Restore changes accidentally reverted during reconciliation (#256)

2024-12-18 20:47:57 +00:00 · 2021-12-08 16:43:38 -08:00 · 2021-12-08 16:43:38 -08:00 · 2f8dbfc94e
commit 2f8dbfc94e
parent f1f1b84491
13 changed files with 120 additions and 16 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -0,0 +1,66 @@
+on: [push, pull_request]
+name: Test
+jobs:
+  test-linux:
+    strategy:
+      matrix:
+        go-version: [1.16.x, 1.17.x]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ matrix.go-version }}
+    - name: Checkout code
+      uses: actions/checkout@v2
+    - name: Test
+      run: go test ./...
+  test-linux-tpm12:
+    strategy:
+      matrix:
+        go-version: [1.16.x, 1.17.x]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ matrix.go-version }}
+    - name: Checkout code
+      uses: actions/checkout@v2
+    - name: Install libtspi
+      run: sudo apt-get install -y libtspi-dev
+    - name: Test
+      run: go test -tags tspi ./...
+  test-macos:
+    strategy:
+      matrix:
+        go-version: [1.16.x, 1.17.x]
+    runs-on: macos-latest
+    steps:
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ matrix.go-version }}
+    - name: Checkout code
+      uses: actions/checkout@v2
+      # See https://github.com/google/go-tpm-tools#macos-dev
+    - name: Install openssl
+      run: brew install openssl@1.1
+    - name: Link openssl
+      run: sudo ln -s $(brew --prefix openssl@1.1)/include/openssl /usr/local/include
+    - name: Test
+      run: C_INCLUDE_PATH="$(brew --prefix openssl@1.1)/include" LIBRARY_PATH="$(brew --prefix openssl@1.1)/lib" go test ./...
+  test-windows:
+    strategy:
+      matrix:
+        go-version: [1.16.x, 1.17.x]
+    runs-on: windows-latest
+    steps:
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ matrix.go-version }}
+    - name: Checkout code
+      uses: actions/checkout@v2
+    - name: Test
+      run: go build ./...
--- a/README.md
+++ b/README.md
@ -20,11 +20,19 @@ API changes at any time.

 Please note that this is not an official Google product.

+TPM 1.2 support is best effort, meaning we will accept fixes for TPM 1.2, but
+testing is not covered by CI.
+
 ## Installation

 The go-attestation package is installable using go get: `go get github.com/google/go-attestation/attest`

-Linux users must install `libtspi` and its headers. This can be installed on debian-based systems using: `sudo apt-get install libtspi-dev`.
+### TPM1.2
+By default, go-attestation does not build in TPM1.2 support on Linux.
+Linux users must install [`libtspi`](http://trousers.sourceforge.net/) and its headers if they need TPM 1.2 support. This can be installed on debian-based systems using: `sudo apt-get install libtspi-dev`.
+Then, build go-attestation with the `tspi` [build tag](https://pkg.go.dev/go/build#hdr-Build_Constraints) `go build --tags=tspi`.
+
+Windows users can use go-attestation with TPM1.2 by default.

 ## Example: device identity

--- a/attest/activation.go
+++ b/attest/activation.go
@ -36,11 +36,11 @@ type ActivationParameters struct {
 	// TPMVersion holds the version of the TPM, either 1.2 or 2.0.
 	TPMVersion TPMVersion

-	// EK, the endorsement key, describes an asymmetric key who's
-	// private key is permenantly bound to the TPM.
+	// EK, the endorsement key, describes an asymmetric key whose
+	// private key is permanently bound to the TPM.
 	//
 	// Activation will verify that the provided EK is held on the same
-	// TPM as the AK. However, it is the callers responsibility to
+	// TPM as the AK. However, it is the caller's responsibility to
 	// ensure the EK they provide corresponds to the the device which
 	// they are trying to associate the AK with.
 	EK crypto.PublicKey
--- a/attest/application_key_test.go
+++ b/attest/application_key_test.go
@ -12,7 +12,9 @@
 // License for the specific language governing permissions and limitations under
 // the License.

+//go:build (!localtest || !tpm12) && linux && cgo
 // +build !localtest !tpm12
+// +build linux
 // +build cgo

 // NOTE: simulator requires cgo, hence the build tag.
--- a/attest/attest-tool/attest-tool.go
+++ b/attest/attest-tool/attest-tool.go
@ -15,9 +15,9 @@ import (
 	"io/ioutil"
 	"os"

-	"github.com/google/go-attestation/attest"
-	"github.com/google/go-attestation/attest/attest_tool/internal"
 	"github.com/google/certificate-transparency-go/x509"
+	"github.com/google/go-attestation/attest"
+	"github.com/google/go-attestation/attest/attest-tool/internal"
 )

 var (
@ -83,7 +83,7 @@ func selftestCredentialActivation(tpm *attest.TPM, ak *attest.AK) error {

 func selftestAttest(tpm *attest.TPM, ak *attest.AK) error {
 	// This nonce is used in generating the quote. As this is a selftest,
-	// its set to an arbitrary value.
+	// it's set to an arbitrary value.
 	nonce := []byte{1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8}

 	pub, err := attest.ParseAKPublic(tpm.Version(), ak.AttestationParameters().Public)
--- a/attest/attest-tool/internal/eventlog/secureboot_test.go
+++ b/attest/attest-tool/internal/eventlog/secureboot_test.go
@ -20,7 +20,7 @@ import (
 	"testing"

 	"github.com/google/go-attestation/attest"
-	"github.com/google/go-attestation/attest/attest_tool/internal"
+	"github.com/google/go-attestation/attest/attest-tool/internal"
 )

 func parseEvents(t *testing.T, testdata string) []attest.Event {
--- a/attest/attest_simulated_tpm20_test.go
+++ b/attest/attest_simulated_tpm20_test.go
@ -12,7 +12,9 @@
 // License for the specific language governing permissions and limitations under
 // the License.

+//go:build (!localtest || !tpm12) && linux && cgo
 // +build !localtest !tpm12
+// +build linux
 // +build cgo

 // NOTE: simulator requires cgo, hence the build tag.
--- a/attest/certification_test.go
+++ b/attest/certification_test.go
@ -12,6 +12,11 @@
 // License for the specific language governing permissions and limitations under
 // the License.

+//go:build (!localtest || !tpm12) && linux && cgo
+// +build !localtest !tpm12
+// +build linux
+// +build cgo
+
 package attest

 import (
--- a/attest/eventlog.go
+++ b/attest/eventlog.go
@ -115,10 +115,10 @@ func (e EventType) String() string {
 }

 // Event is a single event from a TCG event log. This reports descrete items such
-// as BIOs measurements or EFI states.
+// as BIOS measurements or EFI states.
 //
 // There are many pitfalls for using event log events correctly to determine the
-// state of a machine[1]. In general it's must safer to only rely on the raw PCR
+// state of a machine[1]. In general it's much safer to only rely on the raw PCR
 // values and use the event log for debugging.
 //
 // [1] https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md
@ -222,7 +222,7 @@ func (e *EventLog) Events(hash HashAlg) []Event {
 // Verify replays the event log against a TPM's PCR values, returning the
 // events which could be matched to a provided PCR value.
 //
-// PCRs provide no security guarentees unless they're attested to have been
+// PCRs provide no security guarantees unless they're attested to have been
 // generated by a TPM. Verify does not perform these checks.
 //
 // An error is returned if the replayed digest for events with a given PCR
@ -407,7 +407,7 @@ func extend(pcr PCR, replay []byte, e rawEvent, locality byte) (pcrDigest []byte
 // replayPCR replays the event log for a specific PCR, using pcr and
 // event digests with the algorithm in pcr. An error is returned if the
 // replayed values do not match the final PCR digest, or any event tagged
-// with that PCR does not posess an event digest with the specified algorithm.
+// with that PCR does not possess an event digest with the specified algorithm.
 func replayPCR(rawEvents []rawEvent, pcr PCR) ([]Event, bool) {
 	var (
 		replay    []byte
@ -531,7 +531,7 @@ func ParseEventLog(measurementLog []byte) (*EventLog, error) {
 		// Switch to parsing crypto agile events. Don't include this in the
 		// replayed events since it intentionally doesn't extend the PCRs.
 		//
-		// Note that this doesn't actually guarentee that events have SHA256
+		// Note that this doesn't actually guarantee that events have SHA256
 		// digests.
 		parseFn = parseRawEvent2
 		el.specIDEvent = specID
--- a/attest/key_linux.go
+++ b/attest/key_linux.go
@ -12,7 +12,7 @@
 // License for the specific language governing permissions and limitations under
 // the License.

-// +build linux,!gofuzz,cgo
+// +build linux,!gofuzz,cgo,tspi

 package attest

--- a/attest/tpm.go
+++ b/attest/tpm.go
@ -256,7 +256,7 @@ func readAllPCRs20(tpm io.ReadWriter, alg tpm2.Algorithm) (map[uint32][]byte, er
 	out := map[uint32][]byte{}

 	// The TPM 2.0 spec says that the TPM can partially fulfill the
-	// request. As such, we repeat the command up to 8 times to get all
+	// request. As such, we repeat the command up to 24 times to get all
 	// 24 PCRs.
 	for i := 0; i < numPCRs; i++ {
 		// Build a selection structure, specifying all PCRs we do
--- a/attest/tpm12_linux.go
+++ b/attest/tpm12_linux.go
@ -12,7 +12,7 @@
 // License for the specific language governing permissions and limitations under
 // the License.

-// +build linux,!gofuzz,cgo
+// +build linux,!gofuzz,cgo,tspi

 package attest

--- a/ci/run.sh
+++ b/ci/run.sh
@ -0,0 +1,21 @@
+#!/bin/bash -e
+
+1>&2 echo "-----
+WARNING: The TPM 1.2 simulator no longer builds with newer versions of openssl.
+These scripts are kept for posterity, but likely won't build on new OS
+versions.
+----"
+
+export PROJECT_ROOT="$( pwd )"
+TMPDIR="$( mktemp -d )"
+SIM_DIR="${TMPDIR}/tpm12_sim"
+
+TEST_ROOT="${TMPDIR}/tests_base"
+
+mkdir -pv "${SIM_DIR}"
+./ci/setup_tpm12_simulator.sh "${SIM_DIR}"
+./ci/setup_tests_fs.sh "${TEST_ROOT}"
+
+go test -v ./... -- --testTPM12
+
+./ci/shutdown_tpm12_simulator.sh "${SIM_DIR}"