Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot define NVRAM area with simple permissions #949

Open
Melab opened this issue Nov 11, 2024 · 7 comments
Open

Cannot define NVRAM area with simple permissions #949

Melab opened this issue Nov 11, 2024 · 7 comments

Comments

@Melab
Copy link

Melab commented Nov 11, 2024

Trying to run tpm2_nvdefine -s 0x1 -a "write_stclear" 0x0 with SWTPM v0.6.3 results in this error:

WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:344:Esys_NV_DefineSpace_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x000002c2) 
ERROR: Failed to define NV area at index 0x1000000
ERROR: Esys_NV_DefineSpace(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Failed to create NV index 0x1000000.
ERROR: Unable to run tpm2_nvdefine

What is inconsistent?
@stefanberger
Copy link
Owner

What is inconsistent?

You may need to read the specs: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-3-Commands.pdf

There are required flags that you must set:

"At least one of TPMA_NV_PPREAD, TPMA_NV_OWNERREAD, TPMA_NV_AUTHREAD, or TPMA_NV_POLICYREAD shall be SET or the TPM shall return TPM_RC_ATTRIBUTES.
At least one of TPMA_NV_PPWRITE, TPMA_NV_OWNERWRITE, TPMA_NV_AUTHWRITE, or TPMA_NV_POLICYWRITE shall be SET or the TPM shall return TPM_RC_ATTRIBUTES.

If TPMA_NV_CLEAR_STCLEAR is SET, then nvIndexType shall not be TPM_NT_COUNTER or the TPM shall return TPM_RC_ATTRIBUTES.
[...]
"

@Melab
Copy link
Author

Melab commented Dec 6, 2024
edited
Loading

What is inconsistent?

You may need to read the specs: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-3-Commands.pdf

There are required flags that you must set:

"At least one of TPMA_NV_PPREAD, TPMA_NV_OWNERREAD, TPMA_NV_AUTHREAD, or TPMA_NV_POLICYREAD shall be SET or the TPM shall return TPM_RC_ATTRIBUTES. At least one of TPMA_NV_PPWRITE, TPMA_NV_OWNERWRITE, TPMA_NV_AUTHWRITE, or TPMA_NV_POLICYWRITE shall be SET or the TPM shall return TPM_RC_ATTRIBUTES.

If TPMA_NV_CLEAR_STCLEAR is SET, then nvIndexType shall not be TPM_NT_COUNTER or the TPM shall return TPM_RC_ATTRIBUTES. [...] "

But I want it to be readable/writable without needing physical presence, owner authorization, policy validation, or providing "authdata". How can I make it like that? I want to be able to read with a simple tpm2_nvread -C o -s 0x1 0x0 and writable with a simple tpm2_nvwrite -C o -i data unless I've done a 0-length write to it, in which case I want it to be locked to writing until the next TPM power cycle.

@stefanberger
Copy link
Owner

But I want it to be readable/writable without needing physical presence, owner authorization, policy validation, or providing "authdata". How can I make it like that? I want to be able to read with a simple tpm2_nvread -C o -s 0x1 0x0 and writable with a simple tpm2_nvwrite -C o -i data unless I've done a 0-length write to it, in which case I want it to be locked to writing until the next TPM power cycle.

I am afraid the spec requires that you will have to set one of those flags for reading and writing. If you do not plan on giving the owner hierarchy a password then the read will always work as shown in the following (OWNERREAD/WRITE set implicitly):

# tpm2_nvdefine -C o -s 10 0x1000000
# echo test > input
# tpm2_nvwrite -C o -i input 0x1000000
# tpm2_nvread -C o -s 5 0x1000000
test
tpm2_nvundefine -C o 0x1000000

@Melab
Copy link
Author

Melab commented Dec 6, 2024

But I want it to be readable/writable without needing physical presence, owner authorization, policy validation, or providing "authdata". How can I make it like that? I want to be able to read with a simple tpm2_nvread -C o -s 0x1 0x0 and writable with a simple tpm2_nvwrite -C o -i data unless I've done a 0-length write to it, in which case I want it to be locked to writing until the next TPM power cycle.

I am afraid the spec requires that you will have to set one of those flags for reading and writing. If you do not plan on giving the owner hierarchy a password then the read will always work as shown in the following (OWNERREAD/WRITE set implicitly):

# tpm2_nvdefine -C o -s 10 0x1000000
# echo test > input
# tpm2_nvwrite -C o -i input 0x1000000
# tpm2_nvread -C o -s 5 0x1000000
test
tpm2_nvundefine -C o 0x1000000

Is "dropping owner authorization" not a thing in TPM 2.0 like it was in TPM 1.2?

@stefanberger
Copy link
Owner

Is "dropping owner authorization" not a thing in TPM 2.0 like it was in TPM 1.2?

I am not sure what you are asking.

@kgoldman
Copy link

An NV index cannot be created with no flags:

"At least one of TPMA_NV_PPREAD, TPMA_NV_OWNERREAD, TPMA_NV_AUTHREAD, or TPMA_NV_POLICYREAD shall be SET or the TPM shall return TPM_RC_ATTRIBUTES."

The closest you can get to 'nothing' is TPMA_NV_AUTHREAD and TPMA_NV_AUTHWRITE and an Empty Auth. You can then hard code the NULL Auth, 40 00 00 09 00 00 00 00 00.

You could create an all zero policy, but that's a bit more work, startauthsession and then specify the policy handle.

@kgoldman
Copy link

The TPM does not have the concept of optional authorization. If the command requires authorization, it must be present.

The closest you can get is a plaintext password session with a zero length password -> the NULL auth.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Melab @stefanberger @kgoldman