Lines Matching refs:authorization
601 …indicates that an authorization session is required for use of the entity associated with the hand…
602 If a handle does not have this symbol, then an authorization session is not allowed.
613 …NOTE Any command that uses authorization may cause a write to NV if there is an authorizati…
634 …contain an “Auth Index:” entry for the handle. This entry indicates the number of the authorization
635 … session. The authorization sessions associated with handles will occur in the session area in the
637 audit will follow the handles used for authorization.
651 … If the handle has the Auth Role of USER and the handle is an Object, the type of authorization is
657 … If the Auth Role is ADMIN and the handle is an Object, the type of authorization is determined by
661 …If the DUP role is selected, authorization may only be with a policy session (DUP role only applies
665 … TPM2_Certify requires the ADMIN role for the first handle (objectHandle). The policy authorization
668 authorization in TPM2_Certify().
688 command/response buffer to indicate the size of the authorization field or the parameter field. Thi…
695 When authorization is required to use the TPM entity associated with a handle, then at least one se…
776 NOTE 1 A TPM is required to perform the handle area validation before the authorization…
777 …authorization cannot be performed unless the authorization values and attributes for the referenc …
854 the authorization session area.
856 d) The TPM will unmarshal the authorization sessions and perform the following validations:
868 4) The consistency of the authorization session attributes is checked.
871 decrypt but may not be a session that is also used for authorization;
873 … authorization sessions, or the audit session, or a session may be added for the single
877 … authorization sessions, or the audit session if present, or a session may be added for the
888 …ii) If a session is not being used for authorization, at least one of decrypt, encrypt, or audit…
892 5) An authorization session is present for each of the handles with the “@” decoration
899 After unmarshaling and validating the handles and the consistency of the authorization sessions, the
906 c) If the object or NV Index is subject to DA protection, and the authorization is with an HMAC or
915 …) If the command requires a handle to have DUP role authorization, then the associated authorizati…
917 e) If the command requires a handle to have ADMIN role authorization:
919 then the authorization session is a policy session (TPM_RC_POLICY_FAIL).
921 …NOTE 3 If adminWithPolicy is CLEAR, then any type of authorization session is allowed.
923 …2) If the entity being authorized is an NV Index, then the associated authorization session is a p…
926 … The only commands that are currently defined that require use of ADMIN role authorization
929 f) If the command requires a handle to have USER role authorization:
931 associated authorization session is a policy session (TPM_RC_POLICY_FAIL).
936 i) if the authorization session is a policy session;
946 ii) if the authorization is an HMAC session or a password;
951 g) If the authorization is provided by a policy session, then:
964 h) if the authorization uses an HMAC, then the HMAC is properly constructed using the authValue
971 i) if the authorization uses a password, then the password matches the authValue associated with…
983 If an authorization session has the TPMA_SESSION.decrypt attribute SET, and the command does not
1072 If the command completes successfully, the tag of the command determines if any authorization sessi…
1074 authorization attributes. The TPM will then generate a new nonce value for each session and, if
1076 If authorization HMAC computations are performed on the response, the HMAC keys used in the
1091 NOTE 2 The authorization attributes were validated during the session area validation to en…
1095 NOTE 3 No session nonce value is used for a password authorization but the session data is …
1128 … logic associated with dictionary attack protection is allowed to be modified when an authorization
1172 … command that uses authorization session that may need to update the dictionary
1294 … If use of a handle requires authorization, the Password, HMAC, or Policy session associated wi…
2262 This command is used to start an authorization session using alternative methods of establishing the
2263 session key (sessionKey). The session key is then used to derive values used for authorization and …
2274 No authorization is required for tpmKey or bind.
2276 NOTE 2 The justification for using tpmKey without providing authorization is that the res…
2279 … sessionKey value, it is an authorization failure that will trigger the dictionary attack logic.
2281 The entity referenced with the bind parameter contributes an authorization value to the sessionKey
2288 This command starts an authorization session and returns the session handle along with an initial
2290 If the TPM does not have a free slot for an authorization session, …
2327 authorization may be given at any locality;
2328 authorization may apply to any command code;
2329 authorization may apply to any command parameters or handles;
2330 the authorization has no time limit;
2331 an authValue is not needed when the authorization is used;
2335 Additionally, if sessionType is TPM_SE_TRIAL, the session will not be usable for authorization but …
2547 This command allows a policy authorization session to be returned to its initial state. This comman…
3169 … If nameAlg is TPM_ALG_NULL, then the Name is the Empty Buffer. When the authorization value for
3367 Use of the objectHandle does not require authorization.
3644 This command does not use any TPM secrets nor does it require authorization. It is a convenience
3774 The returned value may be encrypted using authorization session encryption.
3877 This command is used to change the authorization secret for a TPM-resident object.
3879 which includes the new authorization value.
3880 This command does not change the authorization of the TPM-resident object on which it operates.
3884 NOTE 1 The returned outPrivate will need to be loaded before the new authorization will app…
3886 NOTE 2 The TPM-resident object may be persistent and changing the authorization value of th…
3890 EXAMPLE If a persistent key is being used as a Storage Root Key and the authorization of the…
3891 … known value so that the key can be used generally, then changing the authorization value in the
3894 This command may not be used to change the authorization value for an NV Index or a Primary Object.
3896 NOTE 3 If an NV Index is to have a new authorization, it is done with TPM2_NV_ChangeAuth().
3898 NOTE 4 If a Primary Object is to have a new authorization, it needs to be recreated (TPM2_C…
3924 TPM2B_AUTH newAuth new authorization value
3934 TPM2B_PRIVATE outPrivate private area containing the new authorization v…
4043 The authorization for this command shall be with a policy session.
4047 to indicate that authorization for duplication has been provided. This indicates that the policy th…
4262 …command allows the TPM to serve in the role as a Duplication Authority. If proper authorization for
5043 This command uses the private key of keyHandle for this operation and authorization is required.
5162 30 // of the key is loaded. This is assured because authorization is required
5163 31 // to use the sensitive area of the key. In order to check the authorization,
5164 32 // the sensitive area has to be loaded, even if authorization is with policy.
6147 The caller shall provide proper authorization for use of handle.
6479 The caller shall provide proper authorization for use of handle.
6524 TPM2B_AUTH auth authorization value for subsequent use of the sequence
6662 TPM2B_AUTH auth authorization value for subsequent use of the seque…
6733 Proper authorization for the sequence object associated with sequenceHandle is required. If an
6734 authorization or audit of this command requires computation of a cpHash and an rpHash, the Name
6896 Proper authorization for the sequence object associated with sequenceHandle is required. If an
6897 authorization or audit of this command requires computation of a cpHash and an rpHash, the Name
6919 authorization for the sequence
7079 Proper authorization for the sequence object associated with sequenceHandle is required. If an
7080 authorization or audit of this command requires computation of a cpHash and an rpHash, the Name
7105 authorization for the sequence
7312 Authorization for objectHandle requires ADMIN role authorization. If performed with a policy sessio…
7831 This command requires authorization from the privacy administrator of the TPM (expressed with
7832 Endorsement Authorization) as well as authorization to use the key associated with signHandle.
8023 This command requires authorization from the privacy administrator of the TPM (expressed with
8024 Endorsement Authorization) as well as authorization to use the key associated with signHandle.
9251 Change to a PCR requires authorization. The authorization may be with either an authorization value…
9252 an authorization policy. The platform-specific specifications determine which PCR may be controlled…
9253 policy. All other PCR are controlled by authorization.
9257 TPM_ALG_NULL, then no policy is present and the authorization requires an EmptyAuth.
9259 same authorization policy or authorization value.
9268 PCR may not be modified without the proper authorization. Updates of these PCR shall not cause the
9592 No authorization is required to read a PCR and any implemented PCR may be read from any locality.
9839 …Empty Buffer for the authPolicy value. This will allow an EmptyAuth to be used as the authorization
9958 specification as allowing an authorization value. If the TPM implementation does not allow an
9959 authorization for pcrNum, the TPM shall return TPM_RC_VALUE. A platform-specific specification may
9960 group PCR so that they share a common authorization value. In such case, a pcrNum that selects any …
9962 The authorization setting is set to EmptyAuth on each STARTUP(CLEAR) or by TPM2_Clear(). The
9963 authorization setting is preserved by SHUTDOWN(STATE).
9983 … handle for a PCR that may have an authorization value
9989 TPM2B_DIGEST auth the desired authorization value
10018 authorization group
10066 If the attribute of a PCR allows the PCR to be reset and proper authorization is provided, then this
10466 other parts of a policy context so that the caller may constrain the scope of the authorization tha…
10523 … authorization. The algorithm used to compute this hash is required to be the algorithm of the
10633 value indicating when the authorization expires. If expiration is non-negative, then the TPM will r…
10635 The required computation for the digest in the authorization ticket is:
10655 … using the creation time of the authorization session (TPM2_StartAuthSession()) as its
10677 This command includes a signed authorization in a policy. The command ties the policy to a signing …
10680 policySession→policyDigest as described in 23.2.3 as if a properly signed authorization was receive…
10684 The authorizing entity will sign a digest of the authorization qualifiers: nonceTPM, expiration, cp…
10695 … response. If the authorization is not limited to this session, the
10701 …expiration time limit on authorization set by authorizing object. This 3…
10705 … an EmptyAuth if the authorization is not limited to a specific
10725 If tHash does not match the digest of the signed aHash, then the authorization fails and the TPM sh…
10771 authorization is limited
10776 … a reference to a policy relating to the authorization –
10781 time when authorization will expire, measured in
10786 TPMT_SIGNATURE auth signed authorization (not optional)
10883 46 // response If the authorization is not limited to this
10885 48 // expiration time limit on authorization set by authorizing object.
10890 53 // Set to NULLauth if the authorization is not limited
10986 This command includes a secret-based authorization to a policy. The caller proves knowledge of the
10987 secret value using an authorization session using the authValue associated with authHandle. A passw…
10996 NOTE 1 The authorization value for a hierarchy cannot be used in this command if the hier…
10998 If the authorization check fails, then the normal dictionary attack logic is invoked.
10999 If the authorization provided by the authorization session is valid, the command parameters are che…
11007 If the session is a trial session, policySession→policyDigest is updated as if the authorization is…
11010 … If an HMAC is used to convey the authorization, a separate session is needed for the au…
11011 … Because the HMAC in that authorization will include a nonce that prevents replay of the
11012 …authorization, the value of the nonceTPM parameter in this command is limited. It is retained most…
11032 … handle for an entity providing the authorization
11043 authorization is limited
11048 … a reference to a policy relating to the authorization –
11053 … time when authorization will expire, measured in
11202 authorization. The ticket represents a validated authorization that had an expiration time associat…
11238 time when authorization will expire
11242 authorization is limited
11249 …B_NAME authName name of the object that provided the authorization
11250 … an authorization ticket returned by the TPM in response
11303 22 // A ticket is used in place of a previously given authorization. Since
11306 25 // should use the intended authorization for which the ticket
11549 …authorization. If the policy is constructed such that the PCR check comes before user authorization
11554 session is used for authorization and the PCR are not known to be correct.
11558 command is executed. When the policy is used for authorization, the current value of the counter is
11559 compared to the value in the policy session context and the authorization will fail if the values a…
11743 This command indicates that the authorization will be limited to a specific locality.
11757 When the policy session is used to authorize a command, the authorization will fail if the locality…
11930 An authorization session providing authorization to read the NV Index shall be provided.
11981 … handle indicating the source of the authorization value
12023 TPM_RC_AUTH_TYPE NV index authorization type is not correct
12495 This command indicates that the authorization will be limited to a specific command code.
12506 NOTE 2 A TPM2_PolicyOR() would be used to allow an authorization to be used for multiple c…
12511 role authorization.
12625 … command indicates that physical presence will need to be asserted at the time the authorization is
12628 required when the policy is used for authorization. Additionally, policySession→policyDigest is ext…
13030 … authorization may be applied to the duplication of any number of other Objects. If the authorizing
13031 …ntity specifies both a new parent and the duplicated Object, then the authorization only applies to
13058 …want to limit the authorization so that the approval allows only a specific object to be duplicat…
13235 to perform policy calculations but does not have a valid authorization ticket.
13393 This command allows a policy to be bound to the authorization value of the authorized object.
13395 the authValue will be included in hmacKey when the authorization HMAC is computed for the command
13500 This command allows a policy to be bound to the authorization value of the authorized object.
13502 authValue of the authorized object will be checked when the session is used for authorization. The …
13503 will provide the authValue in clear text in the hmac parameter of the authorization. The comparison…
13504 hmac to authValue is performed as if the authorization is a password.
13506 NOTE 1 The parameter field in the policy session where the authorization value is provided…
13515 …ason that two commands are present is to indicate to the TPM if the hmac field in the authorization
13699 authorization.
13713 NOTE 2 When an Index is written, it has a different authorization name than an Index that …
13865 This command requires authorization. Authorization for a Primary Object attached to the Platform Pr…
14047 allows phEnable, phEnableNV, shEnable, and ehEnable to be changed when the proper authorization is
14189 57 // Note: the authorization processing for this command may keep these
14191 59 // CLEAR, then platformAuth cannot be used for authorization. This
14255 This command allows setting of the authorization policy for the lockout (lockoutPolicy), the platfo…
14258 The command requires an authorization session. The session shall use the current authValue or satis…
14261 If the enable associated with authHandle is not SET, then the associated authorization values (auth…
14290 … an authorization policy digest; may be the Empty Buffer
14900 TPM_RC_AUTH_FAIL authorization is not properly given
14947 This command allows the authorization secret for a hierarchy or lockout to be changed using the cur…
14948 authorization value as the command authorization.
14954 The authorization value may be no larger than the digest produced by the hash algorithm used for co…
14958 authorization value is 48 octets.
14983 TPM2B_AUTH newAuth new authorization value
15076 …s required to have support for logic that will help prevent a dictionary attack on an authorization
15077 value. The protection is provided by a counter that increments when a password authorization or an
15078 HMAC authorization fails. When the counter reaches a predefined value, the TPM will not accept, for
15079 some time interval, further requests that require authorization and the TPM is in Lockout mode. Whi…
15081 object’s or Index’s authValue unless the authorization applies to an entry in the Platform hierarch…
15088 If the TPM is continuously powered for the duration of newRecoveryTime and no authorization failures
15089 occur, the authorization failure counter will be decremented by one. This property is called “self-…
15101 This command cancels the effect of a TPM lockout due to a number of successive authorization failur…
15103 Only one lockoutAuth authorization failure is allowed for this command during a lockoutRecovery int…
15196 …wRecoveryTime is zero, then DA protection is disabled. Authorizations are checked but authorization
15201 This command will set the authorization failure count (failedTries) to zero.
15202 Only one lockoutAuth authorization failure is allowed for this command during a lockoutRecovery int…
15226 count of authorization failures before the lockout is
15229 … time in seconds before the authorization failure count
15316 authorization is TPM_RH_PLATFORM. The commands in clearList will no longer require assertion of
15324 asserted for either an HMAC or a Policy authorization.
15541 is from the TPM manufacturer and that proper authorization is provided using platformPolicy.
15547 If the proper authorization is given, the TPM will retain the signed digest and enter the Field Upg…
15604 Lockout authValue and authorization failure count values;
15627 If the signature checks succeed, the authorization is valid and the TPM …
15654 TPMI_RH_PLATFORM @authorization Auth Index:1
15892 No authorization sessions of any type are allowed with this command and tag is required to be
15897 …PM and, because this capability would provide no application benefit, use of authorization sessions
16160 No authorization sessions of any type are allowed with this command and tag is required to be
16164 NOTE Contexts for authorization sessions and for sequence objects belong to the NULL hie…
16409 If the handle is for an authorization session and the handle does not reference a loaded or active …
16760 No authorization sessions of any type are allowed with this command and tag is required to be
16764 … privacy sensitive. The values may be read without authorization because the TCB will not disclose
16766 …authorization session, it is not possible for any entity, other than the TCB, to be assured that t…
17195 … Presence for confirmation of platform authorization. The list will start with the TPM_CC indicated
17506 An Index may be modified if the proper write authorization is provided or read if the proper read
17507 authorization is provided. Different controls are available for reading and writing.
17519 If an operation on an NV index requires authorization, and the authHandle parameter is the handle o…
17523 NOTE 1 This check ensures that the authorization that was provided is associated with the …
17536 authorization will fail (TPM_RC_NV_INITIALIZED). This check may be made before or after other
17537 authorization checks but shall be performed before checking the NV Index authValue. An authorization
17627 If platformAuth/platformPolicy is used for authorization, then TPMA_NV_PLATFORMCREATE shall be
17628 SET in publicInfo. If ownerAuth/ownerPolicy is used for authorization, TPMA_NV_PLATFORMCREATE
17629 shall be CLEAR in publicInfo. If TPMA_NV_PLATFORMCREATE is not set correctly for the authorization,
17631 If TPMA_NV_POLICY_DELETE is SET, then the authorization shall be with Platform Authorization or the
17679 TPM2B_AUTH auth the authorization value
18110 not privacy-sensitive and no authorization is required to read this data.
18203 NOTE 1 If authorization sessions are present, they are checked before checks to see if wri…
18239 … handle indicating the source of the authorization value
18278 …TPM_RC_NV_AUTHORIZATION the authorization was valid but the authorizing entity (authHandl…
18387 … handle indicating the source of the authorization value
18422 TPM_RC_NV_AUTHORIZATION authorization failure
18514 NOTE 2 If authorization sessions are present, they are checked before checks to see if wr…
18544 … handle indicating the source of the authorization value
18582 … TPM_RC_NV_AUTHORIZATION the authorization was valid but the authorizing entity (authHandle) is
18702 … handle indicating the source of the authorization value
18740 …TPM_RC_NV_AUTHORIZATION the authorization was valid but the authorizing entity (authHandle) …
18822 Proper write authorization is required for this command as determined by TPMA_NV_PPWRITE,
18850 … handle indicating the source of the authorization value
18887 …TPM_RC_NV_AUTHORIZATION the authorization was valid but the authorizing entity (authHandl…
19056 NOTE If authorization sessions are present, they are checked before the read-lock status…
19083 the handle indicating the source of the authorization
19126 …TPM_RC_NV_AUTHORIZATION the authorization was valid but the authorizing entity (authHand…
19213 … the handle indicating the source of the authorization
19251 …TPM_RC_NV_AUTHORIZATION the authorization was valid but the authorizing entity (authHandl…
19321 This command allows the authorization secret for an NV Index to be changed.
19322 If successful, the authorization secret (authValue) of the NV Index associated with nvIndex is chan…
19323 This command requires that a policy session be used for authorization of nvIndex so that the ADMIN …
19325 TPM_CC_NV_ChangeAuth. That is, the policy must contain a specific authorization for changing the
19326 authorization value of the referenced object.
19331 The size of the newAuth value may be no larger than the size of authorization indicated when the NV
19333 Since the NV Index authorization is changed before the response HMAC is calculated, the newAuth val…
19359 TPM2B_AUTH newAuth new authorization value
19438 If proper authorization for reading the NV Index is provided, the portion of the NV Index selected …
19467 … handle indicating the source of the authorization value
19518 …TPM_RC_NV_AUTHORIZATION the authorization was valid but the authorizing entity (authHand…