diff --git a/attest/tpm.go b/attest/tpm.go
index fc1fe59..f3dda26 100644
--- a/attest/tpm.go
+++ b/attest/tpm.go
@@ -54,6 +54,20 @@ var (
 Modulus: big.NewInt(0),
 },
 }
+ defaultSRKTemplate = tpm2.Public{
+ Type: tpm2.AlgRSA,
+ NameAlg: tpm2.AlgSHA256,
+ Attributes: tpm2.FlagStorageDefault,
+ RSAParameters: &tpm2.RSAParams{
+ Symmetric: &tpm2.SymScheme{
+ Alg: tpm2.AlgAES,
+ KeyBits: 128,
+ Mode: tpm2.AlgCFB,
+ },
+ KeyBits: 2048,
+ Modulus: big.NewInt(0),
+ },
+ }
 // Default EK template defined in:
 // https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
 defaultEKTemplate = tpm2.Public{
diff --git a/attest/tpm_linux.go b/attest/tpm_linux.go
index 62be265..2a896eb 100644
--- a/attest/tpm_linux.go
+++ b/attest/tpm_linux.go
@@ -190,15 +190,21 @@ func (t *TPM) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, bool, er
 return pHnd, false, nil
 }
- ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
- if err != nil {
- return 0, false, fmt.Errorf("EK CreatePrimary failed: %v", err)
+ var keyHnd tpmutil.Handle
+ switch pHnd {
+ case commonSrkEquivalentHandle:
+ keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", "", defaultSRKTemplate)
+ case commonEkEquivalentHandle:
+ keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
 }
- defer tpm2.FlushContext(t.rwc, ekHnd)
-
- err = tpm2.EvictControl(t.rwc, "", tpm2.HandleOwner, ekHnd, pHnd)
 if err != nil {
- return 0, false, fmt.Errorf("EK EvictControl failed: %v", err)
+ return 0, false, fmt.Errorf("CreatePrimary failed: %v", err)
+ }
+ defer tpm2.FlushContext(t.rwc, keyHnd)
+
+ err = tpm2.EvictControl(t.rwc, "", tpm2.HandleOwner, keyHnd, pHnd)
+ if err != nil {
+ return 0, false, fmt.Errorf("EvictControl failed: %v", err)
 }
 return pHnd, true, nil
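Review bot: defaultSRKTemplate is added without the kind of comment defaultEKTemplate carries three lines below, and this template is more than a default: a primary key is derived from the hierarchy seed plus the template, so every KeyBlob wrapped under this SRK becomes unloadable if any field here changes later. Suggest a comment such as `// Default SRK template. The SRK derived from it wraps every AIK KeyBlob this package emits, so changing any field orphans previously persisted keys.` If the intent is to match the SRK template from the TCG TPM 2.0 Provisioning Guidance, confirm that tpm2.FlagStorageDefault covers the attributes listed there (that template also sets noDA), since a different attribute set derives a different SRK from the one other tooling would create. The `var (` block this sits in starts before the hunk.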
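Review bot: The switch on pHnd has no default case, so a handle other than commonSrkEquivalentHandle or commonEkEquivalentHandle leaves keyHnd at zero and err untouched, and the code then goes on to FlushContext and EvictControl a zero handle instead of failing up front. Add `default:` with `return 0, false, fmt.Errorf("unsupported primary key handle %x", pHnd)` before the closing brace of the switch. The case arms assign err with `=`, so err must already be declared above the hunk; getPrimaryKeyHandle's start is outside the hunk.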
@@ -380,11 +386,19 @@ func (t *TPM) MintAIK(opts *MintOptions) (*Key, error) {
 case TPMVersion20:
 // TODO(jsonp): Abstract choice of hierarchy & parent.
- keyHandle, pub, creationData, creationHash, tix, _, err := tpm2.CreatePrimaryEx(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", aikTemplate)
+ srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
 if err != nil {
- return nil, fmt.Errorf("CreatePrimaryEx failed: %v", err)
+ return nil, fmt.Errorf("failed to get SRK handle: %v", err)
 }
+ _, blob, pub, creationData, creationHash, tix, err := tpm2.CreateKey(t.rwc, srk, tpm2.PCRSelection{}, "", "", aikTemplate)
+ if err != nil {
+ return nil, fmt.Errorf("CreateKeyEx failed: %v", err)
+ }
+ keyHandle, _, err := tpm2.Load(t.rwc, srk, "", pub, blob)
+ if err != nil {
+ return nil, fmt.Errorf("Load failed: %v", err)
+ }
 // If any errors occur, free the AIK's handle.
 defer func() {
 if err != nil {
@@ -393,7 +407,7 @@ func (t *TPM) MintAIK(opts *MintOptions) (*Key, error) {
 }()
 // We can only certify the creation immediately afterwards, so we cache the result.
- attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, keyHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix)
+ attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, keyHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, &tix)
 if err != nil {
 return nil, fmt.Errorf("CertifyCreation failed: %v", err)
 }
@@ -405,9 +419,10 @@ func (t *TPM) MintAIK(opts *MintOptions) (*Key, error) {
 return &Key{
 hnd: keyHandle,
- KeyEncoding: KeyEncodingParameterized,
+ KeyEncoding: KeyEncodingEncrypted,
 TPMVersion: t.version,
 Purpose: AttestationKey,
+ KeyBlob: blob,
 Public: pub,
 CreateData: creationData,
 CreateAttestation: attestation,
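Review bot: The error string on the CreateKey failure path reads `CreateKeyEx failed`, but the call on the line above is tpm2.CreateKey; change it to `return nil, fmt.Errorf("CreateKey failed: %v", err)` so a log line points at the primitive that actually ran. The deferred flush below only matters once Load has succeeded, because CreateKey returns the wrapped blob without making anything TPM-resident; a one-line comment above the Load call, `// Nothing is resident until Load succeeds, so a CreateKey failure needs no flush.`, would save the next reader from checking that ordering. MintAIK begins before the hunk.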
@@ -444,11 +459,16 @@ func (t *TPM) LoadKey(opaqueBlob []byte) (*Key, error) {
 }
 case TPMVersion20:
- if k.KeyEncoding != KeyEncodingParameterized {
+ if k.KeyEncoding != KeyEncodingEncrypted {
 return nil, fmt.Errorf("unsupported key encoding: %x", k.KeyEncoding)
 }
- if k.hnd, _, _, _, _, _, err = tpm2.CreatePrimaryEx(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", aikTemplate); err != nil {
- return nil, fmt.Errorf("CreatePrimaryEx failed: %v", err)
+
+ srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get SRK handle: %v", err)
+ }
+ if k.hnd, _, err = tpm2.Load(t.rwc, srk, "", k.Public, k.KeyBlob); err != nil {
+ return nil, fmt.Errorf("Load failed: %v", err)
 }
 }
diff --git a/go.mod b/go.mod
index 7c2b2cd..6819eaa 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.12
 require (
 github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8
- github.com/google/go-tpm v0.1.2-0.20190409004434-20331edb0a91
+ github.com/google/go-tpm v0.1.2-0.20190410172553-e84d59d0589e
 github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5
 github.com/google/go-tspi v0.2.0
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a
diff --git a/go.sum b/go.sum
index b896212..23f4647 100644
--- a/go.sum
+++ b/go.sum
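Review bot: `srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)` declares a new err scoped to the case clause, shadowing the outer err that the removed CreatePrimaryEx line assigned with `=`; the Load error on the following lines then lands in the shadowed variable, and any check of err after the switch (outside the hunk) would see the stale outer value. Prefer `var srk tpmutil.Handle` followed by `if srk, _, err = t.getPrimaryKeyHandle(commonSrkEquivalentHandle); err != nil {` so both calls report through the same variable. LoadKey begins before the hunk and the code after the switch is not visible here.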
@@ -4,8 +4,8 @@ github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c
 github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/go-tpm v0.1.1 h1:Qwvy1ZQsQElHIb/7PCqE4OpiBwDRMMHpu2a2q16S2hI=
 github.com/google/go-tpm v0.1.1/go.mod h1:OGEdc1XfzTyNEQyahgeXVq+E0lMq3Vu/Y3bT9EfpRnE=
-github.com/google/go-tpm v0.1.2-0.20190409004434-20331edb0a91 h1:j37OZK/AlfYPxv4nMu3Mh9pxfqrjMswpSzWoWCt5uEY=
-github.com/google/go-tpm v0.1.2-0.20190409004434-20331edb0a91/go.mod h1:OGEdc1XfzTyNEQyahgeXVq+E0lMq3Vu/Y3bT9EfpRnE=
+github.com/google/go-tpm v0.1.2-0.20190410172553-e84d59d0589e h1:cbbVm1AQhiczA2kTjpROSbTZf2XVSS/DrnSjrqOo2wo=
+github.com/google/go-tpm v0.1.2-0.20190410172553-e84d59d0589e/go.mod h1:OGEdc1XfzTyNEQyahgeXVq+E0lMq3Vu/Y3bT9EfpRnE=
 github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5 h1:/moKuMi+BJ+OEva3jTms88ruyRkxaZn+f9EIZoGpQeY=
 github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5/go.mod h1:ApmLTU8fd5JJJ4J67y9sV16nOTR00GW2OabMwk7kSnE=
 github.com/google/go-tspi v0.2.0 h1:PMrHThARFgHtsCF6B8YNjLlnnGMDdFjVHZnxaqkcbzQ=