Botan 3.6.1
Crypto and TLS for C&
tpm2_session.cpp
Go to the documentation of this file.
1/*
2* TPM 2 Auth Session Wrapper
3* (C) 2024 Jack Lloyd
4* (C) 2024 René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity GmbH, financed by LANCOM Systems GmbH
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/tpm2_session.h>
10
11#include <botan/tpm2_key.h>
12
13#include <botan/internal/stl_util.h>
14#include <botan/internal/tpm2_algo_mappings.h>
15#include <botan/internal/tpm2_util.h>
16
17namespace Botan::TPM2 {
18
19namespace {
20
21using SessionAttributesWrapper =
22 AttributeWrapper<TPMA_SESSION,
23 SessionAttributes,
24 PropMap{&SessionAttributes::continue_session, TPMA_SESSION_CONTINUESESSION},
25 PropMap{&SessionAttributes::audit_exclusive, TPMA_SESSION_AUDITEXCLUSIVE},
26 PropMap{&SessionAttributes::audit_reset, TPMA_SESSION_AUDITRESET},
27 PropMap{&SessionAttributes::decrypt, TPMA_SESSION_DECRYPT},
28 PropMap{&SessionAttributes::encrypt, TPMA_SESSION_ENCRYPT},
29 PropMap{&SessionAttributes::audit, TPMA_SESSION_AUDIT}>;
30
31} // namespace
32
33SessionAttributes SessionAttributes::read(TPMA_SESSION attributes) {
34 return SessionAttributesWrapper::read(attributes);
35}
36
37TPMA_SESSION SessionAttributes::render(SessionAttributes attributes) {
38 return SessionAttributesWrapper::render(attributes);
39}
40
41// static
42std::shared_ptr<Session> Session::unauthenticated_session(const std::shared_ptr<Context>& ctx,
43 std::string_view sym_algo,
44 std::string_view hash_algo) {
45 Object session(ctx);
46 const auto auth_sym = get_tpm2_sym_cipher_spec(sym_algo);
47 const auto auth_hash_algo = get_tpm2_hash_type(hash_algo);
48
49 BOTAN_ASSERT_NONNULL(ctx);
50
51 check_rc("Esys_StartSession",
52 Esys_StartAuthSession(*ctx,
53 ESYS_TR_NONE,
54 ESYS_TR_NONE,
55 ESYS_TR_NONE,
56 ESYS_TR_NONE,
57 ESYS_TR_NONE,
58 nullptr /*NonceCaller generated automatically*/,
59 TPM2_SE_HMAC,
60 &auth_sym,
61 auth_hash_algo,
62 out_transient_handle(session)));
63
64 return std::shared_ptr<Session>(new Session(std::move(session),
65 {
66 .continue_session = true,
67 .decrypt = true,
68 .encrypt = true,
69 }));
70}
71
72std::shared_ptr<Session> Session::authenticated_session(const std::shared_ptr<Context>& ctx,
73 const TPM2::PrivateKey& tpm_key,
74 std::string_view sym_algo,
75 std::string_view hash_algo) {
76 Object session(ctx);
77 const auto auth_sym = get_tpm2_sym_cipher_spec(sym_algo);
78 const auto auth_hash_algo = get_tpm2_hash_type(hash_algo);
79
80 BOTAN_ASSERT_NONNULL(ctx);
81
82 check_rc("Esys_StartSession",
83 Esys_StartAuthSession(*ctx,
84 tpm_key.handles().transient_handle(),
85 tpm_key.handles().transient_handle(),
86 ESYS_TR_NONE,
87 ESYS_TR_NONE,
88 ESYS_TR_NONE,
89 nullptr /*NonceCaller generated automatically*/,
90 TPM2_SE_HMAC,
91 &auth_sym,
92 auth_hash_algo,
93 out_transient_handle(session)));
94
95 return std::shared_ptr<Session>(new Session(std::move(session),
96 {
97 .continue_session = true,
98 .decrypt = true,
99 .encrypt = true,
100 }));
101}
102
103Session::Session(Object session, SessionAttributes attributes) : m_session(std::move(session)) {
104 set_attributes(attributes);
105}
106
107SessionAttributes Session::attributes() const {
108 TPMA_SESSION attrs;
109 check_rc("Esys_TRSess_GetAttributes",
110 Esys_TRSess_GetAttributes(*m_session.context(), m_session.transient_handle(), &attrs));
111 return SessionAttributes::read(attrs);
112}
113
114void Session::set_attributes(SessionAttributes attributes) {
115 check_rc("Esys_TRSess_SetAttributes",
116 Esys_TRSess_SetAttributes(
117 *m_session.context(), m_session.transient_handle(), SessionAttributes::render(attributes), 0xFF));
118}
119
120secure_vector<uint8_t> Session::tpm_nonce() const {
121 unique_esys_ptr<TPM2B_NONCE> nonce;
122 check_rc("Esys_TRSess_GetNonceTPM",
123 Esys_TRSess_GetNonceTPM(*m_session.context(), m_session.transient_handle(), out_ptr(nonce)));
124 return copy_into<secure_vector<uint8_t>>(*nonce);
125}
126
127[[nodiscard]] detail::SessionHandle::operator ESYS_TR() && noexcept {
128 if(m_session) {
129 return m_session->get().transient_handle();
130 } else {
131 return ESYS_TR_NONE;
132 }
133}
134
135} // namespace Botan::TPM2
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:86
Botan::TPM2::Object::context
const std::shared_ptr< Context > & context() const
Definition tpm2_object.h:110
Botan::TPM2::Object::transient_handle
ESYS_TR transient_handle() const noexcept
Definition tpm2_object.cpp:125
Botan::TPM2::Session::unauthenticated_session
static std::shared_ptr< Session > unauthenticated_session(const std::shared_ptr< Context > &ctx, std::string_view sym_algo="CFB(AES-256)", std::string_view hash_algo="SHA-256")
Definition tpm2_session.cpp:42
Botan::TPM2::Session::Session
Session(std::shared_ptr< Context > ctx, ESYS_TR session_handle)
Definition tpm2_session.h:139
Botan::TPM2::Session::set_attributes
void set_attributes(SessionAttributes attributes)
Definition tpm2_session.cpp:114
Botan::TPM2::Session::authenticated_session
static std::shared_ptr< Session > authenticated_session(const std::shared_ptr< Context > &ctx, const TPM2::PrivateKey &tpm_key, std::string_view sym_algo="CFB(AES-256)", std::string_view hash_algo="SHA-256")
Definition tpm2_session.cpp:72
Botan::TPM2::Session::tpm_nonce
secure_vector< uint8_t > tpm_nonce() const
Definition tpm2_session.cpp:120
Botan::TPM2::Session::attributes
SessionAttributes attributes() const
Definition tpm2_session.cpp:107
Botan::TPM2::PropMap
PropMap(MaskT, FieldPointerT) -> PropMap< MaskT, FieldPointerT >
Deduction guide to simplify the creation of PropMap instances.
Botan::TPM2::check_rc
constexpr void check_rc(std::string_view location, TSS2_RC rc)
Definition tpm2_util.h:54
Botan::TPM2::TPMA_SESSION
uint8_t TPMA_SESSION
Definition tpm2_session.h:20
Botan::TPM2::unique_esys_ptr
std::unique_ptr< T, esys_liberator > unique_esys_ptr
A unique pointer type for ESYS handles that automatically frees the handle.
Definition tpm2_util.h:154
Botan::TPM2::get_tpm2_hash_type
TPMI_ALG_HASH get_tpm2_hash_type(std::string_view hash_name)
Definition tpm2_algo_mappings.h:73
Botan::TPM2::out_transient_handle
constexpr auto out_transient_handle(Object &object)
Definition tpm2_util.h:209
Botan::TPM2::get_tpm2_sym_cipher_spec
TPMT_SYM_DEF get_tpm2_sym_cipher_spec(std::string_view algo_name)
Definition tpm2_algo_mappings.h:316
Botan::TPM2::copy_into
constexpr void copy_into(T &dest, std::span< const uint8_t > data)
Definition tpm2_util.h:117
Botan::out_ptr
constexpr auto out_ptr(T &outptr) noexcept
Definition stl_util.h:420
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::TPM2::SessionAttributes::read
static SessionAttributes read(TPMA_SESSION attributes)
Definition tpm2_session.cpp:33
Botan::TPM2::SessionAttributes::audit_exclusive
bool audit_exclusive
Indicates that a command should only be executed if the session is exclusive.
Definition tpm2_session.h:34
Botan::TPM2::SessionAttributes::decrypt
bool decrypt
Indicates that the first parameter of the command is to be decrypted by the TPM.
Definition tpm2_session.h:40
Botan::TPM2::SessionAttributes::continue_session
bool continue_session
The session may or may not remain active after the successful completion of any command.
Definition tpm2_session.h:31
Botan::TPM2::SessionAttributes::encrypt
bool encrypt
Indicates that the first parameter of a command's response is to be encrypted by the TPM.
Definition tpm2_session.h:43
Botan::TPM2::SessionAttributes::audit_reset
bool audit_reset
Indicates that the audit digest should be initialized and exclusive status of the session SET.
Definition tpm2_session.h:37
Botan::TPM2::SessionAttributes::render
static TPMA_SESSION render(SessionAttributes attributes)
Definition tpm2_session.cpp:37
Botan::TPM2::SessionAttributes::audit
bool audit
Indicates that the session is fused for audit and that audit_exclusive and audit_reset have meaning.
Definition tpm2_session.h:46
ESYS_TR
uint32_t ESYS_TR
Forward declaration of TSS2 type for convenience.
Definition tpm2_context.h:23
Generated by doxygen 1.12.0