feat: add HierarchyChangeAuth command (#357)

see definition in Part 3, Commands, section 24.8
google · May 14, 2024 · 58e3e47 · 58e3e47
1 parent 5c2f088
commit 58e3e47
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 0 deletions.
diff --git a/tpm2/test/hierarchy_change_auth_test.go b/tpm2/test/hierarchy_change_auth_test.go
@@ -0,0 +1,65 @@
+package tpm2test
+
+import (
+	"errors"
+	"testing"
+
+	. "github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/tpm2/transport/simulator"
+)
+
+func TestHierarchyChangeAuth(t *testing.T) {
+	thetpm, err := simulator.OpenSimulator()
+	if err != nil {
+		t.Fatalf("could not connect to TPM simulator: %v", err)
+	}
+	defer thetpm.Close()
+
+	authKey := []byte("authkey")
+	newAuthKey := []byte("newAuthKey")
+
+	t.Run("HierarchyChangeAuthOwner", func(t *testing.T) {
+		hca := HierarchyChangeAuth{
+			AuthHandle: TPMRHOwner,
+			NewAuth: TPM2BAuth{
+				Buffer: authKey,
+			},
+		}
+
+		_, err := hca.Execute(thetpm)
+		if err != nil {
+			t.Errorf("failed HierarchyChangeAuth: %v", err)
+		}
+	})
+
+	t.Run("HierarchyChangeAuthOwnerUnauth", func(t *testing.T) {
+		hca := HierarchyChangeAuth{
+			AuthHandle: TPMRHOwner,
+			NewAuth: TPM2BAuth{
+				Buffer: newAuthKey,
+			},
+		}
+
+		_, err := hca.Execute(thetpm)
+		if !errors.Is(err, TPMRCBadAuth) {
+			t.Errorf("failed HierarchyChangeAuthWithoutAuth: want TPM_RC_BAD_AUTH, got %v", err)
+		}
+	})
+
+	t.Run("HierarchyChangeAuthOwnerAuth", func(t *testing.T) {
+		hca := HierarchyChangeAuth{
+			AuthHandle: AuthHandle{
+				Handle: TPMRHOwner,
+				Auth:   PasswordAuth(authKey),
+			},
+			NewAuth: TPM2BAuth{
+				Buffer: newAuthKey,
+			},
+		}
+
+		_, err := hca.Execute(thetpm)
+		if err != nil {
+			t.Errorf("failed HierarchyChangeAuthWithAuth: %v", err)
+		}
+	})
+}
diff --git a/tpm2/tpm2.go b/tpm2/tpm2.go
@@ -1518,6 +1518,30 @@ func (cmd Clear) Execute(t transport.TPM, s ...Session) (*ClearResponse, error)
 // ClearResponse is the response from TPM2_Clear.
 type ClearResponse struct{}
 
+// HierarchyChangeAuth is the input to TPM2_HierarchyChangeAuth.
+// See definition in Part 3, Commands, section 24.8
+type HierarchyChangeAuth struct {
+	// TPM_RH_ENDORSEMENT, TPM_RH_LOCKOUT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}
+	AuthHandle handle `gotpm:"handle,auth"`
+	// new authorization value
+	NewAuth TPM2BAuth
+}
+
+// Command implements the Command interface.
+func (HierarchyChangeAuth) Command() TPMCC { return TPMCCHierarchyChanegAuth }
+
+// Execute executes the command and returns the response.
+func (cmd HierarchyChangeAuth) Execute(t transport.TPM, s ...Session) (*HierarchyChangeAuthResponse, error) {
+	var rsp HierarchyChangeAuthResponse
+	if err := execute[HierarchyChangeAuthResponse](t, cmd, &rsp, s...); err != nil {
+		return nil, err
+	}
+	return &rsp, nil
+}
+
+// HierarchyChangeAuthResponse is the response from TPM2_HierarchyChangeAuth.
+type HierarchyChangeAuthResponse struct{}
+
 // ContextSave is the input to TPM2_ContextSave.
 // See definition in Part 3, Commands, section 28.2
 type ContextSave struct {