diff --git a/doc/tpm_usage.md b/doc/tpm_usage.md index 5f34f2021e8..0f6fa181d26 100644 --- a/doc/tpm_usage.md +++ b/doc/tpm_usage.md @@ -4,6 +4,31 @@ This document describes how to use TPM-backed helper APIs with libspdm for secur --- +## CMake Configuration + +Configure TPM key handles and certificate chain NV indices at build time: + +```bash +cmake -B build \ + -D LIBSPDM_TPM_REQUESTER_HANDLES="0x81000011;0x81000012" \ + -D LIBSPDM_TPM_REQUESTER_CERTCHAINS="0x1500011;0x1500012" \ + -D LIBSPDM_TPM_RESPONDER_HANDLES="0x81000021;0x81000022" \ + -D LIBSPDM_TPM_RESPONDER_CERTCHAINS="0x1500021;0x1500022" +``` + +### Configuration Parameters + +| Parameter | Description | Format | +|-----------|-------------|--------| +| `LIBSPDM_TPM_REQUESTER_HANDLES` | TPM persistent key handles for requester | Semicolon-separated hex values | +| `LIBSPDM_TPM_REQUESTER_CERTCHAINS` | NV indices for requester certificate chains | Semicolon-separated hex values | +| `LIBSPDM_TPM_RESPONDER_HANDLES` | TPM persistent key handles for responder | Semicolon-separated hex values | +| `LIBSPDM_TPM_RESPONDER_CERTCHAINS` | NV indices for responder certificate chains | Semicolon-separated hex values | + +**Note:** Multiple handles/indices support multi-key scenarios. First handle maps to slot 0, second to slot 1, etc. + +--- + ## Overview The TPM integration layer provides: diff --git a/os_stub/cryptlib_openssl/tpm/tpm.c b/os_stub/cryptlib_openssl/tpm/tpm.c index cb1cc0a3945..a0f27372b52 100644 --- a/os_stub/cryptlib_openssl/tpm/tpm.c +++ b/os_stub/cryptlib_openssl/tpm/tpm.c @@ -291,7 +291,7 @@ bool libspdm_tpm_read_nv(uint32_t index, void **buffer, size_t *size) if (nv_name) Esys_Free(nv_name); if (nv_tr != ESYS_TR_NONE) - Esys_FlushContext(esys, nv_tr); + Esys_TR_Close(esys, &nv_tr); if (esys) Esys_Finalize(&esys); if (tcti) diff --git a/os_stub/spdm_device_secret_lib_tpm/CMakeLists.txt b/os_stub/spdm_device_secret_lib_tpm/CMakeLists.txt index 47748d12086..2961b45a35e 100644 --- a/os_stub/spdm_device_secret_lib_tpm/CMakeLists.txt +++ b/os_stub/spdm_device_secret_lib_tpm/CMakeLists.txt @@ -1,9 +1,70 @@ cmake_minimum_required(VERSION 3.5) +# Default values for backward compatibility (2 slots) +set(LIBSPDM_TPM_REQUESTER_HANDLES "0x81000011;0x81000011" CACHE STRING "Semicolon-separated list of TPM Requester Handle Strings") +set(LIBSPDM_TPM_REQUESTER_CERTCHAINS "0x1500011;0x1500011" CACHE STRING "Semicolon-separated list of TPM Requester Certificate Chain NV Indices") +set(LIBSPDM_TPM_RESPONDER_HANDLES "0x81000021;0x81000021" CACHE STRING "Semicolon-separated list of TPM Responder Handle Strings") +set(LIBSPDM_TPM_RESPONDER_CERTCHAINS "0x1500021;0x1500021" CACHE STRING "Semicolon-separated list of TPM Responder Certificate Chain NV Indices") + +# Count the number of slots (variables are already CMake lists) +list(LENGTH LIBSPDM_TPM_REQUESTER_HANDLES REQUESTER_SLOT_COUNT) +list(LENGTH LIBSPDM_TPM_REQUESTER_CERTCHAINS REQUESTER_CERTCHAIN_COUNT) +list(LENGTH LIBSPDM_TPM_RESPONDER_HANDLES RESPONDER_SLOT_COUNT) +list(LENGTH LIBSPDM_TPM_RESPONDER_CERTCHAINS RESPONDER_CERTCHAIN_COUNT) + +# Validate that handles and certchains have matching counts +if(NOT REQUESTER_SLOT_COUNT EQUAL REQUESTER_CERTCHAIN_COUNT) + message(FATAL_ERROR "LIBSPDM_TPM_REQUESTER_HANDLES and LIBSPDM_TPM_REQUESTER_CERTCHAINS must have the same number of entries") +endif() + +if(NOT RESPONDER_SLOT_COUNT EQUAL RESPONDER_CERTCHAIN_COUNT) + message(FATAL_ERROR "LIBSPDM_TPM_RESPONDER_HANDLES and LIBSPDM_TPM_RESPONDER_CERTCHAINS must have the same number of entries") +endif() + +message(STATUS "TPM Configuration:") +message(STATUS " Requester slots: ${REQUESTER_SLOT_COUNT}") +message(STATUS " Responder slots: ${RESPONDER_SLOT_COUNT}") + +# Generate keys.h content dynamically +set(KEYS_H_CONTENT "/**\n") +set(KEYS_H_CONTENT "${KEYS_H_CONTENT} * Copyright Notice:\n") +set(KEYS_H_CONTENT "${KEYS_H_CONTENT} * Copyright 2024-2025 DMTF. All rights reserved.\n") +set(KEYS_H_CONTENT "${KEYS_H_CONTENT} * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md\n") +set(KEYS_H_CONTENT "${KEYS_H_CONTENT} **/\n\n") +set(KEYS_H_CONTENT "${KEYS_H_CONTENT}#pragma once\n\n") +set(KEYS_H_CONTENT "${KEYS_H_CONTENT}/* Auto-generated TPM handle configuration */\n\n") + +# Add slot count macros +set(KEYS_H_CONTENT "${KEYS_H_CONTENT}#define LIBSPDM_TPM_REQUESTER_SLOT_COUNT ${REQUESTER_SLOT_COUNT}\n") +set(KEYS_H_CONTENT "${KEYS_H_CONTENT}#define LIBSPDM_TPM_RESPONDER_SLOT_COUNT ${RESPONDER_SLOT_COUNT}\n\n") + +# Generate requester handle definitions +set(KEYS_H_CONTENT "${KEYS_H_CONTENT}/* TPM Requester Handles */\n") +math(EXPR REQUESTER_MAX_INDEX "${REQUESTER_SLOT_COUNT} - 1") +foreach(INDEX RANGE ${REQUESTER_MAX_INDEX}) + list(GET LIBSPDM_TPM_REQUESTER_HANDLES ${INDEX} HANDLE) + list(GET LIBSPDM_TPM_REQUESTER_CERTCHAINS ${INDEX} CERTCHAIN) + set(KEYS_H_CONTENT "${KEYS_H_CONTENT}#define LIBSPDM_TPM_HANDLE_REQUESTER_HANDLE_SLOT_${INDEX} \"handle:${HANDLE}\"\n") + set(KEYS_H_CONTENT "${KEYS_H_CONTENT}#define LIBSPDM_TPM_HANDLE_REQUESTER_CERTCHAIN_SLOT_${INDEX} ${CERTCHAIN}\n") +endforeach() + +set(KEYS_H_CONTENT "${KEYS_H_CONTENT}\n/* TPM Responder Handles */\n") +math(EXPR RESPONDER_MAX_INDEX "${RESPONDER_SLOT_COUNT} - 1") +foreach(INDEX RANGE ${RESPONDER_MAX_INDEX}) + list(GET LIBSPDM_TPM_RESPONDER_HANDLES ${INDEX} HANDLE) + list(GET LIBSPDM_TPM_RESPONDER_CERTCHAINS ${INDEX} CERTCHAIN) + set(KEYS_H_CONTENT "${KEYS_H_CONTENT}#define LIBSPDM_TPM_HANDLE_RESPONDER_HANDLE_SLOT_${INDEX} \"handle:${HANDLE}\"\n") + set(KEYS_H_CONTENT "${KEYS_H_CONTENT}#define LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_${INDEX} ${CERTCHAIN}\n") +endforeach() + +# Write the generated keys.h file +file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/keys.h "${KEYS_H_CONTENT}") + add_library(spdm_device_secret_lib_tpm STATIC "") target_include_directories(spdm_device_secret_lib_tpm PRIVATE + ${CMAKE_CURRENT_BINARY_DIR} ${LIBSPDM_DIR}/os_stub/spdm_device_secret_lib_tpm ${LIBSPDM_DIR}/include ${LIBSPDM_DIR}/include/hal @@ -26,6 +87,7 @@ target_sources(spdm_device_secret_lib_tpm ../spdm_device_secret_lib_sample/read_special_cert.c ../spdm_device_secret_lib_sample/set_cert.c sign.c + ${CMAKE_CURRENT_BINARY_DIR}/keys.h ) if ((ARCH STREQUAL "arm") OR (ARCH STREQUAL "aarch64")) diff --git a/os_stub/spdm_device_secret_lib_tpm/csr.c b/os_stub/spdm_device_secret_lib_tpm/csr.c index f40297b4902..2fde0fd1a3a 100644 --- a/os_stub/spdm_device_secret_lib_tpm/csr.c +++ b/os_stub/spdm_device_secret_lib_tpm/csr.c @@ -17,6 +17,7 @@ #include "library/memlib.h" #include "internal/libspdm_device_secret_lib.h" #include "internal/libspdm_common_lib.h" +#include "library/spdm_crypt_lib.h" #include "library/spdm_crypt_ext_lib.h" #include "keys.h" @@ -116,19 +117,37 @@ bool libspdm_gen_csr_without_reset(uint32_t base_hash_algo, uint32_t base_asym_a csr_buffer_size = *csr_len; void *cert; + const uint8_t *x509_ca_cert_der; void *x509_ca_cert; + size_t x509_ca_cert_len; size_t cert_size; - if (!libspdm_tpm_get_pvt_key_handle(TPM_RESP_HANDLE, &context)) { - return false; + context = NULL; + cert = NULL; + x509_ca_cert_der = NULL; + x509_ca_cert = NULL; + result = false; + + if (!libspdm_tpm_get_pvt_key_handle(LIBSPDM_TPM_HANDLE_RESPONDER_HANDLE_SLOT_0, &context)) { + LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "failed to load TPM responder key handle for CSR\n")); + goto cleanup; + } + + if (!libspdm_tpm_read_nv(LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_0, &cert, &cert_size)) { + LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "failed to read TPM responder cert chain for CSR\n")); + goto cleanup; } - if (!libspdm_tpm_read_nv(TPM_RESP_CERT, &cert, &cert_size)) { - return false; + if (!libspdm_x509_get_cert_from_cert_chain(cert, cert_size, -1, &x509_ca_cert_der, + &x509_ca_cert_len)) { + LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "failed to parse TPM responder cert chain for CSR\n")); + goto cleanup; } - if (!libspdm_x509_construct_certificate(cert, cert_size, (uint8_t**)&x509_ca_cert)) { - return false; + if (!libspdm_x509_construct_certificate(x509_ca_cert_der, x509_ca_cert_len, + (uint8_t **)&x509_ca_cert)) { + LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "failed to construct X509 responder leaf cert for CSR\n")); + goto cleanup; } hash_nid = libspdm_get_hash_nid(base_hash_algo); @@ -140,12 +159,26 @@ bool libspdm_gen_csr_without_reset(uint32_t base_hash_algo, uint32_t base_asym_a result = libspdm_gen_x509_csr(hash_nid, asym_nid, pqc_asym_nid, requester_info, requester_info_length, !is_device_cert_model, context, subject_name, csr_len, csr_pointer, x509_ca_cert); + if (!result) { + LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "failed to generate TPM-backed X509 CSR\n")); + } if (csr_buffer_size < *csr_len) { LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,"csr buffer is too small to store generated csr! \n")); result = false; } +cleanup: + if (context != NULL) { + libspdm_asym_free(base_asym_algo, context); + } + if (cert != NULL) { + free(cert); + } + if (x509_ca_cert != NULL) { + libspdm_x509_free(x509_ca_cert); + } + return result; } diff --git a/os_stub/spdm_device_secret_lib_tpm/keys.h b/os_stub/spdm_device_secret_lib_tpm/keys.h deleted file mode 100644 index 34533f406b0..00000000000 --- a/os_stub/spdm_device_secret_lib_tpm/keys.h +++ /dev/null @@ -1,25 +0,0 @@ -/** - * Copyright Notice: - * Copyright 2024-2025 DMTF. All rights reserved. - * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md - **/ - -#pragma once - -#define TPM_ROOT_CTX 0x81000000 -#define TPM_ROOT_KEY 0x81000001 - -#define TPM_REQU_CTX 0x81000010 -#define TPM_REQU_KEY 0x81000011 -#define TPM_REQU_HANDLE "handle:0x81000011" - -#define TPM_RESP_CTX 0x81000020 -#define TPM_RESP_KEY 0x81000021 -#define TPM_RESP_HANDLE "handle:0x81000021" - -#define TPM_ROOT_CERT 0x1500000 -#define TPM_REQU_CERT 0x1500010 -#define TPM_RESP_CERT 0x1500020 - -#define TPM_REQU_CERT_CHAIN 0x1500011 -#define TPM_RESP_CERT_CHAIN 0x1500021 diff --git a/os_stub/spdm_device_secret_lib_tpm/read_pub_cert.c b/os_stub/spdm_device_secret_lib_tpm/read_pub_cert.c index 5c3a69a1b1b..7e008497116 100644 --- a/os_stub/spdm_device_secret_lib_tpm/read_pub_cert.c +++ b/os_stub/spdm_device_secret_lib_tpm/read_pub_cert.c @@ -20,47 +20,59 @@ #include "library/spdm_crypt_ext_lib.h" #include "keys.h" -static bool get_certificate(uint32_t index, uint32_t base_hash_algo, uint32_t base_asym_algo, void **data, - size_t *size, void **hash, size_t *hash_size) +static bool get_root_certificate_from_chain(uint32_t chain_index, uint32_t base_hash_algo, + uint32_t base_asym_algo, void **data, + size_t *size, void **hash, size_t *hash_size) { bool result; - void *cert; - size_t cert_size; - spdm_cert_chain_t *cert_chain; + void *cert_chain_data; size_t cert_chain_size; + const uint8_t *root_cert; + size_t root_cert_len; + spdm_cert_chain_t *cert_chain; + size_t output_cert_chain_size; size_t digest_size; if (!libspdm_tpm_device_init()) return false; - result = libspdm_tpm_read_nv(index, &cert, &cert_size); + result = libspdm_tpm_read_nv(chain_index, &cert_chain_data, &cert_chain_size); if (!result) return false; + /* Extract root certificate from chain */ + result = libspdm_x509_get_cert_from_cert_chain(cert_chain_data, cert_chain_size, 0, + &root_cert, &root_cert_len); + if (!result) { + free(cert_chain_data); + return false; + } + digest_size = libspdm_get_hash_size(base_hash_algo); - cert_chain_size = sizeof(spdm_cert_chain_t) + digest_size + cert_size; - cert_chain = (void *)malloc(cert_chain_size); + /* Create cert chain with just root cert */ + output_cert_chain_size = sizeof(spdm_cert_chain_t) + digest_size + root_cert_len; + cert_chain = (void *)malloc(output_cert_chain_size); if (cert_chain == NULL){ - result = false; - goto cleanup_cert; + free(cert_chain_data); + return false; } - cert_chain->length = (uint32_t)cert_chain_size; + cert_chain->length = (uint32_t)output_cert_chain_size; - result = libspdm_hash_all(base_hash_algo, cert, cert_size, + result = libspdm_hash_all(base_hash_algo, root_cert, root_cert_len, (uint8_t *)(cert_chain + 1)); if (!result){ - result = false; free(cert_chain); - goto cleanup_cert; + free(cert_chain_data); + return false; } libspdm_copy_mem((uint8_t *)cert_chain + sizeof(spdm_cert_chain_t) + digest_size, - cert_chain_size - (sizeof(spdm_cert_chain_t) + digest_size), - cert, cert_size); + output_cert_chain_size - (sizeof(spdm_cert_chain_t) + digest_size), + root_cert, root_cert_len); *data = cert_chain; - *size = cert_chain_size; + *size = output_cert_chain_size; if (hash != NULL) *hash = (cert_chain + 1); @@ -68,10 +80,55 @@ static bool get_certificate(uint32_t index, uint32_t base_hash_algo, uint32_t ba if (hash_size != NULL) *hash_size = digest_size; -cleanup_cert: - free(cert); + free(cert_chain_data); + return true; +} - return result; +static bool get_leaf_certificate_from_chain(uint32_t chain_index, uint32_t base_asym_algo, + void **data, size_t *size) +{ + bool result; + void *cert_chain_data; + size_t cert_chain_size; + const uint8_t *leaf_cert; + size_t leaf_cert_len; + int32_t cert_count; + + if (!libspdm_tpm_device_init()) + return false; + + result = libspdm_tpm_read_nv(chain_index, &cert_chain_data, &cert_chain_size); + if (!result) + return false; + + /* Get certificate count */ + cert_count = libspdm_x509_get_cert_from_cert_chain(cert_chain_data, cert_chain_size, -1, + NULL, NULL); + if (cert_count <= 0) { + free(cert_chain_data); + return false; + } + + /* Extract leaf certificate (last in chain) */ + result = libspdm_x509_get_cert_from_cert_chain(cert_chain_data, cert_chain_size, + cert_count - 1, &leaf_cert, &leaf_cert_len); + if (!result) { + free(cert_chain_data); + return false; + } + + /* Allocate and copy leaf cert */ + *data = malloc(leaf_cert_len); + if (*data == NULL) { + free(cert_chain_data); + return false; + } + + libspdm_copy_mem(*data, leaf_cert_len, leaf_cert, leaf_cert_len); + *size = leaf_cert_len; + + free(cert_chain_data); + return true; } static bool get_certificate_chain(uint32_t index, uint32_t base_hash_algo, uint32_t base_asym_algo, void **data, @@ -149,37 +206,29 @@ bool libspdm_read_requester_root_public_certificate(uint32_t base_hash_algo, void **hash, size_t *hash_size) { - return get_certificate(TPM_ROOT_CERT, base_hash_algo, base_asym_algo, data, size, hash, hash_size); + return get_root_certificate_from_chain(LIBSPDM_TPM_HANDLE_REQUESTER_CERTCHAIN_SLOT_0, + base_hash_algo, base_asym_algo, data, size, hash, hash_size); } bool libspdm_read_requester_public_certificate_chain( uint32_t base_hash_algo, uint16_t req_base_asym_alg, void **data, size_t *size, void **hash, size_t *hash_size) { - return get_certificate_chain(TPM_REQU_CERT_CHAIN, base_hash_algo, req_base_asym_alg, data, size, hash, + return get_certificate_chain(LIBSPDM_TPM_HANDLE_REQUESTER_CERTCHAIN_SLOT_0, base_hash_algo, req_base_asym_alg, data, + size, hash, hash_size, false, true); } bool libspdm_read_responder_certificate(uint32_t base_asym_algo, void **data, size_t *size) { - bool result; - void *cert; - size_t cert_size; - if (base_asym_algo != SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256){ LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "unsupported asym algo %d\n", base_asym_algo)); return false; } - if (!libspdm_tpm_device_init()) - return false; - - result = libspdm_tpm_read_nv(TPM_RESP_CERT, &cert, &cert_size); - if (!result) - return false; - - return true; + return get_leaf_certificate_from_chain(LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_0, + base_asym_algo, data, size); } bool libspdm_read_responder_root_public_certificate(uint32_t base_hash_algo, @@ -188,14 +237,16 @@ bool libspdm_read_responder_root_public_certificate(uint32_t base_hash_algo, void **hash, size_t *hash_size) { - return get_certificate(TPM_ROOT_CERT, base_hash_algo, base_asym_algo, data, size, hash, hash_size); + return get_root_certificate_from_chain(LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_0, + base_hash_algo, base_asym_algo, data, size, hash, hash_size); } bool libspdm_read_responder_public_certificate_chain( uint32_t base_hash_algo, uint32_t base_asym_algo, void **data, size_t *size, void **hash, size_t *hash_size) { - return get_certificate_chain(TPM_RESP_CERT_CHAIN, base_hash_algo, base_asym_algo, data, size, hash, hash_size, + return get_certificate_chain(LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_0, base_hash_algo, base_asym_algo, data, + size, hash, hash_size, false, true); } @@ -206,14 +257,127 @@ bool libspdm_read_responder_root_public_certificate_slot(uint8_t slot_id, void **hash, size_t *hash_size) { - return get_certificate(TPM_ROOT_CERT, base_hash_algo, base_asym_algo, data, size, hash, hash_size); + uint32_t chain_index; + + /* Validate slot_id against configured slot count */ + if (slot_id >= LIBSPDM_TPM_RESPONDER_SLOT_COUNT) { + LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "invalid slot_id %d (max: %d)\n", + slot_id, LIBSPDM_TPM_RESPONDER_SLOT_COUNT - 1)); + return false; + } + + /* Dynamic slot lookup using preprocessor concatenation */ + switch (slot_id) { +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 0 + case 0: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_0; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 1 + case 1: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_1; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 2 + case 2: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_2; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 3 + case 3: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_3; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 4 + case 4: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_4; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 5 + case 5: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_5; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 6 + case 6: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_6; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 7 + case 7: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_7; + break; +#endif + default: + LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "invalid slot_id %d\n", slot_id)); + return false; + } + + return get_root_certificate_from_chain(chain_index, base_hash_algo, base_asym_algo, + data, size, hash, hash_size); } bool libspdm_read_responder_public_certificate_chain_per_slot( uint8_t slot_id, uint32_t base_hash_algo, uint32_t base_asym_algo, void **data, size_t *size, void **hash, size_t *hash_size) { - return get_certificate_chain(TPM_RESP_CERT_CHAIN, base_hash_algo, base_asym_algo, data, size, hash, hash_size, + uint32_t chain_index; + + /* Validate slot_id against configured slot count */ + if (slot_id >= LIBSPDM_TPM_RESPONDER_SLOT_COUNT) { + LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "invalid slot_id %d (max: %d)\n", + slot_id, LIBSPDM_TPM_RESPONDER_SLOT_COUNT - 1)); + return false; + } + + /* Dynamic slot lookup using preprocessor concatenation */ + switch (slot_id) { +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 0 + case 0: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_0; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 1 + case 1: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_1; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 2 + case 2: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_2; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 3 + case 3: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_3; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 4 + case 4: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_4; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 5 + case 5: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_5; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 6 + case 6: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_6; + break; +#endif +#if LIBSPDM_TPM_RESPONDER_SLOT_COUNT > 7 + case 7: + chain_index = LIBSPDM_TPM_HANDLE_RESPONDER_CERTCHAIN_SLOT_7; + break; +#endif + default: + LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "invalid slot_id %d\n", slot_id)); + return false; + } + + return get_certificate_chain(chain_index, base_hash_algo, base_asym_algo, data, size, hash, hash_size, false, true); } diff --git a/os_stub/spdm_device_secret_lib_tpm/sign.c b/os_stub/spdm_device_secret_lib_tpm/sign.c index dc7b0920802..ae68744956a 100644 --- a/os_stub/spdm_device_secret_lib_tpm/sign.c +++ b/os_stub/spdm_device_secret_lib_tpm/sign.c @@ -36,7 +36,7 @@ bool libspdm_requester_data_sign( LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Loading TPM device")); libspdm_tpm_device_init(); - result = libspdm_tpm_get_pvt_key_handle(TPM_REQU_HANDLE, &context); + result = libspdm_tpm_get_pvt_key_handle(LIBSPDM_TPM_HANDLE_REQUESTER_HANDLE_SLOT_0, &context); if (!result){ LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "Failed to load requester handle")); return false; @@ -70,7 +70,7 @@ bool libspdm_responder_data_sign( bool result = false; libspdm_tpm_device_init(); - result = libspdm_tpm_get_pvt_key_handle(TPM_RESP_HANDLE, &context); + result = libspdm_tpm_get_pvt_key_handle(LIBSPDM_TPM_HANDLE_RESPONDER_HANDLE_SLOT_0, &context); if (!result){ LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "Failed to load responder handle")); return false;