client

package module
v0.0.0-...-e0c847c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 6, 2025 License: Apache-2.0 Imports: 5 Imported by: 2

Documentation

Overview

Package client provides a modular DPE client that can be used to communicate with DPE over different transports.

Index

Constants

View Source 
const (
	CmdMagic  uint32 = 0x44504543
	RespMagic uint32 = 0x44504552

	CurrentProfileMajorVersion uint16 = 0
	CurrentProfileMinorVersion uint16 = 12
)

Profile-defined constants

View Source 
const (
	// MaxChunkSize is the max size of a DPE certificate chunk
	MaxChunkSize = 2048
)

Variables

View Source 
var DefaultContextHandle = ContextHandle{0}

DefaultContextHandle is the default DPE context handle

Functions

func CertLen 

func CertLen[C DPECertificate]() int

CertLen returns the length of the certificate.

func CurveIntLen 

func CurveIntLen[C Curve]() int

CurveIntLen returns the length of the curve.

func DigestLen 

func DigestLen[D DigestAlgorithm]() int

DigestLen returns the length of the digest.

func HasSupportNeeded 

func HasSupportNeeded(d TestDPEInstance, supportNeeded []string) bool

HasSupportNeeded returns whether `d` supports all the features in `support_needed`

func NewDigest 

func NewDigest[D DigestAlgorithm](b []byte) (D, error)

NewDigest creates a new digest value from a byte slice.

Types

type CertifiedKey 

type CertifiedKey struct {
	Handle      ContextHandle
	Pub         DPEPubKey
	Certificate []byte
}

CertifiedKey is a response from DPE CertifyKey

type CertifyKeyFlags 

type CertifyKeyFlags uint32

CertifyKeyFlags is the input flags to CertifyKey

type CertifyKeyFormat 

type CertifyKeyFormat uint32

CertifyKeyFormat is the requested output format of the DPE key certification 

const (
	CertifyKeyX509 CertifyKeyFormat = 0
	CertifyKeyCsr  CertifyKeyFormat = 1
)

Supported CertifyKey formats

type CertifyKeyReq 

type CertifyKeyReq[Digest DigestAlgorithm] struct {
	ContextHandle ContextHandle
	Flags         CertifyKeyFlags
	Format        CertifyKeyFormat
	Label         Digest
}

CertifyKeyReq is the input request to CertifyKey

type CertifyKeyResp 

type CertifyKeyResp[CurveParameter Curve, Digest DigestAlgorithm] struct {
	NewContextHandle  ContextHandle
	DerivedPublicKeyX CurveParameter
	DerivedPublicKeyY CurveParameter
	Certificate       []byte
}

CertifyKeyResp is the output response from CertifyKey

type CommandCode 

type CommandCode uint32

CommandCode is a DPE command code

type CommandHdr 

type CommandHdr struct {
	// contains filtered or unexported fields
}

CommandHdr is the DPE command header common to all commands

type ContextHandle 

type ContextHandle [16]byte

ContextHandle is a DPE context handle

type Curve 

type Curve interface {
	NISTP256Parameter | NISTP384Parameter

	Bytes() []byte
}

Curve is a type constraint enumerating the supported ECC curves for DPE profiles.

type DPEABI 

type DPEABI[CurveParameter Curve, Digest DigestAlgorithm, Cert DPECertificate] struct {
	Profile      Profile
	MajorVersion uint16
	MinorVersion uint16
	VendorID     uint32
	VendorSku    uint32
	MaxTciNodes  uint32
	Flags        uint32
	// contains filtered or unexported fields
}

DPEABI is a connection to a DPE instance, parameterized by hash algorithm and ECC curve.

func NewDPEABI256 

func NewDPEABI256(t Transport) (*DPEABI[NISTP256Parameter, SHA256Digest, DPEFullCertificate], error)

NewDPEABI256 is a convenience wrapper for NewDPEABI[NISTP256Parameter, SHA256Digest, DPEFullCertificate].

func NewDPEABI256Min 

func NewDPEABI256Min(t Transport) (*DPEABI[NISTP256Parameter, SHA256Digest, DPEMinCertificate], error)

NewDPEABI256Min is a convenience wrapper for NewDPEABI[NISTP256Parameter, SHA256Digest, DPEMinCertificate].

func NewDPEABI384 

func NewDPEABI384(t Transport) (*DPEABI[NISTP384Parameter, SHA384Digest, DPEFullCertificate], error)

NewDPEABI384 is a convenience wrapper for NewDPEABI[NISTP384Parameter, SHA384Digest, DPEFullCertificate].

func NewDPEABI384Min 

func NewDPEABI384Min(t Transport) (*DPEABI[NISTP384Parameter, SHA384Digest, DPEMinCertificate], error)

NewDPEABI384Min is a convenience wrapper for NewDPEABI[NISTP384Parameter, SHA384Digest, DPEMinCertificate].

func (*DPEABI[_, Digest, _]) CertifyKey 

func (c *DPEABI[_, Digest, _]) CertifyKey(handle *ContextHandle, label []byte, format CertifyKeyFormat, flags CertifyKeyFlags) (*CertifiedKey, error)

CertifyKey calls the DPE CertifyKey command

func (*DPEABI[CurveParameter, Digest, Cert]) CertifyKeyABI 

func (c *DPEABI[CurveParameter, Digest, Cert]) CertifyKeyABI(cmd *CertifyKeyReq[Digest]) (*CertifyKeyResp[CurveParameter, Digest], error)

CertifyKeyABI calls the DPE CertifyKey command.

func (*DPEABI[_, Digest, _]) DeriveContext 

func (c *DPEABI[_, Digest, _]) DeriveContext(handle *ContextHandle, inputData []byte, flags DeriveContextFlags, tciType uint32, targetLocality uint32) (*DeriveContextResp, error)

DeriveContext calls DPE DeriveContext command

func (*DPEABI[_, Digest, Cert]) DeriveContextABI 

func (c *DPEABI[_, Digest, Cert]) DeriveContextABI(cmd *DeriveContextReq[Digest]) (*DeriveContextResp, error)

DeriveContextABI calls DPE DeriveContext command.

func (*DPEABI[_, _, _]) DestroyContext 

func (c *DPEABI[_, _, _]) DestroyContext(handle *ContextHandle) error

DestroyContext calls DPE DestroyContext command

func (*DPEABI[_, _, _]) DestroyContextABI 

func (c *DPEABI[_, _, _]) DestroyContextABI(cmd *DestroyCtxCmd) error

DestroyContextABI calls the DPE DestroyContext for this ABI

func (*DPEABI[_, _, _]) GetCertificateChain 

func (c *DPEABI[_, _, _]) GetCertificateChain() ([]byte, error)

GetCertificateChain calls DPE GetCertificateChain command

func (*DPEABI[_, _, _]) GetCertificateChainABI 

func (c *DPEABI[_, _, _]) GetCertificateChainABI() (*GetCertificateChainResp, error)

GetCertificateChainABI calls the DPE GetCertificateChain command.

func (*DPEABI[_, _, _]) GetProfile 

func (c *DPEABI[_, _, _]) GetProfile() (*GetProfileResp, error)

GetProfile calls the DPE GetProfile command

func (*DPEABI[_, _, _]) GetProfileABI 

func (c *DPEABI[_, _, _]) GetProfileABI() (*GetProfileResp, error)

GetProfileABI calls the DPE GetProfile for this ABI

func (*DPEABI[_, _, _]) InitializeContext 

func (c *DPEABI[_, _, _]) InitializeContext(flags InitCtxFlags) (*ContextHandle, error)

InitializeContext calls the DPE InitializeContext command

func (*DPEABI[_, _, _]) InitializeContextABI 

func (c *DPEABI[_, _, _]) InitializeContextABI(cmd *InitCtxCmd) (*InitCtxResp, error)

InitializeContextABI calls InitializeContext

func (*DPEABI[_, Digest, _]) RotateContextABI 

func (c *DPEABI[_, Digest, _]) RotateContextABI(cmd *RotateContextHandleCmd) (*RotatedContextHandle, error)

RotateContextABI calls DPE RotateContextHandle command.

func (*DPEABI[_, _, _]) RotateContextHandle 

func (c *DPEABI[_, _, _]) RotateContextHandle(handle *ContextHandle, flags RotateContextHandleFlags) (*ContextHandle, error)

RotateContextHandle calls DPE RotateContextHandle command

func (*DPEABI[_, Digest, _]) Sign 

func (c *DPEABI[_, Digest, _]) Sign(handle *ContextHandle, label []byte, flags SignFlags, toBeSigned []byte) (*DPESignedHash, error)

Sign calls DPE Sign command

func (*DPEABI[_, Digest, _]) SignABI 

func (c *DPEABI[_, Digest, _]) SignABI(cmd *SignReq[Digest]) (*SignResp[Digest], error)

SignABI calls the DPE Sign command.

type DPEABI256 

type DPEABI256 = DPEABI[NISTP256Parameter, SHA256Digest, DPEFullCertificate]

DPEABI256 is a client that implements DPE_PROFILE_IROT_P256_SHA256

type DPEABI256Min 

type DPEABI256Min = DPEABI[NISTP256Parameter, SHA256Digest, DPEMinCertificate]

DPEABI256Min is a client that implements DPE_PROFILE_IROT_P256_SHA256

type DPEABI384 

type DPEABI384 = DPEABI[NISTP384Parameter, SHA384Digest, DPEFullCertificate]

DPEABI384 is a client that implements DPE_PROFILE_IROT_P384_SHA384

type DPEABI384Min 

type DPEABI384Min = DPEABI[NISTP384Parameter, SHA384Digest, DPEMinCertificate]

DPEABI384Min is a client that implements DPE_PROFILE_IROT_P384_SHA384

type DPECertificate 

type DPECertificate interface {
	DPEMinCertificate | DPEFullCertificate

	Bytes() []byte
}

DPECertificate is a type constraint for DPE certificates.

type DPEClient 

type DPEClient interface {
	InitializeContext(flags InitCtxFlags) (*ContextHandle, error)
	GetProfile() (*GetProfileResp, error)
	CertifyKey(handle *ContextHandle, label []byte, format CertifyKeyFormat, flags CertifyKeyFlags) (*CertifiedKey, error)
	GetCertificateChain() ([]byte, error)
	DestroyContext(handle *ContextHandle) error
	DeriveContext(handle *ContextHandle, inputData []byte, flags DeriveContextFlags, tciType uint32, targetLocality uint32) (*DeriveContextResp, error)
	RotateContextHandle(handle *ContextHandle, flags RotateContextHandleFlags) (*ContextHandle, error)
	Sign(handle *ContextHandle, label []byte, flags SignFlags, toBeSigned []byte) (*DPESignedHash, error)
}

DPEClient is a generic interface to a DPE instance

func NewClient 

func NewClient(t Transport, p Profile) (DPEClient, error)

NewClient returns a new DPE client

type DPEFullCertificate 

type DPEFullCertificate [6144]byte

DPEFullCertificate represents a certificate for the DPE full iRoT profiles

func (DPEFullCertificate) Bytes 

func (c DPEFullCertificate) Bytes() []byte

Bytes returns a byte slice of the DPE full certificate

type DPEMinCertificate 

type DPEMinCertificate [2048]byte

DPEMinCertificate represents a certificate for the DPE minimal iRoT profiles

func (DPEMinCertificate) Bytes 

func (c DPEMinCertificate) Bytes() []byte

Bytes returns a byte slice of the DPE min certificate

type DPEPubKey 

type DPEPubKey struct {
	X []byte
	Y []byte
}

DPEPubKey is an ECC public point TODO: Include curve

type DPESignedHash 

type DPESignedHash struct {
	Handle     ContextHandle
	SignatureR []byte
	SignatureS []byte
}

DPESignedHash is the response from DPE Sign

type DPETCI 

type DPETCI struct {
	CumulativeTCI []byte
	CurrentTCI    []byte
}

DPETCI holds the current and cumulative measurements for a DPE TCI node

type DeriveContextFlags 

type DeriveContextFlags uint32

DeriveContextFlags is the input flags to DeriveContext 

const (
	InternalInputInfo   DeriveContextFlags = 1 << 31
	InternalInputDice   DeriveContextFlags = 1 << 30
	RetainParentContext DeriveContextFlags = 1 << 29
	MakeDefault         DeriveContextFlags = 1 << 28
	ChangeLocality      DeriveContextFlags = 1 << 27
	InputAllowCA        DeriveContextFlags = 1 << 26
	InputAllowX509      DeriveContextFlags = 1 << 25
	Recursive           DeriveContextFlags = 1 << 24
	CdiExport           DeriveContextFlags = 1 << 23
	CreateCertificate   DeriveContextFlags = 1 << 22
)

Supported flags to DeriveContext

type DeriveContextReq 

type DeriveContextReq[Digest DigestAlgorithm] struct {
	ContextHandle  ContextHandle
	InputData      Digest
	Flags          DeriveContextFlags
	TciType        uint32
	TargetLocality uint32
}

DeriveContextReq is the input request to DeriveContext

type DeriveContextResp 

type DeriveContextResp struct {
	NewContextHandle    ContextHandle
	ParentContextHandle ContextHandle
	ExportedCdi         ExportedCdi
	CertificateSize     uint32
	NewCertificate      []byte
}

DeriveContextResp is the output response from DeriveContext

type DestroyCtxCmd 

type DestroyCtxCmd struct {
	// contains filtered or unexported fields
}

DestroyCtxCmd is input parameters to DestroyContext

type DigestAlgorithm 

type DigestAlgorithm interface {
	SHA256Digest | SHA384Digest

	Bytes() []byte
}

DigestAlgorithm is a type constraint enumerating the supported hashing algorithms for DPE profiles.

type ExportedCdi 

type ExportedCdi [32]byte

ExportedCdi is a handle to an exported CDI

type GetCertificateChainReq 

type GetCertificateChainReq struct {
	Offset uint32
	Size   uint32
}

GetCertificateChainReq is the input request to GetCertificateChain

type GetCertificateChainResp 

type GetCertificateChainResp struct {
	CertificateSize  uint32
	CertificateChain []byte
}

GetCertificateChainResp is the output response from GetCertificateChain

type GetProfileResp 

type GetProfileResp struct {
	Profile      Profile
	MajorVersion uint16
	MinorVersion uint16
	VendorID     uint32
	VendorSku    uint32
	MaxTciNodes  uint32
	Flags        uint32
}

GetProfileResp is the response from GetProfile

type InitCtxCmd 

type InitCtxCmd struct {
	// contains filtered or unexported fields
}

InitCtxCmd is the input parameters to InitializeContext

type InitCtxFlags 

type InitCtxFlags uint32

InitCtxFlags is the input flags to InitializeContext 

const (
	InitIsSimulation InitCtxFlags = 1 << 31
	InitIsDefault    InitCtxFlags = 1 << 30
)

Supported flags to InitializeContext

type InitCtxResp 

type InitCtxResp struct {
	Handle ContextHandle
}

InitCtxResp is the response parameters from InitializeContext

type NISTP256Parameter 

type NISTP256Parameter [32]byte

NISTP256Parameter represents a NIST P-256 curve parameter, i.e., an x, y, r, or s value.

func (NISTP256Parameter) Bytes 

func (p NISTP256Parameter) Bytes() []byte

Bytes returns a big-endian byte slice of a P256 int

type NISTP384Parameter 

type NISTP384Parameter [48]byte

NISTP384Parameter represents a NIST P-384 curve parameter, i.e., an x, y, r, or s value.

func (NISTP384Parameter) Bytes 

func (p NISTP384Parameter) Bytes() []byte

Bytes returns a big-endian byte slice of a P384 int

type Profile 

type Profile uint32

Profile represents a supported algorithm profile (i.e., hash algorithm and ECC curve). 

const (
	// ProfileMinP256SHA256 is NIST P-256, SHA-256 "minimal profile"
	ProfileMinP256SHA256 Profile = 1
	// ProfileMinP384SHA384 is NIST P-384, SHA-384 "minimal" profile
	ProfileMinP384SHA384 Profile = 2
	// ProfileP256SHA256 is NIST P-256, SHA-256 "minimal profile"
	ProfileP256SHA256 Profile = 3
	// ProfileP384SHA384 is NIST P-384, SHA-384 "minimal" profile
	ProfileP384SHA384 Profile = 4
)

func GetTransportProfile 

func GetTransportProfile(t Transport) (Profile, error)

GetTransportProfile gets the profile for transport `t`

func (Profile) GetDigestSize 

func (p Profile) GetDigestSize() int

GetDigestSize gets the digest size of the profile's supported hash algorithm

func (Profile) GetECCIntSize 

func (p Profile) GetECCIntSize() int

GetECCIntSize gets the ECC int size of the profile's supported ECC curve

func (Profile) String 

func (p Profile) String() string

type RespHdr 

type RespHdr struct {
	Magic   uint32
	Status  Status
	Profile Profile
}

RespHdr is the DPE response header common to all responses

type RotateContextHandleCmd 

type RotateContextHandleCmd struct {
	Handle ContextHandle
	Flags  RotateContextHandleFlags
}

RotateContextHandleCmd is the input command to RotateContextHandle

type RotateContextHandleFlags 

type RotateContextHandleFlags uint32

RotateContextHandleFlags is the input flags to RotateContextHandle 

const (
	TargetIsDefault RotateContextHandleFlags = 1 << 31
)

Supported RotateContextHandle flags

type RotatedContextHandle 

type RotatedContextHandle struct {
	NewContextHandle ContextHandle
}

RotatedContextHandle is the response from RotateContextHandle

type SHA256Digest 

type SHA256Digest [32]byte

SHA256Digest represents a SHA-256 digest value.

func (SHA256Digest) Bytes 

func (d SHA256Digest) Bytes() []byte

Bytes returns a byte slice of the SHA256 digest

type SHA384Digest 

type SHA384Digest [48]byte

SHA384Digest represents a SHA-384 digest value.

func (SHA384Digest) Bytes 

func (d SHA384Digest) Bytes() []byte

Bytes returns a byte slice of the SHA384 digest

type SignFlags 

type SignFlags uint32

SignFlags is the input flags to Sign

type SignReq 

type SignReq[Digest DigestAlgorithm] struct {
	ContextHandle ContextHandle
	Label         Digest
	Flags         SignFlags
	ToBeSigned    Digest
}

SignReq is the input request to Sign

type SignResp 

type SignResp[Digest DigestAlgorithm] struct {
	NewContextHandle ContextHandle
	SignatureR       Digest
	SignatureS       Digest
}

SignResp is the output response from Sign

type Status 

type Status uint32

Status is a DPE status code 

const (
	StatusInternalError        Status = 1
	StatusInvalidCommand       Status = 2
	StatusInvalidArgument      Status = 3
	StatusArgumentNotSupported Status = 4
	StatusInvalidHandle        Status = 0x1000
	StatusInvalidLocality      Status = 0x1001
	StatusBadTag               Status = 0x1002
	StatusMaxTCIs              Status = 0x1003
	StatusPlatformError        Status = 0x1004
	StatusCryptoError          Status = 0x1005
	StatusHashError            Status = 0x1006
	StatusRandError            Status = 0x1007
)

All spec-defined DPE status codes

func (Status) Error 

func (s Status) Error() string

Error returns an informational string for all DPE error codes

type Support 

type Support struct {
	Simulation          bool
	Recursive           bool
	AutoInit            bool
	RotateContext       bool
	X509                bool
	Csr                 bool
	IsSymmetric         bool
	InternalInfo        bool
	InternalDice        bool
	RetainParentContext bool
	CdiExport           bool
}

Support is the set of features a DPE supports

func (*Support) ToFlags 

func (s *Support) ToFlags() uint32

ToFlags converts support to the profile-defined support flags format

type TestDPEInstance 

type TestDPEInstance interface {
	Transport
	// If power control is unavailable for the given device, return false from
	// HasPowerControl and return an error from PowerOn and PowerOff. For devices
	// that don't support power control but do have reset capability, return true
	// from HasPowerControl leave PowerOn empty and execute the reset in PowerOff.
	HasPowerControl() bool
	// If supported, turns on the device or starts the emulator/simulator.
	PowerOn() error
	// If supported, turns of the device, stops the emulator/simulator, or resets.
	PowerOff() error
	// The Transport implementations are not expected to be able to set the values
	// it supports, but this function is used by tests to know how to test the DPE
	// instance.
	GetSupport() *Support
	// Whether the default context has been initialized.
	GetIsInitialized() bool
	// Set whether the default context has been initialized.
	SetIsInitialized(bool)
	// Returns a slice of all the localities the instance supports.
	GetSupportedLocalities() []uint32
	// Whether the target can artificially control the locality of the caller
	HasLocalityControl() bool
	// Sets the current locality.
	SetLocality(locality uint32)
	// Gets the current locality.
	GetLocality() uint32
	// Returns the Maximum number of the TCIs instance can have.
	GetMaxTciNodes() uint32
	// Returns the major version of the profile the instance implements.
	GetProfileMajorVersion() uint16
	// Returns the minor version of the profile the instance implements.
	GetProfileMinorVersion() uint16
	// Returns the Vendor ID of the profile.
	GetProfileVendorID() uint32
	// Returns the vendor's product SKU.
	GetProfileVendorSku() uint32
}

TestDPEInstance is an extension to the main DPE transport interface with test hooks.

type Transport 

type Transport interface {
	// Send a command to the DPE instance.
	SendCmd(buf []byte) ([]byte, error)
}

Transport is an interface to define how to test and send messages to a DPE instance.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.