trunks: Fix NVspace creation

This CL adds TPMA_NV_AUTHWRITE to the NVSpace creation attributes. This
is necessary because the Tpm2.0 spec v1.16 introduces the need to define
this attribute to use HMAC authorization.

BUG=None
TEST=trunks_client --regression_test on device

Change-Id: I051603739c773656f3df1b69e454bc325fb2fb6e
diff --git a/tpm_constants.h b/tpm_constants.h
index 53a483a..52bc24a 100644
--- a/tpm_constants.h
+++ b/tpm_constants.h
@@ -34,9 +34,11 @@
 
 // TPM NV Index Attributes, defined in TPM Spec Part 2 section 13.2.
 const TPMA_NV TPMA_NV_OWNERWRITE = 1U << 1;
+const TPMA_NV TPMA_NV_AUTHWRITE = 1U << 2;
 const TPMA_NV TPMA_NV_WRITELOCKED = 1U << 11;
 const TPMA_NV TPMA_NV_WRITEDEFINE = 1U << 13;
 const TPMA_NV TPMA_NV_AUTHREAD = 1U << 18;
+const TPMA_NV TPMA_NV_NO_DA = 1U << 25;
 const TPMA_NV TPMA_NV_WRITTEN = 1U << 29;
 
 }  // namespace trunks
diff --git a/tpm_utility_impl.cc b/tpm_utility_impl.cc
index 095e8aa..d3c861c 100644
--- a/tpm_utility_impl.cc
+++ b/tpm_utility_impl.cc
@@ -1165,7 +1165,16 @@
   TPMS_NV_PUBLIC public_data;
   public_data.nv_index = nv_index;
   public_data.name_alg = TPM_ALG_SHA256;
-  public_data.attributes = TPMA_NV_OWNERWRITE |
+  // We define the following attributes for NVSpaces created:
+  // TPMA_NV_NO_DA: Dictionary attack does not trigger on authorization errors.
+  // TPMA_NV_OWNERWRITE: Owner authorization must be provided on write actions.
+  // TPMA_NV_AUTHWRITE: Write authorizations can be provided by HMAC sessions.
+  // TPMA_NV_WRITEDEFINE: NVSpace is write lockable.
+  // TPMA_NV_AUTHREAD: The index authValue (default: "") can be used to
+  //                   authorize read actions.
+  public_data.attributes = TPMA_NV_NO_DA |
+                           TPMA_NV_OWNERWRITE |
+                           TPMA_NV_AUTHWRITE |
                            TPMA_NV_WRITEDEFINE |
                            TPMA_NV_AUTHREAD;
   public_data.auth_policy = Make_TPM2B_DIGEST("");
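Review bot: The new comment describes TPMA_NV_OWNERWRITE as "Owner authorization must be provided on write actions", but the attribute bits are alternatives, and once TPMA_NV_AUTHWRITE is OR-ed in two lines later the index authValue can authorize a write as well. Going by the AUTHREAD comment, that authValue defaults to "", so unless a caller sets one (not visible here) writes before the write-lock would appear to need no secret; the comments should say so, e.g. `// TPMA_NV_OWNERWRITE: Owner authorization may be used to authorize writes.` and `// TPMA_NV_AUTHWRITE: The index authValue may be used to authorize writes.`. TPMA_NV_NO_DA is also added although the commit message names only AUTHWRITE; it exempts the index from dictionary-attack lockout, which is harmless for an empty authValue but removes guess throttling if a non-empty one is ever used, so the comment should give the reason in one line. The enclosing function starts and ends outside the hunk.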
diff --git a/trunks_client_test.cc b/trunks_client_test.cc
index 2be8839..2d38fba 100644
--- a/trunks_client_test.cc
+++ b/trunks_client_test.cc
@@ -826,7 +826,7 @@
   std::string new_nvdata;
   session->SetEntityAuthorizationValue("");
   result = utility->ReadNVSpace(index, 0, nv_data.size(),
-                            &new_nvdata, session->GetDelegate());
+                                &new_nvdata, session->GetDelegate());
   if (result != TPM_RC_SUCCESS) {
     LOG(ERROR) << "Error reading nvram: " << GetErrorString(result);
     return false;