Improve get_ek_certs to handle indices

Author: dgarske

examples/endorsement/get_ek_certs.c

@@ -237,7 +237,81 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
         /* Get Endorsement Public Key template using NV index */
         rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate);
         if (rc != 0) {
-            printf("EK Index 0x%08x not valid\n", nvIndex);
+            const char* indexType = "Unknown";
+            word32 offset = nvIndex - TPM_20_TCG_NV_SPACE;
+            
+            /* Identify the type of NV index based on offset */
+            if (nvIndex < TPM_20_TCG_NV_SPACE) {
+                indexType = "Non-TCG (below TCG NV space)";
+            }
+            else if (offset >= 0x2 && offset <= 0xC) {
+                indexType = "EK Low Range";
+                if (offset == 0x2) indexType = "EK Low Range (RSA 2048 Cert)";
+                else if (offset == 0x3) indexType = "EK Low Range (RSA 2048 Nonce)";
+                else if (offset == 0x4) indexType = "EK Low Range (RSA 2048 Template)";
+                else if (offset == 0xA) indexType = "EK Low Range (ECC P256 Cert)";
+                else if (offset == 0xB) indexType = "EK Low Range (ECC P256 Nonce)";
+                else if (offset == 0xC) indexType = "EK Low Range (ECC P256 Template)";
+            }
+            else if (offset >= 0x12 && offset < 0x100) {
+                indexType = "EK High Range";
+                if (offset == 0x12) indexType = "EK High Range (RSA 2048 Cert)";
+                else if (offset == 0x14) indexType = "EK High Range (ECC P256 Cert)";
+                else if (offset == 0x16) indexType = "EK High Range (ECC P384 Cert)";
+                else if (offset == 0x18) indexType = "EK High Range (ECC P521 Cert)";
+                else if (offset == 0x1A) indexType = "EK High Range (ECC SM2 Cert)";
+                else if (offset == 0x1C) indexType = "EK High Range (RSA 3072 Cert)";
+                else if (offset == 0x1E) indexType = "EK High Range (RSA 4096 Cert)";
+                else if ((offset & 1) == 0) indexType = "EK High Range (Cert, even index)";
+                else indexType = "EK High Range (Template, odd index)";
+            }
+            else if (offset >= 0x100 && offset < 0x200) {
+                indexType = "EK Certificate Chain";
+            }
+            else if (offset >= 0x7F01 && offset <= 0x7F04) {
+                indexType = "EK Policy Index";
+                if (offset == 0x7F01) indexType = "EK Policy Index (SHA256)";
+                else if (offset == 0x7F02) indexType = "EK Policy Index (SHA384)";
+                else if (offset == 0x7F03) indexType = "EK Policy Index (SHA512)";
+                else if (offset == 0x7F04) indexType = "EK Policy Index (SM3_256)";
+            }
+            else if (nvIndex > TPM_20_TCG_NV_SPACE + 0x7FFF) {
+                indexType = "Vendor-specific (beyond TCG range)";
+            }
+            
+            printf("NV Index 0x%08x: %s (not a recognized EK certificate index)\n", 
+                nvIndex, indexType);
+
+            /* Try to read the NV public info to show what it contains */
+            rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
+            if (rc == 0) {
+                const char* hashName = TPM2_GetAlgName(nvPublic.nameAlg);
+                printf("  NV Size: %u bytes, Attributes: 0x%08x, Name Alg: %s\n",
+                    nvPublic.dataSize, (unsigned int)nvPublic.attributes, hashName);
+
+                /* Check if this looks like a policy digest based on size and hash */
+                if ((nvPublic.dataSize == 32 && nvPublic.nameAlg == TPM_ALG_SHA256) ||
+                    (nvPublic.dataSize == 48 && nvPublic.nameAlg == TPM_ALG_SHA384) ||
+                    (nvPublic.dataSize == 64 && nvPublic.nameAlg == TPM_ALG_SHA512) ||
+                    (nvPublic.dataSize == 32 && nvPublic.nameAlg == TPM_ALG_SM3_256)) {
+                    printf("  Content type: Likely a policy digest (%s hash)\n", hashName);
+                }
+                else if (nvPublic.dataSize > 100) {
+                    printf("  Content type: Likely a certificate or template (large data)\n");
+                }
+
+                /* Attempt to read a small amount of data to identify type */
+                certSz = (nvPublic.dataSize < 32) ? nvPublic.dataSize : 32;
+                if (certSz > 0) {
+                    rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0);
+                    if (rc == 0) {
+                        printf("  First %u bytes:\n", certSz);
+                        dump_hex_bytes(certBuf, certSz);
+                    }
+                }
+            }
+
+            rc = 0; /* Reset error code to continue processing */
             continue;
         }
 

src/tpm2_wrap.c

@@ -6446,9 +6446,9 @@ int wolfTPM2_GetKeyTemplate_EKIndex(word32 nvIndex,
     uint32_t keyBits = 0;
     int highRange = 0;
 
-    /* validate index is in NV EK range */
+    /* validate index is in TCG NV space range (0x01C00000 - 0x01C07FFF) */
     if (nvIndex < TPM_20_TCG_NV_SPACE ||
-        nvIndex > TPM_20_TCG_NV_SPACE + 0x1FF) {
+        nvIndex > TPM_20_TCG_NV_SPACE + 0x7FFF) {
         return BAD_FUNC_ARG;
     }
 

wolftpm/tpm2.h

@@ -1708,6 +1708,12 @@ typedef struct TPM2_AUTH_SESSION {
 /* EK Certificate Chains (0x100 - 0x1FF) - Not common */
 #define TPM2_NV_EK_CHAIN               (TPM_20_TCG_NV_SPACE + 0x100)
 
+/* EK Policy Indices for PolicyAuthorizeNV (0x7F01 - 0x7F04) */
+#define TPM2_NV_EK_POLICY_SHA256       (TPM_20_TCG_NV_SPACE + 0x7F01)
+#define TPM2_NV_EK_POLICY_SHA384       (TPM_20_TCG_NV_SPACE + 0x7F02)
+#define TPM2_NV_EK_POLICY_SHA512       (TPM_20_TCG_NV_SPACE + 0x7F03)
+#define TPM2_NV_EK_POLICY_SM3_256      (TPM_20_TCG_NV_SPACE + 0x7F04)
+
 /* Predetermined TPM 2.0 Endorsement policy auth templates */
 /* SHA256 (Low Range) */
 static const BYTE TPM_20_EK_AUTH_POLICY[] = {