ExternalVendorCode/go-attestation
1
0
Fork 0
mirror of https://github.com/google/go-attestation.git synced 2025-06-18 06:58:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

attest: re-work EK API (#79)

Browse Source 
This PR adds:
* Renames 'PlatformEK' to 'EK'
* More consistant support of EKs without certificates
* Removes HTTP GET to Intel EK certificate service
* Always populates EK.Public
This commit is contained in:
Eric Chiang
2019-08-21 10:26:55 -07:00
committed by Tom D
parent cd07b32602
commit bfcbe8f1e2
10 changed files with 181 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
attest/tpm_linux.go
View File

@ -17,6 +17,7 @@
package attest
import (
"crypto"
"crypto/rsa"
"encoding/binary"
"errors"
@ -221,51 +222,52 @@ func readEKCertFromNVRAM12(ctx *tspi.Context) (*x509.Certificate, error) {
if err != nil {
return nil, fmt.Errorf("reading EK cert: %v", err)
}
return parseCert(ekCert)
return ParseEKCertificate(ekCert)
}
// EKs returns the endorsement keys burned-in to the platform.
func (t *TPM) EKs() ([]PlatformEK, error) {
var cert *x509.Certificate
var err error
func (t *TPM) EKs() ([]EK, error) {
switch t.version {
case TPMVersion12:
cert, err = readEKCertFromNVRAM12(t.ctx)
cert, err := readEKCertFromNVRAM12(t.ctx)
if err != nil {
return nil, fmt.Errorf("readEKCertFromNVRAM failed: %v", err)
}
return []EK{
{Public: crypto.PublicKey(cert.PublicKey), Certificate: cert},
}, nil
case TPMVersion20:
cert, err = readEKCertFromNVRAM20(t.rwc)
if err != nil {
ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
if err != nil {
return nil, fmt.Errorf("EK CreatePrimary failed: %v", err)
}
defer tpm2.FlushContext(t.rwc, ekHnd)
pub, _, _, err := tpm2.ReadPublic(t.rwc, ekHnd)
if err != nil {
return nil, fmt.Errorf("EK ReadPublic failed: %v", err)
}
if pub.RSAParameters == nil {
return nil, errors.New("ECC EK not yet supported")
}
return []PlatformEK{
{nil, &rsa.PublicKey{E: int(pub.RSAParameters.Exponent()), N: pub.RSAParameters.Modulus()}},
if cert, err := readEKCertFromNVRAM20(t.rwc); err == nil {
return []EK{
{Public: crypto.PublicKey(cert.PublicKey), Certificate: cert},
}, nil
}
// Attempt to create an EK.
ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
if err != nil {
return nil, fmt.Errorf("EK CreatePrimary failed: %v", err)
}
defer tpm2.FlushContext(t.rwc, ekHnd)
pub, _, _, err := tpm2.ReadPublic(t.rwc, ekHnd)
if err != nil {
return nil, fmt.Errorf("EK ReadPublic failed: %v", err)
}
if pub.RSAParameters == nil {
return nil, errors.New("ECC EK not yet supported")
}
return []EK{
{
Public: &rsa.PublicKey{
E: int(pub.RSAParameters.Exponent()),
N: pub.RSAParameters.Modulus(),
},
},
}, nil
default:
return nil, fmt.Errorf("unsupported TPM version: %x", t.version)
}
return []PlatformEK{
{cert, cert.PublicKey},
}, nil
}
// MintAIK creates an attestation key.