tpm2-tools
How to protect an nvindex from tpm2_nvundefine
I am trying to find a way to protect data stored in the TPM from being cleared without a valid password.
- No access to platform hierarchy (UEFI sets some random password and there is no way to overcome this)
- tpm2_clear can be restricted by setting a lockout password
- We can also protect a TPM nvindex from being written by an unauthorized user by defining the nvindex with a password set:
```
tpm2 nvdefine -C o -p myNVpassword -a "authread|ownerread|authwrite|write_stclear" $NVINDEX
tpm2_nvwrite $NVINDEX -i filetowrite -P myNVpassword # This would fail if someone who doesn't know the password tries to write
```
However, the password is not required to run tpm2_nvundefine for the same handle. Anyone without the handle password can run
```
tpm2_nvundefine $NVINDEX
```
Is there a way to restrict tpm2_nvundefine for the owner hierarchy?
I see a policydelete option, but all the examples seem to use the platform hierarchy when using policy delete, and it gives inconsistent attributes when using owner hierarchy + policydelete for nvdefine.
Define with the attribute TPMA_NV_POLICY_DELETE. You can have a policy set to policy secret to point to the owner hierarchy auth.
But if the attribute TPMA_NV_POLICY_DELETE is defined, it will not be possible to create an NV index in the owner hierarchy. See: https://github.com/microsoft/ms-tpm-20-ref/blob/e9fc7b89d865536c46deb63f9c7d0121a3ded49c/TPMCmd/tpm/src/command/NVStorage/NV_DefineSpace.c#L206-L208
So I think the deletion of the NV index in the owner hierarchy can only be protected with the auth value or policy of the owner hierarchy.
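The conclusion above is that for an owner-created index the index's own auth value does not gate TPM2_NV_UndefineSpace; the owner hierarchy's auth does. The following script, added here as an illustration and not taken from the issue thread or from tpm2-tools itself, sets an owner auth with tpm2_changeauth, defines the same index as in the question, and checks that tpm2_nvundefine is refused without that owner auth and succeeds with it. It assumes tpm2-tools 5.x and a TPM or swtpm reachable through the usual TPM2TOOLS_TCTI environment; the handle 0x1500016 and the two secrets are constructed placeholders, and the script name used in the final case statement is an assumption.

```shell
#!/bin/sh
# Added example (not from the tpm2-tools issue thread): deletion of an
# owner-created NV index is authorized by the OWNER hierarchy, not by the
# index's own auth value, so the way to stop tpm2_nvundefine is to give the
# owner hierarchy an auth value. Assumes tpm2-tools 5.x and a TPM (or swtpm)
# reachable via TPM2TOOLS_TCTI. Handle and secrets are constructed placeholders.
set -eu

NVINDEX="${NVINDEX:-0x1500016}"              # assumed free handle in the NV range
OWNER_AUTH="${OWNER_AUTH:-example-owner-secret}"
NV_AUTH="${NV_AUTH:-myNVpassword}"

# Give the owner hierarchy an auth value. From now on every command that
# authorizes with "-C o" (nvdefine, nvundefine, ...) must supply it via -P.
# (-p would carry the *old* owner auth; a fresh TPM has an empty one.)
set_owner_auth() {
    tpm2_changeauth -c o "$OWNER_AUTH"
}

# Define the index as in the question; the define itself now needs owner auth.
define_index() {
    tpm2_nvdefine -C o -P "$OWNER_AUTH" -p "$NV_AUTH" -s 32 \
        -a "authread|ownerread|authwrite|write_stclear" "$NVINDEX"
}

# Write through the index auth, exactly as the question does (-P is the
# index password; the auth handle defaults to the index itself).
write_index() {
    tmp=$(mktemp -d)
    printf 'test' > "$tmp/data.bin"
    tpm2_nvwrite -P "$NV_AUTH" -i "$tmp/data.bin" "$NVINDEX"
    rm -rf "$tmp"
}

# Returns 0 if nvundefine *without* the owner auth is refused and the index
# is still present, i.e. the protection holds; 1 if the TPM deleted it anyway.
undefine_without_owner_auth_is_refused() {
    if tpm2_nvundefine -C o "$NVINDEX" 2>/dev/null; then
        return 1
    fi
    tpm2_nvreadpublic "$NVINDEX" >/dev/null 2>&1
}

# Only the owner auth (or a policy satisfied on the owner hierarchy) deletes it.
undefine_with_owner_auth() {
    tpm2_nvundefine -C o -P "$OWNER_AUTH" "$NVINDEX"
}

# Restore an empty owner auth so the demonstration can be re-run.
clear_owner_auth() {
    tpm2_changeauth -c o -p "$OWNER_AUTH" ""
}

main() {
    set_owner_auth
    define_index
    write_index
    if undefine_without_owner_auth_is_refused; then
        echo "nvundefine without owner auth refused; index still defined"
    else
        echo "UNEXPECTED: index deleted without owner auth"
    fi
    undefine_with_owner_auth
    clear_owner_auth
}

# Run the demonstration only when executed as a script named nv_delete_protect.sh
# (assumed name); sourcing the file just defines the functions.
case "${0##*/}" in
    nv_delete_protect.sh) main ;;
esac
```

Note that the owner auth also becomes necessary for every later nvdefine under `-C o`, and if the script aborts between set_owner_auth and clear_owner_auth the TPM keeps the new owner auth, so run it against swtpm first. TPMA_NV_POLICY_DELETE is deliberately absent: as the reference implementation linked above shows, an index with that attribute can only be defined with platform authorization, which the question rules out.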