Errata 1 to rev. 1.38

TPMCmd/Platform/include/PlatformData.h

@@ -67,11 +67,18 @@ extern BOOL              s_timerReset;
 // This value indicates that the timer was stopped. It causes a clock discontinuity.
 extern BOOL              s_timerStopped;
 
-// Assume that the nominal divisor is 30000
+// CLOCK_NOMINAL is the number of hardware ticks per mS. A value of 300000 means 
+// that the nominal clock rate used to drive the hardware clock is 30 MHz. The
+// adjustment rates are used to determine the conversion of the hardware ticks to
+// internal hardware clock value. In practice, we would expect that there woudl be
+// a hardware register will accumulated mS. It would be incremented by the output
+// of a pre-scaler. The pre-scaler would divide the ticks from the clock by some
+// value that would compensate for the difference between clock time and real time.
+// The code in Clock does the emulation of this function. 
 #define     CLOCK_NOMINAL           30000
 // A 1% change in rate is 300 counts
 #define     CLOCK_ADJUST_COARSE     300
-// A .1 change in rate is 30 counts
+// A 0.1% change in rate is 30 counts
 #define     CLOCK_ADJUST_MEDIUM     30
 // A minimum change in rate is 1 count
 #define     CLOCK_ADJUST_FINE       1

TPMCmd/Platform/src/Clock.c

@@ -53,7 +53,8 @@
 
 //***_plat__TimerReset()
 // This function sets current system clock time as t0 for counting TPM time.
-// This function is called at a power on event to reset the clock.
+// This function is called at a power on event to reset the clock. When the clock
+// is reset, the indication that the clock was stopped is also set.
 LIB_EXPORT void
 _plat__TimerReset(
     void
@@ -115,9 +116,6 @@ _plat__TimerRead(
     clock_t         timeDiff;
     uint64_t        adjusted;
 
-#   define  TOP     (THOUSAND * CLOCK_NOMINAL)
-#   define  BOTTOM  ((uint64_t)s_adjustRate * CLOCKS_PER_SEC)
-
     // Save the value previously read from the system clock
     timeDiff = s_realTimePrevious;
     // update with the current value of the system clock
@@ -137,14 +135,16 @@ _plat__TimerRead(
     timeDiff = s_realTimePrevious - timeDiff;
 
     // Do the time rate adjustment and conversion from CLOCKS_PER_SEC to mSec
-    adjusted = (((uint64_t)timeDiff * TOP) / BOTTOM);
+    adjusted = (((uint64_t)timeDiff * (THOUSAND * CLOCK_NOMINAL)) 
+                / ((uint64_t)s_adjustRate * CLOCKS_PER_SEC));
 
     s_tpmTime += (clock_t)adjusted;
 
     // Might have some rounding error that would loose CLOCKS. See what is not
     // being used. As mentioned above, this could result in putting back more than
     // is taken out
-    adjusted = (adjusted * BOTTOM) / TOP;
+    adjusted = (adjusted * ((uint64_t)s_adjustRate * CLOCKS_PER_SEC)) 
+        / (THOUSAND * CLOCK_NOMINAL);
 
     // If adjusted is not the same as timeDiff, then there is some rounding
     // error that needs to be pushed back into the previous sample.

TPMCmd/Platform/src/RunCommand.c

@@ -51,7 +51,7 @@
 #include "PlatformData.h"
 #include "Platform_fp.h"
 #include <setjmp.h>
-#include <ExecCommand_fp.h>
+#include "ExecCommand_fp.h"
 
 jmp_buf              s_jumpBuffer;
 

TPMCmd/tpm/include/Global.h

@@ -532,12 +532,7 @@ extern CLOCK_NONCE       g_timeEpoch;
 #else
 #define g_timeEpoch      gp.timeEpoch
 #endif
-
-//*** g_timeNewEpochNeeded
-// This flag is SET at startup if a new timer nonce is needed. This flag will cause
-// a new g_timeEpoch to be generated if it is needed by any of the ticket functions.
-extern BOOL             g_timeNewEpochNeeded;
-
+
 
 //*** g_phEnable
 // This is the platform hierarchy control and determines if the platform hierarchy
@@ -872,8 +867,21 @@ typedef struct orderly_data
     // accumulate.
     DRBG_STATE          drbgState;
 
+// These values allow the accumulation of self-healing time across orderly shutdown
+// of the TPM.
+#ifdef ACCUMULATE_SELF_HEAL_TIMER 
+    UINT64              selfHealTimer;  // current value of s_selfHealTimer
+    UINT64              lockoutTimer;   // current value of s_lockoutTimer
+    UINT64              time;           // current value of g_time at shutdown
+#endif // ACCUMULATE_SELF_HEAL_TIMER
+
 } ORDERLY_DATA;
 
+#ifdef ACCUMULATE_SELF_HEAL_TIMER
+#define     s_selfHealTimer     go.selfHealTimer
+#define     s_lockoutTimer      go.lockoutTimer
+#endif  // ACCUMULATE_SELF_HEAL_TIMER
+
 #  define drbgDefault go.drbgState
 
 extern ORDERLY_DATA     go;
@@ -1212,11 +1220,13 @@ extern BOOL             s_DAPendingOnNV;
 //*****************************************************************************
 // This variable holds the accumulated time since the last time
 // that 'failedTries' was decremented. This value is in millisecond.
+#ifndef ACCUMULATE_SELF_HEAL_TIMER
 extern UINT64       s_selfHealTimer;
 
 // This variable holds the accumulated time that the lockoutAuth has been
 // blocked.
 extern UINT64       s_lockoutTimer;
+#endif // ACCUMULATE_SELF_HEAL_TIMER
 
 #endif // DA_C
 

TPMCmd/tpm/include/GpMacros.h

@@ -46,10 +46,10 @@
 #include "swap.h"
 #include "VendorString.h"
 
-#ifdef SELF_TEST
 
 //** For Self-test
 // These macros are used in CryptUtil to invoke the incremental self test.
+#ifdef SELF_TEST
 #   define     TEST(alg) if(TEST_BIT(alg, g_toTest)) CryptTestAlgorithm(alg, NULL)
 
 // Use of TPM_ALG_NULL is reserved for RSAEP/RSADP testing. If someone is wanting
@@ -71,7 +71,7 @@
 #endif
 
 #ifdef NO_FAIL_TRACE
-#   define FAIL(errorCode) (TmpFAIL(errorCode))
+#   define FAIL(errorCode) (TpmFail(errorCode))
 #else
 #   define FAIL(errorCode) (TpmFail(FUNCTION_NAME, __LINE__, errorCode))
 #endif
@@ -90,27 +90,25 @@
 #endif
 
 // This macro tests that a condition is TRUE and puts the TPM into failure mode
-// if it is not. If longjmp is being used, then the FAIL(FATAL_ERROR_) macro makes a call from
-// which there is no return. Otherwise, it returns and the function will exit
-// with the appropriate return code.
+// if it is not. If longjmp is being used, then the FAIL(FATAL_ERROR_) macro makes 
+// a call from which there is no return. Otherwise, it returns and the function 
+// will exit with the appropriate return code.
 #define REQUIRE(condition, errorCode, returnCode)       \
     {                                                   \
         if(!!(condition))                               \
         {                                               \
-            FAIL(FATAL_ERROR_errorCode);                            \
+            FAIL(FATAL_ERROR_errorCode);                \
             FAIL_RETURN(returnCode);                    \
         }                                               \
     }
 
 #define PARAMETER_CHECK(condition, returnCode)          \
     REQUIRE((condition), PARAMETER, returnCode)
 
-#if defined(EMPTY_ASSERT)
+#if defined EMPTY_ASSERT
 #   define pAssert(a)  ((void)0)
 #else
-// The additional parameter following FAIL(FATAL_ERROR_) is so that the expression within
-// parenthesis has an lvalue. FAIL has no value so the expression is not complete.
-#   define pAssert(a) (!!(a) ? 1 : (FAIL(FATAL_ERROR_PARAMETER), 0))
+#   define pAssert(a) {if(!(a)) FAIL(FATAL_ERROR_PARAMETER);}
 #endif
 
 //** Derived from Vendor-specific values
@@ -123,7 +121,7 @@
 
 //** Compile-time Checks
 // In some cases, the relationship between two values may be dependent
-// on things that change based on various selections like the chosen crypto
+// on things that change based on various selections like the chosen cryptographic
 // libraries. It is possible that these selections will result in incompatible
 // settings. These are often detectable by the compiler but it isn't always 
 // possible to do the check in the preprocessor code. For example, when the
@@ -223,18 +221,19 @@
 #define CONTEXT_ENCRYPT_KEY_BYTES       ((CONTEXT_ENCRYPT_KEY_BITS+7)/8)
 #endif
 
-#ifndef MAX_ECC_KEY_BYTES
-#define MAX_ECC_KEY_BYTES 0
-#endif
-
-// Handle case when no ecc is defined
-#ifndef MAX_ECC_KEY_BYTES
-#   define MAX_ECC_KEY_BYTES    MAX_DIGEST_SIZE
+#if ALG_ECC
+#   define LABEL_MAX_BUFFER MAX_ECC_KEY_BYTES
+#else
+#   define LABEL_MAX_BUFFER MAX_DIGEST_SIZE
 #endif
-#define LABEL_MAX_BUFFER   MIN(MAX_ECC_KEY_BYTES, MAX_DIGEST_SIZE)
 
-#if LABEL_MAX_BUFFER < 32
-#error "The size allowed for the label is not large enough for interoperability."
-#endif
+// This bit is used to indicate that an authorization ticket expires on TPM Reset
+// and TPM Restart.It is added to the timeout value returned by TPM2_PoliySigned()
+// and TPM2_PolicySecret() and used by TPM2_PolicyTicket(). The timeout value is 
+// relative to Time (g_time). Time is reset whenever the TPM loses power and cannot
+// be moved forward by the user (as can Clock). g_time is a 64-bit value expressing
+// time in ms. Sealing the MSb for a flag means that the TPM needs to be reset
+// at least once every 292,471,208 years rather than once every 584,942,417 years.
+#define EXPIRATION_BIT ((UINT64)1 << 63)
 
 #endif // GP_MACROS_H

TPMCmd/tpm/include/TpmBuildSwitches.h

@@ -149,7 +149,7 @@
 #ifndef NDEBUG
 
 // In some cases, the relationship between two values may be dependent
-// on things that change based on various selections like the chosen crypto
+// on things that change based on various selections like the chosen cryptographic
 // libraries. It is possible that these selections will result in incompatible
 // settings. These are often detectable by the compiler but it isn't always 
 // possible to do the check in the preprocessor code. For example, when the
@@ -176,6 +176,18 @@
 //#  define DRBG_DEBUG_PRINT
 #endif
 
+// If an assertion event it not going to produce any trace information (function and
+// line number) then define NO_FAIL_TRACE
+#ifndef NO_FAIL_TRACE
+//#   define NO_FAIL_TRACE
+#endif
+
 #endif // NDEBUG
 
+// If the implementation is going to give lockout time credit for time up to the
+// last orderly shutdown, then uncomment this variable
+#ifndef ACCUMULATE_SELF_HEAL_TIMER
+#define ACCUMULATE_SELF_HEAL_TIMER
+#endif // ACCUMULATE_SELF_HEAL_TIMER
+
 #endif // _TPM_BUILD_SWITCHES_H_

TPMCmd/tpm/include/TpmTypes.h

@@ -58,9 +58,9 @@ typedef  UINT32             TPM_SPEC;
 #define  TPM_SPEC_LEVEL          (TPM_SPEC)(SPEC_LEVEL)
 #define  SPEC_VERSION            138
 #define  TPM_SPEC_VERSION        (TPM_SPEC)(SPEC_VERSION)
-#define  SPEC_YEAR               2016
+#define  SPEC_YEAR               2017
 #define  TPM_SPEC_YEAR           (TPM_SPEC)(SPEC_YEAR)
-#define  SPEC_DAY_OF_YEAR        273
+#define  SPEC_DAY_OF_YEAR        61
 #define  TPM_SPEC_DAY_OF_YEAR    (TPM_SPEC)(SPEC_DAY_OF_YEAR)
 
 // Table 2:7 - Definition of TPM_GENERATED Constants  (EnumTable)

TPMCmd/tpm/include/VendorString.h

@@ -75,7 +75,7 @@ string.
 // A vendor-specific FIRMWARE_V1 is required here. It is
 // the more significant 32-bits of a vendor-specific value
 // indicating the version of the firmware
-//#define   FIRMWARE_V1         (0x20160929)
+//#define   FIRMWARE_V1         (0x20170302)
 
 // A vendor-specific FIRMWARE_V2 may be provided here. If present, it is the less 
 // significant 32-bits of the version of the firmware. 

TPMCmd/tpm/include/prototypes/BnConvert_fp.h

@@ -34,7 +34,7 @@
  */
 /*(Auto)
     Automatically Generated by TpmPrototypes version 2.2 February 10, 2016 
-    Date: Sep 22, 2016 Time: 05:27:05 PM  
+    Date: Dec 12, 2016 Time: 03:42:13 PM  
 */
 
 #ifndef    _BNCONVERT_FP_H_
@@ -76,6 +76,11 @@ BnFromHex(
 // normalized value. If  'size' is an input 0, then the receiving buffer is
 // guaranteed to be large enough for the result and the size will be set to the
 // size required for bigNum (leading zeros suppressed).
+//
+// The conversion for a little-endian machine simply requires that all significant
+// bytes of the bigNum be reversed. For a big-endian machine, rather than process
+// unpack each word individually, the bigNum is converted to little-endian words,
+// copied, and then converted back to big-endian.
 LIB_EXPORT BOOL
 BnToBytes(
     bigConst             bn,

TPMCmd/tpm/include/prototypes/Entity_fp.h

@@ -34,7 +34,7 @@
  */
 /*(Auto)
     Automatically Generated by TpmPrototypes version 2.2 February 10, 2016 
-    Date: Sep 22, 2016 Time: 05:27:05 PM  
+    Date: Dec 12, 2016 Time: 03:42:13 PM  
 */
 
 #ifndef    _ENTITY_FP_H_
@@ -101,8 +101,6 @@ EntityGetName(
 //      2. An NV index belongs to TPM_RH_PLATFORM if TPMA_NV_PLATFORMCREATE,
 //         is SET, otherwise it belongs to TPM_RH_OWNER
 //      3. An object handle belongs to its hierarchy.
-// All other handles belong to the platform hierarchy.
-// or an NV Index.
 TPMI_RH_HIERARCHY
 EntityGetHierarchy(
     TPMI_DH_ENTITY   handle         // IN :handle of entity