2:42 p.m.
Hello,
I'm currently attempting to combine multiple policy assertions
together using a logical AND into a single signed policy that can be
used to control access to a TPM2 nvindex. I currently have a working
simple example with a single policy assertion based on PCR values, but
I'm struggling trying to add an additional policy assertion (I would
like to control access both based on PCR values and a second nvindex
value).
My current, single assertion example is shown below, any help you can
provide on how to add a tpm2_policynv assertion would be greatly appreciated.
*** locking/sealing the nvindex
tpm2_pcrread $PCRS -o /tmp/pcr.bin
tpm2_startauthsession -S /tmp/session.ctx
tpm2_policypcr -S /tmp/session.ctx \
-l $PCRS -f /tmp/pcr.bin -L /tmp/pcr.policy
tpm2_policyauthorize -S /tmp/session.ctx \
-L /tmp/nvindex.policy -n signing_key.name
tpm2_nvdefine -a "ownerwrite|ownerread|policyread" \
-P $PASSWD -L /tmp/nvindex.policy $NVINDEX
tpm2_flushcontext /tmp/session.ctx
openssl dgst -sha256 --sign signing_key_private.pem \
-out pcr.signature /tmp/pcr.policy
echo "storedsecret" | tpm2_nvwrite -C o -P $PASSWD \
-i- $NVINDEX
*** reading the nvindex using the signed policy
tpm2_loadexternal -C o -G rsa -u signing_key_public.pem \
-c /tmp/key.ctx -n /tmp/key.name
tpm2_startauthsession -S /tmp/session.ctx --policy-session
tpm2_policypcr -S /tmp/session.ctx \
-l $PCRS -L /tmp/pcr.policy
tpm2_verifysignature -c /tmp/key.ctx \
-f rsassa -g sha256 \
-m /tmp/pcr.policy -s pcr.signature -t /tmp/sigverify.tkt
tpm2_policyauthorize -S /tmp/session.ctx \
-i /tmp/pcr.policy -n /tmp/key.name -t /tmp/sigverify.tkt
tpm2_nvread -P "session:/tmp/session.ctx" -s 64 $NVINDEX
tpm2_flushcontext /tmp/session.ctx
rm -f /tmp/sigverify.tkt
--
paul moore
www.paul-moore.com
8:06 a.m.
-----Original Message-----
From: Paul Moore <paul(a)paul-moore.com>
Sent: Thursday, December 3, 2020 3:42 PM
To: tpm2(a)lists.01.org
Subject: [tpm2] Help combining multiple policy assertions (logical AND)
Hello,
I'm currently attempting to combine multiple policy assertions together using a
logical AND into a single signed policy that can be used to control access to a TPM2
nvindex. I currently have a working simple example with a single policy assertion
based on PCR values, but I'm struggling trying to add an additional policy assertion
(I would like to control access both based on PCR values and a second nvindex
value).
My current, single assertion example is shown below, any help you can provide
on how to add a tpm2_policynv assertion would be greatly appreciated.
For logical AND you just extend the current policy hash by calling tpm2_policynv. So
After calling tpm2_policypcr, just call tpm2_policynv with the NV index, and the operand,
like eq for equal. See this for more details on the operands and operators:
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_policynv...
Then to access the NV index, run the policy commands in the same order and pass the
session like normal, as you do below via the 'tpm2_nvread -P
"session:/tmp/session.ctx" ...'
command.
Is their another question I'm missing here, I usually am missing something obvious
people ask :-p
Another thing to consider, can you use tss2_ tools? They have a policy language that
manages
this all for you with a WYSIWIG policy builder:
https://tpm2-software.github.io/fapipolicies/
>
>
> *** locking/sealing the nvindex
>
>
> tpm2_pcrread $PCRS -o /tmp/pcr.bin
>
> tpm2_startauthsession -S /tmp/session.ctx tpm2_policypcr -S /tmp/session.ctx \
> -l $PCRS -f /tmp/pcr.bin -L /tmp/pcr.policy tpm2_policyauthorize -S
> /tmp/session.ctx \
> -L /tmp/nvindex.policy -n signing_key.name tpm2_nvdefine -a
> "ownerwrite|ownerread|policyread" \
> -P $PASSWD -L /tmp/nvindex.policy $NVINDEX tpm2_flushcontext
> /tmp/session.ctx
>
> openssl dgst -sha256 --sign signing_key_private.pem \
> -out pcr.signature /tmp/pcr.policy
>
> echo "storedsecret" | tpm2_nvwrite -C o -P $PASSWD \
> -i- $NVINDEX
>
>
> *** reading the nvindex using the signed policy
>
>
> tpm2_loadexternal -C o -G rsa -u signing_key_public.pem \
> -c /tmp/key.ctx -n /tmp/key.name
>
> tpm2_startauthsession -S /tmp/session.ctx --policy-session tpm2_policypcr -S
> /tmp/session.ctx \
> -l $PCRS -L /tmp/pcr.policy
> tpm2_verifysignature -c /tmp/key.ctx \
> -f rsassa -g sha256 \
> -m /tmp/pcr.policy -s pcr.signature -t /tmp/sigverify.tkt tpm2_policyauthorize -S
> /tmp/session.ctx \
> -i /tmp/pcr.policy -n /tmp/key.name -t /tmp/sigverify.tkt tpm2_nvread -P
> "session:/tmp/session.ctx" -s 64 $NVINDEX tpm2_flushcontext
/tmp/session.ctx
> rm -f /tmp/sigverify.tkt
>
>
> --
> paul moore
> www.paul-moore.com
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
10:11 a.m.
On Fri, Dec 4, 2020 at 10:06 AM Roberts, William C
<william.c.roberts(a)intel.com> wrote:
> -----Original Message-----
> From: Paul Moore <paul(a)paul-moore.com>
> Sent: Thursday, December 3, 2020 3:42 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] Help combining multiple policy assertions (logical AND)
>
> Hello,
>
> I'm currently attempting to combine multiple policy assertions together using a
> logical AND into a single signed policy that can be used to control access to a
TPM2
> nvindex. I currently have a working simple example with a single policy assertion
> based on PCR values, but I'm struggling trying to add an additional policy
assertion
> (I would like to control access both based on PCR values and a second nvindex
> value).
>
> My current, single assertion example is shown below, any help you can provide
> on how to add a tpm2_policynv assertion would be greatly appreciated.
For logical AND you just extend the current policy hash by calling tpm2_policynv. So
After calling tpm2_policypcr, just call tpm2_policynv with the NV index ...
Hmm, so the policy that is output via the '-L <policy>' argument is
the combination of all previous policies in the session AND'd
together? That's good to know, thank you.
So basically I would need to do this to lock/seal the nvindex:
# lock the nvindex
tpm2_startauthsession -S /tmp/session.ctx
tpm2_policypcr -S /tmp/session.ctx ... -L /tmp/A.policy
tpm2_policynv -S /tmp/session.ctx ... -L /tmp/B.policy
tpm2_policyauthorize -S /tmp/session.ctx ... -L /tmp/C.policy
tpm2_nvdefine -a "ownerwrite|ownerread|policyread" \
... -L /tmp/C.policy
tpm2_flushcontext /tmp/session.ctx
# use /tmp/C.policy to generate the signature
openssl dgst -sha256 --sign key.pem \
-out policy.signature /tmp/C.policy
Yes?
Is their another question I'm missing here, I usually am missing
something obvious
people ask :-p
No that's it, assuming the above works :)
Another thing to consider, can you use tss2_ tools? They have a
policy language that manages
this all for you with a WYSIWIG policy builder:
https://tpm2-software.github.io/fapipolicies/
The policy builder isn't that interesting to me, but expressing a
policy via JSON may be useful, I'll have to take a look. Thanks.
--
paul moore
www.paul-moore.com
8:04 a.m.
-----Original Message-----
From: Paul Moore <paul(a)paul-moore.com>
Sent: Friday, December 4, 2020 11:11 AM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: tpm2(a)lists.01.org
Subject: Re: [tpm2] Help combining multiple policy assertions (logical AND)
On Fri, Dec 4, 2020 at 10:06 AM Roberts, William C <william.c.roberts(a)intel.com>
wrote:
> > -----Original Message-----
> > From: Paul Moore <paul(a)paul-moore.com>
> > Sent: Thursday, December 3, 2020 3:42 PM
> > To: tpm2(a)lists.01.org
> > Subject: [tpm2] Help combining multiple policy assertions (logical
> > AND)
> >
> > Hello,
> >
> > I'm currently attempting to combine multiple policy assertions
> > together using a logical AND into a single signed policy that can be
> > used to control access to a TPM2 nvindex. I currently have a
> > working simple example with a single policy assertion based on PCR
> > values, but I'm struggling trying to add an additional policy
> > assertion (I would like to control access both based on PCR values and a
second nvindex value).
> >
> > My current, single assertion example is shown below, any help you
> > can provide on how to add a tpm2_policynv assertion would be greatly
appreciated.
>
> For logical AND you just extend the current policy hash by calling
> tpm2_policynv. So After calling tpm2_policypcr, just call tpm2_policynv with the
NV index ...
Hmm, so the policy that is output via the '-L <policy>' argument is the
combination of all previous policies in the session AND'd together? That's good
to
know, thank you.
So basically I would need to do this to lock/seal the nvindex:
# lock the nvindex
tpm2_startauthsession -S /tmp/session.ctx tpm2_policypcr -S /tmp/session.ctx
... -L /tmp/A.policy tpm2_policynv -S /tmp/session.ctx ... -L /tmp/B.policy
tpm2_policyauthorize -S /tmp/session.ctx ... -L /tmp/C.policy tpm2_nvdefine -a
"ownerwrite|ownerread|policyread" \
... -L /tmp/C.policy
tpm2_flushcontext /tmp/session.ctx
# use /tmp/C.policy to generate the signature openssl dgst -sha256 --sign
key.pem \
-out policy.signature /tmp/C.policy
Yes?
I think so. I think you can also drop the -L output until you end up with the policy you
want. A policy is only a single
hash, so every time you invoke a successful policy command, the little register in the TPM
that keeps the current policy value
gets extended. Then you capture that value with the -L output. Then you can use that when
creating the object, so later when
you need to use the object, that hash value has to match and all the steps must succeed,
like checking PCR state, policy signed,
etc. Because you're always extending the policy hash, it's a logical AND. The
first thing when I saw policyOR was that I wanted
policyAND and couldn't find it. Then Imran pointed this out to me. When you think
about it, it's just like extending a PCR, you
measure this and this and this ...
> Is their another question I'm missing here, I usually am missing
> something obvious people ask :-p
No that's it, assuming the above works :)
> Another thing to consider, can you use tss2_ tools? They have a policy
> language that manages this all for you with a WYSIWIG policy builder:
> https://tpm2-software.github.io/fapipolicies/
The policy builder isn't that interesting to me, but expressing a policy via JSON
may be useful, I'll have to take a look. Thanks.
--
paul moore
www.paul-moore.com
10:38 a.m.
On Mon, Dec 7, 2020 at 10:04 AM Roberts, William C
<william.c.roberts(a)intel.com> wrote:
> -----Original Message-----
> From: Paul Moore <paul(a)paul-moore.com>
> Sent: Friday, December 4, 2020 11:11 AM
...
> So basically I would need to do this to lock/seal the nvindex:
>
> # lock the nvindex
> tpm2_startauthsession -S /tmp/session.ctx
> tpm2_policypcr -S /tmp/session.ctx ... -L /tmp/A.policy
> tpm2_policynv -S /tmp/session.ctx ... -L /tmp/B.policy
> tpm2_policyauthorize -S /tmp/session.ctx ... -L /tmp/C.policy
> tpm2_nvdefine -a "ownerwrite|ownerread|policyread" \
> ... -L /tmp/C.policy
> tpm2_flushcontext /tmp/session.ctx
>
> # use /tmp/C.policy to generate the signature
> openssl dgst -sha256 --sign key.pem \
> -out policy.signature /tmp/C.policy
>
> Yes?
I think so. I think you can also drop the -L output until you end up with the policy you
want.
A quick update for the list archives and anyone following this thread
- the above example is close, but not correct. The problem lies in
the policy that is signed using openssl. The example above signs the
output from tpm2_policyauthorize (/tmp/C.policy) when it should sign
the output from tpm2_policynv (/tmp/B.policy); it looks like you need
to sign the last policy in the chain *before* you call
tpm2_policyauthorize. To be honest, this makes sense, but it seems
like an easy mistake to make and I'm guessing I'm not the first (or
the last) to screw this up :)
> > Another thing to consider, can you use tss2_ tools? They
have a policy
> > language that manages this all for you with a WYSIWIG policy builder:
> > https://tpm2-software.github.io/fapipolicies/
Are there any docs, examples, blog posts, etc. talking about the FAPI
JSON policies? I see a variety of manpages (which are pretty sparse
if I'm honest) and the web-based policy editor you mentioned, but
other than that there doesn't seem to be much in the way of docs.
Help?
--
paul moore
www.paul-moore.com
535
days inactive
540
days old
4 comments
2 participants
participants (2)
-
Paul Moore -
Roberts, William C