A Practical Guide to TPM 2.0

Making a Compound Policy

Each of these policies, by itself, could be assigned to a TPM entity such as a key. Suppose instead that you want any one of them to be sufficient to authorize use of the key. You do this with the TPM2_PolicyOR command:

1. Start a trial session.

2. Use TPM2_PolicyOR, giving it the list of policies to be allowed:

policyDave1, policyDave2, policySally, and policyIT.

3. Get the value of the policy from the TPM (TPM2_PolicyGetDigest). Call this policyOR.

4. End the session.

Because a policy value is nothing more than a hash of the commands that went into it, a policy computed this way on one TPM is valid on any other TPM that supports the same hash algorithm. When the policy is later used in a real (non-trial) session, the session's policy digest must already equal one of the digests in the list at the moment TPM2_PolicyOR is executed: the caller satisfies one branch first and then issues TPM2_PolicyOR with the complete list, and the TPM replaces the session digest with the OR value. One restriction on TPM2_PolicyOR is that it can OR together at most eight policies, because its digest list holds at most eight entries. However, just as in electronic circuit design, PolicyORs can be compounded to create the equivalent of an unlimited number of ORs. For example, if X is the result of 8 policies ORed together with TPM2_PolicyOR, and Y is the result of a different 8 policies ORed together with TPM2_PolicyOR, you can apply TPM2_PolicyOR to X and Y to create the equivalent of a PolicyOR of 16 different policies. In a real session the caller must then walk the same tree: satisfy one of the 16 leaf policies, issue the TPM2_PolicyOR for that leaf's group of 8, and finally the TPM2_PolicyOR of X and Y.

Example: A Policy for Work or Home Computers

John has a home PC with a fingerprint reader and a work PC with a smart-card reader. He wants to authorize reading his cloud-based encrypted data from either computer. He does this by locking a key to a policy that is satisfied either by a signature from the fingerprint reader on his home computer or by a signature from his smart card, read through the smart-card reader on his work PC.

He first creates a policy for his home computer. He gets the public key of the fingerprint reader and sets the reader up to sign "John's fingerprint" when he swipes his finger on it:

1. Start a trial session.

2. Use TPM2_LoadExternal to load the fingerprint reader's public key into the home computer's TPM.

3. Use TPM2_PolicySigned (with the fingerprint reader's public key and appropriate policyRef).

4. Get the value of the policy from the TPM. Call this HomeFingerprintPolicy.

5. End the session.

John now goes to his work computer:

1. Start a trial session.

2. Use TPM2_LoadExternal to load the smart card's public key into the work computer's TPM.

3. Use TPM2_PolicySigned (with the smart card's public key and NULL policyRef).

4. Get the value of the policy from the TPM. Call this policy WorkSmartcardPolicy.

5. End the session.

Now John can create the combined policy, which can be satisfied on either computer:

1. Start a trial session.

2. Use TPM2_PolicyOR with both HomeFingerprintPolicy and WorkSmartcardPolicy listed.

3. Get the value of the policy from the TPM. Call this policy WorkOrHomePolicy.

4. End the session.

This is the policy John uses when creating a key that he will use to identify himself to the cloud. He duplicates this key to his other computer, and then he can securely use the same key on either computer. For that to be possible, the key must be created duplicable (fixedTPM and fixedParent CLEAR), and because TPM2_Duplicate is itself authorized by a policy session, the key's policy needs a branch that permits duplication (for example TPM2_PolicyCommandCode with TPM_CC_Duplicate) alongside the two branches that permit its use.
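The digest arithmetic behind both the compound-policy discussion above and John's home-or-work example, as an added Python example that is not from the book: it reproduces what a SHA-256 policy session computes for TPM2_PolicySigned (extend with the command code, the signing key's Name and policyRef) and TPM2_PolicyOR (reset to a zero digest, then extend with the command code and the concatenated branch digests), checks the real-session rule that one branch must already be satisfied, and builds a tree of PolicyORs for more than eight branches. The two public areas used to derive Names are constructed placeholders, not real marshaled TPMT_PUBLIC structures, and no TPM is involved; the command codes and algorithm identifier are the values from the TPM 2.0 specification.

```python
"""Policy-digest arithmetic behind TPM2_PolicySigned and TPM2_PolicyOR (SHA-256 session)."""
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B           # TPM_ALG_ID for SHA-256
TPM_CC_PolicySigned = 0x00000160  # command codes from TPM 2.0 Part 2
TPM_CC_PolicyOR = 0x00000171
DIGEST_LEN = 32                   # policy digest length for a SHA-256 session
MAX_OR_BRANCHES = 8               # a TPML_DIGEST carries at most eight digests
ZERO_DIGEST = bytes(DIGEST_LEN)   # policyDigest of a freshly started session


def key_name(public_area: bytes) -> bytes:
    """Name of a loaded key: nameAlg || H_nameAlg(marshaled TPMT_PUBLIC).
    Callers below pass constructed placeholder bytes, not real public areas."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()


def policy_signed(policy_digest: bytes, name: bytes, policy_ref: bytes = b"") -> bytes:
    """TPM2_PolicySigned: new = H(old || TPM_CC_PolicySigned || Name || policyRef).
    A trial session performs exactly this update without checking a signature;
    a real session first verifies a signature from the key named by `name`."""
    return hashlib.sha256(
        policy_digest + struct.pack(">I", TPM_CC_PolicySigned) + name + policy_ref
    ).digest()


def policy_or(branches: list) -> bytes:
    """TPM2_PolicyOR: reset the session digest to zero, then extend it with the
    command code and the concatenation of every listed branch digest (in order)."""
    if not 1 <= len(branches) <= MAX_OR_BRANCHES:
        raise ValueError("TPM2_PolicyOR accepts between 1 and 8 digests")
    h = hashlib.sha256(ZERO_DIGEST + struct.pack(">I", TPM_CC_PolicyOR))
    for digest in branches:
        h.update(digest)
    return h.digest()


def policy_or_in_real_session(current_digest: bytes, branches: list) -> bytes:
    """The extra check a non-trial session makes: the session digest must already
    equal one of the branches, i.e. that branch was satisfied before the OR."""
    if current_digest not in branches:
        raise PermissionError("session policyDigest matches no branch of the OR")
    return policy_or(branches)


def compound_or(branches: list) -> bytes:
    """OR together any number of branches as a tree of PolicyORs with at most
    eight children per node. A real session must walk the same path: satisfy
    a leaf, apply its group's TPM2_PolicyOR, then the OR of the level above."""
    if len(branches) <= MAX_OR_BRANCHES:
        return policy_or(branches)
    groups = [policy_or(branches[i:i + MAX_OR_BRANCHES])
              for i in range(0, len(branches), MAX_OR_BRANCHES)]
    return compound_or(groups)


def johns_policies() -> tuple:
    """Recompute HomeFingerprintPolicy, WorkSmartcardPolicy and WorkOrHomePolicy.
    Both public areas are constructed placeholders for this example."""
    fingerprint_reader = key_name(b"constructed placeholder: fingerprint reader public area")
    smart_card = key_name(b"constructed placeholder: smart card public area")
    home = policy_signed(ZERO_DIGEST, fingerprint_reader, policy_ref=b"John's fingerprint")
    work = policy_signed(ZERO_DIGEST, smart_card)  # NULL (empty) policyRef
    return home, work, policy_or([home, work])


if __name__ == "__main__":
    home, work, combined = johns_policies()
    print("HomeFingerprintPolicy:", home.hex())
    print("WorkSmartcardPolicy:  ", work.hex())
    print("WorkOrHomePolicy:     ", combined.hex())
    # Either satisfied branch leads to the same final digest; an unsatisfied
    # session is refused, which is what locks the key to the two signers.
    assert policy_or_in_real_session(home, [home, work]) == combined
    assert policy_or_in_real_session(work, [home, work]) == combined
```

Two details worth noticing: the branch list is hashed in order, so the same branches listed in a different order produce a different policy, and every party that later satisfies the policy must pass the list in the original order; and because nothing in the computation depends on TPM state, the value computed here matches what TPM2_PolicyGetDigest returns from a trial session on any TPM using SHA-256.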
