[RFC] tools: add tpm2_policy tool for invoking libpolicy

Create a tpm2_policy tool that can read the FAPI JSON style policies
and:

1. Instantiate them -> This process fills in anything missing in the
template. TODO: How does this get handled, do we need to tweak any
of the callbacks?

2. Calculate them -> This process produces a list of hashes... TODO:
   Why? Is this a list of all the subordinate policies or can the json file
   have N policies where N > 1?

3. Execute them -> Execute the policy on a session. TODO: Who is
supposed to start the policy session as it seems to be 0?

Their are a lot of TODO items in this code. I'm looking for how we want
to use this, different tools, like tpm2_policyinit tpm2_policycalc and
tpm2_policyexec? Or an all in-one tool. Currently note that ONLY the
Execute needs an ESYS context, but instantiate should be filling stuff
in so it likely needs a context or the callbacks handled?

Signed-off-by: William Roberts <william.c.roberts@intel.com>

Author: William Roberts

Makefile.am

@@ -19,13 +19,13 @@ LIB_COMMON := lib/libcommon.a
 AM_CFLAGS := \
     $(INCLUDE_DIRS) $(EXTRA_CFLAGS) $(TSS2_ESYS_CFLAGS) $(TSS2_MU_CFLAGS) \
     $(CRYPTO_CFLAGS) $(CODE_COVERAGE_CFLAGS) $(TSS2_TCTILDR_CFLAGS) \
-    $(TSS2_RC_CFLAGS) $(TSS2_SYS_CFLAGS)
+    $(TSS2_RC_CFLAGS) $(TSS2_SYS_CFLAGS) $(TSS2_POLICY_CFLAGS)
 
 AM_LDFLAGS   := $(EXTRA_LDFLAGS) $(CODE_COVERAGE_LIBS)
 
 LDADD = \
     $(LIB_COMMON) $(TSS2_ESYS_LIBS) $(TSS2_MU_LIBS) $(CRYPTO_LIBS) $(TSS2_TCTILDR_LIBS) \
-    $(TSS2_RC_LIBS) $(TSS2_SYS_LIBS) $(EFIVAR_LIBS)
+    $(TSS2_RC_LIBS) $(TSS2_SYS_LIBS) $(EFIVAR_LIBS) $(TSS2_POLICY_LIBS)
 
 AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions'
 
@@ -104,6 +104,7 @@ tpm2_tools = \
     tools/misc/tpm2_certifyX509certutil.c \
     tools/misc/tpm2_checkquote.c \
     tools/misc/tpm2_eventlog.c \
+    tools/misc/tpm2_policy.c \
     tools/misc/tpm2_print.c \
     tools/misc/tpm2_rc_decode.c \
     tools/tpm2_activatecredential.c \

configure.ac

@@ -58,6 +58,7 @@ PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
 PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
 PKG_CHECK_MODULES([TSS2_RC], [tss2-rc])
 PKG_CHECK_MODULES([TSS2_SYS], [tss2-sys])
+PKG_CHECK_MODULES([TSS2_POLICY], [tss2-policy])
 PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
 PKG_CHECK_MODULES([CURL], [libcurl])
 

tools/misc/tpm2_policy.c

@@ -0,0 +1,93 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <tss2/tss2_policy.h>
+
+#include "log.h"
+#include "tpm2_tool.h"
+#include "tpm2_util.h"
+
+typedef struct tpm2_policy_ctx tpm2_policy_ctx;
+struct tpm2_policy_ctx {
+    ifapi_policyeval_INST_CB cb;
+    const char *policy_file;
+};
+
+static tpm2_policy_ctx ctx;
+
+static bool on_arg(int argc, char *argv[]) {
+
+    if (argc != 1) {
+        LOG_ERR("Expected single file path argument");
+        return false;
+    }
+
+    ctx.policy_file = argv[0];
+
+    return true;
+}
+
+static bool tpm2_tool_onstart(tpm2_options **opts) {
+//    static const struct option topts[] = {
+//        { "type",   required_argument, NULL, 't' },
+//        { "format", required_argument, NULL, 'f' },
+//    };
+
+    *opts = tpm2_options_new(NULL, 0, NULL, NULL, on_arg,
+            0);
+
+    return *opts != NULL;
+}
+
+static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+    UNUSED(flags);
+
+    TPMS_POLICY *policy_ctx;
+
+    TSS2_RC rc = Tss2_PolicyInstantiate(
+        ctx.policy_file,
+        &ctx.cb,
+        &policy_ctx);
+    if (rc) {
+        LOG_ERR("Instantiate failed");
+        return tool_rc_general_error;
+    }
+
+    rc = Tss2_PolicyCalculate(
+            policy_ctx->policy, /* could we just pass context and drop these? */
+            &policy_ctx->policyDigests, /* same as above */
+            TPM2_ALG_SHA256,
+            32, /* this could be computed from alg... */
+            0); /* I can't figure out what this is for, looks like some kind of recursion in the tss2 lib */
+    if (rc) {
+        LOG_ERR("Calculate failed");
+        return tool_rc_general_error;
+    }
+
+    /* Why doesn't calculate give us the aggregate hash? */
+    printf("hash: ");
+    tpm2_util_hexdump2(stdout, policy_ctx->policyDigests.digests[0].digest.sha256, 32);
+    printf("\n");
+
+    /*
+     * This fails as it looks like their is no session in the context, in the Esys Call the
+     * session is 0.
+     */
+    rc = Tss2_PolicyExecute(
+        TPM2_ALG_SHA256,
+        policy_ctx,
+        ectx);
+    if (rc) {
+        LOG_ERR("Execute failed");
+        return tool_rc_general_error;
+    }
+
+    return tool_rc_success;
+}
+
+// Register this tool with tpm2_tool.c
+TPM2_TOOL_REGISTER("policy", tpm2_tool_onstart, tpm2_tool_onrun, NULL, NULL)