tools/tpm2_createek: add sm2 ek template support.

Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
tpm2-software · Dec 5, 2022 · 452c708 · 452c708
1 parent 05a5cbf
commit 452c708
Showing 1 changed file with 26 additions and 11 deletions.
diff --git a/tools/tpm2_createek.c b/tools/tpm2_createek.c
@@ -18,6 +18,7 @@
 #define RSA_EK_TEMPLATE_NV_INDEX 0x01c00004
 #define ECC_EK_NONCE_NV_INDEX 0x01c0000b
 #define ECC_EK_TEMPLATE_NV_INDEX 0x01c0000c
+#define ECC_SM2_EK_TEMPLATE_NV_INDEX 0x01c0001b
 
 #define DEFAULT_KEY_ALG "rsa2048"
 
@@ -175,7 +176,8 @@ static tool_rc init_ek_public(const char *key_alg, TPM2B_PUBLIC *public) {
     public->publicArea.authPolicy = *m->policy;
 
     if (public->publicArea.type == TPM2_ALG_ECC &&
-        public->publicArea.parameters.eccDetail.curveID == TPM2_ECC_NIST_P256) {
+        (public->publicArea.parameters.eccDetail.curveID == TPM2_ECC_NIST_P256 ||
+         public->publicArea.parameters.eccDetail.curveID == TPM2_ECC_SM2_P256)) {
         public->publicArea.unique.ecc.x.size = 32;
         public->publicArea.unique.ecc.y.size = 32;
     } else  if (public->publicArea.type == TPM2_ALG_RSA &&
@@ -195,8 +197,17 @@ static tool_rc set_ek_template(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *input_public) {
         nonce_nv_index = RSA_EK_NONCE_NV_INDEX;
         break;
     case TPM2_ALG_ECC:
-        template_nv_index = ECC_EK_TEMPLATE_NV_INDEX;
-        nonce_nv_index = ECC_EK_NONCE_NV_INDEX;
+        if (input_public->publicArea.parameters.eccDetail.curveID == TPM2_ECC_NIST_P256) {
+            template_nv_index = ECC_EK_TEMPLATE_NV_INDEX;
+            nonce_nv_index = ECC_EK_NONCE_NV_INDEX;
+        } else if (input_public->publicArea.parameters.eccDetail.curveID == TPM2_ECC_SM2_P256) {
+            template_nv_index = ECC_SM2_EK_TEMPLATE_NV_INDEX;
+            // EK Nonces SHALL NOT be Populated in any NV Index in the High Range.
+            nonce_nv_index = 0;
+        } else {
+            template_nv_index = ECC_EK_TEMPLATE_NV_INDEX;
+            nonce_nv_index = ECC_EK_NONCE_NV_INDEX;
+        }
         break;
     default:
         LOG_ERR("EK template and EK nonce for algorithm type input(%4.4x)"
@@ -228,21 +239,25 @@ static tool_rc set_ek_template(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *input_public) {
 
     // Read EK nonce
     UINT16 nonce_size = 0;
-    rc = tpm2_util_nv_read(ectx, nonce_nv_index, 0, 0,
-        &ctx.auth_owner_hierarchy.object, &nonce, &nonce_size, &cp_hash,
-        &rp_hash, TPM2_ALG_SHA256, 0, ESYS_TR_NONE, ESYS_TR_NONE, NULL);
-    if (rc != tool_rc_success) {
-        goto out;
+    if (nonce_nv_index) {
+        rc = tpm2_util_nv_read(ectx, nonce_nv_index, 0, 0,
+                &ctx.auth_owner_hierarchy.object, &nonce, &nonce_size, &cp_hash,
+                &rp_hash, TPM2_ALG_SHA256, 0, ESYS_TR_NONE, ESYS_TR_NONE, NULL);
+        if (rc != tool_rc_success) {
+            goto out;
+        }
     }
 
     if (input_public->publicArea.type == TPM2_ALG_RSA) {
         memcpy(&input_public->publicArea.unique.rsa.buffer, &nonce, nonce_size);
         input_public->publicArea.unique.rsa.size = 256;
     } else {
         // ECC is only other supported algorithm
-        memcpy(&input_public->publicArea.unique.ecc.x.buffer, &nonce, nonce_size);
-        input_public->publicArea.unique.ecc.x.size = 32;
-        input_public->publicArea.unique.ecc.y.size = 32;
+        if (nonce_size) {
+            memcpy(&input_public->publicArea.unique.ecc.x.buffer, &nonce, nonce_size);
+            input_public->publicArea.unique.ecc.x.size = 32;
+            input_public->publicArea.unique.ecc.y.size = 32;
+        }
     }
 
     out: if (template) {