1 // This file was extracted from the TCG Published
2 // Trusted Platform Module Library
3 // Part 4: Supporting Routines
4 // Family "2.0"
5 // Level 00 Revision 01.16
6 // October 30, 2014
7 
8 #include "InternalRoutines.h"
9 #include "NV_spt_fp.h"
10 //
11 //
12 //           Fuctions
13 //
14 //          NvReadAccessChecks()
15 //
16 //      Common routine for validating a read Used by TPM2_NV_Read(), TPM2_NV_ReadLock() and
17 //      TPM2_PolicyNV()
18 //
19 //     Error Returns                     Meaning
20 //
21 //     TPM_RC_NV_AUTHORIZATION           autHandle is not allowed to authorize read of the index
22 //     TPM_RC_NV_LOCKED                  Read locked
23 //     TPM_RC_NV_UNINITIALIZED           Try to read an uninitialized index
24 //
25 TPM_RC
NvReadAccessChecks(TPM_HANDLE authHandle,TPM_HANDLE nvHandle)26 NvReadAccessChecks(
27    TPM_HANDLE          authHandle,             // IN: the handle that provided the
28                                                //     authorization
29    TPM_HANDLE          nvHandle                // IN: the handle of the NV index to be written
30    )
31 {
32    NV_INDEX            nvIndex;
33    // Get NV index info
34    NvGetIndexInfo(nvHandle, &nvIndex);
35 // This check may be done before doing authorization checks as is done in this
36 // version of the reference code. If not done there, then uncomment the next
37 // three lines.
38 //    // If data is read locked, returns an error
39 //    if(nvIndex.publicArea.attributes.TPMA_NV_READLOCKED == SET)
40 //        return TPM_RC_NV_LOCKED;
41    // If the authorization was provided by the owner or platform, then check
42    // that the attributes allow the read. If the authorization handle
43    // is the same as the index, then the checks were made when the authorization
44    // was checked..
45    if(authHandle == TPM_RH_OWNER)
46    {
47        // If Owner provided auth then ONWERWRITE must be SET
48        if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERREAD)
49            return TPM_RC_NV_AUTHORIZATION;
50    }
51    else if(authHandle == TPM_RH_PLATFORM)
52    {
53        // If Platform provided auth then PPWRITE must be SET
54        if(!nvIndex.publicArea.attributes.TPMA_NV_PPREAD)
55            return TPM_RC_NV_AUTHORIZATION;
56    }
57    // If neither Owner nor Platform provided auth, make sure that it was
58    // provided by this index.
59    else if(authHandle != nvHandle)
60            return TPM_RC_NV_AUTHORIZATION;
61    // If the index has not been written, then the value cannot be read
62    // NOTE: This has to come after other access checks to make sure that
63    // the proper authorization is given to TPM2_NV_ReadLock()
64    if(nvIndex.publicArea.attributes.TPMA_NV_WRITTEN == CLEAR)
65        return TPM_RC_NV_UNINITIALIZED;
66    return TPM_RC_SUCCESS;
67 }
68 //
69 //
70 //         NvWriteAccessChecks()
71 //
72 //     Common routine for validating a write               Used    by    TPM2_NV_Write(),          TPM2_NV_Increment(),
73 //     TPM2_SetBits(), and TPM2_NV_WriteLock()
74 //
75 //
76 //
77 //
78 //     Error Returns                  Meaning
79 //
80 //     TPM_RC_NV_AUTHORIZATION        Authorization fails
81 //     TPM_RC_NV_LOCKED               Write locked
82 //
83 TPM_RC
NvWriteAccessChecks(TPM_HANDLE authHandle,TPM_HANDLE nvHandle)84 NvWriteAccessChecks(
85      TPM_HANDLE        authHandle,           // IN: the handle that provided the
86                                              //     authorization
87      TPM_HANDLE        nvHandle              // IN: the handle of the NV index to be written
88      )
89 {
90      NV_INDEX          nvIndex;
91      // Get NV index info
92      NvGetIndexInfo(nvHandle, &nvIndex);
93 // This check may be done before doing authorization checks as is done in this
94 // version of the reference code. If not done there, then uncomment the next
95 // three lines.
96 //    // If data is write locked, returns an error
97 //    if(nvIndex.publicArea.attributes.TPMA_NV_WRITELOCKED == SET)
98 //        return TPM_RC_NV_LOCKED;
99      // If the authorization was provided by the owner or platform, then check
100      // that the attributes allow the write. If the authorization handle
101      // is the same as the index, then the checks were made when the authorization
102      // was checked..
103      if(authHandle == TPM_RH_OWNER)
104      {
105          // If Owner provided auth then ONWERWRITE must be SET
106          if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERWRITE)
107              return TPM_RC_NV_AUTHORIZATION;
108      }
109      else if(authHandle == TPM_RH_PLATFORM)
110      {
111          // If Platform provided auth then PPWRITE must be SET
112          if(!nvIndex.publicArea.attributes.TPMA_NV_PPWRITE)
113              return TPM_RC_NV_AUTHORIZATION;
114      }
115      // If neither Owner nor Platform provided auth, make sure that it was
116      // provided by this index.
117      else if(authHandle != nvHandle)
118              return TPM_RC_NV_AUTHORIZATION;
119      return TPM_RC_SUCCESS;
120 }
121