% tpm2_policyor(1) tpm2-tools | General Commands Manual

NAME

tpm2_policyor(1) - logically OR's two policies together.

SYNOPSIS

tpm2_policyor [OPTIONS]

DESCRIPTION

tpm2_policyor(1) - Generates a policy_or event with the TPM. It expects a session to be already established via tpm2_startauthsession(1). If the input session is a trial session this tool generates a policy digest that compounds two or more input policy digests such that the resulting policy digest requires at least one of the policy events being true. If the input session is real policy session tpm2_policyor(1) authenticates the object successfully if at least one of the policy events are true.

OPTIONS

  • -L, --policy=FILE:

    File to save the compounded policy digest.

  • -S, --session=FILE:

    The policy session file generated via the -S option to tpm2_startauthsession(1).

  • ARGUMENT the command line argument specifies the list of files for the policy digests that has to be compounded resulting in individual policies being added to final policy digest that can authenticate the object. The list begins with the policy digest hash alg. Example sha256:policy1,policy2

  • -l, --policy-list=POLICY_FILE_LIST:

    This option is retained for backwards compatibility. Use the argument method instead.

References

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.

EXAMPLES

Create an authorization policy for a sealing object that compounds a pcr policy and a policypassword in an OR fashion and show satisfying either policies could unseal the secret.

Create policypcr as first truth value for compounding the policies

tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -L policy.pcr -l sha256:0,1,2,3
tpm2_flushcontext session.ctx

Create policypassword as second truth value for compounding the policies

tpm2_startauthsession -S session.ctx
tpm2_policypassword -S session.ctx -L policy.pass
tpm2_flushcontext session.ctx

Compound the two policies in an OR fashion with tpm2_policyor command

tpm2_startauthsession -S session.ctx
tpm2_policyor -S session.ctx -L policy.or sha256:policy.pass,policy.pcr
tpm2_flushcontext session.ctx

Create a sealing object and attach the auth policy from tpm2_policyor command

tpm2_createprimary -c prim.ctx -Q
echo "secret" | tpm2_create -C prim.ctx -c key.ctx -u key.pub -r key.priv \
-L policy.or -i-

Satisfy auth policy using password and unseal the secret

tpm2_startauthsession -S session.ctx --policy-session
tpm2_policypassword -S session.ctx
tpm2_policyor -S session.ctx sha256:policy.pass,policy.pcr
tpm2_unseal -c key.ctx -p session:session.ctx
tpm2_flushcontext session.ctx

Satisfy auth policy using pcr and unseal the secret

tpm2_startauthsession -S session.ctx --policy-session
tpm2_policypcr -S session.ctx -l sha256:0,1,2,3
tpm2_policyor -S session.ctx sha256:policy.pass,policy.pcr
tpm2_unseal -c key.ctx -p session:session.ctx
tpm2_flushcontext session.ctx

returns

limitations

footer