From 4982af8c2bd39831aad9e12980609290d882241c Mon Sep 17 00:00:00 2001
From: David Garske
Date: Tue, 19 Jul 2022 10:46:49 -0700
Subject: [PATCH] Improve the Windows TBS NV unavailable error handling.

---
 src/tpm2_wrap.c                 | 10 ++++++++++
 wrapper/CSharp/wolfTPM-tests.cs | 24 +++++++++++++++---------
 wrapper/CSharp/wolfTPM.cs       |  9 +++++----
 3 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index af39fa8..46550c2 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -2414,6 +2414,16 @@ int wolfTPM2_NVStoreKey(WOLFTPM2_DEV* dev, TPM_HANDLE primaryHandle,
     rc = TPM2_EvictControl(&in);
     if (rc != TPM_RC_SUCCESS) {
+    #ifdef WOLFTPM_WINAPI
+        if (rc == TPM_E_COMMAND_BLOCKED) { /* 0x80280400 */
+        #ifdef DEBUG_WOLFTPM
+            printf("TPM2_EvictControl (storing key to NV) not allowed on "
+                   "Windows TBS (err 0x%x)\n", rc);
+        #endif
+            rc = TPM_RC_NV_UNAVAILABLE;
+        }
+    #endif
+
     #ifdef DEBUG_WOLFTPM
         printf("TPM2_EvictControl failed %d: %s\n", rc,
             wolfTPM2_GetRCString(rc));
diff --git a/wrapper/CSharp/wolfTPM-tests.cs b/wrapper/CSharp/wolfTPM-tests.cs
index 87166a2..7f03279 100644
--- a/wrapper/CSharp/wolfTPM-tests.cs
+++ b/wrapper/CSharp/wolfTPM-tests.cs
@@ -526,8 +526,10 @@ namespace tpm_csharp_test
             rc = csr.SetCustomExtension(custOid, custOidVal, 0);
             /* if custom OID support is not compiled in then test is
              * inconclusive */
-            if (rc == (int)Status.NOT_COMPILED_IN)
+            if (rc == (int)Status.NOT_COMPILED_IN) {
+                device.UnloadHandle(keyBlob);
                 Assert.Inconclusive();
+            }
             Assert.AreEqual((int)Status.TPM_RC_SUCCESS, rc);
 
             rc = csr.MakeAndSign(device, keyBlob, X509_Format.PEM, output);
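Review bot: The remap at `rc = TPM_RC_NV_UNAVAILABLE;` in the tpm2_wrap.c hunk folds a permanent host-side policy refusal (Windows TBS blocking TPM2_EvictControl) into a code the TPM specification lists as a warning (RC_WARN + 0x23, "NV not available"), so a caller with a generic retry-on-warning policy could keep retrying a condition that never clears, and the original TBS code is only visible when DEBUG_WOLFTPM is defined. A comment on that line would spare the next reader the surprise: `/* TBS refuses EvictControl by policy; reported as NV unavailable, but this is permanent, not retriable */`. The enclosing function wolfTPM2_NVStoreKey starts and ends outside the hunk.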
@@ -566,18 +568,22 @@ namespace tpm_csharp_test
             rc = device.LoadKey(keyBlob, parent_key);
             Assert.AreEqual((int)Status.TPM_RC_SUCCESS, rc);
 
-            /* Store key */
-            rc = device.StoreKey(keyBlob, (ulong)TPM_RH.OWNER, testPersistentHandle);
-            if ((uint)rc == 0x80280400) { /* TPM_E_COMMAND_BLOCKED */
-                /* Windows TBS does not allow storing keys to NV */
+            /* Read public key */
+            rc = device.ReadPublicKey(keyBlob,
+                device.GetHandleValue(keyBlob.GetHandle()));
+            if (rc == (int)Status.TPM_RC_HANDLE) {
+                /* valid error if the handle is not found */
                 rc = 0; /* ignore error */
             }
             Assert.AreEqual((int)Status.TPM_RC_SUCCESS, rc);
 
-            /* Read public key */
-            rc = device.ReadPublicKey(keyBlob, testPersistentHandle);
-            if (rc == (int)Status.TPM_RC_HANDLE) {
-                /* valid error if the handle is not found */
+            /* Store key */
+            rc = device.StoreKey(keyBlob, (ulong)TPM_RH.OWNER, testPersistentHandle);
+            if (rc == (int)Status.TPM_RC_NV_UNAVAILABLE) {
+                device.UnloadHandle(keyBlob);
+
+                Assert.Inconclusive();
+                /* Windows TBS does not allow storing keys to NV */
                 rc = 0; /* ignore error */
             }
             Assert.AreEqual((int)Status.TPM_RC_SUCCESS, rc);
diff --git a/wrapper/CSharp/wolfTPM.cs b/wrapper/CSharp/wolfTPM.cs
index 697d994..953789a 100644
--- a/wrapper/CSharp/wolfTPM.cs
+++ b/wrapper/CSharp/wolfTPM.cs
@@ -66,6 +66,7 @@ namespace wolfTPM
     {
         TPM_RC_SUCCESS = 0,
         TPM_RC_HANDLE = 0x8B,
+        TPM_RC_NV_UNAVAILABLE = 0x923,
         BAD_FUNC_ARG = -173,
         NOT_COMPILED_IN = -174,
     }
@@ -969,7 +970,7 @@ namespace wolfTPM
             int rc = wolfTPM2_NVStoreKey(device, primaryHandle, key.key,
                 persistentHandle);
             if (rc != (int)Status.TPM_RC_SUCCESS &&
-                (uint)rc != 0x80280400) { /* TPM_E_COMMAND_BLOCKED */
+                rc != (int)Status.TPM_RC_NV_UNAVAILABLE) {
                 throw new WolfTpm2Exception(
                     "wolfTPM2_NVStoreKey", rc);
             }
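Review bot: In the wolfTPM-tests.cs @566 hunk, the `/* Windows TBS does not allow storing keys to NV */` comment and the `rc = 0; /* ignore error */` that follow `Assert.Inconclusive();` are unreachable, since Inconclusive ends the test by raising; the comment belongs above the unload and the assignment can go. Suggested: place `/* Windows TBS does not allow storing keys to NV */` directly before `device.UnloadHandle(keyBlob);` and drop the trailing `rc = 0; /* ignore error */`. The ReadPublicKey call now passes the transient handle just loaded by LoadKey rather than the persistent handle, so the `TPM_RC_HANDLE` ignore branch presumably no longer has a case it is meant to tolerate — worth confirming whether masking that error there still makes sense. The enclosing test method starts and ends outside the hunk.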
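Review bot: In the wolfTPM.cs @969 hunk (and identically in the @980 hunk), StoreKey returns instead of throwing when wolfTPM2_NVStoreKey reports TPM_RC_NV_UNAVAILABLE, so a caller that discards the return value will assume the key was persisted when it was not. That contract is not visible from the signature, which lies outside the hunk; an XML doc on the method would make it explicit: `/// <returns>TPM_RC_SUCCESS, or TPM_RC_NV_UNAVAILABLE (not thrown) when the platform, e.g. Windows TBS, refuses to persist the key; the key is then not stored.</returns>`.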
@@ -980,7 +981,7 @@ namespace wolfTPM
             int rc = wolfTPM2_NVStoreKey(device, primaryHandle, keyBlob.keyblob,
                 persistentHandle);
             if (rc != (int)Status.TPM_RC_SUCCESS &&
-                (uint)rc != 0x80280400) { /* TPM_E_COMMAND_BLOCKED */
+                rc != (int)Status.TPM_RC_NV_UNAVAILABLE) {
                 throw new WolfTpm2Exception(
                     "wolfTPM2_NVStoreKey", rc);
             }
@@ -1218,8 +1219,8 @@ namespace wolfTPM
         }
 
         [DllImport(DLLNAME, EntryPoint = "wolfTPM2_GetHandleValue")]
-        private static extern long wolfTPM2_GetHandleValue(IntPtr handle);
-        public long GetHandleValue(IntPtr handle)
+        private static extern uint wolfTPM2_GetHandleValue(IntPtr handle);
+        public uint GetHandleValue(IntPtr handle)
         {
             return wolfTPM2_GetHandleValue(handle);
         }
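Review bot: Changing the public `GetHandleValue` return type from `long` to `uint` in the @1218 hunk is a source- and binary-breaking change for consumers of the wrapper, even though `uint` presumably matches the 32-bit TPM handle the native function returns (marshaling a 32-bit native return as `long` could pick up undefined upper bits on 64-bit targets, which would make this a correctness fix as well). Worth a line in the release notes, and an XML doc on the method so the width is stated: `/// <returns>The 32-bit TPM handle value behind <paramref name="handle"/>.</returns>`.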