Skip to content

feat(esapi): add missing TPM commands in authenticated_countdown_timer #652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hyperfinitism wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(esapi): add missing TPM commands in authenticated_countdown_timer #652

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
81 changes: 79 additions & 2 deletions tss-esapi/src/context/tpm_commands/authenticated_countdown_timer.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,84 @@
// Copyright 2021 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
use crate::Context;
use crate::{Context, Result, ReturnCode, handles::ObjectHandle, tss2_esys::Esys_ACT_SetTimeout};
use log::error;

impl Context {
// Missing function: ACT_SetTimeout
/// Set the timeout for an Authenticated Countdown Timer (ACT).
///
/// # Arguments
///
/// * `act_handle` - An [ObjectHandle] of the ACT to set.
/// * `start_timeout` - The start timeout value in seconds.
///
/// # Details
///
/// *From the specification*
/// > This command is used to set the time remaining before an
/// > Authenticated Countdown Timer (ACT) expires.
///
/// # Example
///
/// <!--
/// This example is marked `no_run` because `TPM2_ACT_SetTimeout` is not
/// supported by swtpm/libtpms; it requires a TPM that provides ACT support.
/// -->
///
/// ```rust, no_run
/// # use tss_esapi::{
/// # Context, TctiNameConf,
/// # constants::SessionType,
/// # attributes::SessionAttributesBuilder,
/// # interface_types::algorithm::HashingAlgorithm,
/// # structures::SymmetricDefinition,
/// # };
/// use tss_esapi::{handles::ObjectHandle, tss2_esys::ESYS_TR_RH_ACT_0};
/// # // Create context
/// # let mut context =
/// # Context::new(
/// # TctiNameConf::from_environment_variable().expect("Failed to get TCTI"),
/// # ).expect("Failed to create Context");
/// # // Create a session for authorizing the ACT
/// # let session = context
/// # .start_auth_session(
/// # None,
/// # None,
/// # None,
/// # SessionType::Hmac,
/// # SymmetricDefinition::AES_256_CFB,
/// # HashingAlgorithm::Sha256,
/// # )
/// # .expect("Failed to create session")
/// # .expect("Received invalid handle");
/// # let (session_attributes, session_attributes_mask) = SessionAttributesBuilder::new()
/// # .with_decrypt(true)
/// # .with_encrypt(true)
/// # .build();
/// # context.tr_sess_set_attributes(session, session_attributes, session_attributes_mask)
/// # .expect("Failed to set attributes on session");
/// // ACT handles are vendor-specific; ACT 0 maps to ESYS_TR_RH_ACT_0.
/// let act_handle = ObjectHandle::from(ESYS_TR_RH_ACT_0);
/// // Set the ACT to expire 60 seconds from now.
/// context.execute_with_session(Some(session), |ctx| {
/// ctx.act_set_timeout(act_handle, 60)
/// .expect("Call to act_set_timeout failed");
/// });
/// ```
pub fn act_set_timeout(&mut self, act_handle: ObjectHandle, start_timeout: u32) -> Result<()> {

@Superhepper Superhepper Jun 4, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not so sure about this handle. I was working on something that had similar problems but for attached components. That creates a specific handle type that only allows for a handle in a specific range. I think something similar would be appropriate here as well or depending on the situation maybe it would be better to do something similar to what have been done for PCR handles.

ReturnCode::ensure_success(
unsafe {
Esys_ACT_SetTimeout(
self.mut_context(),
act_handle.into(),
self.required_session_1()?,
self.optional_session_2(),
self.optional_session_3(),
start_timeout,
)
},
|ret| {
error!("Error setting ACT timeout: {:#010X}", ret);
},
)
}
}
16 changes: 16 additions & 0 deletions ...tests/integration_tests/context_tests/tpm_commands/authenticated_countdown_timer_tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,18 @@
// Copyright 2021 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
mod test_act_set_timeout {
use crate::common::create_ctx_with_session;
use tss_esapi::{handles::ObjectHandle, tss2_esys::ESYS_TR_RH_ACT_0};

#[test]
#[ignore = "swtpm does not support TPM2_ACT_SetTimeout"]
fn test_act_set_timeout() {
let mut context = create_ctx_with_session();

let act_handle = ObjectHandle::from(ESYS_TR_RH_ACT_0);

context
.act_set_timeout(act_handle, 60)
.expect("Failed to set ACT timeout");
}
}