Documentation ¶
Index ¶
- Variables
- func AttestPlatform(nonce []byte) ([]byte, []byte, error)
- func FlushTransientHandles() error
- func GenerateSafeKey(size uint16) ([]byte, error)
- func GetAKPublic() ([]byte, error)
- func GetEKPublic() ([]byte, []byte, error)
- func GetMeasurementLog() ([]byte, error)
- func GetPCRs() ([][]byte, error)
- func Initialize(logger logging.Leveled) error
- func IsInitialized() bool
- func MakeAKChallenge(ekPubKey, akPub []byte, nonce []byte) ([]byte, []byte, error)
- func Seal(data []byte, pcrs []int) ([]byte, error)
- func SolveAKChallenge(credBlob, secretChallenge []byte) ([]byte, error)
- func Unseal(data []byte) ([]byte, error)
- func VerifyAttestPlatform(nonce, akPub, quote, signature []byte) (*tpm2.AttestationData, error)
- type TPM
Constants ¶
This section is empty.
Variables ¶
var (
	// SecureBootPCRs are all PCRs that measure the current Secure Boot
	// configuration. This is what we want if we rely on secure boot to verify
	// boot integrity. The firmware hashes the secure boot policy and custom
	// keys into the PCR.
	//
	// This requires an extra step that provisions the custom keys.
	//
	// Some background: https://mjg59.dreamwidth.org/48897.html?thread=1847297
	// (the initramfs issue mentioned in the article has been solved by
	// integrating it into the kernel binary, and we don't have a shim
	// bootloader)
	//
	// PCR7 alone is not sufficient - it needs to be combined with firmware
	// measurements.
	SecureBootPCRs = []int{7}

	// FirmwarePCRs are all PCRs that contain the firmware measurements. See:
	// https://trustedcomputinggroup.org/wp-content/uploads/TCG_EFI_Platform_1_22_Final_-v15.pdf
	FirmwarePCRs = []int{
		0,
		2,
		3,
	}

	// FullSystemPCRs are all PCRs that contain any measurements up to the
	// currently running EFI payload.
	FullSystemPCRs = []int{
		0,
		1,
		2,
		3,
		4,
	}
)
var (
	// ErrNotExists is returned when no TPMs are available in the system
	ErrNotExists = errors.New("no TPMs found")
	// ErrNotInitialized is returned when this package was not initialized
	// successfully
	ErrNotInitialized = errors.New("no TPM was initialized")
)
Functions ¶
func AttestPlatform ¶
func AttestPlatform(nonce []byte) ([]byte, []byte, error)
AttestPlatform performs a PCR quote using the AK and returns the quote and its signature. The caller-supplied nonce is bound into the quote, so a verifier that chose the nonce can tell a fresh quote from a replayed one.
func FlushTransientHandles ¶
func FlushTransientHandles() error
FlushTransientHandles flushes all sessions and non-persistent handles
func GenerateSafeKey ¶
func GenerateSafeKey(size uint16) ([]byte, error)
GenerateSafeKey uses two sources of randomness (kernel and TPM) to generate a key of the requested size, so that a weak or compromised source on its own does not make the key predictable.
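The page says GenerateSafeKey draws on both the kernel and the TPM but not how the two outputs are combined. The following is an added example, not the package's code, of one sound way to do it: an HMAC-SHA256 extract-then-expand (the HKDF pattern, written out with the standard library) in which one source keys the HMAC and the other is its message. MixEntropy, mixInfo and the 32-byte minimum input length are assumptions of this example; the fixed inputs in main stand in for real kernel and TPM random bytes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// mixInfo is the HKDF "info" label; it binds the derived key to this use.
// The label is an assumption of this example.
const mixInfo = "GenerateSafeKey example"

// MixEntropy derives a key of size bytes from two random inputs.
// Extract: PRK = HMAC-SHA256(key=kernel, msg=tpm). Because HMAC is a PRF
// in its key and a collision-resistant hash of its message, PRK is
// unpredictable if either input is, provided the inputs were drawn
// independently. Expand: T(i) = HMAC(PRK, T(i-1) || info || i).
func MixEntropy(kernel, tpm []byte, size uint16) ([]byte, error) {
	if size == 0 {
		return nil, errors.New("key size must be at least 1 byte")
	}
	// HKDF-Expand uses a one-byte counter, so at most 255 blocks.
	if int(size) > 255*sha256.Size {
		return nil, fmt.Errorf("key size %d exceeds %d bytes", size, 255*sha256.Size)
	}
	// Refuse inputs shorter than the hash output: a short source
	// cannot carry the 256 bits of entropy this construction assumes.
	if len(kernel) < sha256.Size || len(tpm) < sha256.Size {
		return nil, errors.New("each entropy input must be at least 32 bytes")
	}

	ext := hmac.New(sha256.New, kernel)
	ext.Write(tpm)
	prk := ext.Sum(nil)

	var out, prev []byte
	for i := byte(1); len(out) < int(size); i++ {
		h := hmac.New(sha256.New, prk)
		h.Write(prev)
		h.Write([]byte(mixInfo))
		h.Write([]byte{i})
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:size], nil
}

func main() {
	// Constructed inputs: the kernel half really comes from crypto/rand,
	// the TPM half is a fixed stand-in since no TPM is involved here.
	kernel := make([]byte, 32)
	if _, err := rand.Read(kernel); err != nil {
		panic(err)
	}
	tpm := []byte("stand-in for 32 bytes of TPM RNG")

	key, err := MixEntropy(kernel, tpm, 32)
	if err != nil {
		panic(err)
	}
	fmt.Printf("derived key: %x\n", key)

	// A caller asking for a zero-length key is a bug, not a request.
	if _, err := MixEntropy(kernel, tpm, 0); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Both inputs must be independent draws; feeding the same bytes as both arguments defeats the purpose of mixing, and the function cannot detect that.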
func GetAKPublic ¶
func GetAKPublic() ([]byte, error)
GetAKPublic gets the encoded public area (TPMT_PUBLIC) of the AK.
func GetEKPublic ¶
func GetEKPublic() ([]byte, []byte, error)
GetEKPublic gets the public key and (if available) the certificate of the EK.
func GetMeasurementLog ¶
func GetMeasurementLog() ([]byte, error)
GetMeasurementLog returns the binary log of all data hashed into PCRs. The result can be parsed by eventlog. As this library currently doesn't support extending PCRs, it just returns the log as supplied by the EFI interface.
func Initialize ¶
func Initialize(logger logging.Leveled) error
Initialize finds and opens the TPM (if any). If there is no TPM available it returns ErrNotExists.
func IsInitialized ¶
func IsInitialized() bool
IsInitialized returns true if Initialize was called and at least one TPM 2.0 was found and initialized. Otherwise it returns false.
func MakeAKChallenge ¶
func MakeAKChallenge(ekPubKey, akPub []byte, nonce []byte) ([]byte, []byte, error)
MakeAKChallenge generates a challenge for TPM residency and attributes of the AK, bound to the EK identified by ekPubKey. The two returned blobs are the inputs SolveAKChallenge expects on the attesting side.
func Seal ¶
func Seal(data []byte, pcrs []int) ([]byte, error)
Seal seals sensitive data and only allows access if the current platform configuration, as measured in the given PCRs, matches the one the data was sealed on.
func SolveAKChallenge ¶
func SolveAKChallenge(credBlob, secretChallenge []byte) ([]byte, error)
SolveAKChallenge solves a challenge for TPM residency of the AK and returns the recovered secret, which the challenger compares against the one it generated.
func Unseal ¶
func Unseal(data []byte) ([]byte, error)
Unseal unseals sensitive data if the current platform configuration and the sealing constraints allow it.
func VerifyAttestPlatform ¶
func VerifyAttestPlatform(nonce, akPub, quote, signature []byte) (*tpm2.AttestationData, error)
VerifyAttestPlatform verifies a given attestation: the signature over the quote is checked against the AK public key akPub and the quote must carry the expected nonce. If it succeeds, you can rely on all data in the returned attestation structure as coming from the TPM to which the AK is bound. It says nothing about the AK itself: that the AK is a real TPM-resident key with the expected attributes has to be established beforehand, via MakeAKChallenge and SolveAKChallenge against a trusted EK.
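VerifyAttestPlatform checks the signature and the nonce, but a verifier still has to decide what the quoted PCR digest means. The usual way is to replay the attester's measurement log (GetMeasurementLog) into PCR values, recompute the composite digest over the quoted selection (here the package's FullSystemPCRs) and compare it with the digest in the quote. The following is an added example of that verifier-side logic, not code from the package: Event, Quote, ReplayLog, PCRComposite and CheckQuote are hypothetical names, Quote is a simplified stand-in for *tpm2.AttestationData that assumes the signature was already verified, and SampleLog is constructed, not captured from firmware.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// numPCRs is the PCR count of a PC-client TPM's SHA-256 bank.
const numPCRs = 24

// FullSystemPCRs mirrors the package's selection: everything measured up to
// the running EFI payload.
var FullSystemPCRs = []int{0, 1, 2, 3, 4}

var (
	ErrStaleQuote  = errors.New("quote nonce does not match the challenge")
	ErrPCRMismatch = errors.New("quoted PCR digest does not match the replayed event log")
)

// Event is one parsed log entry: a SHA-256 digest extended into a PCR. It
// stands in for a parsed TCG event log record; parsing the raw log that
// GetMeasurementLog returns is not part of this example.
type Event struct {
	PCR    int
	Digest [sha256.Size]byte
}

// Quote holds the two fields of the signed attestation structure checked
// here (hypothetical stand-in for *tpm2.AttestationData; the signature is
// assumed to have been verified against the AK already).
type Quote struct {
	ExtraData []byte            // nonce echoed back by the TPM
	PCRDigest [sha256.Size]byte // digest over the selected PCRs
}

// ReplayLog recomputes SHA-256 bank PCR values from a sequence of events.
// Every PCR starts at the all-zero reset value; each event applies the TPM
// extend operation PCR[i] = SHA-256(PCR[i] || digest).
func ReplayLog(events []Event) ([][sha256.Size]byte, error) {
	pcrs := make([][sha256.Size]byte, numPCRs)
	for n, ev := range events {
		if ev.PCR < 0 || ev.PCR >= numPCRs {
			return nil, fmt.Errorf("event %d references PCR %d, outside 0..%d", n, ev.PCR, numPCRs-1)
		}
		var in [2 * sha256.Size]byte
		copy(in[:sha256.Size], pcrs[ev.PCR][:])
		copy(in[sha256.Size:], ev.Digest[:])
		pcrs[ev.PCR] = sha256.Sum256(in[:])
	}
	return pcrs, nil
}

// PCRComposite computes the digest a TPM places in a quote: SHA-256 over the
// selected PCR values concatenated in ascending index order, which is the
// order the TPM walks a single-bank PCR selection.
func PCRComposite(pcrs [][sha256.Size]byte, selection []int) ([sha256.Size]byte, error) {
	var buf bytes.Buffer
	last := -1
	for _, i := range selection {
		if i <= last || i >= len(pcrs) {
			return [sha256.Size]byte{}, fmt.Errorf("selection must be ascending and within 0..%d", len(pcrs)-1)
		}
		buf.Write(pcrs[i][:])
		last = i
	}
	return sha256.Sum256(buf.Bytes()), nil
}

// CheckQuote does the verifier-side content checks: the nonce must be the one
// this verifier issued and the PCR digest must equal the composite over the
// PCRs rebuilt from the attester's log. It returns the replayed PCRs so the
// caller can apply per-PCR policy (e.g. compare PCR7 to a known-good value).
func CheckQuote(q Quote, nonce []byte, log []Event, selection []int) ([][sha256.Size]byte, error) {
	if subtle.ConstantTimeCompare(q.ExtraData, nonce) != 1 {
		return nil, ErrStaleQuote
	}
	pcrs, err := ReplayLog(log)
	if err != nil {
		return nil, err
	}
	want, err := PCRComposite(pcrs, selection)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(want[:], q.PCRDigest[:]) != 1 {
		return nil, ErrPCRMismatch
	}
	return pcrs, nil
}

// SampleLog is constructed for this example, not captured from firmware.
var SampleLog = []Event{
	{PCR: 0, Digest: sha256.Sum256([]byte("firmware volume"))},
	{PCR: 0, Digest: sha256.Sum256([]byte("EV_SEPARATOR"))},
	{PCR: 2, Digest: sha256.Sum256([]byte("option ROM"))},
	{PCR: 4, Digest: sha256.Sum256([]byte("EFI payload"))},
}

func main() {
	nonce := []byte("constructed-nonce-0001")
	// Build the quote a TPM would have signed over this log, so the example
	// runs without hardware.
	pcrs, _ := ReplayLog(SampleLog)
	digest, _ := PCRComposite(pcrs, FullSystemPCRs)
	q := Quote{ExtraData: nonce, PCRDigest: digest}
	_, err := CheckQuote(q, nonce, SampleLog, FullSystemPCRs)
	fmt.Println("genuine quote:", err)
	_, err = CheckQuote(q, []byte("older-nonce"), SampleLog, FullSystemPCRs)
	fmt.Println("replayed quote:", err)
	tampered := append([]Event(nil), SampleLog...)
	tampered[3].Digest = sha256.Sum256([]byte("modified payload"))
	_, err = CheckQuote(q, nonce, tampered, FullSystemPCRs)
	fmt.Println("edited log:", err)
}
```

A matching composite only proves the log is consistent with what the TPM quoted; whether the replayed PCR values are acceptable (a known firmware, the expected Secure Boot policy in PCR7) is a separate policy decision on the returned PCRs.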