tpmutil

package

v1.7.5 Latest Latest Go to latest Published: Nov 7, 2023 License: Apache-2.0 Imports: 15 Imported by: 2

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/spiffe/spire

Links

Open Source Insights

Documentation ¶

Rendered for

Index ¶

Constants
Variables
func AutoDetectTPMPath(baseTPMDir string) (string, error)
func SRKTemplateHighECC() tpm2.Public
func SRKTemplateHighRSA() tpm2.Public
type Session
- func NewSession(scfg *SessionConfig) (*Session, error)
type SessionConfig
type SigningKey
type TPMPasswords

Constants ¶

View Source

const EKCertificateHandleRSA = tpmutil.Handle(0x01c00002)

ekRSACertificateHandle is the default handle for RSA endorsement key according to the TCG TPM v2.0 Provisioning Guidance, section 7.8 https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/

Variables ¶

View Source

var OpenTPM = openTPM

Functions ¶

func AutoDetectTPMPath ¶

func AutoDetectTPMPath(baseTPMDir string) (string, error)

func SRKTemplateHighECC ¶

func SRKTemplateHighECC() tpm2.Public

SRKTemplateHighECC returns the default high range SRK template (called H-2 in the specification). https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdf#page=42

func SRKTemplateHighRSA ¶

func SRKTemplateHighRSA() tpm2.Public

SRKTemplateHighRSA returns the default high range SRK template (called H-1 in the specification). https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdf#page=41

Types ¶

type Session ¶

type Session struct {
	// contains filtered or unexported fields
}

Session represents a TPM with loaded DevID credentials and exposes methods to perfom cryptographyc operations relevant to the SPIRE node attestation workflow.

func NewSession ¶

func NewSession(scfg *SessionConfig) (*Session, error)

NewSession opens a connection to a TPM and configures it to be used for node attestation.

func (*Session) CertifyDevIDKey ¶

func (c *Session) CertifyDevIDKey() ([]byte, []byte, error)

CertifyDevIDKey proves that the DevID Key is in the same TPM than Attestation Key.

func (*Session) Close ¶

func (c *Session) Close()

Close unloads TPM loaded objects and closes the connection to the TPM.

func (*Session) GetAKPublic ¶

func (c *Session) GetAKPublic() []byte

GetAKPublic returns the public part of the attestation key encoded in TPM wire format.

func (*Session) GetEKCert ¶

func (c *Session) GetEKCert() ([]byte, error)

GetEKCert returns TPM endorsement certificate.

func (*Session) GetEKPublic ¶

func (c *Session) GetEKPublic() ([]byte, error)

GetEKPublic returns the public part of the Endorsement Key encoded in TPM wire format.

func (*Session) SolveCredActivationChallenge ¶

func (c *Session) SolveCredActivationChallenge(credentialBlob, secret []byte) ([]byte, error)

SolveCredActivationChallenge runs credential activation on the TPM. It proves that the attestation key resides on the same TPM as the endorsement key.

func (*Session) SolveDevIDChallenge ¶

func (c *Session) SolveDevIDChallenge(nonce []byte) ([]byte, error)

SolveDevIDChallenge requests the TPM to sign the provided nonce using the loaded DevID credentials.

type SessionConfig ¶

type SessionConfig struct {
	// in future iterations of tpm libraries, TPM will accept a
	// list of device paths (https://github.com/google/go-tpm/pull/256)
	DevicePath string
	DevIDPriv  []byte
	DevIDPub   []byte
	Passwords  TPMPasswords
	Log        hclog.Logger
}

type SigningKey ¶

type SigningKey struct {
	Handle tpmutil.Handle
	// contains filtered or unexported fields
}

SigningKey represents a TPM loaded key

func (*SigningKey) Certify ¶

func (k *SigningKey) Certify(object tpmutil.Handle, objectPassword string) ([]byte, []byte, error)

Certify calls tpm2.Certify using the current key as signer and the provided handle as object.

func (*SigningKey) Close ¶

func (k *SigningKey) Close() error

Close removes the key from the TPM

func (*SigningKey) Sign ¶

func (k *SigningKey) Sign(data []byte) ([]byte, error)

Sign requests the TPM to sign the given data using this key

type TPMPasswords ¶

type TPMPasswords struct {
	EndorsementHierarchy string
	OwnerHierarchy       string
	DevIDKey             string
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL