tools: add tpm2_startauthsession
Add a tool for starting an auth session with the tpm. Signed-off-by: William Roberts <william.c.roberts@intel.com>
Add a tool that can take an existing session and perform a policyPCR event. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tools: tpm2_unseal add session file support
Support tpm2_unseal using a session file. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tests: add cross client session support
abrmd since version 1.2 has the ability to keep sessions alive for clients across IPC connections if clients mark them with a ContextSave call. Test that this works with tpm2_startauthsession, tpm2_policypcr and tpm2_unseal as expected. Since this test is tcti specific, add an option to enable tcti specific test scripts to test.sh. Update test.sh to use getopt which drops the long option support. Signed-off-by: William Roberts <william.c.roberts@intel.com>
Enable the tcti specific tests for abrmd on the CI system. Signed-off-by: William Roberts <william.c.roberts@intel.com>
Add tests for:
- tpm2_session_save()
- tpm2_session_restore()
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_util: set session attributes default to continue
Commands using sessions should be chainable, so by default we want the session attribute "continue" bit set, so the tpm doesn't unload the session after a command invocation. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_session: add a session restart command
Add and test a session interface to Tss2_Sys_PolicyRestart Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_unseal: only flush internal sessions
Don't flush externally generated sessions passed via -S option. Signed-off-by: William Roberts <william.c.roberts@intel.com>
Add a tool for restarting a policy session and add integration tests. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_flushcontext: add session file support
Support passing the session file to tpm2_flushcontext as a way to pass the handle to be flushed. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_session: add getters for session type
Add getters for tpm session type and test. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_unseal: test that a session is not a trial
Trial sessions should not be used when authenticating for object use. Thus test that a session is a proper type and issue a friendly error to the user, rather than just an attribute error during the TPM call. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_unseal: drop explicit CONTINUE_SESSION
Now that the TPMS_AUTH_COMMAND_INIT sets the attribute bits to continue, there is no need to set it again, so just delete it. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_session: rename handle interface
tpm2_session_get_session_handle() was way too long and repetitive. Rename to tpm2_session_get_handle() Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_create: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_createpolicy: remove -S and -e options
There is no point to having session saving in tpm2_createpolicy, as tpm2_createpolicy is designed for environments where sessions would be flushed on IPC disconnection with the RM. In the case the RM supports sessions across client connections, or direct TPM access is used, then the decomposed policy tools can be used. They were also unused in tests:
* -e was never used
* -S was used, but its output was never chained to anything.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_createprimary: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_dictionarylockout: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_encryptdecrypt: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_evictcontrol: add session file support
Update tpm2_evictcontrol to take a session file and swap out the arguments so -S is consistent. Old -S becomes -p and -i becomes -S for a session file. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_getmanufec: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_getpubek: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_hmac: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_load: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_nvdefine: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_nvread: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_nvreadlock: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_nvrelease: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_nvwrite: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_pcrevent: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_quote: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_rsadecrypt: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_rsaencrypt: remove -S option
Encryption with an RSA key requires no authentication to use the key, thus no command authorization array header is present. Therefore, -S makes no sense, and should be removed from the manpage. The tool never supported -S at any time and would issue an error if one tried. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_sign: update -S to session file
Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2_unseal: update headers and copyright
Signed-off-by: William Roberts <william.c.roberts@intel.com>