Documentation
Overview
Package wellknown provides events, event data, other constants, and helper functions for parsing event information and enforcing policy decisions.
Constants
const (
	NoAction                   uint32 = 0x00000003
	Separator                  uint32 = 0x00000004
	SCRTMVersion               uint32 = 0x00000008
	IPL                        uint32 = 0x0000000D
	NonhostInfo                uint32 = 0x00000011
	EFIBootServicesApplication uint32 = 0x80000003
	EFIAction                  uint32 = 0x80000007
)
Expected TCG Event Log Event Types.
Taken from TCG PC Client Platform Firmware Profile Specification, Table 14 Events.
const EventTagLoadedImageHex = "ed223b8f1a0000004c4f414445445f494d4147453a3a4c6f61644f7074696f6e7300"
EventTagLoadedImageHex is used with type "EV_EVENT_TAG". It corresponds to a TLV struct of type LOAD_OPTIONS_EVENT_TAG_ID (0x8F3B22ED, byte-reversed in the hex above), length 0x1a (26), value `LOADED_IMAGE::LoadOptions\0`.
Variables
var (
	// GCENonHostInfoSignature identifies the GCE Non-Host info event, which
	// indicates if memory encryption is enabled. This event is 32-bytes consisting
	// of the below signature (16 bytes), followed by a byte indicating whether
	// it is a confidential vm, followed by 15 reserved bytes.
	GCENonHostInfoSignature = []byte("GCE NonHostInfo\x00")
	// GceVirtualFirmwarePrefix is the little-endian UCS-2 encoded string
	// "GCE Virtual Firmware v" without a null terminator. All GCE firmware
	// versions are UCS-2 encoded, start with this prefix, contain the firmware
	// version encoded as an integer, and end with a null terminator.
	GceVirtualFirmwarePrefix = []byte{
		0x47, 0x00, 0x43, 0x00, 0x45, 0x00, 0x20, 0x00,
		0x56, 0x00, 0x69, 0x00, 0x72, 0x00, 0x74, 0x00,
		0x75, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x20, 0x00,
		0x46, 0x00, 0x69, 0x00, 0x72, 0x00, 0x6d, 0x00,
		0x77, 0x00, 0x61, 0x00, 0x72, 0x00, 0x65, 0x00,
		0x20, 0x00, 0x76, 0x00,
	}
)
var (
	//go:embed secure-boot/GcePk.crt
	GceDefaultPKCert []byte
	//go:embed secure-boot/MicCorKEKCA2011_2011-06-24.crt
	MicrosoftKEKCA2011Cert []byte
	//go:embed secure-boot/MicWinProPCA2011_2011-10-19.crt
	WindowsProductionPCA2011Cert []byte
	//go:embed secure-boot/MicCorUEFCA2011_2011-06-27.crt
	MicrosoftUEFICA2011Cert []byte
)
Standard Secure Boot certificates (DER encoded)
var (
	//go:embed secure-boot/canonical-boothole.crt
	RevokedCanonicalBootholeCert []byte
	//go:embed secure-boot/debian-boothole.crt
	RevokedDebianBootholeCert []byte
	//go:embed secure-boot/cisco-boothole.crt
	RevokedCiscoCert []byte
)
Revoked Signing certificates (DER encoded)
var (
	GceEKRoots         []*x509.Certificate
	GceEKIntermediates []*x509.Certificate
)
Certificates corresponding to the known CA certs for GCE.
Functions
func ConvertGCEFirmwareVersionToSCRTMVersion
ConvertGCEFirmwareVersionToSCRTMVersion creates the corresponding SCRTM version string from a numerical GCE firmware version. The returned string is UCS-2 encoded with a null terminator. A version of 0 corresponds to an empty string (representing old GCE VMs that just used an empty string).
func ConvertSCRTMVersionToGCEFirmwareVersion
ConvertSCRTMVersionToGCEFirmwareVersion attempts to parse the Firmware Version of a GCE VM from the bytes of the version string of the SCRTM. This data should come from a valid and verified EV_S_CRTM_VERSION event.
func ParseGCENonHostInfo
func ParseGCENonHostInfo(nonHostInfo []byte) (pb.GCEConfidentialTechnology, error)
ParseGCENonHostInfo attempts to parse the Confidential VM technology used by a GCE VM from the GCE Non-Host info event. This data should come from a valid and verified EV_NONHOST_INFO event.
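The two GCE payload layouts described above (the 32-byte Non-Host info event and the UCS-2 SCRTM version string), decoded by hand as an added example; this is not the package's own code. The names parseNonHostInfo, parseFirmwareVersion and ucs2 are hypothetical, the inputs are constructed, and both functions assume the event data was already verified against the event log.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
)

// Added example: hypothetical helper names; layouts re-declared from the docs above.
var nonHostSig = []byte("GCE NonHostInfo\x00") // 16-byte signature

// ucs2 encodes an ASCII string as little-endian UCS-2, without a terminator.
func ucs2(s string) []byte {
	out := make([]byte, 0, 2*len(s))
	for i := 0; i < len(s); i++ {
		out = append(out, s[i], 0)
	}
	return out
}

// parseNonHostInfo checks the 32-byte layout and returns the raw byte after the signature.
func parseNonHostInfo(ev []byte) (byte, error) {
	if len(ev) != 32 || !bytes.Equal(ev[:16], nonHostSig) {
		return 0, errors.New("non-host info: bad length or signature")
	}
	return ev[16], nil
}

// parseFirmwareVersion extracts the integer from a UCS-2 SCRTM version string.
func parseFirmwareVersion(v []byte) (uint32, error) {
	p := ucs2("GCE Virtual Firmware v")
	if len(v)%2 != 0 || len(v) < len(p)+4 || !bytes.HasPrefix(v, p) || !bytes.HasSuffix(v, []byte{0, 0}) {
		return 0, errors.New("scrtm version: bad length, prefix or terminator")
	}
	var digits []byte
	for i := len(p); i < len(v)-2; i += 2 {
		if v[i] < '0' || v[i] > '9' || v[i+1] != 0 { // each code unit must be an ASCII digit
			return 0, errors.New("scrtm version: non-digit code unit")
		}
		digits = append(digits, v[i])
	}
	n, err := strconv.ParseUint(string(digits), 10, 32) // err is non-nil above uint32 range
	return uint32(n), err
}

func main() {
	fmt.Println(parseNonHostInfo(append([]byte("GCE NonHostInfo\x00"), make([]byte, 16)...))) // constructed
	fmt.Println(parseFirmwareVersion(append(ucs2("GCE Virtual Firmware v12"), 0, 0)))         // constructed
}
```

A terminator-only version string, which the page associates with firmware version 0, carries no prefix and is rejected by this example's parser, so a policy that admits such old VMs has to handle that case separately.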
Types
This section is empty.