|
 |
2b9cfb |
From 3d3808c3eb02c27f1b114baddd03960892044909 Mon Sep 17 00:00:00 2001
|
|
|
2b9cfb |
From: Tadeusz Struk <tadeusz.struk@intel.com>
|
|
|
2b9cfb |
Date: Mon, 2 Mar 2020 14:45:52 -0800
|
|
|
2b9cfb |
Subject: [PATCH] esys: fix hmac calculation for tpm2_clear command
|
|
|
2b9cfb |
|
|
|
2b9cfb |
After tpm2_clear command is executed it sets all ownerAuth,
|
|
|
2b9cfb |
endorsementAuth, and lockoutAuth to the Empty Buffer and then
|
|
|
2b9cfb |
this is used for a response auth calculation.
|
|
|
2b9cfb |
This requires to recalculate the esys session auth value after
|
|
|
2b9cfb |
tpm2_clear is executed or the calculated response HMAC value
|
|
|
2b9cfb |
will be invalid and the command will fail with
|
|
|
2b9cfb |
err: 0x0007001b "Authorizing the TPM response failed"
|
|
|
2b9cfb |
|
|
|
2b9cfb |
Fixes: #1641
|
|
|
2b9cfb |
|
|
|
2b9cfb |
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
|
|
|
2b9cfb |
---
|
|
|
2b9cfb |
src/tss2-esys/api/Esys_Clear.c | 5 +++++
|
|
|
2b9cfb |
1 file changed, 5 insertions(+)
|
|
|
2b9cfb |
|
|
|
2b9cfb |
diff --git a/src/tss2-esys/api/Esys_Clear.c b/src/tss2-esys/api/Esys_Clear.c
|
|
|
2b9cfb |
index f5c0b827425a..0f43f7e9b85f 100644
|
|
|
2b9cfb |
--- a/src/tss2-esys/api/Esys_Clear.c
|
|
|
2b9cfb |
+++ b/src/tss2-esys/api/Esys_Clear.c
|
|
|
2b9cfb |
@@ -199,6 +199,11 @@ Esys_Clear_Async(
|
|
|
2b9cfb |
return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
|
|
|
2b9cfb |
"Finish (Execute Async)");
|
|
|
2b9cfb |
|
|
|
2b9cfb |
+ /* If the command authorization is LOCKOUT we need to
|
|
|
2b9cfb |
+ * recompute session value with an empty auth */
|
|
|
2b9cfb |
+ if (authHandle == ESYS_TR_RH_LOCKOUT)
|
|
|
2b9cfb |
+ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL);
|
|
|
2b9cfb |
+
|
|
|
2b9cfb |
esysContext->state = _ESYS_STATE_SENT;
|
|
|
2b9cfb |
|
|
|
2b9cfb |
return r;
|
|
|
2b9cfb |
--
|
|
|
2b9cfb |
2.30.1
|
|
|
2b9cfb |
|