1 //
2 // Copyright (C) 2015 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #ifndef TRUNKS_POLICY_SESSION_H_
18 #define TRUNKS_POLICY_SESSION_H_
19 
20 #include <string>
21 #include <vector>
22 
23 #include <base/macros.h>
24 
25 #include "trunks/tpm_generated.h"
26 
27 namespace trunks {
28 
29 class AuthorizationDelegate;
30 
31 // PolicySession is an interface for managing policy backed sessions for
32 // authorization and parameter encryption.
33 class PolicySession {
34  public:
PolicySession()35   PolicySession() {}
~PolicySession()36   virtual ~PolicySession() {}
37 
38   // Returns an authorization delegate for this session. Ownership of the
39   // delegate pointer is retained by the session.
40   virtual AuthorizationDelegate* GetDelegate() = 0;
41 
42   // Starts a salted session which is bound to |bind_entity| with
43   // |bind_authorization_value|. Encryption is enabled if |enable_encryption| is
44   // true. The session remains active until this object is destroyed or another
45   // session is started with a call to Start*Session.
46   virtual TPM_RC StartBoundSession(
47       TPMI_DH_ENTITY bind_entity,
48       const std::string& bind_authorization_value,
49       bool enable_encryption) = 0;
50 
51   // Starts a salted, unbound session. Encryption is enabled if
52   // |enable_encryption| is true. The session remains active until this object
53   // is destroyed or another session is started with a call to Start*Session.
54   virtual TPM_RC StartUnboundSession(bool enable_encryption) = 0;
55 
56   // This method is used to get the current PolicyDigest of the PolicySession.
57   virtual TPM_RC GetDigest(std::string* digest) = 0;
58 
59   // This method is used to construct a complex policy. It takes a list
60   // of policy digests. After the command is executed, the policy represented
61   // by this session is the OR of the provided policies.
62   virtual TPM_RC PolicyOR(const std::vector<std::string>& digests) = 0;
63 
64   // This method binds the PolicySession to a provided PCR value. If the empty
65   // string is provided, the PolicySession is bound to the current PCR value.
66   virtual TPM_RC PolicyPCR(uint32_t pcr_index,
67                            const std::string& pcr_value) = 0;
68 
69   // This method binds the PolicySession to a specified CommandCode.
70   // Once called, this Session can only be used to authorize actions on the
71   // provided CommandCode.
72   virtual TPM_RC PolicyCommandCode(TPM_CC command_code) = 0;
73 
74   // This method specifies that Authorization Values need to be included in
75   // HMAC computation done by the AuthorizationDelegate.
76   virtual TPM_RC PolicyAuthValue() = 0;
77 
78   // Sets the current entity authorization value. This can be safely called
79   // while the session is active and subsequent commands will use the value.
80   virtual void SetEntityAuthorizationValue(const std::string& value) = 0;
81 
82  private:
83   DISALLOW_COPY_AND_ASSIGN(PolicySession);
84 };
85 
86 }  // namespace trunks
87 
88 #endif  // TRUNKS_POLICY_SESSION_H_
89