Password Authorization: The Simplest Authorization
Password authorizations are the simplest authorizations, so I will describe them first. This section presents the password authorization lifecycle: how to create a password authorized entity, how to alter the authorization for an existing entity, and how to use a password authorization to authorize an action.
Password Authorization Lifecycle
A password authorization has a very simple lifecycle: create an entity using a password as the authorization, and then authorize actions on the entity. In more detail, the high-level steps required to create and use a password authorization are as follows:
1. Create an entity that will use an authorization value, or change the authorization value for an existing entity. This step is typically performed once per entity.
2. Authorize actions using the password authorized entity. This step can be performed multiple times for a particular entity and can occur any time after the entity's password has been set, whether by creating the entity or by changing its authorization.
First let's look at step 1, creating an entity to use a password authorization or altering the password for an existing entity.
Creating a Password Authorized Entity
To create an entity, use the following commands: TPM2_CreatePrimary, TPM2_Create, and TPM2_NV_DefineSpace. Each of these has a parameter field for passing in the authValue that will be used to authorize actions on the entity. This authValue can be used either as a simple plaintext password or as an input to an HMAC authorization, but since this section is describing a password session, it just describes its use as a password. HMAC authorizations are described after we finish with passwords.
Here are some more details about the three TPM commands used to create entities:
• TPM2_CreatePrimary is used to create primary objects (objects directly under the primary seed) in a hierarchy. The USER authorization can be a password authorization if the inPublic parameter's userWithAuth attribute is set; this means authorization for actions that require the USER role can be performed by a password or HMAC. The authValue, a password in this case, is passed in by setting the userAuth field of the inSensitive parameter to the password.
• TPM2_Create is used to create objects that can be loaded into the TPM. The authorization type, userWithAuth, and the authValue are configured by setting the same fields used by TPM2_CreatePrimary.
• TPM2_NV_DefineSpace is used to define an NV index. A password authorization can be used if the attributes TPMA_NV_AUTHREAD and/or TPMA_NV_AUTHWRITE are set. The input parameter, authValue (the password), is passed in as the auth parameter of the TPM2_NV_DefineSpace command.
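The two lifecycle steps above (set the password at creation, then present it to authorize a later action) worked at the wire-format level, as an added example that is not code from the book or from any TSS. It marshals the places where the password travels: the userAuth field inside inSensitive for TPM2_CreatePrimary/TPM2_Create, the auth parameter of TPM2_NV_DefineSpace next to the TPMA_NV_AUTHREAD/AUTHWRITE attributes, and the TPMS_AUTH_COMMAND with the TPM_RS_PW session handle that carries a plaintext password in a later command. Structure layouts and constants are those of the TPM 2.0 Library Specification (Parts 2 and 3); TPM2_NV_Read is my choice of a step-2 action, the NV index handle and passwords are constructed sample values, and password_authorized is a simplified model of the check the text describes, not the TPM's own code. Everything runs offline; no TPM is contacted.

```python
import hmac
import struct

# Constants taken from the TPM 2.0 Library Specification (Part 2 structures, Part 3 command codes).
TPM_ST_SESSIONS = 0x8002           # header tag for a command that carries an authorization area
TPM_RS_PW = 0x40000009             # handle of the always-available password session
TPM_ALG_SHA256 = 0x000B
TPM_CC_NV_Read = 0x0000014E
TPMA_OBJECT_USERWITHAUTH = 1 << 6  # USER role may be authorized with a password or HMAC
TPMA_NV_AUTHWRITE = 1 << 2         # index authValue may authorize writes
TPMA_NV_AUTHREAD = 1 << 18         # index authValue may authorize reads


def tpm2b(data: bytes) -> bytes:
    """TPM2B_* wrapper: 16-bit big-endian size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def sensitive_create(user_auth: bytes, data: bytes = b"") -> bytes:
    """TPM2B_SENSITIVE_CREATE, the inSensitive parameter of TPM2_CreatePrimary and
    TPM2_Create. Its userAuth field carries the new object's authValue (the password)."""
    return tpm2b(tpm2b(user_auth) + tpm2b(data))


def nv_define_params(nv_index: int, data_size: int, password: bytes,
                     attributes: int = TPMA_NV_AUTHREAD | TPMA_NV_AUTHWRITE) -> bytes:
    """Parameter area of TPM2_NV_DefineSpace: auth (the index's password) followed by
    publicInfo, a TPM2B_NV_PUBLIC (nvIndex, nameAlg, attributes, authPolicy, dataSize)."""
    nv_public = (struct.pack(">IHI", nv_index, TPM_ALG_SHA256, attributes)
                 + tpm2b(b"") + struct.pack(">H", data_size))
    return tpm2b(password) + tpm2b(nv_public)


def password_auth_area(password: bytes) -> bytes:
    """Authorization area with one TPMS_AUTH_COMMAND for a password session:
    sessionHandle TPM_RS_PW, empty nonce, sessionAttributes 0, hmac = plaintext password.
    The area is preceded by its 32-bit authorizationSize."""
    session = (struct.pack(">I", TPM_RS_PW) + tpm2b(b"")
               + struct.pack(">B", 0) + tpm2b(password))
    return struct.pack(">I", len(session)) + session


def build_command(command_code: int, handles: list, auth_area: bytes, params: bytes) -> bytes:
    """Frame a TPM command: header (tag, commandSize, commandCode), handles,
    authorization area, then the command parameters."""
    body = b"".join(struct.pack(">I", h) for h in handles) + auth_area + params
    return struct.pack(">HII", TPM_ST_SESSIONS, 10 + len(body), command_code) + body


def parse_password_auth(auth_area: bytes) -> bytes:
    """Return the password carried by a single-session authorization area.
    Raises ValueError if the session handle is not TPM_RS_PW."""
    (size,) = struct.unpack(">I", auth_area[:4])
    session = auth_area[4:4 + size]
    handle, nonce_len = struct.unpack(">IH", session[:6])
    if handle != TPM_RS_PW:
        raise ValueError("not a password session")
    pos = 6 + nonce_len + 1               # skip the nonce bytes and sessionAttributes
    (hmac_len,) = struct.unpack(">H", session[pos:pos + 2])
    return session[pos + 2:pos + 2 + hmac_len]


def password_authorized(attributes: int, password_bit: int,
                        stored_auth: bytes, auth_area: bytes) -> bool:
    """Simplified model (not the TPM's own code) of accepting a password for an action:
    the attribute that permits password use (userWithAuth for an object's USER role,
    TPMA_NV_AUTHREAD/AUTHWRITE for an NV index) must be set, and the password in the
    authorization area must equal the authValue stored when the entity was created."""
    if not attributes & password_bit:
        return False
    try:
        supplied = parse_password_auth(auth_area)
    except ValueError:
        return False
    return hmac.compare_digest(supplied, stored_auth)


if __name__ == "__main__":
    # Constructed sample values: a key password, an NV index handle and its password.
    key_pw, nv_index, nv_pw = b"primary-pw", 0x01500016, b"nvpw"
    # Step 1: where each creation command takes the new entity's password.
    print("inSensitive for CreatePrimary/Create:", sensitive_create(key_pw).hex())
    print("NV_DefineSpace params:", nv_define_params(nv_index, 32, nv_pw).hex())
    # Step 2: a later TPM2_NV_Read on that index, authorized with the index's own password
    # (authHandle == nvIndex), carries the password in the authorization area.
    read_cmd = build_command(TPM_CC_NV_Read, [nv_index, nv_index],
                             password_auth_area(nv_pw), struct.pack(">HH", 32, 0))
    print("NV_Read command:", read_cmd.hex())
    print("read accepted:", password_authorized(TPMA_NV_AUTHREAD | TPMA_NV_AUTHWRITE,
                                                TPMA_NV_AUTHREAD, nv_pw, password_auth_area(nv_pw)))
```

Two things the byte layout makes visible that the prose does not: the password session has no nonce and no session attributes of consequence, so the hmac field of TPMS_AUTH_COMMAND is literally the password on the wire (the reason this is the simplest, and least protected, authorization), and the attribute that permits password use lives in the public part of the entity (inPublic or TPMA_NV), so a reader of the object's public area can tell whether a password can ever satisfy its USER role.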