Lines Matching full:policy
25 /** Copy policy digest.
27 * One digest is copied from certain position in a policy list to the
49 /** Logdefault policy digest.
64 /** Calculate a policy digest for a certain PCR selection.
67 * is computed. The passed policy digest will be extended with this data
68 * and also with the policy command code.
70 * @param[in] policy The policy with the list of selected PCRs.
72 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
83 TPMS_POLICYPCR *policy, in ifapi_compute_policy_pcr() argument
102 /* Compute of the index of the current policy in the passed digest list */ in ifapi_compute_policy_pcr()
107 r = ifapi_compute_policy_digest(policy->pcrs, &pcr_selection, in ifapi_compute_policy_pcr()
109 return_if_error(r, "Compute policy digest and selection."); in ifapi_compute_policy_pcr()
111 LOG_TRACE("Compute policy pcr"); in ifapi_compute_policy_pcr()
115 /* Update the passed policy. */ in ifapi_compute_policy_pcr()
136 /** Calculate a policy digest for a TPM2B object name, and a policy reference.
138 * A policy hash based on a passed policy digest, the policy command code,
139 * optionally the name, and the policy reference will be computed.
143 * the final policy digest.
145 * @param[in] command_code The TPM command code of the policy command.
147 * @param[in] policyRef The policy reference value.
150 * @param[in,out] digest The policy digest which will be extended.
176 /* First compute hash from passed policy digest and command code in calculate_policy_key_param()
209 /** Calculate a policy digest for a signed policy.
211 * Based on the command code, the public key, and the policy reference
212 * stored in the policy the new policy digest is computed by the function
215 * @param[in] policy The policy with the public key and the policy reference.
217 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
228 TPMS_POLICYSIGNED *policy, in ifapi_calculate_policy_signed() argument
244 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_signed()
249 &policy->publicKey, in ifapi_calculate_policy_signed()
250 &policy->policyRef, hash_size, in ifapi_calculate_policy_signed()
259 /** Calculate a policy digest for a policy stored in an approved NV index.
261 * Based on the command code, and the computed NV name the new policy digest
264 * @param[in] policy The policy with the public information of the NV index.
266 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
277 TPMS_POLICYAUTHORIZENV *policy, in ifapi_calculate_policy_authorize_nv() argument
288 /* Written flag has to be set for policy calculation, because during in ifapi_calculate_policy_authorize_nv()
289 policy execution it will be set. */ in ifapi_calculate_policy_authorize_nv()
290 policy->nvPublic.nvPublic.attributes |= TPMA_NV_WRITTEN; in ifapi_calculate_policy_authorize_nv()
292 r = ifapi_nv_get_name(&policy->nvPublic, &nv_name); in ifapi_calculate_policy_authorize_nv()
301 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_authorize_nv()
315 /** Calculate a policy digest to allow duplication for a selected new parent.
318 * switch the new policy digest is computed.
320 * @param[in] policy The policy with the new parent information.
322 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
333 TPMS_POLICYDUPLICATIONSELECT *policy, in ifapi_calculate_policy_duplicate() argument
350 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_duplicate()
354 LOG_TRACE("Compute policy"); in ifapi_calculate_policy_duplicate()
358 /* Update the policy digest */ in ifapi_calculate_policy_duplicate()
364 LOGBLOB_DEBUG(&policy->newParentName.name[0], policy->newParentName.size, in ifapi_calculate_policy_duplicate()
365 "Policy Duplicate Parent Name"); in ifapi_calculate_policy_duplicate()
366 HASH_UPDATE_BUFFER(cryptoContext, &policy->newParentName.name[0], in ifapi_calculate_policy_duplicate()
367 policy->newParentName.size, r, cleanup); in ifapi_calculate_policy_duplicate()
368 HASH_UPDATE(cryptoContext, BYTE, policy->includeObject, r, cleanup); in ifapi_calculate_policy_duplicate()
376 hash_size, "Policy Duplicate digest"); in ifapi_calculate_policy_duplicate()
384 /** Calculate a policy digest for a placeholder policy.
386 * The placeholder policy can be extended during execution by a
387 * signed policy, which can be verified by using the parameters of
388 * this placeholder policy.
390 * a policy reference the new policy digest is computed by the
393 * @param[in] policy The policy with the name of the public key and the
394 * policy reference.
396 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
407 TPMS_POLICYAUTHORIZE *policy, in ifapi_calculate_policy_authorize() argument
423 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_authorize()
428 &policy->keyName, in ifapi_calculate_policy_authorize()
429 &policy->policyRef, hash_size, in ifapi_calculate_policy_authorize()
438 /** Calculate a policy for adding secret-based authorization.
441 * object is required. The name of this object and a policy reference are used
442 * for policy calculation.
443 * Based on the command code, the object name and a policy reference the new
444 * policy digest is computed by the function calculate_policy_key_param().
446 * @param[in] policy The policy with the object name of the object to be
447 * authorized and the policy reference.
449 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
460 TPMS_POLICYSECRET *policy, in ifapi_calculate_policy_secret() argument
476 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_secret()
480 /* Update the policy */ in ifapi_calculate_policy_secret()
482 (TPM2B_NAME *)&policy->objectName, in ifapi_calculate_policy_secret()
483 &policy->policyRef, hash_size, in ifapi_calculate_policy_secret()
492 /** Calculate a policy for comparing current TPM timers with the policy.
494 * The timer value and the operation for comparison defined in the policy will
495 * be used to update the policy digest.
496 * The offset which is supported by the TPM policy for FAPI will be 0.
498 * @param[in] policy The policy with the timer value and the operation for
501 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
512 TPMS_POLICYCOUNTERTIMER *policy, in ifapi_calculate_policy_counter_timer() argument
530 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_counter_timer()
538 HASH_UPDATE_BUFFER(cryptoContext, &policy->operandB.buffer[0], in ifapi_calculate_policy_counter_timer()
539 policy->operandB.size, r, cleanup); in ifapi_calculate_policy_counter_timer()
540 HASH_UPDATE(cryptoContext, UINT16, policy->offset, r, cleanup); in ifapi_calculate_policy_counter_timer()
541 HASH_UPDATE(cryptoContext, UINT16, policy->operation, r, cleanup); in ifapi_calculate_policy_counter_timer()
547 /* Extend the policy digest from the hash value computed above and the in ifapi_calculate_policy_counter_timer()
567 /** Update policy if only the command codes are used.
569 * Some simple policies use only one or two command codes for policy calculation.
571 * @param[in] command_code1 The first command code for policy extension.
573 * @param[in] command_code2 The second command code for policy extension.
576 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
605 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_simple_policy()
609 /* Update the policy */ in ifapi_calculate_simple_policy()
632 /** Update policy with command code policy physical presence.
634 * The policy will be updated with the function ifapi_calculate_simple_policy()
636 * @param[in] policy The policy physical presence.
638 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
649 TPMS_POLICYPHYSICALPRESENCE *policy, in ifapi_calculate_policy_physical_presence() argument
654 (void)policy; in ifapi_calculate_policy_physical_presence()
660 return_if_error(r, "Calculate policy for command code."); in ifapi_calculate_policy_physical_presence()
665 /** Update policy with command code of policy auth value.
667 * The policy will be updated with the function ifapi_calculate_simple_policy()
669 * @param[in] policy The policy auth value.
671 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
682 TPMS_POLICYAUTHVALUE *policy, in ifapi_calculate_policy_auth_value() argument
687 (void)policy; in ifapi_calculate_policy_auth_value()
693 return_if_error(r, "Calculate policy auth value."); in ifapi_calculate_policy_auth_value()
698 /** Update policy with the command code of policy password.
700 * The policy will be updated with the function ifapi_calculate_simple_policy()
702 * @param[in] policy The policy password.
704 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
715 TPMS_POLICYPASSWORD *policy, in ifapi_calculate_policy_password() argument
720 (void)policy; in ifapi_calculate_policy_password()
726 return_if_error(r, "Calculate policy password."); in ifapi_calculate_policy_password()
731 /** Update policy command code with a command code defined in the policy.
734 * policy command code and the passed command code.
735 * The policy will be updated with the function ifapi_calculate_simple_policy()
737 * @param[in] policy The policy command code with the second command code.
739 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
750 TPMS_POLICYCOMMANDCODE *policy, in ifapi_calculate_policy_command_code() argument
758 r = ifapi_calculate_simple_policy(TPM2_CC_PolicyCommandCode, policy->code, in ifapi_calculate_policy_command_code()
760 return_if_error(r, "Calculate policy for command code."); in ifapi_calculate_policy_command_code()
765 /** Compute policy if only a digest and a command code are needed for extension.
767 * @param[in] digest the digest which will be used for policy extension.
769 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
799 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_digest_hash()
803 /* Update the policy. */ in ifapi_calculate_policy_digest_hash()
822 /** Compute policy bound to a specific set of TPM entities.
824 * The policy digest will be updated with the function
828 * @param[in] policy The policy with the list of entity names.
830 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
841 TPMS_POLICYNAMEHASH *policy, in ifapi_calculate_policy_name_hash() argument
858 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_name_hash()
863 for (i = 0; i <= policy->count; i++) { in ifapi_calculate_policy_name_hash()
864 HASH_UPDATE_BUFFER(cryptoContext, &policy->objectNames[i].name[0], in ifapi_calculate_policy_name_hash()
865 policy->objectNames[i].size, r, in ifapi_calculate_policy_name_hash()
869 (uint8_t *) &policy->nameHash.buffer[0], in ifapi_calculate_policy_name_hash()
873 policy->nameHash.size = hash_size; in ifapi_calculate_policy_name_hash()
875 /* Update the policy with the computed hash value of the name list and in ifapi_calculate_policy_name_hash()
877 r = ifapi_calculate_policy_digest_hash(&policy->nameHash, in ifapi_calculate_policy_name_hash()
880 return_if_error(r, "Calculate digest hash for policy"); in ifapi_calculate_policy_name_hash()
888 /** Compute policy bound to a specific command and command parameters.
893 * @param[in] policy The policy with the cp hash value.
895 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
906 TPMS_POLICYCPHASH *policy, in ifapi_calculate_policy_cp_hash() argument
914 r = ifapi_calculate_policy_digest_hash(&policy->cpHash, in ifapi_calculate_policy_cp_hash()
917 return_if_error(r, "Calculate digest hash for policy"); in ifapi_calculate_policy_cp_hash()
922 /** Compute policy which limits authorization to a specific locality.
924 * @param[in] policy The policy with the locality.
926 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
937 TPMS_POLICYLOCALITY *policy, in ifapi_calculate_policy_locality() argument
954 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_locality()
958 /* Update the policy */ in ifapi_calculate_policy_locality()
966 HASH_UPDATE(cryptoContext, BYTE, policy->locality, r, cleanup); in ifapi_calculate_policy_locality()
977 /** Compute policy bound to the TPMA_NV_WRITTEN attribute.
979 * The expected value of the NV written attribute is part of the policy.
981 * @param[in] policy The policy with the expected attribute value.
983 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
994 TPMS_POLICYNVWRITTEN *policy, in ifapi_calculate_policy_nv_written() argument
1011 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_nv_written()
1015 /* Update the policy */ in ifapi_calculate_policy_nv_written()
1024 HASH_UPDATE(cryptoContext, BYTE, policy->writtenSet, r, cleanup); in ifapi_calculate_policy_nv_written()
1035 /** Compute policy bound to the content of an NV index.
1038 * offset for the NV index are part of the policy.
1040 * @param[in] policy The policy with the expected values used for comparison.
1042 * @param[in] current_hash_alg The hash algorithm used for the policy computation.
1053 TPMS_POLICYNV *policy, in ifapi_calculate_policy_nv() argument
1070 r = ifapi_nv_get_name(&policy->nvPublic, &nv_name); in ifapi_calculate_policy_nv()
1073 /* Compute of the index of the current policy in the passed digest list */ in ifapi_calculate_policy_nv()
1081 HASH_UPDATE_BUFFER(cryptoContext, &policy->operandB.buffer[0], in ifapi_calculate_policy_nv()
1082 policy->operandB.size, r, cleanup); in ifapi_calculate_policy_nv()
1083 HASH_UPDATE(cryptoContext, UINT16, policy->offset, r, cleanup); in ifapi_calculate_policy_nv()
1084 HASH_UPDATE(cryptoContext, UINT16, policy->operation, r, cleanup); in ifapi_calculate_policy_nv()
1091 /* Update the policy with the hash of the compare operation and the NV name. */ in ifapi_calculate_policy_nv()
1114 * First the policy digest will be computed for every branch.
1115 * After that the policy digest will be reset to zero and extended by the
1116 * list of computed policy digests of the branches.
1118 * @param[in] policyOr The policy with the possible policy branches.
1120 * @param[in] hash_alg The hash algorithm used for the policy computation.
1121 * @param[in] hash_size The size of the policy digest.
1122 * @param[in] digest_idx The index of the current policy in the passed digest list.
1144 /* Compute the policy digest for every branch. */ in ifapi_calculate_policy_or()
1149 r = ifapi_calculate_policy(policyOr->branches->authorizations[i].policy, in ifapi_calculate_policy_or()
1156 return_if_error(r, "Compute policy."); in ifapi_calculate_policy_or()
1158 /* Reset the or policy digest because the digest is included in all sub policies */ in ifapi_calculate_policy_or()
1203 /** Compute policy digest for a list of policies.
1205 * Every policy in the list will update the previous policy. Thus the final
1206 * policy digest will describe the sequential execution of the policy list.
1208 * @param[in] policy The policy with the policy list.
1210 * @param[in] hash_alg The hash algorithm used for the policy computation.
1211 * @param[in] hash_size The size of the policy digest.
1212 * @param[in] digest_idx The index of the current policy in the passed digest list.
1223 TPML_POLICYELEMENTS *policy, in ifapi_calculate_policy() argument
1232 for (i = 0; i < policy->count; i++) { in ifapi_calculate_policy()
1234 copy_policy_digest(&policy->elements[i].policyDigests, in ifapi_calculate_policy()
1236 "Copy policy digest (to)"); in ifapi_calculate_policy()
1238 switch (policy->elements[i].type) { in ifapi_calculate_policy()
1241 r = ifapi_compute_policy_pcr(&policy->elements[i].element.PolicyPCR, in ifapi_calculate_policy()
1242 &policy->elements[i].policyDigests, in ifapi_calculate_policy()
1244 return_if_error(r, "Compute policy pcr"); in ifapi_calculate_policy()
1248 r = ifapi_calculate_policy_signed(&policy->elements[i].element. in ifapi_calculate_policy()
1250 &policy->elements[i]. in ifapi_calculate_policy()
1252 return_if_error(r, "Compute policy nv"); in ifapi_calculate_policy()
1257 r = ifapi_calculate_policy_duplicate(&policy->elements[i].element. in ifapi_calculate_policy()
1259 &policy->elements[i]. in ifapi_calculate_policy()
1261 return_if_error(r, "Compute policy duplication select"); in ifapi_calculate_policy()
1266 r = ifapi_calculate_policy_authorize_nv(&policy->elements[i]. in ifapi_calculate_policy()
1268 &policy->elements[i]. in ifapi_calculate_policy()
1270 return_if_error(r, "Compute policy authorizeg"); in ifapi_calculate_policy()
1275 r = ifapi_calculate_policy_authorize(&policy->elements[i].element. in ifapi_calculate_policy()
1277 &policy->elements[i]. in ifapi_calculate_policy()
1279 return_if_error(r, "Compute policy authorizeg"); in ifapi_calculate_policy()
1284 r = ifapi_calculate_policy_secret(&policy->elements[i].element. in ifapi_calculate_policy()
1286 &policy->elements[i]. in ifapi_calculate_policy()
1288 return_if_error(r, "Compute policy nv"); in ifapi_calculate_policy()
1293 r = ifapi_calculate_policy_or(&policy->elements[i].element.PolicyOr, in ifapi_calculate_policy()
1294 &policy->elements[i].policyDigests, in ifapi_calculate_policy()
1296 return_if_error(r, "Compute policy or"); in ifapi_calculate_policy()
1301 r = ifapi_calculate_policy_nv(&policy->elements[i].element.PolicyNV, in ifapi_calculate_policy()
1302 &policy->elements[i].policyDigests, in ifapi_calculate_policy()
1304 return_if_error(r, "Compute policy nv"); in ifapi_calculate_policy()
1309 r = ifapi_calculate_policy_nv_written(&policy->elements[i].element. in ifapi_calculate_policy()
1311 &policy->elements[i]. in ifapi_calculate_policy()
1313 return_if_error(r, "Compute policy nv written"); in ifapi_calculate_policy()
1318 &policy->elements[i].element.PolicyCounterTimer, in ifapi_calculate_policy()
1319 &policy->elements[i].policyDigests, hash_alg); in ifapi_calculate_policy()
1320 return_if_error(r, "Compute policy counter timer"); in ifapi_calculate_policy()
1325 &policy->elements[i].element.PolicyPhysicalPresence, in ifapi_calculate_policy()
1326 &policy->elements[i].policyDigests, hash_alg); in ifapi_calculate_policy()
1327 return_if_error(r, "Compute policy physical presence"); in ifapi_calculate_policy()
1331 r = ifapi_calculate_policy_auth_value(&policy->elements[i].element.PolicyAuthValue, in ifapi_calculate_policy()
1332 &policy->elements[i].policyDigests, hash_alg); in ifapi_calculate_policy()
1333 return_if_error(r, "Compute policy auth value"); in ifapi_calculate_policy()
1337 r = ifapi_calculate_policy_password(&policy->elements[i].element.PolicyPassword, in ifapi_calculate_policy()
1338 &policy->elements[i].policyDigests, hash_alg); in ifapi_calculate_policy()
1339 return_if_error(r, "Compute policy password"); in ifapi_calculate_policy()
1343 r = ifapi_calculate_policy_command_code(&policy->elements[i].element.PolicyCommandCode, in ifapi_calculate_policy()
1344 &policy->elements[i].policyDigests, hash_alg); in ifapi_calculate_policy()
1345 return_if_error(r, "Compute policy physical presence"); in ifapi_calculate_policy()
1349 r = ifapi_calculate_policy_name_hash(&policy->elements[i].element.PolicyNameHash, in ifapi_calculate_policy()
1350 &policy->elements[i].policyDigests, hash_alg); in ifapi_calculate_policy()
1351 return_if_error(r, "Compute policy name hash"); in ifapi_calculate_policy()
1355 r = ifapi_calculate_policy_cp_hash(&policy->elements[i].element.PolicyCpHash, in ifapi_calculate_policy()
1356 &policy->elements[i].policyDigests, hash_alg); in ifapi_calculate_policy()
1357 return_if_error(r, "Compute policy cp hash"); in ifapi_calculate_policy()
1361 r = ifapi_calculate_policy_locality(&policy->elements[i].element.PolicyLocality, in ifapi_calculate_policy()
1362 &policy->elements[i].policyDigests, hash_alg); in ifapi_calculate_policy()
1363 return_if_error(r, "Compute policy locality"); in ifapi_calculate_policy()
1372 "Policy not implemented"); in ifapi_calculate_policy()
1375 copy_policy_digest(policyDigests, &policy->elements[i].policyDigests, in ifapi_calculate_policy()
1376 digest_idx, hash_size, "Copy policy digest (from)"); in ifapi_calculate_policy()