[WIP] Add initial TPM2 support to libspdm

CMakeLists.txt

@@ -36,6 +36,7 @@ set(GCOV ${GCOV} CACHE STRING "Choose the target of Gcov: ON  OFF, and default i
 set(STACK_USAGE ${STACK_USAGE} CACHE STRING "Choose the target of STACK_USAGE: ON  OFF, and default is OFF" FORCE)
 set(BUILD_LINUX_SHARED_LIB ${BUILD_LINUX_SHARED_LIB} CACHE STRING "Choose if libspdm shared library should be built for linux: ON OFF, and default is OFF" FORCE)
 set(X509_IGNORE_CRITICAL ${X509_IGNORE_CRITICAL} CACHE STRING "Choose if libspdm-provided cryptography libraries (OpenSSL and MbedTLS) ignore unsupported critical extensions in certificates : ON OFF, and default is OFF" FORCE)
+set(DEVICE ${DEVICE} CACHE STRING "Choose the test device: sample tpm, and default is sample" FORCE)
 
 if(NOT GCOV)
     set(GCOV "OFF")
@@ -53,6 +54,11 @@ if(NOT X509_IGNORE_CRITICAL)
     set(X509_IGNORE_CRITICAL "OFF")
 endif()
 
+if (NOT DEVICE)
+    set(DEVICE "sample")
+endif()
+
+
 set(LIBSPDM_DIR ${PROJECT_SOURCE_DIR})
 
 #
@@ -62,6 +68,7 @@ set(COMPILED_LIBCRYPTO_PATH ${COMPILED_LIBCRYPTO_PATH} CACHE STRING "Optionally
 set(COMPILED_LIBSSL_PATH ${COMPILED_LIBSSL_PATH} CACHE STRING "Optionally provide a path to libssl" FORCE)
 
 message("CMAKE_GENERATOR = ${CMAKE_GENERATOR}")
+message("DEVICE = ${DEVICE}")
 
 if(ARCH STREQUAL "x64")
     message("ARCH = x64")
@@ -981,7 +988,7 @@ if(ENABLE_CODEQL STREQUAL "ON")
     add_subdirectory(os_stub/platform_lib)
     add_subdirectory(os_stub/platform_lib_null)
     add_subdirectory(os_stub/malloclib)
-    add_subdirectory(os_stub/spdm_device_secret_lib_sample)
+    add_subdirectory(os_stub/spdm_device_secret_lib_${DEVICE})
     add_subdirectory(os_stub/spdm_device_secret_lib_null)
     add_subdirectory(os_stub/spdm_cert_verify_callback_sample)
     add_subdirectory(os_stub/cryptlib_null)
@@ -1020,7 +1027,7 @@ else()
         add_subdirectory(os_stub/platform_lib)
         add_subdirectory(os_stub/platform_lib_null)
         add_subdirectory(os_stub/malloclib)
-        add_subdirectory(os_stub/spdm_device_secret_lib_sample)
+        add_subdirectory(os_stub/spdm_device_secret_lib_${DEVICE})
         add_subdirectory(os_stub/spdm_device_secret_lib_null)
         add_subdirectory(os_stub/spdm_cert_verify_callback_sample)
 

include/hal/library/cryptlib/cryptlib_tpm.h

@@ -0,0 +1,24 @@
+/**
+ *  Copyright Notice:
+ *  Copyright 2021-2025 DMTF. All rights reserved.
+ *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
+ **/
+
+#ifndef __CRYPTLIB_TPM_H__
+#define __CRYPTLIB_TPM_H__
+
+#include <stdbool.h>
+
+bool libspdm_tpm_device_init();
+
+bool libspdm_tpm_get_private_key(void *handle, void **context);
+
+bool libspdm_tpm_get_public_key(void *handle, void **context);
+
+bool libspdm_tpm_get_certificate(void *handle, void **context);
+
+bool libspdm_tpm_dump_certificate(void *context, void **buffer, size_t *size);
+
+bool libspdm_tpm_read_pcr(uint32_t hash_algo, uint32_t index, void *buffer, size_t *size);
+
+#endif

os_stub/cryptlib_openssl/CMakeLists.txt

@@ -52,3 +52,10 @@ target_sources(cryptlib_openssl
 target_compile_options(cryptlib_openssl PRIVATE ${OPENSSL_FLAGS})
 
 target_link_libraries(cryptlib_openssl PUBLIC openssllib memlib)
+
+if (${DEVICE} STREQUAL "tpm")
+  target_sources(cryptlib_openssl PRIVATE
+        tpm/tpm.c
+  )
+  target_link_libraries(cryptlib_openssl PUBLIC tss2-esys tss2-tctildr)
+endif()

os_stub/cryptlib_openssl/pk/ec.c

@@ -681,6 +681,13 @@ bool libspdm_ecdsa_sign(void *ec_context, size_t hash_nid,
         return false;
     }
 
+    char buffer[4096];
+    BIO *bio = BIO_new(BIO_s_mem());
+    EVP_PKEY_print_public(bio, evp_pkey, 4, NULL);
+    int len = BIO_read(bio, (void*) buffer, sizeof(buffer));
+    buffer[len] = '\0';
+    printf("SIGN PUBLIC KEY: %s\n", buffer);
+
     half_size = evp_pkey_get_half_size(evp_pkey);
     if (*sig_size < (size_t)(half_size * 2)) {
         *sig_size = half_size * 2;
@@ -828,6 +835,13 @@ bool libspdm_ecdsa_verify(void *ec_context, size_t hash_nid,
         return false;
     }
 
+    char buffer[4096];
+    BIO *bio = BIO_new(BIO_s_mem());
+    EVP_PKEY_print_public(bio, evp_pkey, 4, NULL);
+    int len = BIO_read(bio, (void*) buffer, sizeof(buffer));
+    buffer[len] = '\0';
+    printf("VERIFY PUBLIC KEY: %s\n", buffer);
+
     half_size = evp_pkey_get_half_size(evp_pkey);
     if (sig_size != (size_t)(half_size * 2)) {
         return false;

os_stub/cryptlib_openssl/pk/x509.c

@@ -35,6 +35,26 @@
 static const uint8_t m_libspdm_oid_ext_key_usage[] = OID_EXT_KEY_USAGE;
 static const uint8_t m_libspdm_oid_basic_constraints[] = OID_BASIC_CONSTRAINTS;
 
+static void dump_hex(const char* id, const unsigned char *buf, long buflen)
+{
+    char buffer[4096];
+    const unsigned char *p = buf;
+    X509 *cert = d2i_X509(NULL, &p, buflen);
+    if (!cert) {
+        printf("Not an X.509 cert inside this ASN.1 object.\n");
+        return;
+    }
+
+    /* Print certificate */
+    BIO *bio = BIO_new(BIO_s_mem());
+    X509_print(bio, cert);
+    int s = BIO_read(bio, (void*) buffer, sizeof(buffer));
+    buffer[s] = '\0';
+    printf("%s CERT: %s\n", id, buffer);
+    X509_free(cert);
+}
+
+// 
 /**
  * Construct a X509 object from DER-encoded certificate data.
  *
@@ -2037,6 +2057,8 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l
 
         /* Verify current_cert with preceding cert;*/
 
+        dump_hex("CURRENT", current_cert, current_cert_len);
+        dump_hex("PRECEDING", preceding_cert, preceding_cert_len);
         verify_flag =
             libspdm_x509_verify_cert(current_cert, current_cert_len,
                                      preceding_cert, preceding_cert_len);
@@ -2458,6 +2480,7 @@ bool libspdm_gen_x509_csr_with_pqc(
     X509_NAME *x509_name;
     EVP_PKEY *private_key;
     EVP_PKEY *public_key;
+    bool owned_keys = false;
     EVP_MD *md;
     uint8_t *csr_p;
     STACK_OF(X509_EXTENSION) *exts;
@@ -2536,11 +2559,13 @@ bool libspdm_gen_x509_csr_with_pqc(
             EVP_PKEY_free(private_key);
             EVP_PKEY_free(public_key);
 
-            private_key = EVP_PKEY_dup(ec_pkey);
-            public_key = EVP_PKEY_dup(ec_pkey);
+            // Can't DUP hardware backed keys
+            private_key = ec_pkey;
+            public_key = ec_pkey;
             if (private_key == NULL || public_key == NULL) {
                 goto free_all;
             }
+            owned_keys = true;
             break;
         }
         case LIBSPDM_CRYPTO_NID_SM2_DSA_P256: {
@@ -2763,8 +2788,10 @@ bool libspdm_gen_x509_csr_with_pqc(
         EVP_MD_free((EVP_MD *)md);
     }
     X509_REQ_free(x509_req);
-    EVP_PKEY_free(private_key);
-    EVP_PKEY_free(public_key);
+    if (!owned_keys) {
+        EVP_PKEY_free(private_key);
+        EVP_PKEY_free(public_key);
+    }
 
     return (ret != 0);
 }