Merge pull request #486 from gomesj/main

ea_commands: add policy_authorize_nv

Author: wiktor-k

tss-esapi/src/context/tpm_commands/enhanced_authorization_ea_commands.rs

@@ -3,15 +3,15 @@
 use crate::{
     attributes::LocalityAttributes,
     constants::CommandCode,
-    handles::{AuthHandle, ObjectHandle, SessionHandle},
-    interface_types::{session_handles::PolicySession, YesNo},
+    handles::{AuthHandle, NvIndexHandle, ObjectHandle, SessionHandle},
+    interface_types::{resource_handles::NvAuth, session_handles::PolicySession, YesNo},
     structures::{
         AuthTicket, Digest, DigestList, Name, Nonce, PcrSelectionList, Signature, Timeout,
         VerifiedTicket,
     },
     tss2_esys::{
-        Esys_PolicyAuthValue, Esys_PolicyAuthorize, Esys_PolicyCommandCode, Esys_PolicyCpHash,
-        Esys_PolicyDuplicationSelect, Esys_PolicyGetDigest, Esys_PolicyLocality,
+        Esys_PolicyAuthValue, Esys_PolicyAuthorize, Esys_PolicyAuthorizeNV, Esys_PolicyCommandCode,
+        Esys_PolicyCpHash, Esys_PolicyDuplicationSelect, Esys_PolicyGetDigest, Esys_PolicyLocality,
         Esys_PolicyNameHash, Esys_PolicyNvWritten, Esys_PolicyOR, Esys_PolicyPCR,
         Esys_PolicyPassword, Esys_PolicyPhysicalPresence, Esys_PolicySecret, Esys_PolicySigned,
         Esys_PolicyTemplate,
@@ -593,5 +593,137 @@ impl Context {
             },
         )
     }
-    // Missing function: PolicyAuthorizeNV
+
+    /// Cause conditional gating of a policy based on an authorized policy
+    /// stored in non-volatile memory.
+    ///
+    /// # Arguments
+    /// * `policy_session` - The [policy session][PolicySession] being extended.
+    /// * `auth_handle` - Handle indicating the source of authorization value.
+    /// * `nv_index_handle` - The [NvIndexHandle] associated with NV memory
+    ///                       where the policy is stored.
+    ///
+    /// # Example
+    /// ```rust
+    /// # use std::convert::TryFrom;
+    /// # use tss_esapi::attributes::{NvIndexAttributes, SessionAttributes};
+    /// # use tss_esapi::constants::SessionType;
+    /// # use tss_esapi::handles::NvIndexTpmHandle;
+    /// # use tss_esapi::interface_types::{
+    /// #     algorithm::HashingAlgorithm,
+    /// #     resource_handles::{NvAuth, Provision},
+    /// #     session_handles::PolicySession,
+    /// # };
+    /// # use tss_esapi::structures::{NvPublic, SymmetricDefinition};
+    /// # use tss_esapi::{Context, TctiNameConf};
+    /// #
+    /// # let mut context = // ...
+    /// #     Context::new(
+    /// #         TctiNameConf::from_environment_variable().expect("Failed to get TCTI"),
+    /// #     ).expect("Failed to create Context");
+    /// #
+    /// # // Set owner session for NV space definition
+    /// # let owner_auth_session = context
+    /// #     .start_auth_session(
+    /// #         None,
+    /// #         None,
+    /// #         None,
+    /// #         SessionType::Hmac,
+    /// #         SymmetricDefinition::AES_256_CFB,
+    /// #         tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha256,
+    /// #     )
+    /// #     .expect("Failed to create session")
+    /// #     .expect("Received invalid handle");
+    /// # let (session_attributes, session_attributes_mask) = SessionAttributes::builder()
+    /// #     .with_decrypt(true)
+    /// #     .with_encrypt(true)
+    /// #     .build();
+    /// # context.tr_sess_set_attributes(owner_auth_session, session_attributes, session_attributes_mask)
+    /// #     .expect("Failed to set attributes on session");
+    /// # context.set_sessions((Some(owner_auth_session), None, None));
+    /// #
+    /// # let trial_session = context
+    /// #     .start_auth_session(
+    /// #         None,
+    /// #         None,
+    /// #         None,
+    /// #         SessionType::Trial,
+    /// #         SymmetricDefinition::AES_256_CFB,
+    /// #         HashingAlgorithm::Sha256,
+    /// #     )
+    /// #     .expect("Start auth session failed")
+    /// #     .expect("Start auth session returned a NONE handle");
+    /// #
+    /// # let (policy_auth_session_attributes, policy_auth_session_attributes_mask) =
+    /// #     SessionAttributes::builder()
+    /// #         .with_decrypt(true)
+    /// #         .with_encrypt(true)
+    /// #         .build();
+    /// # context
+    /// #     .tr_sess_set_attributes(
+    /// #         trial_session,
+    /// #         policy_auth_session_attributes,
+    /// #         policy_auth_session_attributes_mask,
+    /// #     )
+    /// #     .expect("tr_sess_set_attributes call failed");
+    /// #
+    /// # let policy_session = PolicySession::try_from(trial_session)
+    /// #     .expect("Failed to convert auth session into policy session");
+    /// #
+    /// # let nv_index = NvIndexTpmHandle::new(0x01500600)
+    /// #     .expect("Failed to create NV index tpm handle");
+    /// #
+    /// # // Create NV index attributes
+    /// # let owner_nv_index_attributes = NvIndexAttributes::builder()
+    /// #     .with_owner_write(true)
+    /// #     .with_owner_read(true)
+    /// #     .build()
+    /// #     .expect("Failed to create owner nv index attributes");
+    /// #
+    /// # // Create owner nv public.
+    /// # let owner_nv_public = NvPublic::builder()
+    /// #     .with_nv_index(nv_index)
+    /// #     .with_index_name_algorithm(HashingAlgorithm::Sha256)
+    /// #     .with_index_attributes(owner_nv_index_attributes)
+    /// #     .with_data_area_size(32)
+    /// #     .build()
+    /// #     .expect("Failed to build NvPublic for owner");
+    /// #
+    /// let nv_index_handle = context
+    ///    .nv_define_space(Provision::Owner, None, owner_nv_public)
+    ///    .expect("Call to nv_define_space failed");
+    ///
+    /// context.policy_authorize_nv(
+    ///     policy_session,
+    ///     NvAuth::Owner,
+    ///     nv_index_handle,
+    /// ).expect("failed to extend policy with policy_authorize_nv");;
+    /// #
+    /// # context
+    /// #     .nv_undefine_space(Provision::Owner, nv_index_handle)
+    /// #     .expect("Call to nv_undefine_space failed");
+    /// ```
+    pub fn policy_authorize_nv(
+        &mut self,
+        policy_session: PolicySession,
+        auth_handle: NvAuth,
+        nv_index_handle: NvIndexHandle,
+    ) -> Result<()> {
+        ReturnCode::ensure_success(
+            unsafe {
+                Esys_PolicyAuthorizeNV(
+                    self.mut_context(),
+                    AuthHandle::from(auth_handle).into(),
+                    nv_index_handle.into(),
+                    SessionHandle::from(policy_session).into(),
+                    self.optional_session_1(),
+                    self.optional_session_2(),
+                    self.optional_session_3(),
+                )
+            },
+            |ret| {
+                error!("Error when computing policy authorize NV: {:#010X}", ret);
+            },
+        )
+    }
 }

tss-esapi/tests/integration_tests/abstraction_tests/nv_tests.rs

@@ -1,10 +1,7 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 
-use std::{
-    convert::TryFrom,
-    io::{ErrorKind, Seek, SeekFrom, Write},
-};
+use std::io::{ErrorKind, Seek, SeekFrom, Write};
 use tss_esapi::{
     abstraction::nv,
     attributes::NvIndexAttributesBuilder,
@@ -13,52 +10,10 @@ use tss_esapi::{
         algorithm::HashingAlgorithm,
         resource_handles::{NvAuth, Provision},
     },
-    structures::{MaxNvBuffer, NvPublicBuilder},
-    Context,
+    structures::NvPublicBuilder,
 };
 
-use crate::common::create_ctx_with_session;
-
-fn write_nv_index(context: &mut Context, nv_index: NvIndexTpmHandle) -> NvIndexHandle {
-    // Create owner nv public.
-    let owner_nv_index_attributes = NvIndexAttributesBuilder::new()
-        .with_owner_write(true)
-        .with_owner_read(true)
-        .with_pp_read(true)
-        .with_owner_read(true)
-        .build()
-        .expect("Failed to create owner nv index attributes");
-
-    let owner_nv_public = NvPublicBuilder::new()
-        .with_nv_index(nv_index)
-        .with_index_name_algorithm(HashingAlgorithm::Sha256)
-        .with_index_attributes(owner_nv_index_attributes)
-        .with_data_area_size(1540)
-        .build()
-        .unwrap();
-
-    let owner_nv_index_handle = context
-        .nv_define_space(Provision::Owner, None, owner_nv_public)
-        .unwrap();
-
-    let value = [1, 2, 3, 4, 5, 6, 7];
-    let expected_data = MaxNvBuffer::try_from(value.to_vec()).unwrap();
-
-    // Write the data using Owner authorization
-    context
-        .nv_write(
-            NvAuth::Owner,
-            owner_nv_index_handle,
-            expected_data.clone(),
-            0,
-        )
-        .unwrap();
-    context
-        .nv_write(NvAuth::Owner, owner_nv_index_handle, expected_data, 1024)
-        .unwrap();
-
-    owner_nv_index_handle
-}
+use crate::common::{create_ctx_with_session, write_nv_index};
 
 #[test]
 fn list() {

tss-esapi/tests/integration_tests/common/mod.rs

@@ -10,22 +10,24 @@ use std::{
 use tss_esapi::{
     abstraction::{cipher::Cipher, pcr::PcrData},
     attributes::ObjectAttributes,
-    attributes::{ObjectAttributesBuilder, SessionAttributesBuilder},
+    attributes::{NvIndexAttributesBuilder, ObjectAttributesBuilder, SessionAttributesBuilder},
     constants::SessionType,
+    handles::{NvIndexHandle, NvIndexTpmHandle},
     interface_types::{
         algorithm::SymmetricMode,
         algorithm::{HashingAlgorithm, PublicAlgorithm, RsaSchemeAlgorithm},
         key_bits::RsaKeyBits,
         key_bits::{AesKeyBits, Sm4KeyBits},
-        resource_handles::Hierarchy,
+        resource_handles::{Hierarchy, NvAuth, Provision},
         session_handles::PolicySession,
     },
     structures::{
         Digest, EccParameter, EccPoint, EccScheme, EccSignature, HashAgile, HashScheme, HmacScheme,
-        KeyDerivationFunctionScheme, KeyedHashScheme, MaxBuffer, PcrSelectionListBuilder, PcrSlot,
-        Public, PublicBuilder, PublicEccParameters, PublicKeyRsa, PublicKeyedHashParameters,
-        PublicRsaParameters, RsaExponent, RsaScheme, RsaSignature, Sensitive, Signature,
-        SymmetricCipherParameters, SymmetricDefinition, SymmetricDefinitionObject,
+        KeyDerivationFunctionScheme, KeyedHashScheme, MaxBuffer, MaxNvBuffer, NvPublicBuilder,
+        PcrSelectionListBuilder, PcrSlot, Public, PublicBuilder, PublicEccParameters, PublicKeyRsa,
+        PublicKeyedHashParameters, PublicRsaParameters, RsaExponent, RsaScheme, RsaSignature,
+        Sensitive, Signature, SymmetricCipherParameters, SymmetricDefinition,
+        SymmetricDefinitionObject,
     },
     tcti_ldr::TctiNameConf,
     utils, Context,
@@ -432,3 +434,44 @@ pub fn create_public_sealed_object() -> Public {
         .build()
         .expect("Failed to create public structure.")
 }
+
+pub fn write_nv_index(context: &mut Context, nv_index: NvIndexTpmHandle) -> NvIndexHandle {
+    // Create owner nv public.
+    let owner_nv_index_attributes = NvIndexAttributesBuilder::new()
+        .with_owner_write(true)
+        .with_owner_read(true)
+        .with_pp_read(true)
+        .with_owner_read(true)
+        .build()
+        .expect("Failed to create owner nv index attributes");
+
+    let owner_nv_public = NvPublicBuilder::new()
+        .with_nv_index(nv_index)
+        .with_index_name_algorithm(HashingAlgorithm::Sha256)
+        .with_index_attributes(owner_nv_index_attributes)
+        .with_data_area_size(1540)
+        .build()
+        .unwrap();
+
+    let owner_nv_index_handle = context
+        .nv_define_space(Provision::Owner, None, owner_nv_public)
+        .unwrap();
+
+    let value = [1, 2, 3, 4, 5, 6, 7];
+    let expected_data = MaxNvBuffer::try_from(value.to_vec()).unwrap();
+
+    // Write the data using Owner authorization
+    context
+        .nv_write(
+            NvAuth::Owner,
+            owner_nv_index_handle,
+            expected_data.clone(),
+            0,
+        )
+        .unwrap();
+    context
+        .nv_write(NvAuth::Owner, owner_nv_index_handle, expected_data, 1024)
+        .unwrap();
+
+    owner_nv_index_handle
+}

tss-esapi/tests/integration_tests/context_tests/tpm_commands/enhanced_authorization_ea_commands_tests.rs

@@ -894,3 +894,68 @@ mod test_policy_template {
         assert_eq!(expected_policy_template, policy_digest);
     }
 }
+
+mod test_policy_authorize_nv {
+    use crate::common::{create_ctx_with_session, write_nv_index};
+    use std::convert::TryFrom;
+    use tss_esapi::{
+        attributes::SessionAttributesBuilder,
+        constants::SessionType,
+        handles::{NvIndexHandle, NvIndexTpmHandle},
+        interface_types::{
+            algorithm::HashingAlgorithm,
+            resource_handles::{NvAuth, Provision},
+            session_handles::PolicySession,
+        },
+        structures::SymmetricDefinition,
+    };
+
+    #[test]
+    fn test_policy_authorize_nv() {
+        let mut context = create_ctx_with_session();
+        let trial_policy_auth_session = context
+            .start_auth_session(
+                None,
+                None,
+                None,
+                SessionType::Trial,
+                SymmetricDefinition::AES_256_CFB,
+                HashingAlgorithm::Sha256,
+            )
+            .expect("Start auth session failed")
+            .expect("Start auth session returned a NONE handle");
+        let (trial_policy_auth_session_attributes, trial_policy_auth_session_attributes_mask) =
+            SessionAttributesBuilder::new()
+                .with_decrypt(true)
+                .with_encrypt(true)
+                .build();
+
+        let nv_index = NvIndexTpmHandle::new(0x01500500).unwrap();
+        let initial_owner_nv_index_handle = write_nv_index(&mut context, nv_index);
+
+        context
+            .tr_sess_set_attributes(
+                trial_policy_auth_session,
+                trial_policy_auth_session_attributes,
+                trial_policy_auth_session_attributes_mask,
+            )
+            .expect("tr_sess_set_attributes call failed");
+        let trial_policy_session = PolicySession::try_from(trial_policy_auth_session)
+            .expect("Failed to convert auth session into policy session");
+        // There should be no algorithm prefix error or actual NV content check for a TRIAL session
+        let policy_result = context.policy_authorize_nv(
+            trial_policy_session,
+            NvAuth::Owner,
+            initial_owner_nv_index_handle,
+        );
+
+        let owner_nv_index_handle = context
+            .tr_from_tpm_public(nv_index.into())
+            .map_or_else(|_| initial_owner_nv_index_handle, NvIndexHandle::from);
+        context
+            .nv_undefine_space(Provision::Owner, owner_nv_index_handle)
+            .expect("Call to nv_undefine_space failed");
+
+        policy_result.unwrap();
+    }
+}