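--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/canonical/go-kbkdf v0.0.0-20250104172618-3b1308f9acf9
 github.com/canonical/go-password-validator v0.0.0-20250617132709-1b205303ca54
 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3
-github.com/canonical/go-tpm2 v1.15.0
+github.com/canonical/go-tpm2 v1.16.0
 github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981
 github.com/jessevdk/go-flags v1.5.0
 github.com/snapcore/snapd v0.0.0-20220714152900-4a1f4c93fc85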
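--- a/go.sum
+++ b/go.sum
@@ -21,6 +21,8 @@ github.com/canonical/go-tpm2 v1.13.0 h1:Ka9VmUVwoz9pJef5JXP6Gd4CIhxFE70X26K8x3Le
 github.com/canonical/go-tpm2 v1.13.0/go.mod h1:P50xMwC7y5/uxPikzWdK4d9pW9orKi8+ZL5sBifxoBQ=
 github.com/canonical/go-tpm2 v1.15.0 h1:T4dVCO8qCs76vDDs4vWNpvPdh7UHuSORPH4Scq7N2gw=
 github.com/canonical/go-tpm2 v1.15.0/go.mod h1:P50xMwC7y5/uxPikzWdK4d9pW9orKi8+ZL5sBifxoBQ=
+github.com/canonical/go-tpm2 v1.16.0 h1:AX+hpmdPgR8i3VFe3DVgKO46S5EpnumKP0yS5ND/Tz8=
+github.com/canonical/go-tpm2 v1.16.0/go.mod h1:P50xMwC7y5/uxPikzWdK4d9pW9orKi8+ZL5sBifxoBQ=
 github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2/go.mod h1:QoW2apR2tBl6T/4czdND/EHjL1Ia9cCmQnIj9Xe0Kt8=
 github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 h1:vrUzSfbhl8mzdXPzjxq4jXZPCCNLv18jy6S7aVTS2tI=
 github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981/go.mod h1:ywdPBqUGkuuiitPpVWCfilf2/gq+frhq4CNiNs9KyHU=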
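--- a/internal/compattest/v0_test.go
+++ b/internal/compattest/v0_test.go
@@ -62,7 +62,7 @@ func (s *compatTestV0Suite) TestUnseal2(c *C) {
 
 func (s *compatTestV0Suite) TestUnsealAfterReprovision(c *C) {
 // Test that reprovisioning doesn't touch the legacy lock NV index if it is valid
-c.Assert(s.TPM().EnsureProvisioned(secboot_tpm2.ProvisionWithoutLockout()), IsNil)
+c.Assert(s.TPM().EnsureProvisioned(), IsNil)
 s.testUnseal(c, s.absPath("pcrSequence.1"))
 }
 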
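--- a/internal/compattest/v1_test.go
+++ b/internal/compattest/v1_test.go
@@ -51,7 +51,7 @@ func (s *compatTestV1Suite) TestUnseal2(c *C) {
 
 func (s *compatTestV1Suite) TestUnsealAfterReprovision(c *C) {
 // This should still work because the primary key doesn't change.
-c.Assert(s.TPM().EnsureProvisioned(secboot_tpm2.ProvisionWithoutLockout()), IsNil)
+c.Assert(s.TPM().EnsureProvisioned(), IsNil)
 s.testUnseal(c, s.absPath("pcrSequence.1"))
 }
 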
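--- a/tpm2/export_test.go
+++ b/tpm2/export_test.go
@@ -150,16 +150,21 @@ func NewPcrPolicyData_v3(v2 *PcrPolicyData_v2) *PcrPolicyData_v3 {
 
 type PlatformKeyDataHandler = platformKeyDataHandler
 
+// TODO: Remove this and ProvisionMode.Option in favour of just updating the tests
+// to use the correct options instead.
 type ProvisionMode = provisionMode
 
-func (m ProvisionMode) Option() EnsureProvisionedOption {
+func (m ProvisionMode) Option(lockoutAuthValue []byte) EnsureProvisionedOption {
 switch m {
 case provisionModeWithoutLockout:
-return ProvisionWithoutLockout()
+return func(_ *ensureProvisionedParams) {}
 case provisionModeClear:
-return WithClearBeforeProvision()
+return func(p *ensureProvisionedParams) {
+WithLockoutAuthValue(lockoutAuthValue)(p)
+WithClearBeforeProvision()(p)
+}
 default:
-return func(_ *ensureProvisionedParams) {}
+return WithLockoutAuthValue(lockoutAuthValue)
 }
 }
 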
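Review bot: `Option` now maps each test-only mode to a different combination of provisioning options, and the mapping is not obvious from the names (`provisionModeWithoutLockout` yields a no-op, the default applies `WithLockoutAuthValue` alone, `provisionModeClear` applies it and then `WithClearBeforeProvision`), so it deserves a doc comment on the method even though the TODO above says the shim is temporary. Something like `// Option converts m into the EnsureProvisionedOption the tests historically expressed with this mode: no option for provisionModeWithoutLockout, WithLockoutAuthValue(lockoutAuthValue) for the default, and WithLockoutAuthValue followed by WithClearBeforeProvision for provisionModeClear.` would do. Whether `WithLockoutAuthValue` tolerates a nil `lockoutAuthValue` is not visible here; if it does not, the comment should say the default and clear cases require a non-empty value.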
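--- a/tpm2/key_sealer_test.go
+++ b/tpm2/key_sealer_test.go
@@ -50,7 +50,7 @@ func (s *sealedObjectKeySealerSuite) SetUpSuite(c *C) {
 func (s *sealedObjectKeySealerSuite) SetUpTest(c *C) {
 s.TPMTest.SetUpTest(c)
 
-c.Assert(s.TPM().EnsureProvisioned(ProvisionWithoutLockout()),
+c.Assert(s.TPM().EnsureProvisioned(),
 testutil.InSlice(Equals), []error{ErrTPMProvisioningRequiresLockout, nil})
 }
 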
60 changes: 46 additions & 14 deletions tpm2/lockoutauth.go
Expand Up @@ -115,46 +115,78 @@ func (p *lockoutAuthParams) UnmarshalJSON(data []byte) error {
return nil
}

func (t *Connection) resetDictionaryAttackLockImpl(params *lockoutAuthParams) error {
if len(params.NewAuthValue) > 0 || params.NewAuthPolicy != nil {
return errors.New("lockout hierarchy auth value change not supported yet")
// authorizeLockout authorizes the use of the lockout hierarchy using the supplied parameters for the
// specified command code. On success, a session is returned that can be used to authorize the specified
// command. The session is either a newly created policy session or the HMAC session returned from
// Connection.HmacSession.
//
// After using the authorization, the caller must execute the returned callback.
func (t *Connection) authorizeLockout(authParams *lockoutAuthParams, command tpm2.CommandCode) (session tpm2.SessionContext, lockoutAuthSet bool, done func(), err error) {
this probably needs a doc comment now to explain what done is for

if len(authParams.NewAuthValue) > 0 || authParams.NewAuthPolicy != nil {
return nil, false, nil, errors.New("lockout hierarchy auth value change not supported yet")
}

var authValue []byte

val, err := t.GetCapabilityTPMProperty(tpm2.PropertyPermanent)
if err != nil {
return fmt.Errorf("cannot obtain value of TPM_PT_PERMANENT: %w", err)
return nil, false, nil, fmt.Errorf("cannot obtain value of TPM_PT_PERMANENT: %w", err)
}
lockoutAuthSet := tpm2.PermanentAttributes(val)&tpm2.AttrLockoutAuthSet > 0
lockoutAuthSet = tpm2.PermanentAttributes(val)&tpm2.AttrLockoutAuthSet > 0
if lockoutAuthSet {
authValue = params.AuthValue
authValue = authParams.AuthValue
}

var session tpm2.SessionContext
switch {
case params.AuthPolicy == nil:
case authParams.AuthPolicy == nil:
session = t.HmacSession()
default:
session, err = t.StartAuthSession(nil, nil, tpm2.SessionTypePolicy, nil, defaultSessionHashAlgorithm)
if err != nil {
return fmt.Errorf("cannot start policy session: %w", err)
return nil, false, nil, fmt.Errorf("cannot start policy session: %w", err)
}
defer t.FlushContext(session)
sessionInternal := session
defer func() {
if err == nil {
return
}
t.FlushContext(sessionInternal)
we flush only on error now, does this need a comment?

The session needs to live past the end of the function, so it returns a callback to flush the session in the non-error case.

}()

// Execute policy session, constraining the use to the TPM2_DictionaryAttackLockReset command so
// that the correct branch executes.
_, err := params.AuthPolicy.Execute(
_, err := authParams.AuthPolicy.Execute(
policyutil.NewPolicyExecuteSession(t.TPMContext, session),
policyutil.WithSessionUsageCommandConstraint(tpm2.CommandDictionaryAttackLockReset, []policyutil.NamedHandle{t.LockoutHandleContext()}),
policyutil.WithSessionUsageCommandCodeConstraint(command),
)
if err != nil {
return ErrInvalidLockoutAuthPolicy
return nil, false, nil, ErrInvalidLockoutAuthPolicy
}
}

origAuthValue := t.LockoutHandleContext().AuthValue()
t.LockoutHandleContext().SetAuthValue(authValue)
defer t.LockoutHandleContext().SetAuthValue(nil)
defer func() {
if err == nil {
return
}
t.LockoutHandleContext().SetAuthValue(origAuthValue)
}()

return session, lockoutAuthSet, func() {
if authParams.AuthPolicy != nil {
t.FlushContext(session)
this is the positive case flush now?

It is.

}
t.LockoutHandleContext().SetAuthValue(origAuthValue)
}, nil
}

func (t *Connection) resetDictionaryAttackLockImpl(params *lockoutAuthParams) error {
session, lockoutAuthSet, done, err := t.authorizeLockout(params, tpm2.CommandDictionaryAttackLockReset)
if err != nil {
return err
}
defer done()

switch err := t.DictionaryAttackLockReset(t.LockoutHandleContext(), session); {
case isAuthFailError(err, tpm2.CommandDictionaryAttackLockReset, 1):
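Review bot: `_, err := authParams.AuthPolicy.Execute(` inside the `default:` case declares a new `err` that shadows the named result, so the `err == nil` checks in the deferred closures never observe it directly; the cleanup only fires because the explicit `return nil, false, nil, ErrInvalidLockoutAuthPolicy` assigns the named result first. Writing it as `_, err = authParams.AuthPolicy.Execute(` removes that dependency and keeps `go vet`'s shadow check quiet. The deferred restore of `origAuthValue` is registered after the last error return in `authorizeLockout`, so its `err != nil` branch is unreachable as written; either drop it or register it before `t.LockoutHandleContext().SetAuthValue(authValue)` so that a later error return between the two is covered. The session usage constraint also changes from the old command-plus-handle form to `policyutil.WithSessionUsageCommandCodeConstraint(command)` alone; if that is intended, a short comment saying branch selection is now by command code only (the handle being fixed by the caller) would stop the next reader from taking it for an accidental loosening. `resetDictionaryAttackLockImpl` continues past the end of the hunk.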
38 changes: 27 additions & 11 deletions tpm2/lockoutauth_test.go
Expand Up @@ -56,6 +56,12 @@ func (*lockoutauthSuiteMixin) newDefaultLockoutAuthPolicy(c *C, alg tpm2.HashAlg
n.AddBranch("", func(b *policyutil.PolicyBuilderBranch) {
b.PolicyCommandCode(tpm2.CommandClear)
})

// XXX: This is here temporarily to make provisioningSuite.TestProvisionWithLockoutAuthData
// pass and will be removed in the next PR.
n.AddBranch("", func(b *policyutil.PolicyBuilderBranch) {
b.PolicyCommandCode(tpm2.CommandHierarchyChangeAuth)
})
})
b.PolicyAuthValue()
})
Expand Down Expand Up @@ -103,6 +109,20 @@ func (*lockoutauthSuiteMixin) newRotateAuthValueLockoutAuthPolicy(c *C, alg tpm2
return digest, policy
}

func (*lockoutauthSuiteMixin) makeLockoutAuthData(c *C, params *LockoutAuthParams) []byte {
data, err := json.Marshal(params)
c.Assert(err, IsNil)
return data
}

func (m *lockoutauthSuiteMixin) makeDefaultLockoutAuthData(c *C, alg tpm2.HashAlgorithmId, val []byte) (tpm2.Digest, []byte) {
digest, policy := m.newDefaultLockoutAuthPolicy(c, alg)
return digest, m.makeLockoutAuthData(c, &LockoutAuthParams{
AuthValue: val,
AuthPolicy: policy,
})
}

type lockoutauthSuiteNoTPM struct {
lockoutauthSuiteMixin
}
Expand Down Expand Up @@ -135,12 +155,6 @@ func (s *lockoutauthSuite) SetUpTest(c *C) {
c.Assert(s.TPM().DictionaryAttackParameters(s.TPM().LockoutHandleContext(), 32, 7200, 86400, nil), IsNil)
}

func (s *lockoutauthSuite) makeLockoutAuthData(c *C, params *LockoutAuthParams) []byte {
data, err := json.Marshal(params)
c.Assert(err, IsNil)
return data
}

var _ = Suite(&lockoutauthSuiteNoTPM{})
var _ = Suite(&lockoutauthSuite{})

Expand All @@ -152,7 +166,7 @@ func (s *lockoutauthSuiteNoTPM) TestLockoutAuthParamsMarshalJSON(c *C) {

data, err := json.Marshal(params)
c.Check(err, IsNil)
c.Check(data, DeepEquals, []byte(`{"auth-value":"x9oO1va6Pz6nQeeGOgoXSBOLbsyw4IQTKwSpyXbw0LE=","auth-policy":"AAAAAAAAAAEAC5xRENPNjPxvymnylptEkkmB67kMJSALrpC4PA2joYWCAAAAAAAAAAEgAQFxAAAAAQAAAAAAAQAL+21OPQovgBAFA+/1biwvpZu8ItTlnZBiGL/DKXTgoIIAAAACIAEBcQAAAAQAAAAAAAEAC7bFwF5YGQnN6n33pfkcDy7tN/128VUi7uW1X4lvLVY/AAAAAQAAAWwAAAE5AAAAAAABAAscaCd8nWVk3YG8z35Wuj7cqziPxgzpWzpEK9JyWPYN/AAAAAEAAAFsAAABOgAAAAAAAQALlAz7Qhe7Htz3+0GTfKl0qmjmmKt4uBJLBwET4hH9RvwAAAABAAABbAAAAScAAAAAAAEAC8Tfq87ajeg2yVZhlSiSsd73IDr7Rv7+xD/8/JO+VAcwAAAAAQAAAWwAAAEmAAABaw=="}`))
c.Check(data, DeepEquals, []byte(`{"auth-value":"x9oO1va6Pz6nQeeGOgoXSBOLbsyw4IQTKwSpyXbw0LE=","auth-policy":"AAAAAAAAAAEAC/cbf1/nUkzaClt4ysmVL5cqWE67D7Brmd7cgdwi7ztVAAAAAAAAAAEgAQFxAAAAAQAAAAAAAQALufUnMhfDMA5sLu0OUIPoKx2NNK4laaj7SfVnqdZFDjYAAAACIAEBcQAAAAUAAAAAAAEAC7bFwF5YGQnN6n33pfkcDy7tN/128VUi7uW1X4lvLVY/AAAAAQAAAWwAAAE5AAAAAAABAAscaCd8nWVk3YG8z35Wuj7cqziPxgzpWzpEK9JyWPYN/AAAAAEAAAFsAAABOgAAAAAAAQALlAz7Qhe7Htz3+0GTfKl0qmjmmKt4uBJLBwET4hH9RvwAAAABAAABbAAAAScAAAAAAAEAC8Tfq87ajeg2yVZhlSiSsd73IDr7Rv7+xD/8/JO+VAcwAAAAAQAAAWwAAAEmAAAAAAABAAu+aY2L0UknzX7Xvdk75B8n/yYmvS2KFUDi+URfLuWrLgAAAAEAAAFsAAABKQAAAWs="}`))
}

func (s *lockoutauthSuiteNoTPM) TestLockoutAuthParamsMarshalJSONNoPolicy(c *C) {
Expand All @@ -176,12 +190,11 @@ func (s *lockoutauthSuiteNoTPM) TestLockoutAuthParamsMarshalJSONForChangeAuth(c

data, err := json.Marshal(params)
c.Check(err, IsNil)
c.Check(data, DeepEquals, []byte(`{"auth-value":"x9oO1va6Pz6nQeeGOgoXSBOLbsyw4IQTKwSpyXbw0LE=","auth-policy":"AAAAAAAAAAEAC5xRENPNjPxvymnylptEkkmB67kMJSALrpC4PA2joYWCAAAAAAAAAAEgAQFxAAAAAQAAAAAAAQAL+21OPQovgBAFA+/1biwvpZu8ItTlnZBiGL/DKXTgoIIAAAACIAEBcQAAAAQAAAAAAAEAC7bFwF5YGQnN6n33pfkcDy7tN/128VUi7uW1X4lvLVY/AAAAAQAAAWwAAAE5AAAAAAABAAscaCd8nWVk3YG8z35Wuj7cqziPxgzpWzpEK9JyWPYN/AAAAAEAAAFsAAABOgAAAAAAAQALlAz7Qhe7Htz3+0GTfKl0qmjmmKt4uBJLBwET4hH9RvwAAAABAAABbAAAAScAAAAAAAEAC8Tfq87ajeg2yVZhlSiSsd73IDr7Rv7+xD/8/JO+VAcwAAAAAQAAAWwAAAEmAAABaw==","new-auth-value":"24LL69EOvYMbSP+K5ydaIwKQdLpiLAQW2XzTTdONgYY=","new-auth-policy":"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"}`))
c.Check(data, DeepEquals, []byte(`{"auth-value":"x9oO1va6Pz6nQeeGOgoXSBOLbsyw4IQTKwSpyXbw0LE=","auth-policy":"AAAAAAAAAAEAC/cbf1/nUkzaClt4ysmVL5cqWE67D7Brmd7cgdwi7ztVAAAAAAAAAAEgAQFxAAAAAQAAAAAAAQALufUnMhfDMA5sLu0OUIPoKx2NNK4laaj7SfVnqdZFDjYAAAACIAEBcQAAAAUAAAAAAAEAC7bFwF5YGQnN6n33pfkcDy7tN/128VUi7uW1X4lvLVY/AAAAAQAAAWwAAAE5AAAAAAABAAscaCd8nWVk3YG8z35Wuj7cqziPxgzpWzpEK9JyWPYN/AAAAAEAAAFsAAABOgAAAAAAAQALlAz7Qhe7Htz3+0GTfKl0qmjmmKt4uBJLBwET4hH9RvwAAAABAAABbAAAAScAAAAAAAEAC8Tfq87ajeg2yVZhlSiSsd73IDr7Rv7+xD/8/JO+VAcwAAAAAQAAAWwAAAEmAAAAAAABAAu+aY2L0UknzX7Xvdk75B8n/yYmvS2KFUDi+URfLuWrLgAAAAEAAAFsAAABKQAAAWs=","new-auth-value":"24LL69EOvYMbSP+K5ydaIwKQdLpiLAQW2XzTTdONgYY=","new-auth-policy":"AAAAAAAAAAEAC8iuOzJsfCEvz5HdnLSO98fhopBFpLgo9fX7/1TF/6KqAAAAAAAAAAEgAQFxAAAAAgAAAAAAAQAL+21OPQovgBAFA+/1biwvpZu8ItTlnZBiGL/DKXTgoIIAAAACIAEBcQAAAAQAAAAAAAEAC7bFwF5YGQnN6n33pfkcDy7tN/128VUi7uW1X4lvLVY/AAAAAQAAAWwAAAE5AAAAAAABAAscaCd8nWVk3YG8z35Wuj7cqziPxgzpWzpEK9JyWPYN/AAAAAEAAAFsAAABOgAAAAAAAQALlAz7Qhe7Htz3+0GTfKl0qmjmmKt4uBJLBwET4hH9RvwAAAABAAABbAAAAScAAAAAAAEAC8Tfq87ajeg2yVZhlSiSsd73IDr7Rv7+xD/8/JO+VAcwAAAAAQAAAWwAAAEmAAABawAAAAAAAQALDDnMvDFtHshfTn3M6F3KHOta8q5u4GWsqsqB8JnLJCYAAAACAAABbAAAASkAAAFgACMACwAEAAAAAAAQABAAAwAQACC2BaF5zNUOUWsO9Vxdw5PNDslawcvHjS3x54a1VHxZfAAgaOCKN2rpEFpajypuc/XSGSr0LnK/e8W9IyZMM8DufpUAC0NIQU5HRS1BVVRIAAAAAAAA"}`))
}

func (s *lockoutauthSuiteNoTPM) TestLockoutAuthParamsUnmarshalJSON(c *C) {
data := []byte(`{"auth-value":"x9oO1va6Pz6nQeeGOgoXSBOLbsyw4IQTKwSpyXbw0LE=","auth-policy":"AAAAAAAAAAEAC5xRENPNjPxvymnylptEkkmB67kMJSALrpC4PA2joYWCAAAAAAAAAAEgAQFxAAAAAQAAAAAAAQAL+21OPQovgBAFA+/1biwvpZu8ItTlnZBiGL/DKXTgoIIAAAACIAEBcQAAAAQAAAAAAAEAC7bFwF5YGQnN6n33pfkcDy7tN/128VUi7uW1X4lvLVY/AAAAAQAAAWwAAAE5AAAAAAABAAscaCd8nWVk3YG8z35Wuj7cqziPxgzpWzpEK9JyWPYN/AAAAAEAAAFsAAABOgAAAAAAAQALlAz7Qhe7Htz3+0GTfKl0qmjmmKt4uBJLBwET4hH9RvwAAAABAAABbAAAAScAAAAAAAEAC8Tfq87ajeg2yVZhlSiSsd73IDr7Rv7+xD/8/JO+VAcwAAAAAQAAAWwAAAEmAAABaw=="}`)

data := []byte(`{"auth-value":"x9oO1va6Pz6nQeeGOgoXSBOLbsyw4IQTKwSpyXbw0LE=","auth-policy":"AAAAAAAAAAEAC/cbf1/nUkzaClt4ysmVL5cqWE67D7Brmd7cgdwi7ztVAAAAAAAAAAEgAQFxAAAAAQAAAAAAAQALufUnMhfDMA5sLu0OUIPoKx2NNK4laaj7SfVnqdZFDjYAAAACIAEBcQAAAAUAAAAAAAEAC7bFwF5YGQnN6n33pfkcDy7tN/128VUi7uW1X4lvLVY/AAAAAQAAAWwAAAE5AAAAAAABAAscaCd8nWVk3YG8z35Wuj7cqziPxgzpWzpEK9JyWPYN/AAAAAEAAAFsAAABOgAAAAAAAQALlAz7Qhe7Htz3+0GTfKl0qmjmmKt4uBJLBwET4hH9RvwAAAABAAABbAAAAScAAAAAAAEAC8Tfq87ajeg2yVZhlSiSsd73IDr7Rv7+xD/8/JO+VAcwAAAAAQAAAWwAAAEmAAAAAAABAAu+aY2L0UknzX7Xvdk75B8n/yYmvS2KFUDi+URfLuWrLgAAAAEAAAFsAAABKQAAAWs="}`)
expected := &LockoutAuthParams{
AuthValue: testutil.DecodeHexString(c, "c7da0ed6f6ba3f3ea741e7863a0a1748138b6eccb0e084132b04a9c976f0d0b1"),
AuthPolicy: s.newDefaultLockoutAuthPolicy(c, tpm2.HashAlgorithmSHA256),
Expand All @@ -193,7 +206,7 @@ func (s *lockoutauthSuiteNoTPM) TestLockoutAuthParamsUnmarshalJSON(c *C) {
}

func (s *lockoutauthSuiteNoTPM) TestLockoutAuthParamsUnmarshalJSONForChangeAuth(c *C) {
data := []byte(`{"auth-value":"x9oO1va6Pz6nQeeGOgoXSBOLbsyw4IQTKwSpyXbw0LE=","auth-policy":"AAAAAAAAAAEAC5xRENPNjPxvymnylptEkkmB67kMJSALrpC4PA2joYWCAAAAAAAAAAEgAQFxAAAAAQAAAAAAAQAL+21OPQovgBAFA+/1biwvpZu8ItTlnZBiGL/DKXTgoIIAAAACIAEBcQAAAAQAAAAAAAEAC7bFwF5YGQnN6n33pfkcDy7tN/128VUi7uW1X4lvLVY/AAAAAQAAAWwAAAE5AAAAAAABAAscaCd8nWVk3YG8z35Wuj7cqziPxgzpWzpEK9JyWPYN/AAAAAEAAAFsAAABOgAAAAAAAQALlAz7Qhe7Htz3+0GTfKl0qmjmmKt4uBJLBwET4hH9RvwAAAABAAABbAAAAScAAAAAAAEAC8Tfq87ajeg2yVZhlSiSsd73IDr7Rv7+xD/8/JO+VAcwAAAAAQAAAWwAAAEmAAABaw==","new-auth-value":"24LL69EOvYMbSP+K5ydaIwKQdLpiLAQW2XzTTdONgYY=","new-auth-policy":"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"}`)
data := []byte(`{"auth-value":"x9oO1va6Pz6nQeeGOgoXSBOLbsyw4IQTKwSpyXbw0LE=","auth-policy":"AAAAAAAAAAEAC/cbf1/nUkzaClt4ysmVL5cqWE67D7Brmd7cgdwi7ztVAAAAAAAAAAEgAQFxAAAAAQAAAAAAAQALufUnMhfDMA5sLu0OUIPoKx2NNK4laaj7SfVnqdZFDjYAAAACIAEBcQAAAAUAAAAAAAEAC7bFwF5YGQnN6n33pfkcDy7tN/128VUi7uW1X4lvLVY/AAAAAQAAAWwAAAE5AAAAAAABAAscaCd8nWVk3YG8z35Wuj7cqziPxgzpWzpEK9JyWPYN/AAAAAEAAAFsAAABOgAAAAAAAQALlAz7Qhe7Htz3+0GTfKl0qmjmmKt4uBJLBwET4hH9RvwAAAABAAABbAAAAScAAAAAAAEAC8Tfq87ajeg2yVZhlSiSsd73IDr7Rv7+xD/8/JO+VAcwAAAAAQAAAWwAAAEmAAAAAAABAAu+aY2L0UknzX7Xvdk75B8n/yYmvS2KFUDi+URfLuWrLgAAAAEAAAFsAAABKQAAAWs=","new-auth-value":"24LL69EOvYMbSP+K5ydaIwKQdLpiLAQW2XzTTdONgYY=","new-auth-policy":"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"}`)

authValue := testutil.DecodeHexString(c, "c7da0ed6f6ba3f3ea741e7863a0a1748138b6eccb0e084132b04a9c976f0d0b1")
expected := &LockoutAuthParams{
Expand Down Expand Up @@ -348,6 +361,9 @@ func (s *lockoutauthSuite) TestResetDictionaryAttackLockWithAuthValue(c *C) {
c.Check(s.TPM().LockoutHandleContext().AuthValue(), DeepEquals, []byte(nil))

cmds := s.CommandLog()
for _, cmd := range cmds {
c.Logf("%v", cmd.CmdCode)
}
c.Assert(len(cmds) > 1, testutil.IsTrue)
cmd := cmds[len(cmds)-2]
c.Check(cmd.CmdCode, Equals, tpm2.CommandDictionaryAttackLockReset)
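Review bot: The `for _, cmd := range cmds { c.Logf("%v", cmd.CmdCode) }` loop added in `TestResetDictionaryAttackLockWithAuthValue` looks like leftover debugging output; it is only visible under `-v` or on failure and the assertions below do not use it. Either drop it, or keep it as diagnostic context by folding the codes into the assertion that follows, e.g. `c.Assert(len(cmds) > 1, testutil.IsTrue, Commentf("commands: %v", cmds))`, so the output appears exactly when the check fails. The `XXX` branch added to `newDefaultLockoutAuthPolicy` is adequately explained by its comment; the enclosing function starts outside the first hunk.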
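--- a/tpm2/platform_legacy_test.go
+++ b/tpm2/platform_legacy_test.go
@@ -49,7 +49,7 @@ func (s *platformLegacySuite) SetUpSuite(c *C) {
 func (s *platformLegacySuite) SetUpTest(c *C) {
 s.TPMTest.SetUpTest(c)
 
-c.Check(s.TPM().EnsureProvisioned(ProvisionWithoutLockout()), Equals, ErrTPMProvisioningRequiresLockout)
+c.Check(s.TPM().EnsureProvisioned(), Equals, ErrTPMProvisioningRequiresLockout)
 }
 
 var _ = Suite(&platformLegacySuite{})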
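--- a/tpm2/platform_test.go
+++ b/tpm2/platform_test.go
@@ -59,7 +59,7 @@ func (s *platformSuite) SetUpSuite(c *C) {
 func (s *platformSuite) SetUpTest(c *C) {
 s.TPMTest.SetUpTest(c)
 
-c.Check(s.TPM().EnsureProvisioned(ProvisionWithoutLockout()), Equals, ErrTPMProvisioningRequiresLockout)
+c.Check(s.TPM().EnsureProvisioned(), Equals, ErrTPMProvisioningRequiresLockout)
 
 s.lastEncryptedPayload = nil
 s.AddCleanup(MockSecbootNewKeyData(func(params *secboot.KeyParams) (*secboot.KeyData, error) {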