If the Policy Is Compound
If a policy is compound—that is, it's a logical OR of several branches—the user knows which branch they're going to try to satisfy. Once the user picks the branch, they satisfy that branch and then execute a TPM2_PolicyOR command with the TPM, which transforms the satisfied branch into the final policy, ready for execution. See Figure 14-6.
Figure 14-6. An example of using an OR policy
This figure shows that there are four different ways to satisfy this policy. You can satisfy it with the first branch, Dave1, by using a fingerprint reader and a password:
1. Start a policy session.
2. Satisfy the Dave1 branch of the policy:
a. Satisfy the fingerprint assertion using TPM2_PolicySigned.
b. Satisfy the password assertion using TPM2_PolicyPassword.
3. This sets a flag in the session, telling it that a password must be sent in when the final command is executed.
4. Transform the TPM's session policy buffer to the final session value using TPM2_PolicyOR.
5. Execute the command, including both the policy session and another session that satisfies the flag, by passing in the password (which can be done using the password [PWAP] permanent session).
Note: The policy session can be told to automatically close after this command is completed. Failing that, you can close the session manually.
In order to satisfy the first assertion in the policy, you have to get the fingerprint reader to attest to the TPM that Dave's fingerprint has been matched by the reader with the public key aPub. To do this, you need to pass the fingerprint reader a message to sign, which is calculated in part from nonceTPM, which the TPM returned when you created the policy. This value is sent to the fingerprint reader. Then Dave swipes his finger along the fingerprint reader, and when the fingerprint reader matches his fingerprint, it signs
aHash = SHA256(nonceTPM || expiration=0 || cpHashA=NULL || stateOfRemoteDevice)
using its private key aPrivate. Note here that the PolicyRef is the state of the remote device. In particular, the fingerprint reader needs to sign the fact that Dave has just swiped one of his fingerprints on the device and it has matched the template the device stored. The result is called fingerprint_Signature.
Next you have to load the fingerprint reader's public key into the TPM. Recall that this public key's handle is aPub.
Finally, the TPM is sent proof that the fingerprint reader successfully identified Dave using the command TPM2_PolicySigned, passing in aPub and fingerprint_Signature.
Next you execute the PolicyAuthValue command, which promises that when you eventually ask the TPM to perform a command with an object, that user will present evidence that they know the password associated with the object. This is done by executing TPM2_PolicyAuthValue.
Now that you've satisfied one of the branches of the policy, you can execute TPM2_PolicyOR to change the internal buffer of the session to equal the compound policy by passing it a list of the ORed policies.
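The digest arithmetic behind this sequence, as an added example that is not from the book or any TPM stack: it computes the aHash the reader signs, walks the Dave1 branch (PolicySigned then PolicyAuthValue) from an all-zeros session digest, and folds the branch list with PolicyOR. Command codes are the TPM_CC values from TPM 2.0 Library Specification Part 2; the key Name, the other three branch digests and the nonce are constructed sample values.

```python
import hashlib

# TPM_CC command codes from the TPM 2.0 spec, Part 2.
TPM_CC_PolicySigned = 0x00000160
TPM_CC_PolicyAuthValue = 0x0000016B
TPM_CC_PolicyOR = 0x00000171
TPM_ALG_SHA256 = 0x000B
DIGEST_LEN = 32  # policy hash is SHA-256 here

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def a_hash(nonce_tpm: bytes, expiration: int, cp_hash_a: bytes, policy_ref: bytes) -> bytes:
    """Message the fingerprint reader signs; expiration is a big-endian INT32,
    cpHashA=NULL is an empty buffer, policyRef carries the reader's state."""
    return sha256(nonce_tpm, expiration.to_bytes(4, "big", signed=True), cp_hash_a, policy_ref)

def policy_update(digest: bytes, cc: int, name: bytes, policy_ref: bytes) -> bytes:
    """Spec PolicyUpdate(): extend with command code and Name, then extend
    again with policyRef (the second step happens even for an empty ref)."""
    return sha256(sha256(digest, cc.to_bytes(4, "big"), name), policy_ref)

def policy_signed(digest: bytes, key_name: bytes, policy_ref: bytes) -> bytes:
    return policy_update(digest, TPM_CC_PolicySigned, key_name, policy_ref)

def policy_auth_value(digest: bytes) -> bytes:
    return sha256(digest, TPM_CC_PolicyAuthValue.to_bytes(4, "big"))

def policy_or(session_digest: bytes, branches: list) -> bytes:
    """PolicyOR: the TPM first checks that the session digest equals one listed
    branch, then resets the digest to zeros and extends with all branches in order."""
    if session_digest not in branches:
        raise ValueError("session digest matches no branch (TPM would reject)")
    return sha256(bytes(DIGEST_LEN), TPM_CC_PolicyOR.to_bytes(4, "big"), *branches)

def dave1_branch(a_pub_name: bytes, reader_state: bytes) -> bytes:
    """Branch Dave1: fingerprint assertion followed by the password assertion."""
    return policy_auth_value(policy_signed(bytes(DIGEST_LEN), a_pub_name, reader_state))

# Constructed sample inputs (not real TPM values).
A_PUB_NAME = TPM_ALG_SHA256.to_bytes(2, "big") + sha256(b"sample fingerprint reader key")
READER_STATE = b"fingerprint matched stored template"
OTHER_BRANCHES = [sha256(b"Dave2"), sha256(b"Admin"), sha256(b"Recovery")]

def compound_policy(a_pub_name: bytes = A_PUB_NAME, reader_state: bytes = READER_STATE) -> bytes:
    """Policy creation: the OR over Dave1 plus the three other branches."""
    return policy_or(dave1_branch(a_pub_name, reader_state), [dave1_branch(a_pub_name, reader_state)] + OTHER_BRANCHES)
```

The branch list passed to TPM2_PolicyOR must be in the same order as when the policy digest was created, because the concatenation is hashed as-is.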