trunks: Fix NVspace creation
This CL adds TPMA_NV_AUTHWRITE to the NVSpace creation attributes. This
is necessary because the TPM 2.0 spec v1.16 requires this attribute to be
set in order to use HMAC authorization.
BUG=None
TEST=trunks_client --regression_test on device
Change-Id: I051603739c773656f3df1b69e454bc325fb2fb6e
diff --git a/tpm_constants.h b/tpm_constants.h
index 53a483a..52bc24a 100644
--- a/tpm_constants.h
+++ b/tpm_constants.h
@@ -34,9 +34,11 @@
// TPM NV Index Attributes, defined in TPM Spec Part 2 section 13.2.
const TPMA_NV TPMA_NV_OWNERWRITE = 1U << 1;
+const TPMA_NV TPMA_NV_AUTHWRITE = 1U << 2;
const TPMA_NV TPMA_NV_WRITELOCKED = 1U << 11;
const TPMA_NV TPMA_NV_WRITEDEFINE = 1U << 13;
const TPMA_NV TPMA_NV_AUTHREAD = 1U << 18;
+const TPMA_NV TPMA_NV_NO_DA = 1U << 25;
const TPMA_NV TPMA_NV_WRITTEN = 1U << 29;
} // namespace trunks
diff --git a/tpm_utility_impl.cc b/tpm_utility_impl.cc
index 095e8aa..d3c861c 100644
--- a/tpm_utility_impl.cc
+++ b/tpm_utility_impl.cc
@@ -1165,7 +1165,16 @@
TPMS_NV_PUBLIC public_data;
public_data.nv_index = nv_index;
public_data.name_alg = TPM_ALG_SHA256;
- public_data.attributes = TPMA_NV_OWNERWRITE |
+ // We define the following attributes for NVSpaces created:
+ // TPMA_NV_NO_DA: Dictionary attack does not trigger on authorization errors.
+ // TPMA_NV_OWNERWRITE: Owner authorization must be provided on write actions.
+ // TPMA_NV_AUTHWRITE: Write authorizations can be provided by HMAC sessions.
+ // TPMA_NV_WRITEDEFINE: NVSpace is write lockable.
+ // TPMA_NV_AUTHREAD: The index authValue (default: "") can be used to
+ // authorize read actions.
+ public_data.attributes = TPMA_NV_NO_DA |
+ TPMA_NV_OWNERWRITE |
+ TPMA_NV_AUTHWRITE |
TPMA_NV_WRITEDEFINE |
TPMA_NV_AUTHREAD;
public_data.auth_policy = Make_TPM2B_DIGEST("");
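Review bot: The added TPMA_NV_NO_DA bit turns off dictionary-attack lockout accounting for authorization failures against every index created through this path, yet neither the commit description nor the new comment block explains why; the comment on that line should carry the rationale, e.g. `// TPMA_NV_NO_DA: failed authorizations against this index do not count toward DA lockout, so the index authValue is not protected against guessing.` Because TPMA_NV_AUTHREAD and TPMA_NV_AUTHWRITE let the index's own authValue authorize reads and writes (in addition to owner authorization via TPMA_NV_OWNERWRITE), the protection of the space then rests on the authValue supplied to the define call, which is outside this hunk, and on TPMA_NV_WRITEDEFINE locking, not on lockout — worth stating explicitly. The comment on TPMA_NV_AUTHWRITE is imprecise: the bit does not select HMAC sessions, it permits the index authValue rather than only the owner authorization to authorize writes; suggest `// TPMA_NV_AUTHWRITE: the index authValue may be used to authorize writes.` The enclosing function begins before this hunk, and the two constants it relies on are introduced in the tpm_constants.h hunk above.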
diff --git a/trunks_client_test.cc b/trunks_client_test.cc
index 2be8839..2d38fba 100644
--- a/trunks_client_test.cc
+++ b/trunks_client_test.cc
@@ -826,7 +826,7 @@
std::string new_nvdata;
session->SetEntityAuthorizationValue("");
result = utility->ReadNVSpace(index, 0, nv_data.size(),
- &new_nvdata, session->GetDelegate());
+ &new_nvdata, session->GetDelegate());
if (result != TPM_RC_SUCCESS) {
LOG(ERROR) << "Error reading nvram: " << GetErrorString(result);
return false;