clear the sensitive key data after using
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
sunceping committed Sep 20, 2023
1 parent d45c401 commit 2042c6a
Showing 3 changed files with 19 additions and 9 deletions.
9 changes: 6 additions & 3 deletions src/spdm/src/crypto_callback.rs
Expand Up @@ -3,7 +3,7 @@
// SPDX-License-Identifier: Apache-2.0

use core::panic;
use global::GLOBAL_SPDM_DATA;
use global::{sensitive_data_cleanup, GLOBAL_SPDM_DATA};
use spdmlib::protocol::{
SpdmBaseAsymAlgo, SpdmBaseHashAlgo, SpdmSignatureStruct, SPDM_MAX_ASYM_KEY_SIZE,
};
Expand Down Expand Up @@ -36,13 +36,13 @@ fn sign_ecdsa_asym_algo(
assert!(algorithm == &ring::signature::ECDSA_P384_SHA384_FIXED_SIGNING);

let binding = GLOBAL_SPDM_DATA.lock();
let pkcs8 = binding.pkcs8()?;
let mut pkcs8 = binding.pkcs8()?;

let key_pair = ring::signature::EcdsaKeyPair::from_pkcs8(algorithm, pkcs8);
if key_pair.is_err() {
return None;
}
let key_pair = key_pair.unwrap();
let mut key_pair = key_pair.unwrap();

let rng = ring::rand::SystemRandom::new();

Expand All @@ -57,6 +57,9 @@ fn sign_ecdsa_asym_algo(
let mut full_signature: [u8; SPDM_MAX_ASYM_KEY_SIZE] = [0u8; SPDM_MAX_ASYM_KEY_SIZE];
full_signature[..signature.len()].copy_from_slice(signature);

sensitive_data_cleanup(&mut key_pair);
sensitive_data_cleanup(&mut pkcs8);

Some(SpdmSignatureStruct {
data_size: signature.len() as u16,
data: full_signature,
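Review bot: The two `sensitive_data_cleanup` calls added just before `Some(SpdmSignatureStruct {` run only on the success path; the `return None` taken when `from_pkcs8` fails exits with `pkcs8` still live and unwiped, and a failure in the signing call hidden between the second and third hunks presumably does the same for `key_pair`. A small guard type whose `Drop` impl calls `sensitive_data_cleanup` (or a zeroize-on-drop wrapper) would make the wipe unconditional on every exit, including unwinding. Also, `pkcs8` comes from `binding.pkcs8()?` while the `GLOBAL_SPDM_DATA` guard is held and is handed to `from_pkcs8` without `as_ref()`, so it may be a borrow into the global rather than an owned copy; if so, `sensitive_data_cleanup(&mut pkcs8)` either wipes the stored key (breaking later signatures) or only the fat pointer, depending on what the helper does, and the success path deserves a comment such as `// pkcs8 is an owned copy; the original stays in GLOBAL_SPDM_DATA` once that is confirmed. `sign_ecdsa_asym_algo` starts and ends outside the hunk.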
8 changes: 5 additions & 3 deletions src/tpm/src/tpm2_ca_cert.rs
Expand Up @@ -9,7 +9,7 @@ use crypto::{
resolve::{generate_ecdsa_keypairs, ResolveError},
};
use eventlog::eventlog::{event_log_size, get_event_log};
use global::{VtpmError, VtpmResult, GLOBAL_TPM_DATA};
use global::{sensitive_data_cleanup, VtpmError, VtpmResult, GLOBAL_TPM_DATA};
use ring::{
digest,
signature::{EcdsaKeyPair, KeyPair},
Expand Down Expand Up @@ -48,7 +48,7 @@ pub fn gen_tpm2_ca_cert() -> VtpmResult {
log::error!("Failed to generate pkcs8.\n");
return Err(VtpmError::CaCertError);
}
let pkcs8 = pkcs8.unwrap();
let mut pkcs8 = pkcs8.unwrap();

let key_pair = EcdsaKeyPair::from_pkcs8(
&ring::signature::ECDSA_P384_SHA384_ASN1_SIGNING,
Expand All @@ -59,7 +59,7 @@ pub fn gen_tpm2_ca_cert() -> VtpmResult {
log::error!("Failed to generate ecdsa keypair from pkcs8.\n");
return Err(VtpmError::CaCertError);
}
let key_pair = key_pair.unwrap();
let mut key_pair = key_pair.unwrap();

// get td_quote
let td_quote = get_td_quote(key_pair.public_key().as_ref());
Expand Down Expand Up @@ -90,5 +90,7 @@ pub fn gen_tpm2_ca_cert() -> VtpmResult {
.map_err(|_| VtpmError::CaCertError)?;
GLOBAL_TPM_DATA.lock().set_ca_cert_pkcs8(pkcs8.as_ref())?;

sensitive_data_cleanup(&mut key_pair);
sensitive_data_cleanup(&mut pkcs8);
Ok(())
}
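Review bot: The two `sensitive_data_cleanup` calls sit after the `?` on the `.map_err(|_| VtpmError::CaCertError)?` line and on `set_ca_cert_pkcs8(pkcs8.as_ref())?`, so every error return from this function — including the `get_td_quote` path cut off between the hunks — leaves the CA private key in `pkcs8` and `key_pair` unwiped on the stack. A drop guard (a wrapper whose `Drop` impl calls `sensitive_data_cleanup`) would make the wipe unconditional and also cover unwinding. Note that `set_ca_cert_pkcs8` deliberately stores the same key in `GLOBAL_TPM_DATA`, so this wipe only removes the local copies; a comment such as `// The key is retained in GLOBAL_TPM_DATA for EK-cert signing; only the local copies are wiped here.` would keep a reader from assuming the key is gone. Separately, if `sensitive_data_cleanup` overwrites a value's bytes in place, applying it to ring's `EcdsaKeyPair` (which holds a `&'static` algorithm reference) leaves a corrupted value live until scope end — confirm the helper's contract before using it on non-`Copy` types. `gen_tpm2_ca_cert` starts outside the hunk.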
11 changes: 8 additions & 3 deletions src/tpm/src/tpm2_provision.rs
Expand Up @@ -14,7 +14,9 @@ use crate::{
};
use alloc::{slice, vec::Vec};
use crypto::ek_cert::generate_ek_cert;
use global::{VtpmError, VtpmResult, GLOBAL_TPM_DATA, VTPM_MAX_BUFFER_SIZE};
use global::{
sensitive_data_cleanup, VtpmError, VtpmResult, GLOBAL_TPM_DATA, VTPM_MAX_BUFFER_SIZE,
};
use ring::signature;

const TPM2_EK_ECC_SECP384R1_HANDLE: u32 = 0x81010016;
Expand Down Expand Up @@ -507,7 +509,7 @@ pub fn tpm2_provision_ek() -> VtpmResult {
break;
}

let pkcs8 = GLOBAL_TPM_DATA.lock().get_ca_cert_pkcs8();
let mut pkcs8 = GLOBAL_TPM_DATA.lock().get_ca_cert_pkcs8();
if pkcs8.is_empty() {
break;
}
Expand All @@ -519,7 +521,7 @@ pub fn tpm2_provision_ek() -> VtpmResult {
if key_pair.is_err() {
break;
}
let key_pair = key_pair.unwrap();
let mut key_pair = key_pair.unwrap();

// then generate ek-cert
let ek_cert = generate_ek_cert(ek_pub.as_slice(), &key_pair);
Expand All @@ -528,6 +530,9 @@ pub fn tpm2_provision_ek() -> VtpmResult {
}
let ek_cert = ek_cert.unwrap();

//should clear the sensitive key data after generate_ek_cert.
sensitive_data_cleanup(&mut key_pair);
sensitive_data_cleanup(&mut pkcs8);
// save ek-cert into NV
if ek_cert.as_slice().len() > max_nv_index_size as usize {
log::error!(
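Review bot: The `break` taken when `from_pkcs8` fails (`if key_pair.is_err() { break; }`) and the `ek_cert` error `break` presumably closed just above `let ek_cert = ek_cert.unwrap();` both leave the loop with the copy of the CA key in `pkcs8` (and, on the second path, `key_pair`) unwiped, because the cleanup only follows the success path. Moving the wipe into a drop guard, or at minimum calling `sensitive_data_cleanup(&mut pkcs8);` before each of those `break`s, would close that gap. The added comment reads as a reminder rather than an explanation; `// Wipe the local copy of the CA signing key now that ek_cert is signed; GLOBAL_TPM_DATA still holds the original.` says why the wipe is here and what it does not cover. `tpm2_provision_ek` starts and ends outside the hunk.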
