
// SPDX-License-Identifier: MIT OR Apache-2.0 Copyright (c) 2025 Opinsys Oy
// Copyright (c) 2024-2025 Jarkko Sakkinen

//! 23 Enhanced Authorization (EA) Commands
//!
//! 23.3 `TPM2_PolicySigned`
//! 23.4 `TPM2_PolicySecret`
//! 23.5 `TPM2_PolicyTicket`
//! 23.6 `TPM2_PolicyOR`
//! 23.7 `TPM2_PolicyPCR`
//! 23.8 `TPM2_PolicyLocality`
//! 23.9 `TPM2_PolicyNV`
//! 23.10 `TPM2_PolicyCounterTimer`
//! 23.11 `TPM2_PolicyCommandCode`
//! 23.12 `TPM2_PolicyPhysicalPresence`
//! 23.13 `TPM2_PolicyCpHash`
//! 23.14 `TPM2_PolicyNameHash`
//! 23.15 `TPM2_PolicyDuplicationSelect`
//! 23.16 `TPM2_PolicyAuthorize`
//! 23.17 `TPM2_PolicyAuthValue`
//! 23.18 `TPM2_PolicyPassword`
//! 23.19 `TPM2_PolicyGetDigest`
//! 23.20 `TPM2_PolicyNvWritten`
//! 23.21 `TPM2_PolicyTemplate`
//! 23.22 `TPM2_PolicyAuthorizeNV`
//! 23.23 `TPM2_PolicyCapability`
//! 23.24 `TPM2_PolicyParameters`
//! 23.25 `TPM2_PolicyTransportSPDM`

30use crate::{
31    data::{
32        Tpm2bDigest, Tpm2bMaxBuffer, Tpm2bName, Tpm2bNonce, Tpm2bTimeout, TpmCap, TpmCc, TpmEo,
33        TpmaLocality, TpmiYesNo, TpmlDigest, TpmlPcrSelection, TpmtSignature, TpmtTkAuth,
34        TpmtTkVerified,
35    },
36    tpm_struct,
37};
38use core::fmt::Debug;
39
// TPM2_PolicySigned command (Part 3 §23.3). Field order follows the spec's
// handle area and then its parameter area. The `no_sessions`/`with_sessions`
// flags are interpreted by `tpm_struct!`, whose definition is not in this file.
// No `Default` derive here — presumably because `TpmtSignature` does not
// implement it (TODO confirm).
tpm_struct! (
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicySignedCommand,
    cc: TpmCc::PolicySigned,
    // Authorization comes from the `auth` signature below rather than from a
    // session, which is consistent with allowing a no-sessions command.
    no_sessions: true,
    with_sessions: true,
    handles: {
        // Object whose key must have produced `auth`.
        pub auth_object: crate::data::TpmiDhObject,
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub nonce_tpm: Tpm2bNonce,
        pub cp_hash_a: Tpm2bDigest,
        pub policy_ref: Tpm2bNonce,
        // Signed 32-bit value (INT32 in the spec); the only non-buffer parameter.
        pub expiration: i32,
        // Signature the TPM verifies against `auth_object`; see §23.3 for what it
        // must cover.
        pub auth: TpmtSignature,
    }
);
59
// TPM2_PolicySigned response (Part 3 §23.3): a timeout plus an authorization
// ticket that can later be replayed through TPM2_PolicyTicket.
// NOTE(review): the matching command sets `no_sessions: true` while this
// response sets `false`; confirm whether the response flag is meant to mirror
// the command's.
tpm_struct! (
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Response,
    name: TpmPolicySignedResponse,
    cc: TpmCc::PolicySigned,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {
        pub timeout: Tpm2bTimeout,
        pub policy_ticket: TpmtTkAuth,
    }
);
73
// TPM2_PolicySecret command (Part 3 §23.4). Same parameter set as
// TPM2_PolicySigned minus the signature: here the proof is the authorization
// session for `auth_handle`, which is consistent with `no_sessions: false`.
tpm_struct! (
    #[derive(Debug, Default, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicySecretCommand,
    cc: TpmCc::PolicySecret,
    no_sessions: false,
    with_sessions: true,
    handles: {
        // Entity whose authValue is being proven.
        pub auth_handle: crate::data::TpmiDhObject,
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub nonce_tpm: Tpm2bNonce,
        pub cp_hash_a: Tpm2bDigest,
        pub policy_ref: Tpm2bNonce,
        // Signed 32-bit value (INT32 in the spec).
        pub expiration: i32,
    }
);
92
// TPM2_PolicySecret response (Part 3 §23.4).
// NOTE(review): declared with no parameters, whereas TpmPolicySignedResponse
// above carries `timeout` and `policy_ticket`; confirm against §23.4 whether
// this response is really parameterless.
tpm_struct! (
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicySecretResponse,
    cc: TpmCc::PolicySecret,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
);
103
// TPM2_PolicyTicket command (Part 3 §23.5): replays a ticket produced by an
// earlier TPM2_PolicySigned / TPM2_PolicySecret. Only `policy_session` is
// supplied, and the command is allowed without sessions.
tpm_struct! (
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyTicketCommand,
    cc: TpmCc::PolicyTicket,
    no_sessions: true,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub timeout: Tpm2bTimeout,
        pub cp_hash_a: Tpm2bDigest,
        pub policy_ref: Tpm2bNonce,
        // Name of the object that authorized the original ticket.
        pub auth_name: Tpm2bName,
        pub ticket: TpmtTkAuth,
    }
);
122
// TPM2_PolicyTicket response (Part 3 §23.5): no handles, no parameters.
// NOTE(review): command is `no_sessions: true`, response is `false`; confirm
// whether the response flag should mirror the command's.
tpm_struct! (
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyTicketResponse,
    cc: TpmCc::PolicyTicket,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
);
133
// TPM2_PolicyOR command (Part 3 §23.6). Single handle (`policy_session`) and a
// list of candidate policy digests; allowed without sessions.
tpm_struct! (
    #[derive(Debug, Default, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyOrCommand,
    cc: TpmCc::PolicyOR,
    no_sessions: true,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub p_hash_list: TpmlDigest,
    }
);
148
// TPM2_PolicyOR response (Part 3 §23.6): no handles, no parameters.
// NOTE(review): command is `no_sessions: true`, response is `false`; confirm
// whether the response flag should mirror the command's.
tpm_struct! (
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyOrResponse,
    cc: TpmCc::PolicyOR,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
);
159
// TPM2_PolicyPCR command (Part 3 §23.7): binds the policy to a PCR selection
// and (optionally empty) expected digest over those PCRs.
// NOTE(review): `no_sessions: false` here, but TpmPolicyOrCommand — whose only
// handle is likewise `policy_session` — uses `true`. The same discrepancy
// appears in every later policy_session-only command in this file; confirm
// which value is intended.
tpm_struct! (
    #[derive(Debug, Default, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyPcrCommand,
    cc: TpmCc::PolicyPcr,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub pcr_digest: Tpm2bDigest,
        pub pcrs: TpmlPcrSelection,
    }
);
175
// TPM2_PolicyPCR response (Part 3 §23.7): no handles, no parameters.
tpm_struct! (
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyPcrResponse,
    cc: TpmCc::PolicyPcr,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
);
186
// TPM2_PolicyLocality command (Part 3 §23.8): restricts the policy to the
// given locality attribute set. `Copy` is derived because every field is a
// small fixed-size value.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! (
    #[derive(Debug, PartialEq, Eq, Copy, Clone)]
    kind: Command,
    name: TpmPolicyLocalityCommand,
    cc: TpmCc::PolicyLocality,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub locality: TpmaLocality,
    }
);
201
// TPM2_PolicyLocality response (Part 3 §23.8): no handles, no parameters.
tpm_struct! (
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyLocalityResponse,
    cc: TpmCc::PolicyLocality,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
);
212
// TPM2_PolicyNV command (Part 3 §23.9): compares NV index contents at `offset`
// against `operand_b` using `operation`. `auth_handle` must be authorized, so
// `no_sessions: false` is expected here.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyNvCommand,
    cc: TpmCc::PolicyNv,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub auth_handle: crate::data::TpmiDhObject,
        // NOTE(review): bare u32, unlike the other handles in this file which
        // use `crate::data::Tpmi*` types — presumably no TPMI_RH_NV_INDEX range
        // check happens at the type level; confirm whether a typed handle exists.
        pub nv_index: u32,
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub operand_b: Tpm2bMaxBuffer,
        pub offset: u16,
        pub operation: TpmEo,
    }
}
231
// TPM2_PolicyNV response (Part 3 §23.9): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyNvResponse,
    cc: TpmCc::PolicyNv,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
242
// TPM2_PolicyCounterTimer command (Part 3 §23.10). Same
// (`operand_b`, `offset`, `operation`) parameter triple as TPM2_PolicyNV, but
// without an `auth_handle`/`nv_index`.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyCounterTimerCommand,
    cc: TpmCc::PolicyCounterTimer,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub operand_b: Tpm2bMaxBuffer,
        pub offset: u16,
        pub operation: TpmEo,
    }
}
259
// TPM2_PolicyCounterTimer response (Part 3 §23.10): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyCounterTimerResponse,
    cc: TpmCc::PolicyCounterTimer,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
270
// TPM2_PolicyCommandCode command (Part 3 §23.11): limits the policy to a
// single command code. Derive list is `Clone, Copy` here versus `Copy, Clone`
// elsewhere in the file — cosmetic only.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy)]
    kind: Command,
    name: TpmPolicyCommandCodeCommand,
    cc: TpmCc::PolicyCommandCode,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub code: TpmCc,
    }
}
285
// TPM2_PolicyCommandCode response (Part 3 §23.11): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyCommandCodeResponse,
    cc: TpmCc::PolicyCommandCode,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
296
// TPM2_PolicyPhysicalPresence command (Part 3 §23.12): handle only, no
// parameters.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Command,
    name: TpmPolicyPhysicalPresenceCommand,
    cc: TpmCc::PolicyPhysicalPresence,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {}
}
309
// TPM2_PolicyPhysicalPresence response (Part 3 §23.12): no handles, no
// parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyPhysicalPresenceResponse,
    cc: TpmCc::PolicyPhysicalPresence,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
320
// TPM2_PolicyCpHash command (Part 3 §23.13): binds the policy to a specific
// command-parameter hash.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! (
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyCpHashCommand,
    cc: TpmCc::PolicyCpHash,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub cp_hash_a: Tpm2bDigest,
    }
);
335
// TPM2_PolicyCpHash response (Part 3 §23.13): no handles, no parameters.
tpm_struct! (
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyCpHashResponse,
    cc: TpmCc::PolicyCpHash,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
);
346
// TPM2_PolicyNameHash command (Part 3 §23.14): binds the policy to a hash of
// the handles' Names.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyNameHashCommand,
    cc: TpmCc::PolicyNameHash,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub name_hash: Tpm2bDigest,
    }
}
361
// TPM2_PolicyNameHash response (Part 3 §23.14): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyNameHashResponse,
    cc: TpmCc::PolicyNameHash,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
372
// TPM2_PolicyDuplicationSelect command (Part 3 §23.15): restricts duplication
// to a specific new parent (and optionally a specific object).
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyDuplicationSelectCommand,
    cc: TpmCc::PolicyDuplicationSelect,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub object_name: Tpm2bName,
        pub new_parent_name: Tpm2bName,
        // YES/NO selector for whether `object_name` is included in the policy.
        pub include_object: TpmiYesNo,
    }
}
389
// TPM2_PolicyDuplicationSelect response (Part 3 §23.15): no handles, no
// parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyDuplicationSelectResponse,
    cc: TpmCc::PolicyDuplicationSelect,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
400
// TPM2_PolicyAuthorize command (Part 3 §23.16): accepts a policy digest that
// has been signed by the key named in `key_sign`, as attested by
// `check_ticket` (a TPMT_TK_VERIFIED produced by TPM2_VerifySignature).
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyAuthorizeCommand,
    cc: TpmCc::PolicyAuthorize,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub approved_policy: Tpm2bDigest,
        pub policy_ref: Tpm2bNonce,
        pub key_sign: Tpm2bName,
        pub check_ticket: TpmtTkVerified,
    }
}
418
// TPM2_PolicyAuthorize response (Part 3 §23.16): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyAuthorizeResponse,
    cc: TpmCc::PolicyAuthorize,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
429
// TPM2_PolicyAuthValue command (Part 3 §23.17): handle only, no parameters.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Command,
    name: TpmPolicyAuthValueCommand,
    cc: TpmCc::PolicyAuthValue,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {}
}
442
// TPM2_PolicyAuthValue response (Part 3 §23.17): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyAuthValueResponse,
    cc: TpmCc::PolicyAuthValue,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
453
// TPM2_PolicyPassword command (Part 3 §23.18): handle only, no parameters.
// Same wire shape as TpmPolicyAuthValueCommand; only `cc` differs.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Command,
    name: TpmPolicyPasswordCommand,
    cc: TpmCc::PolicyPassword,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {}
}
466
// TPM2_PolicyPassword response (Part 3 §23.18): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyPasswordResponse,
    cc: TpmCc::PolicyPassword,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
477
// TPM2_PolicyGetDigest response (Part 3 §23.19): returns the session's current
// policy digest. Declared before its command, unlike every other pair in this
// file (cosmetic; consider swapping the order).
// NOTE(review): command is `no_sessions: true`, response is `false`; confirm
// whether the response flag should mirror the command's.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Clone)]
    kind: Response,
    name: TpmPolicyGetDigestResponse,
    cc: TpmCc::PolicyGetDigest,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {
        pub policy_digest: Tpm2bDigest,
    }
}
490
// TPM2_PolicyGetDigest command (Part 3 §23.19): handle only, no parameters;
// allowed without sessions.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Command,
    name: TpmPolicyGetDigestCommand,
    cc: TpmCc::PolicyGetDigest,
    no_sessions: true,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {}
}
503
// TPM2_PolicyNvWritten command (Part 3 §23.20): asserts whether the NV index
// the session will be used with has been written.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Copy, Clone)]
    kind: Command,
    name: TpmPolicyNvWrittenCommand,
    cc: TpmCc::PolicyNvWritten,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        // YES/NO selector; no `Default` derive, presumably because `TpmiYesNo`
        // does not implement it (TODO confirm).
        pub written_set: TpmiYesNo,
    }
}
518
// TPM2_PolicyNvWritten response (Part 3 §23.20): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyNvWrittenResponse,
    cc: TpmCc::PolicyNvWritten,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
529
// TPM2_PolicyTemplate command (Part 3 §23.21): binds the policy to a hash of
// the public template of an object to be created.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyTemplateCommand,
    cc: TpmCc::PolicyTemplate,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub template_hash: Tpm2bDigest,
    }
}
544
// TPM2_PolicyTemplate response (Part 3 §23.21): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyTemplateResponse,
    cc: TpmCc::PolicyTemplate,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
555
// TPM2_PolicyAuthorizeNV command (Part 3 §23.22): like TPM2_PolicyAuthorize,
// but the approved policy is read from an NV index instead of being passed
// with a ticket, so this command has no parameter area. `auth_handle` must be
// authorized, so `no_sessions: false` is expected here.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Command,
    name: TpmPolicyAuthorizeNvCommand,
    cc: TpmCc::PolicyAuthorizeNv,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub auth_handle: crate::data::TpmiDhObject,
        // NOTE(review): bare u32 as in TpmPolicyNvCommand, unlike the other
        // `crate::data::Tpmi*`-typed handles; confirm whether a typed NV-index
        // handle exists.
        pub nv_index: u32,
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {}
}
570
// TPM2_PolicyAuthorizeNV response (Part 3 §23.22): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyAuthorizeNvResponse,
    cc: TpmCc::PolicyAuthorizeNv,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
581
// TPM2_PolicyCapability command (Part 3 §23.23): compares a TPM capability
// property value against `operand_b` using `op`. Note the parameter order
// differs from TPM2_PolicyNV / TPM2_PolicyCounterTimer — here the operator
// precedes the operand, and the field is named `op` rather than `operation`.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyCapabilityCommand,
    cc: TpmCc::PolicyCapability,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub capability: TpmCap,
        pub property: u32,
        pub op: TpmEo,
        pub operand_b: Tpm2bMaxBuffer,
    }
}
599
// TPM2_PolicyCapability response (Part 3 §23.23): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyCapabilityResponse,
    cc: TpmCc::PolicyCapability,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
610
// TPM2_PolicyParameters command (Part 3 §23.24): binds the policy to a hash of
// the command parameters (`p_hash`).
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyParametersCommand,
    cc: TpmCc::PolicyParameters,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub p_hash: Tpm2bDigest,
    }
}
625
// TPM2_PolicyParameters response (Part 3 §23.24): no handles, no parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyParametersResponse,
    cc: TpmCc::PolicyParameters,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}
636
// TPM2_PolicyTransportSPDM command (Part 3 §23.25): binds the policy to the
// Names of the requester key and the TPM key of an SPDM transport session.
// NOTE(review): `no_sessions: false` differs from TpmPolicyOrCommand, whose
// only handle is also `policy_session`; confirm intended.
tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    kind: Command,
    name: TpmPolicyTransportSpdmCommand,
    cc: TpmCc::PolicyTransportSpdm,
    no_sessions: false,
    with_sessions: true,
    handles: {
        pub policy_session: crate::data::TpmiShAuthSession,
    },
    parameters: {
        pub req_key_name: Tpm2bName,
        pub tpm_key_name: Tpm2bName,
    }
}
652
// TPM2_PolicyTransportSPDM response (Part 3 §23.25): no handles, no
// parameters.
tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Copy, Clone)]
    kind: Response,
    name: TpmPolicyTransportSpdmResponse,
    cc: TpmCc::PolicyTransportSpdm,
    no_sessions: false,
    with_sessions: true,
    handles: {},
    parameters: {}
}