| 1 | // This file was extracted from the TCG Published |
| 2 | // Trusted Platform Module Library |
| 3 | // Part 4: Supporting Routines |
| 4 | // Family "2.0" |
| 5 | // Level 00 Revision 01.16 |
| 6 | // October 30, 2014 |
| 7 | |
| 8 | #include "InternalRoutines.h" |
| 9 | #include "NV_spt_fp.h" |
| 10 | // |
| 11 | // |
| 12 | // Functions |
| 13 | // |
//          NvReadAccessChecks()
//
// Common routine for validating a read of an NV index. Used by TPM2_NV_Read(),
// TPM2_NV_ReadLock() and TPM2_PolicyNV().
//
// The routine decides whether the entity that supplied the authorization
// (authHandle) is permitted to read the index (nvHandle), and then whether the
// index holds data that can be read.
//
// Error Returns                  Meaning
//
// TPM_RC_NV_AUTHORIZATION        authHandle is not allowed to authorize read of
//                                the index
// TPM_RC_NV_LOCKED               Read locked. NOTE(review): not returned by this
//                                routine as written; the lock check in the body
//                                is commented out and is expected to be made by
//                                the caller.
// TPM_RC_NV_UNINITIALIZED        Try to read an uninitialized index
//
TPM_RC
NvReadAccessChecks(
    TPM_HANDLE       authHandle,    // IN: the handle that provided the
                                    //     authorization
    TPM_HANDLE       nvHandle       // IN: the handle of the NV index to be read
    )
{
    NV_INDEX        index;
    int             readAllowed;

    // Fetch the index description. The result is used without any check here,
    // so nvHandle is presumably already known to reference a defined index --
    // TODO confirm against the callers.
    NvGetIndexInfo(nvHandle, &index);

    // The read-lock check may be done before the authorization checks, as is
    // done in this version of the reference code. If it is not done there,
    // then uncomment the next three lines.
    //    // If data is read locked, returns an error
    //    if(index.publicArea.attributes.TPMA_NV_READLOCKED == SET)
    //        return TPM_RC_NV_LOCKED;

    // Work out whether the authorizing entity may read this index.
    if(authHandle == TPM_RH_OWNER)
    {
        // Owner authorization is only good for reading if OWNERREAD is SET
        readAllowed = (index.publicArea.attributes.TPMA_NV_OWNERREAD != 0);
    }
    else if(authHandle == TPM_RH_PLATFORM)
    {
        // Platform authorization is only good for reading if PPREAD is SET
        readAllowed = (index.publicArea.attributes.TPMA_NV_PPREAD != 0);
    }
    else
    {
        // Neither Owner nor Platform: the authorization must have come from
        // the index itself. No index attribute is examined in this case; the
        // attribute checks are relied on to have been made when the
        // authorization itself was checked.
        readAllowed = (authHandle == nvHandle);
    }

    if(!readAllowed)
        return TPM_RC_NV_AUTHORIZATION;

    // If the index has not been written, then the value cannot be read.
    // NOTE: This has to come after the other access checks to make sure that
    // the proper authorization is given to TPM2_NV_ReadLock(). As a result, a
    // caller that fails authorization gets TPM_RC_NV_AUTHORIZATION before the
    // written state of the index is examined.
    if(index.publicArea.attributes.TPMA_NV_WRITTEN == CLEAR)
        return TPM_RC_NV_UNINITIALIZED;

    return TPM_RC_SUCCESS;
}
| 68 | // |
| 69 | // |
//          NvWriteAccessChecks()
//
// Common routine for validating a write of an NV index. Used by TPM2_NV_Write(),
// TPM2_NV_Increment(), TPM2_SetBits(), and TPM2_NV_WriteLock().
//
// The routine decides whether the entity that supplied the authorization
// (authHandle) is permitted to write the index (nvHandle).
//
// Error Returns                  Meaning
//
// TPM_RC_NV_AUTHORIZATION        Authorization fails
// TPM_RC_NV_LOCKED               Write locked. NOTE(review): not returned by
//                                this routine as written; the lock check in the
//                                body is commented out and is expected to be
//                                made by the caller.
//
TPM_RC
NvWriteAccessChecks(
    TPM_HANDLE       authHandle,    // IN: the handle that provided the
                                    //     authorization
    TPM_HANDLE       nvHandle       // IN: the handle of the NV index to be written
    )
{
    NV_INDEX        index;
    int             writeAllowed;

    // Fetch the index description. The result is used without any check here,
    // so nvHandle is presumably already known to reference a defined index --
    // TODO confirm against the callers.
    NvGetIndexInfo(nvHandle, &index);

    // The write-lock check may be done before the authorization checks, as is
    // done in this version of the reference code. If it is not done there,
    // then uncomment the next three lines.
    //    // If data is write locked, returns an error
    //    if(index.publicArea.attributes.TPMA_NV_WRITELOCKED == SET)
    //        return TPM_RC_NV_LOCKED;

    // Work out whether the authorizing entity may write this index.
    if(authHandle == TPM_RH_OWNER)
    {
        // Owner authorization is only good for writing if OWNERWRITE is SET
        writeAllowed = (index.publicArea.attributes.TPMA_NV_OWNERWRITE != 0);
    }
    else if(authHandle == TPM_RH_PLATFORM)
    {
        // Platform authorization is only good for writing if PPWRITE is SET
        writeAllowed = (index.publicArea.attributes.TPMA_NV_PPWRITE != 0);
    }
    else
    {
        // Neither Owner nor Platform: the authorization must have come from
        // the index itself. No index attribute is examined in this case; the
        // attribute checks are relied on to have been made when the
        // authorization itself was checked.
        writeAllowed = (authHandle == nvHandle);
    }

    return writeAllowed ? TPM_RC_SUCCESS : TPM_RC_NV_AUTHORIZATION;
}