tpm2-software / tpm2-tss

OSS implementation of the TCG TPM2 Software Stack (TSS2)
https://tpm2-software.github.io
BSD 2-Clause "Simplified" License

PolicyTemplate calculation incorrect #2862

Closed joholl closed 1 week ago

joholl commented 2 weeks ago

Spec Command Spec:

policyDigest_new ≔ H_policyAlg(policyDigest_old || TPM_CC_PolicyTemplate || templateHash)

However, we do not include policyDigest_old in the policy digest calculation. I am working on a fix.

https://github.com/tpm2-software/tpm2-tss/blob/f5d851ef2f8ea9d43ef00e198cd40d7320154592/src/tss2-fapi/ifapi_policy_calculate.c#L1271-L1281

@JuergenReppSIT Please correct me if I have missed something
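
The formula quoted in the comment above, worked through as an added example (not part of the original issue and not tpm2-tss code). It compares the spec's extend operation with a calculation that leaves out `policyDigest_old`. The function names, the template bytes and the earlier policy digest are constructed for illustration; SHA-256 is assumed as the policy hash algorithm.

```python
import hashlib
import struct

# Command code of TPM2_PolicyTemplate in the TPM 2.0 specification.
TPM_CC_POLICY_TEMPLATE = 0x00000190


def extend_policy_template(policy_digest_old: bytes, template_hash: bytes,
                           alg: str = "sha256") -> bytes:
    """policyDigest_new := H(policyDigest_old || TPM_CC_PolicyTemplate || templateHash)"""
    h = hashlib.new(alg)
    if len(policy_digest_old) != h.digest_size:
        raise ValueError("policyDigest_old must have the size of the policy hash")
    h.update(policy_digest_old)
    h.update(struct.pack(">I", TPM_CC_POLICY_TEMPLATE))  # big-endian UINT32
    h.update(template_hash)
    return h.digest()


def extend_without_old_digest(template_hash: bytes, alg: str = "sha256") -> bytes:
    """The calculation the issue reports: policyDigest_old is not hashed in."""
    h = hashlib.new(alg)
    h.update(struct.pack(">I", TPM_CC_POLICY_TEMPLATE))
    h.update(template_hash)
    return h.digest()


def start_digest(alg: str = "sha256") -> bytes:
    """A fresh policy session starts with an all-zero digest of hash size."""
    return bytes(hashlib.new(alg).digest_size)


# Constructed sample inputs (hypothetical, for illustration only).
TEMPLATE_HASH = hashlib.sha256(b"constructed public template").digest()
PRIOR_POLICY = hashlib.sha256(b"constructed earlier policy element").digest()


def compare() -> dict:
    """Digests for PolicyTemplate as first element and after an earlier element."""
    return {
        "spec_first": extend_policy_template(start_digest(), TEMPLATE_HASH),
        "spec_chained": extend_policy_template(PRIOR_POLICY, TEMPLATE_HASH),
        "no_old_digest": extend_without_old_digest(TEMPLATE_HASH),
    }


if __name__ == "__main__":
    for name, digest in compare().items():
        print(f"{name:14s} {digest.hex()}")
```

The digest computed without `policyDigest_old` matches neither spec value, not even when PolicyTemplate is the first policy element, because the all-zero start digest is still part of the hash input.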

joholl commented 2 weeks ago

I think this was not caught by our tests due to a bug in tpm2-tss/test/integration/policy-execute.int.c where if an error occurs (see line 787), we do not set the return code variable r accordingly.

https://github.com/tpm2-software/tpm2-tss/blob/f5d851ef2f8ea9d43ef00e198cd40d7320154592/test/integration/policy-execute.int.c#L778-L809

I will also have this be part of the fix.