Documentation
Index
- Constants
- Variables
- type Client
- func (t *Client) AttestationCollector(ctx context.Context) string
- func (t *Client) Clear() error
- func (t *Client) Close(ctx context.Context) error
- func (t *Client) EndorsementKeyCert() ([]byte, error)
- func (t *Client) EndorsementKeyPublic() ([]byte, error)
- func (t *Client) GetAttestation(nonce []byte, ak *tpm2.NamedHandle) (*pbattest.Attestation, error)
- func (t *Client) GetLocalAttestationPubKey() (crypto.PublicKey, error)
- func (t *Client) GetPath() string
- func (t *Client) GetQuote(nonce []byte, ak *tpm2.NamedHandle, pcrSelection *tpm2.TPMLPCRSelection) (*pbtpm.Quote, error)
- func (t *Client) GetSigner() crypto.Signer
- func (t *Client) Public() crypto.PublicKey
- func (t *Client) ReadPCRValues(measurements map[string]string) error
- func (t *Client) Sign(rand io.Reader, data []byte, opts crypto.SignerOpts) ([]byte, error)
- func (t *Client) UpdateNonce(nonce []byte) error
- func (t *Client) VendorInfo() ([]byte, error)
- func (t *Client) VendorInfoCollector(ctx context.Context) string
- type ClientConfig
- type TPM
Constants
const (
	MinNonceLength = 8
)
Variables
var (
	LDevIDTemplate = tpm2.TPMTPublic{
		Type:    tpm2.TPMAlgECC,
		NameAlg: tpm2.TPMAlgSHA256,
		ObjectAttributes: tpm2.TPMAObject{
			FixedTPM:             true,
			STClear:              false,
			FixedParent:          true,
			SensitiveDataOrigin:  true,
			UserWithAuth:         true,
			AdminWithPolicy:      true,
			NoDA:                 false,
			EncryptedDuplication: false,
			Restricted:           false,
			Decrypt:              false,
			SignEncrypt:          true,
		},
		Parameters: tpm2.NewTPMUPublicParms(
			tpm2.TPMAlgECC,
			&tpm2.TPMSECCParms{
				Scheme: tpm2.TPMTECCScheme{
					Scheme: tpm2.TPMAlgECDSA,
					Details: tpm2.NewTPMUAsymScheme(
						tpm2.TPMAlgECDSA,
						&tpm2.TPMSSigSchemeECDSA{
							HashAlg: tpm2.TPMAlgSHA256,
						},
					),
				},
				CurveID: tpm2.TPMECCNistP256,
			},
		),
		Unique: tpm2.NewTPMUPublicID(
			tpm2.TPMAlgECC,
			&tpm2.TPMSECCPoint{
				X: tpm2.TPM2BECCParameter{Buffer: make([]byte, 32)},
				Y: tpm2.TPM2BECCParameter{Buffer: make([]byte, 32)},
			},
		),
	}

	// AttestationKeyTemplate defines a standard attestation key template based on go-tpm-tools AKTemplateECC.
	// This creates an ECC restricted signing key suitable for TPM attestation operations.
	AttestationKeyTemplate = tpm2.TPMTPublic{
		Type:    tpm2.TPMAlgECC,
		NameAlg: tpm2.TPMAlgSHA256,
		ObjectAttributes: tpm2.TPMAObject{
			SignEncrypt:         true,
			Restricted:          true,
			FixedTPM:            true,
			FixedParent:         true,
			SensitiveDataOrigin: true,
			UserWithAuth:        true,
		},
		Parameters: tpm2.NewTPMUPublicParms(
			tpm2.TPMAlgECC,
			&tpm2.TPMSECCParms{
				Scheme: tpm2.TPMTECCScheme{
					Scheme: tpm2.TPMAlgECDSA,
					Details: tpm2.NewTPMUAsymScheme(
						tpm2.TPMAlgECDSA,
						&tpm2.TPMSSigSchemeECDSA{
							HashAlg: tpm2.TPMAlgSHA256,
						},
					),
				},
				CurveID: tpm2.TPMECCNistP256,
			},
		),
		Unique: tpm2.NewTPMUPublicID(
			tpm2.TPMAlgECC,
			&tpm2.TPMSECCPoint{
				X: tpm2.TPM2BECCParameter{Buffer: make([]byte, 32)},
				Y: tpm2.TPM2BECCParameter{Buffer: make([]byte, 32)},
			},
		),
	}
)
This key template uses the Storage Root Key as the parent key. Other key attributes are aligned with definitions from https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM-2p0-DevID_v1p00_r10_12july2021.pdf. Specifically, for key attribute and parameter recommendations, see Sections 7.3.4.1 and 7.3.4.3.
Functions
This section is empty.
Types
type Client added in v0.9.0
type Client struct {
	// contains filtered or unexported fields
}
Client represents a connection to a TPM device and manages TPM operations.
func NewClient added in v0.9.0
func NewClient(log *log.PrefixLogger, rw fileio.ReadWriter, config *agent_config.Config) (*Client, error)
NewClient creates a new TPM client with the given configuration.
func (*Client) AttestationCollector added in v0.9.0
AttestationCollector returns TPM attestation as a string for system info collection.
func (*Client) Close added in v0.9.0
Close closes the TPM connection and flushes any transient handles. It should be called when the TPM is no longer needed to free resources.
func (*Client) EndorsementKeyCert
func (*Client) EndorsementKeyPublic
func (*Client) GetAttestation
func (t *Client) GetAttestation(nonce []byte, ak *tpm2.NamedHandle) (*pbattest.Attestation, error)
GetAttestation generates a TPM attestation using the provided nonce and attestation key. The nonce must be at least MinNonceLength bytes long for security.
func (*Client) GetLocalAttestationPubKey
GetLocalAttestationPubKey returns the public key of the Local Attestation Key.
func (*Client) GetQuote
func (t *Client) GetQuote(nonce []byte, ak *tpm2.NamedHandle, pcrSelection *tpm2.TPMLPCRSelection) (*pbtpm.Quote, error)
GetQuote generates a TPM quote using the provided nonce, attestation key, and PCR selection. The quote provides cryptographic evidence of the current PCR values.
func (*Client) ReadPCRValues
ReadPCRValues reads PCR values from the TPM and populates the provided map. The map keys are formatted as "pcr01", "pcr02", etc., and values are hex-encoded.
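A consumer of the map described above can compare it against a known-good baseline to detect measurement drift. The following is an added example, not code from this package; `driftedPCRs`, `sampleDrift` and the shortened hex values are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
)

// pcrKey matches the documented key shape: "pcr" plus a two-digit index.
var pcrKey = regexp.MustCompile(`^pcr[0-9]{2}$`)

// driftedPCRs returns, sorted, every baseline PCR that is missing, malformed or
// different in got. Values are compared as bytes, so hex case does not matter.
func driftedPCRs(got, baseline map[string]string) ([]string, error) {
	var drift []string
	for key, wantHex := range baseline {
		if !pcrKey.MatchString(key) {
			return nil, fmt.Errorf("baseline key %q is not in pcrNN form", key)
		}
		want, err := hex.DecodeString(wantHex)
		if err != nil {
			return nil, fmt.Errorf("baseline %s: %w", key, err)
		}
		gotHex, ok := got[key]
		have, err := hex.DecodeString(gotHex)
		if !ok || err != nil || !bytes.Equal(have, want) {
			drift = append(drift, key) // unreported, undecodable or changed
		}
	}
	sort.Strings(drift)
	return drift, nil
}

// sampleDrift runs the check on constructed values (not real measurements).
func sampleDrift() ([]string, error) {
	baseline := map[string]string{"pcr01": "00ab", "pcr04": "11cd", "pcr07": "22ef"}
	measured := map[string]string{"pcr01": "00AB", "pcr04": "11ce"}
	return driftedPCRs(measured, baseline)
}

func main() { fmt.Println(sampleDrift()) }
```

A PCR that is absent from the measured map is reported as drift rather than skipped, so an incomplete read cannot pass as a match.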
func (*Client) Sign added in v0.9.0
Sign signs the given data using the TPM's LDevID key. The rand parameter is ignored as the TPM generates its own randomness internally. The opts parameter is also ignored because the only hash type supported is SHA256 (as defined by the creation of the key).
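Because opts is ignored, a caller that asks for a different hash is not told about the mismatch through that parameter. The added example below (not code from this package) wraps any crypto.Signer and rejects such requests before delegating; `sha256Only` and `demo` are hypothetical names, a software P-256 key stands in for the TPM-backed signer, and the input is assumed to be a digest as the crypto.Signer contract expects.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// sha256Only (hypothetical name) wraps a crypto.Signer whose key is fixed to
// SHA-256 and fails loudly on requests the inner signer would not check.
type sha256Only struct{ inner crypto.Signer }

func (s sha256Only) Public() crypto.PublicKey { return s.inner.Public() }

func (s sha256Only) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() != crypto.SHA256 {
		return nil, errors.New("key only signs with SHA-256")
	}
	if len(digest) != sha256.Size {
		return nil, fmt.Errorf("digest is %d bytes, want %d", len(digest), sha256.Size)
	}
	return s.inner.Sign(r, digest, opts)
}

// demo uses a software P-256 key as a stand-in for the TPM-backed signer
// (assumption: the input is a digest, per the crypto.Signer contract).
func demo() (verified, rejectedHash, rejectedLen bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	s := sha256Only{inner: key}
	d := sha256.Sum256([]byte("constructed enrollment request"))
	sig, err := s.Sign(rand.Reader, d[:], crypto.SHA256)
	if err != nil {
		return false, false, false, err
	}
	verified = ecdsa.VerifyASN1(&key.PublicKey, d[:], sig)
	_, e1 := s.Sign(rand.Reader, make([]byte, 48), crypto.SHA384) // wrong hash
	_, e2 := s.Sign(rand.Reader, d[:20], crypto.SHA256)           // wrong length
	return verified, e1 != nil, e2 != nil, nil
}

func main() { fmt.Println(demo()) }
```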
func (*Client) UpdateNonce added in v0.9.0
UpdateNonce updates the current nonce for attestation operations.
func (*Client) VendorInfo
VendorInfo returns the TPM manufacturer information. This can be used to identify the TPM vendor and model.
type ClientConfig
type ClientConfig struct {
	Log             *log.PrefixLogger
	DeviceWriter    fileio.ReadWriter
	PersistencePath string
	DevicePath      string
}
ClientConfig contains configuration options for creating a TPM client.
type TPM
type TPM struct {
	// contains filtered or unexported fields
}
TPM represents a TPM device and its associated file paths.