From e838fc836b93f4e7a27e2248ca9eafc8bda51e91 Mon Sep 17 00:00:00 2001
From: Hendrik Hagendorn
Date: Mon, 1 Apr 2024 12:59:29 +0200
Subject: [PATCH] feat: add HierarchyChangeAuth command

see definition in Part 3, Commands, section 24.8
---
 tpm2/test/hierarchy_change_auth_test.go | 65 +++++++++++++++++++++++++
 tpm2/tpm2.go | 24 +++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 tpm2/test/hierarchy_change_auth_test.go

diff --git a/tpm2/test/hierarchy_change_auth_test.go b/tpm2/test/hierarchy_change_auth_test.go
new file mode 100644
index 00000000..c7ae382e
--- /dev/null
+++ b/tpm2/test/hierarchy_change_auth_test.go
@@ -0,0 +1,65 @@
+package tpm2test
+
+import (
+	"errors"
+	"testing"
+
+	. "github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/tpm2/transport/simulator"
+)
+
+func TestHierarchyChangeAuth(t *testing.T) {
+	thetpm, err := simulator.OpenSimulator()
+	if err != nil {
+		t.Fatalf("could not connect to TPM simulator: %v", err)
+	}
+	defer thetpm.Close()
+
+	authKey := []byte("authkey")
+	newAuthKey := []byte("newAuthKey")
+
+	t.Run("HierarchyChangeAuthOwner", func(t *testing.T) {
+		hca := HierarchyChangeAuth{
+			AuthHandle: TPMRHOwner,
+			NewAuth: TPM2BAuth{
+				Buffer: authKey,
+			},
+		}
+
+		_, err := hca.Execute(thetpm)
+		if err != nil {
+			t.Errorf("failed HierarchyChangeAuth: %v", err)
+		}
+	})
+
+	t.Run("HierarchyChangeAuthOwnerUnauth", func(t *testing.T) {
+		hca := HierarchyChangeAuth{
+			AuthHandle: TPMRHOwner,
+			NewAuth: TPM2BAuth{
+				Buffer: newAuthKey,
+			},
+		}
+
+		_, err := hca.Execute(thetpm)
+		if !errors.Is(err, TPMRCBadAuth) {
+			t.Errorf("failed HierarchyChangeAuthWithoutAuth: want TPM_RC_BAD_AUTH, got %v", err)
+		}
+	})
+
+	t.Run("HierarchyChangeAuthOwnerAuth", func(t *testing.T) {
+		hca := HierarchyChangeAuth{
+			AuthHandle: AuthHandle{
+				Handle: TPMRHOwner,
+				Auth: PasswordAuth(authKey),
+			},
+			NewAuth: TPM2BAuth{
+				Buffer: newAuthKey,
+			},
+		}
+
+		_, err := hca.Execute(thetpm)
+		if err != nil {
+			t.Errorf("failed HierarchyChangeAuthWithAuth: %v", err)
+		}
+	})
+}
diff --git a/tpm2/tpm2.go b/tpm2/tpm2.go
index 40c61160..23157ffb 100644
--- a/tpm2/tpm2.go
+++ b/tpm2/tpm2.go
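Review bot: The three subtests are order-dependent — `HierarchyChangeAuthOwnerUnauth` and `HierarchyChangeAuthOwnerAuth` only mean anything once `HierarchyChangeAuthOwner` has set the owner auth to `authKey`, yet that first subtest reports failure with `t.Errorf` and lets the later ones run, so one simulator problem surfaces as three misleading failures. Use `t.Fatalf("failed HierarchyChangeAuth: %v", err)` in the first subtest, or run the three commands as one sequence that stops at the first error. It would also be cleaner to finish by changing the owner auth back to an empty buffer (authorized with `PasswordAuth(newAuthKey)`), so the test leaves the TPM in its default state and the third subtest's success is exercised once more in the other direction. Note that `PasswordAuth` sends `NewAuth` to the simulator unencrypted, which is acceptable here but means this test does not cover the parameter-encryption path a production caller of this command would use.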
@@ -1518,6 +1518,30 @@ func (cmd Clear) Execute(t transport.TPM, s ...Session) (*ClearResponse, error)
 // ClearResponse is the response from TPM2_Clear.
 type ClearResponse struct{}
 
+// HierarchyChangeAuth is the input to TPM2_HierarchyChangeAuth.
+// See definition in Part 3, Commands, section 24.8
+type HierarchyChangeAuth struct {
+	// TPM_RH_ENDORSEMENT, TPM_RH_LOCKOUT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}
+	AuthHandle handle `gotpm:"handle,auth"`
+	// new authorization value
+	NewAuth TPM2BAuth
+}
+
+// Command implements the Command interface.
+func (HierarchyChangeAuth) Command() TPMCC { return TPMCCHierarchyChanegAuth }
+
+// Execute executes the command and returns the response.
+func (cmd HierarchyChangeAuth) Execute(t transport.TPM, s ...Session) (*HierarchyChangeAuthResponse, error) {
+	var rsp HierarchyChangeAuthResponse
+	if err := execute[HierarchyChangeAuthResponse](t, cmd, &rsp, s...); err != nil {
+		return nil, err
+	}
+	return &rsp, nil
+}
+
+// HierarchyChangeAuthResponse is the response from TPM2_HierarchyChangeAuth.
+type HierarchyChangeAuthResponse struct{}
+
 // ContextSave is the input to TPM2_ContextSave.
 // See definition in Part 3, Commands, section 28.2
 type ContextSave struct {
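Review bot: The `// new authorization value` comment on `NewAuth` leaves out the two properties a caller of this command needs to know: the value is a plain command parameter, so it crosses the TPM bus in the clear unless the authorization session enables command-parameter encryption (an `HMAC` session with `AESEncryption(128, EncryptIn)` in this package), and, as I read Part 3 §24.8, the TPM answers TPM_RC_SIZE when the buffer is larger than the digest size of its context-integrity hash. A comment along the lines of `// NewAuth is the new authorization value for the hierarchy. It is sent as a command parameter, so use a session with parameter encryption to keep it off the bus; its size may not exceed the TPM's context-integrity digest size.` would capture both. Separately, `Command()` returns `TPMCCHierarchyChanegAuth`, which carries a typo in the constant name; assuming that is how the constant is already declared elsewhere in the package, this is a good moment to add a correctly spelled constant with the same value rather than spread the misspelling to new call sites.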