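//
// Copyright (C) 2015 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

#ifndef TRUNKS_POLICY_SESSION_H_
#define TRUNKS_POLICY_SESSION_H_

// uint32_t is used by PolicyPCR below; include it directly so this header
// does not depend on another header pulling it in.
#include <stdint.h>

#include <string>
#include <vector>

#include <base/macros.h>

#include "trunks/tpm_generated.h"

namespace trunks {

class AuthorizationDelegate;

// PolicySession is an interface for managing policy backed sessions for
// authorization and parameter encryption.
//
// Every operation that talks to the session reports its outcome as a TPM_RC
// (declared in trunks/tpm_generated.h). A caller that ignores the result of a
// Policy* call cannot know whether that assertion was actually applied to the
// session, so each return value should be checked before the session is used
// to authorize anything.
//
// Authorization values are passed as std::string. std::string does not wipe
// its buffer on destruction, so callers should keep copies of such values
// short-lived.
class PolicySession {
 public:
  PolicySession() {}
  virtual ~PolicySession() {}

  // Returns an authorization delegate for this session. Ownership of the
  // delegate pointer is retained by the session, so the caller must not
  // delete it.
  // NOTE(review): presumably the pointer is no longer valid once the session
  // object is destroyed -- confirm against the implementation.
  virtual AuthorizationDelegate* GetDelegate() = 0;

  // Starts a salted session which is bound to |bind_entity| with
  // |bind_authorization_value|. Encryption is enabled if |enable_encryption|
  // is true. The session remains active until this object is destroyed or
  // another session is started with a call to Start*Session.
  // NOTE(review): with |enable_encryption| false the session presumably
  // provides no parameter encryption -- confirm before using it for commands
  // that carry sensitive parameters.
  virtual TPM_RC StartBoundSession(TPMI_DH_ENTITY bind_entity,
                                   const std::string& bind_authorization_value,
                                   bool enable_encryption) = 0;

  // Starts a salted, unbound session. Encryption is enabled if
  // |enable_encryption| is true. The session remains active until this object
  // is destroyed or another session is started with a call to Start*Session.
  virtual TPM_RC StartUnboundSession(bool enable_encryption) = 0;

  // Gets the current PolicyDigest of the PolicySession and stores it in
  // |digest|, which is an output parameter.
  // NOTE(review): this interface does not say whether a null |digest| is
  // tolerated or whether |digest| is modified on failure; pass a valid
  // pointer and only read it after checking the returned TPM_RC.
  virtual TPM_RC GetDigest(std::string* digest) = 0;

  // This method is used to construct a complex policy. It takes a list
  // of policy digests. After the command is executed, the policy represented
  // by this session is the OR of the provided policies.
  // NOTE(review): the TPM 2.0 PolicyOR command accepts between two and eight
  // digests; whether implementations validate the count before sending the
  // command is not visible here -- confirm.
  virtual TPM_RC PolicyOR(const std::vector<std::string>& digests) = 0;

  // This method binds the PolicySession to a provided PCR value. If the empty
  // string is provided, the PolicySession is bound to the current PCR value.
  // Binding to the current value accepts whatever state PCR |pcr_index| holds
  // at call time; a caller that needs a specific known-good measurement must
  // pass it explicitly in |pcr_value|.
  // NOTE(review): the expected encoding of |pcr_value| (presumably the raw
  // digest bytes) is not stated here -- confirm against the implementation.
  virtual TPM_RC PolicyPCR(uint32_t pcr_index,
                           const std::string& pcr_value) = 0;

  // This method binds the PolicySession to a specified CommandCode.
  // Once called, this Session can only be used to authorize actions on the
  // provided CommandCode.
  virtual TPM_RC PolicyCommandCode(TPM_CC command_code) = 0;

  // This method specifies that Authorization Values need to be included in
  // HMAC computation done by the AuthorizationDelegate.
  virtual TPM_RC PolicyAuthValue() = 0;

  // Reset a policy session to its original state.
  // NOTE(review): presumably this discards the policy assertions accumulated
  // so far, so they would have to be re-applied -- confirm.
  virtual TPM_RC PolicyRestart() = 0;

  // Sets the current entity authorization value. This can be safely called
  // while the session is active and subsequent commands will use the value.
  // |value| is secret material; see the class comment on std::string copies.
  virtual void SetEntityAuthorizationValue(const std::string& value) = 0;

 private:
  // A session object is not copyable or assignable.
  DISALLOW_COPY_AND_ASSIGN(PolicySession);
};

}  // namespace trunks

#endif  // TRUNKS_POLICY_SESSION_H_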