Desktop version

Home arrow Computer Science arrow A Practical Guide to TPM 2.0

NV Password

A subtlety of the TPM is that a user can't really change an object's password. The TPM2_ObjectChangeAuth command can create an object with the new password, but the original object still exists. The user can delete all existing copies of the object, but the TPM can't enforce this.

This quirk isn't true of an NV index. The index exists only on the TPM. It can never be context-saved or in any way moved off the TPM. Thus, TPM2_NV_ChangeAuth really does change the password.

Separate Commands

The TPM API defines a set of commands dedicated to NV. TPM2_NV_DefineSpace creates an NV index. The caller specifies the NV metadata, including the size for an ordinary index, the policy, attributes, and the password. As explained earlier, a newly created index isn't initialized, or written, yet. It has no data.

The write commands are as follows:

• TPM2_NV_Write writes an ordinary index. Depending on the attributes, partial writes may or may not be permitted.

• TPM2_NV_Increment increments a counter index. Depending on the attributes and the count value, this may cause a write to nonvolatile memory.

• TPM2_NV_Extend extends arbitrary data (not necessarily a hash value) to an extend index.

• TPM2_NV_SetBits sets bits in a bit-field index. It ORs the current value and the input. An input of all zero is legally and useful. It makes the index written and initializes it to all zero.

TPM2_NV_Read reads any index data. A read can only occur after the index has been written at least once. TPM2_NV_ReadPublic reads the index public data. In combination with the session audit feature, a user can get a signature over the public area to prove its properties.

Several commands are dedicated to locking an index. The index attributes determine whether these locks can be set against a particular index:

• TPM2_NV_WriteLock can lock an index, forbidding further writes until the next boot cycle or forever.

• TPM2_NV_GlobalWriteLock can lock a set of indexes, again either forever or until the next boot cycle.

• TPM2_NV_ReadLock locks an index, preventing further reads until the next boot cycle.

TPM2_NV_ChangeAuth changes the index password. TPM2_NV_Certify can create a signature over index data. This command is optional in the PC Client specification. However, a similar result can be obtained by reading the index in an audit session and then getting a signed audit digest.


TPM 2.0 has four types of NV indexes: ordinary (unstructured data), bit-field, counter, and extend data indexes. An index can be read or written using the standard TPM password and policy controls. Hybrid indexes normally exist in volatile memory, but an orderly shutdown can save them to NV memory. They can avoid performance and wearout issues. When an index is created, its state is “not written”. Its data can't be read or used in a policy until it's written, and the “not written” state itself can be used on a policy.

Basic applications include provisioning with certificates or public keys. More advanced applications use an NV authorization in a policy, permitting it to be shared among entities. A policy referring to a bit-field or counter index value can be used for key revocation. An extend index offers PCR equivalents with different algorithms, authorizations, or lifetimes.

NV indexes have a separate set of commands and unique attributes to control authorization, read and write locking, and dictionary-attack protection.

< Prev   CONTENTS   Next >

Related topics