Code size reduction. Adds compile-time options to exclude groups of TPM2 commands. Combined some duplicate code.

Author: dgarske

.github/workflows/make-test-swtpm.yml

@@ -116,6 +116,21 @@ jobs:
             wolftpm_config: --disable-provisioning
             needs_swtpm: false
 
+          # No NV
+          - name: no-nv
+            wolftpm_config: --disable-nv
+            needs_swtpm: false
+
+          # No PCR policy
+          - name: no-pcr-policy
+            wolftpm_config: --disable-pcr-policy
+            needs_swtpm: false
+
+          # No attestation
+          - name: no-attestation
+            wolftpm_config: --disable-attestation
+            needs_swtpm: false
+
           # Symmetric encryption
           - name: symmetric
             wolftpm_cflags: "-DWOLFTPM_USE_SYMMETRIC"

CMakeLists.txt

@@ -119,6 +119,36 @@ if(WOLFTPM_PROVISIONING)
         "-DWOLFTPM_PROVISIONING")
 endif()
 
+# NV Storage
+set(WOLFTPM_NV "yes" CACHE STRING
+    "Enable NV storage commands (default: enabled)")
+set_property(CACHE WOLFTPM_NV
+    PROPERTY STRINGS "yes;no")
+if(NOT WOLFTPM_NV)
+    list(APPEND WOLFTPM_DEFINITIONS
+        "-DWOLFTPM_NO_NV")
+endif()
+
+# PCR and Policy
+set(WOLFTPM_PCR_POLICY "yes" CACHE STRING
+    "Enable extended PCR and Policy commands (default: enabled)")
+set_property(CACHE WOLFTPM_PCR_POLICY
+    PROPERTY STRINGS "yes;no")
+if(NOT WOLFTPM_PCR_POLICY)
+    list(APPEND WOLFTPM_DEFINITIONS
+        "-DWOLFTPM_NO_PCR_POLICY")
+endif()
+
+# Attestation commands (Quote, Certify, GetTime, etc.)
+set(WOLFTPM_ATTESTATION "yes" CACHE STRING
+    "Enable attestation commands Quote/Certify/GetTime (default: enabled)")
+set_property(CACHE WOLFTPM_ATTESTATION
+    PROPERTY STRINGS "yes;no")
+if(NOT WOLFTPM_ATTESTATION)
+    list(APPEND WOLFTPM_DEFINITIONS
+        "-DWOLFTPM_NO_ATTESTATION")
+endif()
+
 # Enable Debugging
 set(WOLFTPM_DEBUG "no" CACHE STRING
     "Enables option for debug (default: disabled)")

configure.ac

@@ -462,6 +462,39 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_PROVISIONING"
 fi
 
+# NV Storage support
+AC_ARG_ENABLE([nv],
+    [AS_HELP_STRING([--enable-nv],[Enable NV storage commands (default: enabled)])],
+    [ ENABLED_NV=$enableval ],
+    [ ENABLED_NV=yes ]
+    )
+if test "x$ENABLED_NV" = "xno"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_NO_NV"
+fi
+
+# PCR and Policy support
+AC_ARG_ENABLE([pcr-policy],
+    [AS_HELP_STRING([--enable-pcr-policy],[Enable extended PCR and Policy commands (default: enabled)])],
+    [ ENABLED_PCR_POLICY=$enableval ],
+    [ ENABLED_PCR_POLICY=yes ]
+    )
+if test "x$ENABLED_PCR_POLICY" = "xno"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_NO_PCR_POLICY"
+fi
+
+# Attestation commands (Quote, Certify, GetTime, etc.)
+AC_ARG_ENABLE([attestation],
+    [AS_HELP_STRING([--enable-attestation],[Enable attestation commands Quote/Certify/GetTime (default: enabled)])],
+    [ ENABLED_ATTESTATION=$enableval ],
+    [ ENABLED_ATTESTATION=yes ]
+    )
+if test "x$ENABLED_ATTESTATION" = "xno"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_NO_ATTESTATION"
+fi
+
 
 # HARDEN FLAGS
 AX_HARDEN_CC_COMPILER_FLAGS
@@ -492,6 +525,9 @@ AM_CONDITIONAL([BUILD_CHECKWAITSTATE], [test "x$ENABLED_CHECKWAITSTATE" = "xyes"
 AM_CONDITIONAL([BUILD_AUTODETECT], [test "x$ENABLED_AUTODETECT" = "xyes"])
 AM_CONDITIONAL([BUILD_FIRMWARE], [test "x$ENABLED_FIRMWARE" = "xyes"])
 AM_CONDITIONAL([BUILD_HAL], [test "x$ENABLED_EXAMPLE_HAL" = "xyes" || test "x$ENABLED_MMIO" = "xyes"])
+AM_CONDITIONAL([BUILD_NV], [test "x$ENABLED_NV" = "xyes"])
+AM_CONDITIONAL([BUILD_PCR_POLICY], [test "x$ENABLED_PCR_POLICY" = "xyes"])
+AM_CONDITIONAL([BUILD_ATTESTATION], [test "x$ENABLED_ATTESTATION" = "xyes"])
 
 
 CREATE_HEX_VERSION

examples/attestation/include.am

@@ -2,27 +2,30 @@
 # All paths should be given relative to the root
 
 if BUILD_EXAMPLES
-noinst_PROGRAMS += examples/attestation/make_credential \
-                   examples/attestation/activate_credential \
-                   examples/attestation/certify
-
 noinst_HEADERS  += examples/attestation/attestation.h
 
+noinst_PROGRAMS += examples/attestation/make_credential
 examples_attestation_make_credential_SOURCES      = examples/attestation/make_credential.c \
                                                     examples/tpm_test_keys.c
 examples_attestation_make_credential_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_attestation_make_credential_DEPENDENCIES = src/libwolftpm.la
 
+if BUILD_PCR_POLICY
+noinst_PROGRAMS += examples/attestation/activate_credential
 examples_attestation_activate_credential_SOURCES      = examples/attestation/activate_credential.c \
                                                         examples/tpm_test_keys.c
 examples_attestation_activate_credential_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_attestation_activate_credential_DEPENDENCIES = src/libwolftpm.la
 
+if BUILD_ATTESTATION
+noinst_PROGRAMS += examples/attestation/certify
 examples_attestation_certify_SOURCES      = examples/attestation/certify.c \
                                             examples/tpm_test_keys.c
 examples_attestation_certify_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_attestation_certify_DEPENDENCIES = src/libwolftpm.la
-endif
+endif BUILD_ATTESTATION
+endif BUILD_PCR_POLICY
+endif BUILD_EXAMPLES
 example_attestationdir = $(exampledir)/attestation
 dist_example_attestation_DATA = \
   examples/attestation/make_credential.c \

examples/boot/include.am

@@ -6,12 +6,15 @@ EXTRA_DIST += examples/boot/README.md
 if BUILD_EXAMPLES
 noinst_HEADERS  += examples/boot/boot.h
 
+if BUILD_NV
 noinst_PROGRAMS += examples/boot/secure_rot
 examples_boot_secure_rot_SOURCES      = examples/boot/secure_rot.c \
                                         examples/tpm_test_keys.c
 examples_boot_secure_rot_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_boot_secure_rot_DEPENDENCIES = src/libwolftpm.la
+endif BUILD_NV
 
+if BUILD_PCR_POLICY
 noinst_PROGRAMS += examples/boot/secret_seal
 examples_boot_secret_seal_SOURCES      = examples/boot/secret_seal.c \
                                          examples/tpm_test_keys.c
@@ -23,7 +26,8 @@ examples_boot_secret_unseal_SOURCES      = examples/boot/secret_unseal.c \
                                            examples/tpm_test_keys.c
 examples_boot_secret_unseal_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_boot_secret_unseal_DEPENDENCIES = src/libwolftpm.la
-endif
+endif BUILD_PCR_POLICY
+endif BUILD_EXAMPLES
 
 example_bootdir = $(exampledir)/boot
 dist_example_boot_DATA = examples/boot/secure_rot.c \

examples/endorsement/include.am

@@ -7,6 +7,7 @@ if BUILD_EXAMPLES
     examples/endorsement/trusted_certs.h \
     examples/endorsement/trusted_certs_der.h
 
+if BUILD_NV
   noinst_PROGRAMS += examples/endorsement/get_ek_certs
   examples_endorsement_get_ek_certs_SOURCES      = examples/endorsement/get_ek_certs.c
   examples_endorsement_get_ek_certs_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
@@ -16,7 +17,8 @@ if BUILD_EXAMPLES
   examples_endorsement_verify_ek_cert_SOURCES      = examples/endorsement/verify_ek_cert.c
   examples_endorsement_verify_ek_cert_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
   examples_endorsement_verify_ek_cert_DEPENDENCIES = src/libwolftpm.la
-endif
+endif BUILD_NV
+endif BUILD_EXAMPLES
 
 EXTRA_DIST+=examples/endorsement/README.md
 example_endorsementdir = $(exampledir)/endorsement

examples/keygen/create_primary.c

@@ -274,15 +274,16 @@ int TPM2_CreatePrimaryKey_Example(void* userCtx, int argc, char *argv[])
 #endif
 
     if (persistHandle > 0) {
-    #ifndef WOLFTPM_WINAPI
+    #if !defined(WOLFTPM_WINAPI) && !defined(WOLFTPM_NO_NV)
         /* Move storage key into persistent NV */
         printf("Storing Primary key to handle 0x%08x\n", persistHandle);
         rc = wolfTPM2_NVStoreKey(&dev, hierarchy, primary,
             persistHandle);
         if (rc != TPM_RC_SUCCESS) goto exit;
     #else
-        printf("Windows TBS does not allow persisting handles to "
-               "Non-Volatile (NV) Memory\n");
+        printf("Persisting handles to Non-Volatile (NV) Memory not "
+               "available\n");
+        (void)rc;
     #endif
     }
 

examples/keygen/keygen.c

@@ -287,6 +287,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         if (rc != 0) goto exit;
     }
 
+#ifndef WOLFTPM_NO_PCR_POLICY
     if (endorseKey) {
         /* Endorsement Key requires authorization with Policy */
         rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
@@ -298,6 +299,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
         if (rc != 0) goto exit;
     }
+#endif /* !WOLFTPM_NO_PCR_POLICY */
 
     /* Create new key */
     if (bAIK) {
@@ -387,6 +389,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         printf("wolfTPM2_CreateKey failed\n");
         goto exit;
     }
+#ifndef WOLFTPM_NO_PCR_POLICY
     if (endorseKey) {
         /* Endorsement policy session is closed after use, so start another */
         rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
@@ -395,6 +398,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         }
         if (rc != 0) goto exit;
     }
+#endif /* !WOLFTPM_NO_PCR_POLICY */
     rc = wolfTPM2_LoadKey(&dev, &newKeyBlob, &primary->handle);
     if (rc != TPM_RC_SUCCESS) {
         printf("wolfTPM2_LoadKey failed\n");

examples/keygen/keyload.c

@@ -65,13 +65,15 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
     WOLFTPM2_KEY storage; /* SRK */
     WOLFTPM2_KEY *primary = NULL;
     WOLFTPM2_KEYBLOB newKey;
+#ifndef WOLFTPM_NO_NV
     WOLFTPM2_KEY persistKey;
+    int persistent = 0;
+#endif
     TPM_ALG_ID alg;
     TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
     TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
     WOLFTPM2_SESSION tpmSession;
     const char* inputFile = "keyblob.bin";
-    int persistent = 0;
     int endorseKey = 0;
 
 
@@ -97,9 +99,11 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
         else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
             paramEncAlg = TPM_ALG_XOR;
         }
+    #ifndef WOLFTPM_NO_NV
         else if (XSTRCMP(argv[argc-1], "-persistent") == 0) {
             persistent = 1;
         }
+    #endif
         else {
             printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
         }
@@ -109,7 +113,9 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
     XMEMSET(&endorse, 0, sizeof(endorse));
     XMEMSET(&storage, 0, sizeof(storage));
     XMEMSET(&newKey, 0, sizeof(newKey));
+#ifndef WOLFTPM_NO_NV
     XMEMSET(&persistKey, 0, sizeof(persistKey));
+#endif
     XMEMSET(&tpmSession, 0, sizeof(tpmSession));
 
     printf("TPM2.0 Key load example\n");
@@ -151,6 +157,7 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
         primary = &storage;
     }
 
+#ifndef WOLFTPM_NO_PCR_POLICY
     if (endorseKey) {
         /* Fresh policy session for EK auth */
         rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
@@ -159,7 +166,9 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
         rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
         if (rc != 0) goto exit;
     }
-    else if (paramEncAlg != TPM_ALG_NULL) {
+    else
+#endif
+    if (paramEncAlg != TPM_ALG_NULL) {
         WOLFTPM2_KEY* bindKey = &storage;
     #ifndef HAVE_ECC
         if (srkAlg == TPM_ALG_ECC)
@@ -198,6 +207,7 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
     printf("Loaded key to 0x%x\n",
         (word32)newKey.handle.hndl);
 
+#ifndef WOLFTPM_NO_NV
     /* Make the TPM key persistent, so it remains loaded after example exit */
     if (persistent) {
         /* Prepare key in the format expected by the wolfTPM wrapper */
@@ -213,6 +223,7 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
         }
         printf("Key was made persistent at 0x%X\n", persistKey.handle.hndl);
     }
+#endif
 
 exit:
 
@@ -222,8 +233,11 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
 
     /* Close key handles */
     wolfTPM2_UnloadHandle(&dev, &primary->handle);
+#ifndef WOLFTPM_NO_NV
     /* newKey.handle is already flushed by wolfTPM2_NVStoreKey */
-    if (!persistent) {
+    if (!persistent)
+#endif
+    {
         wolfTPM2_UnloadHandle(&dev, &newKey.handle);
     }
     /* EK policy is destroyed after use, flush parameter encryption session */