ExternalVendorCode/go-attestation
1
0
Fork 0
mirror of https://github.com/google/go-attestation.git synced 2024-12-19 04:57:59 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Use NV cert index as auth hierarchy for EK cert

Browse Source 
This is the same approach tpm2_getekcertificate uses, with its
`TPM2_HANDLE_FLAGS_NV` flag.

The main impetus here is is ChromeOS's vtpm implementation[1], which
doesn't have a concept of an "owner" or "platform" password and expects
the NV index itself as the auth hierarchy. In either case, as this is
the same approach tpm2_getekcertificate uses this should provide a more
standard/common approach as opposed to relying on the owner password to
be empty.

Tested with both CrOS's vTPM and a real TPM on Debian.

b/258300352

[1]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform2/vtpm/commands/nv_read_command.cc;l=64-68;drc=1efd0c8f36050d56b8550354a4c7af925e44118a
This commit is contained in:
Mike Gerow 2023-01-05 17:47:59 +00:00 committed by Brandon Weeks
parent 5238453493
commit 68deb4ce55
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
attest/tpm.go
View File

@ -223,7 +223,10 @@ func intelEKURL(ekPub *rsa.PublicKey) string {
}
func readEKCertFromNVRAM20(tpm io.ReadWriter) (*x509.Certificate, error) {
ekCert, err := tpm2.NVReadEx(tpm, nvramCertIndex, tpm2.HandleOwner, "", 0)
// By passing nvramCertIndex as our auth handle we're using the NV index
// itself as the auth hierarchy, which is the same approach
// tpm2_getekcertificate takes.
ekCert, err := tpm2.NVReadEx(tpm, nvramCertIndex, nvramCertIndex, "", 0)
if err != nil {
return nil, fmt.Errorf("reading EK cert: %v", err)
}