Documentation ¶
Index ¶
- Constants
- Variables
- func AESDecrypt(plaintext, ciphertext, key, iv []byte) error
- func AESEncrypt(ciphertext, plaintext, key, iv []byte) error
- func DecryptSecretWithEcdhKey(log *base.LogObject, X, Y *big.Int, edgeNodeCert *types.EdgeNodeCert, ...) error
- func EncryptDecryptUsingTpm(in []byte, encrypt bool) ([]byte, error)
- func FetchSealedVaultKey(log *base.LogObject) ([]byte, error)
- func FetchTpmHwInfo() (string, error)
- func FetchTpmSwStatus() info.HwSecurityModuleStatus
- func FetchVaultKey(log *base.LogObject) ([]byte, error)
- func GetDevicePrivateKey() (*ecdsa.PrivateKey, error)
- func GetFirmwareVersion(v1 uint32, v2 uint32) string
- func GetModelName(vendorValue1 uint32, vendorValue2 uint32) string
- func GetPrivateKeyFromFile(keyFile string) (*ecdsa.PrivateKey, error)
- func GetPublicKeyFromCert(certFile string) (crypto.PublicKey, error)
- func GetRandom(numBytes uint16) ([]byte, error)
- func GetTpmProperty(propID tpm2.TPMProp) (uint32, error)
- func IsTpmEnabled() bool
- func PCRBankSHA256Enabled() bool
- func PolicyPCRSession(rw io.ReadWriteCloser, pcrSel tpm2.PCRSelection) (tpmutil.Handle, []byte, error)
- func ReadOwnerCrdl() (string, error)
- func SealDiskKey(log *base.LogObject, key []byte, pcrSel tpm2.PCRSelection) error
- func SetDevicePublicKey(pubkey crypto.PublicKey)
- func SetECDHPrivateKeyFile(filename string)
- func Sha256FromECPoint(X, Y *big.Int, pubKey *ecdsa.PublicKey) ([32]byte, error)
- func TpmSign(digest []byte) (*big.Int, *big.Int, error)
- func UnsealDiskKey(pcrSel tpm2.PCRSelection) ([]byte, error)
- func WipeOutStaleSealedKeyIfAny() error
- type PCRBank256Status
- type SealedKeyType
- type TpmPrivateKey
Constants ¶
// TPM handles, file names and limits used by this package.
// The 0x81xxxxxx values below fall in the TPM 2.0 persistent-handle range and
// the 0x01xxxxxx values (written here without the leading zero) fall in the
// NV-index range.
const (
	// TpmPasswdHdl is the well known TPM NVIndex for TPM Credentials
	TpmPasswdHdl tpmutil.Handle = 0x1600000
	// TpmEKHdl is the well known TPM permanent handle for Endorsement key
	TpmEKHdl tpmutil.Handle = 0x81000001
	// TpmSRKHdl is the well known TPM permanent handle for Storage key
	TpmSRKHdl tpmutil.Handle = 0x81000002
	// TpmAKHdl is the well known TPM permanent handle for AIK key
	TpmAKHdl tpmutil.Handle = 0x81000003
	// TpmQuoteKeyHdl is the well known TPM permanent handle for PCR Quote signing key
	TpmQuoteKeyHdl tpmutil.Handle = 0x81000004
	// TpmEcdhKeyHdl is the well known TPM permanent handle for ECDH key
	TpmEcdhKeyHdl tpmutil.Handle = 0x81000005
	// TpmDeviceKeyHdl is the well known TPM permanent handle for device key
	TpmDeviceKeyHdl tpmutil.Handle = 0x817FFFFF
	// TpmCredentialsFileName is the file that holds the dynamically created TPM credentials
	TpmCredentialsFileName = types.IdentityDirname + "/tpm_credential"
	// MaxPasswdLength is the max length allowed for a TPM password
	// NOTE(review): a 7-character cap bounds the entropy of the credential;
	// confirm how the credential is generated and what else protects the
	// objects it authorizes (for example TPM lockout settings).
	MaxPasswdLength = 7 // limit TPM password to this length
	// TpmDiskKeyHdl is the handle for constructing disk encryption key
	TpmDiskKeyHdl tpmutil.Handle = 0x1700000
	// TpmDeviceCertHdl is the well known TPM NVIndex for device cert
	TpmDeviceCertHdl tpmutil.Handle = 0x1500000
	// TpmSealedDiskPrivHdl is the handle for constructing disk encryption key
	// NOTE(review): same description as TpmDiskKeyHdl and TpmSealedDiskPubHdl;
	// presumably this one holds the private part of the sealed object — confirm.
	TpmSealedDiskPrivHdl tpmutil.Handle = 0x1800000
	// TpmSealedDiskPubHdl is the handle for constructing disk encryption key
	// NOTE(review): presumably holds the public part of the sealed object — confirm.
	TpmSealedDiskPubHdl tpmutil.Handle = 0x1900000
	// EmptyPassword is an empty string
	EmptyPassword = ""
)
Variables ¶
// Package-level settings. They are variables rather than constants so that
// tests can override them.
// NOTE(review): as exported variables they can be reassigned by any importing
// package; production code presumably leaves them at these defaults — confirm.
var (
	// EcdhKeyFile is the location of the ecdh private key
	// on devices without a TPM. It is not a constant due to test usage
	// NOTE(review): on such devices the private key is file-based rather than
	// TPM-protected; confirm that access to this path is restricted.
	EcdhKeyFile = types.CertificateDirname + "/ecdh.key.pem"
	// DiskKeySealingPCRs represents PCRs that we use for sealing:
	// the SHA256 bank, PCRs 0-4, 6-9, 13 and 14. PCRs 5 and 10-12 are not
	// part of the selection.
	DiskKeySealingPCRs = tpm2.PCRSelection{Hash: tpm2.AlgSHA256, PCRs: []int{0, 1, 2, 3, 4, 6, 7, 8, 9, 13, 14}}
	// TpmDevicePath is the TPM device file path, it is not a constant due to
	// test usage.
	TpmDevicePath = "/dev/tpmrm0"
)
Functions ¶
func AESDecrypt ¶
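AESDecrypt decrypts ciphertext into plaintext using the given key and initialization vector (iv). It uses AES in CFB mode. CFB mode does not authenticate the ciphertext, so callers that need integrity must verify it separately.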
func AESEncrypt ¶
AESEncrypt encrypts plaintext into ciphertext using the given key and initialization vector (iv). It uses AES in CFB mode. The iv must not be reused with the same key.
func DecryptSecretWithEcdhKey ¶
func DecryptSecretWithEcdhKey(log *base.LogObject, X, Y *big.Int, edgeNodeCert *types.EdgeNodeCert, iv, ciphertext, plaintext []byte) error
DecryptSecretWithEcdhKey recovers plaintext from the given ciphertext. X, Y are the Z point coordinates in the Elliptic Curve Diffie-Hellman (ECDH) exchange. edgeNodeCert points to the certificate that the Controller used to calculate the shared secret. iv is the Initial Value used in the ECDH exchange. Sha256FromECPoint() is used as the KDF on the shared secret, and the derived key is used in AESDecrypt() to apply the cipher to ciphertext and recover plaintext.
func EncryptDecryptUsingTpm ¶
EncryptDecryptUsingTpm uses an AES key to encrypt or decrypt a given secret. The AES key is derived from a seed, which is in turn derived from the device certificate and the ECDH private key, which is protected inside the TPM. In other words, to decrypt the secret successfully, one needs to be on the same device.
func FetchSealedVaultKey ¶
FetchSealedVaultKey fetches Vault key sealed into TPM2.0
func FetchTpmHwInfo ¶
FetchTpmHwInfo returns TPM Hardware properties in a string
func FetchTpmSwStatus ¶
func FetchTpmSwStatus() info.HwSecurityModuleStatus
FetchTpmSwStatus returns states reflecting SW usage of TPM
func FetchVaultKey ¶
FetchVaultKey retrieves TPM part of the vault key
func GetDevicePrivateKey ¶
func GetDevicePrivateKey() (*ecdsa.PrivateKey, error)
GetDevicePrivateKey is for a device with no TPM; it gets the file-based device key.
func GetFirmwareVersion ¶
GetFirmwareVersion converts v1, v2 values from TPM properties to string
func GetModelName ¶
GetModelName combines vendor1 and vendor2 values into a string
func GetPrivateKeyFromFile ¶
func GetPrivateKeyFromFile(keyFile string) (*ecdsa.PrivateKey, error)
GetPrivateKeyFromFile reads a private key file on a device with no TPM
func GetPublicKeyFromCert ¶
GetPublicKeyFromCert gets the public key from an X.509 cert
func GetTpmProperty ¶
GetTpmProperty fetches a given property id, and returns it as uint32
func IsTpmEnabled ¶
func IsTpmEnabled() bool
IsTpmEnabled checks if the TPM is being used by software for creating the device cert. Note that this must not be called before the device certificate has been generated.
func PCRBankSHA256Enabled ¶
func PCRBankSHA256Enabled() bool
PCRBankSHA256Enabled checks if SHA256 PCR Bank is enabled
func PolicyPCRSession ¶
func PolicyPCRSession(rw io.ReadWriteCloser, pcrSel tpm2.PCRSelection) (tpmutil.Handle, []byte, error)
PolicyPCRSession prepares TPM2 Auth Policy session, with PCR as the policy
func ReadOwnerCrdl ¶
ReadOwnerCrdl returns credential specific to this device
func SealDiskKey ¶
SealDiskKey seals key into TPM2.0, with provided PCRs
func SetDevicePublicKey ¶
SetDevicePublicKey is needed for the self-signed bootstrap
func SetECDHPrivateKeyFile ¶
func SetECDHPrivateKeyFile(filename string)
SetECDHPrivateKeyFile is used by tpmmgr_test.go
func Sha256FromECPoint ¶
Sha256FromECPoint is the key derivation function (KDF) applied to the ECDH shared secret; it returns a 32-byte value.
func UnsealDiskKey ¶
func UnsealDiskKey(pcrSel tpm2.PCRSelection) ([]byte, error)
UnsealDiskKey unseals key from TPM2.0
func WipeOutStaleSealedKeyIfAny ¶
func WipeOutStaleSealedKeyIfAny() error
WipeOutStaleSealedKeyIfAny checks and deletes sealed vault key
Types ¶
type PCRBank256Status ¶
type PCRBank256Status uint32
PCRBank256Status stores info about support for SHA256 PCR bank on this device
// Values of PCRBank256Status, numbered from 0 in declaration order.
const (
	// PCRBank256StatusUnknown is the zero value (0).
	PCRBank256StatusUnknown PCRBank256Status = iota + 0
	// PCRBank256StatusSupported has the value 1.
	PCRBank256StatusSupported
	// PCRBank256StatusNotSupported has the value 2.
	PCRBank256StatusNotSupported
)
Different values for PCRBank256Status
type SealedKeyType ¶
type SealedKeyType uint32
SealedKeyType holds different types of sealed key defined below
// Values of SealedKeyType, numbered from 0 in declaration order.
const (
	SealedKeyTypeUnknown SealedKeyType = iota + 0 // Invalid
	SealedKeyTypeReused                           // Sealed key is cloned from legacy key
	SealedKeyTypeNew                              // Sealed key is not cloned from legacy key
	// NOTE(review): in this state the legacy key is in use instead of a sealed
	// key, so the key is presumably not bound to the sealing PCRs — confirm,
	// and consider alerting when this value is logged.
	SealedKeyTypeUnprotected // Sealed key is not available, using legacy key
)
Different sealed key types, for logging purposes
func CompareLegacyandSealedKey ¶
func CompareLegacyandSealedKey() SealedKeyType
CompareLegacyandSealedKey compares legacy and sealed keys to record if we are using a new key for sealed vault
func (SealedKeyType) String ¶
func (s SealedKeyType) String() string
String returns verbose string for SealedKeyType value
type TpmPrivateKey ¶
TpmPrivateKey is a custom implementation of the crypto.PrivateKey interface
func (TpmPrivateKey) Public ¶
func (s TpmPrivateKey) Public() crypto.PublicKey
Public implements the crypto.PrivateKey interface (its signature matches the Public method of crypto.Signer)
func (TpmPrivateKey) Sign ¶
func (s TpmPrivateKey) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
Sign implements the crypto.PrivateKey interface (its signature matches the Sign method of crypto.Signer)