tpm2_ptool: add --policy to addkey/import/link

To specify the policy right on creation. Signed-off-by: Sergii Dmytruk <[email protected]>
tpm2-software · Mar 26, 2023 · 9667048 · 9667048
1 parent 0506e1e
commit 9667048
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/tools/tpm2_pkcs11/commandlets_keys.py b/tools/tpm2_pkcs11/commandlets_keys.py
@@ -59,6 +59,9 @@ def generate_options(self, group_parser):
             '--hierarchy-auth',
             help='The hierarchyauth, required for transient pobjects.\n',
             default='')
+        group_parser.add_argument(
+            '--policy',
+            help='Policy to apply on using the key (in JSON format).\n')
         pinopts = group_parser.add_mutually_exclusive_group()
         pinopts.add_argument('--sopin', help='The Administrator pin.\n'),
         pinopts.add_argument('--userpin', help='The User pin.\n'),
@@ -174,6 +177,7 @@ def __call__(self, args):
                 key_label = args['key_label']
                 tid = args['id']
                 hierarchyauth = args['hierarchy_auth']
+                policy = args['policy']
                 passin = args['passin'] if 'passin' in args else None
 
                 privkey = None
@@ -206,6 +210,9 @@ def __call__(self, args):
                 # handle options that can add additional attributes
                 always_auth = args['attr_always_authenticate']
                 priv_attrs = {CKA_ALWAYS_AUTHENTICATE : always_auth}
+                if policy is not None:
+                    validate_policy(policy)
+                    priv_attrs[CKA_TPM2_POLICY_JSON] = binascii.hexlify(policy.encode()).decode()
 
                 override_keylen = getattr(self, '_override_keylen', None)