Adds proper native types for TPMS_CONTEXT.

- Adds TPM context data structures. - Moves TpmsContext into structures and renames it to SavedTpmContext. Signed-off-by: Jesper Brynolf <jesper.brynolf@gmail.com>
Superhepper · Mar 16, 2024 · 52f3563 · 52f3563
1 parent 067702d
commit 52f3563
Show file tree

Hide file tree

Showing 12 changed files with 222 additions and 91 deletions.
diff --git a/tss-esapi/src/abstraction/transient/mod.rs b/tss-esapi/src/abstraction/transient/mod.rs
@@ -20,10 +20,11 @@ use crate::{
     structures::{
         Auth, CreateKeyResult, Data, Digest, EccPoint, EccScheme, Name, Public, PublicBuilder,
         PublicEccParametersBuilder, PublicKeyRsa, PublicRsaParametersBuilder, RsaExponent,
-        RsaScheme, Signature, SignatureScheme, SymmetricDefinitionObject, VerifiedTicket,
+        RsaScheme, SavedTpmContext, Signature, SignatureScheme, SymmetricDefinitionObject,
+        VerifiedTicket,
     },
     tcti_ldr::TctiNameConf,
-    utils::{create_restricted_decryption_rsa_public, PublicKey, TpmsContext},
+    utils::{create_restricted_decryption_rsa_public, PublicKey},
     Context, Error, Result, ReturnCode, WrapperErrorKind as ErrorKind,
 };
 
@@ -341,7 +342,7 @@ impl TransientKeyContext {
     /// just a public key.
     pub fn migrate_key_from_ctx(
         &mut self,
-        context: TpmsContext,
+        context: SavedTpmContext,
         auth: Option<Auth>,
     ) -> Result<KeyMaterial> {
         self.set_session_attrs()?;

diff --git a/tss-esapi/src/context/tpm_commands/context_management.rs b/tss-esapi/src/context/tpm_commands/context_management.rs
@@ -4,12 +4,12 @@ use crate::{
     context::handle_manager::HandleDropAction,
     handles::{handle_conversion::TryIntoNotNone, AuthHandle, ObjectHandle, PersistentTpmHandle},
     interface_types::{data_handles::Persistent, reserved_handles::Provision},
+    structures::SavedTpmContext,
     tss2_esys::{Esys_ContextLoad, Esys_ContextSave, Esys_EvictControl, Esys_FlushContext},
-    utils::TpmsContext,
     Context, Result, ReturnCode,
 };
 use log::error;
-use std::convert::{TryFrom, TryInto};
+use std::convert::TryFrom;
 use std::ptr::null_mut;
 
 impl Context {
@@ -18,32 +18,27 @@ impl Context {
     /// # Errors
     /// * if conversion from `TPMS_CONTEXT` to `TpmsContext` fails, a `WrongParamSize` error will
     /// be returned
-    pub fn context_save(&mut self, handle: ObjectHandle) -> Result<TpmsContext> {
+    pub fn context_save(&mut self, handle: ObjectHandle) -> Result<SavedTpmContext> {
         let mut context_ptr = null_mut();
         ReturnCode::ensure_success(
             unsafe { Esys_ContextSave(self.mut_context(), handle.into(), &mut context_ptr) },
             |ret| {
                 error!("Error in saving context: {:#010X}", ret);
             },
         )?;
-        TpmsContext::try_from(Context::ffi_data_to_owned(context_ptr))
+        SavedTpmContext::try_from(Context::ffi_data_to_owned(context_ptr))
     }
 
     /// Load a previously saved context into the TPM and return the object handle.
     ///
     /// # Errors
     /// * if conversion from `TpmsContext` to the native `TPMS_CONTEXT` fails, a `WrongParamSize`
     /// error will be returned
-    pub fn context_load(&mut self, context: TpmsContext) -> Result<ObjectHandle> {
+    pub fn context_load(&mut self, context: SavedTpmContext) -> Result<ObjectHandle> {
         let mut esys_loaded_handle = ObjectHandle::None.into();
+        let tpm_context = context.into();
         ReturnCode::ensure_success(
-            unsafe {
-                Esys_ContextLoad(
-                    self.mut_context(),
-                    &context.try_into()?,
-                    &mut esys_loaded_handle,
-                )
-            },
+            unsafe { Esys_ContextLoad(self.mut_context(), &tpm_context, &mut esys_loaded_handle) },
             |ret| {
                 error!("Error in loading context: {:#010X}", ret);
             },

diff --git a/tss-esapi/src/interface_types/data_handles.rs b/tss-esapi/src/interface_types/data_handles.rs
@@ -1,3 +1,5 @@
+// Copyright 2020 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
 /// This module contains native representations of the TPMI_DH types.
 use crate::{
     handles::{
@@ -8,6 +10,7 @@ use crate::{
     Error, Result, WrapperErrorKind,
 };
 use std::convert::TryFrom;
+
 /// Enum representing the 'Object' data handles interface type.
 ///
 /// # Details
@@ -70,8 +73,7 @@ pub enum Pcr {
 /// Enum representing the 'Context' data handles interface type.
 ///
 /// # Details
-/// This corresponds to the TPMI_DH_CONTEXT interface type.
-/// This corresponds to the TPMI_DH_CONTEXT interface type. This only
+/// This corresponds to the `TPMI_DH_CONTEXT` interface type. This only
 /// exist for compatibility purposes the specification is not entirely
 /// clear on whether this should still be used or be completely replaced by
 /// [Saved].
@@ -116,13 +118,18 @@ impl TryFrom<TPMI_DH_CONTEXT> for ContextDataHandle {
 /// Enum representing the 'Saved' data handles interface type.
 ///
 /// # Details
-/// This corresponds to the TPMI_DH_SAVED interface type.
+/// This corresponds to the `TPMI_DH_SAVED` interface type.
 #[derive(Debug, Copy, Clone, Eq, PartialEq)]
 pub enum Saved {
+    /// A HMAC session context.
     Hmac(HmacSessionTpmHandle),
+    /// A policy session context.
     Policy(PolicySessionTpmHandle),
+    /// An ordinary transient object.
     Transient,
+    /// A sequence object.
     Sequence,
+    /// A transient object with stClear attribute SET.
     TransientClear,
 }
 
@@ -162,3 +169,15 @@ impl TryFrom<TPMI_DH_SAVED> for Saved {
         })
     }
 }
+
+impl From<Saved> for TPMI_DH_SAVED {
+    fn from(native: Saved) -> TPMI_DH_SAVED {
+        match native {
+            Saved::Hmac(handle) => handle.into(),
+            Saved::Policy(handle) => handle.into(),
+            Saved::Transient => TransientTpmHandle::SavedTransient.into(),
+            Saved::Sequence => TransientTpmHandle::SavedSequence.into(),
+            Saved::TransientClear => TransientTpmHandle::SavedTransientClear.into(),
+        }
+    }
+}
diff --git a/tss-esapi/src/structures/buffers.rs b/tss-esapi/src/structures/buffers.rs
@@ -390,3 +390,12 @@ pub mod symmetric_key {
 pub mod timeout {
     buffer_type!(Timeout, 8, TPM2B_TIMEOUT);
 }
+
+pub mod tpm_context_data {
+    use crate::tss2_esys::TPMS_CONTEXT_DATA;
+    buffer_type!(
+        TpmContextData,
+        std::mem::size_of::<TPMS_CONTEXT_DATA>(),
+        TPM2B_CONTEXT_DATA
+    );
+}
diff --git a/tss-esapi/src/structures/mod.rs b/tss-esapi/src/structures/mod.rs
@@ -41,7 +41,7 @@ pub use self::buffers::{
     private_key_rsa::PrivateKeyRsa, private_vendor_specific::PrivateVendorSpecific,
     public::PublicBuffer, public_key_rsa::PublicKeyRsa, sensitive::SensitiveBuffer,
     sensitive_create::SensitiveCreateBuffer, sensitive_data::SensitiveData,
-    symmetric_key::SymmetricKey, timeout::Timeout,
+    symmetric_key::SymmetricKey, timeout::Timeout, tpm_context_data::TpmContextData,
 };
 /////////////////////////////////////////////////////////
 /// The creation section
@@ -212,3 +212,8 @@ pub use nv::storage::{NvPublic, NvPublicBuilder};
 /////////////////////////////////////////////////////////
 mod algorithm;
 pub use algorithm::symmetric::sensitive_create::SensitiveCreate;
+/////////////////////////////////////////////////////////
+/// TPM context structures
+/////////////////////////////////////////////////////////
+mod tpm_context;
+pub use tpm_context::SavedTpmContext;
diff --git a/tss-esapi/src/structures/tagged/public.rs b/tss-esapi/src/structures/tagged/public.rs
@@ -495,7 +495,7 @@ impl TryFrom<TPMT_PUBLIC> for Public {
 impl_mu_standard!(Public, TPMT_PUBLIC);
 
 impl Serialize for Public {
-    /// Serialise the [Public] data into it's bytes representation of the TCG
+    /// Serialize the [Public] data into it's bytes representation of the TCG
     /// TPMT_PUBLIC structure.
     fn serialize<S>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error>
     where

diff --git a/tss-esapi/src/structures/tpm_context.rs b/tss-esapi/src/structures/tpm_context.rs
@@ -0,0 +1,104 @@
+// Copyright 2024 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+use crate::{
+    handles::TpmHandle,
+    interface_types::{data_handles::Saved, reserved_handles::Hierarchy},
+    structures::TpmContextData,
+    traits::impl_mu_standard,
+    traits::{Marshall, UnMarshall},
+    tss2_esys::TPMS_CONTEXT,
+    Error, Result,
+};
+use serde::{Deserialize, Deserializer, Serialize, Serializer};
+use std::convert::TryFrom;
+
+/// Structure holding the content of a TPM context.
+#[derive(Debug, Clone)]
+pub struct SavedTpmContext {
+    sequence: u64,
+    saved_handle: Saved,
+    hierarchy: Hierarchy,
+    context_blob: TpmContextData,
+}
+
+impl SavedTpmContext {
+    /// The sequence parameter
+    ///
+    /// # Details
+    /// "The sequence parameter is used to differentiate the contexts and to allow the TPM to create a different
+    ///  encryption key for each context."
+    pub const fn sequence(&self) -> u64 {
+        self.sequence
+    }
+
+    /// The saved handle.
+    pub const fn saved_handle(&self) -> Saved {
+        self.saved_handle
+    }
+
+    /// The hierarchy for the saved context.
+    pub const fn hierarchy(&self) -> Hierarchy {
+        self.hierarchy
+    }
+
+    /// The context blob.
+    ///
+    /// # Details
+    /// "This is the hierarchy ([Hierarchy]) for the saved context and determines the proof value used
+    ///  in the construction of the encryption and integrity values for the context. For session and sequence
+    ///  contexts, the hierarchy is [Hierarchy::Null]. The hierarchy for a transient object may be [Hierarchy::Null]
+    ///  but it is not required."
+    pub fn context_blob(&self) -> &TpmContextData {
+        &self.context_blob
+    }
+}
+
+impl TryFrom<TPMS_CONTEXT> for SavedTpmContext {
+    type Error = Error;
+
+    fn try_from(tss: TPMS_CONTEXT) -> Result<SavedTpmContext> {
+        Ok(SavedTpmContext {
+            sequence: tss.sequence,
+            saved_handle: Saved::try_from(tss.savedHandle)?,
+            hierarchy: TpmHandle::try_from(tss.hierarchy).and_then(Hierarchy::try_from)?,
+            context_blob: TpmContextData::try_from(tss.contextBlob)?,
+        })
+    }
+}
+
+impl From<SavedTpmContext> for TPMS_CONTEXT {
+    fn from(native: SavedTpmContext) -> TPMS_CONTEXT {
+        TPMS_CONTEXT {
+            sequence: native.sequence,
+            savedHandle: native.saved_handle.into(),
+            hierarchy: TpmHandle::from(native.hierarchy).into(),
+            contextBlob: native.context_blob.into(),
+        }
+    }
+}
+
+impl_mu_standard!(SavedTpmContext, TPMS_CONTEXT);
+
+impl Serialize for SavedTpmContext {
+    /// Serialize the [SavedTpmContext] data into it's bytes representation of the TCG
+    /// TPMS_CONTEXT structure.
+    fn serialize<S>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        let bytes = self.marshall().map_err(serde::ser::Error::custom)?;
+        serializer.serialize_bytes(&bytes)
+    }
+}
+
+impl<'de> Deserialize<'de> for SavedTpmContext {
+    /// Deserialize the [SavedTpmContext] data from it's bytes representation of the TCG
+    /// TPMS_CONTEXT structure.
+    fn deserialize<D>(deserializer: D) -> std::result::Result<Self, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let bytes = <Vec<u8>>::deserialize(deserializer)?;
+        Self::unmarshall(&bytes).map_err(serde::de::Error::custom)
+    }
+}
diff --git a/tss-esapi/src/utils/mod.rs b/tss-esapi/src/utils/mod.rs
@@ -19,76 +19,10 @@ use crate::structures::{
     EccPoint, EccScheme, Public, PublicBuilder, PublicEccParametersBuilder, PublicKeyRsa,
     PublicRsaParametersBuilder, RsaExponent, RsaScheme, SymmetricDefinitionObject,
 };
-use crate::tss2_esys::*;
 use crate::{Context, Error, Result, WrapperErrorKind};
 use serde::{Deserialize, Serialize};
-use std::convert::{TryFrom, TryInto};
-use zeroize::{Zeroize, ZeroizeOnDrop};
-
-/// Rust native wrapper for `TPMS_CONTEXT` objects.
-///
-/// This structure is intended to help with persisting object contexts. As the main reason for
-/// saving the context of an object is to be able to reuse it later, on demand, a serializable
-/// structure is most commonly needed. `TpmsContext` implements the `Serialize` and `Deserialize`
-/// defined by `serde`.
-#[derive(Debug, Serialize, Deserialize, Clone, Zeroize, ZeroizeOnDrop)]
-pub struct TpmsContext {
-    sequence: u64,
-    saved_handle: TPMI_DH_CONTEXT,
-    hierarchy: TPMI_RH_HIERARCHY,
-    context_blob: Vec<u8>,
-}
-
-impl TpmsContext {
-    /// Get a reference to the `context_blob` field
-    pub fn context_blob(&self) -> &Vec<u8> {
-        &self.context_blob
-    }
-}
-
-// TODO: Replace with `From`
-impl TryFrom<TPMS_CONTEXT> for TpmsContext {
-    type Error = Error;
-
-    fn try_from(tss2_context: TPMS_CONTEXT) -> Result<Self> {
-        let mut context = TpmsContext {
-            sequence: tss2_context.sequence,
-            saved_handle: tss2_context.savedHandle,
-            hierarchy: tss2_context.hierarchy,
-            context_blob: tss2_context.contextBlob.buffer.to_vec(),
-        };
-        context
-            .context_blob
-            .truncate(tss2_context.contextBlob.size.into());
-        Ok(context)
-    }
-}
-
-#[allow(clippy::needless_update)]
-impl TryFrom<TpmsContext> for TPMS_CONTEXT {
-    type Error = Error;
-
-    fn try_from(context: TpmsContext) -> Result<Self> {
-        let buffer_size = context.context_blob.len();
-        if buffer_size > 5188 {
-            return Err(Error::local_error(WrapperErrorKind::WrongParamSize));
-        }
-        let mut buffer = [0_u8; 5188];
-        for (i, val) in context.context_blob.iter().enumerate() {
-            buffer[i] = *val;
-        }
-        Ok(TPMS_CONTEXT {
-            sequence: context.sequence,
-            savedHandle: context.saved_handle,
-            hierarchy: context.hierarchy,
-            contextBlob: TPM2B_CONTEXT_DATA {
-                size: buffer_size.try_into().unwrap(), // should not panic given the check above
-                buffer,
-            },
-            ..Default::default()
-        })
-    }
-}
+use std::convert::TryFrom;
+use zeroize::Zeroize;
 
 /// Create the [Public] structure for a restricted decryption key.
 ///

diff --git a/tss-esapi/tests/integration_tests/common/tpm2b_types_equality_checks.rs b/tss-esapi/tests/integration_tests/common/tpm2b_types_equality_checks.rs
@@ -1,8 +1,8 @@
 // Copyright 2022 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 use tss_esapi::tss2_esys::{
-    TPM2B_AUTH, TPM2B_DATA, TPM2B_DIGEST, TPM2B_MAX_NV_BUFFER, TPM2B_NAME, TPM2B_SENSITIVE_CREATE,
-    TPM2B_SENSITIVE_DATA,
+    TPM2B_AUTH, TPM2B_CONTEXT_DATA, TPM2B_DATA, TPM2B_DIGEST, TPM2B_MAX_NV_BUFFER, TPM2B_NAME,
+    TPM2B_SENSITIVE_CREATE, TPM2B_SENSITIVE_DATA,
 };
 
 macro_rules! ensure_sized_buffer_equality {
@@ -60,3 +60,10 @@ pub fn ensure_tpm2b_sensitive_create_equality(
     );
     crate::common::ensure_tpms_sensitive_create_equality(&expected.sensitive, &actual.sensitive);
 }
+
+pub fn ensure_tpm2b_context_data_equality(
+    expected: &TPM2B_CONTEXT_DATA,
+    actual: &TPM2B_CONTEXT_DATA,
+) {
+    ensure_sized_buffer_equality!(expected, actual, buffer, TPM2B_CONTEXT_DATA);
+}