Documentation ¶
Overview ¶
Package hwsec implements the libraries and utilities that are shared by the local and remote bundles of the same name, 'hwsec'.
Index ¶
- Constants
- Variables
- func DoesUserTestFileExist(ctx context.Context, util *CryptohomeClient, cmdRunner CmdRunner, ...) (bool, error)
- func GetUserTestFilePath(ctx context.Context, util *CryptohomeClient, user, fileName string) (string, error)
- func HexDecode(enc []byte) ([]byte, error)
- func ReadUserTestContent(ctx context.Context, util *CryptohomeClient, cmdRunner CmdRunner, ...) ([]byte, error)
- func SendGetRequestTo(ctx context.Context, serverURL string) (string, error)
- func SendPostRequestTo(ctx context.Context, body, serverURL string) (string, error)
- func UnmarshalSignedData(d []byte) (*apb.SignedData, error)
- func WriteUserTestContent(ctx context.Context, util *CryptohomeClient, cmdRunner CmdRunner, ...) error
- type ACAType
- type AttestationClient
- func (u *AttestationClient) CreateCertRequest(ctx context.Context, pcaType PCAType, profile apb.CertificateProfile, ...) (string, error)
- func (u *AttestationClient) CreateEnrollRequest(ctx context.Context, pcaType PCAType) (string, error)
- func (u *AttestationClient) DeleteKeys(ctx context.Context, username, prefix string) error
- func (u *AttestationClient) FinishCertRequest(ctx context.Context, resp, username, label string) error
- func (u *AttestationClient) FinishEnroll(ctx context.Context, pcaType PCAType, resp string) error
- func (u *AttestationClient) GetEnrollmentID(ctx context.Context) (string, error)
- func (u *AttestationClient) GetKeyPayload(ctx context.Context, username, label string) (string, error)
- func (u *AttestationClient) GetPublicKey(ctx context.Context, username, label string) (string, error)
- func (u *AttestationClient) IsEnrolled(ctx context.Context) (bool, error)
- func (u *AttestationClient) IsPreparedForEnrollment(ctx context.Context) (bool, error)
- func (u *AttestationClient) RegisterKeyWithChapsToken(ctx context.Context, username, label string) (bool, error)
- func (u *AttestationClient) SetKeyPayload(ctx context.Context, username, label, payload string) (bool, error)
- func (u *AttestationClient) SignEnterpriseVAChallenge(ctx context.Context, vaType VAType, username, label, domain, deviceID string, ...) (string, error)
- func (u *AttestationClient) SignSimpleChallenge(ctx context.Context, username, label string, challenge []byte) (string, error)
- type AttestationDBus
- type AttestationError
- type AttestationHelper
- type AttestationTest
- func (at *AttestationTest) Enroll(ctx context.Context) error
- func (at *AttestationTest) GetCertificate(ctx context.Context, username, label string) error
- func (at *AttestationTest) SignEnterpriseChallenge(ctx context.Context, username, label string) error
- func (at *AttestationTest) SignSimpleChallenge(ctx context.Context, username, label string) error
- type AuthConfig
- type CmdExitError
- type CmdHelper
- func (h *CmdHelper) CmdRunner() CmdRunner
- func (h *CmdHelper) CryptohomeClient() *CryptohomeClient
- func (h *CmdHelper) DaemonController() *DaemonController
- func (h *CmdHelper) DropResetLockPermissions(ctx context.Context) (restoreFunc func(ctx context.Context) error, retErr error)
- func (h *CmdHelper) EnsureTPMIsReady(ctx context.Context, timeout time.Duration) error
- func (h *CmdHelper) GetTPMManagerLocalData(ctx context.Context) ([]byte, error)
- func (h *CmdHelper) GetTPMVersion(ctx context.Context) (string, error)
- func (h *CmdHelper) ReadFile(ctx context.Context, filename string) ([]byte, error)
- func (h *CmdHelper) RemoveFile(ctx context.Context, filename string) error
- func (h *CmdHelper) SetTPMManagerLocalData(ctx context.Context, data []byte) error
- func (h *CmdHelper) TPMManagerClient() *TPMManagerClient
- func (h *CmdHelper) WriteFile(ctx context.Context, filename string, data []byte) error
- type CmdRunner
- type CmdTPMClearHelper
- type CryptohomeClient
- func (u *CryptohomeClient) AddAuthFactor(ctx context.Context, authSessionID, label, password string) error
- func (u *CryptohomeClient) AddCredentialsWithAuthSession(ctx context.Context, user, password, authSessionID string, publicMount bool) error
- func (u *CryptohomeClient) AddPinAuthFactor(ctx context.Context, authSessionID, label, pin string) error
- func (u *CryptohomeClient) AddVaultKey(ctx context.Context, username, password, label, newPassword, newLabel string, ...) error
- func (u *CryptohomeClient) AuthenticateAuthFactor(ctx context.Context, authSessionID, label, password string) error
- func (u *CryptohomeClient) AuthenticateAuthSession(ctx context.Context, password, authSessionID string, publicMount bool) error
- func (u *CryptohomeClient) AuthenticatePinAuthFactor(ctx context.Context, authSessionID, label, pin string) error
- func (u *CryptohomeClient) BackupFWMP(ctx context.Context) (*FirmwareManagementParametersInfo, error)
- func (u *CryptohomeClient) ChangeVaultPassword(ctx context.Context, username, password, label, newPassword string) error
- func (u *CryptohomeClient) CheckTPMWrappedUserKeyset(ctx context.Context, user string) error
- func (u *CryptohomeClient) CheckVault(ctx context.Context, label string, authConfig *AuthConfig) (bool, error)
- func (u *CryptohomeClient) CheckVaultAndUnlockWebAuthnSecret(ctx context.Context, label string, authConfig *AuthConfig) (bool, error)
- func (u *CryptohomeClient) CreatePersistentUser(ctx context.Context, authSessionID string) error
- func (u *CryptohomeClient) GetAccountDiskUsage(ctx context.Context, username string) (diskUsage int64, returnedError error)
- func (u *CryptohomeClient) GetFirmwareManagementParameters(ctx context.Context) (flags, hash string, returnedError *FWMPError)
- func (u *CryptohomeClient) GetHomeUserPath(ctx context.Context, username string) (string, error)
- func (u *CryptohomeClient) GetKeyData(ctx context.Context, user, keyLabel string) (string, error)
- func (u *CryptohomeClient) GetRootUserPath(ctx context.Context, username string) (string, error)
- func (u *CryptohomeClient) GetSanitizedUsername(ctx context.Context, username string, useDBus bool) (string, error)
- func (u *CryptohomeClient) GetSystemSalt(ctx context.Context, useDBus bool) (string, error)
- func (u *CryptohomeClient) GetTokenForUser(ctx context.Context, username string) (int, error)
- func (u *CryptohomeClient) GetTokenInfoForUser(ctx context.Context, username string) (returnedLabel, returnedPin string, returnedSlot int, returnedErr error)
- func (u *CryptohomeClient) GetUserHash(ctx context.Context, username string) (string, error)
- func (u *CryptohomeClient) InstallAttributesCount(ctx context.Context) (int, error)
- func (u *CryptohomeClient) InstallAttributesFinalize(ctx context.Context) error
- func (u *CryptohomeClient) InstallAttributesGet(ctx context.Context, attributeName string) (string, error)
- func (u *CryptohomeClient) InstallAttributesIsFirstInstall(ctx context.Context) (bool, error)
- func (u *CryptohomeClient) InstallAttributesIsInvalid(ctx context.Context) (bool, error)
- func (u *CryptohomeClient) InstallAttributesIsReady(ctx context.Context) (bool, error)
- func (u *CryptohomeClient) InstallAttributesIsSecure(ctx context.Context) (bool, error)
- func (u *CryptohomeClient) InstallAttributesSet(ctx context.Context, attributeName, attributeValue string) error
- func (u *CryptohomeClient) InstallAttributesStatus(ctx context.Context) (string, error)
- func (u *CryptohomeClient) InvalidateAuthSession(ctx context.Context, authSessionID string) error
- func (u *CryptohomeClient) IsMounted(ctx context.Context) (bool, error)
- func (u *CryptohomeClient) IsTPMWrappedKeySet(ctx context.Context, username string) (bool, error)
- func (u *CryptohomeClient) ListVaultKeys(ctx context.Context, username string) ([]string, error)
- func (u *CryptohomeClient) LockToSingleUserMountUntilReboot(ctx context.Context, username string) error
- func (u *CryptohomeClient) MountGuest(ctx context.Context) error
- func (u *CryptohomeClient) MountKiosk(ctx context.Context) error
- func (u *CryptohomeClient) MountVault(ctx context.Context, label string, authConfig *AuthConfig, create bool, ...) error
- func (u *CryptohomeClient) MountWithAuthSession(ctx context.Context, authSessionID string, publicMount bool) error
- func (u *CryptohomeClient) PrepareEphemeralVault(ctx context.Context, authSessionID string) error
- func (u *CryptohomeClient) PrepareGuestVault(ctx context.Context) error
- func (u *CryptohomeClient) PreparePersistentVault(ctx context.Context, authSessionID string, ecryptfs bool) error
- func (u *CryptohomeClient) PrepareVaultForMigration(ctx context.Context, authSessionID string) error
- func (u *CryptohomeClient) RemoveFirmwareManagementParameters(ctx context.Context) (string, error)
- func (u *CryptohomeClient) RemoveVault(ctx context.Context, username string) (bool, error)
- func (u *CryptohomeClient) RemoveVaultKey(ctx context.Context, username, password, removeLabel string) error
- func (u *CryptohomeClient) RestoreFWMP(ctx context.Context, fwmp *FirmwareManagementParametersInfo) error
- func (u *CryptohomeClient) SetFirmwareManagementParameters(ctx context.Context, flags, hash string) (string, error)
- func (u *CryptohomeClient) StartAuthSession(ctx context.Context, user string, isEphemeral bool) (string, error)
- func (u *CryptohomeClient) SupportsLECredentials(ctx context.Context) (bool, error)
- func (u *CryptohomeClient) Unmount(ctx context.Context, username string) (bool, error)
- func (u *CryptohomeClient) UnmountAll(ctx context.Context) error
- func (u *CryptohomeClient) UnmountAndRemoveVault(ctx context.Context, username string) error
- func (u *CryptohomeClient) UpdateCredentialWithAuthSession(ctx context.Context, password, authSessionID string, publicMount bool) error
- func (u *CryptohomeClient) WaitForUserToken(ctx context.Context, username string) error
- type CryptohomeMountInfo
- func (c *CryptohomeMountInfo) CheckMountNamespace(ctx context.Context) error
- func (c *CryptohomeMountInfo) CleanUpMount(ctx context.Context, user string) error
- func (c *CryptohomeMountInfo) IsMounted(ctx context.Context, user string) (bool, error)
- func (c *CryptohomeMountInfo) MountedVaultPath(ctx context.Context, user string) (string, error)
- func (c *CryptohomeMountInfo) UserCryptohomePath(ctx context.Context, user string) (string, error)
- func (c *CryptohomeMountInfo) WaitForUserMount(ctx context.Context, user string) error
- func (c *CryptohomeMountInfo) WaitForUserMountAndValidateType(ctx context.Context, user string, mountType MountType) error
- type DAInfo
- type DaemonController
- func (dc *DaemonController) Ensure(ctx context.Context, info *DaemonInfo) error
- func (dc *DaemonController) EnsureDaemons(ctx context.Context, daemons []*DaemonInfo) error
- func (dc *DaemonController) Restart(ctx context.Context, info *DaemonInfo) error
- func (dc *DaemonController) RestartTPMDaemons(ctx context.Context) error
- func (dc *DaemonController) Start(ctx context.Context, info *DaemonInfo) error
- func (dc *DaemonController) Status(ctx context.Context, info *DaemonInfo) (goal DaemonGoal, state DaemonState, pid int, err error)
- func (dc *DaemonController) Stop(ctx context.Context, info *DaemonInfo) error
- func (dc *DaemonController) TryStop(ctx context.Context, info *DaemonInfo) error
- func (dc *DaemonController) TryStopDaemons(ctx context.Context, daemons []*DaemonInfo) error
- func (dc *DaemonController) WaitForAllDBusServices(ctx context.Context) error
- type DaemonGoal
- type DaemonInfo
- type DaemonState
- type FWMPError
- type FileWiper
- type FirmwareManagementParametersInfo
- type FullHelper
- type MountType
- type NonsensitiveStatusInfo
- type PCA
- type PCAGoLib
- type PCAType
- type RealVA
- type TPMClearer
- type TPMManagerClient
- func (u *TPMManagerClient) ClearOwnerPassword(ctx context.Context) (string, error)
- func (u *TPMManagerClient) DefineSpace(ctx context.Context, size int, bindToPCR0 bool, index string, ...) (string, error)
- func (u *TPMManagerClient) DestroySpace(ctx context.Context, index string) (string, error)
- func (u *TPMManagerClient) GetDAInfo(ctx context.Context) (info *DAInfo, returnedError error)
- func (u *TPMManagerClient) GetNonsensitiveStatus(ctx context.Context) (info *NonsensitiveStatusInfo, returnedError error)
- func (u *TPMManagerClient) GetNonsensitiveStatusIgnoreCache(ctx context.Context) (info *NonsensitiveStatusInfo, returnedError error)
- func (u *TPMManagerClient) GetOwnerPassword(ctx context.Context) (string, error)
- func (u *TPMManagerClient) ReadSpaceToFile(ctx context.Context, index, outputFile, password string) (string, error)
- func (u *TPMManagerClient) ResetDALock(ctx context.Context) (string, error)
- func (u *TPMManagerClient) Status(ctx context.Context) (string, error)
- func (u *TPMManagerClient) TakeOwnership(ctx context.Context) (string, error)
- func (u *TPMManagerClient) WriteSpaceFromFile(ctx context.Context, index, inputFile, password string) (string, error)
- type VA
- type VAType
- type VaultConfig
Constants ¶
const ( // PollingInterval is the polling interval we use in this library and the libraries extending this. PollingInterval = 100 * time.Millisecond // DefaultTakingOwnershipTimeout is the default timeout while taking TPM ownership. DefaultTakingOwnershipTimeout = 40 * time.Second // DefaultPreparationForEnrolmentTimeout is the default timeout for attestation to be prepared. DefaultPreparationForEnrolmentTimeout = 40 * time.Second // AttestationDBPath is the path of attestation database. AttestationDBPath = "/mnt/stateful_partition/unencrypted/preserve/attestation.epb" // TpmManagerLocalDataPath is the path of tpm_manager local data (only applicable for distributed model). TpmManagerLocalDataPath = "/var/lib/tpm_manager/local_tpm_data" // OwnerPasswordLength is the owner password length we set by our implementation. OwnerPasswordLength = 20 )
const ( // DefaultCertProfile is the default cert profile we use when testing. DefaultCertProfile apb.CertificateProfile = apb.CertificateProfile_ENTERPRISE_USER_CERTIFICATE // DefaultCertOrigin is the default value of the certificate origin. DefaultCertOrigin string = "" // DefaultCertLabel is the default label to identify the cert. DefaultCertLabel string = "aaa" // DefaultKeyPayload is the default key payload used for testing. DefaultKeyPayload string = "payload" )
const ( // PassAuth is the constant for AuthConfig.AuthType, representing password authentication. PassAuth = iota // ChallengeAuth is the constant for AuthConfig.AuthType, representing challenge-response authentication. ChallengeAuth = iota )
const ( // GuestUser is the name representing a guest user account. // Defined in libbrillo/brillo/cryptohome.cc. GuestUser = "$guest" // KioskUser is the name representing a kiosk user account. KioskUser = "kiosk" // WaitForUserTimeout is the maximum time until a user mount is available. WaitForUserTimeout = 80 * time.Second )
const ( // NVRAMAttributeWriteAuth is used by DefineSpace to indicate that writing this NVRAM index requires authorization with authValue. NVRAMAttributeWriteAuth = "WRITE_AUTHORIZATION" // NVRAMAttributeReadAuth is used by DefineSpace to indicate that reading this NVRAM index requires authorization with authValue. NVRAMAttributeReadAuth = "READ_AUTHORIZATION" )
Variables ¶
var AttestationDaemon = &DaemonInfo{ Name: "attestation", DaemonName: "attestationd", HasDBus: true, DBusName: "org.chromium.Attestation", }
AttestationDaemon represents the DaemonInfo for attestation.
var BootLockboxDaemon = &DaemonInfo{ Name: "bootlockbox", DaemonName: "bootlockboxd", HasDBus: true, DBusName: "org.chromium.BootLockbox", Optional: true, }
BootLockboxDaemon represents the DaemonInfo for bootlockbox.
var ChapsDaemon = &DaemonInfo{ Name: "chaps", DaemonName: "chapsd", HasDBus: true, DBusName: "org.chromium.Chaps", }
ChapsDaemon represents the DaemonInfo for chaps.
var CryptohomeDaemon = &DaemonInfo{ Name: "cryptohome", DaemonName: "cryptohomed", HasDBus: true, DBusName: "org.chromium.UserDataAuth", }
CryptohomeDaemon represents the DaemonInfo for cryptohome.
var ErrIneffectiveReset = errors.New("ineffective reset of TPM")
ErrIneffectiveReset is returned if the TPM is owned after reset attempt.
var FakePCAAgentDaemon = &DaemonInfo{ Name: "fake_pca_agent", DaemonName: "fake_pca_agentd", HasDBus: true, DBusName: "org.chromium.PcaAgent", }
FakePCAAgentDaemon represents the DaemonInfo for fake_pca_agent. Note that fake_pca_agentd provides the same service, under the same D-Bus name (org.chromium.PcaAgent), as pca_agentd.
var HighLevelTPMDaemons = []*DaemonInfo{ TPMManagerDaemon, ChapsDaemon, BootLockboxDaemon, PCAAgentDaemon, AttestationDaemon, U2fdDaemon, CryptohomeDaemon, }
HighLevelTPMDaemons represents the high level TPM daemons.
var LowLevelTPMDaemons = []*DaemonInfo{ TcsdDaemon, TrunksDaemon, }
LowLevelTPMDaemons represents the low level TPM daemons.
var PCAAgentDaemon = &DaemonInfo{ Name: "pca_agent", DaemonName: "pca_agentd", HasDBus: true, DBusName: "org.chromium.PcaAgent", }
PCAAgentDaemon represents the DaemonInfo for pca_agent.
var SystemStateFiles = []string{
"/home/.shadow",
"/home/chronos/.oobe_completed",
"/home/chronos/Local State",
"/mnt/stateful_partition/.tpm_owned",
"/run/cryptohome",
"/run/lockbox/install_attributes.pb",
"/run/tpm_manager",
"/var/cache/app_pack",
"/var/cache/shill/default.profile",
"/var/lib/boot-lockbox",
"/var/lib/bootlockbox",
"/var/lib/chaps",
"/var/lib/cryptohome",
"/var/lib/public_mount_salt",
"/var/lib/tpm_manager",
"/var/lib/tpm",
"/var/lib/u2f",
}
SystemStateFiles lists the files that contain system state.
var SystemStateGlobs = []string{
"/var/lib/devicesettings/*",
}
SystemStateGlobs extends SystemStateFiles with globs that match additional files to remove. Entries must not contain spaces.
var TPM2SimulatorDaemon = &DaemonInfo{ Name: "tpm2-simulator", DaemonName: "tpm2-simulator", HasDBus: false, }
TPM2SimulatorDaemon represents the DaemonInfo for the tpm2 simulator.
var TPMManagerDaemon = &DaemonInfo{ Name: "tpm_manager", DaemonName: "tpm_managerd", HasDBus: true, DBusName: "org.chromium.TpmManager", }
TPMManagerDaemon represents the DaemonInfo for tpm_manager.
var TcsdDaemon = &DaemonInfo{ Name: "tcsd", DaemonName: "tcsd", HasDBus: false, Optional: true, }
TcsdDaemon represents the DaemonInfo for tcsd.
var TrunksDaemon = &DaemonInfo{ Name: "trunks", DaemonName: "trunksd", HasDBus: true, DBusName: "org.chromium.Trunks", Optional: true, }
TrunksDaemon represents the DaemonInfo for trunks.
var U2fdDaemon = &DaemonInfo{ Name: "u2fd", DaemonName: "u2fd", HasDBus: false, Optional: true, }
U2fdDaemon represents the DaemonInfo for u2fd.
var UIDaemon = &DaemonInfo{ Name: "ui", DaemonName: "ui", HasDBus: false, }
UIDaemon represents the DaemonInfo for ui.
Functions ¶
func DoesUserTestFileExist ¶
func DoesUserTestFileExist(ctx context.Context, util *CryptohomeClient, cmdRunner CmdRunner, user, fileName string) (bool, error)
DoesUserTestFileExist reports whether the given test file exists in the given user's home dir.
func GetUserTestFilePath ¶
func GetUserTestFilePath(ctx context.Context, util *CryptohomeClient, user, fileName string) (string, error)
GetUserTestFilePath returns the full path of the given file under the given user's home dir.
func HexDecode ¶
HexDecode decodes the hex-encoded enc into a []byte and returns any error encountered.
func ReadUserTestContent ¶
func ReadUserTestContent(ctx context.Context, util *CryptohomeClient, cmdRunner CmdRunner, user, fileName string) ([]byte, error)
ReadUserTestContent reads the given file under the given user's home dir. It returns the file contents if the read succeeded, or an error otherwise.
func SendGetRequestTo ¶
SendGetRequestTo sends a GET request to serverURL.
func SendPostRequestTo ¶
SendPostRequestTo sends a POST request with the given body to serverURL.
func UnmarshalSignedData ¶
func UnmarshalSignedData(d []byte) (*apb.SignedData, error)
UnmarshalSignedData unmarshals d into an apb.SignedData and returns any error encountered.
func WriteUserTestContent ¶
func WriteUserTestContent(ctx context.Context, util *CryptohomeClient, cmdRunner CmdRunner, user, fileName, content string) error
WriteUserTestContent writes the given content to the given file into the given user's home dir. The file is created if it doesn't exist.
Types ¶
type ACAType ¶
type ACAType int
ACAType indicates the type of ACA server; the possible values are default and test, see the const definitions below.
type AttestationClient ¶
type AttestationClient struct {
// contains filtered or unexported fields
}
AttestationClient wraps the functions of AttestationDBus.
func NewAttestationClient ¶
func NewAttestationClient(ac AttestationDBus) *AttestationClient
NewAttestationClient creates a new AttestationClient.
func (*AttestationClient) CreateCertRequest ¶
func (u *AttestationClient) CreateCertRequest( ctx context.Context, pcaType PCAType, profile apb.CertificateProfile, username, origin string) (string, error)
CreateCertRequest creates a cert request.
func (*AttestationClient) CreateEnrollRequest ¶
func (u *AttestationClient) CreateEnrollRequest(ctx context.Context, pcaType PCAType) (string, error)
CreateEnrollRequest creates an enroll request.
func (*AttestationClient) DeleteKeys ¶
func (u *AttestationClient) DeleteKeys(ctx context.Context, username, prefix string) error
DeleteKeys deletes all of |username|'s keys whose label has the given prefix.
func (*AttestationClient) FinishCertRequest ¶
func (u *AttestationClient) FinishCertRequest(ctx context.Context, resp, username, label string) error
FinishCertRequest handles the cert response.
func (*AttestationClient) FinishEnroll ¶
FinishEnroll handles the enroll response.
func (*AttestationClient) GetEnrollmentID ¶
func (u *AttestationClient) GetEnrollmentID(ctx context.Context) (string, error)
GetEnrollmentID gets the enrollment ID.
func (*AttestationClient) GetKeyPayload ¶
func (u *AttestationClient) GetKeyPayload( ctx context.Context, username, label string) (string, error)
GetKeyPayload gets the payload associated with the specified key.
func (*AttestationClient) GetPublicKey ¶
func (u *AttestationClient) GetPublicKey( ctx context.Context, username, label string) (string, error)
GetPublicKey gets the public part of the key.
func (*AttestationClient) IsEnrolled ¶
func (u *AttestationClient) IsEnrolled(ctx context.Context) (bool, error)
IsEnrolled checks whether the DUT is enrolled.
func (*AttestationClient) IsPreparedForEnrollment ¶
func (u *AttestationClient) IsPreparedForEnrollment(ctx context.Context) (bool, error)
IsPreparedForEnrollment checks whether the DUT is prepared for enrollment.
func (*AttestationClient) RegisterKeyWithChapsToken ¶
func (u *AttestationClient) RegisterKeyWithChapsToken( ctx context.Context, username, label string) (bool, error)
RegisterKeyWithChapsToken registers the key into chaps.
func (*AttestationClient) SetKeyPayload ¶
func (u *AttestationClient) SetKeyPayload( ctx context.Context, username, label, payload string) (bool, error)
SetKeyPayload sets the payload associated with the specified key.
func (*AttestationClient) SignEnterpriseVAChallenge ¶
func (u *AttestationClient) SignEnterpriseVAChallenge( ctx context.Context, vaType VAType, username, label, domain, deviceID string, includeSignedPublicKey bool, challenge []byte) (string, error)
SignEnterpriseVAChallenge performs SPKAC for the challenge.
func (*AttestationClient) SignSimpleChallenge ¶
func (u *AttestationClient) SignSimpleChallenge( ctx context.Context, username, label string, challenge []byte) (string, error)
SignSimpleChallenge signs the challenge with the specified key.
type AttestationDBus ¶
type AttestationDBus interface { // GetStatus returns the attestation status. GetStatus(ctx context.Context, req *apb.GetStatusRequest) (*apb.GetStatusReply, error) // CreateEnrollRequest create enroll request. CreateEnrollRequest(ctx context.Context, req *apb.CreateEnrollRequestRequest) (*apb.CreateEnrollRequestReply, error) // FinishEnroll finish enroll request. FinishEnroll(ctx context.Context, req *apb.FinishEnrollRequest) (*apb.FinishEnrollReply, error) // CreateCertificateRequest create certificate request. CreateCertificateRequest(ctx context.Context, req *apb.CreateCertificateRequestRequest) (*apb.CreateCertificateRequestReply, error) // FinishCertificateRequest finish certificate request. FinishCertificateRequest(ctx context.Context, req *apb.FinishCertificateRequestRequest) (*apb.FinishCertificateRequestReply, error) // SignEnterpriseChallenge sign enterprise challenge. SignEnterpriseChallenge(ctx context.Context, req *apb.SignEnterpriseChallengeRequest) (*apb.SignEnterpriseChallengeReply, error) // SignSimpleChallenge sign simple challenge. SignSimpleChallenge(ctx context.Context, req *apb.SignSimpleChallengeRequest) (*apb.SignSimpleChallengeReply, error) // GetKeyInfo returns the key info. GetKeyInfo(ctx context.Context, req *apb.GetKeyInfoRequest) (*apb.GetKeyInfoReply, error) // GetEnrollmentID returns the enrollment id. GetEnrollmentID(ctx context.Context, req *apb.GetEnrollmentIdRequest) (*apb.GetEnrollmentIdReply, error) // SetKeyPayload sets a payload for a key. SetKeyPayload(ctx context.Context, req *apb.SetKeyPayloadRequest) (*apb.SetKeyPayloadReply, error) // RegisterKeyWithChapsToken registers the key into chaps. RegisterKeyWithChapsToken(ctx context.Context, req *apb.RegisterKeyWithChapsTokenRequest) (*apb.RegisterKeyWithChapsTokenReply, error) // DeleteKeys delete user's keys. DeleteKeys(ctx context.Context, req *apb.DeleteKeysRequest) (*apb.DeleteKeysReply, error) }
AttestationDBus is an interface of attestation D-Bus client.
type AttestationError ¶
type AttestationError struct { *errors.E apb.AttestationStatus }
AttestationError wraps the attestation error status.
type AttestationHelper ¶
type AttestationHelper struct {
// contains filtered or unexported fields
}
AttestationHelper provides various helper functions that can be shared across all hwsec integration tests based on AttestationClient.
func NewAttestationHelper ¶
func NewAttestationHelper(ac AttestationDBus) *AttestationHelper
NewAttestationHelper creates a new AttestationHelper, with ac responsible for AttestationDBus.
func (*AttestationHelper) AttestationClient ¶
func (h *AttestationHelper) AttestationClient() *AttestationClient
AttestationClient exposes the helper's AttestationClient.
func (*AttestationHelper) EnsureIsPreparedForEnrollment ¶
func (h *AttestationHelper) EnsureIsPreparedForEnrollment(ctx context.Context, timeout time.Duration) error
EnsureIsPreparedForEnrollment ensures the DUT is prepared for enrollment when the function returns |nil|. Otherwise, it returns any encountered error.
type AttestationTest ¶
type AttestationTest struct {
// contains filtered or unexported fields
}
AttestationTest provides the complex operations in the attestation flow, along with validations.
func NewAttestationTest ¶
func NewAttestationTest(ac attestationClient, pcaType PCAType) *AttestationTest
NewAttestationTest creates a new AttestationTest instance with the default PCA and VA objects that talk to the real servers used in production.
func NewAttestationTestWith ¶
func NewAttestationTestWith(ac attestationClient, pcaType PCAType, pca PCA, va VA) *AttestationTest
NewAttestationTestWith creates a new AttestationTest instance that uses the given pca and va objects instead of the default PCA and VA objects that talk to the real servers used in production.
func (*AttestationTest) Enroll ¶
func (at *AttestationTest) Enroll(ctx context.Context) error
Enroll creates the enroll request, sends it to the corresponding PCA server, and finishes the request with the received response.
func (*AttestationTest) GetCertificate ¶
func (at *AttestationTest) GetCertificate(ctx context.Context, username, label string) error
GetCertificate creates the cert request, sends it to the corresponding PCA server, and finishes the request with the received response.
func (*AttestationTest) SignEnterpriseChallenge ¶
func (at *AttestationTest) SignEnterpriseChallenge(ctx context.Context, username, label string) error
SignEnterpriseChallenge gets a challenge from the default VA server, performs SPKAC, and sends the signed challenge back for verification.
func (*AttestationTest) SignSimpleChallenge ¶
func (at *AttestationTest) SignSimpleChallenge(ctx context.Context, username, label string) error
SignSimpleChallenge signs a known, short piece of data with the cert, and verifies the signature using its public key.
type AuthConfig ¶
type AuthConfig struct { // AuthType is the type of authentication. AuthType int // Username is the username for authentication. Username string // Password is the user's password. // Used only when AuthType is PassAuth Password string // KeyDelegateName is the dbus service name for the authentication delegate. // Used only when AuthType is ChallengeAuth KeyDelegateName string // KeyDelegatePath is the dbus service path for the authentication delegate. // Used only when AuthType is ChallengeAuth KeyDelegatePath string // ChallengeSPKI is the SPKI that contains the public key for challenge response. It's in DER format. // Used only when AuthType is ChallengeAuth ChallengeSPKI []byte // ChallengeAlg is the signature algorithm to use for challenge-response authentication. // Used only when AuthType is ChallengeAuth ChallengeAlg cpb.ChallengeSignatureAlgorithm }
AuthConfig represents the data required to authenticate a user. It could be password authentication or challenge-response authentication.
func NewChallengeAuthConfig ¶
func NewChallengeAuthConfig(username, keyDelegateName, keyDelegatePath string, challengeSPKI []byte, challengeAlg cpb.ChallengeSignatureAlgorithm) *AuthConfig
NewChallengeAuthConfig creates an AuthConfig for Challenge-Response Authentication.
func NewPassAuthConfig ¶
func NewPassAuthConfig(username, password string) *AuthConfig
NewPassAuthConfig creates an AuthConfig for Password Authentication.
type CmdExitError ¶
CmdExitError is the error returned by CmdRunner when the command execution fails.
type CmdHelper ¶
type CmdHelper struct {
// contains filtered or unexported fields
}
CmdHelper provides various helper functions that can be shared across all hwsec integration tests based on CmdRunner.
func NewCmdHelper ¶
NewCmdHelper creates a new CmdHelper, with r responsible for CmdRunner.
func (*CmdHelper) CryptohomeClient ¶
func (h *CmdHelper) CryptohomeClient() *CryptohomeClient
CryptohomeClient exposes the helper's CryptohomeClient.
func (*CmdHelper) DaemonController ¶
func (h *CmdHelper) DaemonController() *DaemonController
DaemonController exposes the helper's DaemonController.
func (*CmdHelper) DropResetLockPermissions ¶
func (h *CmdHelper) DropResetLockPermissions(ctx context.Context) (restoreFunc func(ctx context.Context) error, retErr error)
DropResetLockPermissions drops the reset lock permissions and returns a callback that restores them.
func (*CmdHelper) EnsureTPMIsReady ¶
EnsureTPMIsReady ensures the TPM is ready when the function returns |nil|. Otherwise, it returns any encountered error.
func (*CmdHelper) GetTPMManagerLocalData ¶
GetTPMManagerLocalData reads the tpm_manager local_tpm_data. Note: reading the data without stopping tpm_managerd may return stale data.
func (*CmdHelper) GetTPMVersion ¶
GetTPMVersion returns the TPM version, for example: "1.2", "2.0".
func (*CmdHelper) RemoveFile ¶
RemoveFile deletes the file.
func (*CmdHelper) SetTPMManagerLocalData ¶
SetTPMManagerLocalData writes the local_tpm_data. Because tpm_managerd may cache the local data in memory, tpm_managerd must be restarted after modifying the data.
func (*CmdHelper) TPMManagerClient ¶
func (h *CmdHelper) TPMManagerClient() *TPMManagerClient
TPMManagerClient exposes the helper's TPMManagerClient.
type CmdRunner ¶
// CmdRunner declares the interface that runs a command on the DUT.
type CmdRunner interface {
	// Run runs the specified command and returns its standard output.
	Run(ctx context.Context, cmd string, args ...string) ([]byte, error)
	// RunWithCombinedOutput runs the specified command and returns its combined standard output and standard error.
	RunWithCombinedOutput(ctx context.Context, cmd string, args ...string) ([]byte, error)
}
CmdRunner declares the interface that runs a command on the DUT.
type CmdTPMClearHelper ¶
// CmdTPMClearHelper extends CmdHelper with a TPMClearer so that tests can also reset the TPM.
type CmdTPMClearHelper struct {
	CmdHelper
	// contains filtered or unexported fields
}
CmdTPMClearHelper provides various helper functions that can be shared across all hwsec integration tests based on CmdHelper & TPMClearer.
func NewCmdTPMClearHelper ¶
func NewCmdTPMClearHelper(ch *CmdHelper, tc TPMClearer) *CmdTPMClearHelper
NewCmdTPMClearHelper creates a new CmdTPMClearHelper, with ch responsible for CmdHelper and tc responsible for TPMClearer.
func (*CmdTPMClearHelper) EnsureTPMAndSystemStateAreReset ¶
func (h *CmdTPMClearHelper) EnsureTPMAndSystemStateAreReset(ctx context.Context) error
EnsureTPMAndSystemStateAreReset ensures the TPM is reset and simulates a Powerwash.
func (*CmdTPMClearHelper) EnsureTPMIsReset ¶
func (h *CmdTPMClearHelper) EnsureTPMIsReset(ctx context.Context) error
EnsureTPMIsReset ensures the TPM is reset when the function returns nil. Otherwise, returns any encountered error.
func (*CmdTPMClearHelper) TPMClearer ¶
func (h *CmdTPMClearHelper) TPMClearer() TPMClearer
TPMClearer returns the helper's TPMClearer.
type CryptohomeClient ¶
// CryptohomeClient wraps the functions of cryptohomeBinary and parses their outputs into structured data.
type CryptohomeClient struct {
	// contains filtered or unexported fields
}
CryptohomeClient wraps the functions of cryptohomeBinary and parses the outputs into structured data.
func NewCryptohomeClient ¶
func NewCryptohomeClient(r CmdRunner) *CryptohomeClient
NewCryptohomeClient creates a new CryptohomeClient.
func (*CryptohomeClient) AddAuthFactor ¶
func (u *CryptohomeClient) AddAuthFactor(ctx context.Context, authSessionID, label, password string) error
AddAuthFactor creates an auth factor for the user with given password.
func (*CryptohomeClient) AddCredentialsWithAuthSession ¶
func (u *CryptohomeClient) AddCredentialsWithAuthSession(ctx context.Context, user, password, authSessionID string, publicMount bool) error
AddCredentialsWithAuthSession creates the credentials for the user with given password. password is ignored if publicMount is set to true.
func (*CryptohomeClient) AddPinAuthFactor ¶
func (u *CryptohomeClient) AddPinAuthFactor(ctx context.Context, authSessionID, label, pin string) error
AddPinAuthFactor creates a PIN auth factor for the user with the given pin.
func (*CryptohomeClient) AddVaultKey ¶
func (u *CryptohomeClient) AddVaultKey(ctx context.Context, username, password, label, newPassword, newLabel string, lowEntropy bool) error
AddVaultKey adds the key with newLabel and newPassword to the user specified by username, with password password and label label. nil is returned iff the operation is successful.
func (*CryptohomeClient) AuthenticateAuthFactor ¶
func (u *CryptohomeClient) AuthenticateAuthFactor(ctx context.Context, authSessionID, label, password string) error
AuthenticateAuthFactor authenticates an AuthSession with a given authSessionID via an auth factor.
func (*CryptohomeClient) AuthenticateAuthSession ¶
func (u *CryptohomeClient) AuthenticateAuthSession(ctx context.Context, password, authSessionID string, publicMount bool) error
AuthenticateAuthSession authenticates an AuthSession with a given authSessionID. password is ignored if publicMount is set to true.
func (*CryptohomeClient) AuthenticatePinAuthFactor ¶
func (u *CryptohomeClient) AuthenticatePinAuthFactor(ctx context.Context, authSessionID, label, pin string) error
AuthenticatePinAuthFactor authenticates an AuthSession with a given authSessionID via pin.
func (*CryptohomeClient) BackupFWMP ¶
func (u *CryptohomeClient) BackupFWMP(ctx context.Context) (*FirmwareManagementParametersInfo, error)
BackupFWMP backs up the current FWMP by returning the FWMP. The operation is successful iff error is nil.
func (*CryptohomeClient) ChangeVaultPassword ¶
func (u *CryptohomeClient) ChangeVaultPassword(ctx context.Context, username, password, label, newPassword string) error
ChangeVaultPassword changes the vault for user username with label and password to newPassword. nil is returned iff the operation is successful.
func (*CryptohomeClient) CheckTPMWrappedUserKeyset ¶
func (u *CryptohomeClient) CheckTPMWrappedUserKeyset(ctx context.Context, user string) error
CheckTPMWrappedUserKeyset checks if the given user's keyset is backed by TPM. Returns an error if the keyset is not TPM-backed or if there's anything wrong.
func (*CryptohomeClient) CheckVault ¶
func (u *CryptohomeClient) CheckVault(ctx context.Context, label string, authConfig *AuthConfig) (bool, error)
CheckVault checks the vault via |CheckKeyEx| dbus method.
func (*CryptohomeClient) CheckVaultAndUnlockWebAuthnSecret ¶
func (u *CryptohomeClient) CheckVaultAndUnlockWebAuthnSecret(ctx context.Context, label string, authConfig *AuthConfig) (bool, error)
CheckVaultAndUnlockWebAuthnSecret checks the vault via the |CheckKeyEx| dbus method, with the unlock_webauthn_secret param set to true.
func (*CryptohomeClient) CreatePersistentUser ¶
func (u *CryptohomeClient) CreatePersistentUser(ctx context.Context, authSessionID string) error
CreatePersistentUser creates a persistent user.
func (*CryptohomeClient) GetAccountDiskUsage ¶
func (u *CryptohomeClient) GetAccountDiskUsage(ctx context.Context, username string) (diskUsage int64, returnedError error)
GetAccountDiskUsage returns the disk space (in bytes) used by the username.
func (*CryptohomeClient) GetFirmwareManagementParameters ¶
func (u *CryptohomeClient) GetFirmwareManagementParameters(ctx context.Context) (flags, hash string, returnedError *FWMPError)
GetFirmwareManagementParameters retrieves the firmware management parameter flags and hash. It returns (flags, hash, err), whereby flags and hash are part of the FWMP and are valid iff err is nil; when non-nil, err is an *FWMPError carrying the error code from the dbus call, if available. The operation is successful iff err is nil.
func (*CryptohomeClient) GetHomeUserPath ¶
GetHomeUserPath retrieves the user specified by username's user home path.
func (*CryptohomeClient) GetKeyData ¶
GetKeyData returns the key data for the specified user and label.
func (*CryptohomeClient) GetRootUserPath ¶
GetRootUserPath retrieves the user specified by username's user root path.
func (*CryptohomeClient) GetSanitizedUsername ¶
func (u *CryptohomeClient) GetSanitizedUsername(ctx context.Context, username string, useDBus bool) (string, error)
GetSanitizedUsername computes the sanitized username for the given user. If useDBus is true, the sanitized username will be computed by cryptohome (through dbus). Otherwise, it'll be computed directly by libbrillo (without dbus).
func (*CryptohomeClient) GetSystemSalt ¶
GetSystemSalt retrieves the system salt and returns the hex-encoded version of it. If useDBus is true, the system salt will be retrieved from cryptohome (through dbus). Otherwise, it'll be loaded directly by libbrillo (without dbus).
func (*CryptohomeClient) GetTokenForUser ¶
GetTokenForUser retrieves the token slot for the user token if username is non-empty, or for the system token if username is empty.
func (*CryptohomeClient) GetTokenInfoForUser ¶
func (u *CryptohomeClient) GetTokenInfoForUser(ctx context.Context, username string) (returnedLabel, returnedPin string, returnedSlot int, returnedErr error)
GetTokenInfoForUser retrieves the token label, pin and slot for the user token if username is non-empty, or for the system token if username is empty.
func (*CryptohomeClient) GetUserHash ¶
GetUserHash returns user's cryptohome hash.
func (*CryptohomeClient) InstallAttributesCount ¶
func (u *CryptohomeClient) InstallAttributesCount(ctx context.Context) (int, error)
InstallAttributesCount retrieves the number of entries in install attributes. It returns count and error. error is nil iff the operation completes successfully, and in this case count holds the number of entries in install attributes.
func (*CryptohomeClient) InstallAttributesFinalize ¶
func (u *CryptohomeClient) InstallAttributesFinalize(ctx context.Context) error
InstallAttributesFinalize finalizes the install attributes, and returns error encountered if any. error is nil iff the operation completes successfully.
func (*CryptohomeClient) InstallAttributesGet ¶
func (u *CryptohomeClient) InstallAttributesGet(ctx context.Context, attributeName string) (string, error)
InstallAttributesGet retrieves the install attributes with the name of attributeName, and returns the tuple (value, error), whereby value is the value of the attributes, and error is nil iff the operation is successful, otherwise error is the error that occurred.
func (*CryptohomeClient) InstallAttributesIsFirstInstall ¶
func (u *CryptohomeClient) InstallAttributesIsFirstInstall(ctx context.Context) (bool, error)
InstallAttributesIsFirstInstall checks if install attributes is the first install state, returns isFirstInstall and error. error is nil iff the operation completes successfully, and in this case isFirstInstall is whether install attributes is in the first install state.
func (*CryptohomeClient) InstallAttributesIsInvalid ¶
func (u *CryptohomeClient) InstallAttributesIsInvalid(ctx context.Context) (bool, error)
InstallAttributesIsInvalid checks if install attributes is invalid, returns isInvalid and error. error is nil iff the operation completes successfully, and in this case isInvalid is whether install attributes is invalid.
func (*CryptohomeClient) InstallAttributesIsReady ¶
func (u *CryptohomeClient) InstallAttributesIsReady(ctx context.Context) (bool, error)
InstallAttributesIsReady checks if install attributes is ready, returns isReady and error. error is nil iff the operation completes successfully, and in this case isReady is whether install attributes is ready.
func (*CryptohomeClient) InstallAttributesIsSecure ¶
func (u *CryptohomeClient) InstallAttributesIsSecure(ctx context.Context) (bool, error)
InstallAttributesIsSecure checks if install attributes is secure, returns isSecure and error. error is nil iff the operation completes successfully, and in this case isSecure is whether install attributes is secure.
func (*CryptohomeClient) InstallAttributesSet ¶
func (u *CryptohomeClient) InstallAttributesSet(ctx context.Context, attributeName, attributeValue string) error
InstallAttributesSet sets the install attributes with the name of attributeName with the value attributeValue, and returns error, whereby error is nil iff the operation is successful, otherwise error is the error that occurred.
func (*CryptohomeClient) InstallAttributesStatus ¶
func (u *CryptohomeClient) InstallAttributesStatus(ctx context.Context) (string, error)
InstallAttributesStatus retrieves a status string from cryptohome. The status string is in JSON format and holds the various cryptohome-related status.
func (*CryptohomeClient) InvalidateAuthSession ¶
func (u *CryptohomeClient) InvalidateAuthSession(ctx context.Context, authSessionID string) error
InvalidateAuthSession invalidates the AuthSession with the given authSessionID.
func (*CryptohomeClient) IsMounted ¶
func (u *CryptohomeClient) IsMounted(ctx context.Context) (bool, error)
IsMounted checks if any vault is mounted.
func (*CryptohomeClient) IsTPMWrappedKeySet ¶
IsTPMWrappedKeySet checks if the current user vault is TPM-backed.
func (*CryptohomeClient) ListVaultKeys ¶
ListVaultKeys queries the vault associated with user username and password password, and returns nil for error iff the operation is completed successfully, in that case, the returned slice of string contains the labels of keys belonging to that vault.
func (*CryptohomeClient) LockToSingleUserMountUntilReboot ¶
func (u *CryptohomeClient) LockToSingleUserMountUntilReboot(ctx context.Context, username string) error
LockToSingleUserMountUntilReboot will block users other than the specified from logging in if the call succeeds, and in that case, nil is returned.
func (*CryptohomeClient) MountGuest ¶
func (u *CryptohomeClient) MountGuest(ctx context.Context) error
MountGuest creates a mount point for a guest user; error is nil if the operation completed successfully.
func (*CryptohomeClient) MountKiosk ¶
func (u *CryptohomeClient) MountKiosk(ctx context.Context) error
MountKiosk creates a mount point for a kiosk; error is nil if the operation completed successfully.
func (*CryptohomeClient) MountVault ¶
func (u *CryptohomeClient) MountVault(ctx context.Context, label string, authConfig *AuthConfig, create bool, vaultConfig *VaultConfig) error
MountVault mounts the vault for the user; if no vault exists yet and create is true, a new vault is created. error is nil if the operation completed successfully.
func (*CryptohomeClient) MountWithAuthSession ¶
func (u *CryptohomeClient) MountWithAuthSession(ctx context.Context, authSessionID string, publicMount bool) error
MountWithAuthSession mounts a user's vault using the AuthSession with the given authSessionID.
func (*CryptohomeClient) PrepareEphemeralVault ¶
func (u *CryptohomeClient) PrepareEphemeralVault(ctx context.Context, authSessionID string) error
PrepareEphemeralVault prepares vault for ephemeral session.
func (*CryptohomeClient) PrepareGuestVault ¶
func (u *CryptohomeClient) PrepareGuestVault(ctx context.Context) error
PrepareGuestVault prepares vault for guest session.
func (*CryptohomeClient) PreparePersistentVault ¶
func (u *CryptohomeClient) PreparePersistentVault(ctx context.Context, authSessionID string, ecryptfs bool) error
PreparePersistentVault prepares vault for persistent user session.
func (*CryptohomeClient) PrepareVaultForMigration ¶
func (u *CryptohomeClient) PrepareVaultForMigration(ctx context.Context, authSessionID string) error
PrepareVaultForMigration prepares vault for migration.
func (*CryptohomeClient) RemoveFirmwareManagementParameters ¶
func (u *CryptohomeClient) RemoveFirmwareManagementParameters(ctx context.Context) (string, error)
RemoveFirmwareManagementParameters removes the firmware management parameters. msg is the command line output from cryptohome command; error is nil iff the operation is successful.
func (*CryptohomeClient) RemoveVault ¶
RemoveVault removes the vault for username.
func (*CryptohomeClient) RemoveVaultKey ¶
func (u *CryptohomeClient) RemoveVaultKey(ctx context.Context, username, password, removeLabel string) error
RemoveVaultKey removes the key with label removeLabel from the vault of the user specified by username. The password for username is supplied so the operation can proceed. nil is returned iff the operation is successful.
func (*CryptohomeClient) RestoreFWMP ¶
func (u *CryptohomeClient) RestoreFWMP(ctx context.Context, fwmp *FirmwareManagementParametersInfo) error
RestoreFWMP restores the FWMP from the fwmp parameter, and returns nil iff the operation is successful.
func (*CryptohomeClient) SetFirmwareManagementParameters ¶
func (u *CryptohomeClient) SetFirmwareManagementParameters(ctx context.Context, flags, hash string) (string, error)
SetFirmwareManagementParameters sets the firmware management parameters flags and hash (both as a hex string), then returns (msg, error). msg is the command line output from cryptohome command; error is nil iff the operation is successful.
func (*CryptohomeClient) StartAuthSession ¶
func (u *CryptohomeClient) StartAuthSession(ctx context.Context, user string, isEphemeral bool) (string, error)
StartAuthSession starts an AuthSession for a given user.
func (*CryptohomeClient) SupportsLECredentials ¶
func (u *CryptohomeClient) SupportsLECredentials(ctx context.Context) (bool, error)
SupportsLECredentials calls GetSupportedKeyPolicies and parses the output for low entropy credential support.
func (*CryptohomeClient) UnmountAll ¶
func (u *CryptohomeClient) UnmountAll(ctx context.Context) error
UnmountAll unmounts all vaults.
func (*CryptohomeClient) UnmountAndRemoveVault ¶
func (u *CryptohomeClient) UnmountAndRemoveVault(ctx context.Context, username string) error
UnmountAndRemoveVault attempts to unmount all vaults and remove the vault for username. This is a simple helper, and it's created because this is a commonly used combination.
func (*CryptohomeClient) UpdateCredentialWithAuthSession ¶
func (u *CryptohomeClient) UpdateCredentialWithAuthSession(ctx context.Context, password, authSessionID string, publicMount bool) error
UpdateCredentialWithAuthSession updates a credential using the AuthSession with the given authSessionID. password is ignored if publicMount is set to true.
func (*CryptohomeClient) WaitForUserToken ¶
func (u *CryptohomeClient) WaitForUserToken(ctx context.Context, username string) error
WaitForUserToken waits until the user token for the specified user is ready, and returns an error if the token is still unavailable.
type CryptohomeMountInfo ¶
// CryptohomeMountInfo is a helper for retrieving cryptohome mount information.
type CryptohomeMountInfo struct {
	// contains filtered or unexported fields
}
CryptohomeMountInfo is a helper to get cryptohome mount information.
func NewCryptohomeMountInfo ¶
func NewCryptohomeMountInfo(r CmdRunner, c *CryptohomeClient) *CryptohomeMountInfo
NewCryptohomeMountInfo creates a new CryptohomeMountInfo.
func (*CryptohomeMountInfo) CheckMountNamespace ¶
func (c *CryptohomeMountInfo) CheckMountNamespace(ctx context.Context) error
CheckMountNamespace checks whether the user session mount namespace has been created.
func (*CryptohomeMountInfo) CleanUpMount ¶
func (c *CryptohomeMountInfo) CleanUpMount(ctx context.Context, user string) error
CleanUpMount cleans up the mount point for the user, and checks that it is unmounted.
func (*CryptohomeMountInfo) MountedVaultPath ¶
MountedVaultPath returns the path where the decrypted data for the user is located.
func (*CryptohomeMountInfo) UserCryptohomePath ¶
UserCryptohomePath returns the path where the cryptohome data for the user is located.
func (*CryptohomeMountInfo) WaitForUserMount ¶
func (c *CryptohomeMountInfo) WaitForUserMount(ctx context.Context, user string) error
WaitForUserMount waits for user's encrypted home directory to be mounted and validates that it is of permanent type for all users except guest.
func (*CryptohomeMountInfo) WaitForUserMountAndValidateType ¶
func (c *CryptohomeMountInfo) WaitForUserMountAndValidateType(ctx context.Context, user string, mountType MountType) error
WaitForUserMountAndValidateType waits for user's encrypted home directory to be mounted and validates that it is of correct type.
type DAInfo ¶
// DAInfo contains the TPM dictionary attack (DA) lockout information.
type DAInfo struct {
	// Counter is the dictionary attack lockout counter.
	Counter int
	// Threshold is the dictionary attack lockout threshold.
	Threshold int
	// InEffect indicates if dictionary attack lockout is in effect.
	InEffect bool
	// Remaining is the seconds remaining until the lockout can be reset.
	Remaining int
}
DAInfo contains the dictionary attack related information.
type DaemonController ¶
// DaemonController controls the daemons via upstart commands.
type DaemonController struct {
	// contains filtered or unexported fields
}
DaemonController controls the daemons via upstart commands.
func NewDaemonController ¶
func NewDaemonController(r CmdRunner) *DaemonController
NewDaemonController creates a new DaemonController object, where r is used to run the command internally.
func (*DaemonController) Ensure ¶
func (dc *DaemonController) Ensure(ctx context.Context, info *DaemonInfo) error
Ensure ensures a daemon is started and waits until the D-Bus interface is responsive if it has D-Bus interface.
func (*DaemonController) EnsureDaemons ¶
func (dc *DaemonController) EnsureDaemons(ctx context.Context, daemons []*DaemonInfo) error
EnsureDaemons ensures daemons started in order.
func (*DaemonController) Restart ¶
func (dc *DaemonController) Restart(ctx context.Context, info *DaemonInfo) error
Restart restarts a daemon and waits until the D-Bus interface is responsive if it has D-Bus interface.
func (*DaemonController) RestartTPMDaemons ¶
func (dc *DaemonController) RestartTPMDaemons(ctx context.Context) error
RestartTPMDaemons restarts all TPM-related daemons.
func (*DaemonController) Start ¶
func (dc *DaemonController) Start(ctx context.Context, info *DaemonInfo) error
Start starts a daemon and waits until the D-Bus interface is responsive if it has D-Bus interface.
func (*DaemonController) Status ¶
func (dc *DaemonController) Status(ctx context.Context, info *DaemonInfo) (goal DaemonGoal, state DaemonState, pid int, err error)
Status returns the status of daemon.
func (*DaemonController) Stop ¶
func (dc *DaemonController) Stop(ctx context.Context, info *DaemonInfo) error
Stop stops a daemon.
func (*DaemonController) TryStop ¶
func (dc *DaemonController) TryStop(ctx context.Context, info *DaemonInfo) error
TryStop stops a daemon if it exists and is started.
func (*DaemonController) TryStopDaemons ¶
func (dc *DaemonController) TryStopDaemons(ctx context.Context, daemons []*DaemonInfo) error
TryStopDaemons tries to stop daemons in the reverse order.
func (*DaemonController) WaitForAllDBusServices ¶
func (dc *DaemonController) WaitForAllDBusServices(ctx context.Context) error
WaitForAllDBusServices waits for all D-Bus services of our interest to be running.
type DaemonGoal ¶
// DaemonGoal describes a job's goal. See Section 10.1.6.19, "initctl status", in the Upstart Cookbook.
type DaemonGoal string
DaemonGoal describes a job's goal. See Section 10.1.6.19, "initctl status", in the Upstart Cookbook.
type DaemonInfo ¶
DaemonInfo represents the information for a daemon.
type DaemonState ¶
// DaemonState describes a job's current state. See Section 4.1.2, "Job States", in the Upstart Cookbook.
type DaemonState string
DaemonState describes a job's current state. See Section 4.1.2, "Job States", in the Upstart Cookbook.
type FWMPError ¶
// FWMPError is a custom error type that conveys the error as well as the ErrorCode parsed from the cryptohome API.
type FWMPError struct {
	*errors.E
	// ErrorCode is the error code from FWMP methods.
	ErrorCode string
}
FWMPError is a custom error type that conveys the error as well as parsed ErrorCode from cryptohome API.
type FileWiper ¶
// FileWiper wipes or restores a file on the DUT by renaming it.
type FileWiper struct {
	// contains filtered or unexported fields
}
FileWiper wipes or restores a file on the DUT by renaming it.
func NewFileWiper ¶
NewFileWiper creates a new FileWiper with r running commands internally.
type FirmwareManagementParametersInfo ¶
// FirmwareManagementParametersInfo holds the FWMP information so that it can be backed up and restored.
type FirmwareManagementParametersInfo struct {
	// contains filtered or unexported fields
}
FirmwareManagementParametersInfo contains the information regarding FWMP, so that it can be backed up and restored.
type FullHelper ¶
// FullHelper combines every kind of helper that can be shared across hwsec integration tests, regardless of run type (remote or local).
type FullHelper struct {
	CmdTPMClearHelper
	AttestationHelper
}
FullHelper is the full version of all kinds of helper that could be shared across all hwsec integration test regardless of run-type, i.e., remote or local.
func NewFullHelper ¶
func NewFullHelper(ch *CmdTPMClearHelper, ah *AttestationHelper) *FullHelper
NewFullHelper creates a new FullHelper, with ch responsible for CmdTPMClearHelper and ah responsible for AttestationHelper.
type NonsensitiveStatusInfo ¶
// NonsensitiveStatusInfo contains the non-sensitive TPM status reported by tpm_manager.
type NonsensitiveStatusInfo struct {
	// IsEnabled reports whether a TPM is enabled on the system.
	IsEnabled bool
	// IsOwned reports whether the TPM has been owned.
	IsOwned bool
	// IsOwnerPasswordPresent reports whether the owner password is still retained.
	IsOwnerPasswordPresent bool
	// HasResetLockPermissions reports whether tpm_manager is capable of resetting the dictionary attack (DA) lockout.
	HasResetLockPermissions bool
}
NonsensitiveStatusInfo contains the non-sensitive TPM status information.
type PCA ¶
// PCA declares the functions that handle the PCA requests issued by attestation.
type PCA interface {
	// HandleEnrollRequest handles an enrollment request for the given PCA type and returns the response.
	HandleEnrollRequest(ctx context.Context, request string, pcaType PCAType) (string, error)
	// HandleCertificateRequest handles a certificate request for the given PCA type and returns the response.
	HandleCertificateRequest(ctx context.Context, request string, pcaType PCAType) (string, error)
}
PCA declares functions that handle PCA requests by attestation.
type PCAGoLib ¶
// PCAGoLib implements PCA by talking to the real servers used in production, sending the HTTP requests with Go's built-in packages.
type PCAGoLib struct{}
PCAGoLib implements the PCA functionality by talking to the real servers used in production. The underlying implementation sends the HTTP request using Go's built-in packages.
type PCAType ¶
// PCAType is an alias of ACAType, kept from legacy cryptohome's terminology.
type PCAType ACAType
PCAType is basically an alias of ACAType from legacy cryptohome's terminology.
type RealVA ¶
// RealVA implements VA by talking to the real VA servers used in production.
type RealVA struct{}
RealVA implements the VA functionality by talking to the real VA servers used in production.
func (*RealVA) GetDecodedVAChallenge ¶
GetDecodedVAChallenge gets the VA challenge from the default VA server and decodes it. In case of any error, it retries a small number of times.
type TPMClearer ¶
// TPMClearer is an interface for clearing the TPM.
type TPMClearer interface {
	// PreClearTPM should be called before stopping the high-level TPM daemons.
	PreClearTPM(ctx context.Context) error
	// ClearTPM should be called before cleaning the data on the device.
	ClearTPM(ctx context.Context) error
	// PostClearTPM should be called after cleaning the data on the device.
	PostClearTPM(ctx context.Context) error
}
TPMClearer is an interface for clearing the TPM.
type TPMManagerClient ¶
// TPMManagerClient wraps the functions of tpmManagerBinary and parses their outputs into structured data.
type TPMManagerClient struct {
	// contains filtered or unexported fields
}
TPMManagerClient wraps the functions of tpmManagerBinary and parses the outputs into structured data.
func NewTPMManagerClient ¶
func NewTPMManagerClient(r CmdRunner) *TPMManagerClient
NewTPMManagerClient creates a new TPMManagerClient.
func (*TPMManagerClient) ClearOwnerPassword ¶
func (u *TPMManagerClient) ClearOwnerPassword(ctx context.Context) (string, error)
ClearOwnerPassword clears the TPM owner password on a best-effort basis.
func (*TPMManagerClient) DefineSpace ¶
func (u *TPMManagerClient) DefineSpace(ctx context.Context, size int, bindToPCR0 bool, index string, attributes []string, password string) (string, error)
DefineSpace defines (creates) an NVRAM space at index, of size size, with attributes attributes and password password, and the NVRAM space will be bound to PCR0 if bindToPCR0 is true. If password is "", it'll not be passed to the command. attributes should be a slice that contains only the const NVRAMAttribute*. Will return nil for error iff the operation completes successfully. The string returned, msg, is the message from the command line, if any.
func (*TPMManagerClient) DestroySpace ¶
DestroySpace destroys (removes) an NVRAM space at index. Will return nil for error iff the operation completes successfully. The string returned, msg, is the message from the command line, if any.
func (*TPMManagerClient) GetDAInfo ¶
func (u *TPMManagerClient) GetDAInfo(ctx context.Context) (info *DAInfo, returnedError error)
GetDAInfo retrieves the dictionary attack counter, threshold, if lockout is in effect and seconds remaining. The returned err is nil iff the operation is successful.
func (*TPMManagerClient) GetNonsensitiveStatus ¶
func (u *TPMManagerClient) GetNonsensitiveStatus(ctx context.Context) (info *NonsensitiveStatusInfo, returnedError error)
GetNonsensitiveStatus retrieves the NonsensitiveStatusInfo.
func (*TPMManagerClient) GetNonsensitiveStatusIgnoreCache ¶
func (u *TPMManagerClient) GetNonsensitiveStatusIgnoreCache(ctx context.Context) (info *NonsensitiveStatusInfo, returnedError error)
GetNonsensitiveStatusIgnoreCache retrieves the NonsensitiveStatusInfo, ignoring the cache.
func (*TPMManagerClient) GetOwnerPassword ¶
func (u *TPMManagerClient) GetOwnerPassword(ctx context.Context) (string, error)
GetOwnerPassword returns the owner password.
func (*TPMManagerClient) ReadSpaceToFile ¶
func (u *TPMManagerClient) ReadSpaceToFile(ctx context.Context, index, outputFile, password string) (string, error)
ReadSpaceToFile reads the content of NVRAM space at index into the file outputFile, with password (if not empty).
func (*TPMManagerClient) ResetDALock ¶
func (u *TPMManagerClient) ResetDALock(ctx context.Context) (string, error)
ResetDALock resets the dictionary attack lockout.
func (*TPMManagerClient) Status ¶
func (u *TPMManagerClient) Status(ctx context.Context) (string, error)
Status returns the status string.
func (*TPMManagerClient) TakeOwnership ¶
func (u *TPMManagerClient) TakeOwnership(ctx context.Context) (string, error)
TakeOwnership takes the TPM ownership.
func (*TPMManagerClient) WriteSpaceFromFile ¶
func (u *TPMManagerClient) WriteSpaceFromFile(ctx context.Context, index, inputFile, password string) (string, error)
WriteSpaceFromFile writes the content of file inputFile into the NVRAM space at index, with password password (if not empty).
type VA ¶
// VA declares a pair of functions that get and verify the VA challenge.
type VA interface {
	// GetDecodedVAChallenge returns a new, decoded VA challenge.
	GetDecodedVAChallenge(ctx context.Context) ([]byte, error)
	// VerifyEncodedVAChallenge verifies the signed VA challenge response.
	VerifyEncodedVAChallenge(ctx context.Context, signedChallenge string) error
}
VA declares a pair of functions that get and verify the VA challenge.
type VAType ¶
// VAType indicates the type of VA server; the possible values are default and test, see the const definition below.
type VAType int
VAType indicates the type of VA server; the possible values are default and test, see the const definition below.
type VaultConfig ¶
// VaultConfig specifies the extra options for mounting or creating a vault.
type VaultConfig struct {
	// Ephemeral is set to true if the vault is ephemeral, that is, the vault is erased after the user logs out.
	Ephemeral bool
	// Ecryptfs is set to true if the vault should be backed by eCryptfs.
	Ecryptfs bool
}
VaultConfig specifies the extra options for mounting or creating a vault.
func NewVaultConfig ¶
func NewVaultConfig() *VaultConfig
NewVaultConfig creates a default vault config.
Source Files ¶
- attestation_client.go
- attestation_common.go
- attestation_dbus.go
- cmd_runner.go
- const.go
- cryptohome_binary.go
- cryptohome_client.go
- cryptohome_mount_info.go
- cryptohome_path_binary.go
- daemon_control.go
- doc.go
- file_wiper.go
- helpers.go
- home_files_helpers.go
- tpm_clearer.go
- tpm_manager_binary.go
- tpm_manager_client.go