FAPI: Add check whether auth values exist for hierarchies.

Currently FAPI provisioning tries to create the EK and SRK with the NULL auth value for the hierarchies. Now first the corresponding flag in TPM2_CAP_TPM_PROPERTIES with the property TPM2_PT_PERMANENT is checked. If an auth value is used for the hierarchy the auth value callback will be called. The "retry" code in the BAD_AUTH case is removed. Signed-off-by: Juergen Repp <[email protected]>
tpm2-software · May 8, 2024 · f9a09e4 · f9a09e4
1 parent 03726ba
commit f9a09e4
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 31 deletions.
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
@@ -512,6 +512,16 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
             command->auth_state =  (*capabilityData)->data.tpmProperties.tpmProperty[0].value;
             SAFE_FREE(*capabilityData);
 
+            if (command->auth_state & TPMA_PERMANENT_ENDORSEMENTAUTHSET) {
+                hierarchy_he->misc.hierarchy.with_auth = TPM2_YES;
+            }
+            if (command->auth_state & TPMA_PERMANENT_OWNERAUTHSET) {
+                hierarchy_hs->misc.hierarchy.with_auth = TPM2_YES;
+            }
+            if (command->auth_state & TPMA_PERMANENT_LOCKOUTAUTHSET) {
+                hierarchy_lockout->misc.hierarchy.with_auth = TPM2_YES;
+            }
+
             /* Check the TPM capabilities for the persistent handle. */
             if (command->public_templ.persistent_handle) {
                 r = Esys_GetCapability_Async(context->esys,

diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
@@ -760,38 +760,8 @@ ifapi_init_primary_finish(FAPI_CONTEXT *context, TSS2_KEY_TYPE ktype, IFAPI_OBJE
         if (base_rc(r) == TSS2_BASE_RC_TRY_AGAIN)
             return TSS2_FAPI_RC_TRY_AGAIN;
 
-        /* Retry with authorization callback after trial with null auth */
-        if (number_rc(r) == TPM2_RC_BAD_AUTH
-            && hierarchy->misc.hierarchy.with_auth == TPM2_NO) {
-            char *description;
-            r = ifapi_get_description(hierarchy, &description);
-            return_if_error(r, "Get description");
+        goto_if_error_reset_state(r, "FAPI Provision", error_cleanup);
 
-            r = ifapi_set_auth(context, hierarchy, description);
-            SAFE_FREE(description);
-            goto_if_error_reset_state(r, "CreatePrimary", error_cleanup);
-
-            r = Esys_CreatePrimary_Async(context->esys, hierarchy->public.handle,
-                                         (context->session1 == ESYS_TR_NONE) ?
-                                         ESYS_TR_PASSWORD : context->session1,
-                                         ESYS_TR_NONE, ESYS_TR_NONE,
-                                         &context->cmd.Provision.inSensitive,
-                                         &context->cmd.Provision.public_templ.public,
-                                         &context->cmd.Provision.outsideInfo,
-                                         &context->cmd.Provision.creationPCR);
-            goto_if_error_reset_state(r, "CreatePrimary", error_cleanup);
-
-            if (ktype == TSS2_EK) {
-                context->state = PROVISION_AUTH_EK_AUTH_SENT;
-            } else {
-                context->state = PROVISION_AUTH_SRK_AUTH_SENT;
-            }
-            hierarchy->misc.hierarchy.with_auth = TPM2_YES;
-            return TSS2_FAPI_RC_TRY_AGAIN;
-
-        } else {
-            goto_if_error_reset_state(r, "FAPI Provision", error_cleanup);
-        }
         /* Set EK or SRK handle in context. */
         if (ktype == TSS2_EK) {
             context->ek_handle = primaryHandle;