The `go-tpm-tools` module is a TPM 2.0 support library designed to complement Go-TPM.

It contains the following public packages:
- `client`: A Go package providing simplified abstractions and utility functions for interacting with a TPM 2.0, including:
  - Signing
  - Attestation
  - Reading PCRs
  - Sealing/Unsealing data
  - Importing Data and Keys
  - Reading NVData
  - Getting the TCG Event Log
- `server`: A Go package providing functionality for a remote server to send, receive, and interpret TPM 2.0 data. Nothing in this package issues TPM commands; instead it handles:
  - TCG Event Log parsing
  - Attestation verification
  - Creating data for Importing into a TPM
- `proto`: Common Protocol Buffer messages that are exchanged between the `client` and `server` libraries. This package also contains helper methods for validating these messages.
- `simulator`: Go bindings to Microsoft's TPM 2.0 simulator.
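
The TCG Event Log parsing and attestation verification listed under `server` come down to one check: replay the log's digests into PCR values and compare them with the PCRs in the TPM's signed quote. The block below is an added example written for this README, not code from go-tpm-tools; it handles the legacy SHA-1 TCG_PCR_EVENT record format (a TPM 2.0 firmware log uses the crypto-agile TCG_PCR_EVENT2 format, which carries one digest per PCR bank but is replayed the same way), checking every length against the buffer so a corrupt log fails cleanly.

```go
package main

import (
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Event is one record of the legacy (SHA-1) TCG_PCR_EVENT log format.
type Event struct {
	PCRIndex, EventType uint32
	Digest              [20]byte
	Data                []byte
}

// ParseLegacyLog walks little-endian TCG_PCR_EVENT records (a 32-byte header
// followed by EventSize bytes of event data). Both lengths are checked against
// the buffer, so a truncated or corrupt log returns an error instead of panicking.
func ParseLegacyLog(raw []byte) ([]Event, error) {
	le := binary.LittleEndian
	var events []Event
	for off := 0; off < len(raw); {
		if len(raw)-off < 32 {
			return nil, fmt.Errorf("truncated event header at offset %d", off)
		}
		e := Event{PCRIndex: le.Uint32(raw[off:]), EventType: le.Uint32(raw[off+4:])}
		copy(e.Digest[:], raw[off+8:off+28])
		size := int(le.Uint32(raw[off+28:]))
		off += 32
		if size > len(raw)-off {
			return nil, fmt.Errorf("event size %d overruns log at offset %d", size, off)
		}
		e.Data, off = raw[off:off+size], off+size
		events = append(events, e)
	}
	return events, nil
}

// ReplayPCRs re-extends every digest into its PCR exactly as the TPM did at
// boot (PCR_new = SHA1(PCR_old || digest), starting from all zeros). A verifier
// compares the result with the PCR values carried in a signed quote; any
// mismatch means the log does not describe the boot the TPM measured.
func ReplayPCRs(events []Event) map[uint32][20]byte {
	pcrs := map[uint32][20]byte{}
	for _, e := range events {
		old := pcrs[e.PCRIndex]
		pcrs[e.PCRIndex] = sha1.Sum(append(old[:], e.Digest[:]...))
	}
	return pcrs
}
```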
This repository also contains `gotpm`, a command line tool for using the TPM. Run `gotpm --help` and `gotpm <command> --help` for more documentation.
## Building and Installing `gotpm`

`gotpm` can be directly installed from this repo by running:

```bash
go install github.com/google/go-tpm-tools/cmd/gotpm@latest
# gotpm will be installed to $GOBIN
gotpm --help
```

Alternatively, to build `gotpm` from a cloned version of this repo, run:

```bash
cd /my/path/to/cloned/go-tpm-tools
go build ./cmd/gotpm
# gotpm will be in the root of the repo
./gotpm --help
```
## Minimum Required Go Version

This project currently requires Go 1.16 or newer. Any update to the minimum required Go version will be released as a minor version update.
### `trousers` errors when building `server`

When building the `server` library (or tests) you may get an error that looks like:

```
fatal error: trousers/tss.h: No such file or directory
   17 | // #include <trousers/tss.h>
      |            ^~~~~~~~~~~~~~~~
compilation terminated.
```

This is because the `server` library (indirectly) depends on the Trousers `libtspi` library. This is a temporary dependency (tracking issue). To fix this error, install `libtspi` by running:

```bash
sudo apt install libtspi-dev
```
### `openssl` errors when building `simulator`

Similarly, when building the `simulator` library (or tests), you may get an error that looks like:

```
fatal error: openssl/aes.h: No such file or directory
   47 | // #include <openssl/aes.h>
      |            ^~~~~~~~~~~~~~~~
compilation terminated.
```

This is because the `simulator` library depends on having the OpenSSL headers installed. To fix this error, install them by running:

```bash
sudo apt install libssl-dev
```
## macOS Dev

macOS fails to `go build` and `go test` by default with the error `ld: library not found for -lcrypto`.

Fix it by installing OpenSSL and pointing cgo to the include and lib. These commands were tested on macOS 10.15.7 (Catalina).
### Install OpenSSL

- Install Homebrew
- Run:

```bash
brew install openssl
cd /usr/local/include
sudo ln -s $(brew --prefix openssl)/include/openssl .
```
To point the simulator at openssl as provided by Homebrew, there are a couple of options. Both of these use the output of `$(brew --prefix openssl)` for `$OPENSSL_PATH`.
#### Add OpenSSL to the include and library path at the command line

This solution does not require modifying go-tpm-tools code and is useful when working on other projects that depend on go-tpm-tools/simulator.

```bash
C_INCLUDE_PATH="$OPENSSL_PATH/include" LIBRARY_PATH="$OPENSSL_PATH/lib" go test ...
```
#### Add OpenSSL to the include and library path in the code

This solution modifies your local copy of the go-tpm-tools simulator source and removes the need to provide the paths on the command line. Remember to remove the lines from `simulator/internal/internal.go` before committing changes.

```go
// #cgo CFLAGS: -I $OPENSSL_PATH/include
// #cgo LDFLAGS: -L$OPENSSL_PATH/lib
```
## No TPM 1.2 support

Unlike Go-TPM (which supports TPM 1.2 and TPM 2.0), this module explicitly only supports TPM 2.0. Users should avoid use of TPM 1.2 due to its inherent reliance on SHA-1 (which is quite broken).
## Legal

Copyright 2018 Google Inc. under the Apache 2.0 License. Microsoft's TPM simulator code is licensed under a 3-clause BSD license and the TCG software license. See the `LICENSE` file for more information.

This is not an official Google product.