Documentation ¶
Index ¶
Constants ¶
const ( // TPMOrgPersistentMin is the minimum handle SKS will use for persistent, // evicted objects. TPMOrgPersistentMin tpmutil.Handle = 0x8101fb00 // TPMOrgSRKHandle is the handle where the organization root key is // persisted. TPMOrgSRKHandle = TPMOrgPersistentMin + iota )
Variables ¶
var DefaultEKAuthPolicy = []byte{
0x83, 0x71, 0x97, 0x67, 0x44, 0x84,
0xB3, 0xF8, 0x1A, 0x90, 0xCC, 0x8D,
0x46, 0xA5, 0xD7, 0x24, 0xFD, 0x52,
0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14,
0x69, 0xAA,
}
DefaultEKAuthPolicy is the default auth policy for an Endorsement Key. See https://trustedcomputinggroup.org/resource/tcg-ek-credential-profile-for-tpm-family-2-0/ for details.
Functions ¶
func DefaultECCEKParameters ¶
DefaultECCEKParameters generates the default ECC parameters for use when generating an ECC Endorsement Key. See section 2.1.5.2 of https://fburl.com/tpmcredentialprofileekv14 for details. NOTE: Modifying these parameters will modify any primary key generated using them. Modify this function at your own peril.
func DefaultECCEKTemplate ¶
DefaultECCEKTemplate generates a default template for use when generating an ECC key. This template is suitable for use generating an organization Endorsement Key for a user. See section 2.1.5.2 of https://fburl.com/tpmcredentialprofileekv14 for details on the TSS standard ECC EK template, but note this differs. NOTE: Modifying this template will modify any primary key generated using it. Modify this function at your own peril.
func DefaultECCKeyTemplate ¶
DefaultECCKeyTemplate is the default template to use when generating an ECC signing key for general use. NOTE: Modifying this template will modify any primary key generated using it. Modify this function at your own peril.
Types ¶
type CryptoKey ¶
type CryptoKey interface { // GetHandle returns the handle to the key in the TPM. GetHandle() tpmutil.Handle // GetLoadedHandle returns the handle to the key in the TPM when loaded. // This differs from GetHandle; GetHandle is for the persistent handle of // the key in the TPM, GetLoadedHandle is for the handle where the key may // actually be used and may be 0 if the key is not loaded for use. GetLoadedHandle() tpmutil.Handle // SetLoadedHandle provides a way to set the TPM handle the key is currently // loaded at. Set to 0 to indicate the key is not loaded. SetLoadedHandle(handle tpmutil.Handle) // Close empties a key's fields to make it invalid for future use. Close() error // IsEmpty determines if a TPMKey is empty (has no usable key data). // Currently this only means the public area is empty. IsEmpty() bool // GetECPublicKey extracts the ECC public key parameters from the key's // public area and returns it to you. If this is not an ECC key, this // will return an error. GetECPublicKey() (*utils.ECCPublicKey, error) // GetPublicArea returns the key's public area. GetPublicArea() tpm2.Public // GetPublicBytes returns the raw bytes of the key's public area. // This may return nil if an error occurs. GetPublicBytes() []byte // GetPrivateArea returns the key's private area. This is not guaranteed to // be available, in which case the returned tpm2.Private struct will be // empty. GetPrivateArea() tpm2.Private // GetPrivateBytes returns the raw bytes of the key's private area. This is // not guaranteed to be available. GetPrivateBytes() []byte // FillKeyData provides a way to fill in key data not directly filled in // when a key is generated. FillKeyData(publicBytes, privateBytes, creationData, keyName []byte) error }
CryptoKey defines the interface any representation of a key to be used with the TPM must implement.
type Cryptoprocessor ¶
type Cryptoprocessor interface { // Initialize instantiates a new connection to the TPM. Initialize() error // CloseTPM shuts down a TPM session. This should always be called right // before the process exist. After calling `Close()`, calls to the TPM will // fail and you must fetch a new Cryptoprocessor instance. Close() error // FlushKey removes a key from TPM transient storage. FlushKey(key CryptoKey, closeKey bool) error // GenKeyPair generates a key pair given a label and a tag. The public key // is returned as X and Y in ASN.1 DER format. GenKeyPair(keyID string) ([]byte, error) // GetSecureHardwareVendorData gets vendor specific information from the secure // hardware implementation available for a given device GetSecureHardwareVendorData() (*attest.SecureHardwareVendorData, error) // FindPubKey looks for a key with the specified label and tag and return // the public key, as X and Y in ASN.1 DER format. FindPubKey(keyID string) ([]byte, error) // DeleteKey deletes a key from TPM persistent storage DeleteKey(keyID string) error // GetOrgRootKey fetches the organization root key, creating a new one if // needed. // Having the organization root key requires a primary key, but primary keys // cannot be stored. Fortunately, primary keys are generated using the // hierarchy seed, so the same template used to generate a key in the same // hierarchy will always generate the same key. And since we're using ECC // keys, generation is extremely fast. // This function wraps the logic of generating the primary key, loading the // organization root key if it exists (generating it if not) and returning // the organization root key. // NOTE: The organization root key will be loaded into the TPM ready for // use. This handle IS NOT FLUSHED AUTOMATICALLY! It is the responsibility // of the caller to flush the handle as early as possible. GetOrgRootKey() (CryptoKey, error) // GenerateKey generates a key in the TPM. Set persistentHandle to 0 if you // don't want the key persisted (it will not be evicted to persistent TPM // storage and the handle won't be recorded anywhere). keyID is ignored if // persistentHandle is 0. When parent is a hierarchy, both keyID and // persistentHandle are ignored. If you want to use the default template // (see templates.go; DefaultECCEKTemplate for the primary key and // DefaultECCKeyTemplate for other keys) set template to nil, or pass the // template to use. GenerateKey(parent tpmutil.Handle, keyID string, persistentHandle tpmutil.Handle, template *tpm2.Public) (CryptoKey, error) // LoadKey loads the key with the specified keyID, generating it if it // doesn't exist. The key will be loaded into the TPM ready to use. Set // persistentHandle to the handle the key should be persisted to if it // doesn't exist, and parentHandle to the parent to generate the key under // if it doesn't exist. To specify a specific template to use when // generating keys, use the template parameter. If set to nil, the default // key template will be used. // NOTE: Handles ARE NOT FLUSHED AUTOMATICALLY! It is the caller's // responsibility to flush these handles as early as possible. LoadKey(keyID string, parentHandle, persistentHandle tpmutil.Handle, template *tpm2.Public) (CryptoKey, error) // LoadDiskKey unmarshals a key from disk storage and returns it. An error is // returned for error conditions. Running a TPM simulator or not finding a key // in the database are not error conditions, callers should interpret a nil key // and error as a signal to generate a new key. LoadDiskKey(keyID string) (CryptoKey, error) // SignWithKey gets the key with the specified keyID and tag and signs the // provided data with it. The caller is expected to have hashed the data // and pass the digest here. The signature is returned in ASN.1 DER format // with only the R and S values. SignWithKey(keyID string, digest []byte) ([]byte, error) // AttestKey performs a TPM 2.0 handshake and attests the provided TPM key AttestKey(keyID string, attestor attest.Attestor) (*attest.Resp, error) }
Cryptoprocessor defines the interface to anything handling crypto operations for us. This could be a TPM, or for devices without a TPM it could be local storage with the crypto handled in code.
func GetCryptoprocessor ¶
func GetCryptoprocessor(path string) (Cryptoprocessor, error)
GetCryptoprocessor handles the logic of determining whether to use a physical TPM, on-disk implementation, or software implementation. Set `path` to the absolute path of the TPM device or the unix socket to interface with. Unless you have a good reason, this should be set to `/dev/tpmrm0`.
type KeyHandler ¶
type KeyHandler struct {
// contains filtered or unexported fields
}
KeyHandler stores mapping between key label and key handle.
func NewKeyHandler ¶
func NewKeyHandler(handles map[string]tpmutil.Handle) KeyHandler
NewKeyHandler returns an instance of KeyHandler.
func (*KeyHandler) Get ¶
Get returns handle for given keyID if present, otherwise return next available handle and callback which should be called after tpm key initialization. success indicates whether tpm key initialization was successful or not.
func (*KeyHandler) Remove ¶
func (h *KeyHandler) Remove(keyID string) func(success bool)
Remove deletes handle with given keyID from KeyHandler if present.