Home | History | Annotate | Download | only in common 
      1 //
      2 // Copyright (C) 2015 The Android Open Source Project
      3 //
      4 // Licensed under the Apache License, Version 2.0 (the "License");
      5 // you may not use this file except in compliance with the License.
      6 // You may obtain a copy of the License at
      7 //
      8 //      http://www.apache.org/licenses/LICENSE-2.0
      9 //
     10 // Unless required by applicable law or agreed to in writing, software
     11 // distributed under the License is distributed on an "AS IS" BASIS,
     12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13 // See the License for the specific language governing permissions and
     14 // limitations under the License.
     15 //
     16 
     17 #ifndef ATTESTATION_COMMON_TPM_UTILITY_H_
     18 #define ATTESTATION_COMMON_TPM_UTILITY_H_
     19 
     20 #include <string>
     21 
     22 #include "attestation/common/interface.pb.h"
     23 
     24 namespace attestation {
     25 
     26 // A class which provides helpers for TPM-related tasks.
     27 class TpmUtility {
     28  public:
     29   virtual ~TpmUtility() = default;
     30 
     31   // Returns true iff the TPM is enabled, owned, and ready for attestation.
     32   virtual bool IsTpmReady() = 0;
     33 
     34   // Activates an attestation identity key. Effectively this decrypts a
     35   // certificate or some other type of credential with the endorsement key. The
     36   // |delegate_blob| and |delegate_secret| must be authorized to activate with
     37   // owner privilege. The |identity_key_blob| is the key to which the credential
     38   // is bound. The |asym_ca_contents| and |sym_ca_attestation| parameters are
     39   // encrypted TPM structures, typically created by a CA (TPM_ASYM_CA_CONTENTS
     40   // and TPM_SYM_CA_ATTESTATION respectively). On success returns true and
     41   // populates the decrypted |credential|.
     42   virtual bool ActivateIdentity(const std::string& delegate_blob,
     43                                 const std::string& delegate_secret,
     44                                 const std::string& identity_key_blob,
     45                                 const std::string& asym_ca_contents,
     46                                 const std::string& sym_ca_attestation,
     47                                 std::string* credential) = 0;
     48 
     49   // Generates and certifies a non-migratable key in the TPM. The new key will
     50   // correspond to |key_type| and |key_usage|. The parent key will be the
     51   // storage root key. The new key will be certified with the attestation
     52   // identity key represented by |identity_key_blob|. The |external_data| will
     53   // be included in the |key_info|. On success, returns true and populates
     54   // |public_key_tpm_format| with the public key of |key_blob| in TPM_PUBKEY
     55   // format, |key_info| with the TPM_CERTIFY_INFO that was signed, and |proof|
     56   // with the signature of |key_info| by the identity key.
     57   virtual bool CreateCertifiedKey(KeyType key_type,
     58                                   KeyUsage key_usage,
     59                                   const std::string& identity_key_blob,
     60                                   const std::string& external_data,
     61                                   std::string* key_blob,
     62                                   std::string* public_key,
     63                                   std::string* public_key_tpm_format,
     64                                   std::string* key_info,
     65                                   std::string* proof) = 0;
     66 
     67   // Seals |data| to the current value of PCR0 with the SRK and produces the
     68   // |sealed_data|. Returns true on success.
     69   virtual bool SealToPCR0(const std::string& data,
     70                           std::string* sealed_data) = 0;
     71 
     72   // Unseals |sealed_data| previously sealed with the SRK and produces the
     73   // unsealed |data|. Returns true on success.
     74   virtual bool Unseal(const std::string& sealed_data, std::string* data) = 0;
     75 
     76   // Reads the endorsement public key from the TPM.
     77   virtual bool GetEndorsementPublicKey(std::string* public_key) = 0;
     78 
     79   // Unbinds |bound_data| with the key loaded from |key_blob| by decrypting
     80   // using the TPM_ES_RSAESOAEP_SHA1_MGF1 scheme. The input must be in the
     81   // format of a TPM_BOUND_DATA structure. On success returns true and provides
     82   // the decrypted |data|.
     83   virtual bool Unbind(const std::string& key_blob,
     84                       const std::string& bound_data,
     85                       std::string* data) = 0;
     86 
     87   // Signs |data_to_sign| with the key loaded from |key_blob| using the
     88   // TPM_SS_RSASSAPKCS1v15_DER scheme with SHA-256. On success returns true and
     89   // provides the |signature|.
     90   virtual bool Sign(const std::string& key_blob,
     91                     const std::string& data_to_sign,
     92                     std::string* signature) = 0;
     93 };
     94 
     95 }  // namespace attestation
     96 
     97 #endif  // ATTESTATION_COMMON_TPM_UTILITY_H_
     98