Re: [PATCH 1/8] tss: Fix handling of TPM_RH_NULL in intel-tss

"Jarkko Sakkinen" <jarkko.sakkinen@xxxxxx> · Sat, 03 Aug 2024 20:08:20 +0300

On Fri Aug 2, 2024 at 11:25 PM EEST, James Bottomley wrote:
> Now that we're going to be using the NULL primary to salt sessions,
> the Intel TSS shim needs fixing to cope with this.  In the Intel TSS,
> there are two internal handles representing NULL: ESYS_TR_NONE and
> ESYS_TR_RH_NULL.  We translate TPM_RH_NULL to ESYS_TR_NONE because

Can you split this into two paragraphs.

I'm lost why it has two representations.

> most of the time it does mean no value.  However, for the NULL primary
> handle we must use ESYS_TR_RH_NULL, so check for that specific case
> and fix it.  Additionally remove the intel_handle() code which was
> supposed to do this: it's unused because 0 is never passed in as a
> handle number.
>
> Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
> ---
>  src/include/intel-tss.h | 18 +++++-------------
>  1 file changed, 5 insertions(+), 13 deletions(-)
>
> diff --git a/src/include/intel-tss.h b/src/include/intel-tss.h
> index 1870b4e..5b8db20 100644
> --- a/src/include/intel-tss.h
> +++ b/src/include/intel-tss.h
> @@ -251,14 +251,6 @@ intel_sess_helper(TSS_CONTEXT *tssContext, TPM_HANDLE auth, TPMA_SESSION flags)
>  				  TPMA_SESSION_CONTINUESESSION | flags);
>  }
>  
> -static inline TPM_HANDLE
> -intel_handle(TPM_HANDLE h)
> -{
> -	if (h == 0)
> -		return ESYS_TR_NONE;
> -	return h;
> -}
> -
>  static inline void
>  TSS_Delete(TSS_CONTEXT *tssContext)
>  {
> @@ -937,8 +929,10 @@ tpm2_CreatePrimary(TSS_CONTEXT *tssContext, TPM_HANDLE primaryHandle,
>  	TPM2B_PUBLIC *opub;
>  	TPM_RC rc;
>  
> -	/* FIXME will generate wrong value for NULL hierarchy */
> -	primaryHandle = intel_handle(primaryHandle);
> +
> +	/* TPM_RH_NULL is mapped to ESYS_TR_NONE, which won't work here */

I simply don't understand what E

> +	if (primaryHandle == TPM_RH_NULL)
> +		primaryHandle = INT_TPM_RH_NULL;
>  
>  	outsideInfo.size = 0;
>  	creationPcr.count = 0;
> @@ -993,9 +987,7 @@ tpm2_StartAuthSession(TSS_CONTEXT *tssContext, TPM_HANDLE tpmKey,
>  		      TPM_HANDLE *sessionHandle,
>  		      const char *bindPassword)
>  {
> -	bind = intel_handle(bind);
> -	tpmKey = intel_handle(tpmKey);
> -	if (bind != ESYS_TR_NONE)
> +	if (bind != TPM_RH_NULL)
>  		intel_auth_helper(tssContext, bind, bindPassword);
>  
>  	return Esys_StartAuthSession(tssContext, tpmKey, bind, ESYS_TR_NONE,

BR, Jarkko