SoftwareDesign
/
csu3_am335x


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321
							/* SPDX-License-Identifier: BSD-3-Clause */

#ifndef TPM2_POLICY_H_
#define TPM2_POLICY_H_

#include <stdbool.h>

#include <tss2/tss2_esys.h>

#include "object.h"
#include "tpm2_session.h"

/**

 * Build a PCR policy via PolicyPCR.

 * @param context

 *  The Enhanced System API (ESAPI) context.

 * @param policy_session

 *  A session started with tpm2_session_new().

 * @param raw_pcrs_file

 *  The a file output from tpm2_pcrread -o option. Optional, can be NULL.

 *  If NULL, the PCR values are read via the pcr_selection value.

 * @param pcr_selections

 *  The pcr selections to use when building the pcr policy. It follows the PCR selection

 *  specifications in the man page for tpm2_listpcrs. If using a raw_pcrs_file, this spec

 *  must be the same as supplied to tpm2_listpcrs.

 * @return

 *  tool_rc indicating status.

 */
tool_rc tpm2_policy_build_pcr(ESYS_CONTEXT *context,
        tpm2_session *policy_session, const char *raw_pcrs_file,
        TPML_PCR_SELECTION *pcr_selections, TPM2B_DIGEST *raw_pcr_digest);

/**

 * Enables a signing authority to authorize policies

 * @param ectx

 *   The Enhanced system api context

 * @param policy_session

 *   The policy session that has the policy digest to be authorized

 * @param policy_digest_path

 *   The policy digest file that needs to be authorized by signing authority

 * @param policy_qualifier

 *   The policy qualifier data that concatenates with approved policies. Can be

 *   either a path to a file or a hex string.

 * @param verifying_pubkey_name_path

 *   The name of the public key that verifies the signature of the signer

 * @param ticket_path

 *   The verification ticket generated when TPM verifies the signature

 * @return

 *   tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policyauthorize(ESYS_CONTEXT *ectx,
        tpm2_session *policy_session, const char *policy_digest_path,
        const char *policy_qualifier,
        const char *verifying_pubkey_name_path, const char *ticket_path);

/**

 * Compounds policies in an OR fashion

 *

 * @param ectx

 *   The Enhanced system api context

 * @param policy_session

 *   The policy session into which the policy digest is extended into

 * @param policy_list

 *   The list of policy policy digests

 *

 * @return

 *   tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policyor(ESYS_CONTEXT *ectx,
        tpm2_session *policy_session, TPML_DIGEST *policy_list);

/**

 * Evaluates an authorization for specific named objects.

 *

 * @param ectx

 *  The Enhanced system api context

 * @param session

 *  The policy session into which the policy digest is extended into

 * @param name_hash

 *  The name hash

 *

 * @return

 *   tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policynamehash(ESYS_CONTEXT *ectx,
    tpm2_session *session, const TPM2B_DIGEST *name_hash);

/**

 * Evaluates an authorization for object's public template data digest.

 *

 * @param ectx

 *  The Enhanced system api context

 * @param session

 *  The policy session into which the policy digest is extended into

 * @param template_hash

 *  The public template hash

 *

 * @return

 *   tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policytemplate(ESYS_CONTEXT *ectx,
    tpm2_session *session, const TPM2B_DIGEST *template_hash);

/**

 * Evaluates an authorization for object's command parameter digest.

 *

 * @param ectx

 *  The Enhanced system api context

 * @param session

 *  The policy session into which the policy digest is extended into

 * @param cphash

 *  The command parameter hash

 *

 * @return

 *   tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policycphash(ESYS_CONTEXT *ectx,
    tpm2_session *session, const TPM2B_DIGEST *cphash);

/**

 * Enables secret (password/hmac) based authorization to a policy.

 *

 * @param ectx

 *  The Enhanced system api (ESAPI) context

 * @param policy_session into which the policy digest is extended into

 *  The policy session

 * @param[in] secret_session

 *  The secret authentication data to update the policy session with.

 *  Must be a password session.

 * @param[in] handle

 *  The handle-id of the authentication object

 *

 * @return

 *  tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policysecret(ESYS_CONTEXT *ectx,
        tpm2_session *policy_session, tpm2_loaded_object *auth_entity_obj,
        INT32 expiration, TPMT_TK_AUTH **policy_ticket,
        TPM2B_TIMEOUT **timeout, bool is_nonce_tpm,
        const char *policy_qualifier_path, TPM2B_DIGEST *cp_hash);

/**

 * Retrieves the policy digest for a session via PolicyGetDigest.

 * @param context

 *  The Enhanced System API (ESAPI) context.

 * @param session

 *  The session whose digest to query.

 * @param policy_digest

 *  The retrieved digest, only valid on true returns.

 * @return

 *  tool_rc indicating status.

 */
tool_rc tpm2_policy_get_digest(ESYS_CONTEXT *context, tpm2_session *session,
        TPM2B_DIGEST **policy_digest);

/**

 * Enables a policy that requires the object's authentication passphrase be

 * provided.

 * @param ectx

 *  The Enhanced system api (ESAPI_) context.

 * @param session

 *  The policy session which is extended with PolicyPassword command code

 * @return

 *  tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policypassword(ESYS_CONTEXT *ectx,
        tpm2_session *session);

/**

 * Enables a policy that requires the object's authvalue be provided.

 * The authvalue can be transmitted as an HMAC

 * @param ectx

 *  The Enhanced system api (ESAPI_) context.

 * @param session

 *  The policy session which is extended with PolicyAuthValue command code

 * @return

 *  tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policyauthvalue(ESYS_CONTEXT *ectx,
        tpm2_session *session);

/**

 * Enables a policy authorization by virtue of verifying a signature on optional

 * TPM2 parameters data - nonceTPM, cphashA, policyRef, expiration

 * @param ectx

 *  The Enhanced system api (ESAPI) context

 * @param session

 *  The policy session which is extended with PolicySigned command code

 * @param auth_entity_obj

 *  The loaded TPM2 key object public portion used for signature verification

 * @param signature

 *  The signature of the optional TPM2 parameters

 */
tool_rc tpm2_policy_build_policysigned(ESYS_CONTEXT *ectx,
        tpm2_session *policy_session, tpm2_loaded_object *auth_entity_obj,
        TPMT_SIGNATURE *signature, INT32 expiration, TPM2B_TIMEOUT **timeout,
        TPMT_TK_AUTH **policy_ticket, const char *policy_qualifier_path,
        bool is_nonce_tpm, const char *raw_data_path,
        const char *cphash_path);

/**

 * PolicyTicket assertion enables proxy authentication for either PolicySecret

 * or PolicySigned once the specific policy is validated.

 *

 * @param ectx

 *  The Enhanced system api (ESAPI) context

 * @param session

 *  The policy session which is being extended

 * @param policy_timeout_path

 *  The file containing the timeout data generated PolicySigned/ PolicySecret

 * @param qualifier_data_path

 *  The file containing the qualifier data or policyRef

  * @param policy_ticket_path

 *  The file containing the auth ticket

 * @param auth_name_file

 *  The auth name file containing the name of the auth object

 *

 * @return     { description_of_the_return_value }

 */
tool_rc tpm2_policy_build_policyticket(ESYS_CONTEXT *ectx,
    tpm2_session *policy_session, char *policy_timeout_path,
    const char *qualifier_data_path, char *policy_ticket_path,
    const char *auth_name_file);

/**

 * Parses the policy digest algorithm for the list of policies specified

 *

 * @param str

 *  The string specifying the policy digest algorithm and list of policies

 * @param policy_list

 *  The policy list structure that records all the policies from policy list

 * @return

 *  true on success, false otherwise.

 */
bool tpm2_policy_parse_policy_list(char *str, TPML_DIGEST *policy_list);

/**

 * Policy to restrict tpm object authorization to specific commands

 *

 * @param ectx

 *   The Enhanced system api (ESAPI_) context.

 * @param policy_session

 *   The policy session into which the policy digest is extended into

 * @param command_code

 *   The command code of the command authorized to use the object

 * @return

 *  A tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policycommandcode(ESYS_CONTEXT *ectx,
        tpm2_session *session, uint32_t command_code);

/**

 * Policy to restrict authorization to written state of the NV Index

 *

 * @param ectx

 *   The Enhanced system api (ESAPI_) context.

 * @param policy_session

 *   The policy session into which the policy digest is extended into

 * @param written_set

 *   SET/ CLEAR TPMI_YES_NO value of the expected written state of NV index

 * @return

 *  A tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policynvwritten(ESYS_CONTEXT *ectx,
        tpm2_session *session, TPMI_YES_NO written_set);

/**

 * Policy to restrict tpm object authorization to specific locality

 *

 * @param ectx

 *   The Enhanced system api (ESAPI_) context.

 * @param policy_session

 *   The policy session into which the policy digest is extended into

 * @param locality

 *   The locality of the command authorized to use the object

 * @return

 *   A tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policylocality(ESYS_CONTEXT *ectx,
        tpm2_session *session, TPMA_LOCALITY locality);

/**

 * Policy to restrict tpm object authorization to specific duplication target

 *

 * @param ectx

 *   The Enhanced system api (ESAPI_) context.

 * @param policy_session

 *   The policy session into which the policy digest is extended into

 * @param obj_name_path

 *   The name of the tpm object to be duplicated

 * @param new_parent_name_path

 *   The name of the new parent to which the object is duplicated

 * @param is_include_obj

 *   the flag indicating whether object name is included in policyDigest

 * @return

 *  A tool_rc indicating status.

 */
tool_rc tpm2_policy_build_policyduplicationselect(ESYS_CONTEXT *ectx,
        tpm2_session *session, const char *obj_name_path,
        const char *new_parent_name_path, TPMI_YES_NO is_include_obj);

/**

 * Policy tools need to:

 *  - get the policy digest

 *  - print the policy digest

 *  - optionally save the digest to a file

 *  This routine serves a common helper so all policy tools

 *  behave in the same way.

 * @param ectx

 *  The Enhanced system api (ESAPI_) context.

 * @param session

 *  The policy session to get the digest of.

 * @param save_path

 *  The path to optionally save the digest too.

 * @return

 *  A tool_rc indicating status.

 */
tool_rc tpm2_policy_tool_finish(ESYS_CONTEXT *ectx, tpm2_session *session,
        const char *save_path);

#endif /* TPM2_POLICY_H_ */