7 changes: 3 additions & 4 deletions tpm2/test/policy_test.go
Expand Up @@ -235,9 +235,8 @@ func TestPolicySignedUpdate(t *testing.T) {
}()

policySigned := PolicySigned{
AuthObject: sk,
PolicySession: sess.Handle(),
PolicyRef: TPM2BNonce{Buffer: []byte{5, 6, 7, 8}},
AuthObject: sk,
PolicyRef: TPM2BNonce{Buffer: []byte{5, 6, 7, 8}},
Auth: TPMTSignature{
SigAlg: TPMAlgECDSA,
Signature: NewTPMUSignature(
Expand All @@ -249,7 +248,7 @@ func TestPolicySignedUpdate(t *testing.T) {
},
}

if _, err := policySigned.Execute(thetpm); err != nil {
if _, err := policySigned.ExecutePolicyInSession(thetpm, sess); err != nil {
t.Fatalf("executing PolicySigned: %v", err)
}

97 changes: 86 additions & 11 deletions tpm2/tpm2.go
Expand Up @@ -73,6 +73,9 @@ type PolicyCommand interface {
// Update updates the given policy hash according to the command
// parameters.
Update(policy *PolicyCalculator) error
// ExecutePolicyInSession executes the given policy command,
// using the given session as PolicySession.
ExecutePolicyInSession(t transport.TPM, s Session) (any, error)
}

// Shutdown is the input to TPM2_Shutdown.
Expand Down Expand Up @@ -573,7 +576,7 @@ type ECDHZGenResponse struct {
// Hash is the input to TPM2_Hash.
// See definition in Part 3, Commands, section 15.4
type Hash struct {
//data to be hashed
// data to be hashed
Data TPM2BMaxBuffer
// algorithm for the hash being computed - shall not be TPM_ALH_NULL
HashAlg TPMIAlgHash
Expand Down Expand Up @@ -1150,11 +1153,17 @@ func policyUpdate(policy *PolicyCalculator, cc TPMCC, arg2, arg3 []byte) error {
return policy.Update(arg3)
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicySigned) Update(policy *PolicyCalculator) error {
return policyUpdate(policy, TPMCCPolicySigned, cmd.AuthObject.KnownName().Buffer, cmd.PolicyRef.Buffer)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicySigned) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicySignedResponse is the response from TPM2_PolicySigned.
type PolicySignedResponse struct {
// implementation-specific time value used to indicate to the TPM when the ticket expires
Expand Down Expand Up @@ -1193,11 +1202,17 @@ func (cmd PolicySecret) Execute(t transport.TPM, s ...Session) (*PolicySecretRes
return &rsp, nil
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicySecret) Update(policy *PolicyCalculator) error {
return policyUpdate(policy, TPMCCPolicySecret, cmd.AuthHandle.KnownName().Buffer, cmd.PolicyRef.Buffer)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicySecret) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicySecretResponse is the response from TPM2_PolicySecret.
type PolicySecretResponse struct {
// implementation-specific time value used to indicate to the TPM when the ticket expires
Expand Down Expand Up @@ -1228,7 +1243,7 @@ func (cmd PolicyOr) Execute(t transport.TPM, s ...Session) (*PolicyOrResponse, e
return &rsp, nil
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicyOr) Update(policy *PolicyCalculator) error {
policy.Reset()
var digests bytes.Buffer
Expand All @@ -1238,6 +1253,12 @@ func (cmd PolicyOr) Update(policy *PolicyCalculator) error {
return policy.Update(TPMCCPolicyOR, digests.Bytes())
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyOr) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyOrResponse is the response from TPM2_PolicyOr.
type PolicyOrResponse struct{}

Expand Down Expand Up @@ -1266,11 +1287,17 @@ func (cmd PolicyPCR) Execute(t transport.TPM, s ...Session) (*PolicyPCRResponse,
return &rsp, nil
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicyPCR) Update(policy *PolicyCalculator) error {
return policy.Update(TPMCCPolicyPCR, cmd.Pcrs, cmd.PcrDigest.Buffer)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyPCR) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyPCRResponse is the response from TPM2_PolicyPCR.
type PolicyPCRResponse struct{}

Expand Down Expand Up @@ -1299,6 +1326,12 @@ func (cmd PolicyAuthValue) Update(policy *PolicyCalculator) error {
return policy.Update(TPMCCPolicyAuthValue)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyAuthValue) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyAuthValueResponse is the response from TPM2_PolicyAuthValue.
type PolicyAuthValueResponse struct{}

Expand Down Expand Up @@ -1333,6 +1366,12 @@ func (cmd PolicyDuplicationSelect) Update(policy *PolicyCalculator) error {
return policy.Update(TPMCCPolicyDuplicationSelect, cmd.NewParentName.Buffer, cmd.IncludeObject)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyDuplicationSelect) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyDuplicationSelectResponse is the response from TPM2_PolicyDuplicationSelect.
type PolicyDuplicationSelectResponse struct{}

Expand Down Expand Up @@ -1366,7 +1405,7 @@ func (cmd PolicyNV) Execute(t transport.TPM, s ...Session) (*PolicyNVResponse, e
return &rsp, nil
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicyNV) Update(policy *PolicyCalculator) error {
alg, err := policy.alg.Hash()
if err != nil {
Expand All @@ -1380,6 +1419,12 @@ func (cmd PolicyNV) Update(policy *PolicyCalculator) error {
return policy.Update(TPMCCPolicyNV, args, cmd.NVIndex.KnownName().Buffer)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyNV) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyNVResponse is the response from TPM2_PolicyPCR.
type PolicyNVResponse struct{}

Expand All @@ -1405,11 +1450,17 @@ func (cmd PolicyCommandCode) Execute(t transport.TPM, s ...Session) (*PolicyComm
return &rsp, nil
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicyCommandCode) Update(policy *PolicyCalculator) error {
return policy.Update(TPMCCPolicyCommandCode, cmd.Code)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyCommandCode) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyCommandCodeResponse is the response from TPM2_PolicyCommandCode.
type PolicyCommandCodeResponse struct{}

Expand All @@ -1435,11 +1486,17 @@ func (cmd PolicyCPHash) Execute(t transport.TPM, s ...Session) (*PolicyCPHashRes
return &rsp, nil
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicyCPHash) Update(policy *PolicyCalculator) error {
return policy.Update(TPMCCPolicyCpHash, cmd.CPHashA.Buffer)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyCPHash) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyCPHashResponse is the response from TPM2_PolicyCpHash.
type PolicyCPHashResponse struct{}

Expand Down Expand Up @@ -1471,11 +1528,17 @@ func (cmd PolicyAuthorize) Execute(t transport.TPM, s ...Session) (*PolicyAuthor
return &rsp, nil
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicyAuthorize) Update(policy *PolicyCalculator) error {
return policyUpdate(policy, TPMCCPolicyAuthorize, cmd.KeySign.Buffer, cmd.PolicyRef.Buffer)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyAuthorize) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyAuthorizeResponse is the response from TPM2_PolicyAuthorize.
type PolicyAuthorizeResponse struct{}

Expand Down Expand Up @@ -1526,11 +1589,17 @@ func (cmd PolicyNVWritten) Execute(t transport.TPM, s ...Session) (*PolicyNVWrit
return &rsp, nil
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicyNVWritten) Update(policy *PolicyCalculator) error {
return policy.Update(TPMCCPolicyNvWritten, cmd.WrittenSet)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyNVWritten) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyNVWrittenResponse is the response from TPM2_PolicyNvWritten.
type PolicyNVWrittenResponse struct {
}
Expand Down Expand Up @@ -1559,12 +1628,18 @@ func (cmd PolicyAuthorizeNV) Execute(t transport.TPM, s ...Session) (*PolicyAuth
return &rsp, nil
}

// Update implements the PolicyCommand interface.
// Update updates the policy calculator with the policy command.
func (cmd PolicyAuthorizeNV) Update(policy *PolicyCalculator) error {
policy.Reset()
return policy.Update(TPMCCPolicyAuthorizeNV, cmd.NVIndex.KnownName().Buffer)
}

// ExecutePolicyInSession extends the session with the policy command and returns the response.
func (cmd PolicyAuthorizeNV) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
cmd.PolicySession = s.Handle()
return cmd.Execute(t)
}

// PolicyAuthorizeNVResponse is the response from TPM2_PolicyAuthorizeNV.
type PolicyAuthorizeNVResponse struct{}

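Review bot: Every new ExecutePolicyInSession body (PolicySigned, PolicySecret, PolicyOr, PolicyPCR, PolicyAuthValue, PolicyDuplicationSelect, PolicyNV, PolicyCommandCode, PolicyCPHash, PolicyAuthorize, PolicyNVWritten, PolicyAuthorizeNV) does `return cmd.Execute(t)`, which boxes Execute's typed `*XxxResponse` into the `any` result; if Execute returns a nil pointer on failure (its error path is outside these hunks), the boxed value is a non-nil interface, so a caller that checks `rsp != nil` instead of `err` will treat a failed policy-session extension as a success. Unpacking the result and returning a literal `nil` on error avoids that, as shown below for PolicySigned; the same shape applies to the other eleven. Since the receiver is a value, assigning `cmd.PolicySession = s.Handle()` does not change the caller's struct, but it does silently discard any PolicySession the caller set; the doc comment should say so, e.g. `// The command's PolicySession field is replaced by s.Handle(); the caller's value is left unchanged.` Each Execute method's signature line is visible only in the hunk headers, so the concrete return type is inferred from the `*Policy...Res` prefix there.
```go
func (cmd PolicySigned) ExecutePolicyInSession(t transport.TPM, s Session) (any, error) {
	cmd.PolicySession = s.Handle()
	rsp, err := cmd.Execute(t)
	if err != nil {
		// Literal nil, not a nil *PolicySignedResponse boxed in any.
		return nil, err
	}
	return rsp, nil
}
```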