mcias/vendor/github.com/google/go-tpm/tpm2/tpm2.go

// Package tpm2 contains TPM 2.0 commands and structures.
package tpm2

import (
	"bytes"
	"encoding/binary"

	"github.com/google/go-tpm/tpm2/transport"
)

// handle represents a TPM handle as comprehended in Part 3: Commands.
// In the context of TPM commands, handles are special parameters for which
// there is a known associated name.
// This is not an exported interface, because the reflection logic has special
// behavior for AuthHandle, due to the fact that referencing Session from this
// interface would break the ability to make TPMHandle implement it.
type handle interface {
	// HandleValue is the numeric concrete handle value in the TPM.
	HandleValue() uint32
	// KnownName is the TPM Name of the associated entity. See Part 1, section 16.
	KnownName() *TPM2BName
}

// NamedHandle represents an associated pairing of TPM handle and known Name.
type NamedHandle struct {
	Handle TPMHandle
	Name   TPM2BName
}

// HandleValue implements the handle interface.
func (h NamedHandle) HandleValue() uint32 {
	return h.Handle.HandleValue()
}

// KnownName implements the handle interface.
func (h NamedHandle) KnownName() *TPM2BName {
	return &h.Name
}

// AuthHandle allows the caller to add an authorization session onto a handle.
type AuthHandle struct {
	Handle TPMHandle
	Name   TPM2BName
	Auth   Session
}

// HandleValue implements the handle interface.
func (h AuthHandle) HandleValue() uint32 {
	return h.Handle.HandleValue()
}

// KnownName implements the handle interface.
// If Name is not provided (i.e., only Auth), then rely on the underlying
// TPMHandle.
func (h AuthHandle) KnownName() *TPM2BName {
	if len(h.Name.Buffer) != 0 {
		return &h.Name
	}
	return h.Handle.KnownName()
}

// invalidHandleValue is the sentinel value used for handles that have been
// reconstructed from unmarshalling.
// This value is intentionally invalid to prevent accidental use with a real TPM.
const invalidHandleValue TPMHandle = 0xFFFFFFFF

// UnmarshalledHandle represents a handle reconstructed from unmarshalling.
// This type is used for audit and inspection purposes where only the Name is
// available, not the actual TPM handle value.
//
// The HandleValue() method returns [invalidHandleValue] to prevent accidental
// use of these handles with a real TPM.
type UnmarshalledHandle struct {
	Name TPM2BName
}

// HandleValue implements the handle interface.
// Returns invalidHandleValue since unmarshalled handles don't have real TPM handle values.
func (h UnmarshalledHandle) HandleValue() uint32 {
	return uint32(invalidHandleValue)
}

// KnownName implements the handle interface.
func (h UnmarshalledHandle) KnownName() *TPM2BName {
	return &h.Name
}

// Command is an interface for any TPM command, parameterized by its response
// type.
type Command[R any, PR *R] interface {
	// The TPM command code associated with this command.
	Command() TPMCC
	// Executes the command and returns the response.
	Execute(t transport.TPM, s ...Session) (PR, error)
}

// PolicyCommand is a TPM command that can be part of a TPM policy.
type PolicyCommand interface {
	// Update updates the given policy hash according to the command
	// parameters.
	Update(policy *PolicyCalculator) error
}

// Shutdown is the input to TPM2_Shutdown.
// See definition in Part 3, Commands, section 9.4.
type Shutdown struct {
	// TPM_SU_CLEAR or TPM_SU_STATE
	ShutdownType TPMSU
}

// Command implements the Command interface.
func (Shutdown) Command() TPMCC { return TPMCCShutdown }

// Execute executes the command and returns the response.
func (cmd Shutdown) Execute(t transport.TPM, s ...Session) (*ShutdownResponse, error) {
	var rsp ShutdownResponse
	err := execute[ShutdownResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ShutdownResponse is the response from TPM2_Shutdown.
type ShutdownResponse struct{}

// Startup is the input to TPM2_Startup.
// See definition in Part 3, Commands, section 9.3.
type Startup struct {
	// TPM_SU_CLEAR or TPM_SU_STATE
	StartupType TPMSU
}

// Command implements the Command interface.
func (Startup) Command() TPMCC { return TPMCCStartup }

// Execute executes the command and returns the response.
func (cmd Startup) Execute(t transport.TPM, s ...Session) (*StartupResponse, error) {
	var rsp StartupResponse
	err := execute[StartupResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// StartupResponse is the response from TPM2_Startup.
type StartupResponse struct{}

// StartAuthSession is the input to TPM2_StartAuthSession.
// See definition in Part 3, Commands, section 11.1
type StartAuthSession struct {
	// handle of a loaded decrypt key used to encrypt salt
	// may be TPM_RH_NULL
	TPMKey handle `gotpm:"handle"`
	// entity providing the authValue
	// may be TPM_RH_NULL
	Bind handle `gotpm:"handle"`
	// initial nonceCaller, sets nonceTPM size for the session
	// shall be at least 16 octets
	NonceCaller TPM2BNonce
	// value encrypted according to the type of tpmKey
	// If tpmKey is TPM_RH_NULL, this shall be the Empty Buffer.
	EncryptedSalt TPM2BEncryptedSecret
	// indicates the type of the session; simple HMAC or policy (including
	// a trial policy)
	SessionType TPMSE
	// the algorithm and key size for parameter encryption
	// may select transport.TPM_ALG_NULL
	Symmetric TPMTSymDef
	// hash algorithm to use for the session
	// Shall be a hash algorithm supported by the TPM and not transport.TPM_ALG_NULL
	AuthHash TPMIAlgHash
}

// Command implements the Command interface.
func (StartAuthSession) Command() TPMCC { return TPMCCStartAuthSession }

// Execute executes the command and returns the response.
func (cmd StartAuthSession) Execute(t transport.TPM, s ...Session) (*StartAuthSessionResponse, error) {
	var rsp StartAuthSessionResponse
	if err := execute[StartAuthSessionResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// StartAuthSessionResponse is the response from TPM2_StartAuthSession.
type StartAuthSessionResponse struct {
	// handle for the newly created session
	SessionHandle TPMISHAuthSession `gotpm:"handle"`
	// the initial nonce from the TPM, used in the computation of the sessionKey
	NonceTPM TPM2BNonce
}

// Create is the input to TPM2_Create.
// See definition in Part 3, Commands, section 12.1
type Create struct {
	// handle of parent for new object
	ParentHandle handle `gotpm:"handle,auth"`
	// the sensitive data
	InSensitive TPM2BSensitiveCreate
	// the public template
	InPublic TPM2BPublic
	// data that will be included in the creation data for this
	// object to provide permanent, verifiable linkage between this
	// object and some object owner data
	OutsideInfo TPM2BData
	// PCR that will be used in creation data
	CreationPCR TPMLPCRSelection
}

// Command implements the Command interface.
func (Create) Command() TPMCC { return TPMCCCreate }

// Execute executes the command and returns the response.
func (cmd Create) Execute(t transport.TPM, s ...Session) (*CreateResponse, error) {
	var rsp CreateResponse
	if err := execute[CreateResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// CreateResponse is the response from TPM2_Create.
type CreateResponse struct {
	// the private portion of the object
	OutPrivate TPM2BPrivate
	// the public portion of the created object
	OutPublic TPM2BPublic
	// contains a TPMS_CREATION_DATA
	CreationData tpm2bCreationData
	// digest of creationData using nameAlg of outPublic
	CreationHash TPM2BDigest
	// ticket used by TPM2_CertifyCreation() to validate that the
	// creation data was produced by the TPM.
	CreationTicket TPMTTKCreation
}

// Load is the input to TPM2_Load.
// See definition in Part 3, Commands, section 12.2
type Load struct {
	// handle of parent for new object
	ParentHandle handle `gotpm:"handle,auth"`
	// the private portion of the object
	InPrivate TPM2BPrivate
	// the public portion of the object
	InPublic TPM2BPublic
}

// Command implements the Command interface.
func (Load) Command() TPMCC { return TPMCCLoad }

// Execute executes the command and returns the response.
func (cmd Load) Execute(t transport.TPM, s ...Session) (*LoadResponse, error) {
	var rsp LoadResponse
	if err := execute[LoadResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// LoadResponse is the response from TPM2_Load.
type LoadResponse struct {
	// handle of type TPM_HT_TRANSIENT for loaded object
	ObjectHandle TPMHandle `gotpm:"handle"`
	// Name of the loaded object
	Name TPM2BName
}

// LoadExternal is the input to TPM2_LoadExternal.
// See definition in Part 3, Commands, section 12.3
type LoadExternal struct {
	// the sensitive portion of the object (optional)
	InPrivate TPM2BSensitive `gotpm:"optional"`
	// the public portion of the object
	InPublic TPM2BPublic
	// hierarchy with which the object area is associated
	Hierarchy TPMIRHHierarchy `gotpm:"nullable"`
}

// Command implements the Command interface.
func (LoadExternal) Command() TPMCC { return TPMCCLoadExternal }

// Execute executes the command and returns the response.
func (cmd LoadExternal) Execute(t transport.TPM, s ...Session) (*LoadExternalResponse, error) {
	var rsp LoadExternalResponse
	if err := execute[LoadExternalResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// LoadExternalResponse is the response from TPM2_LoadExternal.
type LoadExternalResponse struct {
	// handle of type TPM_HT_TRANSIENT for loaded object
	ObjectHandle TPMHandle `gotpm:"handle"`
	// Name of the loaded object
	Name TPM2BName
}

// ReadPublic is the input to TPM2_ReadPublic.
// See definition in Part 3, Commands, section 12.4
type ReadPublic struct {
	// TPM handle of an object
	ObjectHandle handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (ReadPublic) Command() TPMCC { return TPMCCReadPublic }

// Execute executes the command and returns the response.
func (cmd ReadPublic) Execute(t transport.TPM, s ...Session) (*ReadPublicResponse, error) {
	var rsp ReadPublicResponse
	if err := execute[ReadPublicResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ReadPublicResponse is the response from TPM2_ReadPublic.
type ReadPublicResponse struct {
	// structure containing the public area of an object
	OutPublic TPM2BPublic
	// name of object
	Name TPM2BName
	// the Qualified Name of the object
	QualifiedName TPM2BName
}

// ActivateCredential is the input to TPM2_ActivateCredential.
// See definition in Part 3, Commands, section 12.5.
type ActivateCredential struct {
	// handle of the object associated with certificate in credentialBlob
	ActivateHandle handle `gotpm:"handle,auth"`
	// loaded key used to decrypt the TPMS_SENSITIVE in credentialBlob
	KeyHandle handle `gotpm:"handle,auth"`
	// the credential
	CredentialBlob TPM2BIDObject
	// keyHandle algorithm-dependent encrypted seed that protects credentialBlob
	Secret TPM2BEncryptedSecret
}

// Command implements the Command interface.
func (ActivateCredential) Command() TPMCC { return TPMCCActivateCredential }

// Execute executes the command and returns the response.
func (cmd ActivateCredential) Execute(t transport.TPM, s ...Session) (*ActivateCredentialResponse, error) {
	var rsp ActivateCredentialResponse
	if err := execute[ActivateCredentialResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ActivateCredentialResponse is the response from TPM2_ActivateCredential.
type ActivateCredentialResponse struct {
	// the decrypted certificate information
	CertInfo TPM2BDigest
}

// MakeCredential is the input to TPM2_MakeCredential.
// See definition in Part 3, Commands, section 12.6.
type MakeCredential struct {
	// loaded public area, used to encrypt the sensitive area containing the credential key
	Handle TPMIDHObject `gotpm:"handle"`
	// the credential information
	Credential TPM2BDigest
	// Name of the object to which the credential applies
	ObjectName TPM2BName
}

// Command implements the Command interface.
func (MakeCredential) Command() TPMCC { return TPMCCMakeCredential }

// Execute executes the command and returns the response.
func (cmd MakeCredential) Execute(t transport.TPM, s ...Session) (*MakeCredentialResponse, error) {
	var rsp MakeCredentialResponse
	if err := execute[MakeCredentialResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// MakeCredentialResponse is the response from TPM2_MakeCredential.
type MakeCredentialResponse struct {
	// the credential
	CredentialBlob TPM2BIDObject
	// handle algorithm-dependent data that wraps the key that encrypts credentialBlob
	Secret TPM2BEncryptedSecret
}

// Unseal is the input to TPM2_Unseal.
// See definition in Part 3, Commands, section 12.7
type Unseal struct {
	ItemHandle handle `gotpm:"handle,auth"`
}

// Command implements the Command interface.
func (Unseal) Command() TPMCC { return TPMCCUnseal }

// Execute executes the command and returns the response.
func (cmd Unseal) Execute(t transport.TPM, s ...Session) (*UnsealResponse, error) {
	var rsp UnsealResponse
	if err := execute[UnsealResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// UnsealResponse is the response from TPM2_Unseal.
type UnsealResponse struct {
	OutData TPM2BSensitiveData
}

// ObjectChangeAuth is the input to TPM2_ObjectChangeAuth.
// See definition in Part 3, Commands, section 12.8
type ObjectChangeAuth struct {
	// TPM handle of an object
	ObjectHandle handle `gotpm:"handle,auth"`
	// handle of the parent
	ParentHandle handle `gotpm:"handle"`
	// new authorization value
	NewAuth TPM2BAuth
}

// Command implements the Command interface.
func (ObjectChangeAuth) Command() TPMCC { return TPMCCObjectChangeAuth }

// Execute executes the command and returns the response.
func (cmd ObjectChangeAuth) Execute(t transport.TPM, s ...Session) (*ObjectChangeAuthResponse, error) {
	var rsp ObjectChangeAuthResponse
	if err := execute[ObjectChangeAuthResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ObjectChangeAuthResponse the response from TPM2_ObjectChangeAuth.
type ObjectChangeAuthResponse struct {
	// private area containing the new authorization value
	OutPrivate TPM2BPrivate
}

// CreateLoaded is the input to TPM2_CreateLoaded.
// See definition in Part 3, Commands, section 12.9
type CreateLoaded struct {
	// Handle of a transient storage key, a persistent storage key,
	// TPM_RH_ENDORSEMENT, TPM_RH_OWNER, TPM_RH_PLATFORM+{PP}, or TPM_RH_NULL
	ParentHandle handle `gotpm:"handle,auth"`
	// the sensitive data, see TPM 2.0 Part 1 Sensitive Values
	InSensitive TPM2BSensitiveCreate
	// the public template
	InPublic TPM2BTemplate
}

// Command implements the Command interface.
func (CreateLoaded) Command() TPMCC { return TPMCCCreateLoaded }

// Execute executes the command and returns the response.
func (cmd CreateLoaded) Execute(t transport.TPM, s ...Session) (*CreateLoadedResponse, error) {
	var rsp CreateLoadedResponse
	if err := execute[CreateLoadedResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// CreateLoadedResponse is the response from TPM2_CreateLoaded.
type CreateLoadedResponse struct {
	// handle of type TPM_HT_TRANSIENT for loaded object
	ObjectHandle TPMHandle `gotpm:"handle"`
	// the sensitive area of the object (optional)
	OutPrivate TPM2BPrivate `gotpm:"optional"`
	// the public portion of the created object
	OutPublic TPM2BPublic
	// the name of the created object
	Name TPM2BName
}

// EncryptDecrypt2 is the input to TPM2_EncryptDecrypt2
type EncryptDecrypt2 struct {
	// reference to public portion of symmetric key to use for encryption
	KeyHandle handle `gotpm:"handle,auth"`
	Message   TPM2BMaxBuffer
	Decrypt   TPMIYesNo
	Mode      TPMIAlgSymMode `gotpm:"nullable"`
	IV        TPM2BIV
}

// Command implements the Command interface.
func (EncryptDecrypt2) Command() TPMCC { return TPMCCEncryptDecrypt2 }

// Execute executes the command and returns the response.
func (cmd EncryptDecrypt2) Execute(t transport.TPM, s ...Session) (*EncryptDecrypt2Response, error) {
	var rsp EncryptDecrypt2Response
	err := execute[EncryptDecrypt2Response](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// EncryptDecrypt2Response is the response from TPM2_EncryptDecrypt2.
type EncryptDecrypt2Response struct {
	OutData TPM2BMaxBuffer
	IV      TPM2BIV
}

// RSAEncrypt is the input to TPM2_RSA_Encrypt
// See definition in Part 3, Commands, section 14.2.
type RSAEncrypt struct {
	// reference to public portion of RSA key to use for encryption
	KeyHandle handle `gotpm:"handle"`
	// message to be encrypted
	Message TPM2BPublicKeyRSA
	// the padding scheme to use if scheme associated with keyHandle is TPM_ALG_NULL
	InScheme TPMTRSADecrypt `gotpm:"nullable"`
	// optional label L to be associated with the message
	Label TPM2BData `gotpm:"optional"`
}

// Command implements the Command interface.
func (RSAEncrypt) Command() TPMCC { return TPMCCRSAEncrypt }

// Execute executes the command and returns the response.
func (cmd RSAEncrypt) Execute(t transport.TPM, s ...Session) (*RSAEncryptResponse, error) {
	var rsp RSAEncryptResponse
	if err := execute[RSAEncryptResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// RSAEncryptResponse is the response from TPM2_RSA_Encrypt
type RSAEncryptResponse struct {
	// encrypted output
	OutData TPM2BPublicKeyRSA
}

// RSADecrypt is the input to TPM2_RSA_Decrypt
// See definition in Part 3, Commands, section 14.3.
type RSADecrypt struct {
	// RSA key to use for decryption
	KeyHandle handle `gotpm:"handle,auth"`
	// cipher text to be decrypted
	CipherText TPM2BPublicKeyRSA
	// the padding scheme to use if scheme associated with keyHandle is TPM_ALG_NULL
	InScheme TPMTRSADecrypt `gotpm:"nullable"`
	// label whose association with the message is to be verified
	Label TPM2BData `gotpm:"optional"`
}

// Command implements the Command interface.
func (RSADecrypt) Command() TPMCC { return TPMCCRSADecrypt }

// Execute executes the command and returns the response.
func (cmd RSADecrypt) Execute(t transport.TPM, s ...Session) (*RSADecryptResponse, error) {
	var rsp RSADecryptResponse
	if err := execute[RSADecryptResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// RSADecryptResponse is the response from TPM2_RSA_Decrypt
type RSADecryptResponse struct {
	// decrypted output
	Message TPM2BPublicKeyRSA
}

// ECDHZGen is the input to TPM2_ECDHZGen.
// See definition in Part 3, Commands, section 14.5
type ECDHZGen struct {
	// handle of a loaded ECC key
	KeyHandle handle `gotpm:"handle,auth"`
	// a public key
	InPoint TPM2BECCPoint
}

// Command implements the Command interface.
func (ECDHZGen) Command() TPMCC { return TPMCCECDHZGen }

// Execute executes the command and returns the response.
func (cmd ECDHZGen) Execute(t transport.TPM, s ...Session) (*ECDHZGenResponse, error) {
	var rsp ECDHZGenResponse
	if err := execute[ECDHZGenResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ECDHZGenResponse is the response from TPM2_ECDHZGen.
type ECDHZGenResponse struct {
	// X and Y coordinates of the product of the multiplication
	OutPoint TPM2BECCPoint
}

// Hash is the input to TPM2_Hash.
// See definition in Part 3, Commands, section 15.4
type Hash struct {
	//data to be hashed
	Data TPM2BMaxBuffer
	// algorithm for the hash being computed - shall not be TPM_ALH_NULL
	HashAlg TPMIAlgHash
	// hierarchy to use for the ticket (TPM_RH_NULL_allowed)
	Hierarchy TPMIRHHierarchy `gotpm:"nullable"`
}

// Command implements the Command interface.
func (Hash) Command() TPMCC { return TPMCCHash }

// Execute executes the command and returns the response.
func (cmd Hash) Execute(t transport.TPM, s ...Session) (*HashResponse, error) {
	var rsp HashResponse
	if err := execute[HashResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// HashResponse is the response from TPM2_Hash.
type HashResponse struct {
	// results
	OutHash TPM2BDigest
	// ticket indicating that the sequence of octets used to
	// compute outDigest did not start with TPM_GENERATED_VALUE
	Validation TPMTTKHashCheck
}

// Hmac is the input to TPM2_HMAC.
// See definition in Part 3, Commands, section 15.5.
type Hmac struct {
	// HMAC key handle requiring an authorization session for the USER role
	Handle AuthHandle `gotpm:"handle,auth"`
	// HMAC data
	Buffer TPM2BMaxBuffer
	// Algorithm to use for HMAC
	HashAlg TPMIAlgHash
}

// Command implements the Command interface.
func (Hmac) Command() TPMCC { return TPMCCHMAC }

// Execute executes the command and returns the response.
func (cmd Hmac) Execute(t transport.TPM, s ...Session) (*HmacResponse, error) {
	var rsp HmacResponse
	if err := execute[HmacResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// HmacResponse is the response from TPM2_HMAC.
type HmacResponse struct {
	// the returned HMAC in a sized buffer
	OutHMAC TPM2BDigest
}

// GetRandom is the input to TPM2_GetRandom.
// See definition in Part 3, Commands, section 16.1
type GetRandom struct {
	// number of octets to return
	BytesRequested uint16
}

// Command implements the Command interface.
func (GetRandom) Command() TPMCC { return TPMCCGetRandom }

// Execute executes the command and returns the response.
func (cmd GetRandom) Execute(t transport.TPM, s ...Session) (*GetRandomResponse, error) {
	var rsp GetRandomResponse
	if err := execute[GetRandomResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// GetRandomResponse is the response from TPM2_GetRandom.
type GetRandomResponse struct {
	// the random octets
	RandomBytes TPM2BDigest
}

// HashSequenceStart is the input to TPM2_HashSequenceStart.
// See definition in Part 3, Commands, section 17.3
type HashSequenceStart struct {
	// authorization value for subsequent use of the sequence
	Auth TPM2BAuth
	// the hash algorithm to use for the hash sequence
	// An Event Sequence starts if this is TPM_ALG_NULL.
	HashAlg TPMIAlgHash
}

// Command implements the Command interface.
func (HashSequenceStart) Command() TPMCC { return TPMCCHashSequenceStart }

// Execute executes the command and returns the response.
func (cmd HashSequenceStart) Execute(t transport.TPM, s ...Session) (*HashSequenceStartResponse, error) {
	var rsp HashSequenceStartResponse
	if err := execute[HashSequenceStartResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// HashSequenceStartResponse is the response from TPM2_StartHashSequence.
type HashSequenceStartResponse struct {
	// a handle to reference the sequence
	SequenceHandle TPMIDHObject
}

// HmacStart is the input to TPM2_HMAC_Start.
// See definition in Part 3, Commands, section 17.2.2
type HmacStart struct {
	// HMAC key handle
	Handle handle `gotpm:"handle,auth"`
	// authorization value for subsequent use of the sequence
	Auth TPM2BAuth
	// the hash algorithm to use for the hmac sequence
	HashAlg TPMIAlgHash `gotpm:"nullable"`
}

// Command implements the Command interface.
func (HmacStart) Command() TPMCC { return TPMCCHMACStart }

// Execute executes the command and returns the response.
func (cmd HmacStart) Execute(t transport.TPM, s ...Session) (*HmacStartResponse, error) {
	var rsp HmacStartResponse
	if err := execute[HmacStartResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// HmacStartResponse is the response from TPM2_HMAC_Start.
// See definition in Part 3, Commands, section 17.2.2
type HmacStartResponse struct {
	// a handle to reference the sequence
	SequenceHandle TPMIDHObject `gotpm:"handle"`
}

// SequenceUpdate is the input to TPM2_SequenceUpdate.
// See definition in Part 3, Commands, section 17.4
type SequenceUpdate struct {
	// handle for the sequence object
	SequenceHandle handle `gotpm:"handle,auth,anon"`
	// data to be added to hash
	Buffer TPM2BMaxBuffer
}

// Command implements the Command interface.
func (SequenceUpdate) Command() TPMCC { return TPMCCSequenceUpdate }

// Execute executes the command and returns the response.
func (cmd SequenceUpdate) Execute(t transport.TPM, s ...Session) (*SequenceUpdateResponse, error) {
	var rsp SequenceUpdateResponse
	if err := execute[SequenceUpdateResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// SequenceUpdateResponse is the response from TPM2_SequenceUpdate.
type SequenceUpdateResponse struct{}

// SequenceComplete is the input to TPM2_SequenceComplete.
// See definition in Part 3, Commands, section 17.5
type SequenceComplete struct {
	// authorization for the sequence
	SequenceHandle handle `gotpm:"handle,auth,anon"`
	// data to be added to the hash/HMAC
	Buffer TPM2BMaxBuffer
	// hierarchy of the ticket for a hash
	Hierarchy TPMIRHHierarchy `gotpm:"nullable"`
}

// Command implements the Command interface.
func (SequenceComplete) Command() TPMCC { return TPMCCSequenceComplete }

// Execute executes the command and returns the response.
func (cmd SequenceComplete) Execute(t transport.TPM, s ...Session) (*SequenceCompleteResponse, error) {
	var rsp SequenceCompleteResponse
	if err := execute[SequenceCompleteResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// SequenceCompleteResponse is the response from TPM2_SequenceComplete.
type SequenceCompleteResponse struct {
	// the returned HMAC or digest in a sized buffer
	Result TPM2BDigest
	// 	ticket indicating that the sequence of octets used to
	// compute outDigest did not start with TPM_GENERATED_VALUE
	Validation TPMTTKHashCheck
}

// Certify is the input to TPM2_Certify.
// See definition in Part 3, Commands, section 18.2.
type Certify struct {
	// handle of the object to be certified
	ObjectHandle handle `gotpm:"handle,auth"`
	// handle of the key used to sign the attestation structure
	SignHandle handle `gotpm:"handle,auth"`
	// user provided qualifying data
	QualifyingData TPM2BData
	// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
	InScheme TPMTSigScheme
}

// Command implements the Command interface.
func (Certify) Command() TPMCC { return TPMCCCertify }

// Execute executes the command and returns the response.
func (cmd Certify) Execute(t transport.TPM, s ...Session) (*CertifyResponse, error) {
	var rsp CertifyResponse
	if err := execute[CertifyResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// CertifyResponse is the response from TPM2_Certify.
type CertifyResponse struct {
	// the structure that was signed
	CertifyInfo TPM2BAttest
	// the asymmetric signature over certifyInfo using the key referenced by signHandle
	Signature TPMTSignature
}

// CertifyCreation is the input to TPM2_CertifyCreation.
// See definition in Part 3, Commands, section 18.3.
type CertifyCreation struct {
	// handle of the key that will sign the attestation block
	SignHandle handle `gotpm:"handle,auth"`
	// the object associated with the creation data
	ObjectHandle handle `gotpm:"handle"`
	// user-provided qualifying data
	QualifyingData TPM2BData
	// hash of the creation data produced by TPM2_Create() or TPM2_CreatePrimary()
	CreationHash TPM2BDigest
	// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
	InScheme TPMTSigScheme
	// ticket produced by TPM2_Create() or TPM2_CreatePrimary()
	CreationTicket TPMTTKCreation
}

// Command implements the Command interface.
func (CertifyCreation) Command() TPMCC { return TPMCCCertifyCreation }

// Execute executes the command and returns the response.
func (cmd CertifyCreation) Execute(t transport.TPM, s ...Session) (*CertifyCreationResponse, error) {
	var rsp CertifyCreationResponse
	if err := execute[CertifyCreationResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// CertifyCreationResponse is the response from TPM2_CertifyCreation.
type CertifyCreationResponse struct {
	// the structure that was signed
	CertifyInfo TPM2BAttest
	// the signature over certifyInfo
	Signature TPMTSignature
}

// Quote is the input to TPM2_Quote.
// See definition in Part 3, Commands, section 18.4
type Quote struct {
	// handle of key that will perform signature
	SignHandle handle `gotpm:"handle,auth"`
	// data supplied by the caller
	QualifyingData TPM2BData
	// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
	InScheme TPMTSigScheme
	// PCR set to quote
	PCRSelect TPMLPCRSelection
}

// Command implements the Command interface.
func (Quote) Command() TPMCC { return TPMCCQuote }

// Execute executes the command and returns the response.
func (cmd Quote) Execute(t transport.TPM, s ...Session) (*QuoteResponse, error) {
	var rsp QuoteResponse
	if err := execute[QuoteResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// QuoteResponse is the response from TPM2_Quote.
type QuoteResponse struct {
	// the quoted information
	Quoted TPM2BAttest
	// the signature over quoted
	Signature TPMTSignature
}

// GetSessionAuditDigest is the input to TPM2_GetSessionAuditDigest.
// See definition in Part 3, Commands, section 18.5
type GetSessionAuditDigest struct {
	// handle of the privacy administrator (TPM_RH_ENDORSEMENT)
	PrivacyAdminHandle handle `gotpm:"handle,auth"`
	// handle of the signing key
	SignHandle handle `gotpm:"handle,auth"`
	// handle of the audit session
	SessionHandle handle `gotpm:"handle"`
	// user-provided qualifying data – may be zero-length
	QualifyingData TPM2BData
	// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
	InScheme TPMTSigScheme
}

// Command implements the Command interface.
func (GetSessionAuditDigest) Command() TPMCC { return TPMCCGetSessionAuditDigest }

// Execute executes the command and returns the response.
func (cmd GetSessionAuditDigest) Execute(t transport.TPM, s ...Session) (*GetSessionAuditDigestResponse, error) {
	var rsp GetSessionAuditDigestResponse
	if err := execute[GetSessionAuditDigestResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// GetSessionAuditDigestResponse is the response from
// TPM2_GetSessionAuditDigest.
type GetSessionAuditDigestResponse struct {
	// the audit information that was signed
	AuditInfo TPM2BAttest
	// the signature over auditInfo
	Signature TPMTSignature
}

// Commit is the input to TPM2_Commit.
// See definition in Part 3, Commands, section 19.2.
type Commit struct {
	// handle of the key that will be used in the signing operation
	SignHandle handle `gotpm:"handle,auth"`
	// a point (M) on the curve used by signHandle
	P1 TPM2BECCPoint
	// octet array used to derive x-coordinate of a base point
	S2 TPM2BSensitiveData
	// y coordinate of the point associated with s2
	Y2 TPM2BECCParameter
}

// Command implements the Command interface.
func (Commit) Command() TPMCC { return TPMCCCommit }

// Execute executes the command and returns the response.
func (cmd Commit) Execute(t transport.TPM, s ...Session) (*CommitResponse, error) {
	var rsp CommitResponse
	if err := execute[CommitResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}

	return &rsp, nil
}

// CommitResponse is the response from TPM2_Commit.
type CommitResponse struct {
	// ECC point K ≔ [ds](x2, y2)
	K TPM2BECCPoint
	// ECC point L ≔ [r](x2, y2)
	L TPM2BECCPoint
	// ECC point E ≔ [r]P1
	E TPM2BECCPoint
	// least-significant 16 bits of commitCount
	Counter uint16
}

// VerifySignature is the input to TPM2_VerifySignature.
// See definition in Part 3, Commands, section 20.1
type VerifySignature struct {
	// handle of public key that will be used in the validation
	KeyHandle handle `gotpm:"handle"`
	// digest of the signed message
	Digest TPM2BDigest
	// signature to be tested
	Signature TPMTSignature
}

// Command implements the Command interface.
func (VerifySignature) Command() TPMCC { return TPMCCVerifySignature }

// Execute executes the command and returns the response.
func (cmd VerifySignature) Execute(t transport.TPM, s ...Session) (*VerifySignatureResponse, error) {
	var rsp VerifySignatureResponse
	if err := execute[VerifySignatureResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// VerifySignatureResponse is the response from TPM2_VerifySignature.
type VerifySignatureResponse struct {
	Validation TPMTTKVerified
}

// Sign is the input to TPM2_Sign.
// See definition in Part 3, Commands, section 20.2.
type Sign struct {
	// Handle of key that will perform signing
	KeyHandle handle `gotpm:"handle,auth"`
	// digest to be signed
	Digest TPM2BDigest
	// signing scheme to use if the scheme for keyHandle is TPM_ALG_NULL
	InScheme TPMTSigScheme `gotpm:"nullable"`
	// proof that digest was created by the TPM.
	// If keyHandle is not a restricted signing key, then this
	// may be a NULL Ticket with tag = TPM_ST_CHECKHASH.
	Validation TPMTTKHashCheck
}

// Command implements the Command interface.
func (Sign) Command() TPMCC { return TPMCCSign }

// Execute executes the command and returns the response.
func (cmd Sign) Execute(t transport.TPM, s ...Session) (*SignResponse, error) {
	var rsp SignResponse
	if err := execute[SignResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// SignResponse is the response from TPM2_Sign.
type SignResponse struct {
	// the signature
	Signature TPMTSignature
}

// PCRExtend is the input to TPM2_PCR_Extend.
// See definition in Part 3, Commands, section 22.2
type PCRExtend struct {
	// handle of the PCR
	PCRHandle handle `gotpm:"handle,auth"`
	// list of tagged digest values to be extended
	Digests TPMLDigestValues
}

// Command implements the Command interface.
func (PCRExtend) Command() TPMCC { return TPMCCPCRExtend }

// Execute executes the command and returns the response.
func (cmd PCRExtend) Execute(t transport.TPM, s ...Session) (*PCRExtendResponse, error) {
	var rsp PCRExtendResponse
	err := execute[PCRExtendResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// PCRExtendResponse is the response from TPM2_PCR_Extend.
type PCRExtendResponse struct{}

// PCREvent is the input to TPM2_PCR_Event.
// See definition in Part 3, Commands, section 22.3
type PCREvent struct {
	// Handle of the PCR
	PCRHandle handle `gotpm:"handle,auth"`
	// Event data in sized buffer
	EventData TPM2BEvent
}

// Command implements the Command interface.
func (PCREvent) Command() TPMCC { return TPMCCPCREvent }

// Execute executes the command and returns the response.
func (cmd PCREvent) Execute(t transport.TPM, s ...Session) (*PCREventResponse, error) {
	var rsp PCREventResponse
	err := execute[PCREventResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// PCREventResponse is the response from TPM2_PCR_Event.
type PCREventResponse struct{}

// PCRRead is the input to TPM2_PCR_Read.
// See definition in Part 3, Commands, section 22.4
type PCRRead struct {
	// The selection of PCR to read
	PCRSelectionIn TPMLPCRSelection
}

// Command implements the Command interface.
func (PCRRead) Command() TPMCC { return TPMCCPCRRead }

// Execute executes the command and returns the response.
func (cmd PCRRead) Execute(t transport.TPM, s ...Session) (*PCRReadResponse, error) {
	var rsp PCRReadResponse
	if err := execute[PCRReadResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// PCRReadResponse is the response from TPM2_PCR_Read.
type PCRReadResponse struct {
	// the current value of the PCR update counter
	PCRUpdateCounter uint32
	// the PCR in the returned list
	PCRSelectionOut TPMLPCRSelection
	// the contents of the PCR indicated in pcrSelectOut-> pcrSelection[] as tagged digests
	PCRValues TPMLDigest
}

// PCRReset is the input to TPM2_PCRReset.
// See definition in Part 3, Commands, section 22.8.
type PCRReset struct {
	// the PCR to reset
	PCRHandle handle `gotpm:"handle,auth"`
}

// Command implements the Command interface.
func (PCRReset) Command() TPMCC { return TPMCCPCRReset }

// Execute executes the command and returns the response.
func (cmd PCRReset) Execute(t transport.TPM, s ...Session) (*PCRResetResponse, error) {
	var rsp PCRResetResponse
	if err := execute[PCRResetResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// PCRResetResponse is the response from TPM2_PCRReset.
type PCRResetResponse struct{}

// PolicySigned is the input to TPM2_PolicySigned.
// See definition in Part 3, Commands, section 23.3.
type PolicySigned struct {
	// handle for an entity providing the authorization
	AuthObject handle `gotpm:"handle"`
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	// the policy nonce for the session
	NonceTPM TPM2BNonce
	// digest of the command parameters to which this authorization is limited
	CPHashA TPM2BDigest
	// a reference to a policy relating to the authorization – may be the Empty Buffer
	PolicyRef TPM2BNonce
	// time when authorization will expire, measured in seconds from the time
	// that nonceTPM was generated
	Expiration int32
	// signed authorization (not optional)
	Auth TPMTSignature
}

// Command implements the Command interface.
func (PolicySigned) Command() TPMCC { return TPMCCPolicySigned }

// Execute executes the command and returns the response.
func (cmd PolicySigned) Execute(t transport.TPM, s ...Session) (*PolicySignedResponse, error) {
	var rsp PolicySignedResponse
	if err := execute[PolicySignedResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// policyUpdate implements the PolicyUpdate helper for the several TPM policy
// commands as described in Part 3, 23.2.3.
func policyUpdate(policy *PolicyCalculator, cc TPMCC, arg2, arg3 []byte) error {
	if err := policy.Update(cc, arg2); err != nil {
		return err
	}
	return policy.Update(arg3)
}

// Update implements the PolicyCommand interface.
func (cmd PolicySigned) Update(policy *PolicyCalculator) error {
	return policyUpdate(policy, TPMCCPolicySigned, cmd.AuthObject.KnownName().Buffer, cmd.PolicyRef.Buffer)
}

// PolicySignedResponse is the response from TPM2_PolicySigned.
type PolicySignedResponse struct {
	// implementation-specific time value used to indicate to the TPM when the ticket expires
	Timeout TPM2BTimeout
	// produced if the command succeeds and expiration in the command was non-zero
	PolicyTicket TPMTTKAuth
}

// PolicySecret is the input to TPM2_PolicySecret.
// See definition in Part 3, Commands, section 23.4.
type PolicySecret struct {
	// handle for an entity providing the authorization
	AuthHandle handle `gotpm:"handle,auth"`
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	// the policy nonce for the session
	NonceTPM TPM2BNonce
	// digest of the command parameters to which this authorization is limited
	CPHashA TPM2BDigest
	// a reference to a policy relating to the authorization – may be the Empty Buffer
	PolicyRef TPM2BNonce
	// time when authorization will expire, measured in seconds from the time
	// that nonceTPM was generated
	Expiration int32
}

// Command implements the Command interface.
func (PolicySecret) Command() TPMCC { return TPMCCPolicySecret }

// Execute executes the command and returns the response.
func (cmd PolicySecret) Execute(t transport.TPM, s ...Session) (*PolicySecretResponse, error) {
	var rsp PolicySecretResponse
	if err := execute[PolicySecretResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyCommand interface.
func (cmd PolicySecret) Update(policy *PolicyCalculator) error {
	return policyUpdate(policy, TPMCCPolicySecret, cmd.AuthHandle.KnownName().Buffer, cmd.PolicyRef.Buffer)
}

// PolicySecretResponse is the response from TPM2_PolicySecret.
type PolicySecretResponse struct {
	// implementation-specific time value used to indicate to the TPM when the ticket expires
	Timeout TPM2BTimeout
	// produced if the command succeeds and expiration in the command was non-zero
	PolicyTicket TPMTTKAuth
}

// PolicyOr is the input to TPM2_PolicyOR.
// See definition in Part 3, Commands, section 23.6.
type PolicyOr struct {
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	// the list of hashes to check for a match
	PHashList TPMLDigest
}

// Command implements the Command interface.
func (PolicyOr) Command() TPMCC { return TPMCCPolicyOR }

// Execute executes the command and returns the response.
func (cmd PolicyOr) Execute(t transport.TPM, s ...Session) (*PolicyOrResponse, error) {
	var rsp PolicyOrResponse
	err := execute[PolicyOrResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyCommand interface.
func (cmd PolicyOr) Update(policy *PolicyCalculator) error {
	policy.Reset()
	var digests bytes.Buffer
	for _, digest := range cmd.PHashList.Digests {
		digests.Write(digest.Buffer)
	}
	return policy.Update(TPMCCPolicyOR, digests.Bytes())
}

// PolicyOrResponse is the response from TPM2_PolicyOr.
type PolicyOrResponse struct{}

// PolicyPCR is the input to TPM2_PolicyPCR.
// See definition in Part 3, Commands, section 23.7.
type PolicyPCR struct {
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	// expected digest value of the selected PCR using the
	// hash algorithm of the session; may be zero length
	PcrDigest TPM2BDigest
	// the PCR to include in the check digest
	Pcrs TPMLPCRSelection
}

// Command implements the Command interface.
func (PolicyPCR) Command() TPMCC { return TPMCCPolicyPCR }

// Execute executes the command and returns the response.
func (cmd PolicyPCR) Execute(t transport.TPM, s ...Session) (*PolicyPCRResponse, error) {
	var rsp PolicyPCRResponse
	err := execute[PolicyPCRResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyCommand interface.
func (cmd PolicyPCR) Update(policy *PolicyCalculator) error {
	return policy.Update(TPMCCPolicyPCR, cmd.Pcrs, cmd.PcrDigest.Buffer)
}

// PolicyPCRResponse is the response from TPM2_PolicyPCR.
type PolicyPCRResponse struct{}

// PolicyAuthValue is the input to TPM2_PolicyAuthValue.
// See definition in Part 3, Commands, section 23.17.
type PolicyAuthValue struct {
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (PolicyAuthValue) Command() TPMCC { return TPMCCPolicyAuthValue }

// Execute executes the command and returns the response.
func (cmd PolicyAuthValue) Execute(t transport.TPM, s ...Session) (*PolicyAuthValueResponse, error) {
	var rsp PolicyAuthValueResponse
	err := execute[PolicyAuthValueResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyAuthValue interface.
func (cmd PolicyAuthValue) Update(policy *PolicyCalculator) error {
	return policy.Update(TPMCCPolicyAuthValue)
}

// PolicyAuthValueResponse is the response from TPM2_PolicyAuthValue.
type PolicyAuthValueResponse struct{}

// PolicyDuplicationSelect is the input to TPM2_PolicyDuplicationSelect.
// See definition in Part 3, Commands, section 23.15.
type PolicyDuplicationSelect struct {
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	ObjectName    TPM2BName
	NewParentName TPM2BName
	IncludeObject TPMIYesNo
}

// Command implements the Command interface.
func (PolicyDuplicationSelect) Command() TPMCC { return TPMCCPolicyDuplicationSelect }

// Execute executes the command and returns the response.
func (cmd PolicyDuplicationSelect) Execute(t transport.TPM, s ...Session) (*PolicyDuplicationSelectResponse, error) {
	var rsp PolicyDuplicationSelectResponse
	err := execute[PolicyDuplicationSelectResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyDuplicationSelect interface.
func (cmd PolicyDuplicationSelect) Update(policy *PolicyCalculator) error {
	if cmd.IncludeObject {
		return policy.Update(TPMCCPolicyDuplicationSelect, cmd.ObjectName.Buffer, cmd.NewParentName.Buffer, cmd.IncludeObject)
	}
	return policy.Update(TPMCCPolicyDuplicationSelect, cmd.NewParentName.Buffer, cmd.IncludeObject)
}

// PolicyDuplicationSelectResponse is the response from TPM2_PolicyDuplicationSelect.
type PolicyDuplicationSelectResponse struct{}

// PolicyNV is the input to TPM2_PolicyNV.
// See definition in Part 3, Commands, section 23.9.
type PolicyNV struct {
	// handle indicating the source of the authorization value
	AuthHandle handle `gotpm:"handle,auth"`
	// the NV Index of the area to read
	NVIndex handle `gotpm:"handle"`
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	// the second operand
	OperandB TPM2BOperand
	// the octet offset in the NV Index for the start of operand A
	Offset uint16
	// the comparison to make
	Operation TPMEO
}

// Command implements the Command interface.
func (PolicyNV) Command() TPMCC { return TPMCCPolicyNV }

// Execute executes the command and returns the response.
func (cmd PolicyNV) Execute(t transport.TPM, s ...Session) (*PolicyNVResponse, error) {
	var rsp PolicyNVResponse
	err := execute[PolicyNVResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyCommand interface.
func (cmd PolicyNV) Update(policy *PolicyCalculator) error {
	alg, err := policy.alg.Hash()
	if err != nil {
		return err
	}
	h := alg.New()
	h.Write(cmd.OperandB.Buffer)
	binary.Write(h, binary.BigEndian, cmd.Offset)
	binary.Write(h, binary.BigEndian, cmd.Operation)
	args := h.Sum(nil)
	return policy.Update(TPMCCPolicyNV, args, cmd.NVIndex.KnownName().Buffer)
}

// PolicyNVResponse is the response from TPM2_PolicyPCR.
type PolicyNVResponse struct{}

// PolicyCommandCode is the input to TPM2_PolicyCommandCode.
// See definition in Part 3, Commands, section 23.11.
type PolicyCommandCode struct {
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	// the allowed commandCode
	Code TPMCC
}

// Command implements the Command interface.
func (PolicyCommandCode) Command() TPMCC { return TPMCCPolicyCommandCode }

// Execute executes the command and returns the response.
func (cmd PolicyCommandCode) Execute(t transport.TPM, s ...Session) (*PolicyCommandCodeResponse, error) {
	var rsp PolicyCommandCodeResponse
	err := execute[PolicyCommandCodeResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyCommand interface.
func (cmd PolicyCommandCode) Update(policy *PolicyCalculator) error {
	return policy.Update(TPMCCPolicyCommandCode, cmd.Code)
}

// PolicyCommandCodeResponse is the response from TPM2_PolicyCommandCode.
type PolicyCommandCodeResponse struct{}

// PolicyCPHash is the input to TPM2_PolicyCpHash.
// See definition in Part 3, Commands, section 23.13.
type PolicyCPHash struct {
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	// the cpHash added to the policy
	CPHashA TPM2BDigest
}

// Command implements the Command interface.
func (PolicyCPHash) Command() TPMCC { return TPMCCPolicyCpHash }

// Execute executes the command and returns the response.
func (cmd PolicyCPHash) Execute(t transport.TPM, s ...Session) (*PolicyCPHashResponse, error) {
	var rsp PolicyCPHashResponse
	err := execute[PolicyCPHashResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyCommand interface.
func (cmd PolicyCPHash) Update(policy *PolicyCalculator) error {
	return policy.Update(TPMCCPolicyCpHash, cmd.CPHashA.Buffer)
}

// PolicyCPHashResponse is the response from TPM2_PolicyCpHash.
type PolicyCPHashResponse struct{}

// PolicyAuthorize is the input to TPM2_PolicySigned.
// See definition in Part 3, Commands, section 23.16.
type PolicyAuthorize struct {
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	// digest of the policy being approved
	ApprovedPolicy TPM2BDigest
	// a policy qualifier
	PolicyRef TPM2BDigest
	// Name of a key that can sign a policy addition
	KeySign TPM2BName
	// ticket validating that approvedPolicy and policyRef were signed by keySign
	CheckTicket TPMTTKVerified
}

// Command implements the Command interface.
func (PolicyAuthorize) Command() TPMCC { return TPMCCPolicyAuthorize }

// Execute executes the command and returns the response.
func (cmd PolicyAuthorize) Execute(t transport.TPM, s ...Session) (*PolicyAuthorizeResponse, error) {
	var rsp PolicyAuthorizeResponse
	err := execute[PolicyAuthorizeResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyCommand interface.
func (cmd PolicyAuthorize) Update(policy *PolicyCalculator) error {
	return policyUpdate(policy, TPMCCPolicyAuthorize, cmd.KeySign.Buffer, cmd.PolicyRef.Buffer)
}

// PolicyAuthorizeResponse is the response from TPM2_PolicyAuthorize.
type PolicyAuthorizeResponse struct{}

// PolicyGetDigest is the input to TPM2_PolicyGetDigest.
// See definition in Part 3, Commands, section 23.19.
type PolicyGetDigest struct {
	// handle for the policy session
	PolicySession handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (PolicyGetDigest) Command() TPMCC { return TPMCCPolicyGetDigest }

// Execute executes the command and returns the response.
func (cmd PolicyGetDigest) Execute(t transport.TPM, s ...Session) (*PolicyGetDigestResponse, error) {
	var rsp PolicyGetDigestResponse
	if err := execute[PolicyGetDigestResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// PolicyGetDigestResponse is the response from TPM2_PolicyGetDigest.
type PolicyGetDigestResponse struct {
	// the current value of the policySession→policyDigest
	PolicyDigest TPM2BDigest
}

// PolicyNVWritten is the input to TPM2_PolicyNvWritten.
// See definition in Part 3, Commands, section 23.20.
type PolicyNVWritten struct {
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
	// YES if NV Index is required to have been written
	// NO if NV Index is required not to have been written
	WrittenSet TPMIYesNo
}

// Command implements the Command interface.
func (PolicyNVWritten) Command() TPMCC { return TPMCCPolicyNvWritten }

// Execute executes the command and returns the response.
func (cmd PolicyNVWritten) Execute(t transport.TPM, s ...Session) (*PolicyNVWrittenResponse, error) {
	var rsp PolicyNVWrittenResponse
	if err := execute[PolicyNVWrittenResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyCommand interface.
func (cmd PolicyNVWritten) Update(policy *PolicyCalculator) error {
	return policy.Update(TPMCCPolicyNvWritten, cmd.WrittenSet)
}

// PolicyNVWrittenResponse is the response from TPM2_PolicyNvWritten.
type PolicyNVWrittenResponse struct {
}

// PolicyAuthorizeNV is the input to TPM2_PolicyAuthorizeNV.
// See definition in Part 3, Commands, section 23.22.
type PolicyAuthorizeNV struct {
	// handle indicating the source of the authorization value
	AuthHandle handle `gotpm:"handle,auth"`
	// the NV Index of the area to read
	NVIndex handle `gotpm:"handle"`
	// handle for the policy session being extended
	PolicySession handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (PolicyAuthorizeNV) Command() TPMCC { return TPMCCPolicyAuthorizeNV }

// Execute executes the command and returns the response.
func (cmd PolicyAuthorizeNV) Execute(t transport.TPM, s ...Session) (*PolicyAuthorizeNVResponse, error) {
	var rsp PolicyAuthorizeNVResponse
	err := execute[PolicyAuthorizeNVResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Update implements the PolicyCommand interface.
func (cmd PolicyAuthorizeNV) Update(policy *PolicyCalculator) error {
	policy.Reset()
	return policy.Update(TPMCCPolicyAuthorizeNV, cmd.NVIndex.KnownName().Buffer)
}

// PolicyAuthorizeNVResponse is the response from TPM2_PolicyAuthorizeNV.
type PolicyAuthorizeNVResponse struct{}

// CreatePrimary is the input to TPM2_CreatePrimary.
// See definition in Part 3, Commands, section 24.1
type CreatePrimary struct {
	// TPM_RH_ENDORSEMENT, TPM_RH_OWNER, TPM_RH_PLATFORM+{PP},
	// TPM_RH_NULL, TPM_RH_FW_ENDORSEMENT, TPM_RH_FW_OWNER
	// TPM_RH_FW_PLATFORM+{PP}  or TPM_RH_FW_NULL
	PrimaryHandle handle `gotpm:"handle,auth"`
	// the sensitive data
	InSensitive TPM2BSensitiveCreate
	// the public template
	InPublic TPM2BPublic
	// data that will be included in the creation data for this
	// object to provide permanent, verifiable linkage between this
	// object and some object owner data
	OutsideInfo TPM2BData
	// PCR that will be used in creation data
	CreationPCR TPMLPCRSelection
}

// Command implements the Command interface.
func (CreatePrimary) Command() TPMCC { return TPMCCCreatePrimary }

// Execute executes the command and returns the response.
func (cmd CreatePrimary) Execute(t transport.TPM, s ...Session) (*CreatePrimaryResponse, error) {
	var rsp CreatePrimaryResponse
	if err := execute[CreatePrimaryResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// CreatePrimaryResponse is the response from TPM2_CreatePrimary.
type CreatePrimaryResponse struct {
	// handle of type TPM_HT_TRANSIENT for created Primary Object
	ObjectHandle TPMHandle `gotpm:"handle"`
	// the public portion of the created object
	OutPublic TPM2BPublic
	// contains a TPMS_CREATION_DATA
	CreationData tpm2bCreationData
	// digest of creationData using nameAlg of outPublic
	CreationHash TPM2BDigest
	// ticket used by TPM2_CertifyCreation() to validate that the
	// creation data was produced by the TPM.
	CreationTicket TPMTTKCreation
	// the name of the created object
	Name TPM2BName
}

// Clear is the input to TPM2_Clear.
// See definition in Part 3, Commands, section 24.6
type Clear struct {
	// TPM_RH_LOCKOUT or TPM_RH_PLATFORM+{PP}
	AuthHandle handle `gotpm:"handle,auth"`
}

// Command implements the Command interface.
func (Clear) Command() TPMCC { return TPMCCClear }

// Execute executes the command and returns the response.
func (cmd Clear) Execute(t transport.TPM, s ...Session) (*ClearResponse, error) {
	var rsp ClearResponse
	err := execute[ClearResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ClearResponse is the response from TPM2_Clear.
type ClearResponse struct{}

// HierarchyChangeAuth is the input to TPM2_HierarchyChangeAuth.
// See definition in Part 3, Commands, section 24.8
type HierarchyChangeAuth struct {
	// TPM_RH_ENDORSEMENT, TPM_RH_LOCKOUT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}
	AuthHandle handle `gotpm:"handle,auth"`
	// new authorization value
	NewAuth TPM2BAuth
}

// Command implements the Command interface.
func (HierarchyChangeAuth) Command() TPMCC { return TPMCCHierarchyChanegAuth }

// Execute executes the command and returns the response.
func (cmd HierarchyChangeAuth) Execute(t transport.TPM, s ...Session) (*HierarchyChangeAuthResponse, error) {
	var rsp HierarchyChangeAuthResponse
	if err := execute[HierarchyChangeAuthResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// HierarchyChangeAuthResponse is the response from TPM2_HierarchyChangeAuth.
type HierarchyChangeAuthResponse struct{}

// ContextSave is the input to TPM2_ContextSave.
// See definition in Part 3, Commands, section 28.2
type ContextSave struct {
	// handle of the resource to save
	SaveHandle TPMIDHContext
}

// Command implements the Command interface.
func (ContextSave) Command() TPMCC { return TPMCCContextSave }

// Execute executes the command and returns the response.
func (cmd ContextSave) Execute(t transport.TPM, s ...Session) (*ContextSaveResponse, error) {
	var rsp ContextSaveResponse
	if err := execute[ContextSaveResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ContextSaveResponse is the response from TPM2_ContextSave.
type ContextSaveResponse struct {
	Context TPMSContext
}

// ContextLoad is the input to TPM2_ContextLoad.
// See definition in Part 3, Commands, section 28.3
type ContextLoad struct {
	// the context blob
	Context TPMSContext
}

// Command implements the Command interface.
func (ContextLoad) Command() TPMCC { return TPMCCContextLoad }

// Execute executes the command and returns the response.
func (cmd ContextLoad) Execute(t transport.TPM, s ...Session) (*ContextLoadResponse, error) {
	var rsp ContextLoadResponse
	if err := execute[ContextLoadResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ContextLoadResponse is the response from TPM2_ContextLoad.
type ContextLoadResponse struct {
	// the handle assigned to the resource after it has been successfully loaded
	LoadedHandle TPMIDHContext
}

// FlushContext is the input to TPM2_FlushContext.
// See definition in Part 3, Commands, section 28.4
type FlushContext struct {
	// the handle of the item to flush
	FlushHandle handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (FlushContext) Command() TPMCC { return TPMCCFlushContext }

// Execute executes the command and returns the response.
func (cmd FlushContext) Execute(t transport.TPM, s ...Session) (*FlushContextResponse, error) {
	var rsp FlushContextResponse
	err := execute[FlushContextResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// FlushContextResponse is the response from TPM2_FlushContext.
type FlushContextResponse struct{}

// EvictControl is the input to TPM2_EvictControl.
// See definition in Part 3, Commands, section 28.5
type EvictControl struct {
	// TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}
	Auth             handle `gotpm:"handle,auth"`
	ObjectHandle     handle `gotpm:"handle"`
	PersistentHandle TPMIDHPersistent
}

// EvictControlResponse is the response from TPM2_EvictControl.
type EvictControlResponse struct{}

// Command implements the Command interface.
func (EvictControl) Command() TPMCC { return TPMCCEvictControl }

// Execute executes the command and returns the response.
func (cmd EvictControl) Execute(t transport.TPM, s ...Session) (*EvictControlResponse, error) {
	var rsp EvictControlResponse
	if err := execute[EvictControlResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Duplicate is the input to TPM2_Duplicate.
// See definition in Part 3, Commands, section 13.1
type Duplicate struct {
	// ObjectHandle is the handle of the object to dupliate.
	ObjectHandle handle `gotpm:"handle,auth"`

	// NewParentHandle is the handle of the new parent.
	NewParentHandle handle `gotpm:"handle"`

	// EncryptionKeyIn is the optional symmetric encryption key used as the
	// inner wrapper. If SymmetricAlg is TPM_ALG_NULL, then this parameter
	// shall be the Empty Buffer.
	EncryptionKeyIn TPM2BData

	// Definition of the symmetric algorithm to use for the inner wrapper.
	// It may be TPM_ALG_NULL if no inner wrapper is applied.
	Symmetric TPMTSymDef
}

// DuplicateResponse is the response from TPM2_Duplicate.
type DuplicateResponse struct {
	// EncryptionKeyOut is the symmetric encryption key used as the
	// inner wrapper. If SymmetricAlg is TPM_ALG_NULL, this value
	// shall be the Empty Buffer.
	EncryptionKeyOut TPM2BData

	// Duplicate is the private area of the object. It may be encrypted by
	// EncryptionKeyIn and may be doubly encrypted.
	Duplicate TPM2BPrivate

	// OutSymSeed is the seed protected by the asymmetric algorithms of new
	// parent.
	OutSymSeed TPM2BEncryptedSecret
}

// Command implements the Command interface.
func (Duplicate) Command() TPMCC { return TPMCCDuplicate }

// Execute executes the command and returns the response.
func (cmd Duplicate) Execute(t transport.TPM, s ...Session) (*DuplicateResponse, error) {
	var rsp DuplicateResponse
	if err := execute[DuplicateResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// Import is the input to TPM2_Import.
// See definition in Part 3, Commands, section 13.3
type Import struct {
	// handle of parent for new object
	ParentHandle handle `gotpm:"handle,auth"`

	// The optional symmetric encryption key used as the inner wrapper for duplicate
	// If SymmetricAlg is TPM_ALG_NULL, then this parametert shall be the Empty Buffer
	EncryptionKey TPM2BData

	// The public area of the object to be imported
	ObjectPublic TPM2BPublic

	// The symmetrically encrypted duplicate object that may contain an inner
	// symmetric wrapper
	Duplicate TPM2BPrivate

	// The seed for the symmetric key and HMAC key
	InSymSeed TPM2BEncryptedSecret

	// Definition of the symmetric algorithm to use for the inner wrapper
	Symmetric TPMTSymDef
}

// ImportResponse is the response from TPM2_Import.
type ImportResponse struct {
	// the private portion of the object
	OutPrivate TPM2BPrivate
}

// Command implements the Command interface.
func (Import) Command() TPMCC { return TPMCCImport }

// Execute executes the command and returns the response.
func (cmd Import) Execute(t transport.TPM, s ...Session) (*ImportResponse, error) {
	var rsp ImportResponse
	if err := execute[ImportResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ReadClock is the input to TPM2_ReadClock.
// See definition in Part 3, Commands, section 29.1
type ReadClock struct{}

// Command implements the Command interface.
func (ReadClock) Command() TPMCC { return TPMCCReadClock }

// Execute executes the command and returns the response.
func (cmd ReadClock) Execute(t transport.TPM, s ...Session) (*ReadClockResponse, error) {
	var rsp ReadClockResponse
	if err := execute[ReadClockResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// ReadClockResponse is the response from TPM2_ReadClock.
type ReadClockResponse struct {
	CurrentTime TPMSTimeInfo
}

// GetCapability is the input to TPM2_GetCapability.
// See definition in Part 3, Commands, section 30.2
type GetCapability struct {
	// group selection; determines the format of the response
	Capability TPMCap
	// further definition of information
	Property uint32
	// number of properties of the indicated type to return
	PropertyCount uint32
}

// Command implements the Command interface.
func (GetCapability) Command() TPMCC { return TPMCCGetCapability }

// Execute executes the command and returns the response.
func (cmd GetCapability) Execute(t transport.TPM, s ...Session) (*GetCapabilityResponse, error) {
	var rsp GetCapabilityResponse
	if err := execute[GetCapabilityResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// GetCapabilityResponse is the response from TPM2_GetCapability.
type GetCapabilityResponse struct {
	// flag to indicate if there are more values of this type
	MoreData TPMIYesNo
	// the capability data
	CapabilityData TPMSCapabilityData
}

// TestParms is the input to TPM2_TestParms.
// See definition in Part 3, Commands, section 30.3
type TestParms struct {
	// Algorithms parameters to be validates
	Parameters TPMTPublicParms
}

// Command implements the Command interface.
func (TestParms) Command() TPMCC { return TPMCCTestParms }

// Execute executes the command and returns the response.
func (cmd TestParms) Execute(t transport.TPM, s ...Session) (*TestParmsResponse, error) {
	var rsp TestParmsResponse
	if err := execute[TestParmsResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// TestParmsResponse is the response from TPM2_TestParms.
type TestParmsResponse struct{}

// NVDefineSpace is the input to TPM2_NV_DefineSpace.
// See definition in Part 3, Commands, section 31.3.
type NVDefineSpace struct {
	// TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}
	AuthHandle handle `gotpm:"handle,auth"`
	// the authorization value
	Auth TPM2BAuth
	// the public parameters of the NV area
	PublicInfo TPM2BNVPublic
}

// Command implements the Command interface.
func (NVDefineSpace) Command() TPMCC { return TPMCCNVDefineSpace }

// Execute executes the command and returns the response.
func (cmd NVDefineSpace) Execute(t transport.TPM, s ...Session) (*NVDefineSpaceResponse, error) {
	var rsp NVDefineSpaceResponse
	err := execute[NVDefineSpaceResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVDefineSpaceResponse is the response from TPM2_NV_DefineSpace.
type NVDefineSpaceResponse struct{}

// NVUndefineSpace is the input to TPM2_NV_UndefineSpace.
// See definition in Part 3, Commands, section 31.4.
type NVUndefineSpace struct {
	// TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}
	AuthHandle handle `gotpm:"handle,auth"`
	// the NV Index to remove from NV space
	NVIndex handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (NVUndefineSpace) Command() TPMCC { return TPMCCNVUndefineSpace }

// Execute executes the command and returns the response.
func (cmd NVUndefineSpace) Execute(t transport.TPM, s ...Session) (*NVUndefineSpaceResponse, error) {
	var rsp NVUndefineSpaceResponse
	err := execute[NVUndefineSpaceResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVUndefineSpaceResponse is the response from TPM2_NV_UndefineSpace.
type NVUndefineSpaceResponse struct{}

// NVUndefineSpaceSpecial is the input to TPM2_NV_UndefineSpaceSpecial.
// See definition in Part 3, Commands, section 31.5.
type NVUndefineSpaceSpecial struct {
	// Index to be deleted
	NVIndex handle `gotpm:"handle,auth"`
	// TPM_RH_PLATFORM+{PP}
	Platform handle `gotpm:"handle,auth"`
}

// Command implements the Command interface.
func (NVUndefineSpaceSpecial) Command() TPMCC { return TPMCCNVUndefineSpaceSpecial }

// Execute executes the command and returns the response.
func (cmd NVUndefineSpaceSpecial) Execute(t transport.TPM, s ...Session) (*NVUndefineSpaceSpecialResponse, error) {
	var rsp NVUndefineSpaceSpecialResponse
	err := execute[NVUndefineSpaceSpecialResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVUndefineSpaceSpecialResponse is the response from TPM2_NV_UndefineSpaceSpecial.
type NVUndefineSpaceSpecialResponse struct{}

// NVReadPublic is the input to TPM2_NV_ReadPublic.
// See definition in Part 3, Commands, section 31.6.
type NVReadPublic struct {
	// the NV index
	NVIndex handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (NVReadPublic) Command() TPMCC { return TPMCCNVReadPublic }

// Execute executes the command and returns the response.
func (cmd NVReadPublic) Execute(t transport.TPM, s ...Session) (*NVReadPublicResponse, error) {
	var rsp NVReadPublicResponse
	if err := execute[NVReadPublicResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVReadPublicResponse is the response from TPM2_NV_ReadPublic.
type NVReadPublicResponse struct {
	NVPublic TPM2BNVPublic
	NVName   TPM2BName
}

// NVWrite is the input to TPM2_NV_Write.
// See definition in Part 3, Commands, section 31.7.
type NVWrite struct {
	// handle indicating the source of the authorization value
	AuthHandle handle `gotpm:"handle,auth"`
	// the NV index of the area to write
	NVIndex handle `gotpm:"handle"`
	// the data to write
	Data TPM2BMaxNVBuffer
	// the octet offset into the NV Area
	Offset uint16
}

// Command implements the Command interface.
func (NVWrite) Command() TPMCC { return TPMCCNVWrite }

// Execute executes the command and returns the response.
func (cmd NVWrite) Execute(t transport.TPM, s ...Session) (*NVWriteResponse, error) {
	var rsp NVWriteResponse
	err := execute[NVWriteResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVWriteResponse is the response from TPM2_NV_Write.
type NVWriteResponse struct{}

// NVIncrement is the input to TPM2_NV_Increment.
// See definition in Part 3, Commands, section 31.8.
type NVIncrement struct {
	// handle indicating the source of the authorization value
	AuthHandle handle `gotpm:"handle,auth"`
	// the NV index of the area to write
	NVIndex handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (NVIncrement) Command() TPMCC { return TPMCCNVIncrement }

// Execute executes the command and returns the response.
func (cmd NVIncrement) Execute(t transport.TPM, s ...Session) (*NVIncrementResponse, error) {
	var rsp NVIncrementResponse
	err := execute[NVIncrementResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVIncrementResponse is the response from TPM2_NV_Increment.
type NVIncrementResponse struct{}

// NVWriteLock is the input to TPM2_NV_WriteLock.
// See definition in Part 3, Commands, section 31.11.
type NVWriteLock struct {
	// handle indicating the source of the authorization value
	AuthHandle handle `gotpm:"handle,auth"`
	// the NV index of the area to lock
	NVIndex handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (NVWriteLock) Command() TPMCC { return TPMCCNVWriteLock }

// Execute executes the command and returns the response.
func (cmd NVWriteLock) Execute(t transport.TPM, s ...Session) (*NVWriteLockResponse, error) {
	var rsp NVWriteLockResponse
	err := execute[NVWriteLockResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVWriteLockResponse is the response from TPM2_NV_WriteLock.
type NVWriteLockResponse struct{}

// NVRead is the input to TPM2_NV_Read.
// See definition in Part 3, Commands, section 31.13.
type NVRead struct {
	// handle indicating the source of the authorization value
	AuthHandle handle `gotpm:"handle,auth"`
	// the NV index to read
	NVIndex handle `gotpm:"handle"`
	// number of octets to read
	Size uint16
	// octet offset into the NV area
	Offset uint16
}

// Command implements the Command interface.
func (NVRead) Command() TPMCC { return TPMCCNVRead }

// Execute executes the command and returns the response.
func (cmd NVRead) Execute(t transport.TPM, s ...Session) (*NVReadResponse, error) {
	var rsp NVReadResponse
	if err := execute[NVReadResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVReadResponse is the response from TPM2_NV_Read.
type NVReadResponse struct {
	// the data read
	Data TPM2BMaxNVBuffer
}

// NVReadLock is the input to TPM2_NV_NVReadLock.
// See definition in Part 3, Commands, section 31.14.
type NVReadLock struct {
	// handle indicating the source of the authorization value
	AuthHandle handle `gotpm:"handle,auth"`
	// the NV index of the area to lock
	NVIndex handle `gotpm:"handle"`
}

// Command implements the Command interface.
func (NVReadLock) Command() TPMCC { return TPMCCNVReadLock }

// Execute executes the command and returns the response.
func (cmd NVReadLock) Execute(t transport.TPM, s ...Session) (*NVReadLockResponse, error) {
	var rsp NVReadLockResponse
	err := execute[NVReadLockResponse](t, cmd, &rsp, s...)
	if err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVReadLockResponse is the response from TPM2_NV_ReadLock.
type NVReadLockResponse struct{}

// NVCertify is the input to TPM2_NV_Certify.
// See definition in Part 3, Commands, section 31.16.
type NVCertify struct {
	// handle of the key used to sign the attestation structure
	SignHandle handle `gotpm:"handle,auth"`
	// handle indicating the source of the authorization value
	AuthHandle handle `gotpm:"handle,auth"`
	// Index for the area to be certified
	NVIndex handle `gotpm:"handle"`
	// user-provided qualifying data
	QualifyingData TPM2BData
	// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
	InScheme TPMTSigScheme `gotpm:"nullable"`
	// number of octets to certify
	Size uint16
	// octet offset into the NV area
	Offset uint16
}

// Command implements the Command interface.
func (NVCertify) Command() TPMCC { return TPMCCNVCertify }

// Execute executes the command and returns the response.
func (cmd NVCertify) Execute(t transport.TPM, s ...Session) (*NVCertifyResponse, error) {
	var rsp NVCertifyResponse
	if err := execute[NVCertifyResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// NVCertifyResponse is the response from TPM2_NV_Read.
type NVCertifyResponse struct {
	// the structure that was signed
	CertifyInfo TPM2BAttest
	// the asymmetric signature over certifyInfo using the key referenced by signHandle
	Signature TPMTSignature
}

// GetTime is the input to TPM2_GetTime.
// See definition in Part 3, Commands, section 18.7.
type GetTime struct {
	// handle of the privacy administrator (Must be the value TPM_RH_ENDORSEMENT or command will fail)
	PrivacyAdminHandle TPMIRHEndorsement `gotpm:"handle,auth"`
	// the keyHandle identifier of a loaded key that can perform digital signatures
	SignHandle handle `gotpm:"handle,auth"`
	// data to "tick stamp"
	QualifyingData TPM2BData
	// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
	InScheme TPMTSigScheme `gotpm:"nullable"`
}

// Command implements the Command interface.
func (GetTime) Command() TPMCC { return TPMCCGetTime }

// Execute executes the command and returns the response.
func (cmd GetTime) Execute(t transport.TPM, s ...Session) (*GetTimeResponse, error) {
	var rsp GetTimeResponse
	if err := execute[GetTimeResponse](t, cmd, &rsp, s...); err != nil {
		return nil, err
	}
	return &rsp, nil
}

// GetTimeResponse is the response from TPM2_GetTime.
type GetTimeResponse struct {
	// standard TPM-generated attestation block
	TimeInfo TPM2BAttest
	// the signature over timeInfo
	Signature TPMTSignature
}