Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ( App *app.App InitParams *app.AppInitParams )
View Source
var ClearCmd = &cobra.Command{ Use: "clear", Short: "TPM2_Clear", Long: `This command removes all TPM context associated with a specific Owner. The clear operation will: • flush resident objects (persistent and volatile) in the Storage and Endorsement hierarchies; • delete any NV Index with TPMA_NV_PLATFORMCREATE == CLEAR; • change the storage primary seed (SPS) to a new value from the TPM’s random number generator (RNG), • change shProof and ehProof, NOTE 1 The proof values are permitted to be set from the RNG or derived from the associated new Primary Seed. If derived from the Primary Seeds, the derivation of ehProof shall use both the SPS and EPS. The computation shall use the SPS as an HMAC key and the derived value may then be a parameter in a second HMAC in which the EPS is the HMAC key. The reference design uses values from the RNG. • SET shEnable and ehEnable; • set ownerAuth, endorsementAuth, and lockoutAuth to the Empty Buffer; • set ownerPolicy, endorsementPolicy, and lockoutPolicy to the Empty Buffer; • set Clock to zero; • set resetCount to zero; • set restartCount to zero; and • set Safe to YES. • increment pcrUpdateCounter This command requires Platform Authorization or Lockout Authorization. If TPM2_ClearControl() has disabled this command, the TPM shall return TPM_RC_DISABLED. If this command is authorized using lockoutAuth, the HMAC in the response shall use the new lockoutAuth value (that is, the Empty Buffer) when computing the response HMAC. See TPM 2.0 Part 3: Commands - Section 24.6: TPM2_Clear https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-3-Commands.pdf `, Run: func(cmd *cobra.Command, args []string) { if clrForce { deviceName := filepath.Base(clrDevicePath) file := fmt.Sprintf("/sys/class/tpm/%s/ppi/request", deviceName) err := os.WriteFile(file, []byte("5"), os.ModePerm) if err != nil { color.New(color.FgRed).Println(err) return } color.New(color.FgGreen).Println("Success, press any key to reboot...") prompt.NoOpPrompt() syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART) return } App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } switch strings.ToLower(clrHierarchy) { case "e": err = App.TPM.Clear(InitParams.SOPin, tpm2.TPMRHEndorsement) case "o": err = App.TPM.Clear(InitParams.SOPin, tpm2.TPMRHOwner) case "l": err = App.TPM.Clear(InitParams.SOPin, tpm2.TPMRHLockout) } if err != nil { color.New(color.FgRed).Println(err) return } color.New(color.FgGreen).Printf("TPM successfully cleared") }, }
View Source
var EKCmd = &cobra.Command{ Use: "ek [action]", Short: "TPM 2.0 Endorsement Key Operations", Long: `Perform operations on a TPM 2.0 Endorsement Key`, Run: func(cmd *cobra.Command, args []string) { App, err = App.Init(InitParams) if err != nil { if err != tpm2.ErrNotInitialized { cmd.PrintErrln(err) return } } soPIN := keystore.NewClearPassword(InitParams.SOPin) keyAlg := x509.RSA template := libtpm2.RSASRKTemplate if ekECC { keyAlg = x509.ECDSA template = libtpm2.ECCSRKTemplate } if !ekRSA && !ekECC { fmt.Println("No algorithm flags, defaulting to RSA...") } handleType := libtpm2.TPMHTTransient if ekPersistent { handleType = libtpm2.TPMHTPersistent } var passwd keystore.Password if len(ekPassword) > 0 { passwd = keystore.NewClearPassword([]byte(ekPassword)) } ekAttrs := &keystore.KeyAttributes{ CN: ekCN, Password: passwd, KeyAlgorithm: keyAlg, KeyType: keystore.KEY_TYPE_ENDORSEMENT, PlatformPolicy: ekPolicy, TPMAttributes: &keystore.TPMAttributes{ Handle: libtpm2.TPMHandle(ekHandle), HandleType: handleType, Hierarchy: libtpm2.TPMRHEndorsement, HierarchyAuth: soPIN, Template: template, }, } if len(args) == 0 { keyAttrs, err := App.TPM.KeyAttributes(libtpm2.TPMHandle(ekHandle)) if err != nil { cmd.PrintErrln(err) return } keyAttrs.TPMAttributes.HandleType = libtpm2.TPMHTPersistent cmd.Println(keyAttrs) pem, err := keystore.EncodePEM(keyAttrs.TPMAttributes.PublicKeyBytes) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(pem)) return } switch args[0] { case "certificate": cert, err := App.TPM.EKCertificate() if err != nil { cmd.PrintErrln(err) return } pem, err := certstore.EncodePEM(cert.Raw) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(pem)) case "create-key": err := App.TPM.CreateEK(ekAttrs) if err != nil { cmd.PrintErrln(err) return } pem, err := keystore.EncodePEM(ekAttrs.TPMAttributes.PublicKeyBytes) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(pem)) case "delete-key": name, _, err := App.TPM.ReadHandle(libtpm2.TPMHandle(ekHandle)) ekAttrs.TPMAttributes.Name = name if err != nil { cmd.PrintErrln(err) return } if err := App.TPM.DeleteKey(ekAttrs, nil); err != nil { cmd.PrintErrln(err) return } case "import-certificate": cert, err := App.ImportEndorsementKeyCertificate() if err != nil { cmd.PrintErrln(err) return } pem, err := certstore.EncodePEM(cert.Raw) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(pem)) default: cmd.Help() return } }, }
View Source
var EventLogCmd = &cobra.Command{ Use: "eventlog", Short: "Dumps the local binary_bios_measurements log", Long: `Dumps the TPM system measurement log. Read permissions are required to the measurement file (/sys/kernel/security/tpm0/binary_bios_measurements).`, Run: func(cmd *cobra.Command, args []string) { events, err := tpm2.ParseEventLog(tpmEventLogPath) if err != nil { color.New(color.FgRed).Println(err) return } tpm2.PrintEvents(events) }, }
View Source
var InfoCmd = &cobra.Command{ Use: "info", Short: "Retrieve TPM 2.0 general information", Long: `Display TPM 2.0 Endorsement Public Key in PEM form`, Run: func(cmd *cobra.Command, args []string) { if _, err := App.Init(InitParams); err != nil { App.Logger.Error(err) cmd.PrintErrln(err) return } info, err := App.TPM.Info() if err != nil { cmd.PrintErrln(err) return } cmd.Println(info) }, }
View Source
var ProvisionCmd = &cobra.Command{ Use: "provision", Short: "Provision Trusted Platform Module", Long: `Provisions a Trusted Platform Module in alignment with the TCG provisioning guidance.`, Run: func(cmd *cobra.Command, args []string) { InitParams.Initialize = true App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } ekAttrs, err := App.TPM.EKAttributes() if err != nil { cmd.PrintErrln(err) return } cmd.Println(ekAttrs) ssrkAttrs, err := App.TPM.SSRKAttributes() if err != nil { cmd.PrintErrln(err) return } cmd.Println(ssrkAttrs) iakAttrs, err := App.TPM.IAKAttributes() if err != nil { cmd.PrintErrln(err) return } cmd.Println(iakAttrs) }, }
View Source
var SRKCmd = &cobra.Command{ Use: "srk [action]", Short: "TPM 2.0 Storage Root Key Operations", Long: `Perform operations on a TPM 2.0 Storage Root Key`, Run: func(cmd *cobra.Command, args []string) { App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } soPIN := keystore.NewClearPassword(InitParams.SOPin) keyAlg := x509.RSA template := tpm2.RSASRKTemplate if srkECDSA { keyAlg = x509.ECDSA template = tpm2.ECCSRKTemplate } if !srkRSA && !srkECDSA { fmt.Println("No algorithm flags, defaulting to RSA...") } handleType := tpm2.TPMHTTransient if srkPersistent { handleType = tpm2.TPMHTPersistent } // Set SRK password var passwd keystore.Password if len(srkPassword) > 0 { passwd = keystore.NewClearPassword([]byte(srkPassword)) } ekAttrs, err := App.TPM.KeyAttributes(tpm2.TPMHandle(srkParentHandle)) if err != nil { color.New(color.FgRed).Println(err) return } ekAttrs.KeyType = keystore.KEY_TYPE_ENDORSEMENT ekAttrs.Password = keystore.NewClearPassword([]byte(srkParentPassword)) keyAttrs := &keystore.KeyAttributes{ CN: srkCN, KeyAlgorithm: keyAlg, KeyType: keystore.KEY_TYPE_STORAGE, Parent: ekAttrs, Password: passwd, PlatformPolicy: srkPolicy, StoreType: keystore.STORE_TPM2, TPMAttributes: &keystore.TPMAttributes{ Handle: tpm2.TPMHandle(srkHandle), HandleType: handleType, Hierarchy: tpm2.TPMRHOwner, HierarchyAuth: soPIN, Template: template, }, } if len(args) == 0 { persistedKeyAttrs, err := App.TPM.KeyAttributes(tpm2.TPMHandle(srkHandle)) if err != nil { color.New(color.FgRed).Println(err) return } keyAttrs.TPMAttributes = persistedKeyAttrs.TPMAttributes cmd.Println(keyAttrs) pem, err := keystore.EncodePEM(keyAttrs.TPMAttributes.PublicKeyBytes) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(pem)) return } switch args[0] { case "create-key": err := App.TPM.CreateSRK(keyAttrs) if err != nil { cmd.PrintErrln(err) return } pem, err := keystore.EncodePEM(keyAttrs.TPMAttributes.PublicKeyBytes) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(pem)) case "delete-key": name, _, err := App.TPM.ReadHandle(tpm2.TPMHandle(srkHandle)) keyAttrs.KeyType = keystore.KEY_TYPE_STORAGE keyAttrs.TPMAttributes.Name = name if err != nil { cmd.PrintErrln(err) return } if err := App.TPM.DeleteKey(keyAttrs, nil); err != nil { cmd.PrintErrln(err) return } default: cmd.Help() return } }, }
View Source
var SealCmd = &cobra.Command{ Use: "seal [cn] [secret]", Short: "Seal a secret to the TPM", Long: `Seals a secret to a TPM keyed hash object`, Args: cobra.MinimumNArgs(1), Run: func(cmd *cobra.Command, args []string) { App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } cn := args[0] var secret []byte var size int64 stdin := os.Stdin fi, err := stdin.Stat() if err == nil { goto SEAL } size = fi.Size() if size > 0 { reader := bufio.NewReader(os.Stdin) text, err := reader.ReadString('\n') if err != nil { cmd.PrintErrln(err) return } secret = []byte(strings.TrimSpace(text)) } SEAL: if len(args) > 1 { secret = []byte(args[1]) } var passwd, parentPasswd keystore.Password if len(slParentPassword) > 0 { parentPasswd = keystore.NewClearPassword([]byte(slParentPassword)) } if len(slPassword) > 0 { passwd = keystore.NewClearPassword([]byte(slPassword)) } keyAttrs, _ := keystore.Template(x509.RSA) keyAttrs.CN = cn keyAttrs.KeyAlgorithm = x509.PublicKeyAlgorithm(tpm2.TPMAlgKeyedHash) keyAttrs.KeyType = keystore.KEY_TYPE_HMAC keyAttrs.Password = passwd keyAttrs.Parent = &keystore.KeyAttributes{ Password: parentPasswd, PlatformPolicy: slParentPolicy, TPMAttributes: &keystore.TPMAttributes{ Handle: tpm2.TPMHandle(slParentHandle), HandleType: tpm2.TPMHTTransient, Hierarchy: tpm2.TPMRHOwner, HierarchyAuth: keystore.NewClearPassword(InitParams.SOPin), }, } keyAttrs.PlatformPolicy = slPolicy keyAttrs.Secret = keystore.NewClearPassword(secret) keyAttrs.StoreType = keystore.STORE_TPM2 if _, err := App.TPM.Seal(keyAttrs, nil, slOverwrite); err != nil { cmd.PrintErrln(err) } }, }
View Source
var UnsealCmd = &cobra.Command{ Use: "unseal [cn]", Short: "Unseal a secret sealed to the TPM", Long: `Unseal a secret sealed to a TPM keyed hash object`, Args: cobra.MinimumNArgs(1), Run: func(cmd *cobra.Command, args []string) { App, err = App.Init(InitParams) if err != nil { cmd.PrintErrln(err) return } cn := args[0] var passwd, parentPasswd keystore.Password if len(slParentPassword) > 0 { parentPasswd = keystore.NewClearPassword([]byte(slParentPassword)) } if len(slPassword) > 0 { passwd = keystore.NewClearPassword([]byte(slPassword)) } srkAttrs := App.PlatformKS.SRKAttributes() if parentPasswd != nil { srkAttrs.Password = parentPasswd } srkAttrs.PlatformPolicy = slParentPolicy srkAttrs.TPMAttributes.HierarchyAuth = keystore.NewClearPassword(InitParams.SOPin) keyAttrs, _ := keystore.Template(x509.RSA) keyAttrs.CN = cn keyAttrs.KeyAlgorithm = x509.PublicKeyAlgorithm(tpm2.TPMAlgKeyedHash) keyAttrs.KeyType = keystore.KEY_TYPE_HMAC keyAttrs.Parent = srkAttrs keyAttrs.Password = passwd keyAttrs.PlatformPolicy = slPolicy keyAttrs.StoreType = keystore.STORE_TPM2 secret, err := App.TPM.Unseal(keyAttrs, nil) if err != nil { cmd.PrintErrln(err) return } cmd.Println(string(secret)) }, }
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
Click to show internal directories.
Click to hide internal directories.