tpm2

package
v0.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 19, 2019 License: Apache-2.0 Imports: 16 Imported by: 295

README

TPM 2.0 client library

Integration tests

tpm2_test.go contains integration tests that run against a real TPM device (emulated or hardware).

By default, running go test will skip them. To run the tests on a host with available TPM device, run

go test --tpm-path=/dev/tpm0

where /dev/tpm0 is path to a TPM character device or a Unix socket.

Tip: if your TPM host is remote and you don't want to install Go on it, use go test -c to compile a test binary. It can be copied to remote host and run without extra dependencies.

Documentation

Overview

Package tpm2 supports direct communication with a TPM 2.0 device under Linux.

Index

Constants

View Source 
const (
	HandleOwner tpmutil.Handle = 0x40000001 + iota
	HandleRevoke
	HandleTransport
	HandleOperator
	HandleAdmin
	HandleEK
	HandleNull
	HandleUnassigned
	HandlePasswordSession
	HandleLockout
	HandleEndorsement
	HandlePlatform
)

Reserved Handles.

View Source 
const (
	TagNull           tpmutil.Tag = 0x8000
	TagNoSessions     tpmutil.Tag = 0x8001
	TagSessions       tpmutil.Tag = 0x8002
	TagAttestCertify  tpmutil.Tag = 0x8017
	TagAttestQuote    tpmutil.Tag = 0x8018
	TagAttestCreation tpmutil.Tag = 0x801a
	TagHashCheck      tpmutil.Tag = 0x8024
)

TPM Structure Tags. Tags are used to disambiguate structures, similar to Alg values: tag value defines what kind of data lives in a nested field.

View Source 
const (
	CurveNISTP192 = EllipticCurve(iota + 1)
	CurveNISTP224
	CurveNISTP256
	CurveNISTP384
	CurveNISTP521

	CurveBNP256 = EllipticCurve(iota + 10)
	CurveBNP638

	CurveSM2P256 = EllipticCurve(0x0020)
)

ECC curves supported by TPM 2.0 spec.

View Source 
const (

	// CmdPolicySecret is a command code for TPM2_PolicySecret.
	// It's exported for computing of default AuthPolicy value.
	CmdPolicySecret tpmutil.Command = 0x00000151

	// CmdPolicyPCR is the command code for TPM2_PolicyPCR.
	// It's exported for computing AuthPolicy values for PCR-based sessions.
	CmdPolicyPCR tpmutil.Command = 0x0000017F
)

Supported TPM operations.

View Source 
const (
	RCInitialize      RCFmt0 = 0x00
	RCFailure                = 0x01
	RCSequence               = 0x03
	RCPrivate                = 0x0B
	RCHMAC                   = 0x19
	RCDisabled               = 0x20
	RCExclusive              = 0x21
	RCAuthType               = 0x24
	RCAuthMissing            = 0x25
	RCPolicy                 = 0x26
	RCPCR                    = 0x27
	RCPCRChanged             = 0x28
	RCUpgrade                = 0x2D
	RCTooManyContexts        = 0x2E
	RCAuthUnavailable        = 0x2F
	RCReboot                 = 0x30
	RCUnbalanced             = 0x31
	RCCommandSize            = 0x42
	RCCommandCode            = 0x43
	RCAuthSize               = 0x44
	RCAuthContext            = 0x45
	RCNVRange                = 0x46
	RCNVSize                 = 0x47
	RCNVLocked               = 0x48
	RCNVAuthorization        = 0x49
	RCNVUninitialized        = 0x4A
	RCNVSpace                = 0x4B
	RCNVDefined              = 0x4C
	RCBadContext             = 0x50
	RCCPHash                 = 0x51
	RCParent                 = 0x52
	RCNeedsTest              = 0x53
	RCNoResult               = 0x54
	RCSensitive              = 0x55
)

Format 0 error codes.

View Source 
const (
	RCAsymmetric   = 0x01
	RCAttributes   = 0x02
	RCHash         = 0x03
	RCValue        = 0x04
	RCHierarchy    = 0x05
	RCKeySize      = 0x07
	RCMGF          = 0x08
	RCMode         = 0x09
	RCType         = 0x0A
	RCHandle       = 0x0B
	RCKDF          = 0x0C
	RCRange        = 0x0D
	RCAuthFail     = 0x0E
	RCNonce        = 0x0F
	RCPP           = 0x10
	RCScheme       = 0x12
	RCSize         = 0x15
	RCSymmetric    = 0x16
	RCTag          = 0x17
	RCSelector     = 0x18
	RCInsufficient = 0x1A
	RCSignature    = 0x1B
	RCKey          = 0x1C
	RCPolicyFail   = 0x1D
	RCIntegrity    = 0x1F
	RCTicket       = 0x20
	RCReservedBits = 0x21
	RCBadAuth      = 0x22
	RCExpired      = 0x23
	RCPolicyCC     = 0x24
	RCBinding      = 0x25
	RCCurve        = 0x26
	RCECCPoint     = 0x27
)

Format 1 error codes.

View Source 
const (
	RCContextGap     RCWarn = 0x01
	RCObjectMemory          = 0x02
	RCSessionMemory         = 0x03
	RCMemory                = 0x04
	RCSessionHandles        = 0x05
	RCObjectHandles         = 0x06
	RCLocality              = 0x07
	RCYielded               = 0x08
	RCCanceled              = 0x09
	RCTesting               = 0x0A
	RCReferenceH0           = 0x10
	RCReferenceH1           = 0x11
	RCReferenceH2           = 0x12
	RCReferenceH3           = 0x13
	RCReferenceH4           = 0x14
	RCReferenceH5           = 0x15
	RCReferenceH6           = 0x16
	RCReferenceS0           = 0x18
	RCReferenceS1           = 0x19
	RCReferenceS2           = 0x1A
	RCReferenceS3           = 0x1B
	RCReferenceS4           = 0x1C
	RCReferenceS5           = 0x1D
	RCReferenceS6           = 0x1E
	RCNVRate                = 0x20
	RCLockout               = 0x21
	RCRetry                 = 0x22
	RCNVUnavailable         = 0x23
)

Warning codes.

Variables

View Source 
var EmptyAuth []byte

EmptyAuth represents the empty authorization value.

View Source 
var OpenTPM = tpmutil.OpenTPM

OpenTPM opens a channel to the TPM at the given path. If the file is a device, then it treats it like a normal TPM device, and if the file is a Unix domain socket, then it opens a connection to the socket.

Functions

func ActivateCredential 

func ActivateCredential(rw io.ReadWriter, activeHandle, keyHandle tpmutil.Handle, activePassword, protectorPassword string, credBlob, secret []byte) ([]byte, error)

ActivateCredential associates an object with a credential. Returns decrypted certificate information.

func ActivateCredentialUsingAuth 

func ActivateCredentialUsingAuth(rw io.ReadWriter, auth []AuthCommand, activeHandle, keyHandle tpmutil.Handle, credBlob, secret []byte) ([]byte, error)

ActivateCredentialUsingAuth associates an object with a credential, using the given set of authorizations. Two authorization must be provided. Returns decrypted certificate information.

func Certify 

func Certify(rw io.ReadWriter, parentAuth, ownerAuth string, object, signer tpmutil.Handle, qualifyingData []byte) ([]byte, []byte, error)

Certify generates a signature of a loaded TPM object with a signing key signer. Returned values are: attestation data (TPMS_ATTEST), signature and error, if any.

func CertifyCreation 

func CertifyCreation(rw io.ReadWriter, objectAuth string, object, signer tpmutil.Handle, qualifyingData, creationHash []byte, sigScheme SigScheme, creationTicket *Ticket) (attestation, signature []byte, err error)

CertifyCreation generates a signature of a newly-created & loaded TPM object, using signer as the signing key.

func ContextLoad 

func ContextLoad(rw io.ReadWriter, saveArea []byte) (tpmutil.Handle, error)

ContextLoad reloads context data created by ContextSave.

func ContextSave 

func ContextSave(rw io.ReadWriter, handle tpmutil.Handle) ([]byte, error)

ContextSave returns an encrypted version of the session, object or sequence context for storage outside of the TPM. The handle references context to store.

func CreateKey 

func CreateKey(rw io.ReadWriter, owner tpmutil.Handle, sel PCRSelection, parentPassword, ownerPassword string, pub Public) ([]byte, []byte, error)

CreateKey creates a new key pair under the owner handle. Returns private key and public key blobs.

func CreatePrimary 

func CreatePrimary(rw io.ReadWriter, owner tpmutil.Handle, sel PCRSelection, parentPassword, ownerPassword string, p Public) (tpmutil.Handle, crypto.PublicKey, error)

CreatePrimary initializes the primary key in a given hierarchy. The second return value is the public part of the generated key.

func CreatePrimaryRawTemplate 

func CreatePrimaryRawTemplate(rw io.ReadWriter, owner tpmutil.Handle, sel PCRSelection, parentPassword, ownerPassword string, public []byte) (tpmutil.Handle, crypto.PublicKey, error)

CreatePrimaryRawTemplate is CreatePrimary, but with the public template (TPMT_PUBLIC) provided pre-encoded. This is commonly used with key templates stored in NV RAM.

func EvictControl 

func EvictControl(rw io.ReadWriter, ownerAuth string, owner, objectHandle, persistentHandle tpmutil.Handle) error

EvictControl toggles persistence of an object within the TPM.

func FlushContext 

func FlushContext(rw io.ReadWriter, handle tpmutil.Handle) error

FlushContext removes an object or session under handle to be removed from the TPM. This must be called for any loaded handle to avoid out-of-memory errors in TPM.

func GetCapability 

func GetCapability(rw io.ReadWriter, capa Capability, count, property uint32) (vals []interface{}, moreData bool, err error)

GetCapability returns various information about the TPM state.

Currently only CapabilityHandles (list active handles) and CapabilityAlgs (list supported algorithms) are supported. CapabilityHandles will return a []tpmutil.Handle for vals, CapabilityAlgs will return []AlgorithmDescription.

moreData is true if the TPM indicated that more data is available. Follow the spec for the capability in question on how to query for more data.

func GetRandom 

func GetRandom(rw io.ReadWriter, size uint16) ([]byte, error)

GetRandom gets random bytes from the TPM.

func Hash 

func Hash(rw io.ReadWriter, alg Algorithm, buf []byte) ([]byte, error)

Hash computes a hash of data in buf using the TPM.

func KDFa 

func KDFa(hashAlg Algorithm, key []byte, label string, contextU, contextV []byte, bits int) ([]byte, error)

KDFa implements TPM 2.0's default key derivation function, as defined in section 11.4.9.2 of the TPM revision 2 specification part 1. See: https://trustedcomputinggroup.org/resource/tpm-library-specification/ The key & label parameters must not be zero length, but contextU & contextV may be. Only SHA1 & SHA256 hash algorithms are implemented at this time.

func Load 

func Load(rw io.ReadWriter, parentHandle tpmutil.Handle, parentAuth string, publicBlob, privateBlob []byte) (tpmutil.Handle, []byte, error)

Load loads public/private blobs into an object in the TPM. Returns loaded object handle and its name.

func LoadExternal 

func LoadExternal(rw io.ReadWriter, pub Public, private Private, hierarchy tpmutil.Handle) (tpmutil.Handle, []byte, error)

LoadExternal loads a public (and optionally a private) key into an object in the TPM. Returns loaded object handle and its name.

func MakeCredential 

func MakeCredential(rw io.ReadWriter, protectorHandle tpmutil.Handle, credential, activeName []byte) ([]byte, []byte, error)

MakeCredential creates an encrypted credential for use in MakeCredential. Returns encrypted credential and wrapped secret used to encrypt it.

func NVDefineSpace 

func NVDefineSpace(rw io.ReadWriter, owner, handle tpmutil.Handle, ownerAuth, authString string, policy []byte, attributes NVAttr, dataSize uint16) error

NVDefineSpace creates an index in TPM's NV storage.

func NVIncrement 

func NVIncrement(rw io.ReadWriter, handle tpmutil.Handle, authString string) error

NVIncrement increments a counter in NVRAM.

func NVRead 

func NVRead(rw io.ReadWriter, index tpmutil.Handle) ([]byte, error)

NVRead reads a full data blob from an NV index. This function is deprecated; use NVReadEx instead.

func NVReadEx 

func NVReadEx(rw io.ReadWriter, index, authHandle tpmutil.Handle, password string, blockSize int) ([]byte, error)

NVReadEx reads a full data blob from an NV index, using the given authorization handle. NVRead commands are done in blocks of blockSize. If blockSize is 0, the TPM is queried for TPM_PT_NV_BUFFER_MAX, and that value is used.

func NVUndefineSpace 

func NVUndefineSpace(rw io.ReadWriter, ownerAuth string, owner, index tpmutil.Handle) error

NVUndefineSpace removes an index from TPM's NV storage.

func NVWrite 

func NVWrite(rw io.ReadWriter, owner, handle tpmutil.Handle, authString string, data []byte, offset uint16) error

NVWrite writes data into the TPM's NV storage.

func PCREvent 

func PCREvent(rw io.ReadWriter, pcr tpmutil.Handle, eventData []byte) error

PCREvent writes an update to the specified PCR.

func PCRExtend 

func PCRExtend(rw io.ReadWriter, pcr tpmutil.Handle, hashAlg Algorithm, hash []byte, password string) error

PCRExtend extends a value into the selected PCR

func PolicyGetDigest 

func PolicyGetDigest(rw io.ReadWriter, handle tpmutil.Handle) ([]byte, error)

PolicyGetDigest returns the current policyDigest of the session.

func PolicyPCR 

func PolicyPCR(rw io.ReadWriter, session tpmutil.Handle, expectedDigest []byte, sel PCRSelection) error

PolicyPCR sets PCR state binding for authorization on a session.

func PolicyPassword 

func PolicyPassword(rw io.ReadWriter, handle tpmutil.Handle) error

PolicyPassword sets password authorization requirement on the object.

func ReadClock 

func ReadClock(rw io.ReadWriter) (uint64, uint64, error)

ReadClock returns current clock values from the TPM.

First return value is time in milliseconds since TPM was initialized (since system startup).

Second return value is time in milliseconds since TPM reset (since Storage Primary Seed is changed).

func ReadPCR 

func ReadPCR(rw io.ReadWriter, pcr int, hashAlg Algorithm) ([]byte, error)

ReadPCR reads the value of the given PCR.

func ReadPCRs 

func ReadPCRs(rw io.ReadWriter, sel PCRSelection) (map[int][]byte, error)

ReadPCRs reads PCR values from the TPM.

func Seal 

func Seal(rw io.ReadWriter, parentHandle tpmutil.Handle, parentPassword, objectPassword string, objectAuthPolicy []byte, sensitiveData []byte) ([]byte, []byte, error)

Seal creates a data blob object that seals the sensitive data under a parent and with a password and auth policy. Access to the parent must be available with a simple password. Returns private and public portions of the created object.

func Shutdown 

func Shutdown(rw io.ReadWriter, typ StartupType) error

Shutdown shuts down a TPM (usually done by the OS).

func StartAuthSession 

func StartAuthSession(rw io.ReadWriter, tpmKey, bindKey tpmutil.Handle, nonceCaller, secret []byte, se SessionType, sym, hashAlg Algorithm) (tpmutil.Handle, []byte, error)

StartAuthSession initializes a session object. Returns session handle and the initial nonce from the TPM.

func Startup 

func Startup(rw io.ReadWriter, typ StartupType) error

Startup initializes a TPM (usually done by the OS).

func Unseal 

func Unseal(rw io.ReadWriter, itemHandle tpmutil.Handle, password string) ([]byte, error)

Unseal returns the data for a loaded sealed object.

func UnsealWithSession 

func UnsealWithSession(rw io.ReadWriter, sessionHandle, itemHandle tpmutil.Handle, password string) ([]byte, error)

UnsealWithSession returns the data for a loaded sealed object.

Types

type Algorithm 

type Algorithm uint16

Algorithm represents a TPM_ALG_ID value. 

const (
	AlgUnknown   Algorithm = 0x0000
	AlgRSA       Algorithm = 0x0001
	AlgSHA1      Algorithm = 0x0004
	AlgAES       Algorithm = 0x0006
	AlgKeyedHash Algorithm = 0x0008
	AlgSHA256    Algorithm = 0x000B
	AlgSHA384    Algorithm = 0x000C
	AlgSHA512    Algorithm = 0x000D
	AlgNull      Algorithm = 0x0010
	AlgRSASSA    Algorithm = 0x0014
	AlgRSAES     Algorithm = 0x0015
	AlgRSAPSS    Algorithm = 0x0016
	AlgOAEP      Algorithm = 0x0017
	AlgECDSA     Algorithm = 0x0018
	AlgECDH      Algorithm = 0x0019
	AlgECDAA     Algorithm = 0x001A
	AlgKDF2      Algorithm = 0x0021
	AlgECC       Algorithm = 0x0023
	AlgCTR       Algorithm = 0x0040
	AlgOFB       Algorithm = 0x0041
	AlgCBC       Algorithm = 0x0042
	AlgCFB       Algorithm = 0x0043
	AlgECB       Algorithm = 0x0044
)

Supported Algorithms.

func (Algorithm) HashConstructor 

func (a Algorithm) HashConstructor() (func() hash.Hash, error)

HashConstructor returns a function that can be used to make a hash.Hash using the specified algorithm. An error is returned if the algorithm is not a hash algorithm.

func (Algorithm) IsNull 

func (a Algorithm) IsNull() bool

IsNull returns true if a is AlgNull or zero (unset).

func (Algorithm) UsesCount 

func (a Algorithm) UsesCount() bool

UsesCount returns true if a signature algorithm uses count value.

type AlgorithmAttributes 

type AlgorithmAttributes uint32

AlgorithmAttributes represents a TPMA_ALGORITHM value.

type AlgorithmDescription 

type AlgorithmDescription struct {
	ID         Algorithm
	Attributes AlgorithmAttributes
}

AlgorithmDescription represents a TPMS_ALGORITHM_DESCRIPTION structure.

type AttestationData 

type AttestationData struct {
	Magic                uint32
	Type                 tpmutil.Tag
	QualifiedSigner      Name
	ExtraData            []byte
	ClockInfo            ClockInfo
	FirmwareVersion      uint64
	AttestedCertifyInfo  *CertifyInfo
	AttestedQuoteInfo    *QuoteInfo
	AttestedCreationInfo *CreationInfo
}

AttestationData contains data attested by TPM commands (like Certify).

func DecodeAttestationData 

func DecodeAttestationData(in []byte) (*AttestationData, error)

DecodeAttestationData decode a TPMS_ATTEST message. No error is returned if the input has extra trailing data.

func (AttestationData) Encode 

func (ad AttestationData) Encode() ([]byte, error)

Encode serializes an AttestationData structure in TPM wire format.

type AuthCommand 

type AuthCommand struct {
	Session    tpmutil.Handle
	Nonce      []byte
	Attributes SessionAttributes
	Auth       []byte
}

AuthCommand represents a TPMS_AUTH_COMMAND. This structure encapsulates parameters which authorize the use of a given handle or parameter.

type Capability 

type Capability uint32

Capability identifies some TPM property or state type. 

const (
	CapabilityAlgs Capability = iota
	CapabilityHandles
	CapabilityCommands
	CapabilityPPCommands
	CapabilityAuditCommands
	CapabilityPCRs
	CapabilityTPMProperties
	CapabilityPCRProperties
	CapabilityECCCurves
	CapabilityAuthPolicies
)

TPM Capabilities.

type CertifyInfo 

type CertifyInfo struct {
	Name          Name
	QualifiedName Name
}

CertifyInfo contains Certify-specific data for TPMS_ATTEST.

type ClockInfo 

type ClockInfo struct {
	Clock        uint64
	ResetCount   uint32
	RestartCount uint32
	Safe         byte
}

ClockInfo contains TPM state info included in AttestationData.

type CreationData 

type CreationData struct {
	PCRSelection        PCRSelection
	PCRDigest           []byte
	Locality            byte
	ParentNameAlg       Algorithm
	ParentName          Name
	ParentQualifiedName Name
	OutsideInfo         []byte
}

CreationData describes the attributes and environment for an object created on the TPM. This structure encodes/decodes to/from TPMS_CREATION_DATA.

func DecodeCreationData 

func DecodeCreationData(buf []byte) (*CreationData, error)

DecodeCreationData decodes a TPMS_CREATION_DATA message. No error is returned if the input has extra trailing data.

type CreationInfo 

type CreationInfo struct {
	Name Name
	// Most TPM2B_Digest structures contain a TPMU_HA structure
	// and get parsed to HashValue. This is never the case for the
	// digest in TPMS_CREATION_INFO.
	OpaqueDigest []byte
}

CreationInfo contains Creation-specific data for TPMS_ATTEST.

type ECCParams 

type ECCParams struct {
	Symmetric *SymScheme
	Sign      *SigScheme
	CurveID   EllipticCurve
	KDF       *KDFScheme
	Point     ECPoint
}

ECCParams represents parameters of an ECC key pair.

Symmetric, Sign and KDF may be nil, depending on key Attributes in Public.

type ECPoint 

type ECPoint struct {
	X, Y *big.Int
}

ECPoint represents a ECC coordinates for a point.

type EllipticCurve 

type EllipticCurve uint16

EllipticCurve identifies specific EC curves.

type Error added in v0.1.1 

type Error struct {
	Code RCFmt0
}

Error is returned for all Format 0 errors from the TPM. It is used for general errors not specific to a parameter, handle or session.

func (Error) Error added in v0.1.1 

func (e Error) Error() string

type HandleError added in v0.1.1 

type HandleError struct {
	Code   RCFmt1
	Handle RCIndex
}

HandleError describes an error related to a handle, and the handle number.

func (HandleError) Error added in v0.1.1 

func (e HandleError) Error() string

type HandleType added in v0.1.1 

type HandleType uint8

HandleType defines a type of handle. 

const (
	HandleTypePCR           HandleType = 0x00
	HandleTypeNVIndex       HandleType = 0x01
	HandleTypeHMACSession   HandleType = 0x02
	HandleTypeLoadedSession HandleType = 0x02
	HandleTypePolicySession HandleType = 0x03
	HandleTypeSavedSession  HandleType = 0x03
	HandleTypePermanent     HandleType = 0x40
	HandleTypeTransient     HandleType = 0x80
	HandleTypePersistent    HandleType = 0x81
)

Supported handle types

type HashValue 

type HashValue struct {
	Alg   Algorithm
	Value []byte
}

HashValue is an algorithm-specific hash value.

func (HashValue) Encode 

func (hv HashValue) Encode() ([]byte, error)

Encode represents the given hash value as a TPMT_HA structure.

type IDObject 

type IDObject struct {
	IntegrityHMAC []byte
	EncIdentity   []byte
}

IDObject represents an encrypted credential bound to a TPM object.

func (*IDObject) Encode 

func (o *IDObject) Encode() ([]byte, error)

Encode packs the IDObject into a byte stream representing a TPM2B_ID_OBJECT.

type KDFScheme 

type KDFScheme struct {
	Alg  Algorithm
	Hash Algorithm
}

KDFScheme represents a KDF (Key Derivation Function) scheme.

type KeyProp 

type KeyProp uint32

KeyProp is a bitmask used in Attributes field of key templates. Individual flags should be OR-ed to form a full mask. 

const (
	FlagFixedTPM            KeyProp = 0x00000002
	FlagFixedParent         KeyProp = 0x00000010
	FlagSensitiveDataOrigin KeyProp = 0x00000020
	FlagUserWithAuth        KeyProp = 0x00000040
	FlagAdminWithPolicy     KeyProp = 0x00000080
	FlagNoDA                KeyProp = 0x00000400
	FlagRestricted          KeyProp = 0x00010000
	FlagDecrypt             KeyProp = 0x00020000
	FlagSign                KeyProp = 0x00040000

	FlagSealDefault   = FlagFixedTPM | FlagFixedParent
	FlagSignerDefault = FlagSign | FlagRestricted | FlagFixedTPM |
		FlagFixedParent | FlagSensitiveDataOrigin | FlagUserWithAuth
	FlagStorageDefault = FlagDecrypt | FlagRestricted | FlagFixedTPM |
		FlagFixedParent | FlagSensitiveDataOrigin | FlagUserWithAuth
)

Key properties.

type NVAttr added in v0.1.0 

type NVAttr uint32

NVAttr is a bitmask used in Attributes field of NV indexes. Individual flags should be OR-ed to form a full mask. 

const (
	AttrPPWrite        NVAttr = 0x00000001
	AttrOwnerWrite     NVAttr = 0x00000002
	AttrAuthWrite      NVAttr = 0x00000004
	AttrPolicyWrite    NVAttr = 0x00000008
	AttrPolicyDelete   NVAttr = 0x00000400
	AttrWriteLocked    NVAttr = 0x00000800
	AttrWriteAll       NVAttr = 0x00001000
	AttrWriteDefine    NVAttr = 0x00002000
	AttrWriteSTClear   NVAttr = 0x00004000
	AttrGlobalLock     NVAttr = 0x00008000
	AttrPPRead         NVAttr = 0x00010000
	AttrOwnerRead      NVAttr = 0x00020000
	AttrAuthRead       NVAttr = 0x00040000
	AttrPolicyRead     NVAttr = 0x00080000
	AttrNoDA           NVAttr = 0x02000000
	AttrOrderly        NVAttr = 0x04000000
	AttrClearSTClear   NVAttr = 0x08000000
	AttrReadLocked     NVAttr = 0x10000000
	AttrWritten        NVAttr = 0x20000000
	AttrPlatformCreate NVAttr = 0x40000000
	AttrReadSTClear    NVAttr = 0x80000000
)

NV Attributes

type NVPublic 

type NVPublic struct {
	NVIndex    tpmutil.Handle
	NameAlg    Algorithm
	Attributes KeyProp
	AuthPolicy []byte
	DataSize   uint16
}

NVPublic contains the public area of an NV index.

func NVReadPublic added in v0.1.0 

func NVReadPublic(rw io.ReadWriter, index tpmutil.Handle) (NVPublic, error)

NVReadPublic reads the public data of an NV index.

type Name 

type Name struct {
	Handle *tpmutil.Handle
	Digest *HashValue
}

Name contains a name for TPM entities. Only one of Handle/Digest should be set.

func (Name) MatchesPublic 

func (n Name) MatchesPublic(p Public) (bool, error)

MatchesPublic compares Digest in Name against given Public structure. Note: this only works for regular Names, not Qualified Names.

type PCRSelection 

type PCRSelection struct {
	Hash Algorithm
	PCRs []int
}

PCRSelection contains a slice of PCR indexes and a hash algorithm used in them.

type ParameterError added in v0.1.1 

type ParameterError struct {
	Code      RCFmt1
	Parameter RCIndex
}

ParameterError describes an error related to a parameter, and the parameter number.

func (ParameterError) Error added in v0.1.1 

func (e ParameterError) Error() string

type Private 

type Private struct {
	Type      Algorithm
	AuthValue []byte
	SeedValue []byte
	Sensitive []byte
}

Private contains private section of a TPM key.

func (Private) Encode 

func (p Private) Encode() ([]byte, error)

Encode serializes a Private structure in TPM wire format.

type PropertyTag 

type PropertyTag uint32

PropertyTag represents a TPM_PT value.

type Public 

type Public struct {
	Type       Algorithm
	NameAlg    Algorithm
	Attributes KeyProp
	AuthPolicy []byte

	// If Type is AlgKeyedHash, then do not set these.
	// Otherwise, only one of the Parameters fields should be set. When encoding/decoding,
	// one will be picked based on Type.
	RSAParameters *RSAParams
	ECCParameters *ECCParams
}

Public contains the public area of an object.

func DecodePublic 

func DecodePublic(buf []byte) (Public, error)

DecodePublic decodes a TPMT_PUBLIC message. No error is returned if the input has extra trailing data.

func ReadPublic 

func ReadPublic(rw io.ReadWriter, handle tpmutil.Handle) (Public, []byte, []byte, error)

ReadPublic reads the public part of the object under handle. Returns the public data, name and qualified name.

func (Public) Encode 

func (p Public) Encode() ([]byte, error)

Encode serializes a Public structure in TPM wire format.

type QuoteInfo 

type QuoteInfo struct {
	PCRSelection PCRSelection
	PCRDigest    []byte
}

QuoteInfo represents a TPMS_QUOTE_INFO structure.

type RCFmt0 added in v0.1.1 

type RCFmt0 uint8

RCFmt0 holds Format 0 error codes

type RCFmt1 added in v0.1.1 

type RCFmt1 uint8

RCFmt1 holds Format 1 error codes

type RCIndex added in v0.1.1 

type RCIndex uint8

RCIndex is used to reference arguments, handles and sessions in errors 

const (
	RC1 RCIndex = iota + 1
	RC2
	RC3
	RC4
	RC5
	RC6
	RC7
	RC8
	RC9
	RCA
	RCB
	RCC
	RCD
	RCE
	RCF
)

Indexes for arguments, handles and sessions.

type RCWarn added in v0.1.1 

type RCWarn uint8

RCWarn holds error codes used in warnings

type RSAParams 

type RSAParams struct {
	Symmetric *SymScheme
	Sign      *SigScheme
	KeyBits   uint16

	Exponent   uint32
	ModulusRaw []byte
	Modulus    *big.Int
	// contains filtered or unexported fields
}

RSAParams represents parameters of an RSA key pair.

Symmetric and Sign may be nil, depending on key Attributes in Public.

One of Modulus and ModulusRaw must always be non-nil. Modulus takes precedence. ModulusRaw is used for key templates where the field named "unique" must be a byte array of all zeroes.

type SessionAttributes 

type SessionAttributes byte

SessionAttributes represents an attribute of a session. 

const (
	AttrContinueSession SessionAttributes = 1 << iota
	AttrAuditExclusive
	AttrAuditReset

	AttrDecrypt
	AttrEcrypt
	AttrAudit
)

type SessionError added in v0.1.1 

type SessionError struct {
	Code    RCFmt1
	Session RCIndex
}

SessionError describes an error related to a session, and the session number.

func (SessionError) Error added in v0.1.1 

func (e SessionError) Error() string

type SessionType 

type SessionType uint8

SessionType defines the type of session created in StartAuthSession. 

const (
	SessionHMAC   SessionType = 0x00
	SessionPolicy SessionType = 0x01
	SessionTrial  SessionType = 0x03
)

Supported session types.

type SigScheme 

type SigScheme struct {
	Alg   Algorithm
	Hash  Algorithm
	Count uint32
}

SigScheme represents a signing scheme.

type Signature 

type Signature struct {
	Alg Algorithm
	RSA *SignatureRSA
	ECC *SignatureECC
}

Signature combines all possible signatures from RSA and ECC keys. Only one of RSA or ECC will be populated.

func Quote 

func Quote(rw io.ReadWriter, signingHandle tpmutil.Handle, parentPassword, ownerPassword string, toQuote []byte, sel PCRSelection, sigAlg Algorithm) ([]byte, *Signature, error)

Quote returns a quote of PCR values. A quote is a signature of the PCR values, created using a signing TPM key.

Returns attestation data and the signature.

Note: currently only RSA signatures are supported.

func Sign 

func Sign(rw io.ReadWriter, key tpmutil.Handle, password string, digest []byte, sigScheme *SigScheme) (*Signature, error)

Sign computes a signature for digest using a given loaded key. Signature algorithm depends on the key type.

type SignatureECC 

type SignatureECC struct {
	HashAlg Algorithm
	R       *big.Int
	S       *big.Int
}

SignatureECC is an ECC-specific signature value.

type SignatureRSA 

type SignatureRSA struct {
	HashAlg   Algorithm
	Signature []byte
}

SignatureRSA is an RSA-specific signature value.

type StartupType 

type StartupType uint16

StartupType instructs the TPM on how to handle its state during Shutdown or Startup. 

const (
	StartupClear StartupType = iota
	StartupState
)

Startup types

type SymScheme 

type SymScheme struct {
	Alg     Algorithm
	KeyBits uint16
	Mode    Algorithm
}

SymScheme represents a symmetric encryption scheme.

type TPMProp 

type TPMProp uint32

TPMProp represents the index of a TPM property in a call to GetCapability(). 

const (
	NVMaxBufferSize    TPMProp = 0x100 + 44
	PCRFirst           TPMProp = 0x00000000
	HMACSessionFirst   TPMProp = 0x02000000
	LoadedSessionFirst TPMProp = 0x02000000
	PolicySessionFirst TPMProp = 0x03000000
	ActiveSessionFirst TPMProp = 0x03000000
	TransientFirst     TPMProp = 0x80000000
	PersistentFirst    TPMProp = 0x81000000
	PersistentLast     TPMProp = 0x81FFFFFF
	PlatformPersistent TPMProp = 0x81800000
	NVIndexFirst       TPMProp = 0x01000000
	NVIndexLast        TPMProp = 0x01FFFFFF
	PermanentFirst     TPMProp = 0x40000000
	PermanentLast      TPMProp = 0x4000010F
)

TPM Capability Properties.

type TaggedProperty 

type TaggedProperty struct {
	Tag   PropertyTag
	Value uint32
}

TaggedProperty represents a TPMS_TAGGED_PROPERTY structure.

type Ticket 

type Ticket struct {
	Type      tpmutil.Tag
	Hierarchy uint32
	Digest    []byte
}

Ticket represents evidence the TPM previously processed information.

func CreatePrimaryEx 

func CreatePrimaryEx(rw io.ReadWriter, owner tpmutil.Handle, sel PCRSelection, parentPassword, ownerPassword string, pub Public) (keyHandle tpmutil.Handle, public, creationData, creationHash []byte, ticket *Ticket, creationName []byte, err error)

CreatePrimaryEx initializes the primary key in a given hierarchy. This function differs from CreatePrimary in that all response elements are returned, and they are returned in relatively raw form.

func PolicySecret 

func PolicySecret(rw io.ReadWriter, entityHandle tpmutil.Handle, entityAuth AuthCommand, policyHandle tpmutil.Handle, policyNonce, cpHash, policyRef []byte, expiry int32) (*Ticket, error)

PolicySecret sets a secret authorization requirement on the provided entity. If expiry is non-zero, the authorization is valid for expiry seconds.

type VendorError added in v0.1.1 

type VendorError struct {
	Code uint32
}

VendorError represents a vendor-specific error response. These types of responses are not decoded and Code contains the complete response code.

func (VendorError) Error added in v0.1.1 

func (e VendorError) Error() string

type Warning added in v0.1.1 

type Warning struct {
	Code RCWarn
}

Warning is typically used to report transient errors.

func (Warning) Error added in v0.1.1 

func (w Warning) Error() string

Source Files

View all Source files

Directories

Path Synopsis
Package credactivation implements generation of data blobs to be used when invoking the ActivateCredential command, on a TPM.
 Package credactivation implements generation of data blobs to be used when invoking the ActivateCredential command, on a TPM.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.