Documentation ¶
Overview ¶
Taken and pruned from go-attestation under Apache 2.0
Index ¶
Constants ¶
This section is empty.
Variables ¶
Valid hash algorithms.
Functions ¶
This section is empty.
Types ¶
type Event ¶
type Event struct {
    // PCR index of the event.
    Index int
    // Type of the event.
    Type EventType
    // Data of the event. For certain kinds of events, this must match the event
    // digest to be valid.
    Data []byte
    // Digest is the verified digest of the event data. While an event can have
    // multiple for different hash values, this is the one that was matched to the
    // PCR value.
    Digest []byte
    // contains filtered or unexported fields
}
Event is a single event from a TCG event log. It reports discrete items such as BIOS measurements or EFI states.
type EventLog ¶
type EventLog struct {
    // Algs holds the set of algorithms that the event log uses.
    Algs []HashAlg
    // contains filtered or unexported fields
}
EventLog is a parsed measurement log. This contains unverified data representing boot events that must be replayed against PCR values to determine authenticity.
func ParseEventLog ¶
ParseEventLog parses an unverified measurement log.
type PCR ¶
PCR encapsulates the value of a PCR at a point in time.
func ConvertRawPCRs ¶
ConvertRawPCRs converts raw PCR values into the eventlog PCR structures.
type ReplayError ¶
type ReplayError struct {
    Events []Event
    // contains filtered or unexported fields
}
ReplayError describes the parsed events that failed to verify against a particular PCR.
func (ReplayError) Error ¶
func (e ReplayError) Error() string
Error returns a human-friendly description of replay failures.
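Replaying a log against PCR values, as the EventLog and ReplayError descriptions refer to it, is the TPM extend rule (new = H(old || digest)) applied to each event in order, followed by a comparison with the values the TPM actually quotes. The following is an added example, not code from this package or from go-attestation: it uses only the standard library, its replayEvent type and verifyReplay function are stand-ins for the package's own Event and verification API (whose signatures this page does not show), the SHA-256 bank is assumed, and the three-event log is constructed. It shows a genuine log replaying to the quoted values and a log edited after the fact being flagged on PCR 7, which is the situation a ReplayError describes.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"sort"
)

// replayEvent is a stand-in for this package's Event (hypothetical, not the
// package's type): the PCR the event was extended into and the SHA-256 digest
// recorded for it.
type replayEvent struct {
	Index  int
	Digest []byte
}

// extendPCR applies the TPM extend rule: new = H(old || digest).
func extendPCR(old, digest []byte) []byte {
	h := sha256.New()
	h.Write(old)
	h.Write(digest)
	return h.Sum(nil)
}

// replay folds every event into a per-PCR running value, starting from the
// all-zero reset value that PCRs 0-16 hold in the SHA-256 bank.
func replay(events []replayEvent) map[int][]byte {
	out := map[int][]byte{}
	for _, ev := range events {
		cur, ok := out[ev.Index]
		if !ok {
			cur = make([]byte, sha256.Size)
		}
		out[ev.Index] = extendPCR(cur, ev.Digest)
	}
	return out
}

// verifyReplay compares the replayed values with the quoted PCR values and
// returns the indexes whose replay does not match; events attributed to those
// PCRs cannot be trusted. A quoted PCR with no events must still equal its
// reset value.
func verifyReplay(events []replayEvent, quoted map[int][]byte) []int {
	replayed := replay(events)
	var bad []int
	for idx, want := range quoted {
		got, ok := replayed[idx]
		if !ok {
			got = make([]byte, sha256.Size)
		}
		if !bytes.Equal(got, want) {
			bad = append(bad, idx)
		}
	}
	sort.Ints(bad)
	return bad
}

func sha256Of(s string) []byte {
	sum := sha256.Sum256([]byte(s))
	return sum[:]
}

// sampleLog returns a constructed three-event log and the PCR values a TPM
// quote would report for it. Here the "quote" is computed by replaying the
// genuine log; in practice it comes from the TPM and is what the log is
// checked against.
func sampleLog() ([]replayEvent, map[int][]byte) {
	events := []replayEvent{
		{Index: 0, Digest: sha256Of("firmware volume")},
		{Index: 0, Digest: sha256Of("option ROM")},
		{Index: 7, Digest: sha256Of("SecureBoot=1")},
	}
	return events, replay(events)
}

// tamper returns a copy of the log in which the PCR 7 event has been
// rewritten, as an attacker who can edit the unverified log file but not the
// TPM would do.
func tamper(events []replayEvent) []replayEvent {
	out := append([]replayEvent(nil), events...)
	for i := range out {
		if out[i].Index == 7 {
			out[i].Digest = sha256Of("SecureBoot=0")
		}
	}
	return out
}

func main() {
	events, quoted := sampleLog()
	fmt.Println("genuine log, mismatching PCRs:", verifyReplay(events, quoted))
	fmt.Println("tampered log, mismatching PCRs:", verifyReplay(tamper(events), quoted))
}
```

The mismatch is detected on PCR 7 only; PCR 0 still replays correctly, which is why a verifier reports failures per PCR rather than rejecting the whole log outright.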
type SecurebootState ¶
type SecurebootState struct {
    Enabled bool
    // PlatformKeys enumerates keys which can sign a key exchange key.
    PlatformKeys []x509.Certificate
    // PlatformKeyHashes enumerates key hashes which can sign a key exchange key.
    PlatformKeyHashes [][]byte
    // ExchangeKeys enumerates keys which can sign a database of permitted or
    // forbidden keys.
    ExchangeKeys []x509.Certificate
    // ExchangeKeyHashes enumerates key hashes which can sign a database of
    // permitted or forbidden keys.
    ExchangeKeyHashes [][]byte
    // PermittedKeys enumerates keys which may sign binaries to run.
    PermittedKeys []x509.Certificate
    // PermittedHashes enumerates hashes which permit binaries to run.
    PermittedHashes [][]byte
    // ForbiddenKeys enumerates keys which must not permit a binary to run.
    ForbiddenKeys []x509.Certificate
    // ForbiddenHashes enumerates hashes which must not permit a binary to run.
    ForbiddenHashes [][]byte
    // PreSeparatorAuthority describes the use of a secure-boot key to authorize
    // the execution of a binary before the separator.
    PreSeparatorAuthority []x509.Certificate
    // PostSeparatorAuthority describes the use of a secure-boot key to authorize
    // the execution of a binary after the separator.
    PostSeparatorAuthority []x509.Certificate
}
SecurebootState describes the secure boot status of a machine, as determined by processing its event log.
func ParseSecurebootState ¶
func ParseSecurebootState(events []Event) (*SecurebootState, error)
ParseSecurebootState parses a series of events to determine the configuration of secure boot on a device. An error is returned if the state cannot be determined, or if the event log is structured in such a way that it may have been tampered with after the platform firmware finished executing.
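Determining Enabled from the log combines two checks this page names: the event Data must hash to the event Digest (otherwise the data could have been edited after firmware ran), and the Data must parse as the UEFI_VARIABLE_DATA structure that EV_EFI_VARIABLE_DRIVER_CONFIG events carry. The following is an added example and not this package's or go-attestation's code; parseUEFIVariableData, secureBootEnabled and buildVariableEvent are hypothetical names, the structure layout (16-byte EFI_GUID, two little-endian uint64 lengths, UTF-16LE name, raw data) is the TCG PC Client Platform Firmware Profile's, the SHA-256 bank is assumed, and the SecureBoot event is constructed rather than taken from a real log.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

// efiGlobalVariableGUID is EFI_GLOBAL_VARIABLE (8BE4DF61-93CA-11D2-AA0D-00E098032B8C)
// in the mixed-endian byte order EFI_GUID uses when serialised.
var efiGlobalVariableGUID = [16]byte{
	0x61, 0xdf, 0xe4, 0x8b, 0xca, 0x93, 0xd2, 0x11,
	0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c,
}

// uefiVariable is the parsed form of a UEFI_VARIABLE_DATA structure.
type uefiVariable struct {
	GUID [16]byte
	Name string
	Data []byte
}

// parseUEFIVariableData decodes UEFI_VARIABLE_DATA, bounds-checking the
// attacker-controlled lengths before they are used to slice the body.
func parseUEFIVariableData(b []byte) (*uefiVariable, error) {
	if len(b) < 32 {
		return nil, errors.New("uefi variable data: header truncated")
	}
	var v uefiVariable
	copy(v.GUID[:], b[:16])
	nameLen := binary.LittleEndian.Uint64(b[16:24]) // UTF-16 code units
	dataLen := binary.LittleEndian.Uint64(b[24:32]) // bytes
	rest := b[32:]
	// Checked in this order so neither nameLen*2 nor the subtraction can wrap.
	if nameLen > uint64(len(rest))/2 || dataLen > uint64(len(rest))-nameLen*2 {
		return nil, errors.New("uefi variable data: lengths exceed event body")
	}
	if uint64(len(rest)) != nameLen*2+dataLen {
		return nil, errors.New("uefi variable data: trailing bytes")
	}
	u := make([]uint16, nameLen)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(rest[2*i:])
	}
	v.Name = string(utf16.Decode(u))
	v.Data = rest[nameLen*2 : nameLen*2+dataLen]
	return &v, nil
}

// secureBootEnabled evaluates one EV_EFI_VARIABLE_DRIVER_CONFIG event: the
// digest must cover the whole UEFI_VARIABLE_DATA structure, the GUID and name
// must identify EFI_GLOBAL_VARIABLE/SecureBoot, and the payload is one byte.
func secureBootEnabled(eventData, eventDigest []byte) (bool, error) {
	sum := sha256.Sum256(eventData)
	if !bytes.Equal(sum[:], eventDigest) {
		return false, errors.New("event data does not match its SHA-256 digest")
	}
	v, err := parseUEFIVariableData(eventData)
	if err != nil {
		return false, err
	}
	if v.GUID != efiGlobalVariableGUID || v.Name != "SecureBoot" {
		return false, fmt.Errorf("not the SecureBoot variable: %q", v.Name)
	}
	if len(v.Data) != 1 {
		return false, fmt.Errorf("SecureBoot variable has %d bytes, want 1", len(v.Data))
	}
	return v.Data[0] == 1, nil
}

// buildVariableEvent encodes a UEFI_VARIABLE_DATA body and its SHA-256 digest
// the way a well-behaved firmware would log it. Used only to construct sample
// input for this example.
func buildVariableEvent(guid [16]byte, name string, data []byte) (body, digest []byte) {
	u := utf16.Encode([]rune(name))
	body = append(body, guid[:]...)
	body = binary.LittleEndian.AppendUint64(body, uint64(len(u)))
	body = binary.LittleEndian.AppendUint64(body, uint64(len(data)))
	for _, c := range u {
		body = binary.LittleEndian.AppendUint16(body, c)
	}
	body = append(body, data...)
	sum := sha256.Sum256(body)
	return body, sum[:]
}

func main() {
	body, digest := buildVariableEvent(efiGlobalVariableGUID, "SecureBoot", []byte{1})
	on, err := secureBootEnabled(body, digest)
	fmt.Println("genuine event: enabled =", on, "err =", err)

	// Flip the logged value to 0 without touching the digest: the mismatch is
	// what lets a verifier reject a log altered after firmware ran.
	forged := append([]byte(nil), body...)
	forged[len(forged)-1] = 0
	_, err = secureBootEnabled(forged, digest)
	fmt.Println("forged event: err =", err)
}
```

The digest comparison must come before parsing: a parser that runs on unverified bytes is exactly the surface a hostile log targets, which is why the length checks above guard against overflow even though the digest check should already have rejected the input.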