Documentation ¶
Overview ¶
Package tpm supports direct communication with a tpm device under Linux.
Index ¶
- Constants
- func ActivateIdentity(rw io.ReadWriter, aikAuth []byte, ownerAuth []byte, aik tpmutil.Handle, ...) ([]byte, error)
- func CloseKey(rw io.ReadWriter, h tpmutil.Handle) error
- func CreateWrapKey(rw io.ReadWriter, srkAuth []byte, usageAuth digest, migrationAuth digest, ...) ([]byte, error)
- func FetchPCRValues(rw io.ReadWriter, pcrVals []int) ([]byte, error)
- func ForceClear(rw io.ReadWriter) error
- func GetKeys(rw io.ReadWriter) ([]tpmutil.Handle, error)
- func GetManufacturer(rw io.ReadWriter) ([]byte, error)
- func GetPubKey(rw io.ReadWriter, keyHandle tpmutil.Handle, srkAuth []byte) ([]byte, error)
- func GetRandom(rw io.ReadWriter, size uint32) ([]byte, error)
- func LoadKey2(rw io.ReadWriter, keyBlob []byte, srkAuth []byte) (tpmutil.Handle, error)
- func MakeIdentity(rw io.ReadWriter, srkAuth []byte, ownerAuth []byte, aikAuth []byte, ...) ([]byte, error)
- func NVReadValue(rw io.ReadWriter, index, offset, len uint32, ownAuth digest) ([]byte, error)
- func NewQuoteInfo(data []byte, pcrNums []int, pcrs []byte) ([]byte, error)
- func OpenTPM(path string) (io.ReadWriteCloser, error)
- func OwnerClear(rw io.ReadWriter, ownerAuth digest) error
- func OwnerReadPubEK(rw io.ReadWriter, ownerAuth digest) ([]byte, error)
- func OwnerReadSRK(rw io.ReadWriter, ownerAuth digest) ([]byte, error)
- func PcrExtend(rw io.ReadWriter, pcrIndex uint32, pcr pcrValue) ([]byte, error)
- func PcrReset(rw io.ReadWriter, pcrs []int) error
- func Quote(rw io.ReadWriter, handle tpmutil.Handle, data []byte, pcrNums []int, ...) ([]byte, []byte, error)
- func Quote2(rw io.ReadWriter, handle tpmutil.Handle, data []byte, pcrVals []int, ...) ([]byte, error)
- func ReadEKCert(rw io.ReadWriter, ownAuth digest) ([]byte, error)
- func ReadPCR(rw io.ReadWriter, pcrIndex uint32) ([]byte, error)
- func ReadPubEK(rw io.ReadWriter) ([]byte, error)
- func Reseal(rw io.ReadWriter, locality byte, pcrs map[int][]byte, data []byte, ...) ([]byte, error)
- func ResetLockValue(rw io.ReadWriter, ownerAuth digest) error
- func Seal(rw io.ReadWriter, locality byte, pcrs []int, data []byte, srkAuth []byte) ([]byte, error)
- func Sign(rw io.ReadWriter, keyAuth []byte, keyHandle tpmutil.Handle, hash crypto.Hash, ...) ([]byte, error)
- func TakeOwnership(rw io.ReadWriter, newOwnerAuth digest, newSRKAuth digest, pubEK []byte) error
- func UnmarshalPubRSAPublicKey(keyBlob []byte) (*rsa.PublicKey, error)
- func UnmarshalRSAPublicKey(keyBlob []byte) (*rsa.PublicKey, error)
- func Unseal(rw io.ReadWriter, sealed []byte, srkAuth []byte) ([]byte, error)
- func VerifyQuote(pk *rsa.PublicKey, data []byte, quote []byte, pcrNums []int, pcrs []byte) error
Constants ¶
const PCRSize int = 20
PCRSize gives the fixed size (20 bytes) of a PCR.
Variables ¶
This section is empty.
Functions ¶
func ActivateIdentity ¶ added in v0.2.0
func ActivateIdentity(rw io.ReadWriter, aikAuth []byte, ownerAuth []byte, aik tpmutil.Handle, asym, sym []byte) ([]byte, error)
ActivateIdentity asks the TPM to decrypt an EKPub encrypted symmetric session key which it uses to decrypt the symmetrically encrypted secret.
func CloseKey ¶
func CloseKey(rw io.ReadWriter, h tpmutil.Handle) error
CloseKey flushes the key associated with the tpmutil.Handle.
func CreateWrapKey ¶
func CreateWrapKey(rw io.ReadWriter, srkAuth []byte, usageAuth digest, migrationAuth digest, pcrs []int) ([]byte, error)
CreateWrapKey creates a new RSA key for signatures inside the TPM. It is wrapped by the SRK (which is to say, the SRK is the parent key). The key can be bound to the specified PCR numbers so that it can only be used for signing if the PCR values of those registers match. The pcrs parameter can be nil in which case the key is not bound to any PCRs. The usageAuth parameter defines the auth key for using this new key. The migrationAuth parameter would be used for authorizing migration of the key (although this code currently disables migration).
func FetchPCRValues ¶
func FetchPCRValues(rw io.ReadWriter, pcrVals []int) ([]byte, error)
FetchPCRValues gets a given sequence of PCR values.
func ForceClear ¶
func ForceClear(rw io.ReadWriter) error
ForceClear is normally used by firmware but on some platforms vendors got it wrong and didn't call TPM_DisableForceClear. It removes forcefully the ownership of the TPM.
func GetKeys ¶
func GetKeys(rw io.ReadWriter) ([]tpmutil.Handle, error)
GetKeys gets the list of handles for currently-loaded TPM keys.
func GetManufacturer ¶ added in v0.2.0
func GetManufacturer(rw io.ReadWriter) ([]byte, error)
GetManufacturer returns the manufacturer ID
func GetPubKey ¶
GetPubKey retrieves an opaque blob containing a public key corresponding to a handle from the TPM.
func GetRandom ¶
func GetRandom(rw io.ReadWriter, size uint32) ([]byte, error)
GetRandom gets random bytes from the TPM.
func LoadKey2 ¶
LoadKey2 loads a key blob (a serialized TPM_KEY or TPM_KEY12) into the TPM and returns a handle for this key.
func MakeIdentity ¶
func MakeIdentity(rw io.ReadWriter, srkAuth []byte, ownerAuth []byte, aikAuth []byte, pk crypto.PublicKey, label []byte) ([]byte, error)
MakeIdentity creates a new AIK with the given new auth value, and the given parameters for the privacy CA that will be used to attest to it. If both pk and label are nil, then the TPM_CHOSENID_HASH is set to all 0s as a special case. MakeIdentity returns a key blob for the newly-created key. The caller must be authorized to use the SRK, since the private part of the AIK is sealed against the SRK. TODO(tmroeder): currently, this code can only create 2048-bit RSA keys.
func NVReadValue ¶ added in v0.2.0
func NVReadValue(rw io.ReadWriter, index, offset, len uint32, ownAuth digest) ([]byte, error)
NVReadValue returns the value from a given index, offset, and length in NVRAM. See TPM-Main-Part-2-TPM-Structures 19.1.
func NewQuoteInfo ¶ added in v0.2.0
NewQuoteInfo computes a quoteInfo structure for a given pair of data and PCR values.
func OpenTPM ¶
func OpenTPM(path string) (io.ReadWriteCloser, error)
OpenTPM opens a channel to the TPM at the given path. If the file is a device, then it treats it like a normal TPM device, and if the file is a Unix domain socket, then it opens a connection to the socket.
func OwnerClear ¶
func OwnerClear(rw io.ReadWriter, ownerAuth digest) error
OwnerClear uses owner auth to clear the TPM. After this operation, the TPM can change ownership.
func OwnerReadPubEK ¶
func OwnerReadPubEK(rw io.ReadWriter, ownerAuth digest) ([]byte, error)
OwnerReadPubEK uses owner auth to get a blob representing the public part of the endorsement key.
func OwnerReadSRK ¶
func OwnerReadSRK(rw io.ReadWriter, ownerAuth digest) ([]byte, error)
OwnerReadSRK uses owner auth to get a blob representing the SRK.
func PcrExtend ¶
func PcrExtend(rw io.ReadWriter, pcrIndex uint32, pcr pcrValue) ([]byte, error)
PcrExtend extends a value into the right PCR by index.
func PcrReset ¶
func PcrReset(rw io.ReadWriter, pcrs []int) error
PcrReset resets the given PCRs. Given typical locality restrictions, this can usually only be 16 or 23.
func Quote ¶
func Quote(rw io.ReadWriter, handle tpmutil.Handle, data []byte, pcrNums []int, aikAuth []byte) ([]byte, []byte, error)
Quote produces a TPM quote for the given data under the given PCRs. It uses AIK auth and a given AIK handle.
func Quote2 ¶
func Quote2(rw io.ReadWriter, handle tpmutil.Handle, data []byte, pcrVals []int, addVersion byte, aikAuth []byte) ([]byte, error)
Quote2 performs a quote operation on the TPM for the given data, under the key associated with the handle and for the pcr values specified in the call.
func ReadEKCert ¶ added in v0.2.0
func ReadEKCert(rw io.ReadWriter, ownAuth digest) ([]byte, error)
ReadEKCert reads the EKCert from the NVRAM. The TCG PC Client specifies additional headers that are to be stored with the EKCert, we parse them here and return only the DER encoded certificate. TCG PC Client Specific Implementation Specification for Conventional BIOS 7.4.4 https://www.trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientImplementation_1-21_1_00.pdf
func ReadPCR ¶
func ReadPCR(rw io.ReadWriter, pcrIndex uint32) ([]byte, error)
ReadPCR reads a PCR value from the TPM.
func ReadPubEK ¶
func ReadPubEK(rw io.ReadWriter) ([]byte, error)
ReadPubEK reads the public part of the endorsement key when no owner is established.
func Reseal ¶
func Reseal(rw io.ReadWriter, locality byte, pcrs map[int][]byte, data []byte, srkAuth []byte) ([]byte, error)
Reseal takes a pre-calculated PCR map and locality in order to seal data with a srkAuth. This function is necessary for PCR pre-calculation and later sealing to provide a way of updating software which is part of a measured boot process.
func ResetLockValue ¶
func ResetLockValue(rw io.ReadWriter, ownerAuth digest) error
ResetLockValue resets the dictionary-attack value in the TPM; this allows the TPM to start working again after authentication errors without waiting for the dictionary-attack defenses to time out. This requires owner authentication.
func Sign ¶
func Sign(rw io.ReadWriter, keyAuth []byte, keyHandle tpmutil.Handle, hash crypto.Hash, hashed []byte) ([]byte, error)
Sign will sign a digest using the supplied key handle. Uses PKCS1v15 signing, which means the hash OID is prefixed to the hash before it is signed. Therefore the hash used needs to be passed as the hash parameter to determine the right prefix.
func TakeOwnership ¶
func TakeOwnership(rw io.ReadWriter, newOwnerAuth digest, newSRKAuth digest, pubEK []byte) error
TakeOwnership takes over a TPM and inserts a new owner auth value and generates a new SRK, associating it with a new SRK auth value. This operation can only be performed if there isn't already an owner for the TPM. The pub EK blob can be acquired by calling ReadPubEK if there is no owner, or OwnerReadPubEK if there is.
func UnmarshalPubRSAPublicKey ¶
UnmarshalPubRSAPublicKey takes in a blob containing a serialized RSA TPM_PUBKEY and converts it to a crypto/rsa.PublicKey.
func UnmarshalRSAPublicKey ¶
UnmarshalRSAPublicKey takes in a blob containing a serialized RSA TPM_KEY and converts it to a crypto/rsa.PublicKey.
Types ¶
This section is empty.