Closed granaghan closed 7 months ago
When you load an object without a sensitive area, it can’t be used for authorization so the authPolicy size is moot.
From: Brian Granaghan @.*** Sent: Tuesday, June 7, 2022 6:36 PM To: microsoft/ms-tpm-20-ref Cc: Subscribed Subject: [microsoft/ms-tpm-20-ref] TPM2_LoadExternal does not validate authPolicy size if private area is not loaded. (Issue #71)
TPM2_LoadExternal https://github.com/microsoft/ms-tpm-20-ref/blob/b8e599267381badbe0571f8ace55b28a5f16457c/TPMCmd/tpm/src/command/Object/LoadExternal.c#L86 explicitly checked the authPolicy size in 1.16 https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.16-code.pdf and this was dropped in 1.38 https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38-code.pdf . I have not been able to find an errata relating to it. PublicAttributesValidation https://github.com/microsoft/ms-tpm-20-ref/blob/b8e599267381badbe0571f8ace55b28a5f16457c/TPMCmd/tpm/src/command/Object/Object_spt.c#L618 checks this, but is only called if the private area is loaded here https://github.com/microsoft/ms-tpm-20-ref/blob/b8e599267381badbe0571f8ace55b28a5f16457c/TPMCmd/tpm/src/subsystem/Object.c#L422 .
Is this an intentional change?
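The check under discussion, as an added stand-alone example that is not code from ms-tpm-20-ref or from the TCG specification: an object's authPolicy must be empty or exactly the digest length of its nameAlg, and the example applies that check whether or not a private (sensitive) area accompanies the public area. The TPM_ALG_ID constants are the specification's values; the TPM2B_DIGEST-like struct, the result-code enum and the function names are simplifications assumed for this example, not the reference implementation's own types or TPM_RC codes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* TPM_ALG_ID values from TPM 2.0 Part 2 (real constants). */
#define TPM_ALG_SHA1   0x0004
#define TPM_ALG_SHA256 0x000B
#define TPM_ALG_SHA384 0x000C
#define TPM_ALG_SHA512 0x000D

/* Result codes constructed for this example; they stand in for the spec's
 * TPM_RC_HASH / TPM_RC_SIZE but are not the reference implementation's values. */
typedef enum { CHECK_OK = 0, CHECK_RC_HASH = 1, CHECK_RC_SIZE = 2 } check_rc;

/* Simplified TPM2B_DIGEST: a size prefix and a buffer (assumed shape). */
typedef struct {
    uint16_t size;
    uint8_t  buffer[64];
} digest2b;

/* Digest length in bytes for a nameAlg, or -1 for an unsupported algorithm. */
static int digest_size(uint16_t alg)
{
    switch (alg) {
    case TPM_ALG_SHA1:   return 20;
    case TPM_ALG_SHA256: return 32;
    case TPM_ALG_SHA384: return 48;
    case TPM_ALG_SHA512: return 64;
    default:             return -1;
    }
}

/* The authPolicy size rule: empty, or exactly nameAlg's digest length.
 * This is the validation the issue reports as explicit in 1.16 LoadExternal. */
check_rc validate_auth_policy(uint16_t nameAlg, const digest2b *authPolicy)
{
    int n = digest_size(nameAlg);
    if (n < 0)
        return CHECK_RC_HASH;                 /* nameAlg not a usable hash */
    if (authPolicy->size != 0 && authPolicy->size != (uint16_t)n)
        return CHECK_RC_SIZE;                 /* policy is neither empty nor one digest */
    return CHECK_OK;
}

/* Convenience wrapper: build a zero-filled policy of the given size and check it. */
check_rc validate_auth_policy_size(uint16_t nameAlg, uint16_t policySize)
{
    digest2b p;
    memset(&p, 0, sizeof p);
    p.size = policySize;
    return validate_auth_policy(nameAlg, &p);
}

/* Hardened load-external check (hypothetical): the policy size is validated
 * regardless of whether a sensitive area is present, so the public-only path
 * gets the same TPM_RC_SIZE-style rejection as the private-loaded path. */
check_rc load_external_validate(bool has_private, uint16_t nameAlg, uint16_t policySize)
{
    (void)has_private;   /* deliberately not consulted: the check is unconditional */
    return validate_auth_policy_size(nameAlg, policySize);
}

int main(void)
{
    /* Constructed cases: a 20-byte policy on a SHA-256 object is rejected on
     * both paths; an empty or 32-byte policy is accepted. */
    printf("public-only, 20-byte policy: %d\n", load_external_validate(false, TPM_ALG_SHA256, 20));
    printf("private,     20-byte policy: %d\n", load_external_validate(true,  TPM_ALG_SHA256, 20));
    printf("public-only, 32-byte policy: %d\n", load_external_validate(false, TPM_ALG_SHA256, 32));
    printf("public-only, empty policy:   %d\n", load_external_validate(false, TPM_ALG_SHA256, 0));
    return 0;
}
```

The wrapper taking only a size is what a unit test would exercise; a real command handler would pass the unmarshalled TPM2B_DIGEST from the public area to validate_auth_policy directly.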