Lines Matching full:policy
27 /** Copy the policy digests from a branch list to a digest list.
29 * @param[in] branches The list of policy branches.
79 /** Add a new authorization to a policy.
81 * The the signed hash computed from the policy digest and the policyRef together with
82 * the public key of the key used for signing will be stored in the policy.
84 * @param[in,out] policy The policy to be authorized.
94 TPMS_POLICY *policy, in ifapi_extend_authorization() argument
101 if (policy->policyAuthorizations) { in ifapi_extend_authorization()
103 n = policy->policyAuthorizations->count; in ifapi_extend_authorization()
104 save = policy->policyAuthorizations; in ifapi_extend_authorization()
105 policy->policyAuthorizations = in ifapi_extend_authorization()
108 return_if_null(policy->policyAuthorizations->authorizations, in ifapi_extend_authorization()
112 policy->policyAuthorizations->authorizations[i] = in ifapi_extend_authorization()
114 policy->policyAuthorizations->authorizations[n] = *authorization; in ifapi_extend_authorization()
115 policy->policyAuthorizations->count = n + 1; in ifapi_extend_authorization()
119 policy->policyAuthorizations = malloc(sizeof(TPMS_POLICYAUTHORIZATION) in ifapi_extend_authorization()
121 return_if_null(policy->policyAuthorizations->authorizations, in ifapi_extend_authorization()
124 policy->policyAuthorizations->count = 1; in ifapi_extend_authorization()
125 policy->policyAuthorizations->authorizations[0] = *authorization; in ifapi_extend_authorization()
134 * @param[in,out] digest_values The list of policy digests and corresponding
165 /** Execute policy PCR.
167 * This command is used to cause conditional gating of a policy based on PCR.
170 * policy command.
171 * @param[in,out] policy The PCR policy which will be executed. The policy
172 * digest will be added to the policy.
174 * policy computation.
175 * @param[in,out] current_policy The policy context which stores the state
176 * of the policy execution.
187 TPMS_POLICYPCR *policy, in execute_policy_pcr() argument
200 r = ifapi_compute_policy_digest(policy->pcrs, &pcr_selection, in execute_policy_pcr()
202 return_if_error(r, "Compute policy digest and selection."); in execute_policy_pcr()
206 /* Prepare the policy execution. */ in execute_policy_pcr()
215 /* Finalize the policy execution if possible. */ in execute_policy_pcr()
227 /** Execute policy duplicate.
230 * policy command.
231 * @param[in,out] policy The duplicate policy which will be executed. The policy
232 * digest will be added to the policy.
234 * policy computation.
235 * @param[in,out] current_policy The policy context which stores the state
236 * of the policy execution.
248 TPMS_POLICYDUPLICATIONSELECT *policy, in execute_policy_duplicate() argument
258 r = cb->cbdup(&policy->objectName, cb->cbdup_userdata); in execute_policy_duplicate()
259 return_if_error(r, "Get name for policy duplicate select."); in execute_policy_duplicate()
261 /* Prepare the policy execution. */ in execute_policy_duplicate()
266 &policy->objectName, in execute_policy_duplicate()
267 &policy->newParentName, in execute_policy_duplicate()
268 policy->includeObject); in execute_policy_duplicate()
273 /* Finalize the policy execution if possible. */ in execute_policy_duplicate()
285 /** Execute policy NV.
287 * A policy based on the contents of an NV Index will be executed. The
292 * policy command.
293 * @param[in,out] policy The NV policy which will be executed. The policy
294 * digest will be added to the policy.
296 * policy computation.
297 * @param[in,out] current_policy The policy context which stores the state
298 * of the policy execution.
310 TPMS_POLICYNV *policy, in execute_policy_nv() argument
319 r = ifapi_nv_get_name(&policy->nvPublic, ¤t_policy->name); in execute_policy_nv()
332 return_if_error(r, "Execute authorized policy."); in execute_policy_nv()
334 /* Prepare the policy execution. */ in execute_policy_nv()
340 &policy->operandB, policy->offset, in execute_policy_nv()
341 policy->operation); in execute_policy_nv()
346 /* Finalize the policy execution if possible. */ in execute_policy_nv()
358 /** Execute policy for signature based authorization.
360 * A signed authorization is included in this policy. The authorization hash
361 * of the policy data will be signed via a callback. For an example callback
365 * policy command.
366 * @param[in,out] policy The policy to be signed which will be executed. The policy
367 * digest will be added to the policy.
369 * policy computation.
370 * @param[in,out] current_policy The policy context which stores the state
371 * of the policy execution.
386 TPMS_POLICYSIGNED *policy, in execute_policy_signed() argument
402 + policy->cpHashA.size + policy->policyRef.size; in execute_policy_signed()
416 memcpy(¤t_policy->buffer[offset], &policy->cpHashA.buffer[0], in execute_policy_signed()
417 policy->cpHashA.size); in execute_policy_signed()
418 offset += policy->cpHashA.size; in execute_policy_signed()
419 memcpy(¤t_policy->buffer[offset], &policy->policyRef.buffer[0], in execute_policy_signed()
420 policy->policyRef.size); in execute_policy_signed()
421 offset += policy->policyRef.size; in execute_policy_signed()
432 tpm_public.publicArea = policy->keyPublic; in execute_policy_signed()
440 r = cb->cbsign(current_policy->pem_key, policy->publicKeyHint, in execute_policy_signed()
441 policy->keyPEMhashAlg, current_policy->buffer, in execute_policy_signed()
447 try_again_or_error_goto(r, "Execute policy signature callback.", cleanup); in execute_policy_signed()
450 r = ifapi_der_sig_to_tpm(&policy->keyPublic, signature_ossl, in execute_policy_signed()
451 signature_size, policy->keyPEMhashAlg, in execute_policy_signed()
452 &policy->signature_tpm); in execute_policy_signed()
459 inPublic.publicArea = policy->keyPublic; in execute_policy_signed()
472 /* Prepare the policy execution. */ in execute_policy_signed()
478 &policy->cpHashA, in execute_policy_signed()
479 &policy->policyRef, 0, &policy->signature_tpm); in execute_policy_signed()
485 /* Finalize the policy execution if possible. */ in execute_policy_signed()
514 /** Execute a policy that was signed by a certain key.
516 * All policies authorized by the key stored in the policy will be
517 * retrieved and one policy will be selected via a branch selection callback
518 * (see Fapi_SetBranchCB()) if more then one policy was found.
519 * The selected policy will be executed via a callback. For an example callback
522 * For an example callback implementation to executie of an authorized policy
526 * policy command.
527 * @param[in,out] policy The policy which defines the signing key and several
528 * additional parameters (nonce, policyRef ...). The policy
529 * digest will be added to the policy.
531 * policy computation.
532 * @param[in,out] current_policy The policy context which stores the state
533 * of the policy execution.
543 * @retval TSS2_FAPI_RC_POLICY_UNKNOWN if policy search for a certain policy digest
553 TPMS_POLICYAUTHORIZE *policy, in execute_policy_authorize() argument
576 /* Execute authorized policy. */ in execute_policy_authorize()
578 r = cb->cbauthpol(&policy->keyPublic, hash_alg, &policy->approvedPolicy, in execute_policy_authorize()
579 &policy->signature, cb->cbauthpol_userdata); in execute_policy_authorize()
581 goto_if_error(r, "Execute authorized policy.", cleanup); in execute_policy_authorize()
584 public2b.publicArea = policy->keyPublic; in execute_policy_authorize()
595 /* Save key name for policy execution */ in execute_policy_authorize()
598 policy->keyName = *tmp_name; in execute_policy_authorize()
601 /* Use policyRef and policy to compute authorization hash */ in execute_policy_authorize()
605 HASH_UPDATE_BUFFER(cryptoContext, &policy->approvedPolicy.buffer[0], in execute_policy_authorize()
607 HASH_UPDATE_BUFFER(cryptoContext, &policy->policyRef.buffer[0], in execute_policy_authorize()
608 policy->policyRef.size, r, cleanup); in execute_policy_authorize()
615 LOGBLOB_TRACE(&policy->policyRef.buffer[0], policy->policyRef.size, "policyRef"); in execute_policy_authorize()
618 /* Verify the signature retrieved from the authorized policy against in execute_policy_authorize()
623 &policy->signature); in execute_policy_authorize()
631 /* Execute policy authorize */ in execute_policy_authorize()
632 policy->checkTicket = *ticket; in execute_policy_authorize()
637 &policy->approvedPolicy, in execute_policy_authorize()
638 &policy->policyRef, in execute_policy_authorize()
639 &policy->keyName, in execute_policy_authorize()
640 &policy->checkTicket); in execute_policy_authorize()
641 goto_if_error(r, "Policy Authorize", cleanup); in execute_policy_authorize()
671 /** Execute a policy whose digest is stored in the NV ram.
673 * The policy will be retrieved from policy store based on the policy digest
675 * The authorization for the NV object, the policy retrieval, and the execution
680 * policy command.
681 * @param[in,out] policy The policy which defines the policy to be authorized
683 * The policy digest will be added to the policy.
685 * policy computation.
686 * @param[in,out] current_policy The policy context which stores the state
687 * of the policy execution.
696 * @retval TSS2_FAPI_RC_POLICY_UNKNOWN if policy search for a certain policy digest
703 TPMS_POLICYAUTHORIZENV *policy, in execute_policy_authorize_nv() argument
715 /* Execute the policy stored in the NV object. */ in execute_policy_authorize_nv()
716 r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthpol_userdata); in execute_policy_authorize_nv()
717 try_again_or_error(r, "Execute policy authorize nv callback."); in execute_policy_authorize_nv()
719 r = ifapi_nv_get_name(&policy->nvPublic, ¤t_policy->name); in execute_policy_authorize_nv()
724 /* Authorize the NV object for policy execution. */ in execute_policy_authorize_nv()
730 goto_if_error(r, "Execute authorized policy.", cleanup); in execute_policy_authorize_nv()
735 /* Prepare the policy execution. */ in execute_policy_authorize_nv()
746 /* Finalize the policy execution if possible. */ in execute_policy_authorize_nv()
758 /** Execute a policy based on a secret-based authorization.
760 * The policy defines an object whose secret is needed for policy execution.
765 * policy command.
766 * @param[in,out] policy The policy which defines the object whose secret
767 * is needed for policy execution.
768 * The policy digest will be added to the policy.
770 * policy computation.
771 * @param[in,out] current_policy The policy context which stores the state
772 * of the policy execution.
784 TPMS_POLICYSECRET *policy, in execute_policy_secret() argument
797 r = cb->cbauth(&policy->objectName, in execute_policy_secret()
810 policy->nonceTPM = *(current_policy->nonceTPM); in execute_policy_secret()
813 /* Prepare the policy execution. */ in execute_policy_secret()
818 ESYS_TR_NONE, &policy->nonceTPM, in execute_policy_secret()
819 &policy->cpHashA, &policy->policyRef, in execute_policy_secret()
825 /* Finalize the policy execution if possible. */ in execute_policy_secret()
839 /** Execute a policy depending on the TPM timers.
842 * policy command.
843 * @param[in,out] policy The policy which defines the values for the comparision
845 * The policy digest will be added to the policy.
847 * policy computation.
848 * @param[in,out] current_policy The policy context which stores the state
849 * of the policy execution.
860 TPMS_POLICYCOUNTERTIMER *policy, in execute_policy_counter_timer() argument
869 /* Prepare the policy execution. */ in execute_policy_counter_timer()
874 &policy->operandB, in execute_policy_counter_timer()
875 policy->offset, in execute_policy_counter_timer()
876 policy->operation); in execute_policy_counter_timer()
881 /* Finalize the policy execution if possible. */ in execute_policy_counter_timer()
893 /** Execute a policy depending on physical presence.
896 * policy command.
897 * @param[in,out] policy The policy indicating that physical presence is needed.
898 * @param[in,out] current_policy The policy context which stores the state
899 * of the policy execution.
910 TPMS_POLICYPHYSICALPRESENCE *policy, in execute_policy_physical_presence() argument
914 (void)policy; in execute_policy_physical_presence()
920 /* Prepare the policy execution. */ in execute_policy_physical_presence()
929 /* Finalize the policy execution if possible. */ in execute_policy_physical_presence()
941 /** Execute a policy for binding a authorization value of the authorized entity.
946 * policy command.
947 * @param[in,out] policy The policy indicating that a auth value is needed.
948 * @param[in,out] current_policy The policy context which stores the state
949 * of the policy execution.
960 TPMS_POLICYAUTHVALUE *policy, in execute_policy_auth_value() argument
964 (void)policy; in execute_policy_auth_value()
970 /* Prepare the policy execution. */ in execute_policy_auth_value()
979 /* Finalize the policy execution if possible. */ in execute_policy_auth_value()
991 /** Execute a policy for binding a authorization value of the authorized object.
997 * policy command.
998 * @param[in,out] policy The policy indicating that a auth value is needed.
999 * @param[in,out] current_policy The policy context which stores the state
1000 * of the policy execution.
1011 TPMS_POLICYPASSWORD *policy, in execute_policy_password() argument
1015 (void)policy; in execute_policy_password()
1021 /* Prepare the policy execution. */ in execute_policy_password()
1030 /* Finalize the policy execution if possible. */ in execute_policy_password()
1042 /** Execute a policy to limit an authorization to a specific command code.
1045 * policy command.
1046 * @param[in,out] policy The policy with the command code used fo limitting.
1047 * @param[in,out] current_policy The policy context which stores the state
1048 * of the policy execution.
1059 TPMS_POLICYCOMMANDCODE *policy, in execute_policy_command_code() argument
1068 /* Prepare the policy execution. */ in execute_policy_command_code()
1072 policy->code); in execute_policy_command_code()
1077 /* Finalize the policy execution if possible. */ in execute_policy_command_code()
1089 /** Execute a policy for binding the policy to a specific set of TPM entities.
1091 * Up to three entity names can be defined in the policy.
1094 * policy command.
1095 * @param[in,out] policy The policy with the entity names.
1096 * @param[in,out] current_policy The policy context which stores the state
1097 * of the policy execution.
1108 TPMS_POLICYNAMEHASH *policy, in execute_policy_name_hash() argument
1117 /* Prepare the policy execution. */ in execute_policy_name_hash()
1121 &policy->nameHash); in execute_policy_name_hash()
1126 /* Finalize the policy execution if possible. */ in execute_policy_name_hash()
1138 /** Execute a policy for binding the policy to command parameters.
1141 * policy command.
1142 * @param[in,out] policy The policy with the cp hash.
1143 * @param[in,out] current_policy The policy context which stores the state
1144 * of the policy execution.
1155 TPMS_POLICYCPHASH *policy, in execute_policy_cp_hash() argument
1164 /* Prepare the policy execution. */ in execute_policy_cp_hash()
1168 &policy->cpHash); in execute_policy_cp_hash()
1174 /* Finalize the policy execution if possible. */ in execute_policy_cp_hash()
1186 /** Execute a policy for binding the policy to a certain locality.
1189 * policy command.
1190 * @param[in,out] policy The policy with the locality.
1191 * @param[in,out] current_policy The policy context which stores the state
1192 * of the policy execution.
1203 TPMS_POLICYLOCALITY *policy, in execute_policy_locality() argument
1212 /* Prepare the policy execution. */ in execute_policy_locality()
1216 policy->locality); in execute_policy_locality()
1221 /* Finalize the policy execution if possible. */ in execute_policy_locality()
1233 /** Execute a policy for binding the policy to the NV written state.
1235 * The state NV written yes or NV written no can be defined in the policy.
1238 * policy command.
1239 * @param[in,out] policy The policy with the NV written switch YES or NO.
1240 * @param[in,out] current_policy The policy context which stores the state
1241 * of the policy execution.
1252 TPMS_POLICYNVWRITTEN *policy, in execute_policy_nv_written() argument
1261 /* Prepare the policy execution. */ in execute_policy_nv_written()
1265 policy->writtenSet); in execute_policy_nv_written()
1270 /* Finalize the policy execution if possible. */ in execute_policy_nv_written()
1282 /** Execute a policy for binding the policy to the NV written state.
1284 * The state NV written yes or NV written no can be defined in the policy.
1287 * policy command.
1288 * @param[in,out] policy The policy with the NV written switch YES or NO.
1289 * @param[in,out] current_policy The policy context which stores the state
1290 * of the policy execution.
1301 TPMS_POLICYOR *policy, in execute_policy_or() argument
1311 /* Prepare the policy execution. */ in execute_policy_or()
1312 r = compute_or_digest_list(policy->branches, current_hash_alg, in execute_policy_or()
1314 return_if_error(r, "Compute policy or digest list."); in execute_policy_or()
1323 /* Finalize the policy execution if possible. */ in execute_policy_or()
1333 /** Execute a policy for executing a callback during policy execution.
1335 * The action name stored in the policy name will be passed do the callback
1336 * function. The policy action callback has to be set with the function:
1340 * policy command.
1341 * @param[in,out] policy The policy with action name.
1342 * @param[in,out] current_policy The policy context which stores the state
1343 * of the policy execution.
1356 TPMS_POLICYACTION *policy, in execute_policy_action() argument
1368 r = cb->cbaction(policy->action, cb->cbaction_userdata); in execute_policy_action()
1369 try_again_or_error(r, "Execute policy action callback."); in execute_policy_action()
1376 /** Execute a policy element depending on the type.
1379 * policy command.
1380 * @param[in,out] policy The policy element with the policy to be executed and
1381 * the type of the policy.
1382 * @param[in,out] current_policy The policy context which stores the state
1383 * of the policy execution.
1392 TPMT_POLICYELEMENT *policy, in execute_policy_element() argument
1400 switch (policy->type) { in execute_policy_element()
1403 &policy->element.PolicySecret, in execute_policy_element()
1406 try_again_or_error_goto(r, "Execute policy authorize", error); in execute_policy_element()
1410 &policy->element.PolicyPCR, in execute_policy_element()
1412 try_again_or_error_goto(r, "Execute policy pcr", error); in execute_policy_element()
1416 &policy->element.PolicyAuthValue, in execute_policy_element()
1418 try_again_or_error_goto(r, "Execute policy auth value", error); in execute_policy_element()
1422 &policy->element.PolicyOr, in execute_policy_element()
1424 try_again_or_error_goto(r, "Execute policy or", error); in execute_policy_element()
1428 &policy->element.PolicySigned, in execute_policy_element()
1430 try_again_or_error_goto(r, "Execute policy signed", error); in execute_policy_element()
1434 &policy->element.PolicyAuthorize, in execute_policy_element()
1437 try_again_or_error_goto(r, "Execute policy authorize", error); in execute_policy_element()
1441 &policy->element.PolicyAuthorizeNv, in execute_policy_element()
1444 try_again_or_error_goto(r, "Execute policy authorize", error); in execute_policy_element()
1448 &policy->element.PolicyNV, in execute_policy_element()
1450 try_again_or_error_goto(r, "Execute policy nv", error); in execute_policy_element()
1454 &policy->element.PolicyDuplicationSelect, in execute_policy_element()
1456 try_again_or_error_goto(r, "Execute policy duplicate", error); in execute_policy_element()
1460 &policy->element.PolicyNvWritten, in execute_policy_element()
1462 try_again_or_error_goto(r, "Execute policy nv written", error); in execute_policy_element()
1466 &policy->element.PolicyLocality, in execute_policy_element()
1468 try_again_or_error_goto(r, "Execute policy locality", error); in execute_policy_element()
1472 &policy->element.PolicyCommandCode, in execute_policy_element()
1474 try_again_or_error_goto(r, "Execute policy command code", error); in execute_policy_element()
1478 &policy->element.PolicyNameHash, in execute_policy_element()
1480 try_again_or_error_goto(r, "Execute policy name hash", error); in execute_policy_element()
1484 &policy->element.PolicyCpHash, in execute_policy_element()
1486 try_again_or_error_goto(r, "Execute policy cp hash", error); in execute_policy_element()
1490 &policy->element.PolicyPhysicalPresence, in execute_policy_element()
1492 try_again_or_error_goto(r, "Execute policy physical presence", error); in execute_policy_element()
1496 &policy->element.PolicyPassword, in execute_policy_element()
1498 try_again_or_error_goto(r, "Execute policy password", error); in execute_policy_element()
1502 &policy->element.PolicyCounterTimer, in execute_policy_element()
1504 try_again_or_error_goto(r, "Execute policy counter timer", error); in execute_policy_element()
1508 &policy->element.PolicyAction, in execute_policy_element()
1510 try_again_or_error_goto(r, "Execute policy action", error); in execute_policy_element()
1515 "Policy not implemented"); in execute_policy_element()
1527 * To simplify asynncronous policy executiion a linked list of the policy structures
1551 return_if_error(r, "Select policy branch."); in compute_policy_list()
1552 or_elements = branches->authorizations[branch_idx].policy; in compute_policy_list()
1554 return_if_error(r, "Compute policy digest list for policy or."); in compute_policy_list()
1557 return_if_error(r, "Extend policy list."); in compute_policy_list()
1562 /** Initialize policy element list to be executed and store policy in context.
1564 * @param[in] pol_ctx Context for execution of a list of policy elements.
1565 * @param[in] hash_alg The hash algorithm used for the policy computation.
1566 * @param[in,out] policy The policy to be executed. Some policy elements will
1567 * be used to store computed parameters needed for policy
1583 TPMS_POLICY *policy) in ifapi_policyeval_execute_prepare() argument
1587 pol_ctx->policy = policy; in ifapi_policyeval_execute_prepare()
1589 r = compute_policy_list(pol_ctx, policy->policy); in ifapi_policyeval_execute_prepare()
1590 return_if_error(r, "Compute list of policy elements to be executed."); in ifapi_policyeval_execute_prepare()
1595 /** Execute all policy commands defined by a list of policy elements.
1600 * @retval TSS2_FAPI_RC_IO_ERROR If an error occurs during access to the policy
1602 * @retval TSS2_FAPI_RC_POLICY_UNKNOWN If policy search for a certain policy digest was
1604 * @retval TSS2_FAPI_RC_BAD_TEMPLATE In a invalid policy is loaded during execution.
1644 return_if_error(r, "Execute policy."); in ifapi_policyeval_execute()