1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
// This file was extracted from the TCG Published
// Trusted Platform Module Library
// Part 4: Supporting Routines
// Family "2.0"
// Level 00 Revision 01.16
// October 30, 2014
#include "InternalRoutines.h"
#include "NV_spt_fp.h"
//
//
// Fuctions
//
// NvReadAccessChecks()
//
// Common routine for validating a read Used by TPM2_NV_Read(), TPM2_NV_ReadLock() and
// TPM2_PolicyNV()
//
// Error Returns Meaning
//
// TPM_RC_NV_AUTHORIZATION autHandle is not allowed to authorize read of the index
// TPM_RC_NV_LOCKED Read locked
// TPM_RC_NV_UNINITIALIZED Try to read an uninitialized index
//
TPM_RC
NvReadAccessChecks(
TPM_HANDLE authHandle, // IN: the handle that provided the
// authorization
TPM_HANDLE nvHandle // IN: the handle of the NV index to be written
)
{
NV_INDEX nvIndex;
// Get NV index info
NvGetIndexInfo(nvHandle, &nvIndex);
// This check may be done before doing authorization checks as is done in this
// version of the reference code. If not done there, then uncomment the next
// three lines.
// // If data is read locked, returns an error
// if(nvIndex.publicArea.attributes.TPMA_NV_READLOCKED == SET)
// return TPM_RC_NV_LOCKED;
// If the authorization was provided by the owner or platform, then check
// that the attributes allow the read. If the authorization handle
// is the same as the index, then the checks were made when the authorization
// was checked..
if(authHandle == TPM_RH_OWNER)
{
// If Owner provided auth then ONWERWRITE must be SET
if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERREAD)
return TPM_RC_NV_AUTHORIZATION;
}
else if(authHandle == TPM_RH_PLATFORM)
{
// If Platform provided auth then PPWRITE must be SET
if(!nvIndex.publicArea.attributes.TPMA_NV_PPREAD)
return TPM_RC_NV_AUTHORIZATION;
}
// If neither Owner nor Platform provided auth, make sure that it was
// provided by this index.
else if(authHandle != nvHandle)
return TPM_RC_NV_AUTHORIZATION;
// If the index has not been written, then the value cannot be read
// NOTE: This has to come after other access checks to make sure that
// the proper authorization is given to TPM2_NV_ReadLock()
if(nvIndex.publicArea.attributes.TPMA_NV_WRITTEN == CLEAR)
return TPM_RC_NV_UNINITIALIZED;
return TPM_RC_SUCCESS;
}
//
//
// NvWriteAccessChecks()
//
// Common routine for validating a write Used by TPM2_NV_Write(), TPM2_NV_Increment(),
// TPM2_SetBits(), and TPM2_NV_WriteLock()
//
//
//
//
// Error Returns Meaning
//
// TPM_RC_NV_AUTHORIZATION Authorization fails
// TPM_RC_NV_LOCKED Write locked
//
TPM_RC
NvWriteAccessChecks(
TPM_HANDLE authHandle, // IN: the handle that provided the
// authorization
TPM_HANDLE nvHandle // IN: the handle of the NV index to be written
)
{
NV_INDEX nvIndex;
// Get NV index info
NvGetIndexInfo(nvHandle, &nvIndex);
// This check may be done before doing authorization checks as is done in this
// version of the reference code. If not done there, then uncomment the next
// three lines.
// // If data is write locked, returns an error
// if(nvIndex.publicArea.attributes.TPMA_NV_WRITELOCKED == SET)
// return TPM_RC_NV_LOCKED;
// If the authorization was provided by the owner or platform, then check
// that the attributes allow the write. If the authorization handle
// is the same as the index, then the checks were made when the authorization
// was checked..
if(authHandle == TPM_RH_OWNER)
{
// If Owner provided auth then ONWERWRITE must be SET
if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERWRITE)
return TPM_RC_NV_AUTHORIZATION;
}
else if(authHandle == TPM_RH_PLATFORM)
{
// If Platform provided auth then PPWRITE must be SET
if(!nvIndex.publicArea.attributes.TPMA_NV_PPWRITE)
return TPM_RC_NV_AUTHORIZATION;
}
// If neither Owner nor Platform provided auth, make sure that it was
// provided by this index.
else if(authHandle != nvHandle)
return TPM_RC_NV_AUTHORIZATION;
return TPM_RC_SUCCESS;
}
|
