policy_session.h revision b180754b429c078cbc99175a6059a8b5d0491002 
1//
2// Copyright (C) 2015 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8//      http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
16
17#ifndef TRUNKS_POLICY_SESSION_H_
18#define TRUNKS_POLICY_SESSION_H_
19
20#include <string>
21#include <vector>
22
23#include <base/macros.h>
24
25#include "trunks/tpm_generated.h"
26
27namespace trunks {
28
29class AuthorizationDelegate;
30
31// PolicySession is an interface for managing policy backed sessions for
32// authorization and parameter encryption.
33class PolicySession {
34 public:
35  PolicySession() {}
36  virtual ~PolicySession() {}
37
38  // Returns an authorization delegate for this session. Ownership of the
39  // delegate pointer is retained by the session.
40  virtual AuthorizationDelegate* GetDelegate() = 0;
41
42  // Starts a salted session which is bound to |bind_entity| with
43  // |bind_authorization_value|. Encryption is enabled if |enable_encryption| is
44  // true. The session remains active until this object is destroyed or another
45  // session is started with a call to Start*Session.
46  virtual TPM_RC StartBoundSession(TPMI_DH_ENTITY bind_entity,
47                                   const std::string& bind_authorization_value,
48                                   bool enable_encryption) = 0;
49
50  // Starts a salted, unbound session. Encryption is enabled if
51  // |enable_encryption| is true. The session remains active until this object
52  // is destroyed or another session is started with a call to Start*Session.
53  virtual TPM_RC StartUnboundSession(bool enable_encryption) = 0;
54
55  // This method is used to get the current PolicyDigest of the PolicySession.
56  virtual TPM_RC GetDigest(std::string* digest) = 0;
57
58  // This method is used to construct a complex policy. It takes a list
59  // of policy digests. After the command is executed, the policy represented
60  // by this session is the OR of the provided policies.
61  virtual TPM_RC PolicyOR(const std::vector<std::string>& digests) = 0;
62
63  // This method binds the PolicySession to a provided PCR value. If the empty
64  // string is provided, the PolicySession is bound to the current PCR value.
65  virtual TPM_RC PolicyPCR(uint32_t pcr_index,
66                           const std::string& pcr_value) = 0;
67
68  // This method binds the PolicySession to a specified CommandCode.
69  // Once called, this Session can only be used to authorize actions on the
70  // provided CommandCode.
71  virtual TPM_RC PolicyCommandCode(TPM_CC command_code) = 0;
72
73  // This method specifies that Authorization Values need to be included in
74  // HMAC computation done by the AuthorizationDelegate.
75  virtual TPM_RC PolicyAuthValue() = 0;
76
77  // Reset a policy session to its original state.
78  virtual TPM_RC PolicyRestart() = 0;
79
80  // Sets the current entity authorization value. This can be safely called
81  // while the session is active and subsequent commands will use the value.
82  virtual void SetEntityAuthorizationValue(const std::string& value) = 0;
83
84 private:
85  DISALLOW_COPY_AND_ASSIGN(PolicySession);
86};
87
88}  // namespace trunks
89
90#endif  // TRUNKS_POLICY_SESSION_H_
91