Lines Matching refs:authorization
975 indicates that an authorization session is required for use of the entity associated with the handl…
976 If a handle does not have this symbol, then an authorization session is not allowed.
996 NOTE Any command that uses authorization may cause a write to NV if there is an authorization
1034 contain an “Auth Index:” entry for the handle. This entry indicates the number of the authorization
1035 session. The authorization sessions associated with handles will occur in the session area in the
1037 audit will follow the handles used for authorization.
1060 USER and the handle is an Object, the type of authorization is determined by the setting of
1062 type of authorization is determined by the setting of adminWithPolicy in the Object's attributes. If
1063 the DUP role is selected, authorization may only be with a policy session (DUP role only applies to
1068 TPM2_Certify requires the ADMIN role for the first handle (objectHandle). The policy authorization
1071 authorization in TPM2_Certify().
1094 command/response buffer to indicate the size of the authorization field or the parameter field. Thi…
1315 authorization session area.
1317 c) The TPM will unmarshal the authorization sessions and perform the following validations:
1344 4) The consistency of the authorization session attributes is checked.
1347 An authorization session is present for each of the handles with the “@” decoration
1354 decrypt but may not be a session that is also used for authorization;
1356 authorization sessions, or the audit session, or a session may be added for the single
1360 authorization sessions, or the audit session if present, or a session may be added for the
1372 After unmarshaling and validating the handles and the consistency of the authorization sessions, the
1398 c) If the object or NV Index is subject to DA protection, and the authorization is with an HMAC or
1420 …) If the command requires a handle to have DUP role authorization, then the associated authorizati…
1422 e) If the command requires a handle to have ADMIN role authorization:
1424 authorization session is a policy session (TPM_RC_POLICY_FAIL).
1427 If adminWithPolicy is CLEAR, then any type of authorization session is allowed.
1429 2) If the entity being authorized is an NV Index, then the associated authorization session is a po…
1433 The only commands that are currently defined that required use of ADMIN role authorization are
1450 If the command requires a handle to have USER role authorization:
1452 associated authorization session is a policy session (TPM_RC_POLICY_FAIL).
1456 if the authorization session is a policy session;
1464 if the authorization is an HMAC session or a password;
1470 g) If the authorization is provided by a policy session, then:
1519 7) if the authorization uses an HMAC, then the HMAC is properly constructed using the authValue
1543 If an authorization session has the TPMA_SESSION.decrypt attribute SET, and the command does not
1696 If the command completes successfully, the tag of the command determines if any authorization sessi…
1698 authorization attributes. The TPM will then generate a new nonce value for each session and, if
1716 The authorization attributes were validated during the session area validation to ensure that only
1722 No session nonce value is used for a password authorization but the session data is present.
1762 … logic associated with dictionary attack protection is allowed to be modified when an authorization
1828 command that uses authorization session that may need to update the dictionary
2005 If use of a handle requires authorization, the Password, HMAC, or Policy session associated with the
3494 This command is used to start an authorization session using alternative methods of establishing the
3495 session key (sessionKey). The session key is then used to derive values used for authorization and …
3507 No authorization is required for tpmKey or bind.
3510 The justification for using tpmKey without providing authorization is that the result of using the…
3513 sessionKey value, it is an authorization failure that will trigger the dictionary attack logic.
3515 The entity referenced with the bind parameter contributes an authorization value to the sessionKey
3522 This command starts an authorization session and returns the session handle along with an initial
3537 authorization
3593 authorization may be given at any locality;
3597 authorization may apply to any command code;
3601 authorization may apply to any command parameters or handles;
3605 the authorization has no time limit;
3609 an authValue is not needed when the authorization is used;
3623 Additionally, if sessionType is TPM_SE_TRIAL, the session will not be usable for authorization but …
4028 This command allows a policy authorization session to be returned to its initial state. This comman…
5136 If nameAlg is TPM_ALG_NULL, then the Name is the Empty Buffer. When the authorization value for
5513 Use of the objectHandle does not require authorization.
6036 This command does not use any TPM secrets nor does it require authorization. It is a convenience
6286 The returned value may be encrypted using authorization session encryption.
6461 This command is used to change the authorization secret for a TPM-resident object.
6463 which includes the new authorization value.
6464 This command does not change the authorization of the TPM-resident object on which it operates.
6469 The returned outPrivate will need to be loaded before the new authorization will apply.
6473 The TPM-resident object may be persistent and changing the authorization value of the persistent
6479 … Root Key and the authorization of the key is a well known value so that the key can be used gener…
6482 This command may not be used to change the authorization value for an NV Index or a Primary Object.
6485 If an NV Index is to have a new authorization, it is done with TPM2_NV_ChangeAuth().
6489 If a Primary Object is to have a new authorization, it needs to be recreated (TPM2_CreatePrimary()).
6545 new authorization value
6575 private area containing the new authorization value
6764 The authorization for this command shall be with a policy session.
6768 to indicate that authorization for duplication has been provided. This indicates that the policy th…
7195 …command allows the TPM to serve in the role as a Duplication Authority. If proper authorization for
8669 This command uses the private key of keyHandle for this operation and authorization is required.
8916 of the key is loaded. This is assured because authorization is required
8917 to use the sensitive area of the key. In order to check the authorization,
8918 the sensitive area has to be loaded, even if authorization is with policy.
10669 The caller shall provide proper authorization for use of handle.
11276 The caller shall provide proper authorization for use of handle.
11427 authorization value for subsequent use of the sequence
11694 authorization value for subsequent use of the sequence
11820 Proper authorization for the sequence object associated with sequenceHandle is required. If an
11821 authorization or audit of this command requires computation of a cpHash and an rpHash, the Name
12107 Proper authorization for the sequence object associated with sequenceHandle is required. If an
12108 authorization or audit of this command requires computation of a cpHash and an rpHash, the Name
12151 authorization for the sequence
12450 Proper authorization for the sequence object associated with sequenceHandle is required. If an
12451 authorization or audit of this command requires computation of a cpHash and an rpHash, the Name
12500 authorization for the sequence
12849 Authorization for objectHandle requires ADMIN role authorization. If performed with a policy sessio…
13841 This command requires authorization from the privacy administrator of the TPM (expressed with
13842 endorsementAuth) as well as authorization to use the key associated with signHandle.
14197 This command requires authorization from the privacy administrator of the TPM (expressed with
14198 endorsementAuth) as well as authorization to use the key associated with signHandle.
16575 Change to a PCR requires authorization. The authorization may be with either an authorization value…
16576 an authorization policy. The platform-specific specifications determine which PCR may be controlled…
16577 policy. All other PCR are controlled by authorization.
16581 TPM_ALG_NULL, then no policy is present and the authorization requires an EmptyAuth.
16583 same authorization policy or authorization value.
16593 PCR may not be modified without the proper authorization. Updates of these PCR shall not cause the
17179 No authorization is required to read a PCR and any implemented PCR may be read from any locality.
17578 Empty Buffer for the authPolicy value. This will allow an EmptyAuth to be used as the authorization
17800 specification as allowing an authorization value. If the TPM implementation does not allow an
17801 authorization for pcrNum, the TPM shall return TPM_RC_VALUE. A platform-specific specification may
17802 group PCR so that they share a common authorization value. In such case, a pcrNum that selects any …
17804 The authorization setting is set to EmptyAuth on each STARTUP(CLEAR) or by TPM2_Clear(). The
17805 authorization setting is preserved by SHUTDOWN(STATE).
17846 handle for a PCR that may have an authorization value
17855 the desired authorization value
17935 authorization group
17991 If the attribute of a PCR allows the PCR to be reset and proper authorization is provided, then this
18678 other parts of a policy context so that the caller may constrain the scope of the authorization tha…
18752 authorization. The algorithm used to compute this hash is required to be the algorithm of the
18942 the authorization expires. The required computation for the digest in the authorization ticket is:
18985 using the creation time of the authorization session (TPM2_StartAuthSession()) as its
19020 This command includes a signed authorization in a policy. The command ties the policy to a signing …
19023 policySession→policyDigest as described in 25.2.3 as if a properly signed authorization was receive…
19027 The authorizing object will sign a digest of the authorization qualifiers: nonceTPM, expiration, cp…
19046 response. If the authorization is not limited to this session, the
19051 time limit on authorization set by authorizing object. This 32-bit
19058 an EmptyAuth if the authorization is not limited to a specific
19081 If tHash does not match the digest of the signed aHash, then the authorization fails and the TPM sh…
19160 If the nonce is not included in the authorization
19168 authorization is limited
19178 a reference to a policy relating to the authorization –
19187 time when authorization will expire, measured in
19195 signed authorization (not optional)
19380 providing authorization
19487 response If the authorization is not limited to this
19491 expiration time limit on authorization set by authorizing object.
19502 Set to NULLauth if the authorization is not limited
19634 This command includes a secret-based authorization to a policy. The caller proves knowledge of the
19635 secret value using an authorization session using the authValue associated with authHandle. A
19645 The authorization value for a hierarchy cannot be used in this command if the hierarchy is disable…
19647 If the authorization check fails, then the normal dictionary attack logic is invoked.
19648 If the authorization provided by the authorization session is valid, the command parameters are che…
19659 If the session is a trial session, policySession→policyDigest is updated as if the authorization is…
19663 If an HMAC is used to convey the authorization, a separate session is needed for the authorization.
19664 Because the HMAC in that authorization will include a nonce that prevents replay of the
19665 authorization, the value of the nonceTPM parameter in this command is limited. It is retained mostly
19709 handle for an entity providing the authorization
19725 If the nonce is not included in the authorization
19733 authorization is limited
19743 a reference to a policy relating to the authorization –
19752 time when authorization will expire, measured in
20039 authorization. The ticket represents a validated authorization that had an expiration time associat…
20104 time when authorization will expire
20113 authorization is limited
20128 name of the object that provided the authorization
20134 an authorization ticket returned by the TPM in response
20271 // A ticket is used in place of a previously given authorization. Since
20274 // should use the intended authorization for which the ticket
20680 authorization. If the policy is constructed such that the PCR check comes before user authorization
20685 session is used for authorization and the PCR are not known to be correct.
20689 command is executed. When the policy is used for authorization, the current value of the counter is
20690 compared to the value in the policy session context and the authorization will fail if the values a…
21001 This command indicates that the authorization will be limited to a specific locality.
21019 When the policy session is used to authorize a command, the authorization will fail if the locality…
21340 An authorization session providing authorization to read the NV Index shall be provided.
21401 When an Index is written, it has a different authorization name than an Index that has not been
21443 handle indicating the source of the authorization value
21534 NV index authorization type is not correct
22505 This command indicates that the authorization will be limited to a specific command code.
22523 A TPM2_PolicyOR() would be used to allow an authorization to be used for multiple commands.
22528 role authorization.
22749 … command indicates that physical presence will need to be asserted at the time the authorization is
22752 required when the policy is used for authorization. Additionally, policySession→policyDigest is ext…
23487 authorization may be applied to the duplication of any number of other Objects. If the authorizing
23488 entity specifies both a new parent and the duplicated Object, then the authorization only applies to
23529 want to limit the authorization so that the approval allows only a specific object to be duplicated…
24163 This command allows a policy to be bound to the authorization value of the authorized object.
24165 the authValue will be included in hmacKey when the authorization HMAC is computed for this session.
24360 This command allows a policy to be bound to the authorization value of the authorized object.
24362 authValue of the authorized object will be checked when the session is used for authorization. The …
24363 will provide the authValue in clear text in the hmac parameter of the authorization. The comparison…
24364 hmac to authValue is performed as if the authorization is a password.
24367 The parameter field in the policy session where the authorization value is provided is called hmac.…
24380 …ason that two commands are present is to indicate to the TPM if the hmac field in the authorization
24723 authorization.
25009 This command requires authorization. Authorization for a Primary Object attached to the Platform Pr…
25378 allows phEnable, phEnableNV, shEnable, and ehEnable to be changed when the proper authorization is
25689 // Note: the authorization processing for this command may keep these
25691 // CLEAR, then platformAuth cannot be used for authorization. This
25759 This command allows setting of the authorization policy for the platform hierarchy (platformPolicy)…
25761 The command requires an authorization session. The session shall use the current authValue or satis…
25764 If the enable associated with authHandle is not SET, then the associated authorization values (auth…
25815 an authorization policy digest; may be the Empty Buffer
26925 authorization is not properly given
26978 This command allows the authorization secret for a hierarchy or lockout to be changed using the cur…
26979 authorization value as the command authorization.
26985 The authorization value may be no larger than the digest produced by the hash algorithm used for co…
26990 authorization value is 48 octets.
27040 new authorization value
27213 …s required to have support for logic that will help prevent a dictionary attack on an authorization
27214 value. The protection is provided by a counter that increments when a password authorization or an
27215 HMAC authorization fails. When the counter reaches a predefined value, the TPM will not accept, for
27216 some time interval, further requests that require authorization and the TPM is in Lockout mode. Whi…
27218 object’s or Index’s authValue unless the authorization applies to an entry in the Platform hierarch…
27226 If the TPM is continuously powered for the duration of newRecoveryTime and no authorization failures
27227 occur, the authorization failure counter will be decremented by one. This property is called “self-…
27239 This command cancels the effect of a TPM lockout due to a number of successive authorization failur…
27241 Only one authorization failure is allowed for this command during a lockoutRecovery interval (set u…
27409 …wRecoveryTime is zero, then DA protection is disabled. Authorizations are checked but authorization
27414 This command will set the authorization failure count (failedTries) to zero.
27415 Only one authorization failure is allowed for this command during a lockoutRecovery interval.
27464 count of authorization failures before the lockout is
27471 time in seconds before the authorization failure count
27622 authorization is TPM_RH_PLATFORM. The commands in clearList will no longer require assertion of
27632 asserted for either an HMAC or a Policy authorization.
28031 is from the TPM manufacturer and that proper authorization is provided using platformPolicy.
28038 If the proper authorization is given, the TPM will retain the signed digest and enter the Field Upg…
28117 Lockout authValue and authorization failure count values;
28162 authorization
28223 @authorization
28673 No authorization sessions of any type are allowed with this command and tag is required to be
28679 TPM and, because this capability would provide no application benefit, use of authorization sessio…
29178 No authorization sessions of any type are allowed with this command and tag is required to be
29183 Contexts for authorization sessions and for sequence objects belong to the NULL hierarchy which is
29669 If the handle is for an authorization session and the handle does not reference a loaded or active …
30298 No authorization sessions of any type are allowed with this command and tag is required to be
30303 privacy sensitive. The values may be read without authorization because the TCB will not disclose
30305 authorization session, it is not possible for any entity, other than the TCB, to be assured that the
31051 Presence for confirmation of platform authorization. The list will start with the TPM_CC indicated …
31658 An Index may be modified if the proper write authorization is provided or read if the proper read
31659 authorization is provided. Different controls are available for reading and writing.
31668 If an operation on an NV index requires authorization, and the authHandle parameter is the handle o…
31673 This check ensures that the authorization that was provided is associated with the NV Index being
31686 authorization will fail (TPM_RC_NV_INITIALIZED). This check may be made before or after other
31687 authorization checks but shall be performed before checking the NV Index authValue. An authorization
31816 If platformAuth/platformPolicy is used for authorization, then TPMA_NV_PLATFORMCREATE shall be
31817 SET in publicInfo. If ownerAuth/ownerPolicy is used for authorization, TPMA_NV_PLATFORMCREATE
31818 shall be CLEAR in publicInfo. If TPMA_NV_PLATFORMCREATE is not set correctly for the authorization,
31820 If TPMA_NV_POLICY_DELETE is SET, then the authorization shall be with platformAuth or the TPM
31926 the authorization value
32756 not privacy-sensitive and no authorization is required to read this data.
32928 If authorization sessions are present, they are checked before checks to see if writes to the NV
32987 handle indicating the source of the authorization value
33060 the authorization was valid but the authorizing entity (authHandle) is
33290 handle indicating the source of the authorization value
33350 authorization failure
33519 If authorization sessions are present, they are checked before checks to see if writes to the NV
33586 handle indicating the source of the authorization value
33653 the authorization was valid but the authorizing entity (authHandle) is
33889 handle indicating the source of the authorization value
33958 the authorization was valid but the authorizing entity (authHandle) is
34113 Proper write authorization is required for this command as determined by TPMA_NV_PPWRITE,
34165 handle indicating the source of the authorization value
34279 the authorization was valid but the authorizing entity (authHandle) is
34573 If authorization sessions are present, they are checked before the read-lock status of the NV Index
34624 the handle indicating the source of the authorization
34703 the authorization was valid but the authorizing entity (authHandle) is
34869 the handle indicating the source of the authorization
34984 the authorization was valid but the authorizing entity (authHandle) is
35052 This command allows the authorization secret for an NV Index to be changed.
35053 If successful, the authorization secret (authValue) of the NV Index associated with nvIndex is chan…
35054 This command requires that a policy session be used for authorization of nvIndex so that the ADMIN …
35056 TPM_CC_NV_ChangeAuth. That is, the policy must contain a specific authorization for changing the
35057 authorization value of the referenced object.
35063 The size of the newAuth value may be no larger than the size of authorization indicated when the NV
35065 Since the NV Index authorization is changed before the response HMAC is calculated, the newAuth val…
35118 new authorization value
35259 If proper authorization for reading the NV Index is provided, the portion of the NV Index selected …
35316 handle indicating the source of the authorization value
35425 the authorization was valid but the authorizing entity (authHandle) is