|
 |
9ec757 |
From 3d3808c3eb02c27f1b114baddd03960892044909 Mon Sep 17 00:00:00 2001
|
|
|
9ec757 |
From: Tadeusz Struk <tadeusz.struk@intel.com>
|
|
|
9ec757 |
Date: Mon, 2 Mar 2020 14:45:52 -0800
|
|
|
9ec757 |
Subject: [PATCH] esys: fix hmac calculation for tpm2_clear command
|
|
|
9ec757 |
|
|
|
9ec757 |
After tpm2_clear command is executed it sets all ownerAuth,
|
|
|
9ec757 |
endorsementAuth, and lockoutAuth to the Empty Buffer and then
|
|
|
9ec757 |
this is used for a response auth calculation.
|
|
|
9ec757 |
This requires to recalculate the esys session auth value after
|
|
|
9ec757 |
tpm2_clear is executed or the calculated response HMAC value
|
|
|
9ec757 |
will be invalid and the command will fail with
|
|
|
9ec757 |
err: 0x0007001b "Authorizing the TPM response failed"
|
|
|
9ec757 |
|
|
|
9ec757 |
Fixes: #1641
|
|
|
9ec757 |
|
|
|
9ec757 |
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
|
|
|
9ec757 |
---
|
|
|
9ec757 |
src/tss2-esys/api/Esys_Clear.c | 5 +++++
|
|
|
9ec757 |
1 file changed, 5 insertions(+)
|
|
|
9ec757 |
|
|
|
9ec757 |
diff --git a/src/tss2-esys/api/Esys_Clear.c b/src/tss2-esys/api/Esys_Clear.c
|
|
|
9ec757 |
index f5c0b827425a..0f43f7e9b85f 100644
|
|
|
9ec757 |
--- a/src/tss2-esys/api/Esys_Clear.c
|
|
|
9ec757 |
+++ b/src/tss2-esys/api/Esys_Clear.c
|
|
|
9ec757 |
@@ -199,6 +199,11 @@ Esys_Clear_Async(
|
|
|
9ec757 |
return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
|
|
|
9ec757 |
"Finish (Execute Async)");
|
|
|
9ec757 |
|
|
|
9ec757 |
+ /* If the command authorization is LOCKOUT we need to
|
|
|
9ec757 |
+ * recompute session value with an empty auth */
|
|
|
9ec757 |
+ if (authHandle == ESYS_TR_RH_LOCKOUT)
|
|
|
9ec757 |
+ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL);
|
|
|
9ec757 |
+
|
|
|
9ec757 |
esysContext->state = _ESYS_STATE_SENT;
|
|
|
9ec757 |
|
|
|
9ec757 |
return r;
|
|
|
9ec757 |
--
|
|
|
9ec757 |
2.30.1
|
|
|
9ec757 |
|