Documentation
¶
Overview ¶
Package server contains functions to be ran on a server (no TPM needed), as oppose to a client (with TPM).
Index ¶
- Variables
- func CreateEKPublicAreaFromKey(k crypto.PublicKey) (tpm2.Public, error)
- func CreateImportBlob(ekPub crypto.PublicKey, sensitive []byte, pcrs *pb.PCRs) (*pb.ImportBlob, error)
- func CreateSigningKeyImportBlob(ekPub crypto.PublicKey, signingKey crypto.PrivateKey, pcrs *pb.PCRs) (*pb.ImportBlob, error)
- func GCEInstanceURL(i *pb.GCEInstanceInfo) string
- func ParseAndVerifyEventLog(rawEventLog []byte, pcrs *pb.PCRs) ([]attest.Event, error)
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var ( //go:embed secure-boot/GcePk.crt GceDefaultPKCert []byte //go:embed secure-boot/MicCorKEKCA2011_2011-06-24.crt MicrosoftKEKCA2011Cert []byte //go:embed secure-boot/MicWinProPCA2011_2011-10-19.crt WindowsProductionPCA2011Cert []byte //go:embed secure-boot/MicCorUEFCA2011_2011-06-27.crt MicrosoftUEFICA2011Cert []byte )
Standard Secure Boot certificates (DER encoded)
var ( //go:embed secure-boot/canonical-boothole.crt RevokedCanonicalBootholeCert []byte //go:embed secure-boot/debian-boothole.crt RevokedDebianBootholeCert []byte //go:embed secure-boot/cisco-boothole.crt RevokedCiscoCert []byte )
Revoked Signing certificates (DER encoded)
Functions ¶
func CreateEKPublicAreaFromKey ¶
CreateEKPublicAreaFromKey creates a public area from a go interface PublicKey. Supports RSA and ECC keys.
func CreateImportBlob ¶
func CreateImportBlob(ekPub crypto.PublicKey, sensitive []byte, pcrs *pb.PCRs) (*pb.ImportBlob, error)
CreateImportBlob uses the provided public EK to encrypt the sensitive data. The returned ImportBlob can then be decrypted and imported using the client Key.Import() method. A non-nil pcrs parameter adds a requirement that the TPM must have specific PCR values for Import() to succeed.
func CreateSigningKeyImportBlob ¶
func CreateSigningKeyImportBlob(ekPub crypto.PublicKey, signingKey crypto.PrivateKey, pcrs *pb.PCRs) (*pb.ImportBlob, error)
CreateSigningKeyImportBlob uses the provided public EK to encrypt the signing key into import blob format. The returned import blob can be used to import the signing key into the TPM associated with the provided EK without exposing the private area to the TPM's OS using the client Key.ImportSigningKey() method. A non-nil pcrs parameter adds a requirement that the TPM must have specific PCR values to use the signing key.
func GCEInstanceURL ¶
func GCEInstanceURL(i *pb.GCEInstanceInfo) string
GCEInstanceURL returns a Google API URL to the specified instance. This URL can then be used with GCE instance APIs.
func ParseAndVerifyEventLog ¶
ParseAndVerifyEventLog parses a raw event log and replays the parsed event log against the given PCR values. It returns the events verified particular PCR indexes/digests and an error if the replay for any PCR index does not match the provided value.
It is the caller's responsibility to call server.Verify with those PCRs, a trusted public key, and a quote using the private part of the trusted key to ensure that the PCRs are generated by a known TPM.
Example ¶
// On client machine, generate the TPM quote.
// TODO: use real TPM.
simulator, err := simulator.Get()
if err != nil {
log.Fatalf("failed to initialize simulator: %v", err)
}
defer simulator.Close()
evtLog, err := client.GetEventLog(simulator)
if err != nil {
log.Fatalf("failed to get event log: %v", err)
}
pcrs, err := client.ReadPCRs(simulator, client.FullPcrSel(tpm2.AlgSHA1))
if err != nil {
log.Fatalf("failed to read PCRs: %v", err)
}
// TODO: send event log and PCRs to verifier, potentially in an Attestation proto.
// Verifier replays the event log.
// TODO: validate the PCRs against a quote. See the Quote examle.
_, err = ParseAndVerifyEventLog(evtLog, pcrs)
if err != nil {
// TODO: handle parsing or replay error.
log.Fatalf("failed to read PCRs: %v", err)
}
// TODO: use events output of ParseAndVerifyEventLog.
// Note that replayed PCRs are difficult to use in a trustworthy manner.
// Prefer to use higher level APIs that operate on events, such as
// go-attestation's ParseSecurebootState.
Output:
Types ¶
This section is empty.
Source Files