policyutil: ensure Policy.Execute indicates cpHash has been set when …

…set by TPM2_PolicySigned
canonical · Apr 4, 2024 · f6499c3 · f6499c3
1 parent 5ea965f
commit f6499c3
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 6 deletions.
diff --git a/policyutil/policy.go b/policyutil/policy.go
@@ -1498,8 +1498,8 @@ type PolicyExecuteResult struct {
 	policyNvWritten   *bool
 }
 
-// CommandCode returns the command code if a TPM2_PolicyCommandCode assertion
-// was executed.
+// CommandCode returns the command code if a TPM2_PolicyCommandCode or
+// TPM2_PolicyDuplicationSelect assertion was executed.
 func (r *PolicyExecuteResult) CommandCode() (code tpm2.CommandCode, set bool) {
 	if r.policyCommandCode == nil {
 		return 0, false
@@ -1508,15 +1508,17 @@ func (r *PolicyExecuteResult) CommandCode() (code tpm2.CommandCode, set bool) {
 }
 
 // CpHash returns the command parameter hash if a TPM2_PolicyCpHash assertion
-// was executed.
+// was executed or a TPM2_PolicySecret or TPM2_PolicySigned assertion was executed
+// with a cpHash.
 func (r *PolicyExecuteResult) CpHash() (cpHashA tpm2.Digest, set bool) {
 	if len(r.policyCpHash) == 0 {
 		return nil, false
 	}
 	return r.policyCpHash, true
 }
 
-// CpHash returns the name hash if a TPM2_PolicyNameHash assertion was executed.
+// NameHash returns the name hash if a TPM2_PolicyNameHash or TPM2_PolicyDuplicationSelect
+// assertion was executed.
 func (r *PolicyExecuteResult) NameHash() (nameHash tpm2.Digest, set bool) {
 	if len(r.policyNameHash) == 0 {
 		return nil, false

diff --git a/policyutil/policy_test.go b/policyutil/policy_test.go
@@ -1420,8 +1420,14 @@ func (s *policySuite) testPolicySigned(c *C, data *testExecutePolicySignedData)
 	c.Check(result.Path, Equals, "")
 	_, set := result.CommandCode()
 	c.Check(set, internal_testutil.IsFalse)
-	_, set = result.CpHash()
-	c.Check(set, internal_testutil.IsFalse)
+	if len(data.cpHashA) > 0 {
+		cpHash, set := result.CpHash()
+		c.Check(set, internal_testutil.IsTrue)
+		c.Check(cpHash, DeepEquals, data.cpHashA)
+	} else {
+		_, set = result.CpHash()
+		c.Check(set, internal_testutil.IsFalse)
+	}
 	_, set = result.NameHash()
 	c.Check(set, internal_testutil.IsFalse)
 	_, set = result.NvWritten()

diff --git a/policyutil/session.go b/policyutil/session.go
@@ -626,6 +626,11 @@ func (s *recorderPolicySession) PolicySigned(authKey tpm2.ResourceContext, inclu
 		AuthName:  authKey.Name(),
 		PolicyRef: policyRef,
 	})
+	if len(cpHashA) > 0 {
+		if err := s.PolicyCpHash(cpHashA); err != nil {
+			return nil, nil, err
+		}
+	}
 	return nil, nil, nil
 }
 
@@ -634,6 +639,11 @@ func (s *recorderPolicySession) PolicySecret(authObject tpm2.ResourceContext, cp
 		AuthName:  authObject.Name(),
 		PolicyRef: policyRef,
 	})
+	if len(cpHashA) > 0 {
+		if err := s.PolicyCpHash(cpHashA); err != nil {
+			return nil, nil, err
+		}
+	}
 	return nil, nil, nil
 }