3.3.6. Policies

Policies restrict and control how a session or an object may be used.

[Figure: policy types (policy-types.png)]

3.3.6.1. Policies applicable to different objects

| Object type | Applet 3.x | Applet 6.x | Applet 7.x |
|---|---|---|---|
| Common | forbid_All, can_Delete, req_Sm, req_pcr_val | forbid_All, can_Delete, req_Sm, req_pcr_val | forbid_All, can_Delete, req_Sm, req_pcr_val, can_Read, can_Write |
| Symmetric objects | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, can_Wrap, can_Desfire_Auth, can_Desfire_Dump, can_KD, can_Write, can_Gen | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, forbid_Derived_Output, allow_kdf_ext_rnd, can_Wrap, can_Desfire_Auth, can_Desfire_Dump, can_KD, can_Write, can_Gen | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, forbid_Derived_Output, can_TLS_KDF, allow_kdf_ext_rnd, can_TLS_PMS_KD, can_HKDF, can_PBKDF, can_Wrap, can_Desfire_Auth, can_Desfire_Dump, can_Desfire_KD, forbid_external_iv, can_usage_hmac_pepper |
| Asymmetric objects | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, can_Gen, can_KA, can_Attest, can_Read, can_Write, can_KD, can_Wrap | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, forbid_Derived_Output, can_Gen, can_KA, can_Attest, can_Read, can_Write, can_KD, can_Wrap | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, forbid_Derived_Output, can_Gen, can_KA, can_Attest, |
| User Id | can_Write | can_Write | can_Write |
| File policy | can_Read, can_Write | can_Read, can_Write | can_Read, can_Write |
| Counter policy | can_Read, can_Write | can_Read, can_Write | can_Read, can_Write |
| PCR policy | can_Read, can_Write | can_Read, can_Write | can_Read, can_Write |

Note

  1. The can_Read and can_Write policies moved from the symmetric and asymmetric object policies to the common policy in applet 7.x. PLEASE UPDATE THE APPLICATIONS ACCORDINGLY.

  2. Policies that are not valid for an object are rejected at the SSS software layer; this only produces a warning message, not an error, so check the log to confirm that every intended policy was actually applied.

3.3.6.2. Usage

A policy can be declared as follows:

    /* Policies for key */
    const sss_policy_u key_withPol = {
        .type = KPolicy_Asym_Key,
        /* Authentication object based on SE05X_AUTH */
        .auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,
        .policy = {
            /* Asymmetric key policy */
            .asymmkey = {
                /* Policy for sign (allow_sign / allow_verify are flags chosen by the caller) */
                .can_Sign = allow_sign,
                /* Policy for verify */
                .can_Verify = allow_verify,
                /* Policy for encrypt */
                .can_Encrypt = 1,
                /* Policy for decrypt */
                .can_Decrypt = 1,
                /* Policy for key derivation */
                .can_KD = 1,
                /* Policy for wrapped object */
                .can_Wrap = 1,
                /* Policy to re-write object */
                .can_Write = 1,
                /* Policy for reading object */
                .can_Read = 1,
                /* On applet 7.x, can_Write and can_Read belong to the common policy instead (see note above) */
                /* Policy to use object for attestation */
                .can_Attest = 1,
            }
        }
    };

    /* Common rules */
    const sss_policy_u common = {
        .type = KPolicy_Common,
        /* Authentication object based on SE05X_AUTH */
        .auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,
        .policy = {
            .common = {
                /* Secure messaging required */
                .req_Sm = 0,
                /* Policy to delete object */
                .can_Delete = 1,
                /* Forbid all operations on object */
                .forbid_All = 0,
            }
        }
    };

    /* Create policy set */
    sss_policy_t policy_for_ec_key = {
        .nPolicies = 2,
        .policies = { &key_withPol, &common }
    };

To create an object with that policy set, pass it to the key generation call:

    status = sss_key_store_generate_key(
        &pCtx->ks,
        &object,
        ECC_KEY_BIT_LEN,
        &policy_for_ec_key);

Note

When a policy set contains any of KPolicy_Common_PCR_Value, KPolicy_Desfire_Changekey_Auth_Id and KPolicy_Derive_Master_Key_Id, always add those policies to the sss_policy_t variable in the following relative order:

`Common_PCR_Value`, `Desfire_Changekey_Auth_Id`, `Derive_Master_Key_Id`

Example:

    const sss_policy_u pcr_val_policy = {
        .type = KPolicy_Common_PCR_Value,
        .auth_obj_id = 0,
        .policy = { .common_pcr_value = {} }
    };

    const sss_policy_u desfire_change_key_auth_id_policy = {
        .type = KPolicy_Desfire_Changekey_Auth_Id,
        .auth_obj_id = 0,
        .policy = { .desfire_auth_id = {} }
    };

    const sss_policy_u master_key_id_policy = {
        .type = KPolicy_Derive_Master_Key_Id,
        .auth_obj_id = 0,
        .policy = { .master_key_id = {} }
    };

    // create policy as,
    sss_policy_t key_policy = {
        .nPolicies = 3,
        .policies = { &pcr_val_policy, &desfire_change_key_auth_id_policy, &master_key_id_policy }
    };
    // OR
    sss_policy_t key_policy = {
        .nPolicies = 1,
        .policies = { &desfire_change_key_auth_id_policy }
    };
    // OR
    sss_policy_t key_policy = {
        .nPolicies = 2,
        .policies = { &pcr_val_policy, &master_key_id_policy }
    };
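Both rules in this section (the per-applet applicability of can_Read/can_Write from the table and note 1, and the ordering of the three special policy types from the note above) are enforced by the SSS layer only as warnings. The following stand-alone C program is an added example, not code from the Plug & Trust middleware: it lints a policy set for those two rules before the key-store call is made. The enum and structs are local stand-ins that reuse the names `KPolicy_*`, `nPolicies` and `policies` from the declarations above so that the check reads like the real code, but they are not the SDK's `sss_policy_u`/`sss_policy_t`; `check_policy_set` and its `applet_major` parameter are assumptions of this example, and the sample policy set in `main` is constructed.

```c
/* Added example (not middleware code): pre-flight lint of a policy set
 * against the per-applet table and the ordering note above. The types
 * below are local stand-ins borrowing sss_policy_u / sss_policy_t field
 * names; they are NOT the SDK headers, so this builds without the SDK. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the middleware's policy type enum (names from this page). */
typedef enum {
    KPolicy_Common,
    KPolicy_Common_PCR_Value,
    KPolicy_Desfire_Changekey_Auth_Id,
    KPolicy_Derive_Master_Key_Id,
    KPolicy_Sym_Key,
    KPolicy_Asym_Key
} policy_type_t;

/* Stand-in for sss_policy_u, flattened to the two flags this check inspects.
 * File, counter and PCR object policies are not modelled here. */
typedef struct {
    policy_type_t type;
    uint32_t auth_obj_id;
    uint8_t can_Read;
    uint8_t can_Write;
} policy_t;

/* Stand-in for sss_policy_t. */
typedef struct {
    size_t nPolicies;
    const policy_t *policies[8];
} policy_set_t;

enum rw_flag { FLAG_READ, FLAG_WRITE };

/* Where can_Read / can_Write may be set, per the table and note 1:
 * applet 7.x keeps both in the common policy; 3.x/6.x keep them in the
 * key policies (asymmetric: both; symmetric: can_Write only). */
static int rw_flag_allowed(policy_type_t type, enum rw_flag f, int applet_major)
{
    if (applet_major >= 7)
        return type == KPolicy_Common;
    if (type == KPolicy_Asym_Key)
        return 1;
    if (type == KPolicy_Sym_Key)
        return f == FLAG_WRITE;
    return 0;
}

/* Required relative order of the three special types; -1 = unconstrained. */
static int order_rank(policy_type_t type)
{
    switch (type) {
    case KPolicy_Common_PCR_Value:          return 0;
    case KPolicy_Desfire_Changekey_Auth_Id: return 1;
    case KPolicy_Derive_Master_Key_Id:      return 2;
    default:                                return -1;
    }
}

/* Returns the number of problems found (0 = clean) and reports each on
 * stderr. applet_major is the SE05x applet major version (3, 6 or 7). */
int check_policy_set(const policy_set_t *set, int applet_major)
{
    int problems = 0;
    int last_rank = -1;

    for (size_t i = 0; i < set->nPolicies; i++) {
        const policy_t *p = set->policies[i];

        /* Ordering rule: PCR_Value, then Desfire_Changekey_Auth_Id,
         * then Derive_Master_Key_Id (subsets allowed, order fixed). */
        int rank = order_rank(p->type);
        if (rank >= 0) {
            if (rank < last_rank) {
                fprintf(stderr, "policy[%zu]: special policy type out of required order\n", i);
                problems++;
            }
            last_rank = rank;
        }

        /* Placement rule: a flag set where this applet does not accept it is
         * exactly what the SSS layer would drop with only a warning. */
        if (p->can_Read && !rw_flag_allowed(p->type, FLAG_READ, applet_major)) {
            fprintf(stderr, "policy[%zu]: can_Read not valid here on applet %d.x\n", i, applet_major);
            problems++;
        }
        if (p->can_Write && !rw_flag_allowed(p->type, FLAG_WRITE, applet_major)) {
            fprintf(stderr, "policy[%zu]: can_Write not valid here on applet %d.x\n", i, applet_major);
            problems++;
        }
    }
    return problems;
}

int main(void)
{
    /* Constructed sample: same shape as key_withPol + common above, with
     * can_Read/can_Write on the asymmetric key policy. */
    const policy_t asym   = { .type = KPolicy_Asym_Key, .can_Read = 1, .can_Write = 1 };
    const policy_t common = { .type = KPolicy_Common };
    const policy_set_t set = { .nPolicies = 2, .policies = { &asym, &common } };

    printf("applet 6.x: %d problem(s)\n", check_policy_set(&set, 6)); /* 0 */
    printf("applet 7.x: %d problem(s)\n", check_policy_set(&set, 7)); /* 2 */
    return 0;
}
```

Run against the applet version actually fielded: the same set that is clean on 6.x reports two misplaced flags on 7.x, which is the migration note 1 warns about.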

3.3.6.3. APIs

See SSS Policy types and APIs