From d8a7a0678e48d9f10872c614614ea7e810b13eed Mon Sep 17 00:00:00 2001 From: Juergen Repp Date: Sat, 28 Sep 2024 10:50:06 +0200 Subject: [PATCH] Options: Add option to allow usage of password session. For authentication of an object always an HMAC session was used. For an unsalted session an openssl HMAC key with the size of the auth value was created. This caused problems with the OpenSSL FIPS mode if the key length is less than 112 bits. To avoid this the option --pwd-session (-z) is added. Here the session handle ESYS_TR_PASSWORD will be used. For example, now the EK can be used to create a salted session: tpm2_createek --pwd-session -Q --key-algorithm rsa --ek-context ek.ctx tpm2_startauthsession -Q --session salted_session.ctx --hmac-session --tpmkey-context ek.ctx tpm2_sessionconfig -Q salted_session.ctx --enable-decrypt tpm2_createprimary -c prim.ctx -P session:salted_session.ctx Adresses: #3420 
Signed-off-by: Juergen Repp --- lib/tpm2_auth_util.c | 8 +++++++- lib/tpm2_options.c | 6 +++++- lib/tpm2_options.h | 2 ++ man/common/options.md | 7 ++++++- tools/misc/tpm2_encodeobject.c | 7 +++---- tools/tpm2_activatecredential.c | 8 ++++---- tools/tpm2_certify.c | 8 ++++---- tools/tpm2_certifycreation.c | 6 +++--- tools/tpm2_changeauth.c | 6 +++--- tools/tpm2_clear.c | 6 +++--- tools/tpm2_clearcontrol.c | 6 +++--- tools/tpm2_clockrateadjust.c | 6 +++--- tools/tpm2_commit.c | 6 +++--- tools/tpm2_create.c | 6 +++--- tools/tpm2_createek.c | 12 ++++++------ tools/tpm2_createprimary.c | 6 +++--- tools/tpm2_dictionarylockout.c | 6 +++--- tools/tpm2_duplicate.c | 6 +++--- tools/tpm2_ecdhzgen.c | 6 +++--- tools/tpm2_encryptdecrypt.c | 6 +++--- tools/tpm2_evictcontrol.c | 6 +++--- tools/tpm2_getcommandauditdigest.c | 8 ++++---- tools/tpm2_getsessionauditdigest.c | 8 ++++---- tools/tpm2_gettime.c | 8 ++++---- tools/tpm2_hierarchycontrol.c | 8 +++----- tools/tpm2_hmac.c | 6 +++--- tools/tpm2_import.c | 6 +++--- tools/tpm2_load.c | 6 +++--- tools/tpm2_nvcertify.c | 8 ++++---- tools/tpm2_nvdefine.c | 6 +++--- tools/tpm2_nvextend.c | 6 +++--- tools/tpm2_nvincrement.c | 6 +++--- tools/tpm2_nvread.c | 6 +++--- tools/tpm2_nvreadlock.c | 6 +++--- tools/tpm2_nvsetbits.c | 6 +++--- tools/tpm2_nvundefine.c | 6 +++--- tools/tpm2_nvwrite.c | 12 ++++++------ tools/tpm2_nvwritelock.c | 6 +++--- tools/tpm2_pcrallocate.c | 6 +++--- tools/tpm2_policyauthorizenv.c | 6 +++--- tools/tpm2_policynv.c | 6 +++--- tools/tpm2_policysecret.c | 6 +++--- tools/tpm2_quote.c | 6 +++--- tools/tpm2_rsadecrypt.c | 6 +++--- tools/tpm2_setclock.c | 6 +++--- tools/tpm2_setcommandauditstatus.c | 2 +- tools/tpm2_setprimarypolicy.c | 6 +++--- tools/tpm2_sign.c | 8 +++----- tools/tpm2_unseal.c | 6 +++--- tools/tpm2_zgen2phase.c | 6 +++--- 50 files changed, 168 insertions(+), 156 deletions(-) diff --git a/lib/tpm2_auth_util.c b/lib/tpm2_auth_util.c index 8fe6425ec..ace860645 100644 --- a/lib/tpm2_auth_util.c 
+++ b/lib/tpm2_auth_util.c @@ -467,7 +467,13 @@ tool_rc tpm2_auth_util_from_optarg(ESYS_CONTEXT *ectx, const char *password, } /* must be a password */ - return handle_password_session(ectx, password, session); + if (is_restricted) { + /* ESYS_TR_PASSWORD will be used as handle. */ + return handle_password_session(NULL, password, session); + } else { + /* A hmac session will be created. */ + return handle_password_session(ectx, password, session); + } } tool_rc tpm2_auth_util_get_shandle(ESYS_CONTEXT *ectx, ESYS_TR object, diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c index e8bdaf5ea..c16881f9c 100644 --- a/lib/tpm2_options.c +++ b/lib/tpm2_options.c @@ -288,11 +288,12 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv, { "quiet", no_argument, NULL, 'Q' }, { "version", no_argument, NULL, 'v' }, { "enable-errata", no_argument, NULL, 'Z' }, + { "pwd-session", no_argument, NULL, 'z' }, }; /* handle any options */ - const char* common_short_opts = "T:h::vVQZ"; + const char* common_short_opts = "T:h::vVQZz"; tpm2_options *opts = tpm2_options_new(common_short_opts, ARRAY_LEN(long_options), long_options, NULL, NULL, 0); if (!opts) { @@ -373,6 +374,9 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv, case 'V': flags->verbose = 1; break; + case 'z': + flags->restricted_pwd_session = 1; + break; case 'Q': flags->quiet = 1; break; diff --git a/lib/tpm2_options.h b/lib/tpm2_options.h index 6909cd36c..16d67e643 100644 --- a/lib/tpm2_options.h +++ b/lib/tpm2_options.h @@ -22,6 +22,8 @@ union tpm2_option_flags { uint8_t quiet :1; uint8_t enable_errata :1; uint8_t tcti_none :1; + uint8_t restricted_pwd_session :1; + }; uint8_t all; }; diff --git a/man/common/options.md b/man/common/options.md index 8da93a4bb..ddf0dc2ad 100644 --- a/man/common/options.md +++ b/man/common/options.md 
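Review bot: In the final branch of tpm2_auth_util_from_optarg, `is_restricted` now also selects ESYS_TR_PASSWORD, so a boolean that the tools previously hard-coded to `false` carries a second meaning. Any existing test of `is_restricted` earlier in this function (outside the hunk) will start to fire whenever `-z` is given, so it is worth confirming that `session:` auth strings still behave as intended with the option set. Selecting the mode by passing `NULL` as `ectx` to handle_password_session is implicit and relies on that helper treating a NULL context as a password session, which is not visible here. I would use a dedicated parameter rather than reusing `is_restricted`, and state the trade-off at the branch: `/* -z: authValue is sent to the TPM as a plain password (no HMAC); prefer a salted session when auth values are set */`.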
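Review bot: `-z`/`--pwd-session` goes into the common option table and `common_short_opts`, so every tool accepts it, but it only takes effect where a call site forwards `flags.restricted_pwd_session`. A tool not converted by this commit would accept the option and silently keep its HMAC session, and a tool that already defines its own `-z` would clash; neither case can be checked from these hunks. I would note the contract at the `case 'z':` branch, e.g. `/* honoured only by tools that pass flags.restricted_pwd_session to the auth helpers */`. Separately, the man-page hunk for this option replaces a blank line with a stray `x`.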
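Review bot: The new bit-field `restricted_pwd_session` has no comment, and its name matches neither the option (`--pwd-session`) nor the parameter it feeds (`is_restricted`), which makes the flag hard to trace. A one-line comment above it would help: `/* -z: authorize with ESYS_TR_PASSWORD instead of an HMAC session */`. The empty line added before `};` can go. The flags overlay a single `uint8_t all`, so the struct must stay at eight one-bit fields or fewer; its start is outside this hunk, so the count cannot be checked here.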
@@ -22,11 +22,16 @@ information that many users may expect. * **-Q**, **\--quiet**: Silence normal tool output to stdout. - +x * **-Z**, **\--enable-errata**: Enable the application of errata fixups. Useful if an errata fixup needs to be applied to commands sent to the TPM. Defining the environment TPM2TOOLS\_ENABLE\_ERRATA is equivalent. + * **-z**, **\--pwd-session**: + Use password session instead of a HMAC session for authentication. A clear text password + is passed to the TPM to authorize the action. This option can be used to avoid problems + when unsalted sessions are used in OpenSSL FIPS mode. If auth values are used + a salted session should be used for authentication. * **-R**, **\--autoflush**: Enable autoflush for transient objects created by the command. If a parent object is loaded from a context file also the transient parent object will diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c index eee939f82..3990a018c 100644 --- a/tools/misc/tpm2_encodeobject.c +++ b/tools/misc/tpm2_encodeobject.c @@ -113,7 +113,7 @@ static tool_rc check_opts(void) { return rc; } -static tool_rc init(ESYS_CONTEXT *ectx) { +static tool_rc init(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { bool res = files_load_public(ctx.object.pubpath, &ctx.object.public); if (!res) { return tool_rc_general_error; @@ -125,7 +125,7 @@ static tool_rc init(ESYS_CONTEXT *ectx) { } return tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path, - ctx.parent.auth_str, &ctx.parent.object, false, + ctx.parent.auth_str, &ctx.parent.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); } @@ -212,14 +212,13 @@ static int encode(ESYS_CONTEXT *ectx) { } static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { - UNUSED(flags); tool_rc rc = check_opts(); if (rc != tool_rc_success) { return rc; } - rc = init(ectx); + rc = init(ectx, flags); if (rc != tool_rc_success) { return rc; } 
diff --git a/tools/tpm2_activatecredential.c b/tools/tpm2_activatecredential.c index eee8a2101..499288e08 100644 --- a/tools/tpm2_activatecredential.c +++ b/tools/tpm2_activatecredential.c @@ -173,7 +173,7 @@ static bool read_cert_secret(void) { return result; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -189,14 +189,14 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.credential_key.ctx_path, - ctx.credential_key.auth_str, &ctx.credential_key.object, false, + ctx.credential_key.auth_str, &ctx.credential_key.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { return rc; } /* Object #2 */ rc = tpm2_util_object_load_auth(ectx, ctx.credentialed_key.ctx_path, - ctx.credentialed_key.auth_str, &ctx.credentialed_key.object, false, + ctx.credentialed_key.auth_str, &ctx.credentialed_key.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { return rc; @@ -341,7 +341,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_certify.c b/tools/tpm2_certify.c index ca1e468ad..c6c9f2cc9 100644 --- a/tools/tpm2_certify.c +++ b/tools/tpm2_certify.c @@ -137,7 +137,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return is_file_op_success ? tool_rc_success : tool_rc_general_error; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations 
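Review bot: Both `tpm2_util_object_load_auth` calls in process_inputs (credential_key and credentialed_key) take the same global flag, so `-z` switches every authorization of the command to a password session, not only the one that hit the OpenSSL FIPS key-length limit. The same all-or-nothing pattern appears in tpm2_certify.c, tpm2_getcommandauditdigest.c, tpm2_getsessionauditdigest.c, tpm2_gettime.c, tpm2_nvcertify.c and tpm2_createek.c (owner, endorsement and EK auth). If that is intended, I would say so where the first auth is loaded: `/* --pwd-session applies to all authorizations of this command; each authValue is then sent as a plain password */`. process_inputs begins and ends outside these hunks.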
@@ -152,7 +152,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { */ /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.certified_key.ctx_path, - ctx.certified_key.auth_str, &ctx.certified_key.object, false, + ctx.certified_key.auth_str, &ctx.certified_key.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { return rc; @@ -160,7 +160,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #2 */ rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path, - ctx.signing_key.auth_str, &ctx.signing_key.object, false, + ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { return rc; @@ -333,7 +333,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_certifycreation.c b/tools/tpm2_certifycreation.c index b6dbc6fae..4d9e81b0e 100644 --- a/tools/tpm2_certifycreation.c +++ b/tools/tpm2_certifycreation.c @@ -135,7 +135,7 @@ static tool_rc process_output(void) { return is_file_op_success ? tool_rc_success : tool_rc_general_error; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -149,7 +149,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path, - ctx.signing_key.auth_str, &ctx.signing_key.object, false, + ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { LOG_ERR("Invalid signing key/ authorization."); 
@@ -413,7 +413,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - tool_rc rc = process_inputs(ectx); + tool_rc rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_changeauth.c b/tools/tpm2_changeauth.c index f2ad99fe2..339ecd571 100644 --- a/tools/tpm2_changeauth.c +++ b/tools/tpm2_changeauth.c @@ -181,7 +181,7 @@ static inline bool object_needs_parent(tpm2_loaded_object *obj) { return (h == TPM2_HR_TRANSIENT) || (h == TPM2_HR_PERSISTENT); } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -206,7 +206,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ rc = tpm2_util_object_load_auth(ectx, ctx.object.ctx, - ctx.object.auth_current, &ctx.object.obj, false, TPM2_HANDLE_ALL_W_NV); + ctx.object.auth_current, &ctx.object.obj, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { return rc; } @@ -377,7 +377,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_clear.c b/tools/tpm2_clear.c index 379d2e49f..4d68425a2 100644 --- a/tools/tpm2_clear.c +++ b/tools/tpm2_clear.c @@ -70,7 +70,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations 
@@ -86,7 +86,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_L | TPM2_HANDLE_FLAGS_P); if (rc != tool_rc_success) { LOG_ERR("Invalid lockout authorization"); @@ -199,7 +199,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_clearcontrol.c b/tools/tpm2_clearcontrol.c index 5a78ba412..94c917c27 100644 --- a/tools/tpm2_clearcontrol.c +++ b/tools/tpm2_clearcontrol.c @@ -78,7 +78,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -94,7 +94,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_L | TPM2_HANDLE_FLAGS_P); if (rc != tool_rc_success) { LOG_ERR("Invalid lockout authorization"); @@ -233,7 +233,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_clockrateadjust.c b/tools/tpm2_clockrateadjust.c index 6cddbb702..7d32129ca 100644 --- a/tools/tpm2_clockrateadjust.c +++ b/tools/tpm2_clockrateadjust.c 
@@ -77,7 +77,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -93,7 +93,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); if (rc != tool_rc_success) { LOG_ERR("Invalid lockout authorization"); @@ -225,7 +225,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_commit.c b/tools/tpm2_commit.c index 0a1bfc03a..180eeb918 100644 --- a/tools/tpm2_commit.c +++ b/tools/tpm2_commit.c @@ -110,7 +110,7 @@ static tool_rc process_outputs(ESYS_CONTEXT *ectx) { return tool_rc_success; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -125,7 +125,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path, - ctx.signing_key.auth_str, &ctx.signing_key.object, false, + ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { return rc; @@ -272,7 +272,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } 
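Review bot: In tools/tpm2_commit.c, `UNUSED(ectx);` directly below the changed signature of process_inputs is stale, because the next hunk of the same function passes `ectx` to `tpm2_util_object_load_auth`. Since the signature line is being edited anyway, the macro call can be dropped. The same leftover sits under the changed signature in tools/tpm2_ecdhzgen.c and tools/tpm2_load.c. The function body continues outside the hunk.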
diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c index cf25137a0..81085c0d8 100644 --- a/tools/tpm2_create.c +++ b/tools/tpm2_create.c @@ -344,7 +344,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -368,7 +368,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ rc = tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path, - ctx.parent.auth_str, &ctx.parent.object, false, TPM2_HANDLE_ALL_W_NV); + ctx.parent.auth_str, &ctx.parent.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { return rc; } @@ -626,7 +626,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_createek.c b/tools/tpm2_createek.c index ea1229a5d..69168c071 100644 --- a/tools/tpm2_createek.c +++ b/tools/tpm2_createek.c @@ -101,6 +101,7 @@ struct createek_context { char *out_file_path; tpm2_convert_pubkey_fmt format; bool autoflush; + bool restricted_pwd_session; struct { UINT8 f :1; UINT8 t :1; @@ -120,7 +121,8 @@ static createek_context ctx = { }, .flags = { 0 }, .find_persistent_handle = false, - .autoflush = false + .autoflush = false, + .restricted_pwd_session = false, }; typedef struct alg_map alg_map; @@ -424,8 +426,6 @@ static bool tpm2_tool_onstart(tpm2_options **opts) { static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { - UNUSED(flags); - size_t i; tool_rc rc = tool_rc_general_error; 
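Review bot: In tools/tpm2_createek.c, the `restricted_pwd_session` member added to `createek_context` and its `.restricted_pwd_session = false,` initializer are never assigned or read in this commit. All three auth calls in tpm2_tool_onrun use `flags.restricted_pwd_session` directly, and the diffstat's 12 changed lines for this file are all accounted for by the visible hunks. I would drop the member and the initializer so the flag has one source of truth, or copy `flags.restricted_pwd_session` into `ctx` once at the top of tpm2_tool_onrun and use that consistently.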
@@ -472,7 +472,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { rc = tpm2_util_object_load_auth(ectx, "owner", ctx.auth_owner_hierarchy.auth_str, &ctx.auth_owner_hierarchy.object, - false, TPM2_HANDLE_FLAGS_O); + flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_O); if (rc != tool_rc_success) { LOG_ERR("Invalid owner hierarchy authorization"); return rc; @@ -480,7 +480,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { rc = tpm2_util_object_load_auth(ectx, "endorsement", ctx.auth_endorse_hierarchy.auth_str, &ctx.auth_endorse_hierarchy.object, - false, TPM2_HANDLE_FLAGS_E); + flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_E); if (rc != tool_rc_success) { LOG_ERR("Invalid endorsement hierarchy authorization"); return rc; @@ -491,7 +491,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { * The ek object attributes are setup to policy reference eh-auth */ rc = tpm2_auth_util_from_optarg(ectx, ctx.auth_ek.auth_str, - &ctx.auth_ek.object.session, false); + &ctx.auth_ek.object.session, flags.restricted_pwd_session); if (rc != tool_rc_success) { LOG_ERR("Invalid EK authorization"); goto out; diff --git a/tools/tpm2_createprimary.c b/tools/tpm2_createprimary.c index 61498f783..34afb6de7 100644 --- a/tools/tpm2_createprimary.c +++ b/tools/tpm2_createprimary.c @@ -169,7 +169,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { |TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT \ |TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations 
@@ -197,7 +197,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_ALL_HIERACHIES); if (rc != tool_rc_success) { LOG_ERR("Invalid hierarchy authorization"); @@ -407,7 +407,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_dictionarylockout.c b/tools/tpm2_dictionarylockout.c index 35ad010bb..5a41c2fd1 100644 --- a/tools/tpm2_dictionarylockout.c +++ b/tools/tpm2_dictionarylockout.c @@ -108,7 +108,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -124,7 +124,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_L); if (rc != tool_rc_success) { LOG_ERR("Invalid lockout authorization"); @@ -310,7 +310,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_duplicate.c b/tools/tpm2_duplicate.c index 2c7c340c8..f91d79c58 100644 --- a/tools/tpm2_duplicate.c +++ b/tools/tpm2_duplicate.c 
@@ -328,7 +328,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 3.a Command specific initializations @@ -354,7 +354,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.duplicable_key.ctx_path, - ctx.duplicable_key.auth_str, &ctx.duplicable_key.object, false, + ctx.duplicable_key.auth_str, &ctx.duplicable_key.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { LOG_ERR("Invalid authorization"); @@ -594,7 +594,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_ecdhzgen.c b/tools/tpm2_ecdhzgen.c index 219cdf7c6..1a6e0d1b7 100644 --- a/tools/tpm2_ecdhzgen.c +++ b/tools/tpm2_ecdhzgen.c @@ -87,7 +87,7 @@ static tool_rc process_outputs(ESYS_CONTEXT *ectx) { return tool_rc_success; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -102,7 +102,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.ecc_key.ctx_path, - ctx.ecc_key.auth_str, &ctx.ecc_key.object, false, + ctx.ecc_key.auth_str, &ctx.ecc_key.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { LOG_ERR("Failed to load object/ auth"); @@ -241,7 +241,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } 
diff --git a/tools/tpm2_encryptdecrypt.c b/tools/tpm2_encryptdecrypt.c index e9087dc8c..68454a6a7 100644 --- a/tools/tpm2_encryptdecrypt.c +++ b/tools/tpm2_encryptdecrypt.c @@ -303,7 +303,7 @@ static bool setup_alg_mode(ESYS_CONTEXT *ectx) { return true; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -319,7 +319,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.encryption_key.ctx_path, - ctx.encryption_key.auth_str, &ctx.encryption_key.object, false, + ctx.encryption_key.auth_str, &ctx.encryption_key.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { LOG_ERR("Invalid object key authorization"); @@ -530,7 +530,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_evictcontrol.c b/tools/tpm2_evictcontrol.c index 73d477bc7..7633b340e 100644 --- a/tools/tpm2_evictcontrol.c +++ b/tools/tpm2_evictcontrol.c @@ -117,7 +117,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -133,7 +133,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); if (rc != tool_rc_success) { return rc; 
@@ -298,7 +298,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_getcommandauditdigest.c b/tools/tpm2_getcommandauditdigest.c index 31d2f839f..1db281c72 100644 --- a/tools/tpm2_getcommandauditdigest.c +++ b/tools/tpm2_getcommandauditdigest.c @@ -143,21 +143,21 @@ static bool check_input_options_and_args(void) { return true; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * Load auths */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.endorsement_hierarchy.ctx_path, ctx.endorsement_hierarchy.auth_str, - &ctx.endorsement_hierarchy.object, false, TPM2_HANDLE_FLAGS_E); + &ctx.endorsement_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_E); if (rc != tool_rc_success) { LOG_ERR("Invalid endorsement hierarchy authorization"); return rc; } rc = tpm2_util_object_load_auth(ectx, ctx.key.ctx_path, - ctx.key.auth_str, &ctx.key.object, false, + ctx.key.auth_str, &ctx.key.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { LOG_ERR("Invalid key authorization"); @@ -214,7 +214,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { } //Process inputs - tool_rc rc = process_inputs(ectx); + tool_rc rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_getsessionauditdigest.c b/tools/tpm2_getsessionauditdigest.c index 7c3b472c8..365b8374d 100644 --- a/tools/tpm2_getsessionauditdigest.c +++ b/tools/tpm2_getsessionauditdigest.c 
@@ -157,7 +157,7 @@ static bool check_input_options_and_args(void) { return true; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { tool_rc rc = tpm2_session_restore(ectx, ctx.audit_session_path, false, &ctx.audit_session); @@ -172,14 +172,14 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { */ rc = tpm2_util_object_load_auth(ectx, ctx.endorsement_hierarchy.ctx_path, ctx.endorsement_hierarchy.auth_str, - &ctx.endorsement_hierarchy.object, false, TPM2_HANDLE_FLAGS_E); + &ctx.endorsement_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_E); if (rc != tool_rc_success) { LOG_ERR("Invalid endorsement hierarchy authorization"); return rc; } rc = tpm2_util_object_load_auth(ectx, ctx.key.ctx_path, - ctx.key.auth_str, &ctx.key.object, false, + ctx.key.auth_str, &ctx.key.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { LOG_ERR("Invalid key authorization"); @@ -236,7 +236,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { } //Process inputs - tool_rc rc = process_inputs(ectx); + tool_rc rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_gettime.c b/tools/tpm2_gettime.c index 023bad5c1..edb585d9c 100644 --- a/tools/tpm2_gettime.c +++ b/tools/tpm2_gettime.c @@ -124,7 +124,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations 
@@ -141,7 +141,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ /* set up the privacy admin (always endorsement) hard coded in ctx init */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.privacy_admin.ctx_path, - ctx.privacy_admin.auth_str, &ctx.privacy_admin.object, false, + ctx.privacy_admin.auth_str, &ctx.privacy_admin.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_E); if (rc != tool_rc_success) { return rc; @@ -150,7 +150,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #2 */ /* load the signing key */ rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path, - ctx.signing_key.auth_str, &ctx.signing_key.object, false, + ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { LOG_ERR("Invalid key authorization"); @@ -309,7 +309,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_hierarchycontrol.c b/tools/tpm2_hierarchycontrol.c index e0294d6cc..432a7eef8 100644 --- a/tools/tpm2_hierarchycontrol.c +++ b/tools/tpm2_hierarchycontrol.c @@ -144,10 +144,10 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { return tool_rc_success; } -static tool_rc check_options(ESYS_CONTEXT *ectx) { +static tool_rc check_options(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_P | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_E); if (rc != tool_rc_success) { LOG_ERR("Invalid authorization"); 
@@ -300,12 +300,10 @@ static bool tpm2_tool_onstart(tpm2_options **opts) { static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { - UNUSED(flags); - /* * 1. Process options */ - tool_rc rc = check_options(ectx); + tool_rc rc = check_options(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_hmac.c b/tools/tpm2_hmac.c index c5af8ae34..f7323b476 100644 --- a/tools/tpm2_hmac.c +++ b/tools/tpm2_hmac.c @@ -220,7 +220,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -236,7 +236,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* Object #1 */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.hmac_key.ctx_path, - ctx.hmac_key.auth_str, &ctx.hmac_key.object, false, + ctx.hmac_key.auth_str, &ctx.hmac_key.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { LOG_ERR("Invalid key handle authorization"); @@ -398,7 +398,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c index 480ed89a3..48518315a 100644 --- a/tools/tpm2_import.c +++ b/tools/tpm2_import.c @@ -466,7 +466,7 @@ static tool_rc process_input_tpm_import(void) { return tool_rc_success; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations 
@@ -478,7 +478,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path, - ctx.parent.auth_str, &ctx.parent.object, false, TPM2_HANDLE_ALL_W_NV); + ctx.parent.auth_str, &ctx.parent.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { LOG_ERR("Invalid parent key authorization"); return rc; @@ -695,7 +695,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_load.c b/tools/tpm2_load.c index 0c01ee983..d689ab84a 100644 --- a/tools/tpm2_load.c +++ b/tools/tpm2_load.c @@ -129,7 +129,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { ctx.contextpath, ctx.autoflush); } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -162,7 +162,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * tssprivkey, the parent object is always loaded. */ tool_rc rc = tpm2_util_object_load_auth(ectx, objectstr, auth, - &ctx.parent.object, false, TPM2_HANDLE_ALL_W_NV); + &ctx.parent.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { return rc; } @@ -340,7 +340,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvcertify.c b/tools/tpm2_nvcertify.c index 72e604706..32f9c696e 100644 --- a/tools/tpm2_nvcertify.c +++ b/tools/tpm2_nvcertify.c 
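Review bot: `UNUSED(ectx);` stays as the first statement of process_inputs in tools/tpm2_load.c although the next hunk of the same function passes `ectx` to `tpm2_util_object_load_auth`, so the marker is misleading directly under the signature this commit edits. Dropping that line while the signature is being touched would make the function read correctly. The same leftover is visible in the process_inputs hunks of tpm2_pcrallocate.c, tpm2_policyauthorizenv.c, tpm2_policynv.c, tpm2_policysecret.c, tpm2_quote.c, tpm2_rsadecrypt.c, tpm2_setclock.c and tpm2_setprimarypolicy.c. The bodies of these functions continue outside the hunks.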
@@ -162,7 +162,7 @@ static bool set_signature_format(char *value) { return true; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -185,7 +185,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { */ if (!ctx.is_tcti_none) { rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path, - ctx.signing_key.auth_str, &ctx.signing_key.object, false, + ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { LOG_ERR("Invalid signing key/ authorization."); @@ -213,7 +213,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { tpm2_tpmi_hierarchy_to_esys_tr(ctx.nvindex_authobj.object.handle) : 0; } else { rc = tpm2_util_object_load_auth(ectx, ctx.nvindex_authobj.ctx_path, - ctx.nvindex_authobj.auth_str, &ctx.nvindex_authobj.object, false, + ctx.nvindex_authobj.auth_str, &ctx.nvindex_authobj.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_NV | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); } @@ -556,7 +556,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvdefine.c b/tools/tpm2_nvdefine.c index 7b14b90f6..d38cb920f 100644 --- a/tools/tpm2_nvdefine.c +++ b/tools/tpm2_nvdefine.c @@ -278,7 +278,7 @@ static tool_rc validate_size(ESYS_CONTEXT *ectx) { return tool_rc_success; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations 
@@ -304,7 +304,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { */ rc = (!ctx.is_tcti_none) ? tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P) : tpm2_util_object_load(ectx, ctx.auth_hierarchy.ctx_path, @@ -514,7 +514,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvextend.c b/tools/tpm2_nvextend.c index 3cf14550a..62ecec985 100644 --- a/tools/tpm2_nvextend.c +++ b/tools/tpm2_nvextend.c @@ -100,7 +100,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -131,7 +131,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { tpm2_tpmi_hierarchy_to_esys_tr(ctx.auth_hierarchy.object.handle) : 0; } else { rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_NV | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); } @@ -302,7 +302,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvincrement.c b/tools/tpm2_nvincrement.c index c411fa672..13575f774 100644 --- a/tools/tpm2_nvincrement.c +++ b/tools/tpm2_nvincrement.c 
@@ -96,7 +96,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -133,7 +133,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { tpm2_tpmi_hierarchy_to_esys_tr(ctx.auth_hierarchy.object.handle) : 0; } else { rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_NV | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); } @@ -310,7 +310,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvread.c b/tools/tpm2_nvread.c index d1d855d2c..717391863 100644 --- a/tools/tpm2_nvread.c +++ b/tools/tpm2_nvread.c @@ -119,7 +119,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -156,7 +156,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { tpm2_tpmi_hierarchy_to_esys_tr(ctx.auth_hierarchy.object.handle) : 0; } else { rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_NV | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); } 
@@ -391,7 +391,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvreadlock.c b/tools/tpm2_nvreadlock.c index 387e6f383..d0493f86c 100644 --- a/tools/tpm2_nvreadlock.c +++ b/tools/tpm2_nvreadlock.c @@ -93,7 +93,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -120,7 +120,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { tpm2_tpmi_hierarchy_to_esys_tr(ctx.auth_hierarchy.object.handle) : 0; } else { rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, valid_handles); } @@ -298,7 +298,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvsetbits.c b/tools/tpm2_nvsetbits.c index 841753a5b..ff1340d20 100644 --- a/tools/tpm2_nvsetbits.c +++ b/tools/tpm2_nvsetbits.c @@ -98,7 +98,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return is_file_op_success ? tool_rc_success : tool_rc_general_error; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations 
@@ -131,7 +131,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { tpm2_tpmi_hierarchy_to_esys_tr(ctx.auth_hierarchy.object.handle) : 0; } else { rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_NV | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); } @@ -303,7 +303,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvundefine.c b/tools/tpm2_nvundefine.c index 3e8e77ea3..cfc64ec2c 100644 --- a/tools/tpm2_nvundefine.c +++ b/tools/tpm2_nvundefine.c @@ -112,7 +112,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -139,7 +139,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { tpm2_tpmi_hierarchy_to_esys_tr(ctx.auth_hierarchy.object.handle) : 0; } else { rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, valid_handles); } @@ -433,7 +433,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvwrite.c b/tools/tpm2_nvwrite.c index e29ca8a3f..692fbe08e 100644 --- a/tools/tpm2_nvwrite.c +++ b/tools/tpm2_nvwrite.c 
@@ -63,7 +63,7 @@ static tpm_nvwrite_ctx ctx = { .aux_session_handle[1] = ESYS_TR_NONE, }; -static tool_rc nv_write(ESYS_CONTEXT *ectx) { +static tool_rc nv_write(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { TPM2B_MAX_NV_BUFFER nv_write_data; UINT16 data_offset = 0; @@ -93,7 +93,7 @@ static tool_rc nv_write(ESYS_CONTEXT *ectx) { } rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_NV | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); if (rc != tool_rc_success) { LOG_ERR("Failed updating the auth"); @@ -152,7 +152,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -189,7 +189,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { tpm2_tpmi_hierarchy_to_esys_tr(ctx.auth_hierarchy.object.handle) : 0; } else { rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_NV | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); } @@ -450,7 +450,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } @@ -458,7 +458,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 3. TPM2_CC_ call */ - rc = nv_write(ectx); + rc = nv_write(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_nvwritelock.c b/tools/tpm2_nvwritelock.c index 52be0be14..b2e081f6c 100644 --- a/tools/tpm2_nvwritelock.c +++ b/tools/tpm2_nvwritelock.c 
@@ -101,7 +101,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -138,7 +138,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { tpm2_tpmi_hierarchy_to_esys_tr(ctx.auth_hierarchy.object.handle) : 0; } else { rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, valid_handles); } @@ -334,7 +334,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_pcrallocate.c b/tools/tpm2_pcrallocate.c index 798d43301..29dcbc7b5 100644 --- a/tools/tpm2_pcrallocate.c +++ b/tools/tpm2_pcrallocate.c @@ -92,7 +92,7 @@ static tool_rc process_outputs(ESYS_CONTEXT *ectx) { return tool_rc_success; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -107,7 +107,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_P); if (rc != tool_rc_success) { LOG_ERR("Invalid platform authorization format."); @@ -222,7 +222,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } 
diff --git a/tools/tpm2_policyauthorizenv.c b/tools/tpm2_policyauthorizenv.c index 4f89e45eb..913264350 100644 --- a/tools/tpm2_policyauthorizenv.c +++ b/tools/tpm2_policyauthorizenv.c @@ -77,7 +77,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return tpm2_policy_tool_finish(ectx, ctx.session, ctx.out_policy_dgst_path); } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -92,7 +92,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_NV | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); if (rc != tool_rc_success) { LOG_ERR("Invalid handle authorization"); @@ -220,7 +220,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_policynv.c b/tools/tpm2_policynv.c index 889a2b163..bbe1796b0 100644 --- a/tools/tpm2_policynv.c +++ b/tools/tpm2_policynv.c @@ -83,7 +83,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return tpm2_policy_tool_finish(ectx, ctx.session, ctx.policy_digest_path); } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* 
@@ -98,7 +98,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_NV | TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P); if (rc != tool_rc_success) { LOG_ERR("Invalid handle authorization"); @@ -323,7 +323,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_policysecret.c b/tools/tpm2_policysecret.c index 13a785875..4c51dd96e 100644 --- a/tools/tpm2_policysecret.c +++ b/tools/tpm2_policysecret.c @@ -119,7 +119,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -139,7 +139,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * a password session */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_entity.ctx_path, - ctx.auth_entity.auth_str, &ctx.auth_entity.object, false, + ctx.auth_entity.auth_str, &ctx.auth_entity.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { return rc; @@ -301,7 +301,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_quote.c b/tools/tpm2_quote.c index c0758ff77..55c3ef978 100644 --- a/tools/tpm2_quote.c +++ b/tools/tpm2_quote.c 
@@ -205,7 +205,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return write_output_files(); } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -220,7 +220,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.key.ctx_path, - ctx.key.auth_str, &ctx.key.object, false, TPM2_HANDLE_ALL_W_NV); + ctx.key.auth_str, &ctx.key.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { LOG_ERR("Invalid key authorization"); return rc; @@ -405,7 +405,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_rsadecrypt.c b/tools/tpm2_rsadecrypt.c index 8e2eed6c3..87f82419b 100644 --- a/tools/tpm2_rsadecrypt.c +++ b/tools/tpm2_rsadecrypt.c @@ -88,7 +88,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return is_file_op_success ? tool_rc_success : tool_rc_general_error; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -103,7 +103,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.key.ctx_path, - ctx.key.auth_str, &ctx.key.object, false, + ctx.key.auth_str, &ctx.key.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { return rc; @@ -275,7 +275,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } 
diff --git a/tools/tpm2_setclock.c b/tools/tpm2_setclock.c index d56a23307..62b892bba 100644 --- a/tools/tpm2_setclock.c +++ b/tools/tpm2_setclock.c @@ -72,7 +72,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -87,7 +87,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path, - ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false, + ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_P|TPM2_HANDLE_FLAGS_O); if (rc != tool_rc_success) { return rc; @@ -204,7 +204,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_setcommandauditstatus.c b/tools/tpm2_setcommandauditstatus.c index 223df14d3..77db0744e 100644 --- a/tools/tpm2_setcommandauditstatus.c +++ b/tools/tpm2_setcommandauditstatus.c @@ -98,7 +98,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(flags); tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.hierarchy.ctx_path, - ctx.hierarchy.auth_str , &ctx.hierarchy.object, false, + ctx.hierarchy.auth_str , &ctx.hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_O|TPM2_HANDLE_FLAGS_P); if (rc != tool_rc_success) { return rc; diff --git a/tools/tpm2_setprimarypolicy.c b/tools/tpm2_setprimarypolicy.c index cdabcd9e3..4641d4b66 100644 --- a/tools/tpm2_setprimarypolicy.c +++ b/tools/tpm2_setprimarypolicy.c 
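Review bot: `UNUSED(flags);` is left in tpm2_tool_onrun of tools/tpm2_setcommandauditstatus.c while the changed line right below it now reads `flags.restricted_pwd_session`, so the marker contradicts the code. The tpm2_hierarchycontrol.c and tpm2_sign.c hunks in this commit remove the same statement when they start using `flags`; do the same here by deleting `UNUSED(flags);`. The rest of tpm2_tool_onrun lies outside the hunk.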
@@ -75,7 +75,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(ectx); /* @@ -90,7 +90,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.hierarchy.ctx_path, - ctx.hierarchy.auth_str, &ctx.hierarchy.object, false, + ctx.hierarchy.auth_str, &ctx.hierarchy.object, flags.restricted_pwd_session, TPM2_HANDLE_FLAGS_O|TPM2_HANDLE_FLAGS_P|TPM2_HANDLE_FLAGS_E| TPM2_HANDLE_FLAGS_L); if (rc != tool_rc_success) { @@ -232,7 +232,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_sign.c b/tools/tpm2_sign.c index 77d7c2a8b..cd874e9ec 100644 --- a/tools/tpm2_sign.c +++ b/tools/tpm2_sign.c @@ -210,10 +210,10 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { return rc; } -static tool_rc check_options(ESYS_CONTEXT *ectx) { +static tool_rc check_options(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path, - ctx.signing_key.auth_str, &ctx.signing_key.object, false, + ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV); if (rc != tool_rc_success) { LOG_ERR("Invalid key authorization"); @@ -367,12 +367,10 @@ static bool tpm2_tool_onstart(tpm2_options **opts) { static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { - UNUSED(flags); - /* * 1. Process options */ - tool_rc rc = check_options(ectx); + tool_rc rc = check_options(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_unseal.c b/tools/tpm2_unseal.c index 0029341cb..1ae0157c3 100644 --- a/tools/tpm2_unseal.c 
+++ b/tools/tpm2_unseal.c @@ -107,7 +107,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) { return is_file_op_success ? tool_rc_success : tool_rc_general_error; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 1. Object and auth initializations @@ -121,7 +121,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.sealkey.ctx_path, - ctx.sealkey.auth_str, &ctx.sealkey.object, false, + ctx.sealkey.auth_str, &ctx.sealkey.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT | TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { LOG_ERR("Invalid item handle authorization"); @@ -245,7 +245,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { /* * 2. Process inputs */ - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; } diff --git a/tools/tpm2_zgen2phase.c b/tools/tpm2_zgen2phase.c index 44df59ff5..cc476fc49 100644 --- a/tools/tpm2_zgen2phase.c +++ b/tools/tpm2_zgen2phase.c @@ -130,10 +130,10 @@ static tool_rc check_options(void) { return tool_rc_success; } -static tool_rc process_inputs(ESYS_CONTEXT *ectx) { +static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.ecc_key.ctx_path, - ctx.ecc_key.auth_str, &ctx.ecc_key.object, false, + ctx.ecc_key.auth_str, &ctx.ecc_key.object, flags.restricted_pwd_session, TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { return rc; @@ -183,7 +183,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { } // Process inputs - rc = process_inputs(ectx); + rc = process_inputs(ectx, flags); if (rc != tool_rc_success) { return rc; }