Commit Graph

231 Commits

Author SHA1 Message Date
Tom D'Netto
2b73321d17 AKPublic.Verify: return error if a provided PCR was missing from the quote 2022-01-20 13:24:38 -08:00
dependabot[bot]
21f642c3c7 Copybara import of the project:
--
54a86af398 by dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>:

Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1

Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/250 from google:dependabot/go_modules/github.com/google/go-tpm-tools-0.3.1 54a86af398
PiperOrigin-RevId: 415136926
2022-01-11 16:29:12 -08:00
Brandon Weeks
d114f3922f Copybara import of the project:
--
501de37b33 by Brandon Weeks <bweeks@google.com>:

Restore changes accidentally reverted during reconciliation

COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/256 from brandonweeks:fix_reconciliation 501de37b33
PiperOrigin-RevId: 415128139
2022-01-11 16:29:01 -08:00
dependabot[bot]
b92e2746d6
Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1 (#250)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-12-08 17:24:29 -08:00
Brandon Weeks
2f8dbfc94e
Restore changes accidentally reverted during reconciliation (#256) 2021-12-08 16:43:38 -08:00
copybara-service[bot]
f1f1b84491
Revert "Internal change"
PiperOrigin-RevId: 415106054

Co-authored-by: Brandon Weeks <bweeks@google.com>
2021-12-08 15:06:48 -08:00
Brandon Weeks
57a6cb587a Internal change
PiperOrigin-RevId: 415099842
2021-12-08 14:37:13 -08:00
Tom D'Netto
0393b91867 Implement CombineEventlogs().
PiperOrigin-RevId: 410914994
2021-11-18 15:36:36 -08:00
Brandon Weeks
be496f1149 Internal change
PiperOrigin-RevId: 394330027
2021-09-01 15:39:03 -07:00
Eric Chiang
a35bd36e42
attest: fix test build for MacOS (#241)
Windows still requires openssl due to tpm-tools simulator. Will try to
figure out that next.
2021-09-01 13:24:57 -07:00
Alex Wu
505680f536
Invert 'notspi' build tag to 'tspi' (#237)
This change allows users to specify TPM1.2 support rather than remove it.
go-attestation will build without needing Trousers/TSPI support.
The flip-side of this is that TPM1.2 does not just work; TPM1.2 users need to
include the `tspi` build tag.
2021-09-01 12:55:02 -07:00
Eric Chiang
7cf0af2beb
.github: add initial github action for CI (#239)
Goal is to switch current builder run internally by Google over to
GitHub Actions.
2021-09-01 11:15:26 -07:00
copybara-service[bot]
5410759ddc
Consider a nonce in NVRAM when computing the EK Template (Fixes #236). (#238)
PiperOrigin-RevId: 394112776

Co-authored-by: Tom D'Netto <jsonp@google.com>
2021-08-31 17:45:37 -07:00
Tom D
cc52e2d143
Handle EFI_ACTION events signalling DMA protection is disabled. (#235) 2021-08-23 14:03:58 -07:00
Timo Lindfors
7d128657ca Fix misleading comment 2021-08-10 12:18:55 -07:00
Timo Lindfors
e8c5dc4fd5 Fix minor spelling issues in comments 2021-08-10 12:18:55 -07:00
tracefinder
5df8a8e979
Add a build tag to turn off TPM12 support and avoid tspi dependency (#232)
* Add build tag to turn off TPM12 support and avoid tspi dependency

* Add notspi build flag related information in README.md
2021-07-30 12:26:45 -07:00
dependabot[bot]
9ff0d31d3c
Bump github.com/google/go-cmp from 0.5.5 to 0.5.6 (#221)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.5 to 0.5.6.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.5...v0.5.6)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-07-02 11:17:17 -07:00
Eric Chiang
fa6830fc2f
update go-tspi dependency (#231)
This fixes go-attestation builds on 32 bit architectures.
2021-07-02 10:45:08 -07:00
Brandon Weeks
7ec6228f59 Rollback using certificatetransparency/x509 for the CI code
PiperOrigin-RevId: 380897258
2021-06-22 14:48:41 -07:00
copybara-service[bot]
bec58f2406
Internal change (#227)
PiperOrigin-RevId: 380891920

Co-authored-by: Brandon Weeks <bweeks@google.com>
2021-06-22 14:33:47 -07:00
Go-Attestation Team
20a9e4b381 Internal change
PiperOrigin-RevId: 380881515
2021-06-22 20:41:11 +00:00
Tom D
1b4849d2c3
Make possibly-missing WBCL values ternary-typed (#226) 2021-06-21 14:10:45 -07:00
Alex Wu
0a3c6e82bf
Ignore SBAT events in ParseUEFIVariableAuthority (#222)
As part of the Boothole fixes, shim has introduced an
SBAT feature https://github.com/rhboot/shim/blob/main/SBAT.md.
SBAT configuration is configured to log to PCR7 using
EV_EFI_VARIABLE_AUTHORITY.
493bd940e5/mok.c (L228-L247)

This causes issue with ParseUEFIVariableAuthority, as
it asssumes that an event with type EV_EFI_VARIABLE_AUTHORITY
can be parsed as EFI_SIGNATURE_DATA, per section 3.3.4.8
of the TCG PC Client Platform Firmware Profile Specification.
2021-06-03 14:28:24 -07:00
Paweł Szałachowski
c4760bd1c6
Validate the RSA-PSS salt length argument. (#219) 2021-05-21 15:28:56 -07:00
Paweł Szałachowski
0b7298fb18
Support RSA application keys (#218) 2021-05-20 11:15:09 -07:00
Paweł Szałachowski
7f6fec6b36
add ecdsa configuration options (#217)
Add configuration options for ECDSA key generation.
2021-05-19 11:32:54 -07:00
Tom D
ee5bb94c43
WIP processing image load events (#216) 2021-05-10 12:11:58 -07:00
Paweł Szałachowski
9b857465d0
Handle to interface{} in *windowsKey12.certify() (#214) 2021-04-23 16:13:10 -07:00
Paweł Szałachowski
6848928436
Add AK.Certify() and use CertifyEx() for certification (#210)
* replace CertifyCreation() by CertifyEx() to handle certification of objects for which we cannot extract CreationData
* add AK.Certify(handle) allowing to certify externally-created keys
2021-04-23 14:41:30 -07:00
Tom D
e24a847d44
Add initial docs for attest-tool (#213) 2021-04-15 12:14:18 -07:00
Brandon Weeks
b6c6a0c365
Parse TCG_PCClientPCREvent structures with an eventSize of 0 (#212) 2021-04-14 13:59:06 -07:00
Brandon Weeks
31ad4f57fd
Fix integer overflow in digest parsing (#211) 2021-04-13 15:57:16 -07:00
Dmitrii Okunev
b89180c3eb
bugfix(eventlog): Assume TPM1.2 events if NO_ACTION is too short (#208) 2021-04-13 10:46:15 -07:00
Tom D
1ceeedc8dc
win_events: Determine if the WBCL was for a cold boot (as opposed to a resume from hibernation) (#209) 2021-04-07 16:08:29 -07:00
Paweł Szałachowski
1bbba0bdfd
Minor fixes and additions (#207)
* replace ReadPublic() by DecodePublic() when creating and loading keys: the current implementation calls ReadPublic() even if public data is already accessible
* drop handle() from the ak interface: it is unnecessary
* add Blobs() to attest.Key: to allow agnostic key marshaling
2021-04-01 19:29:45 -07:00
Paweł Szałachowski
611c6598b2
testKeySign: small fix (#206) 2021-04-01 09:53:30 -07:00
Brandon Weeks
9fc6c7504a
Bump Go version to 1.16, update dependencies (#205) 2021-03-17 15:05:37 -07:00
Paweł Szałachowski
1379a4f766
Verify(): ensure that the hash function is available (#204) 2021-03-09 09:30:11 -08:00
Paweł Szałachowski
440d34a877
Support for application signing keys (#201) 2021-03-08 12:27:00 -08:00
dependabot[bot]
328912c0ae
Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (#203)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.4...v0.5.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-03-08 11:09:05 -08:00
Paweł Szałachowski
d436f3c9c5
attestPCRs(): make sure that the return values are consistent (#199) 2021-01-12 16:21:21 -08:00
Eric Chiang
339bdb245a
attest: add bounds checks for slice indexes (#197)
Found manually looking through the code. The activate credential could
crash the client, the secureboot and challenge generation could crash
the server.
2020-12-30 19:33:55 +01:00
dependabot[bot]
0ee6160aab
Bump github.com/google/go-tpm-tools from 0.2.0 to 0.2.1 (#196)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.0...v0.2.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-12-14 12:49:45 +01:00
dependabot[bot]
f98225cdc5
Bump github.com/google/go-tpm from 0.3.1 to 0.3.2 (#195)
Bumps [github.com/google/go-tpm](https://github.com/google/go-tpm) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/google/go-tpm/releases)
- [Commits](https://github.com/google/go-tpm/compare/v0.3.1...v0.3.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-12-14 12:44:47 +01:00
Deepika Rajani
dfe63791df
Update tpm_windows.go (#194) 2020-12-14 12:37:04 +01:00
Deepika Rajani
2f809d0330
Deepikarajani24 patch 1 (#193)
* tbs.dll to not initialize on start up
so that it's not initialized when tpm support is not required

Changed author to my google.com user

* initialize tbs.dll and proc Tbsi_GetDeviceInfo during probeSystemTPMs

initialization is done in probeSystemTPMs as it's called before openTPM which requires support of the dll
changed author to my google.com user

* tbs.dll to load once

Changed the author to my google.com email

* Tbsi_GetDeviceInfo check to happen once
changed the author of the commit
2020-12-02 11:09:22 -08:00
dependabot[bot]
9632df6f12
Bump github.com/google/go-cmp from 0.5.3 to 0.5.4 (#191)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.3 to 0.5.4.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.3...v0.5.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom D <40675700+twitchy-jsonp@users.noreply.github.com>
2020-11-30 12:27:08 -08:00
Eric Chiang
0efaf4b19f
attest: improve event log debugging (#190)
Event log verification is terrible and easy to mess up. Even if you
replay against the PCRs there are still values that can be tampered with
or reordered. PCRs also shouldn't be trusted unless they're attested to
have come from the correct TPM.

Given this, it seems advantageous to add some ability to consume raw
event logs, even if it's just for debugging.
2020-11-30 12:22:43 -08:00
Aditya Prakash
63c5188962
Export InvalidPCRs field in ReplayError (#189)
* Export InvalidPCRs field in ReplayError

In order to retrieve the Invalid PCRs which couldn't be replayed against the Event log, we need this field to be exported as this gives the exact and true information. Replay error events will give all the events, but doesn't give the exact PCR index which doesn't get replayed. 

Following is the test to extend PCR 7 and verify the PCRs 7,8,9 against the Event log. Output:
```
event log failed to verify: the following registers failed to replay: [7]
ReplayError Events:=[107]
Replay Error Events PCR indexes=[0 7 2 3 6 9 8 1 4 5]
```

* Add Comment to the exported field
2020-11-30 11:56:55 -08:00