1 // 2 // Copyright (C) 2015 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef ATTESTATION_COMMON_TPM_UTILITY_H_ 18 #define ATTESTATION_COMMON_TPM_UTILITY_H_ 19 20 #include <string> 21 22 #include "attestation/common/interface.pb.h" 23 24 namespace attestation { 25 26 // A class which provides helpers for TPM-related tasks. 27 class TpmUtility { 28 public: 29 virtual ~TpmUtility() = default; 30 31 // Returns true iff the TPM is enabled, owned, and ready for attestation. 32 virtual bool IsTpmReady() = 0; 33 34 // Activates an attestation identity key. Effectively this decrypts a 35 // certificate or some other type of credential with the endorsement key. The 36 // |delegate_blob| and |delegate_secret| must be authorized to activate with 37 // owner privilege. The |identity_key_blob| is the key to which the credential 38 // is bound. The |asym_ca_contents| and |sym_ca_attestation| parameters are 39 // encrypted TPM structures, typically created by a CA (TPM_ASYM_CA_CONTENTS 40 // and TPM_SYM_CA_ATTESTATION respectively). On success returns true and 41 // populates the decrypted |credential|. 42 virtual bool ActivateIdentity(const std::string& delegate_blob, 43 const std::string& delegate_secret, 44 const std::string& identity_key_blob, 45 const std::string& asym_ca_contents, 46 const std::string& sym_ca_attestation, 47 std::string* credential) = 0; 48 49 // Generates and certifies a non-migratable key in the TPM. The new key will 50 // correspond to |key_type| and |key_usage|. The parent key will be the 51 // storage root key. The new key will be certified with the attestation 52 // identity key represented by |identity_key_blob|. The |external_data| will 53 // be included in the |key_info|. On success, returns true and populates 54 // |public_key_tpm_format| with the public key of |key_blob| in TPM_PUBKEY 55 // format, |key_info| with the TPM_CERTIFY_INFO that was signed, and |proof| 56 // with the signature of |key_info| by the identity key. 57 virtual bool CreateCertifiedKey(KeyType key_type, 58 KeyUsage key_usage, 59 const std::string& identity_key_blob, 60 const std::string& external_data, 61 std::string* key_blob, 62 std::string* public_key, 63 std::string* public_key_tpm_format, 64 std::string* key_info, 65 std::string* proof) = 0; 66 67 // Seals |data| to the current value of PCR0 with the SRK and produces the 68 // |sealed_data|. Returns true on success. 69 virtual bool SealToPCR0(const std::string& data, 70 std::string* sealed_data) = 0; 71 72 // Unseals |sealed_data| previously sealed with the SRK and produces the 73 // unsealed |data|. Returns true on success. 74 virtual bool Unseal(const std::string& sealed_data, std::string* data) = 0; 75 76 // Reads the endorsement public key from the TPM. 77 virtual bool GetEndorsementPublicKey(std::string* public_key) = 0; 78 79 // Unbinds |bound_data| with the key loaded from |key_blob| by decrypting 80 // using the TPM_ES_RSAESOAEP_SHA1_MGF1 scheme. The input must be in the 81 // format of a TPM_BOUND_DATA structure. On success returns true and provides 82 // the decrypted |data|. 83 virtual bool Unbind(const std::string& key_blob, 84 const std::string& bound_data, 85 std::string* data) = 0; 86 87 // Signs |data_to_sign| with the key loaded from |key_blob| using the 88 // TPM_SS_RSASSAPKCS1v15_DER scheme with SHA-256. On success returns true and 89 // provides the |signature|. 90 virtual bool Sign(const std::string& key_blob, 91 const std::string& data_to_sign, 92 std::string* signature) = 0; 93 }; 94 95 } // namespace attestation 96 97 #endif // ATTESTATION_COMMON_TPM_UTILITY_H_ 98