Commit Graph

200 Commits

Author SHA1 Message Date
Tom D
0f650714d9
Fix verification errors for quotes generated using AK's with SigScheme.Hash = SHA1 (#105)
* Remove artificial requirement for composite digest to match PCR bank digest
2019-09-20 09:07:49 -07:00
Eric Chiang
6fb354c252
Merge pull request #104 from ericchiang/measurement-hash
attest: expose algorithms used in measurement log
2019-09-19 16:02:57 -07:00
Eric Chiang
33a0bbe4ea attest: expose algorithms used in measurement log
Expose the algorithms that are used in the measurement log. This lets
clients generate PCR measurements that match their log digests.
2019-09-19 15:28:22 -07:00
Eric Chiang
c251eb0fbd
Merge pull request #101 from ericchiang/api
attest: don't define exported API in files with build tags
2019-09-19 13:58:37 -07:00
Eric Chiang
39d2f6efff attest: don't define exported API in files with build tags
It's best practice to define as much code, especially exported API, in
files that can build on any platform. With as little code as possible in
OS specific files.

Ensure files with build tags don't contain any exported APIs. This helps
us not accidentally define API that only works on one platform, or have
incompatible method defintions between OSes.

TODO: follow up with an "unsupported" implementation so this builds on
Mac or without CGO (e.g. for servers)?
2019-09-19 13:50:38 -07:00
Tom D
a406c399ba
Add error for passing non-SHA1 algorithm to Quote() on TPM1.2, compute the go-tpm/tpm2 alg in more standard way (#100) 2019-09-18 10:16:00 -07:00
Tom D
e7e8befcc7
Fix 'failed to verify quote: quote used unknown tpm version 0x0' (#99) 2019-09-13 13:03:26 -07:00
Tom D'Netto
cb4db13ccf Upgrade go-tpm to v0.2.0 2019-09-09 12:06:23 -07:00
Eric Chiang
cbf14e4244 internal/eventlog: only trust the first time an event is written to the log (#95)
Ensure an attacker can't alter the value we interpret by appending an entry of
the same type to the eventlog. Don't worry about events that come before the
EV_SEPARATOR for now.
2019-09-06 10:20:43 -07:00
Tom D
6242485b62
Write overview of the credential activation procedure (#93) 2019-09-05 13:03:58 -07:00
Eric Chiang
2d51b89cfa
Merge pull request #94 from ericchiang/sb
internal/eventlog: add code for parsing secure boot variables
2019-09-04 16:47:47 -07:00
Eric Chiang
9021153e89 internal/eventlog: add code for parsing secure boot variables
This is being prototyped in an internal package as we start to open
source. This code will either live in attest, or in a separate eventlog
package in the future.
2019-09-04 14:25:48 -07:00
Tom D
07feb34890
Add example for AIKPublic.Verify (#89) 2019-08-29 11:26:42 -07:00
Tom D
0f580b1efd
Update README with installation notes (#88) 2019-08-29 09:36:35 -07:00
Tom D
4ef1479ae1
Separate quote verification from EventLog API #85 (#87) 2019-08-28 16:59:46 -07:00
Eric Chiang
2ad969b54a
Merge pull request #86 from ericchiang/mint
attest: rename MintAIK and MintOptions to NewAIK and AIKConfig
2019-08-28 09:32:37 -07:00
Eric Chiang
e688ff6d7f attest: rename MintAIK and MintOptions to NewAIK and AIKConfig
This helps the godoc read better and is more inline with Go's naming
scheme. No functional changes made, just naming.
2019-08-28 09:25:14 -07:00
Tom D
fefdb7d336
Add quote example, add note to Activation.Generate() about use of subtle to prevent timing attacks (#84) 2019-08-27 16:15:48 -07:00
Tom D
d2afca77f5
Implement example for AIK creation and activation. (#83) 2019-08-27 12:40:58 -07:00
Eric Chiang
78755e7a91 attest: remove Log statements from tests (#81)
Tests generally shouldn't print anything unless they fail.
2019-08-21 10:28:55 -07:00
Eric Chiang
9b6caf1273 attest: use provided randomness source when generating challenges (#80)
Currently the activation challenge lets a caller supply a source of
randomness other than crypto/rand, but it's not used in some places.
Plumb the source through the call chain.
2019-08-21 10:28:19 -07:00
Eric Chiang
bfcbe8f1e2 attest: re-work EK API (#79)
This PR adds:
* Renames 'PlatformEK' to 'EK'
* More consistant support of EKs without certificates
* Removes HTTP GET to Intel EK certificate service
* Always populates EK.Public
2019-08-21 10:26:55 -07:00
Eric Chiang
cd07b32602 attest: add testdata for crypto agile event (#82)
Test data copied from
https://github.com/mwiseman32/Attestation-annotation
2019-08-21 10:00:18 -07:00
Tom D
6e2e8693ad
75: Make PCRs() take the digest algorithm (#77) 2019-08-20 11:52:12 -07:00
Eric Chiang
6b09d5331a
Merge pull request #64 from ericchiang/eventlog
attest: add event log parsing logic
2019-08-20 10:09:48 -07:00
Eric Chiang
262599a8df attest: add event log parsing logic
This PR adds event log parsing logic. It's main goal is to require
validation at the same time as parsing, so structured events are always
verified against a quote. This new API replaces the exisitng "verifier"
package.

It's not a goal of this PR to parse the event data. This will be a
follow up, but since different users might want to parse different
events based on the OS, this API lets users of this package implement
custom event data parsing if they absolutely need to.
2019-08-19 23:50:31 -07:00
Pwpon500
e6f0fc6196 Turn appropriate RSAParameter calls into function calls (#71) 2019-08-16 07:33:28 -07:00
Tom D
a1822903b4
Add dump mode to attest-tool. (#70) 2019-08-13 14:53:38 -07:00
Tom D
3d58c70c6a
Add firmware version to TPMInfo for TPM 2.0 devices. (#67) 2019-08-08 11:31:09 +10:00
Eric Chiang
3a523cf51f
Merge pull request #62 from ericchiang/aik_pub
attest: move public key parsing server side
2019-08-07 08:05:08 -07:00
Tom D
55b3a2dc04
Update vendors list (#57) 2019-08-06 16:47:13 -07:00
Eric Chiang
7d7676beda attest: move public key parsing server side
Event log parsing requires knowning both the public key and signing
parameters. Symmantically, this information should be from an attested
public key blob, not additional data passed by the client.

Introduce a new method for parsing an AIK's public key blob, returning
a new AIKPublic struct.
2019-08-06 11:09:20 -07:00
Eric Chiang
59036c6bcb
Merge pull request #60 from ericchiang/key_purpose
attest: remove unused KeyPurpose exported type
2019-08-06 09:48:50 -07:00
Eric Chiang
8e83383df9 attest: improve documentation of ActivateCredential (#61) 2019-08-05 17:39:57 -07:00
Eric Chiang
9020140437 attest-tool: aik.json shouldn't be executable (#65) 2019-08-05 17:39:25 -07:00
Eric Chiang
26ea1966ce README.md: add godoc badge (#59) 2019-08-05 17:32:18 -07:00
Eric Chiang
833a7e119f attest: remove unused KeyPurpose exported type
Was going through the godoc and it's not clear that this is ever used.
To clean up the API, remove KeyPurpose for now. This could probably be
an internal validation anyway, right?
2019-07-30 07:42:42 -07:00
Tom D
f3f08037f8
Make SRK/AIK templates consistent with go-tpm-tools (#58) 2019-07-26 13:16:47 -07:00
Tom D
8f4f17e679
Implement credential activation API (#56) 2019-07-23 15:22:53 -07:00
Eric Chiang
2464131d7c Add a Public() method to the AIK that returns a public key (#55)
We plan to identify AIKs based on their public key. The raw blob should
be available via the AttestationParameters, but we hope that users will
only use that struct for generating challenges.

Because this parses the public key on AIK creation and loading, this PR
should have existing coverage.
2019-07-22 09:18:51 -07:00
Tom D
5f05ce5cec
Fix attest-tool (#54)
* Fix attest-tool
2019-07-19 14:07:02 -07:00
Tom D
90e37eacce
Refactor part 1: Refactor logic for keys into structs for each TPM/platform invariant. (#53)
* Refactor serialized keys into own structure, in preparation for making Key an interface.

* Refactor key logic into separate structures for each platform/TPMversion invariant.

* Implement review feedback
2019-07-19 13:05:18 -07:00
Matthew Garrett
ed3b03ef7f
Merge pull request #51 from twitchy-jsonp/intel
Implement fetch from ekcert server if no EKs are found + Intel TPM
2019-07-17 15:22:14 -07:00
Tom D'Netto
da446762c0 Implement fetch from ekcert server if no EKs are found, and the TPM is from intel. 2019-07-17 15:15:29 -07:00
Tom D
0f6a187a1c
Fix sig mismatch in AIK certification (#50) 2019-07-12 10:30:30 -07:00
Brandon Weeks
83cab51aec Remove protos only used internally, update package name 2019-07-09 16:02:52 -07:00
Tom D
709b568a93
Add two missing enums (#48)
* Add in two missing enum values.
2019-07-03 11:32:22 -07:00
Tom D
5c6b9242df
Add support for multiple certificate directories (#47) 2019-07-03 10:07:16 -07:00
Tom D
372fcf25d0
Try reading the EKCert from PCP_EKNVCERT (#46) 2019-06-25 15:19:12 -07:00
Tom D
113729bb8b
Add indication to EKCert error string for when NVRAM value was unwrapped (#45) 2019-06-20 10:58:41 -07:00