Add pcrauth status

Makefile.am

@@ -203,7 +203,8 @@ tpm2_tools = \
     tools/tpm2_ecdhzgen.c \
     tools/tpm2_zgen2phase.c \
     tools/tpm2_sessionconfig.c \
-    tools/tpm2_getpolicydigest.c
+    tools/tpm2_getpolicydigest.c \
+    tools/tpm2_pcrsetauthvalue.c
 
 # Create the symlinks for each tool to the tpm2 and optional tss2 bundled executables
 install-exec-hook:

lib/pcr.c

@@ -426,6 +426,25 @@ bool pcr_print_pcr_struct(TPML_PCR_SELECTION *pcr_select, tpm2_pcrs *pcrs) {
     return pcr_print_values(pcr_select, pcrs);
 }
 
+void pcr_print_taggedpcr_selections(TPML_TAGGED_PCR_PROPERTY *pcrProperties) {
+
+    tpm2_tool_output("  - PCR-Handles: [");
+    /* Iterate through the PCRs of the bank */
+    bool first = true;
+    unsigned j;
+    for (j = 0; j < pcrProperties->pcrProperty->sizeofSelect * 8; j++) {
+        if ((pcrProperties->pcrProperty->pcrSelect[j / 8] & 1 << (j % 8)) != 0) {
+            if (first) {
+                tpm2_tool_output(" %i", j);
+                first = false;
+            } else {
+                tpm2_tool_output(", %i", j);
+            }
+        }
+    }
+    tpm2_tool_output(" ]\n");
+}
+
 bool pcr_print_pcr_selections(TPML_PCR_SELECTION *pcr_selections) {
     tpm2_tool_output("selected-pcrs:\n");
 

lib/pcr.h

@@ -44,6 +44,15 @@ typedef struct tpm2_forwards {
  */
 bool pcr_print_pcr_struct(TPML_PCR_SELECTION *pcrSelect, tpm2_pcrs *pcrs);
 
+/**
+ * Echo out all the PCR indices that satisy a PCR property
+ * @param pcrProperties
+ *  Description of the selected pcr properties
+ * @return
+ *  None
+ */
+void pcr_print_taggedpcr_selections(TPML_TAGGED_PCR_PROPERTY *pcrProperties);
+
 /**
  * Echo out all PCR banks according to g_pcrSelection & g_pcrs->.
  * Assume that data structures are all little endian.

lib/tpm2.c

@@ -5842,6 +5842,28 @@ tool_rc tpm2_zgen2phase(ESYS_CONTEXT *esys_context,
         return tool_rc_success;
 }
 
+tool_rc tpm2_pcr_setauthvalue(ESYS_CONTEXT *esys_context,
+    tpm2_loaded_object *pcrindex_auth_obj, const TPM2B_AUTH *pcrindex_newauth) {
+
+    ESYS_TR shandle1 = ESYS_TR_NONE;
+    tool_rc rc = tpm2_auth_util_get_shandle(esys_context,
+        pcrindex_auth_obj->tr_handle, pcrindex_auth_obj->session, &shandle1);
+    if (rc != tool_rc_success) {
+        LOG_ERR("Failed to get shandle");
+        return rc;
+    }
+
+    TSS2_RC rval = Esys_PCR_SetAuthValue(esys_context,
+        pcrindex_auth_obj->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE,
+        pcrindex_newauth);
+    if (rval != TPM2_RC_SUCCESS) {
+        LOG_PERR(Esys_PCR_SetAuthValue, rval);
+        return tool_rc_from_tpm(rval);
+    }
+
+    return rc;
+}
+
 tool_rc tpm2_getsapicontext(ESYS_CONTEXT *esys_context,
     TSS2_SYS_CONTEXT **sys_context) {
 

lib/tpm2.h

@@ -552,6 +552,9 @@ tool_rc tpm2_zgen2phase(ESYS_CONTEXT *esys_context,
     TPM2B_ECC_POINT *Q2, TPM2B_ECC_POINT **Z1, TPM2B_ECC_POINT **Z2,
     TPMI_ECC_KEY_EXCHANGE keyexchange_scheme, UINT16 commit_counter);
 
+tool_rc tpm2_pcr_setauthvalue(ESYS_CONTEXT *esys_context,
+    tpm2_loaded_object *pcrindex_auth_obj, const TPM2B_AUTH *pcrindex_newauth);
+
 tool_rc tpm2_getsapicontext(ESYS_CONTEXT *esys_context,
     TSS2_SYS_CONTEXT **sys_context);
 

lib/tpm2_util.c

@@ -614,6 +614,77 @@ ESYS_TR tpm2_tpmi_hierarchy_to_esys_tr(TPMI_RH_PROVISION inh) {
     return ESYS_TR_NONE;
 }
 
+ESYS_TR tpm2_sys_pcrhandle_to_esys_tr(TPMI_DH_PCR sys_pcrhandle) {
+
+    switch (sys_pcrhandle) {
+    case 0:
+        return ESYS_TR_PCR0;
+    case 1:
+        return ESYS_TR_PCR1;
+    case 2:
+        return ESYS_TR_PCR2;
+    case 3:
+        return ESYS_TR_PCR3;
+    case 4:
+        return ESYS_TR_PCR4;
+    case 5:
+        return ESYS_TR_PCR5;
+    case 6:
+        return ESYS_TR_PCR6;
+    case 7:
+        return ESYS_TR_PCR7;
+    case 8:
+        return ESYS_TR_PCR8;
+    case 9:
+        return ESYS_TR_PCR9;
+    case 10:
+        return ESYS_TR_PCR10;
+    case 11:
+        return ESYS_TR_PCR11;
+    case 12:
+        return ESYS_TR_PCR12;
+    case 13:
+        return ESYS_TR_PCR13;
+    case 14:
+        return ESYS_TR_PCR14;
+    case 15:
+        return ESYS_TR_PCR15;
+    case 16:
+        return ESYS_TR_PCR16;
+    case 17:
+        return ESYS_TR_PCR17;
+    case 18:
+        return ESYS_TR_PCR18;
+    case 19:
+        return ESYS_TR_PCR19;
+    case 20:
+        return ESYS_TR_PCR20;
+    case 21:
+        return ESYS_TR_PCR21;
+    case 22:
+        return ESYS_TR_PCR22;
+    case 23:
+        return ESYS_TR_PCR23;
+    case 24:
+        return ESYS_TR_PCR24;
+    case 25:
+        return ESYS_TR_PCR25;
+    case 26:
+        return ESYS_TR_PCR26;
+    case 27:
+        return ESYS_TR_PCR27;
+    case 28:
+        return ESYS_TR_PCR28;
+    case 29:
+        return ESYS_TR_PCR29;
+    case 30:
+        return ESYS_TR_PCR30;
+    case 31:
+        return ESYS_TR_PCR31;
+    }
+    return ESYS_TR_NONE;
+}
+
 tool_rc tpm2_util_sys_handle_to_esys_handle(ESYS_CONTEXT *context,
         TPM2_HANDLE sys_handle, ESYS_TR *esys_handle) {
 
@@ -623,6 +694,12 @@ tool_rc tpm2_util_sys_handle_to_esys_handle(ESYS_CONTEXT *context,
         return tool_rc_success;
     }
 
+    h = tpm2_sys_pcrhandle_to_esys_tr(sys_handle);
+    if (h != ESYS_TR_NONE) {
+        *esys_handle = h;
+        return tool_rc_success;
+    }
+
     return tpm2_from_tpm_public(context, sys_handle, ESYS_TR_NONE, ESYS_TR_NONE,
             ESYS_TR_NONE, esys_handle);
 }

man/tpm2_getcap.1.md

@@ -53,6 +53,9 @@ argument to the tool. Currently supported capability groups are:
 - **handles-saved-session**:
   Display handles about saved sessions.
 
+- **pcrhandles-with-auth**:
+  Display PCR handles that are in the authorization set.
+
 - **vendor[:num]**:
   Displays the vendor properties as a hex buffer output. The string "vendor"
   can be suffixed with a colon followed by a number as understood by strtoul(3)

man/tpm2_pcrsetauthvalue.1.md

@@ -0,0 +1,56 @@
+% tpm2_pcrsetauthvalue(1) tpm2-tools | General Commands Manual
+
+# NAME
+
+**tpm2_pcrsetauthvalue**(1) - Add or change the authvalue of a PCR handle which
+is in the authorization set.
+
+# SYNOPSIS
+
+**tpm2_pcrsetauthvalue** [*OPTIONS*] [*ARGUMENT*]
+
+# DESCRIPTION
+
+**tpm2_pcrsetauthvalue**(1) - Add or change the authvalue of a PCR handle which
+is in the authorization set. Only those PCR handles which are in the
+authorization set can be specified. To retrieve which specific PCR handles in a
+given TPM implementation are in the authorization set, run **tpm2_getcap** with
+option **pcrhandles-with-auth**.
+
+# OPTIONS
+
+  * **-P**, **\--auth**=_AUTH_:
+
+    Specifies the existing authorization value for the PCR handle.
+
+  * **-p**, **\--newauth**=_AUTH_:
+
+    Specifies the new authorization value to be set for the PCR handle.
+
+  * **ARGUMENT** the command line argument specifies the PCR handle.
+
+## References
+
+[context object format](common/ctxobj.md) details the methods for specifying
+_OBJECT_.
+
+[authorization formatting](common/authorizations.md) details the methods for
+specifying _AUTH_.
+
+[common options](common/options.md) collection of common options that provide
+information many users may expect.
+
+[common tcti options](common/tcti.md) collection of options used to configure
+the various known TCTI modules.
+
+# EXAMPLES
+
+## Change authvalue of the PCR handle 20
+
+```bash
+tpm2_pcrsetauthvalue -p newauthvalue 0x00000014
+```
+
+[returns](common/returns.md)
+
+[footer](common/footer.md)

tools/tpm2_getcap.c

@@ -123,6 +123,12 @@ capability_map_entry_t capability_map[] = {
         .property          = TPM2_ACTIVE_SESSION_FIRST,
         .count             = TPM2_MAX_CAP_HANDLES,
     },
+    {
+        .capability_string = "pcrhandles-with-auth",
+        .capability        = TPM2_CAP_PCR_PROPERTIES,
+        .property          = TPM2_PT_PCR_AUTH,
+        .count             = TPM2_MAX_PCR_PROPERTIES,
+    },
 #if defined(ESYS_4_0)
     {
         .capability_string = "vendor",
@@ -812,6 +818,12 @@ static bool dump_tpm_capability(TPMU_CAPABILITIES *capabilities) {
     case TPM2_CAP_PCRS:
         pcr_print_pcr_selections(&capabilities->assignedPCR);
         break;
+    case TPM2_CAP_PCR_PROPERTIES:
+        if(options.property == TPM2_PT_PCR_AUTH) {
+            tpm2_tool_output("TPM2_PT_PCR_AUTH:\n");
+            pcr_print_taggedpcr_selections(&capabilities->pcrProperties);
+        }
+        break;
 #if defined(ESYS_4_0)
     case TPM2_CAP_VENDOR_PROPERTY: {