From: Michael G. <m.g...@tu...> - 2011-08-29 14:28:02

On 2011-08-26 20:11, Jonathan McCune wrote:
> Hello again. :)

Hi again :)

> I follow up with a second question that is different, but related.
> Here I try to define space that exclusively depends upon the value of
> PCR 10:
>
> jtt nv_definespace --index 0x00011222 --size 64 -o tpm -e ASCII -p 10 -w --permission 0x00000000
>
> additional info: no write permissions set
>
> at iaik.tc.tss.impl.java.tsp.TcNvRam.defineSpace(TcNvRam.java:168)
>
> In jtss_tsp/src/iaik/tc/tss/impl/java/tsp/TcNvRam.java, we see that
> this is an exception that is thrown if no write permissions are set:
>
>     if (((permissions & TcTpmConstants.TPM_NV_PER_AUTHWRITE) == 0)
>         && ((permissions & TcTpmConstants.TPM_NV_PER_OWNERWRITE) == 0)
>         && ((permissions & TcTpmConstants.TPM_NV_PER_WRITEDEFINE) == 0)
>         && ((permissions & TcTpmConstants.TPM_NV_PER_PPWRITE) == 0)
>         && !writeLocalities) {
>         throw new TcTcsException(TcTcsErrors.TCS_E_BAD_PARAMETER,
>             "no write permissions set");
>     }
>
> Again, what's the problem? I did specify PCR-based access control for
> writing. Is there any fundamental reason why this shouldn't work?
> The only thing I can think of is that NV space without any access
> control might be more susceptible to malicious wear-out.

The reason for this is that the TPM Spec prohibits an index defined that way. You have to specify a write access restriction by either TPM_NV_PER_OWNERWRITE, TPM_NV_PER_AUTHWRITE, TPM_NV_PER_WRITEDEFINE, TPM_NV_PER_PPWRITE or by excluding at least one locality. This is specified in TPM Spec Commands, Revision 116, lines 4093 to 4107. jTSS just does the check before the command is actually sent to the TPM.

You can either exclude one locality that you don't use (and won't be able to write to this index using jTSS) or you use the TPM_NV_PER_AUTHWRITE method.

> Again, many thanks for your time and attention.
> -Jon

Best regards,
Michael
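The rule Michael describes, written out as a small pre-flight validator. This is an added example, not jTSS code and not part of the thread: it applies the same test that `TcNvRam.defineSpace` applies (one of the four write-permission bits, or at least one locality excluded), shows that PCR binding alone does not satisfy it, and produces the two remedies from the reply as concrete attribute values. The `TPM_NV_PER_*` bit values and the five-bit `localityAtRelease` mask are taken from the TPM 1.2 structures specification; the function names `has_write_restriction`, `check_nv_define` and `suggest_fixes` are this example's own. Python is used so the check can be run without a TPM or a TSS stack.

```python
# Added example (not jTSS code): validate an NV_DefineSpace request against the
# "must restrict writes" rule before handing it to the TSS.
# Bit values below are from the TPM 1.2 structures spec (TPM_NV_ATTRIBUTES,
# TPM_LOCALITY_SELECTION); the names match those used in the thread.

TPM_NV_PER_PPWRITE = 0x00000001      # bit 0: physical presence required to write
TPM_NV_PER_OWNERWRITE = 0x00000002   # bit 1: owner authorization required to write
TPM_NV_PER_AUTHWRITE = 0x00000004    # bit 2: per-index auth value required to write
TPM_NV_PER_WRITEDEFINE = 0x00002000  # bit 13: index locks after a zero-length write

# localityAtRelease bits for localities 0..4; 0x1F means "writable from any locality"
TPM_LOC_ZERO, TPM_LOC_ONE, TPM_LOC_TWO, TPM_LOC_THREE, TPM_LOC_FOUR = (
    0x01, 0x02, 0x04, 0x08, 0x10)
ALL_LOCALITIES = 0x1F

WRITE_RESTRICTIONS = (TPM_NV_PER_PPWRITE | TPM_NV_PER_OWNERWRITE
                      | TPM_NV_PER_AUTHWRITE | TPM_NV_PER_WRITEDEFINE)


def has_write_restriction(permissions, write_localities=ALL_LOCALITIES):
    """True if writes are gated by one of the four write bits or by a locality exclusion.

    This mirrors the jTSS condition: the four (permissions & BIT) tests plus the
    writeLocalities flag, which is set when at least one locality is excluded.
    """
    if permissions & WRITE_RESTRICTIONS:
        return True
    return (write_localities & ALL_LOCALITIES) != ALL_LOCALITIES


def check_nv_define(permissions, write_pcrs=(), write_localities=ALL_LOCALITIES):
    """Return (ok, message) for a proposed NV index definition.

    write_pcrs is accepted only to make the point explicit: binding the write
    side to PCRs (the thread's '-p 10') is not a write restriction in the sense
    of the spec, so it does not change the outcome.
    """
    if not has_write_restriction(permissions, write_localities):
        return False, ("no write permissions set: PCR binding %s does not count; set "
                       "TPM_NV_PER_AUTHWRITE, OWNERWRITE, PPWRITE or WRITEDEFINE, "
                       "or exclude at least one locality"
                       % (list(write_pcrs) if write_pcrs else "none"))
    return True, "ok"


def suggest_fixes(permissions, write_localities=ALL_LOCALITIES):
    """The two remedies from the reply, as (permissions, localityAtRelease) pairs."""
    return {
        "authwrite": (permissions | TPM_NV_PER_AUTHWRITE, write_localities),
        "exclude_locality_4": (permissions, write_localities & ~TPM_LOC_FOUR),
    }


if __name__ == "__main__":
    # The request from the thread: permission 0x00000000, write bound to PCR 10
    ok, msg = check_nv_define(0x00000000, write_pcrs=(10,))
    print("original request: ok=%s (%s)" % (ok, msg))
    for name, (perm, locs) in suggest_fixes(0x00000000).items():
        ok, msg = check_nv_define(perm, write_pcrs=(10,), write_localities=locs)
        print("%-18s permissions=0x%08x localities=0x%02x ok=%s" % (name, perm, locs, ok))
```

Run it as a script to see the original request rejected and both remedies accepted. The locality exclusion is the weaker of the two from an integrity standpoint: it only removes one locality from the set that may write, whereas `TPM_NV_PER_AUTHWRITE` requires the index's auth value on every write and so also addresses the wear-out concern raised in the question.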