Replace TlclDefineSpace with SafeDefineSpace for extra paranoia.

tests/rollback_index_test.c

 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 /* Exhaustive testing for correctness and integrity of TPM locking code from
  * all interesting initial conditions.
  *
  * This program iterates through a large number of initial states of the TPM at
  * power on, and executes the code related to initialing the TPM and managing
@@ skipping 137 matching lines @@
 static void reboot(void) {
   int status;
   Log("requesting reboot");
   status = system("/sbin/reboot");
   if (status != 0) {
     Log("reboot failed with status %d", status);
     exit(1);
   }
 }
 
+static uint32_t SafeWrite(uint32_t index, uint8_t* data, uint32_t length) {
+  uint32_t result = TlclWrite(index, data, length);
+  if (result == TPM_E_MAXNVWRITES) {
+    RETURN_ON_FAILURE(TPMClearAndReenable());
+    result = TlclWrite(index, data, length);
+    tpm_was_just_cleared = 0;
+  }
+  return result;
+}
+
+static uint32_t SafeDefineSpace(uint32_t index, uint32_t perm, uint32_t size) {
+  uint32_t result = TlclDefineSpace(index, perm, size);
+  if (result == TPM_E_MAXNVWRITES) {
+    RETURN_ON_FAILURE(TPMClearAndReenable());
+    result = TlclDefineSpace(index, perm, size);
+    tpm_was_just_cleared = 0;
+  }
+  return result;
+}
+
 static void RollbackTest_SaveState(FILE* file) {
   rewind(file);
   fprintf(file, RBTS_format,
           RBTS.advancing,
           RBTS.owned,
           RBTS.disable,
           RBTS.deactivated,
           RBTS.writecount,
           RBTS.TPM_IS_INITIALIZED_exists,
           RBTS.KERNEL_MUST_USE_BACKUP,
@@ skipping 128 matching lines @@
   }
   return TPM_SUCCESS;
 }
 
 /* Removes or creates the TPM_IS_INITIALIZED space.
  */
 static uint32_t RollbackTest_AdjustIsInitialized(void) {
   int initialized;
   RETURN_ON_FAILURE(GetSpacesInitialized(&initialized));
   if (RBTS.TPM_IS_INITIALIZED_exists && !initialized) {
-    RETURN_ON_FAILURE(TlclDefineSpace(TPM_IS_INITIALIZED_NV_INDEX,
+    RETURN_ON_FAILURE(SafeDefineSpace(TPM_IS_INITIALIZED_NV_INDEX,
                                       TPM_NV_PER_PPWRITE, sizeof(uint32_t)));
   }
   if (!RBTS.TPM_IS_INITIALIZED_exists && initialized) {
     RETURN_ON_FAILURE(RollbackTest_RemoveSpace(TPM_IS_INITIALIZED_NV_INDEX));
   }
   return TPM_SUCCESS;
 }
 
 /* Sets or clears KERNEL_MUST_USE_BACKUP.
  */
 static uint32_t RollbackTest_AdjustMustUseBackup(void) {
   uint32_t must_use_backup;
   RETURN_ON_FAILURE(TlclRead(KERNEL_MUST_USE_BACKUP_NV_INDEX,
                              (uint8_t*) &must_use_backup,
                              sizeof(must_use_backup)));
   if (RBTS.KERNEL_MUST_USE_BACKUP != must_use_backup) {
-    RETURN_ON_FAILURE(TlclWrite(KERNEL_MUST_USE_BACKUP_NV_INDEX,
+    RETURN_ON_FAILURE(SafeWrite(KERNEL_MUST_USE_BACKUP_NV_INDEX,
                                 (uint8_t*) &must_use_backup,
                                 sizeof(must_use_backup)));
   }
   return TPM_SUCCESS;
 }
 
 /* Adjusts KERNEL_VERSIONS space.
  */
 static uint32_t RollbackTest_AdjustKernelVersions(int* wrong_value) {
   uint8_t kdata[KERNEL_SPACE_SIZE];
   int exists;
   uint32_t result;
 
   result = TlclRead(KERNEL_VERSIONS_NV_INDEX, kdata, sizeof(kdata));
   if (result != TPM_SUCCESS && result != TPM_E_BADINDEX) {
     return result;
   }
   *wrong_value = Memcmp(kdata + sizeof(uint32_t), KERNEL_SPACE_UID,
                         KERNEL_SPACE_UID_SIZE);     /* for later use */
   exists = result == TPM_SUCCESS;
   if (RBTS.KERNEL_VERSIONS_exists && !exists) {
-    RETURN_ON_FAILURE(TlclDefineSpace(KERNEL_VERSIONS_NV_INDEX,
+    RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_NV_INDEX,
                                       TPM_NV_PER_PPWRITE, KERNEL_SPACE_SIZE));
   }
   if (!RBTS.KERNEL_VERSIONS_exists && exists) {
     RETURN_ON_FAILURE(RollbackTest_RemoveSpace(KERNEL_VERSIONS_NV_INDEX));
   }
   return TPM_SUCCESS;
 }
 
 /* Adjusts permissions of KERNEL_VERSIONS space.  Updates |wrong_value| to
  * reflect that currently the space contains the wrong value (i.e. does not
  * contain the GRWL identifier).
  */
 static uint32_t RollbackTest_AdjustKernelPermissions(int* wrong_value) {
   uint32_t perms;
 
   /* Wrong permissions */
   RETURN_ON_FAILURE(TlclGetPermissions(KERNEL_VERSIONS_NV_INDEX, &perms));
   if (RBTS.KERNEL_VERSIONS_wrong_permissions && perms == TPM_NV_PER_PPWRITE) {
     /* Redefines with wrong permissions. */
     RETURN_ON_FAILURE(RollbackTest_RemoveSpace(KERNEL_VERSIONS_NV_INDEX));
-    RETURN_ON_FAILURE(TlclDefineSpace(KERNEL_VERSIONS_NV_INDEX,
+    RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_NV_INDEX,
                                       TPM_NV_PER_PPWRITE |
                                       TPM_NV_PER_GLOBALLOCK,
                                       KERNEL_SPACE_SIZE));
     *wrong_value = 1;
   }
   if (!RBTS.KERNEL_VERSIONS_wrong_permissions &&
       perms != TPM_NV_PER_PPWRITE) {
     /* Redefines with right permissions. */
-    RETURN_ON_FAILURE(TlclDefineSpace(KERNEL_VERSIONS_NV_INDEX,
+    RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_NV_INDEX,
                                       TPM_NV_PER_PPWRITE, 0));
-    RETURN_ON_FAILURE(TlclDefineSpace(KERNEL_VERSIONS_NV_INDEX,
+    RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_NV_INDEX,
                                       TPM_NV_PER_PPWRITE,
                                       KERNEL_SPACE_SIZE));
     *wrong_value = 1;
   }
   return TPM_SUCCESS;
 }
 
 static uint32_t RollbackTest_AdjustKernelValue(int wrong_value) {
   if (!RBTS.KERNEL_VERSIONS_wrong_value && wrong_value) {
-    RETURN_ON_FAILURE(TlclWrite(KERNEL_VERSIONS_NV_INDEX,
+    RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_NV_INDEX,
                                 KERNEL_SPACE_INIT_DATA, KERNEL_SPACE_SIZE));
   }
   if (RBTS.KERNEL_VERSIONS_wrong_value && !wrong_value) {
-    RETURN_ON_FAILURE(TlclWrite(KERNEL_VERSIONS_NV_INDEX,
+    RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_NV_INDEX,
                                 (uint8_t*) "mickey mouse",
                                 KERNEL_SPACE_SIZE));
   }
   return TPM_SUCCESS;
 }
 
 /* Adjusts value of KERNEL_VERSIONS_BACKUP space.
  */
 static uint32_t RollbackTest_AdjustKernelBackup(void) {
   /* Same as backup */
   uint32_t kv, kvbackup;
   RETURN_ON_FAILURE(TlclRead(KERNEL_VERSIONS_NV_INDEX,
                              (uint8_t*) &kv, sizeof(kv)));
   RETURN_ON_FAILURE(TlclRead(KERNEL_VERSIONS_BACKUP_NV_INDEX,
                              (uint8_t*) &kvbackup, sizeof(kvbackup)));
   if (RBTS.KERNEL_VERSIONS_same_as_backup && kv != kvbackup) {
     kvbackup = kv;
-    RETURN_ON_FAILURE(TlclWrite(KERNEL_VERSIONS_BACKUP_NV_INDEX,
+    RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_BACKUP_NV_INDEX,
                                 (uint8_t*) &kvbackup, sizeof(kvbackup)));
   }
   if (!RBTS.KERNEL_VERSIONS_same_as_backup && kv == kvbackup) {
     kvbackup = kv + 1;
-    RETURN_ON_FAILURE(TlclWrite(KERNEL_VERSIONS_BACKUP_NV_INDEX,
+    RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_BACKUP_NV_INDEX,
                                 (uint8_t*) &kvbackup, sizeof(kvbackup)));
   }
   return TPM_SUCCESS;
 }
 
 /* Adjust the value in the developer mode transition space.
  */
 static uint32_t RollbackTest_AdjustDeveloperMode(void) {
   uint32_t dev;
   /* Developer mode transitions */
   RETURN_ON_FAILURE(TlclRead(DEVELOPER_MODE_NV_INDEX,
                              (uint8_t*) &dev, sizeof(dev)));
 
   if (RBTS.developer != dev) {
     dev = RBTS.developer;
-    RETURN_ON_FAILURE(TlclWrite(DEVELOPER_MODE_NV_INDEX,
+    RETURN_ON_FAILURE(SafeWrite(DEVELOPER_MODE_NV_INDEX,
                                 (uint8_t*) &dev, sizeof(dev)));
   }
   return TPM_SUCCESS;
 }
 
 /* Changes the unowned write count.
  */
 static uint32_t RollbackTest_AdjustWriteCount(void) {
   int i;
   if (!RBTS.owned) {
     /* Sets the unowned write count, but only if we think that it will make a
      * difference for the test. In other words: we're trying to reduce the
      * number if initial states with some reasoning that we hope is correct.
      */
     if (RBTS.writecount > low_writecount) {
       if (!tpm_was_just_cleared) {
         /* Unknown write count: must clear the TPM to reset to 0 */
         RETURN_ON_FAILURE(TPMClearAndReenable());
       }
       for (i = 0; i < RBTS.writecount; i++) {
         /* Changes the value to ensure that the TPM won't optimize away
          * writes.
          */
         uint8_t b = (uint8_t) i;
-        RETURN_ON_FAILURE(TlclWrite(WRITE_BUCKET_NV_INDEX, &b, 1));
+        RETURN_ON_FAILURE(SafeWrite(WRITE_BUCKET_NV_INDEX, &b, 1));
       }
     }
   }
   return TPM_SUCCESS;
 }
 
 /* Sets the TPM to the right state for the next test run.
  *
  * Functionally correct ordering is tricky.  Optimal ordering is even trickier
  * (no claim to this).  May succeed only partially and require a reboot to
@@ skipping 140 matching lines @@
   return TPM_SUCCESS;
 }
 
 /* One-time call to create the WRITE_BUCKET space.
  */
 static uint32_t RollbackTest_InitializeTPM(void) {
   TlclLibInit();
   RETURN_ON_FAILURE(TlclStartup());
   RETURN_ON_FAILURE(TlclContinueSelfTest());
   RETURN_ON_FAILURE(TlclAssertPhysicalPresence());
-  RETURN_ON_FAILURE(TlclDefineSpace(WRITE_BUCKET_NV_INDEX,
+  RETURN_ON_FAILURE(SafeDefineSpace(WRITE_BUCKET_NV_INDEX,
                                     TPM_NV_PER_PPWRITE, 1));
   RETURN_ON_FAILURE(RollbackTest_SetTPMState(0));
   return TPM_SUCCESS;
 }
 
 static void RollbackTest_Initialize(void) {
   Log("initializing");
   RollbackTest_InitializeState();
   if (RollbackTest_InitializeTPM() != TPM_SUCCESS) {
     Log("couldn't initialize TPM");
@@ skipping 113 matching lines @@
   } else if (argc == 2 && strcmp(argv[1], "sync") == 0) {
     RollbackTest_Sync();
   } else if (argc == 1) {
     RollbackTest_Run();
   } else {
     fprintf(stderr, "usage: rollback-test [ initialize ]\n");
     exit(1);
   }
   return 0;
 }