├── Intel-SA-00086-Recovery-Tool ├── LICENSE ├── LICENSES └── iclsClient │ ├── License.txt │ ├── Readme.txt │ ├── Third Party Licenses.txt │ ├── development_tools.txt │ └── redist.txt ├── Packages └── iCLS │ ├── Intel(R) Trust Services.key │ ├── iclsClient-1.78.11.0-1.i386.rpm │ └── iclsClient-1.78.11.0-1.x86_64.rpm ├── README.md ├── SECURITY.md └── build.sh /Intel-SA-00086-Recovery-Tool: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #;****************************************************************************; 3 | # Intel-SA-00086-Recovery-Tool 4 | # 5 | # BSD LICENSE 6 | # 7 | # Copyright (C) 2003-2012, 2020 Intel Corporation. All rights reserved. 8 | # All rights reserved. 9 | # 10 | # Redistribution and use in source and binary forms, with or without 11 | # modification, are permitted provided that the following conditions 12 | # are met: 13 | # 14 | # * Redistributions of source code must retain the above copyright 15 | # notice, this list of conditions and the following disclaimer. 16 | # * Redistributions in binary form must reproduce the above copyright 17 | # notice, this list of conditions and the following disclaimer in 18 | # the documentation and/or other materials provided with the 19 | # distribution. 20 | # * Neither the name Intel Corporation nor the names of its 21 | # contributors may be used to endorse or promote products derived 22 | # from this software without specific prior written permission. 23 | # 24 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27 | # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28 | # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 30 | # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 34 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 | # 36 | #;****************************************************************************; 37 | 38 | # 39 | # Requires tpm2-tss and tpm2-abrmd packages installed. 40 | # Run tpm2-abrmd prior to running this tool 41 | # This tool uses enforces use of persistent handles only when EPS is changed 42 | # NV Index 1C00002 will be overwritten during recertification 43 | # 44 | 45 | # 46 | # Configuration Variables 47 | # 48 | cfg_rsa_EK_DER_certificate="rsa_EK.der" 49 | cfg_rsa_EK_PEM_certificate="rsa_EK.pem" 50 | cfg_ecc_EK_DER_certificate="ecc_EK.der" 51 | cfg_ecc_EK_PEM_certificate="ecc_EK.pem" 52 | cfg_PTT_RECOVERY_APP="/opt/Intel/iclsClient/lib/IntelPTTEKRecertification" 53 | 54 | if $(uname -m | grep -q i);then 55 | cfg_PTT_RECOVERY_APP="/opt/Intel/iclsClient/lib32/IntelPTTEKRecertification" 56 | fi 57 | 58 | # 59 | # Global Variables 60 | # 61 | rsa_ekcertificate_NV_index="0x1C00002" 62 | ecc_ekcertificate_NV_index="0x1C0000a" 63 | #Flags 64 | flag_is_ecc_cert_required=0 65 | flag_TPM_EPS=0 66 | flag_rsa_NV=0 67 | flag_ecc_NV=0 68 | flag_rsa_EK_certificate_on_filesystem=0 69 | flag_ecc_EK_certificate_on_filesystem=0 70 | # Temporary Files 71 | rsa_EK_current="rsa_EK.bin" 72 | ecc_EK_current="ecc_EK.bin" 73 | root_PEM="root.pem" 74 | raw_rsa_EK_certificate="rsa_EK.crt" 75 | raw_ecc_EK_certificate="ecc_EK.crt" 76 | rsa_EK_in_certificate="rsa_EK_in_cert.bin" 77 | ecc_EK_in_certificate="ecc_EK_in_cert.bin" 78 | rsa_ek_ctx="/tmp/rsa_ek.ctx" 79 | ecc_ek_ctx="/tmp/ecc_ek.ctx" 80 | temp_parent_name="temp_parent_name" 81 | temp_cert_chain="" 82 | rsa_EK_certificate_CRL="rsa_EK.crl.pem" 83 | rsa_EK_certificate_chain="rsa_ek_chain.pem" 84 | reordered_rsa_EK_certificate_chain="reordered_rsa_ek_chain.pem" 85 | crl_reordered_rsa_EK_certificate_chain="crl_reordered_rsa_ek_chain.pem" 86 | ecc_EK_certificate_CRL="ecc_EK.crl.pem" 87 | ecc_EK_certificate_chain="ecc_ek_chain.pem" 88 | reordered_ecc_EK_certificate_chain="reordered_ecc_ek_chain.pem" 89 | crl_reordered_ecc_EK_certificate_chain="crl_reordered_ecc_ek_chain.pem" 90 | rsa_ek_offset_in_pub="60" 91 | rsa_ek_offset_in_cert="33" 92 | rsa_ek_pub_length="256" 93 | ecc_ek_offset_in_pub="58" 94 | ecc_ek_offset_in_cert="27" 95 | ecc_ek_pub_length="32" 96 | 97 | cleanup () { 98 | #Delete all temporary files 99 | rm -f *.bin *.cer *.crt *.crl *.cert \ 100 | $rsa_EK_current \ 101 | $ecc_EK_current \ 102 | $root_PEM \ 103 | $raw_rsa_EK_certificate \ 104 | $raw_ecc_EK_certificate \ 105 | $rsa_EK_in_certificate \ 106 | $ecc_EK_in_certificate \ 107 | $rsa_ek_ctx \ 108 | $ecc_ek_ctx \ 109 | $temp_parent_name \ 110 | $temp_cert_chain \ 111 | $rsa_EK_certificate_CRL \ 112 | $rsa_EK_certificate_chain \ 113 | $reordered_rsa_EK_certificate_chain \ 114 | $crl_reordered_rsa_EK_certificate_chain \ 115 | $ecc_EK_certificate_CRL \ 116 | $ecc_EK_certificate_chain \ 117 | $reordered_ecc_EK_certificate_chain \ 118 | $crl_reordered_ecc_EK_certificate_chain \ 119 | $rsa_ek_offset_in_pub \ 120 | $rsa_ek_offset_in_cert \ 121 | $rsa_ek_pub_length \ 122 | $ecc_ek_offset_in_pub \ 123 | $ecc_ek_offset_in_cert \ 124 | $ecc_ek_pub_length 125 | } 126 | 127 | cleanup_and_exit_in_error() { 128 | 129 | cleanup 130 | echo "ERROR: EK certificates on filesystem inconsisten with current EK" 131 | echo "ERROR: Please move/ delete files: $cfg_rsa_EK_DER_certificate\ 132 | $cfg_ecc_EK_DER_certificatethe certificate files and try again" 133 | 134 | exit 1 135 | } 136 | 137 | is_ptt() { 138 | tpm2_getcap properties-fixed | grep TPM2_PT_MANUFACTURER -A 2 | grep INTC -q 139 | if [ $? != 0 ];then 140 | return 1 141 | fi 142 | return 0 143 | } 144 | 145 | is_EPS_TPM_generated() { 146 | tpm2_getcap properties-variable | grep tpmGeneratedEPS |\ 147 | awk '{print $2}' | grep 1 -q 148 | if [ $? != 0 ];then 149 | return 1 150 | fi 151 | flag_TPM_EPS=1 152 | return 0 153 | } 154 | 155 | is_nv_index_defined_and_written() { 156 | tpm2_nvreadpublic $1 2> /dev/null | grep attributes -A 1 |\ 157 | grep written -q 158 | if [ $? != 0 ];then 159 | return 1 160 | fi 161 | return 0 162 | } 163 | 164 | get_current_rsa_EK() { 165 | tpm2_createek -G rsa -c $rsa_ek_ctx -u $1 166 | if [ $? != 0 ];then 167 | return 1 168 | fi 169 | return 0 170 | } 171 | 172 | get_current_ecc_EK() { 173 | tpm2_createek -G ecc -c $ecc_ek_ctx -u $1 174 | if [ $? != 0 ];then 175 | return 1 176 | fi 177 | return 0 178 | } 179 | 180 | get_EK_Certificate_from_NV() { 181 | tpm2_nvread $1 -o $2 182 | if [ $? != 0 ];then 183 | return 1 184 | fi 185 | return 0 186 | } 187 | 188 | manufacturer_EK_certificate_to_standard_PEM_DER_format() { 189 | sed 's/-/+/g;s/_/\//g;s/%3D/=/g;s/^{.*certificate":"//g;s/"}$//g;' $1 | 190 | base64 --decode > $2 191 | openssl x509 -in $2 -out $3 -inform DER -outform PEM 2> /dev/null 192 | if [ $? != 0 ];then 193 | echo "ERROR: Failed processing raw EK certificate" 194 | return 1 195 | fi 196 | return 0 197 | } 198 | 199 | get_EK_certificate_based_on_manufacturer_generated_EPS() { 200 | #Check if cert is available 201 | tpm2_getekcertificate -X -x -u $2 \ 202 | https://ekop.intel.com/ekcertservice/ 2>/dev/null | \ 203 | grep "Certificate not found" -q 204 | if [ $? == 0 ];then 205 | echo "ERROR: Failed retrieving EK certificate" 206 | return 1 207 | fi 208 | #Download the cert 209 | tpm2_getekcertificate -X -x -u $2 -o $1 \ 210 | https://ekop.intel.com/ekcertservice/ 2>/dev/null 211 | if [ $? != 0 ];then 212 | echo "ERROR: Failed retrieving EK certificate" 213 | return 1 214 | fi 215 | #Process raw EK certificate data 216 | manufacturer_EK_certificate_to_standard_PEM_DER_format $1 $3 $4 217 | if [ $? != 0 ];then 218 | return 1 219 | fi 220 | 221 | return 0 222 | } 223 | 224 | get_offset_from_asn1_tag() { 225 | openssl asn1parse -in $1 -inform DER 2>/dev/null | grep "$2" -q 226 | if [ $? != 0 ];then 227 | return 1 228 | fi 229 | 230 | local __offset=$3 231 | local offset=$(openssl asn1parse -in $1 -inform DER 2>/dev/null| grep "$2" -A2 | 232 | grep STRING | grep -o '^[ ]\{1,\}[0-9]\{1,\}') 233 | if [ $? != 0 ];then 234 | echo "ERROR: Failed to retrieve offset for tag" 235 | return 1 236 | fi 237 | 238 | eval $__offset="'$offset'" 239 | 240 | return 0 241 | } 242 | 243 | #RSA/ ECC 244 | is_EK_from_cert_same_as_current_EK() { 245 | openssl x509 -pubkey -inform DER -in $1 -out /tmp/pub.pem 2>/dev/null 246 | if [ $? != 0 ];then 247 | echo "ERROR: Failed to read EK public" 248 | return 1 249 | fi 250 | openssl asn1parse -in /tmp/pub.pem -inform PEM -out $2 -noout 2>/dev/null 251 | if [ $? != 0 ];then 252 | echo "ERROR: Failed to read EK public" 253 | return 1 254 | fi 255 | #Check if EK from cert is same as current EK 256 | $(cmp -i $3:$4 -n $5 $6 $2 -s) 257 | if [ $? != 0 ];then 258 | return 1 259 | fi 260 | 261 | return 0 262 | } 263 | 264 | is_cert_root_certificate() { 265 | local rval=0 266 | 267 | get_offset_from_asn1_tag $1 "Authority Key Identifier" OFFSET 268 | if [ $? != 0 ];then 269 | echo "ERROR: Authority Key Identifier tag/ offset not found" 270 | return 1 271 | fi 272 | openssl asn1parse -in $1 -inform DER -out authority -noout \ 273 | -strparse $OFFSET 2> /dev/null 274 | if [ $? != 0 ];then 275 | echo "ERROR: Failed asn parsing" 276 | return 1 277 | fi 278 | 279 | get_offset_from_asn1_tag $1 "Subject Key Identifier" OFFSET 280 | if [ $? != 0 ];then 281 | echo "ERROR: Subject Key Identifier tag/ offset not found" 282 | return 1 283 | fi 284 | openssl asn1parse -in $1 -inform DER -strparse $OFFSET -out subject \ 285 | -noout 2>/dev/null 286 | if [ $? != 0 ];then 287 | echo "ERROR: Failed asn parsing" 288 | return 1 289 | fi 290 | 291 | cmp -i 4:2 authority subject -s 292 | rval=$? 293 | rm -f authority subject 294 | if [ $rval == 1 ];then 295 | echo "$1 is not a root certificate" 296 | return 1 297 | fi 298 | 299 | return 0 300 | } 301 | 302 | is_certificate_parent_downloaded() { 303 | get_offset_from_asn1_tag $1 "Authority Information Access" OFFSET 304 | if [ $? != 0 ];then 305 | echo "Authority Information Access tag/ offset not found" 306 | return 1 307 | fi 308 | 309 | local parent_cert 310 | parent_cert=$(openssl asn1parse -in $1 -inform DER -strparse $OFFSET \ 311 | -out /dev/stdout -noout 2>/dev/null | grep -o 'http.*') 312 | if [ $? != 0 ];then 313 | echo "ERROR: Failed asn parsing" 314 | return 1 315 | fi 316 | wget -N $parent_cert -q --no-cache 317 | if [ $? != 0 ];then 318 | echo "Failed to download $parent_cert" 319 | return 1 320 | fi 321 | 322 | local __certname=$2 323 | local certname=$(echo $parent_cert| grep -o "[a-zA-Z_0-9]*.cer$") 324 | eval $__certname="'$certname'" 325 | 326 | return 0 327 | } 328 | 329 | is_certificate_parent_exist() { 330 | #Look if cert has authority information access tag 331 | openssl asn1parse -in $1 -inform DER 2>/dev/null | \ 332 | grep -q "Authority Information Access" 333 | if [ $? != 0 ];then 334 | openssl x509 -in $1 -text 2>/dev/null| \ 335 | grep -q "Authority Information Access" 336 | if [ $? != 0 ];then 337 | #No parent certificate found 338 | return 1 339 | else 340 | openssl x509 -in $1 -inform PEM -out $1.cert -outform DER 2>/dev/null 341 | if [ $? != 0 ];then 342 | echo "ERROR: Failed PEM to DER conversion" 343 | return 1 344 | fi 345 | fi 346 | else 347 | cp $1 $1.cert 348 | fi 349 | 350 | is_certificate_parent_downloaded $1.cert testfile 351 | if [ $? != 0 ];then 352 | echo "Parent certificate could not be downloaded" 353 | return 1 354 | fi 355 | temp_parent_name=$testfile 356 | 357 | return 0 358 | } 359 | 360 | is_connectivity_ok() { 361 | wget http://upgrades.intel.com/content/CRL/ekcert/EKRootPublicKey.cer \ 362 | -q --timeout=5 --tries=3 --no-check-certificate --no-cache 363 | if [ $? != 0 ];then 364 | echo "ERROR: Cannot reach the hosting." 365 | echo \ 366 | "Please check your connectivity and proxy in \/etc/sudoers and system wide" 367 | cleanup_and_exit_in_error 368 | fi 369 | rm -f EKRootPublicKey.cer* 370 | return 0 371 | } 372 | 373 | convert_to_pem_and_add_to_chain() { 374 | openssl x509 -in $1 -inform DER -out $1.pem -outform PEM 2> /dev/null 375 | if [ $? != 0 ];then 376 | cp $1 $1.pem 377 | fi 378 | 379 | cat $1.pem >> $temp_cert_chain 380 | echo "" >> $temp_cert_chain 381 | 382 | rm -f $1.pem 383 | } 384 | 385 | build_EK_certificate_chain() { 386 | #EK Certificate 387 | temp_cert_chain="$2" 388 | convert_to_pem_and_add_to_chain $1 389 | #Non-root certificates in the chain 390 | local Child=$1 391 | local is_root=0 392 | while [[ $is_root == 0 ]];do 393 | is_certificate_parent_exist $Child 394 | if [ $? == 0 ];then 395 | convert_to_pem_and_add_to_chain $temp_parent_name 396 | Child=$temp_parent_name 397 | else 398 | is_cert_root_certificate $Child 399 | if [ $? != 0 ];then 400 | echo "ERROR: Root certificate not found" 401 | return 1 402 | else 403 | is_root=1 404 | fi 405 | fi 406 | done 407 | #Root Certificate 408 | openssl x509 -in $Child -inform DER -out $root_PEM -outform PEM 2>/dev/null 409 | if [ $? != 0 ];then 410 | cp $Child $root_PEM 411 | fi 412 | #Reorder non-root certificates 413 | sed '/./{H;d;};x;s/\n/={NL}=/g' $2 | 414 | sed -e 's/^={NL}=//' -e '1!G;h;$!d' | 415 | sed G | 416 | sed 's/={NL}=/\'$'\n/g' > $3 417 | #Certificate chain build successful 418 | return 0 419 | } 420 | 421 | update_platform_CRL_data_to_EK_certificate_chain () { 422 | local child_crl 423 | get_offset_from_asn1_tag $1 "CRL Distribution" OFFSET 424 | if [ $? != 0 ];then 425 | echo "CRL Distribution tag/ offset not found" 426 | return 1 427 | fi 428 | 429 | child_crl=$(openssl asn1parse -in $1 -inform DER -strparse $OFFSET \ 430 | -out /dev/stdout -noout 2>/dev/null| grep -o 'http.*') 431 | if [ $? != 0 ];then 432 | echo "ERROR: Fail asn parse" 433 | return 1 434 | fi 435 | wget -N $child_crl -q --no-cache 436 | local crl_name=$(echo $child_crl| grep -o "[a-zA-Z_0-9]*.crl$") 437 | 438 | grep BEGIN $crl_name -q 439 | if [ $? == 0 ];then 440 | cp $crl_name $2 441 | else 442 | openssl crl -in $crl_name -inform DER -out $2 \ 443 | -outform PEM 2>/dev/null 444 | if [ $? != 0 ];then 445 | echo "ERROR: Failed DER to PEM conversion" 446 | return 1 447 | fi 448 | fi 449 | 450 | cat $3 $2 > $4 451 | 452 | return 0 453 | } 454 | 455 | retrieve_ek_certificates_from_NV() { 456 | get_EK_Certificate_from_NV $1 $2 457 | if [ $? != 0 ];then 458 | echo "ERROR: EK Certificate could not be read from NV Index" 459 | cleanup_and_exit_in_error 460 | fi 461 | openssl x509 -in $2 -inform DER -out $3 -outform PEM > /dev/null 462 | if [ $? != 0 ];then 463 | echo "ERROR: EK certificate in NV not in DER format" 464 | cleanup_and_exit_in_error 465 | fi 466 | } 467 | 468 | retrieve_ek_certificates_from_iKGF() { 469 | get_EK_certificate_based_on_manufacturer_generated_EPS $1 $2 $3 $4 470 | if [ $? != 0 ];then 471 | echo "ERROR: EK Certificate could not be retrieved from manufacturer hosting" 472 | cleanup_and_exit_in_error 473 | fi 474 | } 475 | 476 | # 477 | # MAIN 478 | # 479 | : <<'PROTOCOL' 480 | SCENARIOS: (A) Platform with no EK certificate in FS/ NV/ Manufacturer-Backends 481 | (B) Platform with EK certificate revoked and tpmGeneratedEPS = 0 482 | (C) Platform with EK certificate revoked and tpmGeneratedEPS = 1 483 | 484 | # Evaluate Pre-Conditions 485 | # GET CERT: NV/ iKGF/ TSI 486 | # EK CERTIFICATE PKI VALIDATION 487 | PROTOCOL 488 | 489 | #===================================== 490 | # Evaluate Pre-Conditions 491 | #===================================== 492 | while getopts ':E' 'enableecc'; do 493 | case ${enableecc} in 494 | 'E') 495 | # Update the value of the option x flag we defined above 496 | flag_is_ecc_cert_required=1 497 | ;; 498 | '?') 499 | echo "INVALID OPTION -- ${OPTARG}" >&2 500 | exit 1 501 | ;; 502 | *) 503 | echo "UNIMPLEMENTED OPTION -- ${OPTKEY}" >&2 504 | exit 1 505 | ;; 506 | esac 507 | done 508 | shift $(( OPTIND - 1 )) 509 | [[ "${1}" == "--" ]] && shift 510 | 511 | is_ptt 512 | if [ $? != 0 ];then 513 | echo "ERROR: Active TPM manufacturer is not INTC. Exiting Intel\ 514 | EK Certification App." 515 | cleanup_and_exit_in_error 516 | fi 517 | 518 | is_EPS_TPM_generated 519 | 520 | is_nv_index_defined_and_written $rsa_ekcertificate_NV_index 521 | if [ $? == 0 ];then 522 | flag_rsa_NV=1 523 | fi 524 | 525 | if [ -f $cfg_rsa_EK_DER_certificate ]; then 526 | flag_rsa_EK_certificate_on_filesystem=1 527 | echo "Proceeding checks with RSA EK Certificate present on filesystem" 528 | fi 529 | 530 | get_current_rsa_EK $rsa_EK_current 531 | if [ $? != 0 ];then 532 | echo "ERROR: EKpublic of type RSA could not be read" 533 | cleanup_and_exit_in_error 534 | fi 535 | 536 | if [ $flag_is_ecc_cert_required == 1 ];then 537 | is_nv_index_defined_and_written $ecc_ekcertificate_NV_index 538 | if [ $? == 0 ];then 539 | flag_ecc_NV=1 540 | fi 541 | 542 | if [ -f $cfg_ecc_EK_DER_certificate ];then 543 | flag_ecc_EK_certificate_on_filesystem=1 544 | echo "Proceeding checks with ECC EK Certificate present on filesystem" 545 | fi 546 | 547 | get_current_ecc_EK $ecc_EK_current 548 | if [ $? != 0 ];then 549 | echo "ERROR: EKpublic of type ECC could not be read" 550 | cleanup_and_exit_in_error 551 | fi 552 | fi 553 | 554 | #===================================== 555 | # GET CERT: NV/ iKGF/ TSI 556 | #===================================== 557 | #NV 558 | 559 | if [[ $flag_rsa_EK_certificate_on_filesystem == 0 && 560 | $flag_rsa_NV == 1 ]];then 561 | echo "Reading RSA EK Certificate from NV Index" 562 | retrieve_ek_certificates_from_NV \ 563 | $rsa_ekcertificate_NV_index \ 564 | $cfg_rsa_EK_DER_certificate \ 565 | $cfg_rsa_EK_PEM_certificate 566 | fi 567 | if [[ $flag_ecc_EK_certificate_on_filesystem == 0 && 568 | $flag_is_ecc_cert_required == 1 && 569 | $flag_ecc_NV == 1 ]];then 570 | echo "Reading ECC EK Certificate from NV Index" 571 | retrieve_ek_certificates_from_NV \ 572 | $ecc_ekcertificate_NV_index \ 573 | $cfg_ecc_EK_DER_certificate \ 574 | $cfg_ecc_EK_PEM_certificate 575 | fi 576 | 577 | # Test connectivity for iKGF/ TSI and certificate-validation 578 | is_connectivity_ok 579 | 580 | #iKGF 581 | if [[ $flag_rsa_EK_certificate_on_filesystem == 0 && 582 | $flag_TPM_EPS == 0 ]];then 583 | echo "Retrieving RSA EK Certificate from iKGF backend" 584 | retrieve_ek_certificates_from_iKGF \ 585 | $raw_rsa_EK_certificate \ 586 | $rsa_EK_current \ 587 | $cfg_rsa_EK_DER_certificate \ 588 | $cfg_rsa_EK_PEM_certificate 589 | fi 590 | if [[ $flag_ecc_EK_certificate_on_filesystem == 0 && 591 | $flag_is_ecc_cert_required == 1 && 592 | $flag_TPM_EPS == 0 ]];then 593 | echo "Retrieving ECC EK Certificate from iKGF backend" 594 | retrieve_ek_certificates_from_iKGF \ 595 | $raw_ecc_EK_certificate \ 596 | $ecc_EK_current \ 597 | $cfg_ecc_EK_DER_certificate \ 598 | $cfg_ecc_EK_PEM_certificate 599 | fi 600 | 601 | 602 | #iCLS 603 | if [[ $flag_rsa_EK_certificate_on_filesystem == 0 || 604 | $flag_ecc_EK_certificate_on_filesystem == 0 ]];then 605 | 606 | if [[ $flag_rsa_NV == 0 && $flag_TPM_EPS == 1 ]];then 607 | if [ "$EUID" -ne 0 ];then 608 | echo "ERROR: Root permissions missing to run the recertification operation" 609 | cleanup_and_exit_in_error 610 | fi 611 | 612 | echo "Retrieving RSA/ ECC EK Certificate from iCLS backend" 613 | $cfg_PTT_RECOVERY_APP 614 | if [ $? != 0 ];then 615 | echo "ERROR: Recovery process failed. Check logs for details OR contact OEM" 616 | cleanup_and_exit_in_error 617 | fi 618 | echo "Recovery successful. Attempting to read new EK certificate from NV" 619 | 620 | is_nv_index_defined_and_written $rsa_ekcertificate_NV_index 621 | if [ $? == 0 ];then 622 | flag_rsa_NV=1 623 | else 624 | echo "ERROR: RSA EK NV index definition failure post recovery" 625 | cleanup_and_exit_in_error 626 | fi 627 | 628 | get_current_rsa_EK $rsa_EK_current 629 | if [ $? != 0 ];then 630 | echo "ERROR: EKpublic of type RSA could not be read" 631 | cleanup_and_exit_in_error 632 | fi 633 | 634 | if [ $flag_is_ecc_cert_required == 1 ];then 635 | is_nv_index_defined_and_written $ecc_ekcertificate_NV_index 636 | if [ $? == 0 ];then 637 | flag_ecc_NV=1 638 | else 639 | echo "ERROR: ECC EK NV index definition failure post recovery" 640 | cleanup_and_exit_in_error 641 | fi 642 | 643 | get_current_ecc_EK $ecc_EK_current 644 | if [ $? != 0 ];then 645 | echo "ERROR: EKpublic of type ECC could not be read" 646 | cleanup_and_exit_in_error 647 | fi 648 | fi 649 | 650 | if [ $flag_rsa_NV == 1 ];then 651 | echo "Reading RSA EK Certificate from NV Index" 652 | retrieve_ek_certificates_from_NV \ 653 | $rsa_ekcertificate_NV_index \ 654 | $cfg_rsa_EK_DER_certificate \ 655 | $cfg_rsa_EK_PEM_certificate 656 | fi 657 | if [[ $flag_is_ecc_cert_required == 1 && $flag_ecc_NV == 1 ]];then 658 | echo "Reading ECC EK Certificate from NV Index" 659 | retrieve_ek_certificates_from_NV \ 660 | $ecc_ekcertificate_NV_index \ 661 | $cfg_ecc_EK_DER_certificate \ 662 | $cfg_ecc_EK_PEM_certificate 663 | fi 664 | fi 665 | 666 | fi 667 | 668 | #===================================== 669 | # EK CERTIFICATE PKI VALIDATION 670 | #===================================== 671 | 672 | #check EK public in certificate 673 | is_EK_from_cert_same_as_current_EK \ 674 | $cfg_rsa_EK_DER_certificate \ 675 | $rsa_EK_in_certificate \ 676 | $rsa_ek_offset_in_pub \ 677 | $rsa_ek_offset_in_cert \ 678 | $rsa_ek_pub_length \ 679 | $rsa_EK_current 680 | if [ $? != 0 ];then 681 | echo "ERROR: RSA EKpublic from the EK certificate does not match the one from PTT" 682 | cleanup_and_exit_in_error 683 | fi 684 | if [ $flag_is_ecc_cert_required == 1 ];then 685 | is_EK_from_cert_same_as_current_EK \ 686 | $cfg_ecc_EK_DER_certificate \ 687 | $ecc_EK_in_certificate \ 688 | $ecc_ek_offset_in_pub \ 689 | $ecc_ek_offset_in_cert \ 690 | $ecc_ek_pub_length \ 691 | $ecc_EK_current 692 | if [ $? != 0 ];then 693 | echo "ERROR: ECC EKpublic from the EK certificate does not match the one from PTT" 694 | cleanup_and_exit_in_error 695 | fi 696 | fi 697 | 698 | #build certificate chain and download platform CRL 699 | echo "Downloading intermediate and root CA certificates" 700 | build_EK_certificate_chain \ 701 | $cfg_rsa_EK_DER_certificate \ 702 | $rsa_EK_certificate_chain \ 703 | $reordered_rsa_EK_certificate_chain 704 | if [ $? != 0 ];then 705 | echo "ERROR: PKI validation cannot continue, error building certificate chain" 706 | cleanup_and_exit_in_error 707 | fi 708 | if [ $flag_is_ecc_cert_required == 1 ];then 709 | build_EK_certificate_chain \ 710 | $cfg_ecc_EK_DER_certificate \ 711 | $ecc_EK_certificate_chain \ 712 | $reordered_ecc_EK_certificate_chain 713 | if [ $? != 0 ];then 714 | echo "ERROR: PKI validation cannot continue, error building certificate chain" 715 | cleanup_and_exit_in_error 716 | fi 717 | fi 718 | 719 | #check if platform certificate chain is valid 720 | echo "Validating EK certificate chain" 721 | openssl verify -CAfile $root_PEM \ 722 | $reordered_rsa_EK_certificate_chain > /dev/null 723 | if [ $? != 0 ];then 724 | echo "ERROR: Failed PKI validation for RSA EK certificate" 725 | cleanup_and_exit_in_error 726 | fi 727 | if [ $flag_is_ecc_cert_required == 1 ];then 728 | openssl verify -CAfile $root_PEM \ 729 | $reordered_ecc_EK_certificate_chain > /dev/null 730 | if [ $? != 0 ];then 731 | echo "ERROR: Failed PKI validation for ECC EK certificate" 732 | cleanup_and_exit_in_error 733 | fi 734 | fi 735 | 736 | #check if platform certificate is revoked in CRL 737 | echo "Downloading certificate revocation list information" 738 | update_platform_CRL_data_to_EK_certificate_chain \ 739 | $cfg_rsa_EK_DER_certificate \ 740 | $rsa_EK_certificate_CRL \ 741 | $reordered_rsa_EK_certificate_chain \ 742 | $crl_reordered_rsa_EK_certificate_chain 743 | if [ $? != 0 ];then 744 | echo "CAUTION: CRL for the RSA EK certificate not found" 745 | cleanup 746 | exit 0 747 | fi 748 | if [ $flag_is_ecc_cert_required == 1 ];then 749 | update_platform_CRL_data_to_EK_certificate_chain \ 750 | $cfg_ecc_EK_DER_certificate \ 751 | $ecc_EK_certificate_CRL \ 752 | $reordered_ecc_EK_certificate_chain \ 753 | $crl_reordered_ecc_EK_certificate_chain 754 | if [ $? != 0 ];then 755 | echo "CAUTION: CRL for the ECC EK certificate not found" 756 | cleanup 757 | exit 0 758 | fi 759 | fi 760 | 761 | echo "Checking certificate revocation list" 762 | openssl verify -crl_check -CAfile $crl_reordered_rsa_EK_certificate_chain \ 763 | $cfg_rsa_EK_PEM_certificate > /dev/null 764 | if [ $? != 0 ];then 765 | echo "CAUTION: Failed CRL checks for the RSA EK certificate" 766 | echo " Please update system time/ date to current and try again" 767 | echo " Contact OEM if problem persists" 768 | cleanup 769 | exit 0 770 | fi 771 | if [ $flag_is_ecc_cert_required == 1 ];then 772 | openssl verify -crl_check -CAfile $crl_reordered_ecc_EK_certificate_chain \ 773 | $cfg_ecc_EK_PEM_certificate > /dev/null 774 | if [ $? != 0 ];then 775 | echo "CAUTION: Failed CRL checks for the ECC EK certificate" 776 | echo " Please update system time/ date to current and try again" 777 | echo " Contact OEM if problem persists" 778 | cleanup 779 | exit 0 780 | fi 781 | fi 782 | 783 | echo "Endorsement key certificate download/ validation complete" 784 | 785 | cleanup 786 | exit 0 787 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Intel-SA-00086-Linux-Recovery-Tools is released under the BSD-3-Clause 2 | 3 | iCLSClient is released under the proprietary license found in /LICENSES/iclsClient/License.txt 4 | -------------------------------------------------------------------------------- /LICENSES/iclsClient/License.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/INTEL-SA-00086-Linux-Recovery-Tools/f953b2ab21d1cb17a0397bf00ed8e1423338fcee/LICENSES/iclsClient/License.txt -------------------------------------------------------------------------------- /LICENSES/iclsClient/Readme.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) Intel Corporation. 2 | 3 | This iCLS Client ("Software") is furnished under license and may only be used 4 | or copied in accordance with the terms of that license. No license, express or 5 | implied, by estoppel or otherwise, to any intellectual property rights is 6 | granted by this document. The Software is subject to change without notice, 7 | and should not be construed as a commitment by Intel Corporation to market, 8 | license, sell or support any product or technology. Unless otherwise provided 9 | for in the license under which this Software is provided, the Software is 10 | provided AS IS, with no warranties of any kind, express or implied. Except 11 | as expressly permitted by the Software license, neither Intel Corporation nor 12 | its suppliers assumes any responsibility or liability for any errors or 13 | inaccuracies that may appear herein. Except as expressly permitted by the 14 | Software license, no part of the Software may be reproduced, stored in 15 | a retrieval system, transmitted in any form, or distributed by any means 16 | without the express written consent of Intel Corporation. 17 | -------------------------------------------------------------------------------- /LICENSES/iclsClient/Third Party Licenses.txt: -------------------------------------------------------------------------------- 1 |  LICENSE ISSUES 2 | ============== 3 | 4 | The OpenSSL toolkit stays under a dual license, i.e. both the conditions of 5 | the OpenSSL License and the original SSLeay license apply to the toolkit. 6 | See below for the actual license texts. Actually both licenses are BSD-style 7 | Open Source licenses. In case of any license issues related to OpenSSL 8 | please contact openssl-core@openssl.org. 9 | 10 | OpenSSL License 11 | --------------- 12 | 13 | /* ==================================================================== 14 | * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. 15 | * 16 | * Redistribution and use in source and binary forms, with or without 17 | * modification, are permitted provided that the following conditions 18 | * are met: 19 | * 20 | * 1. Redistributions of source code must retain the above copyright 21 | * notice, this list of conditions and the following disclaimer. 22 | * 23 | * 2. Redistributions in binary form must reproduce the above copyright 24 | * notice, this list of conditions and the following disclaimer in 25 | * the documentation and/or other materials provided with the 26 | * distribution. 27 | * 28 | * 3. All advertising materials mentioning features or use of this 29 | * software must display the following acknowledgment: 30 | * "This product includes software developed by the OpenSSL Project 31 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 32 | * 33 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 34 | * endorse or promote products derived from this software without 35 | * prior written permission. For written permission, please contact 36 | * openssl-core@openssl.org. 37 | * 38 | * 5. Products derived from this software may not be called "OpenSSL" 39 | * nor may "OpenSSL" appear in their names without prior written 40 | * permission of the OpenSSL Project. 41 | * 42 | * 6. Redistributions of any form whatsoever must retain the following 43 | * acknowledgment: 44 | * "This product includes software developed by the OpenSSL Project 45 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 46 | * 47 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 48 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 49 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 50 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 51 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 52 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 53 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 54 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 55 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 56 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 57 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 58 | * OF THE POSSIBILITY OF SUCH DAMAGE. 59 | * ==================================================================== 60 | * 61 | * This product includes cryptographic software written by Eric Young 62 | * (eay@cryptsoft.com). This product includes software written by Tim 63 | * Hudson (tjh@cryptsoft.com). 64 | * 65 | */ 66 | 67 | Original SSLeay License 68 | ----------------------- 69 | 70 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 71 | * All rights reserved. 72 | * 73 | * This package is an SSL implementation written 74 | * by Eric Young (eay@cryptsoft.com). 75 | * The implementation was written so as to conform with Netscapes SSL. 76 | * 77 | * This library is free for commercial and non-commercial use as long as 78 | * the following conditions are aheared to. The following conditions 79 | * apply to all code found in this distribution, be it the RC4, RSA, 80 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation 81 | * included with this distribution is covered by the same copyright terms 82 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). 83 | * 84 | * Copyright remains Eric Young's, and as such any Copyright notices in 85 | * the code are not to be removed. 86 | * If this package is used in a product, Eric Young should be given attribution 87 | * as the author of the parts of the library used. 88 | * This can be in the form of a textual message at program startup or 89 | * in documentation (online or textual) provided with the package. 90 | * 91 | * Redistribution and use in source and binary forms, with or without 92 | * modification, are permitted provided that the following conditions 93 | * are met: 94 | * 1. Redistributions of source code must retain the copyright 95 | * notice, this list of conditions and the following disclaimer. 96 | * 2. Redistributions in binary form must reproduce the above copyright 97 | * notice, this list of conditions and the following disclaimer in the 98 | * documentation and/or other materials provided with the distribution. 99 | * 3. All advertising materials mentioning features or use of this software 100 | * must display the following acknowledgement: 101 | * "This product includes cryptographic software written by 102 | * Eric Young (eay@cryptsoft.com)" 103 | * The word 'cryptographic' can be left out if the rouines from the library 104 | * being used are not cryptographic related :-). 105 | * 4. If you include any Windows specific code (or a derivative thereof) from 106 | * the apps directory (application code) you must include an acknowledgement: 107 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 108 | * 109 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 110 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 111 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 112 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 113 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 114 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 115 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 116 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 117 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 118 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 119 | * SUCH DAMAGE. 120 | * 121 | * The licence and distribution terms for any publically available version or 122 | * derivative of this code cannot be changed. i.e. this code cannot simply be 123 | * copied and put under another distribution licence 124 | * [including the GNU Public Licence.] 125 | */ 126 | 127 | 128 | 129 | Trusted Computing Group TPM2: 130 | - Software Stack 131 | - Access Broker & Resource Management Daemon 132 | =============================================== 133 | 134 | Redistribution and use in source and binary forms, with or without 135 | modification, are permitted provided that the following conditions are met: 136 | 137 | 1. Redistributions of source code must retain the above copyright notice, 138 | this list of conditions and the following disclaimer. 139 | 140 | 2. Redistributions in binary form must reproduce the above copyright notice, 141 | this list of conditions and the following disclaimer in the documentation 142 | and/or other materials provided with the distribution. 143 | 144 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 145 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 146 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 147 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 148 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 149 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 150 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 151 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 152 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 153 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 154 | THE POSSIBILITY OF SUCH DAMAGE. 155 | 156 | 157 | 158 | gSOAP License 159 | =============================================== 160 | 161 | Part of the software embedded in this product is gSOAP software. 162 | Portions created by gSOAP are Copyright (C) 2001–2009 Robert A. van Engelen, 163 | Genivia inc. All Rights Reserved. 164 | 165 | THE SOFTWARE IN THIS PRODUCT WAS IN PART PROVIDED BY GENIVIA INC AND ANY 166 | EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 167 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 168 | DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 169 | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 170 | BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 171 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 172 | OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 173 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 174 | EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 175 | 176 | 177 | Intel(R) EPID SDK License 178 | =============================================== 179 | 180 | Copyright 2016-2020 Intel Corporation 181 | 182 | Licensed under the Apache License, Version 2.0 (the "License"); 183 | you may not use this file except in compliance with the License. 184 | You may obtain a copy of the License at 185 | 186 | http://www.apache.org/licenses/LICENSE-2.0 187 | 188 | Unless required by applicable law or agreed to in writing, software 189 | distributed under the License is distributed on an "AS IS" BASIS, 190 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 191 | See the License for the specific language governing permissions and 192 | limitations under the License. -------------------------------------------------------------------------------- /LICENSES/iclsClient/development_tools.txt: -------------------------------------------------------------------------------- 1 | [no entries] 2 | -------------------------------------------------------------------------------- /LICENSES/iclsClient/redist.txt: -------------------------------------------------------------------------------- 1 | [no entries] 2 | -------------------------------------------------------------------------------- /Packages/iCLS/Intel(R) Trust Services.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mQGNBGRCYFABDADfKvzNNaApY4I5Bkx/kOw/JsFwHP/5WulE7sphg7crvXi/4F8NKKVZ/n4RaSzV 4 | 1L3WMSp6OQEqducTtCVAl0RLJ6W057uzb4tZpQ3PY44kcYuHJvxFrZ+zL7aeQXTFH5oZuKdD8ecb 5 | p1XuK06nuRaESJ795I63F2kmqGUI0CjLLAr7LrLS2xlqHo2csJIKSvQGIG+KnkLdhXtkBhzoQi20 6 | aeupgD4gKD7Gvo05P0xOQcbec9dWxks4JiGH/VDfKApc4C+DAMvYapDc7CeCBoPgGj1WmhS0J9zA 7 | kJAsos3JX1JJ5ZJ/VmJtLlvXfaBPh9gZS+RHXoOH9g+rxUq94IfKrXT57JpX5Gx2SDt8qPuKiIkw 8 | EE2LzNydVNuqO2cvTgw09tqJGEjRaK4VIsc4lOin/W+hLTVnZjMQNxAH7fT2WHbgAlWGZKUwyvUF 9 | xQgKHHCbaPpy6xjpiNULUinGLRNvIAfPO6bDC3QoLaGkOD2bu7K83KLb9Ia1wpwHwbRaeQ0AEQEA 10 | AbUAGkNOPUludGVsKFIpIFRydXN0IFNlcnZpY2VziQG+BBMBCAAoBQJkQmBQAhsDBQkFpOwABgsJ 11 | CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAz2LjghGYBUSUODACqET9q86WkhPj5g6phwS4ts9QU 12 | PjZ7bshhiWIijtXAxx/HBnnms/aiwGde+RTudGEEdCSQ9wlG2yq44/mruFqxPWe5AzUZA0N701GE 13 | pwcZJ3sUWhPl7ojgG9VYLUVAZY3Kd3WPrgnBYsPkiUKsmBQ4HYnl1+kSZeiwXowm9Tvi7ckhKPVU 14 | jLb0oZ62WGIsY4TqyBLR00NWDbrKS63TfaJq8Luc1uwHuBU8Ajk7YzAEqIc5c5M8HNiLIOg/VKSV 15 | gWv0bP1xHI4pY57pYYCbclJV+xu9vYRVEzdmEORY5Yke21QF1ez96dau5F2WPmSh7Cg7hbJ8/UCE 16 | gfRO1ICQcQtAvJLZJa4Vds8p+t2Zrd6kZJ095voVQEa8DJb5n5mUgK/5UMhA7fWutTDQqXgN89Vl 17 | ydm5RciRgsJfz1nEmtMj8x1fk0lePv17Q5yVTVAc3Q+3PQ1sxJNqZhP8Qf1mpEg57RzQ5q/r0oOh 18 | ZLc7OTYUtm9rUZPo0ARoRLksU0kvipk= 19 | =qv+e 20 | -----END PGP PUBLIC KEY BLOCK----- -------------------------------------------------------------------------------- /Packages/iCLS/iclsClient-1.78.11.0-1.i386.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/INTEL-SA-00086-Linux-Recovery-Tools/f953b2ab21d1cb17a0397bf00ed8e1423338fcee/Packages/iCLS/iclsClient-1.78.11.0-1.i386.rpm -------------------------------------------------------------------------------- /Packages/iCLS/iclsClient-1.78.11.0-1.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/INTEL-SA-00086-Linux-Recovery-Tools/f953b2ab21d1cb17a0397bf00ed8e1423338fcee/Packages/iCLS/iclsClient-1.78.11.0-1.x86_64.rpm -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Intel (R) SA-00086-Recovery-Tool For Linux* OS 2 | 3 | ## Purpose: 4 | This utility is intended for re-provisioning of the platform keys AFTER applying 5 | the Intel (R) ME/ TXE firmware update in response to security advisory SA-00086. 6 | More information on the Intel (R) ME/ TXE update and security advisory can be found at 7 | https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr. 8 | At the link above there is also an INTEL-SA-00086 Detection Tool that assists in 9 | discovering the platform vulnerability status described in INTEL-SA-00086. 10 | Please refer the link for a full list of affected platforms. 11 | 12 | ## Prerequisites: 13 | 1. Ensure Intel (R) PTT is enabled in BIOS. 14 | 2. Ensure TPM CRB kernel driver is enabled on your Linux. 15 | You can check if the device exists with "ls /dev/tpm*" after PTT is enabled 16 | in BIOS. 17 | 3. Intel (R) MEI driver needs to be installed on the system. 18 | You can check this with "ls /dev/mei*"" 19 | 4. Following dependencies may need to be installed prior to tpm2-software install. 20 | (names may vary per your Linux distribution). 21 | rpm, autoconf-archive, curl, net-tools, build-essential, pkg-config, gcc, 22 | g++, m4, libtool, automake, libgcrypt20-dev, libssl-dev, autoconf, gnulib, 23 | wget, libdbus-1-dev, libglib2.0-dev, libcurl4-openssl-dev, dbus-x11, 24 | iproute2, libtasn1-6-dev, socat, libseccomp-dev, gawk, libyaml-dev, uuid-dev 25 | 5. Install tpm2-software: tpm2-tss v3.1.0, tpm2-abrmd v2.4.0 and tpm2-tools v4.1.1 26 | by executing the "build.sh" script as "sudo". 27 | 6. If the dependency packages were installed appropriately, the build.sh should 28 | proceed to indicate the appropriate icls package versions ( i386/ x86_64 ) 29 | to install from the packages directory. 30 | 7. Prior to installing the icls client libraries you can verify the rpm signatures 31 | To do this import the public key to verify the signature from packages/iCLS dir 32 | `rpm --import "Intel(R) Trust Services.key" && rpm -K iclsClient-..rpm"` 33 | 8. Install iCLS client libraries from the Packages folder. 34 | Instructions based on the package manager 35 | * rpm --> "rpm -i -nodeps iclsClient..rpm" 36 | * alien --> "alien -i -nodeps –-script iclsClient..rpm" 37 | * yum --> "yum install iclsClient..rpm" 38 | 9. Please make sure system wide proxy has been setup and the platform is connected. 39 | 9. After installing above dependencies a reboot is required. 40 | 41 | ## Instructions to run the Intel (R) SA-00086-Recovery-Tool For Linux* OS: 42 | 1. Please run the TPM access broker and resource manager daemon 43 | `sudo -u tss tpm2-abrmd --tcti=device &` 44 | 2. Run the Intel-SA-00086-Recovery-Tool to launch the provisioning bash script. 45 | If the platform supports, an ECC based EK certificate can be retrieved by 46 | specifying "-E" option. 47 | 3. If you have received the necessary Intel (R) ME/ TXE firmware update then: 48 | * You must see the message "EPS generated by Intel (R) PTT" 49 | * At this point the recovery application should re-provision the keys. 50 | * After successful recovery, An NV Index for Intel (R) PTT Endorsement Key 51 | certificate is created at index 0x1c00002 for an RSA EK certificate and if 52 | the platform supports it, at index 0x1c0000a for an ECC EK certificate. 53 | A copy of it is read to the file system path indicated in the bash script, 54 | Intel-SA-00086-Recovery-Tool . 55 | 4. OR,If you have not received the necessary Intel (R) ME/ TXE firmware update then: 56 | * You must see the message "EPS is generated by Manufacturer" 57 | * At this point the platform does not trigger the recovery process. 58 | * The recovery tool instead tries to retrieve the Intel (R) PTT Endorsement 59 | Key certificate through non recovery process. 60 | 61 | NOTE: Affected platform MUST receive the Intel (R) ME/ TXE firmware update to 62 | fully mitigate the issue. An indication of this being completed is that the 63 | tpmGeneratedEPS bit is set and can be read with `tpm2_getcap properties-variable` 64 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity and mitigation. 3 | 4 | ## Reporting a Vulnerability 5 | Please report any security vulnerabilities in this project utilizing the guidelines [here](https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html). -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #;****************************************************************************; 3 | # Intel-SA-00086 build script 4 | # 5 | # BSD LICENSE 6 | # 7 | # Copyright (C) 2003-2012, 2018 Intel Corporation. All rights reserved. 8 | # All rights reserved. 9 | # 10 | # Redistribution and use in source and binary forms, with or without 11 | # modification, are permitted provided that the following conditions 12 | # are met: 13 | # 14 | # * Redistributions of source code must retain the above copyright 15 | # notice, this list of conditions and the following disclaimer. 16 | # * Redistributions in binary form must reproduce the above copyright 17 | # notice, this list of conditions and the following disclaimer in 18 | # the documentation and/or other materials provided with the 19 | # distribution. 20 | # * Neither the name Intel Corporation nor the names of its 21 | # contributors may be used to endorse or promote products derived 22 | # from this software without specific prior written permission. 23 | # 24 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27 | # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28 | # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 30 | # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 34 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 | # 36 | #;****************************************************************************; 37 | 38 | pushd Packages 39 | 40 | #TSS 41 | wget https://github.com/tpm2-software/tpm2-tss/releases/download/4.0.1/tpm2-tss-4.0.1.tar.gz 42 | tar -xvzf tpm2-tss-4.0.1.tar.gz 43 | pushd tpm2-tss-4.0.1 44 | ./configure --with-udevrulesdir=/etc/udev/rules.d/ 45 | if [ $? != 0 ];then 46 | echo "ERROR: Missing package dependencies for tss installation." 47 | echo "Please refer https://github.com/tpm2-software/tpm2-tss/blob/master/INSTALL.md" 48 | exit 1 49 | fi 50 | make -j8 51 | if [ $? != 0 ];then 52 | echo "ERROR: Failed TSS build/install. Exiting." 53 | exit 1 54 | fi 55 | sudo make install 56 | sudo ldconfig 57 | sudo udevadm control --reload-rules && sudo udevadm trigger 58 | sudo mkdir -p /var/lib/tpm 59 | sudo groupadd tss && sudo useradd -M -d /var/lib/tpm -s /bin/false -g tss tss 60 | sudo pkill -HUP dbus-daemon 61 | popd 62 | 63 | #ABRMD 64 | wget https://github.com/tpm2-software/tpm2-abrmd/releases/download/3.0.0/tpm2-abrmd-3.0.0.tar.gz 65 | tar -xvzf tpm2-abrmd-3.0.0.tar.gz 66 | pushd tpm2-abrmd-3.0.0 67 | ./configure --with-dbuspolicydir=/etc/dbus-1/system.d 68 | if [ $? != 0 ];then 69 | echo "ERROR: Missing package dependencies for tpm2-abrmd installation." 70 | echo "Please refer https://github.com/tpm2-software/tpm2-abrmd/blob/master/INSTALL.md" 71 | exit 1 72 | fi 73 | make -j8 74 | if [ $? != 0 ];then 75 | echo "ERROR: Failed ABRMD build. Exiting." 76 | exit 1 77 | fi 78 | sudo make install 79 | sudo ldconfig 80 | popd 81 | 82 | #TOOLS 83 | wget https://github.com/tpm2-software/tpm2-tools/releases/download/5.5/tpm2-tools-5.5.tar.gz 84 | tar -xvzf tpm2-tools-5.5.tar.gz 85 | pushd tpm2-tools-5.5 86 | ./configure 87 | if [ $? != 0 ];then 88 | echo "ERROR: Missing package dependencies for tpm2-tools installation." 89 | echo "Please refer https://github.com/tpm2-software/tpm2-tools/blob/master/INSTALL.md" 90 | exit 1 91 | fi 92 | make -j8 93 | if [ $? != 0 ];then 94 | echo "ERROR: Failed tpm2-tools build/install. Exiting." 95 | exit 1 96 | fi 97 | sudo make install 98 | sudo ldconfig 99 | popd 100 | 101 | popd 102 | 103 | #iCLS 104 | ARCH=$(uname -m) 105 | echo "Please install the iCLS package from $ARCH folder with your package manager command" 106 | echo "Example:" 107 | echo "1. Verify package signature: rpm --import \"Intel(R) Trust Services.key\" && rpm -K iclsClient-..rpm" 108 | echo "2. Install package: rpm -i -nodeps iclsClient.rpm" 109 | 110 | #Pre-run instructions. 111 | echo "Now run the resource manager daemon prior to running the tool/ script." 112 | echo "sudo -u tss tpm2-abrmd --tcti=device" 113 | echo "Please make sure the udev rules are installed as well." 114 | --------------------------------------------------------------------------------