google · chrisccoulson · Jul 5, 2019 · Jul 5, 2019 · Jul 5, 2019 · Jul 5, 2019
@@ -304,22 +304,26 @@ var toGoCurve = map[EllipticCurve]elliptic.Curve{
 
 // Supported TPM operations.
 const (
-	cmdEvictControl       tpmutil.Command = 0x00000120
-	cmdUndefineSpace      tpmutil.Command = 0x00000122
-	cmdClockSet           tpmutil.Command = 0x00000128
-	cmdDefineSpace        tpmutil.Command = 0x0000012A
-	cmdPCRAllocate        tpmutil.Command = 0x0000012B
-	cmdCreatePrimary      tpmutil.Command = 0x00000131
-	cmdIncrementNVCounter tpmutil.Command = 0x00000134
-	cmdWriteNV            tpmutil.Command = 0x00000137
-	cmdPCREvent           tpmutil.Command = 0x0000013C
-	cmdStartup            tpmutil.Command = 0x00000144
-	cmdShutdown           tpmutil.Command = 0x00000145
-	cmdStirRandom         tpmutil.Command = 0x00000146
-	cmdActivateCredential tpmutil.Command = 0x00000147
-	cmdCertify            tpmutil.Command = 0x00000148
-	cmdCertifyCreation    tpmutil.Command = 0x0000014A
-	cmdReadNV             tpmutil.Command = 0x0000014E
+	cmdEvictControl               tpmutil.Command = 0x00000120
+	cmdUndefineSpace              tpmutil.Command = 0x00000122
+	cmdClear                      tpmutil.Command = 0x00000126
+	cmdClearControl		      tpmutil.Command = 0x00000127
+	cmdClockSet                   tpmutil.Command = 0x00000128
+	cmdHierarchyChangeAuth        tpmutil.Command = 0x00000129
+	cmdDefineSpace                tpmutil.Command = 0x0000012A
+	cmdPCRAllocate                tpmutil.Command = 0x0000012B
+	cmdCreatePrimary              tpmutil.Command = 0x00000131
+	cmdIncrementNVCounter         tpmutil.Command = 0x00000134
+	cmdWriteNV                    tpmutil.Command = 0x00000137
+	cmdPCREvent                   tpmutil.Command = 0x0000013C
+	cmdDictionaryAttackParameters tpmutil.Command = 0x0000013A
+	cmdStartup                    tpmutil.Command = 0x00000144
+	cmdShutdown                   tpmutil.Command = 0x00000145
+	cmdStirRandom                 tpmutil.Command = 0x00000146
+	cmdActivateCredential         tpmutil.Command = 0x00000147
+	cmdCertify                    tpmutil.Command = 0x00000148
+	cmdCertifyCreation            tpmutil.Command = 0x0000014A
+	cmdReadNV                     tpmutil.Command = 0x0000014E
 	// CmdPolicySecret is a command code for TPM2_PolicySecret.
 	// It's exported for computing of default AuthPolicy value.
 	CmdPolicySecret     tpmutil.Command = 0x00000151

@@ -507,6 +507,102 @@ func CreatePrimaryRawTemplate(rw io.ReadWriter, owner tpmutil.Handle, sel PCRSel
 	return hnd, pubKey, nil
 }
 
+func encodeClear(hierarchy tpmutil.Handle, password string) ([]byte, error) {
+	ha, err := tpmutil.Pack(hierarchy)
+	if err != nil {
+		return nil, err
+	}
+	auth, err := encodeAuthArea(AuthCommand{Session: HandlePasswordSession, Attributes: AttrContinueSession, Auth: []byte(password)})
+	if err != nil {
+		return nil, err
+	}
+	return concat(ha, auth)
+}
+
+func Clear(rw io.ReadWriter, hierarchy tpmutil.Handle, password string) error {
+	cmd, err := encodeClear(hierarchy, password)
+	if err != nil {
+		return err
+	}
+	_, err = runCommand(rw, TagSessions, cmdClear, tpmutil.RawBytes(cmd))
+	return err
+}
+
+func encodeDisableOwnerClear(password string) ([]byte, error) {
+	lockout, err := tpmutil.Pack(HandleLockout)
+	if err != nil {
+		return nil, err
+	}
+	auth, err := encodeAuthArea(AuthCommand{Session: HandlePasswordSession, Attributes: AttrContinueSession, Auth: []byte(password)})
+	if err != nil {
+		return nil, err
+	}
+	param, err := tpmutil.Pack(true)
+	if err != nil {
+		return nil, err
+	}
+	return concat(lockout, auth, param)
+}
+
+func DisableOwnerClear(rw io.ReadWriter, password string) error {
+	cmd, err := encodeDisableOwnerClear(password)
+	if err != nil {
+		return err
+	}
+	_, err = runCommand(rw, TagSessions, cmdClearControl, tpmutil.RawBytes(cmd))
+	return err
+}
+
+func encodeSetDAParameters(maxTries, recoveryTime, lockoutRecovery uint32, password string) ([]byte, error) {
+	lockout, err := tpmutil.Pack(HandleLockout)
+	if err != nil {
+		return nil, err
+	}
+	auth, err := encodeAuthArea(AuthCommand{Session: HandlePasswordSession, Attributes: AttrContinueSession, Auth: []byte(password)})
+	if err != nil {
+		return nil, err
+	}
+	params, err := tpmutil.Pack(maxTries, recoveryTime, lockoutRecovery)
+	if err != nil {
+		return nil, err
+	}
+	return concat(lockout, auth, params)
+}
+
+func SetDictionaryAttackParameters(rw io.ReadWriter, maxTries, recoveryTime, lockoutRecovery uint32, password string) error {
+	cmd, err := encodeSetDAParameters(maxTries, recoveryTime, lockoutRecovery, password)
+	if err != nil {
+		return err
+	}
+	_, err = runCommand(rw, TagSessions, cmdDictionaryAttackParameters, tpmutil.RawBytes(cmd))
+	return err
+}
+
+func encodeHierarchyChangeAuthParameters(hierarchy tpmutil.Handle, oldPassword, newPassword string) ([]byte, error) {
+	handle, err := tpmutil.Pack(hierarchy)
+	if err != nil {
+		return nil, err
+	}
+	auth, err := encodeAuthArea(AuthCommand{Session: HandlePasswordSession, Attributes: AttrContinueSession, Auth: []byte(oldPassword)})
+	if err != nil {
+		return nil, err
+	}
+	params, err := tpmutil.Pack(tpmutil.U16Bytes(newPassword))
+	if err != nil {
+		return nil, err
+	}
+	return concat(handle, auth, params)
+}
+
+func HierarchyChangeAuth(rw io.ReadWriter, hierarchy tpmutil.Handle, oldPassword, newPassword string) error {
+	cmd, err := encodeHierarchyChangeAuthParameters(hierarchy, oldPassword, newPassword)
+	if err != nil {
+		return err
+	}
+	_, err = runCommand(rw, TagSessions, cmdHierarchyChangeAuth, tpmutil.RawBytes(cmd))
+	return err
+}
+
 func decodeReadPublic(in []byte) (Public, []byte, []byte, error) {
 	var resp struct {
 		Public        tpmutil.U16Bytes

@@ -1363,3 +1363,56 @@ func TestCreatePrimaryRawTemplate(t *testing.T) {
 		t.Errorf("got key exponent %v, want %v", pubRSA.E, defaultKeyParams.RSAParameters.Exponent)
 	}
 }
+
+func TestClear(t *testing.T) {
+	rw := openTPM(t)
+	defer rw.Close()
+
+	rootHandle, _, err := CreatePrimary(rw, HandleOwner, pcrSelection7, emptyPassword, emptyPassword, defaultKeyParams)
+	if err != nil {
+		t.Fatalf("CreatePrimary failed: %v", err)
+	}
+	defer FlushContext(rw, rootHandle)
+
+	persistentHandle := tpmutil.Handle(0x817FFFFF)
+	// Evict persistent key, if there is one already (e.g. last test run failed).
+	if err := EvictControl(rw, emptyPassword, HandleOwner, persistentHandle, persistentHandle); err != nil {
+		t.Logf("(expected) EvictControl failed: %v", err)
+	}
+	// Make key persistent.
+	if err := EvictControl(rw, emptyPassword, HandleOwner, rootHandle, persistentHandle); err != nil {
+		t.Fatalf("EvictControl failed: %v", err)
+	}
+
+	if err := Clear(rw, HandleLockout, emptyPassword); err != nil {
+		if err := EvictControl(rw, emptyPassword, HandleOwner, persistentHandle, persistentHandle); err != nil {
+			t.Logf("EvictControl failed: %v", err)
+		}
+		t.Fatalf("Clear failed: %v", err)
+	}
+
+	vals, _, err := GetCapability(rw, CapabilityHandles, 1, uint32(persistentHandle))
+	if err != nil {
+		t.Fatalf("GetCapability failed: %v", err)
+	}
+
+	if len(vals) != 0 {
+		t.Errorf("Persistent handle wasn't cleared")
+	}
+}
+
+func TestHierarchyChangeAuth(t *testing.T) {
+	rw := openTPM(t)
+	defer rw.Close()
+
+	if err := HierarchyChangeAuth(rw, HandleOwner, emptyPassword, defaultPassword); err != nil {
+		t.Fatalf("HierarchyChangeAuth failed: %v", err)
+	}
+	defer HierarchyChangeAuth(rw, HandleOwner, defaultPassword, emptyPassword)
+
+	handle, _, err := CreatePrimary(rw, HandleOwner, pcrSelection7, defaultPassword, emptyPassword, defaultKeyParams)
+	if err != nil {
+		t.Errorf("CreatePrimary failed: %v", err)
+	}
+	FlushContext(rw, handle)
+}