diff --git a/security/tpm2-openssl-engine/tpm2-openssl-engine/e_tpm2.c b/security/tpm2-openssl-engine/tpm2-openssl-engine/e_tpm2.c
index 5b5ca2e44..488f6a682 100644
--- a/security/tpm2-openssl-engine/tpm2-openssl-engine/e_tpm2.c
+++ b/security/tpm2-openssl-engine/tpm2-openssl-engine/e_tpm2.c
@@ -312,6 +312,14 @@ static int tpm_engine_init(ENGINE * e)
  * N.B: This assumes that the kernel-modules-tpm
  * pkg is installed with the modified tpm_crb KLM
  */
+ if ((result = p_tpm2_Set_Property(hContext,
+ TPM_INTERFACE_TYPE, "dev"))) {
+ DBG("Failed to set Resource Manager in context (%p): rc %d",
+ hContext, (int)result);
+ TSSerr(TPM_F_TPM_ENGINE_INIT, TPM_R_UNIT_FAILURE);
+ goto err;
+ }
+
  if ((result = p_tpm2_Set_Property(hContext,
  TPM_DEVICE, "/dev/tpmrm0"))) {
  DBG("Failed to set Resource Manager in context (%p): rc %d",
diff --git a/security/wrs-ssl/files/tpmdevice-setup b/security/wrs-ssl/files/tpmdevice-setup
index 5fa10772c..e47e989b3 100644
--- a/security/wrs-ssl/files/tpmdevice-setup
+++ b/security/wrs-ssl/files/tpmdevice-setup
@@ -7,6 +7,8 @@
 # TPM setup (both active controller and remote)
+export TPM_INTERFACE_TYPE=dev
+
 CERTIFICATE_FILE="server-cert.pem"
 LOGFILE="/etc/ssl/private/.install.log"
 ORIGINAL_KEY=$1
@@ -53,8 +55,7 @@ declare -a helper_scripts=("tss2_createprimary"
 "tss2_contextsave"
 "tss2_evictcontrol"
 "tss2_flushcontext"
- "create_tpm2_key"
- "resourcemgr")
+ "create_tpm2_key")
 for src in "${helper_scripts[@]}"; do
 if ! type "$src" &>/dev/null; then
 error_exit "ERROR: Cannot find $src. Needed for TPM configuration"
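Review bot: The DBG message in the new TPM_INTERFACE_TYPE block is a copy of the one in the TPM_DEVICE block below it and still reads "Failed to set Resource Manager in context", so a failure to set the interface type would be logged under the wrong description; change it to `DBG("Failed to set TPM_INTERFACE_TYPE in context (%p): rc %d", hContext, (int)result);`. Because the two blocks otherwise look identical, a short comment on the new one stating its purpose would help the next reader, e.g. `/* select the kernel device interface before naming the device node below */`. tpm_engine_init begins before this hunk and its body, including the err label the new code jumps to, continues after it.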
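Review bot: The new `export TPM_INTERFACE_TYPE=dev` carries no comment saying why it is needed, although every tss2_* helper invoked later in the script inherits it and the companion change in e_tpm2.c sets the same property programmatically; suggest adding `# Make the tss2_* helpers talk to the kernel TPM device directly (no user-space resourcemgr).` above it. The engine side also pins TPM_DEVICE to /dev/tpmrm0, whereas this hunk leaves the device node to the TSS default unless TPM_DEVICE is exported elsewhere in the file; if the script and the engine are meant to use the same node, exporting it here would keep the two in step.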
@@ -62,41 +63,6 @@ for src in "${helper_scripts[@]}"; do
 done
 }
-startResourceMgr () {
-resourcemgr &>> $LOGFILE 2>&1 &
-
-# ensure the resourcemgr is started
-for i in {1..5}
-do
- sleep 0.5
- MGR_RUNNING=`pidof resourcemgr`
- if [ ! -z $MGR_RUNNING ]; then
- break
- fi
-done
-[ ! -z $MGR_RUNNING ] || error_exit "Unable to start TPM resourcemgr"
-
-# check to see if the resourcemgr port is open
-IS_OPEN=0
-for i in {1..5}
-do
- sleep 0.5
- _test=`netstat -an | grep $RESOURCEMGR_DEFAULT_PORT | grep -i listen`
- if [ ! -z "$_test" ]; then
- IS_OPEN=1
- break
- fi
-done
-[ $IS_OPEN -ne 0 ] || error_exit "Unable to initialize resourcemgr"
-}
-
-stopResourceMgr () {
-# Kill any previous instances of resourcemgr
-pkill -c -TERM resourcemgr &> /dev/null 2>&1
-}
-
-
-
 ### Main ###
 # remove previous object context
 rm -f $TPM_OBJECT_CONTEXT &> /dev/null
@@ -115,14 +81,10 @@ if [ "$TPM_VERSION" != "2.0" ]; then
 error_exit "ERROR: TPM Device is not version 2.0 compatible"
 fi
-# Start the Intel ResourceMgr to clear the NV
+# Clear the NV
 # as well as all stale transient handles in
 # the endorsement hierarchy.
-# Since ResourceMgr has a number of stability,
-# and security issues, we will stop it after it
-# initializes the NV and Handle space
-startResourceMgr
-stopResourceMgr
+tss2_clear -hi l
 # Create the Endorsement Primary Key hierarchy which will be used
 # for wrapping the private key. Use RSA as the primary key encryption
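Review bot: The exit status of the new `tss2_clear -hi l` line in the second hunk is not checked, unlike the other tss2_* calls in this script, which are followed by `[ $? -eq 0 ] || error_exit ...`; if the clear is refused (for example because the lockout authorization it presumably uses is not the empty value, or clear has been disabled on the device), the script carries on and the real cause surfaces only as a later, unrelated failure. Suggest `tss2_clear -hi l >> $LOGFILE` followed by `[ $? -eq 0 ] || error_exit "ERROR: Unable to clear the TPM"`. The rewritten comment above it still describes the effect as clearing the NV and stale transient handles, but TPM2_Clear is an owner clear that also evicts persistent objects in the storage hierarchy, deletes owner-created NV indices and resets the owner and lockout authorizations, so the comment should say that explicitly since this script runs it on every setup.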
@@ -136,14 +98,14 @@ PRIMARY_HANDLE="0x$PRIMARY_HANDLE"
 # be persistently stored in TPM NV.
 # evict the persistent handle if it exists previously
 tss2_evictcontrol -hi o -ho $TPM_KEY_HIERARCHY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE
-tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE &>> $LOGFILE
+tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE >> $LOGFILE
 [ $? -eq 0 ] || error_exit "Unable to persist Key Hierarchy in TPM memory"
 tss2_flushcontext -ha $PRIMARY_HANDLE
 # wrap the original private key in TPM's Endorsement key hierarchy
 # this will generate a TSS key blob in ASN 1 encoding
-create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT &>> $LOGFILE
+create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT >> $LOGFILE
 [ $? -eq 0 ] || error_exit "Unable to wrap provided private key into TPM Key Hierarchy"
 # the apps will also need to the public key, place it in
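Review bot: Changing `&>> $LOGFILE` to `>> $LOGFILE` on the tss2_evictcontrol and create_tpm2_key lines means only their stdout is appended to the install log; their stderr now goes to whatever the caller's stderr is, so the TSS error text no longer sits in $LOGFILE next to the `error_exit` outcome. If the intent is to let the operator see TSS failures on the console that is a fair choice, but nothing in the hunk records it, and `rm -f ... &> /dev/null` earlier in the script still uses the bash-only form, so portability does not look like the motive. Either add `# stdout to the install log; stderr left on the console so TSS errors are visible to the operator` above the first call, or use `>> $LOGFILE 2>&1` to keep the previous logging behaviour.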