Documentation
¶
Index ¶
- Variables
- func Decode(s string) ([]byte, error)
- func EKAttributesFromConfig(config EKConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
- func Encode(bytes []byte) string
- func EncodePCRs(pcrBanks []PCRBank) ([]byte, error)
- func EncodeQuote(quote Quote) ([]byte, error)
- func HierarchyName(hierarchy tpm2.TPMHandle) string
- func IAKAttributesFromConfig(soPIN keystore.Password, config *IAKConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
- func IDevIDAttributesFromConfig(config IDevIDConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
- func LDevIDAttributesFromConfig(config LDevIDConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
- func NewPlatformPassword(logger *logging.Logger, tpm TrustedPlatformModule, ...) keystore.Password
- func PackIDevIDCSR(csr *TCG_CSR_IDEVID) ([]byte, error)
- func PackIDevIDContent(content *TCG_IDEVID_CONTENT) ([]byte, error)
- func ParseHashAlg(hash crypto.Hash) (tpm2.TPMIAlgHash, error)
- func ParseHashAlgFromString(hash string) (tpm2.TPMIAlgHash, error)
- func ParseHashSize(hash crypto.Hash) (uint32, error)
- func ParseHierarchy(hierarchyType string) (tpm2.TPMIRHHierarchy, error)
- func SRKAttributesFromConfig(config SRKConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
- type AKProfile
- type Config
- type EKConfig
- type IAKConfig
- type IDevIDConfig
- type KeyStoreConfig
- type LAKConfig
- type LDevIDConfig
- type PCR
- type PCRBank
- type Params
- type PlatformPassword
- type PropertiesFixed
- type Quote
- type SRKConfig
- type TCGVendorID
- type TCG_CSR_IDEVID
- type TCG_CSR_LDEVID
- type TCG_IDEVID_CONTENT
- type TCG_LDEVID_CONTENT
- type TPM2
- func (tpm *TPM2) AKProfile() (AKProfile, error)
- func (tpm *TPM2) ActivateCredential(credentialBlob, encryptedSecret []byte) ([]byte, error)
- func (tpm *TPM2) Clear(hierarchyAuth []byte, hierarchy tpm2.TPMHandle) error
- func (tpm *TPM2) Close() error
- func (tpm *TPM2) Config() *Config
- func (tpm *TPM2) CreateECDSA(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) (*ecdsa.PublicKey, error)
- func (tpm *TPM2) CreateEK(ekAttrs *keystore.KeyAttributes) error
- func (tpm *TPM2) CreateIAK(ekAttrs *keystore.KeyAttributes) (*keystore.KeyAttributes, error)
- func (tpm *TPM2) CreateIDevID(akAttrs *keystore.KeyAttributes, ekCert *x509.Certificate) (*keystore.KeyAttributes, *TCG_CSR_IDEVID, error)
- func (tpm *TPM2) CreateKeySession(keyAttrs *keystore.KeyAttributes) (tpm2.Session, func() error, error)
- func (tpm *TPM2) CreatePlatformPolicy() error
- func (tpm *TPM2) CreateRSA(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) (*rsa.PublicKey, error)
- func (tpm *TPM2) CreateSRK(srkAttrs *keystore.KeyAttributes) error
- func (tpm *TPM2) CreateSecretKey(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) error
- func (tpm *TPM2) CreateSession(keyAttrs *keystore.KeyAttributes) (tpm2.Session, func() error, error)
- func (tpm *TPM2) CreateTCG_CSR_IDEVID(ekCert *x509.Certificate, akAttrs *keystore.KeyAttributes, ...) (TCG_CSR_IDEVID, error)
- func (tpm *TPM2) DeleteKey(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) error
- func (tpm *TPM2) DeleteKeyPair(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) error
- func (tpm *TPM2) Device() string
- func (tpm *TPM2) EK() crypto.PublicKey
- func (tpm *TPM2) EKAttributes() (*keystore.KeyAttributes, error)
- func (tpm *TPM2) EKCertificate() (*x509.Certificate, error)
- func (tpm *TPM2) EKECC() *ecdsa.PublicKey
- func (tpm *TPM2) EKPublic() (tpm2.TPM2BName, tpm2.TPMTPublic)
- func (tpm *TPM2) EKRSA() *rsa.PublicKey
- func (tpm *TPM2) EventLog() ([]byte, error)
- func (tpm *TPM2) FixedProperties() (*PropertiesFixed, error)
- func (tpm *TPM2) Flush(handle tpm2.TPMHandle)
- func (tpm *TPM2) GoldenMeasurements() []byte
- func (tpm *TPM2) HMAC(auth []byte) tpm2.Session
- func (tpm *TPM2) HMACSaltedSession(handle tpm2.TPMHandle, pub tpm2.TPMTPublic, auth []byte) (s tpm2.Session, close func() error, err error)
- func (tpm *TPM2) HMACSession(auth []byte) (s tpm2.Session, close func() error, err error)
- func (tpm *TPM2) Hash(keyAttrs *keystore.KeyAttributes, data []byte) ([]byte, []byte, error)
- func (tpm *TPM2) HashSequence(keyAttrs *keystore.KeyAttributes, data []byte) ([]byte, []byte, error)
- func (tpm *TPM2) IAK() crypto.PublicKey
- func (tpm *TPM2) IAKAttributes() (*keystore.KeyAttributes, error)
- func (tpm *TPM2) IDevID() crypto.PublicKey
- func (tpm *TPM2) IDevIDAttributes() (*keystore.KeyAttributes, error)
- func (tpm *TPM2) Info() (string, error)
- func (tpm *TPM2) Install(soPIN keystore.Password) error
- func (tpm *TPM2) IsFIPS140_2() (bool, error)
- func (tpm *TPM2) KeyAttributes(handle tpm2.TPMHandle) (*keystore.KeyAttributes, error)
- func (tpm *TPM2) LoadKeyPair(keyAttrs *keystore.KeyAttributes, session *tpm2.Session, ...) (*tpm2.LoadResponse, error)
- func (tpm *TPM2) MakeCredential(akName tpm2.TPM2BName, secret []byte) ([]byte, []byte, []byte, error)
- func (tpm *TPM2) NVRead(keyAttrs *keystore.KeyAttributes, dataSize uint16) ([]byte, error)
- func (tpm *TPM2) NVWrite(keyAttrs *keystore.KeyAttributes) error
- func (tpm *TPM2) NonceSession(hierarchyAuth keystore.Password) (tpm2.Session, func() error, error)
- func (tpm *TPM2) Open() error
- func (tpm *TPM2) ParsePublicKey(tpm2BPublic []byte) (crypto.PublicKey, error)
- func (tpm *TPM2) PlatformPolicyDigest() tpm2.TPM2BDigest
- func (tpm *TPM2) PlatformPolicyDigestHash() ([]byte, error)
- func (tpm *TPM2) PlatformPolicySession() (tpm2.Session, func() error, error)
- func (tpm *TPM2) PlatformQuote(keyAttrs *keystore.KeyAttributes) (Quote, []byte, error)
- func (tpm *TPM2) Provision(soPIN keystore.Password) error
- func (tpm *TPM2) ProvisionEKCert(hierarchyAuth, ekCertDER []byte) error
- func (tpm *TPM2) ProvisionOwner(soPIN keystore.Password) (*keystore.KeyAttributes, error)
- func (tpm *TPM2) Quote(pcrs []uint, nonce []byte) (Quote, error)
- func (tpm *TPM2) RSADecrypt(handle tpm2.TPMHandle, blob []byte) ([]byte, error)
- func (tpm *TPM2) RSAEncrypt(handle tpm2.TPMHandle, message []byte) ([]byte, error)
- func (tpm *TPM2) Random() ([]byte, error)
- func (tpm *TPM2) RandomBytes(fixedLength int) ([]byte, error)
- func (tpm *TPM2) RandomHex(fixedLength int) ([]byte, error)
- func (tpm *TPM2) Read(data []byte) (n int, err error)
- func (tpm *TPM2) ReadHandle(handle tpm2.TPMHandle) (tpm2.TPM2BName, tpm2.TPMTPublic, error)
- func (tpm *TPM2) ReadPCRs(pcrList []uint) ([]PCRBank, error)
- func (tpm *TPM2) SSRKAttributes() (*keystore.KeyAttributes, error)
- func (tpm *TPM2) SSRKPublic() (tpm2.TPM2BName, tpm2.TPMTPublic)
- func (tpm *TPM2) SaveKeyPair(keyAttrs *keystore.KeyAttributes, outPrivate tpm2.TPM2BPrivate, ...) error
- func (tpm *TPM2) Seal(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) (*tpm2.CreateResponse, error)
- func (tpm *TPM2) SetHierarchyAuth(oldPasswd, newPasswd keystore.Password, hierarchy *tpm2.TPMHandle) error
- func (tpm *TPM2) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
- func (tpm *TPM2) SignValidate(keyAttrs *keystore.KeyAttributes, digest, validationDigest []byte) ([]byte, error)
- func (tpm *TPM2) Transport() transport.TPM
- func (tpm *TPM2) Unseal(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) ([]byte, error)
- func (tpm *TPM2) VerifyCSR(csr *TCG_CSR_IDEVID, signatureAlgorithm x509.SignatureAlgorithm) (*keystore.KeyAttributes, *UNPACKED_TCG_CSR_IDEVID, error)
- type TrustedPlatformModule
- type UNPACKED_TCG_CSR_IDEVID
- type UNPACKED_TCG_CSR_LDEVID
- type UNPACKED_TCG_IDEVID_CONTENT
- type UNPACKED_TCG_LDEVID_CONTENT
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidHierarchyType = errors.New("tpm2: invalid hierarchy type") DefaultConfig = Config{ EncryptSession: false, UseEntropy: false, Device: "/dev/tpmrm0", UseSimulator: true, Hash: "SHA-256", EK: &EKConfig{ CertHandle: 0x01C00002, Handle: 0x81010001, HierarchyAuth: keystore.DEFAULT_PASSWORD, KeyAlgorithm: x509.RSA.String(), RSAConfig: &keystore.RSAConfig{ KeySize: 2048, }, }, FileIntegrity: []string{ "./", }, IAK: &IAKConfig{ CN: "device-id-001", Debug: true, Hash: crypto.SHA256.String(), Handle: uint32(0x81010002), KeyAlgorithm: x509.RSA.String(), RSAConfig: &keystore.RSAConfig{ KeySize: 2048, }, SignatureAlgorithm: x509.SHA256WithRSAPSS.String(), }, KeyStore: &KeyStoreConfig{ SRKAuth: "platform", SRKHandle: 0x81000002, PlatformPolicy: true, }, PlatformPCR: uint(16), SSRK: &SRKConfig{ Handle: 0x81000001, HierarchyAuth: keystore.DEFAULT_PASSWORD, KeyAlgorithm: x509.RSA.String(), RSAConfig: &keystore.RSAConfig{ KeySize: 2048, }, }, } )
var ( ErrInvalidAKAttributes = errors.New("tpm: invalid AK attributes") ErrInvalidEKCertFormat = errors.New("tpm: invalid endorsement certificate format") ErrInvalidEKAttributes = errors.New("tpm: invalid EK attributes") ErrInvalidEKCert = errors.New("tpm: failed to verify endorsement key certificate") ErrDeviceAlreadyOpen = errors.New("tpm: device already open") ErrOpeningDevice = errors.New("tpm: error opening device") ErrInvalidSessionType = errors.New("tpm: invalid session type") ErrInvalidSRKAuth = errors.New("tpm: invalid storage root key auth") ErrInvalidActivationCredential = errors.New("tpm: invalid activation credential") ErrHashAlgorithmNotSupported = errors.New("tpm: hash algorithm not supported") ErrInvalidPolicyDigest = errors.New("tpm: invalid policy digest") ErrInvalidHandle = errors.New("tpm: invalid entity handle") ErrUnexpectedRandomBytes = errors.New("tpm: unexpected number of random bytes read") ErrInvalidPCRIndex = errors.New("tpm: invalid PCR index") ErrInvalidNonce = errors.New("tpm: invalid nonce") ErrNotInitialized = errors.New("tpm: not initialized") ErrEndorsementCertNotFound = errors.New("tpm: endorsement certificate not found") ErrInvalidKeyStoreConfiguration = errors.New("tpm: invalid key store configuration") ErrInvalidHashFunction = errors.New("tpm: invalid hash function") ErrInvalidSessionAuthorization = errors.New("tpm: invalid session authorization") ErrMissingMeasurementLog = errors.New("tpm: binary measurement log not found") ErrRSAPSSNotSupported = errors.New("tpm: RSA-PSS not supported by this TPM") // TPM_RC errors ErrCommandNotSupported = tpm2.TPMRC(0xb0143) // RSA SSA Template RSASSATemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgRSA, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ SignEncrypt: true, FixedTPM: true, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, }, AuthPolicy: tpm2.TPM2BDigest{}, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgRSA, &tpm2.TPMSRSAParms{ Scheme: tpm2.TPMTRSAScheme{ Scheme: tpm2.TPMAlgRSASSA, Details: tpm2.NewTPMUAsymScheme( tpm2.TPMAlgRSASSA, &tpm2.TPMSSigSchemeRSASSA{ HashAlg: tpm2.TPMAlgSHA256, }, ), }, KeyBits: 2048, }, ), Unique: tpm2.NewTPMUPublicID( tpm2.TPMAlgRSA, &tpm2.TPM2BPublicKeyRSA{ Buffer: make([]byte, 256), }, ), } // RSA PSS Template RSAPSSTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgRSA, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ SignEncrypt: true, FixedTPM: true, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, }, AuthPolicy: tpm2.TPM2BDigest{}, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgRSA, &tpm2.TPMSRSAParms{ Scheme: tpm2.TPMTRSAScheme{ Scheme: tpm2.TPMAlgRSAPSS, Details: tpm2.NewTPMUAsymScheme( tpm2.TPMAlgRSAPSS, &tpm2.TPMSSigSchemeRSAPSS{ HashAlg: tpm2.TPMAlgSHA256, }, ), }, KeyBits: 2048, }, ), Unique: tpm2.NewTPMUPublicID( tpm2.TPMAlgRSA, &tpm2.TPM2BPublicKeyRSA{ Buffer: make([]byte, 256), }, ), } // ECC P256 Template ECCP256Template = tpm2.TPMTPublic{ Type: tpm2.TPMAlgECC, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ SignEncrypt: true, FixedTPM: true, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, }, AuthPolicy: tpm2.TPM2BDigest{}, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgECC, &tpm2.TPMSECCParms{ CurveID: tpm2.TPMECCNistP256, Scheme: tpm2.TPMTECCScheme{ Scheme: tpm2.TPMAlgECDSA, Details: tpm2.NewTPMUAsymScheme( tpm2.TPMAlgECDSA, &tpm2.TPMSSigSchemeECDSA{ HashAlg: tpm2.TPMAlgSHA256, }, ), }, }, ), } // RSA SSA AK Template (restricted signing, not decrypting, fixedtpm) RSASSAAKTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgRSA, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, Restricted: true, SignEncrypt: true, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgRSA, &tpm2.TPMSRSAParms{ Scheme: tpm2.TPMTRSAScheme{ Scheme: tpm2.TPMAlgRSASSA, Details: tpm2.NewTPMUAsymScheme( tpm2.TPMAlgRSASSA, &tpm2.TPMSSigSchemeRSASSA{ HashAlg: tpm2.TPMAlgSHA256, }, ), }, KeyBits: 2048, }, ), Unique: tpm2.NewTPMUPublicID( tpm2.TPMAlgRSA, &tpm2.TPM2BPublicKeyRSA{ Buffer: make([]byte, 256), }, ), } // RSA PSS AK Template (restricted signing, not decrypting, fixedtpm) RSAPSSAKTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgRSA, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, Restricted: true, SignEncrypt: true, }, AuthPolicy: tpm2.TPM2BDigest{}, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgRSA, &tpm2.TPMSRSAParms{ Scheme: tpm2.TPMTRSAScheme{ Scheme: tpm2.TPMAlgRSAPSS, Details: tpm2.NewTPMUAsymScheme( tpm2.TPMAlgRSAPSS, &tpm2.TPMSSigSchemeRSAPSS{ HashAlg: tpm2.TPMAlgSHA256, }, ), }, KeyBits: 2048, }, ), Unique: tpm2.NewTPMUPublicID( tpm2.TPMAlgRSA, &tpm2.TPM2BPublicKeyRSA{ Buffer: make([]byte, 256), }, ), } // ECC P256 AK Template (restricted signing, not decrypting, fixedtpm) ECCAKP256Template = tpm2.TPMTPublic{ Type: tpm2.TPMAlgECC, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, Restricted: true, SignEncrypt: true, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgECC, &tpm2.TPMSECCParms{ CurveID: tpm2.TPMECCNistP256, Scheme: tpm2.TPMTECCScheme{ Scheme: tpm2.TPMAlgECDSA, Details: tpm2.NewTPMUAsymScheme( tpm2.TPMAlgECDSA, &tpm2.TPMSSigSchemeECDSA{ HashAlg: tpm2.TPMAlgSHA256, }, ), }, }, ), } // RSA SSA IDevID Template (non-restricted signing, not decrypting, fixedtpm) RSASSAIDevIDTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgRSA, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, SignEncrypt: true, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgRSA, &tpm2.TPMSRSAParms{ Scheme: tpm2.TPMTRSAScheme{ Scheme: tpm2.TPMAlgRSASSA, Details: tpm2.NewTPMUAsymScheme( tpm2.TPMAlgRSASSA, &tpm2.TPMSSigSchemeRSASSA{ HashAlg: tpm2.TPMAlgSHA256, }, ), }, KeyBits: 2048, }, ), Unique: tpm2.NewTPMUPublicID( tpm2.TPMAlgRSA, &tpm2.TPM2BPublicKeyRSA{ Buffer: make([]byte, 256), }, ), } // RSA PSS IDevID Template (non-restricted signing, not decrypting, fixedtpm) RSAPSSIDevIDTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgRSA, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, SignEncrypt: true, }, AuthPolicy: tpm2.TPM2BDigest{}, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgRSA, &tpm2.TPMSRSAParms{ Scheme: tpm2.TPMTRSAScheme{ Scheme: tpm2.TPMAlgRSAPSS, Details: tpm2.NewTPMUAsymScheme( tpm2.TPMAlgRSAPSS, &tpm2.TPMSSigSchemeRSAPSS{ HashAlg: tpm2.TPMAlgSHA256, }, ), }, KeyBits: 2048, }, ), Unique: tpm2.NewTPMUPublicID( tpm2.TPMAlgRSA, &tpm2.TPM2BPublicKeyRSA{ Buffer: make([]byte, 256), }, ), } // ECC P256 IDevID Template (non-restricted signing, not decrypting, fixedtpm) ECCIDevIDP256Template = tpm2.TPMTPublic{ Type: tpm2.TPMAlgECC, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, SignEncrypt: true, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgECC, &tpm2.TPMSECCParms{ CurveID: tpm2.TPMECCNistP256, Scheme: tpm2.TPMTECCScheme{ Scheme: tpm2.TPMAlgECDSA, Details: tpm2.NewTPMUAsymScheme( tpm2.TPMAlgECDSA, &tpm2.TPMSSigSchemeECDSA{ HashAlg: tpm2.TPMAlgSHA256, }, ), }, }, ), } AES128CFBTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgSymCipher, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, STClear: false, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, AdminWithPolicy: false, NoDA: true, EncryptedDuplication: false, Restricted: true, Decrypt: true, SignEncrypt: false, }, AuthPolicy: tpm2.TPM2BDigest{}, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgSymCipher, &tpm2.TPMSSymCipherParms{ Sym: tpm2.TPMTSymDefObject{ Algorithm: tpm2.TPMAlgAES, Mode: tpm2.NewTPMUSymMode(tpm2.TPMAlgAES, tpm2.TPMAlgCFB), KeyBits: tpm2.NewTPMUSymKeyBits( tpm2.TPMAlgAES, tpm2.TPMKeyBits(128), ), }, }, ), } AES256CFBTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgSymCipher, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, STClear: false, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, AdminWithPolicy: false, NoDA: true, EncryptedDuplication: false, Restricted: true, Decrypt: true, SignEncrypt: false, }, AuthPolicy: tpm2.TPM2BDigest{}, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgSymCipher, &tpm2.TPMSSymCipherParms{ Sym: tpm2.TPMTSymDefObject{ Algorithm: tpm2.TPMAlgAES, Mode: tpm2.NewTPMUSymMode(tpm2.TPMAlgAES, tpm2.TPMAlgCFB), KeyBits: tpm2.NewTPMUSymKeyBits( tpm2.TPMAlgAES, tpm2.TPMKeyBits(256), ), }, }, ), } // Keyed hash / HMAC Template KeyedHashTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgKeyedHash, NameAlg: tpm2.TPMAlgSHA256, AuthPolicy: tpm2.TPM2BDigest{}, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, FixedParent: true, UserWithAuth: true, }, } )
var ( // TPM_RC_SIGNATURE (parameter 2): the signature is not valid ErrInvalidSignature = errors.New("tpm: invalid signature") )
Functions ¶
func EKAttributesFromConfig ¶
func EKAttributesFromConfig(config EKConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
func EncodePCRs ¶
Encodes a PCR bank slice to binary using the encoding/gob package
func EncodeQuote ¶
Encodes a quote to binary using the encoding/gob package
func HierarchyName ¶
func IAKAttributesFromConfig ¶
func IAKAttributesFromConfig( soPIN keystore.Password, config *IAKConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
func IDevIDAttributesFromConfig ¶
func IDevIDAttributesFromConfig( config IDevIDConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
func LDevIDAttributesFromConfig ¶
func LDevIDAttributesFromConfig( config LDevIDConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
func NewPlatformPassword ¶
func NewPlatformPassword( logger *logging.Logger, tpm TrustedPlatformModule, keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) keystore.Password
Just-in-time password retrieval of TPM keyed hash (HMAC) objects used for password storage. This object keeps the password sealed to the TPM and retrieves it when the String() or Bytes() method is called, using the platform PCR authorization session policy.
func PackIDevIDCSR ¶
func PackIDevIDCSR(csr *TCG_CSR_IDEVID) ([]byte, error)
Packs the TCG-CSR-IDEVID into a big endian binary byte array
func PackIDevIDContent ¶
func PackIDevIDContent(content *TCG_IDEVID_CONTENT) ([]byte, error)
Packs the TCG_IDEVID_CONTENT structure into a big endian byte array
func ParseHashAlg ¶
func ParseHashAlg(hash crypto.Hash) (tpm2.TPMIAlgHash, error)
func ParseHashAlgFromString ¶
func ParseHashAlgFromString(hash string) (tpm2.TPMIAlgHash, error)
func ParseHierarchy ¶
func ParseHierarchy(hierarchyType string) (tpm2.TPMIRHHierarchy, error)
func SRKAttributesFromConfig ¶
func SRKAttributesFromConfig(config SRKConfig, policyDigest *tpm2.TPM2BDigest) (*keystore.KeyAttributes, error)
Types ¶
type Config ¶
type Config struct {
Device string `yaml:"device" json:"device" mapstructure:"device"`
EncryptSession bool `yaml:"encrypt-sessions" json:"encrypt_sessions" mapstructure:"encrypt-sessions"`
EK *EKConfig `yaml:"ek" json:"ek" mapstructure:"ek"`
FileIntegrity []string `yaml:"file-integrity" json:"file_integrity" mapstructure:"file-integrity"`
Hash string `yaml:"hash" json:"hash" mapstructure:"hash"`
IAK *IAKConfig `yaml:"iak" json:"iak" mapstructure:"iak"`
IDevID *IDevIDConfig `yaml:"idevid" json:"idevid" mapstructure:"idevid"`
KeyStore *KeyStoreConfig `yaml:"keystore" json:"keystore" mapstructure:"keystore"`
LockoutAuth string `yaml:"lockout-auth" json:"lockout-auth" mapstructure:"lockout-auth"`
PlatformPCR uint `yaml:"platform-pcr" json:"platform_pcr" mapstructure:"platform-pcr"`
SSRK *SRKConfig `yaml:"ssrk" json:"ssrk" mapstructure:"ssrk"`
UseEntropy bool `yaml:"entropy" json:"entropy" mapstructure:"entropyr"`
UseSimulator bool `yaml:"simulator" json:"simulator" mapstructure:"simulator"`
}
type EKConfig ¶
type EKConfig struct {
CertHandle uint32 `yaml:"cert-handle" json:"cert-handle" mapstructure:"cert-handle"`
CN string `yaml:"cn" json:"cn" mapstructure:"cn"`
Debug bool `json:"debug" yaml:"debug" mapstructure:"debug"`
ECCConfig *keystore.ECCConfig `yaml:"ecc" json:"ecc" mapstructure:"ecc"`
Handle uint32 `yaml:"handle" json:"handle" mapstructure:"handle"`
HierarchyAuth string `yaml:"hierarchy-auth" json:"hierarchy_auth" mapstructure:"hierarchy-auth"`
KeyAlgorithm string `yaml:"algorithm" json:"algorithm" mapstructure:"algorithm"`
Password string `yaml:"password" json:"password" mapstructure:"password"`
PlatformPolicy bool `yaml:"platform-policy" json:"_platform_policy" mapstructure:"platform-policy"`
RSAConfig *keystore.RSAConfig `yaml:"rsa" json:"rsa" mapstructure:"rsa"`
}
type IAKConfig ¶
type IAKConfig struct {
CertHandle uint32 `yaml:"cert-handle" json:"cert-handle" mapstructure:"cert-handle"`
CN string `yaml:"cn" json:"cn" mapstructure:"cn"`
Debug bool `json:"debug" yaml:"debug" mapstructure:"debug"`
ECCConfig *keystore.ECCConfig `yaml:"ecc" json:"ecc" mapstructure:"ecc"`
Handle uint32 `yaml:"handle" json:"handle" mapstructure:"handle"`
Hash string `yaml:"hash" json:"hash" mapstructure:"hash"`
KeyAlgorithm string `yaml:"algorithm" json:"algorithm" mapstructure:"algorithm"`
Password string `yaml:"password" json:"password" mapstructure:"password"`
PlatformPolicy bool `yaml:"platform-policy" json:"_platform_policy" mapstructure:"platform-policy"`
RSAConfig *keystore.RSAConfig `yaml:"rsa" json:"rsa" mapstructure:"rsa"`
SignatureAlgorithm string `yaml:"signature-algorithm" json:"signature-algorithm" mapstructure:"signature-algorithm"`
}
type IDevIDConfig ¶
type IDevIDConfig struct {
CertHandle uint32 `yaml:"cert-handle" json:"cert-handle" mapstructure:"cert-handle"`
CN string `yaml:"cn" json:"cn" mapstructure:"cn"`
Debug bool `json:"debug" yaml:"debug" mapstructure:"debug"`
ECCConfig *keystore.ECCConfig `yaml:"ecc" json:"ecc" mapstructure:"ecc"`
Handle uint32 `yaml:"handle" json:"handle" mapstructure:"handle"`
Hash string `yaml:"hash" json:"hash" mapstructure:"hash"`
KeyAlgorithm string `yaml:"algorithm" json:"algorithm" mapstructure:"algorithm"`
Model string `yaml:"model" json:"model" mapstructure:"model"`
Pad bool `yaml:"pad" json:"pad" mapstructure:"pad"`
Password string `yaml:"password" json:"password" mapstructure:"password"`
PlatformPolicy bool `yaml:"platform-policy" json:"_platform_policy" mapstructure:"platform-policy"`
RSAConfig *keystore.RSAConfig `yaml:"rsa" json:"rsa" mapstructure:"rsa"`
Serial string `yaml:"serial" json:"serial" mapstructure:"serial"`
SignatureAlgorithm string `yaml:"signature-algorithm" json:"signature-algorithm" mapstructure:"signature-algorithm"`
}
type KeyStoreConfig ¶
type KeyStoreConfig struct {
CN string `yaml:"cn" json:"cn" mapstructure:"cn"`
SRKAuth string `yaml:"srk-auth" json:"srk_auth" mapstructure:"srk-auth"`
SRKHandle uint32 `yaml:"srk-handle" json:"srk-handle" mapstructure:"srk-handle"`
PlatformPolicy bool `yaml:"platform-policy" json:"platform_policy" mapstructure:"platform-policy"`
}
type LAKConfig ¶
type LAKConfig struct {
CertHandle uint32 `yaml:"cert-handle" json:"cert-handle" mapstructure:"cert-handle"`
CN string `yaml:"cn" json:"cn" mapstructure:"cn"`
Debug bool `json:"debug" yaml:"debug" mapstructure:"debug"`
ECCConfig *keystore.ECCConfig `yaml:"ecc" json:"ecc" mapstructure:"ecc"`
Handle uint32 `yaml:"handle" json:"handle" mapstructure:"handle"`
Hash string `yaml:"hash" json:"hash" mapstructure:"hash"`
KeyAlgorithm string `yaml:"algorithm" json:"algorithm" mapstructure:"algorithm"`
Password string `yaml:"password" json:"password" mapstructure:"password"`
PlatformPolicy bool `yaml:"platform-policy" json:"_platform_policy" mapstructure:"platform-policy"`
RSAConfig *keystore.RSAConfig `yaml:"rsa" json:"rsa" mapstructure:"rsa"`
SignatureAlgorithm string `yaml:"signature-algorithm" json:"signature-algorithm" mapstructure:"signature-algorithm"`
}
type LDevIDConfig ¶
type LDevIDConfig struct {
CertHandle uint32 `yaml:"cert-handle" json:"cert-handle" mapstructure:"cert-handle"`
CN string `yaml:"cn" json:"cn" mapstructure:"cn"`
Debug bool `json:"debug" yaml:"debug" mapstructure:"debug"`
ECCConfig *keystore.ECCConfig `yaml:"ecc" json:"ecc" mapstructure:"ecc"`
Handle uint32 `yaml:"handle" json:"handle" mapstructure:"handle"`
Hash string `yaml:"hash" json:"hash" mapstructure:"hash"`
KeyAlgorithm string `yaml:"algorithm" json:"algorithm" mapstructure:"algorithm"`
Model string `yaml:"model" json:"model" mapstructure:"model"`
Pad bool `yaml:"pad" json:"pad" mapstructure:"pad"`
Password string `yaml:"password" json:"password" mapstructure:"password"`
PlatformPolicy bool `yaml:"platform-policy" json:"_platform_policy" mapstructure:"platform-policy"`
RSAConfig *keystore.RSAConfig `yaml:"rsa" json:"rsa" mapstructure:"rsa"`
Serial string `yaml:"serial" json:"serial" mapstructure:"serial"`
SignatureAlgorithm string `yaml:"signature-algorithm" json:"signature-algorithm" mapstructure:"signature-algorithm"`
}
type PCRBank ¶
func DecodePCRs ¶
Decodes a PCR bank slice from binary using the encoding/gob package
type Params ¶
type Params struct {
Backend keystore.KeyBackend
BlobStore blob.BlobStorer
CertStore certstore.CertificateStorer
Config *Config
DebugSecrets bool
FQDN string
Logger *logging.Logger
SignerStore keystore.SignerStorer
}
type PlatformPassword ¶
func (PlatformPassword) Bytes ¶
func (p PlatformPassword) Bytes() ([]byte, error)
Returns the secret as bytes
func (PlatformPassword) Create ¶
func (p PlatformPassword) Create() error
Seals a password to the TPM as a keyed hash object. If the key attributes have the platform policy defined, a PlatformSecret is returned, otherwise, RequiredPassword which returns ErrPasswordRequired when it's member methods are invoked. If the provided password is the default platform password, a random 32 byte (AES-256) key is generated.
func (PlatformPassword) String ¶
func (p PlatformPassword) String() (string, error)
Returns the secret as a string
type PropertiesFixed ¶
type PropertiesFixed struct {
ActiveSessionsMax uint32
AuthSessionsActive uint32
AuthSessionsActiveAvail uint32
AuthSessionsLoaded uint32
AuthSessionsLoadedAvail uint32
Family string
Fips1402 bool
FwMajor int
FwMinor int
LoadedCurves uint32
LockoutCounter uint32
LockoutInterval uint32
LockoutRecovery uint32
Manufacturer string
Model string
MaxAuthFail uint32
Memory uint32
NVIndexesDefined uint32
NVIndexesMax uint32
NVWriteRecovery uint32
PersistentAvail uint32
PersistentLoaded uint32
PersistentMin uint32
Revision string
TransientAvail uint32
TransientMin uint32
VendorID string
}
type Quote ¶
func DecodeQuote ¶
Decodes a quote from binary using the encoding/gob package
type SRKConfig ¶
type SRKConfig struct {
CN string `yaml:"cn" json:"cn" mapstructure:"cn"`
Debug bool `json:"debug" yaml:"debug" mapstructure:"debug"`
ECCConfig *keystore.ECCConfig `yaml:"ecc" json:"ecc" mapstructure:"ecc"`
Handle uint32 `yaml:"handle" json:"handle" mapstructure:"handle"`
HierarchyAuth string `yaml:"hierarchy-auth" json:"hierarchy-auth" mapstructure:"hierarchy-auth"`
KeyAlgorithm string `yaml:"algorithm" json:"algorithm" mapstructure:"algorithm"`
Password string `yaml:"password" json:"password" mapstructure:"password"`
PlatformPolicy bool `yaml:"platform-policy" json:"_platform_policy" mapstructure:"platform-policy"`
RSAConfig *keystore.RSAConfig `yaml:"rsa" json:"rsa" mapstructure:"rsa"`
}
type TCGVendorID ¶
type TCGVendorID uint32
func (TCGVendorID) String ¶
func (id TCGVendorID) String() string
type TCG_CSR_IDEVID ¶
type TCG_CSR_IDEVID struct {
StructVer [4]byte
Contents [4]byte
SigSz [4]byte
CsrContents TCG_IDEVID_CONTENT
Signature []byte
}
TPM 2.0 Keys for Device Identity and Attestation - Section 13.1 - TCG-CSR-IDEVID
type TCG_CSR_LDEVID ¶
type TCG_CSR_LDEVID struct {
StructVer [4]byte
Contents [4]byte
SigSz [4]byte
CsrContents TCG_LDEVID_CONTENT
Signature []byte
}
type TCG_IDEVID_CONTENT ¶
type TCG_IDEVID_CONTENT struct {
StructVer [4]byte
HashAlgoId [4]byte
HashSz [4]byte
ProdModelSz [4]byte
ProdSerialSz [4]byte
ProdCaDataSz [4]byte
BootEvntLogSz [4]byte
EkCertSZ [4]byte
AttestPubSZ [4]byte
AtCreateTktSZ [4]byte
AtCertifyInfoSZ [4]byte
AtCertifyInfoSignatureSZ [4]byte
SigningPubSZ [4]byte
SgnCertifyInfoSZ [4]byte
SgnCertifyInfoSignatureSZ [4]byte
PadSz [4]byte
ProdModel []byte
ProdSerial []byte
ProdCaData []byte
BootEvntLog []byte
EkCert []byte
AttestPub []byte
AtCreateTkt []byte
AtCertifyInfo []byte
AtCertifyInfoSig []byte
SigningPub []byte
SgnCertifyInfo []byte
SgnCertifyInfoSig []byte
Pad []byte
}
type TCG_LDEVID_CONTENT ¶
type TCG_LDEVID_CONTENT struct {
StructVer [4]byte
HashAlgoId [4]byte
HashSz [4]byte
EkCertSZ [4]byte
IakCertSZ [4]byte
PlatCertSZ [4]byte
PubkeySZ [4]byte
AtCertifyInfoSZ [4]byte
AtCertifyInfoSignatureSZ [4]byte
PadSz [4]byte
EkCert []byte
IakCert []byte
PlatCert []byte
Pubkey []byte
AtCertifyInfo []byte
AtCertifyInfoSig []byte
}
type TPM2 ¶
type TPM2 struct {
TrustedPlatformModule
// contains filtered or unexported fields
}
func (*TPM2) ActivateCredential ¶
Activates a credential challenge previously initiated by MakeCredential
func (*TPM2) Clear ¶
Clears the TPM as described in TCG Part 3: Commands - Section 24.6 - TPM2_Clear https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf
func (*TPM2) CreateECDSA ¶
func (tpm *TPM2) CreateECDSA( keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) (*ecdsa.PublicKey, error)
Creates a new ECDSA child key using the provided key attributes
func (*TPM2) CreateEK ¶
func (tpm *TPM2) CreateEK( ekAttrs *keystore.KeyAttributes) error
Creates a TCG compliant persistent Endorsement Key under the Endorsement Hierarchy. Optionally encrypts bus communication between the CPU <-> TPM if enabled in the platform configuration file.
func (*TPM2) CreateIAK ¶
func (tpm *TPM2) CreateIAK( ekAttrs *keystore.KeyAttributes) (*keystore.KeyAttributes, error)
Create an Initial Attestation Key
func (*TPM2) CreateIDevID ¶
func (tpm *TPM2) CreateIDevID( akAttrs *keystore.KeyAttributes, ekCert *x509.Certificate) (*keystore.KeyAttributes, *TCG_CSR_IDEVID, error)
Creates an Initial Device IDentifier (IDevID) under the Endorsement Hierarchy per TCG - TPM 2.0 Keys for Device Identity and Attestation. The Endorsement Key (EK) attributes must contain the HierarchyAuth to authorize the creation of the IDevID key under the Endorsement hierarchy. The EK is also used to salt an HMAC session, and optionally encrypt the bus communication between the CPU <-> TPM if enabled in the platform configuration file. https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf
func (*TPM2) CreateKeySession ¶
func (tpm *TPM2) CreateKeySession( keyAttrs *keystore.KeyAttributes) (tpm2.Session, func() error, error)
Returns an authorization session for a child key based on the provided key attributes. If the child PlatformPolicy is true, a PCR policy session is returned with a closer function that needs to be called to close the session when complete. If PlatformPolicy is false, a password authorization session is returned instead. If a password has not been defined, an empty password authorization session is returned. This function returns a session closer function that needs to be called to close the session when complete.
func (*TPM2) CreatePlatformPolicy ¶
Returns the Golden Integrity Measurement and Policy Digest ready to be attached to a key.
func (*TPM2) CreateRSA ¶
func (tpm *TPM2) CreateRSA( keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) (*rsa.PublicKey, error)
Creates a new RSA child key using the provided key attributes
func (*TPM2) CreateSRK ¶
func (tpm *TPM2) CreateSRK( srkAttrs *keystore.KeyAttributes) error
Creates a persistent Storage Root Key (SRK) under the specified hierarchy using the Endorsement Key (EK) to salt an HMAC session. Optionally encrypts bus communication between the CPU <-> TPM if enabled in the platform configuration file. If the HandleType is set to TPMHTTransient, the created objects handles are left unflushed and the caller is responsible for flushing it when done.
func (*TPM2) CreateSecretKey ¶
func (tpm *TPM2) CreateSecretKey( keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) error
Creates a new RSA child key using the provided key attributes
func (*TPM2) CreateSession ¶
func (tpm *TPM2) CreateSession( keyAttrs *keystore.KeyAttributes) (tpm2.Session, func() error, error)
Returns an authorization session for a key based on the provided parent key attributes and platform configuration file. If the parent PlatformPolicy is true, a PCR policy session is returned. If PlatformPolicy is false, a password authorization session is returned. If a password has not been defined, an empty password authorization session is returned. If PlatformPolicy is false and encryption is enabled in the platform configuration file, a salted, encrypted session is created using the EK. This function returns a session closer function that needs to be called to close the session when complete.
func (*TPM2) CreateTCG_CSR_IDEVID ¶
func (tpm *TPM2) CreateTCG_CSR_IDEVID( ekCert *x509.Certificate, akAttrs *keystore.KeyAttributes, idevidAttrs *keystore.KeyAttributes) (TCG_CSR_IDEVID, error)
Creates a TCG_CSR_IDEVID structure in alignment with the TCG TPM 2.0 Keys for Device Identity and Attestation - Section 13.1 - TCG-CSR-IDEVID.
func (*TPM2) DeleteKey ¶
func (tpm *TPM2) DeleteKey( keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) error
func (*TPM2) DeleteKeyPair ¶
func (tpm *TPM2) DeleteKeyPair( keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) error
Deletes the requested encrypted public and private blobs from the blob store.
func (*TPM2) EKAttributes ¶
func (tpm *TPM2) EKAttributes() (*keystore.KeyAttributes, error)
Returns the Endorsement Key atrributes using the handle defined in the platform configuration file.
func (*TPM2) EKCertificate ¶
func (tpm *TPM2) EKCertificate() (*x509.Certificate, error)
Retrieve the requested Endorsement Key Certificate from the Certificate Authority signed blob store. If the certificate can not be found, treat this as an initial setup and try to load the cert from TPM NVRAM. If that fails, try to download the certificate from the Manufacturer's EK cert service. If that fails, try to load the certificate from the current working directory as a final attempt, using the EKCert name defined in the platform configuration file.
func (*TPM2) EKPublic ¶
func (tpm *TPM2) EKPublic() (tpm2.TPM2BName, tpm2.TPMTPublic)
Returns the Endorsement Key name and public area. Errors are fatal.
func (*TPM2) EventLog ¶
Retrieves the raw event log from /sys/kernel/security/tpm*/binary_bios_measurements
func (*TPM2) FixedProperties ¶
func (tpm *TPM2) FixedProperties() (*PropertiesFixed, error)
func (*TPM2) GoldenMeasurements ¶
Captures platform Golden Integrity Measurements as described in TCG TPM 2.0 Provisioning Guidance - Section 7.6 - Golden Measurements.
Performs a sum across all PCR banks and their associated values using the hash function defined in the TPM section of the platform configuration file. Any errors encountered are treated as FatalError.
TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
func (*TPM2) HMAC ¶
Creates an unsalted, unauthenticated HMAC session with the TPM. If session encryption is enabled in the platform configuration file, the TPM <-> CPU bus is encrypted using AES-128 CFB.
func (*TPM2) HMACSaltedSession ¶
func (tpm *TPM2) HMACSaltedSession( handle tpm2.TPMHandle, pub tpm2.TPMTPublic, auth []byte) (s tpm2.Session, close func() error, err error)
Creates an authenticated, salted HMAC session with the TPM. If session encryption is enabled in the platform configuration file, the TPM <-> CPU bus is encrypted using AES-128 CFB.
func (*TPM2) HMACSession ¶
Creates an authenticated, unsalted HMAC session with the TPM. If session encryption is enabled in the platform configuration file, the TPM <-> CPU bus is encrypted using AES-128 CFB.
func (*TPM2) Hash ¶
Performs a TPM2_Hash on the requested data. If the length is greater than 1024 bytes, the data is hashed using HashSequence commands.
func (*TPM2) HashSequence ¶
func (tpm *TPM2) HashSequence( keyAttrs *keystore.KeyAttributes, data []byte) ([]byte, []byte, error)
Performs a hash sequence using TPM2_HashSequenceStart, TPM2_SequenceUpdate, TPM2_SequenceComplete under the Endorsement Hierarchy, using the Hierarchy Authorization provided in the key attributes Parent field.
func (*TPM2) IAKAttributes ¶
func (tpm *TPM2) IAKAttributes() (*keystore.KeyAttributes, error)
Returns the Initial Attestation Key Attributes
func (*TPM2) IDevIDAttributes ¶
func (tpm *TPM2) IDevIDAttributes() (*keystore.KeyAttributes, error)
Returns the Initial Device IDentifier Key Attributes
func (*TPM2) Install ¶
Install performs a safe, modified version of the TCG recommended provisioning guidance intended for platforms that have already been minimally provisioned by the TPM Manufacturer or Owner. Instead of clearing the hierarchies, setting hierarchy authorizations and provisioning new keys and certificates from scratch, this method will use pre-existing EK and SRK keys and certificates if they already exist. The provided soPIN parameter is used as the new Endorsement and Storage hierarchy authorizations during installation. The current hierarchy authorization is expected to be set to an empty password. You can use the included CLI or TPM2 tools to execute the TPM2_HierarchyChangeAuth command to set the password to an empty password.
func (*TPM2) IsFIPS140_2 ¶
func (*TPM2) KeyAttributes ¶
Reads the public area of the provided persistent TPM handle and returns a default set of KeyAttributes with the name, public area and algorithm set.
func (*TPM2) LoadKeyPair ¶
func (tpm *TPM2) LoadKeyPair( keyAttrs *keystore.KeyAttributes, session *tpm2.Session, backend keystore.KeyBackend) (*tpm2.LoadResponse, error)
Loads the requested TPMAlgKeyedHash encrypted public and private blobs from blob storage. The returned handle must be closed when finished to prevent memory leaks / exhaustion.
func (*TPM2) MakeCredential ¶
func (tpm *TPM2) MakeCredential( akName tpm2.TPM2BName, secret []byte) ([]byte, []byte, []byte, error)
Performs TPM2_MakeCredential, returning the new credential challenge for an Attestor. If the secret parameter is not provided, a random AES-256 secret will be generated.
func (*TPM2) NVWrite ¶
func (tpm *TPM2) NVWrite( keyAttrs *keystore.KeyAttributes) error
Seals a secret to an NV RAM index against the Platform Policy
func (*TPM2) NonceSession ¶
Creates a one-time use TPM nonce session
func (*TPM2) Open ¶
Opens a new logical connection with the underlying TPM using an instance of this TPM2 object that's already been instantiated.
func (*TPM2) ParsePublicKey ¶
Parses a tpm2.TPM2BPublic byte array and returns the crypto.PublicKey
func (*TPM2) PlatformPolicyDigest ¶
func (tpm *TPM2) PlatformPolicyDigest() tpm2.TPM2BDigest
Returns the platform policy digest used to satisfy platform PCR authorization values
func (*TPM2) PlatformPolicyDigestHash ¶
Reads the current PCR value and returns it's digest buffer
func (*TPM2) PlatformPolicySession ¶
Creates a new platform policy session with the platform PCR selected using the Owner child key created during platform provisioning under the SRK. Returns the policy session along with a session closer that needs to be called when finished with the session.
func (*TPM2) PlatformQuote ¶
Create a random nonce and issue a quote command to the TPM
func (*TPM2) Provision ¶
Provision the TPM as outlined in the TCG Provisioning Guidance - Section 11.1 - Provisioning the TPM. - Clear the TPM - Set Endorsement, Owner and Lockout authorizations - Create, verify & persist EK - Create, verify & persist IDevID - Create Initial Device Identity for touch-free provisioning - Create, & persist Shared SRK - Establish baseline PCRs - Capture Golden Integrity Measurements https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
This operation requires hierarchy authorization to perform the TPM2_Clear command as the first step outlined in the TCG Provisioning Guidance, and assumes the auth parameter for these hierarchies to be set to an empty password. The TPM2_ChangeAuth command may be used prior to invoking this operation to set the hierarchy passwords to an empty value so this operation may complete. After this operation clears the TPM, the provided Security Officer PIN is used to set new Lockout, Endorsement and Owner authorization values. When this operation completes, the Lockout, Endorsement and Owner hierarchies are all owned by the Security Officer, the TPM is fully provisioned and ready for use. The hierarchy authorization values assigned during this operation may be safely modified to use authorization passwords and/or policies to align the platform with Enterprise or Platform Administrator requirements following this provisioning process.
func (*TPM2) ProvisionEKCert ¶
Writes an Endorsement Certificate to NV RAM. WARNING - this operation will overwrite an OEM certificate if it exists! If cert-handle is not provided, the certificate is saved to the x509 certificate store instead of writing to NV RAM. This provides to work around the 1024 byte limitation in the simulator and/or allows a user to conserve NV RAM in a real TPM.
func (*TPM2) ProvisionOwner ¶
Provisions a new Endorsement and Storage Root Key according to TCG Provisioning Guidance. The Endorsement Key (EK) is created and evicted to it's recommended persistent handle and a new Shared Storage Root Key (SRK) is created and evicted to it's recommended persistent handle.
func (*TPM2) Quote ¶
Performs a TPM 2.0 quote over the PCRs defined in the TPM section of the platform configuration file, used for local attestation. The quote, event log, and PCR state is optionally signed and saved to the CA blob store.
func (*TPM2) RSADecrypt ¶
Performs RSA decryption
func (*TPM2) RSAEncrypt ¶
Performs RSA encryption
func (*TPM2) RandomBytes ¶
Reads a random fixed length byte slice from RNG
func (*TPM2) RandomHex ¶
Reads a random fixed length byte slice from RNG and returns the resulting bytes encoded in hexidecimal format.
func (*TPM2) Read ¶
Reads random bytes from the TPM into the data buffer. Optionally uses the EK to encrypt the session between the CPU <-> TPM if session encryption is enabled in the platform configuration file. If the TPM Endorsement Hierarchy authorization has an authorization password set, and the EK has not been made persistent, the tpm.hierarchyAuth property must be set before reading so a transient EK can be created (under the Endorsement Hierarchy) to encrypt the session. The hierarchy auth is automatically set during provisioning - ie, when Provision() is called. After provisioning is complete, subsequent platform startups will have to explicitly provide the hierarchy password, since it's never saved, loaded, or cached during normal operation. The hierarchy password is only cached in memory during provisioning and wiped from memory when the program exits.
func (*TPM2) ReadHandle ¶
Returns the name and public area for the provided handle
func (*TPM2) ReadPCRs ¶
Reads Platform Configuration Register (PCR) values across all supported banks with the corresponding PCR ID. This method supports SHA1, SHA256, SHA386, and SHA512. If one of the banks are not supported, the function stops processing and returns the banks that were successfully parsed without an error.
func (*TPM2) SSRKAttributes ¶
func (tpm *TPM2) SSRKAttributes() (*keystore.KeyAttributes, error)
Returns the Shared Storage Root Key under the Owner hierarchy using it's persistent handle.
func (*TPM2) SSRKPublic ¶
func (tpm *TPM2) SSRKPublic() (tpm2.TPM2BName, tpm2.TPMTPublic)
Returns the Shared Storage Root Key name and public area. Errors are fatal.
func (*TPM2) SaveKeyPair ¶
func (tpm *TPM2) SaveKeyPair( keyAttrs *keystore.KeyAttributes, outPrivate tpm2.TPM2BPrivate, outPublic tpm2.TPM2B[tpm2.TPMTPublic, *tpm2.TPMTPublic], backend keystore.KeyBackend) error
Saves the requested TPMAlgKeyedHash encrypted public and private blobs to the blob store.
func (*TPM2) Seal ¶
func (tpm *TPM2) Seal( keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) (*tpm2.CreateResponse, error)
Creates a new key under the provided Storage Root Key (SRK), optionally sealing a provided secret to the current Platform Golden Integrity Measurements. If a secret is not provided, a random AES-256 key will be generated. If the HandleType is marked as TPMHTTransient, the created objects handles are left unflushed and the caller is responsible for flushing it when done.
func (*TPM2) SetHierarchyAuth ¶
func (tpm *TPM2) SetHierarchyAuth(oldPasswd, newPasswd keystore.Password, hierarchy *tpm2.TPMHandle) error
Takes ownership of the TPM by setting the Owner, Endorsement and Lockout hierarchy authorization passwords, as described in TCG TPM 2.0 Part 1 - Architecture - Section 13.8.1 - Taking Ownership https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf
If the optional hierarchy is provided, only the authorization password for the specified hierarchy will be set. If not provided, all hierarchies will be set to the same authorization password.
func (*TPM2) Sign ¶
func (tpm *TPM2) Sign( rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
Signs the requested data using the key attributes provided by SignerOpts. Supports RSA and ECDSA.
func (*TPM2) SignValidate ¶
func (tpm *TPM2) SignValidate( keyAttrs *keystore.KeyAttributes, digest, validationDigest []byte) ([]byte, error)
Performs a sequential hash on the provided data using the hash algorithm and authorization defined by akAttrs. This operation uses the Handle, HashAlg, Name, SignatureAlgorithm and Password provided by akAttrs.
func (*TPM2) Transport ¶
Returns the underlying transport.TPM used to facilitate the logical connection to the TPM.
func (*TPM2) Unseal ¶
func (tpm *TPM2) Unseal( keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) ([]byte, error)
Returns sealed data for a keyed hash using the platform PCR Policy Session to satisfy the TPM to release the secret.
func (*TPM2) VerifyCSR ¶
func (tpm *TPM2) VerifyCSR( csr *TCG_CSR_IDEVID, signatureAlgorithm x509.SignatureAlgorithm) (*keystore.KeyAttributes, *UNPACKED_TCG_CSR_IDEVID, error)
Extracts the Attestation Public Key from TCG_CSR_IDEVID and performs verification per TCG TPM 2.0 Keys for Device Identity and Attestation - Section 6.1.2 - Procedure. 5. The CA verifies the received data: a. Verify the signature on the TCG-CSR-IDEVID: i. Extract the IAK Public Key from the IAK Public Area in the TCG-CSR-IDEVID. ii. Use the IAK public key to verify the signature on the TCG-CSR-IDEVID. b. Extract the EK certificate from the TCG-CSR-IDEVID and verify the EK Certificate using the indicated TPM manufacturer’s public key. c. Verify the attributes (TPMA_OBJECT bits) of the IAK Public Area to ensure that the key is a Restricted, fixedTPM, fixedParent signing key. Ensure all other attributes meet CA policy.
type TrustedPlatformModule ¶
type TrustedPlatformModule interface {
ActivateCredential(credentialBlob, encryptedSecret []byte) ([]byte, error)
AKProfile() (AKProfile, error)
Clear(hierarchyAuth []byte, hierarchy tpm2.TPMHandle) error
Close() error
Config() *Config
CreateECDSA(
keyAttrs *keystore.KeyAttributes,
backend keystore.KeyBackend) (*ecdsa.PublicKey, error)
CreateEK(keyAttrs *keystore.KeyAttributes) error
CreateSecretKey(
keyAttrs *keystore.KeyAttributes,
backend keystore.KeyBackend) error
CreateIAK(ekAttrs *keystore.KeyAttributes) (*keystore.KeyAttributes, error)
CreateIDevID(akAttrs *keystore.KeyAttributes, ekCert *x509.Certificate) (*keystore.KeyAttributes, *TCG_CSR_IDEVID, error)
CreatePlatformPolicy() error
CreateRSA(
keyAttrs *keystore.KeyAttributes,
backend keystore.KeyBackend) (*rsa.PublicKey, error)
CreateKeySession(
keyAttrs *keystore.KeyAttributes) (tpm2.Session, func() error, error)
CreateSession(
keyAttrs *keystore.KeyAttributes) (tpm2.Session, func() error, error)
CreateSRK(keyAttrs *keystore.KeyAttributes) error
CreateTCG_CSR_IDEVID(
ekCert *x509.Certificate,
akAttrs *keystore.KeyAttributes,
idevidAttrs *keystore.KeyAttributes) (TCG_CSR_IDEVID, error)
DeleteKey(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) error
Device() string
EK() crypto.PublicKey
EKPublic() (tpm2.TPM2BName, tpm2.TPMTPublic)
EKAttributes() (*keystore.KeyAttributes, error)
EKCertificate() (*x509.Certificate, error)
EKECC() *ecdsa.PublicKey
EKRSA() *rsa.PublicKey
EventLog() ([]byte, error)
FixedProperties() (*PropertiesFixed, error)
Flush(handle tpm2.TPMHandle)
GoldenMeasurements() []byte
HMAC(auth []byte) tpm2.Session
HMACSaltedSession(
handle tpm2.TPMHandle,
pub tpm2.TPMTPublic,
auth []byte) (s tpm2.Session, close func() error, err error)
HMACSession(auth []byte) (s tpm2.Session, close func() error, err error)
IAK() crypto.PublicKey
IAKAttributes() (*keystore.KeyAttributes, error)
IDevID() crypto.PublicKey
IDevIDAttributes() (*keystore.KeyAttributes, error)
Info() (string, error)
IsFIPS140_2() (bool, error)
Install(soPIN keystore.Password) error
KeyAttributes(handle tpm2.TPMHandle) (*keystore.KeyAttributes, error)
LoadKeyPair(
keyAttrs *keystore.KeyAttributes,
session *tpm2.Session,
backend keystore.KeyBackend) (*tpm2.LoadResponse, error)
MakeCredential(
akName tpm2.TPM2BName,
secret []byte) ([]byte, []byte, []byte, error)
NonceSession(secret keystore.Password) (tpm2.Session, func() error, error)
NVRead(keyAttrs *keystore.KeyAttributes, dataSize uint16) ([]byte, error)
NVWrite(keyAttrs *keystore.KeyAttributes) error
Open() error
ParseEKCertificate(ekCert []byte) (*x509.Certificate, error)
ParsePublicKey(tpm2BPublic []byte) (crypto.PublicKey, error)
PlatformPolicyDigestHash() ([]byte, error)
PlatformPolicyDigest() tpm2.TPM2BDigest
PlatformPolicySession() (tpm2.Session, func() error, error)
PlatformQuote(keyAttrs *keystore.KeyAttributes) (Quote, []byte, error)
Provision(soPIN keystore.Password) error
ProvisionEKCert(hierarchyAuth, ekCert []byte) error
ProvisionOwner(hierarchyAuth keystore.Password) (*keystore.KeyAttributes, error)
Quote(pcrs []uint, nonce []byte) (Quote, error)
Random() ([]byte, error)
RandomBytes(fixedLength int) ([]byte, error)
RandomHex(fixedLength int) ([]byte, error)
Read(data []byte) (n int, err error)
ReadHandle(handle tpm2.TPMHandle) (tpm2.TPM2BName, tpm2.TPMTPublic, error)
ReadPCRs(pcrList []uint) ([]PCRBank, error)
SaveKeyPair(
keyAttrs *keystore.KeyAttributes,
outPrivate tpm2.TPM2BPrivate,
outPublic tpm2.TPM2B[tpm2.TPMTPublic, *tpm2.TPMTPublic],
backend keystore.KeyBackend) error
Seal(
keyAttrs *keystore.KeyAttributes,
backend keystore.KeyBackend) (*tpm2.CreateResponse, error)
Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
SetHierarchyAuth(oldSecret, newSecret keystore.Password, hierarchy *tpm2.TPMHandle) error
SRKPublic() (tpm2.TPM2BName, tpm2.TPMTPublic)
SSRKAttributes() (*keystore.KeyAttributes, error)
Transport() transport.TPM
Unseal(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend) ([]byte, error)
WriteEKCert(ekCert []byte) error
VerifyCSR(
csr *TCG_CSR_IDEVID,
sigAlgo x509.SignatureAlgorithm) (*keystore.KeyAttributes, *UNPACKED_TCG_CSR_IDEVID, error)
SignValidate(
keyAttrs *keystore.KeyAttributes,
digest, validationDigest []byte) ([]byte, error)
HashSequence(
keyAttrs *keystore.KeyAttributes,
data []byte) ([]byte, []byte, error)
}
func NewTPM2 ¶
func NewTPM2(params *Params) (TrustedPlatformModule, error)
Creates a new TPM2 instance by opening a socket to a Trusted Platform Module (TPM). When this function returns the TPM is ready for use.
type UNPACKED_TCG_CSR_IDEVID ¶
type UNPACKED_TCG_CSR_IDEVID struct {
StructVer uint32
Contents uint32
SigSz uint32
CsrContents UNPACKED_TCG_IDEVID_CONTENT
RawBytes []byte
Signature []byte
}
Represents an unpacked TCG-CSR-IDEVID. All binary fields are unmarshalled to their native Golang types, including size fields which the TCG spec requires encoded as 4 bytes big endian. // https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf
func TransformIDevIDCSR ¶
func TransformIDevIDCSR( tcgCSRIDevID *TCG_CSR_IDEVID) (*UNPACKED_TCG_CSR_IDEVID, error)
Unpacks a TCG_CSR_IDEVID big endian byte array
type UNPACKED_TCG_CSR_LDEVID ¶
type UNPACKED_TCG_CSR_LDEVID struct {
StructVer uint32
Contents uint32
SigSz uint32
CsrContents UNPACKED_TCG_IDEVID_CONTENT
Signature []byte
}
Represents an unpacked TCG-CSR-LDEVID. All binary fields are unmarshalled to their native Golang types, including size fields which the TCG spec requires encoded as 4 bytes big endian. https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf
type UNPACKED_TCG_IDEVID_CONTENT ¶
type UNPACKED_TCG_IDEVID_CONTENT struct {
StructVer uint32
HashAlgoId uint32
HashSz uint32
ProdModelSz uint32
ProdSerialSz uint32
ProdCaDataSz uint32
BootEvntLogSz uint32
EkCertSZ uint32
AttestPubSZ uint32
AtCreateTktSZ uint32
AtCertifyInfoSZ uint32
AtCertifyInfoSignatureSZ uint32
SigningPubSZ uint32
SgnCertifyInfoSZ uint32
SgnCertifyInfoSignatureSZ uint32
PadSz uint32
ProdModel []byte
ProdSerial []byte
ProdCaData []byte
BootEvntLog []byte
EkCert []byte
AttestPub []byte
AtCreateTkt []byte
AtCertifyInfo []byte
AtCertifyInfoSig []byte
SigningPub []byte
SgnCertifyInfo []byte
SgnCertifyInfoSig []byte
Pad []byte
}
type UNPACKED_TCG_LDEVID_CONTENT ¶
type UNPACKED_TCG_LDEVID_CONTENT struct {
StructVer uint32
HashAlgoId uint32
HashSz uint32
EkCertSZ uint32
IakCertSZ uint32
PlatCertSZ uint32
PubkeySZ uint32
AtCertifyInfoSZ uint32
AtCertifyInfoSignatureSZ uint32
PadSz uint32
EkCert []byte
IakCert []byte
PlatCert []byte
Pubkey []byte
AtCertifyInfo []byte
AtCertifyInfoSig []byte
}
Source Files