diff --git a/TpmApi.py b/TpmApi.py new file mode 100644 index 0000000..32d1151 --- /dev/null +++ b/TpmApi.py @@ -0,0 +1,120 @@ +from pytss import tspi_defines +import pytss +from pytss import * +import pytss.tspi_exceptions as tspi_exceptions +import uuid +from pytss.tspi_defines import * +import binascii + +srk_uuid = uuid.UUID('{00000000-0000-0000-0000-000000000001}') +keyFlags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE +srkSecret = bytearray([0] * 20) +ownerSecret = bytearray([0] * 20) + +def idxToUUID(idx): + return uuid.UUID('{'+str(idx).zfill(8)+'-0000-0000-0000-000000000001}') + +def getSrkKey(context): + srk= context.load_key_by_uuid(TSS_PS_TYPE_SYSTEM, srk_uuid) + srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) + srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + return srk + +def getMasterkeyNumberArray(): + return [77, 65, 83, 84, 69, 82, 75, 69, 89] + +def getMasterkeyNumberArrayOne(): + return [77, 65, 83, 84, 69, 82, 75, 69, 89,49] + +def clearKeys(context): + try: + k1 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) + k1.unregisterKey() + k2 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,new_uuid) + k2.unregisterKey() + except: + pass + +def get_current_key(idx): + context=TspiContext() + context.connect() + srk = getSrkKey(context) + k= context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) + return k + +def get_new_key_and_replace_current(idx,first_run=False): + + context=TspiContext() + context.connect() + srk = getSrkKey(context) + + if first_run==True: + k=context.create_wrap_key(keyFlags,srk.get_handle()) + k.load_key() + k.registerKey(idxToUUID(idx),srk_uuid) + return k + else: + kOld=context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) + kNew=context.create_wrap_key(keyFlags,srk.get_handle()) + kOld.unregisterKey() + kNew.registerKey(idxToUUID(idx),srk_uuid) + kNew.load_key() + return kNew + +def get_registered_keys(): + + context=TspiContext() + context.connect() + keys=context.list_keys() + keys.remove(str(srk_uuid)) + indexes=[] + for k in keys: + #cut away leading 0 + indexes.append(str(int(k.split("-")[0]))) + return indexes + +def is_key_registered_to_idx(idx): + return str(idx) in get_registered_keys() + +def get_status(): + context=TspiContext() + context.connect() + take_ownership(context) + srk = getSrkKey(context) + tpm = context.get_tpm_object() + versionInfo = binascii.b2a_qp(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,0)).decode("ascii").split("=") + chipVer=".".join(versionInfo[2:7]) + specLvl=versionInfo[7] + vendor=versionInfo[8] + statusStr="" + statusStr+=("ChipVersion={},SpecLevel={},SpecRevision={},Vendor={}".format(chipVer,specLvl,vendor[0:2],vendor[2:])) + tpmver=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION,0)).decode("ascii") + manufactInfo=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROP_MANUFACTURER,tss_lib.TSS_TCSCAP_PROP_MANUFACTURER_STR)).decode("ascii") + statusStr+=(",TPMVer={},ManufacturInfo={}".format(tpmver,manufactInfo)) + + maxkeyslots = binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_SLOTS)).decode("ascii") + maxKeys=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXKEYS)).decode("ascii") + maxSess=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXSESSIONS)).decode("ascii") + maxContexts=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXCONTEXTS)).decode("ascii") + maxInputBuffer=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE)).decode("ascii") + maxNVavail=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE)).decode("ascii") + statusStr+=(",KeySlots={},MaxKeys={},MaxSess={},MaxContexts={},InputBufferSize={},MaxNVSpace={}".format(maxkeyslots,maxKeys,maxSess,maxContexts,maxInputBuffer,maxNVavail)) + + #nvIndices=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,0)).decode("ascii") + algsrsa=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_RSA)).decode("ascii") + algsdes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_DES)).decode("ascii") + algs3des=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_3DES)).decode("ascii") + algssha=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA)).decode("ascii") + #algssha256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA256)).decode("ascii") + algshmac=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_HMAC)).decode("ascii") + algsaes128=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES128)).decode("ascii") + algsmgf1=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_MGF1)).decode("ascii") + algsaes192=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES192)).decode("ascii") + algsaes256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES256)).decode("ascii") + algsxor=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_XOR)).decode("ascii") + algsaes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES)).decode("ascii") + statusStr+=(",RSA={},DES={},3DES={},SHA-1={},HMAC={},AES128={},MGF1={},AES192={},AES256={},XOR={},AES={}".format(algsrsa,algsdes,algs3des,algssha,algshmac,algsaes128,algsmgf1,algsaes192,algsaes256,algsxor,algsaes)) + flags=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_FLAG,0)).decode("ascii") + statusStr+=(",Flags={}".format(flags)) + statusStr+=",RegisteredKeys={}".format(get_registered_keys(context)) + return statusStr diff --git a/init_tpm.py b/init_tpm.py new file mode 100644 index 0000000..c9c3971 --- /dev/null +++ b/init_tpm.py @@ -0,0 +1,30 @@ +from pytss import tspi_defines +import pytss +from pytss import * +import pytss.tspi_exceptions as tspi_exceptions +from pytss.tspi_defines import * + +srkSecret = bytearray([0] * 20) +ownerSecret = bytearray([0] * 20) + +def take_ownership(): + """Take ownership of a TPM + :param context: The TSS context to use + :returns: True on ownership being taken, False if the TPM is already owned + """ + context=TspiContext() + context.connect() + tpm = context.get_tpm_object() + tpmpolicy = tpm.get_policy_object(TSS_POLICY_USAGE) + tpmpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + + srk = context.create_rsa_key(TSS_KEY_TSP_SRK | TSS_KEY_AUTHORIZATION) + srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) + srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, ownerSecret) + + try: + tpm.take_ownership(srk) + except tspi_exceptions.TPM_E_DISABLED_CMD: + return False + + return True diff --git a/pytss/__init__.py b/pytss/__init__.py index eb75f22..1de1dfb 100644 --- a/pytss/__init__.py +++ b/pytss/__init__.py @@ -1,7 +1,9 @@ -from interface import tss_lib, ffi -import tspi_exceptions -import hashlib +from pytss.interface import tss_lib, ffi +import pytss.tspi_exceptions +import hashlib +import struct +import uuid def uuid_to_tss_uuid(uuid): """Converts a Python UUID into a TSS UUID""" @@ -20,7 +22,13 @@ def uuid_to_tss_uuid(uuid): return tss_uuid - +def tss_uuid_to_uuid(tss_uuid): + """Converts a TSS UUID to a Python UUID""" + node = struct.unpack(">Q", ffi.buffer(tss_uuid.rgbNode, 6)[:].rjust(8, '\00'.encode("ascii")))[0] + return uuid.UUID( + fields=(tss_uuid.ulTimeLow, tss_uuid.usTimeMid, tss_uuid.usTimeHigh, + tss_uuid.bClockSeqHigh, tss_uuid.bClockSeqLow, node) + ) class TspiObject(object): def __init__(self, context, ctype, tss_type, flags, handle=None): """ @@ -221,7 +229,6 @@ def sign(self, key): tss_lib.Tspi_Hash_Sign(self.get_handle(), key.get_handle(), csig_size, csig_data) return ffi.buffer(csig_data[0], csig_size[0]) - class TspiKey(TspiObject): def __init__(self, context, flags, handle=None): self.context = context @@ -236,6 +243,76 @@ def __del__(self): # operation except tspi_exceptions.TSS_E_INVALID_HANDLE: pass + except tspi_exceptions.TSS_E_KEY_NOT_LOADED: + pass + except tspi_exceptions.TPM_E_FAIL: + pass + def registerKey(self,keyUUID,parentUUID): + '''TSS_RESULT Tspi_Context_RegisterKey(TSS_HCONTEXT hContext, TSS_HKEY hKey, + TSS_FLAG persistentStorageType, TSS_UUID uuidKey, + TSS_FLAG persistentStorageTypeParent, TSS_UUID uuidParentKey);''' + self.uuid=uuid_to_tss_uuid(keyUUID) + tss_lib.Tspi_Context_RegisterKey(self.context,self.get_handle(), + tss_lib.TSS_PS_TYPE_SYSTEM, self.uuid, + tss_lib.TSS_PS_TYPE_SYSTEM, uuid_to_tss_uuid(parentUUID)) + return + def unregisterKey(self,uuid=None): + '''TSS_RESULT Tspi_Context_UnregisterKey(TSS_HCONTEXT hContext, TSS_FLAG persistentStorageType, + TSS_UUID uuidKey, TSS_HKEY* phKey);''' + if uuid is None: + tss_lib.Tspi_Context_UnregisterKey(self.context, tss_lib.TSS_PS_TYPE_SYSTEM, + self.uuid, self.handle) + else: + tss_lib.Tspi_Context_UnregisterKey(self.context, tss_lib.TSS_PS_TYPE_SYSTEM, + uuid_to_tss_uuid(uuid), self.handle) + #tss_lib.Tspi_Context_UnRegisterKey + return + + def bind(self,data): + """ + Seal data to the local TPM using this key + + :param data: The data to seal + + :returns: a bytearray of the encrypted data + """ + encdata = TspiObject(self.context, 'TSS_HENCDATA *', + tss_lib.TSS_OBJECT_TYPE_ENCDATA, + tss_lib.TSS_ENCDATA_BIND) + + cdata = ffi.new('BYTE[]', len(data)) + for i in range(len(data)): + cdata[i] = data[i] + + tss_lib.Tspi_Data_Bind(encdata.get_handle(), self.get_handle(), + len(data), cdata) + blob = encdata.get_attribute_data(tss_lib.TSS_TSPATTRIB_ENCDATA_BLOB, + tss_lib.TSS_TSPATTRIB_ENCDATABLOB_BLOB) + return bytearray(blob) + + def unbind(self, data): + """ + Unbind data from the local TPM using this key + + :param data: The data to unbind + + :returns: a bytearray of the unencrypted data + """ + encdata = TspiObject(self.context, 'TSS_HENCDATA *', + tss_lib.TSS_OBJECT_TYPE_ENCDATA, + tss_lib.TSS_ENCDATA_BIND) + + encdata.set_attribute_data(tss_lib.TSS_TSPATTRIB_ENCDATA_BLOB, + tss_lib.TSS_TSPATTRIB_ENCDATABLOB_BLOB, data) + + bloblen = ffi.new('UINT32 *') + blob = ffi.new('BYTE **') + + tss_lib.Tspi_Data_Unbind(encdata.get_handle(), self.get_handle(), + bloblen, blob) + ret = bytearray(blob[0][0:bloblen[0]]) + tss_lib.Tspi_Context_FreeMemory(self.context, blob[0]) + return ret def set_modulus(self, n): """ @@ -336,6 +413,9 @@ def __init__(self, context): self.handle = tpm self.context = context + def load_key_by_handle(self, keyHandle, wrappingKeyHandle): + tss_lib.Tspi_Key_LoadKey(keyHandle, wrappingKeyHandle) + def collate_identity_request(self, srk, pubkey, aik): """ Generate everything required to authenticate the TPM to a third party @@ -368,10 +448,15 @@ def get_capability(self, cap, sub): """ resp = ffi.new('BYTE **') resplen = ffi.new('UINT32 *') - csub = ffi.new('BYTE []', len(sub)) + ''' csub = ffi.new('BYTE []', len(sub)) for i in range(len(sub)): csub[i] = sub[i] - tss_lib.Tspi_TPM_Getcapability(self.handle[0], cap, len(sub), csub, + ''' + csub = ffi.new('BYTE [4]') + bytearr = [hex(sub >> i & 0xff) for i in (0,8,16,24)] + for i in range(4): + csub[i] =int(bytearr[i],16) + tss_lib.Tspi_TPM_GetCapability(self.handle[0], cap,4, csub, resplen, resp) ret = bytearray(resp[0][0:resplen[0]]) tss_lib.Tspi_Context_FreeMemory(self.context, resp[0]) @@ -474,6 +559,18 @@ def extend_pcr(self, pcr, data, event): tss_lib.Tspi_Context_FreeMemory(self.context, blob[0]) return ret +class TspiWrapKey(TspiKey): + def __init__(self, context, flags, wrappingKeyHandle): + self.context = context + self.parent=wrappingKeyHandle + super(TspiWrapKey, self).__init__(self.context, flags) + blaa = self.get_handle() + tss_lib.Tspi_Key_CreateKey(self.get_handle(),self.parent,0) + self.load_key() + + def load_key(self): + tss_lib.Tspi_Key_LoadKey(self.get_handle(), self.parent) + class TspiContext(): def __init__(self): self.context = ffi.new('TSS_HCONTEXT *') @@ -536,6 +633,10 @@ def create_hash(self, flags): obj = TspiHash(self.context, flags) return obj + def create_wrap_key(self,flags,wrappingkeyHandle): + obj = TspiWrapKey(self.context,flags,wrappingkeyHandle) + return obj + def create_rsa_key(self, flags): """ Create a Tspi key object associated with this context @@ -559,6 +660,7 @@ def load_key_by_uuid(self, storagetype, uuid): tss_lib.Tspi_Context_LoadKeyByUUID(self.context, storagetype, tss_uuid, tss_key) key = TspiKey(self.context, None, handle=tss_key) + key.uuid=tss_uuid return key def load_key_by_blob(self, srk, blob): @@ -582,7 +684,19 @@ def load_key_by_blob(self, srk, blob): def get_tpm_object(self): """Returns the TspiTPM associated with this context""" return self.tpm - + def list_keys(self): + """ + Return a tuple of uuid.UUID instances and storagetype values for all + available keys on the TPM. from @nresare + """ + count = ffi.new('UINT32 *') + key_info_value = ffi.new('TSS_KM_KEYINFO2**') + tss_lib.Tspi_Context_GetRegisteredKeysByUUID2(self.context, 1, ffi.NULL, count, key_info_value) + values = [] + for i in range(count[0]): + key_info = key_info_value[0][i] + values.append(str(tss_uuid_to_uuid(key_info.keyUUID))) + return values def _c_byte_array(data): """ @@ -592,7 +706,7 @@ def _c_byte_array(data): the contents of data """ cdata = ffi.new('BYTE []', len(data)) - if isinstance(data, basestring): + if isinstance(data, str): data = bytearray(data) for i in range(len(data)): cdata[i] = data[i] diff --git a/pytss/attestationutils.py b/pytss/attestationutils.py index 868deba..63805b6 100644 --- a/pytss/attestationutils.py +++ b/pytss/attestationutils.py @@ -437,12 +437,12 @@ def get_ekcert(context): # Verify that the certificate is well formed tag = blob[0] << 8 | blob[1] if tag != 0x1001: - print "Invalid tag %x %x\n" % (blob[0], blob[1]) + print("Invalid tag %x %x\n" % (blob[0], blob[1])) return None certtype = blob[2] if certtype != 0: - print "Not a full certificate\n" + print("Not a full certificate\n") return None ekbuflen = blob[3] << 8 | blob[4] @@ -450,7 +450,7 @@ def get_ekcert(context): blob = nv.read_value(offset, 2) if len(blob) < 2: - print "Invalid length" + print("Invalid length") return None tag = blob[0] << 8 | blob[1] @@ -458,7 +458,7 @@ def get_ekcert(context): offset += 2 ekbuflen -= 2 elif blob[0] != 0x30: - print "Invalid header %x %x" % (blob[0], blob[1]) + print("Invalid header %x %x" % (blob[0], blob[1])) return None ekbuf = bytearray() diff --git a/pytss/interface.py b/pytss/interface.py index 02d5363..f0c99be 100644 --- a/pytss/interface.py +++ b/pytss/interface.py @@ -1,6 +1,6 @@ import functools import os -from tspi_exceptions import * +from pytss.tspi_exceptions import * from cffi import FFI, VerificationError INTERFACE_H = os.path.dirname(os.path.abspath(__file__)) + '/interface.h' diff --git a/pytss/tspi_defines.py b/pytss/tspi_defines.py index 6e87d23..ae86686 100644 --- a/pytss/tspi_defines.py +++ b/pytss/tspi_defines.py @@ -1,4 +1,5 @@ -from interface import tss_lib + +from pytss.interface import tss_lib TSS_NV_DEFINED = tss_lib.TSS_NV_DEFINED TPM_NV_INDEX_LOCK = tss_lib.TPM_NV_INDEX_LOCK diff --git a/testTSS.py b/testTSS.py new file mode 100644 index 0000000..57ceefb --- /dev/null +++ b/testTSS.py @@ -0,0 +1,306 @@ +from pytss import tspi_defines +import pytss +from pytss import * +import pytss.tspi_exceptions as tspi_exceptions +import uuid +from pytss.tspi_defines import * +import binascii + +import os.path +import struct + +#from tspi_defines import * +#import interface +#from interface import tss_lib +#help(pytss) +srk_uuid = uuid.UUID('{00000000-0000-0000-0000-000000000001}') +old_uuid = uuid.UUID('{10000000-0000-0000-0000-000000000001}') +new_uuid = uuid.UUID('{20000000-0000-0000-0000-000000000001}') +masterKeyFilePath= "masterkey" + +keyFlags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE + +srkSecret = bytearray([0] * 20) +def idxToUUID(idx): + return uuid.UUID('{'+str(idx).zfill(8)+'-0000-0000-0000-000000000001}') + +def take_ownership(context): + """Take ownership of a TPM + :param context: The TSS context to use + :returns: True on ownership being taken, False if the TPM is already owned + """ + + tpm = context.get_tpm_object() + tpmpolicy = tpm.get_policy_object(TSS_POLICY_USAGE) + tpmpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + + srk = context.create_rsa_key(TSS_KEY_TSP_SRK | TSS_KEY_AUTHORIZATION) + srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) + srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + + try: + tpm.take_ownership(srk) + except tspi_exceptions.TPM_E_DISABLED_CMD: + return False + + return True + +def getSrkKey(context): + srk= context.load_key_by_uuid(TSS_PS_TYPE_SYSTEM, srk_uuid) + srkpolicy = srk.get_policy_object(TSS_POLICY_USAGE) + srkpolicy.set_secret(TSS_SECRET_MODE_SHA1, srkSecret) + return srk + +def getMasterkeyNumberArray(): + #return "MASTERKEY" + return [77, 65, 83, 84, 69, 82, 75, 69, 89] +def getMasterkeyNumberArrayOne(): + #return "MASTERKEY1" + return [77, 65, 83, 84, 69, 82, 75, 69, 89,49] +def clearKeys(context): + try: + k1 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) + k1.unregisterKey() + k2 = context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,new_uuid) + k2.unregisterKey() + except: + pass + +def get_current_key(idx,context=None): + if context is None: + context=TspiContext() + context.connect() + take_ownership(context) + srk = getSrkKey(context) + k= context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) + return k + +def get_new_key_and_replace_current(idx,context=None,first_run=False): + if context is None: + context=TspiContext() + context.connect() + take_ownership(context) + srk = getSrkKey(context) + + if first_run==True: + k=context.create_wrap_key(keyFlags,srk.get_handle()) + k.load_key() + k.registerKey(idxToUUID(idx),srk_uuid) + return k + else: + kOld=context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,idxToUUID(idx)) + kNew=context.create_wrap_key(keyFlags,srk.get_handle()) + kOld.unregisterKey() + kNew.registerKey(idxToUUID(idx),srk_uuid) + kNew.load_key() + return kNew + +''' +#define TSS_TPMCAP_PROP_MAXNVAVAILABLE (0x2d) +#define TSS_TPMCAP_PROP_INPUTBUFFERSIZE (0x2e) +''' +def get_registered_keys(context=None): + if context is None: + context=TspiContext() + context.connect() + take_ownership(context) + keys=context.list_keys() + keys.remove(str(srk_uuid)) + indexes=[] + #print("ks:{}".format(keys)) + for k in keys: + #cut away leading 0 + indexes.append(str(int(k.split("-")[0]))) + #print(indexes) + return indexes +def is_key_registered_to_idx(idx): + return str(idx) in get_registered_keys() +def get_status(): + context=TspiContext() + context.connect() + take_ownership(context) + srk = getSrkKey(context) + tpm = context.get_tpm_object() + #get_new_key_and_replace_current(10,context,True) + versionInfo = binascii.b2a_qp(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,0)).decode("ascii").split("=") + #print(versionInfo) + #chipVer=binascii.hexlify(versionInfo[5:6]).decode("utf-8") + chipVer=".".join(versionInfo[2:7]) + specLvl=versionInfo[7] + vendor=versionInfo[8] + statusStr="" + statusStr+=("ChipVersion={},SpecLevel={},SpecRevision={},Vendor={}".format(chipVer,specLvl,vendor[0:2],vendor[2:])) + tpmver=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION,0)).decode("ascii") + manufactInfo=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROP_MANUFACTURER,tss_lib.TSS_TCSCAP_PROP_MANUFACTURER_STR)).decode("ascii") + statusStr+=(",TPMVer={},ManufacturInfo={}".format(tpmver,manufactInfo)) + + maxkeyslots = binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_SLOTS)).decode("ascii") + maxKeys=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXKEYS)).decode("ascii") + maxSess=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXSESSIONS)).decode("ascii") + maxContexts=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXCONTEXTS)).decode("ascii") + maxInputBuffer=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE)).decode("ascii") + maxNVavail=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE)).decode("ascii") + statusStr+=(",KeySlots={},MaxKeys={},MaxSess={},MaxContexts={},InputBufferSize={},MaxNVSpace={}".format(maxkeyslots,maxKeys,maxSess,maxContexts,maxInputBuffer,maxNVavail)) + + #nvIndices=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,0)).decode("ascii") + + #print("{}".format(nvIndices)) + + algsrsa=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_RSA)).decode("ascii") + algsdes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_DES)).decode("ascii") + algs3des=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_3DES)).decode("ascii") + algssha=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA)).decode("ascii") + #algssha256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA256)).decode("ascii") + algshmac=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_HMAC)).decode("ascii") + algsaes128=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES128)).decode("ascii") + algsmgf1=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_MGF1)).decode("ascii") + algsaes192=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES192)).decode("ascii") + algsaes256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES256)).decode("ascii") + algsxor=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_XOR)).decode("ascii") + algsaes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES)).decode("ascii") + statusStr+=(",RSA={},DES={},3DES={},SHA-1={},HMAC={},AES128={},MGF1={},AES192={},AES256={},XOR={},AES={}".format(algsrsa,algsdes,algs3des,algssha,algshmac,algsaes128,algsmgf1,algsaes192,algsaes256,algsxor,algsaes)) + flags=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_FLAG,0)).decode("ascii") + statusStr+=(",Flags={}".format(flags)) + return statusStr +def demo(): + print("Hi from Python-TPM interface!") + print("establishing connection to TPM") + context=TspiContext() + context.connect() + take_ownership(context) + srk = getSrkKey(context) + tpm = context.get_tpm_object() + #get_new_key_and_replace_current(10,context,True) + versionInfo = binascii.b2a_qp(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,0)).decode("ascii").split("=") + #print(versionInfo) + #chipVer=binascii.hexlify(versionInfo[5:6]).decode("utf-8") + chipVer=".".join(versionInfo[2:7]) + specLvl=versionInfo[7] + vendor=versionInfo[8] + print("ChipVersion={},SpecLevel={},SpecRevision={},Vendor={}".format(chipVer,specLvl,vendor[0:2],vendor[2:])) + tpmver=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION,0)).decode("ascii") + manufactInfo=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROP_MANUFACTURER,tss_lib.TSS_TCSCAP_PROP_MANUFACTURER_STR)).decode("ascii") + print("TPMVer={},ManufacturInfo={}".format(tpmver,manufactInfo)) + + maxkeyslots = binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_SLOTS)).decode("ascii") + maxKeys=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXKEYS)).decode("ascii") + maxSess=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXSESSIONS)).decode("ascii") + maxContexts=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXCONTEXTS)).decode("ascii") + maxInputBuffer=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE)).decode("ascii") + maxNVavail=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE)).decode("ascii") + print("KeySlots={},MaxKeys={},MaxSess={},MaxContexts={},InputBufferSize={},MaxNVSpace={}".format(maxkeyslots,maxKeys,maxSess,maxContexts,maxInputBuffer,maxNVavail)) + + #nvIndices=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,0)).decode("ascii") + + #print("{}".format(nvIndices)) + + algsrsa=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_RSA)).decode("ascii") + algsdes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_DES)).decode("ascii") + algs3des=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_3DES)).decode("ascii") + algssha=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA)).decode("ascii") + #algssha256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_SHA256)).decode("ascii") + algshmac=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_HMAC)).decode("ascii") + algsaes128=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES128)).decode("ascii") + algsmgf1=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_MGF1)).decode("ascii") + algsaes192=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES192)).decode("ascii") + algsaes256=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES256)).decode("ascii") + algsxor=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_XOR)).decode("ascii") + algsaes=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_ALG,tss_lib.TSS_ALG_AES)).decode("ascii") + print("algs: rsa={},des={},3des={},sha={},hmac={},aes128={},mgf1={},aes192={},aes256={},xor={},aes={}".format(algsrsa,algsdes,algs3des,algssha,algshmac,algsaes128,algsmgf1,algsaes192,algsaes256,algsxor,algsaes)) + flags=binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_FLAG,0)).decode("ascii") + print("Flags={}".format(flags)) + + #print("version info {}".format(binascii.hexlify(tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,[tss_lib.TSS_TPMCAP_PROP_SLOTS])))) + + #print("version info {}".format()) + #print("version info {}".format((tpm.get_capability(tss_lib.TSS_TPMCAP_VERSION_VAL,[tss_lib.TSS_TPMCAP_PROP_SLOTS]))[2:6])) + + + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + + +#[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + #print("slots: {}".format(keyslots)) + #print("blaa:"+struct.unpack(keyslots)) + + ''' + print("connected/logged in to TPM") + mk=getMasterkeyNumberArray() + print("master key={}".format(str(mk))) + #clearKeys(context) + + print("currently registered key uuids: "+str(get_registered_keys(context))) + idx="1" + if(idx in get_registered_keys(context)): + print("removed registered key with idx "+str(idx)) + k=get_current_key(idx,context) + k.unregisterKey() + print("currently registered key uuids: "+str(get_registered_keys(context))) + + print("generating/storing deletable key with idx="+str(1)) + dk=get_new_key_and_replace_current(idx,context,first_run=True) + print("deleteable key:\ndk={}".format(binascii.hexlify(dk.get_keyblob()))) + encry = dk.bind(mk) + print("encrypted master key:\nmk={}".format(binascii.hexlify(encry))) + print("unencrypted master key={}".format(dk.unbind(encry))) + print("Got a secure delete request! Key-Cascade rebuilt, generatink new mk") + mkk=getMasterkeyNumberArrayOne() + print("new master key={}".format(mkk)) + print("exchanging dk") + dkk=get_new_key_and_replace_current(idx,context,first_run=False) + print("new deletable key:\ndk={}".format(binascii.hexlify(dkk.get_keyblob()))) + encry = dkk.bind(mkk) + print("new encrypted masterkey:\nmk={}".format(binascii.hexlify(encry))) + print("new unencrypted mk={}".format(dkk.unbind(encry))) + print("Done!")''' + + + + + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_MAXNVAVAILABLE]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_PROPERTY,[tss_lib.TSS_TPMCAP_PROP_INPUTBUFFERSIZE]) + #keyslots = tpm.get_capability(tss_lib.TSS_TPMCAP_NV_LIST,[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + + +#[tss_lib.TSS_TPMCAP_PROP_SLOTS]) + #print("slots: {}".format(keyslots)) + #print("blaa:"+struct.unpack(keyslots)) +#clearKeys() +#demo() +print("status: "+get_status()) +''' +k=get_current_key() +k2=get_new_key_and_replace_current() +k3=get_new_key_and_replace_current() +''' +''' +MKencrypted=True +if not os.path.isfile(masterKeyFilePath): + MKencrypted=False + +if MKencrypted: + #exchange keys: assumption old_uuid key exists, new_uuid key does not exist. oldkey encrypted masterkeyFile + kOld=context.load_key_by_uuid(tss_lib.TSS_PS_TYPE_SYSTEM,old_uuid) + kNew=context.create_wrap_key(keyFlags,srk.get_handle()) + with open(masterKeyFilePath, 'rb+') as f: + encryptedData = bytearray(f.read()) + f.seek(0) + #print("data: "+kOld.unbind(encryptedData)) + kNew.registerKey(new_uuid,srk_uuid) + f.write(kNew.bind(kOld.unbind(encryptedData))) + f.truncate() + kOld.unregisterKey() + kNew.registerKey(old_uuid,srk_uuid) + kNew.unregisterKey(new_uuid) + #kNew.loadkey if you want to use it further +else: + #encrypt and save + k=context.create_wrap_key(keyFlags,srk.get_handle()) + k.load_key() + k.registerKey(old_uuid,srk_uuid) + with open(masterKeyFilePath, 'wb') as f: + f.write(k.bind(getMasterkeyNumberArray())) +'''