policy: Support TPMLess commands #2762
base: master
For now this works with policysecret, owner hierarchy and NULL auth.
It's hardcoded to ignore the TPM.

tpm2 policysecret -S session.ctx -c o
0d84f55daf6e43ac97966e62c9bb989d3397777d25c5f749868055d65394f952

TODO:
For each policy command:
- Support --tcti=none
- When --tcti is none, require:
  --name/-n
  -L/--policy for old value
  -- Require hash algorithm.
- Don't output a TICKET, since we can't?

Todo, consider creating a session.ctx structure that can be passed
from startauthsession with --tcti=none? This way we can encapsulate
the state instead of requiring -L and hash algorithm?

Signed-off-by: William Roberts <[email protected]>
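The digest a TPM-less `policysecret` has to produce can be computed from exactly the three inputs the TODO list asks for: the object name, the old policy value and the hash algorithm. The Python below is an added example, not code from this PR or from tpm2-tools; its function names are hypothetical, and it assumes a permanent-handle auth object and an empty policyRef, and produces no ticket.

```python
import hashlib
import struct

# Values from the TPM 2.0 Library Specification, Part 2.
TPM2_CC_POLICY_SECRET = 0x00000151
TPM2_RH_OWNER = 0x40000001
TPM2_RH_ENDORSEMENT = 0x4000000B


def hierarchy_name(handle):
    """The Name of a permanent handle is the 4-byte big-endian handle value."""
    return struct.pack(">I", handle)


def start_trial_policy(halg="sha256"):
    """A fresh policy session starts from an all-zero digest of the hash size."""
    return bytes(hashlib.new(halg).digest_size)


def policy_secret(old_policy, name, policy_ref=b"", halg="sha256"):
    """Extend old_policy the way TPM2_PolicySecret does, without a TPM.

    step1  = H(old_policy || TPM2_CC_PolicySecret || name)
    result = H(step1 || policy_ref)   (hashed again even if policy_ref is empty)
    """
    if len(old_policy) != hashlib.new(halg).digest_size:
        raise ValueError("old policy length does not match the hash algorithm")
    cc = struct.pack(">I", TPM2_CC_POLICY_SECRET)
    step1 = hashlib.new(halg, old_policy + cc + name).digest()
    return hashlib.new(halg, step1 + policy_ref).digest()


if __name__ == "__main__":
    # Hypothetical stand-in for: policysecret -c o / -c e with --tcti=none
    for label, handle in (("owner", TPM2_RH_OWNER),
                          ("endorsement", TPM2_RH_ENDORSEMENT)):
        digest = policy_secret(start_trial_policy(), hierarchy_name(handle))
        print(label, digest.hex())
```

The endorsement-hierarchy result with SHA-256 is the authPolicy used in the TCG default EK templates, which gives an independent value to check the computation against.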
@williamcroberts are we intending for these new modules to be called from individual policy tools or be part of the tpm2_createpolicy tool?
@williamcroberts calculating cphash when rphash isn't required could also use a similar approach. In that case though, cphash alg has to be specified using the provision halg:/path/to/cphash.dat
For this, I think we could do something like:
```
tpm2 startauthsession --tcti=none --trial-session-no-tpm -S session.ctx
# this will propagate a new session.ctx format that can store halg and current policy hash
# do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?
# Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
tpm2 policytoolX --tcti=none -S session.ctx
# flush will just ignore these contexts or error? Thoughts here?
```
How about this approach:
Yes:
No, I think that's implied. Even if
That works, but presumably the policy tools could tell that the session is a
I think we would have to go with