
Compound Policies: Using Logical OR in a Policy

The TPM2_PolicyOR command completes the logical constructions that can be done with policies and makes it possible to create useful policies that will do anything logically feasible. It lets you join more than one policy in multiple branches, any of which can be taken in satisfying a compound policy, as shown in Figure 14-5.

Although TPM2_PolicyOR commands can be used in more complicated settings, it's easiest to create individual policies for specific means of authorizing use of an entity and then use TPM2_PolicyOR to create a compound policy. Usually this is done by creating simple policies by ANDing assertions together to represent either a person or a role, and then ORing the simple policies together.

Suppose the following things happen:

1. Dave authorizes himself using a policy created by a fingerprint together with a password when at one machine.

2. Dave authorizes himself using a password and smart card.

3. Sally uses her smart card and an iris scanner to authorize herself.

4. The IT administrator can only use his authorization to duplicate a key and must use a smart card when the system is in a state defined by PCR0-5 having specific values.

This can be represented pictorially using circuit diagrams as follows.

Figure 14-5. A Compound Policy as a Circuit Diagram

The easy way to create this compound policy is to start by creating four individual branch policies corresponding in the picture to Dave1, Dave2, Sally, and IT.

The first policy (Dave1) defines that Dave must authenticate himself with an external device (a fingerprint reader) and have it testify that Dave has authenticated himself. Dave must then present a password to the TPM. As you have seen, this is as simple as doing the following:

1. Start a trial session.

2. Use TPM2_PolicySigned (with the fingerprint reader's public key and appropriate policyRef).

3. Use TPM2_PolicyAuthValue.

4. Get the value of the policy from the TPM. Call this policyDave1.

5. End the session.

The second policy (Dave2) has Dave present a password to the TPM and then use his smart card to sign a nonce from the TPM to prove he is the authorized owner of the smart card:

1. Start a trial session.

2. Use TPM2_PolicyAuthValue.

3. Use TPM2_PolicySigned (with the smart card's public key).

4. Get the value of the policy from the TPM. Call this policyDave2.

5. End the session.

The third policy states that Sally must first use her smart card to sign a nonce from the TPM to prove she is the authorized owner of her smart card and then authorize herself to an external device, an iris scanner, and have the external device testify to the TPM that Sally has authenticated herself:

1. Start a trial session.

2. Use TPM2_PolicySigned (with the smart card's public key).

3. Use TPM2_PolicySigned (with the iris scanner's public key and appropriate policyRef).

4. Get the value of the policy from the TPM. Call this policySally.

5. End the session.

Finally, the IT administrator's policy requires the administrator to use his smart card to sign a nonce produced by the TPM and then also check that PCRs 0–5 are in the expected state. Furthermore, the IT administrator can only use this authorization to duplicate the key:

1. Start a trial session.

2. Use TPM2_PolicySigned (with the smart card's public key).

3. Use TPM2_PolicyPCR (with PCRs selected and their required digest).

4. Use TPM2_PolicyCommandCode with TPM_CC_Duplicate.

5. Get the value of the policy from the TPM. Call this policyIT.

6. End the session.
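To make the trial-session steps concrete, here is an added example (not code from the book) that computes the same four branch digests in software and then ORs them, using the policyDigest update rules of the TPM 2.0 Library specification for a SHA-256 session. The key Names, policyRef values and expected PCR values are constructed placeholders; in practice they come from the real fingerprint reader, smart card and iris scanner keys and from the actual PCR bank.

```python
import hashlib, struct

# TPM 2.0 command codes (TPM_CC_*) used by the four branches and the final OR
TPM_CC_PolicySigned, TPM_CC_PolicyAuthValue = 0x00000160, 0x0000016B
TPM_CC_PolicyCommandCode, TPM_CC_PolicyOR = 0x0000016C, 0x00000171
TPM_CC_PolicyPCR, TPM_CC_Duplicate = 0x0000017F, 0x0000014B
TPM_ALG_SHA256 = 0x000B
H = hashlib.sha256
ZERO = bytes(H().digest_size)  # a fresh (trial) session starts with an all-zero policyDigest

def u32(v): return struct.pack(">I", v)

def extend(policy, *parts):
    """policyDigest_new = H(policyDigest_old || parts...)"""
    return H(policy + b"".join(parts)).digest()

def policy_signed(policy, signer_name, policy_ref=b""):
    """TPM2_PolicySigned extends twice: with the signing key's Name, then with policyRef."""
    return extend(extend(policy, u32(TPM_CC_PolicySigned), signer_name), policy_ref)

def policy_auth_value(policy): return extend(policy, u32(TPM_CC_PolicyAuthValue))
def policy_command_code(policy, code): return extend(policy, u32(TPM_CC_PolicyCommandCode), u32(code))

def policy_pcr(policy, indices, values):
    """TPM2_PolicyPCR: extend with the marshaled TPML_PCR_SELECTION and the pcrDigest."""
    select = bytearray(3)
    for i in indices:
        select[i // 8] |= 1 << (i % 8)
    pcrs = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)  # count=1, one SHA-256 bank
    pcr_digest = H(b"".join(values[i] for i in sorted(indices))).digest()  # ascending PCR index
    return extend(policy, u32(TPM_CC_PolicyPCR), pcrs, pcr_digest)

def policy_or(branches):
    """TPM2_PolicyOR: the digest is reset to zeros, then extended with every branch digest."""
    return extend(ZERO, u32(TPM_CC_PolicyOR), *branches)

# Constructed stand-in for a key's TPM Name (nameAlg || H(public area)); not a real key
def name_of(label): return struct.pack(">H", TPM_ALG_SHA256) + H(label).digest()

def compound_policy():
    """Compute policyDave1, policyDave2, policySally and policyIT, then OR them together."""
    fp, iris, dave_card, sally_card, it_card = map(name_of, (b"fingerprint-reader", b"iris-scanner", b"dave-card", b"sally-card", b"it-card"))
    expected_pcrs = {i: H(b"constructed-pcr-%d" % i).digest() for i in range(6)}  # sample PCR0-5 values
    dave1 = policy_auth_value(policy_signed(ZERO, fp, b"dave"))        # fingerprint signed, then password
    dave2 = policy_signed(policy_auth_value(ZERO), dave_card)          # password, then smart card signed
    sally = policy_signed(policy_signed(ZERO, sally_card), iris, b"sally")
    it = policy_command_code(policy_pcr(policy_signed(ZERO, it_card), range(6), expected_pcrs), TPM_CC_Duplicate)
    branches = [dave1, dave2, sally, it]
    return branches, policy_or(branches)
```

Note that the order of assertions within a branch and the order of branches in the OR are both part of the digest, so the real sessions must replay the commands in exactly the sequence used during the trial.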
