ESAPI: add context manager to flush ESAPI handles.

With this is possible to explicity flush transient handles. Useful with temporary handles, for example a primary key handle when just loading a key and when there are no resource manager available. Fixes #595 Signed-off-by: Erik Larsson <[email protected]>
tpm2-software · Oct 1, 2024 · b766e2c · b766e2c
1 parent ceed7a7
commit b766e2c
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 8 deletions.
diff --git a/src/tpm2_pytss/ESAPI.py b/src/tpm2_pytss/ESAPI.py
@@ -1,4 +1,6 @@
 # SPDX-License-Identifier: BSD-2
+
+import contextlib
 from .types import *
 from .constants import *
 from .internal.utils import (
@@ -7204,6 +7206,28 @@ def tr_deserialize(self, buffer: bytes) -> ESYS_TR:
 
         return ESYS_TR(esys_handle[0])
 
+    @contextlib.contextmanager
+    def flush_handle(self, handle: ESYS_TR) -> ESYS_TR:
+        """Context manager which flushes handle.
+
+        Makes flushing of an handle explicit after use, regardless of any raised exceptions.
+        Useful for scenarios where there is no resource manager available.
+
+        Args:
+            handle (ESYS_TR): The ESYS_TR handle to flush.
+
+        Returns:
+            handle (ESYS_TR): the handle passed to this method.
+        """
+
+        tpm_handle = self.tr_get_tpm_handle(handle)
+        is_transient = (tpm_handle & 0xFF000000) == TPM2_HT.TRANSIENT
+        try:
+            yield handle
+        finally:
+            if is_transient:
+                self.flush_context(handle)
+
     @staticmethod
     def _fixup_hierarchy(hierarchy: ESYS_TR) -> Union[TPM2_RH, ESYS_TR]:
         """Fixup ESYS_TR values to TPM2_RH constants to work around tpm2-tss API change in 3.0.0.

diff --git a/src/tpm2_pytss/tsskey.py b/src/tpm2_pytss/tsskey.py
@@ -232,7 +232,8 @@ def load(self, ectx, password=None):
         elif password and self.empty_auth:
             warnings.warn("password specified but empty_auth is true")
         phandle = self._getparent(ectx, self.public.publicArea.type, self.parent)
-        handle = ectx.load(phandle, self.private, self.public)
+        with ectx.flush_handle(phandle) as phandle:
+            handle = ectx.load(phandle, self.private, self.public)
         ectx.tr_set_auth(handle, password)
         return handle
 
@@ -258,13 +259,14 @@ def create(cls, ectx, template, parent=lib.TPM2_RH_OWNER, password=None):
             insens.sensitive.userAuth = password
             emptyauth = False
         phandle = cls._getparent(ectx, template.type, parent)
-        private, public, _, _, _ = ectx.create(
-            parent_handle=phandle,
-            in_sensitive=insens,
-            in_public=TPM2B_PUBLIC(publicArea=template),
-            outside_info=TPM2B_DATA(),
-            creation_pcr=TPML_PCR_SELECTION(),
-        )
+        with ectx.flush_handle(phandle) as phandle:
+            private, public, _, _, _ = ectx.create(
+                parent_handle=phandle,
+                in_sensitive=insens,
+                in_public=TPM2B_PUBLIC(publicArea=template),
+                outside_info=TPM2B_DATA(),
+                creation_pcr=TPML_PCR_SELECTION(),
+            )
         return cls(private, public, emptyauth, parent)
 
     @classmethod