ractools

package
v0.0.0-...-9b07614 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 7, 2023 License: MulanPSL-2.0 Imports: 20 Imported by: 0

Documentation

Overview

ractools is responsible for obtaining various data information required for RA

Index

Constants

View Source 
const (
	//   on TCG EK Credential Profile For TPM Family 2.0
	//   Level 0 Version 2.4 Revision 3
	//   https://trustedcomputinggroup.org/resource/tcg-ek-credential-profile-for-tpm-family-2-0/
	//      0x01C00002      RSA 2048 EK Certificate
	//      0x01C00003      RSA 2048 EK Nonce
	//      0x01C00004      RSA 2048 EK Template
	//      0x01C0000A      ECC NIST P256 EK Certificate
	//      0x01C0000B      ECC NIST P256 EK Nonce
	//      0x01C0000C      ECC NIST P256 EK Template
	//      0x01C00012      RSA 2048 EK Certificate (H-1)
	//      0x01C00014      ECC NIST P256 EK Certificate (H-2)
	//      0x01C00016      ECC NIST P384 EK Certificate (H-3)
	//      0x01C00018      ECC NIST P512 EK Certificate (H-4)
	//      0x01C0001A      ECC SM2_P256 EK Certificate (H-5)
	//      0x01C0001C      RSA 3072 EK Certificate (H-6)
	//      0x01C0001E      RSA 4096 EK Certificate (H-7)
	// IndexRsa2048EKCert means RSA 2048 EK Certificate index
	IndexRsa2048EKCert uint32 = 0x01C00002
	// IndexRsa2048EKNonce means RSA 2048 EK Nonce index
	IndexRsa2048EKNonce uint32 = 0x01C00003
	// IndexRsa2048EKTemplate means RSA 2048 EK Template index
	IndexRsa2048EKTemplate uint32 = 0x01C00004
	// IndexECCP256EKCert means ECC NIST P256 EK Certificate index
	IndexECCP256EKCert uint32 = 0x01C0000A
	// IndexECCP256EKNonce means ECC NIST P256 EK Nonce index
	IndexECCP256EKNonce uint32 = 0x01C0000B
	// IndexECCP256EKTemplate means ECC NIST P256 EK Template index
	IndexECCP256EKTemplate uint32 = 0x01C0000C
	// IndexRsa2048EKCertH1 means RSA 2048 EK Certificate (H-1) index
	IndexRsa2048EKCertH1 uint32 = 0x01C00012
	// IndexECCP256EKCertH2 means ECC NIST P256 EK Certificate (H-2) index
	IndexECCP256EKCertH2 uint32 = 0x01C00014
	// IndexECCP384EKCertH3 means ECC NIST P384 EK Certificate (H-3) index
	IndexECCP384EKCertH3 uint32 = 0x01C00016
	// IndexECCP512EKCertH4 means ECC NIST P512 EK Certificate (H-4) index
	IndexECCP512EKCertH4 uint32 = 0x01C00018
	// IndexSM2P256EKCertH5 means ECC SM2_P256 EK Certificate (H-5) index
	IndexSM2P256EKCertH5 uint32 = 0x01C0001A
	// IndexRsa3072EKCertH6 means RSA 3072 EK Certificate (H-6) index
	IndexRsa3072EKCertH6 uint32 = 0x01C0001C
	// IndexRsa4096EKCertH7 means RSA 4096 EK Certificate (H-7) index
	IndexRsa4096EKCertH7 uint32 = 0x01C0001E

	// TestImaLogPath means the path to the test case ima log
	TestImaLogPath = "./ascii_runtime_measurements"
	// TestBiosLogPath means the path to the test case bios log
	TestBiosLogPath = "./binary_bios_measurements"
	// TestSeedPath means the path to the test case seed
	TestSeedPath = "./simulator_seed"
	// ImaLogPath means the path to the ima log
	ImaLogPath = "/sys/kernel/security/ima/ascii_runtime_measurements"
	// BiosLogPath means the path to the bios log
	BiosLogPath = "/sys/kernel/security/tpm0/binary_bios_measurements"
	// AlgSM3 means the code name of the SM3 algorithm
	AlgSM3 = 0x0012
)

Variables

View Source 
var (
	// ErrWrongParams means wrong input parameter error
	ErrWrongParams = errors.New("wrong input parameter")
	// ErrFailTPMInit means couldn't start tpm or init key/certificate
	ErrFailTPMInit = errors.New("couldn't start tpm or init key/certificate")
	// ErrReadPCRFail means failed to read all PCRs
	ErrReadPCRFail = errors.New("failed to read all PCRs")
	// ErrNotSupportedHashAlg means the set hash algorithm  is not supported
	ErrNotSupportedHashAlg = errors.New("the set hash algorithm  is not supported")

	// according to TCG specification, B.3.3  Template L-1: RSA 2048 (Storage)
	// https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p4_r3.pdf
	// EKParams means ek parameters
	EKParams = tpm2.Public{
		Type:    tpm2.AlgRSA,
		NameAlg: tpm2.AlgSHA256,
		Attributes: tpm2.FlagFixedTPM | tpm2.FlagFixedParent | tpm2.FlagSensitiveDataOrigin |
			tpm2.FlagAdminWithPolicy | tpm2.FlagDecrypt | tpm2.FlagRestricted,

		AuthPolicy: tpmutil.U16Bytes{0x83, 0x71, 0x97, 0x67, 0x44, 0x84,
			0xB3, 0xF8, 0x1A, 0x90, 0xCC, 0x8D,
			0x46, 0xA5, 0xD7, 0x24, 0xFD, 0x52,
			0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
			0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14,
			0x69, 0xAA},
		RSAParameters: &tpm2.RSAParams{
			Symmetric: &tpm2.SymScheme{
				Alg:     tpm2.AlgAES,
				KeyBits: 128,
				Mode:    tpm2.AlgCFB,
			},
			KeyBits:     2048,
			ExponentRaw: 0,
			ModulusRaw: tpmutil.U16Bytes{
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
		},
	}

	// according to TCG specification, 7.3.4.2 Template H-1: RSA 2048
	// https://trustedcomputinggroup.org/wp-content/uploads/TPM-2p0-Keys-for-Device-Identity-and-Attestation_v1_r12_pub10082021.pdf
	// IKParams means ik parameters
	IKParams = tpm2.Public{
		Type:    tpm2.AlgRSA,
		NameAlg: tpm2.AlgSHA256,
		Attributes: tpm2.FlagFixedTPM | tpm2.FlagFixedParent | tpm2.FlagSensitiveDataOrigin |
			tpm2.FlagUserWithAuth | tpm2.FlagSign | tpm2.FlagRestricted,

		RSAParameters: &tpm2.RSAParams{
			Sign: &tpm2.SigScheme{
				Alg:  tpm2.AlgRSASSA,
				Hash: tpm2.AlgSHA256,
			},
			KeyBits:     2048,
			ExponentRaw: 0,
		},
	}
)

Functions

func ActivateIKCert 

func ActivateIKCert(in *IKCertInput) ([]byte, error)

ActivateIKCert decrypts the IkCert from the input, and return it in PEM format

func CloseTPM 

func CloseTPM()

CloseTPM closes an open tpm device and flushes tpm resources.

func DefineNVRAM 

func DefineNVRAM(idx uint32, size uint16) error

DefineNVRAM defines the index space as size length in the NVRAM

func GenerateEKey 

func GenerateEKey() error

GenerateEKey generates the ek key by tpm2, gets the handle and public part

func GenerateIKey 

func GenerateIKey() error

GenerateIKey generates the ik key as a primary key by tpm2, gets the handle, public and name fields to use later

func GetClientInfo 

func GetClientInfo() (string, error)

GetClientInfo returns json format client information.

func GetEKPub 

func GetEKPub() crypto.PublicKey

GetEKPub returns EK public key

func GetIKName 

func GetIKName() []byte

GetIKName returns IK name

func GetIKPub 

func GetIKPub() crypto.PublicKey

GetIKPub returns IK public key

func GetTrustReport 

func GetTrustReport(
	clientID int64,
	nonce uint64,
	algStr string,
	taTestMode bool,
	qcaserver string) (*typdefs.TrustReport, error)

GetTrustReport takes a nonce input, generates the current trust report

func OpenTPM 

func OpenTPM(useHW bool, conf *TPMConfig, seed int64) error

OpenTPM uses either a physical TPM device(default/useHW=true) or a simulator(-t/useHW=false), returns a global TPM object variable.

func PreparePCRsTest 

func PreparePCRsTest() error

PreparePCRsTest method replay the bios/ima manifests into pcrs in test mode.

func ReadNVRAM 

func ReadNVRAM(idx uint32) ([]byte, error)

ReadNVRAM reads the data at index from the NVRAM

func SetDigestAlg 

func SetDigestAlg(alg string) error

SetDigestAlg method update the Digest alg used to get pcrs and to do the quote.

func UndefineNVRAM 

func UndefineNVRAM(idx uint32) error

UndefineNVRAM frees the index space in the NVRAM

func WriteNVRAM 

func WriteNVRAM(idx uint32, data []byte) error

WriteNVRAM writes the data at index into the NVRAM

Types

type IKCertInput 

type IKCertInput struct {
	// CredBlob & EncryptedSecret are created by MakeCredential, and will be given as input to ActivateCredential
	CredBlob        []byte // the protected key used to encrypt IK Cert
	EncryptedSecret []byte // the pretected secret related to protection of CredBlob
	// EncryptedCert is the encrypted IK Cert,
	// will be decypted with the key recovered from CredBlob & EncryptedSecret,
	// decrypted Cert will be in PEM format
	EncryptedCert []byte
	// if DecryptAlg == "AES128-CBC"
	// then it is the IV used to decrypt IK Cert together with the key recovered from CredBlob & EncryptedSecret
	DecryptAlg   string // the algorithm & scheme used to decrypt the IK Cert
	DecryptParam []byte // the parameter required by the decrypt algorithm to decrypt the IK Cert
}

IKCertInput means ik cert information, and will be used to activate ik cert

type TPMConfig 

type TPMConfig struct {
	IMALogPath    string
	BIOSLogPath   string
	ReportHashAlg string
	SeedPath      string
}

TPMConfig means tpm config information

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.