Commit Graph

276 Commits

Author SHA1 Message Date
smo4201
8af5f4e7de
attest: Make PCRs included in quote configurable (#311)
Change the low-level Quote() functions so that the PCRs to be
included in the quote are selectable. Does not change the
high-level attestPlatform functions, which still retrieve
all PCRs.
2023-06-26 23:04:59 +00:00
zhsh
b92d1c69bf
Add TPM.EKCertificates() method, it returns all certificates from TPM's NVRAM (#333) 2023-06-23 15:10:34 -07:00
zhsh
d29df30553
Add EK as a field to AK struct. (#332)
The change is a no-op for existing clients, and it will simplify
adding the support for ECC EKs. The activation code no longer makes
assumptions about EK's type and handle (i.e. RSA and 0x81010001),
and instead relies on TPM.EKs() to provide the EK's details.
2023-06-22 13:17:47 -07:00
Brandon Weeks
63dd90f699
Bump github.com/google/go-tpm from 0.3.4 to 0.9.0 (#337) 2023-06-21 16:18:54 +02:00
dependabot[bot]
ac9aa2497f
Bump golang.org/x/sys from 0.8.0 to 0.9.0 (#335)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.8.0 to 0.9.0.
- [Commits](https://github.com/golang/sys/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-20 16:40:32 +00:00
Ludovic Fernandez
2788b541c7
Fix golangci-lint workflow (#336) 2023-06-20 09:35:01 -07:00
Chris Fenner
a9b6eb1eb8
use legacy tpm2 at its new path (#331) 2023-06-13 07:43:38 -07:00
zhsh
50c1e1e03b
Renamed some variables and methods to highlight that only RSA EKs are (#330)
currently supported.

This is the first step towards supporting ECC EKs.
2023-06-12 18:36:51 -07:00
juanvallejo
258084d04e Add support for generating TPM2.0 challenges using AttestedCertifyInfo
Fixes: issues/320.

Adds support for generating an activation challenge using
CertificationParameters.
Achieves symmetry with challenge-generation in
AttestationParameters, in order to provide a challenge to a
TPM to activate a TPM-certified key.

`attest.Activation` currently supports verifying and
generating a challenge given attestationData, an EK, an AK,
and a signature. In the attestationData, the CreationInfo
field is used to further validate and create the resulting
challenge.
In this change, `attest.Certification` will now support
generating a challenge given attestationData, an EK, a
TPM-certified public key, and a signature, in addition to
an AK used to verify the certification of the provided
public key we are generating an activation challenge for.
2023-06-06 10:46:12 -07:00
Herman Slatman
89884d0a74
Fix Intel EK certificate URL (#310)
* Fix Intel EK certificate URL

To download the certificate for an Intel TPM, the base64 padding
in the URL needs to be replaced with `%3D`. If it's not replaced,
requesting the URL will result in HTTP 403 Forbidden.

* Use `url.QueryEscape` to escape base64 padding
2023-06-02 09:17:59 -07:00
zhsh
b474b712d4
wrappedTPM20.ekTemplate() never returns an error. (#327) 2023-05-29 10:16:09 -07:00
dependabot[bot]
a4b579bcf0
Bump github.com/google/go-tpm-tools from 0.3.9 to 0.3.12 (#324)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.9 to 0.3.12.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.9...v0.3.12)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-22 11:14:50 -07:00
dependabot[bot]
62a036b369
Bump golang.org/x/sys from 0.0.0-20220209214540-3681064d5158 to 0.8.0 (#316)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.0.0-20220209214540-3681064d5158 to 0.8.0.
- [Commits](https://github.com/golang/sys/commits/v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-22 11:03:00 -07:00
Brandon Weeks
10dd5f7a05
Bump Go version to 1.19 (#325) 2023-05-22 10:52:09 -07:00
Noah Stride
3ef3949b46 Fix comments referring to .Serialize() instead of .Marshal() 2023-05-15 10:56:35 -07:00
José Martínez
1f9c436d57 Parse TCG_PCR_EVENT2 structures with an eventSize of 0 2023-05-15 09:19:59 -07:00
dependabot[bot]
270ecbab1f
Bump github.com/google/go-tspi (#307)
Bumps [github.com/google/go-tspi](https://github.com/google/go-tspi) from 0.2.1-0.20190423175329-115dea689aad to 0.3.0.
- [Release notes](https://github.com/google/go-tspi/releases)
- [Commits](https://github.com/google/go-tspi/commits/v0.3.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-tspi
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-10 10:28:28 -08:00
Brandon Weeks
0ccbb50494
Handle multiple ELAM events (#309) 2023-03-08 13:32:50 -08:00
Mike Gerow
68deb4ce55 Use NV cert index as auth hierarchy for EK cert
This is the same approach tpm2_getekcertificate uses, with its
`TPM2_HANDLE_FLAGS_NV` flag.

The main impetus here is ChromeOS's vtpm implementation[1], which
doesn't have a concept of an "owner" or "platform" password and expects
the NV index itself as the auth hierarchy. In either case, as this is
the same approach tpm2_getekcertificate uses, this should provide a more
standard/common approach as opposed to relying on the owner password to
be empty.

Tested with both CrOS's vTPM and a real TPM on Debian.

b/258300352

[1]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform2/vtpm/commands/nv_read_command.cc;l=64-68;drc=1efd0c8f36050d56b8550354a4c7af925e44118a
2023-01-05 12:25:14 -08:00
Marcin Wielgoszewski
5238453493 Truncate digests to the leftmost bits to match the bit-length of the order of the curve 2022-11-15 15:26:00 -08:00
Mike Gerow
b93151db1f
Preserve error logic in getPrimaryKeyHandle (#296)
In `wrappedTPM20.getPrimaryKeyHandle()`, preserve any error from the
short-circuit `tpm2.ReadPublic()` logic, so that we can return it
alongside any failure in `tpm2.CreatePrimary()`.

Co-authored-by: Justin King-Lacroix <justinkl@google.com>
2022-11-04 14:57:37 -07:00
Brandon Weeks
0dc056af7d Fix golangci-lint findings 2022-11-01 13:38:49 -07:00
Brandon Weeks
19d3c4de97 Run golangci-lint as part of CI
https://golangci-lint.run/usage/install/#ci-installation
2022-11-01 13:38:49 -07:00
Brandon Weeks
438907edb0
Fix lints; run gofmt (#293)
$ gofmt -s -w .
2022-11-01 12:19:57 -07:00
hansinator
17f9c05652
fix returning wrong error in ParseWinEvents (#291)
Co-authored-by: Hans-Gert Dahmen <hans-gert.dahmen@immu.ne>
2022-10-11 09:22:10 -07:00
hansinator
d98599d257
Fix decoding of uints in windows events (#290)
Co-authored-by: Hans-Gert Dahmen <hans-gert.dahmen@immu.ne>
2022-10-07 13:01:04 -07:00
dependabot[bot]
053c50e8ad
Bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (#286)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.8 to 0.5.9.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.8...v0.5.9)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-09-12 11:14:05 -04:00
Malte Poll
e99c3e104e
Ignore MokListTrusted events in ParseUEFIVariableAuthority (#284) 2022-09-09 15:58:48 -07:00
dependabot[bot]
dff2daeaf0
Bump github.com/google/go-tpm-tools from 0.3.8 to 0.3.9 (#285) 2022-08-22 19:31:56 +00:00
Brandon Weeks
f5d560164e
Set NoDa flag on the AK template (#280)
Resolves an issue where a TPM in DA lockout mode cannot generate an AK.
2022-06-03 12:51:56 -07:00
Brandon Weeks
cb976082a3
x509ext: initial version of package (#279) 2022-06-02 15:05:51 -07:00
Brandon Weeks
50e72a4743
attest: fix OSS-Fuzz build (#278) 2022-05-31 21:50:58 -07:00
Brandon Weeks
f1ff544e51
attest: restore change from a35bd36 mistakenly removed in be496f1 (#277) 2022-05-31 13:12:21 -07:00
dependabot[bot]
e0bd974e4e
Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#275)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.7 to 0.5.8.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.7...v0.5.8)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-16 12:44:25 -07:00
dependabot[bot]
ad58dc770e
Bump github.com/google/go-tpm-tools from 0.3.7 to 0.3.8 (#276)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.7 to 0.3.8.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.7...v0.3.8)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-16 12:44:06 -07:00
dependabot[bot]
8235370483
Bump github.com/google/go-tpm-tools from 0.3.1 to 0.3.7 (#273)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.1 to 0.3.7.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.1...v0.3.7)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-04-18 08:39:55 -07:00
Joe Richey
8820d49b18 CI: Allow SHA1 on Go 1.18
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
0961a88d7c parseEfiSignature: Don't rely on type of error code
The specific error type is not part of x509.ParseCertificate's documented
API. So we shouldn't rely on it for this workaround.

Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
df6b91cbdb test: Use Fatalf instead of Errorf to prevent segfault
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
03018e6828 Remove certificate-transparency-go dependency
Signed-off-by: Joe Richey <joerichey@google.com>
2022-04-04 13:48:39 -07:00
Joe Richey
0a9ecdcf7c Run CI for Go 1.18
Signed-off-by: Joe Richey <joerichey@google.com>
2022-03-25 13:55:33 -07:00
Joe Richey
4b44082d2c ci: Only run on pushes to master
This prevents running the CI twice when opening a PR with a non-master
branch.

Signed-off-by: Joe Richey <joerichey@google.com>
2022-03-25 13:55:33 -07:00
dependabot[bot]
2a5dfec7cf
Bump github.com/google/go-cmp from 0.5.5 to 0.5.7 (#261)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.5 to 0.5.7.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.5...v0.5.7)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-23 21:08:15 -07:00
Jiankun Lü
83d71b1c53
Bump go-tpm version (#264)
Certify now returns raw TPMT_SIGNATURE, so no need to pack it.
2022-02-14 16:31:48 -08:00
Tom D
277c40ca1d
AKPublic.VerifyAll: Additionally validate input parameters (#263) 2022-01-31 09:32:19 -08:00
Tom D
82f2c9c2c7
Merge pull request from GHSA-99cg-575x-774p
* AKPublic.Verify: Return an error if a provided PCR of the correct
  digest was not included in the quote.
* AKPublic.VerifyAll: Implement VerifyAll method, which can cross-check
  that provided PCRs were covered by quotes across PCR banks.
* PCR.QuoteVerified(): Introduce getter method to expose whether a
  PCR value was covered during quote verification.
2022-01-31 09:10:07 -08:00
dependabot[bot]
21f642c3c7 Copybara import of the project:
--
54a86af398 by dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>:

Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1

Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/250 from google:dependabot/go_modules/github.com/google/go-tpm-tools-0.3.1 54a86af398
PiperOrigin-RevId: 415136926
2022-01-11 16:29:12 -08:00
Brandon Weeks
d114f3922f Copybara import of the project:
--
501de37b33 by Brandon Weeks <bweeks@google.com>:

Restore changes accidentally reverted during reconciliation

COPYBARA_INTEGRATE_REVIEW=https://github.com/google/go-attestation/pull/256 from brandonweeks:fix_reconciliation 501de37b33
PiperOrigin-RevId: 415128139
2022-01-11 16:29:01 -08:00
dependabot[bot]
b92e2746d6
Bump github.com/google/go-tpm-tools from 0.2.1 to 0.3.1 (#250)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.1 to 0.3.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.1...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-12-08 17:24:29 -08:00
Brandon Weeks
2f8dbfc94e
Restore changes accidentally reverted during reconciliation (#256) 2021-12-08 16:43:38 -08:00