
Enable TPMA_NV_POLICY_DELETE when defining a new NV Index #3400

Open
alexxmos opened this issue May 28, 2024 · 2 comments

Comments

@alexxmos

Hello,
I am trying to protect an NV Index against being overwritten or deleted, by means of policies. While I managed to do the first, the latter is giving some problems.
I believe something on this topic has already been discussed as part of #3341, but the issue has since been closed without a clear indication.

In particular, creating the index with the following command works as expected:

tpm2_nvdefine -C o -s 32 -a "policywrite|ownerread|ownerwrite|authread|authwrite" -L policy_digest.bin -p mypassword 0x1800000
nv-index: 0x1800000

There is a need to open a policyAuthValue session and provide the password "mypassword" in order to write to the index.

However, running the same command with the addition of the policydelete attribute terminates in error:

tpm2_nvdefine -C o -s 32 -a "policydelete|policywrite|ownerread|ownerwrite|authread|authwrite" -L policy_digest.bin -p mypassword 0x1800000
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:345:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:121:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x000002c2)
ERROR: Failed to define NV area at index 0x1800000
ERROR: Esys_NV_DefineSpace(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Failed to create NV index 0x1800000.
ERROR: Unable to run tpm2_nvdefine

This appears to be in line with TCG's TPM2.0 specifications (Part 3: Commands, 31.3 TPM2_NV_DefineSpace):

If TPMA_NV_POLICY_DELETE is SET, then the authorization shall be with Platform Authorization or the TPM shall return TPM_RC_ATTRIBUTES.

Does this mean that the attribute policydelete can only be specified with Platform Hierarchy?
Trying to run the command using Platform Authorisation also terminates in error (same message, different error code?):

tpm2_nvdefine -C p -s 32 -a "policydelete|policywrite|ownerread|ownerwrite|authread|authwrite" -L policy_digest.bin -p mypassword 0x1800000
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:345:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:121:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x00000182)
ERROR: Failed to define NV area at index 0x1800000
ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes
ERROR: Failed to create NV index 0x1800000.
ERROR: Unable to run tpm2_nvdefine

Are there perhaps some additional steps I am missing, or am I using the wrong attributes?

Any help or clarification would be extremely appreciated, thanks!

@Melab

Melab commented Jan 5, 2025

Someone should address this issue.

@JuergenReppSIT
Member

If platformcreate is added to the attributes, your last command should work:

tpm2_nvdefine -C p -s 32 -a "platformcreate|policydelete|policywrite|ownerread|ownerwrite|authread|authwrite" -L policy_digest.bin -p mypassword 0x1800000

It might have been better to set this automatically with -p.
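Added example, not code from tpm2-tools or tpm2-tss: a small Python pre-check that turns a tpm2_nvdefine attribute string into the TPMA_NV bitmask and applies the two hierarchy rules behind the errors shown above, returning the same TPM_RC_ATTRIBUTES codes (0x2C2 for parameter 2, 0x182 for handle 1). Bit positions follow TPMA_NV in TPM 2.0 Library Part 2; the rule that policydelete needs Platform Authorization is the Part 3 sentence quoted in the issue, the platformcreate rule follows the answer above, and the attribution of owner-with-platformcreate to handle 1 is an assumption.

```python
# Added example (not tpm2-tools code): validate tpm2_nvdefine attributes
# against the TPM2_NV_DefineSpace hierarchy rules before calling the TPM.
RC_FMT1, RC_ATTRIBUTES, RC_P = 0x080, 0x002, 0x040

# tpm2-tools attribute names -> TPMA_NV bit values (subset relevant here;
# positions per TPM 2.0 Library Part 2, TPMA_NV).
TPMA_NV = {
    "ppwrite": 1 << 0, "ownerwrite": 1 << 1, "authwrite": 1 << 2,
    "policywrite": 1 << 3, "policydelete": 1 << 10, "ppread": 1 << 16,
    "ownerread": 1 << 17, "authread": 1 << 18, "policyread": 1 << 19,
    "platformcreate": 1 << 30,
}


def parse_attrs(spec: str) -> int:
    """Turn 'policydelete|ownerread|...' (the -a argument) into a bitmask."""
    mask = 0
    for name in spec.split("|"):
        mask |= TPMA_NV[name.strip().lower()]
    return mask


def rc_param(n: int) -> int:
    """TPM_RC_ATTRIBUTES in format-1 form, blamed on parameter n."""
    return RC_FMT1 | RC_P | RC_ATTRIBUTES | (n << 8)


def rc_handle(n: int) -> int:
    """TPM_RC_ATTRIBUTES in format-1 form, blamed on handle n."""
    return RC_FMT1 | RC_ATTRIBUTES | (n << 8)


def check_define(hierarchy: str, attrs: int) -> int:
    """Return 0 if TPM2_NV_DefineSpace would accept (hierarchy, attrs),
    otherwise the response code the TPM reports. hierarchy is the -C
    value: 'o' (owner) or 'p' (platform). Handle 1 is authHandle,
    parameter 2 is publicInfo, matching the tpm2_nvdefine error output."""
    plat_create = bool(attrs & TPMA_NV["platformcreate"])
    pol_delete = bool(attrs & TPMA_NV["policydelete"])
    if hierarchy == "p":
        if not plat_create:
            return rc_handle(1)  # 0x182: platform auth needs platformcreate
    elif hierarchy == "o":
        if plat_create:
            return rc_handle(1)  # assumed: owner auth cannot set platformcreate
        if pol_delete:
            return rc_param(2)   # 0x2C2: policydelete needs Platform Authorization
    else:
        raise ValueError("hierarchy must be 'o' or 'p'")
    return 0
```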
