This allows one to express complex policies (ones with alternations) using a simple language. The pattern is simply that conjunctions are {tpm2 policy*} command-lines joined with a ';' argument, and alternations are {tpm2 policyor} commands with arguments that are themselves policies surrounded by '(' and ')' arguments.

For example:

    $ sbin/tpm2-policy \
        tpm2 policyor \
            '(' tpm2 policycommandcode TPM2_CC_Sign ')' \
            '(' tpm2 policycommandcode TPM2_CC_RSA_Decrypt ')' ';' \
        tpm2 policypcr -l "sha256:11"

which allows an entity sporting such a policy to be used for signing or decryption only, and only when PCR#11 is cleared.

The same, verbosely:

    $ sbin/tpm2-policy -v \
        tpm2 policyor \
            '(' tpm2 policycommandcode TPM2_CC_Sign ')' \
            '(' tpm2 policycommandcode TPM2_CC_RSA_Decrypt ')' ';' \
        tpm2 policypcr -l "sha256:11"
    Running: (AND) exec_policyOR_helper ( tpm2 policycommandcode TPM2_CC_Sign ) ( tpm2 policycommandcode TPM2_CC_RSA_Decrypt ) ;
    Running: (AND) tpm2 policycommandcode --session /tmp/tmp.jbXmSKOtzR/session-0-0 --policy /tmp/tmp.jbXmSKOtzR/policy-0-0 TPM2_CC_Sign
    cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811
    cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811
    Running: (AND) tpm2 policycommandcode --session /tmp/tmp.jbXmSKOtzR/session-0-1 --policy /tmp/tmp.jbXmSKOtzR/policy-0-1 TPM2_CC_RSA_Decrypt
    3c29869a1312094782b86df5a430caae587f5dfb16dfa3f7204151054c1340d2
    3c29869a1312094782b86df5a430caae587f5dfb16dfa3f7204151054c1340d2
    ORing: cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811 3c29869a1312094782b86df5a430caae587f5dfb16dfa3f7204151054c1340d2
    Running: tpm2 policyor --session /tmp/tmp.jbXmSKOtzR/session --policy /tmp/tmp.jbXmSKOtzR/policy sha256:/tmp/tmp.jbXmSKOtzR/policy-0-0,/tmp/tmp.jbXmSKOtzR/policy-0-1
    39faada14fb6d5deba4315d8bce0247813262ebf15e1aee35477d26759f1b29e
    Running: (AND) tpm2 policypcr --session /tmp/tmp.jbXmSKOtzR/session --policy /tmp/tmp.jbXmSKOtzR/policy -l sha256:11
    3b9ea8dca851fac5d077d7b6925b8cc38847619e4b9a0f026ca5cc6262ff8a1c
    3b9ea8dca851fac5d077d7b6925b8cc38847619e4b9a0f026ca5cc6262ff8a1c
    $

Internally we have `exec_policy` in functions.sh that can execute a policy in either a trial session or in policy session, and if in a policy session then the caller must supply the indices of alternatives to take in the policy, otherwise the caller must not supply those. I.e.,

    # Compute policyDigest of the policy above:
    tpm2_flushall
    tpm2 startauthsession --session session
    exec_policy session policy \
        tpm2 policyor \
            '(' tpm2 policycommandcode TPM2_CC_Sign ')' \
            '(' tpm2 policycommandcode TPM2_CC_RSA_Decrypt ')' ';' \
        tpm2 policypcr -l "sha256:11"

    # Execute the policy above with the second alternative:
    tpm2_flushall
    tpm2 startauthsession --session session
    exec_policy 1 session policy \
        tpm2 policyor \
            '(' tpm2 policycommandcode TPM2_CC_Sign ')' \
            '(' tpm2 policycommandcode TPM2_CC_RSA_Decrypt ')' ';' \
        tpm2 policypcr -l "sha256:11"

This is recursive, so it generalizes to policies of arbitrary complexity, limited to nesting alternations up to nine (9) times, or the shell's recursion limit if it be lower.

TODO:

 - Add option to `sbin/tpm2-policy` to execute a policy in a policy session?
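As an added illustration (not part of this commit or of the project's functions.sh), the following Python reimplements the same argv language offline: it groups '(' ... ')' spans, splits conjuncts on ';', and folds each command into a policyDigest with the TPM 2.0 extension rules for PolicyCommandCode, PolicyOR and PolicyPCR, so a reviewer can recompute what a trial session reports without a TPM. It assumes a SHA-256 session, a 3-byte PCR select bitmap (the tpm2-tools encoding), and that PCR#11 reads as all zeros, as in the verbose run above.

```python
import hashlib
# TPM 2.0 command codes used here (TPM 2.0 Library Part 2, TPM_CC constants).
CC = {"TPM2_CC_RSA_Decrypt": 0x159, "TPM2_CC_Sign": 0x15D, "TPM2_CC_PolicyPCR": 0x17F,
      "TPM2_CC_PolicyCommandCode": 0x16C, "TPM2_CC_PolicyOR": 0x171}
ZERO = bytes(32)  # policyDigest of a freshly started SHA-256 session

def group(tokens):
    """Turn '(' ... ')' spans into nested lists, recursively (the policyor arguments)."""
    out, stack = [], []
    for t in tokens:
        if t == "(": stack.append(out); out = []
        elif t == ")": inner, out = out, stack.pop(); out.append(inner)
        else: out.append(t)
    if stack: raise ValueError("unbalanced '('")
    return out

def conjuncts(grouped):
    """Split a grouped token list on ';' into the individual tpm2 policy* commands."""
    cmds, cur = [], []
    for t in grouped:
        if t == ";": cmds.append(cur); cur = []
        else: cur.append(t)
    return cmds + ([cur] if cur else [])

def extend(digest, cc_name, *args):
    """policyDigest_new = H(policyDigest_old || commandCode || args...)"""
    h = hashlib.sha256(digest + CC[cc_name].to_bytes(4, "big"))
    for a in args: h.update(a)
    return h.digest()

def trial(tokens, pcr):
    """Digest a trial session would compute; pcr maps "sha256:N" -> that PCR's 32 bytes."""
    digest = ZERO
    for cmd in conjuncts(group(tokens)):
        sub, args = cmd[1], cmd[2:]
        if sub == "policycommandcode":
            digest = extend(digest, "TPM2_CC_PolicyCommandCode", CC[args[0]].to_bytes(4, "big"))
        elif sub == "policyor":  # each '(...)' branch starts from ZERO; OR resets the digest
            digest = extend(ZERO, "TPM2_CC_PolicyOR", *[trial(b, pcr) for b in args])
        elif sub == "policypcr":  # one PCR of the sha256 bank, e.g. "-l sha256:11"
            sel = args[args.index("-l") + 1]; n = int(sel.split(":")[1])
            bitmap = bytearray(3); bitmap[n // 8] |= 1 << (n % 8)  # 3-byte select assumed
            pcrs = b"\x00\x00\x00\x01\x00\x0b\x03" + bytes(bitmap)  # TPML_PCR_SELECTION, SHA256
            digest = extend(digest, "TPM2_CC_PolicyPCR", pcrs, hashlib.sha256(pcr[sel]).digest())
        else: raise ValueError(f"unsupported: tpm2 {sub}")
    return digest

# The policy from the commit message, as the argv the shell tool receives.
POLICY = ["tpm2", "policyor", "(", "tpm2", "policycommandcode", "TPM2_CC_Sign", ")",
          "(", "tpm2", "policycommandcode", "TPM2_CC_RSA_Decrypt", ")", ";",
          "tpm2", "policypcr", "-l", "sha256:11"]
```

`trial(POLICY, {"sha256:11": ZERO}).hex()` gives the final digest; the two inner `trial` calls made for the policyor branches correspond to the per-alternative digests the verbose run prints.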