From 145e5d82186eb5344fe783919073f62725d597ee Mon Sep 17 00:00:00 2001 From: friedrichsenm <15720856+friedrichsenm@users.noreply.github.com> Date: Tue, 20 May 2025 09:16:55 -0500 Subject: [PATCH 1/2] Allow policy session to be extended more programatically This PR updates the PolicyCommand interface to add ExecutePolicyInSession. This new method extends the given policy session with the policy command and returns the response. --- tpm2/test/policy_test.go | 7 ++- tpm2/tpm2.go | 100 ++++++++++++++++++++++++++++++++++----- 2 files changed, 91 insertions(+), 16 deletions(-) diff --git a/tpm2/test/policy_test.go b/tpm2/test/policy_test.go index b3fa3a4a..7a4731d2 100644 --- a/tpm2/test/policy_test.go +++ b/tpm2/test/policy_test.go @@ -235,9 +235,8 @@ func TestPolicySignedUpdate(t *testing.T) { }() policySigned := PolicySigned{ - AuthObject: sk, - PolicySession: sess.Handle(), - PolicyRef: TPM2BNonce{Buffer: []byte{5, 6, 7, 8}}, + AuthObject: sk, + PolicyRef: TPM2BNonce{Buffer: []byte{5, 6, 7, 8}}, Auth: TPMTSignature{ SigAlg: TPMAlgECDSA, Signature: NewTPMUSignature( @@ -249,7 +248,7 @@ func TestPolicySignedUpdate(t *testing.T) { }, } - if _, err := policySigned.Execute(thetpm); err != nil { + if _, err := policySigned.ExecutePolicyInSession(thetpm, sess); err != nil { t.Fatalf("executing PolicySigned: %v", err) } diff --git a/tpm2/tpm2.go b/tpm2/tpm2.go index 4a2ebae0..742c4555 100644 --- a/tpm2/tpm2.go +++ b/tpm2/tpm2.go @@ -69,10 +69,13 @@ type Command[R any, PR *R] interface { } // PolicyCommand is a TPM command that can be part of a TPM policy. -type PolicyCommand interface { +type PolicyCommand[R any, PR *R] interface { // Update updates the given policy hash according to the command // parameters. Update(policy *PolicyCalculator) error + // ExecutePolicyInSession executes the given policy command, + // using the given session as PolicySession. + ExecutePolicyInSession(t transport.TPM, s Session) (PR, error) } // Shutdown is the input to TPM2_Shutdown. 
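Review bot: The new interface method ExecutePolicyInSession accepts exactly one Session, and every implementation in this patch forwards it only as `cmd.PolicySession = s.Handle()` before calling `cmd.Execute(t)` with no further sessions, so the variadic sessions that `Execute(t transport.TPM, s ...Session)` accepts (visible in the later hunk headers) cannot be supplied through the policy-command path. Callers who rely on those extra sessions with Execute get a silently narrower contract here. A backward-compatible widening is `ExecutePolicyInSession(t transport.TPM, s Session, extra ...Session) (PR, error)` with each implementation returning `cmd.Execute(t, extra...)`. The interface doc comment should also state that s.Handle() replaces whatever PolicySession the caller had set on the command; the enclosing interface body is fully inside the hunk.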
@@ -573,7 +576,7 @@ type ECDHZGenResponse struct { // Hash is the input to TPM2_Hash. // See definition in Part 3, Commands, section 15.4 type Hash struct { - //data to be hashed + // data to be hashed Data TPM2BMaxBuffer // algorithm for the hash being computed - shall not be TPM_ALH_NULL HashAlg TPMIAlgHash @@ -1150,11 +1153,17 @@ func policyUpdate(policy *PolicyCalculator, cc TPMCC, arg2, arg3 []byte) error { return policy.Update(arg3) } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicySigned) Update(policy *PolicyCalculator) error { return policyUpdate(policy, TPMCCPolicySigned, cmd.AuthObject.KnownName().Buffer, cmd.PolicyRef.Buffer) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicySigned) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicySignedResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicySignedResponse is the response from TPM2_PolicySigned. type PolicySignedResponse struct { // implementation-specific time value used to indicate to the TPM when the ticket expires 
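Review bot: The doc comment on PolicySigned.ExecutePolicyInSession omits two things a caller needs: the assignment `cmd.PolicySession = s.Handle()` overrides any PolicySession already set on the command, and because cmd is a value receiver the caller's own struct is left untouched, so the override is not observable afterwards. Suggest `// ExecutePolicyInSession executes the command with s as its PolicySession (overriding any value set on cmd; the caller's copy is not modified) and returns the response.` The identical one-line comment is repeated on the methods added for PolicySecret, PolicyOr, PolicyPCR, PolicyAuthValue, PolicyDuplicationSelect, PolicyNV, PolicyCommandCode, PolicyCPHash, PolicyAuthorize, PolicyNVWritten and PolicyAuthorizeNV in the later hunks, and the same wording applies to each.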
@@ -1193,11 +1202,17 @@ func (cmd PolicySecret) Execute(t transport.TPM, s ...Session) (*PolicySecretRes return &rsp, nil } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicySecret) Update(policy *PolicyCalculator) error { return policyUpdate(policy, TPMCCPolicySecret, cmd.AuthHandle.KnownName().Buffer, cmd.PolicyRef.Buffer) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicySecret) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicySecretResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicySecretResponse is the response from TPM2_PolicySecret. type PolicySecretResponse struct { // implementation-specific time value used to indicate to the TPM when the ticket expires @@ -1228,7 +1243,7 @@ func (cmd PolicyOr) Execute(t transport.TPM, s ...Session) (*PolicyOrResponse, e return &rsp, nil } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicyOr) Update(policy *PolicyCalculator) error { policy.Reset() var digests bytes.Buffer @@ -1238,6 +1253,12 @@ func (cmd PolicyOr) Update(policy *PolicyCalculator) error { return policy.Update(TPMCCPolicyOR, digests.Bytes()) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyOr) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyOrResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyOrResponse is the response from TPM2_PolicyOr. type PolicyOrResponse struct{} 
@@ -1266,11 +1287,17 @@ func (cmd PolicyPCR) Execute(t transport.TPM, s ...Session) (*PolicyPCRResponse, return &rsp, nil } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicyPCR) Update(policy *PolicyCalculator) error { return policy.Update(TPMCCPolicyPCR, cmd.Pcrs, cmd.PcrDigest.Buffer) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyPCR) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyPCRResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyPCRResponse is the response from TPM2_PolicyPCR. type PolicyPCRResponse struct{} @@ -1299,6 +1326,12 @@ func (cmd PolicyAuthValue) Update(policy *PolicyCalculator) error { return policy.Update(TPMCCPolicyAuthValue) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyAuthValue) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyAuthValueResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyAuthValueResponse is the response from TPM2_PolicyAuthValue. type PolicyAuthValueResponse struct{} @@ -1333,6 +1366,13 @@ func (cmd PolicyDuplicationSelect) Update(policy *PolicyCalculator) error { return policy.Update(TPMCCPolicyDuplicationSelect, cmd.NewParentName.Buffer, cmd.IncludeObject) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyDuplicationSelect) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyDuplicationSelectResponse, + error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyDuplicationSelectResponse is the response from TPM2_PolicyDuplicationSelect. type PolicyDuplicationSelectResponse struct{} 
@@ -1366,7 +1406,7 @@ func (cmd PolicyNV) Execute(t transport.TPM, s ...Session) (*PolicyNVResponse, e return &rsp, nil } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicyNV) Update(policy *PolicyCalculator) error { alg, err := policy.alg.Hash() if err != nil { @@ -1380,6 +1420,12 @@ func (cmd PolicyNV) Update(policy *PolicyCalculator) error { return policy.Update(TPMCCPolicyNV, args, cmd.NVIndex.KnownName().Buffer) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyNV) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyNVResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyNVResponse is the response from TPM2_PolicyPCR. type PolicyNVResponse struct{} @@ -1405,11 +1451,17 @@ func (cmd PolicyCommandCode) Execute(t transport.TPM, s ...Session) (*PolicyComm return &rsp, nil } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicyCommandCode) Update(policy *PolicyCalculator) error { return policy.Update(TPMCCPolicyCommandCode, cmd.Code) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyCommandCode) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyCommandCodeResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyCommandCodeResponse is the response from TPM2_PolicyCommandCode. type PolicyCommandCodeResponse struct{} 
@@ -1435,11 +1487,17 @@ func (cmd PolicyCPHash) Execute(t transport.TPM, s ...Session) (*PolicyCPHashRes return &rsp, nil } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicyCPHash) Update(policy *PolicyCalculator) error { return policy.Update(TPMCCPolicyCpHash, cmd.CPHashA.Buffer) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyCPHash) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyCPHashResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyCPHashResponse is the response from TPM2_PolicyCpHash. type PolicyCPHashResponse struct{} @@ -1471,11 +1529,17 @@ func (cmd PolicyAuthorize) Execute(t transport.TPM, s ...Session) (*PolicyAuthor return &rsp, nil } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicyAuthorize) Update(policy *PolicyCalculator) error { return policyUpdate(policy, TPMCCPolicyAuthorize, cmd.KeySign.Buffer, cmd.PolicyRef.Buffer) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyAuthorize) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyAuthorizeResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyAuthorizeResponse is the response from TPM2_PolicyAuthorize. type PolicyAuthorizeResponse struct{} 
@@ -1526,11 +1590,17 @@ func (cmd PolicyNVWritten) Execute(t transport.TPM, s ...Session) (*PolicyNVWrit return &rsp, nil } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicyNVWritten) Update(policy *PolicyCalculator) error { return policy.Update(TPMCCPolicyNvWritten, cmd.WrittenSet) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyNVWritten) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyNVWrittenResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyNVWrittenResponse is the response from TPM2_PolicyNvWritten. type PolicyNVWrittenResponse struct { } @@ -1559,12 +1629,18 @@ func (cmd PolicyAuthorizeNV) Execute(t transport.TPM, s ...Session) (*PolicyAuth return &rsp, nil } -// Update implements the PolicyCommand interface. +// Update updates the policy calculator with the policy command. func (cmd PolicyAuthorizeNV) Update(policy *PolicyCalculator) error { policy.Reset() return policy.Update(TPMCCPolicyAuthorizeNV, cmd.NVIndex.KnownName().Buffer) } +// ExecutePolicyInSession extends the session with the policy command and returns the response. +func (cmd PolicyAuthorizeNV) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyAuthorizeNVResponse, error) { + cmd.PolicySession = s.Handle() + return cmd.Execute(t) +} + // PolicyAuthorizeNVResponse is the response from TPM2_PolicyAuthorizeNV. type PolicyAuthorizeNVResponse struct{} From beb426be06c6e905b3c5074631926c4eddf6233e Mon Sep 17 00:00:00 2001 From: friedrichsenm <15720856+friedrichsenm@users.noreply.github.com> Date: Tue, 27 May 2025 08:02:13 -0500 Subject: [PATCH 2/2] remove generics from PolicyCommand interface --- tpm2/tpm2.go | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/tpm2/tpm2.go b/tpm2/tpm2.go index 742c4555..986a63dc 100644 --- a/tpm2/tpm2.go 
+++ b/tpm2/tpm2.go @@ -69,13 +69,13 @@ type Command[R any, PR *R] interface { } // PolicyCommand is a TPM command that can be part of a TPM policy. -type PolicyCommand[R any, PR *R] interface { +type PolicyCommand interface { // Update updates the given policy hash according to the command // parameters. Update(policy *PolicyCalculator) error // ExecutePolicyInSession executes the given policy command, // using the given session as PolicySession. - ExecutePolicyInSession(t transport.TPM, s Session) (PR, error) + ExecutePolicyInSession(t transport.TPM, s Session) (any, error) } // Shutdown is the input to TPM2_Shutdown. @@ -1159,7 +1159,7 @@ func (cmd PolicySigned) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicySigned) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicySignedResponse, error) { +func (cmd PolicySigned) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } @@ -1208,7 +1208,7 @@ func (cmd PolicySecret) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicySecret) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicySecretResponse, error) { +func (cmd PolicySecret) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } @@ -1254,7 +1254,7 @@ func (cmd PolicyOr) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyOr) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyOrResponse, error) { +func (cmd PolicyOr) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } 
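Review bot: With the return widened to `(any, error)`, the comment "executes the given policy command, using the given session as PolicySession" no longer tells a caller what the result is; it should state that each implementation returns its own response pointer, for example `*PolicySignedResponse` for PolicySigned, so the caller knows what to type-assert. Since the twelve implementations are spread through the file and no longer share a type parameter with the interface, a signature drift in one of them would only surface at a use site; a compile-time check next to the interface, `var _ PolicyCommand = PolicySigned{}` (one line per command type), catches it at build time. The interface body is fully inside this hunk.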
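Review bot: Returning `cmd.Execute(t)` straight through an `any` result hits the typed-nil pitfall in PolicySigned.ExecutePolicyInSession: Execute's error path is outside this hunk, but if it returns a nil `*PolicySignedResponse` alongside the error (the usual shape for a `(*T, error)` function), the `any` the caller receives is a non-nil interface wrapping a nil pointer, so `rsp != nil` is true and a type assertion yields a nil pointer. Callers that check err first are safe, but the widened interface now makes the mistake easy, and unpacking the result so that a literal nil is returned on error removes it. The same pass-through is in the PolicySecret and PolicyOr hunks on this line and in the PolicyPCR, PolicyAuthValue, PolicyDuplicationSelect, PolicyNV, PolicyCommandCode, PolicyCPHash, PolicyAuthorize, PolicyNVWritten and PolicyAuthorizeNV hunks that follow.
```go
func (cmd PolicySigned) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
	cmd.PolicySession = s.Handle()
	rsp, err := cmd.Execute(t)
	if err != nil {
		// Return an untyped nil: storing a nil *PolicySignedResponse in the
		// any result would give callers a non-nil interface holding a nil pointer.
		return nil, err
	}
	return rsp, nil
}
```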
@@ -1293,7 +1293,7 @@ func (cmd PolicyPCR) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyPCR) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyPCRResponse, error) { +func (cmd PolicyPCR) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } @@ -1327,7 +1327,7 @@ func (cmd PolicyAuthValue) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyAuthValue) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyAuthValueResponse, error) { +func (cmd PolicyAuthValue) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } @@ -1367,8 +1367,7 @@ func (cmd PolicyDuplicationSelect) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyDuplicationSelect) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyDuplicationSelectResponse, - error) { +func (cmd PolicyDuplicationSelect) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } @@ -1421,7 +1420,7 @@ func (cmd PolicyNV) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyNV) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyNVResponse, error) { +func (cmd PolicyNV) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } 
@@ -1457,7 +1456,7 @@ func (cmd PolicyCommandCode) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyCommandCode) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyCommandCodeResponse, error) { +func (cmd PolicyCommandCode) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } @@ -1493,7 +1492,7 @@ func (cmd PolicyCPHash) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyCPHash) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyCPHashResponse, error) { +func (cmd PolicyCPHash) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } @@ -1535,7 +1534,7 @@ func (cmd PolicyAuthorize) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyAuthorize) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyAuthorizeResponse, error) { +func (cmd PolicyAuthorize) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } @@ -1596,7 +1595,7 @@ func (cmd PolicyNVWritten) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyNVWritten) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyNVWrittenResponse, error) { +func (cmd PolicyNVWritten) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) } 
@@ -1636,7 +1635,7 @@ func (cmd PolicyAuthorizeNV) Update(policy *PolicyCalculator) error { } // ExecutePolicyInSession extends the session with the policy command and returns the response. -func (cmd PolicyAuthorizeNV) ExecutePolicyInSession(t transport.TPM, s Session) (*PolicyAuthorizeNVResponse, error) { +func (cmd PolicyAuthorizeNV) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) { cmd.PolicySession = s.Handle() return cmd.Execute(t) }