trunks: Have LockNVSpace depend on owner_password

By making LockNVSpace depend on owner_password, we can remove
TPMA_NV_AUTHWRITE.
BUG=None
TEST=trunks_client --regression_test

Change-Id: Ib725f35e554f5e7299afa9803b331d2a116541fa
diff --git a/tpm_constants.h b/tpm_constants.h
index 52bc24a..e06cc65 100644
--- a/tpm_constants.h
+++ b/tpm_constants.h
@@ -34,7 +34,6 @@
 
 // TPM NV Index Attributes, defined in TPM Spec Part 2 section 13.2.
 const TPMA_NV TPMA_NV_OWNERWRITE = 1U << 1;
-const TPMA_NV TPMA_NV_AUTHWRITE = 1U << 2;
 const TPMA_NV TPMA_NV_WRITELOCKED = 1U << 11;
 const TPMA_NV TPMA_NV_WRITEDEFINE = 1U << 13;
 const TPMA_NV TPMA_NV_AUTHREAD = 1U << 18;
diff --git a/tpm_utility.h b/tpm_utility.h
index 5aa68c1..c2db557 100644
--- a/tpm_utility.h
+++ b/tpm_utility.h
@@ -265,7 +265,7 @@
 
   // This method locks the non-volatile space referred to by |index|. After a
   // non-volatile space has been locked, it cannot be written to. Locked spaces
-  // can still be freely read.
+  // can still be freely read. This command needs owner authorization.
   virtual TPM_RC LockNVSpace(uint32_t index,
                              AuthorizationDelegate* delegate) = 0;
 
diff --git a/tpm_utility_impl.cc b/tpm_utility_impl.cc
index d3c861c..dfecc90 100644
--- a/tpm_utility_impl.cc
+++ b/tpm_utility_impl.cc
@@ -1168,13 +1168,12 @@
   // We define the following attributes for NVSpaces created:
   // TPMA_NV_NO_DA: Dictionary attack does not trigger on authorization errors.
   // TPMA_NV_OWNERWRITE: Owner authorization must be provided on write actions.
-  // TPMA_NV_AUTHWRITE: Write authorizations can be provided by HMAC sessions.
-  // TPMA_NV_WRITEDEFINE: NVSpace is write lockable.
+  // TPMA_NV_WRITEDEFINE: NVSpace is write lockable, and lock persists across
+  //                      reboot.
   // TPMA_NV_AUTHREAD: The index authValue (default: "") can be used to
   //                   authorize read actions.
   public_data.attributes = TPMA_NV_NO_DA |
                            TPMA_NV_OWNERWRITE |
-                           TPMA_NV_AUTHWRITE |
                            TPMA_NV_WRITEDEFINE |
                            TPMA_NV_AUTHREAD;
   public_data.auth_policy = Make_TPM2B_DIGEST("");
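Review bot: The comment block above `public_data.attributes` does not say what happens to spaces that were defined before this change. NV attributes are fixed when an index is defined, so such spaces presumably still carry TPMA_NV_AUTHWRITE and can still be written or locked with the index authValue, which the TPMA_NV_AUTHREAD comment gives as the empty string by default. I would add `// Spaces defined by earlier builds keep TPMA_NV_AUTHWRITE until they are destroyed and redefined.` after the attribute list, and confirm whether any such spaces exist on provisioned devices. The enclosing function starts and ends outside the hunk.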
@@ -1253,8 +1252,8 @@
     return result;
   }
   uint32_t nv_index = NV_INDEX_FIRST + index;
-  result = factory_.GetTpm()->NV_WriteLockSync(nv_index,
-                                               nv_name,
+  result = factory_.GetTpm()->NV_WriteLockSync(TPM_RH_OWNER,
+                                               NameFromHandle(TPM_RH_OWNER),
                                                nv_index,
                                                nv_name,
                                                delegate);
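Review bot: Nothing at the `NV_WriteLockSync` call says that `delegate` must now carry owner authorization, so a caller that still passes a delegate holding the index authValue will get an authorization failure with no hint as to why. A comment above the call such as `// Authorized by the owner hierarchy: spaces are defined without TPMA_NV_AUTHWRITE, so |delegate| must hold the owner password.` would make the contract visible where the handle is chosen. The function body starts and ends outside the hunk, so how the failure is reported to the caller is not visible here.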
diff --git a/trunks_client_test.cc b/trunks_client_test.cc
index 2d38fba..73b8a0c 100644
--- a/trunks_client_test.cc
+++ b/trunks_client_test.cc
@@ -835,11 +835,13 @@
     LOG(ERROR) << "NV space had different data than was written.";
     return false;
   }
+  session->SetEntityAuthorizationValue(owner_password);
   result = utility->LockNVSpace(index, session->GetDelegate());
   if (result != TPM_RC_SUCCESS) {
     LOG(ERROR) << "Error locking nvram: " << GetErrorString(result);
     return false;
   }
+  session->SetEntityAuthorizationValue("");
   result = utility->ReadNVSpace(index, 0, nv_data.size(),
                             &new_nvdata, session->GetDelegate());
   if (result != TPM_RC_SUCCESS) {
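Review bot: The test covers only the success path of the new requirement: after `SetEntityAuthorizationValue(owner_password)` the lock succeeds, but nothing asserts that `LockNVSpace` is refused while the session holds only the empty index authValue, which is the property this commit introduces. A negative check placed before the owner password is set would catch a regression that re-enables index-authorized locking. It assumes owner_password is non-empty and that the session stays usable after a rejected command, both of which should be confirmed. The enclosing test function starts and ends outside the hunk.

```cpp
  // Locking must be refused while the session carries only the index auth.
  session->SetEntityAuthorizationValue("");
  result = utility->LockNVSpace(index, session->GetDelegate());
  if (result == TPM_RC_SUCCESS) {
    LOG(ERROR) << "NV space was locked without owner authorization.";
    return false;
  }
  session->SetEntityAuthorizationValue(owner_password);
  result = utility->LockNVSpace(index, session->GetDelegate());
  // … unchanged: error check on result, reset to "" and ReadNVSpace …
```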