added use of persisted IAK and IDevID and authorisation values

Signed-off-by: Isaac-Matthews <[email protected]>

Author: Isaac-Matthews

keylime-agent.conf

@@ -228,7 +228,7 @@ tpm_signing_alg = "rsassa"
 ek_handle = "generate"
 
 # Enable IDevID and IAK usage 
-enable_iak_idevid = true
+enable_iak_idevid = false
 
 # Select IDevID and IAK templates or algorithms for regenerating the keys.
 # By default the template will be detected automatically from the certificates. This will happen if iak_idevid_template is left empty or set as "default" or "detect".

keylime-agent/src/config.rs

@@ -341,19 +341,16 @@ impl EnvConfig {
             );
         }
         if let Some(ref v) = self.idevid_password {
-            _ = agent.insert(
-                "idevid_password".to_string(),
-                v.to_string().into(),
-            );
+            _ = agent
+                .insert("idevid_password".to_string(), v.to_string().into());
         }
         if let Some(ref v) = self.iak_password {
-            _ = agent.insert(
-                "iak_password".to_string(),
-                v.to_string().into(),
-            );
+            _ = agent
+                .insert("iak_password".to_string(), v.to_string().into());
         }
         if let Some(ref v) = self.idevid_handle {
-            _ = agent.insert("idevid_handle".to_string(), v.to_string().into());
+            _ = agent
+                .insert("idevid_handle".to_string(), v.to_string().into());
         }
         if let Some(ref v) = self.iak_handle {
             _ = agent.insert("iak_handle".to_string(), v.to_string().into());

keylime-agent/src/main.rs

@@ -378,8 +378,9 @@ async fn main() -> Result<()> {
         iak_cert = None;
         idevid_cert = None;
     }
-    /// Regenerate the IAK and IDevID and check that the keys match the certificates that have been loaded
+    /// Regenerate the IAK and IDevID keys or collect and authorise persisted ones and check that the keys match the certificates that have been loaded
     let (iak, idevid) = if config.agent.enable_iak_idevid {
+        /// Try to detect which template has been used by checking the certificate
         let (asym_alg, name_alg) = tpm::get_idevid_template(
             &crypto::match_cert_to_template(
                 &iak_cert.clone().ok_or(Error::Other(
@@ -392,31 +393,58 @@ async fn main() -> Result<()> {
             config.agent.iak_idevid_name_alg.as_str(),
         )?;
 
-        let idevid = ctx.create_idevid(asym_alg, name_alg)?;
-        info!("IDevID created.");
-        // Flush after creating to make room for AK and EK and IAK
-        ctx.as_mut().flush_context(idevid.handle.into())?;
+        /// IDevID recreation/collection
+        let idevid = if config.agent.idevid_handle.trim().is_empty() {
+            /// If handle is not set in config, recreate IDevID according to template
+            info!("Recreating IDevID.");
+            let regen_idev = ctx.create_idevid(asym_alg, name_alg)?;
+            ctx.as_mut().flush_context(regen_idev.handle.into())?;
+            // Flush after creating to make room for AK and EK and IAK
+            regen_idev
+        } else {
+            info!("Collecting persisted IDevID.");
+            ctx.idevid_from_handle(
+                config.agent.idevid_handle.as_str(),
+                config.agent.idevid_password.as_str(),
+            )?
+        };
+        /// Check that recreated/collected IDevID key matches the one in the certificate
         if crypto::check_x509_key(
             &idevid_cert.clone().ok_or(Error::Other(
-                "IAK/IDevID enabled but cert could not be used".to_string(),
+                "IAK/IDevID enabled but IDevID cert could not be used"
+                    .to_string(),
             ))?,
             idevid.clone().public,
         )? {
-            info!("Regenerated IDevID matches certificate.");
+            info!("IDevID matches certificate.");
         } else {
             error!("IDevID template does not match certificate. Check template in configuration.");
             return Err(Error::Configuration("IDevID template does not match certificate. Check template in configuration.".to_string()));
         }
 
-        let iak = ctx.create_iak(asym_alg, name_alg)?;
-        info!("IAK created.");
+        /// IAK recreation/collection
+        let iak = if config.agent.iak_handle.trim().is_empty() {
+            /// If handle is not set in config, recreate IAK according to template
+            info!("Recreating IAK.");
+            ctx.create_iak(asym_alg, name_alg)?
+        } else {
+            /// If a handle has been set, try to collect from the handle
+            /// If there is an IAK password, add the password to the handle
+            info!("Collecting persisted IAK.");
+            ctx.iak_from_handle(
+                config.agent.iak_handle.as_str(),
+                config.agent.iak_password.as_str(),
+            )?
+        };
+        /// Check that recreated/collected IAK key matches the one in the certificate
         if crypto::check_x509_key(
             &iak_cert.clone().ok_or(Error::Other(
-                "IAK/IDevID enabled but cert could not be used".to_string(),
+                "IAK/IDevID enabled but IAK cert could not be used"
+                    .to_string(),
             ))?,
             iak.clone().public,
         )? {
-            info!("Regenerated IAK matches certificate.");
+            info!("IAK matches certificate.");
         } else {
             error!("IAK template does not match certificate. Check template in configuration.");
             return Err(Error::Configuration("IAK template does not match certificate. Check template in configuration.".to_string()));

keylime/src/tpm.rs

@@ -43,7 +43,7 @@ use tss_esapi::{
         structure_tags::AttestationType,
     },
     structures::{
-        Attest, AttestInfo, Data, Digest, DigestValues, EccParameter,
+        Attest, AttestInfo, Auth, Data, Digest, DigestValues, EccParameter,
         EccPoint, EccScheme, EncryptedSecret, HashScheme, IdObject,
         KeyDerivationFunctionScheme, Name, PcrSelectionList,
         PcrSelectionListBuilder, PcrSlot, PublicBuilder,
@@ -140,6 +140,13 @@ pub enum TpmError {
         source: tss_esapi::Error,
     },
 
+    /// Error setting auth for persistent TPM handle
+    #[error("Error setting auth for persistent TPM handle {handle}")]
+    TSSHandleSetAuthError {
+        handle: String,
+        source: tss_esapi::Error,
+    },
+
     /// Error returned in case of error creating new Primary Key
     #[error("Error creating primary key")]
     TSSCreatePrimaryError { source: tss_esapi::Error },
@@ -339,6 +346,10 @@ pub enum TpmError {
     #[error("base64 decode error")]
     Base64Decode(#[from] base64::DecodeError),
 
+    /// Hex decoding error
+    #[error("hex decode error")]
+    HexDecodeError(String),
+
     /// Malformed PCR selection mask
     #[error("Malformed PCR selection mask: {0}")]
     MalformedPCRSelectionMask(String),
@@ -613,6 +624,99 @@ impl Context {
         Ok(ak_handle)
     }
 
+    /// Load a key handle from a string of the handle location
+    /// If a password is supplied, authorise the handle
+    /// # Arguments
+    ///
+    /// `handle` : The string of the handle, eg. from config
+    /// `password` ; The string password, to be converted to hex if there is the "hex:" prefix
+    ///
+    /// # Return
+    /// The corresponding KeyHandle, or a TPMError
+    fn get_key_handle(
+        &mut self,
+        handle: &str,
+        password: &str,
+    ) -> Result<KeyHandle> {
+        let handle = u32::from_str_radix(handle.trim_start_matches("0x"), 16)
+            .map_err(|source| TpmError::NumParse {
+                origin: handle.to_string(),
+                source,
+            })?;
+        let key_handle: KeyHandle = self
+            .inner
+            .tr_from_tpm_public(TpmHandle::Persistent(
+                PersistentTpmHandle::new(handle).map_err(|source| {
+                    TpmError::TSSNewPersistentHandleError {
+                        handle: handle.to_string(),
+                        source,
+                    }
+                })?,
+            ))
+            .map_err(|source| TpmError::TSSHandleFromPersistentHandleError {
+                handle: handle.to_string(),
+                source,
+            })?
+            .into();
+        if !password.is_empty() {
+            let auth = if password.starts_with("hex:") {
+                let (_, hex_password) = password.split_at(4);
+                let decoded_password =
+                    hex::decode(hex_password).map_err(|_| {
+                        TpmError::HexDecodeError(
+                            "Hex decode error for identity auth value."
+                                .to_string(),
+                        )
+                    })?;
+                Auth::try_from(decoded_password)?
+            } else {
+                Auth::try_from(password.as_bytes())?
+            };
+            self.as_mut().tr_set_auth(key_handle.into(), auth).map_err(
+                |source| TpmError::TSSHandleSetAuthError {
+                    handle: handle.to_string(),
+                    source,
+                },
+            )?;
+        };
+
+        Ok(key_handle)
+    }
+
+    /// Create an IDevID object from one persisted in TPM using its handle
+    pub fn idevid_from_handle(
+        &mut self,
+        handle: &str,
+        password: &str,
+    ) -> Result<IDevIDResult> {
+        let idevid_handle = self.get_key_handle(handle, password)?;
+        let (idevid_pub, _, _) = self
+            .inner
+            .read_public(idevid_handle)
+            .map_err(|source| TpmError::TSSReadPublicError { source })?;
+        Ok(IDevIDResult {
+            public: idevid_pub,
+            handle: idevid_handle,
+        })
+    }
+
+    /// Create an IAK object from one persisted in TPM using its handle
+    pub fn iak_from_handle(
+        &mut self,
+        handle: &str,
+        password: &str,
+    ) -> Result<IAKResult> {
+        let iak_handle = self.get_key_handle(handle, password)?;
+        let (iak_pub, _, _) = self
+            .inner
+            .read_public(iak_handle)
+            .map_err(|source| TpmError::TSSReadPublicError { source })?;
+        Ok(IAKResult {
+            public: iak_pub,
+            handle: iak_handle,
+        })
+    }
+
     /// Creates an IDevID
     pub fn create_idevid(
         &mut self,