Creating the Entity to Use the Policy Digest
Now we need to create the index in such a way as to allow writes with the policy authorization; this step corresponds to the Create Entity time interval described previously. This is done by sending a TPM2_NV_DefineSpace command with the following inputs (this is done by the call to the DefineNvIndex function):
• auth = TPM2B that contains the authValue used to access this NV index (lines 42-44).
• publicInfo.t.nvPublic.nvIndex = 0x01400001 (lines 115-117).
• publicInfo.t.nvPublic.nameAlg = TPM_ALG_SHA256. This is the hash algorithm used to calculate the index's name, and this algorithm must be the same as the policyAlg used to calculate the policyDigest, whether this was done by a trial session or by software. See lines 115-117.
• publicInfo.t.nvPublic.attributes.TPMA_NV_POLICYWRITE = 1 and publicInfo.t.nvPublic.attributes.TPMA_NV_POLICYREAD = 1. This configures the index to allow reads and writes only if the policy is satisfied. See lines 109–110.
• publicInfo.t.nvPublic.authPolicy = the TPM2B that contains the policyDigest, digestps. See lines 83-85 and 115-117.
• publicInfo.t.nvPublic.dataSize = 32. This indicates the size of the data contained in the NV index; in this case, the index is configured to be only 32 bytes wide. See lines 115-117.
• Set the NV index's auth value. See lines 42–44.
This command creates an NV index that can only be written if the policy is satisfied. The next step is to create a real—that is, non-trial—policy session and use it to authorize writes to the NV index.
Starting the Real Policy Session
Start a real policy session using the TPM2_StartAuthSession command. The main inputs of concern for a policy session are as follows (see lines 152 and 154-156):
• tpmKey = TPM_RH_NULL
• bind = TPM_RH_NULL
■ Note The tpmKey and bind settings mean this is an unbound and unsalted session. These settings were chosen to keep this example as simple as possible; they are also the most common way that policy sessions are used. The goal here is to understand the process and avoid low-level details as much as possible.
• sessionType = TPM_SE_POLICY. This is what configures the session as a real—that is, non-trial—policy session.
• authHash = TPM_ALG_SHA256. This sets the hashing algorithm used for generating the policyDigest. Because we used SHA256 when creating the policyDigest, we must use this same algorithm when starting the real policy session.
This command returns a policy session handle, Hps. Now we can use this policy session to send commands to authorize actions on the NV index.
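The following is an added example, not code from the book or from the TSS it uses. It assembles the TPM2_NV_DefineSpace inputs listed above (nvIndex 0x01400001, nameAlg SHA256, POLICYWRITE/POLICYREAD, a 32-byte index) and the TPM2_StartAuthSession inputs for the unbound, unsalted policy session, enforces the consistency rule the text states twice (the digest and session hash algorithm must match the index's nameAlg), and additionally computes the index's Name the way TPM 2.0 defines it (nameAlg followed by the hash of the marshaled TPMS_NV_PUBLIC), which goes beyond what the text shows. The constant values are the standard TPM 2.0 Part 2 values, and the policyDigest, authValue and helper names are constructed placeholders rather than anything from the listing.

```python
"""Added example: TPM2_NV_DefineSpace / TPM2_StartAuthSession inputs for a
policy-protected NV index, with the algorithm-consistency checks and the
NV index Name computation. Not the book's code; constants are TPM 2.0 spec
values, all sample data is constructed."""
import hashlib
import struct
from dataclasses import dataclass

# TPM 2.0 Part 2 constants (standard spec values, not from the listing).
TPM_ALG_SHA256 = 0x000B
TPM_RH_NULL = 0x40000007
TPM_SE_POLICY = 0x01
TPM_SE_TRIAL = 0x03
TPMA_NV_POLICYWRITE = 1 << 3    # writes require satisfying authPolicy
TPMA_NV_POLICYREAD = 1 << 19    # reads require satisfying authPolicy

# Hash constructor per nameAlg; only SHA256 is needed here.
HASH_FOR_ALG = {TPM_ALG_SHA256: hashlib.sha256}


@dataclass
class NvPublic:
    """Python mirror of TPMS_NV_PUBLIC (publicInfo.t.nvPublic)."""
    nv_index: int
    name_alg: int
    attributes: int
    auth_policy: bytes
    data_size: int

    def validate(self) -> None:
        # authPolicy must be a digest of nameAlg: a trial-session digest made
        # with a different algorithm can never satisfy the index's policy.
        expect = HASH_FOR_ALG[self.name_alg]().digest_size
        if len(self.auth_policy) != expect:
            raise ValueError(
                f"authPolicy is {len(self.auth_policy)} bytes, nameAlg needs {expect}")
        if not self.attributes & (TPMA_NV_POLICYWRITE | TPMA_NV_POLICYREAD):
            raise ValueError("no POLICYWRITE/POLICYREAD bit: authPolicy is never consulted")

    def marshal(self) -> bytes:
        # Wire format: nvIndex(u32) nameAlg(u16) attributes(u32)
        # authPolicy as TPM2B_DIGEST (u16 size + bytes) dataSize(u16), big-endian.
        return (struct.pack(">IHI", self.nv_index, self.name_alg, self.attributes)
                + struct.pack(">H", len(self.auth_policy)) + self.auth_policy
                + struct.pack(">H", self.data_size))

    def name(self) -> bytes:
        # Name of an NV index = nameAlg || H_nameAlg(marshaled TPMS_NV_PUBLIC).
        digest = HASH_FOR_ALG[self.name_alg](self.marshal()).digest()
        return struct.pack(">H", self.name_alg) + digest


def define_space_inputs(auth_value: bytes, policy_digest: bytes,
                        nv_index: int = 0x01400001, name_alg: int = TPM_ALG_SHA256,
                        data_size: int = 32) -> dict:
    """Assemble the TPM2_NV_DefineSpace inputs described in the text."""
    public = NvPublic(nv_index, name_alg,
                      TPMA_NV_POLICYWRITE | TPMA_NV_POLICYREAD,
                      policy_digest, data_size)
    public.validate()
    return {"auth": auth_value, "publicInfo": public}


def start_session_inputs(policy_alg: int, trial: bool = False) -> dict:
    """TPM2_StartAuthSession inputs for an unbound, unsalted policy session."""
    if policy_alg not in HASH_FOR_ALG:
        raise ValueError("unsupported authHash")
    return {"tpmKey": TPM_RH_NULL, "bind": TPM_RH_NULL,
            "sessionType": TPM_SE_TRIAL if trial else TPM_SE_POLICY,
            "authHash": policy_alg}


def session_matches_index(session: dict, public: NvPublic) -> bool:
    """A real (non-trial) policy session whose authHash equals the index's
    nameAlg, i.e. the algorithm that produced its authPolicy."""
    return (session["sessionType"] == TPM_SE_POLICY
            and session["authHash"] == public.name_alg)


if __name__ == "__main__":
    # Constructed placeholder; a real policyDigest comes from the trial session.
    digest_ps = hashlib.sha256(b"placeholder policy digest").digest()
    inputs = define_space_inputs(b"nv-auth-placeholder", digest_ps)
    session = start_session_inputs(TPM_ALG_SHA256)
    print("nvPublic:", inputs["publicInfo"].marshal().hex())
    print("Name:    ", inputs["publicInfo"].name().hex())
    print("session matches index:", session_matches_index(session, inputs["publicInfo"]))
```

The two validation points are the ones that bite in practice: a policyDigest computed with a hash other than the index's nameAlg defines an index that no session can ever satisfy, and a session started with TPM_SE_TRIAL or a different authHash will be rejected even though its policyDigest is correct.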