def test_seal_with_policy(self):
handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
data = 'X' * 64
auth = 'A' * 15
pcrs = [16]
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
policy_dig = tpm2.get_policy_digest(handle)
finally:
tpm2.flush_context(handle)
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
def test_seal_with_policy(self):
handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
data = 'X' * 64
auth = 'A' * 15
pcrs = [16]
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
policy_dig = tpm2.get_policy_digest(handle)
finally:
tpm2.flush_context(handle)
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
def test_unseal_with_wrong_policy(self):
handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
data = 'X' * 64
auth = 'A' * 17
pcrs = [16]
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
policy_dig = tpm2.get_policy_digest(handle)
finally:
tpm2.flush_context(handle)
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
# Extend first a PCR that is not part of the policy and try to unseal.
# This should succeed.
ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
tpm2.extend_pcr(1, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
# Then, extend a PCR that is part of the policy and try to unseal.
# This should fail.
tpm2.extend_pcr(16, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
rc = 0
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except ProtocolError, e:
rc = e.rc
tpm2.flush_context(handle)
def test_unseal_with_wrong_policy(self):
handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
data = 'X' * 64
auth = 'A' * 17
pcrs = [16]
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
policy_dig = tpm2.get_policy_digest(handle)
finally:
tpm2.flush_context(handle)
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
# Extend first a PCR that is not part of the policy and try to unseal.
# This should succeed.
ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
tpm2.extend_pcr(1, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
# Then, extend a PCR that is part of the policy and try to unseal.
# This should fail.
tpm2.extend_pcr(16, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
rc = 0
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except ProtocolError, e:
rc = e.rc
tpm2.flush_context(handle)