
Authorization Roles

Authorization roles for each command are specified in Part 3's descriptions of commands. These roles and the rules related to them act in a manner similar to access control lists (ACLs) for computer directories. Authorization roles control the types of authorizations that can be used to run commands, which essentially means they control who gets to run specific commands and under what circumstances.

There are three possible roles: USER, ADMIN, and DUP. USER is used for normal uses of the entity, ADMIN role is used for system management tasks, and DUP, a narrowly focused role, is the only role allowed for the TPM2_Duplicate command.

Two attributes of entities that determine the type of authorization required are userWithAuth and adminWithPolicy. These attributes are either set explicitly (at object creation time for objects) or determined by other means for certain permanent handles and NV indices:

• userWithAuth:

  • Set means USER role authorization can be provided by a password, HMAC, or policy session.

  • Clear means USER role authorization must be provided by a policy session.

• adminWithPolicy:

  • Set means ADMIN role authorization must be provided by a policy session. [1]

  • Clear means ADMIN role authorization can be provided by a password, HMAC, or policy session.

If the authorization role is ADMIN:

• For object handles, the required authorization is determined by the object's adminWithPolicy attribute, which is set when the object is created.

• For the handles TPM_RH_OWNER, TPM_RH_ENDORSEMENT, and TPM_RH_PLATFORM, the required authorization is as if adminWithPolicy is set.

• For NV indices, the required authorization is as if the adminWithPolicy attribute was set when the NV index was created.

If the authorization role is USER:

• For object handles, the required authorization is determined by the object's userWithAuth attribute, which is set when the object is created.

• For the handles TPM_RH_OWNER, TPM_RH_ENDORSEMENT, and TPM_RH_PLATFORM, the required authorization is as if userWithAuth is set.

• For NV index handles, the required authorization is determined by the following NV index attributes: TPMA_NV_POLICYWRITE, TPMA_NV_POLICYREAD, TPMA_NV_AUTHWRITE, and TPMA_NV_AUTHREAD. These attributes are set when the NV index is created.

If the authorization role is DUP:

• The authorization must be a policy authorization.

• The DUP role is only used for objects.

If the authorization role is DUP or ADMIN, the command being authorized must be specified in the policy.
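As an added illustration (not code from the book), here is a small Python model of the rules above: given the role a command requires, the kind of handle being authorized and the attributes set on the entity, it returns which authorization types the TPM will accept. The enum and function names are my own; the read/write mapping of the four TPMA_NV_* attributes follows the TPM 2.0 specification rather than being spelled out on this page.

```python
from enum import Enum, auto

class Role(Enum):
    USER = auto()
    ADMIN = auto()
    DUP = auto()

class HandleType(Enum):
    OBJECT = auto()
    HIERARCHY = auto()  # TPM_RH_OWNER, TPM_RH_ENDORSEMENT, TPM_RH_PLATFORM
    NV_INDEX = auto()

PASSWORD_HMAC = frozenset({"password", "HMAC"})
POLICY = frozenset({"policy"})

def allowed_auth_types(role, handle_type, attrs, nv_access=None):
    """Authorization types the TPM accepts for this role and handle.
    attrs: names of attributes that are SET on the entity, e.g. {"userWithAuth"}
    or {"TPMA_NV_AUTHREAD", "TPMA_NV_POLICYWRITE"}.  nv_access is "read" or
    "write" and is needed only for the USER role on an NV index.
    """
    if role is Role.DUP:
        # DUP is used only for objects and only via a policy session.
        if handle_type is not HandleType.OBJECT:
            raise ValueError("DUP role applies only to objects")
        return POLICY
    if role is Role.ADMIN:
        # Hierarchy handles and NV indices behave as if adminWithPolicy is set.
        admin_with_policy = (handle_type is not HandleType.OBJECT
                             or "adminWithPolicy" in attrs)
        return POLICY if admin_with_policy else PASSWORD_HMAC | POLICY
    if handle_type is HandleType.NV_INDEX:  # USER role on an NV index
        if nv_access not in ("read", "write"):
            raise ValueError("nv_access must be 'read' or 'write' for an NV index")
        # Spec mapping: TPMA_NV_AUTH{READ,WRITE} admit the authValue (password or
        # HMAC); TPMA_NV_POLICY{READ,WRITE} admit a satisfied policy. Both may be set.
        allowed = set()
        if "TPMA_NV_AUTH" + nv_access.upper() in attrs:
            allowed |= PASSWORD_HMAC
        if "TPMA_NV_POLICY" + nv_access.upper() in attrs:
            allowed |= POLICY
        return frozenset(allowed)
    # USER role on an object or hierarchy handle; hierarchies act as if userWithAuth is set.
    user_with_auth = handle_type is HandleType.HIERARCHY or "userWithAuth" in attrs
    return PASSWORD_HMAC | POLICY if user_with_auth else POLICY

def policy_must_name_command(role):
    """ADMIN and DUP policies must bind the command code (TPM2_PolicyCommandCode)."""
    return role in (Role.ADMIN, Role.DUP)
```

A handy check before building a policy: if the returned set lacks "password" you cannot get by with a plain password session, and if `policy_must_name_command` is true the policy needs a command-code term or the TPM will reject it.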

Now that you understand roles, let's look at the authorization area.

  • [1] A more accurate name for this attribute would have been adminOnlyWithPolicy.
 