Added optional WOLFBOOT_TPM_KEYSTORE_AUTH for build-time NV auth.

dgarske · dgarske · commit 412e4d9e9505 · 2023-08-19T14:03:58.000-07:00
diff --git a/.github/workflows/test-build-sim-tpm.yml b/.github/workflows/test-build-sim-tpm.yml
@@ -16,6 +16,9 @@ on:
       rot-args:
         required: false
         type: string
+      authstr:
+        required: false
+        type: string
 
 jobs:
 
@@ -52,15 +55,15 @@ jobs:
 
       - name: Build wolfboot
         run: |
-          make ${{inputs.make-args}}
+          make ${{inputs.make-args}} WOLFBOOT_TPM_KEYSTORE_AUTH="${{inputs.authstr}}"
 
       - name: Build TPM tools
         run: |
           make tpmtools
 
       - name: Write TPM ROT to TPM
         run: |
-          ./tools/tpm/rot -write ${{inputs.rot-args}}
+          ./tools/tpm/rot -write ${{inputs.rot-args}} -auth="${{inputs.authstr}}"
 
       - name: Run wolfBoot
         run: |
diff --git a/.github/workflows/test-tpm.yml b/.github/workflows/test-tpm.yml
@@ -64,6 +64,7 @@ jobs:
       arch: host
       config-file: ./config/examples/sim-tpm-keystore.config
       make-args: SIGN=ECC256 HASH=SHA256
+      authstr: TestAuth
 
   sim_tpm_keystore_ecc384:
     uses: ./.github/workflows/test-build-sim-tpm.yml
@@ -72,10 +73,12 @@ jobs:
       config-file: ./config/examples/sim-tpm-keystore.config
       make-args: SIGN=ECC384 HASH=SHA384
       rot-args: -sha384
+      authstr: TestAuth
 
   sim_tpm_keystore_rsa2048:
     uses: ./.github/workflows/test-build-sim-tpm.yml
     with:
       arch: host
       config-file: ./config/examples/sim-tpm-keystore.config
       make-args: SIGN=RSA2048 HASH=SHA256
+      authstr: TestAuth
diff --git a/config/examples/sim-tpm-keystore.config b/config/examples/sim-tpm-keystore.config
@@ -20,6 +20,7 @@ WOLFBOOT_FIXED_PARTITIONS=1
 # Use NV for TPM based Root of Trust
 WOLFBOOT_TPM_KEYSTORE?=1
 WOLFBOOT_TPM_KEYSTORE_NV_INDEX?=0x01400200
+#WOLFBOOT_TPM_KEYSTORE_AUTH?=TestAuth
 
 # TPM Logging
 #CFLAGS_EXTRA+=-DDEBUG_WOLFTPM
diff --git a/options.mk b/options.mk
@@ -12,6 +12,7 @@ ifeq ($(WOLFBOOT_TPM_KEYSTORE),1)
     WOLFTPM:=1
     CFLAGS+=-DWOLFBOOT_TPM_KEYSTORE
     CFLAGS+=-DWOLFBOOT_TPM_KEYSTORE_NV_INDEX=$(WOLFBOOT_TPM_KEYSTORE_NV_INDEX)
+    CFLAGS+=-DWOLFBOOT_TPM_KEYSTORE_AUTH='"$(WOLFBOOT_TPM_KEYSTORE_AUTH)"'
   endif
 endif
 
diff --git a/src/image.c b/src/image.c
@@ -1269,9 +1269,9 @@ static int keyslot_id_by_sha(const uint8_t *hint)
     XMEMSET(&nv, 0, sizeof(nv));
     nv.handle.hndl = WOLFBOOT_TPM_KEYSTORE_NV_INDEX;
 
-#if 0 /* TODO: Add auth */
-    nv.handle.auth.size = sizeof(authBuf);
-    XMEMCPY(nv.handle.auth.buffer, authBuf, sizeof(authBuf));
+#ifdef WOLFBOOT_TPM_KEYSTORE_AUTH
+    nv.handle.auth.size = (UINT16)strlen(WOLFBOOT_TPM_KEYSTORE_AUTH);
+    memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH, nv.handle.auth.size);
 #endif
 
     rc = wolfTPM2_NVReadAuth(&wolftpm_dev, &nv, WOLFBOOT_TPM_KEYSTORE_NV_INDEX,
