1 // 2 // Copyright (C) 2015 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef TRUNKS_POLICY_SESSION_IMPL_H_ 18 #define TRUNKS_POLICY_SESSION_IMPL_H_ 19 20 #include "trunks/policy_session.h" 21 22 #include <memory> 23 #include <string> 24 #include <vector> 25 26 #include "trunks/hmac_authorization_delegate.h" 27 #include "trunks/session_manager.h" 28 #include "trunks/trunks_factory.h" 29 30 namespace trunks { 31 32 // This class implements the PolicySession interface. It is used for 33 // keeping track of the HmacAuthorizationDelegate used for commands, and to 34 // provide authorization for commands that need it. It can also be used to 35 // create custom policies to restrict the usage of keys. 36 // PolicySessionImpl session(factory); 37 // session.StartBoundSession(bind_entity, bind_authorization, true); 38 // session.PolicyPCR(pcr_index, pcr_value); 39 // factory.GetTpm()->RSA_EncrpytSync(_,_,_,_, session.GetDelegate()); 40 // NOTE: StartBoundSession/StartUnboundSession should not be called before 41 // TPM Ownership is taken. This is because starting a session uses the 42 // SaltingKey, which is only created after ownership is taken. 43 class TRUNKS_EXPORT PolicySessionImpl : public PolicySession { 44 public: 45 explicit PolicySessionImpl(const TrunksFactory& factory); 46 // |session_type| specifies what type of session this is. It can only 47 // be TPM_SE_TRIAL or TPM_SE_POLICY. If other values are used, 48 // StartBoundSession will return SAPI_RC_INVALID_SESSIONS. 49 PolicySessionImpl(const TrunksFactory& factory, TPM_SE session_type); 50 ~PolicySessionImpl() override; 51 52 // PolicySession methods 53 AuthorizationDelegate* GetDelegate() override; 54 TPM_RC StartBoundSession(TPMI_DH_ENTITY bind_entity, 55 const std::string& bind_authorization_value, 56 bool enable_encryption) override; 57 TPM_RC StartUnboundSession(bool enable_encryption) override; 58 TPM_RC GetDigest(std::string* digest) override; 59 TPM_RC PolicyOR(const std::vector<std::string>& digests) override; 60 TPM_RC PolicyPCR(uint32_t pcr_index, const std::string& pcr_value) override; 61 TPM_RC PolicyCommandCode(TPM_CC command_code) override; 62 TPM_RC PolicyAuthValue() override; 63 TPM_RC PolicyRestart() override; 64 void SetEntityAuthorizationValue(const std::string& value) override; 65 66 private: 67 // This factory is only set in the constructor and is used to instantiate 68 // The TPM class to forward commands to the TPM chip. 69 const TrunksFactory& factory_; 70 // This field determines if this session is of type TPM_SE_TRIAL or 71 // TPM_SE_POLICY. 72 TPM_SE session_type_; 73 // This delegate is what provides authorization to commands. It is what is 74 // returned when the GetDelegate method is called. 75 HmacAuthorizationDelegate hmac_delegate_; 76 // This object is used to manage the TPM session associated with this 77 // AuthorizationSession. 78 std::unique_ptr<SessionManager> session_manager_; 79 80 friend class PolicySessionTest; 81 DISALLOW_COPY_AND_ASSIGN(PolicySessionImpl); 82 }; 83 84 } // namespace trunks 85 86 #endif // TRUNKS_POLICY_SESSION_IMPL_H_ 87
