Merge "fix tpm certificate handling"

security/tpm2-openssl-engine/tpm2-openssl-engine/e_tpm2.c

@@ -312,6 +312,14 @@ static int tpm_engine_init(ENGINE * e)
     * N.B: This assumes that the kernel-modules-tpm
     * pkg is installed with the modified tpm_crb KLM
     */
+    if ((result = p_tpm2_Set_Property(hContext, 
+                    TPM_INTERFACE_TYPE, "dev"))) {
+        DBG("Failed to set Resource Manager in context (%p): rc %d",
+            hContext, (int)result);
+        TSSerr(TPM_F_TPM_ENGINE_INIT, TPM_R_UNIT_FAILURE);
+        goto err;
+    }
+
     if ((result = p_tpm2_Set_Property(hContext, 
                     TPM_DEVICE, "/dev/tpmrm0"))) {
         DBG("Failed to set Resource Manager in context (%p): rc %d",

security/wrs-ssl/files/tpmdevice-setup

@@ -7,6 +7,8 @@
 
 # TPM setup (both active controller and remote)
 
+export TPM_INTERFACE_TYPE=dev
+
 CERTIFICATE_FILE="server-cert.pem"
 LOGFILE="/etc/ssl/private/.install.log"
 ORIGINAL_KEY=$1
@@ -53,8 +55,7 @@ declare -a helper_scripts=("tss2_createprimary"
                            "tss2_contextsave"
                            "tss2_evictcontrol"
                            "tss2_flushcontext"
-                           "create_tpm2_key"
+                           "create_tpm2_key")
-                           "resourcemgr")
 for src in "${helper_scripts[@]}"; do
     if ! type "$src" &>/dev/null; then
         error_exit "ERROR: Cannot find $src. Needed for TPM configuration"
@@ -62,41 +63,6 @@ for src in "${helper_scripts[@]}"; do
 done
 }
 
-startResourceMgr () {
-resourcemgr &>> $LOGFILE 2>&1 &
-
-# ensure the resourcemgr is started
-for i in {1..5}
-do
-    sleep 0.5
-    MGR_RUNNING=`pidof resourcemgr`
-    if [ ! -z $MGR_RUNNING ]; then
-        break
-    fi
-done
-[ ! -z $MGR_RUNNING ] || error_exit "Unable to start TPM resourcemgr"
-
-# check to see if the resourcemgr port is open
-IS_OPEN=0
-for i in {1..5}
-do
-   sleep 0.5
-  _test=`netstat -an | grep $RESOURCEMGR_DEFAULT_PORT | grep -i listen`
-  if [ ! -z "$_test" ]; then
-      IS_OPEN=1
-      break
-  fi
-done
-[ $IS_OPEN -ne 0 ] || error_exit "Unable to initialize resourcemgr"
-}
-
-stopResourceMgr () {
-# Kill any previous instances of resourcemgr
-pkill -c -TERM resourcemgr &> /dev/null 2>&1
-}
-
-
-
 ### Main ###
 # remove previous object context
 rm -f $TPM_OBJECT_CONTEXT &> /dev/null
@@ -115,14 +81,10 @@ if [ "$TPM_VERSION" != "2.0" ]; then
     error_exit "ERROR: TPM Device is not version 2.0 compatible"
 fi
 
-# Start the Intel ResourceMgr to clear the NV 
+# Clear the NV 
 # as well as all stale transient handles in 
 # the endorsement hierarchy.
-# Since ResourceMgr has a number of stability,
+tss2_clear -hi l
-# and security issues, we will stop it after it
-# initializes the NV and Handle space 
-startResourceMgr
-stopResourceMgr
  
 # Create the Endorsement Primary Key hierarchy which will be used
 # for wrapping the private key. Use RSA as the primary key encryption
@@ -136,14 +98,14 @@ PRIMARY_HANDLE="0x$PRIMARY_HANDLE"
 # be persistently stored in TPM NV.
 # evict the persistent handle if it exists previously
 tss2_evictcontrol -hi o -ho $TPM_KEY_HIERARCHY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE
-tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE &>> $LOGFILE
+tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE >> $LOGFILE
 [ $? -eq 0 ] || error_exit "Unable to persist Key Hierarchy in TPM memory"
 
 tss2_flushcontext -ha $PRIMARY_HANDLE
 
 # wrap the original private key in TPM's Endorsement key hierarchy
 # this will generate a TSS key blob in ASN 1 encoding
-create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT &>> $LOGFILE
+create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT >> $LOGFILE
 [ $? -eq 0 ] || error_exit "Unable to wrap provided private key into TPM Key Hierarchy"
 
 # the apps will also need to the public key, place it in