Command and Response Authorization Area Details
Chapter 5 described the command and response data schematics but purposely left out one important area in commands and responses: the authorization area. This area is where sessions and authorizations are specified in the command and response byte stream, and a detailed discussion was deferred until this chapter.
To make the concepts more practical, this section examines the command and response authorization areas using the TPM2_NV_Read command. The same general format applies to the authorization areas of every command that can carry authorizations.
Command Authorization Area
Figure 13-3 shows the TPM2_NV_Read command and response data schematics and the location of the authorization areas in the command. Note that these areas aren't specifically called out in the Part 3 schematics, but they're implied; this is why they're shown in boxes off to the left side of the command and response schematic tables. For all commands that take authorizations, the authorization area for the command is located after the handles area and before the parameters area. The authorization area for the response is located at the end of the response after the response parameters.
Figure 13-3. NV_Read command and response schematic from TPM 2.0 spec, Part 3, and the location of authorization areas. The boxes to the left indicate where the authorization areas are sandwiched in. This is often confusing to new readers of the specification but is very important to grasp.
For any command that can take authorizations, there can be up to three authorization structures in the authorization area. For a successful TPM 2.0 command, the number of authorization structures in the response is always equal to the number of authorization structures in the command. For a TPM 2.0 command that fails, the number of authorization structures in the response is always 0: the error response carries only the tag (TPM_ST_NO_SESSIONS), responseSize, and responseCode.
Footnote 5. The term octet is used in the TPM specification to denote 8 bits, which is often, although somewhat inaccurately, referred to as a byte. Because some computers use bytes that have a different number of bits, the TPM 2.0 architects used the term octet.
For the command, notice the @ sign in front of authHandle: this means an authorization structure is required to authorize actions on the entity corresponding to the authHandle. Further notation in the description column, “Auth role: USER,” indicates the authorization role required.
Command Authorization Structures
The command authorization structure, TPMS_AUTH_COMMAND, is illustrated in Figure 13-4. This shows the details of the command authorization area box from Figure 13-3.
Figure 13-4. Command authorization structure, TPMS_AUTH_COMMAND
Although not strictly part of the authorization structure in the current TPM 2.0 specification, the authorizationSize field (a UINT32) is present in a command whenever the command tag is TPM_ST_SESSIONS, which indicates that an authorization area is present. Code that is parsing the command uses authorizationSize to determine how many bytes of session structures follow the handles, and therefore where the parameters begin; the number of sessions is found by walking the structures until authorizationSize bytes have been consumed. The field immediately precedes the authorization area, as shown in Figure 13-5.
Figure 13-5. Command structure showing where the command authorization area(s) are located
Response Authorization Structures
For a response, the authorization structure, TPMS_AUTH_RESPONSE, is shown in Figure 13-6. This shows the details of the response authorization area box from Figure 13-3.
Figure 13-6. Response authorization structure, TPMS_AUTH_RESPONSE
The response authorization area is at the very end of the response. To make it easy to find, a parameterSize field, a UINT32, is inserted before the response parameter area for all responses that contain an authorization area. Code that is parsing the response can use the parameterSize field to skip past the response parameters to find the response authorization area. The parameterSize field isn't present when a response doesn't include an authorization area, which is the case whenever the response tag is TPM_ST_NO_SESSIONS, including every error response (see Figure 13-7).
Figure 13-7. Response Structure, showing where the response authorization area(s) and parameterSize fields are located
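The command and response layouts described above, worked through in code. This is an added example, not code from the book or from the TPM 2.0 specification: it builds a password-authorized TPM2_NV_Read command and its response, then parses both, using authorizationSize to locate the command sessions and parameterSize to skip to the response authorization area. The NV index handle, password, data bytes and the error response are constructed for the example; the field sizes and the tag, command-code and TPM_RS_PW constants are those of the specification.

```python
"""Locate the authorization areas of a TPM2_NV_Read command and response.

Field layouts follow TPM 2.0 Part 1/Part 3. The sample messages are
constructed below, not captured from a real TPM.
"""
import struct

TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002        # tag that says an authorization area is present
TPM_CC_NV_Read = 0x0000014E
TPM_RS_PW = 0x40000009          # handle of the implicit password session
TPM_RC_SUCCESS = 0x00000000
TPMA_SESSION_CONTINUE = 0x01
MAX_SESSIONS = 3                # at most three authorization structures


def _tpm2b(buf, off):
    """Read a TPM2B: UINT16 size followed by that many bytes."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + size], off + size


def _auth_command(buf, off):
    """Parse one TPMS_AUTH_COMMAND: handle, nonce, attributes, hmac."""
    (handle,) = struct.unpack_from(">I", buf, off)
    nonce, off = _tpm2b(buf, off + 4)
    attrs = buf[off]
    hmac, off = _tpm2b(buf, off + 1)
    return {"sessionHandle": handle, "nonce": nonce,
            "sessionAttributes": attrs, "hmac": hmac}, off


def _auth_response(buf, off):
    """Parse one TPMS_AUTH_RESPONSE: like the command one, minus the handle."""
    nonce, off = _tpm2b(buf, off)
    attrs = buf[off]
    hmac, off = _tpm2b(buf, off + 1)
    return {"nonce": nonce, "sessionAttributes": attrs, "hmac": hmac}, off


def parse_command(buf, handle_count):
    """Split a command into header, handles, sessions and parameters.

    handle_count comes from the command's Part 3 schematic (NV_Read has 2);
    the handle count is not encoded in the byte stream.
    """
    tag, size, cc = struct.unpack_from(">HII", buf, 0)
    if size != len(buf):
        raise ValueError("commandSize does not match buffer length")
    off = 10
    handles = [struct.unpack_from(">I", buf, off + 4 * i)[0] for i in range(handle_count)]
    off += 4 * handle_count
    sessions = []
    if tag == TPM_ST_SESSIONS:
        # authorizationSize sits between the handles and the session structures
        (auth_size,) = struct.unpack_from(">I", buf, off)
        off += 4
        end = off + auth_size
        while off < end:                      # walk sessions until authorizationSize is used up
            s, off = _auth_command(buf, off)
            sessions.append(s)
        if off != end or not 1 <= len(sessions) <= MAX_SESSIONS:
            raise ValueError("malformed authorization area")
    return {"tag": tag, "commandCode": cc, "handles": handles,
            "sessions": sessions, "parameters": buf[off:]}


def parse_response(buf, handle_count=0):
    """Split a response; parameterSize lets us jump straight to the auth area."""
    tag, size, rc = struct.unpack_from(">HII", buf, 0)
    if size != len(buf):
        raise ValueError("responseSize does not match buffer length")
    off = 10
    handles = [struct.unpack_from(">I", buf, off + 4 * i)[0] for i in range(handle_count)]
    off += 4 * handle_count
    sessions = []
    if tag == TPM_ST_SESSIONS:
        (param_size,) = struct.unpack_from(">I", buf, off)
        off += 4
        params = buf[off:off + param_size]
        off += param_size                     # skip the parameters; sessions run to the end
        while off < len(buf):
            s, off = _auth_response(buf, off)
            sessions.append(s)
        if len(sessions) > MAX_SESSIONS:
            raise ValueError("too many authorization structures")
    else:
        params = buf[off:]                    # no parameterSize and no auth area (e.g. every error)
    return {"tag": tag, "responseCode": rc, "handles": handles,
            "sessions": sessions, "parameters": params}


def build_nv_read_command(auth_handle, nv_index, password, size, offset):
    """Constructed sample: TPM2_NV_Read authorized by a password session."""
    session = (struct.pack(">IH", TPM_RS_PW, 0)                     # handle, empty nonce
               + bytes([0x00])                                       # sessionAttributes
               + struct.pack(">H", len(password)) + password)        # hmac field carries the password
    body = (struct.pack(">III", TPM_CC_NV_Read, auth_handle, nv_index)
            + struct.pack(">I", len(session)) + session              # authorizationSize + sessions
            + struct.pack(">HH", size, offset))                      # parameters: size, offset
    return struct.pack(">HI", TPM_ST_SESSIONS, 6 + len(body)) + body


def build_nv_read_response(data, rc=TPM_RC_SUCCESS):
    """Constructed sample: success carries one TPMS_AUTH_RESPONSE, failure none."""
    if rc != TPM_RC_SUCCESS:
        return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10, rc)
    params = struct.pack(">H", len(data)) + data                     # TPM2B_MAX_NV_BUFFER
    auth = struct.pack(">H", 0) + bytes([TPMA_SESSION_CONTINUE]) + struct.pack(">H", 0)
    body = struct.pack(">I", len(params)) + params + auth            # parameterSize + params + auth
    return struct.pack(">HII", TPM_ST_SESSIONS, 10 + len(body), rc) + body


NV_INDEX = 0x01800001                                                # arbitrary NV index for the sample
CMD = build_nv_read_command(NV_INDEX, NV_INDEX, b"pass", 8, 0)
RSP_OK = build_nv_read_response(bytes(range(8)))
RSP_FAIL = build_nv_read_response(b"", rc=0x0000098E)               # TPM_RC_AUTH_FAIL flagged on session 1
```

Running `parse_command(CMD, 2)` yields one session whose handle is TPM_RS_PW and whose hmac field is the literal password, with the four parameter bytes (size 8, offset 0) left over after the authorization area; `parse_response(RSP_OK)` returns the TPM2B data plus one TPMS_AUTH_RESPONSE, while `parse_response(RSP_FAIL)` returns no sessions at all, matching the rule that a failed command never carries a response authorization area.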
Now that you know what the authorization areas look like, let's look at the three types of authorizations in detail.