juanvallejo
258084d04e
Add support for generating TPM2.0 challenges using AttestedCertifyInfo
Fixes: issues/320.
Adds support for generating an activation challenge using
CertificationParameters.
Achieves symmetry with challenge-generation in
AttestationParameters, in order to provide a challenge to a
TPM to activate a TPM-certified key.
`attest.Activation` currently supports verifying and
generating a challenge given attestationData, an EK, an AK,
and a signature. In the attestationData, the CreationInfo
field is used to further validate and create the resulting
challenge.
In this change, `attest.Certification` will now support
generating a challenge given attestationData, an EK, a
TPM-certified public key, and a signature, in addition to
an AK used to verify the certification of the provided
public key we are generating an activation challenge for.
2023-06-06 10:46:12 -07:00
Herman Slatman
89884d0a74
Fix Intel EK certificate URL (#310)
* Fix Intel EK certificate URL
To download the certificate for an Intel TPM, the base64 padding
in the URL needs to be replaced with `%3D`. If it's not replaced,
requesting the URL will result in HTTP 403 Forbidden.
* Use `url.QueryEscape` to escape base64 padding
2023-06-02 09:17:59 -07:00
zhsh
b474b712d4
wrappedTPM20.ekTemplate() never returns an error. (#327)
2023-05-29 10:16:09 -07:00
dependabot[bot]
a4b579bcf0
Bump github.com/google/go-tpm-tools from 0.3.9 to 0.3.12 (#324)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.9 to 0.3.12.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.9...v0.3.12)
---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-22 11:14:50 -07:00
dependabot[bot]
62a036b369
Bump golang.org/x/sys from 0.0.0-20220209214540-3681064d5158 to 0.8.0 (#316)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.0.0-20220209214540-3681064d5158 to 0.8.0.
- [Commits](https://github.com/golang/sys/commits/v0.8.0)
---
updated-dependencies:
- dependency-name: golang.org/x/sys
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-22 11:03:00 -07:00
Brandon Weeks
10dd5f7a05
Bump Go version to 1.19 (#325)
2023-05-22 10:52:09 -07:00
Noah Stride
3ef3949b46
Fix comments referring to .Serialize() instead of .Marshal()
2023-05-15 10:56:35 -07:00
José Martínez
1f9c436d57
Parse TCG_PCR_EVENT2 structures with an eventSize of 0
2023-05-15 09:19:59 -07:00
dependabot[bot]
270ecbab1f
Bump github.com/google/go-tspi (#307)
Bumps [github.com/google/go-tspi](https://github.com/google/go-tspi) from 0.2.1-0.20190423175329-115dea689aad to 0.3.0.
- [Release notes](https://github.com/google/go-tspi/releases)
- [Commits](https://github.com/google/go-tspi/commits/v0.3.0)
---
updated-dependencies:
- dependency-name: github.com/google/go-tspi
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-10 10:28:28 -08:00
Brandon Weeks
0ccbb50494
Handle multiple ELAM events (#309)
2023-03-08 13:32:50 -08:00
Mike Gerow
68deb4ce55
Use NV cert index as auth hierarchy for EK cert
This is the same approach tpm2_getekcertificate uses, with its
`TPM2_HANDLE_FLAGS_NV` flag.
The main impetus here is ChromeOS's vtpm implementation[1], which
doesn't have a concept of an "owner" or "platform" password and expects
the NV index itself as the auth hierarchy. In either case, as this is
the same approach tpm2_getekcertificate uses this should provide a more
standard/common approach as opposed to relying on the owner password to
be empty.
Tested with both CrOS's vTPM and a real TPM on Debian.
b/258300352
[1]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform2/vtpm/commands/nv_read_command.cc;l=64-68;drc=1efd0c8f36050d56b8550354a4c7af925e44118a
2023-01-05 12:25:14 -08:00
Marcin Wielgoszewski
5238453493
Truncate digests to the left most bits to match the bit-length of the order of the curve
2022-11-15 15:26:00 -08:00
Mike Gerow
b93151db1f
Preserve error logic in getPrimaryKeyHandle (#296)
In `wrappedTPM20.getPrimaryKeyHandle()`, preserve any error from the
short-circuit `tpm2.ReadPublic()` logic, so that we can return it
alongside any failure in `tpm2.CreatePrimary()`
Co-authored-by: Justin King-Lacroix <justinkl@google.com>
2022-11-04 14:57:37 -07:00
Brandon Weeks
0dc056af7d
Fix golangci-lint findings
2022-11-01 13:38:49 -07:00
Brandon Weeks
19d3c4de97
Run golangci-lint as part of CI
https://golangci-lint.run/usage/install/#ci-installation
2022-11-01 13:38:49 -07:00
Brandon Weeks
438907edb0
Fix lints; run gofmt (#293)
$ gofmt -s -w .
2022-11-01 12:19:57 -07:00
hansinator
17f9c05652
fix returning wrong error in ParseWinEvents (#291)
Co-authored-by: Hans-Gert Dahmen <hans-gert.dahmen@immu.ne>
2022-10-11 09:22:10 -07:00
hansinator
d98599d257
Fix decoding of uints in windows events (#290)
Co-authored-by: Hans-Gert Dahmen <hans-gert.dahmen@immu.ne>
2022-10-07 13:01:04 -07:00
dependabot[bot]
053c50e8ad
Bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (#286)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.8 to 0.5.9.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.8...v0.5.9)
---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-09-12 11:14:05 -04:00
Malte Poll
e99c3e104e
Ignore MokListTrusted events in ParseUEFIVariableAuthority (#284)
2022-09-09 15:58:48 -07:00
dependabot[bot]
dff2daeaf0
Bump github.com/google/go-tpm-tools from 0.3.8 to 0.3.9 (#285)
2022-08-22 19:31:56 +00:00
Brandon Weeks
f5d560164e
Set NoDa flag on the AK template (#280)
Resolves an issue where a TPM in DA lockout mode cannot generate an AK.
2022-06-03 12:51:56 -07:00
Brandon Weeks
cb976082a3
x509ext: initial version of package (#279)
2022-06-02 15:05:51 -07:00
Brandon Weeks
50e72a4743
attest: fix OSS-Fuzz build (#278)
2022-05-31 21:50:58 -07:00
Brandon Weeks
f1ff544e51
attest: restore change from a35bd36 mistakenly removed in be496f1 (#277)
2022-05-31 13:12:21 -07:00
dependabot[bot]
e0bd974e4e
Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#275)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.7 to 0.5.8.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.7...v0.5.8)
---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-16 12:44:25 -07:00
dependabot[bot]
ad58dc770e
Bump github.com/google/go-tpm-tools from 0.3.7 to 0.3.8 (#276)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.7 to 0.3.8.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.7...v0.3.8)
---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-16 12:44:06 -07:00
dependabot[bot]
8235370483
Bump github.com/google/go-tpm-tools from 0.3.1 to 0.3.7 (#273)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.1 to 0.3.7.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.1...v0.3.7)
---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-04-18 08:39:55 -07:00
Joe Richey
8820d49b18
CI: Allow SHA1 on Go 1.18
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
0961a88d7c
parseEfiSignature: Don't rely on type of error code
The specific error type is not part of x509.ParseCertificate documented
API. So we shouldn't rely on it for this workaround.
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
df6b91cbdb
test: Use Fatalf instead of Errorf to prevent segfault
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
03018e6828
Remove certificate-transparency-go dependency
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
0a9ecdcf7c
Run CI for Go 1.18
Signed-off-by: Joe Richey <joerichey@google.com>
2022-03-25 13:55:33 -07:00
Joe Richey
4b44082d2c
ci: Only run on pushes to master
This prevents running the CI twice when opening a PR with a non-master
branch.
Signed-off-by: Joe Richey <joerichey@google.com>
2022-03-25 13:55:33 -07:00
dependabot[bot]
2a5dfec7cf
Bump github.com/google/go-cmp from 0.5.5 to 0.5.7 (#261)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.5 to 0.5.7.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.5...v0.5.7)
---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-23 21:08:15 -07:00
Jiankun Lü
83d71b1c53
Bump go-tpm version (#264)
Certify now returns raw TPMT_SIGNATURE, so no need to pack it.
2022-02-14 16:31:48 -08:00
Tom D
277c40ca1d
AKPublic.VerifyAll: Additionally validate input parameters (#263)
2022-01-31 09:32:19 -08:00
Tom D
82f2c9c2c7
Merge pull request from GHSA-99cg-575x-774p
* AKPublic.Verify: Return an error if a provided PCR of the correct
digest was not included in the quote.
* AKPublic.VerifyAll: Implement VerifyAll method, which can cross-check
that provided PCRs were covered by quotes across PCR banks.
* PCR.QuoteVerified(): Introduce getter method to expose whether a
PCR value was covered during quote verification.
2022-01-31 09:10:07 -08:00
dependabot[bot]
21f642c3c7
Copybara import of the project:
--
54a86af398
by dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>:
Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)
---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/250 from google:dependabot/go_modules/github.com/google/go-tpm-tools-0.3.1 54a86af398
PiperOrigin-RevId: 415136926
2022-01-11 16:29:12 -08:00
Brandon Weeks
d114f3922f
Copybara import of the project:
--
501de37b33
by Brandon Weeks <bweeks@google.com>:
Restore changes accidentally reverted during reconciliation
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/256 from brandonweeks:fix_reconciliation 501de37b33
PiperOrigin-RevId: 415128139
2022-01-11 16:29:01 -08:00
dependabot[bot]
b92e2746d6
Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1 (#250)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)
---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-12-08 17:24:29 -08:00
Brandon Weeks
2f8dbfc94e
Restore changes accidentally reverted during reconciliation (#256)
2021-12-08 16:43:38 -08:00
copybara-service[bot]
f1f1b84491
Revert "Internal change"
PiperOrigin-RevId: 415106054
Co-authored-by: Brandon Weeks <bweeks@google.com>
2021-12-08 15:06:48 -08:00
Brandon Weeks
57a6cb587a
Internal change
PiperOrigin-RevId: 415099842
2021-12-08 14:37:13 -08:00
Tom D'Netto
0393b91867
Implement CombineEventlogs().
PiperOrigin-RevId: 410914994
2021-11-18 15:36:36 -08:00
Brandon Weeks
be496f1149
Internal change
PiperOrigin-RevId: 394330027
2021-09-01 15:39:03 -07:00
Eric Chiang
a35bd36e42
attest: fix test build for MacOS (#241)
Windows still requires openssl due to tpm-tools simulator. Will try to
figure out that next.
2021-09-01 13:24:57 -07:00
Alex Wu
505680f536
Invert 'notspi' build tag to 'tspi' (#237)
This change allows users to specify TPM1.2 support rather than remove it.
go-attestation will build without needing Trousers/TSPI support.
The flip-side of this is that TPM1.2 does not just work; TPM1.2 users need to
include the `tspi` build tag.
2021-09-01 12:55:02 -07:00
Eric Chiang
7cf0af2beb
.github: add initial github action for CI (#239)
Goal is to switch current builder run internally by Google over to
GitHub Actions.
2021-09-01 11:15:26 -07:00
copybara-service[bot]
5410759ddc
Consider a nonce in NVRAM when computing the EK Template (Fixes #236). (#238)
PiperOrigin-RevId: 394112776
Co-authored-by: Tom D'Netto <jsonp@google.com>
2021-08-31 17:45:37 -07:00