
I'd like to define a TPM access policy that allowlists multiple different values for certain PCRs. Hence, I'd like a policy like this:

(PolicyOR(PolicyPCR(value1,pcr4),PolicyPCR(value2,pcr4),PolicyPCR(value3,pcr4)) AND PolicyOR(PolicyPCR(value4,pcr7),PolicyPCR(value5,pcr7)) AND
PolicyOR(PolicyPCR(value6,pcr9),PolicyPCR(value7,pcr9)))

Or in other words: I want to list three different allowed hash values for PCR4, 2 values for PCR 7, and another two values for PCR 9.

Does TPM2 allow policy expressions like this? How would I fulfill them?

The part I don't get: let's say I pick the first option on each PCR, i.e. value1 on pcr4, value4 on pcr7 and value6 on pcr9. I can start with submitting PolicyPCR(value1,pcr4) to the TPM. Then I can submit PolicyOR to it, with hashes of the three branches. Good so far. But what do I do next? I'd need to start at zero now, for the second AND term, but I don't want to lose the policy state I already set up. So how does this work? Does this work at all?

user175104

1 Answer


That is possible. Each policy assertion (using a TPM2_Policy... command) extends the existing policyDigest hash. Therefore, if you just chain policies, you achieve a logical AND of these policies (in that exact order). Initially, policyDigest starts at 0x00..00.

policyDigest_{new} = Hash(policyDigest_{old} || policyAssertion)

PolicyAssertion is the result of a policy in the form of a hash. E.g. the PolicyAssertion of PolicyOR (which includes three PolicyPCRs) is as follows. D_0, D_1 and D_2 you will probably have to pre-calculate on the host side.

policyAssertion_{PolicyOR}:=Hash(D_0 || D_1 || D_2 )

D_0 = Hash(\mathrm{0x00...00} || PolicyAssertion_{PolicyPCR_A})

D_1 = Hash(\mathrm{0x00...00} || PolicyAssertion_{PolicyPCR_B})

D_2 = Hash(\mathrm{0x00...00} || PolicyAssertion_{PolicyPCR_C})

The end result of all your policies is a single hash value policyDigest which is stored in the authPolicy of the TPM entity to be access controlled.

When you want to access your TPM entity, you start a session (TPM2_StartAuthSession) and call the different TPM2_Policy... commands. Each policy command changes the policyDigest of your session. If you can achieve that the policyDigest of the session is equal to the authPolicy of the entity, you can access the entity.

MemAllox
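The following is an added worked example (not part of the question or the answer above) that computes the authPolicy for the asker's "AND of three ORs" on the host side and then simulates a session walking one branch of it. It follows the TPM 2.0 Library Specification Part 3 digest updates rather than the answer's simplified notation: TPM2_PolicyPCR extends the current digest with its 4-byte command code, the marshalled PCR selection and the hash of the PCR value, and TPM2_PolicyOR first checks that the current digest is one of its branch digests, then resets to the zero digest and extends it with its command code and all branch digests. One consequence worth seeing in code: only the branches of the first OR start from the zero digest; the branches of every later OR start from the digest that the previous OR produced, which is how the chain survives the "start at zero" the asker worried about. PCR values, the SHA-256 bank and a three-byte PCR selection are constructed assumptions; there is no real TPM involved.

```python
import hashlib
import struct

# TPM 2.0 command codes (TPM_CC_*) that go into the policy digest.
TPM_CC_POLICYOR = 0x00000171
TPM_CC_POLICYPCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B          # policy session hash algorithm (assumed)
ZERO_DIGEST = bytes(32)          # a fresh policy session starts here


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of all parts (the policy hash)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def pcr_selection_sha256(pcr_index: int) -> bytes:
    """Marshal a TPML_PCR_SELECTION that selects one PCR in the SHA-256 bank:
    count (UINT32) || hashAlg (UINT16) || sizeofSelect (UINT8) || pcrSelect[3]."""
    bitmap = bytearray(3)
    bitmap[pcr_index // 8] |= 1 << (pcr_index % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr(digest: bytes, pcr_index: int, pcr_value: bytes) -> bytes:
    """TPM2_PolicyPCR: new = H(old || TPM_CC_PolicyPCR || pcrs || H(pcrValues))."""
    return H(digest, struct.pack(">I", TPM_CC_POLICYPCR),
             pcr_selection_sha256(pcr_index), H(pcr_value))


def policy_or(branches: list) -> bytes:
    """TPM2_PolicyOR: new = H(ZERO || TPM_CC_PolicyOR || d0 || d1 || ...)."""
    if not 2 <= len(branches) <= 8:
        raise ValueError("TPM2_PolicyOR takes between 2 and 8 branch digests")
    return H(ZERO_DIGEST, struct.pack(">I", TPM_CC_POLICYOR), b"".join(branches))


def build_auth_policy(allowlist: list) -> bytes:
    """Host-side computation of the authPolicy for
    OR(PCR a in {..}) AND OR(PCR b in {..}) AND ... in the given order.
    allowlist is a list of (pcr_index, [allowed_values])."""
    digest = ZERO_DIGEST
    for pcr_index, values in allowlist:
        # Every branch of this OR starts from the digest reached so far,
        # which is the zero digest only for the first OR term.
        branches = [policy_pcr(digest, pcr_index, v) for v in values]
        digest = policy_or(branches)
    return digest


def satisfy(allowlist: list, actual_values: list) -> bytes:
    """Simulate the policy session: for each PCR, TPM2_PolicyPCR with the
    value the TPM actually holds, then TPM2_PolicyOR with the branch list.
    Like the TPM, PolicyOR refuses when the current digest is not a branch."""
    digest = ZERO_DIGEST
    for (pcr_index, values), actual in zip(allowlist, actual_values):
        branches = [policy_pcr(digest, pcr_index, v) for v in values]
        digest = policy_pcr(digest, pcr_index, actual)
        if digest not in branches:
            raise PermissionError(f"PCR{pcr_index} value is not allowlisted")
        digest = policy_or(branches)
    return digest


# Constructed sample PCR values (value1..value7 from the question).
V1, V2, V3, V4, V5, V6, V7 = (bytes([i]) * 32 for i in range(1, 8))
ALLOWLIST = [(4, [V1, V2, V3]), (7, [V4, V5]), (9, [V6, V7])]

if __name__ == "__main__":
    auth_policy = build_auth_policy(ALLOWLIST)
    print("authPolicy:", auth_policy.hex())
    # Any combination of allowlisted values reproduces the same digest.
    assert satisfy(ALLOWLIST, [V1, V4, V6]) == auth_policy
    assert satisfy(ALLOWLIST, [V3, V5, V7]) == auth_policy
    try:
        satisfy(ALLOWLIST, [V1, V4, V1])   # V1 is not allowed for PCR 9
    except PermissionError as e:
        print("rejected as expected:", e)
```

The session order matters: the TPM computes the same chain, so the PolicyPCR for PCR 7 must be issued after the PolicyOR for PCR 4 and before the PolicyOR for PCR 7, each PolicyOR being given the branch digests precomputed for that position in the chain. Reordering the terms, or reusing zero-based branch digests for the second and third OR, yields a digest that never matches the stored authPolicy.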