tpmdriver

Published: Feb 25, 2025 License: Apache-2.0 Imports: 35 Imported by: 0


Constants

// Digest lengths, in bytes, of the hash algorithms that can appear in a TCG
// event log, plus the size limit and label used for BIOS/UEFI measurements.
const (
	// SHA1_DIGEST_LEN is also the size of the fixed Digest field of the
	// legacy TCG_EVENT structure.
	SHA1_DIGEST_LEN    = 20
	SHA256_DIGEST_LEN  = 32
	SHA384_DIGEST_LEN  = 48
	SHA512_DIGEST_LEN  = 64
	SM3_256_DIGEST_LEN = 32
	// MAX_TCG_EVENT_LEN bounds the event data of a single log entry;
	// presumably enforced while parsing the binary log — confirm in the parser.
	MAX_TCG_EVENT_LEN = 1024
	// EVENT_TYPE is the type label given to measurements taken from the
	// BIOS/UEFI measurement log (assumed; see GetBiosMeasurements).
	EVENT_TYPE = "Bios Measurement"
)

Constants for digests and TCG Events

Variables

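// STARTUP_LOCALITY_SIGNATURE is the 16-byte signature "StartupLocality\0"
// that identifies the startup-locality event in the measurement log. Being an
// array it cannot be a Go constant and therefore stays a package variable.
var STARTUP_LOCALITY_SIGNATURE = [16]byte{0x53, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x4C, 0x6F, 0x63, 0x61, 0x6C, 0x69, 0x74, 0x79, 0x0}

// TCG event type identifiers, i.e. the values carried in the EventType field
// of TCG_EVENT and TCG_EVENT2 (TCG PC Client Platform Firmware Profile).
//
// They used to be package-level variables and are now typed uint32 constants,
// so that the identifiers a log parser matches against cannot be altered at
// run time. A typed constant is assignable wherever the former variables were
// used; only taking the address of, or assigning to, one of them would no
// longer compile.
const (
	// Event types shared with the legacy (SHA-1) log format.
	EV_PREBOOT_CERT            uint32 = 0
	EV_POST_CODE               uint32 = 1
	EV_UNUSED                  uint32 = 2
	EV_NO_ACTION               uint32 = 3
	EV_SEPARATOR               uint32 = 4
	EV_ACTION                  uint32 = 5
	EV_EVENT_TAG               uint32 = 6
	EV_S_CRTM_CONTENTS         uint32 = 7
	EV_S_CRTM_VERSION          uint32 = 8
	EV_CPU_MICROCODE           uint32 = 9
	EV_PLATFORM_CONFIG_FLAGS   uint32 = 10
	EV_TABLE_OF_DEVICES        uint32 = 11
	EV_COMPACT_HASH            uint32 = 12
	EV_IPL                     uint32 = 13
	EV_IPL_PARTITION_DATA      uint32 = 14
	EV_NONHOST_CODE            uint32 = 15
	EV_NONHOST_CONFIG          uint32 = 16
	EV_NONHOST_INFO            uint32 = 17
	EV_OMIT_BOOT_DEVICE_EVENTS uint32 = 18
	EV_POST_CODE2              uint32 = 19

	// UEFI-specific event types; all carry the EV_EFI_EVENT_BASE bit.
	EV_EFI_EVENT_BASE                uint32 = 0x80000000
	EV_EFI_VARIABLE_DRIVER_CONFIG    uint32 = 0x80000001
	EV_EFI_VARIABLE_BOOT             uint32 = 0x80000002
	EV_EFI_BOOT_SERVICES_APPLICATION uint32 = 0x80000003
	EV_EFI_BOOT_SERVICES_DRIVER      uint32 = 0x80000004
	EV_EFI_RUNTIME_SERVICES_DRIVER   uint32 = 0x80000005
	EV_EFI_GPT_EVENT                 uint32 = 0x80000006
	EV_EFI_ACTION                    uint32 = 0x80000007
	EV_EFI_PLATFORM_FIRMWARE_BLOB    uint32 = 0x80000008
	EV_EFI_HANDOFF_TABLES            uint32 = 0x80000009
	EV_EFI_PLATFORM_FIRMWARE_BLOB2   uint32 = 0x8000000a
	EV_EFI_HANDOFF_TABLES2           uint32 = 0x8000000b
	EV_EFI_VARIABLE_BOOT2            uint32 = 0x8000000c
	EV_EFI_GPT_EVENT2                uint32 = 0x8000000d

	EV_EFI_HCRTM_EVENT uint32 = 0x80000010

	EV_EFI_VARIABLE_AUTHORITY    uint32 = 0x800000E0
	EV_EFI_SPDM_FIRMWARE_BLOB    uint32 = 0x800000e1
	EV_EFI_SPDM_FIRMWARE_CONFIG  uint32 = 0x800000e2
	EV_EFI_SPDM_DEVICE_POLICY    uint32 = 0x800000e3
	EV_EFI_SPDM_DEVICE_AUTHORITY uint32 = 0x800000e4
)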

Constants

// ErrUnsupportedAlgorithm is the sentinel error returned when an operation
// requires a signature algorithm that this package does not implement.
// Compare with errors.Is.
var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")

ErrUnsupportedAlgorithm results from attempting to perform an operation that involves algorithms that are not currently implemented.

// TPM is the package-level handle to the opened TPM. It is nil until the TPM
// has been opened; presumably OpenTpm stores the handle here and CloseTpm
// releases it — confirm against those functions.
var TPM *attest.TPM

Functions

func ActivateCredential added in v0.6.0

func ActivateCredential(
	tpm *attest.TPM, ak *attest.AK,
	activationCredential, activationSecret []byte,
) ([]byte, error)

func CloseTpm

func CloseTpm() error

CloseTpm closes the TPM

func CreateCertificateRequest added in v0.6.0

func CreateCertificateRequest(rand io.Reader, template *x509.CertificateRequest, priv any) (csr []byte, err error)

CreateCertificateRequest creates a new certificate request based on a template. The following members of template are used:

  • SignatureAlgorithm
  • Subject
  • DNSNames
  • EmailAddresses
  • IPAddresses
  • URIs
  • ExtraExtensions
  • Attributes (deprecated)

priv is the private key to sign the CSR with, and the corresponding public key will be included in the CSR. It must implement crypto.Signer and its Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey satisfies this.)

The returned slice is the certificate request in DER encoding.

This is a modified version of x509.CreateCertificateRequest which does not perform hashing and can therefore be used to create CSRs for restricted keys.

func GetAkQualifiedName

func GetAkQualifiedName() ([]byte, error)

GetAkQualifiedName gets the Attestation Key Qualified Name. According to Trusted Platform Module Library Part 1: Architecture:

Name = nameAlg || HASH (TPMS_NV_PUBLIC)
QName = HASH(QName_parent || Name)

func GetBiosMeasurements added in v0.6.0

func GetBiosMeasurements(file string) ([]ar.ReferenceValue, error)

GetBiosMeasurements retrieves the measurements recorded into the TPM PCRs by BIOS, UEFI and IPL. The file with the binary measurements (usually /sys/kernel/security/tpm0/binary_bios_measurements) must be specified

func GetMeasurement added in v0.6.0

func GetMeasurement(t *Tpm, nonce []byte, pcrs []int) ([]attest.PCR, *attest.Quote, error)

GetMeasurement retrieves the specified PCRs as well as a Quote over the PCRs and returns the TPM quote as well as the single PCR values

func GetTpmInfo added in v0.4.0

func GetTpmInfo() (*attest.TPMInfo, error)

GetTpmInfo retrieves general TPM information.

func IsTpmProvisioningRequired

func IsTpmProvisioningRequired(storagePath string) (bool, error)

IsTpmProvisioningRequired checks if the Storage Root Key (SRK) is persisted at 0x810000001 and the encrypted AK blob is present, which is used as an indicator that the TPM is provisioned and the AK can directly be loaded. This function uses the low-level go-tpm library directly as go-attestation does not provide such a functionality.

func OpenTpm

func OpenTpm() error

OpenTpm opens the TPM and stores the handle internally

Types

type ConstraintViolationError added in v0.6.0

// ConstraintViolationError results when a requested usage is not permitted by
// a certificate, for example checking a signature when the public key is not a
// certificate signing key. It carries no data; the message comes from Error.
type ConstraintViolationError struct{}

ConstraintViolationError results when a requested usage is not permitted by a certificate. For example: checking a signature when the public key isn't a certificate signing key.

func (ConstraintViolationError) Error added in v0.6.0

type ExtKeyUsage added in v0.6.0

// ExtKeyUsage represents an extended set of actions that are valid for a given
// key. Each of the ExtKeyUsage* constants defines a unique action.
type ExtKeyUsage int

ExtKeyUsage represents an extended set of actions that are valid for a given key. Each of the ExtKeyUsage* constants define a unique action.

// Extended key usages, numbered with iota in the same order as the constants
// of the same names in crypto/x509 (so the values line up; verify if the two
// are ever mixed).
const (
	ExtKeyUsageAny ExtKeyUsage = iota
	ExtKeyUsageServerAuth
	ExtKeyUsageClientAuth
	ExtKeyUsageCodeSigning
	ExtKeyUsageEmailProtection
	ExtKeyUsageIPSECEndSystem
	ExtKeyUsageIPSECTunnel
	ExtKeyUsageIPSECUser
	ExtKeyUsageTimeStamping
	ExtKeyUsageOCSPSigning
	ExtKeyUsageMicrosoftServerGatedCrypto
	ExtKeyUsageNetscapeServerGatedCrypto
	ExtKeyUsageMicrosoftCommercialCodeSigning
	ExtKeyUsageMicrosoftKernelCodeSigning
)

type KeyUsage added in v0.6.0

// KeyUsage represents the set of actions that are valid for a given key.
// It is a bitmap of the KeyUsage* constants, so several usages can be
// combined with bitwise OR.
type KeyUsage int

KeyUsage represents the set of actions that are valid for a given key. It's a bitmap of the KeyUsage* constants.

// Key usage bits. Each constant is a distinct bit (1 << iota), ordered as in
// crypto/x509, so a KeyUsage value is tested with a bitwise AND.
const (
	KeyUsageDigitalSignature KeyUsage = 1 << iota
	KeyUsageContentCommitment
	KeyUsageKeyEncipherment
	KeyUsageDataEncipherment
	KeyUsageKeyAgreement
	KeyUsageCertSign
	KeyUsageCRLSign
	KeyUsageEncipherOnly
	KeyUsageDecipherOnly
)

type TCG_EVENT added in v0.6.0

// TCG_EVENT is the header of a TCG event in the legacy (SHA-1 only) log
// format, as specified by the TPM specification. Its Digest is a fixed
// 20-byte field (SHA1_DIGEST_LEN); logs with other hash algorithms use
// TCG_EVENT2 instead.
type TCG_EVENT struct {
	// PcrIndex is the PCR the digest was extended into.
	PcrIndex uint32
	// EventType is one of the EV_* identifiers.
	EventType uint32
	// Digest is the SHA-1 digest recorded for the event.
	Digest [20]byte
	// EventDataSize is the length of the event data; presumably the data
	// follows this header in the log — confirm in the parser.
	EventDataSize uint32
}

TCG_EVENT is a TCG Event as specified by the TPM specification

type TCG_EVENT2 added in v0.6.0

// TCG_EVENT2 is a TCG event in the crypto-agile log format, as specified by
// the TPM specification. Unlike TCG_EVENT it can carry one digest per hash
// algorithm.
type TCG_EVENT2 struct {
	// PcrIndex is the PCR the digests were extended into.
	PcrIndex uint32
	// EventType is one of the EV_* identifiers.
	EventType uint32
	// TPML_DIGEST_VALUES holds the raw, still-encoded digest list; see the
	// TPML_DIGEST_VALUES type for the decoded form (assumed — verify).
	TPML_DIGEST_VALUES []byte
	// EventDataSize is the length of the event data that belongs to the event.
	EventDataSize uint32
}

TCG_EVENT2 is a TCG Event as specified by the TPM specification

type TPM2B_EVENT added in v0.6.0

// TPM2B_EVENT is a size-prefixed TPM event buffer as specified by the TPM
// specification.
type TPM2B_EVENT struct {
	// Size is the number of valid bytes in Buf.
	Size uint16
	// Buf holds the event bytes.
	Buf []byte
}

TPM2B_EVENT is a TPM event as specified by the TPM specification

type TPML_DIGEST_VALUES added in v0.6.0

// TPML_DIGEST_VALUES is the list of digests (one per hash algorithm) that were
// extended into a PCR for a single event.
type TPML_DIGEST_VALUES struct {
	// Count is the number of entries in Digests.
	Count uint32
	// Digests holds one tagged digest per algorithm.
	Digests []TPMT_HA
}

TPML_DIGEST_VALUES is a list of digests extended to PcrIndex

type TPMT_HA added in v0.6.0

// TPMT_HA is a hash-algorithm-tagged digest (the TPM 2.0 TPMT_HA structure).
type TPMT_HA struct {
	// AlgorithmId identifies the hash algorithm (a TPM_ALG_ID value; assumed).
	AlgorithmId uint16
	// Digest is the digest value; its length is expected to match the
	// algorithm's digest length (see the *_DIGEST_LEN constants).
	Digest []uint8
}

type Tpm

// Tpm is the TPM attestation driver. It implements the Measure method of the
// attestation report Measurer interface and is configured through Init.
// Because it contains a sync.Mutex the type is used through a pointer (all
// methods have pointer receivers) and must not be copied after first use.
type Tpm struct {
	// Mu serialises access to the TPM; Lock and Unlock operate on it.
	Mu sync.Mutex
	// Pcrs lists the PCR indices included in measurements (assumed; see
	// GetMeasurement, which takes the PCR list explicitly).
	Pcrs []int
	// IkChain and AkChain are the certificate chains of the identity key and
	// attestation key, returned by GetCertChain by key selection.
	IkChain []*x509.Certificate
	AkChain []*x509.Certificate
	// Ima enables inclusion of the IMA log; ImaPcr is the PCR it is
	// recorded in.
	Ima    bool
	ImaPcr int
	// MeasurementLog enables inclusion of the BIOS/UEFI measurement log.
	MeasurementLog bool
	// Ctr enables inclusion of the container log found at CtrLog, which is
	// recorded in CtrPcr (field meanings inferred from the names — confirm).
	Ctr    bool
	CtrPcr int
	CtrLog string
	// Serializer encodes the produced measurement.
	Serializer ar.Serializer
}

Tpm is a structure that implements the Measure method of the attestation report Measurer interface

func (*Tpm) GetCertChain added in v0.4.0

func (t *Tpm) GetCertChain(sel ar.KeySelection) ([]*x509.Certificate, error)

GetCertChain returns the certificate chain for the specified key

func (*Tpm) GetKeyHandles added in v0.8.0

func (t *Tpm) GetKeyHandles(sel ar.KeySelection) (crypto.PrivateKey, crypto.PublicKey, error)

GetKeyHandles returns private and public key handles as a generic crypto interface

func (*Tpm) Init added in v0.6.0

func (t *Tpm) Init(c *ar.DriverConfig) error

Init opens and initializes a TPM object, checks if provisioning is required and, if so, provisions the TPM

func (*Tpm) Lock added in v0.4.0

func (t *Tpm) Lock() error

func (*Tpm) Measure

func (t *Tpm) Measure(nonce []byte) (ar.Measurement, error)

Measure implements the attestation report's generic Measure interface, to be called as a plugin during attestation report generation

func (*Tpm) Name added in v0.8.0

func (t *Tpm) Name() string

Name returns the name of the driver

func (*Tpm) Unlock added in v0.4.0

func (t *Tpm) Unlock() error

type UnhandledCriticalExtension added in v0.6.0

// UnhandledCriticalExtension is returned when a certificate carries a critical
// extension that the verifier does not understand; it mirrors the type of the
// same name in crypto/x509 (assumed from the name — confirm in Error and the
// verification code).
type UnhandledCriticalExtension struct{}

func (UnhandledCriticalExtension) Error added in v0.6.0
