store: implemented tss2 scheme for loading FAPI keys

Fixes: #27

.github/workflows/clang-asan-check.yml

@@ -16,7 +16,7 @@ jobs:
     - uses: actions/checkout@v2
 
     - name: Install dependencies
-      run: sudo apt-get install curl autoconf-archive libtss2-dev libtss2-tcti-tabrmd0 tpm2-abrmd tpm2-tools
+      run: sudo apt-get install -y autoconf-archive libcurl4-openssl-dev libjson-c-dev libtss2-dev libtss2-tcti-tabrmd0 tpm2-abrmd tpm2-tools
 
     - name: Build TPM2 simulator
       run: |

.github/workflows/codeql.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Install Packages
         run: |
           sudo apt-get update
-          sudo apt-get install --yes autoconf-archive libtss2-dev
+          sudo apt-get install -y autoconf-archive libcurl4-openssl-dev libjson-c-dev libtss2-dev
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2

.github/workflows/coverity-scan.yml

@@ -13,7 +13,7 @@ jobs:
     - uses: actions/checkout@v2
 
     - name: Install dependencies
-      run: sudo apt-get install autoconf-archive libtss2-dev
+      run: sudo apt-get install -y autoconf-archive libcurl4-openssl-dev libjson-c-dev libtss2-dev
 
     - name: Download Coverity Build Tool
       run: |

.github/workflows/gcc-distcheck.yml

@@ -9,7 +9,7 @@ jobs:
     - uses: actions/checkout@v2
 
     - name: Install dependencies
-      run: sudo apt-get install curl autoconf-archive lcov libtss2-dev libtss2-tcti-tabrmd0 tpm2-abrmd tpm2-tools
+      run: sudo apt-get install -y autoconf-archive lcov libcurl4-openssl-dev libjson-c-dev libtss2-dev libtss2-tcti-tabrmd0 tpm2-abrmd tpm2-tools
 
     - name: Build TPM2 simulator
       run: |

Makefile.am

@@ -47,6 +47,10 @@ endif
 
 tpm2_la_CFLAGS = $(TSS2_ESYS_CFLAGS) $(TSS2_TCTILDR_CFLAGS) $(COMMON_CFLAGS) $(CODE_COVERAGE_CFLAGS)
 tpm2_la_LIBADD = $(TSS2_ESYS_LIBS) $(TSS2_TCTILDR_LIBS) $(LIBS) $(CODE_COVERAGE_LIBS)
+if TSS2_FAPI
+tpm2_la_SOURCES += src/tpm2-provider-store-tss2.c
+tpm2_la_LIBADD += $(TSS2_FAPI_LIBS)
+endif
 if TSS2_RC
 tpm2_la_LIBADD += $(TSS2_RC_LIBS)
 endif
@@ -115,6 +119,9 @@ TESTS_SHELL += test/cipher_aes128_ecb.sh \
                test/cipher_aes256_nopad.sh \
                test/cipher_camellia128.sh
 endif
+if TSS2_FAPI
+TESTS_SHELL += test/rsa_fapi_sign.sh
+endif
 
 TEST_EXTENSIONS = .sh
 SH_LOG_COMPILER = $(srcdir)/test/run

README.md

@@ -146,9 +146,9 @@ and
 [OSSL_DECODER](https://www.openssl.org/docs/manmaster/man3/OSSL_DECODER.html) API
 to load (TPM2_Load) a private key from a previously generated file, as well as
 persistent keys generated with the
-[tpm2-tools](https://github.com/tpm2-software/tpm2-tools). Both the hexadecimal
-key `handle` as well as the serialized `object` file may be used. These URI
-prefixes may be used with any openssl command.
+[tpm2-tools](https://github.com/tpm2-software/tpm2-tools). The hexadecimal key
+`handle`, the serialized `object` file as well as the `tss2` metadata path may
+be used. These URI prefixes may be used with any openssl command.
 
 The corresponding public key can be stored using the
 [`openssl pkey`](https://www.openssl.org/docs/manmaster/man1/openssl-pkey.html)

configure.ac

@@ -42,6 +42,10 @@ AC_ARG_ENABLE([asan],
     AS_HELP_STRING([--enable-asan], [Enable asan build, useful for testing]))
 AM_CONDITIONAL(WITH_ASAN, test "x$enable_asan" = "xyes")
 
+AC_ARG_ENABLE([tss2-fapi],
+    AS_HELP_STRING([--disable-tss2-fapi], [Disable support for the FAPI key paths]))
+AM_CONDITIONAL(TSS2_FAPI, test "x$enable_tss2_fapi" != "xno")
+
 AC_ARG_ENABLE([tss2-rc],
     AS_HELP_STRING([--disable-tss2-rc], [Disable verbose TSS2 return code reporting]))
 AM_CONDITIONAL(TSS2_RC, test "x$enable_tss2_rc" != "xno")
@@ -58,6 +62,10 @@ AC_SUBST(MODULESDIR, "$with_modulesdir")
 
 PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 3.2.0])
 PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
+AS_IF([test "x$enable_tss2_fapi" != "xno"], [
+    PKG_CHECK_MODULES([TSS2_FAPI], [tss2-fapi >= 3.2.0])
+    AC_DEFINE(WITH_TSS2_FAPI)
+    ])
 AS_IF([test "x$enable_tss2_rc" != "xno"], [
     PKG_CHECK_MODULES([TSS2_RC], [tss2-rc >= 3.2.0])
     AC_DEFINE(WITH_TSS2_RC)

docs/CHANGELOG.md

@@ -5,7 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 
 ## [1.3.0] - 2023-xx-yy
 ### Added
-- Added support for RSA-OAEP decryption
+- Implemented loading keys from the FAPI metadata store using the `tss2:` prefix,
+  followed by the key path, e.g. `tss2:HS/SRK/testkey`.
+- Added support for RSA-OAEP decryption.
 
 ## [1.2.0] - 2023-10-14
 ### Added

docs/INSTALL.md

@@ -10,8 +10,8 @@ are required:
  * [GNU Autoconf Archive](https://www.gnu.org/software/autoconf-archive/),
    version >= 2017.03.21
  * C compiler and C library
- * [TPM2.0 TSS ESAPI library](https://github.com/tpm2-software/tpm2-tss)
-   (libtss2-esys) >= 3.2.0 with header files
+ * [TPM2.0 TSS libraries](https://github.com/tpm2-software/tpm2-tss)
+   (libtss2-esys, libtss2-fapi) >= 3.2.0 with header files
  * [OpenSSL](https://www.openssl.org/) >= 3.0.0 with header files
 
 Although the software can run with the in-kernel resource manager (`/dev/tpmrm`)

docs/keys.md

@@ -167,6 +167,7 @@ loaders:
  * **handle**, to load persistent keys, or data (public keys or certificates)
    from NV indices;
  * **object**, to load serialized object representing a persistent handle.
+ * **tss2**, to load persistent or transient objects from the FAPI metadata store.
 
 These are used by the
 [OSSL_STORE](https://www.openssl.org/docs/manmaster/man7/ossl_store.html)
@@ -246,3 +247,17 @@ To load a persistent key using the serialized object, specify the prefix
 ```
 openssl rsa -provider tpm2 -modulus -noout -in object:ak_rsa.obj
 ```
+
+### Using FAPI Metadata Store
+
+The `tss2_createkey` creates a key inside the TPM and stores it in the FAPI
+metadata store:
+```
+tss2_createkey --path=HS/SRK/testkey --type="noDa,sign"
+```
+
+To load a key from the FAPI metadata store, specify the prefix `tss2:` and then
+the object path:
+```
+openssl rsa -provider tpm2 -modulus -noout -in tss2:HS/SRK/testkey
+```