Example doing a complex policy
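# Create a policy but tether it to the auth of the owner hierarchy
#######################################
# Compute the PolicySecret branch digest and save it as secret.policy.
# tpm2_startauthsession is used without --policy-session here, so this is
# a trial session that only computes a digest. The branch is satisfied
# later by whoever can authorize as the owner hierarchy (-c o) with the
# auth value 'ownerpass'.
# Outputs:  writes secret.policy in the current directory
# Returns:  status of tpm2_policysecret, or of tpm2_startauthsession when
#           no session could be started; the session is always flushed.
#######################################
do_policy_secret() {
  local rc
  tpm2_startauthsession -S session.ctx || return
  # NOTE(review): the owner auth is passed on argv, so it is visible in
  # `ps`, shell history and `set -x` traces; a file-based auth source
  # would avoid that.
  tpm2_policysecret -S session.ctx -L secret.policy -c o ownerpass
  rc=$?
  # Flush even on failure so a half-built session does not linger in the TPM.
  tpm2_flushcontext session.ctx
  return "$rc"
}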
# create a policy for an object that is both policypassword AND policypcr (ie need both) | |
do_policy_pcr_and_pass() { | |
# Create a policy for password 2 (use policy password for this one so we can use -p for password auth) AND PCR | |
tpm2_startauthsession -S session.ctx | |
tpm2_policypassword -S session.ctx | |
tpm2_policypcr -S session.ctx -l sha256:0,1,2 -L pcr.policy | |
tpm2_flushcontext session.ctx | |
} | |
# or the two policies together, note that subsequent auth just needs events performed on one of the OR branches. | |
# Policy hashes are stable. | |
do_policy_or() { | |
tpm2_startauthsession -S session.ctx | |
tpm2_policyor -S session.ctx sha256:secret.policy,pcr.policy -L or.policy | |
tpm2_flushcontext session.ctx | |
} | |
# Create the object but turn off userwithauth so force both PCR and password | |
do_create() { | |
echo "mysecret" | tpm2_create -i- -C primary.ctx -c key.ctx -p password -L or.policy -a 'fixedtpm|fixedparent' | |
} | |
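#######################################
# Unseal key.ctx through the PolicyPassword + PolicyPCR branch of or.policy.
# A real policy session (--policy-session) replays the same assertions as
# do_policy_pcr_and_pass, then tpm2_policyor selects that branch. The
# '+password' suffix on -p supplies the auth value that PolicyPassword
# checks. This path fails once sha256 PCRs 0,1,2 differ from the values
# the branch was computed against (see do_break_pcr).
# Outputs:  unsealed data on stdout (no -o is given to tpm2_unseal)
# Returns:  status of the first failing step; the session is always
#           flushed once it has been started.
#######################################
do_unseal_pcr() {
  local rc=0
  tpm2_startauthsession -S session.ctx --policy-session || return
  # Same assertion order as at creation; the session digest depends on it,
  # and a failed step must not be followed by the unseal attempt.
  tpm2_policypassword -S session.ctx \
    && tpm2_policypcr -S session.ctx -l sha256:0,1,2 \
    && tpm2_policyor -S session.ctx sha256:secret.policy,pcr.policy \
    && tpm2_unseal -p 'session:session.ctx+password' -c key.ctx
  rc=$?
  tpm2_flushcontext session.ctx
  return "$rc"
}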
#######################################
# Extend PCR 0 with the contents of a scratch file so the PCR branch of
# or.policy no longer matches, forcing the recovery path.
# NOTE(review): PCR 0 is typically not resettable without a platform
# reset, so after this only the owner-auth branch can unseal until reboot.
# Outputs:  leaves a file named 'data' in the current directory
# Returns:  status of tpm2_pcrevent
#######################################
do_break_pcr() {
  printf '%s\n' foo > data
  tpm2_pcrevent 0 data
}
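#######################################
# Unseal key.ctx through the owner-hierarchy (PolicySecret) branch of
# or.policy. This is the recovery path: it depends only on the owner auth
# value and ignores PCR state, so whoever holds 'ownerpass' can unseal
# regardless of PCRs. No '+password' is needed on -p because this branch
# contains no PolicyPassword step.
# Outputs:  unsealed data on stdout; also rewrites secret.policy (-L)
# Returns:  status of the first failing step; the session is always
#           flushed once it has been started.
#######################################
do_unseal_recovery() {
  local rc=0
  tpm2_startauthsession -S session.ctx --policy-session || return
  # NOTE(review): ownerpass is on argv and visible in `ps`/shell history.
  tpm2_policysecret -S session.ctx -c o ownerpass -L secret.policy \
    && tpm2_policyor -S session.ctx sha256:secret.policy,pcr.policy \
    && tpm2_unseal -p 'session:session.ctx' -c key.ctx
  rc=$?
  tpm2_flushcontext session.ctx
  return "$rc"
}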