tpmutil

package
v1.8.10 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 5, 2024 License: Apache-2.0 Imports: 15 Imported by: 2

Documentation

Index

Constants

View Source
const EKCertificateHandleRSA = tpmutil.Handle(0x01c00002)

ekRSACertificateHandle is the default handle for RSA endorsement key according to the TCG TPM v2.0 Provisioning Guidance, section 7.8 https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/

Variables

View Source
var OpenTPM = openTPM

Functions

func AutoDetectTPMPath

func AutoDetectTPMPath(baseTPMDir string) (string, error)

func SRKTemplateHighECC

func SRKTemplateHighECC() tpm2.Public

SRKTemplateHighECC returns the default high range SRK template (called H-2 in the specification). https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdf#page=42

func SRKTemplateHighRSA

func SRKTemplateHighRSA() tpm2.Public

SRKTemplateHighRSA returns the default high range SRK template (called H-1 in the specification). https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdf#page=41

Types

type Session

type Session struct {
	// contains filtered or unexported fields
}

Session represents a TPM with loaded DevID credentials and exposes methods to perform cryptographic operations relevant to the SPIRE node attestation workflow.

func NewSession

func NewSession(scfg *SessionConfig) (*Session, error)

NewSession opens a connection to a TPM and configures it to be used for node attestation.

func (*Session) CertifyDevIDKey

func (c *Session) CertifyDevIDKey() ([]byte, []byte, error)

CertifyDevIDKey proves that the DevID Key is in the same TPM than Attestation Key.

func (*Session) Close

func (c *Session) Close()

Close unloads TPM loaded objects and closes the connection to the TPM.

func (*Session) GetAKPublic

func (c *Session) GetAKPublic() []byte

GetAKPublic returns the public part of the attestation key encoded in TPM wire format.

func (*Session) GetEKCert

func (c *Session) GetEKCert() ([]byte, error)

GetEKCert returns TPM endorsement certificate.

func (*Session) GetEKPublic

func (c *Session) GetEKPublic() ([]byte, error)

GetEKPublic returns the public part of the Endorsement Key encoded in TPM wire format.

func (*Session) SolveCredActivationChallenge

func (c *Session) SolveCredActivationChallenge(credentialBlob, secret []byte) ([]byte, error)

SolveCredActivationChallenge runs credential activation on the TPM. It proves that the attestation key resides on the same TPM as the endorsement key.

func (*Session) SolveDevIDChallenge

func (c *Session) SolveDevIDChallenge(nonce []byte) ([]byte, error)

SolveDevIDChallenge requests the TPM to sign the provided nonce using the loaded DevID credentials.

type SessionConfig

type SessionConfig struct {
	// in future iterations of tpm libraries, TPM will accept a
	// list of device paths (https://github.com/google/go-tpm/pull/256)
	DevicePath string
	DevIDPriv  []byte
	DevIDPub   []byte
	Passwords  TPMPasswords
	Log        hclog.Logger
}

type SigningKey

type SigningKey struct {
	Handle tpmutil.Handle
	// contains filtered or unexported fields
}

SigningKey represents a TPM loaded key

func (*SigningKey) Certify

func (k *SigningKey) Certify(object tpmutil.Handle, objectPassword string) ([]byte, []byte, error)

Certify calls tpm2.Certify using the current key as signer and the provided handle as object.

func (*SigningKey) Close

func (k *SigningKey) Close() error

Close removes the key from the TPM

func (*SigningKey) Sign

func (k *SigningKey) Sign(data []byte) ([]byte, error)

Sign requests the TPM to sign the given data using this key

type TPMPasswords

type TPMPasswords struct {
	EndorsementHierarchy string
	OwnerHierarchy       string
	DevIDKey             string
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL