xref: /illumos-gate/usr/src/cmd/cmd-crypto/tpmadm/admin_cmds.c (revision 304d8f901e34de2a80ef006bfa8a8a927d23d56c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <unistd.h>
28 #include <stdlib.h>
29 #include <stdio.h>
30 #include <strings.h>
31 #include <fcntl.h>
32 #include <sys/types.h>
33 #include <netinet/in.h>
34 #include <inttypes.h>
35 #include <sha1.h>
36 #include <uuid/uuid.h>
37 #include <sys/stat.h>
38 #include <libintl.h>
39 
40 #include <tss/tss_defines.h>
41 #include <tss/tspi.h>
42 
43 #include "tpmadm.h"
44 
45 int cmd_status(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[]);
46 int cmd_init(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[]);
47 int cmd_clear(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[]);
48 int cmd_auth(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[]);
49 int cmd_keyinfo(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[]);
50 int cmd_deletekey(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[]);
51 
52 cmdtable_t commands[] = {
53 	{"status", "", cmd_status},
54 	{"init", "", cmd_init},
55 	{"clear", "[owner | lock]", cmd_clear},
56 	{"auth", "", cmd_auth},
57 	{"keyinfo", "[uuid]", cmd_keyinfo},
58 	{"deletekey", "uuid", cmd_deletekey},
59 	{NULL, NULL, NULL},
60 };
61 
62 BYTE well_known[] = TSS_WELL_KNOWN_SECRET;
63 TSS_UUID srk_uuid = TSS_UUID_SRK;
64 
65 
66 /*
67  * TPM status
68  */
69 
70 static int
71 print_tpm_version(TSS_HCONTEXT hContext, TSS_HOBJECT hTPM)
72 {
73 	struct {
74 		TPM_CAP_VERSION_INFO vers_info;
75 		char extra[20]; /* vendor extensions */
76 	} info;
77 
78 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_VERSION_VAL,
79 	    0, &info, sizeof (info)))
80 		return (ERR_FAIL);
81 
82 	(void) printf(gettext("TPM Version: %d.%d (%c%c%c%c Rev: %d.%d, "
83 	    "SpecLevel: %d, ErrataRev: %d)\n"),
84 	    info.vers_info.version.major,
85 	    info.vers_info.version.minor,
86 	    info.vers_info.tpmVendorID[0],
87 	    info.vers_info.tpmVendorID[1],
88 	    info.vers_info.tpmVendorID[2],
89 	    info.vers_info.tpmVendorID[3],
90 	    info.vers_info.version.revMajor,
91 	    info.vers_info.version.revMinor,
92 	    (int)ntohs(info.vers_info.specLevel),
93 	    info.vers_info.errataRev);
94 
95 	return (0);
96 }
97 
98 static int
99 tpm_is_owned(TSS_HCONTEXT hContext, TSS_HOBJECT hTPM)
100 {
101 	BYTE owned;
102 
103 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
104 	    TSS_TPMCAP_PROP_OWNER, &owned, sizeof (owned)))
105 		return (0);
106 
107 	return (owned);
108 }
109 
110 static int
111 print_tpm_resources(TSS_HCONTEXT hContext, TSS_HOBJECT hTPM)
112 {
113 	UINT32 avail, max;
114 
115 	(void) printf(gettext("TPM resources\n"));
116 
117 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
118 	    TSS_TPMCAP_PROP_MAXCONTEXTS, &max, sizeof (max)))
119 		return (ERR_FAIL);
120 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
121 	    TSS_TPMCAP_PROP_CONTEXTS, &avail, sizeof (avail)))
122 		return (ERR_FAIL);
123 	(void) printf(gettext("\tContexts: %d/%d available\n"), avail, max);
124 
125 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
126 	    TSS_TPMCAP_PROP_MAXSESSIONS, &max, sizeof (max)))
127 		return (ERR_FAIL);
128 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
129 	    TSS_TPMCAP_PROP_SESSIONS, &avail, sizeof (avail)))
130 		return (ERR_FAIL);
131 	(void) printf(gettext("\tSessions: %d/%d available\n"), avail, max);
132 
133 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
134 	    TSS_TPMCAP_PROP_MAXAUTHSESSIONS, &max, sizeof (max)))
135 		return (ERR_FAIL);
136 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
137 	    TSS_TPMCAP_PROP_AUTHSESSIONS, &avail, sizeof (avail)))
138 		return (ERR_FAIL);
139 	(void) printf(gettext("\tAuth Sessions: %d/%d available\n"),
140 	    avail, max);
141 
142 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
143 	    TSS_TPMCAP_PROP_MAXKEYS, &max, sizeof (max)))
144 		return (ERR_FAIL);
145 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
146 	    TSS_TPMCAP_PROP_KEYS, &avail, sizeof (avail)))
147 		return (ERR_FAIL);
148 	(void) printf(gettext("\tLoaded Keys: %d/%d available\n"), avail, max);
149 
150 	return (0);
151 }
152 
153 static int
154 print_tpm_pcrs(TSS_HCONTEXT hContext, TSS_HOBJECT hTPM)
155 {
156 	UINT32 num_pcrs;
157 	int i;
158 
159 	if (get_tpm_capability(hContext, hTPM, TSS_TPMCAP_PROPERTY,
160 	    TSS_TPMCAP_PROP_PCR, &num_pcrs, sizeof (num_pcrs)))
161 		return (ERR_FAIL);
162 	(void) printf(gettext("Platform Configuration Registers (%u)\n"),
163 	    num_pcrs);
164 
165 	/* Print each PCR */
166 	for (i = 0; i < num_pcrs; i++) {
167 		TSS_RESULT ret;
168 		UINT32 datalen;
169 		BYTE *data;
170 
171 		ret = Tspi_TPM_PcrRead(hTPM, i, &datalen, &data);
172 		if (ret) {
173 			print_error(ret, gettext("Read PCR"));
174 			return (ret);
175 		}
176 
177 		(void) printf("\tPCR %u:\t", i);
178 		print_bytes(data, datalen, FALSE);
179 
180 		ret = Tspi_Context_FreeMemory(hContext, data);
181 		if (ret) {
182 			print_error(ret, gettext("Free PCR memory"));
183 			return (ret);
184 		}
185 	}
186 	return (0);
187 }
188 
189 /*ARGSUSED*/
190 int
191 cmd_status(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
192 {
193 	if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP, NULL, 0, NULL))
194 		return (ERR_FAIL);
195 
196 	(void) print_tpm_version(hContext, hTPM);
197 	if (tpm_is_owned(hContext, hTPM)) {
198 		(void) print_tpm_resources(hContext, hTPM);
199 		(void) print_tpm_pcrs(hContext, hTPM);
200 	} else {
201 		(void) printf(gettext("No TPM owner installed.\n"));
202 	}
203 
204 	return (0);
205 }
206 
207 
208 /*
209  * Key Information
210  */
211 
212 typedef struct {
213 	UINT32 code;
214 	char *str;
215 } decode_map_t;
216 
217 decode_map_t key_usage[] = {
218 	{ TSS_KEYUSAGE_SIGN, "Signing" },
219 	{ TSS_KEYUSAGE_STORAGE, "Storage" },
220 	{ TSS_KEYUSAGE_IDENTITY, "Identity" },
221 	{ TSS_KEYUSAGE_AUTHCHANGE, "Authchange" },
222 	{ TSS_KEYUSAGE_BIND, "Bind" },
223 	{ TSS_KEYUSAGE_LEGACY, "Legacy" },
224 	{ TSS_KEYUSAGE_MIGRATE, "Migrate" },
225 	{ 0, NULL },
226 };
227 
228 decode_map_t key_algorithm[] = {
229 	{ TSS_ALG_RSA, "RSA" },
230 	{ TSS_ALG_DES, "DES" },
231 	{ TSS_ALG_3DES, "3-DES" },
232 	{ TSS_ALG_SHA, "SHA" },
233 	{ TSS_ALG_HMAC, "HMAC" },
234 	{ TSS_ALG_AES, "AES" },
235 	{ TSS_ALG_MGF1, "MGF1" },
236 	{ TSS_ALG_AES192, "AES192" },
237 	{ TSS_ALG_AES256, "AES256" },
238 	{ TSS_ALG_XOR, "XOR" },
239 	{ 0, NULL },
240 };
241 
242 decode_map_t key_sigscheme[] = {
243 	{ TSS_SS_NONE, "None" },
244 	{ TSS_SS_RSASSAPKCS1V15_SHA1, "RSASSAPKCS1v15_SHA1" },
245 	{ TSS_SS_RSASSAPKCS1V15_DER, "RSASSAPKCS1v15_DER" },
246 	{ 0, NULL },
247 };
248 
249 decode_map_t key_encscheme[] = {
250 	{ TSS_ES_NONE, "None" },
251 	{ TSS_ES_RSAESPKCSV15, "RSAESPKCSv15" },
252 	{ TSS_ES_RSAESOAEP_SHA1_MGF1, "RSAESOAEP_SHA1_MGF1" },
253 	{ TSS_ES_SYM_CNT, "SYM_CNT" },
254 	{ TSS_ES_SYM_OFB, "SYM_OFB" },
255 	{ 0, NULL },
256 };
257 
258 static char *
259 decode(decode_map_t *table, UINT32 code)
260 {
261 	static char buf[20];
262 	int i;
263 
264 	for (i = 0; table[i].str != NULL; i++) {
265 		if (table[i].code == code)
266 			return (table[i].str);
267 	}
268 
269 	(void) snprintf(buf, sizeof (buf), gettext("Unknown (%u)"), code);
270 	return (buf);
271 }
272 
273 static void
274 print_key_info(TSS_HCONTEXT hContext, TSS_HOBJECT hKey)
275 {
276 	TSS_RESULT ret;
277 	UINT32 attrib;
278 	UINT32 keyInfoSize;
279 	BYTE *keyInfo;
280 
281 	/* Key size */
282 	ret = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
283 	    TSS_TSPATTRIB_KEYINFO_SIZE, &attrib);
284 	if (ret) {
285 		print_error(ret, gettext("Get key size"));
286 	}
287 	(void) printf(gettext("Key Size: %d bits\n"), attrib);
288 
289 	/* Key usage */
290 	ret = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
291 	    TSS_TSPATTRIB_KEYINFO_USAGE, &attrib);
292 	if (ret) {
293 		print_error(ret, gettext("Get key usage"));
294 	}
295 	(void) printf(gettext("Key Usage: %s\n"), decode(key_usage, attrib));
296 
297 	/* Algorithm */
298 	ret = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
299 	    TSS_TSPATTRIB_KEYINFO_ALGORITHM, &attrib);
300 	if (ret) {
301 		print_error(ret, gettext("Get key algorithm"));
302 	}
303 	(void) printf(gettext("Algorithm: %s\n"),
304 	    decode(key_algorithm, attrib));
305 
306 	/* Authorization required */
307 	ret = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
308 	    TSS_TSPATTRIB_KEYINFO_AUTHUSAGE, &attrib);
309 	if (ret) {
310 		print_error(ret, gettext("Get key authusage"));
311 	}
312 	(void) printf(gettext("Authorization required: %s\n"),
313 	    attrib ? gettext("Yes") : gettext("No"));
314 
315 	/* Signature scheme */
316 	ret = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
317 	    TSS_TSPATTRIB_KEYINFO_SIGSCHEME, &attrib);
318 	if (ret) {
319 		print_error(ret, gettext("Get key signature scheme"));
320 	}
321 	(void) printf(gettext("Signature scheme: %s\n"),
322 	    decode(key_sigscheme, attrib));
323 
324 	/* Encoding scheme */
325 	ret = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
326 	    TSS_TSPATTRIB_KEYINFO_ENCSCHEME, &attrib);
327 	if (ret) {
328 		print_error(ret, gettext("Get key encoding scheme"));
329 	}
330 	(void) printf(gettext("Encoding scheme: %s\n"),
331 	    decode(key_encscheme, attrib));
332 
333 	/* Key blob */
334 	ret = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB,
335 	    TSS_TSPATTRIB_KEYBLOB_BLOB, &keyInfoSize, &keyInfo);
336 	if (ret) {
337 		print_error(ret, gettext("Get key blob"));
338 	}
339 	(void) printf(gettext("TPM Key Blob:\n"));
340 	print_bytes(keyInfo, keyInfoSize, TRUE);
341 	ret = Tspi_Context_FreeMemory(hContext, keyInfo);
342 	if (ret) {
343 		print_error(ret, gettext("Free key info buffer"));
344 	}
345 }
346 
347 typedef struct hash_node {
348 	struct hash_node *next, *sibling, *child;
349 	TSS_UUID uuid;
350 	TSS_KM_KEYINFO2 *key_data;
351 } hash_node_t;
352 
353 #define	HASHSIZE 17
354 hash_node_t *hash_table[HASHSIZE];
355 
356 static hash_node_t *
357 hash_insert(TSS_UUID uuid, TSS_KM_KEYINFO2 *key_data)
358 {
359 	UINT32 i, index = 0;
360 	hash_node_t *node;
361 	char *cp;
362 
363 	cp = (char *)&uuid;
364 	for (i = 0; i < sizeof (TSS_UUID); i++)
365 		index += cp[i];
366 	index = index % HASHSIZE;
367 
368 	for (node = hash_table[index]; node != NULL; node = node->next) {
369 		if (memcmp(&(node->uuid), &uuid, sizeof (TSS_UUID)) == 0)
370 			break;
371 	}
372 
373 	if (node == NULL) {
374 		node = calloc(1, sizeof (hash_node_t));
375 		node->uuid = uuid;
376 		node->next = hash_table[index];
377 		hash_table[index] = node;
378 	}
379 	if (node->key_data == NULL)
380 		node->key_data = key_data;
381 
382 	return (node);
383 }
384 
385 static void
386 add_child(hash_node_t *parent, hash_node_t *child)
387 {
388 	hash_node_t *node;
389 
390 	for (node = parent->child; node != NULL; node = node->next) {
391 		if (node == child)
392 			return;
393 	}
394 
395 	child->sibling = parent->child;
396 	parent->child = child;
397 }
398 
399 static void
400 print_all(hash_node_t *parent, int indent)
401 {
402 	char uuidstr[UUID_PRINTABLE_STRING_LENGTH];
403 	hash_node_t *node;
404 	char *type, *loaded;
405 
406 	uuid_unparse(*(uuid_t *)&parent->uuid, uuidstr);
407 	type = (parent->key_data->persistentStorageType == TSS_PS_TYPE_USER) ?
408 	    "USER" : "SYSTEM";
409 	loaded = parent->key_data->fIsLoaded ? "(loaded)" : "";
410 	(void) printf("%*s[%s] %s %s\n", indent, "",
411 	    type, uuidstr, loaded);
412 
413 	for (node = parent->child; node != NULL; node = node->sibling)
414 		print_all(node, indent + 4);
415 }
416 
417 /*ARGSUSED*/
418 int
419 cmd_keyinfo(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
420 {
421 	TSS_RESULT ret;
422 	UINT32 i, num_keys;
423 	TSS_KM_KEYINFO2 *keys;
424 	hash_node_t *parent, *child, *srk = NULL;
425 	TSS_HKEY hKey;
426 	union {
427 		uuid_t arr_uuid;
428 		TSS_UUID tss_uuid;
429 	} uuid;
430 
431 	switch (argc) {
432 	case 1:
433 		/* Print key hierarchy */
434 		ret = Tspi_Context_GetRegisteredKeysByUUID2(hContext,
435 		    TSS_PS_TYPE_USER, NULL, &num_keys, &keys);
436 		if (ret) {
437 			print_error(ret, gettext("Get key hierarchy"));
438 			return (ERR_FAIL);
439 		}
440 
441 		for (i = 0; i < num_keys; i++) {
442 			parent = hash_insert(keys[i].parentKeyUUID, NULL);
443 			child = hash_insert(keys[i].keyUUID, &keys[i]);
444 			add_child(parent, child);
445 			if (memcmp(&(keys[i].keyUUID), &srk_uuid,
446 			    sizeof (TSS_UUID)) == 0)
447 				srk = child;
448 		}
449 
450 		if (srk != NULL)
451 			print_all(srk, 0);
452 		ret = Tspi_Context_FreeMemory(hContext, (BYTE *) keys);
453 		if (ret) {
454 			print_error(ret, gettext("Free key list"));
455 			return (ERR_FAIL);
456 		}
457 		return (0);
458 
459 	case 2:
460 		/* Print detailed info about a single key */
461 		if (uuid_parse(argv[1], uuid.arr_uuid))
462 			return (ERR_FAIL);
463 		ret = Tspi_Context_GetKeyByUUID(hContext, TSS_PS_TYPE_USER,
464 		    uuid.tss_uuid, &hKey);
465 		if (ret == TSP_ERROR(TSS_E_PS_KEY_NOTFOUND)) {
466 			ret = Tspi_Context_GetKeyByUUID(hContext,
467 			    TSS_PS_TYPE_SYSTEM, uuid.tss_uuid, &hKey);
468 		}
469 		if (ret) {
470 			print_error(ret, gettext("Get key by UUID"));
471 			return (ERR_FAIL);
472 		}
473 		print_key_info(hContext, hKey);
474 		return (0);
475 
476 	default:
477 		(void) fprintf(stderr, gettext("Usage:\n"));
478 		(void) fprintf(stderr, "\tkeyinfo [uuid]\n");
479 		return (ERR_USAGE);
480 	}
481 }
482 
483 /*ARGSUSED*/
484 int
485 cmd_deletekey(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
486 {
487 	TSS_RESULT ret;
488 	TSS_HOBJECT hKey;
489 	union {
490 		uuid_t arr_uuid;
491 		TSS_UUID tss_uuid;
492 	} uuid;
493 
494 	if (argc < 2) {
495 		(void) fprintf(stderr, gettext("Usage:\n"));
496 		(void) fprintf(stderr, "\tdeletekey [uuid]\n");
497 		return (ERR_USAGE);
498 	}
499 	if (uuid_parse(argv[1], uuid.arr_uuid))
500 		return (ERR_FAIL);
501 	ret = Tspi_Context_UnregisterKey(hContext, TSS_PS_TYPE_USER,
502 	    uuid.tss_uuid, &hKey);
503 	if (ret == TSP_ERROR(TSS_E_PS_KEY_NOTFOUND)) {
504 		ret = Tspi_Context_UnregisterKey(hContext, TSS_PS_TYPE_SYSTEM,
505 		    uuid.tss_uuid, &hKey);
506 	}
507 	if (ret) {
508 		print_error(ret, gettext("Unregister key"));
509 		return (ERR_FAIL);
510 	}
511 	return (0);
512 }
513 
514 /*
515  * Clear
516  */
517 
518 static int
519 clearowner(TSS_HTPM hTPM)
520 {
521 	TSS_RESULT ret;
522 
523 	if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP,
524 	    gettext("= TPM owner passphrase ="), 0, NULL))
525 		return (ERR_FAIL);
526 
527 	ret = Tspi_TPM_ClearOwner(hTPM, FALSE);
528 	if (ret) {
529 		print_error(ret, gettext("Clear TPM owner"));
530 		return (ERR_FAIL);
531 	}
532 	return (0);
533 }
534 
535 static int
536 resetlock(TSS_HTPM hTPM)
537 {
538 	TSS_RESULT ret;
539 
540 	if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP,
541 	    gettext("= TPM owner passphrase ="), 0, NULL))
542 		return (ERR_FAIL);
543 
544 	ret = Tspi_TPM_SetStatus(hTPM, TSS_TPMSTATUS_RESETLOCK, TRUE);
545 	if (ret) {
546 		print_error(ret, gettext("Reset Lock"));
547 		return (ERR_FAIL);
548 	}
549 	return (0);
550 }
551 
552 /*ARGSUSED*/
553 int
554 cmd_clear(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
555 {
556 	char *subcmd = argv[1];
557 
558 	if (subcmd && strcmp(subcmd, "lock") == 0) {
559 		return (resetlock(hTPM));
560 	} else if (subcmd && strcmp(subcmd, "owner") == 0) {
561 		return (clearowner(hTPM));
562 	} else {
563 		(void) fprintf(stderr, gettext("Usage:\n"));
564 		(void) fprintf(stderr, "\tclear owner\n");
565 		(void) fprintf(stderr, "\tclear lock\n");
566 		return (ERR_USAGE);
567 	}
568 }
569 
570 
571 /*
572  * TPM initialization
573  */
574 
575 static int
576 get_random(UINT32 size,	BYTE *randomBytes)
577 {
578 	int fd, len;
579 	BYTE *buf;
580 
581 	fd = open("/dev/random", O_RDONLY);
582 	if (fd == -1) {
583 		(void) fprintf(stderr, gettext("Unable to open /dev/random"));
584 		return (-1);
585 	}
586 
587 	buf = randomBytes;
588 	while (size > 0) {
589 		len = read(fd, buf, size);
590 		if (len <= 0) {
591 			(void) close(fd);
592 			(void) fprintf(stderr,
593 			    gettext("Error reading /dev/random"));
594 			return (-1);
595 		}
596 		size -= len;
597 		buf += len;
598 	}
599 
600 	(void) close(fd);
601 	return (0);
602 }
603 
604 static int
605 createek(TSS_HCONTEXT hContext, TSS_HTPM hTPM)
606 {
607 	TSS_RESULT ret;
608 	TSS_HOBJECT hKeyEK;
609 	TSS_VALIDATION ValidationData;
610 	TPM_NONCE nonce;
611 	TPM_DIGEST digest;
612 
613 	/* Create the empty key struct for EK */
614 	ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
615 	    (TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NON_VOLATILE |
616 	    TSS_KEY_NOT_MIGRATABLE | TSS_KEY_TYPE_STORAGE |
617 	    TSS_KEY_SIZE_2048 | TSS_KEY_NOT_CERTIFIED_MIGRATABLE |
618 	    TSS_KEY_STRUCT_KEY12 | TSS_KEY_EMPTY_KEY),
619 	    &hKeyEK);
620 	if (ret) {
621 		print_error(ret, gettext("Create endorsement key object"));
622 		return (ERR_FAIL);
623 	}
624 
625 	ValidationData.ulExternalDataLength = sizeof (nonce);
626 	ValidationData.rgbExternalData = (BYTE *) &nonce;
627 	ret = get_random(sizeof (nonce), (BYTE *) &nonce);
628 	if (ret)
629 		return (ERR_FAIL);
630 	ValidationData.ulValidationDataLength = sizeof (digest);
631 	ValidationData.rgbValidationData = (BYTE *) &digest;
632 
633 	ret = Tspi_TPM_CreateEndorsementKey(hTPM, hKeyEK, &ValidationData);
634 	if (ret) {
635 		print_error(ret, gettext("Create endorsement key"));
636 		return (ERR_FAIL);
637 	}
638 
639 	return (0);
640 }
641 
642 /*ARGSUSED*/
643 int
644 cmd_init(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
645 {
646 	TSS_RESULT ret;
647 	TSS_HOBJECT hKeySRK;
648 
649 	if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP,
650 	    gettext("= TPM owner passphrase ="), 0, NULL))
651 		return (ERR_FAIL);
652 
653 	ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
654 	    TSS_KEY_TSP_SRK | TSS_KEY_AUTHORIZATION, &hKeySRK);
655 	if (ret) {
656 		print_error(ret, gettext("Create storage root key"));
657 		return (ERR_FAIL);
658 	}
659 
660 	if (set_object_policy(hKeySRK, TSS_SECRET_MODE_SHA1, NULL,
661 	    sizeof (well_known), well_known))
662 		return (ERR_FAIL);
663 
664 	ret = Tspi_TPM_TakeOwnership(hTPM, hKeySRK, NULL);
665 	if (ret == TPM_E_NO_ENDORSEMENT) {
666 		if (createek(hContext, hTPM))
667 			return (ERR_FAIL);
668 		ret = Tspi_TPM_TakeOwnership(hTPM, hKeySRK, NULL);
669 	}
670 	if (ret) {
671 		print_error(ret, gettext("Take ownership"));
672 		return (ERR_FAIL);
673 	}
674 
675 	return (0);
676 }
677 
678 /*
679  * Auth
680  */
681 
682 /*ARGSUSED*/
683 int
684 cmd_auth(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
685 {
686 	TSS_RESULT ret;
687 	TSS_HPOLICY hNewPolicy;
688 
689 	if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP,
690 	    gettext("= TPM owner passphrase ="), 0, NULL))
691 		return (ERR_FAIL);
692 
693 	/* policy object for new passphrase */
694 	ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
695 	    TSS_POLICY_USAGE, &hNewPolicy);
696 	if (ret) {
697 		print_error(ret, gettext("Create policy object"));
698 		return (ERR_FAIL);
699 	}
700 	if (set_policy_options(hNewPolicy, TSS_SECRET_MODE_POPUP,
701 	    gettext("= New TPM owner passphrase ="), 0, NULL))
702 		return (ERR_FAIL);
703 
704 	ret = Tspi_ChangeAuth(hTPM, NULL, hNewPolicy);
705 	if (ret && ret != TSP_ERROR(TSS_E_POLICY_NO_SECRET)) {
706 		print_error(ret, gettext("Change authorization"));
707 		return (ERR_FAIL);
708 	}
709 
710 	return (0);
711 }
712