Renamed some variables and methods to highlight that only RSA EKs are (#330)

currently supported.

This is the first step towards supporting ECC EKs.

attest/attest_simulated_tpm20_test.go

@@ -250,20 +250,20 @@ func TestSimTPM20Persistence(t *testing.T) {
 	sim, tpm := setupSimulatedTPM(t)
 	defer sim.Close()
 
-	ekHnd, _, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonEkEquivalentHandle)
+	ekHnd, _, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonRSAEkEquivalentHandle)
 	if err != nil {
 		t.Fatalf("getPrimaryKeyHandle() failed: %v", err)
 	}
-	if ekHnd != commonEkEquivalentHandle {
-		t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonEkEquivalentHandle)
+	if ekHnd != commonRSAEkEquivalentHandle {
+		t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonRSAEkEquivalentHandle)
 	}
 
-	ekHnd, p, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonEkEquivalentHandle)
+	ekHnd, p, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonRSAEkEquivalentHandle)
 	if err != nil {
 		t.Fatalf("second getPrimaryKeyHandle() failed: %v", err)
 	}
-	if ekHnd != commonEkEquivalentHandle {
-		t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonEkEquivalentHandle)
+	if ekHnd != commonRSAEkEquivalentHandle {
+		t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonRSAEkEquivalentHandle)
 	}
 	if p {
 		t.Fatalf("generated a new key the second time; that shouldn't happen")

attest/tpm.go

@@ -37,12 +37,12 @@ const (
 	tpmPtFwVersion1   = 0x00000100 + 11 // PT_FIXED + offset of 11
 
 	// Defined in "Registry of reserved TPM 2.0 handles and localities".
-	nvramCertIndex    = 0x1c00002
-	nvramEkNonceIndex = 0x1c00003
+	nvramRSACertIndex    = 0x1c00002
+	nvramRSAEkNonceIndex = 0x1c00003
 
 	// Defined in "Registry of reserved TPM 2.0 handles and localities", and checked on a glinux machine.
-	commonSrkEquivalentHandle = 0x81000001
-	commonEkEquivalentHandle  = 0x81010001
+	commonSrkEquivalentHandle   = 0x81000001
+	commonRSAEkEquivalentHandle = 0x81010001
 )
 
 var (
@@ -72,9 +72,9 @@ var (
 			KeyBits:    2048,
 		},
 	}
-	// Default EK template defined in:
+	// Default RSA EK template defined in:
 	// https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
-	defaultEKTemplate = tpm2.Public{
+	defaultRSAEKTemplate = tpm2.Public{
 		Type:    tpm2.AlgRSA,
 		NameAlg: tpm2.AlgSHA256,
 		Attributes: tpm2.FlagFixedTPM | tpm2.FlagFixedParent | tpm2.FlagSensitiveDataOrigin |
@@ -223,7 +223,7 @@ func intelEKURL(ekPub *rsa.PublicKey) string {
 	return intelEKCertServiceURL + url.QueryEscape(base64.URLEncoding.EncodeToString(pubHash.Sum(nil)))
 }
 
-func readEKCertFromNVRAM20(tpm io.ReadWriter) (*x509.Certificate, error) {
+func readEKCertFromNVRAM20(tpm io.ReadWriter, nvramCertIndex tpmutil.Handle) (*x509.Certificate, error) {
 	// By passing nvramCertIndex as our auth handle we're using the NV index
 	// itself as the auth hierarchy, which is the same approach
 	// tpm2_getekcertificate takes.

attest/wrapped_tpm20.go

@@ -32,26 +32,26 @@ import (
 
 // wrappedTPM20 interfaces with a TPM 2.0 command channel.
 type wrappedTPM20 struct {
-	interf        TPMInterface
-	rwc           CommandChannelTPM20
-	tpmEkTemplate *tpm2.Public
+	interf           TPMInterface
+	rwc              CommandChannelTPM20
+	tpmRSAEkTemplate *tpm2.Public
 }
 
-func (t *wrappedTPM20) ekTemplate() tpm2.Public {
-	if t.tpmEkTemplate != nil {
-		return *t.tpmEkTemplate
+func (t *wrappedTPM20) rsaEkTemplate() tpm2.Public {
+	if t.tpmRSAEkTemplate != nil {
+		return *t.tpmRSAEkTemplate
 	}
 
-	nonce, err := tpm2.NVReadEx(t.rwc, nvramEkNonceIndex, tpm2.HandleOwner, "", 0)
+	nonce, err := tpm2.NVReadEx(t.rwc, nvramRSAEkNonceIndex, tpm2.HandleOwner, "", 0)
 	if err != nil {
-		t.tpmEkTemplate = &defaultEKTemplate // No nonce, use the default template
+		t.tpmRSAEkTemplate = &defaultRSAEKTemplate // No nonce, use the default template
 	} else {
-		template := defaultEKTemplate
+		template := defaultRSAEKTemplate
 		copy(template.RSAParameters.ModulusRaw, nonce)
-		t.tpmEkTemplate = &template
+		t.tpmRSAEkTemplate = &template
 	}
 
-	return *t.tpmEkTemplate
+	return *t.tpmRSAEkTemplate
 }
 
 func (t *wrappedTPM20) tpmVersion() TPMVersion {
@@ -96,8 +96,8 @@ func (t *wrappedTPM20) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle,
 	switch pHnd {
 	case commonSrkEquivalentHandle:
 		keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", "", defaultSRKTemplate)
-	case commonEkEquivalentHandle:
-		keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.ekTemplate())
+	case commonRSAEkEquivalentHandle:
+		keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.rsaEkTemplate())
 	}
 	if err != nil {
 		return 0, false, fmt.Errorf("ReadPublic failed (%v), and then CreatePrimary failed: %v", rerr, err)
@@ -113,14 +113,14 @@ func (t *wrappedTPM20) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle,
 }
 
 func (t *wrappedTPM20) eks() ([]EK, error) {
-	if cert, err := readEKCertFromNVRAM20(t.rwc); err == nil {
+	if cert, err := readEKCertFromNVRAM20(t.rwc, nvramRSACertIndex); err == nil {
 		return []EK{
 			{Public: crypto.PublicKey(cert.PublicKey), Certificate: cert},
 		}, nil
 	}
 
 	// Attempt to create an EK.
-	ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.ekTemplate())
+	ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.rsaEkTemplate())
 	if err != nil {
 		return nil, fmt.Errorf("EK CreatePrimary failed: %v", err)
 	}
@@ -417,7 +417,7 @@ func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential) ([
 	}
 	secret := in.Secret[2:]
 
-	ekHnd, _, err := t.getPrimaryKeyHandle(commonEkEquivalentHandle)
+	ekHnd, _, err := t.getPrimaryKeyHandle(commonRSAEkEquivalentHandle)
 	if err != nil {
 		return nil, err
 	}