Overview ¶
Package tpm is a generated GoMock package.
Index ¶
- Constants
- Variables
- func AttestationKeyTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
- func BuildTCGCSRIDevID(standardCSR []byte, productModel string, productSerial string, ekCert []byte, ...) ([]byte, error)
- func ConvertTPMSignatureToDER(sig *tpm2.TPMTSignature) ([]byte, error)
- func EmbedTCGCSRInX509(standardCSR []byte, tcgCSRData []byte) ([]byte, error)
- func EndorsementKeyTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
- func IsTCGCSRFormat(data []byte) bool
- func LDevIDTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
- func LoadCAsFromPaths(paths []string) (*x509.CertPool, error)
- func NormalizeEnrollmentCSR(csrString string) ([]byte, bool, error)
- func ParseTCGCSRBytes(raw string) ([]byte, bool)
- func VerifyTCGCSRChainOfTrust(csrData []byte) error
- func VerifyTCGCSRChainOfTrustWithRoots(csrData []byte, trustedRoots *x509.CertPool) error
- type CSRPayload
- type Client
- func (c *Client) AttestationCollector(ctx context.Context) string
- func (c *Client) Clear() error
- func (c *Client) Close(ctx context.Context) error
- func (c *Client) GetSigner() crypto.Signer
- func (c *Client) MakeCSR(deviceName string, qualifyingData []byte) ([]byte, error)
- func (c *Client) Public() crypto.PublicKey
- func (c *Client) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
- func (c *Client) UpdateNonce(nonce []byte) error
- func (c *Client) VendorInfoCollector(ctx context.Context) string
- type IDevIDContent
- type KeyAlgorithm
- type KeyType
- type MockSession
- func (m *MockSession) CertifyKey(keyType KeyType, qualifyingData []byte) ([]byte, []byte, error)
- func (m *MockSession) Clear() error
- func (m *MockSession) Close() error
- func (m *MockSession) CreateKey(keyType KeyType) (*tpm2.CreateResponse, error)
- func (m *MockSession) EXPECT() *MockSessionMockRecorder
- func (m *MockSession) FlushAllTransientHandles() error
- func (m *MockSession) GetEndorsementKeyCert() ([]byte, error)
- func (m *MockSession) GetHandle(keyType KeyType) (*tpm2.NamedHandle, error)
- func (m *MockSession) GetPublicKey(keyType KeyType) (*tpm2.TPM2BPublic, error)
- func (m *MockSession) LoadKey(keyType KeyType) (*tpm2.NamedHandle, error)
- func (m *MockSession) Sign(keyType KeyType, digest []byte) ([]byte, error)
- type MockSessionMockRecorder
- func (mr *MockSessionMockRecorder) CertifyKey(keyType, qualifyingData any) *gomock.Call
- func (mr *MockSessionMockRecorder) Clear() *gomock.Call
- func (mr *MockSessionMockRecorder) Close() *gomock.Call
- func (mr *MockSessionMockRecorder) CreateKey(keyType any) *gomock.Call
- func (mr *MockSessionMockRecorder) FlushAllTransientHandles() *gomock.Call
- func (mr *MockSessionMockRecorder) GetEndorsementKeyCert() *gomock.Call
- func (mr *MockSessionMockRecorder) GetHandle(keyType any) *gomock.Call
- func (mr *MockSessionMockRecorder) GetPublicKey(keyType any) *gomock.Call
- func (mr *MockSessionMockRecorder) LoadKey(keyType any) *gomock.Call
- func (mr *MockSessionMockRecorder) Sign(keyType, digest any) *gomock.Call
- type MockStorage
- func (m *MockStorage) ClearKey(keyType KeyType) error
- func (m *MockStorage) ClearPassword() error
- func (m *MockStorage) Close() error
- func (m *MockStorage) EXPECT() *MockStorageMockRecorder
- func (m *MockStorage) GetKey(keyType KeyType) (*tpm2.TPM2BPublic, *tpm2.TPM2BPrivate, error)
- func (m *MockStorage) GetPassword() ([]byte, error)
- func (m *MockStorage) StoreKey(keyType KeyType, public tpm2.TPM2BPublic, private tpm2.TPM2BPrivate) error
- func (m *MockStorage) StorePassword(password []byte) error
- type MockStorageMockRecorder
- func (mr *MockStorageMockRecorder) ClearKey(keyType any) *gomock.Call
- func (mr *MockStorageMockRecorder) ClearPassword() *gomock.Call
- func (mr *MockStorageMockRecorder) Close() *gomock.Call
- func (mr *MockStorageMockRecorder) GetKey(keyType any) *gomock.Call
- func (mr *MockStorageMockRecorder) GetPassword() *gomock.Call
- func (mr *MockStorageMockRecorder) StoreKey(keyType, public, private any) *gomock.Call
- func (mr *MockStorageMockRecorder) StorePassword(password any) *gomock.Call
- type ParsedTCGCSR
- type ParsedTCGContent
- type ParsedTCGPayload
- type Session
- type Storage
- type TCGCSRIDevID
- type TCGCSRParser
- type TPMAttestationData
Constants ¶
const (
	// TCGAlgSHA256 is TPM_ALG_SHA256 from the TCG Algorithm Registry.
	// These identifiers name the hash carried in IDevIDContent.HashAlgoId.
	TCGAlgSHA256 = 0x000B
	// TCGAlgSHA384 is TPM_ALG_SHA384.
	TCGAlgSHA384 = 0x000C
	// TCGAlgSHA512 is TPM_ALG_SHA512.
	TCGAlgSHA512 = 0x000D
)
TCG algorithm identifiers as assigned in the TCG Algorithm Registry (TPM_ALG_SHA256 = 0x000B, TPM_ALG_SHA384 = 0x000C, TPM_ALG_SHA512 = 0x000D). These are the values IDevIDContent.HashAlgoId carries to name the hash computed over the CSR content.
const (
	// MinNonceLength is the smallest nonce (TPM2_Certify qualifying data)
	// length, in bytes, that this package treats as acceptable. It is a
	// floor, not a recommendation: the nonce is what makes an attestation
	// fresh and non-replayable, so callers should pass a server-generated
	// CSPRNG value (16-32 bytes is customary) and never reuse it.
	// NOTE(review): where this is enforced (UpdateNonce / MakeCSR) is not
	// visible on this page — confirm it is checked on the verifier side too.
	MinNonceLength = 8
)
Variables ¶
var (
	// ErrNotFound is the sentinel returned when a requested item does not
	// exist (presumably by Storage lookups for a key or password — confirm).
	// Compare with errors.Is rather than ==, since it may be wrapped.
	ErrNotFound = errors.New("not found")
)
// TCGCSRExtensionOID is the OID under which EmbedTCGCSRInX509 places the
// TCG-CSR-IDEVID blob inside a standard X.509 CSR. The value is
// id-pkcs9-at-challengePassword (RFC 2985), borrowed as a placeholder.
var TCGCSRExtensionOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
OID under which the TCG-CSR-IDEVID blob is embedded in the standard X.509 CSR (see EmbedTCGCSRInX509). This is id-pkcs9-at-challengePassword (RFC 2985), reused temporarily until a proper TCG-assigned OID is adopted. Caveat: other PKCS#10 consumers (for example SCEP or EST registration authorities) give this OID its original meaning and may try to interpret, log, or strip the blob as a challenge password, so do not route these CSRs through such software without confirming how it treats the attribute.
Functions ¶
func AttestationKeyTemplate ¶ added in v0.9.0
func AttestationKeyTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
AttestationKeyTemplate generates a Local Attestation Key (LAK) template for the specified algorithm, based on the go-tpm-tools AKTemplateECC/AKTemplateRSA templates. The LAK is a restricted signing key (see KeyType), which is what allows a relying party to trust TPM2_Certify output signed by it: a restricted key only signs TPM-generated structures, not arbitrary caller-supplied digests.
func BuildTCGCSRIDevID ¶ added in v0.9.0
func BuildTCGCSRIDevID( standardCSR []byte, productModel string, productSerial string, ekCert []byte, attestationPub []byte, signingPub []byte, signingCertifyInfo []byte, signingCertifySignature []byte, signer crypto.Signer, ) ([]byte, error)
BuildTCGCSRIDevID assembles a TCG-CSR-IDEVID structure from the standard CSR, the product model and serial, the EK certificate, the attestation (LAK) and signing (LDevID) public areas and the LAK's TPM2_Certify output over the signing key (signingCertifyInfo, signingCertifySignature), and then signs the result with signer (presumably over the content structure — confirm). The attestation key's own certify fields (AtCertifyInfo, AtCertifyInfoSignature) are not among the parameters and are left unused.
func ConvertTPMSignatureToDER ¶ added in v0.9.0
func ConvertTPMSignatureToDER(sig *tpm2.TPMTSignature) ([]byte, error)
ConvertTPMSignatureToDER converts a TPM2 TPMT_SIGNATURE for an RSA or ECDSA key into the DER encoding that the standard Go crypto APIs (crypto.Signer callers, crypto/x509) consume.
func EmbedTCGCSRInX509 ¶ added in v0.9.0
EmbedTCGCSRInX509 embeds TCG-CSR-IDEVID data as an extension in a standard X.509 CSR
func EndorsementKeyTemplate ¶ added in v0.9.0
func EndorsementKeyTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
EndorsementKeyTemplate generates an Endorsement Key template based on the specified algorithm. The EK is the TPM's manufacturer-certified identity; its certificate is the EkCert carried in the CSR and is the anchor for device identity and attestation. Because an EK is derived from the TPM's endorsement seed and the template, the template must match the one the manufacturer certified (the standard TCG EK templates), or the derived key will not correspond to the EK certificate — confirm this against the TCG EK Credential Profile.
func IsTCGCSRFormat ¶ added in v0.9.0
IsTCGCSRFormat reports whether data appears to be in TCG-CSR-IDEVID format (a format sniff). It performs no signature or chain-of-trust verification; a true result only selects the parsing path.
func LDevIDTemplate ¶ added in v0.9.0
func LDevIDTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
LDevIDTemplate generates a Local Device Identity key template based on the specified algorithm. This key template uses the Storage Root Key as the parent key. Key attributes are aligned with definitions from https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM-2p0-DevID_v1p00_r10_12july2021.pdf. Specifically, for key attribute and parameter recommendations, see Sections 7.3.4.1 and 7.3.4.3.
func LoadCAsFromPaths ¶ added in v0.9.0
LoadCAsFromPaths loads CA certificates from the given file paths into an x509.CertPool, for example the TPM manufacturer EK CA roots to hand to VerifyTCGCSRChainOfTrustWithRoots. Whether an unreadable or malformed path is an error or is skipped is not visible here; callers should confirm, since an unexpectedly empty pool would cause every chain to fail verification (or, worse, might be mistaken for "no restriction" by a careless caller).
func NormalizeEnrollmentCSR ¶ added in v0.9.0
NormalizeEnrollmentCSR extracts the embedded standard X.509 CSR from a TCG CSR if present; the returned bool presumably reports whether the input was a TCG CSR (confirm). The extracted standard CSR no longer carries the attestation evidence, so a service should run VerifyTCGCSRChainOfTrust on the original input before normalizing, and record that the request was TPM-backed, rather than deciding trust from the normalized bytes alone.
func ParseTCGCSRBytes ¶ added in v0.9.0
ParseTCGCSRBytes decodes raw into TCG-formatted CSR bytes, returning them together with true when the input is valid; otherwise it returns false. "Valid" here is structural: the returned bytes still need VerifyTCGCSRChainOfTrust or VerifyTCGCSRChainOfTrustWithRoots before anything in them is trusted.
func VerifyTCGCSRChainOfTrust ¶ added in v0.9.0
VerifyTCGCSRChainOfTrust verifies the complete chain of trust in a TCG-CSR-IDEVID (as far as the data model allows: the EK certificate against CA roots and the TPM2_Certify evidence binding the LDevID to the LAK). Which roots this variant uses is not stated on this page; production verifiers should prefer VerifyTCGCSRChainOfTrustWithRoots with an explicit pool of manufacturer EK CA certificates (see LoadCAsFromPaths) so the trust anchors are deliberate rather than implicit.
Types ¶
type CSRPayload ¶ added in v0.9.0
// CSRPayload holds the variable-length fields of a TCG-CSR-IDEVID content
// structure. Field order matches the corresponding *Sz fields of
// IDevIDContent and is tied to the content hash, so it must not change.
// When the CSR arrives from an as-yet-unauthenticated device, every field
// here is untrusted until VerifyTCGCSRChainOfTrust(WithRoots) has accepted it.
type CSRPayload struct {
	// Product model string (unterminated; length in IDevIDContent.ProdModelSz)
	ProdModel []byte `json:"prodModel"`
	// Product serial number string (unterminated; length in IDevIDContent.ProdSerialSz)
	ProdSerial []byte `json:"prodSerial"`
	// CA-specific data
	ProdCaData []byte `json:"prodCaData"`
	// Boot event log. NOTE(review): an event log is not self-authenticating;
	// it only means something to a relying party that replays it against
	// quoted PCR values, which this structure does not carry.
	BootEvntLog []byte `json:"bootEvntLog"`
	// TPM EK certificate (DER format): the manufacturer-issued anchor that
	// chain-of-trust verification must validate against trusted EK CA roots.
	EkCert []byte `json:"ekCert"`
	// Attestation key (LAK) public area
	AttestPub []byte `json:"attestPub"`
	// TPM2_CertifyCreation ticket for the attestation key
	AtCreateTkt []byte `json:"atCreateTkt"`
	// TPM2_Certify info for attestation key (currently unused)
	AtCertifyInfo []byte `json:"atCertifyInfo"`
	// Signature over attestation certify info (currently unused).
	// NOTE(review): with these two fields unused, nothing on this page shows
	// how the LAK itself is bound to the EK; confirm the verifier's binding step.
	AtCertifyInfoSignature []byte `json:"atCertifyInfoSignature"`
	// Signing key (LDevID) public area
	SigningPub []byte `json:"signingPub"`
	// TPM2_Certify info for signing key, produced by the LAK (Session.CertifyKey)
	SgnCertifyInfo []byte `json:"sgnCertifyInfo"`
	// Signature over signing certify info, made by the LAK
	SgnCertifyInfoSignature []byte `json:"sgnCertifyInfoSignature"`
	// Padding
	Pad []byte `json:"pad"`
}
CSRPayload contains the actual payload data referenced by the content structure
type Client ¶ added in v0.9.0
type Client struct {
// contains filtered or unexported fields
}
Client represents a simplified TPM client that exposes signing capabilities and attestation data for CSR generation.
func NewClient ¶ added in v0.9.0
func NewClient(log *log.PrefixLogger, rw fileio.ReadWriter, config *agent_config.Config) (*Client, error)
NewClient creates a new simplified TPM client with the given configuration.
func (*Client) AttestationCollector ¶ added in v0.9.0
AttestationCollector returns TPM attestation information for system info collection
func (*Client) GetSigner ¶ added in v0.9.0
GetSigner returns the crypto.Signer interface for this client
func (*Client) MakeCSR ¶ added in v0.9.0
MakeCSR generates a TCG-CSR-IDEVID structure for enrollment requests. It combines standard CSR data for deviceName with TPM attestation according to the TCG specifications, using qualifyingData as the nonce bound into the TPM2_Certify evidence; the nonce should come from the enrollment service (at least MinNonceLength bytes of fresh randomness) so the attestation cannot be replayed. This is the primary CSR generation method for TPM clients.
func (*Client) Public ¶ added in v0.9.0
Public returns the public key corresponding to the LDevID private key.
func (*Client) Sign ¶ added in v0.9.0
Sign implements the crypto.Signer interface using the TPM's LDevID key. As with any crypto.Signer, digest must already be the hash of the message. The rand parameter is ignored because the TPM generates its own randomness internally. Signing uses the LDevID, not the restricted LAK, so an arbitrary digest signed here cannot pass as TPM attestation output.
func (*Client) UpdateNonce ¶ added in v0.9.0
UpdateNonce replaces the nonce (TPM2_Certify qualifying data) used for subsequent TPM attestation operations. The nonce should be a fresh, server-supplied random value of at least MinNonceLength bytes; reusing one allows a captured attestation to be replayed.
type IDevIDContent ¶ added in v0.9.0
// IDevIDContent is the fixed-size header of the TCG-CSR-IDEVID content.
// Every field is a 4-byte big-endian unsigned integer (the structure uses
// big-endian ordering and byte sizes; see TCGCSRIDevID). Each *Sz field gives
// the length of the corresponding CSRPayload field. These sizes arrive from
// the device, so a parser must bound each of them against the remaining input
// before slicing.
type IDevIDContent struct {
	StructVer [4]byte `json:"-"` // Version 1.0 = 0x00000100. NOTE(review): TCGCSRIDevID.StructVer documents 0x01000100 for "Version 1.0"; confirm both against spec section 13.1.
	HashAlgoId [4]byte `json:"-"` // TCG algorithm identifier for CSR hash (TCGAlgSHA256, TCGAlgSHA384 or TCGAlgSHA512)
	HashSz [4]byte `json:"-"` // Size, in bytes, of hash used
	// Hash of all that follows is placed here; order must not change
	ProdModelSz [4]byte `json:"-"` // Size of unterminated product model string
	ProdSerialSz [4]byte `json:"-"` // Size of unterminated product serial number string
	ProdCaDataSz [4]byte `json:"-"` // Size of CA-specific required data structure
	BootEvntLogSz [4]byte `json:"-"` // Size of boot event log
	EkCertSz [4]byte `json:"-"` // TPM EK cert size
	AttestPubSz [4]byte `json:"-"` // Attestation key public size
	AtCreateTktSz [4]byte `json:"-"` // TPM2_CertifyCreation ticket size
	AtCertifyInfoSz [4]byte `json:"-"` // TPM2_Certify info size (attestation key; currently unused)
	AtCertifyInfoSignatureSz [4]byte `json:"-"` // TPM2_CertifyInfo Signature size (attestation key; currently unused)
	SigningPubSz [4]byte `json:"-"` // Signing key public size
	SgnCertifyInfoSz [4]byte `json:"-"` // TPM2_Certify info size (signing key)
	SgnCertifyInfoSignatureSz [4]byte `json:"-"` // TPM2_CertifyInfo Signature size (signing key)
	PadSz [4]byte `json:"-"` // Padding size
}
IDevIDContent represents the content portion of TCG-CSR-IDEVID
func (IDevIDContent) MarshalJSON ¶ added in v0.9.0
func (t IDevIDContent) MarshalJSON() ([]byte, error)
MarshalJSON implements custom JSON marshaling for IDevIDContent (the 4-byte fields are tagged `json:"-"`, so the custom encoder is what makes them appear).
func (*IDevIDContent) UnmarshalJSON ¶ added in v0.9.0
func (t *IDevIDContent) UnmarshalJSON(data []byte) error
UnmarshalJSON implements custom JSON unmarshaling for IDevIDContent.
type KeyAlgorithm ¶ added in v0.9.0
// KeyAlgorithm represents the cryptographic algorithm used for keys; see ECDSA and RSA.
type KeyAlgorithm string
KeyAlgorithm represents the cryptographic algorithm used for keys
const (
	// ECDSA selects elliptic-curve keys for the templates in this package.
	ECDSA KeyAlgorithm = "ecdsa"
	// RSA selects RSA keys for the templates in this package.
	RSA KeyAlgorithm = "rsa"
)
type KeyType ¶ added in v0.9.0
// KeyType represents the type of TPM key managed by a Session; see LDevID, LAK and SRK.
type KeyType string
KeyType represents the type of TPM key
const (
	// LDevID (Local Device Identity Key) is a unique identity key for the device,
	// used to authenticate the device to external services. It is the key behind
	// Client.Sign, i.e. it signs caller-supplied digests.
	LDevID KeyType = "ldevid"
	// LAK (Local Attestation Key) is a restricted signing key used for TPM attestation
	// operations. Being restricted, it only signs TPM-generated structures such as
	// TPM2_Certify output, which is why a relying party can trust its signatures.
	LAK KeyType = "lak"
	// SRK (Storage Root Key) is a well-known, persistent primary key in the TPM's storage
	// hierarchy; it is the parent under which the other keys are created and wrapped.
	SRK KeyType = "srk"
)
type MockSession ¶ added in v0.9.0
type MockSession struct {
// contains filtered or unexported fields
}
MockSession is a mock of Session interface.
func NewMockSession ¶ added in v0.9.0
func NewMockSession(ctrl *gomock.Controller) *MockSession
NewMockSession creates a new mock instance.
func (*MockSession) CertifyKey ¶ added in v0.9.0
CertifyKey mocks base method.
func (*MockSession) Clear ¶ added in v0.9.0
func (m *MockSession) Clear() error
Clear mocks base method.
func (*MockSession) Close ¶ added in v0.9.0
func (m *MockSession) Close() error
Close mocks base method.
func (*MockSession) CreateKey ¶ added in v0.9.0
func (m *MockSession) CreateKey(keyType KeyType) (*tpm2.CreateResponse, error)
CreateKey mocks base method.
func (*MockSession) EXPECT ¶ added in v0.9.0
func (m *MockSession) EXPECT() *MockSessionMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockSession) FlushAllTransientHandles ¶ added in v0.9.0
func (m *MockSession) FlushAllTransientHandles() error
FlushAllTransientHandles mocks base method.
func (*MockSession) GetEndorsementKeyCert ¶ added in v0.9.0
func (m *MockSession) GetEndorsementKeyCert() ([]byte, error)
GetEndorsementKeyCert mocks base method.
func (*MockSession) GetHandle ¶ added in v0.9.0
func (m *MockSession) GetHandle(keyType KeyType) (*tpm2.NamedHandle, error)
GetHandle mocks base method.
func (*MockSession) GetPublicKey ¶ added in v0.9.0
func (m *MockSession) GetPublicKey(keyType KeyType) (*tpm2.TPM2BPublic, error)
GetPublicKey mocks base method.
func (*MockSession) LoadKey ¶ added in v0.9.0
func (m *MockSession) LoadKey(keyType KeyType) (*tpm2.NamedHandle, error)
LoadKey mocks base method.
type MockSessionMockRecorder ¶ added in v0.9.0
type MockSessionMockRecorder struct {
// contains filtered or unexported fields
}
MockSessionMockRecorder is the mock recorder for MockSession.
func (*MockSessionMockRecorder) CertifyKey ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) CertifyKey(keyType, qualifyingData any) *gomock.Call
CertifyKey indicates an expected call of CertifyKey.
func (*MockSessionMockRecorder) Clear ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) Clear() *gomock.Call
Clear indicates an expected call of Clear.
func (*MockSessionMockRecorder) Close ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) Close() *gomock.Call
Close indicates an expected call of Close.
func (*MockSessionMockRecorder) CreateKey ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) CreateKey(keyType any) *gomock.Call
CreateKey indicates an expected call of CreateKey.
func (*MockSessionMockRecorder) FlushAllTransientHandles ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) FlushAllTransientHandles() *gomock.Call
FlushAllTransientHandles indicates an expected call of FlushAllTransientHandles.
func (*MockSessionMockRecorder) GetEndorsementKeyCert ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) GetEndorsementKeyCert() *gomock.Call
GetEndorsementKeyCert indicates an expected call of GetEndorsementKeyCert.
func (*MockSessionMockRecorder) GetHandle ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) GetHandle(keyType any) *gomock.Call
GetHandle indicates an expected call of GetHandle.
func (*MockSessionMockRecorder) GetPublicKey ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) GetPublicKey(keyType any) *gomock.Call
GetPublicKey indicates an expected call of GetPublicKey.
type MockStorage ¶ added in v0.9.0
type MockStorage struct {
// contains filtered or unexported fields
}
MockStorage is a mock of Storage interface.
func NewMockStorage ¶ added in v0.9.0
func NewMockStorage(ctrl *gomock.Controller) *MockStorage
NewMockStorage creates a new mock instance.
func (*MockStorage) ClearKey ¶ added in v0.9.0
func (m *MockStorage) ClearKey(keyType KeyType) error
ClearKey mocks base method.
func (*MockStorage) ClearPassword ¶ added in v0.9.0
func (m *MockStorage) ClearPassword() error
ClearPassword mocks base method.
func (*MockStorage) Close ¶ added in v0.9.0
func (m *MockStorage) Close() error
Close mocks base method.
func (*MockStorage) EXPECT ¶ added in v0.9.0
func (m *MockStorage) EXPECT() *MockStorageMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockStorage) GetKey ¶ added in v0.9.0
func (m *MockStorage) GetKey(keyType KeyType) (*tpm2.TPM2BPublic, *tpm2.TPM2BPrivate, error)
GetKey mocks base method.
func (*MockStorage) GetPassword ¶ added in v0.9.0
func (m *MockStorage) GetPassword() ([]byte, error)
GetPassword mocks base method.
func (*MockStorage) StoreKey ¶ added in v0.9.0
func (m *MockStorage) StoreKey(keyType KeyType, public tpm2.TPM2BPublic, private tpm2.TPM2BPrivate) error
StoreKey mocks base method.
func (*MockStorage) StorePassword ¶ added in v0.9.0
func (m *MockStorage) StorePassword(password []byte) error
StorePassword mocks base method.
type MockStorageMockRecorder ¶ added in v0.9.0
type MockStorageMockRecorder struct {
// contains filtered or unexported fields
}
MockStorageMockRecorder is the mock recorder for MockStorage.
func (*MockStorageMockRecorder) ClearKey ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) ClearKey(keyType any) *gomock.Call
ClearKey indicates an expected call of ClearKey.
func (*MockStorageMockRecorder) ClearPassword ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) ClearPassword() *gomock.Call
ClearPassword indicates an expected call of ClearPassword.
func (*MockStorageMockRecorder) Close ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) Close() *gomock.Call
Close indicates an expected call of Close.
func (*MockStorageMockRecorder) GetKey ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) GetKey(keyType any) *gomock.Call
GetKey indicates an expected call of GetKey.
func (*MockStorageMockRecorder) GetPassword ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) GetPassword() *gomock.Call
GetPassword indicates an expected call of GetPassword.
func (*MockStorageMockRecorder) StoreKey ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) StoreKey(keyType, public, private any) *gomock.Call
StoreKey indicates an expected call of StoreKey.
func (*MockStorageMockRecorder) StorePassword ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) StorePassword(password any) *gomock.Call
StorePassword indicates an expected call of StorePassword.
type ParsedTCGCSR ¶ added in v0.9.0
// ParsedTCGCSR is the decoded form of a TCG-CSR-IDEVID as produced by
// ParseTCGCSR. IsValid and ValidationError appear to record parse-level
// validation (what exactly they check is not visible on this page); a true
// IsValid must not be taken as proof that the EK chain or the certify
// signatures verified — that is the job of VerifyTCGCSRChainOfTrust(WithRoots).
type ParsedTCGCSR struct {
	StructVer uint32 // outer structVer, decoded from the big-endian 4-byte field
	Contents uint32 // size of the content structure, in bytes
	SigSz uint32 // size of Signature, in bytes
	CSRContents *ParsedTCGContent
	Signature []byte // DER-encoded signature carried by the CSR
	IsValid bool
	ValidationError string
}
ParsedTCGCSR contains the parsed TCG-CSR-IDEVID data
func ParseTCGCSR ¶ added in v0.9.0
func ParseTCGCSR(data []byte) (*ParsedTCGCSR, error)
ParseTCGCSR parses TCG-CSR-IDEVID format data into a ParsedTCGCSR. The input typically arrives from a device that has not yet been authenticated, so the length fields in the header are attacker-controlled; every size must be bounded against len(data) before slicing, and callers should treat a parse error or a false IsValid as rejection rather than falling back to the raw bytes. Whether each size field is bounds-checked is not visible on this page — confirm before exposing the parser to the network.
type ParsedTCGContent ¶ added in v0.9.0
// ParsedTCGContent is the decoded content header: the 4-byte big-endian
// fields of IDevIDContent converted to host integers, plus the payload they
// describe. The *Sz values come from the device and should already have been
// checked against the input length by the parser; consumers should still not
// use them to index anything other than Payload.
type ParsedTCGContent struct {
	StructVer uint32
	HashAlgoId uint32 // TCG algorithm ID of the content hash (see TCGAlgSHA256 etc.)
	HashSz uint32
	ProdModelSz uint32
	ProdSerialSz uint32
	ProdCaDataSz uint32
	BootEvntLogSz uint32
	EkCertSz uint32
	AttestPubSz uint32
	AtCreateTktSz uint32
	AtCertifyInfoSz uint32 // currently unused on the builder side
	AtCertifyInfoSignatureSz uint32 // currently unused on the builder side
	SigningPubSz uint32
	SgnCertifyInfoSz uint32
	SgnCertifyInfoSignatureSz uint32
	PadSz uint32
	Payload *ParsedTCGPayload
}
ParsedTCGContent contains the parsed content portion
type ParsedTCGPayload ¶ added in v0.9.0
// ParsedTCGPayload is the decoded variable-length payload; it mirrors
// CSRPayload field for field. The values are sliced out of untrusted input
// and carry no integrity guarantee of their own until the chain of trust
// (EK certificate, LAK certify evidence) has been verified.
type ParsedTCGPayload struct {
	ProdModel []byte
	ProdSerial []byte
	ProdCaData []byte
	BootEvntLog []byte
	EkCert []byte // DER EK certificate; must chain to a trusted EK CA root
	AttestPub []byte // LAK public area
	AtCreateTkt []byte
	AtCertifyInfo []byte // currently unused
	AtCertifyInfoSignature []byte // currently unused
	SigningPub []byte // LDevID public area
	SgnCertifyInfo []byte // TPM2_Certify attestation of the LDevID by the LAK
	SgnCertifyInfoSignature []byte // LAK signature over SgnCertifyInfo
	Pad []byte
}
ParsedTCGPayload contains the parsed payload data
type Session ¶ added in v0.9.0
// Session manages active TPM state and operations for the SRK, LAK and
// LDevID key types. Implementations drive a live TPM; MockSession is the
// gomock stand-in for tests.
type Session interface {
	// GetHandle returns the active handle for a key type
	GetHandle(keyType KeyType) (*tpm2.NamedHandle, error)
	// CreateKey creates a new key of the specified type
	CreateKey(keyType KeyType) (*tpm2.CreateResponse, error)
	// LoadKey loads a key into the TPM and returns its handle
	LoadKey(keyType KeyType) (*tpm2.NamedHandle, error)
	// CertifyKey certifies a key with the LAK. qualifyingData is the relying
	// party's nonce; TPM2_Certify binds it into certifyInfo so the result
	// cannot be replayed. Callers should pass at least MinNonceLength bytes
	// of fresh randomness (where that is enforced is not visible here — confirm).
	CertifyKey(keyType KeyType, qualifyingData []byte) (certifyInfo, signature []byte, err error)
	// Sign signs data with the specified key. digest is a precomputed hash,
	// not the message itself (see Client.Sign).
	Sign(keyType KeyType, digest []byte) ([]byte, error)
	// GetPublicKey gets the public key for a key type
	GetPublicKey(keyType KeyType) (*tpm2.TPM2BPublic, error)
	// GetEndorsementKeyCert returns the endorsement key certificate
	GetEndorsementKeyCert() ([]byte, error)
	// FlushAllTransientHandles aggressively flushes all transient handles.
	// NOTE(review): if NewSession is given the raw TPM device rather than a
	// resource-manager connection, this can evict objects loaded by other
	// TPM clients on the host — confirm which device path is used.
	FlushAllTransientHandles() error
	// Clear performs a best-effort clear of the TPM, resetting keys and auth.
	// This is destructive: identity keys created through this package are lost
	// and the device will need to re-enroll.
	Clear() error
	// Close closes the session and flushes handles
	Close() error
}
Session manages active TPM state and operations
func NewSession ¶ added in v0.9.0
func NewSession(conn io.ReadWriteCloser, rw fileio.ReadWriter, log *log.PrefixLogger, authEnabled bool, persistencePath string, keyAlgo KeyAlgorithm) (Session, error)
NewSession creates a new TPM session over conn (the TPM device or resource-manager connection), persisting key blobs and the hierarchy password under persistencePath through the file-backed Storage, and creating keys with keyAlgo. authEnabled selects whether storage-hierarchy authorization is used; with it disabled the keys presumably remain usable with empty auth by any process that can open the TPM (confirm), so it should be enabled outside of tests.
type Storage ¶ added in v0.9.0
// Storage handles disk persistence of TPM data; it issues no TPM commands.
// Key blobs are TPM2B public/private pairs: the private part is a TPM-wrapped
// blob (TPM2B_PRIVATE) usable only by the TPM holding its parent, so the file
// alone does not reveal key material, but it does let anyone who can read it
// load the key into that same TPM. The storage hierarchy password is kept here
// as well; whether it is protected at rest is not visible on this page, so the
// backing path must be readable only by the agent's own user.
type Storage interface {
	// GetKey retrieves stored key data for the specified key type
	// Returns nil values if key doesn't exist
	GetKey(keyType KeyType) (*tpm2.TPM2BPublic, *tpm2.TPM2BPrivate, error)
	// StoreKey stores key data for the specified key type
	StoreKey(keyType KeyType, public tpm2.TPM2BPublic, private tpm2.TPM2BPrivate) error
	// ClearKey clears key data for the specified key type
	ClearKey(keyType KeyType) error
	// GetPassword retrieves the stored storage hierarchy password
	GetPassword() ([]byte, error)
	// StorePassword stores the storage hierarchy password. This value
	// authorizes use of the SRK and everything beneath it; treat the file
	// it lands in as a secret.
	StorePassword(password []byte) error
	// ClearPassword removes the stored password
	ClearPassword() error
	// Close closes the storage and releases any resources
	Close() error
}
Storage handles disk persistence only: the TPM-wrapped key blobs and the storage hierarchy password. It issues no TPM commands itself.
func NewFileStorage ¶ added in v0.9.0
func NewFileStorage(rw fileio.ReadWriter, path string, log *log.PrefixLogger) Storage
NewFileStorage creates a new file-based storage implementation rooted at path. Because the storage hierarchy password and the key blobs live under this path, it must be created with permissions that restrict it to the agent's own user; the page does not show whether the implementation sets them, so confirm (and check that rw does not widen them).
type TCGCSRIDevID ¶ added in v0.9.0
// TCGCSRIDevID represents the complete TCG-CSR-IDEVID structure (TCG TPM 2.0
// Keys for Device Identity and Attestation v1.0 Rev 12, section 13.1).
// All multi-byte fields are big-endian; all sizes are in bytes. Signature is
// produced by the signer handed to BuildTCGCSRIDevID (presumably the LDevID
// via Client — confirm) over the content. Note that the variable-length
// payload (CSRPayload) is not a field of this struct; see BuildTCGCSRIDevID
// for how it is serialized alongside CSRContents.
type TCGCSRIDevID struct {
	// Version 1.0 = 0x01000100. NOTE(review): IDevIDContent.StructVer documents
	// 0x00000100 for the same version; confirm both against the spec.
	StructVer [4]byte `json:"-"`
	// Size of csrContents
	Contents [4]byte `json:"-"`
	// Size, in bytes, of signature
	SigSz [4]byte `json:"-"`
	// The actual content
	CSRContents IDevIDContent `json:"csrContents"`
	// DER encoded signature, including algorithm ID
	Signature []byte `json:"signature"`
}
TCG-CSR-IDEVID implementation according to TCG TPM 2.0 Keys for Device Identity and Attestation v1.0 Rev 12, Section 13.1 (TCG-CSR Structures). TCGCSRIDevID represents the complete TCG-CSR-IDEVID structure. The TCG-CSR-IDEVID uses big-endian byte ordering, and all sizes are in bytes. (LDevIDTemplate cites Rev 10 of the same specification; the two references should be reconciled so reviewers check one document.)
func (TCGCSRIDevID) MarshalJSON ¶ added in v0.9.0
func (t TCGCSRIDevID) MarshalJSON() ([]byte, error)
MarshalJSON implements custom JSON marshaling for TCGCSRIDevID
func (*TCGCSRIDevID) UnmarshalJSON ¶ added in v0.9.0
func (t *TCGCSRIDevID) UnmarshalJSON(data []byte) error
UnmarshalJSON implements custom JSON unmarshaling for TCGCSRIDevID
type TCGCSRParser ¶ added in v0.9.0
type TCGCSRParser struct {
// contains filtered or unexported fields
}
TCGCSRParser provides functionality to parse TCG-CSR-IDEVID format
type TPMAttestationData ¶ added in v0.9.0
// TPMAttestationData represents the extracted TPM data in a usable format:
// the flattened view a verifier works with after parsing. The fields appear
// to map onto CSRPayload (EKCertificate=EkCert, LAKPublicKey=AttestPub,
// LDevIDPublicKey=SigningPub, and so on — confirm). Having the values
// extracted says nothing about whether they were verified.
type TPMAttestationData struct {
	EKCertificate []byte // DER EK certificate; must chain to a trusted EK CA root
	LAKPublicKey []byte
	LAKCertifyInfo []byte // (currently unused)
	LAKCertifySignature []byte // (currently unused)
	LDevIDPublicKey []byte
	LDevIDCertifyInfo []byte // TPM2_Certify attestation of the LDevID, produced by the LAK
	LDevIDCertifySignature []byte // LAK signature over LDevIDCertifyInfo
	ProductModel string
	ProductSerial string
	StandardCSR []byte // Embedded standard X.509 CSR if available
}
TPMAttestationData represents the extracted TPM data in a usable format