Beispiel #1
0
        /// <summary>
        /// This sample demonstrates how policies can be created in a standard
        /// form and then shared between hosts.
        /// </summary>
        static void PolicySerialization()
        {
            Console.WriteLine("Policy serialization and de-serialization sample:");

            //
            // Create a policy session with two branches
            //
            var policy0 = new PolicyTree(TpmAlgId.Sha256);

            policy0.CreateNormalizedPolicy(new[] {
                new PolicyAce[]
                {
                    new TpmPolicyPassword(),
                    //
                    // We can use an unsupported command when only serializing
                    // and deserializing. Execution of the policy might fail.
                    //
                    new TpmPolicyLocality(LocalityAttr.TpmLocZero),
                    new TpmPolicyChainId("branch_1")
                },
                new PolicyAce[]
                {
                    new TpmPolicyPassword(),
                    new TpmPolicyCommand(TpmCc.ChangeEPS),
                    "branch_2"
                }
            });

            //
            // And save it to disk as XML
            //
            const string fileName = "PolicySerialization.xml";

            policy0.SerializeToFile("Test Policy", PolicySerializationFormat.Xml, fileName);

            //
            // Now recover it into a new session
            //
            var policy1 = new PolicyTree(TpmAlgId.Sha256);

            policy1.DeserializeFromFile(PolicySerializationFormat.Xml, fileName);

            //
            // And check that the two policies are the same
            //
            if (policy0.GetPolicyDigest() != policy1.GetPolicyDigest())
            {
                throw new Exception("Policy library error");
            }

            Console.WriteLine("Serialized policy to {0}.", fileName);

            //
            // And now do the same, but serialized to JSON
            //
            const string fileNameJ = "PolicySerialization.json";

            policy0.SerializeToFile("Test Policy", PolicySerializationFormat.Json, fileNameJ);

            //
            // Now recover it into a new session
            //
            var policy1J = new PolicyTree(TpmAlgId.Sha256);

            policy1J.DeserializeFromFile(PolicySerializationFormat.Json, fileNameJ);

            //
            // And check that the two policies are the same
            //
            if (policy0.GetPolicyDigest() != policy1J.GetPolicyDigest())
            {
                throw new Exception("Policy library error");
            }

            Console.WriteLine("Serialized policy to {0}.", fileNameJ);
        }
Beispiel #2
0
        /// <summary>
        /// This sample illustrates the use of a TpmPolicyOr.
        /// </summary>
        static void PolicyOr(Tpm2 tpm)
        {
            Console.WriteLine("PolicyOr sample:");

            //
            // Check if policy commands are implemented by TPM. This list
            // could include all the other used commands as well.
            // This check here makes sense for policy commands, because
            // usually a policy has to be executed in full. If a command
            // out of the chain of policy commands is not implemented in the
            // TPM, the policy cannot be satisfied.
            //
            var usedCommands = new[] {
                TpmCc.PolicyPCR,
                TpmCc.PolicyAuthValue
            };

            foreach (var commandCode in usedCommands)
            {
                if (!tpm.Helpers.IsImplemented(commandCode))
                {
                    Console.WriteLine("Cancel Policy OR sample, because command {0} is not implemented by TPM.", commandCode);
                    return;
                }
            }

            var pcrs = new uint[] { 1, 2, 3 };
            var sel  = new PcrSelection(TpmAlgId.Sha, pcrs);

            PcrSelection[] selOut;
            Tpm2bDigest[]  pcrValues;

            //
            // First read the PCR values
            //
            tpm.PcrRead(new[] { sel }, out selOut, out pcrValues);

            //
            // Save the current PCR values in a convenient data structure
            //
            var expectedPcrVals = new PcrValueCollection(selOut, pcrValues);

            //
            // Tpm2Lib encapsulates a set of policy assertions as the PolicyTree class.
            //
            var policy = new PolicyTree(TpmAlgId.Sha256);

            //
            // First branch of PolicyOr
            //
            var branch1 = new PolicyAce[]
            {
                new TpmPolicyPcr(expectedPcrVals),
                "branch_1"
            };

            //
            // Second branch of PolicyOr
            //
            var branch2 = new PolicyAce[]
            {
                new TpmPolicyAuthValue(),
                "branch_2"
            };

            //
            // Create the policy. CreateNormalizedPolicy takes an array-of-arrays
            // of PolicyACEs that are to be OR'ed together (the branches themselves cannot
            // contain TpmPOlicyOrs). The library code constructs a policy tree with
            // minimum number of TpmPolicyOrs at the root.
            //
            policy.CreateNormalizedPolicy(new[] { branch1, branch2 });

            //
            // Ask Tpm2Lib for the expected policy-hash for this policy
            //
            TpmHash expectedPolicyHash = policy.GetPolicyDigest();

            //
            // Create a sealed primary object with the policy-hash we just calculated
            //
            var       dataToSeal = new byte[] { 1, 2, 3, 4, 5, 4, 3, 2, 1 };
            var       authVal    = new byte[] { 1, 2 };
            TpmHandle primHandle = CreateSealedPrimaryObject(tpm,
                                                             dataToSeal,
                                                             authVal,
                                                             expectedPolicyHash.HashData);
            //
            // Create an actual TPM policy session to evaluate the policy
            //
            AuthSession session = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);

            //
            // Run the policy on the TPM
            //
            session.RunPolicy(tpm, policy, "branch_1");

            //
            // And unseal the object
            //
            byte[] unsealedData = tpm[session].Unseal(primHandle);
            Console.WriteLine("Unsealed data for branch_1: " + BitConverter.ToString(unsealedData));

            //
            // Now run the other branch
            //
            tpm.PolicyRestart(session.Handle);
            session.RunPolicy(tpm, policy, "branch_2");

            //
            // And the session will be unusable
            //
            unsealedData = tpm[session].Unseal(primHandle);
            Console.WriteLine("Unsealed data for branch_2: " + BitConverter.ToString(unsealedData));

            //
            // Clean up
            //
            tpm.FlushContext(session.Handle);
            tpm.FlushContext(primHandle);
        }