We need to make sure the EID can always be obtained. This may be problematic once the key to the TPM has been thrown away. We discussed maybe allowing a delegate to get the public EK's modulus even after that key has been thrown away.

We may also want to make sure that once an AIK certificate has been produced, we only return the EID from that cert even if the device stable secret changes, so they are the same value.

We should implement comment #1 in a new CL. It is really important that we can always get the EID, and that it matches what Asbestos will send. So this is what I propose:

1. Add an enrollment_id field in the database proto.
2. When calling GetEnrollmentId() check the local cache (enterprise_enrollment_id_) if you want as is, but if there is no local cache, check the database field and read from this.
3. In ComputeEnrollmentId, use the delegate if there is one to read the EK, so we can read it even after first boot.
4. When an AIK is obtained, get the enrollment ID from it (decode the certfrom the response in Attestation::Enroll() and extract the EID), cache it in the database and also in the local cache field.

Re #3 Item 3. Given that the delegate and the enrollment_id will be stored in the same database proto, we may avoid needing the delegate. It is likely sufficient to generate and save enrollment_id in the db when preparing for enrollment, when the owner password is still available. If the db is lost somehow after that, the delegate would be lost anyways, so it's as safe as relying on a delegate.

Need to make sure that it still works in case of interrupted initialization, of course. But generating enrollment_id before creating the delegate and releasing the dependency on the owner password seems to be sufficient.

When asbestos sends back EID in the cert, we can read it from there and update the db, which normally shouldn't be necessary since it should be the same value. In fact, if we compare the values and find out that they are different, we may want to panic and abort enrollment instead?

stored in the same database proto, we may avoid needing the delegate. It is
likely sufficient to generate and save enrollment_id in the db when
preparing for enrollment, when the owner password is still available. If
the db is lost somehow after that, the delegate would be lost anyways, so
it's as safe as relying on a delegate.

The problem is a scenario where we cache an enrollment ID, then change the
stable device secret, then ask for the EID and it doesn't match. If we get
the AIK after that, we'll have the wrong EID again. Granted, this should
not happen on real machines (non dev) but I'd rather have something that is
robust in all scenarios since it's not that much more complicated.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/627bbff32d8b94abd252989b4765c115b9f1d57a

commit 627bbff32d8b94abd252989b4765c115b9f1d57a
Author: Igor <igorcov@chromium.org>
Date: Tue Jan 09 22:14:28 2018

cryptohome: Compute the enrollmentId.

The enrollmentId (eid) is required for zero-touch enrollment. It
is computed according to document:
https://docs.google.com/document/d/1scoDCRXjZZglelCtust8OjAj9mTe-Kk-3xCFLsw64Tg/edit

This is the implementation that allows to compute the id with a
D-Bus call from cryptohomed.

The implementation for service_distributed will come in a follow-up CL.

BUG= chromium:793326 
TEST=cryptohome --action=get_enrollment_id

Change-Id: I12f552cc0cb1a80ab40a836029a1fff337ca6e21
Reviewed-on: https://chromium-review.googlesource.com/827064
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/service_distributed.h
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/tpm2_impl.cc
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/attestation.cc
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/attestation.h
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/etc/Cryptohome.conf
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/cryptohome.cc
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/service_monolithic.cc
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/service_monolithic.h
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/service.h
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/interface.cc
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/interface.h
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/service_distributed.cc
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/attestation_unittest.cc
[modify] https://crrev.com/627bbff32d8b94abd252989b4765c115b9f1d57a/cryptohome/dbus_bindings/org.chromium.CryptohomeInterface.xml

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/system_api/+/82429d7133c5acaf11dfe8de7e8d6ba7b0bc7ba1

commit 82429d7133c5acaf11dfe8de7e8d6ba7b0bc7ba1
Author: Igor <igorcov@chromium.org>
Date: Fri Jan 26 03:23:58 2018

system_api: D-Bus constant for TpmAttestationGetEnrollmentId

Constant for the new D-Bus API TpmAttestationGetEnrollmentId

BUG= chromium:793326 
TEST=None
CQ-DEPEND=CL:827064

Change-Id: Ie2c3ae475bbd56d488a9883f4836424135a41fe7
Reviewed-on: https://chromium-review.googlesource.com/832485
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/82429d7133c5acaf11dfe8de7e8d6ba7b0bc7ba1/dbus/cryptohome/dbus-constants.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/83078cdce51e3fcb6066e8b4312953fec00c99ce

commit 83078cdce51e3fcb6066e8b4312953fec00c99ce
Author: Igor <igorcov@chromium.org>
Date: Fri Jan 26 03:23:57 2018

attestation: Obtaining the device enrollment ID

Extended the D-Bus interface to accept call to GetEnrollmentId.
It helps the request to GetEnrollmentId that goes through
service_distributed to be processed.

BUG= chromium:793326 
TEST=cryptohome --action=get_enrollment_id
CQ-DEPEND=CL:827064

Change-Id: I0298006dde03b81b66393c7824f93a22326839f5
Reviewed-on: https://chromium-review.googlesource.com/847472
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/server/attestation_service_test.cc
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/common/dbus_interface.h
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/common/mock_attestation_interface.h
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/common/interface.proto
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/common/tpm_utility_v2.cc
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/server/attestation_service.h
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/server/attestation_service.cc
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/server/dbus_service.cc
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/common/tpm_utility_v2_test.cc
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/client/dbus_proxy.cc
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/common/attestation_interface.h
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/server/dbus_service.h
[modify] https://crrev.com/83078cdce51e3fcb6066e8b4312953fec00c99ce/attestation/client/dbus_proxy.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/64371d73031a310ede5f1e5fe1f549c40610e5bd

commit 64371d73031a310ede5f1e5fe1f549c40610e5bd
Author: Igor <igorcov@chromium.org>
Date: Sat Jan 27 02:17:20 2018

cryptohome: ServiceDistributed implementation for GetEnrollmentId

A D-Bus call to attestation to get the enrollment Id.

BUG= chromium:793326 
TEST=cryptohome --action=get_enrollment_id
CQ-DEPEND=CL:847472

Change-Id: Iea8cac326722ffc9308bfd5238e445986e2ca2d6
Reviewed-on: https://chromium-review.googlesource.com/846988
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/64371d73031a310ede5f1e5fe1f549c40610e5bd/cryptohome/service_distributed.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/trousers/+/418dbebdef6ea0fb7ad4001f12b9cb67fa62e5fb

commit 418dbebdef6ea0fb7ad4001f12b9cb67fa62e5fb
Author: Maksim Ivanov <emaxx@google.com>
Date: Wed Jan 31 16:29:44 2018

Trousers bugfix: TPM delegates with CMKs and PUBEK

Add missing code into a bunch of Trousers functions, in order to make
them work correctly when authorization via TPM owner delegates is used
(as opposed to authorization via owner password).

Without this fix, the affected TPM functions break with
TSS_E_TSP_AUTHFAIL when attempting to use them with owner delegates.

Some technical details:

TPM 1.2 specification provides two binary
protocols for issuing TPM commands: OIAP and DSAP. The first one is
more light-weight and is therefore preferred usually, but it only
supports owner authorization via password. The second one is heaiver,
but supports owner authorization via delegates.

Therefore many operations in Trousers that require owner authorization
contain the logic that chooses between OIAP and DSAP depending on
whether a delegate is used. But such logic is missing for several
functions.

This CL fixes it for the functions that we are going to use on Chrome OS
(we didn't set the goal of going through all functions and finding all
buggy ones) :
* TPM_CMK_ApproveMA,
* TPM_AuthorizeMigrationKey,
* TPM_CMK_CreateTicket,
* TPM_OwnerReadInternalPub,
* TPM_ReadPubek.

Note: We haven't found any fix for these bugs in upstream, nor bug
reports for these issues (most likely due to that the prerequisites for
the bug are involving TPM features that are not widely used). According
to some blame'ing, the bugs were in the code for at least 10 years.

BUG=chromium:806788,  chromium:793326 
TEST=manual: write code that uses CMKs and/or PUBEK with
     delegate authorization and test it on a real device

Change-Id: I8d7f86d716f1da76f4cabcd9f401c3ccc9a031ee
Reviewed-on: https://chromium-review.googlesource.com/721380
Commit-Ready: Maksim Ivanov <emaxx@chromium.org>
Tested-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/418dbebdef6ea0fb7ad4001f12b9cb67fa62e5fb/src/tspi/tspi_cmk.c
[modify] https://crrev.com/418dbebdef6ea0fb7ad4001f12b9cb67fa62e5fb/src/tspi/tspi_migration.c
[modify] https://crrev.com/418dbebdef6ea0fb7ad4001f12b9cb67fa62e5fb/src/tspi/tsp_ek.c
[modify] https://crrev.com/418dbebdef6ea0fb7ad4001f12b9cb67fa62e5fb/src/tspi/tsp_auth.c

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/a10f9c8616087a2b111a407f92bf3fda67ea5630

commit a10f9c8616087a2b111a407f92bf3fda67ea5630
Author: Igor <igorcov@chromium.org>
Date: Wed Feb 07 23:04:26 2018

cryptohome: Use delegate to get endorsement key for locked TPM

After the TPM gets locked, and the password is deleted, the
endorsement key is removed from attestation data. This change
gives the right to delegate to get the endorsement key.

BUG= chromium:793326 
TEST=cryptohome --action=get_enrollment_id

Change-Id: Idee3b45d985b88ddca44d5e23c4de0b38efca74a
Reviewed-on: https://chromium-review.googlesource.com/887024
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/a10f9c8616087a2b111a407f92bf3fda67ea5630/cryptohome/tpm2_impl.cc
[modify] https://crrev.com/a10f9c8616087a2b111a407f92bf3fda67ea5630/cryptohome/attestation.cc
[modify] https://crrev.com/a10f9c8616087a2b111a407f92bf3fda67ea5630/cryptohome/tpm_impl.cc
[modify] https://crrev.com/a10f9c8616087a2b111a407f92bf3fda67ea5630/cryptohome/attestation_unittest.cc
[modify] https://crrev.com/a10f9c8616087a2b111a407f92bf3fda67ea5630/cryptohome/tpm2_impl.h
[modify] https://crrev.com/a10f9c8616087a2b111a407f92bf3fda67ea5630/cryptohome/tpm_impl.h
[modify] https://crrev.com/a10f9c8616087a2b111a407f92bf3fda67ea5630/cryptohome/stub_tpm.h
[modify] https://crrev.com/a10f9c8616087a2b111a407f92bf3fda67ea5630/cryptohome/mock_tpm.h
[modify] https://crrev.com/a10f9c8616087a2b111a407f92bf3fda67ea5630/cryptohome/tpm.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/e6093895d4e7c5f1758d4d005a43bce068a0ed09

commit e6093895d4e7c5f1758d4d005a43bce068a0ed09
Author: Igor <igorcov@chromium.org>
Date: Sat Feb 10 03:03:19 2018

attestation: Cache enrollment ID in attestation database at enrollment

The enrollment ID is cached in attestation database at the enrollment.
This allows to have the same ID even if the device secret has been
changed later.

BUG= chromium:793326 
TEST=cryptohome --action=get_enrollment_id

Change-Id: I452a9911f3c72b984973f8b8e9de92c5885f3108
Reviewed-on: https://chromium-review.googlesource.com/908888
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/e6093895d4e7c5f1758d4d005a43bce068a0ed09/attestation/server/attestation_service.cc
[modify] https://crrev.com/e6093895d4e7c5f1758d4d005a43bce068a0ed09/attestation/server/attestation_service_test.cc
[modify] https://crrev.com/e6093895d4e7c5f1758d4d005a43bce068a0ed09/attestation/common/database.proto

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/72ce3430b9f65e51d43aaffa9550123972d935ee

commit 72ce3430b9f65e51d43aaffa9550123972d935ee
Author: Igor <igorcov@chromium.org>
Date: Wed Feb 14 05:16:11 2018

cryptohome: Cache enrollment ID in attestation database at enrollment

The enrollment ID depends on the device secret and is used for zero
touch enrollment or for re-enrollment. When the device is enrolled
the computed enrollment ID has to be cached in the attestation database.

This allows to avoid problems in a scenario when the device secret is
changed after the device is enrolled. If the enrollment ID would be
computed after that, it would be different from the value used at the
enrollment. Having it stored in attestation database allows to be sure
the enrollment ID remains the same.

In this CL the enrollment ID is computed at the enrollment and stored
in attestation database. When it is requested, we check the value from
the database. If it is present there, then that's the value returned.

BUG= chromium:793326 
TEST=cryptohome --action=get_enrollment_id

Change-Id: Ic53d4b1aef73b3983947d082e10406715db65f29
Reviewed-on: https://chromium-review.googlesource.com/906630
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/72ce3430b9f65e51d43aaffa9550123972d935ee/cryptohome/attestation_unittest.cc
[modify] https://crrev.com/72ce3430b9f65e51d43aaffa9550123972d935ee/cryptohome/attestation.proto
[modify] https://crrev.com/72ce3430b9f65e51d43aaffa9550123972d935ee/cryptohome/attestation.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/aosp/platform/system/tpm/+/917324d9d0e2fb2704ed78ec639139df653ef857

commit 917324d9d0e2fb2704ed78ec639139df653ef857
Author: Igor <igorcov@chromium.org>
Date: Thu May 31 18:49:29 2018

attestation: Obtaining the device enrollment ID

Extended the D-Bus interface to accept call to GetEnrollmentId.
It helps the request to GetEnrollmentId that goes through
service_distributed to be processed.

BUG= chromium:793326 
TEST=cryptohome --action=get_enrollment_id
CQ-DEPEND=CL:827064

Change-Id: I0298006dde03b81b66393c7824f93a22326839f5
Reviewed-on: https://chromium-review.googlesource.com/847472
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/server/attestation_service_test.cc
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/common/dbus_interface.h
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/common/mock_attestation_interface.h
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/common/interface.proto
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/common/tpm_utility_v2.cc
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/server/attestation_service.h
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/server/attestation_service.cc
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/server/dbus_service.cc
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/common/tpm_utility_v2_test.cc
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/client/dbus_proxy.cc
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/common/attestation_interface.h
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/server/dbus_service.h
[modify] https://crrev.com/917324d9d0e2fb2704ed78ec639139df653ef857/attestation/client/dbus_proxy.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/bb3edd6fe4bc36f507a24f61469bd796fbd98044

commit bb3edd6fe4bc36f507a24f61469bd796fbd98044
Author: Igor <igorcov@chromium.org>
Date: Mon Jun 04 23:13:06 2018

cryptohome: ServiceDistributed implementation for GetEnrollmentId

A D-Bus call to attestation to get the enrollment Id.

BUG= chromium:793326 
TEST=cryptohome --action=get_enrollment_id
CQ-DEPEND=CL:847472

Change-Id: Iea8cac326722ffc9308bfd5238e445986e2ca2d6
Reviewed-on: https://chromium-review.googlesource.com/846988
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1081188
Reviewed-by: Igor <igorcov@chromium.org>
Commit-Queue: Pat Erley <perley@chromium.org>
Tested-by: Pat Erley <perley@chromium.org>

[modify] https://crrev.com/bb3edd6fe4bc36f507a24f61469bd796fbd98044/cryptohome/service_distributed.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/aosp/platform/system/tpm/+/c75f1afb48b1cd79876ff17434a5d5a4fd16c4a9

commit c75f1afb48b1cd79876ff17434a5d5a4fd16c4a9
Author: Igor <igorcov@chromium.org>
Date: Tue Jun 05 07:49:40 2018

attestation: Cache enrollment ID in attestation database at enrollment

The enrollment ID is cached in attestation database at the enrollment.
This allows to have the same ID even if the device secret has been
changed later.

BUG= chromium:793326 
TEST=cryptohome --action=get_enrollment_id

Change-Id: I452a9911f3c72b984973f8b8e9de92c5885f3108
Reviewed-on: https://chromium-review.googlesource.com/908888
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/c75f1afb48b1cd79876ff17434a5d5a4fd16c4a9/attestation/server/attestation_service_test.cc
[modify] https://crrev.com/c75f1afb48b1cd79876ff17434a5d5a4fd16c4a9/attestation/common/database.proto