Commit Graph

268 Commits

Author SHA1 Message Date
juanvallejo
258084d04e Add support for generating TPM2.0 challenges using AttestedCertifyInfo
Fixes: issues/320.

Adds support for generating an activation challenge using
CertificationParameters.
Achieves symmetry with challenge-generation in
AttestationParameters, in order to provide a challenge to a
TPM to activate a TPM-certified key.

`attest.Activation` currently supports verifying and
generating a challenge given attestationData, an EK, an AK,
and a signature. In the attestationData, the CreationInfo
field is used to further validate and create the resulting
challenge.
In this change, `attest.Certification` will now support
generating a challenge given attestationData, an EK, a
TPM-certified public key, and a signature, in addition to
an AK used to verify the certification of the provided
public key we are generating an activation challenge for.
2023-06-06 10:46:12 -07:00
Herman Slatman
89884d0a74
Fix Intel EK certificate URL (#310)
* Fix Intel EK certificate URL

To download the certificate for an Intel TPM, the base64 padding
in the URL needs to be replaced with `%3D`. If it's not replaced,
requesting the URL will result in HTTP 403 Forbidden.

* Use `url.QueryEscape` to escape base64 padding
2023-06-02 09:17:59 -07:00
zhsh
b474b712d4
wrappedTPM20.ekTemplate() never returns an error. (#327) 2023-05-29 10:16:09 -07:00
dependabot[bot]
a4b579bcf0
Bump github.com/google/go-tpm-tools from 0.3.9 to 0.3.12 (#324)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.9 to 0.3.12.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.9...v0.3.12)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-22 11:14:50 -07:00
dependabot[bot]
62a036b369
Bump golang.org/x/sys from 0.0.0-20220209214540-3681064d5158 to 0.8.0 (#316)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.0.0-20220209214540-3681064d5158 to 0.8.0.
- [Commits](https://github.com/golang/sys/commits/v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-22 11:03:00 -07:00
Brandon Weeks
10dd5f7a05
Bump Go version to 1.19 (#325) 2023-05-22 10:52:09 -07:00
Noah Stride
3ef3949b46 Fix comments referring to .Serialize() instead of .Marshal() 2023-05-15 10:56:35 -07:00
José Martínez
1f9c436d57 Parse TCG_PCR_EVENT2 structures with an eventSize of 0 2023-05-15 09:19:59 -07:00
dependabot[bot]
270ecbab1f
Bump github.com/google/go-tspi (#307)
Bumps [github.com/google/go-tspi](https://github.com/google/go-tspi) from 0.2.1-0.20190423175329-115dea689aad to 0.3.0.
- [Release notes](https://github.com/google/go-tspi/releases)
- [Commits](https://github.com/google/go-tspi/commits/v0.3.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-tspi
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-10 10:28:28 -08:00
Brandon Weeks
0ccbb50494
Handle multiple ELAM events (#309) 2023-03-08 13:32:50 -08:00
Mike Gerow
68deb4ce55 Use NV cert index as auth hierarchy for EK cert
This is the same approach tpm2_getekcertificate uses, with its
`TPM2_HANDLE_FLAGS_NV` flag.

The main impetus here is is ChromeOS's vtpm implementation[1], which
doesn't have a concept of an "owner" or "platform" password and expects
the NV index itself as the auth hierarchy. In either case, as this is
the same approach tpm2_getekcertificate uses this should provide a more
standard/common approach as opposed to relying on the owner password to
be empty.

Tested with both CrOS's vTPM and a real TPM on Debian.

b/258300352

[1]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform2/vtpm/commands/nv_read_command.cc;l=64-68;drc=1efd0c8f36050d56b8550354a4c7af925e44118a
2023-01-05 12:25:14 -08:00
Marcin Wielgoszewski
5238453493 Truncate digests to the left most bits to match the bit-length of the order of the curve 2022-11-15 15:26:00 -08:00
Mike Gerow
b93151db1f
Preserve error logic in getPrimaryKeyHandle (#296)
In `wrappedTPM20.getPrimaryKeyHandle()`, preserve any error from the
short-circuit `tpm2.ReadPublic()` logic, so that we can return it
alongside any failure in `tpm2.CreatePrimary()`

Co-authored-by: Justin King-Lacroix <justinkl@google.com>
2022-11-04 14:57:37 -07:00
Brandon Weeks
0dc056af7d Fix golangci-lint findings 2022-11-01 13:38:49 -07:00
Brandon Weeks
19d3c4de97 Run golangci-lint as part of CI
https://golangci-lint.run/usage/install/#ci-installation
2022-11-01 13:38:49 -07:00
Brandon Weeks
438907edb0
Fix lints; run gofmt (#293)
$ gofmt -s -w .
2022-11-01 12:19:57 -07:00
hansinator
17f9c05652
fix returning wrong error in ParseWinEvents (#291)
Co-authored-by: Hans-Gert Dahmen <hans-gert.dahmen@immu.ne>
2022-10-11 09:22:10 -07:00
hansinator
d98599d257
Fix decoding of uints in windows events (#290)
Co-authored-by: Hans-Gert Dahmen <hans-gert.dahmen@immu.ne>
2022-10-07 13:01:04 -07:00
dependabot[bot]
053c50e8ad
Bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (#286)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.8 to 0.5.9.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.8...v0.5.9)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-09-12 11:14:05 -04:00
Malte Poll
e99c3e104e
Ignore MokListTrusted events in ParseUEFIVariableAuthority (#284) 2022-09-09 15:58:48 -07:00
dependabot[bot]
dff2daeaf0
Bump github.com/google/go-tpm-tools from 0.3.8 to 0.3.9 (#285) 2022-08-22 19:31:56 +00:00
Brandon Weeks
f5d560164e
Set NoDa flag on the AK template (#280)
Resolves an issue where a TPM in DA lockout mode cannot generate an AK.
2022-06-03 12:51:56 -07:00
Brandon Weeks
cb976082a3
x509ext: initial version of package (#279) 2022-06-02 15:05:51 -07:00
Brandon Weeks
50e72a4743
attest: fix OSS-Fuzz build (#278) 2022-05-31 21:50:58 -07:00
Brandon Weeks
f1ff544e51
attest: restore change from a35bd36 mistakingly removed in be496f1 (#277) 2022-05-31 13:12:21 -07:00
dependabot[bot]
e0bd974e4e
Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#275)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.7 to 0.5.8.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.7...v0.5.8)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-16 12:44:25 -07:00
dependabot[bot]
ad58dc770e
Bump github.com/google/go-tpm-tools from 0.3.7 to 0.3.8 (#276)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.7 to 0.3.8.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.7...v0.3.8)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-16 12:44:06 -07:00
dependabot[bot]
8235370483
Bump github.com/google/go-tpm-tools from 0.3.1 to 0.3.7 (#273)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.1 to 0.3.7.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.1...v0.3.7)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-04-18 08:39:55 -07:00
Joe Richey
8820d49b18 CI: Allow SHA1 on Go 1.18
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
0961a88d7c parseEfiSignature: Don't rely on type of error code
The specific error type is not part of x509.ParseCertificate documented
API. So we shouldn't rely on it for this workaround.

Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
df6b91cbdb test: Use Fatalf instead of Errorf to prevent segfault
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
03018e6828 Remove certificate-transparency-go dependancy
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
0a9ecdcf7c Run CI for Go 1.18
Signed-off-by: Joe Richey <joerichey@google.com>
2022-03-25 13:55:33 -07:00
Joe Richey
4b44082d2c ci: ONly run on pushes to master
This prevents running the CI twice when opening a PR with a non-master
branch.

Signed-off-by: Joe Richey <joerichey@google.com>
2022-03-25 13:55:33 -07:00
dependabot[bot]
2a5dfec7cf
Bump github.com/google/go-cmp from 0.5.5 to 0.5.7 (#261)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.5 to 0.5.7.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.5...v0.5.7)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-23 21:08:15 -07:00
Jiankun Lü
83d71b1c53
Bump go-tpm version (#264)
Certify now returns raw TPMT_SIGNATURE, so no need to pack it.
2022-02-14 16:31:48 -08:00
Tom D
277c40ca1d
AKPublic.VerifyAll: Additionally validate input parameters (#263) 2022-01-31 09:32:19 -08:00
Tom D
82f2c9c2c7
Merge pull request from GHSA-99cg-575x-774p
* AKPublic.Verify: Return an error if a provided PCR of the correct
   digest was not included in the quote.
 * AKPublic.VerifyAll: Implement VerifyAll method, which can cross-check
   that provided PCRs were covered by quotes across PCR banks.
 * PCR.QuoteVerified(): Introduce getter method to expose whether a
   PCR value was covered during quote verification.
2022-01-31 09:10:07 -08:00
dependabot[bot]
21f642c3c7 Copybara import of the project:
--
54a86af398 by dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>:

Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1

Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/250 from google:dependabot/go_modules/github.com/google/go-tpm-tools-0.3.1 54a86af398
PiperOrigin-RevId: 415136926
2022-01-11 16:29:12 -08:00
Brandon Weeks
d114f3922f Copybara import of the project:
--
501de37b33 by Brandon Weeks <bweeks@google.com>:

Restore changes accidentally reverted during reconciliation

COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/256 from brandonweeks:fix_reconciliation 501de37b33
PiperOrigin-RevId: 415128139
2022-01-11 16:29:01 -08:00
dependabot[bot]
b92e2746d6
Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1 (#250)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-12-08 17:24:29 -08:00
Brandon Weeks
2f8dbfc94e
Restore changes accidentally reverted during reconciliation (#256) 2021-12-08 16:43:38 -08:00
copybara-service[bot]
f1f1b84491
Revert "Internal change"
PiperOrigin-RevId: 415106054

Co-authored-by: Brandon Weeks <bweeks@google.com>
2021-12-08 15:06:48 -08:00
Brandon Weeks
57a6cb587a Internal change
PiperOrigin-RevId: 415099842
2021-12-08 14:37:13 -08:00
Tom D'Netto
0393b91867 Implement CombineEventlogs().
PiperOrigin-RevId: 410914994
2021-11-18 15:36:36 -08:00
Brandon Weeks
be496f1149 Internal change
PiperOrigin-RevId: 394330027
2021-09-01 15:39:03 -07:00
Eric Chiang
a35bd36e42
attest: fix test build for MacOS (#241)
Windows still requires openssl due to tpm-tools simulator. Will try to
figure out that next.
2021-09-01 13:24:57 -07:00
Alex Wu
505680f536
Invert 'notspi' build tag to 'tspi' (#237)
This change allows users to specify TPM1.2 support rather than remove it.
go-attestation will build without needing Trousers/TSPI support.
The flip-side of this is that TPM1.2 does not just work; TPM1.2 users need to
include the `tspi` build tag.
2021-09-01 12:55:02 -07:00
Eric Chiang
7cf0af2beb
.github: add initial github action for CI (#239)
Goal is to switch current builder run internally by Google over to
GitHub Actions.
2021-09-01 11:15:26 -07:00
copybara-service[bot]
5410759ddc
Consider a nonce in NVRAM when computing the EK Template (Fixes #236). (#238)
PiperOrigin-RevId: 394112776

Co-authored-by: Tom D'Netto <jsonp@google.com>
2021-08-31 17:45:37 -07:00