Skip to content

Example for Secure Boot solution to store root of trust in NV#276

Merged
jpbland1 merged 9 commits intowolfSSL:masterfrom
dgarske:secure_rot
Aug 10, 2023
Merged

Example for Secure Boot solution to store root of trust in NV#276
jpbland1 merged 9 commits intowolfSSL:masterfrom
dgarske:secure_rot

Conversation

@dgarske
Copy link
Copy Markdown
Contributor

@dgarske dgarske commented Jul 6, 2023
edited
Loading

  • TPM based toot of trust for secure boot. Provides authentication and tamper protection.
  • Fixed uses of arg= in examples
  • Add support for encrypting secret using ECC key. Allows using ECC for parameter encryption and importing ECC keys with custom seed. Requires Enable math API's for wolfTPM wolfssl#6683
  • Add support for NV lock.
  • Cleanup wrapper function order/groups.
  • Added wolfTPM2_ChangePlatformAuth wrapper to help set the platform auth. This is useful from the bootloader to make sure no one can use the platform hierarchy from application.
  • Sanitize the IO TX/RX buffers (make sure they are zero initialized).
  • Fixes for building with NO_HMAC.
  • Update wolfSSL test certs.
  • Added TPM_TIS_MAX_WAIT.
  • Fix build with WOLFTPM_DEBUG_VERBOSE only.

@dgarske dgarske self-assigned this Jul 6, 2023
@dgarske dgarske force-pushed the secure_rot branch 2 times, most recently from 3a6d7b1 to 1107654 Compare July 20, 2023 20:44
@dgarske dgarske force-pushed the secure_rot branch 3 times, most recently from a99b5a2 to 33f9873 Compare July 28, 2023 18:20
dgarske added a commit to dgarske/wolfBoot that referenced this pull request Aug 7, 2023
@dgarske
wolfBoot TPM improvements:
cebec8f 
* Added TPM SPI wait state support and debug logging.
* Added platform auth ownership (change platform password to random value before boot). Can be disabled using `WOLFBOOT_TPM_NO_CHG_PLAT_AUTH`.
* Added parameter encryption support.
* Added TPM based root of trust based on wolfSSL/wolfTPM#276
* Removed the TPM hashing feature (not practical).
* Fixed RSA with wolfTPM build.
* Fixed cleanup wolfTPM objects on make clean.
dgarske added a commit to dgarske/wolfBoot that referenced this pull request Aug 7, 2023
@dgarske
wolfBoot TPM improvements:
90c0dd5 
* Added TPM SPI wait state support and debug logging.
* Added platform auth ownership (change platform password to random value before boot). Can be disabled using `WOLFBOOT_TPM_NO_CHG_PLAT_AUTH`.
* Added parameter encryption support.
* Added TPM based root of trust based on wolfSSL/wolfTPM#276
* Removed the TPM hashing feature (not practical).
* Fixed RSA with wolfTPM build.
* Fixed cleanup wolfTPM objects on make clean.
@dgarske dgarske marked this pull request as ready for review August 7, 2023 20:18
@dgarske dgarske mentioned this pull request Aug 7, 2023
Merged
4 tasks
@dgarske dgarske force-pushed the secure_rot branch 4 times, most recently from 6e3e301 to 7c3e9f1 Compare August 8, 2023 22:50
@dgarske
Add support for encrypting secret using ECC key. Allows using ECC for…
3f29c59 
… parameter encryption and importing ECC keys with custom seed. Requires wolfSSL/wolfssl#6683
@dgarske dgarske requested a review from jpbland1 August 8, 2023 23:19
@dgarske dgarske assigned jpbland1 and dgarske and unassigned dgarske and jpbland1 Aug 8, 2023
@dgarske dgarske assigned jpbland1 and unassigned dgarske Aug 10, 2023
jpbland1
jpbland1 approved these changes Aug 10, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@jpbland1 jpbland1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed and tested, confirmed that the index is locked by running a second time to see the write fail to overwrite the locked index

@jpbland1 jpbland1 merged commit c349986 into wolfSSL:master Aug 10, 2023
dgarske added a commit to dgarske/wolfBoot that referenced this pull request Aug 10, 2023
@dgarske
wolfBoot TPM improvements:
336dab2 
* Added TPM SPI wait state support and debug logging.
* Added platform auth ownership (change platform password to random value before boot). Can be disabled using `WOLFBOOT_TPM_NO_CHG_PLAT_AUTH`.
* Added parameter encryption support.
* Added TPM based root of trust based on wolfSSL/wolfTPM#276
* Removed the TPM hashing feature (not practical).
* Fixed RSA with wolfTPM build.
* Fixed cleanup wolfTPM objects on make clean.
dgarske added a commit to dgarske/wolfBoot that referenced this pull request Aug 15, 2023
@dgarske
wolfBoot TPM improvements:
371834c 
* Added TPM SPI wait state support and debug logging.
* Added platform auth ownership (change platform password to random value before boot). Can be disabled using `WOLFBOOT_TPM_NO_CHG_PLAT_AUTH`.
* Added parameter encryption support.
* Added TPM based root of trust based on wolfSSL/wolfTPM#276
* Removed the TPM hashing feature (not practical).
* Fixed RSA with wolfTPM build.
* Fixed cleanup wolfTPM objects on make clean.
danielinux pushed a commit to wolfSSL/wolfBoot that referenced this pull request Aug 17, 2023
@dgarske @danielinux
wolfBoot TPM improvements:
69adb25 
* Added TPM SPI wait state support and debug logging.
* Added platform auth ownership (change platform password to random value before boot). Can be disabled using `WOLFBOOT_TPM_NO_CHG_PLAT_AUTH`.
* Added parameter encryption support.
* Added TPM based root of trust based on wolfSSL/wolfTPM#276
* Removed the TPM hashing feature (not practical).
* Fixed RSA with wolfTPM build.
* Fixed cleanup wolfTPM objects on make clean.
@dgarske dgarske deleted the secure_rot branch December 29, 2023 17:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jpbland1 jpbland1 jpbland1 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jpbland1 jpbland1

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dgarske @jpbland1