go-tpm-tools

module
v0.4.4
Published: Mar 29, 2024 License: Apache-2.0, BSD-3-Clause

README

Go-TPM tools

The go-tpm-tools module is a TPM 2.0 support library designed to complement Go-TPM.

It contains the following public packages:

  • client: A Go package providing simplified abstractions and utility functions for interacting with a TPM 2.0, including:
    • Signing
    • Attestation
    • Reading PCRs
    • Sealing/Unsealing data
    • Importing Data and Keys
    • Reading NVData
    • Getting the TCG Event Log
  • server: A Go package providing functionality for a remote server to send, receive, and interpret TPM 2.0 data. None of the functions in this package issue TPM commands; instead they handle:
    • TCG Event Log parsing
    • Attestation verification
    • Creating data for Importing into a TPM
  • proto: Common Protocol Buffer messages that are exchanged between the client and server libraries. This package also contains helper methods for validating these messages.
  • simulator: Go bindings to Microsoft's TPM 2.0 simulator.

This repository also contains gotpm, a command line tool for using the TPM. Run gotpm --help and gotpm <command> --help for more documentation.

Use prebuilt gotpm binary

You can download the binary from a release directly.

# VERSION: 0.4.4 ARCH: Linux_x86_64
curl -L https://github.com/google/go-tpm-tools/releases/download/[VERSION]/go-tpm-tools_[ARCH].tar.gz -o go-tpm-tools.tar.gz
tar xvf go-tpm-tools.tar.gz
# You may need to copy the binary to a directory with executable permissions.
# NOTE: on Container-Optimized OS, /var/lib/google/ is executable
./gotpm --help

Building and Installing gotpm

gotpm can be directly installed from this repo by running:

go install github.com/google/go-tpm-tools/cmd/gotpm@latest
# gotpm will be installed to $GOBIN
gotpm --help

Alternatively, to build gotpm from a cloned version of this repo, run:

cd /my/path/to/cloned/go-tpm-tools/cmd/gotpm
go build
# gotpm will be in the cmd/gotpm subdirectory of the repo
./gotpm --help

Minimum Required Go Version

This project currently requires Go 1.20 or newer. Any update to the minimum required Go version will be released as a minor version update.

openssl errors when building simulator

When building the simulator library (or tests), you may get an error that looks like:

fatal error: openssl/aes.h: No such file or directory
   47 | // #include <openssl/aes.h>
      |           ^~~~~~~~~~~~~~~~
compilation terminated.

This is because the simulator library depends on having the OpenSSL headers installed. To fix this error, install the appropriate header package:

Linux

# Ubuntu/Debian based systems
sudo apt install libssl-dev
# Redhat/Centos based systems
sudo yum install openssl-devel
# Arch Linux (headers/library in the same package)
sudo pacman -S openssl

macOS

First, install Homebrew. Then run:

brew install openssl

Windows

First, install Chocolatey. Then run:

choco install openssl

Custom install location

If you want to use a different installation of OpenSSL, or you are getting linker errors like ld: library not found for -lcrypto, you can point Go directly at your installation. We will assume your installation is located at $OPENSSL_PATH (with lib and include subdirectories).

Add OpenSSL to the include and library path at the command line

This solution does not require modifying go-tpm-tools code and is useful when working on other projects that depend on go-tpm-tools/simulator.

C_INCLUDE_PATH="$OPENSSL_PATH/include" LIBRARY_PATH="$OPENSSL_PATH/lib" go test ...

Add OpenSSL to the include and library path in the code

This solution modifies your local copy of the go-tpm-tools simulator source and removes the need to provide the paths on the command line.

Modify the CFLAGS/LDFLAGS options beginning with #cgo darwin or #cgo windows in simulator/internal/internal.go to point at your installation. This could look something like:

// #cgo darwin CFLAGS: -I $OPENSSL_PATH/include
// #cgo darwin LDFLAGS: -L $OPENSSL_PATH/lib

Remember to revert your modifications to simulator/internal/internal.go before committing your changes.
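
The command-line approach above fails with the same two errors if $OPENSSL_PATH does not actually contain the header and the library. The following preflight check is an added example, not part of go-tpm-tools; the function names check_openssl_path and with_openssl_path and the list of libcrypto file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from go-tpm-tools): verify a custom OpenSSL location
# before handing it to cgo through C_INCLUDE_PATH / LIBRARY_PATH.

# check_openssl_path DIR
# Explains the missing piece on stderr and returns:
#   0  header and libcrypto found
#   1  DIR is empty or not a directory
#   2  include/openssl/aes.h missing ("openssl/aes.h: No such file or directory")
#   3  no libcrypto under lib/       ("library not found for -lcrypto")
check_openssl_path() {
    dir=$1
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "OPENSSL_PATH is unset or not a directory: '$dir'" >&2
        return 1
    fi
    if [ ! -f "$dir/include/openssl/aes.h" ]; then
        echo "missing header: $dir/include/openssl/aes.h" >&2
        return 2
    fi
    # Assumed file names: shared (.so*, .dylib) or static (.a) libcrypto.
    for lib in "$dir"/lib/libcrypto.so* "$dir"/lib/libcrypto.dylib \
               "$dir"/lib/libcrypto.a; do
        [ -e "$lib" ] && return 0
    done
    echo "no libcrypto found under $dir/lib" >&2
    return 3
}

# with_openssl_path DIR CMD...
# Runs CMD with the two variables set as shown above, but only when the
# check passes, so a bad path fails early with a specific message.
with_openssl_path() {
    dir=$1
    shift
    check_openssl_path "$dir" || return $?
    C_INCLUDE_PATH="$dir/include" LIBRARY_PATH="$dir/lib" "$@"
}

# Usage: with_openssl_path "$OPENSSL_PATH" go test ...
```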

No TPM 1.2 support

Unlike Go-TPM (which supports TPM 1.2 and TPM 2.0), this module explicitly only supports TPM 2.0. Users should avoid use of TPM 1.2 due to the inherent reliance on SHA1 (which is quite broken).

Confidential VMs with Intel TDX

For Ubuntu images, the tdx_guest module was moved to the linux-modules-extra package in the 1016 and newer kernels. You should be able to install the module, and either manually load the module or reboot.

To install the linux-modules-extra package, run:

sudo apt-get install linux-modules-extra-gcp

To manually load the module, run:

sudo modprobe tdx_guest

Copyright 2018 Google Inc. under the Apache 2.0 License. Microsoft's TPM simulator code is licensed under a 3-clause BSD license and the TCG software license. See the LICENSE file for more information.

This is not an official Google product.

Directories

Path Synopsis
Package cel contains some basic operations of Canonical Eventlog.
Package client contains some high-level TPM 2.0 functions.
cmd module
Package internal contains private helper functions needed in client and server
test
Package test provides helper methods for testing.
util
Package util provides helper functions to prepare materials for talking to attestation verifiers.
launcher module
Package proto contains protocol buffers that are exchanged between the client and server.
tpm
Package server contains functions to be run on a server (no TPM needed), as opposed to a client (with TPM).
Package simulator provides a go interface to the Microsoft TPM2 simulator.
internal
Package internal provides low-level bindings to the Microsoft TPM2 simulator.
Package verifier contains clients for various attestation verifiers.
fake
Package fake is a fake implementation of the Client interface for testing.
oci
Package oci contains functionalities to interact with OCI image signatures.
oci/cosign
Package cosign contains functionalities to interact with signatures generated by cosign.
rest
Package rest contains the code to use the REST-based Google API
