Commit Graph

240 Commits

Author SHA1 Message Date
Joe Richey
8820d49b18 CI: Allow SHA1 on Go 1.18
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
0961a88d7c parseEfiSignature: Don't rely on type of error code
The specific error type is not part of x509.ParseCertificate documented
API. So we shouldn't rely on it for this workaround.

Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
df6b91cbdb test: Use Fatalf instead of Errorf to prevent segfault
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
03018e6828 Remove certificate-transparency-go dependancy
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
0a9ecdcf7c Run CI for Go 1.18
Signed-off-by: Joe Richey <joerichey@google.com>
2022-03-25 13:55:33 -07:00
Joe Richey
4b44082d2c ci: ONly run on pushes to master
This prevents running the CI twice when opening a PR with a non-master
branch.

Signed-off-by: Joe Richey <joerichey@google.com>
2022-03-25 13:55:33 -07:00
dependabot[bot]
2a5dfec7cf
Bump github.com/google/go-cmp from 0.5.5 to 0.5.7 (#261)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.5 to 0.5.7.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.5...v0.5.7)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-23 21:08:15 -07:00
Jiankun Lü
83d71b1c53
Bump go-tpm version (#264)
Certify now returns raw TPMT_SIGNATURE, so no need to pack it.
2022-02-14 16:31:48 -08:00
Tom D
277c40ca1d
AKPublic.VerifyAll: Additionally validate input parameters (#263) 2022-01-31 09:32:19 -08:00
Tom D
82f2c9c2c7
Merge pull request from GHSA-99cg-575x-774p
* AKPublic.Verify: Return an error if a provided PCR of the correct
   digest was not included in the quote.
 * AKPublic.VerifyAll: Implement VerifyAll method, which can cross-check
   that provided PCRs were covered by quotes across PCR banks.
 * PCR.QuoteVerified(): Introduce getter method to expose whether a
   PCR value was covered during quote verification.
2022-01-31 09:10:07 -08:00
dependabot[bot]
21f642c3c7 Copybara import of the project:
--
54a86af398 by dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>:

Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1

Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/250 from google:dependabot/go_modules/github.com/google/go-tpm-tools-0.3.1 54a86af398
PiperOrigin-RevId: 415136926
2022-01-11 16:29:12 -08:00
Brandon Weeks
d114f3922f Copybara import of the project:
--
501de37b33 by Brandon Weeks <bweeks@google.com>:

Restore changes accidentally reverted during reconciliation

COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/256 from brandonweeks:fix_reconciliation 501de37b33
PiperOrigin-RevId: 415128139
2022-01-11 16:29:01 -08:00
dependabot[bot]
b92e2746d6
Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1 (#250)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-12-08 17:24:29 -08:00
Brandon Weeks
2f8dbfc94e
Restore changes accidentally reverted during reconciliation (#256) 2021-12-08 16:43:38 -08:00
copybara-service[bot]
f1f1b84491
Revert "Internal change"
PiperOrigin-RevId: 415106054

Co-authored-by: Brandon Weeks <bweeks@google.com>
2021-12-08 15:06:48 -08:00
Brandon Weeks
57a6cb587a Internal change
PiperOrigin-RevId: 415099842
2021-12-08 14:37:13 -08:00
Tom D'Netto
0393b91867 Implement CombineEventlogs().
PiperOrigin-RevId: 410914994
2021-11-18 15:36:36 -08:00
Brandon Weeks
be496f1149 Internal change
PiperOrigin-RevId: 394330027
2021-09-01 15:39:03 -07:00
Eric Chiang
a35bd36e42
attest: fix test build for MacOS (#241)
Windows still requires openssl due to tpm-tools simulator. Will try to
figure out that next.
2021-09-01 13:24:57 -07:00
Alex Wu
505680f536
Invert 'notspi' build tag to 'tspi' (#237)
This change allows users to specify TPM1.2 support rather than remove it.
go-attestation will build without needing Trousers/TSPI support.
The flip-side of this is that TPM1.2 does not just work; TPM1.2 users need to
include the `tspi` build tag.
2021-09-01 12:55:02 -07:00
Eric Chiang
7cf0af2beb
.github: add initial github action for CI (#239)
Goal is to switch current builder run internally by Google over to
GitHub Actions.
2021-09-01 11:15:26 -07:00
copybara-service[bot]
5410759ddc
Consider a nonce in NVRAM when computing the EK Template (Fixes #236). (#238)
PiperOrigin-RevId: 394112776

Co-authored-by: Tom D'Netto <jsonp@google.com>
2021-08-31 17:45:37 -07:00
Tom D
cc52e2d143
Handle EFI_ACTION events signalling DMA protection is disabled. (#235) 2021-08-23 14:03:58 -07:00
Timo Lindfors
7d128657ca Fix misleading comment 2021-08-10 12:18:55 -07:00
Timo Lindfors
e8c5dc4fd5 Fix minor spelling issues in comments 2021-08-10 12:18:55 -07:00
tracefinder
5df8a8e979
Add a build tag to turn off TPM12 support and avoid tspi dependency (#232)
* Add build tag to turn off TPM12 support and avoid tspi dependency

* Add notspi build flag related information in README.md
2021-07-30 12:26:45 -07:00
dependabot[bot]
9ff0d31d3c
Bump github.com/google/go-cmp from 0.5.5 to 0.5.6 (#221)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.5 to 0.5.6.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.5...v0.5.6)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-07-02 11:17:17 -07:00
Eric Chiang
fa6830fc2f
update go-tspi dependency (#231)
This fixes go-attestation builds on 32 bit architectures.
2021-07-02 10:45:08 -07:00
Brandon Weeks
7ec6228f59 Rollback using certificatetransparency/x509 for the CI code
PiperOrigin-RevId: 380897258
2021-06-22 14:48:41 -07:00
copybara-service[bot]
bec58f2406
Internal change (#227)
PiperOrigin-RevId: 380891920

Co-authored-by: Brandon Weeks <bweeks@google.com>
2021-06-22 14:33:47 -07:00
Go-Attestation Team
20a9e4b381 Internal change
PiperOrigin-RevId: 380881515
2021-06-22 20:41:11 +00:00
Tom D
1b4849d2c3
Make possibly-missing WBCL values ternary-typed (#226) 2021-06-21 14:10:45 -07:00
Alex Wu
0a3c6e82bf
Ignore SBAT events in ParseUEFIVariableAuthority (#222)
As part of the Boothole fixes, shim has introduced an
SBAT feature https://github.com/rhboot/shim/blob/main/SBAT.md.
SBAT configuration is configured to log to PCR7 using
EV_EFI_VARIABLE_AUTHORITY.
493bd940e5/mok.c (L228-L247)

This causes issue with ParseUEFIVariableAuthority, as
it asssumes that an event with type EV_EFI_VARIABLE_AUTHORITY
can be parsed as EFI_SIGNATURE_DATA, per section 3.3.4.8
of the TCG PC Client Platform Firmware Profile Specification.
2021-06-03 14:28:24 -07:00
Paweł Szałachowski
c4760bd1c6
Validate the RSA-PSS salt length argument. (#219) 2021-05-21 15:28:56 -07:00
Paweł Szałachowski
0b7298fb18
Support RSA application keys (#218) 2021-05-20 11:15:09 -07:00
Paweł Szałachowski
7f6fec6b36
add ecdsa configuration options (#217)
Add configuration options for ECDSA key generation.
2021-05-19 11:32:54 -07:00
Tom D
ee5bb94c43
WIP processing image load events (#216) 2021-05-10 12:11:58 -07:00
Paweł Szałachowski
9b857465d0
Handle to interface{} in *windowsKey12.certify() (#214) 2021-04-23 16:13:10 -07:00
Paweł Szałachowski
6848928436
Add AK.Certify() and use CertifyEx() for certification (#210)
* replace CertifyCreation() by CertifyEx() to handle certification of objects for which we cannot extract CreationData
* add AK.Certify(handle) allowing to certify externally-created keys
2021-04-23 14:41:30 -07:00
Tom D
e24a847d44
Add initial docs for attest-tool (#213) 2021-04-15 12:14:18 -07:00
Brandon Weeks
b6c6a0c365
Parse TCG_PCClientPCREvent structures with an eventSize of 0 (#212) 2021-04-14 13:59:06 -07:00
Brandon Weeks
31ad4f57fd
Fix integer overflow in digest parsing (#211) 2021-04-13 15:57:16 -07:00
Dmitrii Okunev
b89180c3eb
bugfix(eventlog): Assume TPM1.2 events if NO_ACTION is too short (#208) 2021-04-13 10:46:15 -07:00
Tom D
1ceeedc8dc
win_events: Determine if the WBCL was for a cold boot (as opposed to a resume from hibernation) (#209) 2021-04-07 16:08:29 -07:00
Paweł Szałachowski
1bbba0bdfd
Minor fixes and additions (#207)
* replace ReadPublic() by DecodePublic() when creating and loading keys: the current implementation calls ReadPublic() even if public data is already accessible
* drop handle() from the ak interface: it is unnecessary
* add Blobs() to attest.Key: to allow agnostic key marshaling
2021-04-01 19:29:45 -07:00
Paweł Szałachowski
611c6598b2
testKeySign: small fix (#206) 2021-04-01 09:53:30 -07:00
Brandon Weeks
9fc6c7504a
Bump Go version to 1.16, update dependencies (#205) 2021-03-17 15:05:37 -07:00
Paweł Szałachowski
1379a4f766
Verify(): ensure that the hash function is available (#204) 2021-03-09 09:30:11 -08:00
Paweł Szałachowski
440d34a877
Support for application signing keys (#201) 2021-03-08 12:27:00 -08:00
dependabot[bot]
328912c0ae
Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (#203)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.4...v0.5.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-03-08 11:09:05 -08:00