1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_esys.h"
14
15 #include "esys_iutil.h"
16 #include "test-esapi.h"
17 #define LOGMODULE test
18 #include "util/log.h"
19 #include "util/aux_util.h"
20
21 /** This test is intended to test the ESAPI command Esys_NV_UndefineSpaceSpecial,
22 * The NV space attributes TPMA_NV_PLATFORMCREATE and TPMA_NV_POLICY_DELETE
23 * have to be set.
24 *
25 * A policy has to be defined for the command UndefineSpaceSpecial.
26 * The special handling whether the auth value is not used in the HMAC
27 * response verification will be checked.
28 *
29 *\b Note: platform authorization needed.
30 *
31 * Tested ESAPI commands:
32 * - Esys_FlushContext() (M)
33 * - Esys_NV_DefineSpace() (M)
34 * - Esys_NV_UndefineSpaceSpecial() (M)
35 * - Esys_PolicyAuthValue() (M)
36 * - Esys_PolicyCommandCode() (M)
37 * - Esys_PolicyGetDigest() (M)
38 * - Esys_StartAuthSession() (M)
39 *
40 * @param[in,out] esys_context The ESYS_CONTEXT.
41 * @retval EXIT_FAILURE
42 * @retval EXIT_SKIP
43 * @retval EXIT_SUCCESS
44 */
45 int
test_esys_policy_nv_undefine_special(ESYS_CONTEXT * esys_context)46 test_esys_policy_nv_undefine_special(ESYS_CONTEXT * esys_context)
47 {
48 TSS2_RC r;
49 ESYS_TR nvHandle = ESYS_TR_NONE;
50 ESYS_TR policySession = ESYS_TR_NONE;
51 ESYS_TR session = ESYS_TR_NONE;
52 int failure_return = EXIT_FAILURE;
53
54 TPM2B_DIGEST *policyDigestTrial = NULL;
55
56 /*
57 * First the policy value for NV_UndefineSpaceSpecial has to be
58 * determined with a policy trial session.
59 */
60 ESYS_TR sessionTrial = ESYS_TR_NONE;
61 TPMT_SYM_DEF symmetricTrial = {.algorithm = TPM2_ALG_AES,
62 .keyBits = {.aes = 128},
63 .mode = {.aes = TPM2_ALG_CFB}
64 };
65 TPM2B_NONCE nonceCallerTrial = {
66 .size = 20,
67 .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11,
68 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}
69 };
70
71 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
72 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
73 &nonceCallerTrial,
74 TPM2_SE_TRIAL, &symmetricTrial, TPM2_ALG_SHA1,
75 &sessionTrial);
76 goto_if_error(r, "Error: During initialization of policy trial session", error);
77
78 r = Esys_PolicyAuthValue(esys_context,
79 sessionTrial,
80 ESYS_TR_NONE,
81 ESYS_TR_NONE,
82 ESYS_TR_NONE
83 );
84 goto_if_error(r, "Error: PolicyAuthValue", error);
85
86 r = Esys_PolicyCommandCode(esys_context,
87 sessionTrial,
88 ESYS_TR_NONE,
89 ESYS_TR_NONE,
90 ESYS_TR_NONE,
91 TPM2_CC_NV_UndefineSpaceSpecial
92 );
93 goto_if_error(r, "Error: PolicyCommandCode", error);
94
95 r = Esys_PolicyGetDigest(esys_context,
96 sessionTrial,
97 ESYS_TR_NONE,
98 ESYS_TR_NONE,
99 ESYS_TR_NONE,
100 &policyDigestTrial
101 );
102 goto_if_error(r, "Error: PolicyGetDigest", error);
103
104 TPM2B_AUTH auth = {.size = 20,
105 .buffer={10, 11, 12, 13, 14, 15, 16, 17, 18, 19,
106 20, 21, 22, 23, 24, 25, 26, 27, 28, 29}};
107
108 TPM2B_NV_PUBLIC publicInfo = {
109 .size = 0,
110 .nvPublic = {
111 .nvIndex =TPM2_NV_INDEX_FIRST,
112 .nameAlg = TPM2_ALG_SHA1,
113 .attributes = (
114 TPMA_NV_PLATFORMCREATE |
115 TPMA_NV_PPWRITE |
116 TPMA_NV_AUTHWRITE |
117 TPMA_NV_WRITE_STCLEAR |
118 TPMA_NV_READ_STCLEAR |
119 TPMA_NV_AUTHREAD |
120 TPMA_NV_PPREAD |
121 TPMA_NV_POLICY_DELETE /**< Undefine will only possible with policy */
122 ),
123 .authPolicy = *policyDigestTrial,
124 .dataSize = 32,
125 }
126 };
127
128 r = Esys_NV_DefineSpace(esys_context,
129 ESYS_TR_RH_PLATFORM,
130 ESYS_TR_PASSWORD,
131 ESYS_TR_NONE,
132 ESYS_TR_NONE,
133 &auth,
134 &publicInfo,
135 &nvHandle);
136
137 if ((r & ~TPM2_RC_N_MASK) == TPM2_RC_BAD_AUTH ||
138 (r & ~TPM2_RC_N_MASK) == TPM2_RC_HIERARCHY) {
139 /* Platform authorization not possible test will be skipped */
140 LOG_WARNING("Platform authorization not possible.");
141 failure_return = EXIT_SKIP;
142 goto error;
143 }
144
145 goto_if_error(r, "Error esys define nv space", error);
146
147 TPMT_SYM_DEF policySymmetric = {.algorithm = TPM2_ALG_AES,
148 .keyBits = {.aes = 128},
149 .mode = {.aes = TPM2_ALG_CFB}
150 };
151 TPM2B_NONCE policyNonceCaller = {
152 .size = 20,
153 .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11,
154 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}
155 };
156
157 /* Create HMAC session to test HMAC with session name for policy sessions */
158 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
159 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
160 &policyNonceCaller,
161 TPM2_SE_HMAC, &policySymmetric, TPM2_ALG_SHA1,
162 &session);
163 goto_if_error(r, "Error: During initialization of session", error);
164
165 TPMA_SESSION sessionAttributes = TPMA_SESSION_AUDIT |
166 TPMA_SESSION_CONTINUESESSION;
167
168 r = Esys_TRSess_SetAttributes(esys_context, session, sessionAttributes, 0xFF);
169 goto_if_error(r, "Error: During SetAttributes", error);
170
171 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
172 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
173 &policyNonceCaller,
174 TPM2_SE_POLICY, &policySymmetric, TPM2_ALG_SHA1,
175 &policySession);
176 goto_if_error(r, "Error: During initialization of policy trial session", error);
177
178 r = Esys_PolicyAuthValue(esys_context,
179 policySession,
180 session,
181 ESYS_TR_NONE,
182 ESYS_TR_NONE
183 );
184 goto_if_error(r, "Error: PolicyAuthValue", error);
185
186 r = Esys_PolicyCommandCode(esys_context,
187 policySession,
188 session,
189 ESYS_TR_NONE,
190 ESYS_TR_NONE,
191 TPM2_CC_NV_UndefineSpaceSpecial
192 );
193 goto_if_error(r, "Error: PolicyCommandCode", error);
194
195 r = Esys_NV_UndefineSpaceSpecial(esys_context,
196 nvHandle,
197 ESYS_TR_RH_PLATFORM,
198 policySession,
199 ESYS_TR_PASSWORD,
200 ESYS_TR_NONE
201 );
202
203 if ((r & ~TPM2_RC_N_MASK) == TPM2_RC_BAD_AUTH) {
204 /* Platform authorization not possible test will be skipped */
205 LOG_WARNING("Platform authorization not possible.");
206 failure_return = EXIT_SKIP;
207 goto error;
208 }
209
210 goto_if_error(r, "Error: NV_UndefineSpace", error);
211
212 r = Esys_FlushContext(esys_context, sessionTrial);
213 goto_if_error(r, "Flushing context", error);
214
215 r = Esys_FlushContext(esys_context, session);
216 goto_if_error(r, "Flushing context", error);
217
218 r = Esys_FlushContext(esys_context, policySession);
219 goto_if_error(r, "Flushing context", error);
220
221 Esys_Free(policyDigestTrial);
222 return EXIT_SUCCESS;
223
224 error:
225
226 if (sessionTrial != ESYS_TR_NONE) {
227 if (Esys_FlushContext(esys_context, sessionTrial) != TSS2_RC_SUCCESS) {
228 LOG_ERROR("Cleanup policySession failed.");
229 }
230 }
231
232 if (session != ESYS_TR_NONE) {
233 if (Esys_FlushContext(esys_context, session) != TSS2_RC_SUCCESS) {
234 LOG_ERROR("Cleanup session failed.");
235 }
236 }
237
238 if (policySession != ESYS_TR_NONE) {
239 if (Esys_FlushContext(esys_context, policySession) != TSS2_RC_SUCCESS) {
240 LOG_ERROR("Cleanup policySession failed.");
241 }
242 }
243
244 Esys_Free(policyDigestTrial);
245 return failure_return;
246 }
247
248 int
test_invoke_esapi(ESYS_CONTEXT * esys_context)249 test_invoke_esapi(ESYS_CONTEXT * esys_context) {
250 return test_esys_policy_nv_undefine_special(esys_context);
251 }
252