Google Git
Sign in
cos / mirrors / cros / chromiumos / platform2 / refs/heads/factory-dedede-13683.B / . / trunks / policy_session_impl.h
blob: ea25fc306ffe695ede0fe17a7bfdf6ab86fd2bf9 [file] [log] [blame]
// Copyright 2015 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef TRUNKS_POLICY_SESSION_IMPL_H_
#define TRUNKS_POLICY_SESSION_IMPL_H_
#include "trunks/policy_session.h"
#include <map>
#include <memory>
#include <string>
#include <vector>
#include "trunks/hmac_authorization_delegate.h"
#include "trunks/session_manager.h"
#include "trunks/trunks_factory.h"
namespace trunks {
// This class implements the PolicySession interface. It is used for
// keeping track of the HmacAuthorizationDelegate used for commands, and to
// provide authorization for commands that need it. It can also be used to
// create custom policies to restrict the usage of keys.
// PolicySessionImpl session(factory);
// session.StartBoundSession(bind_entity, bind_authorization, true, true);
// session.PolicyPCR(pcr_index, pcr_value);
// factory.GetTpm()->RSA_EncrpytSync(_,_,_,_, session.GetDelegate());
// NOTE: StartBoundSession/StartUnboundSession should not be called before
// TPM Ownership is taken. This is because starting a session uses the
// SaltingKey, which is only created after ownership is taken.
class TRUNKS_EXPORT PolicySessionImpl : public PolicySession {
public:
explicit PolicySessionImpl(const TrunksFactory& factory);
// |session_type| specifies what type of session this is. It can only
// be TPM_SE_TRIAL or TPM_SE_POLICY. If other values are used,
// StartBoundSession will return SAPI_RC_INVALID_SESSIONS.
PolicySessionImpl(const TrunksFactory& factory, TPM_SE session_type);
PolicySessionImpl(const PolicySessionImpl&) = delete;
PolicySessionImpl& operator=(const PolicySessionImpl&) = delete;
~PolicySessionImpl() override;
// PolicySession methods
AuthorizationDelegate* GetDelegate() override;
TPM_RC StartBoundSession(TPMI_DH_ENTITY bind_entity,
const std::string& bind_authorization_value,
bool salted,
bool enable_encryption) override;
TPM_RC StartUnboundSession(bool salted, bool enable_encryption) override;
TPM_RC GetDigest(std::string* digest) override;
TPM_RC PolicyOR(const std::vector<std::string>& digests) override;
TPM_RC PolicyPCR(const std::map<uint32_t, std::string>& pcr_map) override;
TPM_RC PolicyCommandCode(TPM_CC command_code) override;
TPM_RC PolicySecret(TPMI_DH_ENTITY auth_entity,
const std::string& auth_entity_name,
const std::string& nonce,
const std::string& cp_hash,
const std::string& policy_ref,
int32_t expiration,
AuthorizationDelegate* delegate) override;
TPM_RC PolicySigned(TPMI_DH_ENTITY auth_entity,
const std::string& auth_entity_name,
const std::string& nonce,
const std::string& cp_hash,
const std::string& policy_ref,
int32_t expiration,
const trunks::TPMT_SIGNATURE& signature,
AuthorizationDelegate* delegate) override;
TPM_RC PolicyAuthValue() override;
TPM_RC PolicyRestart() override;
void SetEntityAuthorizationValue(const std::string& value) override;
TPM_RC PolicyFidoSigned(TPMI_DH_ENTITY auth_entity,
const std::string& auth_entity_name,
const std::string& auth_data,
const std::vector<FIDO_DATA_RANGE>& auth_data_descr,
const TPMT_SIGNATURE& signature,
AuthorizationDelegate* delegate) override;
private:
// This factory is only set in the constructor and is used to instantiate
// the TPM class to forward commands to the TPM chip.
const TrunksFactory& factory_;
// This field determines if this session is of type TPM_SE_TRIAL or
// TPM_SE_POLICY.
TPM_SE session_type_;
// This delegate is what provides authorization to commands. It is what is
// returned when the GetDelegate method is called.
HmacAuthorizationDelegate hmac_delegate_;
// This object is used to manage the TPM session associated with this
// AuthorizationSession.
std::unique_ptr<SessionManager> session_manager_;
friend class PolicySessionTest;
};
} // namespace trunks
#endif // TRUNKS_POLICY_SESSION_IMPL_H_