[2/8] libcommon: add ability to create a signing primary key

Commit Message

James Bottomley Aug. 2, 2024, 8:26 p.m. UTC

Having a primary key that can sign things is useful for conducting
certification and quoting operations without having to go through the
makecredential/activatecredential dance, which is unnecessary for a
local TPM where you don't need privacy separated attestation keys.
Add the ability to use the signing key template to tpm2_load_srk().

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 src/include/tpm2-common.h   |  1 +
 src/libcommon/tpm2-common.c | 23 ++++++++++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)

Patch

diff --git a/src/include/tpm2-common.h b/src/include/tpm2-common.h
index 4520f76..97b60f2 100644
--- a/src/include/tpm2-common.h
+++ b/src/include/tpm2-common.h
@@ -23,6 +23,7 @@  enum tpm2_type {
 	TPM2_LOADABLE = 1,
 	TPM2_IMPORTABLE = 2,
 	TPM2_SEALED = 3,
+	TPM2_SIGNING = 4,
 };
 
 struct policies {
diff --git a/src/libcommon/tpm2-common.c b/src/libcommon/tpm2-common.c
index 3b9f785..b70ac27 100644
--- a/src/libcommon/tpm2-common.c
+++ b/src/libcommon/tpm2-common.c
@@ -743,17 +743,30 @@  TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h, const char *auth,
 		TPMA_OBJECT_NODA |
 		TPMA_OBJECT_SENSITIVEDATAORIGIN |
 		TPMA_OBJECT_USERWITHAUTH |
-		TPMA_OBJECT_DECRYPT |
 		TPMA_OBJECT_RESTRICTED;
+	if (type == TPM2_SIGNING)
+		VAL(inPublic.publicArea.objectAttributes) |=
+			TPMA_OBJECT_SIGN;
+	else
+		VAL(inPublic.publicArea.objectAttributes) |=
+			TPMA_OBJECT_DECRYPT;
 	if (type != TPM2_LEGACY)
 		VAL(inPublic.publicArea.objectAttributes) |=
 			TPMA_OBJECT_FIXEDPARENT |
 			TPMA_OBJECT_FIXEDTPM;
 
-	inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
-	inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
-	inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
-	inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+	if (type != TPM2_SIGNING) {
+		inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
+		inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+		inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+		inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+	} else {
+		inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_NULL;
+		inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 0;
+		inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_NULL;
+		inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_ECDSA;
+		inPublic.publicArea.parameters.eccDetail.scheme.details.ecdsa.hashAlg = TPM_ALG_SHA256;
+	}
 	inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
 	inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;