
policy: Support TPMLess commands #2762

Draft
wants to merge 1 commit into
base: master

williamcroberts
Member

For now this works with policysecret, owner hierarchy and NULL auth.
It's hardcoded to ignore the TPM.

tpm2 policysecret -S session.ctx -c o
0d84f55daf6e43ac97966e62c9bb989d3397777d25c5f749868055d65394f952

TODO:
For each policy command:

  • Support --tcti=none
  • When --tcti is none, require:
    --name/-n
    -L/--policy for old value
    -- Require hash algorithm.
    • Don't output a TICKET, since we can't?

Todo, consider creating a session.ctx structure that can be passed
from startauthsession with --tcti=none? This way we can encapsulate
the state instead of requiring -L and hash algorithm?

Signed-off-by: William Roberts [email protected]

@williamcroberts williamcroberts linked an issue Jun 10, 2021 that may be closed by this pull request
@williamcroberts williamcroberts marked this pull request as draft June 10, 2021 00:47
@idesai
Member

idesai commented Jun 10, 2021

@williamcroberts are we intending for these new modules to be called from individual policy tools or be part of the tpm2_createpolicy tool?

@idesai
Member

idesai commented Jun 10, 2021

@williamcroberts calculating cphash when rphash isn't required could also use a similar approach. In that case though, cphash alg has to be specified using the provision halg:/path/to/cphash.dat

@williamcroberts
Member Author

For this, I think we could do something like:

tpm2 startauthsession --tcti=none --trial-session-no-tpm -S session.ctx
# this will propagate a new session.ctx format that can store halg and current policy hash
# do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?

# Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
tpm2 policytoolX --tcti=none -S session.ctx

# flush will just ignore these contexts or error?

Thoughts here?

@idesai
Member

idesai commented Jun 11, 2021

> For this, I think we could do something like:
>
> tpm2 startauthsession --tcti=none --trial-session-no-tpm -S session.ctx
> # this will propagate a new session.ctx format that can store halg and current policy hash
> # do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?
>
> # Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
> tpm2 policytoolX --tcti=none -S session.ctx
>
> # flush will just ignore these contexts or error?
>
> Thoughts here?

How about this approach:

  1. Specify the policy halg with the file-path for policy using something like -L halg:/path/to/policyfile
  2. Mandate this way of specifying the policy file path if tcti=none is specified
  3. If the policyfile has non-zero content we extend the data in the policyfile with the one created by the policy tool consuming the inputs above.
  4. Like cpHash, we don't actually execute the policy command and exit out writing out the policyfile.

@nicowilliams

> For this, I think we could do something like:
>
> tpm2 startauthsession --tcti=none --trial-session-no-tpm -S session.ctx
> # this will propagate a new session.ctx format that can store halg and current policy hash
> # do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?
>
> # Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
> tpm2 policytoolX --tcti=none -S session.ctx
>
> # flush will just ignore these contexts or error?
>
> Thoughts here?

Yes:

> do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?

No, I think that's implied. Even if TPM2TOOLS_TCTI is set in the environment to something other than none. Alternatively, --tcti=none implies a trial, software session, and it's already used in tpm2 duplicate and tpm2 makecredential to signify "do a software-only operation that TPMs can do". So I would say "lose the --trial-session-no-tpm argument".

> Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none

That works, but presumably the policy tools could tell that the session is a --tcti=none session, so maybe the --tcti=none option can be elided in this case. But it's OK --tcti=none is required anyways -- consistency.

@williamcroberts
Member Author

> > For this, I think we could do something like:
> >
> > tpm2 startauthsession --tcti=none --trial-session-no-tpm -S session.ctx
> > # this will propagate a new session.ctx format that can store halg and current policy hash
> > # do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?
> >
> > # Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
> > tpm2 policytoolX --tcti=none -S session.ctx
> >
> > # flush will just ignore these contexts or error?
> >
> > Thoughts here?
>
> Yes:
>
> > do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?
>
> No, I think that's implied. Even if TPM2TOOLS_TCTI is set in the environment to something other than none. Alternatively, --tcti=none implies a trial, software session, and it's already used in tpm2 duplicate and tpm2 makecredential to signify "do a software-only operation that TPMs can do". So I would say "lose the --trial-session-no-tpm argument".
>
> > Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
>
> That works, but presumably the policy tools could tell that the session is a --tcti=none session, so maybe the --tcti=none option can be elided in this case. But it's OK --tcti=none is required anyways -- consistency.

I think we would have to go with --tcti=none. As that's understood by the common framework to not try and invoke a TPM connection. If we make it a different tool argument, the framework won't know about that and attempt to invoke a TPM connection which is what we want to avoid. So I think --tcti=none, starting in tpm2_startauthsession, will create a session.ctx file that maintains the state the TPM normally would (so we can track the hash, and alg). Then we can just run the hash commands and update the context file until someone does a -L to dump the policy.
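
Added example (not code from this pull request or from tpm2-tools): a TPM-less computation of the `policysecret` digest for the owner hierarchy, following the TPM 2.0 PolicyUpdate rule, with the hash algorithm and running digest kept in a small state object like the session.ctx state discussed in this thread. The class, function and constant names are hypothetical; the command code and handle values are from the TPM 2.0 specification, and `PR_DIGEST` is the value printed in the PR description.

```python
import hashlib
import struct

# Constants from the TPM 2.0 specification (Part 2).
TPM_CC_POLICY_SECRET = 0x00000151
TPM_RH_OWNER = 0x40000001
# The Name of a permanent handle such as the owner hierarchy is the handle itself.
OWNER_NAME = struct.pack(">I", TPM_RH_OWNER)

# Digest printed by `tpm2 policysecret -S session.ctx -c o` in the PR description.
PR_DIGEST = "0d84f55daf6e43ac97966e62c9bb989d3397777d25c5f749868055d65394f952"


class SoftwareTrialSession:
    """Hypothetical stand-in for TPM-less session state: the policy hash
    algorithm plus the running policy digest."""

    def __init__(self, halg="sha256", policy_digest=None):
        self.halg = halg
        size = hashlib.new(halg).digest_size
        # A fresh policy session starts from an all-zero digest of the hash size.
        self.policy_digest = bytes(size) if policy_digest is None else policy_digest
        if len(self.policy_digest) != size:
            raise ValueError("old policy digest does not match the hash algorithm")

    def _hash(self, *parts):
        h = hashlib.new(self.halg)
        for part in parts:
            h.update(part)
        return h.digest()

    def policy_secret(self, auth_name, policy_ref=b""):
        """PolicyUpdate(TPM_CC_PolicySecret, authObject Name, policyRef)."""
        cc = struct.pack(">I", TPM_CC_POLICY_SECRET)
        step1 = self._hash(self.policy_digest, cc, auth_name)
        # The second hash runs even when policyRef is the empty buffer.
        self.policy_digest = self._hash(step1, policy_ref)
        return self.policy_digest


def owner_policysecret_digest(halg="sha256"):
    """Hex policy digest after one PolicySecret bound to the owner hierarchy."""
    return SoftwareTrialSession(halg).policy_secret(OWNER_NAME).hex()


if __name__ == "__main__":
    print(owner_policysecret_digest())
```

Passing an existing digest as `policy_digest` continues a policy from an old value, which is the role `-L/--policy` plays in the TODO list of the description.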

Successfully merging this pull request may close these issues.

tpm2 policy creation tools without TCTI