Improved parameter validation for the 'create_nv()' function.

Author: danieltrick

CHANGELOG.md

@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/).
 ### Changed
 
 - Docker images used for testing/building have been updated to the latest version.
+- The parameter validation for the function `create_nv()` has been improved.
 
 ## [0.12.2] - 2026-03-03
 

src/context.rs

@@ -355,24 +355,30 @@ impl FapiContext {
 
     /// This command creates an NV index in the TPM using a given path and type.
     ///
+    /// If the size of the NV index is specified *implicitly* by the `nvi_type` parameter, then the `nvi_size` parameter **must** be `None`; otherwise, the `nvi_size` parameter **must** be `Some(size)` with a `size` that is greater than zero.
+    ///
     /// *See also:* [`Fapi_CreateNv()`](https://tpm2-tss.readthedocs.io/en/stable/group___fapi___create_nv.html)
     pub fn create_nv(
         &mut self,
         nv_path: &str,
         nvi_type: Option<&[NvFlags]>,
-        nvi_size: usize,
+        nvi_size: Option<NonZeroUsize>,
         pol_path: Option<&str>,
         auth_val: Option<&str>,
     ) -> Result<(), ErrorCode> {
         fail_if_opt_empty!(nvi_type);
+        if nvi_type.is_some_and(|flags| flags.iter().any(|&flag| matches!(flag, NvFlags::BitField | NvFlags::Counter | NvFlags::PCR))) != nvi_size.is_none() {
+            return Err(ERR_INVALID_ARGUMENTS);
+        }
 
         let cstr_path = CStringHolder::try_from(nv_path)?;
         let cstr_type = CStringHolder::try_from(Flags::as_string(nvi_type)?)?;
         let cstr_poli = CStringHolder::try_from(pol_path)?;
         let cstr_auth = CStringHolder::try_from(auth_val)?;
+        let nvi_bytes = nvi_size.map(NonZeroUsize::get).unwrap_or(0usize);
 
         self.fapi_call(false, |context| unsafe {
-            fapi_sys::Fapi_CreateNv(context, cstr_path.as_ptr(), cstr_type.as_ptr(), nvi_size, cstr_poli.as_ptr(), cstr_auth.as_ptr())
+            fapi_sys::Fapi_CreateNv(context, cstr_path.as_ptr(), cstr_type.as_ptr(), nvi_bytes, cstr_poli.as_ptr(), cstr_auth.as_ptr())
         })
     }
 
@@ -711,7 +717,7 @@ impl FapiContext {
 
     /// Creates a sealed object and stores it in the FAPI metadata store.
     ///
-    /// The [`data`](crate::SealData) to be sealed can be given as a *non-empty* `&[u8]` slice. Alternatively, a [`NoneZeroUsize`](std::num::NonZeroUsize) size can be specified.
+    /// The [`data`](crate::SealedData) to be sealed can be given as a *non-empty* `&[u8]` slice. Alternatively, a [`NoneZeroUsize`](std::num::NonZeroUsize) size can be specified.
     ///
     /// If **no** explicit data is provided (i.e., only the size), the TPM generates random data to fill the sealed object.
     ///

src/flags.rs

@@ -83,7 +83,7 @@ impl Flags for KeyFlags {
 
 /// NV index creation flags, as used by the [`create_nv()`](crate::FapiContext::create_nv) function.
 ///
-/// *Note:* The Flags [`BitField`](NvFlags::BitField), [`Counter`](NvFlags::Counter) and [`PCR`](NvFlags::PCR) are mutually exclusive! If **no** type flag is given, an "ordinary" NV index is created.
+/// *Note:* The type flags [`BitField`](NvFlags::BitField), [`Counter`](NvFlags::Counter) and [`PCR`](NvFlags::PCR) are mutually exclusive! If one of these flags is given, then the size of the NV index is *implicit* defined; otherwise, if **no** type flag is given, an "ordinary" NV index of application-defined size is created.
 #[derive(Clone, Copy, Debug, Eq, Ord, PartialEq, PartialOrd, Hash)]
 #[non_exhaustive]
 pub enum NvFlags {
@@ -114,7 +114,7 @@ impl Flags for NvFlags {
     }
 
     fn validate_set(flags: &BTreeSet<Self>) -> bool {
-        flags.iter().copied().filter(|flag| matches!(*flag, Self::BitField | Self::Counter | Self::PCR)).count() < 2usize
+        flags.iter().copied().filter(|&flag| matches!(flag, Self::BitField | Self::Counter | Self::PCR)).count() < 2usize
     }
 }
 

tests/08_nv_test.rs

@@ -6,6 +6,8 @@
 
 pub mod common;
 
+use std::num::NonZeroUsize;
+
 use common::{
     callback::MyCallbacks,
     param::PASSWORD,
@@ -50,7 +52,7 @@ fn test_nv_write() {
         tpm_initialize!(context, PASSWORD, MyCallbacks::new(PASSWORD, None));
 
         // Create NV index, if not already created
-        match context.create_nv(nv_path, Some(NV_ORDINARY_FLAGS), data.len(), None, None) {
+        match context.create_nv(nv_path, Some(NV_ORDINARY_FLAGS), NonZeroUsize::new(data.len()), None, None) {
             Ok(_) => debug!("NV index created."),
             Err(error) => panic!("NV index creation has failed: {:?}", error),
         }
@@ -96,7 +98,7 @@ fn test_nv_read() {
         tpm_initialize!(context, PASSWORD, MyCallbacks::new(PASSWORD, None));
 
         // Create NV index, if not already created
-        match context.create_nv(nv_path, Some(NV_ORDINARY_FLAGS), data.len(), None, None) {
+        match context.create_nv(nv_path, Some(NV_ORDINARY_FLAGS), NonZeroUsize::new(data.len()), None, None) {
             Ok(_) => debug!("NV index created."),
             Err(error) => panic!("NV index creation has failed: {:?}", error),
         }
@@ -142,7 +144,7 @@ fn test_nv_counter() {
         tpm_initialize!(context, PASSWORD, MyCallbacks::new(PASSWORD, None));
 
         // Create NV index, if not already created
-        match context.create_nv(nv_path, Some(NV_COUNTER_FLAGS), 0usize, None, None) {
+        match context.create_nv(nv_path, Some(NV_COUNTER_FLAGS), None, None, None) {
             Ok(_) => debug!("NV index created."),
             Err(error) => panic!("NV index creation has failed: {:?}", error),
         }
@@ -200,7 +202,7 @@ fn test_nv_bitset() {
         tpm_initialize!(context, PASSWORD, MyCallbacks::new(PASSWORD, None));
 
         // Create NV index, if not already created
-        match context.create_nv(nv_path, Some(NV_BITFIELD_FLAGS), 0usize, None, None) {
+        match context.create_nv(nv_path, Some(NV_BITFIELD_FLAGS), None, None, None) {
             Ok(_) => debug!("NV index created."),
             Err(error) => panic!("NV index creation has failed: {:?}", error),
         }
@@ -275,7 +277,7 @@ fn test_nv_pcr() {
         tpm_initialize!(context, PASSWORD, MyCallbacks::new(PASSWORD, None));
 
         // Create NV index, if not already created
-        match context.create_nv(nv_path, Some(NV_PCR_FLAGS), 0usize, None, None) {
+        match context.create_nv(nv_path, Some(NV_PCR_FLAGS), None, None, None) {
             Ok(_) => debug!("NV index created."),
             Err(error) => panic!("NV index creation has failed: {:?}", error),
         }

tests/09_policy_test.rs

@@ -20,11 +20,11 @@ use rand::SeedableRng;
 use rand_chacha::ChaChaRng;
 use serial_test::serial;
 use sha2::{Digest, Sha256};
-use std::{fs, path::Path};
+use std::{fs, num::NonZeroUsize, path::Path};
 use tss2_fapi_rs::{FapiCallbacks, FapiContext, ImportData, KeyFlags, json::JsonValue};
 
 const KEY_FLAGS_SIGN: &[KeyFlags] = &[KeyFlags::NoDA, KeyFlags::Sign];
-const POLICY_NV_AUTH_SIZE: usize = 34usize;
+const POLICY_NV_AUTH_SIZE: NonZeroUsize = NonZeroUsize::new(34usize).unwrap();
 
 // ==========================================================================
 // Test cases
@@ -285,7 +285,7 @@ fn test_write_authorize_nv() {
         };
 
         // Create NV index, if not already created
-        match context.create_nv(nv_path, Some(&[tss2_fapi_rs::NvFlags::NoDA]), POLICY_NV_AUTH_SIZE, None, None) {
+        match context.create_nv(nv_path, Some(&[tss2_fapi_rs::NvFlags::NoDA]), Some(POLICY_NV_AUTH_SIZE), None, None) {
             Ok(_) => debug!("NV index created."),
             Err(error) => panic!("NV index creation has failed: {:?}", error),
         }