From: Petko Manolov [mailto:firstname.lastname@example.org]
Sent: Saturday, January 5, 2019 10:43 AM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: tpm2(a)lists.01.org; Desai, Imran <imran.desai(a)intel.com>
Subject: Re: [tpm2] facilitating BIOS update with seamless PCR policy change
On 19-01-04 21:50:13, Roberts, William C wrote:
> You can't change an existing object's policy AFAIK. So if you have
> objects sealed to PCR state and PCR state changes, you're out of luck.
> Imran, that statement is correct, right?
This is not how I read the "Non-Brittle PCRs (New in 2.0)" paragraph in the "A
Guide to TPM2" book, page 34.
I quote, "In the TPM 2.0 specification, you can seal things to a PCR value approved by a
particular signer instead of to a particular PCR value"
That's what can be done with the policyauthorize command. In general that command
Any policy signed with key X is a valid policy. So you can mutate the policy as needed and
re-sign it. Whatever events are required to satisfy the policy are policy specific.
Policy could be PCR specific, in which case you could:
1. make a PCR policy to specific PCR values and update policy with system changes
2. make a PCR policy specific to a set of PCR values via policy OR statements
Option 2 could allow rollback attacks.
> You need to use policyauthorize when you build a new policy for an
> object, which pretty much means any policy signed by X is OK. Thus
> when PCR state changes, you just sign a new PCR policy.
I really hope it is "policy signed by X _and_ these new PCR values", else it
makes no sense to use PCR values as policy, doesn't it?
It's literally policy signed by X, the contents of the policy are mutable at that
> See this test for an example of usage:
Thanks for the reference. I guess I'll be back with more questions after I digest
the above example.
> > -----Original Message-----
> > From: tpm2 [mailto:email@example.com] On Behalf Of Petko Manolov
> > Sent: Friday, January 4, 2019 10:21 AM
> > To: tpm2(a)lists.01.org
> > Subject: [tpm2] facilitating BIOS update with seamless PCR policy change
> > Hello guys,
> > I'm trying to devise a way to change the PCR policy used to seal certain
> > TPM2 in case of BIOS change. So far I've run into this article (along with
> > the references it suggests):
> > https://github.com/tpm2-software/tpm2-tss/issues/487
> > However, I did not find a definitive answer there. Could someone please
> > elaborate or point me in the right direction where I can read more about how to
> > authorize the new PCR policy?
> > Thanks a bunch,
> > Petko
> > _______________________________________________
> > tpm2 mailing list
> > tpm2(a)lists.01.org
> > https://lists.01.org/mailman/listinfo/tpm2
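As an added example (not code from this thread and not tpm2-tools), the Python below computes TPM 2.0 policy digests offline with hashlib, following the digest-update rules in Part 3 of the TPM 2.0 Library specification, to make concrete what "policy signed by X" means: the sealed object's authPolicy is the PolicyAuthorize digest, which depends only on signing key X's name (and the policyRef), not on any PCR value. After a BIOS update changes PCR 0, only the PCR policy that X re-signs changes; an object sealed directly to a PolicyPCR digest (option 1 above) no longer matches, and an OR of old and new PCR digests (option 2) still accepts the old state, which is the rollback concern raised above. The PCR values, the signing key's public area and the 3-byte pcrSelect are constructed here; the signature over the PCR policy and the TPM2_VerifySignature ticket that the TPM checks at unseal time are not modelled.

```python
"""Offline TPM 2.0 policy-digest computation (SHA-256 policy sessions).

Digest update rules are those of TPM 2.0 Library spec Part 3:
  PolicyPCR:       new = H(old || CC || TPML_PCR_SELECTION || H(selected PCR values))
  PolicyOR:        new = H(zero || CC || d1 || d2 || ...)
  PolicyAuthorize: new = H(zero || CC || keySign.name || policyRef)
Added example; all PCR values and key material below are constructed.
"""
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B
TPM_CC_POLICYOR = 0x00000171
TPM_CC_POLICYAUTHORIZE = 0x0000016A
TPM_CC_POLICYPCR = 0x0000017F
ZERO_DIGEST = bytes(32)  # policyDigest of a freshly started session


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pcr_selection(pcr_indices, size_of_select: int = 3) -> bytes:
    """Marshal a TPML_PCR_SELECTION with a single SHA-256 bank entry.
    size_of_select=3 (24 PCRs) is an assumption; a TPM reports its own value."""
    bitmap = bytearray(size_of_select)
    for i in pcr_indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, size_of_select) + bytes(bitmap)


def policy_pcr(prev: bytes, pcr_indices, pcr_values: dict) -> bytes:
    """TPM2_PolicyPCR: binds the session to the concatenated selected PCR values."""
    pcr_digest = _h(*(pcr_values[i] for i in sorted(pcr_indices)))
    return _h(prev, struct.pack(">I", TPM_CC_POLICYPCR),
              pcr_selection(pcr_indices), pcr_digest)


def policy_or(branches) -> bytes:
    """TPM2_PolicyOR: resets the digest, then extends with every branch digest."""
    return _h(ZERO_DIGEST, struct.pack(">I", TPM_CC_POLICYOR), *branches)


def policy_authorize(key_name: bytes, policy_ref: bytes = b"") -> bytes:
    """TPM2_PolicyAuthorize: resets the digest, then extends with the signer's
    name and policyRef. The approved PCR policy is NOT an input, which is why
    the sealed object's authPolicy survives a PCR change."""
    return _h(ZERO_DIGEST, struct.pack(">I", TPM_CC_POLICYAUTHORIZE),
              key_name, policy_ref)


def tpm_name(public_area: bytes) -> bytes:
    """A TPM object's name is nameAlg || H(marshaled public area)."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()


def or_accepts(branches, current: bytes) -> bool:
    """PolicyOR succeeds when the session digest equals ANY listed branch,
    so an old PCR state kept in the list keeps satisfying the policy."""
    return current in branches


def bios_update_scenario() -> dict:
    sel = (0, 7)
    # Constructed PCR banks before and after a BIOS update touches PCR 0 only.
    pcr_before = {0: _h(b"constructed: BIOS v1 measurement"),
                  7: _h(b"constructed: secure boot state")}
    pcr_after = {**pcr_before, 0: _h(b"constructed: BIOS v2 measurement")}

    # Option 1: a PCR policy per BIOS version; the digest changes with PCR 0.
    pcr_policy_v1 = policy_pcr(ZERO_DIGEST, sel, pcr_before)
    pcr_policy_v2 = policy_pcr(ZERO_DIGEST, sel, pcr_after)

    # Non-brittle sealing: the object's authPolicy names key X, nothing else.
    key_x_name = tpm_name(b"constructed public area of signing key X")
    auth_policy = policy_authorize(key_x_name)

    # Option 2: one policy accepting either PCR state.
    or_policy = policy_or([pcr_policy_v1, pcr_policy_v2])

    return {"pcr_policy_v1": pcr_policy_v1, "pcr_policy_v2": pcr_policy_v2,
            "key_x_name": key_x_name, "auth_policy": auth_policy,
            "or_policy": or_policy}


if __name__ == "__main__":
    r = bios_update_scenario()
    for k, v in r.items():
        print(f"{k:15s} {v.hex()}")
```

Reading the output: `auth_policy` is the value to pass as the sealed object's policy; `pcr_policy_v1` is what X signs today and `pcr_policy_v2` what X signs after the update, and neither affects `auth_policy`. Setting a non-empty `policy_ref` gives a different `auth_policy`, which is how one signing key can authorize policies for distinct objects without them being interchangeable.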