1// This file was extracted from the TCG Published
2// Trusted Platform Module Library
3// Part 4: Supporting Routines
4// Family "2.0"
5// Level 00 Revision 01.16
6// October 30, 2014
7
8#include "InternalRoutines.h"
9#include "NV_spt_fp.h"
10//
11//
12//           Fuctions
13//
14//          NvReadAccessChecks()
15//
16//      Common routine for validating a read Used by TPM2_NV_Read(), TPM2_NV_ReadLock() and
17//      TPM2_PolicyNV()
18//
19//     Error Returns                     Meaning
20//
21//     TPM_RC_NV_AUTHORIZATION           autHandle is not allowed to authorize read of the index
22//     TPM_RC_NV_LOCKED                  Read locked
23//     TPM_RC_NV_UNINITIALIZED           Try to read an uninitialized index
24//
25TPM_RC
26NvReadAccessChecks(
27   TPM_HANDLE          authHandle,             // IN: the handle that provided the
28                                               //     authorization
29   TPM_HANDLE          nvHandle                // IN: the handle of the NV index to be written
30   )
31{
32   NV_INDEX            nvIndex;
33   // Get NV index info
34   NvGetIndexInfo(nvHandle, &nvIndex);
35// This check may be done before doing authorization checks as is done in this
36// version of the reference code. If not done there, then uncomment the next
37// three lines.
38//    // If data is read locked, returns an error
39//    if(nvIndex.publicArea.attributes.TPMA_NV_READLOCKED == SET)
40//        return TPM_RC_NV_LOCKED;
41   // If the authorization was provided by the owner or platform, then check
42   // that the attributes allow the read. If the authorization handle
43   // is the same as the index, then the checks were made when the authorization
44   // was checked..
45   if(authHandle == TPM_RH_OWNER)
46   {
47       // If Owner provided auth then ONWERWRITE must be SET
48       if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERREAD)
49           return TPM_RC_NV_AUTHORIZATION;
50   }
51   else if(authHandle == TPM_RH_PLATFORM)
52   {
53       // If Platform provided auth then PPWRITE must be SET
54       if(!nvIndex.publicArea.attributes.TPMA_NV_PPREAD)
55           return TPM_RC_NV_AUTHORIZATION;
56   }
57   // If neither Owner nor Platform provided auth, make sure that it was
58   // provided by this index.
59   else if(authHandle != nvHandle)
60           return TPM_RC_NV_AUTHORIZATION;
61   // If the index has not been written, then the value cannot be read
62   // NOTE: This has to come after other access checks to make sure that
63   // the proper authorization is given to TPM2_NV_ReadLock()
64   if(nvIndex.publicArea.attributes.TPMA_NV_WRITTEN == CLEAR)
65       return TPM_RC_NV_UNINITIALIZED;
66   return TPM_RC_SUCCESS;
67}
68//
69//
70//         NvWriteAccessChecks()
71//
72//     Common routine for validating a write               Used    by    TPM2_NV_Write(),          TPM2_NV_Increment(),
73//     TPM2_SetBits(), and TPM2_NV_WriteLock()
74//
75//
76//
77//
78//     Error Returns                  Meaning
79//
80//     TPM_RC_NV_AUTHORIZATION        Authorization fails
81//     TPM_RC_NV_LOCKED               Write locked
82//
83TPM_RC
84NvWriteAccessChecks(
85     TPM_HANDLE        authHandle,           // IN: the handle that provided the
86                                             //     authorization
87     TPM_HANDLE        nvHandle              // IN: the handle of the NV index to be written
88     )
89{
90     NV_INDEX          nvIndex;
91     // Get NV index info
92     NvGetIndexInfo(nvHandle, &nvIndex);
93// This check may be done before doing authorization checks as is done in this
94// version of the reference code. If not done there, then uncomment the next
95// three lines.
96//    // If data is write locked, returns an error
97//    if(nvIndex.publicArea.attributes.TPMA_NV_WRITELOCKED == SET)
98//        return TPM_RC_NV_LOCKED;
99     // If the authorization was provided by the owner or platform, then check
100     // that the attributes allow the write. If the authorization handle
101     // is the same as the index, then the checks were made when the authorization
102     // was checked..
103     if(authHandle == TPM_RH_OWNER)
104     {
105         // If Owner provided auth then ONWERWRITE must be SET
106         if(! nvIndex.publicArea.attributes.TPMA_NV_OWNERWRITE)
107             return TPM_RC_NV_AUTHORIZATION;
108     }
109     else if(authHandle == TPM_RH_PLATFORM)
110     {
111         // If Platform provided auth then PPWRITE must be SET
112         if(!nvIndex.publicArea.attributes.TPMA_NV_PPWRITE)
113             return TPM_RC_NV_AUTHORIZATION;
114     }
115     // If neither Owner nor Platform provided auth, make sure that it was
116     // provided by this index.
117     else if(authHandle != nvHandle)
118             return TPM_RC_NV_AUTHORIZATION;
119     return TPM_RC_SUCCESS;
120}
121