diff options
Diffstat (limited to 'trunks/tpm_utility.h')
-rw-r--r-- | trunks/tpm_utility.h | 46 |
1 files changed, 37 insertions, 9 deletions
diff --git a/trunks/tpm_utility.h b/trunks/tpm_utility.h index bb61cfe..b282fa3 100644 --- a/trunks/tpm_utility.h +++ b/trunks/tpm_utility.h @@ -18,6 +18,7 @@ #define TRUNKS_TPM_UTILITY_H_ #include <string> +#include <vector> #include <base/macros.h> @@ -110,7 +111,7 @@ class TRUNKS_EXPORT TpmUtility { AuthorizationDelegate* delegate, std::string* ciphertext) = 0; - // This method performs a decyption operating using a loaded RSA key + // This method performs a decryption operating using a loaded RSA key // referenced by its handle |key_handle|. The |ciphertext| is then decrypted // to give us the |plaintext|. |scheme| refers to the decryption scheme // used. By default it is OAEP, but TPM_ALG_RSAES can be specified. @@ -247,11 +248,15 @@ class TRUNKS_EXPORT TpmUtility { // This method defines a non-volatile storage area in the TPM, referenced // by |index| of size |num_bytes|. This command needs owner authorization. - // By default non-volatile space created is unlocked and anyone can write to - // it. The space can be permanently locked for writing by calling the - // LockNVSpace method. + // The |attributes| of the space must be specified as a combination of + // TPMA_NV_* values. Optionally, an |authorization_value| and / or + // |policy_digest| can be specified which will be associated with the space. + // These values must either be a valid SHA256 digest (or empty). virtual TPM_RC DefineNVSpace(uint32_t index, size_t num_bytes, + TPMA_NV attributes, + const std::string& authorization_value, + const std::string& policy_digest, AuthorizationDelegate* delegate) = 0; // This method destroys the non-volatile space referred to by |index|. @@ -259,26 +264,34 @@ class TRUNKS_EXPORT TpmUtility { virtual TPM_RC DestroyNVSpace(uint32_t index, AuthorizationDelegate* delegate) = 0; - // This method locks the non-volatile space referred to by |index|. After a - // non-volatile space has been locked, it cannot be written to. Locked spaces - // can still be freely read. This command needs owner authorization. + // This method locks the non-volatile space referred to by |index|. The caller + // needs indicate whether they want to |lock_read| and / or |lock_write|. They + // also need to indicate if they are |using_owner_authorization|. virtual TPM_RC LockNVSpace(uint32_t index, + bool lock_read, + bool lock_write, + bool using_owner_authorization, AuthorizationDelegate* delegate) = 0; // This method writes |nvram_data| to the non-volatile space referenced by - // |index|, at |offset| bytes from the start of the non-volatile space. + // |index|, at |offset| bytes from the start of the non-volatile space. The + // caller needs to indicate if they are |using_owner_authorization|. If + // |extend| is set, the value will be extended and offset ignored. virtual TPM_RC WriteNVSpace(uint32_t index, uint32_t offset, const std::string& nvram_data, + bool using_owner_authorization, + bool extend, AuthorizationDelegate* delegate) = 0; // This method reads |num_bytes| of data from the |offset| located at the // non-volatile space defined by |index|. This method returns an error if // |length| + |offset| is larger than the size of the defined non-volatile - // space. + // space. The caller needs to indicate if they are |using_owner_authorization| virtual TPM_RC ReadNVSpace(uint32_t index, uint32_t offset, size_t num_bytes, + bool using_owner_authorization, std::string* nvram_data, AuthorizationDelegate* delegate) = 0; @@ -291,6 +304,21 @@ class TRUNKS_EXPORT TpmUtility { virtual TPM_RC GetNVSpacePublicArea(uint32_t index, TPMS_NV_PUBLIC* public_data) = 0; + // Lists all defined NV indexes. + virtual TPM_RC ListNVSpaces(std::vector<uint32_t>* index_list) = 0; + + // Sets dictionary attack parameters. Requires lockout authorization. + // Parameters map directly to TPM2_DictionaryAttackParameters in the TPM 2.0 + // specification. + virtual TPM_RC SetDictionaryAttackParameters( + uint32_t max_tries, + uint32_t recovery_time, + uint32_t lockout_recovery, + AuthorizationDelegate* delegate) = 0; + + // Reset dictionary attack lockout. Requires lockout authorization. + virtual TPM_RC ResetDictionaryAttackLock(AuthorizationDelegate* delegate) = 0; + private: DISALLOW_COPY_AND_ASSIGN(TpmUtility); }; |