From 8dc711c3771e53f57754d53dcd7ab9a000539456 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 21 Nov 2023 09:50:53 +0100
Subject: [PATCH] FAPI: Fix usage of endorsement handle

In several cases the wrong handle TPM2_RH_EK was used instead of
TPM2_RH_ENDORSEMENT.
This caused a wrong recreation of keys under the endorsement hierarchy.
Addresses: #2709

Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
 src/tss2-fapi/fapi_util.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 11e4c0ec6..1d4c7fca3 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -944,7 +944,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
         /* Check whether a persistent key was loaded.
            In this case the handle has already been set. */
         if (pkey_object->public.handle != ESYS_TR_NONE) {
-            if (pkey->creationTicket.hierarchy == TPM2_RH_EK) {
+            if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT) {
                 context->ek_persistent = true;
             } else {
                 context->srk_persistent = true;
@@ -954,7 +954,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
             return TSS2_FAPI_RC_TRY_AGAIN;
         }
         else {
-            if (pkey->creationTicket.hierarchy == TPM2_RH_EK) {
+            if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT) {
                 context->ek_persistent = false;
             } else {
                 context->srk_persistent = false;
@@ -964,8 +964,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
 
     statecase(context->primary_state, PRIMARY_READ_HIERARCHY);
         /* The hierarchy object used for auth_session will be loaded from key store. */
-        if (pkey->creationTicket.hierarchy == TPM2_RH_EK ||
-            (pkey->ek_profile && pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT)) {
+    if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT) {
             r = ifapi_keystore_load_async(&context->keystore, &context->io, "/HE");
             return_if_error2(r, "Could not open hierarchy /HE");
         } else if (pkey->creationTicket.hierarchy == TPM2_RH_NULL) {
@@ -985,7 +984,9 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
         r = ifapi_initialize_object(context->esys, hierarchy);
         goto_if_error_reset_state(r, "Initialize hierarchy object", error_cleanup);
 
-        if (pkey->creationTicket.hierarchy == TPM2_RH_EK) {
+        if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT) {
+            hierarchy->public.handle = ESYS_TR_RH_ENDORSEMENT;
+        } else if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT) {
             hierarchy->public.handle = ESYS_TR_RH_ENDORSEMENT;
         } else if (pkey->creationTicket.hierarchy == TPM2_RH_ENDORSEMENT &&
                    pkey->ek_profile) {