From 377099af098d6370389e12c8258f82273aa5371e Mon Sep 17 00:00:00 2001
From: David Garske
Date: Mon, 22 Apr 2024 09:58:49 -0700
Subject: [PATCH 1/2] Added new API for allowing NV creation with policy.

---
 src/tpm2_wrap.c     | 23 ++++++++++++++++++++---
 wolftpm/tpm2_wrap.h | 31 +++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index 6f1e95e4..b4e48785 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -4258,9 +4258,10 @@ int wolfTPM2_UnloadHandle(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle)
 /* nv is the populated handle and auth */
 /* auth and authSz are optional NV authentication */
-int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
+/* authPolicy and authPolicySz are optional policy digest */
+int wolfTPM2_NVCreateAuthPolicy(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
     WOLFTPM2_NV* nv, word32 nvIndex, word32 nvAttributes, word32 maxSize,
-    const byte* auth, int authSz)
+    const byte* auth, int authSz, const byte* authPolicy, int authPolicySz)
 {
     int rc, rctmp, alreadyExists = 0;
     NV_DefineSpace_In in;
@@ -4275,7 +4276,7 @@ int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
     XMEMSET(&in, 0, sizeof(in));
     in.authHandle = parent->hndl;
-    if (auth && authSz > 0) {
+    if (auth != NULL && authSz > 0) {
         if (authSz > (int)sizeof(in.auth.buffer))
             authSz = (int)sizeof(in.auth.buffer);
         in.auth.size = authSz;
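Review bot: The comment added above wolfTPM2_NVCreateAuthPolicy in the -4258 hunk, `/* authPolicy and authPolicySz are optional policy digest */`, does not say which hash the digest must come from or how long it has to be, and that digest is what later gates policy-session access to the index. Suggest `/* authPolicy is an optional policy digest computed with the NV nameAlg (WOLFTPM2_WRAP_DIGEST); authPolicySz is its size in bytes, 0 for no policy */`. The size handling of the new argument is raised separately at the -4285 hunk. The body of wolfTPM2_NVCreateAuthPolicy continues outside this hunk.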
@@ -4285,6 +4286,14 @@ int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
     in.publicInfo.nvPublic.nameAlg = WOLFTPM2_WRAP_DIGEST;
     in.publicInfo.nvPublic.attributes = nvAttributes;
     in.publicInfo.nvPublic.dataSize = (UINT16)maxSize;
+    if (authPolicy != NULL && authPolicySz > 0) {
+        if (authPolicySz > (int)sizeof(in.publicInfo.nvPublic.authPolicy.buffer)) {
+            authPolicySz = (int)sizeof(in.publicInfo.nvPublic.authPolicy.buffer);
+        }
+        in.publicInfo.nvPublic.authPolicy.size = authPolicySz;
+        XMEMCPY(in.publicInfo.nvPublic.authPolicy.buffer, authPolicy,
+            in.publicInfo.nvPublic.authPolicy.size);
+    }
     rc = TPM2_NV_DefineSpace(&in);
     if (rc == TPM_RC_NV_DEFINED) {
@@ -4321,6 +4330,14 @@ int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
     return (rc == TPM_RC_SUCCESS && alreadyExists) ? TPM_RC_NV_DEFINED : rc;
 }
+int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
+    WOLFTPM2_NV* nv, word32 nvIndex, word32 nvAttributes, word32 maxSize,
+    const byte* auth, int authSz)
+{
+    return wolfTPM2_NVCreateAuthPolicy(dev, parent, nv, nvIndex, nvAttributes,
+        maxSize, auth, authSz, NULL, 0);
+}
+
 /* older API kept for compatibility, recommend using wolfTPM2_NVCreateAuth */
 int wolfTPM2_NVCreate(WOLFTPM2_DEV* dev, TPM_HANDLE authHandle,
     word32 nvIndex, word32 nvAttributes, word32 maxSize,
diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
index 4889a276..3d590b97 100644
--- a/wolftpm/tpm2_wrap.h
+++ b/wolftpm/tpm2_wrap.h
@@ -1862,6 +1862,7 @@ WOLFTPM_API int wolfTPM2_ExtendPCR(WOLFTPM2_DEV* dev, int pcrIndex, int hashAlg,
     \param auth pointer to a string constant, specifying the password authorization for this NV Index
     \param authSz integer value, specifying the size of the password authorization, in bytes
+    \sa wolfTPM2_NVCreateAuthPolicy
     \sa wolfTPM2_NVWriteAuth
     \sa wolfTPM2_NVReadAuth
     \sa wolfTPM2_NVDeleteAuth
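Review bot: An authPolicySz larger than authPolicy.buffer is silently clamped in the new block at the top of the -4285 hunk, so the index would be defined with a truncated digest that no policy session can satisfy; per the TPM 2.0 spec TPM2_NV_DefineSpace returns TPM_RC_SIZE when authPolicy.size differs from the nameAlg digest size, so at best the caller gets an opaque TPM error and at worst (a nameAlg whose digest size equals the buffer size) the index is created with a policy derived from the wrong bytes. A caller passing an oversized digest has supplied a bad argument, so reject it rather than repair it: `if (authPolicySz > (int)sizeof(in.publicInfo.nvPublic.authPolicy.buffer)) {` / `    return BAD_FUNC_ARG;` / `}`. Stricter still would be to require authPolicySz to equal the digest size of the nameAlg set two lines above (WOLFTPM2_WRAP_DIGEST), if a digest-size helper such as TPM2_GetHashDigestSize is available in this translation unit. wolfTPM2_NVCreateAuthPolicy starts and ends outside this hunk.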
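Review bot: The new wolfTPM2_NVCreateAuth wrapper in the -4321 hunk carries no comment, while the contract comments that used to introduce it now sit on wolfTPM2_NVCreateAuthPolicy. Suggest `/* Same as wolfTPM2_NVCreateAuthPolicy without a policy digest; auth/authSz are the optional NV password */` directly above the definition. The unchanged context line `/* older API kept for compatibility, recommend using wolfTPM2_NVCreateAuth */` could also mention wolfTPM2_NVCreateAuthPolicy now that the policy-capable variant is the primary implementation, though this commit does not touch that line.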
@@ -1871,6 +1872,36 @@ WOLFTPM_API int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent
     WOLFTPM2_NV* nv, word32 nvIndex, word32 nvAttributes, word32 maxSize,
     const byte* auth, int authSz);
+/*!
+    \ingroup wolfTPM2_Wrappers
+    \brief Creates a new NV Index to be later used for storing data into the TPM's NVRAM
+    \note This is a wolfTPM2 wrapper around TPM2_NV_DefineSpace
+
+    \return TPM_RC_SUCCESS: successful
+    \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code)
+    \return BAD_FUNC_ARG: check the provided arguments
+
+    \param dev pointer to a TPM2_DEV struct
+    \param parent pointer to a WOLFTPM2_HANDLE, specifying the TPM hierarchy for the new NV Index
+    \param nv pointer to an empty structure of WOLFTPM2_NV type, to hold the new NV Index
+    \param nvIndex integer value, holding the NV Index Handle given by the TPM upon success
+    \param nvAttributes integer value, use wolfTPM2_GetNvAttributesTemplate to create correct value
+    \param maxSize integer value, specifying the maximum number of bytes written at this NV Index
+    \param auth pointer to a string constant, specifying the password authorization for this NV Index
+    \param authSz integer value, specifying the size of the password authorization, in bytes
+    \param authPolicy optional policy for using this key (The policy is computed using the nameAlg of the object)
+    \param authPolicySz size of the authPolicy
+
+    \sa wolfTPM2_NVCreateAuth
+    \sa wolfTPM2_NVWriteAuth
+    \sa wolfTPM2_NVReadAuth
+    \sa wolfTPM2_NVDeleteAuth
+    \sa wolfTPM2_NVOpen
+*/
+WOLFTPM_API int wolfTPM2_NVCreateAuthPolicy(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
+    WOLFTPM2_NV* nv, word32 nvIndex, word32 nvAttributes, word32 maxSize,
+    const byte* auth, int authSz, const byte* authPolicy, int authPolicySz);
+
 /*!
     \ingroup wolfTPM2_Wrappers
     \brief Stores user data to a NV Index, at a given offset

From 7a2a566b68adbb801d2af31f518d819e23ccba74 Mon Sep 17 00:00:00 2001
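Review bot: The Doxygen block for wolfTPM2_NVCreateAuthPolicy says `\param authPolicy optional policy for using this key (The policy is computed using the nameAlg of the object)`, but this function defines an NV index, not a key, and neither that line nor `\param authPolicySz size of the authPolicy` tells the caller which sizes are valid. Suggest `\param authPolicy optional policy digest bound to this NV Index; it must be computed with the index's nameAlg (WOLFTPM2_WRAP_DIGEST)` and `\param authPolicySz size of authPolicy in bytes: 0 for no policy, otherwise the digest size of the nameAlg`. A short `\note` that an index defined with a policy is then accessed under a policy session (the comment PATCH 2/2 adds to TPM2_NV_Write touches the same point) would save readers a trip to the TPM specification. The documented `\return BAD_FUNC_ARG` only holds for the policy argument if the .c side rejects an oversized digest rather than clamping it, which I cannot confirm from the declaration alone.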
From: David Garske
Date: Mon, 22 Apr 2024 14:57:31 -0700
Subject: [PATCH 2/2] Add comment about nvIndex name.

---
 src/tpm2.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/tpm2.c b/src/tpm2.c
index 89f6b137..45ad5087 100644
--- a/src/tpm2.c
+++ b/src/tpm2.c
@@ -4831,6 +4831,9 @@ TPM_RC TPM2_NV_Write(NV_Write_In* in)
     TPM2_Packet_Init(ctx, &packet);
     TPM2_Packet_AppendU32(&packet, in->authHandle);
+    /* When using an HMAC or Policy session make sure the NV "name" is
+     * populated in the TPM2_AUTH_SESSION name.name. This is a computed
+     * hash (see TPM2_HashNvPublic) */
     TPM2_Packet_AppendU32(&packet, in->nvIndex);
     TPM2_Packet_AppendAuth(&packet, ctx, &info);