3.3.6. Policies
Policies restrict and control how a session or an object may be used.

3.3.6.1. Policies applicable to different objects
| Object Type | Applet 3.x | Applet 6.x | Applet 7.x |
|---|---|---|---|
| common | forbid_All, can_Delete, req_Sm, req_pcr_val | forbid_All, can_Delete, req_Sm, req_pcr_val | forbid_All, can_Delete, req_Sm, req_pcr_val, can_Read, can_Write |
| Symmetric objects | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, can_Wrap, can_Desfire_Auth, can_Desfire_Dump, can_KD, can_Write, can_Gen | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, forbid_Derived_Output, allow_kdf_ext_rnd, can_Wrap, can_Desfire_Auth, can_Desfire_Dump, can_KD, can_Write, can_Gen | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, forbid_Derived_Output, can_TLS_KDF, allow_kdf_ext_rnd, can_TLS_PMS_KD, can_HKDF, can_PBKDF, can_Wrap, can_Desfire_Auth, can_Desfire_Dump, can_Desfire_KD, forbid_external_iv, can_usage_hmac_pepper |
| Asymmetric objects | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, can_Gen, can_KA, can_Attest, can_Read, can_Write, can_KD, can_Wrap | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, forbid_Derived_Output, can_Gen, can_KA, can_Attest, can_Read, can_Write, can_KD, can_Wrap | can_Sign, can_Verify, can_Encrypt, can_Decrypt, can_Import_Export, forbid_Derived_Output, can_Gen, can_KA, can_Attest, |
| User Id | can_Write | can_Write | can_Write |
| File policy | can_Read, can_Write | can_Read, can_Write | can_Read, can_Write |
| Counter policy | can_Read, can_Write | can_Read, can_Write | can_Read, can_Write |
| PCR policy | can_Read, can_Write | can_Read, can_Write | can_Read, can_Write |
Note
The can_Read and can_Write policies are moved from the symmetric and asymmetric object policies to the common policy in applet 7.x. PLEASE UPDATE THE APPLICATIONS ACCORDINGLY.
Invalid policies on objects are rejected at the SSS software layer and only result in a warning message.
3.3.6.2. Usage
A policy is declared as a set of sss_policy_u entries (one per policy type) that are then grouped into an sss_policy_t, for example:

```c
/* Policies for the key itself */
const sss_policy_u key_withPol = {
    .type = KPolicy_Asym_Key,
    /* Authentication object based on SE05X_AUTH */
    .auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,
    .policy = {
        /* Asymmetric key policy */
        .asymmkey = {
            /* Policy for sign */
            .can_Sign = allow_sign,
            /* Policy for verify */
            .can_Verify = allow_verify,
            /* Policy for encrypt */
            .can_Encrypt = 1,
            /* Policy for decrypt */
            .can_Decrypt = 1,
            /* Policy for key derivation */
            .can_KD = 1,
            /* Policy for wrapped object */
            .can_Wrap = 1,
            /* Policy to re-write object */
            .can_Write = 1,
            /* Policy for reading object */
            .can_Read = 1,
            /* Policy to use object for attestation */
            .can_Attest = 1,
        }
    }
};

/* Common rules */
const sss_policy_u common = {
    .type = KPolicy_Common,
    /* Authentication object based on SE05X_AUTH */
    .auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,
    .policy = {
        .common = {
            /* Secure Messaging */
            .req_Sm = 0,
            /* Policy to delete object */
            .can_Delete = 1,
            /* Forbid all operations on object */
            .forbid_All = 0,
        }
    }
};

/* Create the policy set */
sss_policy_t policy_for_ec_key = {
    .nPolicies = 2,
    .policies = { &key_withPol, &common }
};
```
To create an object with that policy set, pass it to the key generation call:

```c
status = sss_key_store_generate_key(
    &pCtx->ks,
    &object,
    ECC_KEY_BIT_LEN,
    &policy_for_ec_key);
```
Note
When creating a policy set that includes KPolicy_Common_PCR_Value, KPolicy_Desfire_Changekey_Auth_Id or KPolicy_Derive_Master_Key_Id, always add those policies to the sss_policy_t variable in the following order:
`Common_PCR_Value` , `Desfire_Changekey_Auth_Id` , `Derive_Master_Key_Id`
Example:

```c
const sss_policy_u pcr_val_policy = {
    .type        = KPolicy_Common_PCR_Value,
    .auth_obj_id = 0,
    .policy      = { .common_pcr_value = { 0 } } /* zero-initialised; set the PCR fields for your use case */
};
const sss_policy_u desfire_change_key_auth_id_policy = {
    .type        = KPolicy_Desfire_Changekey_Auth_Id,
    .auth_obj_id = 0,
    .policy      = { .desfire_auth_id = { 0 } }  /* zero-initialised; set the auth id fields for your use case */
};
const sss_policy_u master_key_id_policy = {
    .type        = KPolicy_Derive_Master_Key_Id,
    .auth_obj_id = 0,
    .policy      = { .master_key_id = { 0 } }    /* zero-initialised; set the master key id for your use case */
};

/* Create the policy set as any one of the following (use exactly one definition).
 * Each keeps the relative order PCR value, DESFire change-key auth id, master key id. */
sss_policy_t key_policy = { .nPolicies = 3,
    .policies = { &pcr_val_policy, &desfire_change_key_auth_id_policy, &master_key_id_policy } };
// OR
sss_policy_t key_policy = { .nPolicies = 1,
    .policies = { &desfire_change_key_auth_id_policy } };
// OR
sss_policy_t key_policy = { .nPolicies = 2,
    .policies = { &pcr_val_policy, &master_key_id_policy } };
```
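Two things on this page are easy to get wrong at build time and are only reported as a warning by the SSS layer: requesting can_Read/can_Write in an asymmetric policy on applet 7.x (3.3.6.1, where they moved to the common policy) and listing the PCR, DESFire and master-key policy types out of order (the note above). The C program below is an added example, not code from this page or from the Plug & Trust middleware: it does not include the SSS headers, so the capability bits and policy-type tags are its own stand-ins (the names F_CAN_*, OBJ_*, POL_* are invented here), and the allowed sets are transcribed from the table in 3.3.6.1. It checks a requested capability set and a policy-type sequence before the object is created.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Capability bits: a stand-in for the bit-fields of the SSS policy unions
 * (sss_policy_asymmkey_u, sss_policy_common_u); the real headers are not used. */
enum {
    F_CAN_SIGN = 1u << 0,     F_CAN_VERIFY = 1u << 1,   F_CAN_ENCRYPT = 1u << 2,
    F_CAN_DECRYPT = 1u << 3,  F_CAN_IMPORT_EXPORT = 1u << 4,
    F_FORBID_DERIVED_OUTPUT = 1u << 5,                   F_CAN_GEN = 1u << 6,
    F_CAN_KA = 1u << 7,       F_CAN_ATTEST = 1u << 8,   F_CAN_READ = 1u << 9,
    F_CAN_WRITE = 1u << 10,   F_CAN_KD = 1u << 11,      F_CAN_WRAP = 1u << 12,
    F_FORBID_ALL = 1u << 13,  F_CAN_DELETE = 1u << 14,  F_REQ_SM = 1u << 15,
    F_REQ_PCR_VAL = 1u << 16,
};

#define ASYM_BASE   (F_CAN_SIGN | F_CAN_VERIFY | F_CAN_ENCRYPT | F_CAN_DECRYPT | \
                     F_CAN_IMPORT_EXPORT | F_CAN_GEN | F_CAN_KA | F_CAN_ATTEST)
#define COMMON_BASE (F_FORBID_ALL | F_CAN_DELETE | F_REQ_SM | F_REQ_PCR_VAL)

typedef enum { OBJ_ASYM_KEY, OBJ_COMMON } obj_kind_t;

/* Allowed capabilities per object kind and applet major version, transcribed from
 * the table in 3.3.6.1. The applet 7.x asymmetric row is reproduced only as far as
 * the table shows it (through can_Attest). Unknown versions get an empty set. */
unsigned allowed_flags(obj_kind_t kind, int applet_major) {
    switch (kind) {
    case OBJ_ASYM_KEY:
        if (applet_major == 3)
            return ASYM_BASE | F_CAN_READ | F_CAN_WRITE | F_CAN_KD | F_CAN_WRAP;
        if (applet_major == 6)
            return ASYM_BASE | F_FORBID_DERIVED_OUTPUT | F_CAN_READ | F_CAN_WRITE |
                   F_CAN_KD | F_CAN_WRAP;
        if (applet_major == 7)
            return ASYM_BASE | F_FORBID_DERIVED_OUTPUT;
        return 0;
    case OBJ_COMMON:
        if (applet_major == 3 || applet_major == 6)
            return COMMON_BASE;
        if (applet_major == 7)
            return COMMON_BASE | F_CAN_READ | F_CAN_WRITE; /* moved here in 7.x */
        return 0;
    }
    return 0;
}

/* Requested bits the table does not allow for this kind/version. Non-zero means the
 * SSS layer would reject the policy with only a warning, so fail early instead. */
unsigned rejected_flags(obj_kind_t kind, int applet_major, unsigned requested) {
    return requested & ~allowed_flags(kind, applet_major);
}

/* Stand-in for the policy-type tags of sss_policy_u; only the ordered members are
 * distinguished, everything else is POL_OTHER. */
typedef enum {
    POL_OTHER, POL_COMMON_PCR_VALUE, POL_DESFIRE_CHANGEKEY_AUTH_ID, POL_DERIVE_MASTER_KEY_ID
} policy_type_t;

/* Rank in the documented order: Common_PCR_Value, Desfire_Changekey_Auth_Id,
 * Derive_Master_Key_Id. 0 means no ordering constraint. */
static int order_rank(policy_type_t t) {
    switch (t) {
    case POL_COMMON_PCR_VALUE:          return 1;
    case POL_DESFIRE_CHANGEKEY_AUTH_ID: return 2;
    case POL_DERIVE_MASTER_KEY_ID:      return 3;
    default:                            return 0;
    }
}

/* True when the ordered policy types in `types` appear in the required order, each
 * at most once (this checker's choice). Unordered types may sit anywhere. */
bool policy_order_ok(const policy_type_t *types, size_t n) {
    int last = 0;
    for (size_t i = 0; i < n; i++) {
        int r = order_rank(types[i]);
        if (r == 0) continue;
        if (r <= last) return false; /* out of order, or the same type twice */
        last = r;
    }
    return true;
}

int main(void) {
    /* Constructed request: the asymmetric policy from 3.3.6.2 with can_Read and
     * can_Write, checked against applet 6.x and 7.x. */
    unsigned req = F_CAN_SIGN | F_CAN_VERIFY | F_CAN_ENCRYPT | F_CAN_DECRYPT |
                   F_CAN_WRITE | F_CAN_READ | F_CAN_ATTEST;
    printf("applet 6.x asym rejected mask: 0x%x\n", rejected_flags(OBJ_ASYM_KEY, 6, req));
    printf("applet 7.x asym rejected mask: 0x%x\n", rejected_flags(OBJ_ASYM_KEY, 7, req));
    policy_type_t set[] = { POL_OTHER, POL_COMMON_PCR_VALUE, POL_DERIVE_MASTER_KEY_ID };
    printf("order ok: %d\n", policy_order_ok(set, 3));
    return 0;
}
```

On applet 7.x the rejected mask for the constructed request is exactly can_Read | can_Write, which is the cue to move those two bits into the KPolicy_Common entry; the same bits pass on 6.x. The order check accepts any subset of the three ordered types as long as their relative order is preserved, which is what the three alternative key_policy definitions in the note rely on.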