Hello,
I am trying to protect an NV Index against being overwritten or deleted, by means of policies. While I managed to do the first, the latter is giving some problems.
I believe something on this topic has already been discussed as part of #3341, but the issue has since been closed without a clear indication.
In particular, creating the index with the following command works as expected:
tpm2_nvdefine -C o -s 32 -a "policywrite|ownerread|ownerwrite|authread|authwrite" -L policy_digest.bin -p mypassword 0x1800000
nv-index: 0x1800000
There is a need to open a policyAuthValue session and provide the password "mypassword" in order to write to the index.
However, running the same command with the addition of the policydelete attribute terminates in error:
tpm2_nvdefine -C o -s 32 -a "policydelete|policywrite|ownerread|ownerwrite|authread|authwrite" -L policy_digest.bin -p mypassword 0x1800000
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:345:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:121:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x000002c2)
ERROR: Failed to define NV area at index 0x1800000
ERROR: Esys_NV_DefineSpace(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Failed to create NV index 0x1800000.
ERROR: Unable to run tpm2_nvdefine
This appears to be in line with TCG's TPM 2.0 specifications (Part 3: Commands, 31.3 TPM2_NV_DefineSpace):
"If TPMA_NV_POLICY_DELETE is SET, then the authorization shall be with Platform Authorization or the TPM shall return TPM_RC_ATTRIBUTES."
Does this mean that the attribute policydelete can only be specified with Platform Hierarchy?
Trying to run the command using Platform Authorisation also terminates in error (same message, different error code?):
tpm2_nvdefine -C p -s 32 -a "policydelete|policywrite|ownerread|ownerwrite|authread|authwrite" -L policy_digest.bin -p mypassword 0x1800000
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:345:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:121:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x00000182)
ERROR: Failed to define NV area at index 0x1800000
ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes
ERROR: Failed to create NV index 0x1800000.
ERROR: Unable to run tpm2_nvdefine
Are there perhaps some additional steps I am missing, or am I using the wrong attributes?
Any help or clarification would be extremely appreciated, thanks!
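As an added example, not code from the issue or from tpm2-tools' own documentation, here is the complete define/write/delete flow that TPMA_NV_POLICY_DELETE implies. It assumes, from Part 3 of the TPM 2.0 specification, that defining under -C p also requires the platformcreate attribute (consistent with the handle(1) error above), that deletion goes through TPM2_NV_UndefineSpaceSpecial whose policy must contain TPM2_PolicyCommandCode for that command, and that the platform auth is empty; the scratch directory and the "hello" payload are constructed.

```shell
# Added example, not from the issue: an NV index writable only with its authValue and
# deletable only via TPM2_NV_UndefineSpaceSpecial under Platform Authorization.
# Assumes tpm2-tools 5.x, a TPM (or swtpm via TPM2TOOLS_TCTI) and empty platform auth.
set -eu
INDEX=0x1800000; AUTH=mypassword      # values from the issue
W=${W:-./nvpolicy}                    # constructed scratch directory
OR="sha256:$W/write.dig,$W/del.dig"   # the two PolicyOR branches
# Defining with -C p also needs TPMA_NV_PLATFORMCREATE, otherwise the TPM returns the
# handle(1) "inconsistent attributes" error from the issue.
nv_attrs() {
  case "$1" in
    p) echo "platformcreate|policydelete|policywrite|ownerread|ownerwrite|authread|authwrite" ;;
    *) return 1 ;;   # policydelete is not allowed with the owner hierarchy
  esac
}

# Run one policy command in a trial session to obtain its digest, then flush the session.
trial() { c=$1; shift; tpm2_startauthsession -S "$W/t.ctx" && "$c" -S "$W/t.ctx" "$@" && tpm2_flushcontext "$W/t.ctx"; }

# Branch A (PolicyAuthValue) gates writes; branch B (PolicyCommandCode) gates deletion.
build_policy() {
  mkdir -p "$W"
  trial tpm2_policyauthvalue -L "$W/write.dig"
  trial tpm2_policycommandcode -L "$W/del.dig" TPM2_CC_NV_UndefineSpaceSpecial
  trial tpm2_policyor -L "$W/or.dig" -l "$OR"
}
define_index() { tpm2_nvdefine -C p -s 32 -a "$(nv_attrs p)" -L "$W/or.dig" -p "$AUTH" "$INDEX"; }

# Writing: satisfy branch A in a real policy session, then PolicyOR over both digests.
write_index() {
  tpm2_startauthsession --policy-session -S "$W/s.ctx"
  tpm2_policyauthvalue -S "$W/s.ctx"
  tpm2_policyor -S "$W/s.ctx" -l "$OR"
  printf 'hello' | tpm2_nvwrite -C "$INDEX" -P "session:$W/s.ctx+$AUTH" -i - "$INDEX"
  tpm2_flushcontext "$W/s.ctx"
}

# Deleting: satisfy branch B; with -S, tpm2_nvundefine issues NV_UndefineSpaceSpecial.
delete_index() {
  tpm2_startauthsession --policy-session -S "$W/s.ctx"
  tpm2_policycommandcode -S "$W/s.ctx" TPM2_CC_NV_UndefineSpaceSpecial
  tpm2_policyor -S "$W/s.ctx" -l "$OR"
  tpm2_nvundefine -C p -S "$W/s.ctx" "$INDEX"
  tpm2_flushcontext "$W/s.ctx"
}
# Only touch the TPM where tpm2-tools are installed.
if command -v tpm2_nvdefine >/dev/null 2>&1; then
  build_policy && define_index && write_index && delete_index
fi
```

Because the write branch and the delete branch are separate PolicyOR alternatives, a password holder can still write but cannot delete without the platform hierarchy, and the index cannot be removed with a plain TPM2_NV_UndefineSpace at all.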