This section dives into the details of HMAC authorizations. It describes the high-level HMAC authorization lifetime and each of the steps in that lifetime: entity creation or alteration, HMAC session creation, and HMAC session use. The section ends with a description of the security properties of an HMAC session.
As you read this section, I recommend that you reference the example code section. The discussion refers to line numbers in the code where applicable. This section mainly focuses on describing the steps leading up to and including the NV index's write. The NV index's read code is very similar, and mapping of these steps to that code is left as a reader exercise.
HMAC Authorization Lifecycle
The steps for creating and authorizing actions on HMAC authorized entities are the following:
1. Create the entity that will use an authorization value, or change the authorization value for an existing entity. This step is typically performed once per entity.
2. Create an HMAC session.
3. Use the HMAC session to perform operations on the entity. This operation can occur any time after steps 1 and 2 and can occur multiple times. A single HMAC session can be used to authorize multiple actions.
Altering or Creating an Entity That Requires HMAC Authorization
For the purposes of entity creation, the method of specifying the authValue is exactly the same as described earlier in the password authorization lifecycle. The same is true for altering the authValue for an existing entity. In both of these operations, the authValue is treated exactly the same for HMAC and password authorizations.
In the example code, lines 19–26, 42–44, and 55 set up the authValue and authPolicy for creating the NV index. Lines 101, 104–105, and 112 set up the NV attributes. And lines 115–117 create the NV index that we're going to authorize.
Creating an HMAC Session
An HMAC session is started with a TPM2_StartAuthSession command whose sessionType field is set to TPM_SE_HMAC. When the HMAC session is started, the TPM creates a session key using the formula described previously. This session key is created inside the TPM. After TPM2_StartAuthSession returns, the caller recreates the same session key from the bind entity's authValue, the salt and nonceCaller parameters that the caller sent to the TPM in the TPM2_StartAuthSession command, and the nonceTPM returned by the TPM.
Lines 140, 143, and 150 set up the parameters for starting the session, and lines 154–156 actually create the session.
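To make the caller-side half of session creation concrete, the following is an added example (not code from the book's example listing) that recomputes the HMAC session key the way the caller must after TPM2_StartAuthSession returns. It implements KDFa as defined in TPM 2.0 Library Part 1 (SP 800-108 counter mode over HMAC) with the label "ATH", keyed by the bind entity's authValue concatenated with the salt, and with nonceTPM and nonceCaller as the two context values; the authValue, salt and nonce byte strings below are constructed sample inputs, and the SHA-256 session hash algorithm is an assumption. For an unbound session the authValue contribution is empty, and for an unsalted session the salt is empty, so the same function covers all four bind/salt combinations.

```python
import hashlib
import hmac
import struct


def kdfa(key, label, context_u, context_v, bits, hash_alg=hashlib.sha256):
    """TPM 2.0 KDFa: SP 800-108 KDF in counter mode with HMAC as the PRF.

    Each output block is HMAC(key, [i]32 || label || 0x00 || contextU || contextV || [bits]32),
    where i is a 32-bit big-endian counter starting at 1 and the label is treated as a
    null-terminated byte string. Output is truncated to the requested number of bits.
    """
    label_bytes = label.encode("ascii") + b"\x00"
    nbytes = (bits + 7) // 8
    out = b""
    counter = 1
    while len(out) < nbytes:
        msg = (struct.pack(">I", counter) + label_bytes
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hash_alg).digest()
        counter += 1
    return out[:nbytes]


def session_key(bind_auth_value, salt, nonce_tpm, nonce_caller, hash_alg=hashlib.sha256):
    """Caller-side recreation of the HMAC session key.

    sessionKey = KDFa(sessionAlg, (authValue || salt), "ATH", nonceTPM, nonceCaller, bits)
    with bits equal to the digest size of the session hash algorithm. The TPM computes the
    identical value internally when it processes TPM2_StartAuthSession; the key itself is
    never sent on the wire, only the two nonces are.
    """
    bits = hash_alg().digest_size * 8
    return kdfa(bind_auth_value + salt, "ATH", nonce_tpm, nonce_caller, bits, hash_alg)


def demo():
    # Constructed sample values standing in for the bind entity's authValue, an
    # (assumed empty, i.e. unsalted) salt, and the two 20-byte nonces exchanged in
    # TPM2_StartAuthSession. Real nonces come from the caller's RNG and the TPM.
    auth_value = b"nv-index-auth"
    salt = b""
    nonce_caller = bytes(range(20))
    nonce_tpm = bytes(range(100, 120))
    return session_key(auth_value, salt, nonce_tpm, nonce_caller)


if __name__ == "__main__":
    print("session key:", demo().hex())
```

A mismatch anywhere in these inputs (wrong authValue, wrong nonce order, wrong hash algorithm) does not produce an error from TPM2_StartAuthSession itself; it surfaces later, when the first command authorized with the session fails its HMAC check, which is worth remembering when debugging the authorization steps that follow.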