I actually really liked this question. I had to think about it.
The answer is separate from any particular TSS.
AFAIK, you could do
((A or B) and C) or ((A or B) and D))
However, this would require 5 calls to the TPM:
A, B, or, C, or
Your plan B only requires 3 TPM commands. I.e., it looks
more complicated but it will perform better.
Date: 02/17/2021 03:36 PM
Subject: [EXTERNAL] [tpm2] policies in conjunctive normal form
Question: is it possible to structure a policy using tpm2-tools in
the following form?
policy = (a OR b) AND (c OR d)
- where a, b, c, d are simple pcr policies.
I tried this, and apparently creating an *AND* of policy *OR* did
not work as I thought. "and.policy" will contain the hash of the
second tpm2_policyor instead of generating a new hash.
tpm2_startauthsession --session session.ctx
tpm2_policyor --session session.ctx sha256:a.policy,b.policy
tpm2_policyor --session session.ctx sha256:c.policy,d.policy --
Plan B would be to structure the policy in the equivalent
disjunctive normal form, which works but is less scalable. i.e.:
policy = (a AND c) OR (a AND d) OR (b AND c) OR (b AND d)
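
The digest arithmetic behind both messages, as an added example that is not part of the original thread: PolicyPCR extends the running policyDigest, while PolicyOR replaces it with a hash of the branch list alone, so two consecutive PolicyOR calls never combine. The PCR indices and values, and all function names, are constructed for illustration; the model assumes SHA-256 sessions.

```python
import hashlib
import struct

TPM_CC_POLICY_OR, TPM_CC_POLICY_PCR = 0x00000171, 0x0000017F
TPM_ALG_SHA256 = 0x000B
ZERO = bytes(32)  # policyDigest of a freshly started session

def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def policy_pcr(digest, index, value):
    """TPM2_PolicyPCR: extends the running digest, so it acts as AND."""
    bitmap = bytearray(3)
    bitmap[index // 8] |= 1 << (index % 8)
    selection = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)
    return sha256(digest, struct.pack(">I", TPM_CC_POLICY_PCR), selection, sha256(value))

def policy_or(digest, branches, trial=False):
    """TPM2_PolicyOR: replaces the digest with a hash of the branch list only."""
    # A real policy session must already hold one of the branches; a trial session skips the check.
    if not trial and digest not in branches:
        raise ValueError("TPM_RC_VALUE: current digest is not one of the branches")
    return sha256(ZERO, struct.pack(">I", TPM_CC_POLICY_OR), *branches)

# Constructed PCR values: A, B are acceptable values of PCR 0; C, D of PCR 1.
A, B, C, D = (bytes([n]) * 32 for n in (1, 2, 3, 4))
a, b = policy_pcr(ZERO, 0, A), policy_pcr(ZERO, 0, B)
c, d = policy_pcr(ZERO, 1, C), policy_pcr(ZERO, 1, D)

def naive_trial():
    """Two PolicyOR calls in one trial session, as in the question."""
    digest = policy_or(ZERO, [a, b], trial=True)
    return policy_or(digest, [c, d], trial=True)  # the first OR leaves no trace

def nested_policy():
    """((a OR b) AND c) OR ((a OR b) AND d), as in the reply."""
    a_or_b = policy_or(a, [a, b])
    via_c, via_d = policy_pcr(a_or_b, 1, C), policy_pcr(a_or_b, 1, D)
    return policy_or(via_c, [via_c, via_d])

def dnf_policy():
    """(a AND c) OR (a AND d) OR (b AND c) OR (b AND d), plan B."""
    branches = [policy_pcr(x, 1, y) for x in (a, b) for y in (C, D)]
    return policy_or(branches[0], branches)
```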