From c942437f0416569d47da416bb8a791092cc6df0e Mon Sep 17 00:00:00 2001 From: brandhsn Date: Sun, 18 Dec 2016 20:41:34 +0100 Subject: [PATCH 01/17] fixes for python2->python3 --- pytss/__init__.py | 7 ++++--- pytss/attestationutils.py | 8 ++++---- pytss/interface.py | 2 +- pytss/tspi_defines.py | 3 ++- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/pytss/__init__.py b/pytss/__init__.py index eb75f22..ae911f2 100644 --- a/pytss/__init__.py +++ b/pytss/__init__.py @@ -1,5 +1,6 @@ -from interface import tss_lib, ffi -import tspi_exceptions + +from pytss.interface import tss_lib, ffi +import pytss.tspi_exceptions import hashlib @@ -592,7 +593,7 @@ def _c_byte_array(data): the contents of data """ cdata = ffi.new('BYTE []', len(data)) - if isinstance(data, basestring): + if isinstance(data, str): data = bytearray(data) for i in range(len(data)): cdata[i] = data[i] diff --git a/pytss/attestationutils.py b/pytss/attestationutils.py index 868deba..63805b6 100644 --- a/pytss/attestationutils.py +++ b/pytss/attestationutils.py @@ -437,12 +437,12 @@ def get_ekcert(context): # Verify that the certificate is well formed tag = blob[0] << 8 | blob[1] if tag != 0x1001: - print "Invalid tag %x %x\n" % (blob[0], blob[1]) + print("Invalid tag %x %x\n" % (blob[0], blob[1])) return None certtype = blob[2] if certtype != 0: - print "Not a full certificate\n" + print("Not a full certificate\n") return None ekbuflen = blob[3] << 8 | blob[4] @@ -450,7 +450,7 @@ def get_ekcert(context): blob = nv.read_value(offset, 2) if len(blob) < 2: - print "Invalid length" + print("Invalid length") return None tag = blob[0] << 8 | blob[1] @@ -458,7 +458,7 @@ def get_ekcert(context): offset += 2 ekbuflen -= 2 elif blob[0] != 0x30: - print "Invalid header %x %x" % (blob[0], blob[1]) + print("Invalid header %x %x" % (blob[0], blob[1])) return None ekbuf = bytearray() diff --git a/pytss/interface.py b/pytss/interface.py index 02d5363..f0c99be 100644 --- a/pytss/interface.py +++ b/pytss/interface.py @@ -1,6 +1,6 @@ import functools import os -from tspi_exceptions import * +from pytss.tspi_exceptions import * from cffi import FFI, VerificationError INTERFACE_H = os.path.dirname(os.path.abspath(__file__)) + '/interface.h' diff --git a/pytss/tspi_defines.py b/pytss/tspi_defines.py index 6e87d23..ae86686 100644 --- a/pytss/tspi_defines.py +++ b/pytss/tspi_defines.py @@ -1,4 +1,5 @@ -from interface import tss_lib + +from pytss.interface import tss_lib TSS_NV_DEFINED = tss_lib.TSS_NV_DEFINED TPM_NV_INDEX_LOCK = tss_lib.TPM_NV_INDEX_LOCK From c3a267d32958466926398b156c3aae816c2ac807 Mon Sep 17 00:00:00 2001 From: brandhsn Date: Wed, 21 Dec 2016 02:37:20 +0100 Subject: [PATCH 02/17] example code --- testTSS.py | 149 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 testTSS.py diff --git a/testTSS.py b/testTSS.py new file mode 100644 index 0000000..0840bb4 --- /dev/null +++ b/testTSS.py @@ -0,0 +1,149 @@ +from pytss import tspi_defines +import pytss +from pytss import * +import pytss.tspi_exceptions as tspi_exceptions +import uuid +from pytss.tspi_defines import * +import binascii + +#from tspi_defines import * +#import interface +#from interface import tss_lib +#help(pytss) +srk_uuid = uuid.UUID('{00000000-0000-0000-0000-000000000001}') +srkSecret = bytearray([0] * 20) +def take_ownership(context): + """Take ownership of a TPM + :param context: The TSS context to use + :returns: True on ownership being taken, False if the TPM is already owned + """ + tpm = context.get_tpm_object() + tpmpolicy = tpm.get_policy_object(TSS_POLICY_USAGE) + tpmpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + + srk = context.create_rsa_key(TSS_KEY_TSP_SRK | TSS_KEY_AUTHORIZATION) + srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) + srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + + try: + tpm.take_ownership(srk) + except tspi_exceptions.TPM_E_DISABLED_CMD: + return False + + return True + +def exchangeMKWrap(oldKeyBinFile,dataList): + newData=exchangeMasterKey(oldKeyBinFile,dataList) + + with open('newKey.bin', 'rb') as f: + newkblob=bytearray(f.read()) + + #exchange data with newData atomically, possible? or some critical section flag which is read on a crash restart + currentData=newData + with open(oldKeyBinFile, 'wb') as f: + f.write(newkblob) + return currentData + +def exchangeMasterKey(oldKeyBinFile,dataList): + context=TspiContext() + context.connect() + + take_ownership(context) + srk = context.load_key_by_uuid(TSS_PS_TYPE_SYSTEM, srk_uuid) + + srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) + srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + + + flags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE + k=context.create_wrap_key(flags,srk.get_handle()) + k.load_key() + with open('newKey.bin', 'wb') as f: + f.write(k.get_keyblob()) + + with open(oldKeyBinFile, 'rb') as f: + oldkblob= bytearray(f.read()) + + oldk=context.load_key_by_blob(srk, oldkblob) + + newDataList=[] + for data in dataList: + #TODO: load keys at each bind/unbind? + #oldk=context.load_key_by_blob(srk, oldkblob) + + tmpClearData=oldk.unbind(data) + print("clearData:"+str(tmpClearData)) + #k.load_key() + newDataList.append(k.bind(tmpClearData)) + + #with open(oldKeyBinFile, 'wb') as f: + #f.write(k.get_keyblob()) + print("ko:"+binascii.hexlify(oldkblob)) + print("kn:"+binascii.hexlify(k.get_keyblob())) + return newDataList +print("hi") +context=TspiContext() +context.connect() + +take_ownership(context) +srk = context.load_key_by_uuid(TSS_PS_TYPE_SYSTEM, srk_uuid) + +srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) +srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + + +flags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE +#hand= ffi.new(ctype) +#tss_lib.Tspi_Context_CreateObject(context, tss_type, flags, hand) +k=context.create_wrap_key(flags,srk.get_handle()) + +print("handle:"+str(k.get_handle())) + + +#kk=context.load_key_by_blob(srk, k.get_keyblob()) +k.load_key() +dat=[0x61,0x62,0x63] +encdat = k.bind(dat) +#tss_lib.Tspi_Data_Bind() +print("encry:"+encdat) + +decdat =k.unbind(encdat) +print("decry:"+decdat) + +with open('somefile.bin', 'wb') as f: + f.write(k.get_keyblob()) + +newk = None +with open('somefile.bin', 'rb') as f: + newk= bytearray(f.read()) +#print("k:"+binascii.hexlify(k.get_keyblob())) +#print("k:"+binascii.hexlify(newk)) + +kk=context.load_key_by_blob(srk, newk) +encdat = kk.bind(dat) +#tss_lib.Tspi_Data_Bind() +print("encry:"+encdat) + +decdat =kk.unbind(encdat) +print("decrysds:"+decdat) + +dataL=[kk.bind([0x61]),kk.bind([0x62]),kk.bind([0x63])] +print("dataL"+str(dataL)) +dataL=exchangeMKWrap('somefile.bin',dataL) +print("dataL"+str(dataL)) +print("=============================================1") +dataL=exchangeMKWrap('somefile.bin',dataL) +print("dataL"+str(dataL)) +print("=============================================2") +dataL=exchangeMKWrap('somefile.bin',dataL) +print("dataL"+str(dataL)) +print("=============================================3") + + +#print cap +#pytss.interface.Tspi_TPM_GetStatus(blaa.get_tpm_object(),1,1) +#print str(blaa.get_tpm_object()) +#print dir(pytss.interface) +#print "blaa:"+str(pytss.interface.Tspi_TPM_GetStatus()) +## +#print dir(pytss) From 7890e2dd2111d18be2b126ea77179e4ec3a3382d Mon Sep 17 00:00:00 2001 From: brandhsn Date: Wed, 21 Dec 2016 02:37:54 +0100 Subject: [PATCH 03/17] bind extensions --- pytss/__init__.py | 64 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 63 insertions(+), 1 deletion(-) diff --git a/pytss/__init__.py b/pytss/__init__.py index ae911f2..3503e95 100644 --- a/pytss/__init__.py +++ b/pytss/__init__.py @@ -222,7 +222,6 @@ def sign(self, key): tss_lib.Tspi_Hash_Sign(self.get_handle(), key.get_handle(), csig_size, csig_data) return ffi.buffer(csig_data[0], csig_size[0]) - class TspiKey(TspiObject): def __init__(self, context, flags, handle=None): self.context = context @@ -237,6 +236,51 @@ def __del__(self): # operation except tspi_exceptions.TSS_E_INVALID_HANDLE: pass + def bind(self,data): + """ + Seal data to the local TPM using this key + + :param data: The data to seal + + :returns: a bytearray of the encrypted data + """ + encdata = TspiObject(self.context, 'TSS_HENCDATA *', + tss_lib.TSS_OBJECT_TYPE_ENCDATA, + tss_lib.TSS_ENCDATA_BIND) + + cdata = ffi.new('BYTE[]', len(data)) + for i in range(len(data)): + cdata[i] = data[i] + + tss_lib.Tspi_Data_Bind(encdata.get_handle(), self.get_handle(), + len(data), cdata) + blob = encdata.get_attribute_data(tss_lib.TSS_TSPATTRIB_ENCDATA_BLOB, + tss_lib.TSS_TSPATTRIB_ENCDATABLOB_BLOB) + return bytearray(blob) + + def unbind(self, data): + """ + Unbind data from the local TPM using this key + + :param data: The data to unbind + + :returns: a bytearray of the unencrypted data + """ + encdata = TspiObject(self.context, 'TSS_HENCDATA *', + tss_lib.TSS_OBJECT_TYPE_ENCDATA, + tss_lib.TSS_ENCDATA_BIND) + + encdata.set_attribute_data(tss_lib.TSS_TSPATTRIB_ENCDATA_BLOB, + tss_lib.TSS_TSPATTRIB_ENCDATABLOB_BLOB, data) + + bloblen = ffi.new('UINT32 *') + blob = ffi.new('BYTE **') + + tss_lib.Tspi_Data_Unbind(encdata.get_handle(), self.get_handle(), + bloblen, blob) + ret = bytearray(blob[0][0:bloblen[0]]) + tss_lib.Tspi_Context_FreeMemory(self.context, blob[0]) + return ret def set_modulus(self, n): """ @@ -337,6 +381,9 @@ def __init__(self, context): self.handle = tpm self.context = context + def load_key_by_handle(self, keyHandle, wrappingKeyHandle): + tss_lib.Tspi_Key_LoadKey(keyHandle, wrappingKeyHandle) + def collate_identity_request(self, srk, pubkey, aik): """ Generate everything required to authenticate the TPM to a third party @@ -475,6 +522,17 @@ def extend_pcr(self, pcr, data, event): tss_lib.Tspi_Context_FreeMemory(self.context, blob[0]) return ret +class TspiWrapKey(TspiKey): + def __init__(self, context, flags, wrappingKeyHandle): + self.context = context + self.parent=wrappingKeyHandle + super(TspiWrapKey, self).__init__(self.context, flags) + blaa = self.get_handle() + tss_lib.Tspi_Key_CreateKey(self.get_handle(),self.parent,0) + self.load_key() + + def load_key(self): + tss_lib.Tspi_Key_LoadKey(self.get_handle(), self.parent) class TspiContext(): def __init__(self): self.context = ffi.new('TSS_HCONTEXT *') @@ -537,6 +595,10 @@ def create_hash(self, flags): obj = TspiHash(self.context, flags) return obj + def create_wrap_key(self,flags,wrappingkeyHandle): + obj = TspiWrapKey(self.context,flags,wrappingkeyHandle) + return obj + def create_rsa_key(self, flags): """ Create a Tspi key object associated with this context From b117ac86aeb5a6aacc9d3395ae47b72263b3851e Mon Sep 17 00:00:00 2001 From: brandhsn Date: Wed, 11 Jan 2017 02:15:53 +0100 Subject: [PATCH 04/17] added un_registerKey and use case --- testTSS.py | 161 ++++++++++++++++++----------------------------------- 1 file changed, 53 insertions(+), 108 deletions(-) diff --git a/testTSS.py b/testTSS.py index 0840bb4..9ea419d 100644 --- a/testTSS.py +++ b/testTSS.py @@ -6,11 +6,20 @@ from pytss.tspi_defines import * import binascii +import os.path + + #from tspi_defines import * #import interface #from interface import tss_lib #help(pytss) srk_uuid = uuid.UUID('{00000000-0000-0000-0000-000000000001}') +old_uuid = uuid.UUID('{10000000-0000-0000-0000-000000000001}') +new_uuid = uuid.UUID('{20000000-0000-0000-0000-000000000001}') +masterKeyFilePath= "masterkey" + +keyFlags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE + srkSecret = bytearray([0] * 20) def take_ownership(context): """Take ownership of a TPM @@ -32,118 +41,54 @@ def take_ownership(context): return True -def exchangeMKWrap(oldKeyBinFile,dataList): - newData=exchangeMasterKey(oldKeyBinFile,dataList) - - with open('newKey.bin', 'rb') as f: - newkblob=bytearray(f.read()) - - #exchange data with newData atomically, possible? or some critical section flag which is read on a crash restart - currentData=newData - with open(oldKeyBinFile, 'wb') as f: - f.write(newkblob) - return currentData - -def exchangeMasterKey(oldKeyBinFile,dataList): - context=TspiContext() - context.connect() - - take_ownership(context) - srk = context.load_key_by_uuid(TSS_PS_TYPE_SYSTEM, srk_uuid) - +def getSrkKey(context): + srk= context.load_key_by_uuid(TSS_PS_TYPE_SYSTEM, srk_uuid) srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + return srk +def getMasterkeyNumberArray(): + #return "MASTERKEY" + return [77, 65, 83, 84, 69, 82, 75, 69, 89] +def clearKeys(): + try: + k1 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) + k1.unregisterKey() + k2 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,new_uuid) + k2.unregisterKey() + except: + pass - - flags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE - k=context.create_wrap_key(flags,srk.get_handle()) - k.load_key() - with open('newKey.bin', 'wb') as f: - f.write(k.get_keyblob()) - - with open(oldKeyBinFile, 'rb') as f: - oldkblob= bytearray(f.read()) - - oldk=context.load_key_by_blob(srk, oldkblob) - - newDataList=[] - for data in dataList: - #TODO: load keys at each bind/unbind? - #oldk=context.load_key_by_blob(srk, oldkblob) - - tmpClearData=oldk.unbind(data) - print("clearData:"+str(tmpClearData)) - #k.load_key() - newDataList.append(k.bind(tmpClearData)) - - #with open(oldKeyBinFile, 'wb') as f: - #f.write(k.get_keyblob()) - print("ko:"+binascii.hexlify(oldkblob)) - print("kn:"+binascii.hexlify(k.get_keyblob())) - return newDataList -print("hi") context=TspiContext() context.connect() take_ownership(context) -srk = context.load_key_by_uuid(TSS_PS_TYPE_SYSTEM, srk_uuid) - -srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) -srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) - - -flags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE -#hand= ffi.new(ctype) -#tss_lib.Tspi_Context_CreateObject(context, tss_type, flags, hand) -k=context.create_wrap_key(flags,srk.get_handle()) - -print("handle:"+str(k.get_handle())) - - -#kk=context.load_key_by_blob(srk, k.get_keyblob()) -k.load_key() -dat=[0x61,0x62,0x63] -encdat = k.bind(dat) -#tss_lib.Tspi_Data_Bind() -print("encry:"+encdat) - -decdat =k.unbind(encdat) -print("decry:"+decdat) - -with open('somefile.bin', 'wb') as f: - f.write(k.get_keyblob()) - -newk = None -with open('somefile.bin', 'rb') as f: - newk= bytearray(f.read()) -#print("k:"+binascii.hexlify(k.get_keyblob())) -#print("k:"+binascii.hexlify(newk)) - -kk=context.load_key_by_blob(srk, newk) -encdat = kk.bind(dat) -#tss_lib.Tspi_Data_Bind() -print("encry:"+encdat) - -decdat =kk.unbind(encdat) -print("decrysds:"+decdat) - -dataL=[kk.bind([0x61]),kk.bind([0x62]),kk.bind([0x63])] -print("dataL"+str(dataL)) -dataL=exchangeMKWrap('somefile.bin',dataL) -print("dataL"+str(dataL)) -print("=============================================1") -dataL=exchangeMKWrap('somefile.bin',dataL) -print("dataL"+str(dataL)) -print("=============================================2") -dataL=exchangeMKWrap('somefile.bin',dataL) -print("dataL"+str(dataL)) -print("=============================================3") - - -#print cap -#pytss.interface.Tspi_TPM_GetStatus(blaa.get_tpm_object(),1,1) -#print str(blaa.get_tpm_object()) -#print dir(pytss.interface) -#print "blaa:"+str(pytss.interface.Tspi_TPM_GetStatus()) -## -#print dir(pytss) +srk = getSrkKey(context) + +#clearKeys() + +MKencrypted=True +if not os.path.isfile(masterKeyFilePath): + MKencrypted=False + +if MKencrypted: + #exchange keys: assumption old_uuid key exists, new_uuid key does not exist. oldkey encrypted masterkeyFile + kOld=context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) + kNew=context.create_wrap_key(keyFlags,srk.get_handle()) + with open(masterKeyFilePath, 'rb+') as f: + encryptedData = bytearray(f.read()) + f.seek(0) + #print("data: "+kOld.unbind(encryptedData)) + kNew.registerKey(new_uuid,srk_uuid) + f.write(kNew.bind(kOld.unbind(encryptedData))) + f.truncate() + kOld.unregisterKey() + kNew.registerKey(old_uuid,srk_uuid) + kNew.unregisterKey(new_uuid) + #kNew.loadkey if you want to use it further +else: + #encrypt and save + k=context.create_wrap_key(keyFlags,srk.get_handle()) + k.load_key() + k.registerKey(old_uuid,srk_uuid) + with open(masterKeyFilePath, 'wb') as f: + f.write(k.bind(getMasterkeyNumberArray())) From 9cc470c5ce1d920d6d9f78e5ecbdb8c8217b29e9 Mon Sep 17 00:00:00 2001 From: brandhsn Date: Wed, 11 Jan 2017 02:16:10 +0100 Subject: [PATCH 05/17] added un_registerKey and use case --- pytss/__init__.py | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/pytss/__init__.py b/pytss/__init__.py index 3503e95..460e0ce 100644 --- a/pytss/__init__.py +++ b/pytss/__init__.py @@ -236,6 +236,27 @@ def __del__(self): # operation except tspi_exceptions.TSS_E_INVALID_HANDLE: pass + def registerKey(self,keyUUID,parentUUID): + '''TSS_RESULT Tspi_Context_RegisterKey(TSS_HCONTEXT hContext, TSS_HKEY hKey, + TSS_FLAG persistentStorageType, TSS_UUID uuidKey, + TSS_FLAG persistentStorageTypeParent, TSS_UUID uuidParentKey);''' + self.uuid=uuid_to_tss_uuid(keyUUID) + tss_lib.Tspi_Context_RegisterKey(self.context,self.get_handle(), + tss_lib.TSS_PS_TYPE_SYSTEM, self.uuid, + tss_lib.TSS_PS_TYPE_SYSTEM, uuid_to_tss_uuid(parentUUID)) + return + def unregisterKey(self,uuid=None): + '''TSS_RESULT Tspi_Context_UnregisterKey(TSS_HCONTEXT hContext, TSS_FLAG persistentStorageType, + TSS_UUID uuidKey, TSS_HKEY* phKey);''' + if uuid is None: + tss_lib.Tspi_Context_UnregisterKey(self.context, tss_lib.TSS_PS_TYPE_SYSTEM, + self.uuid, self.handle) + else: + tss_lib.Tspi_Context_UnregisterKey(self.context, tss_lib.TSS_PS_TYPE_SYSTEM, + uuid_to_tss_uuid(uuid), self.handle) + #tss_lib.Tspi_Context_UnRegisterKey + return + def bind(self,data): """ Seal data to the local TPM using this key @@ -533,6 +554,7 @@ def __init__(self, context, flags, wrappingKeyHandle): def load_key(self): tss_lib.Tspi_Key_LoadKey(self.get_handle(), self.parent) + class TspiContext(): def __init__(self): self.context = ffi.new('TSS_HCONTEXT *') @@ -622,6 +644,7 @@ def load_key_by_uuid(self, storagetype, uuid): tss_lib.Tspi_Context_LoadKeyByUUID(self.context, storagetype, tss_uuid, tss_key) key = TspiKey(self.context, None, handle=tss_key) + key.uuid=tss_uuid return key def load_key_by_blob(self, srk, blob): From 0d961477fa820f40c178fcdbaa1fb3a72266fbdf Mon Sep 17 00:00:00 2001 From: brandhsn Date: Tue, 31 Jan 2017 15:17:13 +0100 Subject: [PATCH 06/17] added interface for mcm SDOS --- testTSS.py | 44 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 38 insertions(+), 6 deletions(-) diff --git a/testTSS.py b/testTSS.py index 9ea419d..bd9584b 100644 --- a/testTSS.py +++ b/testTSS.py @@ -46,9 +46,11 @@ def getSrkKey(context): srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) return srk + def getMasterkeyNumberArray(): #return "MASTERKEY" return [77, 65, 83, 84, 69, 82, 75, 69, 89] + def clearKeys(): try: k1 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) @@ -58,18 +60,47 @@ def clearKeys(): except: pass -context=TspiContext() -context.connect() +def get_current_key(): + context=TspiContext() + context.connect() + take_ownership(context) + srk = getSrkKey(context) -take_ownership(context) -srk = getSrkKey(context) + return context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) -#clearKeys() +def get_new_key_and_replace_current(first_run=False): + context=TspiContext() + context.connect() + take_ownership(context) + srk = getSrkKey(context) + + if first_run==True: + k=context.create_wrap_key(keyFlags,srk.get_handle()) + k.load_key() + k.registerKey(old_uuid,srk_uuid) + return k + else: + kOld=context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) + kNew=context.create_wrap_key(keyFlags,srk.get_handle()) + kNew.registerKey(new_uuid,srk_uuid) + kOld.unregisterKey() + + kNew.registerKey(old_uuid,srk_uuid) + kNew.unregisterKey(new_uuid) + return kNew +def demo(): + print("hi!") +#clearKeys() +demo() +k=get_current_key() +k2=get_new_key_and_replace_current() +k3=get_new_key_and_replace_current() +''' MKencrypted=True if not os.path.isfile(masterKeyFilePath): MKencrypted=False - + if MKencrypted: #exchange keys: assumption old_uuid key exists, new_uuid key does not exist. oldkey encrypted masterkeyFile kOld=context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) @@ -92,3 +123,4 @@ def clearKeys(): k.registerKey(old_uuid,srk_uuid) with open(masterKeyFilePath, 'wb') as f: f.write(k.bind(getMasterkeyNumberArray())) +''' From fc88c993da69253d1fee2c30b3dea0c56798789f Mon Sep 17 00:00:00 2001 From: brandhsn Date: Thu, 2 Feb 2017 14:05:13 +0100 Subject: [PATCH 07/17] added idx selection to key creation/retrieval --- testTSS.py | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/testTSS.py b/testTSS.py index bd9584b..b434279 100644 --- a/testTSS.py +++ b/testTSS.py @@ -21,6 +21,9 @@ keyFlags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE srkSecret = bytearray([0] * 20) +def idxToUUID(idx): + return uuid.UUID('{'+str(idx).zfill(8)+'-0000-0000-0000-000000000001}') + def take_ownership(context): """Take ownership of a TPM :param context: The TSS context to use @@ -60,15 +63,14 @@ def clearKeys(): except: pass -def get_current_key(): +def get_current_key(idx): context=TspiContext() context.connect() take_ownership(context) srk = getSrkKey(context) + return context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) - return context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) - -def get_new_key_and_replace_current(first_run=False): +def get_new_key_and_replace_current(idx,first_run=False): context=TspiContext() context.connect() take_ownership(context) @@ -77,26 +79,26 @@ def get_new_key_and_replace_current(first_run=False): if first_run==True: k=context.create_wrap_key(keyFlags,srk.get_handle()) k.load_key() - k.registerKey(old_uuid,srk_uuid) + k.registerKey(idxToUUID(idx),srk_uuid) return k else: - kOld=context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) + kOld=context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) kNew=context.create_wrap_key(keyFlags,srk.get_handle()) - - kNew.registerKey(new_uuid,srk_uuid) kOld.unregisterKey() - - kNew.registerKey(old_uuid,srk_uuid) - kNew.unregisterKey(new_uuid) + kNew.registerKey(idxToUUID(idx),srk_uuid) return kNew + def demo(): print("hi!") + #clearKeys() demo() +''' k=get_current_key() k2=get_new_key_and_replace_current() k3=get_new_key_and_replace_current() ''' +''' MKencrypted=True if not os.path.isfile(masterKeyFilePath): MKencrypted=False From 130093382de544ff50a8d266d2821125b90fa7f9 Mon Sep 17 00:00:00 2001 From: brandhsn Date: Mon, 6 Feb 2017 19:50:04 +0100 Subject: [PATCH 08/17] added key info --- testTSS.py | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/testTSS.py b/testTSS.py index b434279..192e816 100644 --- a/testTSS.py +++ b/testTSS.py @@ -7,7 +7,7 @@ import binascii import os.path - +import struct #from tspi_defines import * #import interface @@ -88,9 +88,38 @@ def get_new_key_and_replace_current(idx,first_run=False): kNew.registerKey(idxToUUID(idx),srk_uuid) return kNew +''' +#define TSS_TPMCAP_PROP_MAXNVAVAILABLE (0x2d) +#define TSS_TPMCAP_PROP_INPUTBUFFERSIZE (0x2e) +''' +def get_registered_keys(): + context=TspiContext() + context.connect() + keys=context.list_keys() + #keys.remove(str(srk_uuid)) + indexes=[] + for k in keys: + #cut away leading 0 + indexes.append(str(int(k.split("-")[0]))) + #print(indexes) + return indexes +def is_key_registered_to_idx(idx): + return str(idx) in get_registered_keys() def demo(): print("hi!") + context=TspiContext() + context.connect() + tpm=context.get_tpm_object() + get_registered_keys() + keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + +#[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + print("slots: {}".format(keyslots)) + #print("blaa:"+struct.unpack(keyslots)) #clearKeys() demo() ''' From bd1cd513ffbcc326a52ce299e2e125d295514d0e Mon Sep 17 00:00:00 2001 From: brandhsn Date: Mon, 6 Feb 2017 19:50:13 +0100 Subject: [PATCH 09/17] added key info --- pytss/__init__.py | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/pytss/__init__.py b/pytss/__init__.py index 460e0ce..efc5878 100644 --- a/pytss/__init__.py +++ b/pytss/__init__.py @@ -2,7 +2,8 @@ from pytss.interface import tss_lib, ffi import pytss.tspi_exceptions import hashlib - +import struct +import uuid def uuid_to_tss_uuid(uuid): """Converts a Python UUID into a TSS UUID""" @@ -21,7 +22,13 @@ def uuid_to_tss_uuid(uuid): return tss_uuid - +def tss_uuid_to_uuid(tss_uuid): + """Converts a TSS UUID to a Python UUID""" + node = struct.unpack(">Q", ffi.buffer(tss_uuid.rgbNode, 6)[:].rjust(8, '\00'.encode("ascii")))[0] + return uuid.UUID( + fields=(tss_uuid.ulTimeLow, tss_uuid.usTimeMid, tss_uuid.usTimeHigh, + tss_uuid.bClockSeqHigh, tss_uuid.bClockSeqLow, node) + ) class TspiObject(object): def __init__(self, context, ctype, tss_type, flags, handle=None): """ @@ -437,10 +444,15 @@ def get_capability(self, cap, sub): """ resp = ffi.new('BYTE **') resplen = ffi.new('UINT32 *') - csub = ffi.new('BYTE []', len(sub)) + ''' csub = ffi.new('BYTE []', len(sub)) for i in range(len(sub)): csub[i] = sub[i] - tss_lib.Tspi_TPM_Getcapability(self.handle[0], cap, len(sub), csub, + ''' + csub = ffi.new('BYTE *') + for i in range(len(sub)): + csub[i] = sub[i] + #subCapLength might be different for other APIs, trousers fixes it to sizeof(uint32) + tss_lib.Tspi_TPM_GetCapability(self.handle[0], cap,4, csub, resplen, resp) ret = bytearray(resp[0][0:resplen[0]]) tss_lib.Tspi_Context_FreeMemory(self.context, resp[0]) @@ -668,7 +680,19 @@ def load_key_by_blob(self, srk, blob): def get_tpm_object(self): """Returns the TspiTPM associated with this context""" return self.tpm - + def list_keys(self): + """ + Return a tuple of uuid.UUID instances and storagetype values for all + available keys on the TPM. + """ + count = ffi.new('UINT32 *') + key_info_value = ffi.new('TSS_KM_KEYINFO2**') + tss_lib.Tspi_Context_GetRegisteredKeysByUUID2(self.context, 1, ffi.NULL, count, key_info_value) + values = [] + for i in range(count[0]): + key_info = key_info_value[0][i] + values.append(str(tss_uuid_to_uuid(key_info.keyUUID))) + return values def _c_byte_array(data): """ From b61d1f6827048e1469fb081567f7dbab4067aa91 Mon Sep 17 00:00:00 2001 From: brandhsn Date: Mon, 6 Feb 2017 19:51:43 +0100 Subject: [PATCH 10/17] added key info --- pytss/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pytss/__init__.py b/pytss/__init__.py index efc5878..23c4dcb 100644 --- a/pytss/__init__.py +++ b/pytss/__init__.py @@ -683,7 +683,7 @@ def get_tpm_object(self): def list_keys(self): """ Return a tuple of uuid.UUID instances and storagetype values for all - available keys on the TPM. + available keys on the TPM. from @nresare """ count = ffi.new('UINT32 *') key_info_value = ffi.new('TSS_KM_KEYINFO2**') From 549ffe3cc9269ac0efe3c8f2be94592f88fe52fb Mon Sep 17 00:00:00 2001 From: brandhsn Date: Wed, 8 Feb 2017 13:15:53 +0100 Subject: [PATCH 11/17] demo --- testTSS.py | 65 ++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 53 insertions(+), 12 deletions(-) diff --git a/testTSS.py b/testTSS.py index 192e816..1bc7c46 100644 --- a/testTSS.py +++ b/testTSS.py @@ -53,8 +53,10 @@ def getSrkKey(context): def getMasterkeyNumberArray(): #return "MASTERKEY" return [77, 65, 83, 84, 69, 82, 75, 69, 89] - -def clearKeys(): +def getMasterkeyNumberArrayOne(): + #return "MASTERKEY1" + return [77, 65, 83, 84, 69, 82, 75, 69, 89,49] +def clearKeys(context): try: k1 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) k1.unregisterKey() @@ -68,12 +70,14 @@ def get_current_key(idx): context.connect() take_ownership(context) srk = getSrkKey(context) - return context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) - -def get_new_key_and_replace_current(idx,first_run=False): - context=TspiContext() - context.connect() - take_ownership(context) + k= context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) + return k + +def get_new_key_and_replace_current(idx,context=None,first_run=False): + if context is None: + context=TspiContext() + context.connect() + take_ownership(context) srk = getSrkKey(context) if first_run==True: @@ -86,6 +90,7 @@ def get_new_key_and_replace_current(idx,first_run=False): kNew=context.create_wrap_key(keyFlags,srk.get_handle()) kOld.unregisterKey() kNew.registerKey(idxToUUID(idx),srk_uuid) + kNew.load_key() return kNew ''' @@ -98,6 +103,7 @@ def get_registered_keys(): keys=context.list_keys() #keys.remove(str(srk_uuid)) indexes=[] + print("ks:{}".format(keys)) for k in keys: #cut away leading 0 indexes.append(str(int(k.split("-")[0]))) @@ -106,12 +112,47 @@ def get_registered_keys(): def is_key_registered_to_idx(idx): return str(idx) in get_registered_keys() def demo(): - print("hi!") + print("Hi from Python-TPM interface!") + print("establishing connection to TPM") context=TspiContext() context.connect() - tpm=context.get_tpm_object() - get_registered_keys() - keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + take_ownership(context) + srk = getSrkKey(context) + print("connected/logged in to TPM") + mk=getMasterkeyNumberArray() + print("master key={}".format(str(mk))) + #clearKeys(context) + + print("currently registered key uuids: "+str(get_registered_keys())) + if(is_key_registered_to_idx(1)): + k=get_current_key(1) + k.bind(getMasterkeyNumberArray()) + tpm=context.get_tpm_object() + tpm.load_key_by_handle(k.get_handle(),srk.get_handle()) + print("currently registered key uuids: "+str(get_registered_keys())) + #print(""+str(k.uuid)) + k.unregisterKey() + print("generating/storing deletable key with idx="+str(1)) + dk=get_new_key_and_replace_current(1,first_run=True) + print("dk={}".format(dk.get_keyblob())) + encry = dk.bind(mk) + print("encrypted mk={}".format(encry)) + print("unencrypted mk={}".format(dk.unbind(encry))) + print("Got a secure delete request! Key-Cascade rebuilt, generatink new mk") + mk=getMasterkeyNumberArrayOne() + print("new master key={}".format(mk)) + print("exchanging dk") + dk=get_new_key_and_replace_current(1,first_run=False) + print("new dk={}".format(dk.get_keyblob())) + encry = dk.bind(mk) + print("new encrypted mk={}".format(encry)) + print("new unencrypted mk={}".format(dk.unbind(encry))) + print("Done!") + + + + + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_SLOTS]) #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE]) #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE]) #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,[tss_lib.TSS_TPMCAP_PROP_SLOTS]) From d7ec3020f232dd27ca25466b220ea2365b1295fe Mon Sep 17 00:00:00 2001 From: brandhsn Date: Wed, 8 Feb 2017 22:35:09 +0100 Subject: [PATCH 12/17] fixes --- testTSS.py | 60 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/testTSS.py b/testTSS.py index 1bc7c46..88a0f0c 100644 --- a/testTSS.py +++ b/testTSS.py @@ -65,9 +65,10 @@ def clearKeys(context): except: pass -def get_current_key(idx): - context=TspiContext() - context.connect() +def get_current_key(idx,context=None): + if context is None: + context=TspiContext() + context.connect() take_ownership(context) srk = getSrkKey(context) k= context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) @@ -77,7 +78,7 @@ def get_new_key_and_replace_current(idx,context=None,first_run=False): if context is None: context=TspiContext() context.connect() - take_ownership(context) + take_ownership(context) srk = getSrkKey(context) if first_run==True: @@ -97,13 +98,15 @@ def get_new_key_and_replace_current(idx,context=None,first_run=False): #define TSS_TPMCAP_PROP_MAXNVAVAILABLE (0x2d) #define TSS_TPMCAP_PROP_INPUTBUFFERSIZE (0x2e) ''' -def get_registered_keys(): - context=TspiContext() - context.connect() +def get_registered_keys(context=None): + if context is None: + context=TspiContext() + context.connect() + take_ownership(context) keys=context.list_keys() - #keys.remove(str(srk_uuid)) + keys.remove(str(srk_uuid)) indexes=[] - print("ks:{}".format(keys)) + #print("ks:{}".format(keys)) for k in keys: #cut away leading 0 indexes.append(str(int(k.split("-")[0]))) @@ -123,30 +126,29 @@ def demo(): print("master key={}".format(str(mk))) #clearKeys(context) - print("currently registered key uuids: "+str(get_registered_keys())) - if(is_key_registered_to_idx(1)): - k=get_current_key(1) - k.bind(getMasterkeyNumberArray()) - tpm=context.get_tpm_object() - tpm.load_key_by_handle(k.get_handle(),srk.get_handle()) - print("currently registered key uuids: "+str(get_registered_keys())) - #print(""+str(k.uuid)) + print("currently registered key uuids: "+str(get_registered_keys(context))) + idx="1" + if(idx in get_registered_keys(context)): + print("removed registered key with idx "+str(idx)) + k=get_current_key(idx,context) k.unregisterKey() + print("currently registered key uuids: "+str(get_registered_keys(context))) + print("generating/storing deletable key with idx="+str(1)) - dk=get_new_key_and_replace_current(1,first_run=True) - print("dk={}".format(dk.get_keyblob())) + dk=get_new_key_and_replace_current(idx,context,first_run=True) + print("deleteable key:\ndk={}".format(binascii.hexlify(dk.get_keyblob()))) encry = dk.bind(mk) - print("encrypted mk={}".format(encry)) - print("unencrypted mk={}".format(dk.unbind(encry))) + print("encrypted master key:\nmk={}".format(binascii.hexlify(encry))) + print("unencrypted master key={}".format(dk.unbind(encry))) print("Got a secure delete request! Key-Cascade rebuilt, generatink new mk") - mk=getMasterkeyNumberArrayOne() - print("new master key={}".format(mk)) + mkk=getMasterkeyNumberArrayOne() + print("new master key={}".format(mkk)) print("exchanging dk") - dk=get_new_key_and_replace_current(1,first_run=False) - print("new dk={}".format(dk.get_keyblob())) - encry = dk.bind(mk) - print("new encrypted mk={}".format(encry)) - print("new unencrypted mk={}".format(dk.unbind(encry))) + dkk=get_new_key_and_replace_current(idx,context,first_run=False) + print("new deletable key:\ndk={}".format(binascii.hexlify(dkk.get_keyblob()))) + encry = dkk.bind(mkk) + print("new encrypted masterkey:\nmk={}".format(binascii.hexlify(encry))) + print("new unencrypted mk={}".format(dkk.unbind(encry))) print("Done!") @@ -159,7 +161,7 @@ def demo(): #[tss_lib.TSS_TPMCAP_PROP_SLOTS]) - print("slots: {}".format(keyslots)) + #print("slots: {}".format(keyslots)) #print("blaa:"+struct.unpack(keyslots)) #clearKeys() demo() From b42f6ccb1701ca3328b05d6f333c41c0923a2232 Mon Sep 17 00:00:00 2001 From: brandhsn Date: Wed, 8 Feb 2017 22:35:17 +0100 Subject: [PATCH 13/17] fixes --- pytss/__init__.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pytss/__init__.py b/pytss/__init__.py index 23c4dcb..c64ca49 100644 --- a/pytss/__init__.py +++ b/pytss/__init__.py @@ -243,6 +243,10 @@ def __del__(self): # operation except tspi_exceptions.TSS_E_INVALID_HANDLE: pass + except tspi_exceptions.TSS_E_KEY_NOT_LOADED: + pass + except tspi_exceptions.TPM_E_FAIL: + pass def registerKey(self,keyUUID,parentUUID): '''TSS_RESULT Tspi_Context_RegisterKey(TSS_HCONTEXT hContext, TSS_HKEY hKey, TSS_FLAG persistentStorageType, TSS_UUID uuidKey, From 0234c748cdf03d6596e767ab9e6bd931351faee6 Mon Sep 17 00:00:00 2001 From: brandhsn Date: Sun, 12 Feb 2017 22:20:02 +0100 Subject: [PATCH 14/17] added status string of TPM --- testTSS.py | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 108 insertions(+), 2 deletions(-) diff --git a/testTSS.py b/testTSS.py index 88a0f0c..57ceefb 100644 --- a/testTSS.py +++ b/testTSS.py @@ -29,6 +29,7 @@ def take_ownership(context): :param context: The TSS context to use :returns: True on ownership being taken, False if the TPM is already owned """ + tpm = context.get_tpm_object() tpmpolicy = tpm.get_policy_object(TSS_POLICY_USAGE) tpmpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) @@ -114,6 +115,53 @@ def get_registered_keys(context=None): return indexes def is_key_registered_to_idx(idx): return str(idx) in get_registered_keys() +def get_status(): + context=TspiContext() + context.connect() + take_ownership(context) + srk = getSrkKey(context) + tpm = context.get_tpm_object() + #get_new_key_and_replace_current(10,context,True) + versionInfo = binascii.b2a_qp(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,0)).decode("ascii").split("=") + #print(versionInfo) + #chipVer=binascii.hexlify(versionInfo[5:6]).decode("utf-8") + chipVer=".".join(versionInfo[2:7]) + specLvl=versionInfo[7] + vendor=versionInfo[8] + statusStr="" + statusStr+=("ChipVersion={},SpecLevel={},SpecRevision={},Vendor={}".format(chipVer,specLvl,vendor[0:2],vendor[2:])) + tpmver=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION,0)).decode("ascii") + manufactInfo=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROP_MANUFACTURER,tss_lib.TSS_TCSCAP_PROP_MANUFACTURER_STR)).decode("ascii") + statusStr+=(",TPMVer={},ManufacturInfo={}".format(tpmver,manufactInfo)) + + maxkeyslots = binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_SLOTS)).decode("ascii") + maxKeys=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXKEYS)).decode("ascii") + maxSess=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXSESSIONS)).decode("ascii") + maxContexts=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXCONTEXTS)).decode("ascii") + maxInputBuffer=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE)).decode("ascii") + maxNVavail=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE)).decode("ascii") + statusStr+=(",KeySlots={},MaxKeys={},MaxSess={},MaxContexts={},InputBufferSize={},MaxNVSpace={}".format(maxkeyslots,maxKeys,maxSess,maxContexts,maxInputBuffer,maxNVavail)) + + #nvIndices=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,0)).decode("ascii") + + #print("{}".format(nvIndices)) + + algsrsa=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_RSA)).decode("ascii") + algsdes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_DES)).decode("ascii") + algs3des=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_3DES)).decode("ascii") + algssha=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA)).decode("ascii") + #algssha256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA256)).decode("ascii") + algshmac=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_HMAC)).decode("ascii") + algsaes128=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES128)).decode("ascii") + algsmgf1=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_MGF1)).decode("ascii") + algsaes192=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES192)).decode("ascii") + algsaes256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES256)).decode("ascii") + algsxor=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_XOR)).decode("ascii") + algsaes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES)).decode("ascii") + statusStr+=(",RSA={},DES={},3DES={},SHA-1={},HMAC={},AES128={},MGF1={},AES192={},AES256={},XOR={},AES={}".format(algsrsa,algsdes,algs3des,algssha,algshmac,algsaes128,algsmgf1,algsaes192,algsaes256,algsxor,algsaes)) + flags=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_FLAG,0)).decode("ascii") + statusStr+=(",Flags={}".format(flags)) + return statusStr def demo(): print("Hi from Python-TPM interface!") print("establishing connection to TPM") @@ -121,6 +169,63 @@ def demo(): context.connect() take_ownership(context) srk = getSrkKey(context) + tpm = context.get_tpm_object() + #get_new_key_and_replace_current(10,context,True) + versionInfo = binascii.b2a_qp(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,0)).decode("ascii").split("=") + #print(versionInfo) + #chipVer=binascii.hexlify(versionInfo[5:6]).decode("utf-8") + chipVer=".".join(versionInfo[2:7]) + specLvl=versionInfo[7] + vendor=versionInfo[8] + print("ChipVersion={},SpecLevel={},SpecRevision={},Vendor={}".format(chipVer,specLvl,vendor[0:2],vendor[2:])) + tpmver=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION,0)).decode("ascii") + manufactInfo=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROP_MANUFACTURER,tss_lib.TSS_TCSCAP_PROP_MANUFACTURER_STR)).decode("ascii") + print("TPMVer={},ManufacturInfo={}".format(tpmver,manufactInfo)) + + maxkeyslots = binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_SLOTS)).decode("ascii") + maxKeys=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXKEYS)).decode("ascii") + maxSess=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXSESSIONS)).decode("ascii") + maxContexts=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXCONTEXTS)).decode("ascii") + maxInputBuffer=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE)).decode("ascii") + maxNVavail=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE)).decode("ascii") + print("KeySlots={},MaxKeys={},MaxSess={},MaxContexts={},InputBufferSize={},MaxNVSpace={}".format(maxkeyslots,maxKeys,maxSess,maxContexts,maxInputBuffer,maxNVavail)) + + #nvIndices=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,0)).decode("ascii") + + #print("{}".format(nvIndices)) + + algsrsa=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_RSA)).decode("ascii") + algsdes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_DES)).decode("ascii") + algs3des=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_3DES)).decode("ascii") + algssha=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA)).decode("ascii") + #algssha256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA256)).decode("ascii") + algshmac=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_HMAC)).decode("ascii") + algsaes128=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES128)).decode("ascii") + algsmgf1=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_MGF1)).decode("ascii") + algsaes192=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES192)).decode("ascii") + algsaes256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES256)).decode("ascii") + algsxor=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_XOR)).decode("ascii") + algsaes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES)).decode("ascii") + print("algs: rsa={},des={},3des={},sha={},hmac={},aes128={},mgf1={},aes192={},aes256={},xor={},aes={}".format(algsrsa,algsdes,algs3des,algssha,algshmac,algsaes128,algsmgf1,algsaes192,algsaes256,algsxor,algsaes)) + flags=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_FLAG,0)).decode("ascii") + print("Flags={}".format(flags)) + + #print("version info {}".format(binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,[tss_lib.TSS_TPMCAP_PROP_SLOTS])))) + + #print("version info {}".format()) + #print("version info {}".format((tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,[tss_lib.TSS_TPMCAP_PROP_SLOTS]))[2:6])) + + + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + + +#[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + #print("slots: {}".format(keyslots)) + #print("blaa:"+struct.unpack(keyslots)) + + ''' print("connected/logged in to TPM") mk=getMasterkeyNumberArray() print("master key={}".format(str(mk))) @@ -149,7 +254,7 @@ def demo(): encry = dkk.bind(mkk) print("new encrypted masterkey:\nmk={}".format(binascii.hexlify(encry))) print("new unencrypted mk={}".format(dkk.unbind(encry))) - print("Done!") + print("Done!")''' @@ -164,7 +269,8 @@ def demo(): #print("slots: {}".format(keyslots)) #print("blaa:"+struct.unpack(keyslots)) #clearKeys() -demo() +#demo() +print("status: "+get_status()) ''' k=get_current_key() k2=get_new_key_and_replace_current() From 72d17620560ac7b084068983193e715bf38914ff Mon Sep 17 00:00:00 2001 From: brandhsn Date: Sun, 12 Feb 2017 22:20:10 +0100 Subject: [PATCH 15/17] added status string of TPM --- pytss/__init__.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pytss/__init__.py b/pytss/__init__.py index c64ca49..1de1dfb 100644 --- a/pytss/__init__.py +++ b/pytss/__init__.py @@ -452,10 +452,10 @@ def get_capability(self, cap, sub): for i in range(len(sub)): csub[i] = sub[i] ''' - csub = ffi.new('BYTE *') - for i in range(len(sub)): - csub[i] = sub[i] - #subCapLength might be different for other APIs, trousers fixes it to sizeof(uint32) + csub = ffi.new('BYTE [4]') + bytearr = [hex(sub >> i & 0xff) for i in (0,8,16,24)] + for i in range(4): + csub[i] =int(bytearr[i],16) tss_lib.Tspi_TPM_GetCapability(self.handle[0], cap,4, csub, resplen, resp) ret = bytearray(resp[0][0:resplen[0]]) From cf1ab84dfd9bd4c48bd2acfac15c3adcdc6395c9 Mon Sep 17 00:00:00 2001 From: brandhsn Date: Sun, 12 Feb 2017 23:25:38 +0100 Subject: [PATCH 16/17] tpm api --- TpmApi.py | 120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 TpmApi.py diff --git a/TpmApi.py b/TpmApi.py new file mode 100644 index 0000000..32d1151 --- /dev/null +++ b/TpmApi.py @@ -0,0 +1,120 @@ +from pytss import tspi_defines +import pytss +from pytss import * +import pytss.tspi_exceptions as tspi_exceptions +import uuid +from pytss.tspi_defines import * +import binascii + +srk_uuid = uuid.UUID('{00000000-0000-0000-0000-000000000001}') +keyFlags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE +srkSecret = bytearray([0] * 20) +ownerSecret = bytearray([0] * 20) + +def idxToUUID(idx): + return uuid.UUID('{'+str(idx).zfill(8)+'-0000-0000-0000-000000000001}') + +def getSrkKey(context): + srk= context.load_key_by_uuid(TSS_PS_TYPE_SYSTEM, srk_uuid) + srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) + srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + return srk + +def getMasterkeyNumberArray(): + return [77, 65, 83, 84, 69, 82, 75, 69, 89] + +def getMasterkeyNumberArrayOne(): + return [77, 65, 83, 84, 69, 82, 75, 69, 89,49] + +def clearKeys(context): + try: + k1 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) + k1.unregisterKey() + k2 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,new_uuid) + k2.unregisterKey() + except: + pass + +def get_current_key(idx): + context=TspiContext() + context.connect() + srk = getSrkKey(context) + k= context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) + return k + +def get_new_key_and_replace_current(idx,first_run=False): + + context=TspiContext() + context.connect() + srk = getSrkKey(context) + + if first_run==True: + k=context.create_wrap_key(keyFlags,srk.get_handle()) + k.load_key() + k.registerKey(idxToUUID(idx),srk_uuid) + return k + else: + kOld=context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) + kNew=context.create_wrap_key(keyFlags,srk.get_handle()) + kOld.unregisterKey() + kNew.registerKey(idxToUUID(idx),srk_uuid) + kNew.load_key() + return kNew + +def get_registered_keys(): + + context=TspiContext() + context.connect() + keys=context.list_keys() + keys.remove(str(srk_uuid)) + indexes=[] + for k in keys: + #cut away leading 0 + indexes.append(str(int(k.split("-")[0]))) + return indexes + +def is_key_registered_to_idx(idx): + return str(idx) in get_registered_keys() + +def get_status(): + context=TspiContext() + context.connect() + take_ownership(context) + srk = getSrkKey(context) + tpm = context.get_tpm_object() + versionInfo = binascii.b2a_qp(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,0)).decode("ascii").split("=") + chipVer=".".join(versionInfo[2:7]) + specLvl=versionInfo[7] + vendor=versionInfo[8] + statusStr="" + statusStr+=("ChipVersion={},SpecLevel={},SpecRevision={},Vendor={}".format(chipVer,specLvl,vendor[0:2],vendor[2:])) + tpmver=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION,0)).decode("ascii") + manufactInfo=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROP_MANUFACTURER,tss_lib.TSS_TCSCAP_PROP_MANUFACTURER_STR)).decode("ascii") + statusStr+=(",TPMVer={},ManufacturInfo={}".format(tpmver,manufactInfo)) + + maxkeyslots = binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_SLOTS)).decode("ascii") + maxKeys=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXKEYS)).decode("ascii") + maxSess=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXSESSIONS)).decode("ascii") + maxContexts=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXCONTEXTS)).decode("ascii") + maxInputBuffer=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE)).decode("ascii") + maxNVavail=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE)).decode("ascii") + statusStr+=(",KeySlots={},MaxKeys={},MaxSess={},MaxContexts={},InputBufferSize={},MaxNVSpace={}".format(maxkeyslots,maxKeys,maxSess,maxContexts,maxInputBuffer,maxNVavail)) + + #nvIndices=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,0)).decode("ascii") + algsrsa=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_RSA)).decode("ascii") + algsdes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_DES)).decode("ascii") + algs3des=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_3DES)).decode("ascii") + algssha=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA)).decode("ascii") + #algssha256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA256)).decode("ascii") + algshmac=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_HMAC)).decode("ascii") + algsaes128=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES128)).decode("ascii") + algsmgf1=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_MGF1)).decode("ascii") + algsaes192=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES192)).decode("ascii") + algsaes256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES256)).decode("ascii") + algsxor=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_XOR)).decode("ascii") + algsaes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES)).decode("ascii") + statusStr+=(",RSA={},DES={},3DES={},SHA-1={},HMAC={},AES128={},MGF1={},AES192={},AES256={},XOR={},AES={}".format(algsrsa,algsdes,algs3des,algssha,algshmac,algsaes128,algsmgf1,algsaes192,algsaes256,algsxor,algsaes)) + flags=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_FLAG,0)).decode("ascii") + statusStr+=(",Flags={}".format(flags)) + statusStr+=",RegisteredKeys={}".format(get_registered_keys(context)) + return statusStr From 7252e551d9447ea8b690bd1e61ec13a98cacc338 Mon Sep 17 00:00:00 2001 From: brandhsn Date: Sun, 12 Feb 2017 23:25:42 +0100 Subject: [PATCH 17/17] tpm api --- init_tpm.py | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 init_tpm.py diff --git a/init_tpm.py b/init_tpm.py new file mode 100644 index 0000000..c9c3971 --- /dev/null +++ b/init_tpm.py @@ -0,0 +1,30 @@ +from pytss import tspi_defines +import pytss +from pytss import * +import pytss.tspi_exceptions as tspi_exceptions +from pytss.tspi_defines import * + +srkSecret = bytearray([0] * 20) +ownerSecret = bytearray([0] * 20) + +def take_ownership(): + """Take ownership of a TPM + :param context: The TSS context to use + :returns: True on ownership being taken, False if the TPM is already owned + """ + context=TspiContext() + context.connect() + tpm = context.get_tpm_object() + tpmpolicy = tpm.get_policy_object(TSS_POLICY_USAGE) + tpmpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + + srk = context.create_rsa_key(TSS_KEY_TSP_SRK | TSS_KEY_AUTHORIZATION) + srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) + srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, ownerSecret) + + try: + tpm.take_ownership(srk) + except tspi_exceptions.TPM_E_DISABLED_CMD: + return False + + return True