how to use nv_read_public()?

[bingzhux]

I have a TPM NV handle value, e.g. 0x01500047, and I'm pretty sure that it is already created inside TPM.

However, I don't know how to call this nv_read_public() below by passing this handle value (0x01500047) as parameter, to get this nv's public information.

rust-tss-esapi/tss-esapi/src/context/tpm_commands/non_volatile_storage.rs

Line 458 in 2dfc315

pub fn nv_read_public(&mut self, nv_index_handle: NvIndexHandle) -> Result<(NvPublic, Name)> {

because this function requires a handle NvIndexHandle value, which is not the u32 value of 0x01500047.

I understand that, please correct me if I am wrong, we can use this code below to convert this u32 value to NvIndexTpmHandle value:
let nvtpmhandle = NvIndexTpmHandle::new(0x01500047).unwrap();

But now, the question is how to convert the value (nvtpmhandle) type of NvIndexTpmHandle to the type of NvIndexHandle, which is required to be passed into function nv_read_public()?

Actually, there are too many handles, which is quite confusing to me.
For example, NvIndexTpmHandle, NvIndexHandle, TpmHandle, ObjectHandle...

[Superhepper]

So if you want to skip to do the steps that are required when dealing with NV memory in the TPM, I suggest you look at abstractions feature where you have several functions which can help you dealing with NV memory.

About the handles yes. There are a lot of handles. Because the specification specifies a lot of handles and they can be a bit confusing. They are there in order to some extent mimic the specification.

ESAPI:
ObjectHandle - General handle type that can point to anything.
NvIndexHandle - A handle associated with a NV space. It is returned when the NV memory is defined and is used in all interactions with nv context methods.

TPM:
TpmHandle - A TPM handle as it is defined in the standard.
NvIndexTpmHandle - A Tpm,Handle in NV range of TPM Handles.

So how would one go about looking up a TPM handle then and start interacting with the NV memory?

Something like this.

1. Create NvTpmIndexHandle.

let nv_tpm_index_handle = NvIndexTpmHandle::new(0x01500047).expect("Failed to create nv index tom handle.");

2. Look up the object handle associated with this tpm handle and convert into an nv index handle.

let new_nv_index_handle = context
    .tr_from_tpm_public(nv_tpm_index_handle .into())
    .map(NvIndexHandle::from)
    .expect("Failed to retrieve nv index handle");

Now you have the handle needed in order to call the nv context methods.

I hope this helps.

[bingzhux]

Thank you so much. But with this code, i got an issue:

WARNING:esys:src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:209:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x00000982)
ERROR:esys:src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x00000982)
thread 'main' panicked at src/main.rs:62:10:
Failed to retrieve nv index handle: TssError(Tpm(FormatOne(TpmFormatOneResponseCode { error_number: Attributes, argument_number: Session(1) })))
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

the error code is 0x00000982, which is decoded as below. I've no idea what is "inconsistent attributes" here.

Format Error:
Session: 0x1
Error: TPM_RC_ATTRIBUTES
Description: inconsistent attributes

Here is my code snippet.

fn nv_test(){
    let mut context =
        Context::new(TctiNameConf::Mssim(Default::default())).expect("Failed to create Context");
    context
        .startup(StartupType::Clear)
        .expect("Failed to startup TPM2!");

    let session = context
        .start_auth_session(
            None,
            None,
            None,
            SessionType::Hmac,
            SymmetricDefinition::AES_256_CFB,
            HashingAlgorithm::Sha256,
        )
        .expect("Failed to create session")
        .expect("Received invalid handle");

    context.set_sessions((Some(session), None, None));

    let nv_tpm_handle =
        NvIndexTpmHandle::new(NV_HANDLE_VALUE).expect("Failed to create nv index tom handle.");

    let _new_nv_index_handle = context
        .tr_from_tpm_public(nv_tpm_handle.into())
        .map(NvIndexHandle::from)
        .expect("Failed to retrieve nv index handle");
}

I'm pretty sure my index 0x01500047 was created, because when I recreate it with nv_define_space(), I got an error code 0x0000014c (NV index or persisted object already defined).

[bingzhux]

looks like this same discussion here: #401

i will compare and check what's wrong here since the same answer works for #401

[bingzhux]

looks like if I remove the "session" code below from fn nv_test()

    let session = context
        .start_auth_session(
            None,
            None,
            None,
            SessionType::Hmac,
            SymmetricDefinition::AES_256_CFB,
            HashingAlgorithm::Sha256,
        )
        .expect("Failed to create session")
        .expect("Received invalid handle");

    context.set_sessions((Some(session), None, None));

then run the nv_test() again, it works as @Superhepper suggested.

Quite interesting. anyone can help explain this? Thank you.

[bingzhux]

maybe i knew the answer now. (please correct me?)

the function tr_from_tpm_public() depends on TPM2_NV_ReadPublic().

unlike TPM2_NV_Read(), TPM2_NV_ReadPublic() doesn't need session for calling, but in my original code, I set session before calling it.

More actually, I just checked this TPM2 spec, and found that NV_ReadPublic is the only function (among all the NV related functions) that may not need "session" to call.

[Superhepper]

No that is incorrect.

tr_from_tpm_public is the Context method wrapper for the ESAPI specific API Esys_TR_FromTPMPublic.
TSS Enhanced System API (ESAPI) Specification Version 1.00 Revision 14, Section 7.3

The Esys_TR_FromTPMPublic() function constructs an ESYS_TR object for a given TPM2_HANDLE.

I can be mistaken here but the way I see it is that the _ReadPublic functions does not give access to any confidential data so it is not required authenticate anything and therefor an auth session is not required. So in that part we agree.

[bingzhux]

Thanks for your info and help.