From 9a8bc170152d605b78f0baa905ffa754208d8b5f Mon Sep 17 00:00:00 2001
From: Paul-Emile Element <Paul-Emile.Element@windriver.com>
Date: Wed, 12 Dec 2018 14:08:51 -0500
Subject: [PATCH] fix tpm certificate handling

fixed handling of security certificates in tpm mode

The code that handles the installation of tpm security
certificates stopped working after recent updates to
other packages

This commit updates the code to properly work with the
current system configuration

Closes-Bug: #1808163

Change-Id: I76e10cf1ed68cfeb0ce3ee560df0c34711f57af2
Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
---
 security/stx-ssl/files/tpmdevice-setup        | 52 +++----------------
 .../tpm2-openssl-engine/e_tpm2.c              |  8 +++
 2 files changed, 15 insertions(+), 45 deletions(-)

diff --git a/security/stx-ssl/files/tpmdevice-setup b/security/stx-ssl/files/tpmdevice-setup
index 5fa10772..e47e989b 100644
--- a/security/stx-ssl/files/tpmdevice-setup
+++ b/security/stx-ssl/files/tpmdevice-setup
@@ -7,6 +7,8 @@
 
 # TPM setup (both active controller and remote)
 
+export TPM_INTERFACE_TYPE=dev
+
 CERTIFICATE_FILE="server-cert.pem"
 LOGFILE="/etc/ssl/private/.install.log"
 ORIGINAL_KEY=$1
@@ -53,8 +55,7 @@ declare -a helper_scripts=("tss2_createprimary"
                            "tss2_contextsave"
                            "tss2_evictcontrol"
                            "tss2_flushcontext"
-                           "create_tpm2_key"
-                           "resourcemgr")
+                           "create_tpm2_key")
 for src in "${helper_scripts[@]}"; do
     if ! type "$src" &>/dev/null; then
         error_exit "ERROR: Cannot find $src. Needed for TPM configuration"
@@ -62,41 +63,6 @@ for src in "${helper_scripts[@]}"; do
 done
 }
 
-startResourceMgr () {
-resourcemgr &>> $LOGFILE 2>&1 &
-
-# ensure the resourcemgr is started
-for i in {1..5}
-do
-    sleep 0.5
-    MGR_RUNNING=`pidof resourcemgr`
-    if [ ! -z $MGR_RUNNING ]; then
-        break
-    fi
-done
-[ ! -z $MGR_RUNNING ] || error_exit "Unable to start TPM resourcemgr"
-
-# check to see if the resourcemgr port is open
-IS_OPEN=0
-for i in {1..5}
-do
-   sleep 0.5
-  _test=`netstat -an | grep $RESOURCEMGR_DEFAULT_PORT | grep -i listen`
-  if [ ! -z "$_test" ]; then
-      IS_OPEN=1
-      break
-  fi
-done
-[ $IS_OPEN -ne 0 ] || error_exit "Unable to initialize resourcemgr"
-}
-
-stopResourceMgr () {
-# Kill any previous instances of resourcemgr
-pkill -c -TERM resourcemgr &> /dev/null 2>&1
-}
-
-
-
 ### Main ###
 # remove previous object context
 rm -f $TPM_OBJECT_CONTEXT &> /dev/null
@@ -115,14 +81,10 @@ if [ "$TPM_VERSION" != "2.0" ]; then
     error_exit "ERROR: TPM Device is not version 2.0 compatible"
 fi
 
-# Start the Intel ResourceMgr to clear the NV 
+# Clear the NV 
 # as well as all stale transient handles in 
 # the endorsement hierarchy.
-# Since ResourceMgr has a number of stability,
-# and security issues, we will stop it after it
-# initializes the NV and Handle space 
-startResourceMgr
-stopResourceMgr
+tss2_clear -hi l
  
 # Create the Endorsement Primary Key hierarchy which will be used
 # for wrapping the private key. Use RSA as the primary key encryption
@@ -136,14 +98,14 @@ PRIMARY_HANDLE="0x$PRIMARY_HANDLE"
 # be persistently stored in TPM NV.
 # evict the persistent handle if it exists previously
 tss2_evictcontrol -hi o -ho $TPM_KEY_HIERARCHY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE
-tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE &>> $LOGFILE
+tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE >> $LOGFILE
 [ $? -eq 0 ] || error_exit "Unable to persist Key Hierarchy in TPM memory"
 
 tss2_flushcontext -ha $PRIMARY_HANDLE
 
 # wrap the original private key in TPM's Endorsement key hierarchy
 # this will generate a TSS key blob in ASN 1 encoding
-create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT &>> $LOGFILE
+create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT >> $LOGFILE
 [ $? -eq 0 ] || error_exit "Unable to wrap provided private key into TPM Key Hierarchy"
 
 # the apps will also need to the public key, place it in
diff --git a/security/tpm2-openssl-engine/tpm2-openssl-engine/e_tpm2.c b/security/tpm2-openssl-engine/tpm2-openssl-engine/e_tpm2.c
index 5b5ca2e4..488f6a68 100644
--- a/security/tpm2-openssl-engine/tpm2-openssl-engine/e_tpm2.c
+++ b/security/tpm2-openssl-engine/tpm2-openssl-engine/e_tpm2.c
@@ -312,6 +312,14 @@ static int tpm_engine_init(ENGINE * e)
     * N.B: This assumes that the kernel-modules-tpm
     * pkg is installed with the modified tpm_crb KLM
     */
+    if ((result = p_tpm2_Set_Property(hContext, 
+                    TPM_INTERFACE_TYPE, "dev"))) {
+        DBG("Failed to set Resource Manager in context (%p): rc %d",
+            hContext, (int)result);
+        TSSerr(TPM_F_TPM_ENGINE_INIT, TPM_R_UNIT_FAILURE);
+        goto err;
+    }
+
     if ((result = p_tpm2_Set_Property(hContext, 
                     TPM_DEVICE, "/dev/tpmrm0"))) {
         DBG("Failed to set Resource Manager in context (%p): rc %d",