policy: Support TPMLess commands

[williamcroberts]

For now this works with policysecret, owner hiearchy and NULL auth.
It's hardcoded to ignore the TPM.

tpm2 policysecret -S session.ctx -c o
0d84f55daf6e43ac97966e62c9bb989d3397777d25c5f749868055d65394f952

TODO:
For each policy command:

• Support --tcti=none
• When --tcti is none, require:
  --name/-n
  -L/--policy for old value
  -- Require hash algorithm.
  • Don't output a TICKET, since we can't?

Todo, consider creating a session.ctx structure that can be passed
from startauthsession with --tcti=none? This was we can encapsulate
the state instead of requiring -L and hash algorithm?

Signed-off-by: William Roberts william.c.roberts@intel.com

[idesai]

@williamcroberts are we intending for these new modules to be called from individual policy tools or be part of the tpm2_createpolicy tool?

[idesai]

@williamcroberts calculating cphash when rphash isn't required could also use a similar approach. In that case though, cphash alg has to specified using the provision halg:/path/to/cphash.dat

[williamcroberts]

For this, I think we could to something like:

tpm2 startauthsession --tcti=none --trial-session-no-tpm -S session.ctx
# this will propagate a new session.ctx format that can store halg and current policy hash
# do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?

# Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
tpm2 policytoolX --tcti=none -S session.ctx

# flush will just ignore these contexts or error?

Thoughts here?

[idesai]

For this, I think we could to something like:

tpm2 startauthsession --tcti=none --trial-session-no-tpm -S session.ctx
# this will propagate a new session.ctx format that can store halg and current policy hash
# do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?

# Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
tpm2 policytoolX --tcti=none -S session.ctx

# flush will just ignore these contexts or error?

Thoughts here?

How about this approach:

1. Specify the policy halg with the file-path for policy using something like -L halg:/path/to/policyfile
2. Mandate this way of specifying the policy file path if tcti=none is specified
3. If the policyfile has non-zero content we extend the data in the policyfile with the one created by the policy tool consuming the inputs above.
4. Like cpHash, we don't actually execute the policy command and exit out writing out the policyfile.

[nicowilliams]

For this, I think we could to something like:

tpm2 startauthsession --tcti=none --trial-session-no-tpm -S session.ctx
# this will propagate a new session.ctx format that can store halg and current policy hash
# do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?

# Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
tpm2 policytoolX --tcti=none -S session.ctx

# flush will just ignore these contexts or error?

Thoughts here?

Yes:

do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?

No, I think that's implied. Even if TPM2TOOLS_TCTI is set in the environment to something other than none. Alternatively, --tcti=none implies a trial, software session, and it's already used in tpm2 duplicate and tpm2 makecredential to signify "do a software-only operation that TPMs can do". So I would say "lose the -trial-session-no-tpm argument.

Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none

That works, but presumably the policy tools could tell that the session is a --tcti=none session, so maybe the --tcti=none option can be elided in this case. But it's OK --tcti=none is required anyways -- consistency.

[williamcroberts]

For this, I think we could to something like:

tpm2 startauthsession --tcti=none --trial-session-no-tpm -S session.ctx
# this will propagate a new session.ctx format that can store halg and current policy hash
# do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?

# Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none
tpm2 policytoolX --tcti=none -S session.ctx

# flush will just ignore these contexts or error?

Thoughts here?

Yes:

do we want to enforce that if --trial-session-no-tpm is specified that --tcti=none is also specified?

No, I think that's implied. Even if TPM2TOOLS_TCTI is set in the environment to something other than none. Alternatively, --tcti=none implies a trial, software session, and it's already used in tpm2 duplicate and tpm2 makecredential to signify "do a software-only operation that TPMs can do". So I would say "lose the -trial-session-no-tpm argument.

Policy tools then can load the new session format, and get the halg/policy hash WHEN --tcti=none

That works, but presumably the policy tools could tell that the session is a --tcti=none session, so maybe the --tcti=none option can be elided in this case. But it's OK --tcti=none is required anyways -- consistency.

I think we would have to go with --tcti=none. As that's understood by the common framework to not try and invoke a TPM connection. If we make it a different tool argument, the framework won't know about that and attempt to invoke a TPM connection which is what we want to avoid. So I think --tcti=none, starting in tpm2_startauthsession, will create a session.ctx file that maintains the state the TPM normally would (so we can track the hash, and alg). Then we can just run the hash commands an update the context file until someone does a -L to dump the policy.