fapi: fix usage of policy_nv (3.2.x).

Currently it was not possible to define a policy nv with a TPM nv index.
the callback to get the public nv data related to the policy was extended
to get public nv data from the TPM in this case.
Addresses tpm2-software#2383.

Signed-off-by: Juergen Repp <juergen_repp@web.de>

src/tss2-fapi/fapi_int.h

@@ -145,6 +145,13 @@ enum IFAPI_CLEANUP_STATE {
     CLEANUP_SRK
 };
 
+/** The states for the FAPI's reading nv public*/
+enum IFAPI_READ_NV_PUBLIC_STATE {
+    READ_NV_PUBLIC_INIT = 0,
+    READ_NV_PUBLIC_GET_ESYS_TR,
+    READ_NV_PUBLIC_GET_PUBLIC
+};
+
 #define IFAPI_MAX_CAP_INFO 17
 
 typedef struct {
@@ -1137,6 +1144,7 @@ struct FAPI_CONTEXT {
     enum IFAPI_GET_CERT_STATE get_cert_state;
     enum _FAPI_FLUSH_STATE flush_object_state;  /**< The current state of a flush operation */
     enum IFAPI_CLEANUP_STATE cleanup_state;     /**< The state of cleanup after command execution */
+    enum IFAPI_READ_NV_PUBLIC_STATE read_nv_public_state;
     IFAPI_CONFIG config;             /**< The profile independent configuration data */
     UINT32 nv_buffer_max;            /**< The maximal size for transfer of nv buffer content */
     IFAPI_CMD_STATE cmd;             /**< The state information of the currently executed

src/tss2-fapi/ifapi_policy_callbacks.c

@@ -210,7 +210,11 @@ ifapi_get_object_name(
 
 /** Get public data of a NV object from keystore.
  *
- * @param[in] path The relative path of the NV object.
+ * @param[in] path The relative path of the NV object. The path will
+              be used to get the public from the keystore if no nv_index is
+              passed.
+ * @param[in] nv_index The index of the NV object. The index will be used to
+ *            get the public data if nv_index > 0.
  * @param[out] nv_public The caller allocated public structure.
  * @param[in,out] ctx The context to access io and keystore module and to store
  *                the io state.
@@ -238,42 +242,79 @@ ifapi_get_object_name(
 TSS2_RC
 ifapi_get_nv_public(
     const char *path,
+    TPMI_RH_NV_INDEX nv_index,
     TPM2B_NV_PUBLIC *nv_public,
     void *ctx)
 {
     TSS2_RC r = TSS2_RC_SUCCESS;
     IFAPI_OBJECT object;
     FAPI_CONTEXT *context = ctx;
+    TPM2B_NV_PUBLIC *nv_public_esys;
+    ESYS_TR esys_tr;
+
+    if (nv_index) {
+        switch (context->read_nv_public_state) {
+            statecase(context->read_nv_public_state, READ_NV_PUBLIC_INIT)
+                r = Esys_TR_FromTPMPublic_Async(context->esys, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE);
+                goto_if_error(r, "Error: tr from public", cleanup);
+                fallthrough;
+
+            statecase(context->read_nv_public_state, READ_NV_PUBLIC_GET_ESYS_TR)
+                r = Esys_TR_FromTPMPublic_Finish(context->esys, &esys_tr);
+                try_again_or_error_goto(r, "Error: tr from public finish", cleanup);
+
+                r = Esys_NV_ReadPublic_Async(context->esys, esys_tr,
+                                             ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE);
+                goto_if_error(r, "Error: nv read public async", cleanup);
+                fallthrough;
+
+            statecase(context->read_nv_public_state, READ_NV_PUBLIC_GET_PUBLIC)
+                r = Esys_NV_ReadPublic_Finish(context->esys,
+                                              &nv_public_esys,
+                                              NULL);
+                try_again_or_error_goto(r, "Error: nv read public finish", cleanup);
+
+                *nv_public = *nv_public_esys;
+                SAFE_FREE(nv_public_esys);
+                context->io_state = IO_INIT;
+                break;
 
-    switch (context->io_state) {
-    statecase(context->io_state, IO_INIT)
-        /* Prepare the loading of the NV object. */
-        r = ifapi_keystore_load_async(&context->keystore, &context->io, path);
-        return_if_error2(r, "Could not open: %s", path);
-        fallthrough;
-
-    statecase(context->io_state, IO_ACTIVE)
-        /* Finalize or retry the reading and check the object type */
-        r = ifapi_keystore_load_finish(&context->keystore, &context->io,
-                                       &object);
-        return_try_again(r);
-        return_if_error(r, "read_finish failed");
-
-        if (object.objectType != IFAPI_NV_OBJ) {
-            goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Object %s is not a key.",
-                       cleanup, path);
+            statecasedefault(context->state);
         }
 
-        *nv_public = object.misc.nv.public;
-        context->io_state = IO_INIT;
-        break;
+    } else {
+        switch (context->io_state) {
+            statecase(context->io_state, IO_INIT)
+                /* Prepare the loading of the NV object. */
+                r = ifapi_keystore_load_async(&context->keystore, &context->io, path);
+                return_if_error2(r, "Could not open: %s", path);
+                fallthrough;
+
+            statecase(context->io_state, IO_ACTIVE)
+                /* Finalize or retry the reading and check the object type */
+                r = ifapi_keystore_load_finish(&context->keystore, &context->io,
+                                               &object);
+                return_try_again(r);
+                return_if_error(r, "read_finish failed");
+
+                if (object.objectType != IFAPI_NV_OBJ) {
+                    goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Object %s is not a key.",
+                               cleanup, path);
+                }
 
-    statecasedefault(context->state);
+                *nv_public = object.misc.nv.public;
+                context->io_state = IO_INIT;
+                break;
+
+            statecasedefault(context->state);
+        }
     }
 
 cleanup:
     context->io_state = IO_INIT;
-    ifapi_cleanup_ifapi_object(&object);
+    if (!nv_index) {
+        ifapi_cleanup_ifapi_object(&object);
+    }
     return r;
 }
 

src/tss2-fapi/ifapi_policy_callbacks.h

@@ -53,6 +53,7 @@ ifapi_get_object_name(
 TSS2_RC
 ifapi_get_nv_public(
     const char *path,
+    TPMI_RH_NV_INDEX nv_index,
     TPM2B_NV_PUBLIC *nv_public,
     void *context);
 

src/tss2-fapi/ifapi_policy_instantiate.c

@@ -294,9 +294,9 @@ ifapi_policyeval_instantiate_finish(
                 break;
             }
 
-            CHECK_TEMPLATE_PATH(pol_element->element.PolicyNV.nvPath, "PolicyNv");
             /* Object name will be added to policy. */
             r = context->callbacks.cbnvpublic(pol_element->element.PolicyNV.nvPath,
+                                              pol_element->element.PolicyNV.nvIndex,
                                               &pol_element->element.PolicyNV.nvPublic,
                                               context->callbacks.cbnvpublic_userdata);
             return_try_again(r);
@@ -346,7 +346,7 @@ ifapi_policyeval_instantiate_finish(
             CHECK_TEMPLATE_PATH(pol_element->element.PolicyAuthorizeNv.nvPath,
                                 "PolicyAuthorizeNv");
             /* Object name will be added to policy. */
-            r = context->callbacks.cbnvpublic(pol_element->element.PolicyAuthorizeNv.nvPath,
+            r = context->callbacks.cbnvpublic(pol_element->element.PolicyAuthorizeNv.nvPath, 0,
                                               &pol_element->element.PolicyAuthorizeNv.nvPublic,
                                               context->callbacks.cbnvpublic_userdata);
             return_try_again(r);

src/tss2-fapi/ifapi_policy_instantiate.h

@@ -36,6 +36,7 @@ typedef TSS2_RC (*ifapi_policyeval_cbnvindex) (
 
 typedef TSS2_RC (*ifapi_policyeval_cbnvpublic) (
     const char *path,
+    TPMI_RH_NV_INDEX nv_index,
     TPM2B_NV_PUBLIC *nv_public,
     void *userdata);   /* e.g. for FAPI_CONTEXT */