trunks: Have LockNVSpace depend on owner_password
By making LockNVSpace depend on owner_password, we can remove
TPMA_NV_AUTHWRITE.
BUG=None
TEST=trunks_client --regression_test
Change-Id: Ib725f35e554f5e7299afa9803b331d2a116541fa
diff --git a/tpm_constants.h b/tpm_constants.h
index 52bc24a..e06cc65 100644
--- a/tpm_constants.h
+++ b/tpm_constants.h
@@ -34,7 +34,6 @@
// TPM NV Index Attributes, defined in TPM Spec Part 2 section 13.2.
const TPMA_NV TPMA_NV_OWNERWRITE = 1U << 1;
-const TPMA_NV TPMA_NV_AUTHWRITE = 1U << 2;
const TPMA_NV TPMA_NV_WRITELOCKED = 1U << 11;
const TPMA_NV TPMA_NV_WRITEDEFINE = 1U << 13;
const TPMA_NV TPMA_NV_AUTHREAD = 1U << 18;
diff --git a/tpm_utility.h b/tpm_utility.h
index 5aa68c1..c2db557 100644
--- a/tpm_utility.h
+++ b/tpm_utility.h
@@ -265,7 +265,7 @@
// This method locks the non-volatile space referred to by |index|. After a
// non-volatile space has been locked, it cannot be written to. Locked spaces
- // can still be freely read.
+ // can still be freely read. This command needs owner authorization.
virtual TPM_RC LockNVSpace(uint32_t index,
AuthorizationDelegate* delegate) = 0;
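Review bot: The added sentence states that the command needs owner authorization but not where that authorization comes from; since |delegate| is the only input, the contract should say so, e.g. `// can still be freely read. |delegate| must carry owner (TPM_RH_OWNER) authorization; the call fails otherwise.` TPM_RH_OWNER is the auth handle the implementation now passes to NV_WriteLockSync in this same commit, so naming it here keeps the header in step with the implementation.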
diff --git a/tpm_utility_impl.cc b/tpm_utility_impl.cc
index d3c861c..dfecc90 100644
--- a/tpm_utility_impl.cc
+++ b/tpm_utility_impl.cc
@@ -1168,13 +1168,12 @@
// We define the following attributes for NVSpaces created:
// TPMA_NV_NO_DA: Dictionary attack does not trigger on authorization errors.
// TPMA_NV_OWNERWRITE: Owner authorization must be provided on write actions.
- // TPMA_NV_AUTHWRITE: Write authorizations can be provided by HMAC sessions.
- // TPMA_NV_WRITEDEFINE: NVSpace is write lockable.
+ // TPMA_NV_WRITEDEFINE: NVSpace is write lockable, and lock persists across
+ // reboot.
// TPMA_NV_AUTHREAD: The index authValue (default: "") can be used to
// authorize read actions.
public_data.attributes = TPMA_NV_NO_DA |
TPMA_NV_OWNERWRITE |
- TPMA_NV_AUTHWRITE |
TPMA_NV_WRITEDEFINE |
TPMA_NV_AUTHREAD;
public_data.auth_policy = Make_TPM2B_DIGEST("");
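Review bot: The rewritten comment block explains TPMA_NV_WRITEDEFINE but does not record the consequence of dropping TPMA_NV_AUTHWRITE, which is the security-relevant part of this hunk: the index authValue (documented two lines below as defaulting to "") can no longer authorize writes, so write access is now gated solely by TPMA_NV_OWNERWRITE. A line such as `// Without TPMA_NV_AUTHWRITE the index authValue cannot authorize writes; only owner authorization can.` next to the TPMA_NV_AUTHREAD comment would make that asymmetry (empty authValue still reads, never writes) explicit for the next maintainer. The enclosing function starts outside the hunk.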
@@ -1253,8 +1252,8 @@
return result;
}
uint32_t nv_index = NV_INDEX_FIRST + index;
- result = factory_.GetTpm()->NV_WriteLockSync(nv_index,
- nv_name,
+ result = factory_.GetTpm()->NV_WriteLockSync(TPM_RH_OWNER,
+ NameFromHandle(TPM_RH_OWNER),
nv_index,
nv_name,
delegate);
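Review bot: The new first two arguments change the authorization the TPM checks from the index itself to the owner hierarchy, but nothing at the call site says so, and a caller passing a delegate without the owner password will get an authorization failure from NV_WriteLockSync with no hint why. A comment above the call, `// Auth handle is TPM_RH_OWNER: |delegate| must be configured with the owner password.`, ties this to the TPMA_NV_OWNERWRITE-only attribute set defined earlier in this file. LockNVSpace's body begins outside the hunk, so whether the error is logged or wrapped on return cannot be seen here.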
diff --git a/trunks_client_test.cc b/trunks_client_test.cc
index 2d38fba..73b8a0c 100644
--- a/trunks_client_test.cc
+++ b/trunks_client_test.cc
@@ -835,11 +835,13 @@
LOG(ERROR) << "NV space had different data than was written.";
return false;
}
+ session->SetEntityAuthorizationValue(owner_password);
result = utility->LockNVSpace(index, session->GetDelegate());
if (result != TPM_RC_SUCCESS) {
LOG(ERROR) << "Error locking nvram: " << GetErrorString(result);
return false;
}
+ session->SetEntityAuthorizationValue("");
result = utility->ReadNVSpace(index, 0, nv_data.size(),
&new_nvdata, session->GetDelegate());
if (result != TPM_RC_SUCCESS) {
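Review bot: Within this hunk the lock is only followed by a successful ReadNVSpace, which exercises the "locked spaces can still be read" half of the contract but not the lock itself; a WriteNVSpace after the lock that is expected to fail would confirm the write lock took effect, unless a later part of this test already does that (it is outside the hunk). Also, the early `return false;` after a LockNVSpace error leaves the session's entity authorization set to owner_password rather than restored to ""; harmless here since the test aborts, but worth a `// session auth intentionally left as-is on failure` comment if the session outlives this function. The enclosing test function starts and ends outside the hunk.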