evetpm

package
v0.0.0-...-3407011 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 29, 2024 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	//TpmPasswdHdl is the well known TPM NVIndex for TPM Credentials
	TpmPasswdHdl tpmutil.Handle = 0x1600000

	//TpmEKHdl is the well known TPM permanent handle for Endorsement key
	TpmEKHdl tpmutil.Handle = 0x81000001

	//TpmSRKHdl is the well known TPM permanent handle for Storage key
	TpmSRKHdl tpmutil.Handle = 0x81000002

	//TpmAKHdl is the well known TPM permanent handle for AIK key
	TpmAKHdl tpmutil.Handle = 0x81000003

	//TpmQuoteKeyHdl is the well known TPM permanent handle for PCR Quote signing key
	TpmQuoteKeyHdl tpmutil.Handle = 0x81000004

	//TpmEcdhKeyHdl is the well known TPM permanent handle for ECDH key
	TpmEcdhKeyHdl tpmutil.Handle = 0x81000005

	//TpmDeviceKeyHdl is the well known TPM permanent handle for device key
	TpmDeviceKeyHdl tpmutil.Handle = 0x817FFFFF

	//TpmCredentialsFileName is the file that holds the dynamically created TPM credentials
	TpmCredentialsFileName = types.IdentityDirname + "/tpm_credential"

	//MaxPasswdLength is the max length allowed for a TPM password
	MaxPasswdLength = 7 //limit TPM password to this length

	//TpmDiskKeyHdl is the handle for constructing disk encryption key
	TpmDiskKeyHdl tpmutil.Handle = 0x1700000

	//TpmDeviceCertHdl is the well known TPM NVIndex for device cert
	TpmDeviceCertHdl tpmutil.Handle = 0x1500000

	//TpmSealedDiskPrivHdl is the handle for constructing disk encryption key
	TpmSealedDiskPrivHdl tpmutil.Handle = 0x1800000

	//TpmSealedDiskPubHdl is the handle for constructing disk encryption key
	TpmSealedDiskPubHdl tpmutil.Handle = 0x1900000

	//EmptyPassword is an empty string
	EmptyPassword = ""
)

Variables

View Source 
var (
	//EcdhKeyFile is the location of the ecdh private key
	//on devices without a TPM. It is not a constant due to test usage
	EcdhKeyFile = types.CertificateDirname + "/ecdh.key.pem"

	//DiskKeySealingPCRs represents PCRs that we use for sealing
	DiskKeySealingPCRs = tpm2.PCRSelection{Hash: tpm2.AlgSHA256, PCRs: []int{0, 1, 2, 3, 4, 6, 7, 8, 9, 13, 14}}

	// TpmDevicePath is the TPM device file path, it is not a constant due to
	// test usage.
	TpmDevicePath = "/dev/tpmrm0"
)

Functions

func AESDecrypt 

func AESDecrypt(plaintext, ciphertext, key, iv []byte) error

AESDecrypt decrypts ciphertext, and returns it in plaintext using the key and initial value given. Uses AES CFB cipher.

func AESEncrypt 

func AESEncrypt(ciphertext, plaintext, key, iv []byte) error

AESEncrypt encrypts plaintext, and returns it in ciphertext by using the key and initial value given. Uses a AES CFB cipher.

func DecryptSecretWithEcdhKey 

func DecryptSecretWithEcdhKey(log *base.LogObject, X, Y *big.Int, edgeNodeCert *types.EdgeNodeCert,
	iv, ciphertext, plaintext []byte) error

DecryptSecretWithEcdhKey recovers plaintext from the given ciphertext X, Y are the Z point coordinates in Ellyptic Curve Diffie Hellman(ECDH) Exchange edgeNodeCert points to the certificate that Controller used to calculate the shared secret iv is the Initial Value used in the ECDH exchange. Sha256FromECPoint() is used as KDF on the shared secret, and the derived key is used in AESDecrypt(), to apply the cipher on ciphertext, and recover plaintext

func EncryptDecryptUsingTpm 

func EncryptDecryptUsingTpm(in []byte, encrypt bool) ([]byte, error)

EncryptDecryptUsingTpm uses AES key to encrypt/decrypt a given secret The AES key is derived from a seed, which is further derived from device certificate and ECDH private key, which is protected inside the TPM. IOW, to decrypt secret successfully, one will need to be on the same device.

func FetchSealedVaultKey 

func FetchSealedVaultKey(log *base.LogObject) ([]byte, error)

FetchSealedVaultKey fetches Vault key sealed into TPM2.0

func FetchTpmHwInfo 

func FetchTpmHwInfo() (string, error)

FetchTpmHwInfo returns TPM Hardware properties in a string

func FetchTpmSwStatus 

func FetchTpmSwStatus() info.HwSecurityModuleStatus

FetchTpmSwStatus returns states reflecting SW usage of TPM

func FetchVaultKey 

func FetchVaultKey(log *base.LogObject) ([]byte, error)

FetchVaultKey retrieves TPM part of the vault key

func GetDevicePrivateKey 

func GetDevicePrivateKey() (*ecdsa.PrivateKey, error)

GetDevicePrivateKey is for a device with no TPM and get the file-based device key

func GetFirmwareVersion 

func GetFirmwareVersion(v1 uint32, v2 uint32) string

GetFirmwareVersion converts v1, v2 values from TPM properties to string

func GetModelName 

func GetModelName(vendorValue1 uint32, vendorValue2 uint32) string

GetModelName combines vendor1 and vendor2 values into a string

func GetPrivateKeyFromFile 

func GetPrivateKeyFromFile(keyFile string) (*ecdsa.PrivateKey, error)

GetPrivateKeyFromFile reads a private key file on a device with no TPM

func GetPublicKeyFromCert 

func GetPublicKeyFromCert(certFile string) (crypto.PublicKey, error)

GetPublicKeyFromCert gets public key from a X.509 cert

func GetRandom 

func GetRandom(numBytes uint16) ([]byte, error)

GetRandom returns a random []byte of requested length

func GetTpmProperty 

func GetTpmProperty(propID tpm2.TPMProp) (uint32, error)

GetTpmProperty fetches a given property id, and returns it as uint32

func IsTpmEnabled 

func IsTpmEnabled() bool

IsTpmEnabled checks if TPM is being used by software for creating device cert Note that this must not be called before the device certificate has been generated

func PCRBankSHA256Enabled 

func PCRBankSHA256Enabled() bool

PCRBankSHA256Enabled checks if SHA256 PCR Bank is enabled

func PolicyPCRSession 

func PolicyPCRSession(rw io.ReadWriteCloser, pcrSel tpm2.PCRSelection) (tpmutil.Handle, []byte, error)

PolicyPCRSession prepares TPM2 Auth Policy session, with PCR as the policy

func ReadOwnerCrdl 

func ReadOwnerCrdl() (string, error)

ReadOwnerCrdl returns credential specific to this device

func SealDiskKey 

func SealDiskKey(log *base.LogObject, key []byte, pcrSel tpm2.PCRSelection) error

SealDiskKey seals key into TPM2.0, with provided PCRs

func SetDevicePublicKey 

func SetDevicePublicKey(pubkey crypto.PublicKey)

SetDevicePublicKey is needed for the self-signed bootstrap

func SetECDHPrivateKeyFile 

func SetECDHPrivateKeyFile(filename string)

SetECDHPrivateKeyFile is used by tpmmgr_test.go

func Sha256FromECPoint 

func Sha256FromECPoint(X, Y *big.Int, pubKey *ecdsa.PublicKey) ([32]byte, error)

Sha256FromECPoint is the KDF

func TpmSign 

func TpmSign(digest []byte) (*big.Int, *big.Int, error)

TpmSign is used by external packages to get a digest signed by device key in TPM

func UnsealDiskKey 

func UnsealDiskKey(pcrSel tpm2.PCRSelection) ([]byte, error)

UnsealDiskKey unseals key from TPM2.0

func WipeOutStaleSealedKeyIfAny 

func WipeOutStaleSealedKeyIfAny() error

WipeOutStaleSealedKeyIfAny checks and deletes sealed vault key

Types

type PCRBank256Status 

type PCRBank256Status uint32

PCRBank256Status stores info about support for SHA256 PCR bank on this device 

const (
	PCRBank256StatusUnknown PCRBank256Status = iota + 0
	PCRBank256StatusSupported
	PCRBank256StatusNotSupported
)

Different values for PCRBank256Status

type SealedKeyType 

type SealedKeyType uint32

SealedKeyType holds different types of sealed key defined below 

const (
	SealedKeyTypeUnknown     SealedKeyType = iota + 0 //Invalid
	SealedKeyTypeReused                               //Sealed key is cloned from legacy key
	SealedKeyTypeNew                                  //Sealed key is not cloned from legacy key
	SealedKeyTypeUnprotected                          //Sealed key is not available, using legacy key
)

Different sealed key types, for logging purposes

func CompareLegacyandSealedKey 

func CompareLegacyandSealedKey() SealedKeyType

CompareLegacyandSealedKey compares legacy and sealed keys to record if we are using a new key for sealed vault

func (SealedKeyType) String 

func (s SealedKeyType) String() string

String returns verbose string for SealedKeyType value

type TpmPrivateKey 

type TpmPrivateKey struct {
	PublicKey crypto.PublicKey
}

TpmPrivateKey is Custom implementation of crypto.PrivateKey interface

func (TpmPrivateKey) Public 

func (s TpmPrivateKey) Public() crypto.PublicKey

Public implements crypto.PrivateKey interface

func (TpmPrivateKey) Sign 

func (s TpmPrivateKey) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)

Sign implements crypto.PrivateKey interface

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.