Have Quote return TPM_QUOTE_INFO (#17)

2025-05-31 22:40:49 +00:00 · 2019-04-24 13:18:36 -07:00 · 2019-04-24 13:18:36 -07:00 · 0d33e753a1
commit 0d33e753a1
parent 3829815b47
2 changed files with 38 additions and 10 deletions
--- a/attest/tpm_linux.go
+++ b/attest/tpm_linux.go
@ -341,21 +341,14 @@ func (k *Key) ActivateCredential(t *TPM, in EncryptedCredential) ([]byte, error)
 }

 func (k *Key) quote12(ctx *tspi.Context, nonce []byte) (*Quote, error) {
-	quoteInfo, rawSig, err := attestation.GetQuote(ctx, k.KeyBlob, nonce)
+	quote, rawSig, err := attestation.GetQuote(ctx, k.KeyBlob, nonce)
 	if err != nil {
 		return nil, fmt.Errorf("GetQuote() failed: %v", err)
 	}
-	// go-tspi returns TPM_QUOTE_INFO. We only want the digest of the PCRs
-	var version [4]byte
-	var quot [4]byte
-	var digest [20]byte
-	if _, err := tpmutil.Unpack(quoteInfo, &version, &quot, &digest); err != nil {
-		return nil, fmt.Errorf("unable to parse PCR digest from TPM_QUOTE_INFO: %v", err)
-	}

 	return &Quote{
 		Version:   TPMVersion12,
-		Quote:     digest[:],
+		Quote:     quote,
 		Signature: rawSig,
 	}, nil
 }
--- a/attest/tpm_windows.go
+++ b/attest/tpm_windows.go
@ -266,6 +266,35 @@ func (k *Key) ActivateCredential(tpm *TPM, in EncryptedCredential) ([]byte, erro
 	}
 }

+func constructQuote(data, nonce []byte) ([]byte, error) {
+	composite := struct {
+		Mask tpmutil.U16Bytes
+		Data tpmutil.U32Bytes
+	}{
+		Mask: []byte{0xff, 0xff, 0xff},
+		Data: data,
+	}
+	compositeBytes, err := tpmutil.Pack(composite)
+	if err != nil {
+		return nil, fmt.Errorf("failed to pack TPM_PCR_COMPOSITE: %v", err)
+	}
+
+	version := [4]byte{0x01, 0x01, 0x00, 0x00}
+	QUOT := [4]byte{'Q', 'U', 'O', 'T'}
+	info := struct {
+		Version [4]byte
+		QUOT    [4]byte
+		Digest  [20]byte
+		Nonce   [20]byte
+	}{
+		version,
+		QUOT,
+		sha1.Sum(compositeBytes),
+		sha1.Sum(nonce),
+	}
+	return tpmutil.Pack(info)
+}
+
 func (k *Key) quote12(tpm io.ReadWriter, nonce []byte) (*Quote, error) {
 	selectedPCRs := make([]int, 24)
 	for pcr, _ := range selectedPCRs {
@ -276,7 +305,13 @@ func (k *Key) quote12(tpm io.ReadWriter, nonce []byte) (*Quote, error) {
 	if err != nil {
 		return nil, fmt.Errorf("Quote() failed: %v", err)
 	}
-	quote := sha1.Sum(pcrc)
+	// Construct and return TPM_QUOTE_INFO
+	// Returning TPM_QUOTE_INFO allows us to verify the Quote at a higher resolution
+	// and matches what go-tspi returns.
+	quote, err := constructQuote(pcrc, nonce)
+	if err != nil {
+		return nil, fmt.Errorf("failed to construct Quote Info: %v", err)
+	}
 	return &Quote{
 		Quote:     quote,
 		Signature: sig,