attestation

package

v1.0.0 Latest Latest Go to latest Published: Feb 4, 2016 License: Apache-2.0, Apache-2.0, MIT Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/endocode/rkt

Documentation ¶

Index ¶

func AIKChallengeResponse(context *tspi.Context, aikblob []byte, asymchallenge []byte, ...) (secret []byte, err error)
func CreateAIK(context *tspi.Context) ([]byte, []byte, error)
func GenerateChallenge(context *tspi.Context, ekcert []byte, aikpub []byte, secret []byte) (asymenc []byte, symenc []byte, err error)
func GetEKCert(context *tspi.Context) (ekcert []byte, err error)
func QuoteVerify(data []byte, validation []byte, aikpub []byte, pcrvalues [][]byte, ...) error
func VerifyEKCert(ekcert []byte) error

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func AIKChallengeResponse ¶

func AIKChallengeResponse(context *tspi.Context, aikblob []byte, asymchallenge []byte, symchallenge []byte) (secret []byte, err error)

AIKChallengeResponse takes the output from GenerateChallenge along with the encrypted AIK key blob. The TPM then decrypts the asymmetric challenge with its EK in order to obtain the AES key, and uses the AES key to decrypt the symmetrically encrypted data. It verifies that this data blob corresponds to the AIK it was given, and if so hands back the secret contained within the symmetrically encrypted data.

func CreateAIK ¶

func CreateAIK(context *tspi.Context) ([]byte, []byte, error)

CreateAIK asks the TPM to generate an Attestation Identity Key. It returns the unencrypted public half of the AIK along with an encrypted blob containing both halves of the key, and any error.

func GenerateChallenge ¶

func GenerateChallenge(context *tspi.Context, ekcert []byte, aikpub []byte, secret []byte) (asymenc []byte, symenc []byte, err error)

GenerateChallenge takes a TSPI context, a copy of the EK certificate, the public half of the AIK to be challenged and a secret. It then symmetrically encrypts the secret with a randomly generated AES key and Asymmetrically encrypts the AES key with the public half of the EK. These can then be provided to the TPM in order to ensure that the AIK is under the control of the TPM. It returns the asymmetrically and symmetrically encrypted data, along with any error.

func GetEKCert ¶

func GetEKCert(context *tspi.Context) (ekcert []byte, err error)

GetEKCert reads the Endorsement Key certificate from the TPM's NVRAM and returns it, along with any error generated.

func QuoteVerify ¶

func QuoteVerify(data []byte, validation []byte, aikpub []byte, pcrvalues [][]byte, secret []byte) error

QuoteVerify verifies that a quote was genuinely provided by the TPM. It takes the quote data, quote validation blob, public half of the AIK, current PCR values and the nonce used in the original quote request. It then verifies that the validation block is a valid signature for the quote data, that the secrets are the same (in order to avoid replay attacks), and that the PCR values are the same. It returns an error if any stage of the validation fails.

func VerifyEKCert ¶

func VerifyEKCert(ekcert []byte) error

VerifyEKCert verifies that the provided EK certificate is signed by a trusted manufacturer.

Types ¶

This section is empty.

Source Files ¶

View all Source files

attestation.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL