tpm2-tss icon indicating copy to clipboard operation
tpm2-tss copied to clipboard

Published 20 hours ago verified publisher icon tpm2-software

ESAPI: PCR_SetAuthValue deosn't remember auth values for subsequent calls

Open williamcroberts opened this issue 3 years ago • 3 comments

When writing the python binding tests, I had to explicitly call Esys_TR_SetAuth for subsequent calls or auth will fail.

self.ectx.PCR_SetAuthValue(ESYS_TR.PCR20, b'password')
self.ectx.setAuth(ESYS_TR.PCR20, b'password')
self.ectx.PCR_SetAuthValue(ESYS_TR.PCR20, 'password')
self.ectx.setAuth(ESYS_TR.PCR20, 'password')
self.ectx.PCR_SetAuthValue(ESYS_TR.PCR20, TPM2B_DIGEST('password'))

williamcroberts avatar Jun 18 '21 18:06 williamcroberts

The command Esys_PCR_SetAuthValue works similar to the ChangeAuth commands. So the auth value should not be stored in the esys context when Esys_PCR_SetAuthValue is executed.

JuergenReppSIT avatar Jun 23 '21 07:06 JuergenReppSIT

PCR_SetAuthValue is a disallowed function for any PC_Client TPM. So I assume we just never tested it. But if we actually do have ESYS_TRs for PCRs then we should also remember the password after a SetAuthValue call, similarly to NV auths and HierarchyAuths.

@williamcroberts The title says "NV auths". Does the problem occur there as well ?

AndreasFuchsTPM avatar Jun 25 '21 11:06 AndreasFuchsTPM

PCR_SetAuthValue is a disallowed function for any PC_Client TPM. So I assume we just never tested it. But if we actually do have ESYS_TRs for PCRs then we should also remember the password after a SetAuthValue call, similarly to NV auths and HierarchyAuths.

@williamcroberts The title says "NV auths". Does the problem occur there as well ?

I don't know why the title was so out of sync, changed it to be in line. If I remember or stumble into the issue again ill file a separate ticket. Thanks.

williamcroberts avatar Jun 25 '21 13:06 williamcroberts

@williamcroberts Since this is a Behavioral change, should we include this in 4.0 ?

AndreasFuchsTPM avatar Nov 02 '22 12:11 AndreasFuchsTPM

@williamcroberts Since this is a Behavioral change, should we include this in 4.0 ?

We don't have to, but it would be nice I guess. It wouldn't be a breaking change so it wouldn't matter. Previous users of ESAPI would have to keep calling SetAuth, and everything would keep working where as new users just call it once.

williamcroberts avatar Nov 02 '22 19:11 williamcroberts

@AndreasFuchsTPM or @JuergenReppSIT is anyone working on this or should I take it?

williamcroberts avatar Nov 03 '22 16:11 williamcroberts

@williamcroberts I'm not working on this. I'm working on a new problem found when I did implement the integration test for PolicySecret.

JuergenReppSIT avatar Nov 03 '22 16:11 JuergenReppSIT