tpm2-tss
ESAPI: PCR_SetAuthValue doesn't remember auth values for subsequent calls
When writing the Python binding tests, I had to explicitly call Esys_TR_SetAuth for subsequent calls or auth will fail.
```python
self.ectx.PCR_SetAuthValue(ESYS_TR.PCR20, b'password')
self.ectx.setAuth(ESYS_TR.PCR20, b'password')
self.ectx.PCR_SetAuthValue(ESYS_TR.PCR20, 'password')
self.ectx.setAuth(ESYS_TR.PCR20, 'password')
self.ectx.PCR_SetAuthValue(ESYS_TR.PCR20, TPM2B_DIGEST('password'))
```
The command Esys_PCR_SetAuthValue works similarly to the ChangeAuth commands. So the auth value should not be stored in the esys context when Esys_PCR_SetAuthValue is executed.
PCR_SetAuthValue is a disallowed function for any PC_Client TPM. So I assume we just never tested it. But if we actually do have ESYS_TRs for PCRs then we should also remember the password after a SetAuthValue call, similarly to NV auths and HierarchyAuths.
@williamcroberts The title says "NV auths". Does the problem occur there as well?
I don't know why the title was so out of sync, changed it to be in line. If I remember or stumble into the issue again I'll file a separate ticket. Thanks.
@williamcroberts Since this is a behavioral change, should we include this in 4.0?
We don't have to, but it would be nice I guess. It wouldn't be a breaking change so it wouldn't matter. Previous users of ESAPI would have to keep calling SetAuth, and everything would keep working, whereas new users just call it once.
@AndreasFuchsTPM or @JuergenReppSIT is anyone working on this or should I take it?
@williamcroberts I'm not working on this. I'm working on a new problem found when I did implement the integration test for PolicySecret.
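A simplified model of the behaviour discussed in this thread, added here as an illustration and not code from tpm2-tss or its Python bindings. `ModelTPM`, `ModelEsysContext` and `second_call_succeeds` are hypothetical names, and PCR 20 is assumed to start with an empty auth value and to be used with a password session.

```python
# Simplified model (constructed for illustration): a password-session TPM and an
# ESAPI-like context that caches one auth value per ESYS_TR handle.
class AuthFailure(Exception):
    """Stands in for the TPM's bad-auth response code."""

class ModelTPM:
    def __init__(self):
        self.pcr_auth = {20: b""}          # assumption: PCR 20 starts with empty auth

    def pcr_set_auth_value(self, pcr, presented_auth, new_auth):
        # The command is authorized with the PCR's *current* auth value.
        if presented_auth != self.pcr_auth[pcr]:
            raise AuthFailure(f"PCR{pcr}: bad auth")
        self.pcr_auth[pcr] = new_auth

class ModelEsysContext:
    def __init__(self, tpm, remember_new_auth):
        self.tpm = tpm
        self.remember_new_auth = remember_new_auth
        self.tr_auth = {}                  # per-handle cache, what a SetAuth call writes

    def tr_set_auth(self, pcr, auth):
        self.tr_auth[pcr] = auth

    def pcr_set_auth_value(self, pcr, new_auth):
        cached = self.tr_auth.get(pcr, b"")
        self.tpm.pcr_set_auth_value(pcr, cached, new_auth)   # raises on failure
        if self.remember_new_auth:
            # Update only after the TPM accepted the command, so a failed call
            # never leaves the cache holding a value the TPM does not have.
            self.tr_auth[pcr] = new_auth

def second_call_succeeds(remember_new_auth, manual_set_auth=False):
    ctx = ModelEsysContext(ModelTPM(), remember_new_auth)
    ctx.pcr_set_auth_value(20, b"password")       # first call: empty auth is correct
    if manual_set_auth:
        ctx.tr_set_auth(20, b"password")          # the workaround from the report
    try:
        ctx.pcr_set_auth_value(20, b"password2")  # now needs auth b"password"
        return True
    except AuthFailure:
        return False

if __name__ == "__main__":
    print("reported behaviour:", second_call_succeeds(False))
    print("with manual SetAuth:", second_call_succeeds(False, manual_set_auth=True))
    print("cache updated on success:", second_call_succeeds(True))
```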