1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
% tpm2_policyor(1) tpm2-tools | General Commands Manual
# NAME
**tpm2_policyor**(1) - logically OR's two policies together.
# SYNOPSIS
**tpm2_policyor** [*OPTIONS*]
# DESCRIPTION
**tpm2_policyor**(1) - Generates a policy_or event with the TPM. It expects a
session to be already established via **tpm2_startauthsession**(1). If
the input session is a trial session this tool generates a policy digest that
compounds two or more input policy digests such that the resulting policy digest
requires at least one of the policy events being true. If the input session is
real policy session **tpm2_policyor**(1) authenticates the object successfully
if at least one of the policy events are true.
# OPTIONS
* **-L**, **\--policy**=_FILE_:
File to save the compounded policy digest.
* **-S**, **\--session**=_FILE_:
The policy session file generated via the **-S** option to
**tpm2_startauthsession**(1).
* **ARGUMENT** the command line argument specifies the list of files for the
policy digests that has to be compounded resulting in individual policies
being added to final policy digest that can authenticate the object. The
list begins with the policy digest hash alg. Example sha256:policy1,policy2
* **-l**, **\--policy-list**=_POLICY\_FILE_\_LIST:
This option is retained for backwards compatibility. Use the argument method
instead.
## References
[common options](common/options.md) collection of common options that provide
information many users may expect.
[common tcti options](common/tcti.md) collection of options used to configure
the various known TCTI modules.
# EXAMPLES
Create an authorization policy for a sealing object that compounds a pcr policy
and a policypassword in an OR fashion and show satisfying either policies could
unseal the secret.
## Create policypcr as first truth value for compounding the policies
```bash
tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -L policy.pcr -l sha256:0,1,2,3
tpm2_flushcontext session.ctx
```
## Create policypassword as second truth value for compounding the policies
```bash
tpm2_startauthsession -S session.ctx
tpm2_policypassword -S session.ctx -L policy.pass
tpm2_flushcontext session.ctx
```
## Compound the two policies in an OR fashion with tpm2_policyor command
```bash
tpm2_startauthsession -S session.ctx
tpm2_policyor -S session.ctx -L policy.or sha256:policy.pass,policy.pcr
tpm2_flushcontext session.ctx
```
## Create a sealing object and attach the auth policy from tpm2_policyor command
```bash
tpm2_createprimary -c prim.ctx -Q
echo "secret" | tpm2_create -C prim.ctx -c key.ctx -u key.pub -r key.priv \
-L policy.or -i-
```
## Satisfy auth policy using password and unseal the secret
```bash
tpm2_startauthsession -S session.ctx --policy-session
tpm2_policypassword -S session.ctx
tpm2_policyor -S session.ctx sha256:policy.pass,policy.pcr
tpm2_unseal -c key.ctx -p session:session.ctx
tpm2_flushcontext session.ctx
```
## Satisfy auth policy using pcr and unseal the secret
```bash
tpm2_startauthsession -S session.ctx --policy-session
tpm2_policypcr -S session.ctx -l sha256:0,1,2,3
tpm2_policyor -S session.ctx sha256:policy.pass,policy.pcr
tpm2_unseal -c key.ctx -p session:session.ctx
tpm2_flushcontext session.ctx
```
[returns](common/returns.md)
[limitations](common/policy-limitations.md)
[footer](common/footer.md)
|