Lines Matching refs:authorization
975 indicates that an authorization session is required for use of the entity associated with the handl…
976 If a handle does not have this symbol, then an authorization session is not allowed.
996 NOTE Any command that uses authorization may cause a write to NV if there is an authorization
1034 contain an “Auth Index:” entry for the handle. This entry indicates the number of the authorization
1035 session. The authorization sessions associated with handles will occur in the session area in the
1037 audit will follow the handles used for authorization.
1060 USER and the handle is an Object, the type of authorization is determined by the setting of
1062 type of authorization is determined by the setting of adminWithPolicy in the Object's attributes. If
1063 the DUP role is selected, authorization may only be with a policy session (DUP role only applies to
1068 TPM2_Certify requires the ADMIN role for the first handle (objectHandle). The policy authorization
1071 authorization in TPM2_Certify().
1094 command/response buffer to indicate the size of the authorization field or the parameter field. Thi…
1315 authorization session area.
1317 c) The TPM will unmarshal the authorization sessions and perform the following validations:
1344 4) The consistency of the authorization session attributes is checked.
1347 An authorization session is present for each of the handles with the “@” decoration
1354 decrypt but may not be a session that is also used for authorization;
1356 authorization sessions, or the audit session, or a session may be added for the single
1360 authorization sessions, or the audit session if present, or a session may be added for the
1372 After unmarshaling and validating the handles and the consistency of the authorization sessions, the
1398 c) If the object or NV Index is subject to DA protection, and the authorization is with an HMAC or
1420 …) If the command requires a handle to have DUP role authorization, then the associated authorizati…
1422 e) If the command requires a handle to have ADMIN role authorization:
1424 authorization session is a policy session (TPM_RC_POLICY_FAIL).
1427 If adminWithPolicy is CLEAR, then any type of authorization session is allowed.
1429 2) If the entity being authorized is an NV Index, then the associated authorization session is a po…
1433 The only commands that are currently defined that required use of ADMIN role authorization are
1450 If the command requires a handle to have USER role authorization:
1452 associated authorization session is a policy session (TPM_RC_POLICY_FAIL).
1456 if the authorization session is a policy session;
1464 if the authorization is an HMAC session or a password;
1470 g) If the authorization is provided by a policy session, then:
1519 7) if the authorization uses an HMAC, then the HMAC is properly constructed using the authValue
1543 If an authorization session has the TPMA_SESSION.decrypt attribute SET, and the command does not
1696 If the command completes successfully, the tag of the command determines if any authorization sessi…
1698 authorization attributes. The TPM will then generate a new nonce value for each session and, if
1716 The authorization attributes were validated during the session area validation to ensure that only
1722 No session nonce value is used for a password authorization but the session data is present.
1762 … logic associated with dictionary attack protection is allowed to be modified when an authorization
1828 command that uses authorization session that may need to update the dictionary
2005 If use of a handle requires authorization, the Password, HMAC, or Policy session associated with the
3494 This command is used to start an authorization session using alternative methods of establishing the
3495 session key (sessionKey). The session key is then used to derive values used for authorization and …
3507 No authorization is required for tpmKey or bind.
3510 The justification for using tpmKey without providing authorization is that the result of using the…
3513 sessionKey value, it is an authorization failure that will trigger the dictionary attack logic.
3515 The entity referenced with the bind parameter contributes an authorization value to the sessionKey
3522 This command starts an authorization session and returns the session handle along with an initial
3537 authorization
3593 authorization may be given at any locality;
3597 authorization may apply to any command code;
3601 authorization may apply to any command parameters or handles;
3605 the authorization has no time limit;
3609 an authValue is not needed when the authorization is used;
3623 Additionally, if sessionType is TPM_SE_TRIAL, the session will not be usable for authorization but …
4026 This command allows a policy authorization session to be returned to its initial state. This comman…
5134 If nameAlg is TPM_ALG_NULL, then the Name is the Empty Buffer. When the authorization value for
5511 Use of the objectHandle does not require authorization.
6034 This command does not use any TPM secrets nor does it require authorization. It is a convenience
6282 The returned value may be encrypted using authorization session encryption.
6457 This command is used to change the authorization secret for a TPM-resident object.
6459 which includes the new authorization value.
6460 This command does not change the authorization of the TPM-resident object on which it operates.
6465 The returned outPrivate will need to be loaded before the new authorization will apply.
6469 The TPM-resident object may be persistent and changing the authorization value of the persistent
6475 … Root Key and the authorization of the key is a well known value so that the key can be used gener…
6478 This command may not be used to change the authorization value for an NV Index or a Primary Object.
6481 If an NV Index is to have a new authorization, it is done with TPM2_NV_ChangeAuth().
6485 If a Primary Object is to have a new authorization, it needs to be recreated (TPM2_CreatePrimary()).
6541 new authorization value
6571 private area containing the new authorization value
6760 The authorization for this command shall be with a policy session.
6764 to indicate that authorization for duplication has been provided. This indicates that the policy th…
7189 …command allows the TPM to serve in the role as a Duplication Authority. If proper authorization for
8658 This command uses the private key of keyHandle for this operation and authorization is required.
8905 of the key is loaded. This is assured because authorization is required
8906 to use the sensitive area of the key. In order to check the authorization,
8907 the sensitive area has to be loaded, even if authorization is with policy.
10658 The caller shall provide proper authorization for use of handle.
11265 The caller shall provide proper authorization for use of handle.
11416 authorization value for subsequent use of the sequence
11683 authorization value for subsequent use of the sequence
11809 Proper authorization for the sequence object associated with sequenceHandle is required. If an
11810 authorization or audit of this command requires computation of a cpHash and an rpHash, the Name
12096 Proper authorization for the sequence object associated with sequenceHandle is required. If an
12097 authorization or audit of this command requires computation of a cpHash and an rpHash, the Name
12140 authorization for the sequence
12439 Proper authorization for the sequence object associated with sequenceHandle is required. If an
12440 authorization or audit of this command requires computation of a cpHash and an rpHash, the Name
12487 authorization for the sequence
12838 Authorization for objectHandle requires ADMIN role authorization. If performed with a policy sessio…
13830 This command requires authorization from the privacy administrator of the TPM (expressed with
13831 endorsementAuth) as well as authorization to use the key associated with signHandle.
14186 This command requires authorization from the privacy administrator of the TPM (expressed with
14187 endorsementAuth) as well as authorization to use the key associated with signHandle.
16564 Change to a PCR requires authorization. The authorization may be with either an authorization value…
16565 an authorization policy. The platform-specific specifications determine which PCR may be controlled…
16566 policy. All other PCR are controlled by authorization.
16570 TPM_ALG_NULL, then no policy is present and the authorization requires an EmptyAuth.
16572 same authorization policy or authorization value.
16582 PCR may not be modified without the proper authorization. Updates of these PCR shall not cause the
17168 No authorization is required to read a PCR and any implemented PCR may be read from any locality.
17567 Empty Buffer for the authPolicy value. This will allow an EmptyAuth to be used as the authorization
17789 specification as allowing an authorization value. If the TPM implementation does not allow an
17790 authorization for pcrNum, the TPM shall return TPM_RC_VALUE. A platform-specific specification may
17791 group PCR so that they share a common authorization value. In such case, a pcrNum that selects any …
17793 The authorization setting is set to EmptyAuth on each STARTUP(CLEAR) or by TPM2_Clear(). The
17794 authorization setting is preserved by SHUTDOWN(STATE).
17835 handle for a PCR that may have an authorization value
17844 the desired authorization value
17924 authorization group
17980 If the attribute of a PCR allows the PCR to be reset and proper authorization is provided, then this
18667 other parts of a policy context so that the caller may constrain the scope of the authorization tha…
18741 authorization. The algorithm used to compute this hash is required to be the algorithm of the
18931 the authorization expires. The required computation for the digest in the authorization ticket is:
18974 using the creation time of the authorization session (TPM2_StartAuthSession()) as its
19009 This command includes a signed authorization in a policy. The command ties the policy to a signing …
19012 policySession→policyDigest as described in 25.2.3 as if a properly signed authorization was receive…
19016 The authorizing object will sign a digest of the authorization qualifiers: nonceTPM, expiration, cp…
19035 response. If the authorization is not limited to this session, the
19040 time limit on authorization set by authorizing object. This 32-bit
19047 an EmptyAuth if the authorization is not limited to a specific
19070 If tHash does not match the digest of the signed aHash, then the authorization fails and the TPM sh…
19149 If the nonce is not included in the authorization
19155 authorization is limited
19165 a reference to a policy relating to the authorization –
19174 time when authorization will expire, measured in
19182 signed authorization (not optional)
19369 providing authorization
19476 response If the authorization is not limited to this
19480 expiration time limit on authorization set by authorizing object.
19491 Set to NULLauth if the authorization is not limited
19623 This command includes a secret-based authorization to a policy. The caller proves knowledge of the
19624 secret value using an authorization session using the authValue associated with authHandle. A
19634 The authorization value for a hierarchy cannot be used in this command if the hierarchy is disable…
19636 If the authorization check fails, then the normal dictionary attack logic is invoked.
19637 If the authorization provided by the authorization session is valid, the command parameters are che…
19648 If the session is a trial session, policySession→policyDigest is updated as if the authorization is…
19652 If an HMAC is used to convey the authorization, a separate session is needed for the authorization.
19653 Because the HMAC in that authorization will include a nonce that prevents replay of the
19654 authorization, the value of the nonceTPM parameter in this command is limited. It is retained mostly
19698 handle for an entity providing the authorization
19714 If the nonce is not included in the authorization
19720 authorization is limited
19730 a reference to a policy relating to the authorization –
19739 time when authorization will expire, measured in
20028 authorization. The ticket represents a validated authorization that had an expiration time associat…
20093 time when authorization will expire
20102 authorization is limited
20117 name of the object that provided the authorization
20123 an authorization ticket returned by the TPM in response
20260 // A ticket is used in place of a previously given authorization. Since
20263 // should use the intended authorization for which the ticket
20669 authorization. If the policy is constructed such that the PCR check comes before user authorization
20674 session is used for authorization and the PCR are not known to be correct.
20678 command is executed. When the policy is used for authorization, the current value of the counter is
20679 compared to the value in the policy session context and the authorization will fail if the values a…
20990 This command indicates that the authorization will be limited to a specific locality.
21008 When the policy session is used to authorize a command, the authorization will fail if the locality…
21329 An authorization session providing authorization to read the NV Index shall be provided.
21390 When an Index is written, it has a different authorization name than an Index that has not been
21432 handle indicating the source of the authorization value
21523 NV index authorization type is not correct
22494 This command indicates that the authorization will be limited to a specific command code.
22512 A TPM2_PolicyOR() would be used to allow an authorization to be used for multiple commands.
22517 role authorization.
22738 … command indicates that physical presence will need to be asserted at the time the authorization is
22741 required when the policy is used for authorization. Additionally, policySession→policyDigest is ext…
23476 authorization may be applied to the duplication of any number of other Objects. If the authorizing
23477 entity specifies both a new parent and the duplicated Object, then the authorization only applies to
23518 want to limit the authorization so that the approval allows only a specific object to be duplicated…
24152 This command allows a policy to be bound to the authorization value of the authorized object.
24154 the authValue will be included in hmacKey when the authorization HMAC is computed for this session.
24349 This command allows a policy to be bound to the authorization value of the authorized object.
24351 authValue of the authorized object will be checked when the session is used for authorization. The …
24352 will provide the authValue in clear text in the hmac parameter of the authorization. The comparison…
24353 hmac to authValue is performed as if the authorization is a password.
24356 The parameter field in the policy session where the authorization value is provided is called hmac.…
24369 …ason that two commands are present is to indicate to the TPM if the hmac field in the authorization
24712 authorization.
24998 This command requires authorization. Authorization for a Primary Object attached to the Platform Pr…
25367 allows phEnable, phEnableNV, shEnable, and ehEnable to be changed when the proper authorization is
25678 // Note: the authorization processing for this command may keep these
25680 // CLEAR, then platformAuth cannot be used for authorization. This
25748 This command allows setting of the authorization policy for the platform hierarchy (platformPolicy)…
25750 The command requires an authorization session. The session shall use the current authValue or satis…
25753 If the enable associated with authHandle is not SET, then the associated authorization values (auth…
25804 an authorization policy digest; may be the Empty Buffer
26914 authorization is not properly given
26967 This command allows the authorization secret for a hierarchy or lockout to be changed using the cur…
26968 authorization value as the command authorization.
26974 The authorization value may be no larger than the digest produced by the hash algorithm used for co…
26979 authorization value is 48 octets.
27029 new authorization value
27202 …s required to have support for logic that will help prevent a dictionary attack on an authorization
27203 value. The protection is provided by a counter that increments when a password authorization or an
27204 HMAC authorization fails. When the counter reaches a predefined value, the TPM will not accept, for
27205 some time interval, further requests that require authorization and the TPM is in Lockout mode. Whi…
27207 object’s or Index’s authValue unless the authorization applies to an entry in the Platform hierarch…
27215 If the TPM is continuously powered for the duration of newRecoveryTime and no authorization failures
27216 occur, the authorization failure counter will be decremented by one. This property is called “self-…
27228 This command cancels the effect of a TPM lockout due to a number of successive authorization failur…
27230 Only one authorization failure is allowed for this command during a lockoutRecovery interval (set u…
27398 …wRecoveryTime is zero, then DA protection is disabled. Authorizations are checked but authorization
27403 This command will set the authorization failure count (failedTries) to zero.
27404 Only one authorization failure is allowed for this command during a lockoutRecovery interval.
27453 count of authorization failures before the lockout is
27460 time in seconds before the authorization failure count
27611 authorization is TPM_RH_PLATFORM. The commands in clearList will no longer require assertion of
27621 asserted for either an HMAC or a Policy authorization.
28020 is from the TPM manufacturer and that proper authorization is provided using platformPolicy.
28027 If the proper authorization is given, the TPM will retain the signed digest and enter the Field Upg…
28106 Lockout authValue and authorization failure count values;
28151 authorization
28212 @authorization
28662 No authorization sessions of any type are allowed with this command and tag is required to be
28668 TPM and, because this capability would provide no application benefit, use of authorization sessio…
29167 No authorization sessions of any type are allowed with this command and tag is required to be
29172 Contexts for authorization sessions and for sequence objects belong to the NULL hierarchy which is
29658 If the handle is for an authorization session and the handle does not reference a loaded or active …
30287 No authorization sessions of any type are allowed with this command and tag is required to be
30292 privacy sensitive. The values may be read without authorization because the TCB will not disclose
30294 authorization session, it is not possible for any entity, other than the TCB, to be assured that the
31040 Presence for confirmation of platform authorization. The list will start with the TPM_CC indicated …
31649 An Index may be modified if the proper write authorization is provided or read if the proper read
31650 authorization is provided. Different controls are available for reading and writing.
31659 If an operation on an NV index requires authorization, and the authHandle parameter is the handle o…
31664 This check ensures that the authorization that was provided is associated with the NV Index being
31677 authorization will fail (TPM_RC_NV_INITIALIZED). This check may be made before or after other
31678 authorization checks but shall be performed before checking the NV Index authValue. An authorization
31807 If platformAuth/platformPolicy is used for authorization, then TPMA_NV_PLATFORMCREATE shall be
31808 SET in publicInfo. If ownerAuth/ownerPolicy is used for authorization, TPMA_NV_PLATFORMCREATE
31809 shall be CLEAR in publicInfo. If TPMA_NV_PLATFORMCREATE is not set correctly for the authorization,
31811 If TPMA_NV_POLICY_DELETE is SET, then the authorization shall be with platformAuth or the TPM
31917 the authorization value
32747 not privacy-sensitive and no authorization is required to read this data.
32919 If authorization sessions are present, they are checked before checks to see if writes to the NV
32978 handle indicating the source of the authorization value
33051 the authorization was valid but the authorizing entity (authHandle) is
33281 handle indicating the source of the authorization value
33341 authorization failure
33510 If authorization sessions are present, they are checked before checks to see if writes to the NV
33577 handle indicating the source of the authorization value
33644 the authorization was valid but the authorizing entity (authHandle) is
33880 handle indicating the source of the authorization value
33949 the authorization was valid but the authorizing entity (authHandle) is
34104 Proper write authorization is required for this command as determined by TPMA_NV_PPWRITE,
34156 handle indicating the source of the authorization value
34270 the authorization was valid but the authorizing entity (authHandle) is
34564 If authorization sessions are present, they are checked before the read-lock status of the NV Index
34615 the handle indicating the source of the authorization
34694 the authorization was valid but the authorizing entity (authHandle) is
34860 the handle indicating the source of the authorization
34975 the authorization was valid but the authorizing entity (authHandle) is
35043 This command allows the authorization secret for an NV Index to be changed.
35044 If successful, the authorization secret (authValue) of the NV Index associated with nvIndex is chan…
35045 This command requires that a policy session be used for authorization of nvIndex so that the ADMIN …
35047 TPM_CC_NV_ChangeAuth. That is, the policy must contain a specific authorization for changing the
35048 authorization value of the referenced object.
35054 The size of the newAuth value may be no larger than the size of authorization indicated when the NV
35056 Since the NV Index authorization is changed before the response HMAC is calculated, the newAuth val…
35109 new authorization value
35250 If proper authorization for reading the NV Index is provided, the portion of the NV Index selected …
35307 handle indicating the source of the authorization value
35416 the authorization was valid but the authorizing entity (authHandle) is