[PATCH v2 1/8] tss: Fix handling of TPM_RH_NULL in intel-tss

James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> · Sun, 04 Aug 2024 09:42:39 -0400

The design of the intel-tss shim is to hide the difference between the
internal and the external handles by doing the internal to external
transform on entry.  Unfortunately, the NULL handle (TPM_RH_NULL,
40000007) has two possible internal representations depending on
whether it's used to indicate no session or the null hierarcy.

There is a bug in the intel-tss in that it uses the wrong internal
NULL handle to try to create the NULL seed primary (and thus fails).
Now that we're going to be using the NULL primary to salt sessions,
the Intel TSS shim needs fixing to cope with thi correctly.

The fix is to do the correct transform to the internal hierarchy
representation on NULL hierarchy creation and to do the session handle
conversion everywhere else.  Additionally remove the intel_handle()
code which was supposed to do this: it's unused because 0 is never
passed in as a handle number.

Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>

---
v2: reword commit message

---
 src/include/intel-tss.h | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/src/include/intel-tss.h b/src/include/intel-tss.h
index 1870b4e..5b8db20 100644
--- a/src/include/intel-tss.h
+++ b/src/include/intel-tss.h
@@ -251,14 +251,6 @@ intel_sess_helper(TSS_CONTEXT *tssContext,
TPM_HANDLE auth, TPMA_SESSION flags)
 				  TPMA_SESSION_CONTINUESESSION |
flags);
 }
 
-static inline TPM_HANDLE
-intel_handle(TPM_HANDLE h)
-{
-	if (h == 0)
-		return ESYS_TR_NONE;
-	return h;
-}
-
 static inline void
 TSS_Delete(TSS_CONTEXT *tssContext)
 {
@@ -937,8 +929,10 @@ tpm2_CreatePrimary(TSS_CONTEXT *tssContext,
TPM_HANDLE primaryHandle,
 	TPM2B_PUBLIC *opub;
 	TPM_RC rc;
 
-	/* FIXME will generate wrong value for NULL hierarchy */
-	primaryHandle = intel_handle(primaryHandle);
+
+	/* TPM_RH_NULL is mapped to ESYS_TR_NONE, which won't work
here */
+	if (primaryHandle == TPM_RH_NULL)
+		primaryHandle = INT_TPM_RH_NULL;
 
 	outsideInfo.size = 0;
 	creationPcr.count = 0;
@@ -993,9 +987,7 @@ tpm2_StartAuthSession(TSS_CONTEXT *tssContext,
TPM_HANDLE tpmKey,
 		      TPM_HANDLE *sessionHandle,
 		      const char *bindPassword)
 {
-	bind = intel_handle(bind);
-	tpmKey = intel_handle(tpmKey);
-	if (bind != ESYS_TR_NONE)
+	if (bind != TPM_RH_NULL)
 		intel_auth_helper(tssContext, bind, bindPassword);
 
 	return Esys_StartAuthSession(tssContext, tpmKey, bind,
ESYS_TR_NONE,
-- 
2.35.3









