clear the sensitive key data after using
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
sunceping committed Sep 20, 2023
1 parent d45c401 commit 138765a
Showing 2 changed files with 14 additions and 6 deletions.
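--- a/src/tpm/src/tpm2_ca_cert.rs
+++ b/src/tpm/src/tpm2_ca_cert.rs
@@ -9,7 +9,7 @@ use crypto::{
 resolve::{generate_ecdsa_keypairs, ResolveError},
 };
 use eventlog::eventlog::{event_log_size, get_event_log};
-use global::{VtpmError, VtpmResult, GLOBAL_TPM_DATA};
+use global::{sensitive_data_cleanup, VtpmError, VtpmResult, GLOBAL_TPM_DATA};
 use ring::{
 digest,
 signature::{EcdsaKeyPair, KeyPair},
@@ -48,7 +48,7 @@ pub fn gen_tpm2_ca_cert() -> VtpmResult {
 log::error!("Failed to generate pkcs8.\n");
 return Err(VtpmError::CaCertError);
 }
-let pkcs8 = pkcs8.unwrap();
+let mut pkcs8 = pkcs8.unwrap();
 
 let key_pair = EcdsaKeyPair::from_pkcs8(
 &ring::signature::ECDSA_P384_SHA384_ASN1_SIGNING,
@@ -59,7 +59,7 @@ pub fn gen_tpm2_ca_cert() -> VtpmResult {
 log::error!("Failed to generate ecdsa keypair from pkcs8.\n");
 return Err(VtpmError::CaCertError);
 }
-let key_pair = key_pair.unwrap();
+let mut key_pair = key_pair.unwrap();
 
 // get td_quote
 let td_quote = get_td_quote(key_pair.public_key().as_ref());
@@ -90,5 +90,7 @@ pub fn gen_tpm2_ca_cert() -> VtpmResult {
 .map_err(|_| VtpmError::CaCertError)?;
 GLOBAL_TPM_DATA.lock().set_ca_cert_pkcs8(pkcs8.as_ref())?;
 
+sensitive_data_cleanup(&mut key_pair);
+sensitive_data_cleanup(&mut pkcs8);
 Ok(())
 }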
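Review bot: The wipe at the end of `gen_tpm2_ca_cert` runs only on the success path: the two `?` exits directly above it (`.map_err(|_| VtpmError::CaCertError)?` and `set_ca_cert_pkcs8(pkcs8.as_ref())?`) return with `key_pair` and `pkcs8` still holding the CA private key, and any fallible step in the part of the body outside these hunks would presumably do the same. The `break` exits in `tpm2_provision_ek` (src/tpm/src/tpm2_provision.rs) have the same gap, and there they also skip `clean_ca_cert_pkcs8()`, so the global copy survives a failed provisioning attempt. Binding the result before wiping closes the last exit here, e.g. `let stored = GLOBAL_TPM_DATA.lock().set_ca_cert_pkcs8(pkcs8.as_ref());`, then the two cleanup calls, then `stored?;`. A small guard type whose `Drop` calls `sensitive_data_cleanup` would cover every exit in both functions without repeating the calls.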
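--- a/src/tpm/src/tpm2_provision.rs
+++ b/src/tpm/src/tpm2_provision.rs
@@ -14,7 +14,9 @@ use crate::{
 };
 use alloc::{slice, vec::Vec};
 use crypto::ek_cert::generate_ek_cert;
-use global::{VtpmError, VtpmResult, GLOBAL_TPM_DATA, VTPM_MAX_BUFFER_SIZE};
+use global::{
+sensitive_data_cleanup, VtpmError, VtpmResult, GLOBAL_TPM_DATA, VTPM_MAX_BUFFER_SIZE,
+};
 use ring::signature;
 
 const TPM2_EK_ECC_SECP384R1_HANDLE: u32 = 0x81010016;
@@ -507,7 +509,7 @@ pub fn tpm2_provision_ek() -> VtpmResult {
 break;
 }
 
-let pkcs8 = GLOBAL_TPM_DATA.lock().get_ca_cert_pkcs8();
+let mut pkcs8 = GLOBAL_TPM_DATA.lock().get_ca_cert_pkcs8();
 if pkcs8.is_empty() {
 break;
 }
@@ -519,7 +521,7 @@ pub fn tpm2_provision_ek() -> VtpmResult {
 if key_pair.is_err() {
 break;
 }
-let key_pair = key_pair.unwrap();
+let mut key_pair = key_pair.unwrap();
 
 // then generate ek-cert
 let ek_cert = generate_ek_cert(ek_pub.as_slice(), &key_pair);
@@ -528,6 +530,10 @@ pub fn tpm2_provision_ek() -> VtpmResult {
 }
 let ek_cert = ek_cert.unwrap();
 
+//should clear the sensitive key data after generate_ek_cert.
+GLOBAL_TPM_DATA.lock().clean_ca_cert_pkcs8();
+sensitive_data_cleanup(&mut key_pair);
+sensitive_data_cleanup(&mut pkcs8);
 // save ek-cert into NV
 if ek_cert.as_slice().len() > max_nv_index_size as usize {
 log::error!(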
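Review bot: `sensitive_data_cleanup(&mut pkcs8)` is handed the value returned by `get_ca_cert_pkcs8()`, which answers `is_empty()` and so looks like an owned, heap-backed byte buffer; the helper's body is not part of this commit, so it is worth confirming that it overwrites the buffer contents and not only the in-place bytes of the handle (pointer, length, capacity). If it does the latter, the PKCS#8 bytes would remain in heap memory after the call, and the same question applies to whatever `EcdsaKeyPair` keeps behind pointers. I would document that contract on the helper and, if needed, wipe the contents explicitly before the call with volatile writes (or `pkcs8.zeroize()` if the `zeroize` crate is already a dependency here). The added comment could also say why, e.g. `// The CA key is no longer needed once the EK cert is signed: wipe the global copy and both local copies.` The body of `tpm2_provision_ek` continues outside these hunks.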