Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ( App *app.App TPM tpm2.TrustedPlatformModule CAParams *ca.CAParams InitParams *app.AppInitParams )
View Source
var DestroyCmd = &cobra.Command{ Use: "destroy", Short: "Destroy the platform", Long: `This command deletes all platform data, including TPM keys, Certificate Authority keys, certifiates, secrets, and blob storage. A TPM2_Clear command is sent to the TPM, restoring it to the TPM manufacturer and OEM factory settings.`, Run: func(cmd *cobra.Command, args []string) { prompt.PrintBanner(app.Version) App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } fmt.Println("") color.Red( "Are you sure you want to delete all platform data?\n" + "This operation can not be reversed!") fmt.Println("") fmt.Printf("Platform Data: %s\n", App.PlatformDir) fmt.Println("") answer := prompt.Prompt("Delete platform data? (y/n)") YorN := strings.ToLower(strings.TrimSpace(string(answer))) App.Logger.Info(YorN) if YorN == "y" { lockoutAuth := prompt.PasswordPrompt("Lockout Hierarchy Password") endorsementAuth := prompt.PasswordPrompt("Endorsement Hierarchy Password") ownerAuth := prompt.PasswordPrompt("Owner Hierarchy Password") if err := App.FS.RemoveAll(App.PlatformDir); err != nil { App.Logger.Errorf("Failed to delete platform data") cmd.PrintErrln(err) return } App.Logger.Info("Platform data successfully destroyed") if App.TPM == nil { App.Logger.Fatal("TPM not initialized") } else { if err := App.TPM.Clear(lockoutAuth, tpm2.TPMRHLockout); err != nil { App.Logger.Errorf("Failed to clear Lockout hierarchy") cmd.PrintErrln(err) return } if err := App.TPM.Clear(endorsementAuth, tpm2.TPMRHEndorsement); err != nil { App.Logger.Errorf("Failed to clear Endorsement hierarchy") cmd.PrintErrln(err) return } if err := App.TPM.Clear(ownerAuth, tpm2.TPMRHOwner); err != nil { App.Logger.Errorf("Failed to clear Owner hierarchy") cmd.PrintErrln(err) return } App.Logger.Info("TPM 2.0 successfully cleared") } } }, }
View Source
var InstallCmd = &cobra.Command{ Use: "install", Short: "Safely provisions the platform", Long: `Perform a modified version of the TCG recommended provisioning guidance procedure, intended for platforms with a pre-provisioned TPM, either from the TPM Manufacturer or Owner. Instead of clearing the hierarchies, setting hierarchy authorizations and provisioning new keys and certificates from scratch, this operation will use pre-existing EK, Shared SRK and IAK keys and certificates if they already exist. The Security Officer PIN is required and used as Endorsement and Storage hierarchy authorization values during installation. This operation is safe and idempotent, and will not modify or destroy existing data.`, Run: func(cmd *cobra.Command, args []string) { var soPIN, userPIN keystore.Password if App.CA == nil { soPIN, userPIN, err = App.ParsePINs(InitParams.SOPin, InitParams.Pin) if err != nil { App.Logger.Error(err) cmd.PrintErrln(err) return } } App.OpenTPM(false) if err := App.TPM.Install(soPIN); err != nil { if err == tpm2.ErrEndorsementCertNotFound { if App.CA == nil { if _, err := App.InitCA(soPIN, userPIN, InitParams); err != nil { cmd.PrintErrln(err) return } } cert, err := App.ImportEndorsementKeyCertificate() if err != nil { cmd.PrintErrln(err) return } pem, err := certstore.EncodePEM(cert.Raw) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(pem)) } else { cmd.PrintErrln(err) return } } }, }
View Source
var KeyringCmd = &cobra.Command{ Use: "keyring [action] [cn] [store] [algorithm]", Short: "Keyring operations", Long: `Perform keyring operations`, Args: cobra.MinimumNArgs(3), PreRunE: func(cmd *cobra.Command, args []string) error { if len(args) > 4 { cmd.Help() os.Exit(0) } return nil }, Run: func(cmd *cobra.Command, args []string) { App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } action := args[0] cn := args[1] store := args[2] algorithm := args[3] storeType, err := keystore.ParseStoreType(store) if err != nil { cmd.PrintErrln(err) return } keyAlg, err := keystore.ParseKeyAlgorithm(algorithm) if err != nil { cmd.PrintErrln(err) return } var keyType keystore.KeyType if krCA { keyType = keystore.KEY_TYPE_CA } if krTLS { keyType = keystore.KEY_TYPE_TLS } if krHMAC || !krCA && !krTLS && !krHMAC { keyType = keystore.KEY_TYPE_HMAC } parentHandle := tpm2.TPMHandle(krParentHandle) parentAttrs, err := App.TPM.KeyAttributes(parentHandle) if err != nil { cmd.PrintErrln(err) return } if InitParams.SOPin != nil { parentAttrs.TPMAttributes.HierarchyAuth = keystore.NewClearPassword([]byte(InitParams.SOPin)) } if krParentPassword != "" { parentAttrs.Password = keystore.NewClearPassword([]byte(krParentPassword)) } parentAttrs.PlatformPolicy = krParentPolicy keyAttrs := &keystore.KeyAttributes{ CN: cn, StoreType: storeType, KeyAlgorithm: keyAlg, KeyType: keyType, Parent: parentAttrs, PlatformPolicy: krParentPolicy, } if krPassword != "" { keyAttrs.Password = keystore.NewClearPassword([]byte(krPassword)) } switch action { case "generate": opaqueKey, err := App.PlatformKS.GenerateKey(keyAttrs) if err != nil { cmd.PrintErrln(err) return } der, err := x509.MarshalPKIXPublicKey(opaqueKey.Public()) if err != nil { cmd.PrintErrln(err) return } pem, err := keystore.EncodePEM(der) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(pem)) case "delete": err := App.PlatformKS.Delete(keyAttrs) if err != nil { cmd.PrintErrln(err) return } default: opaqueKey, err := App.PlatformKS.Key(keyAttrs) if err != nil { cmd.PrintErrln(err) return } der, err := x509.MarshalPKIXPublicKey(opaqueKey.Public()) if err != nil { cmd.PrintErrln(err) return } pem, err := keystore.EncodePEM(der) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(pem)) } }, }
View Source
var PasswordCmd = &cobra.Command{ Use: "password", Short: "Retrieves a sealed password", Long: `Performs a TPM password unseal operation on the requested key.`, Run: func(cmd *cobra.Command, args []string) { App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } if err := App.OpenTPM(InitParams.Initialize); err != nil { App.Logger.FatalError(err) } store, err := keystore.ParseStoreType(storeType) if err != nil { App.Logger.FatalError(err) } keyAlg, err := keystore.ParseKeyAlgorithm(algorithm) if err != nil { App.Logger.FatalError(err) } srkAttrs := App.PlatformKS.SRKAttributes() if authValue != "" { srkAttrs.Password = keystore.NewClearPassword([]byte(authValue)) } keyAttrs := &keystore.KeyAttributes{ CN: cn, KeyAlgorithm: keyAlg, Parent: srkAttrs, PlatformPolicy: policy, KeyType: keystore.KEY_TYPE_HMAC, StoreType: store, } password, err := App.TPM.Unseal(keyAttrs, nil) if err != nil { App.Logger.FatalError(err) } fmt.Println(string(password)) }, }
View Source
var PolicyCmd = &cobra.Command{ Use: "policy [action]", Short: "Platform PCR policy operations", Long: `Perform platform PCR policy operations.`, Run: func(cmd *cobra.Command, args []string) { App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } var digestHash []byte var err error if len(args) == 0 { digestHash, err = App.TPM.PlatformPolicyDigestHash() if err != nil { cmd.PrintErrln(err) return } cmd.Printf("Hash: %x\n", digestHash) return } switch args[0] { case "create": if err := App.TPM.CreatePlatformPolicy(); err != nil { cmd.PrintErrln(err) return } digestHash, err = App.TPM.PlatformPolicyDigestHash() if err != nil { cmd.PrintErrln(err) return } case "session": session, closer, err := App.TPM.PlatformPolicySession() if err != nil { cmd.PrintErrln(err) return } defer closer() digestHash, err = App.TPM.PlatformPolicyDigestHash() if err != nil { cmd.PrintErrln(err) return } pgd, err := tpm2.PolicyGetDigest{ PolicySession: session.Handle(), }.Execute(App.TPM.Transport()) cmd.Printf("PolicyDigest.Buffer: %x\n", pgd.PolicyDigest.Buffer) cmd.Printf("Hash: %x\n", digestHash) } }, }
View Source
var ProvisionCmd = &cobra.Command{ Use: "provision", Short: "Performs initial platform provisioning", Long: `Initializes the platform by establishing an initial Security Officer whose credentials are used to take ownership of the TPM and key stores. The TPM is provisioned per TCG recommended guidance, with an EK and SRK persisted to their recommended storage hierarchy handle indexes. Key stores, services and components referenced in the platform configuration file are initialized.`, Run: func(cmd *cobra.Command, args []string) { prompt.PrintBanner(app.Version) InitParams.Initialize = true App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } props, err := App.TPM.FixedProperties() if err != nil { cmd.PrintErrln(err) return } cmd.Println("TPM Information") cmd.Printf("Manufacturer: %s\n", props.Manufacturer) cmd.Printf("Vendor ID: %s\n", props.VendorID) cmd.Printf("Family: %s\n", props.Family) cmd.Printf("Revision: %s\n", props.Revision) cmd.Printf("Firmware: %d.%d\n", props.FwMajor, props.FwMinor) cmd.Printf("FIPS 140-2: %t\n", props.Fips1402) }, }
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
Click to show internal directories.
Click to hide internal directories.