/* Microsoft Reference Implementation for TPM 2.0 * * The copyright in this software is being made available under the BSD License, * included below. This software may be subject to other third party and * contributor rights, including patent rights, and no such rights are granted * under this license. * * Copyright (c) Microsoft Corporation * * All rights reserved. * * BSD License * * Redistribution and use in source and binary forms, with or without modification, * are permitted provided that the following conditions are met: * * Redistributions of source code must retain the above copyright notice, this list * of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, this * list of conditions and the following disclaimer in the documentation and/or * other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ""AS IS"" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ //** Introduction // This file contains the subsystem that process the authorization sessions // including implementation of the Dictionary Attack logic. ExecCommand() uses // ParseSessionBuffer() to process the authorization session area of a command and // BuildResponseSession() to create the authorization session area of a response. //** Includes and Data Definitions #define SESSION_PROCESS_C #include "Tpm.h" #include "ACT.h" // //** Authorization Support Functions // //*** IsDAExempted() // This function indicates if a handle is exempted from DA logic. // A handle is exempted if it is: // a) a primary seed handle; // b) an object with noDA bit SET; // c) an NV Index with TPMA_NV_NO_DA bit SET; or // d) a PCR handle. // // Return Type: BOOL // TRUE(1) handle is exempted from DA logic // FALSE(0) handle is not exempted from DA logic BOOL IsDAExempted( TPM_HANDLE handle // IN: entity handle ) { BOOL result = FALSE; // switch(HandleGetType(handle)) { case TPM_HT_PERMANENT: // All permanent handles, other than TPM_RH_LOCKOUT, are exempt from // DA protection. result = (handle != TPM_RH_LOCKOUT); break; // When this function is called, a persistent object will have been loaded // into an object slot and assigned a transient handle. case TPM_HT_TRANSIENT: { TPMA_OBJECT attributes = ObjectGetPublicAttributes(handle); result = IS_ATTRIBUTE(attributes, TPMA_OBJECT, noDA); break; } case TPM_HT_NV_INDEX: { NV_INDEX *nvIndex = NvGetIndexInfo(handle, NULL); result = IS_ATTRIBUTE(nvIndex->publicArea.attributes, TPMA_NV, NO_DA); break; } case TPM_HT_PCR: // PCRs are always exempted from DA. result = TRUE; break; default: break; } return result; } //*** IncrementLockout() // This function is called after an authorization failure that involves use of // an authValue. If the entity referenced by the handle is not exempt from DA // protection, then the failedTries counter will be incremented. // // Return Type: TPM_RC // TPM_RC_AUTH_FAIL authorization failure that caused DA lockout to increment // TPM_RC_BAD_AUTH authorization failure did not cause DA lockout to // increment static TPM_RC IncrementLockout( UINT32 sessionIndex ) { TPM_HANDLE handle = s_associatedHandles[sessionIndex]; TPM_HANDLE sessionHandle = s_sessionHandles[sessionIndex]; SESSION *session = NULL; // // Don't increment lockout unless the handle associated with the session // is DA protected or the session is bound to a DA protected entity. if(sessionHandle == TPM_RS_PW) { if(IsDAExempted(handle)) return TPM_RC_BAD_AUTH; } else { session = SessionGet(sessionHandle); // If the session is bound to lockout, then use that as the relevant // handle. This means that an authorization failure with a bound session // bound to lockoutAuth will take precedence over any other // lockout check if(session->attributes.isLockoutBound == SET) handle = TPM_RH_LOCKOUT; if(session->attributes.isDaBound == CLEAR && (IsDAExempted(handle) || session->attributes.includeAuth == CLEAR)) // If the handle was changed to TPM_RH_LOCKOUT, this will not return // TPM_RC_BAD_AUTH return TPM_RC_BAD_AUTH; } if(handle == TPM_RH_LOCKOUT) { pAssert(gp.lockOutAuthEnabled == TRUE); // lockout is no longer enabled gp.lockOutAuthEnabled = FALSE; // For TPM_RH_LOCKOUT, if lockoutRecovery is 0, no need to update NV since // the lockout authorization will be reset at startup. if(gp.lockoutRecovery != 0) { if(NV_IS_AVAILABLE) // Update NV. NV_SYNC_PERSISTENT(lockOutAuthEnabled); else // No NV access for now. Put the TPM in pending mode. s_DAPendingOnNV = TRUE; } } else { if(gp.recoveryTime != 0) { gp.failedTries++; if(NV_IS_AVAILABLE) // Record changes to NV. NvWrite will SET g_updateNV NV_SYNC_PERSISTENT(failedTries); else // No NV access for now. Put the TPM in pending mode. s_DAPendingOnNV = TRUE; } } // Register a DA failure and reset the timers. DARegisterFailure(handle); return TPM_RC_AUTH_FAIL; } //*** IsSessionBindEntity() // This function indicates if the entity associated with the handle is the entity, // to which this session is bound. The binding would occur by making the "bind" // parameter in TPM2_StartAuthSession() not equal to TPM_RH_NULL. The binding only // occurs if the session is an HMAC session. The bind value is a combination of // the Name and the authValue of the entity. // // Return Type: BOOL // TRUE(1) handle points to the session start entity // FALSE(0) handle does not point to the session start entity static BOOL IsSessionBindEntity( TPM_HANDLE associatedHandle, // IN: handle to be authorized SESSION *session // IN: associated session ) { TPM2B_NAME entity; // The bind value for the entity // // If the session is not bound, return FALSE. if(session->attributes.isBound) { // Compute the bind value for the entity. SessionComputeBoundEntity(associatedHandle, &entity); // Compare to the bind value in the session. return MemoryEqual2B(&entity.b, &session->u1.boundEntity.b); } return FALSE; } //*** IsPolicySessionRequired() // Checks if a policy session is required for a command. If a command requires // DUP or ADMIN role authorization, then the handle that requires that role is the // first handle in the command. This simplifies this checking. If a new command // is created that requires multiple ADMIN role authorizations, then it will // have to be special-cased in this function. // A policy session is required if: // a) the command requires the DUP role; // b) the command requires the ADMIN role and the authorized entity // is an object and its adminWithPolicy bit is SET; // c) the command requires the ADMIN role and the authorized entity // is a permanent handle or an NV Index; or // d) the authorized entity is a PCR belonging to a policy group, and // has its policy initialized // Return Type: BOOL // TRUE(1) policy session is required // FALSE(0) policy session is not required static BOOL IsPolicySessionRequired( COMMAND_INDEX commandIndex, // IN: command index UINT32 sessionIndex // IN: session index ) { AUTH_ROLE role = CommandAuthRole(commandIndex, sessionIndex); TPM_HT type = HandleGetType(s_associatedHandles[sessionIndex]); // if(role == AUTH_DUP) return TRUE; if(role == AUTH_ADMIN) { // We allow an exception for ADMIN role in a transient object. If the object // allows ADMIN role actions with authorization, then policy is not // required. For all other cases, there is no way to override the command // requirement that a policy be used if(type == TPM_HT_TRANSIENT) { OBJECT *object = HandleToObject(s_associatedHandles[sessionIndex]); if(!IS_ATTRIBUTE(object->publicArea.objectAttributes, TPMA_OBJECT, adminWithPolicy)) return FALSE; } return TRUE; } if(type == TPM_HT_PCR) { if(PCRPolicyIsAvailable(s_associatedHandles[sessionIndex])) { TPM2B_DIGEST policy; TPMI_ALG_HASH policyAlg; policyAlg = PCRGetAuthPolicy(s_associatedHandles[sessionIndex], &policy); if(policyAlg != TPM_ALG_NULL) return TRUE; } } return FALSE; } //*** IsAuthValueAvailable() // This function indicates if authValue is available and allowed for USER role // authorization of an entity. // // This function is similar to IsAuthPolicyAvailable() except that it does not // check the size of the authValue as IsAuthPolicyAvailable() does (a null // authValue is a valid authorization, but a null policy is not a valid policy). // // This function does not check that the handle reference is valid or if the entity // is in an enabled hierarchy. Those checks are assumed to have been performed // during the handle unmarshaling. // // Return Type: BOOL // TRUE(1) authValue is available // FALSE(0) authValue is not available static BOOL IsAuthValueAvailable( TPM_HANDLE handle, // IN: handle of entity COMMAND_INDEX commandIndex, // IN: command index UINT32 sessionIndex // IN: session index ) { BOOL result = FALSE; // switch(HandleGetType(handle)) { case TPM_HT_PERMANENT: switch(handle) { // At this point hierarchy availability has already been // checked so primary seed handles are always available here case TPM_RH_OWNER: case TPM_RH_ENDORSEMENT: case TPM_RH_PLATFORM: #ifdef VENDOR_PERMANENT // This vendor defined handle associated with the // manufacturer's shared secret case VENDOR_PERMANENT: #endif // The DA checking has been performed on LockoutAuth but we // bypass the DA logic if we are using lockout policy. The // policy would allow execution to continue an lockoutAuth // could be used, even if direct use of lockoutAuth is disabled case TPM_RH_LOCKOUT: // NullAuth is always available. case TPM_RH_NULL: result = TRUE; break; FOR_EACH_ACT(CASE_ACT_HANDLE) { // The ACT auth value is not available if the platform is disabled result = g_phEnable == SET; break; } default: // Otherwise authValue is not available. break; } break; case TPM_HT_TRANSIENT: // A persistent object has already been loaded and the internal // handle changed. { OBJECT *object; TPMA_OBJECT attributes; // object = HandleToObject(handle); attributes = object->publicArea.objectAttributes; // authValue is always available for a sequence object. // An alternative for this is to // SET_ATTRIBUTE(object->publicArea, TPMA_OBJECT, userWithAuth) when the // sequence is started. if(ObjectIsSequence(object)) { result = TRUE; break; } // authValue is available for an object if it has its sensitive // portion loaded and // a) userWithAuth bit is SET, or // b) ADMIN role is required if(object->attributes.publicOnly == CLEAR && (IS_ATTRIBUTE(attributes, TPMA_OBJECT, userWithAuth) || (CommandAuthRole(commandIndex, sessionIndex) == AUTH_ADMIN && !IS_ATTRIBUTE(attributes, TPMA_OBJECT, adminWithPolicy)))) result = TRUE; } break; case TPM_HT_NV_INDEX: // NV Index. { NV_REF locator; NV_INDEX *nvIndex = NvGetIndexInfo(handle, &locator); TPMA_NV nvAttributes; // pAssert(nvIndex != 0); nvAttributes = nvIndex->publicArea.attributes; if(IsWriteOperation(commandIndex)) { // AuthWrite can't be set for a PIN index if(IS_ATTRIBUTE(nvAttributes, TPMA_NV, AUTHWRITE)) result = TRUE; } else { // A "read" operation // For a PIN Index, the authValue is available as long as the // Index has been written and the pinCount is less than pinLimit if(IsNvPinFailIndex(nvAttributes) || IsNvPinPassIndex(nvAttributes)) { NV_PIN pin; if(!IS_ATTRIBUTE(nvAttributes, TPMA_NV, WRITTEN)) break; // return false // get the index values pin.intVal = NvGetUINT64Data(nvIndex, locator); if(pin.pin.pinCount < pin.pin.pinLimit) result = TRUE; } // For non-PIN Indexes, need to allow use of the authValue else if(IS_ATTRIBUTE(nvAttributes, TPMA_NV, AUTHREAD)) result = TRUE; } } break; case TPM_HT_PCR: // PCR handle. // authValue is always allowed for PCR result = TRUE; break; default: // Otherwise, authValue is not available break; } return result; } //*** IsAuthPolicyAvailable() // This function indicates if an authPolicy is available and allowed. // // This function does not check that the handle reference is valid or if the entity // is in an enabled hierarchy. Those checks are assumed to have been performed // during the handle unmarshaling. // // Return Type: BOOL // TRUE(1) authPolicy is available // FALSE(0) authPolicy is not available static BOOL IsAuthPolicyAvailable( TPM_HANDLE handle, // IN: handle of entity COMMAND_INDEX commandIndex, // IN: command index UINT32 sessionIndex // IN: session index ) { BOOL result = FALSE; // switch(HandleGetType(handle)) { case TPM_HT_PERMANENT: switch(handle) { // At this point hierarchy availability has already been checked. case TPM_RH_OWNER: if(gp.ownerPolicy.t.size != 0) result = TRUE; break; case TPM_RH_ENDORSEMENT: if(gp.endorsementPolicy.t.size != 0) result = TRUE; break; case TPM_RH_PLATFORM: if(gc.platformPolicy.t.size != 0) result = TRUE; break; #define ACT_GET_POLICY(N) \ case TPM_RH_ACT_##N: \ if(go.ACT_##N.authPolicy.t.size != 0) \ result = TRUE; \ break; FOR_EACH_ACT(ACT_GET_POLICY) case TPM_RH_LOCKOUT: if(gp.lockoutPolicy.t.size != 0) result = TRUE; break; default: break; } break; case TPM_HT_TRANSIENT: { // Object handle. // An evict object would already have been loaded and given a // transient object handle by this point. OBJECT *object = HandleToObject(handle); // Policy authorization is not available for an object with only // public portion loaded. if(object->attributes.publicOnly == CLEAR) { // Policy authorization is always available for an object but // is never available for a sequence. if(!ObjectIsSequence(object)) result = TRUE; } break; } case TPM_HT_NV_INDEX: // An NV Index. { NV_INDEX *nvIndex = NvGetIndexInfo(handle, NULL); TPMA_NV nvAttributes = nvIndex->publicArea.attributes; // // If the policy size is not zero, check if policy can be used. if(nvIndex->publicArea.authPolicy.t.size != 0) { // If policy session is required for this handle, always // uses policy regardless of the attributes bit setting if(IsPolicySessionRequired(commandIndex, sessionIndex)) result = TRUE; // Otherwise, the presence of the policy depends on the NV // attributes. else if(IsWriteOperation(commandIndex)) { if(IS_ATTRIBUTE(nvAttributes, TPMA_NV, POLICYWRITE)) result = TRUE; } else { if(IS_ATTRIBUTE(nvAttributes, TPMA_NV, POLICYREAD)) result = TRUE; } } } break; case TPM_HT_PCR: // PCR handle. if(PCRPolicyIsAvailable(handle)) result = TRUE; break; default: break; } return result; } //** Session Parsing Functions //*** ClearCpRpHashes() void ClearCpRpHashes( COMMAND *command ) { // The macros expand according to the implemented hash algorithms. An IDE may // complain that COMMAND does not contain SHA1CpHash or SHA1RpHash because of the // complexity of the macro expansion where the data space is defined; but, if SHA1 // is implemented, it actually does and the compiler is happy. #define CLEAR_CP_HASH(HASH, Hash) command->Hash##CpHash.b.size = 0; FOR_EACH_HASH(CLEAR_CP_HASH) #define CLEAR_RP_HASH(HASH, Hash) command->Hash##RpHash.b.size = 0; FOR_EACH_HASH(CLEAR_RP_HASH) } //*** GetCpHashPointer() // Function to get a pointer to the cpHash of the command static TPM2B_DIGEST * GetCpHashPointer( COMMAND *command, TPMI_ALG_HASH hashAlg ) { TPM2B_DIGEST *retVal; // // Define the macro that will expand for each implemented algorithm in the switch // statement below. #define GET_CP_HASH_POINTER(HASH, Hash) \ case ALG_##HASH##_VALUE: \ retVal = (TPM2B_DIGEST *)&command->Hash##CpHash; \ break; switch(hashAlg) { // For each implemented hash, this will expand as defined above // by GET_CP_HASH_POINTER. Your IDE may complain that // 'struct "COMMAND" has no field "SHA1CpHash"' but the compiler says // it does, so... FOR_EACH_HASH(GET_CP_HASH_POINTER) default: retVal = NULL; break; } return retVal; } //*** GetRpHashPointer() // Function to get a pointer to the RpHash of the command static TPM2B_DIGEST * GetRpHashPointer( COMMAND *command, TPMI_ALG_HASH hashAlg ) { TPM2B_DIGEST *retVal; // // Define the macro that will expand for each implemented algorithm in the switch // statement below. #define GET_RP_HASH_POINTER(HASH, Hash) \ case ALG_##HASH##_VALUE: \ retVal = (TPM2B_DIGEST *)&command->Hash##RpHash; \ break; switch(hashAlg) { // For each implemented hash, this will expand as defined above // by GET_RP_HASH_POINTER. Your IDE may complain that // 'struct "COMMAND" has no field 'SHA1RpHash'" but the compiler says // it does, so... FOR_EACH_HASH(GET_RP_HASH_POINTER) default: retVal = NULL; break; } return retVal; } //*** ComputeCpHash() // This function computes the cpHash as defined in Part 2 and described in Part 1. static TPM2B_DIGEST * ComputeCpHash( COMMAND *command, // IN: command parsing structure TPMI_ALG_HASH hashAlg // IN: hash algorithm ) { UINT32 i; HASH_STATE hashState; TPM2B_NAME name; TPM2B_DIGEST *cpHash; // // cpHash = hash(commandCode [ || authName1 // [ || authName2 // [ || authName 3 ]]] // [ || parameters]) // A cpHash can contain just a commandCode only if the lone session is // an audit session. // Get pointer to the hash value cpHash = GetCpHashPointer(command, hashAlg); if(cpHash->t.size == 0) { cpHash->t.size = CryptHashStart(&hashState, hashAlg); // Add commandCode. CryptDigestUpdateInt(&hashState, sizeof(TPM_CC), command->code); // Add authNames for each of the handles. for(i = 0; i < command->handleNum; i++) CryptDigestUpdate2B(&hashState, &EntityGetName(command->handles[i], &name)->b); // Add the parameters. CryptDigestUpdate(&hashState, command->parameterSize, command->parameterBuffer); // Complete the hash. CryptHashEnd2B(&hashState, &cpHash->b); } return cpHash; } //*** GetCpHash() // This function is used to access a precomputed cpHash. static TPM2B_DIGEST * GetCpHash( COMMAND *command, TPMI_ALG_HASH hashAlg ) { TPM2B_DIGEST *cpHash = GetCpHashPointer(command, hashAlg); // pAssert(cpHash->t.size != 0); return cpHash; } //*** CompareTemplateHash() // This function computes the template hash and compares it to the session // templateHash. It is the hash of the second parameter // assuming that the command is TPM2_Create(), TPM2_CreatePrimary(), or // TPM2_CreateLoaded() // Return Type: BOOL // TRUE(1) template hash equal to session->templateHash // FALSE(0) template hash not equal to session->templateHash static BOOL CompareTemplateHash( COMMAND *command, // IN: parsing structure SESSION *session // IN: session data ) { BYTE *pBuffer = command->parameterBuffer; INT32 pSize = command->parameterSize; TPM2B_DIGEST tHash; UINT16 size; // // Only try this for the three commands for which it is intended if(command->code != TPM_CC_Create && command->code != TPM_CC_CreatePrimary #if CC_CreateLoaded && command->code != TPM_CC_CreateLoaded #endif ) return FALSE; // Assume that the first parameter is a TPM2B and unmarshal the size field // Note: this will not affect the parameter buffer and size in the calling // function. if(UINT16_Unmarshal(&size, &pBuffer, &pSize) != TPM_RC_SUCCESS) return FALSE; // reduce the space in the buffer. // NOTE: this could make pSize go negative if the parameters are not correct but // the unmarshaling code does not try to unmarshal if the remaining size is // negative. pSize -= size; // Advance the pointer pBuffer += size; // Get the size of what should be the template if(UINT16_Unmarshal(&size, &pBuffer, &pSize) != TPM_RC_SUCCESS) return FALSE; // See if this is reasonable if(size > pSize) return FALSE; // Hash the template data tHash.t.size = CryptHashBlock(session->authHashAlg, size, pBuffer, sizeof(tHash.t.buffer), tHash.t.buffer); return(MemoryEqual2B(&session->u1.templateHash.b, &tHash.b)); } //*** CompareNameHash() // This function computes the name hash and compares it to the nameHash in the // session data. BOOL CompareNameHash( COMMAND *command, // IN: main parsing structure SESSION *session // IN: session structure with nameHash ) { HASH_STATE hashState; TPM2B_DIGEST nameHash; UINT32 i; TPM2B_NAME name; // nameHash.t.size = CryptHashStart(&hashState, session->authHashAlg); // Add names. for(i = 0; i < command->handleNum; i++) CryptDigestUpdate2B(&hashState, &EntityGetName(command->handles[i], &name)->b); // Complete hash. CryptHashEnd2B(&hashState, &nameHash.b); // and compare return MemoryEqual(session->u1.nameHash.t.buffer, nameHash.t.buffer, nameHash.t.size); } //*** CheckPWAuthSession() // This function validates the authorization provided in a PWAP session. It // compares the input value to authValue of the authorized entity. Argument // sessionIndex is used to get handles handle of the referenced entities from // s_inputAuthValues[] and s_associatedHandles[]. // // Return Type: TPM_RC // TPM_RC_AUTH_FAIL authorization fails and increments DA failure // count // TPM_RC_BAD_AUTH authorization fails but DA does not apply // static TPM_RC CheckPWAuthSession( UINT32 sessionIndex // IN: index of session to be processed ) { TPM2B_AUTH authValue; TPM_HANDLE associatedHandle = s_associatedHandles[sessionIndex]; // // Strip trailing zeros from the password. MemoryRemoveTrailingZeros(&s_inputAuthValues[sessionIndex]); // Get the authValue with trailing zeros removed EntityGetAuthValue(associatedHandle, &authValue); // Success if the values are identical. if(MemoryEqual2B(&s_inputAuthValues[sessionIndex].b, &authValue.b)) { return TPM_RC_SUCCESS; } else // if the digests are not identical { // Invoke DA protection if applicable. return IncrementLockout(sessionIndex); } } //*** ComputeCommandHMAC() // This function computes the HMAC for an authorization session in a command. /*(See part 1 specification -- this tag keeps this comment from showing up in // merged document which is probably good because this comment doesn't look right. // The sessionAuth value // authHMAC := HMACsHash((sessionKey | authValue), // (pHash | nonceNewer | nonceOlder | nonceTPMencrypt-only // | nonceTPMaudit | sessionAttributes)) // Where: // HMACsHash() The HMAC algorithm using the hash algorithm specified // when the session was started. // // sessionKey A value that is computed in a protocol-dependent way, // using KDFa. When used in an HMAC or KDF, the size field // for this value is not included. // // authValue A value that is found in the sensitive area of an entity. // When used in an HMAC or KDF, the size field for this // value is not included. // // pHash Hash of the command (cpHash) using the session hash. // When using a pHash in an HMAC computation, only the // digest is used. // // nonceNewer A value that is generated by the entity using the // session. A new nonce is generated on each use of the // session. For a command, this will be nonceCaller. // When used in an HMAC or KDF, the size field is not used. // // nonceOlder A TPM2B_NONCE that was received the previous time the // session was used. For a command, this is nonceTPM. // When used in an HMAC or KDF, the size field is not used. // // nonceTPMdecrypt The nonceTPM of the decrypt session is included in // the HMAC, but only in the command. // // nonceTPMencrypt The nonceTPM of the encrypt session is included in // the HMAC but only in the command. // // sessionAttributes A byte indicating the attributes associated with the // particular use of the session. */ static TPM2B_DIGEST * ComputeCommandHMAC( COMMAND *command, // IN: primary control structure UINT32 sessionIndex, // IN: index of session to be processed TPM2B_DIGEST *hmac // OUT: authorization HMAC ) { TPM2B_TYPE(KEY, (sizeof(AUTH_VALUE) * 2)); TPM2B_KEY key; BYTE marshalBuffer[sizeof(TPMA_SESSION)]; BYTE *buffer; UINT32 marshalSize; HMAC_STATE hmacState; TPM2B_NONCE *nonceDecrypt; TPM2B_NONCE *nonceEncrypt; SESSION *session; // nonceDecrypt = NULL; nonceEncrypt = NULL; // Determine if extra nonceTPM values are going to be required. // If this is the first session (sessionIndex = 0) and it is an authorization // session that uses an HMAC, then check if additional session nonces are to be // included. if(sessionIndex == 0 && s_associatedHandles[sessionIndex] != TPM_RH_UNASSIGNED) { // If there is a decrypt session and if this is not the decrypt session, // then an extra nonce may be needed. if(s_decryptSessionIndex != UNDEFINED_INDEX && s_decryptSessionIndex != sessionIndex) { // Will add the nonce for the decrypt session. SESSION *decryptSession = SessionGet(s_sessionHandles[s_decryptSessionIndex]); nonceDecrypt = &decryptSession->nonceTPM; } // Now repeat for the encrypt session. if(s_encryptSessionIndex != UNDEFINED_INDEX && s_encryptSessionIndex != sessionIndex && s_encryptSessionIndex != s_decryptSessionIndex) { // Have to have the nonce for the encrypt session. SESSION *encryptSession = SessionGet(s_sessionHandles[s_encryptSessionIndex]); nonceEncrypt = &encryptSession->nonceTPM; } } // Continue with the HMAC processing. session = SessionGet(s_sessionHandles[sessionIndex]); // Generate HMAC key. MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer)); // Check if the session has an associated handle and if the associated entity // is the one to which the session is bound. If not, add the authValue of // this entity to the HMAC key. // If the session is bound to the object or the session is a policy session // with no authValue required, do not include the authValue in the HMAC key. // Note: For a policy session, its isBound attribute is CLEARED. // // Include the entity authValue if it is needed if(session->attributes.includeAuth == SET) { TPM2B_AUTH authValue; // Get the entity authValue with trailing zeros removed EntityGetAuthValue(s_associatedHandles[sessionIndex], &authValue); // add the authValue to the HMAC key MemoryConcat2B(&key.b, &authValue.b, sizeof(key.t.buffer)); } // if the HMAC key size is 0, a NULL string HMAC is allowed if(key.t.size == 0 && s_inputAuthValues[sessionIndex].t.size == 0) { hmac->t.size = 0; return hmac; } // Start HMAC hmac->t.size = CryptHmacStart2B(&hmacState, session->authHashAlg, &key.b); // Add cpHash CryptDigestUpdate2B(&hmacState.hashState, &ComputeCpHash(command, session->authHashAlg)->b); // Add nonces as required CryptDigestUpdate2B(&hmacState.hashState, &s_nonceCaller[sessionIndex].b); CryptDigestUpdate2B(&hmacState.hashState, &session->nonceTPM.b); if(nonceDecrypt != NULL) CryptDigestUpdate2B(&hmacState.hashState, &nonceDecrypt->b); if(nonceEncrypt != NULL) CryptDigestUpdate2B(&hmacState.hashState, &nonceEncrypt->b); // Add sessionAttributes buffer = marshalBuffer; marshalSize = TPMA_SESSION_Marshal(&(s_attributes[sessionIndex]), &buffer, NULL); CryptDigestUpdate(&hmacState.hashState, marshalSize, marshalBuffer); // Complete the HMAC computation CryptHmacEnd2B(&hmacState, &hmac->b); return hmac; } //*** CheckSessionHMAC() // This function checks the HMAC of in a session. It uses ComputeCommandHMAC() // to compute the expected HMAC value and then compares the result with the // HMAC in the authorization session. The authorization is successful if they // are the same. // // If the authorizations are not the same, IncrementLockout() is called. It will // return TPM_RC_AUTH_FAIL if the failure caused the failureCount to increment. // Otherwise, it will return TPM_RC_BAD_AUTH. // // Return Type: TPM_RC // TPM_RC_AUTH_FAIL authorization failure caused failureCount increment // TPM_RC_BAD_AUTH authorization failure did not cause failureCount // increment // static TPM_RC CheckSessionHMAC( COMMAND *command, // IN: primary control structure UINT32 sessionIndex // IN: index of session to be processed ) { TPM2B_DIGEST hmac; // authHMAC for comparing // // Compute authHMAC ComputeCommandHMAC(command, sessionIndex, &hmac); // Compare the input HMAC with the authHMAC computed above. if(!MemoryEqual2B(&s_inputAuthValues[sessionIndex].b, &hmac.b)) { // If an HMAC session has a failure, invoke the anti-hammering // if it applies to the authorized entity or the session. // Otherwise, just indicate that the authorization is bad. return IncrementLockout(sessionIndex); } return TPM_RC_SUCCESS; } //*** CheckPolicyAuthSession() // This function is used to validate the authorization in a policy session. // This function performs the following comparisons to see if a policy // authorization is properly provided. The check are: // a) compare policyDigest in session with authPolicy associated with // the entity to be authorized; // b) compare timeout if applicable; // c) compare commandCode if applicable; // d) compare cpHash if applicable; and // e) see if PCR values have changed since computed. // // If all the above checks succeed, the handle is authorized. // The order of these comparisons is not important because any failure will // result in the same error code. // // Return Type: TPM_RC // TPM_RC_PCR_CHANGED PCR value is not current // TPM_RC_POLICY_FAIL policy session fails // TPM_RC_LOCALITY command locality is not allowed // TPM_RC_POLICY_CC CC doesn't match // TPM_RC_EXPIRED policy session has expired // TPM_RC_PP PP is required but not asserted // TPM_RC_NV_UNAVAILABLE NV is not available for write // TPM_RC_NV_RATE NV is rate limiting static TPM_RC CheckPolicyAuthSession( COMMAND *command, // IN: primary parsing structure UINT32 sessionIndex // IN: index of session to be processed ) { SESSION *session; TPM2B_DIGEST authPolicy; TPMI_ALG_HASH policyAlg; UINT8 locality; // // Initialize pointer to the authorization session. session = SessionGet(s_sessionHandles[sessionIndex]); // If the command is TPM2_PolicySecret(), make sure that // either password or authValue is required if(command->code == TPM_CC_PolicySecret && session->attributes.isPasswordNeeded == CLEAR && session->attributes.isAuthValueNeeded == CLEAR) return TPM_RC_MODE; // See if the PCR counter for the session is still valid. if(!SessionPCRValueIsCurrent(session)) return TPM_RC_PCR_CHANGED; // Get authPolicy. policyAlg = EntityGetAuthPolicy(s_associatedHandles[sessionIndex], &authPolicy); // Compare authPolicy. if(!MemoryEqual2B(&session->u2.policyDigest.b, &authPolicy.b)) return TPM_RC_POLICY_FAIL; // Policy is OK so check if the other factors are correct // Compare policy hash algorithm. if(policyAlg != session->authHashAlg) return TPM_RC_POLICY_FAIL; // Compare timeout. if(session->timeout != 0) { // Cannot compare time if clock stop advancing. An TPM_RC_NV_UNAVAILABLE // or TPM_RC_NV_RATE error may be returned here. This doesn't mean that // a new nonce will be created just that, because TPM time can't advance // we can't do time-based operations. RETURN_IF_NV_IS_NOT_AVAILABLE; if((session->timeout < g_time) || (session->epoch != g_timeEpoch)) return TPM_RC_EXPIRED; } // If command code is provided it must match if(session->commandCode != 0) { if(session->commandCode != command->code) return TPM_RC_POLICY_CC; } else { // If command requires a DUP or ADMIN authorization, the session must have // command code set. AUTH_ROLE role = CommandAuthRole(command->index, sessionIndex); if(role == AUTH_ADMIN || role == AUTH_DUP) return TPM_RC_POLICY_FAIL; } // Check command locality. { BYTE sessionLocality[sizeof(TPMA_LOCALITY)]; BYTE *buffer = sessionLocality; // Get existing locality setting in canonical form sessionLocality[0] = 0; TPMA_LOCALITY_Marshal(&session->commandLocality, &buffer, NULL); // See if the locality has been set if(sessionLocality[0] != 0) { // If so, get the current locality locality = _plat__LocalityGet(); if(locality < 5) { if(((sessionLocality[0] & (1 << locality)) == 0) || sessionLocality[0] > 31) return TPM_RC_LOCALITY; } else if(locality > 31) { if(sessionLocality[0] != locality) return TPM_RC_LOCALITY; } else { // Could throw an assert here but a locality error is just // as good. It just means that, whatever the locality is, it isn't // the locality requested so... return TPM_RC_LOCALITY; } } } // end of locality check // Check physical presence. if(session->attributes.isPPRequired == SET && !_plat__PhysicalPresenceAsserted()) return TPM_RC_PP; // Compare cpHash/nameHash if defined, or if the command requires an ADMIN or // DUP role for this handle. if(session->u1.cpHash.b.size != 0) { BOOL OK; if(session->attributes.isCpHashDefined) // Compare cpHash. OK = MemoryEqual2B(&session->u1.cpHash.b, &ComputeCpHash(command, session->authHashAlg)->b); else if(session->attributes.isTemplateSet) OK = CompareTemplateHash(command, session); else OK = CompareNameHash(command, session); if(!OK) return TPM_RCS_POLICY_FAIL; } if(session->attributes.checkNvWritten) { NV_REF locator; NV_INDEX *nvIndex; // // If this is not an NV index, the policy makes no sense so fail it. if(HandleGetType(s_associatedHandles[sessionIndex]) != TPM_HT_NV_INDEX) return TPM_RC_POLICY_FAIL; // Get the index data nvIndex = NvGetIndexInfo(s_associatedHandles[sessionIndex], &locator); // Make sure that the TPMA_WRITTEN_ATTRIBUTE has the desired state if((IS_ATTRIBUTE(nvIndex->publicArea.attributes, TPMA_NV, WRITTEN)) != (session->attributes.nvWrittenState == SET)) return TPM_RC_POLICY_FAIL; } return TPM_RC_SUCCESS; } //*** RetrieveSessionData() // This function will unmarshal the sessions in the session area of a command. The // values are placed in the arrays that are defined at the beginning of this file. // The normal unmarshaling errors are possible. // // Return Type: TPM_RC // TPM_RC_SUCCSS unmarshaled without error // TPM_RC_SIZE the number of bytes unmarshaled is not the same // as the value for authorizationSize in the command // static TPM_RC RetrieveSessionData( COMMAND *command // IN: main parsing structure for command ) { int i; TPM_RC result; SESSION *session; TPMA_SESSION sessionAttributes; TPM_HT sessionType; INT32 sessionIndex; TPM_RC errorIndex; // s_decryptSessionIndex = UNDEFINED_INDEX; s_encryptSessionIndex = UNDEFINED_INDEX; s_auditSessionIndex = UNDEFINED_INDEX; for(sessionIndex = 0; command->authSize > 0; sessionIndex++) { errorIndex = TPM_RC_S + g_rcIndex[sessionIndex]; // If maximum allowed number of sessions has been parsed, return a size // error with a session number that is larger than the number of allowed // sessions if(sessionIndex == MAX_SESSION_NUM) return TPM_RCS_SIZE + errorIndex; // make sure that the associated handle for each session starts out // unassigned s_associatedHandles[sessionIndex] = TPM_RH_UNASSIGNED; // First parameter: Session handle. result = TPMI_SH_AUTH_SESSION_Unmarshal( &s_sessionHandles[sessionIndex], &command->parameterBuffer, &command->authSize, TRUE); if(result != TPM_RC_SUCCESS) return result + TPM_RC_S + g_rcIndex[sessionIndex]; // Second parameter: Nonce. result = TPM2B_NONCE_Unmarshal(&s_nonceCaller[sessionIndex], &command->parameterBuffer, &command->authSize); if(result != TPM_RC_SUCCESS) return result + TPM_RC_S + g_rcIndex[sessionIndex]; // Third parameter: sessionAttributes. result = TPMA_SESSION_Unmarshal(&s_attributes[sessionIndex], &command->parameterBuffer, &command->authSize); if(result != TPM_RC_SUCCESS) return result + TPM_RC_S + g_rcIndex[sessionIndex]; // Fourth parameter: authValue (PW or HMAC). result = TPM2B_AUTH_Unmarshal(&s_inputAuthValues[sessionIndex], &command->parameterBuffer, &command->authSize); if(result != TPM_RC_SUCCESS) return result + errorIndex; sessionAttributes = s_attributes[sessionIndex]; if(s_sessionHandles[sessionIndex] == TPM_RS_PW) { // A PWAP session needs additional processing. // Can't have any attributes set other than continueSession bit if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, encrypt) || IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, decrypt) || IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, audit) || IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, auditExclusive) || IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, auditReset)) return TPM_RCS_ATTRIBUTES + errorIndex; // The nonce size must be zero. if(s_nonceCaller[sessionIndex].t.size != 0) return TPM_RCS_NONCE + errorIndex; continue; } // For not password sessions... // Find out if the session is loaded. if(!SessionIsLoaded(s_sessionHandles[sessionIndex])) return TPM_RC_REFERENCE_S0 + sessionIndex; sessionType = HandleGetType(s_sessionHandles[sessionIndex]); session = SessionGet(s_sessionHandles[sessionIndex]); // Check if the session is an HMAC/policy session. if((session->attributes.isPolicy == SET && sessionType == TPM_HT_HMAC_SESSION) || (session->attributes.isPolicy == CLEAR && sessionType == TPM_HT_POLICY_SESSION)) return TPM_RCS_HANDLE + errorIndex; // Check that this handle has not previously been used. for(i = 0; i < sessionIndex; i++) { if(s_sessionHandles[i] == s_sessionHandles[sessionIndex]) return TPM_RCS_HANDLE + errorIndex; } // If the session is used for parameter encryption or audit as well, set // the corresponding Indexes. // First process decrypt. if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, decrypt)) { // Check if the commandCode allows command parameter encryption. if(DecryptSize(command->index) == 0) return TPM_RCS_ATTRIBUTES + errorIndex; // Encrypt attribute can only appear in one session if(s_decryptSessionIndex != UNDEFINED_INDEX) return TPM_RCS_ATTRIBUTES + errorIndex; // Can't decrypt if the session's symmetric algorithm is TPM_ALG_NULL if(session->symmetric.algorithm == TPM_ALG_NULL) return TPM_RCS_SYMMETRIC + errorIndex; // All checks passed, so set the index for the session used to decrypt // a command parameter. s_decryptSessionIndex = sessionIndex; } // Now process encrypt. if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, encrypt)) { // Check if the commandCode allows response parameter encryption. if(EncryptSize(command->index) == 0) return TPM_RCS_ATTRIBUTES + errorIndex; // Encrypt attribute can only appear in one session. if(s_encryptSessionIndex != UNDEFINED_INDEX) return TPM_RCS_ATTRIBUTES + errorIndex; // Can't encrypt if the session's symmetric algorithm is TPM_ALG_NULL if(session->symmetric.algorithm == TPM_ALG_NULL) return TPM_RCS_SYMMETRIC + errorIndex; // All checks passed, so set the index for the session used to encrypt // a response parameter. s_encryptSessionIndex = sessionIndex; } // At last process audit. if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, audit)) { // Audit attribute can only appear in one session. if(s_auditSessionIndex != UNDEFINED_INDEX) return TPM_RCS_ATTRIBUTES + errorIndex; // An audit session can not be policy session. if(HandleGetType(s_sessionHandles[sessionIndex]) == TPM_HT_POLICY_SESSION) return TPM_RCS_ATTRIBUTES + errorIndex; // If this is a reset of the audit session, or the first use // of the session as an audit session, it doesn't matter what // the exclusive state is. The session will become exclusive. if(!IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, auditReset) && session->attributes.isAudit == SET) { // Not first use or reset. If auditExlusive is SET, then this // session must be the current exclusive session. if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, auditExclusive) && g_exclusiveAuditSession != s_sessionHandles[sessionIndex]) return TPM_RC_EXCLUSIVE; } s_auditSessionIndex = sessionIndex; } // Initialize associated handle as undefined. This will be changed when // the handles are processed. s_associatedHandles[sessionIndex] = TPM_RH_UNASSIGNED; } command->sessionNum = sessionIndex; return TPM_RC_SUCCESS; } //*** CheckLockedOut() // This function checks to see if the TPM is in lockout. This function should only // be called if the entity being checked is subject to DA protection. The TPM // is in lockout if the NV is not available and a DA write is pending. Otherwise // the TPM is locked out if checking for lockoutAuth ('lockoutAuthCheck' == TRUE) // and use of lockoutAuth is disabled, or 'failedTries' >= 'maxTries' // Return Type: TPM_RC // TPM_RC_NV_RATE NV is rate limiting // TPM_RC_NV_UNAVAILABLE NV is not available at this time // TPM_RC_LOCKOUT TPM is in lockout static TPM_RC CheckLockedOut( BOOL lockoutAuthCheck // IN: TRUE if checking is for lockoutAuth ) { // If NV is unavailable, and current cycle state recorded in NV is not // SU_NONE_VALUE, refuse to check any authorization because we would // not be able to handle a DA failure. if(!NV_IS_AVAILABLE && NV_IS_ORDERLY) return g_NvStatus; // Check if DA info needs to be updated in NV. if(s_DAPendingOnNV) { // If NV is accessible, RETURN_IF_NV_IS_NOT_AVAILABLE; // ... write the pending DA data and proceed. NV_SYNC_PERSISTENT(lockOutAuthEnabled); NV_SYNC_PERSISTENT(failedTries); s_DAPendingOnNV = FALSE; } // Lockout is in effect if checking for lockoutAuth and use of lockoutAuth // is disabled... if(lockoutAuthCheck) { if(gp.lockOutAuthEnabled == FALSE) return TPM_RC_LOCKOUT; } else { // ... or if the number of failed tries has been maxed out. if(gp.failedTries >= gp.maxTries) return TPM_RC_LOCKOUT; #if USE_DA_USED // If the daUsed flag is not SET, then no DA validation until the // daUsed state is written to NV if(!g_daUsed) { RETURN_IF_NV_IS_NOT_AVAILABLE; g_daUsed = TRUE; gp.orderlyState = SU_DA_USED_VALUE; NV_SYNC_PERSISTENT(orderlyState); return TPM_RC_RETRY; } #endif } return TPM_RC_SUCCESS; } //*** CheckAuthSession() // This function checks that the authorization session properly authorizes the // use of the associated handle. // // Return Type: TPM_RC // TPM_RC_LOCKOUT entity is protected by DA and TPM is in // lockout, or TPM is locked out on NV update // pending on DA parameters // // TPM_RC_PP Physical Presence is required but not provided // TPM_RC_AUTH_FAIL HMAC or PW authorization failed // with DA side-effects (can be a policy session) // // TPM_RC_BAD_AUTH HMAC or PW authorization failed without DA // side-effects (can be a policy session) // // TPM_RC_POLICY_FAIL if policy session fails // TPM_RC_POLICY_CC command code of policy was wrong // TPM_RC_EXPIRED the policy session has expired // TPM_RC_PCR // TPM_RC_AUTH_UNAVAILABLE authValue or authPolicy unavailable static TPM_RC CheckAuthSession( COMMAND *command, // IN: primary parsing structure UINT32 sessionIndex // IN: index of session to be processed ) { TPM_RC result = TPM_RC_SUCCESS; SESSION *session = NULL; TPM_HANDLE sessionHandle = s_sessionHandles[sessionIndex]; TPM_HANDLE associatedHandle = s_associatedHandles[sessionIndex]; TPM_HT sessionHandleType = HandleGetType(sessionHandle); BOOL authUsed; // pAssert(sessionHandle != TPM_RH_UNASSIGNED); // Take care of physical presence if(associatedHandle == TPM_RH_PLATFORM) { // If the physical presence is required for this command, check for PP // assertion. If it isn't asserted, no point going any further. if(PhysicalPresenceIsRequired(command->index) && !_plat__PhysicalPresenceAsserted()) return TPM_RC_PP; } if(sessionHandle != TPM_RS_PW) { session = SessionGet(sessionHandle); // Set includeAuth to indicate if DA checking will be required and if the // authValue will be included in any HMAC. if(sessionHandleType == TPM_HT_POLICY_SESSION) { // For a policy session, will check the DA status of the entity if either // isAuthValueNeeded or isPasswordNeeded is SET. session->attributes.includeAuth = session->attributes.isAuthValueNeeded || session->attributes.isPasswordNeeded; } else { // For an HMAC session, need to check unless the session // is bound. session->attributes.includeAuth = !IsSessionBindEntity(s_associatedHandles[sessionIndex], session); } authUsed = session->attributes.includeAuth; } else // Password session authUsed = TRUE; // If the authorization session is going to use an authValue, then make sure // that access to that authValue isn't locked out. if(authUsed) { // See if entity is subject to lockout. if(!IsDAExempted(associatedHandle)) { // See if in lockout result = CheckLockedOut(associatedHandle == TPM_RH_LOCKOUT); if(result != TPM_RC_SUCCESS) return result; } } // Policy or HMAC+PW? if(sessionHandleType != TPM_HT_POLICY_SESSION) { // for non-policy session make sure that a policy session is not required if(IsPolicySessionRequired(command->index, sessionIndex)) return TPM_RC_AUTH_TYPE; // The authValue must be available. // Note: The authValue is going to be "used" even if it is an EmptyAuth. // and the session is bound. if(!IsAuthValueAvailable(associatedHandle, command->index, sessionIndex)) return TPM_RC_AUTH_UNAVAILABLE; } else { // ... see if the entity has a policy, ... // Note: IsAuthPolicyAvalable will return FALSE if the sensitive area of the // object is not loaded if(!IsAuthPolicyAvailable(associatedHandle, command->index, sessionIndex)) return TPM_RC_AUTH_UNAVAILABLE; // ... and check the policy session. result = CheckPolicyAuthSession(command, sessionIndex); if(result != TPM_RC_SUCCESS) return result; } // Check authorization according to the type if((TPM_RS_PW == sessionHandle) || (session->attributes.isPasswordNeeded == SET)) result = CheckPWAuthSession(sessionIndex); else result = CheckSessionHMAC(command, sessionIndex); // Do processing for PIN Indexes are only three possibilities for 'result' at // this point: TPM_RC_SUCCESS, TPM_RC_AUTH_FAIL, and TPM_RC_BAD_AUTH. // For all these cases, we would have to process a PIN index if the // authValue of the index was used for authorization. if((TPM_HT_NV_INDEX == HandleGetType(associatedHandle)) && authUsed) { NV_REF locator; NV_INDEX *nvIndex = NvGetIndexInfo(associatedHandle, &locator); NV_PIN pinData; TPMA_NV nvAttributes; // pAssert(nvIndex != NULL); nvAttributes = nvIndex->publicArea.attributes; // If this is a PIN FAIL index and the value has been written // then we can update the counter (increment or clear) if(IsNvPinFailIndex(nvAttributes) && IS_ATTRIBUTE(nvAttributes, TPMA_NV, WRITTEN)) { pinData.intVal = NvGetUINT64Data(nvIndex, locator); if(result != TPM_RC_SUCCESS) pinData.pin.pinCount++; else pinData.pin.pinCount = 0; NvWriteUINT64Data(nvIndex, pinData.intVal); } // If this is a PIN PASS Index, increment if we have used the // authorization value. // NOTE: If the counter has already hit the limit, then we // would not get here because the authorization value would not // be available and the TPM would have returned before it gets here else if(IsNvPinPassIndex(nvAttributes) && IS_ATTRIBUTE(nvAttributes, TPMA_NV, WRITTEN) && result == TPM_RC_SUCCESS) { // If the access is valid, then increment the use counter pinData.intVal = NvGetUINT64Data(nvIndex, locator); pinData.pin.pinCount++; NvWriteUINT64Data(nvIndex, pinData.intVal); } } return result; } #ifdef TPM_CC_GetCommandAuditDigest //*** CheckCommandAudit() // This function is called before the command is processed if audit is enabled // for the command. It will check to see if the audit can be performed and // will ensure that the cpHash is available for the audit. // Return Type: TPM_RC // TPM_RC_NV_UNAVAILABLE NV is not available for write // TPM_RC_NV_RATE NV is rate limiting static TPM_RC CheckCommandAudit( COMMAND *command ) { // If the audit digest is clear and command audit is required, NV must be // available so that TPM2_GetCommandAuditDigest() is able to increment // audit counter. If NV is not available, the function bails out to prevent // the TPM from attempting an operation that would fail anyway. if(gr.commandAuditDigest.t.size == 0 || GetCommandCode(command->index) == TPM_CC_GetCommandAuditDigest) { RETURN_IF_NV_IS_NOT_AVAILABLE; } // Make sure that the cpHash is computed for the algorithm ComputeCpHash(command, gp.auditHashAlg); return TPM_RC_SUCCESS; } #endif //*** ParseSessionBuffer() // This function is the entry function for command session processing. // It iterates sessions in session area and reports if the required authorization // has been properly provided. It also processes audit session and passes the // information of encryption sessions to parameter encryption module. // // Return Type: TPM_RC // various parsing failure or authorization failure // TPM_RC ParseSessionBuffer( COMMAND *command // IN: the structure that contains ) { TPM_RC result; UINT32 i; INT32 size = 0; TPM2B_AUTH extraKey; UINT32 sessionIndex; TPM_RC errorIndex; SESSION *session = NULL; // // Check if a command allows any session in its session area. if(!IsSessionAllowed(command->index)) return TPM_RC_AUTH_CONTEXT; // Default-initialization. command->sessionNum = 0; result = RetrieveSessionData(command); if(result != TPM_RC_SUCCESS) return result; // There is no command in the TPM spec that has more handles than // MAX_SESSION_NUM. pAssert(command->handleNum <= MAX_SESSION_NUM); // Associate the session with an authorization handle. for(i = 0; i < command->handleNum; i++) { if(CommandAuthRole(command->index, i) != AUTH_NONE) { // If the received session number is less than the number of handles // that requires authorization, an error should be returned. // Note: for all the TPM 2.0 commands, handles requiring // authorization come first in a command input and there are only ever // two values requiring authorization if(i > (command->sessionNum - 1)) return TPM_RC_AUTH_MISSING; // Record the handle associated with the authorization session s_associatedHandles[i] = command->handles[i]; } } // Consistency checks are done first to avoid authorization failure when the // command will not be executed anyway. for(sessionIndex = 0; sessionIndex < command->sessionNum; sessionIndex++) { errorIndex = TPM_RC_S + g_rcIndex[sessionIndex]; // PW session must be an authorization session if(s_sessionHandles[sessionIndex] == TPM_RS_PW) { if(s_associatedHandles[sessionIndex] == TPM_RH_UNASSIGNED) return TPM_RCS_HANDLE + errorIndex; // a password session can't be audit, encrypt or decrypt if(IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, audit) || IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, encrypt) || IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, decrypt)) return TPM_RCS_ATTRIBUTES + errorIndex; session = NULL; } else { session = SessionGet(s_sessionHandles[sessionIndex]); // A trial session can not appear in session area, because it cannot // be used for authorization, audit or encrypt/decrypt. if(session->attributes.isTrialPolicy == SET) return TPM_RCS_ATTRIBUTES + errorIndex; // See if the session is bound to a DA protected entity // NOTE: Since a policy session is never bound, a policy is still // usable even if the object is DA protected and the TPM is in // lockout. if(session->attributes.isDaBound == SET) { result = CheckLockedOut(session->attributes.isLockoutBound == SET); if(result != TPM_RC_SUCCESS) return result; } // If this session is for auditing, make sure the cpHash is computed. if(IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, audit)) ComputeCpHash(command, session->authHashAlg); } // if the session has an associated handle, check the authorization if(s_associatedHandles[sessionIndex] != TPM_RH_UNASSIGNED) { result = CheckAuthSession(command, sessionIndex); if(result != TPM_RC_SUCCESS) return RcSafeAddToResult(result, errorIndex); } else { // a session that is not for authorization must either be encrypt, // decrypt, or audit if(!IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, audit) && !IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, encrypt) && !IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, decrypt)) return TPM_RCS_ATTRIBUTES + errorIndex; // no authValue included in any of the HMAC computations pAssert(session != NULL); session->attributes.includeAuth = CLEAR; // check HMAC for encrypt/decrypt/audit only sessions result = CheckSessionHMAC(command, sessionIndex); if(result != TPM_RC_SUCCESS) return RcSafeAddToResult(result, errorIndex); } } #ifdef TPM_CC_GetCommandAuditDigest // Check if the command should be audited. Need to do this before any parameter // encryption so that the cpHash for the audit is correct if(CommandAuditIsRequired(command->index)) { result = CheckCommandAudit(command); if(result != TPM_RC_SUCCESS) return result; // No session number to reference } #endif // Decrypt the first parameter if applicable. This should be the last operation // in session processing. // If the encrypt session is associated with a handle and the handle's // authValue is available, then authValue is concatenated with sessionKey to // generate encryption key, no matter if the handle is the session bound entity // or not. if(s_decryptSessionIndex != UNDEFINED_INDEX) { // If this is an authorization session, include the authValue in the // generation of the decryption key if(s_associatedHandles[s_decryptSessionIndex] != TPM_RH_UNASSIGNED) { EntityGetAuthValue(s_associatedHandles[s_decryptSessionIndex], &extraKey); } else { extraKey.b.size = 0; } size = DecryptSize(command->index); result = CryptParameterDecryption(s_sessionHandles[s_decryptSessionIndex], &s_nonceCaller[s_decryptSessionIndex].b, command->parameterSize, (UINT16)size, &extraKey, command->parameterBuffer); if(result != TPM_RC_SUCCESS) return RcSafeAddToResult(result, TPM_RC_S + g_rcIndex[s_decryptSessionIndex]); } return TPM_RC_SUCCESS; } //*** CheckAuthNoSession() // Function to process a command with no session associated. // The function makes sure all the handles in the command require no authorization. // // Return Type: TPM_RC // TPM_RC_AUTH_MISSING failure - one or more handles require // authorization TPM_RC CheckAuthNoSession( COMMAND *command // IN: command parsing structure ) { UINT32 i; TPM_RC result = TPM_RC_SUCCESS; // // Check if the command requires authorization for(i = 0; i < command->handleNum; i++) { if(CommandAuthRole(command->index, i) != AUTH_NONE) return TPM_RC_AUTH_MISSING; } #ifdef TPM_CC_GetCommandAuditDigest // Check if the command should be audited. if(CommandAuditIsRequired(command->index)) { result = CheckCommandAudit(command); if(result != TPM_RC_SUCCESS) return result; } #endif // Initialize number of sessions to be 0 command->sessionNum = 0; return TPM_RC_SUCCESS; } //** Response Session Processing //*** Introduction // // The following functions build the session area in a response and handle // the audit sessions (if present). // //*** ComputeRpHash() // Function to compute rpHash (Response Parameter Hash). The rpHash is only // computed if there is an HMAC authorization session and the return code is // TPM_RC_SUCCESS. static TPM2B_DIGEST * ComputeRpHash( COMMAND *command, // IN: command structure TPM_ALG_ID hashAlg // IN: hash algorithm to compute rpHash ) { TPM2B_DIGEST *rpHash = GetRpHashPointer(command, hashAlg); HASH_STATE hashState; // if(rpHash->t.size == 0) { // rpHash := hash(responseCode || commandCode || parameters) // Initiate hash creation. rpHash->t.size = CryptHashStart(&hashState, hashAlg); // Add hash constituents. CryptDigestUpdateInt(&hashState, sizeof(TPM_RC), TPM_RC_SUCCESS); CryptDigestUpdateInt(&hashState, sizeof(TPM_CC), command->code); CryptDigestUpdate(&hashState, command->parameterSize, command->parameterBuffer); // Complete hash computation. CryptHashEnd2B(&hashState, &rpHash->b); } return rpHash; } //*** InitAuditSession() // This function initializes the audit data in an audit session. static void InitAuditSession( SESSION *session // session to be initialized ) { // Mark session as an audit session. session->attributes.isAudit = SET; // Audit session can not be bound. session->attributes.isBound = CLEAR; // Size of the audit log is the size of session hash algorithm digest. session->u2.auditDigest.t.size = CryptHashGetDigestSize(session->authHashAlg); // Set the original digest value to be 0. MemorySet(&session->u2.auditDigest.t.buffer, 0, session->u2.auditDigest.t.size); return; } //*** UpdateAuditDigest // Function to update an audit digest static void UpdateAuditDigest( COMMAND *command, TPMI_ALG_HASH hashAlg, TPM2B_DIGEST *digest ) { HASH_STATE hashState; TPM2B_DIGEST *cpHash = GetCpHash(command, hashAlg); TPM2B_DIGEST *rpHash = ComputeRpHash(command, hashAlg); // pAssert(cpHash != NULL); // digestNew := hash (digestOld || cpHash || rpHash) // Start hash computation. digest->t.size = CryptHashStart(&hashState, hashAlg); // Add old digest. CryptDigestUpdate2B(&hashState, &digest->b); // Add cpHash CryptDigestUpdate2B(&hashState, &cpHash->b); // Add rpHash CryptDigestUpdate2B(&hashState, &rpHash->b); // Finalize the hash. CryptHashEnd2B(&hashState, &digest->b); } //*** Audit() //This function updates the audit digest in an audit session. static void Audit( COMMAND *command, // IN: primary control structure SESSION *auditSession // IN: loaded audit session ) { UpdateAuditDigest(command, auditSession->authHashAlg, &auditSession->u2.auditDigest); return; } #ifdef TPM_CC_GetCommandAuditDigest //*** CommandAudit() // This function updates the command audit digest. static void CommandAudit( COMMAND *command // IN: ) { // If the digest.size is one, it indicates the special case of changing // the audit hash algorithm. For this case, no audit is done on exit. // NOTE: When the hash algorithm is changed, g_updateNV is set in order to // force an update to the NV on exit so that the change in digest will // be recorded. So, it is safe to exit here without setting any flags // because the digest change will be written to NV when this code exits. if(gr.commandAuditDigest.t.size == 1) { gr.commandAuditDigest.t.size = 0; return; } // If the digest size is zero, need to start a new digest and increment // the audit counter. if(gr.commandAuditDigest.t.size == 0) { gr.commandAuditDigest.t.size = CryptHashGetDigestSize(gp.auditHashAlg); MemorySet(gr.commandAuditDigest.t.buffer, 0, gr.commandAuditDigest.t.size); // Bump the counter and save its value to NV. gp.auditCounter++; NV_SYNC_PERSISTENT(auditCounter); } UpdateAuditDigest(command, gp.auditHashAlg, &gr.commandAuditDigest); return; } #endif //*** UpdateAuditSessionStatus() // This function updates the internal audit related states of a session. It will: // a) initialize the session as audit session and set it to be exclusive if this // is the first time it is used for audit or audit reset was requested; // b) report exclusive audit session; // c) extend audit log; and // d) clear exclusive audit session if no audit session found in the command. static void UpdateAuditSessionStatus( COMMAND *command // IN: primary control structure ) { UINT32 i; TPM_HANDLE auditSession = TPM_RH_UNASSIGNED; // // Iterate through sessions for(i = 0; i < command->sessionNum; i++) { SESSION *session; // // PW session do not have a loaded session and can not be an audit // session either. Skip it. if(s_sessionHandles[i] == TPM_RS_PW) continue; session = SessionGet(s_sessionHandles[i]); // If a session is used for audit if(IS_ATTRIBUTE(s_attributes[i], TPMA_SESSION, audit)) { // An audit session has been found auditSession = s_sessionHandles[i]; // If the session has not been an audit session yet, or // the auditSetting bits indicate a reset, initialize it and set // it to be the exclusive session if(session->attributes.isAudit == CLEAR || IS_ATTRIBUTE(s_attributes[i], TPMA_SESSION, auditReset)) { InitAuditSession(session); g_exclusiveAuditSession = auditSession; } else { // Check if the audit session is the current exclusive audit // session and, if not, clear previous exclusive audit session. if(g_exclusiveAuditSession != auditSession) g_exclusiveAuditSession = TPM_RH_UNASSIGNED; } // Report audit session exclusivity. if(g_exclusiveAuditSession == auditSession) { SET_ATTRIBUTE(s_attributes[i], TPMA_SESSION, auditExclusive); } else { CLEAR_ATTRIBUTE(s_attributes[i], TPMA_SESSION, auditExclusive); } // Extend audit log. Audit(command, session); } } // If no audit session is found in the command, and the command allows // a session then, clear the current exclusive // audit session. if(auditSession == TPM_RH_UNASSIGNED && IsSessionAllowed(command->index)) { g_exclusiveAuditSession = TPM_RH_UNASSIGNED; } return; } //*** ComputeResponseHMAC() // Function to compute HMAC for authorization session in a response. /*(See part 1 specification) // Function: Compute HMAC for response sessions // The sessionAuth value // authHMAC := HMACsHASH((sessionAuth | authValue), // (pHash | nonceTPM | nonceCaller | sessionAttributes)) // Where: // HMACsHASH() The HMAC algorithm using the hash algorithm specified when // the session was started. // // sessionAuth A TPMB_MEDIUM computed in a protocol-dependent way, using // KDFa. In an HMAC or KDF, only sessionAuth.buffer is used. // // authValue A TPM2B_AUTH that is found in the sensitive area of an // object. In an HMAC or KDF, only authValue.buffer is used // and all trailing zeros are removed. // // pHash Response parameters (rpHash) using the session hash. When // using a pHash in an HMAC computation, both the algorithm ID // and the digest are included. // // nonceTPM A TPM2B_NONCE that is generated by the entity using the // session. In an HMAC or KDF, only nonceTPM.buffer is used. // // nonceCaller a TPM2B_NONCE that was received the previous time the // session was used. In an HMAC or KDF, only // nonceCaller.buffer is used. // // sessionAttributes A TPMA_SESSION that indicates the attributes associated // with a particular use of the session. */ static void ComputeResponseHMAC( COMMAND *command, // IN: command structure UINT32 sessionIndex, // IN: session index to be processed SESSION *session, // IN: loaded session TPM2B_DIGEST *hmac // OUT: authHMAC ) { TPM2B_TYPE(KEY, (sizeof(AUTH_VALUE) * 2)); TPM2B_KEY key; // HMAC key BYTE marshalBuffer[sizeof(TPMA_SESSION)]; BYTE *buffer; UINT32 marshalSize; HMAC_STATE hmacState; TPM2B_DIGEST *rpHash = ComputeRpHash(command, session->authHashAlg); // // Generate HMAC key MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer)); // Add the object authValue if required if(session->attributes.includeAuth == SET) { // Note: includeAuth may be SET for a policy that is used in // UndefineSpaceSpecial(). At this point, the Index has been deleted // so the includeAuth will have no meaning. However, the // s_associatedHandles[] value for the session is now set to TPM_RH_NULL so // this will return the authValue associated with TPM_RH_NULL and that is // and empty buffer. TPM2B_AUTH authValue; // // Get the authValue with trailing zeros removed EntityGetAuthValue(s_associatedHandles[sessionIndex], &authValue); // Add it to the key MemoryConcat2B(&key.b, &authValue.b, sizeof(key.t.buffer)); } // if the HMAC key size is 0, the response HMAC is computed according to the // input HMAC if(key.t.size == 0 && s_inputAuthValues[sessionIndex].t.size == 0) { hmac->t.size = 0; return; } // Start HMAC computation. hmac->t.size = CryptHmacStart2B(&hmacState, session->authHashAlg, &key.b); // Add hash components. CryptDigestUpdate2B(&hmacState.hashState, &rpHash->b); CryptDigestUpdate2B(&hmacState.hashState, &session->nonceTPM.b); CryptDigestUpdate2B(&hmacState.hashState, &s_nonceCaller[sessionIndex].b); // Add session attributes. buffer = marshalBuffer; marshalSize = TPMA_SESSION_Marshal(&s_attributes[sessionIndex], &buffer, NULL); CryptDigestUpdate(&hmacState.hashState, marshalSize, marshalBuffer); // Finalize HMAC. CryptHmacEnd2B(&hmacState, &hmac->b); return; } //*** UpdateInternalSession() // This function updates internal sessions by: // a) restarting session time; and // b) clearing a policy session since nonce is rolling. static void UpdateInternalSession( SESSION *session, // IN: the session structure UINT32 i // IN: session number ) { // If nonce is rolling in a policy session, the policy related data // will be re-initialized. if(HandleGetType(s_sessionHandles[i]) == TPM_HT_POLICY_SESSION && IS_ATTRIBUTE(s_attributes[i], TPMA_SESSION, continueSession)) { // When the nonce rolls it starts a new timing interval for the // policy session. SessionResetPolicyData(session); SessionSetStartTime(session); } return; } //*** BuildSingleResponseAuth() // Function to compute response HMAC value for a policy or HMAC session. static TPM2B_NONCE * BuildSingleResponseAuth( COMMAND *command, // IN: command structure UINT32 sessionIndex, // IN: session index to be processed TPM2B_AUTH *auth // OUT: authHMAC ) { // Fill in policy/HMAC based session response. SESSION *session = SessionGet(s_sessionHandles[sessionIndex]); // // If the session is a policy session with isPasswordNeeded SET, the // authorization field is empty. if(HandleGetType(s_sessionHandles[sessionIndex]) == TPM_HT_POLICY_SESSION && session->attributes.isPasswordNeeded == SET) auth->t.size = 0; else // Compute response HMAC. ComputeResponseHMAC(command, sessionIndex, session, auth); UpdateInternalSession(session, sessionIndex); return &session->nonceTPM; } //*** UpdateAllNonceTPM() // Updates TPM nonce for all sessions in command. static void UpdateAllNonceTPM( COMMAND *command // IN: controlling structure ) { UINT32 i; SESSION *session; // for(i = 0; i < command->sessionNum; i++) { // If not a PW session, compute the new nonceTPM. if(s_sessionHandles[i] != TPM_RS_PW) { session = SessionGet(s_sessionHandles[i]); // Update nonceTPM in both internal session and response. CryptRandomGenerate(session->nonceTPM.t.size, session->nonceTPM.t.buffer); } } return; } //*** BuildResponseSession() // Function to build Session buffer in a response. The authorization data is added // to the end of command->responseBuffer. The size of the authorization area is // accumulated in command->authSize. // When this is called, command->responseBuffer is pointing at the next location // in the response buffer to be filled. This is where the authorization sessions // will go, if any. command->parameterSize is the number of bytes that have been // marshaled as parameters in the output buffer. void BuildResponseSession( COMMAND *command // IN: structure that has relevant command // information ) { pAssert(command->authSize == 0); // Reset the parameter buffer to point to the start of the parameters so that // there is a starting point for any rpHash that might be generated and so there // is a place where parameter encryption would start command->parameterBuffer = command->responseBuffer - command->parameterSize; // Session nonces should be updated before parameter encryption if(command->tag == TPM_ST_SESSIONS) { UpdateAllNonceTPM(command); // Encrypt first parameter if applicable. Parameter encryption should // happen after nonce update and before any rpHash is computed. // If the encrypt session is associated with a handle, the authValue of // this handle will be concatenated with sessionKey to generate // encryption key, no matter if the handle is the session bound entity // or not. The authValue is added to sessionKey only when the authValue // is available. if(s_encryptSessionIndex != UNDEFINED_INDEX) { UINT32 size; TPM2B_AUTH extraKey; // extraKey.b.size = 0; // If this is an authorization session, include the authValue in the // generation of the encryption key if(s_associatedHandles[s_encryptSessionIndex] != TPM_RH_UNASSIGNED) { EntityGetAuthValue(s_associatedHandles[s_encryptSessionIndex], &extraKey); } size = EncryptSize(command->index); CryptParameterEncryption(s_sessionHandles[s_encryptSessionIndex], &s_nonceCaller[s_encryptSessionIndex].b, (UINT16)size, &extraKey, command->parameterBuffer); } } // Audit sessions should be processed regardless of the tag because // a command with no session may cause a change of the exclusivity state. UpdateAuditSessionStatus(command); #if CC_GetCommandAuditDigest // Command Audit if(CommandAuditIsRequired(command->index)) CommandAudit(command); #endif // Process command with sessions. if(command->tag == TPM_ST_SESSIONS) { UINT32 i; // pAssert(command->sessionNum > 0); // Iterate over each session in the command session area, and create // corresponding sessions for response. for(i = 0; i < command->sessionNum; i++) { TPM2B_NONCE *nonceTPM; TPM2B_DIGEST responseAuth; // Make sure that continueSession is SET on any Password session. // This makes it marginally easier for the management software // to keep track of the closed sessions. if(s_sessionHandles[i] == TPM_RS_PW) { SET_ATTRIBUTE(s_attributes[i], TPMA_SESSION, continueSession); responseAuth.t.size = 0; nonceTPM = (TPM2B_NONCE *)&responseAuth; } else { // Compute the response HMAC and get a pointer to the nonce used. // This function will also update the values if needed. Note, the nonceTPM = BuildSingleResponseAuth(command, i, &responseAuth); } command->authSize += TPM2B_NONCE_Marshal(nonceTPM, &command->responseBuffer, NULL); command->authSize += TPMA_SESSION_Marshal(&s_attributes[i], &command->responseBuffer, NULL); command->authSize += TPM2B_DIGEST_Marshal(&responseAuth, &command->responseBuffer, NULL); if(!IS_ATTRIBUTE(s_attributes[i], TPMA_SESSION, continueSession)) SessionFlush(s_sessionHandles[i]); } } return; } //*** SessionRemoveAssociationToHandle() // This function deals with the case where an entity associated with an authorization // is deleted during command processing. The primary use of this is to support // UndefineSpaceSpecial(). void SessionRemoveAssociationToHandle( TPM_HANDLE handle ) { UINT32 i; // for(i = 0; i < MAX_SESSION_NUM; i++) { if(s_associatedHandles[i] == handle) { s_associatedHandles[i] = TPM_RH_NULL; } } }