File demo-hotfixes.diff of Package tud-l4env
Index: l4/pkg/lyon/include/lyon.h =================================================================== --- l4/pkg/lyon/include/lyon.h (revision 1811) +++ l4/pkg/lyon/include/lyon.h (working copy) @@ -32,7 +32,7 @@ /* ATTENTION: keep the #defines below in sync with values in lyon.idl */ #define LYON_HASH_SIZE TCG_HASH_SIZE #define LYON_ID_SIZE TCG_HASH_SIZE -#define LYON_MAX_BLOB_SIZE 8192 +#define LYON_MAX_BLOB_SIZE 0x2200 #define LYON_RSA_KEY_BITS 1024 #define LYON_RSA_KEY_BYTES (LYON_RSA_KEY_BITS / 8) Index: l4/pkg/lyon/server/src/lyon.c =================================================================== --- l4/pkg/lyon/server/src/lyon.c (revision 1811) +++ l4/pkg/lyon/server/src/lyon.c (working copy) @@ -330,21 +330,25 @@ crypto_aes_ctx_t aes_ctx; unsigned int aes_flags = 0, size; + printf("%s:%d: srclen=%u\n", __FILE__, __LINE__, srclen); size = FIT_SIZE(DATA_ARRAY_OFFSET(s) + nlen + srclen); if (src == NULL || dst == NULL || (nonce == NULL && nlen > 0) || size > dstlen) return -L4_EINVAL; + printf("%s:%d\n", __FILE__, __LINE__); owner = find_entry_by_id(id); creator = find_entry_by_task(client); if (owner == NULL || creator == NULL) return -L4_ENOTASK; + printf("%s:%d\n", __FILE__, __LINE__); s = (lyon_sealed_data_t *) malloc(size); if (s == NULL) return -L4_ENOMEM; + printf("%s:%d\n", __FILE__, __LINE__); /* we need to zero out at least the padding bytes at the end of the * buffer */ memset(s, 0, size); @@ -360,8 +364,10 @@ s->info.version = LYON_INVALID_VERSION; s->info.data_offset = nlen; s->info.data_len = srclen; + printf("%s:%d\n", __FILE__, __LINE__); if (nonce) memcpy(&s->data[0], nonce, nlen); + printf("%s:%d\n", __FILE__, __LINE__); memcpy(&s->data[nlen], src, srclen); /* calculate sanity checksum */ @@ -373,6 +379,7 @@ (const char *) s, dst, null_iv, size); free(s); + printf("%s:%d: (output) size=%u\n", __FILE__, __LINE__, size); return size; } 
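Review bot: The comment directly above this define says the values must stay in sync with lyon.idl, but no hunk in this patch touches lyon.idl, so `LYON_MAX_BLOB_SIZE` may now be 0x2200 in the header while the IDL still carries the old 8192. If the IDL-generated stubs size their buffers from the old value, blobs between 8192 and 0x2200 bytes would be accepted by the C code but would not fit the transport; please update lyon.idl in the same change or confirm that it already matches. A short comment such as `/* 8 KiB payload + 512 bytes of sealing overhead */` would also say where 0x2200 comes from, if that is the intent.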
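Review bot: The `printf("%s:%d\n", __FILE__, __LINE__)` checkpoints added to the seal routine in lyon.c (hunks at 330, 360 and 373) are unconditional, so every seal request writes several lines to the console and the tracing cannot be switched off without another patch. The same checkpoints are added to the unseal routine in lyon.c and to link_him.cc, TPMService_L4.cc and IntegrityService.cpp. I would put them behind one macro, e.g. `#define TRACE_HERE() printf("%s:%d\n", __FILE__, __LINE__)`, that expands to `((void)0)` unless a debug build option is set, and keep only the two lines that print `srclen` and `size`. The routine's signature is outside the hunk.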
@@ -390,14 +397,17 @@ lyon_hash_t real_checksum; unsigned int aes_flags = 0, data_len; + printf("%s:%d\n", __FILE__, __LINE__); if (src == NULL || dst == NULL || srclen < sizeof(*s) || srclen > dstlen || srclen % AES_BLOCK_SIZE != 0) return -L4_EINVAL; + printf("%s:%d\n", __FILE__, __LINE__); e = find_entry_by_task(client); if (e == NULL) return -L4_ENOTASK; + printf("%s:%d\n", __FILE__, __LINE__); /* decrypt data into output buffer */ aes_cipher_set_key(&aes_ctx, lyon_aes_key, AES128_KEY_SIZE, &aes_flags); crypto_cbc_decrypt(aes_cipher_decrypt, &aes_ctx, AES_BLOCK_SIZE, @@ -405,27 +415,34 @@ /* extract the total length of the data that has to be checksummed */ data_len = s->info.data_offset + s->info.data_len; + printf("%s:%d: data_len=%u srclen=%u\n", __FILE__, __LINE__, data_len, srclen); if (data_len > srclen - sizeof(*s)) { + printf("%s:%d\n", __FILE__, __LINE__); memset(dst, 0, srclen); return -L4_EINVAL; } /* calculate and verify sanity checksum */ + printf("%s:%d\n", __FILE__, __LINE__); calc_check_sum(s, data_len, real_checksum); if (memcmp(real_checksum, s->checksum, sizeof(real_checksum)) != 0) { + printf("%s:%d\n", __FILE__, __LINE__); memset(dst, 0, srclen); return -L4_EINVAL; } + printf("%s:%d\n", __FILE__, __LINE__); /* finally, check owner permission */ if ( !LYON_ID_EQUAL(e->data.id, s->info.owner)) { + printf("%s:%d\n", __FILE__, __LINE__); memset(dst, 0, srclen); return -L4_EPERM; } + printf("%s:%d\n", __FILE__, __LINE__); return sizeof(*s) + s->info.data_offset + s->info.data_len; } Index: l4/pkg/lyon/server/src/secrets.c =================================================================== --- l4/pkg/lyon/server/src/secrets.c (revision 1811) +++ l4/pkg/lyon/server/src/secrets.c (working copy) @@ -29,6 +29,7 @@ #include <l4/stpm/tcg/ord.h> #include <l4/stpm/tcg/basic.h> #include <l4/stpm/tcg/owner.h> +#include <l4/stpm/tcg/pcrs.h> #include <l4/lyon/lyon.h> /* local includes */ 
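Review bot: The new `printf` of `data_len` in the hunk at 405 prints a value that was just computed as `s->info.data_offset + s->info.data_len` from the decrypted header, before the bounds check and the checksum comparison have accepted it. If both fields are as wide as `unsigned int` (their declarations are not in the hunk) the sum can wrap, and a wrapped `data_len` would pass `data_len > srclen - sizeof(*s)`; checking the fields separately avoids that: `if (s->info.data_offset > srclen - sizeof(*s) || s->info.data_len > srclen - sizeof(*s) - s->info.data_offset)`. The addition and the check are context lines rather than lines this patch adds, and the function starts outside the hunk.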
@@ -157,8 +158,6 @@ crypto_aes_ctx_t aes_ctx; unsigned int aes_flags = 0; int ret; - //FIXME set pcrs - unsigned char const seal_pcr_map[3] = { 0xff, 0xff, 0xff}; /* we put the secrets_stage2_t structure into a buffer whose size is a * multiple of the cipher block size, because it is to be used a input @@ -179,12 +178,34 @@ /* calculate plausibilty check sum */ calc_check_sum(&s1, sealed_secrets_out->stage2_blob, s1.check_sum); +#if 1 /* now use the TPM to seal the secrets completely */ + unsigned short select_count = 24 >> 3; + unsigned int pcrinfolen = 2 + select_count + 2 * TCG_HASH_SIZE; + unsigned char pcrinfo [pcrinfolen]; + unsigned char pcrmap [select_count]; + + //we want all PCRs + memset(pcrmap, 0xFF, select_count); + + //reads all PCRs + if (STPM_GenPCRInfo(select_count, pcrmap, pcrinfo, &pcrinfolen)) + return -2; + + ret = TPM_Seal(SRK_HANDLE, pcrinfo, /*pcrinfolen*/ 0, srk_auth, secrets_auth, + (unsigned char *) &s1, sizeof(s1), + (unsigned char *) sealed_secrets_out->stage1_blob, + &sealed_secrets_out->stage1_blob_size); +#else + //FIXME set pcrs + unsigned char const seal_pcr_map[3] = { 0xff, 0xff, 0xff}; + ret = TPM_Seal_CurrPCR(SRK_HANDLE, sizeof(seal_pcr_map), seal_pcr_map, (unsigned char *) srk_auth, (unsigned char *) secrets_auth, (unsigned char *) &s1, sizeof(s1), (unsigned char *) sealed_secrets_out->stage1_blob, &sealed_secrets_out->stage1_blob_size); +#endif LOG("TPM_Seal_CurrPCR(): ret=%d", ret); if (ret != 0) 
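Review bot: `TPM_Seal` is called with `/*pcrinfolen*/ 0` as its third argument, so the PCR information that `STPM_GenPCRInfo` has just filled into `pcrinfo` appears not to be passed on, and the stage-1 secrets would then be sealed without being bound to any PCR state, whereas the `#else` branch sealed to the current PCRs through `TPM_Seal_CurrPCR`. If the argument really is the length of `pcrinfo` (the prototype is not in the hunk), pass the value the generator returned: `ret = TPM_Seal(SRK_HANDLE, pcrinfo, pcrinfolen, srk_auth, secrets_auth,`. The `LOG("TPM_Seal_CurrPCR(): ret=%d", ret);` line below should then read `TPM_Seal()`, and the `#if 1`/`#else` pair is better dropped once one path is chosen. A comment stating which PCRs the blob is bound to, and why, would help the next reader of this block.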
@@ -223,8 +244,8 @@ return -1; /* illegal data length */ ret = TPM_Unseal(SRK_HANDLE, (unsigned char *) srk_auth, (unsigned char *) secrets_auth, - (unsigned char *) sealed_secrets->stage1_blob, sealed_secrets->stage1_blob_size, - (unsigned char *) s1_buf, &stage1_size); + (unsigned char *) sealed_secrets->stage1_blob, sealed_secrets->stage1_blob_size, + (unsigned char *) s1_buf, &stage1_size); LOG("TPM_Unseal(): ret=%d", ret); if (ret != 0) return ret; Index: l4/pkg/stpm/server/tpmemu/glue.c =================================================================== --- l4/pkg/stpm/server/tpmemu/glue.c (revision 1811) +++ l4/pkg/stpm/server/tpmemu/glue.c (working copy) @@ -125,7 +125,7 @@ int namesize = strlen(slocal->vtpm_name); char * fname; - if (!names_waitfor_name(slocal->fprov_name, &fprov_id, 5000)) + if (!names_waitfor_name(slocal->fprov_name, &fprov_id, 300000)) { LOG("Fileprovider %s not found", slocal->fprov_name); return -1; @@ -151,7 +151,8 @@ size = data_length + 2048; if (size % 4096 != 0) size = ((size >> 12) + 1) << 12; - + + LOG("data_length=%zu", data_length); if (!(addr = l4dm_mem_ds_allocate_named(size, flags, fname, &ds))) { LOG("Allocating dataspace of size %d failed", size); @@ -194,7 +195,7 @@ return -3; } - LOG("File %s was written.", fname); + LOG("File %s with %zu bytes was written.", fname, size); free(fname); return 0; @@ -221,7 +222,7 @@ return -L4_ENODM; } - if (!names_waitfor_name(slocal->fprov_name, &fprov_id, 3000)) + if (!names_waitfor_name(slocal->fprov_name, &fprov_id, 300000)) { LOG("Failed to lookup specified file provider."); return -1; 
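Review bot: The timeout passed to `names_waitfor_name` is raised to the literal 300000 here and again in the hunk at 221, where it was 5000 and 3000 before, without a name or a comment saying why the file provider can take that long to register. A shared constant, e.g. `#define FPROV_WAIT_TIMEOUT 300000 /* file provider may start late in the demo setup */`, keeps the two call sites from drifting apart; the stated reason is my guess and should be replaced by the real one. Both enclosing functions start and end outside their hunks.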
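Review bot: `LOG("File %s with %zu bytes was written.", fname, size);` formats `size` with `%zu`, while the context line in the hunk at 151 prints the same-named variable with `%d` (`"Allocating dataspace of size %d failed"`), so one of the two specifiers does not match the variable's type unless these are different functions. The hunk at 277 raises the same question for `size` and `*data_length`, and the hunk at 151 for `data_length`. The declarations are outside the hunks; if `size` is an `int`, write `%d`, or cast explicitly: `LOG("File %s with %zu bytes was written.", fname, (size_t) size);`. Note also that `size` at this point looks like the padded dataspace size (`data_length + 2048` rounded up to 4096 in the hunk at 151), not the number of payload bytes.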
@@ -277,7 +278,7 @@ l4rm_detach(addr); l4dm_close(&ds); - LOG("File %s was loaded.", fname); + LOG("File %s was loaded (%zu bytes sealed, %zu unsealed).", fname, size, *data_length); free(fname); return 0; Index: l4/pkg/stpm/server/tpmemu/link_him.cc =================================================================== --- l4/pkg/stpm/server/tpmemu/link_him.cc (revision 1811) +++ l4/pkg/stpm/server/tpmemu/link_him.cc (working copy) @@ -9,6 +9,7 @@ * the terms of the GNU General Public Licence 2. Please see the * COPYING file for details. */ +#include <stdio.h> #include <l4/crypto/aes.h> //aes #include <l4/crypto/cbc.h> // cbc_encrypt #include <tcg/basic.h> //TCG_HASH_SIZE @@ -40,11 +41,12 @@ ByteArray dataBlob(indata, indatalen); ret = u.HIM_Store(stUUIDbyHIM, dataBlob, rEnCrData); err = ret || rEnCrData.data.length() == 0 || rEnCrData.data.blob() == 0; -// printf("%s- store : ret %d, encrypted data len 0x%lx at %p\n", -// (err ? "failure " : "success "), ret, rEnCrData.data.length(), -// rEnCrData.data.blob()); + printf("%s- store : ret %d, encrypted data len 0x%lx at %p\n", + (err ? "failure " : "success "), ret, rEnCrData.data.length(), + rEnCrData.data.blob()); if (!err) { + printf("%s:%d\n", __FILE__, __LINE__); //check buffer size, return error when not enough space available if (*outdatalen < rEnCrData.data.length()) return -1; @@ -52,7 +54,9 @@ //all fine, copy data memcpy(outdata, rEnCrData.data.blob(), rEnCrData.data.length()); *outdatalen = rEnCrData.data.length(); - } + printf("%s:%d\n", __FILE__, __LINE__); + } else + printf("%s:%d\n", __FILE__, __LINE__); return err; } 
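Review bot: The re-enabled `printf` in the store path of link_him.cc prints `rEnCrData.data.blob()` with `%p`, which puts a heap address of the emulator into the console output on every store, and it passes the pointer without the cast to `void *` that `%p` requires. I would drop the address and keep the status and length: `printf("%s- store : ret %d, encrypted data len 0x%lx\n", (err ? "failure " : "success "), ret, (unsigned long) rEnCrData.data.length());`. The retrieve path in the hunk at 75 has the same line. The function starts outside the hunk.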
@@ -75,11 +79,13 @@ //restore data, all done by HIM ret = u.HIM_Retrieve(stUUIDbyHIM, sBlob, rDeCrData); err = ret || rDeCrData.data.length() == 0 || rDeCrData.data.blob() == 0; -// printf("%s- retrieve : ret %d, encrypted data len 0x%lx at %p\n", -// (err ? "failure " : "success "), ret, rDeCrData.data.length(), -// rDeCrData.data.blob()); + printf("%s- retrieve : ret %d, encrypted data len 0x%lx at %p\n", + (err ? "failure " : "success "), ret, rDeCrData.data.length(), + rDeCrData.data.blob()); + printf("%s:%d\n", __FILE__, __LINE__); if (!err) { + printf("%s:%d\n", __FILE__, __LINE__); *unsealedlen = rDeCrData.data.length(); *unsealedblob = (unsigned char *)tpm_malloc(rDeCrData.data.length()); memcpy(*unsealedblob, rDeCrData.data.blob(), rDeCrData.data.length()); Index: l4/pkg/loader/server/src/main.c =================================================================== --- l4/pkg/loader/server/src/main.c (revision 1811) +++ l4/pkg/loader/server/src/main.c (working copy) @@ -39,7 +39,7 @@ const int l4thread_max_threads = 5; /**< limit number of threads */ #endif //const l4_size_t l4thread_stack_size = 16384; /**< limit stack size */ -const l4_size_t l4thread_stack_size = 0x10000; /**< limit stack size */ +const l4_size_t l4thread_stack_size = 0x14000; /**< limit stack size */ int use_events; int use_l4io; Index: l4/pkg/libmlrpc/contrib/mlrpc-l4.h =================================================================== --- l4/pkg/libmlrpc/contrib/mlrpc-l4.h (revision 1811) +++ l4/pkg/libmlrpc/contrib/mlrpc-l4.h (working copy) 
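Review bot: In the success branch of the retrieve path the result of `tpm_malloc(rDeCrData.data.length())` is stored in `*unsealedblob` and handed straight to `memcpy` without a null check, so an allocation failure becomes a write through a null pointer unless `tpm_malloc` never returns null. Add `if (*unsealedblob == 0) return -1;` between the two lines; the exact error value should follow whatever the callers expect, which is not visible here. These are context lines of the hunk, and the function continues past its end.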
@@ -23,7 +23,7 @@ * *************************************************************************** */ -#define L4_MLRPC_MAX_TRANSMIT_BUFFER_SIZE 8192 +#define L4_MLRPC_MAX_TRANSMIT_BUFFER_SIZE 0x2200 /* * *************************************************************************** Index: l4/pkg/libmlrpc/lib/src/service-l4.c =================================================================== --- l4/pkg/libmlrpc/lib/src/service-l4.c (revision 1811) +++ l4/pkg/libmlrpc/lib/src/service-l4.c (working copy) @@ -58,7 +58,7 @@ int mlrpc_transmit_component(CORBA_Object _dice_corba_obj, unsigned int *size /* in, out */, - char msg[8192] /* in, out */, + char msg[0x2200] /* in, out */, CORBA_Server_Environment *_dice_corba_env) { mlrpc_message_t *request = (mlrpc_message_t *) msg; Index: l4/pkg/libmlrpc/idl/mlrpc.idl =================================================================== --- l4/pkg/libmlrpc/idl/mlrpc.idl (revision 1811) +++ l4/pkg/libmlrpc/idl/mlrpc.idl (working copy) @@ -19,7 +19,7 @@ * with mlrpcd. If not, see <http://www.gnu.org/licenses/>. */ -#define MLRPC_MAX_TRANSMIT_BUFFER_SIZE 8192 +#define MLRPC_MAX_TRANSMIT_BUFFER_SIZE 0x2200 interface mlrpc { /* Component management interface */ Index: l4/pkg/him/server/src/TPMService_L4.cc =================================================================== --- l4/pkg/him/server/src/TPMService_L4.cc (revision 1811) +++ l4/pkg/him/server/src/TPMService_L4.cc (working copy) 
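Review bot: `char msg[0x2200]` in service-l4.c repeats as a literal the value that this patch also sets in `L4_MLRPC_MAX_TRANSMIT_BUFFER_SIZE` (mlrpc-l4.h) and `MLRPC_MAX_TRANSMIT_BUFFER_SIZE` (mlrpc.idl), so the transmit buffer size now lives in three places that must be edited together. If mlrpc-l4.h is included in service-l4.c, write `char msg[L4_MLRPC_MAX_TRANSMIT_BUFFER_SIZE] /* in, out */,`; otherwise add a comment next to the literal naming the two macros it must match. A size mismatch between the IDL-generated caller and this implementation would not be caught by the compiler, since an array parameter decays to a pointer. The function body continues outside the hunk.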
@@ -100,13 +100,16 @@ BMSI_getIntegrityInterface(&i); + printf("%s:%d: sealedBlob.len=%lu\n", __FILE__, __LINE__, sealedBlob.length()); res = IntegrityInterface_unseal(i, sealedBlob.length(), (const byte *) sealedBlob.blob(), &blobLength, &blob); if (res != 0) throw HIMException(HIMException::TPMSERVICEERROR); + printf("%s:%d\n", __FILE__, __LINE__); UnsealedBlob plainBlob(blob, blobLength); IntegrityInterface_free(i); + printf("%s:%d\n", __FILE__, __LINE__); return plainBlob; } Index: l4/pkg/him/contrib/src/IntegrityService.cpp =================================================================== --- l4/pkg/him/contrib/src/IntegrityService.cpp (revision 1811) +++ l4/pkg/him/contrib/src/IntegrityService.cpp (working copy) @@ -175,6 +175,7 @@ /* steps #0-#3: collect measurements of all dependencies */ createConfigHash(UUID, 0, currentConfig); + printf("%s:%d UUID=%s\n", __FILE__, __LINE__, UUID.c_str()); try { /* step #4: record current state */ @@ -182,6 +183,7 @@ allData.append(data); /* step #5: seal using BMSI */ encryptedData = HIMService::Instance()->getTPMService().TPMService_Seal(allData); + printf("%s:%d encryptedData.len=%lu\n", __FILE__, __LINE__, encryptedData.length()); } catch (TPMServiceException e) { Utilities::HIM_LOG(e.getExceptionCode(), e.what(), false, true); throw HIMException(HIMException::TPMSERVICEERROR); 
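Review bot: When `IntegrityInterface_unseal` fails in TPMService_L4.cc, the `throw HIMException(...)` leaves the function before `IntegrityInterface_free(i)` runs, so the interface obtained from `BMSI_getIntegrityInterface(&i)` is not released on the error path. Releasing it before the throw fixes that: `if (res != 0) { IntegrityInterface_free(i); throw HIMException(HIMException::TPMSERVICEERROR); }`. Whether `blob` must also be freed after it has been handed to `plainBlob` depends on the ownership rules of `IntegrityInterface_unseal`, which the hunk does not show. The function starts outside the hunk.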
@@ -199,25 +201,32 @@ createConfigHash(UUID, 0, currentConfig); try { + printf("%s:%d UUID=%s\n", __FILE__, __LINE__, UUID.c_str()); decryptedData = HIMService::Instance()->getTPMService().TPMService_Unseal(sealedBlob); if (decryptedData.length() < sizeof(currentConfig)) throw HIMException(HIMException::TPMSERVICEERROR); + printf("%s:%d\n", __FILE__, __LINE__); const HIMHashData *expectedConfig = (HIMHashData *) decryptedData.blob(); if (memcmp(expectedConfig->bundledMeasurement, currentConfig.bundledMeasurement, sizeof(expectedConfig->bundledMeasurement)) == 0) { + printf("%s:%d\n", __FILE__, __LINE__); // allowed, return playload only return SealedBlob(decryptedData.blob() + sizeof(*expectedConfig), decryptedData.length() - sizeof(*expectedConfig)); } else { + printf("%s:%d\n", __FILE__, __LINE__); // not allowed return SealedBlob(0, 0); } + printf("%s:%d\n", __FILE__, __LINE__); } catch (TPMServiceException e) { + printf("%s:%d\n", __FILE__, __LINE__); Utilities::HIM_LOG(e.getExceptionCode(), e.what(), false, true); throw HIMException(HIMException::TPMSERVICEERROR); } + printf("%s:%d\n", __FILE__, __LINE__); } HIMMeasurementReport IntegrityService::retrieveCCRs(string UUID) const {
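Review bot: Two of the added `printf` lines can never run: the one after the `if`/`else`, because both branches return, and the one after the `catch` block, because the `try` body always returns or throws and the handler rethrows. They should be removed, since a trace that is never printed suggests a path that does not exist. If the tracing stays, the mismatch branch is the one worth a real message, e.g. `printf("%s:%d configuration mismatch for UUID=%s\n", __FILE__, __LINE__, UUID.c_str());`. The function starts outside the hunk.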