While working on #110 I came across the "TPM2_GetTag" helper function. It is used for about 20 TPM2 commands that can be executed with or without an Authorization Session. "TPM2_GetTag" checks for an indication of whether the Authorization Area is present. This would then require the TPM_ST_SESSIONS tag. Otherwise, we get the TPM_ST_NO_SESSIONS tag.
The issue here is that "TPM2_GetTag" will not return TPM_ST_SESSIONS even when the TPM context (user) has set it, because there are extra checks for parameter encryption attributes that are not actually needed for the Authorization Session check.
"TPM2_GetTag" is always used like this:

```c
st = TPM2_GetTag(ctx);
if (st == TPM_ST_SESSIONS) {
    /* the authorization area is only appended when the tag says sessions are present */
    TPM2_Packet_AppendAuth(&packet, ctx->authCmd, 1);
}
```
This is the helper in its current form, "TPM2_GetTag":

```c
static TPM_ST TPM2_GetTag(TPM2_CTX* ctx)
{
    TPM_ST st = TPM_ST_NO_SESSIONS;
    /* only a session carrying parameter encryption/decryption flips the tag;
     * a plain HMAC or password session leaves it at TPM_ST_NO_SESSIONS */
    if (ctx && ctx->authCmd &&
        (ctx->authCmd->sessionAttributes &
         (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt))) {
        st = TPM_ST_SESSIONS;
    }
    return st;
}
```
The fix is straightforward: make the if rule `if (ctx && ctx->authCmd)`. However, when the proper check is made, the native tests break. Therefore, I am not submitting a patch with this fix. Right now, this bug has no user impact, because none of the 20 TPM2 commands has been used with an Auth Session in our examples and AFAIK no user has reported the issue. So, we are catching this in time.
@dgarske After #110 is done, I would like to fix this. Currently, I think we can put it as low to medium priority. Just marking it as found :)
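The following stand-alone C example is added here to illustrate the issue described above; it is not wolfTPM's code. It places the reported `TPM2_GetTag` logic next to the proposed `if (ctx && ctx->authCmd)` check, encodes the 10-byte command header so the tag bytes that would leave the host are visible, and shows for which session attributes the two helpers disagree. The `AuthCmd` and `Ctx` structs are simplified stand-ins for `TPMS_AUTH_COMMAND` and `TPM2_CTX` (assumed shapes, not the project's), the session handle and command code are constructed values, and the `TPM_ST_*`/`TPMA_SESSION_*` constants are taken from the TPM 2.0 Library Specification Part 2.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TPM 2.0 command tags and TPMA_SESSION bits, values as defined in
 * TPM 2.0 Library Specification Part 2 (Structures). */
typedef uint16_t TPM_ST;
#define TPM_ST_NO_SESSIONS            0x8001u
#define TPM_ST_SESSIONS               0x8002u
#define TPMA_SESSION_continueSession  0x01u
#define TPMA_SESSION_decrypt          0x20u
#define TPMA_SESSION_encrypt          0x40u

/* Simplified stand-ins for wolfTPM's TPMS_AUTH_COMMAND and TPM2_CTX
 * (assumed shapes for this example; only the fields the tag decision
 * reads are modelled). */
typedef struct {
    uint32_t sessionHandle;
    uint8_t  sessionAttributes;
} AuthCmd;

typedef struct {
    AuthCmd* authCmd;   /* NULL when the caller configured no authorization session */
} Ctx;

/* The helper as reported in the issue: a session only flips the tag when
 * it also carries parameter encryption or decryption attributes. */
static TPM_ST GetTag_reported(const Ctx* ctx)
{
    TPM_ST st = TPM_ST_NO_SESSIONS;
    if (ctx && ctx->authCmd &&
        (ctx->authCmd->sessionAttributes &
         (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt))) {
        st = TPM_ST_SESSIONS;
    }
    return st;
}

/* The proposed fix: the presence of an authorization structure alone
 * decides the tag, independent of the session attributes. */
static TPM_ST GetTag_proposed(const Ctx* ctx)
{
    TPM_ST st = TPM_ST_NO_SESSIONS;
    if (ctx && ctx->authCmd) {
        st = TPM_ST_SESSIONS;
    }
    return st;
}

/* Encode the 10-byte TPM command header (tag, commandSize, commandCode)
 * in the big-endian wire order the TPM expects. Returns bytes written. */
static size_t encode_header(uint8_t out[10], TPM_ST tag,
                            uint32_t commandSize, uint32_t commandCode)
{
    out[0] = (uint8_t)(tag >> 8);          out[1] = (uint8_t)tag;
    out[2] = (uint8_t)(commandSize >> 24); out[3] = (uint8_t)(commandSize >> 16);
    out[4] = (uint8_t)(commandSize >> 8);  out[5] = (uint8_t)commandSize;
    out[6] = (uint8_t)(commandCode >> 24); out[7] = (uint8_t)(commandCode >> 16);
    out[8] = (uint8_t)(commandCode >> 8);  out[9] = (uint8_t)commandCode;
    return 10;
}

/* Returns 1 when the reported helper and the proposed fix pick different
 * tags for a context holding an auth session with the given attributes,
 * i.e. when the bug would change the bytes that leave the host. */
static int tags_diverge(uint8_t sessionAttributes)
{
    /* Constructed sample: a handle in the HMAC-session range (0x02xxxxxx). */
    AuthCmd auth = { 0x02000000u, sessionAttributes };
    Ctx ctx = { &auth };
    return GetTag_reported(&ctx) != GetTag_proposed(&ctx);
}

int main(void)
{
    uint8_t hdr[10];
    /* Plain HMAC session, continueSession set, no parameter encryption:
     * the reported helper says NO_SESSIONS, the fix says SESSIONS. */
    printf("HMAC session without encryption diverges: %d\n",
           tags_diverge(TPMA_SESSION_continueSession));
    /* Session with parameter decryption: both agree on SESSIONS. */
    printf("decrypt session diverges: %d\n", tags_diverge(TPMA_SESSION_decrypt));
    /* No auth session at all: both agree on NO_SESSIONS. */
    printf("no session diverges: %d\n",
           GetTag_reported(NULL) != GetTag_proposed(NULL));

    /* Header for a command that carries an auth area; size and command
     * code are arbitrary constructed values for illustration. */
    encode_header(hdr, TPM_ST_SESSIONS, 0x0000001Bu, 0x00000173u);
    printf("tag bytes on the wire: %02x %02x\n", hdr[0], hdr[1]);
    return 0;
}
```

The divergence only shows up for sessions without `TPMA_SESSION_decrypt`/`TPMA_SESSION_encrypt`, which is exactly the plain HMAC or password case: the caller configured `authCmd`, but the command goes out tagged `TPM_ST_NO_SESSIONS` and, because the call site gates `TPM2_Packet_AppendAuth` on the tag, without the authorization area.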
This issue is solved in the new version of TPM2_GetTag, which uses the new auth session handling introduced by #133 and the additional check added by @dgarske in #129.