1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_esys.h"
14
15 #include "esys_iutil.h"
16 #define LOGMODULE test
17 #include "util/log.h"
18 #include "util/aux_util.h"
19
20 /** This test is intended to test the ESAPI commands PolicyAuthValue,
21 * PolicyCommandCode, Esys_PolicyGetDigest, and NV_ChangeAuth.
22 *
23 * First in a trial session the policy value to ensure that the auth value
24 * is included in the policy session used for NV_ChangeAuth is
25 * computed.
26 * A NV ram space with this policy is defined afterwards.
27 * With a real policy session the auth value of this NV ram space
28 * will be changed.
29 *
30 * Tested ESAPI commands:
31 * - Esys_FlushContext() (M)
32 * - Esys_NV_ChangeAuth() (M)
33 * - Esys_NV_DefineSpace() (M)
34 * - Esys_NV_UndefineSpace() (M)
35 * - Esys_PolicyAuthValue() (M)
36 * - Esys_PolicyCommandCode() (M)
37 * - Esys_PolicyGetDigest() (M)
38 * - Esys_StartAuthSession() (M)
39 *
40 * @param[in,out] esys_context The ESYS_CONTEXT.
41 * @retval EXIT_FAILURE
42 * @retval EXIT_SUCCESS
43 */
44
45 int
test_esys_policy_nv_changeauth(ESYS_CONTEXT * esys_context)46 test_esys_policy_nv_changeauth(ESYS_CONTEXT * esys_context)
47 {
48 TSS2_RC r;
49 ESYS_TR nvHandle = ESYS_TR_NONE;
50 ESYS_TR policySession = ESYS_TR_NONE;
51
52 TPM2B_DIGEST *policyDigestTrial = NULL;
53
54 /*
55 * Firth the policy value for changing the auth value of an NV index has to be
56 * determined with a policy trial session.
57 */
58 ESYS_TR sessionTrial = ESYS_TR_NONE;
59 TPMT_SYM_DEF symmetricTrial = {.algorithm = TPM2_ALG_AES,
60 .keyBits = {.aes = 128},
61 .mode = {.aes = TPM2_ALG_CFB}
62 };
63 TPM2B_NONCE nonceCallerTrial = {
64 .size = 20,
65 .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11,
66 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}
67 };
68
69 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
70 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
71 &nonceCallerTrial,
72 TPM2_SE_TRIAL, &symmetricTrial, TPM2_ALG_SHA1,
73 &sessionTrial);
74 goto_if_error(r, "Error: During initialization of policy trial session", error);
75
76 r = Esys_PolicyAuthValue(esys_context,
77 sessionTrial,
78 ESYS_TR_NONE,
79 ESYS_TR_NONE,
80 ESYS_TR_NONE
81 );
82 goto_if_error(r, "Error: PolicyAuthValue", error);
83
84 r = Esys_PolicyCommandCode(esys_context,
85 sessionTrial,
86 ESYS_TR_NONE,
87 ESYS_TR_NONE,
88 ESYS_TR_NONE,
89 TPM2_CC_NV_ChangeAuth
90 );
91 goto_if_error(r, "Error: PolicyCommandCode", error);
92
93 r = Esys_PolicyGetDigest(esys_context,
94 sessionTrial,
95 ESYS_TR_NONE,
96 ESYS_TR_NONE,
97 ESYS_TR_NONE,
98 &policyDigestTrial
99 );
100 goto_if_error(r, "Error: PolicyGetDigest", error);
101
102 r = Esys_FlushContext(esys_context, sessionTrial);
103 goto_if_error(r, "Flushing context", error);
104
105 TPM2B_AUTH auth = {.size = 20,
106 .buffer={10, 11, 12, 13, 14, 15, 16, 17, 18, 19,
107 20, 21, 22, 23, 24, 25, 26, 27, 28, 29}};
108
109 TPM2B_NV_PUBLIC publicInfo = {
110 .size = 0,
111 .nvPublic = {
112 .nvIndex =TPM2_NV_INDEX_FIRST,
113 .nameAlg = TPM2_ALG_SHA1,
114 .attributes = (
115 TPMA_NV_OWNERWRITE |
116 TPMA_NV_AUTHWRITE |
117 TPMA_NV_WRITE_STCLEAR |
118 TPMA_NV_READ_STCLEAR |
119 TPMA_NV_AUTHREAD |
120 TPMA_NV_OWNERREAD
121 ),
122 .authPolicy = *policyDigestTrial,
123 .dataSize = 32,
124 }
125 };
126
127
128 r = Esys_NV_DefineSpace(esys_context,
129 ESYS_TR_RH_OWNER,
130 ESYS_TR_PASSWORD,
131 ESYS_TR_NONE,
132 ESYS_TR_NONE,
133 &auth,
134 &publicInfo,
135 &nvHandle);
136
137 goto_if_error(r, "Error esys define nv space", error);
138
139 TPM2B_AUTH newAuth = {.size = 20,
140 .buffer={30, 31, 32, 33, 34, 35, 36, 37, 38, 39,
141 40, 41, 42, 43, 44, 45, 46, 47, 48, 49}};
142
143 TPMT_SYM_DEF policySymmetric = {.algorithm = TPM2_ALG_AES,
144 .keyBits = {.aes = 128},
145 .mode = {.aes = TPM2_ALG_CFB}
146 };
147 TPM2B_NONCE policyNonceCaller = {
148 .size = 20,
149 .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11,
150 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}
151 };
152
153 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
154 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
155 &policyNonceCaller,
156 TPM2_SE_POLICY, &policySymmetric, TPM2_ALG_SHA1,
157 &policySession);
158 goto_if_error(r, "Error: During initialization of policy trial session", error);
159
160
161 r = Esys_PolicyAuthValue(esys_context,
162 policySession,
163 ESYS_TR_NONE,
164 ESYS_TR_NONE,
165 ESYS_TR_NONE
166 );
167 goto_if_error(r, "Error: PolicyAuthValue", error);
168
169 r = Esys_PolicyCommandCode(esys_context,
170 policySession,
171 ESYS_TR_NONE,
172 ESYS_TR_NONE,
173 ESYS_TR_NONE,
174 TPM2_CC_NV_ChangeAuth
175 );
176 goto_if_error(r, "Error: PolicyCommandCode", error);
177
178 r = Esys_NV_ChangeAuth(esys_context,
179 nvHandle,
180 policySession,
181 ESYS_TR_NONE,
182 ESYS_TR_NONE,
183 &newAuth
184 );
185 goto_if_error(r, "Error: NV_ChangeAuth", error);
186
187 r = Esys_NV_UndefineSpace(esys_context,
188 ESYS_TR_RH_OWNER,
189 nvHandle,
190 ESYS_TR_PASSWORD,
191 ESYS_TR_NONE,
192 ESYS_TR_NONE
193 );
194 goto_if_error(r, "Error: NV_UndefineSpace", error);
195
196 r = Esys_FlushContext(esys_context, policySession);
197 goto_if_error(r, "Flushing context", error);
198
199 /* Check DefineSpace with auth equal NULL */
200
201 r = Esys_NV_DefineSpace(esys_context,
202 ESYS_TR_RH_OWNER,
203 ESYS_TR_PASSWORD,
204 ESYS_TR_NONE,
205 ESYS_TR_NONE,
206 NULL,
207 &publicInfo,
208 &nvHandle);
209
210 goto_if_error(r, "Error esys define nv space", error);
211
212 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
213 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
214 &policyNonceCaller,
215 TPM2_SE_POLICY, &policySymmetric, TPM2_ALG_SHA1,
216 &policySession);
217 goto_if_error(r, "Error: During initialization of policy trial session", error);
218
219
220 r = Esys_PolicyAuthValue(esys_context,
221 policySession,
222 ESYS_TR_NONE,
223 ESYS_TR_NONE,
224 ESYS_TR_NONE
225 );
226 goto_if_error(r, "Error: PolicyAuthValue", error);
227
228 r = Esys_PolicyCommandCode(esys_context,
229 policySession,
230 ESYS_TR_NONE,
231 ESYS_TR_NONE,
232 ESYS_TR_NONE,
233 TPM2_CC_NV_ChangeAuth
234 );
235 goto_if_error(r, "Error: PolicyCommandCode", error);
236
237 r = Esys_NV_ChangeAuth(esys_context,
238 nvHandle,
239 policySession,
240 ESYS_TR_NONE,
241 ESYS_TR_NONE,
242 NULL
243 );
244 goto_if_error(r, "Error: NV_ChangeAuth", error);
245
246 r = Esys_NV_UndefineSpace(esys_context,
247 ESYS_TR_RH_OWNER,
248 nvHandle,
249 ESYS_TR_PASSWORD,
250 ESYS_TR_NONE,
251 ESYS_TR_NONE
252 );
253 goto_if_error(r, "Error: NV_UndefineSpace", error);
254
255 r = Esys_FlushContext(esys_context, policySession);
256 goto_if_error(r, "Flushing context", error);
257
258 Esys_Free(policyDigestTrial);
259 return EXIT_SUCCESS;
260
261 error:
262
263 if (sessionTrial != ESYS_TR_NONE) {
264 if (Esys_FlushContext(esys_context, sessionTrial) != TSS2_RC_SUCCESS) {
265 LOG_ERROR("Cleanup policySession failed.");
266 }
267 }
268
269 if (policySession != ESYS_TR_NONE) {
270 if (Esys_FlushContext(esys_context, policySession) != TSS2_RC_SUCCESS) {
271 LOG_ERROR("Cleanup policySession failed.");
272 }
273 }
274
275 if (nvHandle != ESYS_TR_NONE) {
276 if (Esys_NV_UndefineSpace(esys_context,
277 ESYS_TR_RH_OWNER,
278 nvHandle,
279 ESYS_TR_PASSWORD,
280 ESYS_TR_NONE,
281 ESYS_TR_NONE) != TSS2_RC_SUCCESS) {
282 LOG_ERROR("Cleanup nvHandle failed.");
283 }
284 }
285
286 Esys_Free(policyDigestTrial);
287 return EXIT_FAILURE;
288 }
289
290 int
test_invoke_esapi(ESYS_CONTEXT * esys_context)291 test_invoke_esapi(ESYS_CONTEXT * esys_context) {
292 return test_esys_policy_nv_changeauth(esys_context);
293 }
294