Merge pull request #344 from dgarske/nv_auth_policy

Added new API for allowing NV creation with policy
wolfSSL · Apr 24, 2024 · 1126c2e · 1126c2e
2 parents eede95d + 7a2a566
commit 1126c2e
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 3 deletions.
diff --git a/src/tpm2.c b/src/tpm2.c
@@ -4831,6 +4831,9 @@ TPM_RC TPM2_NV_Write(NV_Write_In* in)
         TPM2_Packet_Init(ctx, &packet);
 
         TPM2_Packet_AppendU32(&packet, in->authHandle);
+        /* When using an HMAC or Policy session make sure the NV "name" is
+         * populated in the TPM2_AUTH_SESSION name.name. This is a computed
+         * hash (see TPM2_HashNvPublic) */
         TPM2_Packet_AppendU32(&packet, in->nvIndex);
         TPM2_Packet_AppendAuth(&packet, ctx, &info);
 

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -4258,9 +4258,10 @@ int wolfTPM2_UnloadHandle(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle)
 
 /* nv is the populated handle and auth */
 /* auth and authSz are optional NV authentication */
-int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
+/* authPolicy and authPolicySz are optional policy digest */
+int wolfTPM2_NVCreateAuthPolicy(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
     WOLFTPM2_NV* nv, word32 nvIndex, word32 nvAttributes, word32 maxSize,
-    const byte* auth, int authSz)
+    const byte* auth, int authSz, const byte* authPolicy, int authPolicySz)
 {
     int rc, rctmp, alreadyExists = 0;
     NV_DefineSpace_In in;
@@ -4275,7 +4276,7 @@ int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
 
     XMEMSET(&in, 0, sizeof(in));
     in.authHandle = parent->hndl;
-    if (auth && authSz > 0) {
+    if (auth != NULL && authSz > 0) {
         if (authSz > (int)sizeof(in.auth.buffer))
             authSz = (int)sizeof(in.auth.buffer);
         in.auth.size = authSz;
@@ -4285,6 +4286,14 @@ int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
     in.publicInfo.nvPublic.nameAlg = WOLFTPM2_WRAP_DIGEST;
     in.publicInfo.nvPublic.attributes = nvAttributes;
     in.publicInfo.nvPublic.dataSize = (UINT16)maxSize;
+    if (authPolicy != NULL && authPolicySz > 0) {
+        if (authPolicySz > (int)sizeof(in.publicInfo.nvPublic.authPolicy.buffer)) {
+            authPolicySz = (int)sizeof(in.publicInfo.nvPublic.authPolicy.buffer);
+        }
+        in.publicInfo.nvPublic.authPolicy.size = authPolicySz;
+        XMEMCPY(in.publicInfo.nvPublic.authPolicy.buffer, authPolicy,
+            in.publicInfo.nvPublic.authPolicy.size);
+    }
 
     rc = TPM2_NV_DefineSpace(&in);
     if (rc == TPM_RC_NV_DEFINED) {
@@ -4321,6 +4330,14 @@ int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
     return (rc == TPM_RC_SUCCESS && alreadyExists) ? TPM_RC_NV_DEFINED : rc;
 }
 
+int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
+    WOLFTPM2_NV* nv, word32 nvIndex, word32 nvAttributes, word32 maxSize,
+    const byte* auth, int authSz)
+{
+    return wolfTPM2_NVCreateAuthPolicy(dev, parent, nv, nvIndex, nvAttributes,
+        maxSize, auth, authSz, NULL, 0);
+}
+
 /* older API kept for compatibility, recommend using wolfTPM2_NVCreateAuth */
 int wolfTPM2_NVCreate(WOLFTPM2_DEV* dev, TPM_HANDLE authHandle,
     word32 nvIndex, word32 nvAttributes, word32 maxSize,

diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
@@ -1862,6 +1862,7 @@ WOLFTPM_API int wolfTPM2_ExtendPCR(WOLFTPM2_DEV* dev, int pcrIndex, int hashAlg,
     \param auth pointer to a string constant, specifying the password authorization for this NV Index
     \param authSz integer value, specifying the size of the password authorization, in bytes
 
+    \sa wolfTPM2_NVCreateAuthPolicy
     \sa wolfTPM2_NVWriteAuth
     \sa wolfTPM2_NVReadAuth
     \sa wolfTPM2_NVDeleteAuth
@@ -1871,6 +1872,36 @@ WOLFTPM_API int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent
     WOLFTPM2_NV* nv, word32 nvIndex, word32 nvAttributes, word32 maxSize,
     const byte* auth, int authSz);
 
+/*!
+    \ingroup wolfTPM2_Wrappers
+    \brief Creates a new NV Index to be later used for storing data into the TPM's NVRAM
+    \note This is a wolfTPM2 wrapper around TPM2_NV_DefineSpace
+
+    \return TPM_RC_SUCCESS: successful
+    \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code)
+    \return BAD_FUNC_ARG: check the provided arguments
+
+    \param dev pointer to a TPM2_DEV struct
+    \param parent pointer to a WOLFTPM2_HANDLE, specifying the TPM hierarchy for the new NV Index
+    \param nv pointer to an empty structure of WOLFTPM2_NV type, to hold the new NV Index
+    \param nvIndex integer value, holding the NV Index Handle given by the TPM upon success
+    \param nvAttributes integer value, use wolfTPM2_GetNvAttributesTemplate to create correct value
+    \param maxSize integer value, specifying the maximum number of bytes written at this NV Index
+    \param auth pointer to a string constant, specifying the password authorization for this NV Index
+    \param authSz integer value, specifying the size of the password authorization, in bytes
+    \param authPolicy optional policy for using this key (The policy is computed using the nameAlg of the object)
+    \param authPolicySz size of the authPolicy
+
+    \sa wolfTPM2_NVCreateAuth
+    \sa wolfTPM2_NVWriteAuth
+    \sa wolfTPM2_NVReadAuth
+    \sa wolfTPM2_NVDeleteAuth
+    \sa wolfTPM2_NVOpen
+*/
+WOLFTPM_API int wolfTPM2_NVCreateAuthPolicy(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
+    WOLFTPM2_NV* nv, word32 nvIndex, word32 nvAttributes, word32 maxSize,
+    const byte* auth, int authSz, const byte* authPolicy, int authPolicySz);
+
 /*!
     \ingroup wolfTPM2_Wrappers
     \brief Stores user data to a NV Index, at a given offset