verification

package module
v0.0.0-...-bdb03a7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 21, 2023 License: Apache-2.0 Imports: 32 Imported by: 0

README

DPE Verification Tests

This test suite is a userspace test-suite which exercises DPE commands end-to-end and ensures compliance with the DPE iRoT Profile.

Documentation

Overview

Package verification provides verification tests for implementations of the DPE iRoT profile.

This packages also includes a modular DPE client that can be used to communicate with DPE over different transports. A transport for the DPE rust simulator is provided in this package.

Index

Constants

View Source 
const (
	CmdMagic  uint32 = 0x44504543
	RespMagic uint32 = 0x44504552

	CurrentProfileMajorVersion uint16 = 0
	CurrentProfileMinorVersion uint16 = 8
)

Profile-defined constants

View Source 
const (
	DPESimulatorAutoInitLocality    uint32 = 0
	DPESimulatorOtherLocality       uint32 = 0x4f544852
	DPESimulatorMaxTCINodes         uint32 = 24
	DPESimulatorMajorProfileVersion uint16 = CurrentProfileMajorVersion
	DPESimulatorMinorProfileVersion uint16 = CurrentProfileMinorVersion
	DPESimulatorVendorID            uint32 = 0
	DPESimulatorVendorSKU           uint32 = 0
)

Constants for configuring expected values from the DPE simulator

View Source 
const (
	// MaxChunkSize is the max size of a DPE certificate chunk
	MaxChunkSize = 2048
)

Variables

View Source 
var (
	OidExtensionKeyUsage               = asn1.ObjectIdentifier{2, 5, 29, 15}
	OidExtensionAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
	OidExtensionBasicConstraints       = asn1.ObjectIdentifier{2, 5, 29, 19}
	OidExtensionExtKeyUsage            = asn1.ObjectIdentifier{2, 5, 29, 37}
	OidExtensionTcgDiceUeid            = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 4}
	OidExtensionTcgDiceMultiTcbInfo    = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 5}
	OidExtensionTcgDiceKpIdentityInit  = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 6}
	OidExtensionTcgDiceKpIdentityLoc   = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 7}
	OidExtensionTcgDiceKpAttestInit    = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 8}
	OidExtensionTcgDiceKpAttestLoc     = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 9}
	OidExtensionTcgDiceKpAssertInit    = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 10}
	OidExtensionTcgDiceKpAssertLoc     = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 11}
	OidExtensionTcgDiceKpEca           = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 12}
	OidSHA256                          = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	OidSHA384                          = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
)

This file is used to test the certify key command.

View Source 
var AllTestCases = []TestCase{
	CertifyKeyTestCase,
	CertifyKeyCsrTestCase,
	CertifyKeySimulationTestCase,
	GetCertificateChainTestCase,
	TpmPolicySigningTestCase,
	ExtendTCITestCase,
	ExtendDerivedTciTestCase,
	RotateContextTestCase,
	RotateContextSimulationTestCase,
	SignAsymmetricTestCase,
	SignSymmetricTestCase,
	SignSimulationTestCase,
	GetProfileTestCase,
	InitializeContextTestCase,
	InitializeContextSimulationTestCase,
	InvalidHandleTestCase,
	WrongLocalityTestCase,
}

AllTestCases contains all DPE test cases

View Source 
var CertifyKeyCsrTestCase = TestCase{
	"CertifyKeyCsr", TestCertifyKeyCsr, []string{"AutoInit", "Csr", "IsCA"},
}

CertifyKeyCsrTestCase tests CertifyKey with type = CSR

View Source 
var CertifyKeySimulationTestCase = TestCase{
	"CertifyKeySimulation", TestCertifyKeySimulation, []string{"AutoInit", "Simulation", "X509", "IsCA"},
}

CertifyKeySimulationTestCase tests CertifyKey on Simulation mode contexts

View Source 
var CertifyKeyTestCase = TestCase{
	"CertifyKey", TestCertifyKey, []string{"AutoInit", "X509", "IsCA"},
}

CertifyKeyTestCase tests CertifyKey

View Source 
var DefaultContextHandle = ContextHandle{0}

DefaultContextHandle is the default DPE context handle

View Source 
var ExtendDerivedTciTestCase = TestCase{
	"ExtendDerivedTciTestCase", TestExtendTciOnDerivedContexts, []string{"AutoInit", "ExtendTci"},
}

ExtendDerivedTciTestCase tests ExtendTci on derived child contexts

View Source 
var ExtendTCITestCase = TestCase{
	"ExtendTCITestCase", TestExtendTCI, []string{"AutoInit", "ExtendTci"},
}

ExtendTCITestCase tests ExtendTci

View Source 
var GetCertificateChainTestCase = TestCase{
	"GetCertificateChain", TestGetCertificateChain, []string{"AutoInit", "X509"},
}

GetCertificateChainTestCase tests GetCertificateChain

View Source 
var GetProfileTestCase = TestCase{
	"GetProfile", TestGetProfile, []string{},
}

GetProfileTestCase tests GetProfile

View Source 
var InitializeContextSimulationTestCase = TestCase{
	"InitializeContextSimulation", TestInitializeSimulation, []string{"Simulation"},
}

InitializeContextSimulationTestCase tests InitializeContext in simulation mode

View Source 
var InitializeContextTestCase = TestCase{
	"InitializeContext", TestInitializeContext, []string{},
}

InitializeContextTestCase tests InitializeContext

View Source 
var InvalidHandle = ContextHandle{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}

InvalidHandle is a sample DPE handle which is very unlikely to be valid

View Source 
var InvalidHandleTestCase = TestCase{
	"CheckInvalidHandle", TestInvalidHandle, []string{"Simulation", "RotateContext", "ExtendTci"},
}

InvalidHandleTestCase tests various commands with invalid context handles

View Source 
var RotateContextSimulationTestCase = TestCase{
	"RotateContextHandleSimulation", TestRotateContextHandleSimulation, []string{"Simulation", "RotateContext"},
}

RotateContextSimulationTestCase tests RotateContext with Simulation contexts

View Source 
var RotateContextTestCase = TestCase{
	"RotateContextHandle", TestRotateContextHandle, []string{"AutoInit", "RotateContext"},
}

RotateContextTestCase tests RotateContext

View Source 
var SignAsymmetricTestCase = TestCase{
	"Sign", TestAsymmetricSigning, []string{"AutoInit", "X509"},
}

SignAsymmetricTestCase tests Sign

View Source 
var SignSimulationTestCase = TestCase{
	"SignSimulation", TestSignSimulation, []string{"Simulation"},
}

SignSimulationTestCase tests Sign with Simulation contexts

View Source 
var SignSymmetricTestCase = TestCase{
	"SignSymmetric", TestSymmetricSigning, []string{"AutoInit", "IsSymmetric"},
}

SignSymmetricTestCase tests Sign with is-symmetric = true

View Source 
var TargetExe *string

TargetExe is the simulator executable to use for this test target

View Source 
var TcgDiceCriticalExtensions = [...]string{
	OidExtensionTcgDiceMultiTcbInfo.String(),
	OidExtensionTcgDiceUeid.String(),
}

TcgDiceCriticalExtensions are the OIDs of DICE extensions which must be marked as critical

View Source 
var TcgDiceExtendedKeyUsages = [...]string{
	OidExtensionTcgDiceKpIdentityLoc.String(),
	OidExtensionTcgDiceKpAttestLoc.String(),
}

TcgDiceExtendedKeyUsages are the DICE OIDs expected to be present in the DPE leaf EKU extension

View Source 
var TpmPolicySigningTestCase = TestCase{
	"TPMPolicySigning", TestTpmPolicySigning, []string{"AutoInit", "X509"},
}

TpmPolicySigningTestCase tests using DPE to satisfy TPM PolicySigned

View Source 
var UnsupportedCommand = TestCase{
	"CheckSupportForCommand", TestUnsupportedCommand, []string{"AutoInit"},
}

UnsupportedCommand tests calling unsupported commands

View Source 
var UnsupportedCommandFlag = TestCase{
	"CheckSupportForCommandFlag", TestUnsupportedCommandFlag, []string{"AutoInit", "RotateContext", "ExtendTci"},
}

UnsupportedCommandFlag tests calling unsupported commands flags

View Source 
var WrongLocalityTestCase = TestCase{
	"CheckWrongLocality", TestWrongLocality, []string{"AutoInit", "RotateContext", "ExtendTci"},
}

WrongLocalityTestCase tests various commands with invalid localities

Functions

func HasSupportNeeded 

func HasSupportNeeded(d TestDPEInstance, supportNeeded []string) bool

HasSupportNeeded returns whether `d` supports all the features in `support_needed`

func RunTargetTestCases 

func RunTargetTestCases(target TestTarget, t *testing.T)

RunTargetTestCases runs all test cases for target

func TestAsymmetricSigning 

func TestAsymmetricSigning(d TestDPEInstance, c DPEClient, t *testing.T)

TestAsymmetricSigning obtains and validates signature of asymmetric signing. Check whether the digital signature returned by Sign command can be verified using public key in signing key certificate returned by CertifyKey command. Inspite of the DPE profile supporting symmetric key, for symmetric signing it must be enabled explicitly in Sign command flags. Else asymmetric signing is used as default.

func TestCertifyKey 

func TestCertifyKey(d TestDPEInstance, c DPEClient, t *testing.T)

TestCertifyKey tests calling CertifyKey

func TestCertifyKeyCsr 

func TestCertifyKeyCsr(d TestDPEInstance, c DPEClient, t *testing.T)

TestCertifyKeyCsr tests calling CeritifyKey with type = CSR

func TestCertifyKeySimulation 

func TestCertifyKeySimulation(d TestDPEInstance, c DPEClient, t *testing.T)

TestCertifyKeySimulation tests calling CertifyKey on simulation contexts

func TestExtendTCI 

func TestExtendTCI(d TestDPEInstance, c DPEClient, t *testing.T)

TestExtendTCI checks whether the ExtendTCI command updates the current TCI and cumulative TCI.

func TestExtendTciOnDerivedContexts 

func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T)

TestExtendTciOnDerivedContexts checks whether the ExtendTCI command with derived child context.

func TestGetCertificateChain 

func TestGetCertificateChain(d TestDPEInstance, client DPEClient, t *testing.T)

TestGetCertificateChain tests calling GetCertificateChain

func TestGetProfile 

func TestGetProfile(d TestDPEInstance, client DPEClient, t *testing.T)

TestGetProfile tests calling GetProfile

func TestInitializeContext 

func TestInitializeContext(d TestDPEInstance, c DPEClient, t *testing.T)

TestInitializeContext tests calling InitializeContext

func TestInitializeSimulation 

func TestInitializeSimulation(d TestDPEInstance, c DPEClient, t *testing.T)

TestInitializeSimulation tests calling InitializeContext simulation mode

func TestInvalidHandle 

func TestInvalidHandle(d TestDPEInstance, c DPEClient, t *testing.T)

TestInvalidHandle checks whether error is reported when non-existent handle is passed as input to DPE commands. Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands which do not need context handle as input parameter.

func TestRotateContextHandle 

func TestRotateContextHandle(d TestDPEInstance, c DPEClient, t *testing.T)

TestRotateContextHandle tests the RotateContextHandle command

func TestRotateContextHandleSimulation 

func TestRotateContextHandleSimulation(d TestDPEInstance, c DPEClient, t *testing.T)

TestRotateContextHandleSimulation tests calling RotateContextHandle on simulation contexts

func TestSignSimulation 

func TestSignSimulation(d TestDPEInstance, c DPEClient, t *testing.T)

TestSignSimulation cheks command fails in simulated context because this context does not allow signing. This is because simulation context does not allow using context's private key.

func TestSymmetricSigning 

func TestSymmetricSigning(d TestDPEInstance, c DPEClient, t *testing.T)

TestSymmetricSigning obtains HMAC (symmetric signature) generated and compares for varying label inputs. Signature created is deterministic and depends on label passed to command. This is because label is used by DPE in symmetric key derivation. Invoking Sign command multiple times with same label and same content (TBS) should return same signature but it should return different signatures for different labels despite having the same content (To Be Signed content).

func TestTpmPolicySigning 

func TestTpmPolicySigning(d TestDPEInstance, c DPEClient, t *testing.T)

TestTpmPolicySigning tests using DPE to satisfy TPM PolicySigned

func TestUnsupportedCommand 

func TestUnsupportedCommand(d TestDPEInstance, c DPEClient, t *testing.T)

TestUnsupportedCommand checks whether error is reported while using commands that are turned off in DPE. DPE commands - RotateContextHandle, ExtendTCI, require support to be enabled in DPE profile before being called.

func TestUnsupportedCommandFlag 

func TestUnsupportedCommandFlag(d TestDPEInstance, c DPEClient, t *testing.T)

TestUnsupportedCommandFlag checks whether error is reported while enabling command flags that are turned off in DPE. The DPE command may be available but some of its flags may not be supported by DPE. DPE profile supports the below attributes. Simulation : Allows caller to request for context initialization in simulation mode IsCA : Allows caller to request the key cert of CA Csr : Allows caller to request the key cert in CSR format X509 : Allows caller to request the key cert in X509 format IsSymmetric : Allows caller to request for symmetric signing InternalInfo : Allows caller to derive child context with InternalInfo InternalDice : Allows caller to derive child context with InternalDice

func TestWrongLocality 

func TestWrongLocality(d TestDPEInstance, c DPEClient, t *testing.T)

TestWrongLocality checks whether error is reported when caller from one locality issues DPE commands in another locality. Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands which do not need context handle as input and hence locality is irrelevant.

Types

type BasicConstraints 

type BasicConstraints struct {
	IsCA              bool `asn1`
	PathLenConstraint int  `asn1:"optional"`
}

BasicConstraints represents an X.509 BasicConstraints extension

type CertifiedKey 

type CertifiedKey struct {
	Handle      ContextHandle
	Pub         DPEPubKey
	Certificate []byte
}

CertifiedKey is a response from DPE CertifyKey

type CertifyKeyFlags 

type CertifyKeyFlags uint32

CertifyKeyFlags is the input flags to CertifyKey 

const (
	CertifyAddIsCA CertifyKeyFlags = 1 << 30
)

Supported flags to CertifyKey

type CertifyKeyFormat 

type CertifyKeyFormat uint32

CertifyKeyFormat is the requested output format of the DPE key certification 

const (
	CertifyKeyX509 CertifyKeyFormat = 0
	CertifyKeyCsr  CertifyKeyFormat = 1
)

Supported CertifyKey formats

type CertifyKeyParams 

type CertifyKeyParams struct {
	Label []byte
	Flags CertifyKeyFlags
}

CertifyKeyParams holds configurable parameters to CertifyKey for test-cases

type CertifyKeyReq 

type CertifyKeyReq[Digest DigestAlgorithm] struct {
	ContextHandle ContextHandle
	Flags         CertifyKeyFlags
	Label         Digest
	Format        CertifyKeyFormat
}

CertifyKeyReq is the input request to CertifyKey

type CertifyKeyResp 

type CertifyKeyResp[CurveParameter Curve, Digest DigestAlgorithm] struct {
	NewContextHandle  ContextHandle
	DerivedPublicKeyX CurveParameter
	DerivedPublicKeyY CurveParameter
	Certificate       []byte
}

CertifyKeyResp is the output response from CertifyKey

type CommandCode 

type CommandCode uint32

CommandCode is a DPE command code 

const (
	CommandGetProfile          CommandCode = 0x1
	CommandInitializeContext   CommandCode = 0x7
	CommandDeriveChild         CommandCode = 0x8
	CommandCertifyKey          CommandCode = 0x9
	CommandSign                CommandCode = 0xa
	CommandRotateContextHandle CommandCode = 0xe
	CommandDestroyContext      CommandCode = 0xf
	CommandGetCertificateChain CommandCode = 0x80
	CommandExtendTCI           CommandCode = 0x81
)

All DPE profile command codes

type CommandHdr 

type CommandHdr struct {
	// contains filtered or unexported fields
}

CommandHdr is the DPE command header common to all commands

type ContextHandle 

type ContextHandle [16]byte

ContextHandle is a DPE context handle

type Curve 

type Curve interface {
	NISTP256Parameter | NISTP384Parameter

	Bytes() []byte
}

Curve is a type constraint enumerating the supported ECC curves for DPE profiles.

type DPEABI 

type DPEABI[CurveParameter Curve, Digest DigestAlgorithm] struct {
	Profile      Profile
	MajorVersion uint16
	MinorVersion uint16
	VendorID     uint32
	VendorSku    uint32
	MaxTciNodes  uint32
	Flags        uint32
	// contains filtered or unexported fields
}

DPEABI is a connection to a DPE instance, parameterized by hash algorithm and ECC curve.

func NewDPEABI256 

func NewDPEABI256(t Transport) (*DPEABI[NISTP256Parameter, SHA256Digest], error)

NewDPEABI256 is a convenience wrapper for NewDPEABI[NISTP256Parameter, SHA256Digest].

func NewDPEABI384 

func NewDPEABI384(t Transport) (*DPEABI[NISTP384Parameter, SHA384Digest], error)

NewDPEABI384 is a convenience wrapper for NewDPEABI[NISTP384Parameter, SHA384Digest].

func (*DPEABI[_, Digest]) CertifyKey 

func (c *DPEABI[_, Digest]) CertifyKey(handle *ContextHandle, label []byte, format CertifyKeyFormat, flags CertifyKeyFlags) (*CertifiedKey, error)

func (*DPEABI[CurveParameter, Digest]) CertifyKeyABI 

func (c *DPEABI[CurveParameter, Digest]) CertifyKeyABI(cmd *CertifyKeyReq[Digest]) (*CertifyKeyResp[CurveParameter, Digest], error)

CertifyKey calls the DPE CertifyKey command.

func (*DPEABI[_, Digest]) DeriveChild 

func (c *DPEABI[_, Digest]) DeriveChild(handle *ContextHandle, inputData []byte, flags DeriveChildFlags, tciType uint32, targetLocality uint32) (*DeriveChildResp, error)

func (*DPEABI[_, Digest]) DeriveChildABI 

func (c *DPEABI[_, Digest]) DeriveChildABI(cmd *DeriveChildReq[Digest]) (*DeriveChildResp, error)

DeriveChild calls DPE DeriveChild command.

func (*DPEABI[_, _]) DestroyContext 

func (c *DPEABI[_, _]) DestroyContext(handle *ContextHandle, flags DestroyCtxFlags) error

func (*DPEABI[_, _]) DestroyContextABI 

func (c *DPEABI[_, _]) DestroyContextABI(cmd *DestroyCtxCmd) error

Send the command to destroy a context.

func (*DPEABI[_, Digest]) ExtendTCI 

func (c *DPEABI[_, Digest]) ExtendTCI(handle *ContextHandle, inputData []byte) (*ContextHandle, error)

func (*DPEABI[_, Digest]) ExtendTCIABI 

func (c *DPEABI[_, Digest]) ExtendTCIABI(cmd *ExtendTCIReq[Digest]) (*ExtendTCIResp, error)

ExtendTCI calls the DPE ExtendTCI command.

func (*DPEABI[_, _]) GetCertificateChain 

func (c *DPEABI[_, _]) GetCertificateChain() ([]byte, error)

func (*DPEABI[_, _]) GetCertificateChainABI 

func (c *DPEABI[_, _]) GetCertificateChainABI() (*GetCertificateChainResp, error)

GetCertificateChain calls the DPE GetCertificateChain command.

func (*DPEABI[_, _]) GetProfile 

func (c *DPEABI[_, _]) GetProfile() (*GetProfileResp, error)

func (*DPEABI[_, _]) GetProfileABI 

func (c *DPEABI[_, _]) GetProfileABI() (*GetProfileResp, error)

func (*DPEABI[_, _]) InitializeContext 

func (c *DPEABI[_, _]) InitializeContext(flags InitCtxFlags) (*ContextHandle, error)

func (*DPEABI[_, _]) InitializeContextABI 

func (c *DPEABI[_, _]) InitializeContextABI(cmd *InitCtxCmd) (*InitCtxResp, error)

InitializeContextABI calls InitializeContext

func (*DPEABI[_, Digest]) RotateContextABI 

func (c *DPEABI[_, Digest]) RotateContextABI(cmd *RotateContextHandleCmd) (*RotatedContextHandle, error)

RotateContextHandle calls DPE RotateContextHandle command.

func (*DPEABI[_, _]) RotateContextHandle 

func (c *DPEABI[_, _]) RotateContextHandle(handle *ContextHandle, flags RotateContextHandleFlags) (*ContextHandle, error)

func (*DPEABI[_, Digest]) Sign 

func (c *DPEABI[_, Digest]) Sign(handle *ContextHandle, label []byte, flags SignFlags, toBeSigned []byte) (*DPESignedHash, error)

func (*DPEABI[_, Digest]) SignABI 

func (c *DPEABI[_, Digest]) SignABI(cmd *SignReq[Digest]) (*SignResp[Digest], error)

Sign calls the DPE Sign command.

type DPEABI256 

type DPEABI256 = DPEABI[NISTP256Parameter, SHA256Digest]

DPEABI256 is a client that implements DPE_PROFILE_IROT_P256_SHA256

type DPEABI384 

type DPEABI384 = DPEABI[NISTP384Parameter, SHA384Digest]

DPEABI384 is a client that implements DPE_PROFILE_IROT_P384_SHA384

type DPEClient 

type DPEClient interface {
	InitializeContext(flags InitCtxFlags) (*ContextHandle, error)
	GetProfile() (*GetProfileResp, error)
	CertifyKey(handle *ContextHandle, label []byte, format CertifyKeyFormat, flags CertifyKeyFlags) (*CertifiedKey, error)
	GetCertificateChain() ([]byte, error)
	DestroyContext(handle *ContextHandle, flags DestroyCtxFlags) error
	DeriveChild(handle *ContextHandle, inputData []byte, flags DeriveChildFlags, tciType uint32, targetLocality uint32) (*DeriveChildResp, error)
	RotateContextHandle(handle *ContextHandle, flags RotateContextHandleFlags) (*ContextHandle, error)
	Sign(handle *ContextHandle, label []byte, flags SignFlags, toBeSigned []byte) (*DPESignedHash, error)
	ExtendTCI(handle *ContextHandle, inputData []byte) (*ContextHandle, error)
}

DPEClient is a generic interface to a DPE instance

func NewClient 

func NewClient(t Transport, p Profile) (DPEClient, error)

NewClient returns a new DPE client

type DPEPubKey 

type DPEPubKey struct {
	X []byte
	Y []byte
}

DPEPubKey is an ECC public point TODO: Include curve

type DPESignedHash 

type DPESignedHash struct {
	Handle           ContextHandle
	HmacOrSignatureR []byte
	SignatureS       []byte
}

DPESignedHash is the response from DPE Sign

type DPETCI 

type DPETCI struct {
	CumulativeTCI []byte
	CurrentTCI    []byte
}

DPETCI holds the current and cumulative measurements for a DPE TCI node

type DeriveChildFlags 

type DeriveChildFlags uint32

DeriveChildFlags is the input flags to DeriveChild 

const (
	InternalInputInfo DeriveChildFlags = 1 << 31
	InternalInputDice DeriveChildFlags = 1 << 30
	RetainParent      DeriveChildFlags = 1 << 29
	MakeDefault       DeriveChildFlags = 1 << 28
	ChangeLocality    DeriveChildFlags = 1 << 27
	InputAllowCA      DeriveChildFlags = 1 << 26
	InputAllowX509    DeriveChildFlags = 1 << 25
)

Supported flags to DeriveChild

type DeriveChildReq 

type DeriveChildReq[Digest DigestAlgorithm] struct {
	ContextHandle  ContextHandle
	InputData      Digest
	Flags          DeriveChildFlags
	TciType        uint32
	TargetLocality uint32
}

DeriveChildReq is the input request to DeriveChild

type DeriveChildResp 

type DeriveChildResp struct {
	NewContextHandle    ContextHandle
	ParentContextHandle ContextHandle
}

DeriveChildResp is the output response from DeriveChild

type DestroyCtxCmd 

type DestroyCtxCmd struct {
	// contains filtered or unexported fields
}

DestroyCtxCmd is input parameters to DestroyContext

func NewDestroyCtx 

func NewDestroyCtx(handle ContextHandle, destroyDescendants bool) *DestroyCtxCmd

NewDestroyCtx creates a new DestroyContext command

type DestroyCtxFlags 

type DestroyCtxFlags uint32

DestroyCtxFlags is input flags to DestroyContext 

const (
	DestroyDescendants DestroyCtxFlags = 1 << 31
)

Supported flags to DestroyContext

type DiceTcbInfo 

type DiceTcbInfo struct {
	Vendor     string          `asn1:"optional,tag:0,utf8"`
	Model      string          `asn1:"optional,tag:1,utf8"`
	Version    string          `asn1:"optional,tag:2,utf8"`
	SVN        int             `asn1:"optional,tag:3"`
	Layer      int             `asn1:"optional,tag:4"`
	Index      int             `asn1:"optional,tag:5"`
	Fwids      []Fwid          `asn1:"optional,tag:6"`
	Flags      OperationalFlag `asn1:"optional,tag:7"`
	VendorInfo []byte          `asn1:"optional,tag:8"`
	Type       []byte          `asn1:"optional,tag:9"`
}

DiceTcbInfo represents the following ASN.1 structures tcg-dice-MultiTcbInfo OBJECT IDENTIFIER ::= {tcg-dice 5} DiceTcbInfoSeq ::= SEQUENCE SIZE (1..MAX) OF DiceTcbInfo

tcg-dice-TcbInfo OBJECT IDENTIFIER ::= {tcg-dice 1} 

DiceTcbInfo 	::== SEQUENCE {
		vendor		[0] IMPLICIT UTF8String OPTIONAL,
		model 		[1] IMPLICIT UTF8String OPTIONAL,
		version 	[2] IMPLICIT UTF8String OPTIONAL,
		svn 		[3] IMPLICIT INTEGER OPTIONAL,
		layer 		[4] IMPLICIT INTEGER OPTIONAL,
		index 		[5] IMPLICIT INTEGER OPTIONAL,
		fwids 		[6] IMPLICIT FWIDLIST OPTIONAL,
		flags 		[7] IMPLICIT OperationalFlags OPTIONAL,
		vendorInfo 	[8] IMPLICIT OCTET STRING OPTIONAL,
		type 		[9] IMPLICIT OCTET STRING OPTIONAL,
}

FWIDLIST ::== SEQUENCE SIZE (1..MAX) OF FWID 

FWID ::== SEQUENCE {
		hashAlg 	OBJECT IDENTIFIER,
		digest 		OCTET STRING
}

OperationalFlags ::= BIT STRING {
		notConfigured (0),
		notSecure (1),
		recovery (2),
 	debug (3)
}

type DigestAlgorithm 

type DigestAlgorithm interface {
	SHA256Digest | SHA384Digest

	Bytes() []byte
}

DigestAlgorithm is a type constraint enumerating the supported hashing algorithms for DPE profiles.

type DpeSimulator 

type DpeSimulator struct {
	Transport
	// contains filtered or unexported fields
}

DpeSimulator is a handle to a DPE simulator instance

func (*DpeSimulator) GetIsInitialized 

func (s *DpeSimulator) GetIsInitialized() bool

GetIsInitialized gets whether DPE is initialized

func (*DpeSimulator) GetLocality 

func (s *DpeSimulator) GetLocality() uint32

GetLocality gets the locality of the current caller

func (*DpeSimulator) GetMaxTciNodes 

func (s *DpeSimulator) GetMaxTciNodes() uint32

GetMaxTciNodes gets the max number of TCI nodes the DPE supports

func (*DpeSimulator) GetProfileMajorVersion 

func (s *DpeSimulator) GetProfileMajorVersion() uint16

GetProfileMajorVersion gets the major profile version supported by this DPE

func (*DpeSimulator) GetProfileMinorVersion 

func (s *DpeSimulator) GetProfileMinorVersion() uint16

GetProfileMinorVersion gets the minor profile version supported by this DPE

func (*DpeSimulator) GetProfileVendorID 

func (s *DpeSimulator) GetProfileVendorID() uint32

GetProfileVendorID gets the vendor ID of this DPE

func (*DpeSimulator) GetProfileVendorSku 

func (s *DpeSimulator) GetProfileVendorSku() uint32

GetProfileVendorSku gets the vendor SKU of this DPE

func (*DpeSimulator) GetSupport 

func (s *DpeSimulator) GetSupport() *Support

GetSupport gets supported DPE features from the simulator

func (*DpeSimulator) GetSupportedLocalities 

func (s *DpeSimulator) GetSupportedLocalities() []uint32

GetSupportedLocalities gets the list of localities the simulator supports

func (*DpeSimulator) HasLocalityControl 

func (s *DpeSimulator) HasLocalityControl() bool

HasLocalityControl returns whether the simulator can artificially set the locality of the caller. The simulator target can always control the locality.

func (*DpeSimulator) HasPowerControl 

func (s *DpeSimulator) HasPowerControl() bool

HasPowerControl returns whether the simulator can be started and stopped.

func (*DpeSimulator) PowerOff 

func (s *DpeSimulator) PowerOff() error

PowerOff kills the simulator in a way that it can cleanup before closing.

func (*DpeSimulator) PowerOn 

func (s *DpeSimulator) PowerOn() error

PowerOn starts the simulator.

func (*DpeSimulator) SendCmd 

func (s *DpeSimulator) SendCmd(buf []byte) ([]byte, error)

SendCmd sends a DPE command to the simulator

func (*DpeSimulator) SetIsInitialized 

func (s *DpeSimulator) SetIsInitialized(isInitialized bool)

SetIsInitialized sets whether DPE is initialized

func (*DpeSimulator) SetLocality 

func (s *DpeSimulator) SetLocality(locality uint32)

SetLocality sets the locality of this caller

type DpeTestFunc 

type DpeTestFunc func(d TestDPEInstance, c DPEClient, t *testing.T)

DpeTestFunc is the function template that a DPE test case must implement

type ExtendTCIReq 

type ExtendTCIReq[Digest DigestAlgorithm] struct {
	ContextHandle ContextHandle
	InputData     Digest
}

ExtendTCIReq is the input request to ExtendTCI

type ExtendTCIResp 

type ExtendTCIResp struct {
	NewContextHandle ContextHandle
}

ExtendTCIResp is the output response from ExtendTCI

type Fwid 

type Fwid struct {
	HashAlg asn1.ObjectIdentifier
	Digest  []byte
}

Fwid represents a TCG DICE FWID structure

type GetCertificateChainReq 

type GetCertificateChainReq struct {
	Offset uint32
	Size   uint32
}

GetCertificateChainReq is the input request to GetCertificateChain

type GetCertificateChainResp 

type GetCertificateChainResp struct {
	CertificateSize  uint32
	CertificateChain []byte
}

GetCertificateChainResp is the output response from GetCertificateChain

type GetProfileResp 

type GetProfileResp struct {
	Profile      Profile
	MajorVersion uint16
	MinorVersion uint16
	VendorID     uint32
	VendorSku    uint32
	MaxTciNodes  uint32
	Flags        uint32
}

GetProfileResp is the response from GetProfile

type InitCtxCmd 

type InitCtxCmd struct {
	// contains filtered or unexported fields
}

InitCtxCmd is the input parameters to InitializeContext

type InitCtxFlags 

type InitCtxFlags uint32

InitCtxFlags is the input flags to InitializeContext 

const (
	InitIsSimulation InitCtxFlags = 1 << 31
	InitIsDefault    InitCtxFlags = 1 << 30
)

Supported flags to InitializeContext

type InitCtxResp 

type InitCtxResp struct {
	Handle ContextHandle
}

InitCtxResp is the response parameters from InitializeContext

type NISTP256Parameter 

type NISTP256Parameter [32]byte

NISTP256Parameter represents a NIST P-256 curve parameter, i.e., an x, y, r, or s value.

func (NISTP256Parameter) Bytes 

func (p NISTP256Parameter) Bytes() []byte

Bytes returns a big-endian byte slice of a P256 int

type NISTP384Parameter 

type NISTP384Parameter [48]byte

NISTP384Parameter represents a NIST P-384 curve parameter, i.e., an x, y, r, or s value.

func (NISTP384Parameter) Bytes 

func (p NISTP384Parameter) Bytes() []byte

Bytes returns a big-endian byte slice of a P384 int

type OperationalFlag 

type OperationalFlag int

OperationalFlag represents the TCBInfo Operational Flags field 

const (
	NotConfigured OperationalFlag = iota
	NotSecure
	Debug
	Recovery
)

TCG spec-defined operational flags

type Profile 

type Profile uint32

Profile represents a supported algorithm profile (i.e., hash algorithm and ECC curve). 

const (
	// ProfileP256SHA256 is NIST P-256, SHA-256
	ProfileP256SHA256 Profile = 1
	// ProfileP384SHA384 is NIST P-384, SHA-384
	ProfileP384SHA384 Profile = 2
)

func GetTransportProfile 

func GetTransportProfile(t Transport) (Profile, error)

GetTransportProfile gets the profile for transport `t`

func (Profile) GetDigestSize 

func (p Profile) GetDigestSize() int

GetDigestSize gets the digest size of the profile's supported hash algorithm

func (Profile) GetECCIntSize 

func (p Profile) GetECCIntSize() int

GetECCIntSize gets the ECC int size of the profile's supported ECC curve

func (Profile) String 

func (p Profile) String() string

type RespHdr 

type RespHdr struct {
	Magic   uint32
	Status  Status
	Profile Profile
}

RespHdr is the DPE response header common to all responses

type RotateContextHandleCmd 

type RotateContextHandleCmd struct {
	Handle ContextHandle
	Flags  RotateContextHandleFlags
}

RotateContextHandleCmd is the input command to RotateContextHandle

type RotateContextHandleFlags 

type RotateContextHandleFlags uint32

RotateContextHandleFlags is the input flags to RotateContextHandle 

const (
	TargetIsDefault RotateContextHandleFlags = 1 << 31
)

Supported RotateContextHandle flags

type RotatedContextHandle 

type RotatedContextHandle struct {
	NewContextHandle ContextHandle
}

RotatedContextHandle is the response from RotateContextHandle

type SHA256Digest 

type SHA256Digest [32]byte

SHA256Digest represents a SHA-256 digest value.

func (SHA256Digest) Bytes 

func (d SHA256Digest) Bytes() []byte

Bytes returns a byte slice of the SHA256 digest

type SHA384Digest 

type SHA384Digest [48]byte

SHA384Digest represents a SHA-384 digest value.

func (SHA384Digest) Bytes 

func (d SHA384Digest) Bytes() []byte

Bytes returns a byte slice of the SHA384 digest

type SignFlags 

type SignFlags uint32

SignFlags is the input flags to Sign 

const (
	IsSymmetric SignFlags = 1 << 30
)

Supported Sign flags

type SignReq 

type SignReq[Digest DigestAlgorithm] struct {
	ContextHandle ContextHandle
	Label         Digest
	Flags         SignFlags
	ToBeSigned    Digest
}

SignReq is the input request to Sign

type SignResp 

type SignResp[Digest DigestAlgorithm] struct {
	NewContextHandle ContextHandle
	HmacOrSignatureR Digest
	SignatureS       Digest
}

SignResp is the output response from Sign

type Status 

type Status uint32

Status is a DPE status code 

const (
	StatusInternalError        Status = 1
	StatusInvalidCommand       Status = 2
	StatusInvalidArgument      Status = 3
	StatusArgumentNotSupported Status = 4
	StatusInvalidHandle        Status = 0x1000
	StatusInvalidLocality      Status = 0x1001
	StatusBadTag               Status = 0x1002
	StatusMaxTCIs              Status = 0x1003
	StatusPlatformError        Status = 0x1004
	StatusCryptoError          Status = 0x1005
	StatusHashError            Status = 0x1006
	StatusRandError            Status = 0x1007
)

All spec-defined DPE status codes

func (Status) Error 

func (s Status) Error() string

Error returns an informational string for all DPE error codes

type Support 

type Support struct {
	Simulation    bool
	ExtendTci     bool
	AutoInit      bool
	RotateContext bool
	X509          bool
	Csr           bool
	IsSymmetric   bool
	InternalInfo  bool
	InternalDice  bool
	IsCA          bool
}

Support is the set of features a DPE supports

func (*Support) ToFlags 

func (s *Support) ToFlags() uint32

ToFlags converts support to the profile-defined support flags format

type TcgMultiTcbInfo 

type TcgMultiTcbInfo = []DiceTcbInfo

TcgMultiTcbInfo represents a sequence of TCBInfos

type TcgUeidExtension 

type TcgUeidExtension struct {
	Ueid []uint8 `asn1:"ueid,implicit"`
}

TcgUeidExtension is tcg-dice-Ueid OBJECT IDENTIFIER ::= {tcg-dice 4} 

TcgUeid ::== SEQUENCE {
		ueid OCTET STRING
}

type TestCase 

type TestCase struct {
	Name          string
	Run           DpeTestFunc
	SupportNeeded []string
}

TestCase is metadata for a DPE test case

type TestDPEInstance 

type TestDPEInstance interface {
	Transport
	// If power control is unavailable for the given device, return false from
	// HasPowerControl and return an error from PowerOn and PowerOff. For devices
	// that don't support power control but do have reset capability, return true
	// from HasPowerControl leave PowerOn empty and execute the reset in PowerOff.
	HasPowerControl() bool
	// If supported, turns on the device or starts the emulator/simulator.
	PowerOn() error
	// If supported, turns of the device, stops the emulator/simulator, or resets.
	PowerOff() error
	// The Transport implementations are not expected to be able to set the values
	// it supports, but this function is used by tests to know how to test the DPE
	// instance.
	GetSupport() *Support
	// Whether the default context has been initialized.
	GetIsInitialized() bool
	// Set whether the default context has been initialized.
	SetIsInitialized(bool)
	// Returns a slice of all the localities the instance supports.
	GetSupportedLocalities() []uint32
	// Whether the target can artificially control the locality of the caller
	HasLocalityControl() bool
	// Sets the current locality.
	SetLocality(locality uint32)
	// Gets the current locality.
	GetLocality() uint32
	// Returns the Maximum number of the TCIs instance can have.
	GetMaxTciNodes() uint32
	// Returns the major version of the profile the instance implements.
	GetProfileMajorVersion() uint16
	// Returns the minor version of the profile the instance implements.
	GetProfileMinorVersion() uint16
	// Returns the Vendor ID of the profile.
	GetProfileVendorID() uint32
	// Returns the vendor's product SKU.
	GetProfileVendorSku() uint32
}

TestDPEInstance is an extension to the main DPE transport interface with test hooks.

func GetSimulatorTarget 

func GetSimulatorTarget(supportNeeded []string, targetExe string) TestDPEInstance

GetSimulatorTarget gets the simulator target

type TestTarget 

type TestTarget struct {
	Name      string
	D         TestDPEInstance
	TestCases []TestCase
}

TestTarget is a TestDPEInstance and corresponding list of test cases to run against that target.

func GetSimulatorTargets 

func GetSimulatorTargets() []TestTarget

GetSimulatorTargets gets different simulator targets with different support vectors to run the verification tests against

type Transport 

type Transport interface {
	// Send a command to the DPE instance.
	SendCmd(buf []byte) ([]byte, error)
}

Transport is an interface to define how to test and send messages to a DPE instance.

Source Files

View all Source files

Directories

Path Synopsis
client module
sim module
testing module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.