/src/tpm2/NV_spt.c

Source
// This file was extracted from the TCG Published
// Trusted Platform Module Library
// Part 4: Supporting Routines
// Family "2.0"
// Level 00 Revision 01.16
// October 30, 2014

#include "InternalRoutines.h"
#include "NV_spt_fp.h"
//
//
//           Fuctions
//
//          NvReadAccessChecks()
//
//      Common routine for validating a read Used by TPM2_NV_Read(), TPM2_NV_ReadLock() and
//      TPM2_PolicyNV()
//
//     Error Returns                     Meaning
//
//     TPM_RC_NV_AUTHORIZATION           autHandle is not allowed to authorize read of the index
//     TPM_RC_NV_LOCKED                  Read locked
//     TPM_RC_NV_UNINITIALIZED           Try to read an uninitialized index
//
TPM_RC
NvReadAccessChecks(
   TPM_HANDLE          authHandle,             // IN: the handle that provided the
                                               //     authorization
   TPM_HANDLE          nvHandle                // IN: the handle of the NV index to be written
   )
{
   NV_INDEX            nvIndex;
   // Get NV index info
   NvGetIndexInfo(nvHandle, &nvIndex);
// This check may be done before doing authorization checks as is done in this
// version of the reference code. If not done there, then uncomment the next
// three lines.
//    // If data is read locked, returns an error
//    if(nvIndex.publicArea.attributes.TPMA_NV_READLOCKED == SET)
//        return TPM_RC_NV_LOCKED;
   // If the authorization was provided by the owner or platform, then check
   // that the attributes allow the read. If the authorization handle
   // is the same as the index, then the checks were made when the authorization
   // was checked..
   if(authHandle == TPM_RH_OWNER)
   {
       // If Owner provided auth then ONWERWRITE must be SET
       if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERREAD)
           return TPM_RC_NV_AUTHORIZATION;
   }
   else if(authHandle == TPM_RH_PLATFORM)
   {
       // If Platform provided auth then PPWRITE must be SET
       if(!nvIndex.publicArea.attributes.TPMA_NV_PPREAD)
           return TPM_RC_NV_AUTHORIZATION;
   }
   // If neither Owner nor Platform provided auth, make sure that it was
   // provided by this index.
   else if(authHandle != nvHandle)
           return TPM_RC_NV_AUTHORIZATION;
   // If the index has not been written, then the value cannot be read
   // NOTE: This has to come after other access checks to make sure that
   // the proper authorization is given to TPM2_NV_ReadLock()
   if(nvIndex.publicArea.attributes.TPMA_NV_WRITTEN == CLEAR)
       return TPM_RC_NV_UNINITIALIZED;
   return TPM_RC_SUCCESS;
}
//
//
//         NvWriteAccessChecks()
//
//     Common routine for validating a write               Used    by    TPM2_NV_Write(),          TPM2_NV_Increment(),
//     TPM2_SetBits(), and TPM2_NV_WriteLock()
//
//
//
//
//     Error Returns                  Meaning
//
//     TPM_RC_NV_AUTHORIZATION        Authorization fails
//     TPM_RC_NV_LOCKED               Write locked
//
TPM_RC
NvWriteAccessChecks(
     TPM_HANDLE        authHandle,           // IN: the handle that provided the
                                             //     authorization
     TPM_HANDLE        nvHandle              // IN: the handle of the NV index to be written
     )
{
     NV_INDEX          nvIndex;

     // Get NV index info
     NvGetIndexInfo(nvHandle, &nvIndex);
// This check may be done before doing authorization checks as is done in this
// version of the reference code. If not done there, then uncomment the next
// three lines.
//    // If data is write locked, returns an error
//    if(nvIndex.publicArea.attributes.TPMA_NV_WRITELOCKED == SET)
//        return TPM_RC_NV_LOCKED;
     // If the authorization was provided by the owner or platform, then check
     // that the attributes allow the write. If the authorization handle
     // is the same as the index, then the checks were made when the authorization
     // was checked..
     if(authHandle == TPM_RH_OWNER)
     {
         // If Owner provided auth then ONWERWRITE must be SET
         if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERWRITE)
             return TPM_RC_NV_AUTHORIZATION;
     }
     else if(authHandle == TPM_RH_PLATFORM)
     {
         // If Platform provided auth then PPWRITE must be SET
         if(!nvIndex.publicArea.attributes.TPMA_NV_PPWRITE)
             return TPM_RC_NV_AUTHORIZATION;
     }
     // If neither Owner nor Platform provided auth, make sure that it was
     // provided by this index.
     else if(authHandle != nvHandle)
             return TPM_RC_NV_AUTHORIZATION;
     return TPM_RC_SUCCESS;
}

Coverage Report

Created: 2026-02-26 06:47

Line	Count	Source
1		// This file was extracted from the TCG Published
2		// Trusted Platform Module Library
3		// Part 4: Supporting Routines
4		// Family "2.0"
5		// Level 00 Revision 01.16
6		// October 30, 2014
7
8		#include "InternalRoutines.h"
9		#include "NV_spt_fp.h"
10		//
11		//
12		// Fuctions
13		//
14		// NvReadAccessChecks()
15		//
16		// Common routine for validating a read Used by TPM2_NV_Read(), TPM2_NV_ReadLock() and
17		// TPM2_PolicyNV()
18		//
19		// Error Returns Meaning
20		//
21		// TPM_RC_NV_AUTHORIZATION autHandle is not allowed to authorize read of the index
22		// TPM_RC_NV_LOCKED Read locked
23		// TPM_RC_NV_UNINITIALIZED Try to read an uninitialized index
24		//
25		TPM_RC
26		NvReadAccessChecks(
27		TPM_HANDLE authHandle, // IN: the handle that provided the
28		// authorization
29		TPM_HANDLE nvHandle // IN: the handle of the NV index to be written
30		)
31	0	{
32	0	NV_INDEX nvIndex;
33		// Get NV index info
34	0	NvGetIndexInfo(nvHandle, &nvIndex);
35		// This check may be done before doing authorization checks as is done in this
36		// version of the reference code. If not done there, then uncomment the next
37		// three lines.
38		// // If data is read locked, returns an error
39		// if(nvIndex.publicArea.attributes.TPMA_NV_READLOCKED == SET)
40		// return TPM_RC_NV_LOCKED;
41		// If the authorization was provided by the owner or platform, then check
42		// that the attributes allow the read. If the authorization handle
43		// is the same as the index, then the checks were made when the authorization
44		// was checked..
45	0	if(authHandle == TPM_RH_OWNER)
46	0	{
47		// If Owner provided auth then ONWERWRITE must be SET
48	0	if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERREAD)
49	0	return TPM_RC_NV_AUTHORIZATION;
50	0	}
51	0	else if(authHandle == TPM_RH_PLATFORM)
52	0	{
53		// If Platform provided auth then PPWRITE must be SET
54	0	if(!nvIndex.publicArea.attributes.TPMA_NV_PPREAD)
55	0	return TPM_RC_NV_AUTHORIZATION;
56	0	}
57		// If neither Owner nor Platform provided auth, make sure that it was
58		// provided by this index.
59	0	else if(authHandle != nvHandle)
60	0	return TPM_RC_NV_AUTHORIZATION;
61		// If the index has not been written, then the value cannot be read
62		// NOTE: This has to come after other access checks to make sure that
63		// the proper authorization is given to TPM2_NV_ReadLock()
64	0	if(nvIndex.publicArea.attributes.TPMA_NV_WRITTEN == CLEAR)
65	0	return TPM_RC_NV_UNINITIALIZED;
66	0	return TPM_RC_SUCCESS;
67	0	}
68		//
69		//
70		// NvWriteAccessChecks()
71		//
72		// Common routine for validating a write Used by TPM2_NV_Write(), TPM2_NV_Increment(),
73		// TPM2_SetBits(), and TPM2_NV_WriteLock()
74		//
75		//
76		//
77		//
78		// Error Returns Meaning
79		//
80		// TPM_RC_NV_AUTHORIZATION Authorization fails
81		// TPM_RC_NV_LOCKED Write locked
82		//
83		TPM_RC
84		NvWriteAccessChecks(
85		TPM_HANDLE authHandle, // IN: the handle that provided the
86		// authorization
87		TPM_HANDLE nvHandle // IN: the handle of the NV index to be written
88		)
89	0	{
90	0	NV_INDEX nvIndex;
91
92		// Get NV index info
93	0	NvGetIndexInfo(nvHandle, &nvIndex);
94		// This check may be done before doing authorization checks as is done in this
95		// version of the reference code. If not done there, then uncomment the next
96		// three lines.
97		// // If data is write locked, returns an error
98		// if(nvIndex.publicArea.attributes.TPMA_NV_WRITELOCKED == SET)
99		// return TPM_RC_NV_LOCKED;
100		// If the authorization was provided by the owner or platform, then check
101		// that the attributes allow the write. If the authorization handle
102		// is the same as the index, then the checks were made when the authorization
103		// was checked..
104	0	if(authHandle == TPM_RH_OWNER)
105	0	{
106		// If Owner provided auth then ONWERWRITE must be SET
107	0	if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERWRITE)
108	0	return TPM_RC_NV_AUTHORIZATION;
109	0	}
110	0	else if(authHandle == TPM_RH_PLATFORM)
111	0	{
112		// If Platform provided auth then PPWRITE must be SET
113	0	if(!nvIndex.publicArea.attributes.TPMA_NV_PPWRITE)
114	0	return TPM_RC_NV_AUTHORIZATION;
115	0	}
116		// If neither Owner nor Platform provided auth, make sure that it was
117		// provided by this index.
118	0	else if(authHandle != nvHandle)
119	0	return TPM_RC_NV_AUTHORIZATION;
120	0	return TPM_RC_SUCCESS;
121	0	}