy_auth = self.get_hierarchy_auth()?;
         TpmProvider::new(
             self.key_info_store.ok_or_else(|| {
                 std::io::Error::new(ErrorKind::InvalidData, "missing key info store")
             })?,
-            tss_esapi::TransientObjectContext::new(
-                self.tcti
-                    .ok_or_else(|| std::io::Error::new(ErrorKind::InvalidData, "missing TCTI"))?,
-                ROOT_KEY_SIZE,
-                ROOT_KEY_AUTH_SIZE,
-                self.owner_hierarchy_auth
-                    .ok_or_else(|| {
-                        std::io::Error::new(ErrorKind::InvalidData, "missing owner hierarchy auth")
-                    })?
-                    .as_bytes(),
-            )
-            .or_else(|e| {
-                error!("Error creating TSS Transient Object Context ({}).", e);
-                Err(std::io::Error::new(
-                    ErrorKind::InvalidData,
-                    "failed initializing TSS context",
-                ))
-            })?,
+            tss_esapi::abstraction::transient::TransientKeyContextBuilder::new()
+                .with_tcti(
+                    self.tcti.ok_or_else(|| {
+                        std::io::Error::new(ErrorKind::InvalidData, "missing TCTI")
+                    })?,
+                )
+                .with_root_key_size(ROOT_KEY_SIZE)
+                .with_root_key_auth_size(ROOT_KEY_AUTH_SIZE)
+                .with_hierarchy_auth(hierarchy_auth)
+                .with_hierarchy(tss_esapi::utils::Hierarchy::Owner)
+                .with_session_hash_alg(
+                    tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256.into(),
+                )
+                .with_default_context_cipher(
+                    tss_esapi::utils::algorithm_specifiers::Cipher::aes_256_cfb(),
+                )
+                .build()
+                .or_else(|e| {
+                    error!("Error creating TSS Transient Object Context ({}).", e);
+                    Err(std::io::Error::new(
+                        ErrorKind::InvalidData,
+                        "failed initializing TSS context",
+                    ))
+                })?,
         )
         .ok_or_else(|| {
             std::io::Error::new(ErrorKind::InvalidData, "failed initializing TPM provider")