1 //
2 // Copyright (C) 2015 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #ifndef ATTESTATION_COMMON_TPM_UTILITY_H_
18 #define ATTESTATION_COMMON_TPM_UTILITY_H_
19 
20 #include <string>
21 
22 #include "attestation/common/interface.pb.h"
23 
24 namespace attestation {
25 
26 // A class which provides helpers for TPM-related tasks.
27 class TpmUtility {
28  public:
29   virtual ~TpmUtility() = default;
30 
31   // Returns true iff the TPM is enabled, owned, and ready for attestation.
32   virtual bool IsTpmReady() = 0;
33 
34   // Activates an attestation identity key. Effectively this decrypts a
35   // certificate or some other type of credential with the endorsement key. The
36   // |delegate_blob| and |delegate_secret| must be authorized to activate with
37   // owner privilege. The |identity_key_blob| is the key to which the credential
38   // is bound. The |asym_ca_contents| and |sym_ca_attestation| parameters are
39   // encrypted TPM structures, typically created by a CA (TPM_ASYM_CA_CONTENTS
40   // and TPM_SYM_CA_ATTESTATION respectively). On success returns true and
41   // populates the decrypted |credential|.
42   virtual bool ActivateIdentity(const std::string& delegate_blob,
43                                 const std::string& delegate_secret,
44                                 const std::string& identity_key_blob,
45                                 const std::string& asym_ca_contents,
46                                 const std::string& sym_ca_attestation,
47                                 std::string* credential) = 0;
48 
49   // Generates and certifies a non-migratable key in the TPM. The new key will
50   // correspond to |key_type| and |key_usage|. The parent key will be the
51   // storage root key. The new key will be certified with the attestation
52   // identity key represented by |identity_key_blob|. The |external_data| will
53   // be included in the |key_info|. On success, returns true and populates
54   // |public_key_tpm_format| with the public key of |key_blob| in TPM_PUBKEY
55   // format, |key_info| with the TPM_CERTIFY_INFO that was signed, and |proof|
56   // with the signature of |key_info| by the identity key.
57   virtual bool CreateCertifiedKey(KeyType key_type,
58                                   KeyUsage key_usage,
59                                   const std::string& identity_key_blob,
60                                   const std::string& external_data,
61                                   std::string* key_blob,
62                                   std::string* public_key,
63                                   std::string* public_key_tpm_format,
64                                   std::string* key_info,
65                                   std::string* proof) = 0;
66 
67   // Seals |data| to the current value of PCR0 with the SRK and produces the
68   // |sealed_data|. Returns true on success.
69   virtual bool SealToPCR0(const std::string& data,
70                           std::string* sealed_data) = 0;
71 
72   // Unseals |sealed_data| previously sealed with the SRK and produces the
73   // unsealed |data|. Returns true on success.
74   virtual bool Unseal(const std::string& sealed_data, std::string* data) = 0;
75 
76   // Reads the endorsement public key from the TPM.
77   virtual bool GetEndorsementPublicKey(std::string* public_key) = 0;
78 
79   // Unbinds |bound_data| with the key loaded from |key_blob| by decrypting
80   // using the TPM_ES_RSAESOAEP_SHA1_MGF1 scheme. The input must be in the
81   // format of a TPM_BOUND_DATA structure. On success returns true and provides
82   // the decrypted |data|.
83   virtual bool Unbind(const std::string& key_blob,
84                       const std::string& bound_data,
85                       std::string* data) = 0;
86 
87   // Signs |data_to_sign| with the key loaded from |key_blob| using the
88   // TPM_SS_RSASSAPKCS1v15_DER scheme with SHA-256. On success returns true and
89   // provides the |signature|.
90   virtual bool Sign(const std::string& key_blob,
91                     const std::string& data_to_sign,
92                     std::string* signature) = 0;
93 };
94 
95 }  // namespace attestation
96 
97 #endif  // ATTESTATION_COMMON_TPM_UTILITY_H_
98