DA.c

// This file was extracted from the TCG Published
// Trusted Platform Module Library
// Part 4: Supporting Routines
// Family "2.0"
// Level 00 Revision 01.16
// October 30, 2014

#define DA_C
#include "InternalRoutines.h"
//
//
//           Functions
//
//            DAPreInstall_Init()
//
//      This function initializes the DA parameters to their manufacturer-default values. The default values are
//      determined by a platform-specific specification.
//      This function should not be called outside of a manufacturing or simulation environment.
//      The DA parameters will be restored to these initial values by TPM2_Clear().
//
void
DAPreInstall_Init(
     void
     )
{
     gp.failedTries = 0;
     // TODO(vbendeb): consider finer tuning of this value (crosbug.com/p/55708)
     gp.maxTries = 200;
     gp.recoveryTime = 1000;                  // in seconds (~16.67 minutes)
     gp.lockoutRecovery = 1000;               // in seconds
     gp.lockOutAuthEnabled = TRUE;            // Use of lockoutAuth is enabled
     // Record persistent DA parameter changes to NV
     NvWriteReserved(NV_FAILED_TRIES, &gp.failedTries);
     NvWriteReserved(NV_MAX_TRIES, &gp.maxTries);
     NvWriteReserved(NV_RECOVERY_TIME, &gp.recoveryTime);
     NvWriteReserved(NV_LOCKOUT_RECOVERY, &gp.lockoutRecovery);
     NvWriteReserved(NV_LOCKOUT_AUTH_ENABLED, &gp.lockOutAuthEnabled);
    return;
}
//
//
//          DAStartup()
//
//     This function is called by TPM2_Startup() to initialize the DA parameters. In the case of Startup(CLEAR),
//     use of lockoutAuth will be enabled if the lockout recovery time is 0. Otherwise, lockoutAuth will not be
//     enabled until the TPM has been continuously powered for the lockoutRecovery time.
//     This function requires that NV be available and not rate limiting.
//
void
DAStartup(
    STARTUP_TYPE         type               // IN: startup type
    )
{
    // For TPM Reset, if lockoutRecovery is 0, enable use of lockoutAuth.
    if(type == SU_RESET)
    {
        if(gp.lockoutRecovery == 0)
        {
            gp.lockOutAuthEnabled = TRUE;
            // Record the changes to NV
            NvWriteReserved(NV_LOCKOUT_AUTH_ENABLED, &gp.lockOutAuthEnabled);
        }
    }
    // If DA has not been disabled and the previous shutdown is not orderly
    // failedTries is not already at its maximum then increment 'failedTries'
    if(    gp.recoveryTime != 0
        && g_prevOrderlyState == SHUTDOWN_NONE
        && gp.failedTries < gp.maxTries)
    {
        gp.failedTries++;
        // Record the change to NV
        NvWriteReserved(NV_FAILED_TRIES, &gp.failedTries);
    }
    // Reset self healing timers
    s_selfHealTimer = g_time;
    s_lockoutTimer = g_time;
    return;
}
//
//
//          DARegisterFailure()
//
//     This function is called when a authorization failure occurs on an entity that is subject to dictionary-attack
//     protection. When a DA failure is triggered, register the failure by resetting the relevant self-healing timer
//     to the current time.
//
void
DARegisterFailure(
    TPM_HANDLE           handle             // IN: handle for failure
    )
{
    // Reset the timer associated with lockout if the handle is the lockout auth.
    if(handle == TPM_RH_LOCKOUT)
         s_lockoutTimer = g_time;
    else
         s_selfHealTimer = g_time;
//
   return;
}
//
//
//             DASelfHeal()
//
//      This function is called to check if sufficient time has passed to allow decrement of failedTries or to re-
//      enable use of lockoutAuth.
//      This function should be called when the time interval is updated.
//
void
DASelfHeal(
   void
   )
{
   // Regular auth self healing logic
   // If no failed authorization tries, do nothing. Otherwise, try to
   // decrease failedTries
   if(gp.failedTries != 0)
   {
       // if recovery time is 0, DA logic has been disabled. Clear failed tries
       // immediately
       if(gp.recoveryTime == 0)
       {
            gp.failedTries = 0;
            // Update NV record
            NvWriteReserved(NV_FAILED_TRIES, &gp.failedTries);
       }
       else
       {
            UINT64          decreaseCount;
               // In the unlikely event that failedTries should become larger than
               // maxTries
               if(gp.failedTries > gp.maxTries)
                   gp.failedTries = gp.maxTries;
               // How much can failedTried be decreased
               decreaseCount = ((g_time - s_selfHealTimer) / 1000) / gp.recoveryTime;
               if(gp.failedTries <= (UINT32) decreaseCount)
                   // should not set failedTries below zero
                   gp.failedTries = 0;
               else
                   gp.failedTries -= (UINT32) decreaseCount;
               // the cast prevents overflow of the product
               s_selfHealTimer += (decreaseCount * (UINT64)gp.recoveryTime) * 1000;
               if(decreaseCount != 0)
                   // If there was a change to the failedTries, record the changes
                   // to NV
                   NvWriteReserved(NV_FAILED_TRIES, &gp.failedTries);
         }
   }
   // LockoutAuth self healing logic
   // If lockoutAuth is enabled, do nothing. Otherwise, try to see if we
   // may enable it
   if(!gp.lockOutAuthEnabled)
   {
       // if lockout authorization recovery time is 0, a reboot is required to
       // re-enable use of lockout authorization. Self-healing would not
       // apply in this case.
       if(gp.lockoutRecovery != 0)
//
           {
                 if(((g_time - s_lockoutTimer)/1000) >= gp.lockoutRecovery)
                 {
                     gp.lockOutAuthEnabled = TRUE;
                     // Record the changes to NV
                     NvWriteReserved(NV_LOCKOUT_AUTH_ENABLED, &gp.lockOutAuthEnabled);
                 }
           }
     }
     return;
}