Desktop version

Home arrow Computer Science arrow A Practical Guide to TPM 2.0

Changing a Password Authorization for an Already Created Entity

To change the password of an entity, these commands are used:

• TPM2_ObjectChangeAuth: Can be used to change the authorization of objects that aren't primary objects.

• TPM2_HierarchyChangeAuth: Used to change the authorization for a hierarchy (platform, owner, or endorsement) or for the lockout authority.

• TPM2_NV_ChangeAuth: Changes the authorization value for an NV index.

6All of these commands have the ability to set the authorization to use an authValue and/or a policy, but only the use of authValue is described here.

Now let's look at step 2, authorizing actions using a password authorization.

Using a Password Authorization

A password authorization is the simplest authorization. To use a password authorization, no session needs to be started. The caller simply fills in the command authorization block as shown in Figure 13-8.

Figure 13-8. Password authorization command [1]

The response authorization area looks like Figure 13-9.

Figure 13-9. Password acknowledgement in response[2][3]

Code Example: Password Session

Listing 13-1 shows a code example of a password session using the password session test from the TSS SAPI test code. This code uses the TSS System API that was described in Chapter 7. Because you hadn't yet learned about authorizations and sessions, a description of the authorization-related structures and functions was deferred until this chapter. In order to follow the code example, you need to understand these session and authorization related System API data structures:

• TSS2_SYS_CMD_AUTHS: Specifies the number of authorization areas for the command and the specific authorization areas to be used. The structure looks like this:

typedef struct { uint8_t cmdAuthsCount; TPMS_AUTH_COMMAND **cmdAuths; } TSS2_SYS_CMD_AUTHS;

• TSS2_SYS_RSP_AUTHS: In a like manner, specifies the number of authorization areas in a response and the specific response authorization areas. The structure looks like this:

typedef struct {uint8_t rspAuthsCount; TPMS_AUTH_RESPONSE **rspAuths;} TSS2_SYS_RSP_AUTHS;

■ Note

the CheckPassed and CheckFailed functions used in the code example are the

same as those described in the code example in the sapi section of Chapter 7.

Now that you understand the new structures, let's look at the code. I've added notes for each major block of the code to help you follow it better.

Listing 13-1. Password Authorization: Code Example

// Password used to authorize access to the NV index. char password[] = "test password";

// NV Index used for the password test.

#define TPM20_INDEX_PASSWORD_TEST 0x01500020

void PasswordTest()

{

UINT32 rval; int i;

Create an authorization area for the command and response.

// Authorization structure for command. TPMS_AUTH_COMMAND sessionData;

// Authorization structure for response. TPMS_AUTH_RESPONSE sessionDataOut;

// Create and init authorization area for command:

// only 1 authorization area.

TPMS_AUTH_COMMAND *sessionDataArray[1] = { &sessionData };

// Create authorization area for response:

// only 1 authorization area.

TPMS_AUTH_RESPONSE *sessionDataOutArray[1] = { &sessionDataOut };

// Authorization array for command (only has one auth structure). TSS2_SYS_CMD_AUTHS sessionsData = { 1, &sessionDataArray[0] };

// Authorization array for response (only has one auth structure). TSS2_SYS_RSP_AUTHS sessionsDataOut = { 1, &sessionDataOutArray[0] }; TPM2B_MAX_NV_BUFFER nvWriteData;

printf( " PASSWORD TESTS: " );

Create an nV index.

// Create an NV index that will use password

// authorizations. The password will be

// "test password".

CreatePasswordTestNV( TPM20_INDEX_PASSWORD_TEST, password );

//

// Initialize the command authorization area.

//

// Init sessionHandle, nonce, session

// attributes, and hmac (password). sessionData.sessionHandle = TPM_RS_PW;

// Set zero sized nonce. sessionData.nonce.t.size = 0;

// sessionAttributes is a bit field. To initialize

// it to 0, cast to a pointer to UINT8 and

// write 0 to that pointer.

*( (UINT8 *)&sessionData.sessionAttributes ) = 0;

// Init password (HMAC field in authorization structure). sessionData.hmac.t.size = strlen( password );

memcpy( &( sessionData.hmac.t.buffer[0] ),

&( password[0] ), sessionData.hmac.t.size );

do writes, one with the correct password and one with an incorrect one; then verify the results.

// Initialize write data. nvWriteData.t.size = 4;

for(i = 0; i < nvWriteData.t.size; i++ ) nvWriteData.t.buffer[i] = 0xff i;

// Attempt write with the correct password.

// It should pass.

rval = Tss2_Sys_NV_Write( sysContext, TPM20_INDEX_PASSWORD_TEST, TPM20_INDEX_PASSWORD_TEST,

&sessionsData, &nvWriteData, 0,

&sessionsDataOut );

// Check that the function passed as

// expected. Otherwise, exit. CheckPassed( rval );

// Alter the password so it's incorrect. sessionData.hmac.t.buffer[4] = 0xff; rval = Tss2_Sys_NV_Write( sysContext,

TPM20_INDEX_PASSWORD_TEST, TPM20_INDEX_PASSWORD_TEST,

&sessionsData, &nvWriteData, 0,

&sessionsDataOut );

// Check that the function failed as expected,

// since password was incorrect. If wrong

// response code received, exit. CheckFailed( rval,

TPM_RC_S + TPM_RC_1 + TPM_RC_AUTH_FAIL );

delete the nV index.

// Change hmac to null one, since null auth is

// used to undefine the index. sessionData.hmac.t.size = 0;

// Now undefine the index.

rval = Tss2_Sys_NV_UndefineSpace( sysContext, TPM_RH_PLATFORM, TPM20_INDEX_PASSWORD_TEST, &sessionsData, 0 );

CheckPassed( rval );

}

A good understanding of password authorizations and the data structures used to enable them provides a foundation for understanding the other types of authorizations. Next I describe HMAC and policy authorizations: specifically, how to start them.

  • [1] Because the password session is always available, continueSession has no effect.
  • [2] The continueSession flag is an exception to this. For password sessions, the continueSession flag is always set in the response.
  • [3] This field is called hmac in the specification, but it isn't really an HMAC. Actually it's not anything at all, because it's a zero-length buffer. Probably the specification writers called it hmac to keep it consistent with HMAC authorization areas.
 
Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >

Related topics