On Mon, 2018-10-22 at 11:50 -0400, Ken Goldman wrote: > On 10/22/2018 10:18 AM, James Bottomley wrote: > > > 1 - Any policy that requires a password (policypassword) can > > > substitute > > > an HMAC (policyauthvalue) at the callers discretion. They result > > > in the same policy digest. > > > > Right but this requires the co-operation of the policy handle > > creator, so it's an API change. > > > > In case it wasn't clear: The choice is not made at the time the > policy is calculated, nor is it made at startauthsession (when > the policy is created). > > The choice is made when the policy is being satisfied. > > policypassword tells the TPM to expect a plaintext password, while > policyauthvalue tells the TPM to expect an HMAC. > > It's subtle that either policy command results in the same policy > digest. I understand, but the API just has a policy handle from a fully constructed policy passed in. There's no way to deconstruct this even to know if it has auth requirements and what type. To get that info we have to see the policy commands that go into building up the policy session ... this means the API needs to change. James
