From: Desai, Imran <imran.desai at intel.com>
To: tpm2@lists.01.org
Subject: Re: [tpm2] [RFC] Session Handling/Policy Support in Tools
Date: Wed, 20 Dec 2017 08:18:04 +0000
Message-ID: <9CB84C32-2275-4402-B3C4-25398184F61F@intel.com>
In-Reply-To: 476DC76E7D1DF2438D32BFADF679FC563FE6D774@ORSMSX101.amr.corp.intel.com


Hello Bill,

This (attached diagram) is what my thought process was when designing the createpolicy tool.
I concur that startauthsession and flushcontext, currently clubbed together in the createpolicy tool, can be separate tools.

[inline image attachment: PastedGraphic-1.png]

Thanks and Regards,

Imran Desai | imran.desai@intel.com

On Dec 19, 2017, at 11:01 AM, Roberts, William C <william.c.roberts@intel.com> wrote:

There are two main parts to the direction I see the tools policy/session support heading:

1. The first is cleaning up all the code around session support and policy building.  I think now that I understand the topic better, I can organize this code a little better. This is rather trivial and beside the main point.

2. Since abrmd 1.3 we have support for sessions across RM IPC connections, and direct TPM communication (/dev/tpm0) also has the same support. We have tools like tpm2_createpolicy that are made up of multiple commands to work around session flushing on IPC RM disconnections. tpm2_createpolicy is really comprised of 3 commands: tpm2_startauthsession, tpm2_policypcr and tpm2_flushcontext.

I'm proposing we leave tpm2_createpolicy for in-kernel-RM users, but add tpm2_startauthsession and tpm2_policypcr for the abrmd and direct TPM usages. Abrmd works by using Tss2_Sys_ContextSave as the marker of NOT flushing a session handle. Granted, you also need the sessionAttributes set to continue so the TPM doesn't kill it.

I think the flow for using the new tools would be something like this:

1. tpm2_createpolicy - create a pcr policy and spit out the policy digest
2. tpm2_create - create an object and set its policy digest as obtained in step 1
3. tpm2_startauthsession - create a pcr policy and spit out the session handle
4. tpm2_policypcr - satisfy policy via policy digest and pcr list obtained/used in step 1 as well as taking the session handle from step 3
5. tpm2_<tool> - use some tool passing the session handle from step 3
6. tpm2_flushcontext - flushes the handle from step 3

With that said, since tpm2_createpolicy is really a combination of tpm2_startauthsession, tpm2_pcrlist, tpm2_policypcr and tpm2_flushcontext, all of that could be moved into lib, so each new tool and createpolicy are really just calling into the same code.

Thoughts, am I missing something here?

This is a lot of work, so I would like to start it now, as it would be the major feature set going towards 4.0 release.

Bill
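
The six-step flow Bill lists above, as an added example that is not part of this thread or of tpm2-tools itself. It is a POSIX shell script written against the command syntax of the tpm2-tools 4.x releases that later shipped the proposed tpm2_startauthsession, tpm2_policypcr and tpm2_flushcontext tools; those flags, the tpm2_createprimary and tpm2_load prerequisite steps, the PCR selection, and the choice of tpm2_sign as the "tpm2_<tool>" of step 5 are assumptions, not anything the message states. Setting TPM2_DRY_RUN=1 prints the commands without touching a TPM. The design point worth noticing is that steps 4 and 5 are allowed to fail without skipping step 6: the session handle from step 3 occupies one of the TPM's few session slots until it is flushed, so a script that aborts between startauthsession and flushcontext leaks it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): the six-step policy-session
# flow, using tpm2-tools 4.x command syntax (assumed). Set TPM2_DRY_RUN=1 to
# print the commands instead of executing them.
set -e

# PCR selection the policy binds to (a constructed choice for the example).
PCR_LIST="${PCR_LIST:-sha256:0,1,2}"

# Print a command line, then execute it unless TPM2_DRY_RUN is set.
run() {
    printf '%s\n' "$*"
    if [ -z "${TPM2_DRY_RUN:-}" ]; then
        "$@"
    fi
}

policy_flow() {
    work="${TPM2_WORK:-$(mktemp -d)}"
    if [ -z "${TPM2_DRY_RUN:-}" ] && ! command -v tpm2_startauthsession >/dev/null 2>&1; then
        echo "tpm2-tools with tpm2_startauthsession not found" >&2
        return 2
    fi

    # Prerequisite (not in the list): a primary key under the owner hierarchy
    # to act as parent for the object created in step 2.
    run tpm2_createprimary -C o -c "$work/primary.ctx"

    # Step 1: tpm2_createpolicy drives a trial session internally and emits
    # only the resulting policy digest.
    run tpm2_createpolicy --policy-pcr -l "$PCR_LIST" -L "$work/policy.digest"

    # Step 2: create the object with that digest as its authPolicy. Leaving
    # userwithauth out of the attributes means the (empty) password cannot be
    # used instead of the policy, so the PCR state is actually enforced.
    run tpm2_create -C "$work/primary.ctx" -L "$work/policy.digest" \
        -a "fixedtpm|fixedparent|sensitivedataorigin|sign|decrypt" \
        -u "$work/key.pub" -r "$work/key.priv"
    run tpm2_load -C "$work/primary.ctx" -u "$work/key.pub" -r "$work/key.priv" \
        -c "$work/key.ctx"

    # Step 3: a real (non-trial) policy session. Its handle is saved to
    # session.ctx via ContextSave, which is the marker abrmd uses to keep the
    # session alive across tool invocations.
    run tpm2_startauthsession --policy-session -S "$work/session.ctx"

    # Steps 4 and 5 may legitimately fail (for example, the PCRs no longer
    # match the digest from step 1). Record the status but fall through to
    # step 6 so the session slot is always released.
    status=0
    run tpm2_policypcr -S "$work/session.ctx" -l "$PCR_LIST" || status=$?
    if [ "$status" -eq 0 ]; then
        printf 'policy test' > "$work/msg.txt"
        run tpm2_sign -c "$work/key.ctx" -p "session:$work/session.ctx" \
            -o "$work/msg.sig" "$work/msg.txt" || status=$?
    fi

    # Step 6: flush the session handle from step 3 regardless of the outcome.
    run tpm2_flushcontext "$work/session.ctx"
    return "$status"
}

# Run the flow only when this file is executed directly as policy_flow.sh;
# when sourced, the caller invokes policy_flow itself.
case "$0" in
    *policy_flow.sh) policy_flow ;;
esac
```

Save it as policy_flow.sh and run `TPM2_DRY_RUN=1 sh policy_flow.sh` to see the eight command lines it would issue, or run it against a TPM simulator with abrmd in front to exercise the real session lifecycle. Under the in-kernel resource manager this sequence does not work as separate tools, which is exactly the case Bill keeps tpm2_createpolicy around for.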