Move AIK to Storage hierarchy (#10)
Move the AIK to the storage hierarchy so that its key blob can be saved and loaded instead of recreating the AIK each time.
This commit is contained in:
parent
b15816bdc8
commit
b128fd7448
@ -54,6 +54,20 @@ var (
|
||||
Modulus: big.NewInt(0),
|
||||
},
|
||||
}
|
||||
defaultSRKTemplate = tpm2.Public{
|
||||
Type: tpm2.AlgRSA,
|
||||
NameAlg: tpm2.AlgSHA256,
|
||||
Attributes: tpm2.FlagStorageDefault,
|
||||
RSAParameters: &tpm2.RSAParams{
|
||||
Symmetric: &tpm2.SymScheme{
|
||||
Alg: tpm2.AlgAES,
|
||||
KeyBits: 128,
|
||||
Mode: tpm2.AlgCFB,
|
||||
},
|
||||
KeyBits: 2048,
|
||||
Modulus: big.NewInt(0),
|
||||
},
|
||||
}
|
||||
// Default EK template defined in:
|
||||
// https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
|
||||
defaultEKTemplate = tpm2.Public{
|
||||
|
@ -190,15 +190,21 @@ func (t *TPM) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, bool, er
|
||||
return pHnd, false, nil
|
||||
}
|
||||
|
||||
ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
|
||||
if err != nil {
|
||||
return 0, false, fmt.Errorf("EK CreatePrimary failed: %v", err)
|
||||
var keyHnd tpmutil.Handle
|
||||
switch pHnd {
|
||||
case commonSrkEquivalentHandle:
|
||||
keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", "", defaultSRKTemplate)
|
||||
case commonEkEquivalentHandle:
|
||||
keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
|
||||
}
|
||||
defer tpm2.FlushContext(t.rwc, ekHnd)
|
||||
|
||||
err = tpm2.EvictControl(t.rwc, "", tpm2.HandleOwner, ekHnd, pHnd)
|
||||
if err != nil {
|
||||
return 0, false, fmt.Errorf("EK EvictControl failed: %v", err)
|
||||
return 0, false, fmt.Errorf("CreatePrimary failed: %v", err)
|
||||
}
|
||||
defer tpm2.FlushContext(t.rwc, keyHnd)
|
||||
|
||||
err = tpm2.EvictControl(t.rwc, "", tpm2.HandleOwner, keyHnd, pHnd)
|
||||
if err != nil {
|
||||
return 0, false, fmt.Errorf("EvictControl failed: %v", err)
|
||||
}
|
||||
|
||||
return pHnd, true, nil
|
||||
@ -380,11 +386,19 @@ func (t *TPM) MintAIK(opts *MintOptions) (*Key, error) {
|
||||
|
||||
case TPMVersion20:
|
||||
// TODO(jsonp): Abstract choice of hierarchy & parent.
|
||||
keyHandle, pub, creationData, creationHash, tix, _, err := tpm2.CreatePrimaryEx(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", aikTemplate)
|
||||
srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("CreatePrimaryEx failed: %v", err)
|
||||
return nil, fmt.Errorf("failed to get SRK handle: %v", err)
|
||||
}
|
||||
|
||||
_, blob, pub, creationData, creationHash, tix, err := tpm2.CreateKey(t.rwc, srk, tpm2.PCRSelection{}, "", "", aikTemplate)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("CreateKeyEx failed: %v", err)
|
||||
}
|
||||
keyHandle, _, err := tpm2.Load(t.rwc, srk, "", pub, blob)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Load failed: %v", err)
|
||||
}
|
||||
// If any errors occur, free the AIK's handle.
|
||||
defer func() {
|
||||
if err != nil {
|
||||
@ -393,7 +407,7 @@ func (t *TPM) MintAIK(opts *MintOptions) (*Key, error) {
|
||||
}()
|
||||
|
||||
// We can only certify the creation immediately afterwards, so we cache the result.
|
||||
attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, keyHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix)
|
||||
attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, keyHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, &tix)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("CertifyCreation failed: %v", err)
|
||||
}
|
||||
@ -405,9 +419,10 @@ func (t *TPM) MintAIK(opts *MintOptions) (*Key, error) {
|
||||
|
||||
return &Key{
|
||||
hnd: keyHandle,
|
||||
KeyEncoding: KeyEncodingParameterized,
|
||||
KeyEncoding: KeyEncodingEncrypted,
|
||||
TPMVersion: t.version,
|
||||
Purpose: AttestationKey,
|
||||
KeyBlob: blob,
|
||||
Public: pub,
|
||||
CreateData: creationData,
|
||||
CreateAttestation: attestation,
|
||||
@ -444,11 +459,16 @@ func (t *TPM) LoadKey(opaqueBlob []byte) (*Key, error) {
|
||||
}
|
||||
|
||||
case TPMVersion20:
|
||||
if k.KeyEncoding != KeyEncodingParameterized {
|
||||
if k.KeyEncoding != KeyEncodingEncrypted {
|
||||
return nil, fmt.Errorf("unsupported key encoding: %x", k.KeyEncoding)
|
||||
}
|
||||
if k.hnd, _, _, _, _, _, err = tpm2.CreatePrimaryEx(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", aikTemplate); err != nil {
|
||||
return nil, fmt.Errorf("CreatePrimaryEx failed: %v", err)
|
||||
|
||||
srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get SRK handle: %v", err)
|
||||
}
|
||||
if k.hnd, _, err = tpm2.Load(t.rwc, srk, "", k.Public, k.KeyBlob); err != nil {
|
||||
return nil, fmt.Errorf("Load failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
|
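Review bot: In getPrimaryKeyHandle the new `switch pHnd` has no default case, so a caller passing a handle other than commonSrkEquivalentHandle or commonEkEquivalentHandle leaves keyHnd at zero and err holding whatever the earlier lookup left in it (presumably nil), after which the code goes on to FlushContext and EvictControl a handle that was never created; the TPM will most likely reject that EvictControl, but the returned error then misattributes the cause. Add `default: return 0, false, fmt.Errorf("unsupported primary key handle: %x", pHnd)` before the closing brace of the switch so an unknown handle is refused before any TPM command is issued. The function's opening, including the early return for an already-persisted handle, lies outside the hunk. Separately, the MintAIK hunk reports `CreateKeyEx failed` for a call to tpm2.CreateKey; `return nil, fmt.Errorf("CreateKey failed: %v", err)` keeps the message in step with the call being made.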
2
go.mod
2
go.mod
@ -4,7 +4,7 @@ go 1.12
|
||||
|
||||
require (
|
||||
github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8
|
||||
github.com/google/go-tpm v0.1.2-0.20190409004434-20331edb0a91
|
||||
github.com/google/go-tpm v0.1.2-0.20190410172553-e84d59d0589e
|
||||
github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5
|
||||
github.com/google/go-tspi v0.2.0
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a
|
||||
|
4
go.sum
4
go.sum
@ -4,8 +4,8 @@ github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c
|
||||
github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
|
||||
github.com/google/go-tpm v0.1.1 h1:Qwvy1ZQsQElHIb/7PCqE4OpiBwDRMMHpu2a2q16S2hI=
|
||||
github.com/google/go-tpm v0.1.1/go.mod h1:OGEdc1XfzTyNEQyahgeXVq+E0lMq3Vu/Y3bT9EfpRnE=
|
||||
github.com/google/go-tpm v0.1.2-0.20190409004434-20331edb0a91 h1:j37OZK/AlfYPxv4nMu3Mh9pxfqrjMswpSzWoWCt5uEY=
|
||||
github.com/google/go-tpm v0.1.2-0.20190409004434-20331edb0a91/go.mod h1:OGEdc1XfzTyNEQyahgeXVq+E0lMq3Vu/Y3bT9EfpRnE=
|
||||
github.com/google/go-tpm v0.1.2-0.20190410172553-e84d59d0589e h1:cbbVm1AQhiczA2kTjpROSbTZf2XVSS/DrnSjrqOo2wo=
|
||||
github.com/google/go-tpm v0.1.2-0.20190410172553-e84d59d0589e/go.mod h1:OGEdc1XfzTyNEQyahgeXVq+E0lMq3Vu/Y3bT9EfpRnE=
|
||||
github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5 h1:/moKuMi+BJ+OEva3jTms88ruyRkxaZn+f9EIZoGpQeY=
|
||||
github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5/go.mod h1:ApmLTU8fd5JJJ4J67y9sV16nOTR00GW2OabMwk7kSnE=
|
||||
github.com/google/go-tspi v0.2.0 h1:PMrHThARFgHtsCF6B8YNjLlnnGMDdFjVHZnxaqkcbzQ=
|
||||
|