On Mon, 2019-12-09 at 16:04 -0800, James Bottomley wrote:
[...]
> The big problem with this patch is still that we can't yet combine
> policy with authorization because that requires proper session
> handling, but at least with this rewrite it becomes possible (whereas
> it was never possible with the old external policy session code).
> Thus, when we have the TPM 2.0 security patch upstream, we'll be able
> to use the session logic from that patch to implement authorizations.

I had a discussion with Ken Goldman on Friday where he told me this
wasn't true: we can actually persuade a policy session to do a non-HMAC
authorization (for the interested, the trick is to use
TPM2_PolicyPassword in place of TPM2_PolicyAuthValue. It hashes to the
same policy but the former sets the session up for non-HMAC and the
latter for HMAC) so I'll add password-based authorization to policies
when I respin the patch set.

James
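The digest-equality point made in the reply above, worked through as an added example; this is not code from the original thread or from the kernel patch under discussion. It assumes a SHA-256 policy session, the policyDigest update rule from the TPM 2.0 specification (policyDigest_new = H(policyDigest_old || commandCode), with TPM2_PolicyPassword extending by TPM_CC_PolicyAuthValue rather than its own code), and the command HMAC construction HMAC(sessionKey || authValue, cpHash || nonceCaller || nonceTPM || sessionAttributes). The authValue, session key, nonces and object name are constructed placeholders, and `tpm_accepts` is a hypothetical stand-in for the TPM's own check, not a real API.

```python
import hashlib
import hmac

# TPM 2.0 Part 2 command codes. TPM2_PolicyPassword deliberately extends the
# policy with TPM_CC_PolicyAuthValue rather than its own code, which is why the
# two commands yield the same policyDigest.
TPM_CC_PolicyAuthValue = 0x0000016B
TPM_CC_Unseal = 0x0000015E

HASH = hashlib.sha256                 # assumption: SHA-256 policy session
DIGEST_LEN = HASH().digest_size


def extend_policy(policy_digest, command_code):
    """policyDigest_new = H(policyDigest_old || commandCode)."""
    return HASH(policy_digest + command_code.to_bytes(4, "big")).digest()


def policy_auth_value(policy_digest):
    """TPM2_PolicyAuthValue: extends the digest and flags the session so the
    authValue is folded into the HMAC key (HMAC authorization)."""
    return extend_policy(policy_digest, TPM_CC_PolicyAuthValue)


def policy_password(policy_digest):
    """TPM2_PolicyPassword: same digest extension, but the session is flagged
    so the authValue is presented in the clear (password authorization)."""
    return extend_policy(policy_digest, TPM_CC_PolicyAuthValue)


def cp_hash(command_code, names, parameters):
    """cpHash = H(commandCode || name_1 || ... || parameters)."""
    return HASH(command_code.to_bytes(4, "big") + b"".join(names) + parameters).digest()


def password_auth(auth_value):
    """Authorization 'hmac' field after TPM2_PolicyPassword: the plaintext authValue."""
    return auth_value


def hmac_auth(session_key, auth_value, cphash, nonce_caller, nonce_tpm, session_attrs):
    """Authorization 'hmac' field after TPM2_PolicyAuthValue.
    Key is sessionKey || authValue (authValue is only mixed in because
    PolicyAuthValue ran); message is cpHash || nonceNewer || nonceOlder || attrs."""
    key = session_key + auth_value
    msg = cphash + nonce_caller + nonce_tpm + session_attrs
    return hmac.new(key, msg, HASH).digest()


def tpm_accepts(kind, presented, auth_value, session_key, cphash,
                nonce_caller, nonce_tpm, session_attrs):
    """Hypothetical stand-in for the TPM's check of the authorization area.
    'kind' models the session flag set by whichever policy command ran."""
    if kind == "password":
        return hmac.compare_digest(presented, auth_value)
    expected = hmac_auth(session_key, auth_value, cphash, nonce_caller, nonce_tpm, session_attrs)
    return hmac.compare_digest(presented, expected)


def demo():
    # Constructed inputs; a real session derives sessionKey from salt/bind and
    # the TPM supplies nonceTPM.
    auth_value = b"correct horse"
    session_key = bytes.fromhex("11" * 32)
    nonce_caller = bytes.fromhex("a1" * 16)
    nonce_tpm = bytes.fromhex("b2" * 16)
    attrs = b"\x01"                                   # continueSession
    name = b"\x00\x0b" + bytes.fromhex("cc" * 32)     # constructed SHA-256 name
    cph = cp_hash(TPM_CC_Unseal, [name], b"")

    # Both policy commands, starting from the all-zero initial digest.
    via_password = policy_password(bytes(DIGEST_LEN))
    via_authvalue = policy_auth_value(bytes(DIGEST_LEN))

    pw_field = password_auth(auth_value)
    hm_field = hmac_auth(session_key, auth_value, cph, nonce_caller, nonce_tpm, attrs)
    common = (auth_value, session_key, cph, nonce_caller, nonce_tpm, attrs)
    return {
        "same_policy": via_password == via_authvalue,
        "policy_hex": via_password.hex(),
        "password_field": pw_field,
        "hmac_field": hm_field,
        "password_accepted": tpm_accepts("password", pw_field, *common),
        "hmac_accepted": tpm_accepts("hmac", hm_field, *common),
        "wrong_password_accepted": tpm_accepts("password", b"wrong", *common),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

The practical consequence for a kernel-side user is that the object's authPolicy does not change depending on which command the caller intends to use, so a sealed object created with a PolicyAuthValue digest can be unsealed through a session that ran TPM2_PolicyPassword and sent the authValue in the clear, which is what makes password authorization usable before full HMAC session support lands.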