Module: Tem::Admin::Migrate

Included in:

Session

Defined in:

lib/tem/admin/migrate.rb

Overview

Logic for migrating SECpacks.

Class Method Summary

• .blank_ecert_verify_seclosure ⇒ Object

  Blank version of the SEClosure that verifies the destination TEM’s ECert.

• .blank_migrate_seclosure ⇒ Object

  Blank version of the SEClosure that verifies the destination TEM’s ECert.

• .blank_skey_load_seclosure ⇒ Object

  Blank version of the SEClosure that loads a symmetric key for execution.

• .ecert_verify_bytes_tag_key ⇒ Object

  The key storing the encrypted bytes of the ecert_verify SECpack in the TEM’s tag.

• .ecert_verify_seclosure(key_ps_addr, authz) ⇒ Object

  SEClosure that verifies the destination TEM’s ECert.

• .migrate_bytes_tag_key ⇒ Object

  The key storing the encrypted bytes of the migrate SECpack in the TEM’s tag.

• .migrate_seclosure(key_ps_addr, authz) ⇒ Object

  SEClosure that migrates a SECpack.

• .seclosures_from_tag_data(tem) ⇒ Object

  Recovers the migration-related SECpacks from the TEM’s tag data.

• .skey_load_seclosure(key_bytes) ⇒ Object

  SEClosure that loads a symmetric key exclusively for SECpack execution.

• .skey_load_tag_key ⇒ Object

  The key storing the encrypted bytes of the ecert_verify SECpack in the TEM’s tag.

• .tag_data(pubek, privek_authz) ⇒ Object

  Data to be included in a TEM’s tag to support migration.

Instance Method Summary

• #migrate(secpack, ecert) ⇒ Object

  Migrates a SECpack to another TEM.

Class Method Details

.blank_ecert_verify_seclosure ⇒ Object

Blank version of the SEClosure that verifies the destination TEM’s ECert.

The returned SEClosure is not suitable for execution. Its encrypted bytes should be replaced with the bytes from a SECpack generated with live data.

# File 'lib/tem/admin/migrate.rb', line 101

def self.blank_ecert_verify_seclosure
  ecert_verify_seclosure [0] * Tem::Abi.tem_ps_addr_length,
                         [0] * Tem::Abi.tem_hash_length
end

.blank_migrate_seclosure ⇒ Object

Blank version of the SEClosure that verifies the destination TEM’s ECert.

The returned SEClosure is not suitable for execution. Its encrypted bytes should be replaced with the bytes from a SECpack generated with live data.

# File 'lib/tem/admin/migrate.rb', line 178

def self.blank_migrate_seclosure
  migrate_seclosure [0] * Tem::Abi.tem_ps_addr_length,
                    [0] * Tem::Abi.tem_hash_length
end

.blank_skey_load_seclosure ⇒ Object

Blank version of the SEClosure that loads a symmetric key for execution.

The returned SEClosure is not suitable for execution. Its encrypted bytes should be replaced with the bytes from a SECpack generated with live data.

# File 'lib/tem/admin/migrate.rb', line 46

def self.blank_skey_load_seclosure
  skey_load_seclosure [0] * (Tem::Abi.tem_3des_key_string_length + 1)
end

.ecert_verify_bytes_tag_key ⇒ Object

The key storing the encrypted bytes of the ecert_verify SECpack in the TEM’s tag.

# File 'lib/tem/admin/migrate.rb', line 191

def self.ecert_verify_bytes_tag_key
  0x12
end

.ecert_verify_seclosure(key_ps_addr, authz) ⇒ Object

SEClosure that verifies the destination TEM’s ECert.

Args:

key_ps_addr:: the PStore address used to store the TEM key's ID
authz:: the authentication secret for the TEM's PrivEK

# File 'lib/tem/admin/migrate.rb', line 56

def self.ecert_verify_seclosure(key_ps_addr, authz)
  Tem::Assembler.assemble { |s|
    # TODO: some actual verification, jump to :failure if it doesn't work
    
    s.ldwc :const => :pubek        
    s.rdk
    s.authk :auth => :authz
    s.stw :to => :key_id
    s.pswrfxb :addr => :pstore_addr, :from => :key_id
    s.label :success
    s.ldbc :const => 1
    s.dupn :n => 1
    s.outnew
    s.outb
    s.halt
    
    s.label :failure
    s.ldbc :const => 1
    s.outnew
    s.ldbc :const => 0
    s.outb
    s.halt
    
    s.label :key_id
    s.zeros :tem_ps_value  # Will hold the ID of the loaded PubEK.
    
    s.label :secret
    s.label :authz  # The authentication key for the PrivEK.
    s.data :tem_ubyte, authz
    s.label :pstore_addr
    s.data :tem_ps_addr, key_ps_addr
    s.label :plain
    # ARG: the target TEM's public endorsement key.
    s.label :pubek
    s.zeros :tem_ubyte, 300
    # ARG: the target TEM's endorsement certificate.
    s.label :ecert
    s.stack 10
  }
end

.migrate_bytes_tag_key ⇒ Object

The key storing the encrypted bytes of the migrate SECpack in the TEM’s tag.

# File 'lib/tem/admin/migrate.rb', line 196

def self.migrate_bytes_tag_key
  0x13
end

.migrate_seclosure(key_ps_addr, authz) ⇒ Object

SEClosure that migrates a SECpack.

Args:

key_ps_addr:: the PStore address used to store the TEM key's ID
authz:: the authentication secret for the TEM's PrivEK

# File 'lib/tem/admin/migrate.rb', line 111

def self.migrate_seclosure(key_ps_addr, authz)
  Tem::Assembler.assemble { |s|
    s.ldbc :const => 0        # Authorize PrivEK.
    s.authk :auth => :authz
    s.dupn :n => 1             # Compute the size of the encrypted blob.
    s.ldw :from => :secpack_secret_size
    s.ldkel
    
    # Decrypt secpack.
    s.ldwc :const => :secpack_encrypted
    s.ldwc :const => :secpack_encrypted
    s.kdvb
    s.ldw :from => :secpack_secret_size  # Fail for wrong blob size.
    s.sub
    s.jnz :failure

    # Authorize target PubEK.
    s.psrdfxb :addr => :pstore_addr, :to => :key_id
    s.ldw :from => :key_id
    s.authk :auth => :authz
    
    s.dupn :n => 1  # Prepare output buffer.
    s.ldw :from => :secpack_secret_size
    s.ldkel
    s.outnew

    s.ldw :from => :secpack_secret_size  # Re-encrypt the blob.
    s.ldwc :const => :secpack_encrypted
    s.ldwc :const => -1
    s.kevb
    
    s.ldw :from => :key_id   # Clean up.
    s.relk
    s.ldbc :const => -1
    s.stw :to => :key_id
    s.pswrfxb :addr => :pstore_addr, :from => :key_id
    s.halt
    
    s.label :failure  # Communicate some failure.
    s.ldbc :const => 0
    s.outnew
    s.halt

    s.label :key_id
    s.zeros :tem_ps_value  # Will hold the ID of the loaded PubEK.
    
    s.label :secret
    s.label :authz  # The authentication key for the PrivEK.
    s.data :tem_ubyte, authz
    s.label :pstore_addr
    s.data :tem_ps_addr, key_ps_addr
    s.label :plain
    s.stack 20
    # ARG: the 'encrypted size' field in the SECpack header. 
    s.label :secpack_secret_size 
    s.zeros :tem_short, 1
    # ARG: the encrypted blob in the SECpack.
    s.label :secpack_encrypted
    s.zeros :tem_ubyte, 1
    s.label :secpack_encrypted_end
  }
end

.seclosures_from_tag_data(tem) ⇒ Object

Recovers the migration-related SECpacks from the TEM’s tag data.

# File 'lib/tem/admin/migrate.rb', line 225

def self.seclosures_from_tag_data(tem)
  tag_data = tem.tag
  
  skey_load = blank_skey_load_seclosure
  skey_load.fake_bind
  skey_load.encrypted_data = tag_data[skey_load_tag_key]
  
  ecert_verify = blank_ecert_verify_seclosure
  ecert_verify.fake_bind
  ecert_verify.encrypted_data = tag_data[ecert_verify_bytes_tag_key]
  
  migrate = blank_migrate_seclosure
  migrate.fake_bind
  migrate.encrypted_data = tag_data[migrate_bytes_tag_key]
  
  { :skey_load => skey_load, :ecert_verify => ecert_verify,
    :migrate => migrate }
end

.skey_load_seclosure(key_bytes) ⇒ Object

SEClosure that loads a symmetric key exclusively for SECpack execution.

Args:

key_bytes:: the key to be loaded in the TEM, serialized in TEM format

# File 'lib/tem/admin/migrate.rb', line 19

def self.skey_load_seclosure(key_bytes)
  Tem::Assembler.assemble { |s|      
    s.ldwc :const => :key
    s.rdk
    s.ldwc :const => Tem::Abi.tem_hash_length
    s.ldwc :const => :authz
    s.rnd
    s.authk :auth => :authz
    s.ldbc :const => 1
    s.outnew
    s.outb
    s.halt
    
    s.label :secret
    s.label :key
    s.data :tem_ubyte, key_bytes
    s.label :plain
    s.label :authz
    s.zeros :tem_hash, 1
    s.stack 8
  }
end

.skey_load_tag_key ⇒ Object

The key storing the encrypted bytes of the ecert_verify SECpack in the TEM’s tag.

# File 'lib/tem/admin/migrate.rb', line 185

def self.skey_load_tag_key
  0x11
end

.tag_data(pubek, privek_authz) ⇒ Object

Data to be included in a TEM’s tag to support migration.

Returns a hash of tag key-values to be included in the TEM’s tag during emission.

# File 'lib/tem/admin/migrate.rb', line 204

def self.tag_data(pubek, privek_authz)
  skey = Tem::Keys::Symmetric.generate
  ld_sec = skey_load_seclosure skey.to_tem_key
  ld_sec.bind pubek
  
  ps_addr = OpenSSL::Random.random_bytes(Tem::Abi.tem_ps_addr_length).
      unpack('C*')
  ev_sec = ecert_verify_seclosure ps_addr, privek_authz
  ev_sec.bind skey
  
  m_sec = migrate_seclosure ps_addr, privek_authz
  m_sec.bind skey
  
  {
    skey_load_tag_key => ld_sec.encrypted_data,
    ecert_verify_bytes_tag_key => ev_sec.encrypted_data,
    migrate_bytes_tag_key => m_sec.encrypted_data
  }
end

Instance Method Details

#migrate(secpack, ecert) ⇒ Object

Migrates a SECpack to another TEM.

Args:

secpack:: the SECpack to be migrated
ecert:: the Endorsement Certificate of the destination TEM

Returns the migrated SECpack, or nil if the Endorsement Certificate was rejected.

# File 'lib/tem/admin/migrate.rb', line 252

def migrate(secpack, ecert)
  migrated = secpack.copy
  secpacks = Tem::Admin::Migrate.seclosures_from_tag_data self

  skey_ld = secpacks[:skey_load]
  skey_id = Tem::Abi.read_tem_ubyte execute(skey_ld), 0
  
  verify = secpacks[:ecert_verify]
  verify.set_bytes :pubek,
                   Tem::Key.new_from_ssl_key(ecert.public_key).to_tem_key
  return nil if execute(verify, skey_id) != [1]
  
  migrate = secpacks[:migrate]
  migrate.set_value :secpack_secret_size, :tem_short, secpack.secret_bytes +
                    Tem::Abi.tem_hash_length
  migrate.set_bytes :secpack_encrypted, migrated.encrypted_data
  return nil unless new_encrypted_data = execute(migrate, skey_id)
  migrated.encrypted_data = new_encrypted_data
  
  release_key skey_id    
  migrated
end