Using AdjustTokenPrivileges to allow a user application to access TPMv2.0

  • Question

  • I need to allow my application to access the TPMv2.0 and after initialization of the application disable this access.

    The application is executed with a user context (not administrator).

    I used the code from this link:

    enabling-and-disabling-privileges-in-c++

    Question 1: Is using AdjustTokenPrivileges the correct solution?

    Question 2: What privileges do I need to enable with AdjustTokenPrivileges?

    When I use AdjustTokenPrivileges, I first need to configure the Windows OS user with the proper permissions in order to execute this API.

    So I am trying to figure out this second issue, according to the link :

    using-tbs - It discusses the accounts that have access for various versions of Windows.

    According to 'using-tbs', I created the registry key Access with a string registry value name SecurityDescriptor.

    Now, I am trying to figure how to build the value similar to the example in 'using-tbs':

    O:BAG:BAD:(A;;0x00000001;;;BA)(A;;0x00000001;;;NS)(A;;0x00000001;;;LS)

    Question 3: What are the permissions I need to set, and how do I set them?


    Roeig

    Thursday, May 7, 2020 7:11 AM

Answers

  • Hello,

    • Question 1: Is using AdjustTokenPrivileges the correct solution?

    To preserve the integrity of operations, certain TPM commands are not allowed to be executed by software on the platform. For example, some commands are only executed by system software. So before we try to find the solution, more information is required to narrow down this issue, such as: what kind of access to the TPM do you want, and which TPM API/command do you use?

    • Question 2: What privileges do I need to enable with AdjustTokenPrivileges?

    It depends on what access to the TPM you require. Enabling or disabling privileges using AdjustTokenPrivileges in an access token requires TOKEN_ADJUST_PRIVILEGES access.

    • How to build the value, similar to the example in 'using-tbs': O:BAG:BAD:(A;;0x00000001;;;BA)(A;;0x00000001;;;NS)(A;;0x00000001;;;LS)

    It is the string format of a security descriptor, which contains four main components: owner (O:), primary group (G:), DACL (D:), and SACL (S:). You can refer to "Security Descriptor String Format", "Security Descriptor Definition Language" and "SID Strings" to understand the security descriptor and how to build your own.

    Best regards,

    Rita


    MSDN Community Support

    Friday, May 8, 2020 2:15 AM
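As an added illustration (not code from the thread or from Microsoft's documentation), the descriptor string broken down in the answer above can be split into its owner, group and DACL entries with a small C++ routine, and then queried for what it grants to a given trustee. It handles only the subset the example uses (O:, G:, D: with two-letter SID aliases and hex access masks); on Windows the real parsing is done by ConvertStringSecurityDescriptorToSecurityDescriptorW and the real evaluation by AccessCheck.

```cpp
#include <cstdint>
#include <string>
#include <vector>

struct Ace { std::string type, flags, sid; uint32_t mask; };      // one (type;flags;rights;;;sid) entry
struct Sddl { std::string owner, group; std::vector<Ace> dacl; };

// The descriptor string quoted in the thread (the using-tbs example).
static const char* kTbsExample =
    "O:BAG:BAD:(A;;0x00000001;;;BA)(A;;0x00000001;;;NS)(A;;0x00000001;;;LS)";

// Text following `key` (O:, G:, D: or S:) up to the next component marker, or "" if absent.
static std::string component(const std::string& s, const std::string& key) {
    size_t b = s.find(key);
    if (b == std::string::npos) return "";
    size_t e = s.size();
    for (const char* k : {"O:", "G:", "D:", "S:"}) {
        size_t p = s.find(k, b + key.size());
        if (p != std::string::npos && p < e) e = p;
    }
    return s.substr(b + key.size(), e - b - key.size());
}

// Split each "(...)" ACE on ';'. Only hex access masks are decoded; rights aliases (GA, FA, ...) are skipped.
static std::vector<Ace> parseAces(const std::string& d) {
    std::vector<Ace> out;
    for (size_t p = d.find('('); p != std::string::npos; p = d.find('(', p + 1)) {
        size_t q = d.find(')', p);
        if (q == std::string::npos) break;
        std::string body = d.substr(p + 1, q - p - 1);
        std::vector<std::string> f;
        for (size_t s = 0, c = 0; ; s = c + 1) {
            c = body.find(';', s);
            f.push_back(body.substr(s, c == std::string::npos ? std::string::npos : c - s));
            if (c == std::string::npos) break;
        }
        if (f.size() == 6 && f[2].rfind("0x", 0) == 0)
            out.push_back({f[0], f[1], f[5], (uint32_t)std::stoul(f[2], nullptr, 16)});
    }
    return out;
}

static Sddl parseSddl(const std::string& s) {
    return Sddl{component(s, "O:"), component(s, "G:"), parseAces(component(s, "D:"))};
}

// Simplified check: is there an access-allowed ACE naming exactly `sid` that carries every bit of `mask`?
// A real check (AccessCheck) also evaluates the caller's group SIDs and any deny ACEs.
static bool allows(const Sddl& sd, const std::string& sid, uint32_t mask) {
    for (const Ace& a : sd.dacl)
        if (a.type == "A" && a.sid == sid && (a.mask & mask) == mask) return true;
    return false;
}
```

On the thread's example, only BA (Built-in Administrators), NS (Network Service) and LS (Local Service) are named, so a query for BU (Built-in Users) returns false, which matches the poster's observation that a plain user context is not covered.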
  • Hello,

    After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. Refer to "Manage TPM commands".

    To connect to TBS, the client must run as administrator. Refer to "TBS_CONTEXT_PARAMS".

    Hope this helps.

    Best regards,

    Rita


    MSDN Community Support

    Tuesday, May 12, 2020 6:33 AM

All replies

  • Rita - thanks for the detailed answer.

    Follow up questions:
    Q1.1 What kind of access to the TPM do you want?
    We need to access the TPM Non-Volatile Memory and, just to state it again, the application is executed with a user context (not administrator).

    Q1.2 And which TPM API/command do you use?
    Commands (excluding the TPM2 prefix):
    - NV_DefineSpace
    - NV_UndefineSpace
    - NV_Read
    - NV_ReadPublic
    - NV_Write
    - NV_ChangeAuth
    - HierarchyChangeAuth


    Roeig

    Sunday, May 10, 2020 6:27 AM