Home | History | Annotate | Download | only in tpm2 
      1 // This file was extracted from the TCG Published
      2 // Trusted Platform Module Library
      3 // Part 4: Supporting Routines
      4 // Family "2.0"
      5 // Level 00 Revision 01.16
      6 // October 30, 2014
      7 
      8 #include "InternalRoutines.h"
      9 #include "NV_spt_fp.h"
     10 //
     11 //
     12 //           Fuctions
     13 //
     14 //          NvReadAccessChecks()
     15 //
     16 //      Common routine for validating a read Used by TPM2_NV_Read(), TPM2_NV_ReadLock() and
     17 //      TPM2_PolicyNV()
     18 //
     19 //     Error Returns                     Meaning
     20 //
     21 //     TPM_RC_NV_AUTHORIZATION           autHandle is not allowed to authorize read of the index
     22 //     TPM_RC_NV_LOCKED                  Read locked
     23 //     TPM_RC_NV_UNINITIALIZED           Try to read an uninitialized index
     24 //
     25 TPM_RC
     26 NvReadAccessChecks(
     27    TPM_HANDLE          authHandle,             // IN: the handle that provided the
     28                                                //     authorization
     29    TPM_HANDLE          nvHandle                // IN: the handle of the NV index to be written
     30    )
     31 {
     32    NV_INDEX            nvIndex;
     33    // Get NV index info
     34    NvGetIndexInfo(nvHandle, &nvIndex);
     35 // This check may be done before doing authorization checks as is done in this
     36 // version of the reference code. If not done there, then uncomment the next
     37 // three lines.
     38 //    // If data is read locked, returns an error
     39 //    if(nvIndex.publicArea.attributes.TPMA_NV_READLOCKED == SET)
     40 //        return TPM_RC_NV_LOCKED;
     41    // If the authorization was provided by the owner or platform, then check
     42    // that the attributes allow the read. If the authorization handle
     43    // is the same as the index, then the checks were made when the authorization
     44    // was checked..
     45    if(authHandle == TPM_RH_OWNER)
     46    {
     47        // If Owner provided auth then ONWERWRITE must be SET
     48        if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERREAD)
     49            return TPM_RC_NV_AUTHORIZATION;
     50    }
     51    else if(authHandle == TPM_RH_PLATFORM)
     52    {
     53        // If Platform provided auth then PPWRITE must be SET
     54        if(!nvIndex.publicArea.attributes.TPMA_NV_PPREAD)
     55            return TPM_RC_NV_AUTHORIZATION;
     56    }
     57    // If neither Owner nor Platform provided auth, make sure that it was
     58    // provided by this index.
     59    else if(authHandle != nvHandle)
     60            return TPM_RC_NV_AUTHORIZATION;
     61    // If the index has not been written, then the value cannot be read
     62    // NOTE: This has to come after other access checks to make sure that
     63    // the proper authorization is given to TPM2_NV_ReadLock()
     64    if(nvIndex.publicArea.attributes.TPMA_NV_WRITTEN == CLEAR)
     65        return TPM_RC_NV_UNINITIALIZED;
     66    return TPM_RC_SUCCESS;
     67 }
     68 //
     69 //
     70 //         NvWriteAccessChecks()
     71 //
     72 //     Common routine for validating a write               Used    by    TPM2_NV_Write(),          TPM2_NV_Increment(),
     73 //     TPM2_SetBits(), and TPM2_NV_WriteLock()
     74 //
     75 //
     76 //
     77 //
     78 //     Error Returns                  Meaning
     79 //
     80 //     TPM_RC_NV_AUTHORIZATION        Authorization fails
     81 //     TPM_RC_NV_LOCKED               Write locked
     82 //
     83 TPM_RC
     84 NvWriteAccessChecks(
     85      TPM_HANDLE        authHandle,           // IN: the handle that provided the
     86                                              //     authorization
     87      TPM_HANDLE        nvHandle              // IN: the handle of the NV index to be written
     88      )
     89 {
     90      NV_INDEX          nvIndex;
     91      // Get NV index info
     92      NvGetIndexInfo(nvHandle, &nvIndex);
     93 // This check may be done before doing authorization checks as is done in this
     94 // version of the reference code. If not done there, then uncomment the next
     95 // three lines.
     96 //    // If data is write locked, returns an error
     97 //    if(nvIndex.publicArea.attributes.TPMA_NV_WRITELOCKED == SET)
     98 //        return TPM_RC_NV_LOCKED;
     99      // If the authorization was provided by the owner or platform, then check
    100      // that the attributes allow the write. If the authorization handle
    101      // is the same as the index, then the checks were made when the authorization
    102      // was checked..
    103      if(authHandle == TPM_RH_OWNER)
    104      {
    105          // If Owner provided auth then ONWERWRITE must be SET
    106          if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERWRITE)
    107              return TPM_RC_NV_AUTHORIZATION;
    108      }
    109      else if(authHandle == TPM_RH_PLATFORM)
    110      {
    111          // If Platform provided auth then PPWRITE must be SET
    112          if(!nvIndex.publicArea.attributes.TPMA_NV_PPWRITE)
    113              return TPM_RC_NV_AUTHORIZATION;
    114      }
    115      // If neither Owner nor Platform provided auth, make sure that it was
    116      // provided by this index.
    117      else if(authHandle != nvHandle)
    118              return TPM_RC_NV_AUTHORIZATION;
    119      return TPM_RC_SUCCESS;
    120 }
    121