tpm

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 6, 2019 License: Apache-2.0 Imports: 15 Imported by: 108

Documentation

Overview

Package tpm supports direct communication with a tpm device under Linux.

Index

Constants

View Source
const PCRSize int = 20

PCRSize gives the fixed size (20 bytes) of a PCR.

Variables

This section is empty.

Functions

func ActivateIdentity added in v0.2.0

func ActivateIdentity(rw io.ReadWriter, aikAuth []byte, ownerAuth []byte, aik tpmutil.Handle, asym, sym []byte) ([]byte, error)

ActivateIdentity asks the TPM to decrypt an EKPub encrypted symmetric session key which it uses to decrypt the symmetrically encrypted secret.

func CloseKey

func CloseKey(rw io.ReadWriter, h tpmutil.Handle) error

CloseKey flushes the key associated with the tpmutil.Handle.

func CreateWrapKey

func CreateWrapKey(rw io.ReadWriter, srkAuth []byte, usageAuth digest, migrationAuth digest, pcrs []int) ([]byte, error)

CreateWrapKey creates a new RSA key for signatures inside the TPM. It is wrapped by the SRK (which is to say, the SRK is the parent key). The key can be bound to the specified PCR numbers so that it can only be used for signing if the PCR values of those registers match. The pcrs parameter can be nil in which case the key is not bound to any PCRs. The usageAuth parameter defines the auth key for using this new key. The migrationAuth parameter would be used for authorizing migration of the key (although this code currently disables migration).

func FetchPCRValues

func FetchPCRValues(rw io.ReadWriter, pcrVals []int) ([]byte, error)

FetchPCRValues gets a given sequence of PCR values.

func ForceClear

func ForceClear(rw io.ReadWriter) error

ForceClear is normally used by firmware but on some platforms vendors got it wrong and didn't call TPM_DisableForceClear. It removes forcefully the ownership of the TPM.

func GetKeys

func GetKeys(rw io.ReadWriter) ([]tpmutil.Handle, error)

GetKeys gets the list of handles for currently-loaded TPM keys.

func GetManufacturer added in v0.2.0

func GetManufacturer(rw io.ReadWriter) ([]byte, error)

GetManufacturer returns the manufacturer ID

func GetPubKey

func GetPubKey(rw io.ReadWriter, keyHandle tpmutil.Handle, srkAuth []byte) ([]byte, error)

GetPubKey retrieves an opaque blob containing a public key corresponding to a handle from the TPM.

func GetRandom

func GetRandom(rw io.ReadWriter, size uint32) ([]byte, error)

GetRandom gets random bytes from the TPM.

func LoadKey2

func LoadKey2(rw io.ReadWriter, keyBlob []byte, srkAuth []byte) (tpmutil.Handle, error)

LoadKey2 loads a key blob (a serialized TPM_KEY or TPM_KEY12) into the TPM and returns a handle for this key.

func MakeIdentity

func MakeIdentity(rw io.ReadWriter, srkAuth []byte, ownerAuth []byte, aikAuth []byte, pk crypto.PublicKey, label []byte) ([]byte, error)

MakeIdentity creates a new AIK with the given new auth value, and the given parameters for the privacy CA that will be used to attest to it. If both pk and label are nil, then the TPM_CHOSENID_HASH is set to all 0s as a special case. MakeIdentity returns a key blob for the newly-created key. The caller must be authorized to use the SRK, since the private part of the AIK is sealed against the SRK. TODO(tmroeder): currently, this code can only create 2048-bit RSA keys.

func NVReadValue added in v0.2.0

func NVReadValue(rw io.ReadWriter, index, offset, len uint32, ownAuth digest) ([]byte, error)

NVReadValue returns the value from a given index, offset, and length in NVRAM. See TPM-Main-Part-2-TPM-Structures 19.1.

func NewQuoteInfo added in v0.2.0

func NewQuoteInfo(data []byte, pcrNums []int, pcrs []byte) ([]byte, error)

NewQuoteInfo computes a quoteInfo structure for a given pair of data and PCR values.

func OpenTPM

func OpenTPM(path string) (io.ReadWriteCloser, error)

OpenTPM opens a channel to the TPM at the given path. If the file is a device, then it treats it like a normal TPM device, and if the file is a Unix domain socket, then it opens a connection to the socket.

func OwnerClear

func OwnerClear(rw io.ReadWriter, ownerAuth digest) error

OwnerClear uses owner auth to clear the TPM. After this operation, the TPM can change ownership.

func OwnerReadPubEK

func OwnerReadPubEK(rw io.ReadWriter, ownerAuth digest) ([]byte, error)

OwnerReadPubEK uses owner auth to get a blob representing the public part of the endorsement key.

func OwnerReadSRK

func OwnerReadSRK(rw io.ReadWriter, ownerAuth digest) ([]byte, error)

OwnerReadSRK uses owner auth to get a blob representing the SRK.

func PcrExtend

func PcrExtend(rw io.ReadWriter, pcrIndex uint32, pcr pcrValue) ([]byte, error)

PcrExtend extends a value into the right PCR by index.

func PcrReset

func PcrReset(rw io.ReadWriter, pcrs []int) error

PcrReset resets the given PCRs. Given typical locality restrictions, this can usually only be 16 or 23.

func Quote

func Quote(rw io.ReadWriter, handle tpmutil.Handle, data []byte, pcrNums []int, aikAuth []byte) ([]byte, []byte, error)

Quote produces a TPM quote for the given data under the given PCRs. It uses AIK auth and a given AIK handle.

func Quote2

func Quote2(rw io.ReadWriter, handle tpmutil.Handle, data []byte, pcrVals []int, addVersion byte, aikAuth []byte) ([]byte, error)

Quote2 performs a quote operation on the TPM for the given data, under the key associated with the handle and for the pcr values specified in the call.

func ReadEKCert added in v0.2.0

func ReadEKCert(rw io.ReadWriter, ownAuth digest) ([]byte, error)

ReadEKCert reads the EKCert from the NVRAM. The TCG PC Client specifies additional headers that are to be stored with the EKCert, we parse them here and return only the DER encoded certificate. TCG PC Client Specific Implementation Specification for Conventional BIOS 7.4.4 https://www.trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientImplementation_1-21_1_00.pdf

func ReadPCR

func ReadPCR(rw io.ReadWriter, pcrIndex uint32) ([]byte, error)

ReadPCR reads a PCR value from the TPM.

func ReadPubEK

func ReadPubEK(rw io.ReadWriter) ([]byte, error)

ReadPubEK reads the public part of the endorsement key when no owner is established.

func Reseal

func Reseal(rw io.ReadWriter, locality byte, pcrs map[int][]byte, data []byte, srkAuth []byte) ([]byte, error)

Reseal takes a pre-calculated PCR map and locality in order to seal data with a srkAuth. This function is necessary for PCR pre-calculation and later sealing to provide a way of updating software which is part of a measured boot process.

func ResetLockValue

func ResetLockValue(rw io.ReadWriter, ownerAuth digest) error

ResetLockValue resets the dictionary-attack value in the TPM; this allows the TPM to start working again after authentication errors without waiting for the dictionary-attack defenses to time out. This requires owner authentication.

func Seal

func Seal(rw io.ReadWriter, locality byte, pcrs []int, data []byte, srkAuth []byte) ([]byte, error)

Seal encrypts data against a given locality and PCRs and returns the sealed data.

func Sign

func Sign(rw io.ReadWriter, keyAuth []byte, keyHandle tpmutil.Handle, hash crypto.Hash, hashed []byte) ([]byte, error)

Sign will sign a digest using the supplied key handle. Uses PKCS1v15 signing, which means the hash OID is prefixed to the hash before it is signed. Therefore the hash used needs to be passed as the hash parameter to determine the right prefix.

func TakeOwnership

func TakeOwnership(rw io.ReadWriter, newOwnerAuth digest, newSRKAuth digest, pubEK []byte) error

TakeOwnership takes over a TPM and inserts a new owner auth value and generates a new SRK, associating it with a new SRK auth value. This operation can only be performed if there isn't already an owner for the TPM. The pub EK blob can be acquired by calling ReadPubEK if there is no owner, or OwnerReadPubEK if there is.

func UnmarshalPubRSAPublicKey

func UnmarshalPubRSAPublicKey(keyBlob []byte) (*rsa.PublicKey, error)

UnmarshalPubRSAPublicKey takes in a blob containing a serialized RSA TPM_PUBKEY and converts it to a crypto/rsa.PublicKey.

func UnmarshalRSAPublicKey

func UnmarshalRSAPublicKey(keyBlob []byte) (*rsa.PublicKey, error)

UnmarshalRSAPublicKey takes in a blob containing a serialized RSA TPM_KEY and converts it to a crypto/rsa.PublicKey.

func Unseal

func Unseal(rw io.ReadWriter, sealed []byte, srkAuth []byte) ([]byte, error)

Unseal decrypts data encrypted by the TPM.

func VerifyQuote

func VerifyQuote(pk *rsa.PublicKey, data []byte, quote []byte, pcrNums []int, pcrs []byte) error

VerifyQuote verifies a quote against a given set of PCRs.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL