ExternalVendorCode/go-attestation
1
0
Fork 0
mirror of https://github.com/google/go-attestation.git synced 2024-12-18 20:47:57 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Split linuxTPM -> {trousersTPM,wrappedTPM20}, implement CommandChannel

Browse Source 
* Split linuxTPM -> {trousersTPM,wrappedTPM20} + prefix windows key type with windows

* Address feedback, implement CommandChannel
This commit is contained in:
Tom D 2020-05-05 16:56:57 -07:00 committed by GitHub
parent 1045ef6327
commit ebb0b62d80
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 424 additions and 361 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
attest/attest.go
View File

@ -19,6 +19,7 @@ import (
"crypto"
"errors"
"fmt"
"io"
"github.com/google/certificate-transparency-go/x509"
"github.com/google/go-tpm/tpm"
@ -45,14 +46,26 @@ const (
TPMInterfaceDirect TPMInterface = iota
TPMInterfaceKernelManaged
TPMInterfaceDaemonManaged
TPMInterfaceCommandChannel
)
// CommandChannelTPM20 represents a pipe along which TPM 2.0 commands
// can be issued, and measurement logs read.
type CommandChannelTPM20 interface {
io.ReadWriteCloser
MeasurementLog() ([]byte, error)
}
// OpenConfig encapsulates settings passed to OpenTPM().
type OpenConfig struct {
// TPMVersion indicates which TPM version the library should
// attempt to use. If the specified version is not available,
// ErrTPMNotAvailable is returned. Defaults to TPMVersionAgnostic.
TPMVersion TPMVersion
// CommandChannel provides a TPM 2.0 command channel, which can be
// used in-lieu of any TPM present on the platform.
CommandChannel CommandChannelTPM20
}
// keyEncoding indicates how an exported TPM key is represented.
@ -396,6 +409,18 @@ func OpenTPM(config *OpenConfig) (*TPM, error) {
if config == nil {
config = defaultOpenConfig
}
// As a special case, if the user provided us with a command channel,
// we should use that.
if config.CommandChannel != nil {
if config.TPMVersion > TPMVersionAgnostic && config.TPMVersion != TPMVersion20 {
return nil, errors.New("command channel can only be used as a TPM 2.0 device")
}
return &TPM{&wrappedTPM20{
interf: TPMInterfaceCommandChannel,
rwc: config.CommandChannel,
}}, nil
}
candidateTPMs, err := probeSystemTPMs()
if err != nil {
return nil, err

17
attest/attest_simulated_tpm20_test.go
View File

@ -33,12 +33,11 @@ func setupSimulatedTPM(t *testing.T) (*simulator.Simulator, *TPM) {
if err != nil {
t.Fatal(err)
}
return tpm, &TPM{tpm: &linuxTPM{
version: TPMVersion20,
interf: TPMInterfaceKernelManaged,
sysPath: "/dev/tpmrm0",
rwc: tpm,
}}
attestTPM, err := OpenTPM(&OpenConfig{CommandChannel: &linuxCmdChannel{tpm}})
if err != nil {
t.Fatal(err)
}
return tpm, attestTPM
}
func TestSimTPM20EK(t *testing.T) {
@ -87,7 +86,7 @@ func TestSimTPM20AKCreateAndLoad(t *testing.T) {
}
defer loaded.Close(tpm)
k1, k2 := ak.ak.(*key20), loaded.ak.(*key20)
k1, k2 := ak.ak.(*wrappedKey20), loaded.ak.(*wrappedKey20)
if !bytes.Equal(k1.public, k2.public) {
t.Error("Original & loaded AK public blobs did not match.")
@ -240,7 +239,7 @@ func TestSimTPM20Persistence(t *testing.T) {
sim, tpm := setupSimulatedTPM(t)
defer sim.Close()
ekHnd, _, err := tpm.tpm.(*linuxTPM).getPrimaryKeyHandle(commonEkEquivalentHandle)
ekHnd, _, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonEkEquivalentHandle)
if err != nil {
t.Fatalf("getPrimaryKeyHandle() failed: %v", err)
}
@ -248,7 +247,7 @@ func TestSimTPM20Persistence(t *testing.T) {
t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonEkEquivalentHandle)
}
ekHnd, p, err := tpm.tpm.(*linuxTPM).getPrimaryKeyHandle(commonEkEquivalentHandle)
ekHnd, p, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonEkEquivalentHandle)
if err != nil {
t.Fatalf("second getPrimaryKeyHandle() failed: %v", err)
}

2
attest/attest_test.go
View File

@ -110,7 +110,7 @@ func TestAKCreateAndLoad(t *testing.T) {
}
defer loaded.Close(tpm)
k1, k2 := ak.ak.(*key20), loaded.ak.(*key20)
k1, k2 := ak.ak.(*wrappedKey20), loaded.ak.(*wrappedKey20)
if !bytes.Equal(k1.public, k2.public) {
t.Error("Original & loaded AK public blobs did not match.")

2
attest/attest_tpm12_test.go
View File

@ -24,7 +24,7 @@ import (
var (
testTPM12 = flag.Bool("testTPM12", false, "run tests for TPM1.2")
tpm12config = &OpenConfig{TPMVersion12}
tpm12config = &OpenConfig{TPMVersion: TPMVersion12}
)
func openTPM12(t *testing.T) *TPM {

119
attest/key_linux.go
View File

@ -19,19 +19,17 @@ package attest
import (
"fmt"
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpmutil"
"github.com/google/go-tspi/attestation"
)
// key12 represents a key bound to a TPM 1.2 device via tcsd.
type key12 struct {
// trousersKey12 represents a key bound to a TPM 1.2 device via tcsd.
type trousersKey12 struct {
blob []byte
public []byte
}
func newKey12(blob, public []byte) ak {
return &key12{
func newTrousersKey12(blob, public []byte) ak {
return &trousersKey12{
blob: blob,
public: public,
}
@ -39,7 +37,7 @@ func newKey12(blob, public []byte) ak {
// Marshal represents the key in a persistent format which may be
// loaded at a later time using tpm.LoadKey().
func (k *key12) marshal() ([]byte, error) {
func (k *trousersKey12) marshal() ([]byte, error) {
out := serializedKey{
Encoding: keyEncodingEncrypted,
TPMVersion: TPMVersion12,
@ -49,12 +47,12 @@ func (k *key12) marshal() ([]byte, error) {
return out.Serialize()
}
func (k *key12) close(tpm tpmBase) error {
func (k *trousersKey12) close(tpm tpmBase) error {
return nil // No state for tpm 1.2.
}
func (k *key12) activateCredential(tb tpmBase, in EncryptedCredential) ([]byte, error) {
t, ok := tb.(*linuxTPM)
func (k *trousersKey12) activateCredential(tb tpmBase, in EncryptedCredential) ([]byte, error) {
t, ok := tb.(*trousersTPM)
if !ok {
return nil, fmt.Errorf("expected *linuxTPM, got %T", tb)
}
@ -66,8 +64,8 @@ func (k *key12) activateCredential(tb tpmBase, in EncryptedCredential) ([]byte,
return cred, nil
}
func (k *key12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
t, ok := tb.(*linuxTPM)
func (k *trousersKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
t, ok := tb.(*trousersTPM)
if !ok {
return nil, fmt.Errorf("expected *linuxTPM, got %T", tb)
}
@ -87,104 +85,9 @@ func (k *key12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
}, nil
}
func (k *key12) attestationParameters() AttestationParameters {
func (k *trousersKey12) attestationParameters() AttestationParameters {
return AttestationParameters{
Public: k.public,
UseTCSDActivationFormat: true,
}
}
// key20 represents a key bound to a TPM 2.0.
type key20 struct {
hnd tpmutil.Handle
blob []byte
public []byte // used by both TPM1.2 and 2.0
createData []byte
createAttestation []byte
createSignature []byte
}
func newKey20(hnd tpmutil.Handle, blob, public, createData, createAttestation, createSig []byte) ak {
return &key20{
hnd: hnd,
blob: blob,
public: public,
createData: createData,
createAttestation: createAttestation,
createSignature: createSig,
}
}
func (k *key20) marshal() ([]byte, error) {
return (&serializedKey{
Encoding: keyEncodingEncrypted,
TPMVersion: TPMVersion20,
Blob: k.blob,
Public: k.public,
CreateData: k.createData,
CreateAttestation: k.createAttestation,
CreateSignature: k.createSignature,
}).Serialize()
}
func (k *key20) close(t tpmBase) error {
tpm, ok := t.(*linuxTPM)
if !ok {
return fmt.Errorf("expected *linuxTPM, got %T", t)
}
return tpm2.FlushContext(tpm.rwc, k.hnd)
}
func (k *key20) activateCredential(tb tpmBase, in EncryptedCredential) ([]byte, error) {
t, ok := tb.(*linuxTPM)
if !ok {
return nil, fmt.Errorf("expected *linuxTPM, got %T", tb)
}
ekHnd, _, err := t.getPrimaryKeyHandle(commonEkEquivalentHandle)
if err != nil {
return nil, err
}
sessHandle, _, err := tpm2.StartAuthSession(
t.rwc,
tpm2.HandleNull, /*tpmKey*/
tpm2.HandleNull, /*bindKey*/
make([]byte, 16), /*nonceCaller*/
nil, /*secret*/
tpm2.SessionPolicy,
tpm2.AlgNull,
tpm2.AlgSHA256)
if err != nil {
return nil, fmt.Errorf("creating session: %v", err)
}
defer tpm2.FlushContext(t.rwc, sessHandle)
if _, err := tpm2.PolicySecret(t.rwc, tpm2.HandleEndorsement, tpm2.AuthCommand{Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession}, sessHandle, nil, nil, nil, 0); err != nil {
return nil, fmt.Errorf("tpm2.PolicySecret() failed: %v", err)
}
return tpm2.ActivateCredentialUsingAuth(t.rwc, []tpm2.AuthCommand{
{Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession},
{Session: sessHandle, Attributes: tpm2.AttrContinueSession},
}, k.hnd, ekHnd, in.Credential[2:], in.Secret[2:])
}
func (k *key20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
t, ok := tb.(*linuxTPM)
if !ok {
return nil, fmt.Errorf("expected *linuxTPM, got %T", tb)
}
return quote20(t.rwc, k.hnd, tpm2.Algorithm(alg), nonce)
}
func (k *key20) attestationParameters() AttestationParameters {
return AttestationParameters{
Public: k.public,
CreateData: k.createData,
CreateAttestation: k.createAttestation,
CreateSignature: k.createSignature,
}
}

36
attest/key_windows.go
View File

@ -22,22 +22,22 @@ import (
tpm1 "github.com/google/go-tpm/tpm"
)
// key12 represents a Windows-managed key on a TPM1.2 TPM.
type key12 struct {
// windowsKey12 represents a Windows-managed key on a TPM1.2 TPM.
type windowsKey12 struct {
hnd uintptr
pcpKeyName string
public []byte
}
func newKey12(hnd uintptr, pcpKeyName string, public []byte) ak {
return &key12{
func newWindowsKey12(hnd uintptr, pcpKeyName string, public []byte) ak {
return &windowsKey12{
hnd: hnd,
pcpKeyName: pcpKeyName,
public: public,
}
}
func (k *key12) marshal() ([]byte, error) {
func (k *windowsKey12) marshal() ([]byte, error) {
out := serializedKey{
Encoding: keyEncodingOSManaged,
TPMVersion: TPMVersion12,
@ -47,7 +47,7 @@ func (k *key12) marshal() ([]byte, error) {
return out.Serialize()
}
func (k *key12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
tpm, ok := t.(*windowsTPM)
if !ok {
return nil, fmt.Errorf("expected *windowsTPM, got %T", t)
@ -59,7 +59,7 @@ func (k *key12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, e
return decryptCredential(secretKey, in.Secret)
}
func (k *key12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
if alg != HashSHA1 {
return nil, fmt.Errorf("only SHA1 algorithms supported on TPM 1.2, not %v", alg)
}
@ -101,18 +101,18 @@ func (k *key12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
}, nil
}
func (k *key12) close(tpm tpmBase) error {
func (k *windowsKey12) close(tpm tpmBase) error {
return closeNCryptObject(k.hnd)
}
func (k *key12) attestationParameters() AttestationParameters {
func (k *windowsKey12) attestationParameters() AttestationParameters {
return AttestationParameters{
Public: k.public,
}
}
// key20 represents a key bound to a TPM 2.0.
type key20 struct {
// windowsKey20 represents a key bound to a TPM 2.0.
type windowsKey20 struct {
hnd uintptr
pcpKeyName string
@ -122,8 +122,8 @@ type key20 struct {
createSignature []byte
}
func newKey20(hnd uintptr, pcpKeyName string, public, createData, createAttest, createSig []byte) ak {
return &key20{
func newWindowsKey20(hnd uintptr, pcpKeyName string, public, createData, createAttest, createSig []byte) ak {
return &windowsKey20{
hnd: hnd,
pcpKeyName: pcpKeyName,
public: public,
@ -133,7 +133,7 @@ func newKey20(hnd uintptr, pcpKeyName string, public, createData, createAttest,
}
}
func (k *key20) marshal() ([]byte, error) {
func (k *windowsKey20) marshal() ([]byte, error) {
out := serializedKey{
Encoding: keyEncodingOSManaged,
TPMVersion: TPMVersion20,
@ -147,7 +147,7 @@ func (k *key20) marshal() ([]byte, error) {
return out.Serialize()
}
func (k *key20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
func (k *windowsKey20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
tpm, ok := t.(*windowsTPM)
if !ok {
return nil, fmt.Errorf("expected *windowsTPM, got %T", t)
@ -155,7 +155,7 @@ func (k *key20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, e
return tpm.pcp.ActivateCredential(k.hnd, append(in.Credential, in.Secret...))
}
func (k *key20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
t, ok := tb.(*windowsTPM)
if !ok {
return nil, fmt.Errorf("expected *windowsTPM, got %T", tb)
@ -172,11 +172,11 @@ func (k *key20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
return quote20(tpm, tpmKeyHnd, alg.goTPMAlg(), nonce)
}
func (k *key20) close(tpm tpmBase) error {
func (k *windowsKey20) close(tpm tpmBase) error {
return closeNCryptObject(k.hnd)
}
func (k *key20) attestationParameters() AttestationParameters {
func (k *windowsKey20) attestationParameters() AttestationParameters {
return AttestationParameters{
Public: k.public,
CreateData: k.createData,

283
attest/tpm_linux.go
View File

@ -18,9 +18,7 @@ package attest
import (
"crypto"
"crypto/rsa"
"encoding/binary"
"errors"
"fmt"
"io"
"io/ioutil"
@ -29,31 +27,17 @@ import (
"strings"
"github.com/google/certificate-transparency-go/x509"
"github.com/google/go-tspi/attestation"
"github.com/google/go-tspi/tspi" //for tpm12 support
"github.com/google/go-tspi/tspiconst"
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpmutil"
"github.com/google/go-tspi/attestation"
)
const (
tpmRoot = "/sys/class/tpm"
)
// linuxTPM interfaces with a TPM device on the system.
type linuxTPM struct {
version TPMVersion
interf TPMInterface
sysPath string
rwc io.ReadWriteCloser
ctx *tspi.Context
}
func (*linuxTPM) isTPMBase() {}
func probeSystemTPMs() ([]probedTPM, error) {
var tpms []probedTPM
@ -84,27 +68,30 @@ func probeSystemTPMs() ([]probedTPM, error) {
return tpms, nil
}
func openTPM(tpm probedTPM) (*TPM, error) {
interf := TPMInterfaceDirect
var rwc io.ReadWriteCloser
var ctx *tspi.Context
var err error
type linuxCmdChannel struct {
io.ReadWriteCloser
}
// MeasurementLog implements CommandChannelTPM20.
func (cc *linuxCmdChannel) MeasurementLog() ([]byte, error) {
return ioutil.ReadFile("/sys/kernel/security/tpm0/binary_bios_measurements")
}
func openTPM(tpm probedTPM) (*TPM, error) {
switch tpm.Version {
case TPMVersion12:
// TPM1.2 must be using Daemon (Connect will fail if not the case)
interf = TPMInterfaceDaemonManaged
ctx, err = tspi.NewContext()
ctx, err := tspi.NewContext()
if err != nil {
return nil, err
}
err = ctx.Connect()
if err != nil {
if err = ctx.Connect(); err != nil {
return nil, err
}
return &TPM{tpm: &trousersTPM{ctx: ctx}}, nil
case TPMVersion20:
interf := TPMInterfaceDirect
// If the TPM has a kernel-provided resource manager, we should
// use that instead of communicating directly.
devPath := path.Join("/dev", path.Base(tpm.Path))
@ -118,36 +105,36 @@ func openTPM(tpm probedTPM) (*TPM, error) {
interf = TPMInterfaceKernelManaged
}
rwc, err = tpm2.OpenTPM(devPath)
rwc, err := tpm2.OpenTPM(devPath)
if err != nil {
return nil, err
}
}
return &TPM{tpm: &linuxTPM{
version: tpm.Version,
interf: interf,
sysPath: tpm.Path,
rwc: rwc,
ctx: ctx,
}}, nil
}
return &TPM{tpm: &wrappedTPM20{
interf: interf,
rwc: &linuxCmdChannel{rwc},
}}, nil
func (t *linuxTPM) tpmVersion() TPMVersion {
return t.version
}
func (t *linuxTPM) close() error {
switch t.version {
case TPMVersion12:
return t.ctx.Close()
case TPMVersion20:
return t.rwc.Close()
default:
return fmt.Errorf("unsupported TPM version: %x", t.version)
return nil, fmt.Errorf("unsuported TPM version: %v", tpm.Version)
}
}
// trousersTPM interfaces with a TPM 1.2 device via tcsd.
type trousersTPM struct {
ctx *tspi.Context
}
func (*trousersTPM) isTPMBase() {}
func (t *trousersTPM) tpmVersion() TPMVersion {
return TPMVersion12
}
func (t *trousersTPM) close() error {
return t.ctx.Close()
}
func readTPM12VendorAttributes(context *tspi.Context) (TCGVendorID, string, error) {
// TPM 1.2 doesn't seem to store vendor data (other than unique ID)
vendor, err := context.GetCapability(tspiconst.TSS_TPMCAP_PROPERTY, 4, tspiconst.TSS_TPMCAP_PROP_MANUFACTURER)
@ -162,61 +149,19 @@ func readTPM12VendorAttributes(context *tspi.Context) (TCGVendorID, string, erro
}
// Info returns information about the TPM.
func (t *linuxTPM) info() (*TPMInfo, error) {
func (t *trousersTPM) info() (*TPMInfo, error) {
tInfo := TPMInfo{
Version: t.version,
Interface: t.interf,
Version: TPMVersion12,
Interface: TPMInterfaceDaemonManaged,
}
var err error
switch t.version {
case TPMVersion12:
tInfo.Manufacturer, tInfo.VendorInfo, err = readTPM12VendorAttributes(t.ctx)
case TPMVersion20:
var t2Info tpm20Info
t2Info, err = readTPM2VendorAttributes(t.rwc)
tInfo.Manufacturer = t2Info.manufacturer
tInfo.VendorInfo = t2Info.vendor
tInfo.FirmwareVersionMajor = t2Info.fwMajor
tInfo.FirmwareVersionMinor = t2Info.fwMinor
default:
return nil, fmt.Errorf("unsupported TPM version: %x", t.version)
}
if err != nil {
if tInfo.Manufacturer, tInfo.VendorInfo, err = readTPM12VendorAttributes(t.ctx); err != nil {
return nil, err
}
return &tInfo, nil
}
// Return value: handle, whether we generated a new one, error
func (t *linuxTPM) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, bool, error) {
_, _, _, err := tpm2.ReadPublic(t.rwc, pHnd)
if err == nil {
// Found the persistent handle, assume it's the key we want.
return pHnd, false, nil
}
var keyHnd tpmutil.Handle
switch pHnd {
case commonSrkEquivalentHandle:
keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", "", defaultSRKTemplate)
case commonEkEquivalentHandle:
keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
}
if err != nil {
return 0, false, fmt.Errorf("CreatePrimary failed: %v", err)
}
defer tpm2.FlushContext(t.rwc, keyHnd)
err = tpm2.EvictControl(t.rwc, "", tpm2.HandleOwner, keyHnd, pHnd)
if err != nil {
return 0, false, fmt.Errorf("EvictControl failed: %v", err)
}
return pHnd, true, nil
}
func readEKCertFromNVRAM12(ctx *tspi.Context) (*x509.Certificate, error) {
ekCert, err := attestation.GetEKCert(ctx)
if err != nil {
@ -225,98 +170,26 @@ func readEKCertFromNVRAM12(ctx *tspi.Context) (*x509.Certificate, error) {
return ParseEKCertificate(ekCert)
}
func (t *linuxTPM) eks() ([]EK, error) {
switch t.version {
case TPMVersion12:
cert, err := readEKCertFromNVRAM12(t.ctx)
if err != nil {
return nil, fmt.Errorf("readEKCertFromNVRAM failed: %v", err)
}
return []EK{
{Public: crypto.PublicKey(cert.PublicKey), Certificate: cert},
}, nil
case TPMVersion20:
if cert, err := readEKCertFromNVRAM20(t.rwc); err == nil {
return []EK{
{Public: crypto.PublicKey(cert.PublicKey), Certificate: cert},
}, nil
}
// Attempt to create an EK.
ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
if err != nil {
return nil, fmt.Errorf("EK CreatePrimary failed: %v", err)
}
defer tpm2.FlushContext(t.rwc, ekHnd)
pub, _, _, err := tpm2.ReadPublic(t.rwc, ekHnd)
if err != nil {
return nil, fmt.Errorf("EK ReadPublic failed: %v", err)
}
if pub.RSAParameters == nil {
return nil, errors.New("ECC EK not yet supported")
}
return []EK{
{
Public: &rsa.PublicKey{
E: int(pub.RSAParameters.Exponent()),
N: pub.RSAParameters.Modulus(),
},
},
}, nil
default:
return nil, fmt.Errorf("unsupported TPM version: %x", t.version)
func (t *trousersTPM) eks() ([]EK, error) {
cert, err := readEKCertFromNVRAM12(t.ctx)
if err != nil {
return nil, fmt.Errorf("readEKCertFromNVRAM failed: %v", err)
}
return []EK{
{Public: crypto.PublicKey(cert.PublicKey), Certificate: cert},
}, nil
}
func (t *linuxTPM) newAK(opts *AKConfig) (*AK, error) {
switch t.version {
case TPMVersion12:
pub, blob, err := attestation.CreateAIK(t.ctx)
if err != nil {
return nil, fmt.Errorf("CreateAIK failed: %v", err)
}
return &AK{ak: newKey12(blob, pub)}, nil
case TPMVersion20:
// TODO(jsonp): Abstract choice of hierarchy & parent.
srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
if err != nil {
return nil, fmt.Errorf("failed to get SRK handle: %v", err)
}
blob, pub, creationData, creationHash, tix, err := tpm2.CreateKey(t.rwc, srk, tpm2.PCRSelection{}, "", "", akTemplate)
if err != nil {
return nil, fmt.Errorf("CreateKeyEx() failed: %v", err)
}
keyHandle, _, err := tpm2.Load(t.rwc, srk, "", pub, blob)
if err != nil {
return nil, fmt.Errorf("Load() failed: %v", err)
}
// If any errors occur, free the AK's handle.
defer func() {
if err != nil {
tpm2.FlushContext(t.rwc, keyHandle)
}
}()
// We can only certify the creation immediately afterwards, so we cache the result.
attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, keyHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, &tix)
if err != nil {
return nil, fmt.Errorf("CertifyCreation failed: %v", err)
}
// Pack the raw structure into a TPMU_SIGNATURE.
signature, err := tpmutil.Pack(tpm2.AlgRSASSA, tpm2.AlgSHA256, tpmutil.U16Bytes(sig))
if err != nil {
return nil, fmt.Errorf("failed to pack TPMT_SIGNATURE: %v", err)
}
return &AK{ak: newKey20(keyHandle, blob, pub, creationData, attestation, signature)}, nil
default:
return nil, fmt.Errorf("unsupported TPM version: %x", t.version)
func (t *trousersTPM) newAK(opts *AKConfig) (*AK, error) {
pub, blob, err := attestation.CreateAIK(t.ctx)
if err != nil {
return nil, fmt.Errorf("CreateAIK failed: %v", err)
}
return &AK{ak: newTrousersKey12(blob, pub)}, nil
}
func (t *linuxTPM) loadAK(opaqueBlob []byte) (*AK, error) {
sKey, err := deserializeKey(opaqueBlob, t.version)
func (t *trousersTPM) loadAK(opaqueBlob []byte) (*AK, error) {
sKey, err := deserializeKey(opaqueBlob, TPMVersion12)
if err != nil {
return nil, fmt.Errorf("deserializeKey() failed: %v", err)
}
@ -324,22 +197,7 @@ func (t *linuxTPM) loadAK(opaqueBlob []byte) (*AK, error) {
return nil, fmt.Errorf("unsupported key encoding: %x", sKey.Encoding)
}
switch sKey.TPMVersion {
case TPMVersion12:
return &AK{ak: newKey12(sKey.Blob, sKey.Public)}, nil
case TPMVersion20:
srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
if err != nil {
return nil, fmt.Errorf("failed to get SRK handle: %v", err)
}
var hnd tpmutil.Handle
if hnd, _, err = tpm2.Load(t.rwc, srk, "", sKey.Public, sKey.Blob); err != nil {
return nil, fmt.Errorf("Load() failed: %v", err)
}
return &AK{ak: newKey20(hnd, sKey.Blob, sKey.Public, sKey.CreateData, sKey.CreateAttestation, sKey.CreateSignature)}, nil
default:
return nil, fmt.Errorf("cannot load AK with TPM version: %v", sKey.TPMVersion)
}
return &AK{ak: newTrousersKey12(sKey.Blob, sKey.Public)}, nil
}
// allPCRs12 returns a map of all the PCR values on the TPM
@ -357,28 +215,13 @@ func allPCRs12(ctx *tspi.Context) (map[uint32][]byte, error) {
return PCRs, nil
}
func (t *linuxTPM) pcrs(alg HashAlg) ([]PCR, error) {
var PCRs map[uint32][]byte
var err error
switch t.version {
case TPMVersion12:
if alg != HashSHA1 {
return nil, fmt.Errorf("non-SHA1 algorithm %v is not supported on TPM 1.2", alg)
}
PCRs, err = allPCRs12(t.ctx)
if err != nil {
return nil, fmt.Errorf("failed to read PCRs: %v", err)
}
case TPMVersion20:
PCRs, err = readAllPCRs20(t.rwc, alg.goTPMAlg())
if err != nil {
return nil, fmt.Errorf("failed to read PCRs: %v", err)
}
default:
return nil, fmt.Errorf("unsupported TPM version: %x", t.version)
func (t *trousersTPM) pcrs(alg HashAlg) ([]PCR, error) {
if alg != HashSHA1 {
return nil, fmt.Errorf("non-SHA1 algorithm %v is not supported on TPM 1.2", alg)
}
PCRs, err := allPCRs12(t.ctx)
if err != nil {
return nil, fmt.Errorf("failed to read PCRs: %v", err)
}
out := make([]PCR, len(PCRs))
@ -393,6 +236,6 @@ func (t *linuxTPM) pcrs(alg HashAlg) ([]PCR, error) {
return out, nil
}
func (t *linuxTPM) measurementLog() ([]byte, error) {
func (t *trousersTPM) measurementLog() ([]byte, error) {
return ioutil.ReadFile("/sys/kernel/security/tpm0/binary_bios_measurements")
}

8
attest/tpm_windows.go
View File

@ -285,9 +285,9 @@ func (t *windowsTPM) newAK(opts *AKConfig) (*AK, error) {
switch t.version {
case TPMVersion12:
return &AK{ak: newKey12(kh, name, props.RawPublic)}, nil
return &AK{ak: newWindowsKey12(kh, name, props.RawPublic)}, nil
case TPMVersion20:
return &AK{ak: newKey20(kh, name, props.RawPublic, props.RawCreationData, props.RawAttest, props.RawSignature)}, nil
return &AK{ak: newWindowsKey20(kh, name, props.RawPublic, props.RawCreationData, props.RawAttest, props.RawSignature)}, nil
default:
return nil, fmt.Errorf("cannot handle TPM version: %v", t.version)
}
@ -309,9 +309,9 @@ func (t *windowsTPM) loadAK(opaqueBlob []byte) (*AK, error) {
switch t.version {
case TPMVersion12:
return &AK{ak: newKey12(hnd, sKey.Name, sKey.Public)}, nil
return &AK{ak: newWindowsKey12(hnd, sKey.Name, sKey.Public)}, nil
case TPMVersion20:
return &AK{ak: newKey20(hnd, sKey.Name, sKey.Public, sKey.CreateData, sKey.CreateAttestation, sKey.CreateSignature)}, nil
return &AK{ak: newWindowsKey20(hnd, sKey.Name, sKey.Public, sKey.CreateData, sKey.CreateAttestation, sKey.CreateSignature)}, nil
default:
return nil, fmt.Errorf("cannot handle TPM version: %v", t.version)
}

293
attest/wrapped_tpm20.go Normal file
View File

@ -0,0 +1,293 @@
// Copyright 2020 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.
package attest
import (
"crypto"
"crypto/rsa"
"errors"
"fmt"
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpmutil"
)
// wrappedTPM20 interfaces with a TPM 2.0 command channel.
type wrappedTPM20 struct {
interf TPMInterface
rwc CommandChannelTPM20
}
func (*wrappedTPM20) isTPMBase() {}
func (t *wrappedTPM20) tpmVersion() TPMVersion {
return TPMVersion20
}
func (t *wrappedTPM20) close() error {
return t.rwc.Close()
}
// Info returns information about the TPM.
func (t *wrappedTPM20) info() (*TPMInfo, error) {
var (
tInfo = TPMInfo{
Version: TPMVersion20,
Interface: t.interf,
}
t2Info tpm20Info
err error
)
if t2Info, err = readTPM2VendorAttributes(t.rwc); err != nil {
return nil, err
}
tInfo.Manufacturer = t2Info.manufacturer
tInfo.VendorInfo = t2Info.vendor
tInfo.FirmwareVersionMajor = t2Info.fwMajor
tInfo.FirmwareVersionMinor = t2Info.fwMinor
return &tInfo, nil
}
// Return value: handle, whether we generated a new one, error
func (t *wrappedTPM20) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, bool, error) {
_, _, _, err := tpm2.ReadPublic(t.rwc, pHnd)
if err == nil {
// Found the persistent handle, assume it's the key we want.
return pHnd, false, nil
}
var keyHnd tpmutil.Handle
switch pHnd {
case commonSrkEquivalentHandle:
keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", "", defaultSRKTemplate)
case commonEkEquivalentHandle:
keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
}
if err != nil {
return 0, false, fmt.Errorf("CreatePrimary failed: %v", err)
}
defer tpm2.FlushContext(t.rwc, keyHnd)
err = tpm2.EvictControl(t.rwc, "", tpm2.HandleOwner, keyHnd, pHnd)
if err != nil {
return 0, false, fmt.Errorf("EvictControl failed: %v", err)
}
return pHnd, true, nil
}
func (t *wrappedTPM20) eks() ([]EK, error) {
if cert, err := readEKCertFromNVRAM20(t.rwc); err == nil {
return []EK{
{Public: crypto.PublicKey(cert.PublicKey), Certificate: cert},
}, nil
}
// Attempt to create an EK.
ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate)
if err != nil {
return nil, fmt.Errorf("EK CreatePrimary failed: %v", err)
}
defer tpm2.FlushContext(t.rwc, ekHnd)
pub, _, _, err := tpm2.ReadPublic(t.rwc, ekHnd)
if err != nil {
return nil, fmt.Errorf("EK ReadPublic failed: %v", err)
}
if pub.RSAParameters == nil {
return nil, errors.New("ECC EK not yet supported")
}
return []EK{
{
Public: &rsa.PublicKey{
E: int(pub.RSAParameters.Exponent()),
N: pub.RSAParameters.Modulus(),
},
},
}, nil
}
func (t *wrappedTPM20) newAK(opts *AKConfig) (*AK, error) {
// TODO(jsonp): Abstract choice of hierarchy & parent.
srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
if err != nil {
return nil, fmt.Errorf("failed to get SRK handle: %v", err)
}
blob, pub, creationData, creationHash, tix, err := tpm2.CreateKey(t.rwc, srk, tpm2.PCRSelection{}, "", "", akTemplate)
if err != nil {
return nil, fmt.Errorf("CreateKeyEx() failed: %v", err)
}
keyHandle, _, err := tpm2.Load(t.rwc, srk, "", pub, blob)
if err != nil {
return nil, fmt.Errorf("Load() failed: %v", err)
}
// If any errors occur, free the AK's handle.
defer func() {
if err != nil {
tpm2.FlushContext(t.rwc, keyHandle)
}
}()
// We can only certify the creation immediately afterwards, so we cache the result.
attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, keyHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, &tix)
if err != nil {
return nil, fmt.Errorf("CertifyCreation failed: %v", err)
}
// Pack the raw structure into a TPMU_SIGNATURE.
signature, err := tpmutil.Pack(tpm2.AlgRSASSA, tpm2.AlgSHA256, tpmutil.U16Bytes(sig))
if err != nil {
return nil, fmt.Errorf("failed to pack TPMT_SIGNATURE: %v", err)
}
return &AK{ak: newWrappedKey20(keyHandle, blob, pub, creationData, attestation, signature)}, nil
}
func (t *wrappedTPM20) loadAK(opaqueBlob []byte) (*AK, error) {
sKey, err := deserializeKey(opaqueBlob, TPMVersion20)
if err != nil {
return nil, fmt.Errorf("deserializeKey() failed: %v", err)
}
if sKey.Encoding != keyEncodingEncrypted {
return nil, fmt.Errorf("unsupported key encoding: %x", sKey.Encoding)
}
srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
if err != nil {
return nil, fmt.Errorf("failed to get SRK handle: %v", err)
}
var hnd tpmutil.Handle
if hnd, _, err = tpm2.Load(t.rwc, srk, "", sKey.Public, sKey.Blob); err != nil {
return nil, fmt.Errorf("Load() failed: %v", err)
}
return &AK{ak: newWrappedKey20(hnd, sKey.Blob, sKey.Public, sKey.CreateData, sKey.CreateAttestation, sKey.CreateSignature)}, nil
}
func (t *wrappedTPM20) pcrs(alg HashAlg) ([]PCR, error) {
PCRs, err := readAllPCRs20(t.rwc, alg.goTPMAlg())
if err != nil {
return nil, fmt.Errorf("failed to read PCRs: %v", err)
}
out := make([]PCR, len(PCRs))
for index, digest := range PCRs {
out[int(index)] = PCR{
Index: int(index),
Digest: digest,
DigestAlg: alg.cryptoHash(),
}
}
return out, nil
}
func (t *wrappedTPM20) measurementLog() ([]byte, error) {
return t.rwc.MeasurementLog()
}
// wrappedKey20 represents a key manipulated through a *wrappedTPM20.
type wrappedKey20 struct {
hnd tpmutil.Handle
blob []byte
public []byte // used by both TPM1.2 and 2.0
createData []byte
createAttestation []byte
createSignature []byte
}
func newWrappedKey20(hnd tpmutil.Handle, blob, public, createData, createAttestation, createSig []byte) ak {
return &wrappedKey20{
hnd: hnd,
blob: blob,
public: public,
createData: createData,
createAttestation: createAttestation,
createSignature: createSig,
}
}
func (k *wrappedKey20) marshal() ([]byte, error) {
return (&serializedKey{
Encoding: keyEncodingEncrypted,
TPMVersion: TPMVersion20,
Blob: k.blob,
Public: k.public,
CreateData: k.createData,
CreateAttestation: k.createAttestation,
CreateSignature: k.createSignature,
}).Serialize()
}
func (k *wrappedKey20) close(t tpmBase) error {
tpm, ok := t.(*wrappedTPM20)
if !ok {
return fmt.Errorf("expected *wrappedTPM20, got %T", t)
}
return tpm2.FlushContext(tpm.rwc, k.hnd)
}
func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential) ([]byte, error) {
t, ok := tb.(*wrappedTPM20)
if !ok {
return nil, fmt.Errorf("expected *wrappedTPM20, got %T", tb)
}
ekHnd, _, err := t.getPrimaryKeyHandle(commonEkEquivalentHandle)
if err != nil {
return nil, err
}
sessHandle, _, err := tpm2.StartAuthSession(
t.rwc,
tpm2.HandleNull, /*tpmKey*/
tpm2.HandleNull, /*bindKey*/
make([]byte, 16), /*nonceCaller*/
nil, /*secret*/
tpm2.SessionPolicy,
tpm2.AlgNull,
tpm2.AlgSHA256)
if err != nil {
return nil, fmt.Errorf("creating session: %v", err)
}
defer tpm2.FlushContext(t.rwc, sessHandle)
if _, err := tpm2.PolicySecret(t.rwc, tpm2.HandleEndorsement, tpm2.AuthCommand{Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession}, sessHandle, nil, nil, nil, 0); err != nil {
return nil, fmt.Errorf("tpm2.PolicySecret() failed: %v", err)
}
return tpm2.ActivateCredentialUsingAuth(t.rwc, []tpm2.AuthCommand{
{Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession},
{Session: sessHandle, Attributes: tpm2.AttrContinueSession},
}, k.hnd, ekHnd, in.Credential[2:], in.Secret[2:])
}
func (k *wrappedKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
t, ok := tb.(*wrappedTPM20)
if !ok {
return nil, fmt.Errorf("expected *wrappedTPM20, got %T", tb)
}
return quote20(t.rwc, k.hnd, tpm2.Algorithm(alg), nonce)
}
func (k *wrappedKey20) attestationParameters() AttestationParameters {
return AttestationParameters{
Public: k.public,
CreateData: k.createData,
CreateAttestation: k.createAttestation,
CreateSignature: k.createSignature,
}
}