From 9a0d618ad5e04c51f6c142510164ef2be54ad00b Mon Sep 17 00:00:00 2001
From: Ceping Sun
Date: Tue, 19 Sep 2023 22:57:43 -0400
Subject: [PATCH] clear the sensitive key data after using

Signed-off-by: Ceping Sun
---
 src/tpm/src/tpm2_ca_cert.rs | 8 +++++---
 src/tpm/src/tpm2_provision.rs | 10 +++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/tpm/src/tpm2_ca_cert.rs b/src/tpm/src/tpm2_ca_cert.rs
index 3aedca2..b10a2cd 100644
--- a/src/tpm/src/tpm2_ca_cert.rs
+++ b/src/tpm/src/tpm2_ca_cert.rs
@@ -9,7 +9,7 @@ use crypto::{
 resolve::{generate_ecdsa_keypairs, ResolveError},
 };
 use eventlog::eventlog::{event_log_size, get_event_log};
-use global::{VtpmError, VtpmResult, GLOBAL_TPM_DATA};
+use global::{sensitive_data_cleanup, VtpmError, VtpmResult, GLOBAL_TPM_DATA};
 use ring::{
 digest,
 signature::{EcdsaKeyPair, KeyPair},
@@ -48,7 +48,7 @@ pub fn gen_tpm2_ca_cert() -> VtpmResult {
 log::error!("Failed to generate pkcs8.\n");
 return Err(VtpmError::CaCertError);
 }
-let pkcs8 = pkcs8.unwrap();
+let mut pkcs8 = pkcs8.unwrap();
 
 let key_pair = EcdsaKeyPair::from_pkcs8(
 &ring::signature::ECDSA_P384_SHA384_ASN1_SIGNING,
@@ -59,7 +59,7 @@ pub fn gen_tpm2_ca_cert() -> VtpmResult {
 log::error!("Failed to generate ecdsa keypair from pkcs8.\n");
 return Err(VtpmError::CaCertError);
 }
-let key_pair = key_pair.unwrap();
+let mut key_pair = key_pair.unwrap();
 
 // get td_quote
 let td_quote = get_td_quote(key_pair.public_key().as_ref());
@@ -90,5 +90,7 @@ pub fn gen_tpm2_ca_cert() -> VtpmResult {
 .map_err(|_| VtpmError::CaCertError)?;
 GLOBAL_TPM_DATA.lock().set_ca_cert_pkcs8(pkcs8.as_ref())?;
 
+sensitive_data_cleanup(&mut key_pair);
+sensitive_data_cleanup(&mut pkcs8);
 Ok(())
 }
diff --git a/src/tpm/src/tpm2_provision.rs b/src/tpm/src/tpm2_provision.rs
index 03acf65..5d023f3 100644
--- a/src/tpm/src/tpm2_provision.rs
+++ b/src/tpm/src/tpm2_provision.rs
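Review bot: The two `sensitive_data_cleanup` calls added at the end of `gen_tpm2_ca_cert` run only on the success path; the `.map_err(...)?` and `set_ca_cert_pkcs8(...)?` lines just above them, and the earlier `return Err(VtpmError::CaCertError)` taken when `from_pkcs8` fails, exit with `pkcs8` (and the key pair, once built) still uncleared in memory. The same gap exists in the `@@ -528` hunk of tpm2_provision.rs, where every `break` between `get_ca_cert_pkcs8()` and the cleanup block skips both the local cleanup and `clean_ca_cert_pkcs8()`. Tie the clearing to the value's lifetime instead of to one exit path: wrap the secret in a small newtype whose `Drop` impl calls the same helper, so `?`, `return` and `break` all clear it and the explicit calls can go; this assumes `sensitive_data_cleanup` accepts any `&mut T`, which its two call sites here suggest but the page does not show. The body of `gen_tpm2_ca_cert` starts outside the hunk.
```rust
/// Owns a secret and clears it on every exit path (`?`, `return`, `break`).
struct ClearOnDrop<T>(T);

impl<T> Drop for ClearOnDrop<T> {
    fn drop(&mut self) {
        // Same helper the explicit calls use; assumed generic over `&mut T` — confirm.
        sensitive_data_cleanup(&mut self.0);
    }
}
// … unchanged: key generation and error checks …
let pkcs8 = ClearOnDrop(pkcs8.unwrap());
// … unchanged: from_pkcs8, quote, cert build, using `pkcs8.0` where `pkcs8` was used; the two explicit cleanup calls are removed …
```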
@@ -14,7 +14,7 @@ use crate::{
 };
 use alloc::{slice, vec::Vec};
 use crypto::ek_cert::generate_ek_cert;
-use global::{VtpmError, VtpmResult, GLOBAL_TPM_DATA, VTPM_MAX_BUFFER_SIZE};
+use global::{sensitive_data_cleanup, VtpmError, VtpmResult, GLOBAL_TPM_DATA, VTPM_MAX_BUFFER_SIZE};
 use ring::signature;
 
 const TPM2_EK_ECC_SECP384R1_HANDLE: u32 = 0x81010016;
@@ -507,7 +507,7 @@ pub fn tpm2_provision_ek() -> VtpmResult {
 break;
 }
 
-let pkcs8 = GLOBAL_TPM_DATA.lock().get_ca_cert_pkcs8();
+let mut pkcs8 = GLOBAL_TPM_DATA.lock().get_ca_cert_pkcs8();
 if pkcs8.is_empty() {
 break;
 }
@@ -519,7 +519,7 @@ pub fn tpm2_provision_ek() -> VtpmResult {
 if key_pair.is_err() {
 break;
 }
-let key_pair = key_pair.unwrap();
+let mut key_pair = key_pair.unwrap();
 
 // then generate ek-cert
 let ek_cert = generate_ek_cert(ek_pub.as_slice(), &key_pair);
@@ -528,6 +528,10 @@ pub fn tpm2_provision_ek() -> VtpmResult {
 }
 let ek_cert = ek_cert.unwrap();
 
+//should clear the sensitive key data after generate_ek_cert.
+GLOBAL_TPM_DATA.lock().clean_ca_cert_pkcs8();
+sensitive_data_cleanup(&mut key_pair);
+sensitive_data_cleanup(&mut pkcs8);
 // save ek-cert into NV
 if ek_cert.as_slice().len() > max_nv_index_size as usize {
 log::error!(
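Review bot: `sensitive_data_cleanup(&mut key_pair)` in the `@@ -528` hunk is applied to ring's `EcdsaKeyPair`, a foreign type this crate does not control; the helper's definition is not on this page, but if it overwrites the value's bytes in place, doing that to a struct that carries a `&'static` algorithm reference leaves an invalid value that is then dropped at scope end, which is undefined behavior, and if it uses ordinary stores the compiler is free to drop them as dead writes. The same call appears at the end of `gen_tpm2_ca_cert` in tpm2_ca_cert.rs. Restrict the helper to buffers the crate owns (the PKCS#8 copy from `get_ca_cert_pkcs8()` already holds the private scalar) and make sure it uses volatile writes or a compiler fence; ring's internal copy of the key cannot be cleared from outside and should be documented as such rather than pretended away. The added comment should also say what is being protected and why here, e.g. `// The CA private key is no longer needed once the EK cert is signed; clear every copy, including the global one.` The enclosing loop and `tpm2_provision_ek` both extend beyond this hunk.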