Skip to content

Commit

Permalink
FAPI: Fix unnecessary writes to keystore.
Browse files Browse the repository at this point in the history
* A duplicate write operation to the keystore was executed by
  Fapi_NvWrite.
* A write operation to the keystore was only needed after the
  first call of Fapi_NvWrite because the NV_WRITTEN bit was set.
* A write operation to the keystore by Fapi_ChangeAuth was only needed
  if the value of the attribute with_auth was changed.

Addresses: #2881

Signed-off-by: Juergen Repp <juergen_repp@web.de>
  • Loading branch information
JuergenReppSIT committed Aug 2, 2024
1 parent ac930eb commit a9cef76
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 28 deletions.
26 changes: 22 additions & 4 deletions src/tss2-fapi/api/Fapi_ChangeAuth.c
Original file line number Diff line number Diff line change
Expand Up @@ -419,10 +419,19 @@ Fapi_ChangeAuth_Finish(
empty authorization or an actual password. */
object = command->key_object;

if (strlen(command->authValue) > 0)
if (strlen(command->authValue) > 0) {
if (object->misc.key.with_auth == TPM2_YES) {
context->state = ENTITY_CHANGE_AUTH_CLEANUP;
return TSS2_FAPI_RC_TRY_AGAIN;
}
object->misc.key.with_auth = TPM2_YES;
else
} else {
if (object->misc.key.with_auth == TPM2_NO) {
context->state = ENTITY_CHANGE_AUTH_CLEANUP;
return TSS2_FAPI_RC_TRY_AGAIN;
}
object->misc.key.with_auth = TPM2_NO;
}
fallthrough;

statecase(context->state, ENTITY_CHANGE_AUTH_WRITE_PREPARE)
Expand Down Expand Up @@ -502,10 +511,19 @@ Fapi_ChangeAuth_Finish(

/* Update the information about whether the new Auth is an empty
authorization or an actual password. */
if (strlen(command->authValue) > 0)
if (strlen(command->authValue) > 0) {
if (object->misc.key.with_auth == TPM2_YES) {
context->state = ENTITY_CHANGE_AUTH_CLEANUP;
return TSS2_FAPI_RC_TRY_AGAIN;
}
object->misc.nv.with_auth = TPM2_YES;
else
} else {
if (object->misc.key.with_auth == TPM2_NO) {
context->state = ENTITY_CHANGE_AUTH_CLEANUP;
return TSS2_FAPI_RC_TRY_AGAIN;
}
object->misc.nv.with_auth = TPM2_NO;
}

/* Jump over to the AUTH_WRITE_PREPARE state for storing the
new metadata to the keystore. */
Expand Down
24 changes: 0 additions & 24 deletions src/tss2-fapi/api/Fapi_NvWrite.c
Original file line number Diff line number Diff line change
Expand Up @@ -256,37 +256,13 @@ Fapi_NvWrite_Finish(

switch (context->state) {
statecase(context->state, NV_WRITE_READ);
/* First check whether the file in object store can be updated. */
r = ifapi_keystore_check_writeable(&context->keystore, command->nvPath);
goto_if_error_reset_state(r, "Check whether update object store is possible.", error_cleanup);

/* Write to the NV index. */
r = ifapi_nv_write(context, command->nvPath, command->offset,
command->data, command->numBytes);

return_try_again(r);
goto_if_error_reset_state(r, " FAPI NV Write", error_cleanup);


/* Perform esys serialization if necessary */
r = ifapi_esys_serialize_object(context->esys, &command->nv_object);
goto_if_error(r, "Prepare serialization", error_cleanup);

/* Start writing the NV object to the key store */
r = ifapi_keystore_store_async(&context->keystore, &context->io,
command->nvPath,
&command->nv_object);
goto_if_error_reset_state(r, "Could not open: %sh", error_cleanup,
command->nvPath);

fallthrough;

statecase(context->state, NV_WRITE_WRITE);
/* Finish writing the NV object to the key store */
r = ifapi_keystore_store_finish(&context->io);
return_try_again(r);
return_if_error_reset_state(r, "write_finish failed");

fallthrough;

statecase(context->state, NV_WRITE_CLEANUP)
Expand Down
13 changes: 13 additions & 0 deletions src/tss2-fapi/fapi_util.c
Original file line number Diff line number Diff line change
Expand Up @@ -2316,6 +2316,13 @@ ifapi_nv_write(
context->nv_cmd.esys_handle = nv_index;
context->nv_cmd.nv_obj = object->misc.nv;

/* Check whether the file in object store can be updated if necessary */
if (!(context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes &
TPMA_NV_WRITTEN) ){
r = ifapi_keystore_check_writeable(&context->keystore, nvPath);
goto_if_error_reset_state(r, "Check whether update object store is possible.", error_cleanup);
}

/* Determine the object which will be uses for authorization. */
if (object->misc.nv.public.nvPublic.attributes & TPMA_NV_PPWRITE) {
ifapi_init_hierarchy_object(auth_object, ESYS_TR_RH_PLATFORM);
Expand Down Expand Up @@ -2437,6 +2444,12 @@ ifapi_nv_write(
return TSS2_FAPI_RC_TRY_AGAIN;

}
if (context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes &
TPMA_NV_WRITTEN) {
LOG_DEBUG("success");
r = TSS2_RC_SUCCESS;
break;
}
fallthrough;

statecase(context->nv_cmd.nv_write_state, NV2_WRITE_WRITE_PREPARE);
Expand Down

0 comments on commit a9cef76

Please sign in to comment.