From ef181aa8d8afc1e8c04fbfae04c1da771ea4900e Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Wed, 10 May 2023 01:14:50 +0200 Subject: [PATCH 01/18] Remove key prefix and some cleanup --- attest/application_key.go | 12 ++++-------- attest/attest.go | 10 ++-------- attest/tpm.go | 13 ++----------- attest/tpm_windows.go | 14 ++------------ 4 files changed, 10 insertions(+), 39 deletions(-) diff --git a/attest/application_key.go b/attest/application_key.go index 3f07c9d2..daf7ec84 100644 --- a/attest/application_key.go +++ b/attest/application_key.go @@ -72,17 +72,13 @@ type KeyConfig struct { // Size is used to specify the bit size of the key or elliptic curve. For // example, '256' is used to specify curve P-256. Size int - + // QualifyingData is data provided from outside to the TPM when an attestation + // operation is performed. The TPM doesn't interpret the data, but does sign over + // it. It can be used as a nonce to ensure freshness of an attestation. QualifyingData []byte - // Name is used to specify a name for the key, instead of generating - // a random one. If provided, the Prefix will be ignored. This property - // is only used on Windows. + // a random one. This property is only used on Windows. Name string - - // Prefix is used to specify a custom prefix for the key, instead of - // using the default `app`. This property is only used on Windows. - Prefix string } // defaultConfig is used when no other configuration is specified. diff --git a/attest/attest.go b/attest/attest.go index a7d6d8d9..f4728949 100644 --- a/attest/attest.go +++ b/attest/attest.go @@ -161,17 +161,11 @@ func (k *AK) Blobs() (pub, priv []byte, err error) { return k.ak.blobs() } -// AKConfig encapsulates parameters for minting keys. This type is defined -// now (despite being empty) for future interface compatibility. +// AKConfig encapsulates parameters for minting keys. type AKConfig struct { // Name is used to specify a name for the key, instead of generating - // a random one. If provided, the Prefix will be ignored. This property - // is only used on Windows. + // a random one. This property is only used on Windows. Name string - - // Prefix is used to specify a custom prefix for the key, instead of - // using the default `app`. This property is only used on Windows. - Prefix string } // EncryptedCredential represents encrypted parameters which must be activated diff --git a/attest/tpm.go b/attest/tpm.go index 24bb5fc5..53594c9e 100644 --- a/attest/tpm.go +++ b/attest/tpm.go @@ -22,7 +22,6 @@ import ( "encoding/asn1" "encoding/base64" "encoding/binary" - "errors" "fmt" "io" "strings" @@ -373,16 +372,8 @@ func (t *TPM) NewKey(ak *AK, opts *KeyConfig) (*Key, error) { opts = defaultConfig } if opts.Algorithm == "" && opts.Size == 0 { - opts = defaultConfig - } - // if _, ok := t.tpm.(*windowsTPM); !ok && opts.Name != "" { - // return nil, errors.New("providing a key name is only supported with Windows TPMs") - // } - // if _, ok := t.tpm.(*windowsTPM); !ok && opts.Prefix != "" { - // return nil, errors.New("providing a key prefix is only supported with Windows TPMs") - // } - if opts.Name != "" && opts.Prefix != "" { - return nil, errors.New("key prefix and name are incompatible") + opts.Algorithm = defaultConfig.Algorithm + opts.Size = defaultConfig.Size } return t.tpm.newKey(ak, opts) } diff --git a/attest/tpm_windows.go b/attest/tpm_windows.go index 84454b2a..e3ab2ea1 100644 --- a/attest/tpm_windows.go +++ b/attest/tpm_windows.go @@ -531,17 +531,12 @@ func getKeyName(config *KeyConfig) (string, error) { return config.Name, nil } - prefix := "app" - if config.Prefix != "" { - prefix = config.Prefix - } - nameHex := make([]byte, 5) if n, err := rand.Read(nameHex); err != nil || n != len(nameHex) { return "", fmt.Errorf("rand.Read() failed with %d/%d bytes read and error: %v", n, len(nameHex), err) } - return fmt.Sprintf("%s-%x", prefix, nameHex), nil + return fmt.Sprintf("app-%x", nameHex), nil } func getAKName(config *AKConfig) (string, error) { @@ -549,15 +544,10 @@ func getAKName(config *AKConfig) (string, error) { return config.Name, nil } - prefix := "ak" - if config.Prefix != "" { - prefix = config.Prefix - } - nameHex := make([]byte, 5) if n, err := rand.Read(nameHex); err != nil || n != len(nameHex) { return "", fmt.Errorf("rand.Read() failed with %d/%d bytes read and error: %v", n, len(nameHex), err) } - return fmt.Sprintf("%s-%x", prefix, nameHex), nil + return fmt.Sprintf("ak-%x", nameHex), nil } From 1f9c436d579a66e2dd28d8088e1684f1e45d2d57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mart=C3=ADnez?= Date: Mon, 15 May 2023 14:33:57 +0000 Subject: [PATCH 02/18] Parse TCG_PCR_EVENT2 structures with an eventSize of 0 --- attest/eventlog.go | 3 --- attest/eventlog_test.go | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 3 deletions(-) diff --git a/attest/eventlog.go b/attest/eventlog.go index bb267b30..766a96fd 100644 --- a/attest/eventlog.go +++ b/attest/eventlog.go @@ -751,9 +751,6 @@ func parseRawEvent2(r *bytes.Buffer, specID *specIDEvent) (event rawEvent, err e if err = binary.Read(r, binary.LittleEndian, &eventSize); err != nil { return event, err } - if eventSize == 0 { - return event, errors.New("event data size is 0") - } if eventSize > uint32(r.Len()) { return event, &eventSizeErr{eventSize, r.Len()} } diff --git a/attest/eventlog_test.go b/attest/eventlog_test.go index c6a04ac8..4d2c9a1c 100644 --- a/attest/eventlog_test.go +++ b/attest/eventlog_test.go @@ -174,6 +174,43 @@ func TestParseEventLogEventSizeZero(t *testing.T) { } } +func TestParseEventLog2EventSizeZero(t *testing.T) { + data := []byte{ + // PCR index + 0x0, 0x0, 0x0, 0x0, + + // type + 0x7, 0x0, 0x0, 0x0, + + // number of digests + 0x1, 0x0, 0x0, 0x0, + + // algorithm + 0xb, 0x0, + + // Digest + 0xc8, 0xe3, 0x88, 0xb4, 0x79, 0x12, 0x86, 0x0c, + 0x66, 0xa1, 0x5d, 0xad, 0xc4, 0x34, 0xf5, 0xdf, + 0x73, 0x6c, 0x3a, 0xb4, 0xbe, 0x52, 0x07, 0x08, + 0xdf, 0xac, 0x48, 0x2d, 0x71, 0xce, 0xa0, 0x73, + + // Event size (0 B) + 0x0, 0x0, 0x0, 0x0, + + // no "event data" + } + + specID := &specIDEvent{ + algs: []specAlgSize{ + {ID: uint16(tpm2.AlgSHA256), Size: 32}, + }, + } + + if _, err := parseRawEvent2(bytes.NewBuffer(data), specID); err != nil { + t.Fatalf("parsing event log: %v", err) + } +} + func TestParseShortNoAction(t *testing.T) { // https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientSpecPlat_TPM_2p0_1p04_pub.pdf#page=110 // says: "For EV_NO_ACTION events other than the EFI Specification ID event From 3ef3949b469f67134f378dce34188cb85bec3823 Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Fri, 14 Apr 2023 09:15:37 +0100 Subject: [PATCH 03/18] Fix comments referring to `.Serialize()` instead of `.Marshal()` --- attest/tpm.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/attest/tpm.go b/attest/tpm.go index 9adf955e..13057bf4 100644 --- a/attest/tpm.go +++ b/attest/tpm.go @@ -330,7 +330,7 @@ func (t *TPM) Info() (*TPMInfo, error) { // LoadAK loads a previously-created ak into the TPM for use. // A key loaded via this function needs to be closed with .Close(). -// Only blobs generated by calling AK.Serialize() are valid parameters +// Only blobs generated by calling AK.Marshal() are valid parameters // to this function. func (t *TPM) LoadAK(opaqueBlob []byte) (*AK, error) { return t.tpm.loadAK(opaqueBlob) @@ -373,7 +373,7 @@ func (t *TPM) NewKey(ak *AK, opts *KeyConfig) (*Key, error) { // LoadKey loads a previously-created application key into the TPM for use. // A key loaded via this function needs to be closed with .Close(). -// Only blobs generated by calling Key.Serialize() are valid parameters +// Only blobs generated by calling Key.Marshal() are valid parameters // to this function. func (t *TPM) LoadKey(opaqueBlob []byte) (*Key, error) { return t.tpm.loadKey(opaqueBlob) From 10dd5f7a058b80a999a6fd2bdd67d1e80470558b Mon Sep 17 00:00:00 2001 From: Brandon Weeks Date: Mon, 22 May 2023 10:52:09 -0700 Subject: [PATCH 04/18] Bump Go version to 1.19 (#325) --- .github/workflows/test.yml | 8 +++--- go.mod | 7 ++++- go.sum | 53 -------------------------------------- 3 files changed, 10 insertions(+), 58 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1aafe884..00bb7627 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,7 +13,7 @@ jobs: test-linux: strategy: matrix: - go-version: [1.16.x, 1.17.x, 1.18.x] + go-version: [1.19.x, 1.20.x] runs-on: ubuntu-latest steps: - name: Install Go @@ -27,7 +27,7 @@ jobs: test-linux-tpm12: strategy: matrix: - go-version: [1.16.x, 1.17.x, 1.18.x] + go-version: [1.19.x, 1.20.x] runs-on: ubuntu-latest steps: - name: Install Go @@ -43,7 +43,7 @@ jobs: test-macos: strategy: matrix: - go-version: [1.16.x, 1.17.x, 1.18.x] + go-version: [1.19.x, 1.20.x] runs-on: macos-latest steps: - name: Install Go @@ -62,7 +62,7 @@ jobs: test-windows: strategy: matrix: - go-version: [1.16.x, 1.17.x, 1.18.x] + go-version: [1.19.x, 1.20.x] runs-on: windows-latest steps: - name: Install Go diff --git a/go.mod b/go.mod index 9446478c..a86acb23 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/google/go-attestation -go 1.16 +go 1.19 require ( github.com/google/go-cmp v0.5.9 @@ -9,3 +9,8 @@ require ( github.com/google/go-tspi v0.3.0 golang.org/x/sys v0.0.0-20220209214540-3681064d5158 ) + +require ( + github.com/google/certificate-transparency-go v1.1.2 // indirect + golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect +) diff --git a/go.sum b/go.sum index 6603320a..0c30d617 100644 --- a/go.sum +++ b/go.sum @@ -15,7 +15,6 @@ cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.60.0/go.mod h1:yw2G51M9IfRboUH61Us8GqCeF1PzPblB823Mn2q2eAU= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= @@ -45,8 +44,6 @@ cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2k cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/pubsub v1.5.0/go.mod h1:ZEwJccE3z93Z2HWvstpri00jOg7oO4UZDtKhwDwqF0w= -cloud.google.com/go/spanner v1.7.0/go.mod h1:sd3K2gZ9Fd0vMPLXzeCrF6fq4i63Q7aTLW/lBIfBkIk= cloud.google.com/go/spanner v1.17.0/go.mod h1:+17t2ixFwRG4lWRwE+5kipDR9Ef07Jkmc8z0IbMDKUs= cloud.google.com/go/spanner v1.18.0/go.mod h1:LvAjUXPeJRGNuGpikMULjhLj/t9cRvdc+fxRoLiugXA= cloud.google.com/go/spanner v1.25.0/go.mod h1:kQUft3x355hzzaeFbObjsvkzZDgpDkesp3v75WBnI8w= @@ -60,7 +57,6 @@ code.gitea.io/sdk/gitea v0.11.3/go.mod h1:z3uwDV/b9Ls47NGukYM9XhnHtqPh/J+t40lsUr contrib.go.opencensus.io/exporter/aws v0.0.0-20181029163544-2befc13012d0/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA= contrib.go.opencensus.io/exporter/ocagent v0.5.0/go.mod h1:ImxhfLRpxoYiSq891pBrLVhN+qmP8BTVvdH2YLs7Gl0= contrib.go.opencensus.io/exporter/stackdriver v0.12.1/go.mod h1:iwB6wGarfphGGe/e5CWqyUk/cLzKnWsOKPVW3no6OTw= -contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= contrib.go.opencensus.io/exporter/stackdriver v0.13.5/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= contrib.go.opencensus.io/exporter/stackdriver v0.13.8/go.mod h1:huNtlWx75MwO7qMs0KrMxPZXzNNWebav1Sq/pm02JdQ= contrib.go.opencensus.io/integrations/ocsql v0.1.4/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= @@ -97,7 +93,6 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= -github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ= github.com/apache/beam v2.28.0+incompatible/go.mod h1:/8NX3Qi8vGstDLLaeaU7+lzVEu/ACaQhYjeefzQ0y1o= @@ -121,7 +116,6 @@ github.com/aws/aws-sdk-go v1.19.45/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= @@ -167,7 +161,6 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= @@ -200,7 +193,6 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.3.0-java/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/etcd-io/gofail v0.0.0-20190801230047-ad7f989257ca/go.mod h1:49H/RkXP8pKaZy4h0d+NW16rSLhyVBt4o6VLJbmOqDE= @@ -214,7 +206,6 @@ github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHqu github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM= github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o= github.com/fullstorydev/grpcurl v1.8.1/go.mod h1:3BWhvHZwNO7iLXaQlojdg5NA6SxUDePli4ecpK1N7gw= github.com/fullstorydev/grpcurl v1.8.2/go.mod h1:YvWNT3xRp2KIRuvCphFodG0fKkMXwaxA9CJgKCcyzUQ= @@ -236,11 +227,9 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM= github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY= -github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= -github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= @@ -268,7 +257,6 @@ github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= -github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= @@ -292,13 +280,10 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= -github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= github.com/google/certificate-transparency-go v1.1.2-0.20210422104406-9f33727a7a18/go.mod h1:6CKh9dscIRoqc2kC6YUFICHZMT9NrClyPrRVFrdw1QQ= github.com/google/certificate-transparency-go v1.1.2-0.20210512142713-bed466244fa6/go.mod h1:aF2dp7Dh81mY8Y/zpzyXps4fQW5zQbDu2CxfpJB6NkI= github.com/google/certificate-transparency-go v1.1.2 h1:4hE0GEId6NAW28dFpC+LrRGwQX5dtmXQGDbg8+/MZOM= github.com/google/certificate-transparency-go v1.1.2/go.mod h1:3OL+HKDqHPUfdKrHVQxO6T8nDLO0HF7LRTlkIWXaWvQ= -github.com/google/go-attestation v0.3.2/go.mod h1:N0ADdnY0cr7eLJyZ75o8kofGGTUF2XrZTJuTPo5acwk= -github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9/go.mod h1:KDsPHk8a2MX9g20kYSdxB21t7je5NghSaFeVn0Zu3Ao= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= @@ -311,7 +296,6 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= @@ -321,16 +305,12 @@ github.com/google/go-replayers/grpcreplay v0.1.0/go.mod h1:8Ig2Idjpr6gifRd6pNVgg github.com/google/go-replayers/httpreplay v0.1.0/go.mod h1:YKZViNhiGgqdBlUbI2MwGpq4pXxNmhJLPHQ7cv2b5no= github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= -github.com/google/go-tpm v0.3.2/go.mod h1:j71sMBTfp3X5jPHz852ZOfQMUOf65Gb/Th8pRmp7fvg= github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= github.com/google/go-tpm v0.3.3/go.mod h1:9Hyn3rgnzWF9XBWVk6ml6A6hNkbWjNFlDQL51BeghL4= github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0= github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4= -github.com/google/go-tpm-tools v0.2.1/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4= -github.com/google/go-tpm-tools v0.3.1/go.mod h1:PSg+r5hSZI5tP3X7LBQx2sW1VSZUqZHBSrKyDqrB21U= github.com/google/go-tpm-tools v0.3.9 h1:66nkOHZtqmHXVnqonQvPDmiPRn8lcKW3FXzynJiBphg= github.com/google/go-tpm-tools v0.3.9/go.mod h1:22JvWmHcD5w55cs+nMeqDGDxgNS15/2pDq2cLqnc3rc= -github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -346,7 +326,6 @@ github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200507031123-427632fa3b1c/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= @@ -359,7 +338,6 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg= github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= -github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw= github.com/google/trillian v1.3.14-0.20210409160123-c5ea3abd4a41/go.mod h1:1dPv0CUjNQVFEDuAUFhZql16pw/VlPgaX8qj+g5pVzQ= github.com/google/trillian v1.3.14-0.20210511103300-67b5f349eefa/go.mod h1:s4jO3Ai4NSvxucdvqUHON0bCqJyoya32eNw6XJwsmNc= github.com/google/trillian v1.4.0/go.mod h1:1Bja2nEgMDlEJWWRXBUemSPG9qYw84ZYX2gHRVHlR+g= @@ -380,7 +358,6 @@ github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= @@ -391,7 +368,6 @@ github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.2/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= github.com/grpc-ecosystem/grpc-gateway v1.14.6/go.mod h1:zdiPV4Yse/1gnckTHtghG4GkDEdKCRJduHpTxT3/jcw= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= @@ -442,7 +418,6 @@ github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHW github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= @@ -464,7 +439,6 @@ github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQL github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= @@ -477,7 +451,6 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+ github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw= github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= -github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= @@ -493,11 +466,8 @@ github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ= -github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= @@ -534,14 +504,11 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= -github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ= github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ= github.com/olekukonko/tablewriter v0.0.4/go.mod h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= @@ -612,7 +579,6 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/pseudomuto/protoc-gen-doc v1.3.2/go.mod h1:y5+P6n3iGrbKG+9O04V5ld71in3v/bX88wUwgt+U8EA= github.com/pseudomuto/protoc-gen-doc v1.4.1/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr2sn6hBC1WIYH/UbIg= github.com/pseudomuto/protoc-gen-doc v1.5.0/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr2sn6hBC1WIYH/UbIg= github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q= @@ -706,11 +672,9 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= -go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k= go.etcd.io/etcd/api/v3 v3.5.0-alpha.0/go.mod h1:mPcW6aZJukV6Aa81LSKpBjQXTWlXB5r74ymPoSWa3Sw= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= @@ -761,7 +725,6 @@ go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= -go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= @@ -785,7 +748,6 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210314154223-e6e6c4f2bb5b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -931,7 +893,6 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191119060738-e882bf8e40c2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -960,7 +921,6 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201207223542-d4d67f95c62d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -968,7 +928,6 @@ golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210316092937-0b90fd5c4c48/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -979,7 +938,6 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -999,7 +957,6 @@ golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -1055,9 +1012,6 @@ golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200717024301-6ddee64345a6/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= @@ -1136,7 +1090,6 @@ google.golang.org/genproto v0.0.0-20190620144150-6af8c5fc6601/go.mod h1:z3L6/3dT google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= @@ -1157,8 +1110,6 @@ google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200626011028-ee7919e894b5/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200707001353-8e8330bf89df/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= @@ -1199,13 +1150,11 @@ google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ij google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= @@ -1239,7 +1188,6 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -1265,7 +1213,6 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= From 62a036b369cee9ce5cd77dd2c412e2af9566e9d0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 11:03:00 -0700 Subject: [PATCH 05/18] Bump golang.org/x/sys from 0.0.0-20220209214540-3681064d5158 to 0.8.0 (#316) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.0.0-20220209214540-3681064d5158 to 0.8.0. - [Commits](https://github.com/golang/sys/commits/v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index a86acb23..7c2ef13d 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/google/go-tpm v0.3.3 github.com/google/go-tpm-tools v0.3.9 github.com/google/go-tspi v0.3.0 - golang.org/x/sys v0.0.0-20220209214540-3681064d5158 + golang.org/x/sys v0.8.0 ) require ( diff --git a/go.sum b/go.sum index 0c30d617..513b4fde 100644 --- a/go.sum +++ b/go.sum @@ -942,8 +942,8 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c= -golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From a4b579bcf08715d631432dac650cb67a2cb2ba3b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 11:14:50 -0700 Subject: [PATCH 06/18] Bump github.com/google/go-tpm-tools from 0.3.9 to 0.3.12 (#324) Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.9 to 0.3.12. - [Release notes](https://github.com/google/go-tpm-tools/releases) - [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.9...v0.3.12) --- updated-dependencies: - dependency-name: github.com/google/go-tpm-tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 13 +++++++++---- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 7c2ef13d..0944f3e4 100644 --- a/go.mod +++ b/go.mod @@ -5,12 +5,12 @@ go 1.19 require ( github.com/google/go-cmp v0.5.9 github.com/google/go-tpm v0.3.3 - github.com/google/go-tpm-tools v0.3.9 + github.com/google/go-tpm-tools v0.3.12 github.com/google/go-tspi v0.3.0 golang.org/x/sys v0.8.0 ) require ( github.com/google/certificate-transparency-go v1.1.2 // indirect - golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect + golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect ) diff --git a/go.sum b/go.sum index 513b4fde..16d75571 100644 --- a/go.sum +++ b/go.sum @@ -303,18 +303,20 @@ github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOm github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/go-replayers/grpcreplay v0.1.0/go.mod h1:8Ig2Idjpr6gifRd6pNVggX6TC1Zw6Jx74AKp7QNH2QE= github.com/google/go-replayers/httpreplay v0.1.0/go.mod h1:YKZViNhiGgqdBlUbI2MwGpq4pXxNmhJLPHQ7cv2b5no= +github.com/google/go-sev-guest v0.6.1 h1:NajHkAaLqN9/aW7bCFSUplUMtDgk2+HcN7jC2btFtk0= github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= github.com/google/go-tpm v0.3.3/go.mod h1:9Hyn3rgnzWF9XBWVk6ml6A6hNkbWjNFlDQL51BeghL4= github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0= github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4= -github.com/google/go-tpm-tools v0.3.9 h1:66nkOHZtqmHXVnqonQvPDmiPRn8lcKW3FXzynJiBphg= -github.com/google/go-tpm-tools v0.3.9/go.mod h1:22JvWmHcD5w55cs+nMeqDGDxgNS15/2pDq2cLqnc3rc= +github.com/google/go-tpm-tools v0.3.12 h1:hpWglH4RaZnGVbgOK3IThI5K++jnFvjQ94EIN34xrUU= +github.com/google/go-tpm-tools v0.3.12/go.mod h1:2OtmyPGPuaWWIOjr+IDhNQb6t5njjbSmZtzc350Q6Ro= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/licenseclassifier v0.0.0-20210325184830-bb04aff29e72/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= +github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= @@ -345,6 +347,7 @@ github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4Mgqvf github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s= github.com/googleapis/gax-go v2.0.2+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= @@ -533,6 +536,7 @@ github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT9 github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= @@ -541,6 +545,7 @@ github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= @@ -748,8 +753,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ= -golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM= +golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= From b474b712d48b964a7e40a4b5d45a82ecc5aa9786 Mon Sep 17 00:00:00 2001 From: zhsh Date: Tue, 30 May 2023 03:16:09 +1000 Subject: [PATCH 07/18] wrappedTPM20.ekTemplate() never returns an error. (#327) --- attest/wrapped_tpm20.go | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/attest/wrapped_tpm20.go b/attest/wrapped_tpm20.go index 5d334f89..0fe6c78c 100644 --- a/attest/wrapped_tpm20.go +++ b/attest/wrapped_tpm20.go @@ -37,9 +37,9 @@ type wrappedTPM20 struct { tpmEkTemplate *tpm2.Public } -func (t *wrappedTPM20) ekTemplate() (tpm2.Public, error) { +func (t *wrappedTPM20) ekTemplate() tpm2.Public { if t.tpmEkTemplate != nil { - return *t.tpmEkTemplate, nil + return *t.tpmEkTemplate } nonce, err := tpm2.NVReadEx(t.rwc, nvramEkNonceIndex, tpm2.HandleOwner, "", 0) @@ -51,7 +51,7 @@ func (t *wrappedTPM20) ekTemplate() (tpm2.Public, error) { t.tpmEkTemplate = &template } - return *t.tpmEkTemplate, nil + return *t.tpmEkTemplate } func (t *wrappedTPM20) tpmVersion() TPMVersion { @@ -97,11 +97,7 @@ func (t *wrappedTPM20) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, case commonSrkEquivalentHandle: keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", "", defaultSRKTemplate) case commonEkEquivalentHandle: - var tmpl tpm2.Public - if tmpl, err = t.ekTemplate(); err != nil { - return 0, false, fmt.Errorf("ek template: %v", err) - } - keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", tmpl) + keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.ekTemplate()) } if err != nil { return 0, false, fmt.Errorf("ReadPublic failed (%v), and then CreatePrimary failed: %v", rerr, err) @@ -124,12 +120,7 @@ func (t *wrappedTPM20) eks() ([]EK, error) { } // Attempt to create an EK. - tmpl, err := t.ekTemplate() - if err != nil { - return nil, fmt.Errorf("ek template: %v", err) - } - - ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", tmpl) + ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.ekTemplate()) if err != nil { return nil, fmt.Errorf("EK CreatePrimary failed: %v", err) } From 89884d0a743044834e529fd3978b2d06fdd77508 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Fri, 2 Jun 2023 18:17:59 +0200 Subject: [PATCH 08/18] Fix Intel EK certificate URL (#310) * Fix Intel EK certificate URL To download the certificate for an Intel TPM, the base64 padding in the URL needs to be replaced with `%3D`. If it's not replaced, requesting the URL will result in HTTP 403 Forbidden. * Use `url.QueryEscape` to escape base64 padding --- attest/tpm.go | 3 ++- attest/tpm_test.go | 25 +++++++++++++++---------- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/attest/tpm.go b/attest/tpm.go index 13057bf4..5cf9426a 100644 --- a/attest/tpm.go +++ b/attest/tpm.go @@ -24,6 +24,7 @@ import ( "encoding/binary" "fmt" "io" + "net/url" "strings" "github.com/google/go-tpm/tpm2" @@ -219,7 +220,7 @@ func intelEKURL(ekPub *rsa.PublicKey) string { pubHash.Write(ekPub.N.Bytes()) pubHash.Write([]byte{0x1, 0x00, 0x01}) - return intelEKCertServiceURL + base64.URLEncoding.EncodeToString(pubHash.Sum(nil)) + return intelEKCertServiceURL + url.QueryEscape(base64.URLEncoding.EncodeToString(pubHash.Sum(nil))) } func readEKCertFromNVRAM20(tpm io.ReadWriter) (*x509.Certificate, error) { diff --git a/attest/tpm_test.go b/attest/tpm_test.go index 7699a989..1a385631 100644 --- a/attest/tpm_test.go +++ b/attest/tpm_test.go @@ -8,17 +8,22 @@ import ( "testing" ) -// Generated using the following command: +// Created by downloading the base64-url encoded PEM data from +// https://ekop.intel.com/ekcertservice/WVEG2rRwkQ7m3RpXlUphgo6Y2HLxl18h6ZZkkOAdnBE%3D, +// extracting its public key, and formatting it to PEM using // -// openssl genrsa 2048|openssl rsa -outform PEM -pubout +// openssl x509 -in ekcert.pem -pubkey +// +// This is the public key from the EK cert that's used for testing tpm2-tools: +// https://github.com/tpm2-software/tpm2-tools/blob/master/test/integration/tests/getekcertificate.sh var testRSAKey = mustParseRSAKey(`-----BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8zyTXCjVALZzjS8wgNH -nAVdt4ZGM3N450xOnLplx/RbCVwXyu83SWh0B3Ka+92aocqcHzo+j6e6Urppre/I -+7VVKTdUAr8t5gxgSLGvo+ev+zv70GF4DmJthb8JNheHCmk3RnoSFs5TnDuSdvGb -KcSzas0186LQyxvwfFjTxLweGrZKh/CTewD0/f5ozXmbTtJpl+qYrMi9GJamGlg6 -N6EsWKh1xos8J/cEmS2vbyCGGADyBwRV8Zkto5EU1HJaEli10HVZf0D06vuKzzxM -+6W7LzGqzAPeaWvHi07ezShqdr5q5y1KKhFJcy8HOpwN8iFfIw70y3FtMlrMprrU -twIDAQAB +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwyDi8kSoYBqs8+AdJsZl +JJk1Vi3h2hl+nn8HbEaWE8+2U+mOwsOG/B0TPyyMbMM4tzLwsgi9g4qHej5bvD4d +QIToNcfIkGocBbTS0w/b68HbrZUPprFlvUtqhkYDFGFkwMT1nUiQEe8fko3upukA +YfPTdeVkYnMVHvYiJSCYvhpKsB3AoSInxgn9rOsRWvQI1Gk6b0mRl3RpWwwSvBih +/3EgpzN7L7XxlR2Lt/CU1bVUwRyVI7MHKf5keH0KE7nmMEiNq039hmNKUnDscvzF +pE3GeajzKTjdgZfina6Dn1tMoPXeJ8lSLCPFThws5XhZUlEYvURwsYGA7veK5CZ7 +zQIDAQAB -----END PUBLIC KEY-----`) func mustParseRSAKey(data string) *rsa.PublicKey { @@ -45,7 +50,7 @@ func parseRSAKey(data string) (*rsa.PublicKey, error) { } func TestIntelEKURL(t *testing.T) { - want := "https://ekop.intel.com/ekcertservice/7YtWV2nT3LpvSCfJt7ENIznN1R1jYkj_3S6mez3yyzg=" + want := "https://ekop.intel.com/ekcertservice/WVEG2rRwkQ7m3RpXlUphgo6Y2HLxl18h6ZZkkOAdnBE%3D" got := intelEKURL(testRSAKey) if got != want { t.Fatalf("intelEKURL(), got=%q, want=%q", got, want) From 258084d04eb8950326d2a62b0471f17e55c910af Mon Sep 17 00:00:00 2001 From: juanvallejo Date: Tue, 30 May 2023 18:00:02 -0700 Subject: [PATCH 09/18] Add support for generating TPM2.0 challenges using AttestedCertifyInfo Fixes: issues/320. Adds support for generating an activation challenge using CertificationParameters. Achieves symmetry with challenge-generation in AttestationParameters, in order to provide a challenge to a TPM to activate a TPM-certified key. `attest.Activation` currently supports verifying and generating a challenge given attestationData, an EK, an AK, and a signature. In the attestationData, the CreationInfo field is used to further validate and create the resulting challenge. In this change, `attest.Certification` will now support generating a challenge given attestationData, an EK, a TPM-certified public key, and a signature, in addition to an AK used to verify the certification of the provided public key we are generating an activation challenge for. --- attest/certification.go | 79 ++++++++++++++++++++++ attest/certification_test.go | 123 +++++++++++++++++++++++++++++++++++ 2 files changed, 202 insertions(+) diff --git a/attest/certification.go b/attest/certification.go index 372da046..60f632d6 100644 --- a/attest/certification.go +++ b/attest/certification.go @@ -17,12 +17,14 @@ package attest import ( "bytes" "crypto" + "crypto/rand" "crypto/rsa" "errors" "fmt" "io" "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/tpm2/credactivation" "github.com/google/go-tpm/tpmutil" ) @@ -62,6 +64,38 @@ type VerifyOpts struct { Hash crypto.Hash } +// ActivateOpts specifies options for the key certification's challenge generation. +type ActivateOpts struct { + // EK, the endorsement key, describes an asymmetric key whose + // private key is permanently bound to the TPM. + // + // Activation will verify that the provided EK is held on the same + // TPM as the key we're certifying. However, it is the caller's responsibility to + // ensure the EK they provide corresponds to the the device which + // they are trying to associate the certified key with. + EK crypto.PublicKey + // VerifierKeyNameDigest is the name digest of the public key we're using to + // verify the certification of the tpm-generated key being activated. + // The verifier key (usually the AK) that owns this digest should be the same + // key used in VerifyOpts.Public. + // Use tpm2.Public.Name() to produce the digest for a provided key. + VerifierKeyNameDigest *tpm2.HashValue +} + +// NewActivateOpts creates options for use in generating an activation challenge for a certified key. +// The computed hash is the name digest of the public key used to verify the certification of our key. +func NewActivateOpts(verifierPubKey tpm2.Public, ek crypto.PublicKey) (*ActivateOpts, error) { + pubName, err := verifierPubKey.Name() + if err != nil { + return nil, fmt.Errorf("unable to resolve a tpm2.Public Name struct from the given public key struct: %v", err) + } + + return &ActivateOpts{ + EK: ek, + VerifierKeyNameDigest: pubName.Digest, + }, nil +} + // Verify verifies the TPM2-produced certification parameters checking whether: // - the key length is secure // - the attestation parameters matched the attested key @@ -157,6 +191,51 @@ func (p *CertificationParameters) Verify(opts VerifyOpts) error { return nil } +// Generate returns a credential activation challenge, which can be provided +// to the TPM to verify the AK parameters given are authentic & the AK +// is present on the same TPM as the EK. +// +// The caller is expected to verify the secret returned from the TPM as +// as result of calling ActivateCredential() matches the secret returned here. +// The caller should use subtle.ConstantTimeCompare to avoid potential +// timing attack vectors. +func (p *CertificationParameters) Generate(rnd io.Reader, verifyOpts VerifyOpts, activateOpts ActivateOpts) (secret []byte, ec *EncryptedCredential, err error) { + if err := p.Verify(verifyOpts); err != nil { + return nil, nil, err + } + + if activateOpts.EK == nil { + return nil, nil, errors.New("no EK provided") + } + + secret = make([]byte, activationSecretLen) + if rnd == nil { + rnd = rand.Reader + } + if _, err = io.ReadFull(rnd, secret); err != nil { + return nil, nil, fmt.Errorf("error generating activation secret: %v", err) + } + + att, err := tpm2.DecodeAttestationData(p.CreateAttestation) + if err != nil { + return nil, nil, fmt.Errorf("DecodeAttestationData() failed: %v", err) + } + + if att.Type != tpm2.TagAttestCertify { + return nil, nil, fmt.Errorf("attestation does not apply to certify data, got %x", att.Type) + } + + cred, encSecret, err := credactivation.Generate(activateOpts.VerifierKeyNameDigest, activateOpts.EK, symBlockSize, secret) + if err != nil { + return nil, nil, fmt.Errorf("credactivation.Generate() failed: %v", err) + } + + return secret, &EncryptedCredential{ + Credential: cred, + Secret: encSecret, + }, nil +} + // certify uses AK's handle and the passed signature scheme to certify the key // with the `hnd` handle. func certify(tpm io.ReadWriteCloser, hnd, akHnd tpmutil.Handle, scheme tpm2.SigScheme) (*CertificationParameters, error) { diff --git a/attest/certification_test.go b/attest/certification_test.go index 8006eeac..c0f8babe 100644 --- a/attest/certification_test.go +++ b/attest/certification_test.go @@ -20,6 +20,7 @@ package attest import ( + "bytes" "crypto" "crypto/rand" "crypto/rsa" @@ -274,3 +275,125 @@ func testKeyCertification(t *testing.T, tpm *TPM) { }) } } + +func TestKeyActivationTPM20(t *testing.T) { + sim, tpm := setupSimulatedTPM(t) + defer sim.Close() + + ak, err := tpm.NewAK(nil) + if err != nil { + t.Fatalf("error creating a new AK using simulated TPM: %v", err) + } + akAttestParams := ak.AttestationParameters() + pub, err := tpm2.DecodePublic(akAttestParams.Public) + if err != nil { + t.Fatalf("unable to decode public struct from AK attestation params: %v", err) + } + if pub.Type != tpm2.AlgRSA { + t.Fatal("non-RSA verifying key") + } + + eks, err := tpm.EKs() + if err != nil { + t.Fatalf("unexpected error retrieving EK from tpm: %v", err) + } + + if len(eks) == 0 { + t.Fatal("expected at least one EK from the simulated TPM") + } + + pk := &rsa.PublicKey{E: int(pub.RSAParameters.Exponent()), N: pub.RSAParameters.Modulus()} + hash, err := pub.RSAParameters.Sign.Hash.Hash() + if err != nil { + t.Fatalf("unable to compute hash signature from verifying key's RSA parameters: %v", err) + } + verifyOpts := VerifyOpts{ + Public: pk, + Hash: hash, + } + + sk, err := tpm.NewKey(ak, nil) + if err != nil { + t.Fatalf("unable to create a new TPM-backed key to certify: %v", err) + } + + skCertParams := sk.CertificationParameters() + activateOpts, err := NewActivateOpts(pub, eks[0].Public) + if err != nil { + t.Fatalf("unable to create new ActivateOpts: %v", err) + } + + wrongPub, err := tpm2.DecodePublic(skCertParams.Public) + if err != nil { + t.Fatalf("unable to decode public struct from CertificationParameters: %v", err) + } + + wrongActivateOpts, err := NewActivateOpts(wrongPub, eks[0].Public) + if err != nil { + t.Fatalf("unable to create wrong ActivateOpts: %v", err) + } + + for _, test := range []struct { + name string + p *CertificationParameters + verifyOpts VerifyOpts + activateOpts ActivateOpts + generateErr error + activateErr error + }{ + { + name: "OK", + p: &skCertParams, + verifyOpts: verifyOpts, + activateOpts: *activateOpts, + generateErr: nil, + activateErr: nil, + }, + { + name: "invalid verify opts", + p: &skCertParams, + verifyOpts: VerifyOpts{}, + activateOpts: *activateOpts, + generateErr: cmpopts.AnyError, + activateErr: nil, + }, + { + name: "invalid activate opts", + p: &skCertParams, + verifyOpts: verifyOpts, + activateOpts: *wrongActivateOpts, + generateErr: nil, + activateErr: cmpopts.AnyError, + }, + } { + t.Run(test.name, func(t *testing.T) { + expectedSecret, encryptedCredentials, err := test.p.Generate(rand.Reader, test.verifyOpts, test.activateOpts) + if test.generateErr != nil { + if got, want := err, test.generateErr; !cmp.Equal(got, want, cmpopts.EquateErrors()) { + t.Errorf("p.Generate() err = %v, want = %v", got, want) + } + + return + } else if err != nil { + t.Errorf("unexpected p.Generate() error: %v", err) + return + } + + actualSecret, err := ak.ActivateCredential(tpm, *encryptedCredentials) + if test.activateErr != nil { + if got, want := err, test.activateErr; !cmp.Equal(got, want, cmpopts.EquateErrors()) { + t.Errorf("p.ActivateCredential() err = %v, want = %v", got, want) + } + + return + } else if err != nil { + t.Errorf("unexpected p.ActivateCredential() error: %v", err) + return + } + + if !bytes.Equal(expectedSecret, actualSecret) { + t.Fatalf("Unexpected bytes decoded, expected %x, but got %x", expectedSecret, actualSecret) + } + }) + } +} From 50c1e1e03be8d338c8ce376478de214b324e81d8 Mon Sep 17 00:00:00 2001 From: zhsh Date: Tue, 13 Jun 2023 11:36:51 +1000 Subject: [PATCH 10/18] Renamed some variables and methods to highlight that only RSA EKs are (#330) currently supported. This is the first step towards supporting ECC EKs. --- attest/attest_simulated_tpm20_test.go | 12 +++++----- attest/tpm.go | 14 ++++++------ attest/wrapped_tpm20.go | 32 +++++++++++++-------------- 3 files changed, 29 insertions(+), 29 deletions(-) diff --git a/attest/attest_simulated_tpm20_test.go b/attest/attest_simulated_tpm20_test.go index 1fbb45cb..77cb01e1 100644 --- a/attest/attest_simulated_tpm20_test.go +++ b/attest/attest_simulated_tpm20_test.go @@ -250,20 +250,20 @@ func TestSimTPM20Persistence(t *testing.T) { sim, tpm := setupSimulatedTPM(t) defer sim.Close() - ekHnd, _, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonEkEquivalentHandle) + ekHnd, _, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonRSAEkEquivalentHandle) if err != nil { t.Fatalf("getPrimaryKeyHandle() failed: %v", err) } - if ekHnd != commonEkEquivalentHandle { - t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonEkEquivalentHandle) + if ekHnd != commonRSAEkEquivalentHandle { + t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonRSAEkEquivalentHandle) } - ekHnd, p, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonEkEquivalentHandle) + ekHnd, p, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonRSAEkEquivalentHandle) if err != nil { t.Fatalf("second getPrimaryKeyHandle() failed: %v", err) } - if ekHnd != commonEkEquivalentHandle { - t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonEkEquivalentHandle) + if ekHnd != commonRSAEkEquivalentHandle { + t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonRSAEkEquivalentHandle) } if p { t.Fatalf("generated a new key the second time; that shouldn't happen") diff --git a/attest/tpm.go b/attest/tpm.go index 5cf9426a..f00db4b9 100644 --- a/attest/tpm.go +++ b/attest/tpm.go @@ -37,12 +37,12 @@ const ( tpmPtFwVersion1 = 0x00000100 + 11 // PT_FIXED + offset of 11 // Defined in "Registry of reserved TPM 2.0 handles and localities". - nvramCertIndex = 0x1c00002 - nvramEkNonceIndex = 0x1c00003 + nvramRSACertIndex = 0x1c00002 + nvramRSAEkNonceIndex = 0x1c00003 // Defined in "Registry of reserved TPM 2.0 handles and localities", and checked on a glinux machine. - commonSrkEquivalentHandle = 0x81000001 - commonEkEquivalentHandle = 0x81010001 + commonSrkEquivalentHandle = 0x81000001 + commonRSAEkEquivalentHandle = 0x81010001 ) var ( @@ -72,9 +72,9 @@ var ( KeyBits: 2048, }, } - // Default EK template defined in: + // Default RSA EK template defined in: // https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf - defaultEKTemplate = tpm2.Public{ + defaultRSAEKTemplate = tpm2.Public{ Type: tpm2.AlgRSA, NameAlg: tpm2.AlgSHA256, Attributes: tpm2.FlagFixedTPM | tpm2.FlagFixedParent | tpm2.FlagSensitiveDataOrigin | @@ -223,7 +223,7 @@ func intelEKURL(ekPub *rsa.PublicKey) string { return intelEKCertServiceURL + url.QueryEscape(base64.URLEncoding.EncodeToString(pubHash.Sum(nil))) } -func readEKCertFromNVRAM20(tpm io.ReadWriter) (*x509.Certificate, error) { +func readEKCertFromNVRAM20(tpm io.ReadWriter, nvramCertIndex tpmutil.Handle) (*x509.Certificate, error) { // By passing nvramCertIndex as our auth handle we're using the NV index // itself as the auth hierarchy, which is the same approach // tpm2_getekcertificate takes. diff --git a/attest/wrapped_tpm20.go b/attest/wrapped_tpm20.go index 0fe6c78c..1a80a8e3 100644 --- a/attest/wrapped_tpm20.go +++ b/attest/wrapped_tpm20.go @@ -32,26 +32,26 @@ import ( // wrappedTPM20 interfaces with a TPM 2.0 command channel. type wrappedTPM20 struct { - interf TPMInterface - rwc CommandChannelTPM20 - tpmEkTemplate *tpm2.Public + interf TPMInterface + rwc CommandChannelTPM20 + tpmRSAEkTemplate *tpm2.Public } -func (t *wrappedTPM20) ekTemplate() tpm2.Public { - if t.tpmEkTemplate != nil { - return *t.tpmEkTemplate +func (t *wrappedTPM20) rsaEkTemplate() tpm2.Public { + if t.tpmRSAEkTemplate != nil { + return *t.tpmRSAEkTemplate } - nonce, err := tpm2.NVReadEx(t.rwc, nvramEkNonceIndex, tpm2.HandleOwner, "", 0) + nonce, err := tpm2.NVReadEx(t.rwc, nvramRSAEkNonceIndex, tpm2.HandleOwner, "", 0) if err != nil { - t.tpmEkTemplate = &defaultEKTemplate // No nonce, use the default template + t.tpmRSAEkTemplate = &defaultRSAEKTemplate // No nonce, use the default template } else { - template := defaultEKTemplate + template := defaultRSAEKTemplate copy(template.RSAParameters.ModulusRaw, nonce) - t.tpmEkTemplate = &template + t.tpmRSAEkTemplate = &template } - return *t.tpmEkTemplate + return *t.tpmRSAEkTemplate } func (t *wrappedTPM20) tpmVersion() TPMVersion { @@ -96,8 +96,8 @@ func (t *wrappedTPM20) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, switch pHnd { case commonSrkEquivalentHandle: keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", "", defaultSRKTemplate) - case commonEkEquivalentHandle: - keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.ekTemplate()) + case commonRSAEkEquivalentHandle: + keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.rsaEkTemplate()) } if err != nil { return 0, false, fmt.Errorf("ReadPublic failed (%v), and then CreatePrimary failed: %v", rerr, err) @@ -113,14 +113,14 @@ func (t *wrappedTPM20) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, } func (t *wrappedTPM20) eks() ([]EK, error) { - if cert, err := readEKCertFromNVRAM20(t.rwc); err == nil { + if cert, err := readEKCertFromNVRAM20(t.rwc, nvramRSACertIndex); err == nil { return []EK{ {Public: crypto.PublicKey(cert.PublicKey), Certificate: cert}, }, nil } // Attempt to create an EK. - ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.ekTemplate()) + ekHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.rsaEkTemplate()) if err != nil { return nil, fmt.Errorf("EK CreatePrimary failed: %v", err) } @@ -417,7 +417,7 @@ func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential) ([ } secret := in.Secret[2:] - ekHnd, _, err := t.getPrimaryKeyHandle(commonEkEquivalentHandle) + ekHnd, _, err := t.getPrimaryKeyHandle(commonRSAEkEquivalentHandle) if err != nil { return nil, err } From a9b6eb1eb8880c0edc51764f581b326c856fdd3d Mon Sep 17 00:00:00 2001 From: Chris Fenner Date: Tue, 13 Jun 2023 16:43:38 +0200 Subject: [PATCH 11/18] use legacy tpm2 at its new path (#331) --- .github/workflows/test.yml | 8 ++++---- attest/activation.go | 4 ++-- attest/attest-tool/internal/internal.go | 2 +- attest/attest.go | 2 +- attest/certification.go | 4 ++-- attest/certification_test.go | 2 +- attest/eventlog.go | 2 +- attest/eventlog_test.go | 2 +- attest/key_windows.go | 2 +- attest/tpm.go | 2 +- attest/tpm_linux.go | 2 +- attest/wrapped_tpm20.go | 2 +- go.mod | 4 ++-- go.sum | 9 ++------- 14 files changed, 21 insertions(+), 26 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 00bb7627..06e0d735 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,7 +13,7 @@ jobs: test-linux: strategy: matrix: - go-version: [1.19.x, 1.20.x] + go-version: [1.20.x] runs-on: ubuntu-latest steps: - name: Install Go @@ -27,7 +27,7 @@ jobs: test-linux-tpm12: strategy: matrix: - go-version: [1.19.x, 1.20.x] + go-version: [1.20.x] runs-on: ubuntu-latest steps: - name: Install Go @@ -43,7 +43,7 @@ jobs: test-macos: strategy: matrix: - go-version: [1.19.x, 1.20.x] + go-version: [1.20.x] runs-on: macos-latest steps: - name: Install Go @@ -62,7 +62,7 @@ jobs: test-windows: strategy: matrix: - go-version: [1.19.x, 1.20.x] + go-version: [1.20.x] runs-on: windows-latest steps: - name: Install Go diff --git a/attest/activation.go b/attest/activation.go index 752968ea..0cd884b6 100644 --- a/attest/activation.go +++ b/attest/activation.go @@ -9,11 +9,11 @@ import ( "fmt" "io" + "github.com/google/go-tpm/legacy/tpm2" tpm1 "github.com/google/go-tpm/tpm" - "github.com/google/go-tpm/tpm2" // TODO(jsonp): Move activation generation code to internal package. - "github.com/google/go-tpm/tpm2/credactivation" + "github.com/google/go-tpm/legacy/tpm2/credactivation" "github.com/google/go-tspi/verification" ) diff --git a/attest/attest-tool/internal/internal.go b/attest/attest-tool/internal/internal.go index 1bb38c99..3ec8bc32 100644 --- a/attest/attest-tool/internal/internal.go +++ b/attest/attest-tool/internal/internal.go @@ -3,7 +3,7 @@ package internal import ( "github.com/google/go-attestation/attest" - "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/legacy/tpm2" ) // Dump describes the layout of serialized information from the dump command. diff --git a/attest/attest.go b/attest/attest.go index c2adb2f4..28afb75f 100644 --- a/attest/attest.go +++ b/attest/attest.go @@ -23,8 +23,8 @@ import ( "io" "strings" + "github.com/google/go-tpm/legacy/tpm2" "github.com/google/go-tpm/tpm" - "github.com/google/go-tpm/tpm2" ) // TPMVersion is used to configure a preference in diff --git a/attest/certification.go b/attest/certification.go index 60f632d6..809fac67 100644 --- a/attest/certification.go +++ b/attest/certification.go @@ -23,8 +23,8 @@ import ( "fmt" "io" - "github.com/google/go-tpm/tpm2" - "github.com/google/go-tpm/tpm2/credactivation" + "github.com/google/go-tpm/legacy/tpm2" + "github.com/google/go-tpm/legacy/tpm2/credactivation" "github.com/google/go-tpm/tpmutil" ) diff --git a/attest/certification_test.go b/attest/certification_test.go index c0f8babe..d1c8acfc 100644 --- a/attest/certification_test.go +++ b/attest/certification_test.go @@ -28,7 +28,7 @@ import ( "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" - "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/legacy/tpm2" ) func TestSimTPM20CertificationParameters(t *testing.T) { diff --git a/attest/eventlog.go b/attest/eventlog.go index 766a96fd..6cc7de8a 100644 --- a/attest/eventlog.go +++ b/attest/eventlog.go @@ -30,7 +30,7 @@ import ( // Ensure hashes are available. _ "crypto/sha256" - "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/legacy/tpm2" "github.com/google/go-tpm/tpmutil" ) diff --git a/attest/eventlog_test.go b/attest/eventlog_test.go index 4d2c9a1c..36e5d78a 100644 --- a/attest/eventlog_test.go +++ b/attest/eventlog_test.go @@ -21,7 +21,7 @@ import ( "os" "testing" - "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/legacy/tpm2" ) // Dump describes the layout of serialized information from the dump command. diff --git a/attest/key_windows.go b/attest/key_windows.go index 62b49aac..6c79b5f1 100644 --- a/attest/key_windows.go +++ b/attest/key_windows.go @@ -20,8 +20,8 @@ package attest import ( "fmt" + "github.com/google/go-tpm/legacy/tpm2" tpm1 "github.com/google/go-tpm/tpm" - "github.com/google/go-tpm/tpm2" ) // windowsKey12 represents a Windows-managed key on a TPM1.2 TPM. diff --git a/attest/tpm.go b/attest/tpm.go index f00db4b9..d995d7ca 100644 --- a/attest/tpm.go +++ b/attest/tpm.go @@ -27,7 +27,7 @@ import ( "net/url" "strings" - "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/legacy/tpm2" "github.com/google/go-tpm/tpmutil" ) diff --git a/attest/tpm_linux.go b/attest/tpm_linux.go index 00915b3f..3c5ad184 100644 --- a/attest/tpm_linux.go +++ b/attest/tpm_linux.go @@ -25,7 +25,7 @@ import ( "path" "strings" - "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/legacy/tpm2" ) const ( diff --git a/attest/wrapped_tpm20.go b/attest/wrapped_tpm20.go index 1a80a8e3..a563fff0 100644 --- a/attest/wrapped_tpm20.go +++ b/attest/wrapped_tpm20.go @@ -26,7 +26,7 @@ import ( "io" "math/big" - "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/legacy/tpm2" "github.com/google/go-tpm/tpmutil" ) diff --git a/go.mod b/go.mod index 0944f3e4..3295d7b5 100644 --- a/go.mod +++ b/go.mod @@ -1,10 +1,10 @@ module github.com/google/go-attestation -go 1.19 +go 1.20 require ( github.com/google/go-cmp v0.5.9 - github.com/google/go-tpm v0.3.3 + github.com/google/go-tpm v0.3.4-0.20230613064043-511507721cb1 github.com/google/go-tpm-tools v0.3.12 github.com/google/go-tspi v0.3.0 golang.org/x/sys v0.8.0 diff --git a/go.sum b/go.sum index 16d75571..b1539516 100644 --- a/go.sum +++ b/go.sum @@ -304,12 +304,8 @@ github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO github.com/google/go-replayers/grpcreplay v0.1.0/go.mod h1:8Ig2Idjpr6gifRd6pNVggX6TC1Zw6Jx74AKp7QNH2QE= github.com/google/go-replayers/httpreplay v0.1.0/go.mod h1:YKZViNhiGgqdBlUbI2MwGpq4pXxNmhJLPHQ7cv2b5no= github.com/google/go-sev-guest v0.6.1 h1:NajHkAaLqN9/aW7bCFSUplUMtDgk2+HcN7jC2btFtk0= -github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= -github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= -github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= -github.com/google/go-tpm v0.3.3/go.mod h1:9Hyn3rgnzWF9XBWVk6ml6A6hNkbWjNFlDQL51BeghL4= -github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0= -github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4= +github.com/google/go-tpm v0.3.4-0.20230613064043-511507721cb1 h1:wGP91a6fiYbZhKlGcQD25K8XwXzoG4yHAEIjtpeV2QA= +github.com/google/go-tpm v0.3.4-0.20230613064043-511507721cb1/go.mod h1:Yj9bYgsIKoza8oMlxZqvqgUIDKFaExnuLaDdOtFCwG4= github.com/google/go-tpm-tools v0.3.12 h1:hpWglH4RaZnGVbgOK3IThI5K++jnFvjQ94EIN34xrUU= github.com/google/go-tpm-tools v0.3.12/go.mod h1:2OtmyPGPuaWWIOjr+IDhNQb6t5njjbSmZtzc350Q6Ro= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= @@ -944,7 +940,6 @@ golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= From 2788b541c773a8d717dbf8b97f2c72bb73e3df9c Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Tue, 20 Jun 2023 18:35:01 +0200 Subject: [PATCH 12/18] Fix golangci-lint workflow (#336) --- .github/workflows/golangci-lint.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 876de83b..76caa79b 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -10,9 +10,9 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: 1.19.3 + go-version: 1.20.x - uses: actions/checkout@v3 - name: golangci-lint uses: golangci/golangci-lint-action@v3 with: - version: v1.50.1 + version: v1.53.3 From ac9aa2497f601e52f650b1ddb01ff3c66cd8b748 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 16:40:32 +0000 Subject: [PATCH 13/18] Bump golang.org/x/sys from 0.8.0 to 0.9.0 (#335) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.8.0 to 0.9.0. - [Commits](https://github.com/golang/sys/compare/v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 3295d7b5..9af336bb 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/google/go-tpm v0.3.4-0.20230613064043-511507721cb1 github.com/google/go-tpm-tools v0.3.12 github.com/google/go-tspi v0.3.0 - golang.org/x/sys v0.8.0 + golang.org/x/sys v0.9.0 ) require ( diff --git a/go.sum b/go.sum index b1539516..08646867 100644 --- a/go.sum +++ b/go.sum @@ -942,8 +942,8 @@ golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s= +golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From 63dd90f6993ea99d37bea9d277d978bf87a48763 Mon Sep 17 00:00:00 2001 From: Brandon Weeks Date: Wed, 21 Jun 2023 07:18:54 -0700 Subject: [PATCH 14/18] Bump github.com/google/go-tpm from 0.3.4 to 0.9.0 (#337) --- go.mod | 4 ++-- go.sum | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 9af336bb..5f4feb8f 100644 --- a/go.mod +++ b/go.mod @@ -4,8 +4,8 @@ go 1.20 require ( github.com/google/go-cmp v0.5.9 - github.com/google/go-tpm v0.3.4-0.20230613064043-511507721cb1 - github.com/google/go-tpm-tools v0.3.12 + github.com/google/go-tpm v0.9.0 + github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba github.com/google/go-tspi v0.3.0 golang.org/x/sys v0.9.0 ) diff --git a/go.sum b/go.sum index 08646867..906fe7be 100644 --- a/go.sum +++ b/go.sum @@ -306,8 +306,12 @@ github.com/google/go-replayers/httpreplay v0.1.0/go.mod h1:YKZViNhiGgqdBlUbI2MwG github.com/google/go-sev-guest v0.6.1 h1:NajHkAaLqN9/aW7bCFSUplUMtDgk2+HcN7jC2btFtk0= github.com/google/go-tpm v0.3.4-0.20230613064043-511507721cb1 h1:wGP91a6fiYbZhKlGcQD25K8XwXzoG4yHAEIjtpeV2QA= github.com/google/go-tpm v0.3.4-0.20230613064043-511507721cb1/go.mod h1:Yj9bYgsIKoza8oMlxZqvqgUIDKFaExnuLaDdOtFCwG4= +github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk= +github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU= github.com/google/go-tpm-tools v0.3.12 h1:hpWglH4RaZnGVbgOK3IThI5K++jnFvjQ94EIN34xrUU= github.com/google/go-tpm-tools v0.3.12/go.mod h1:2OtmyPGPuaWWIOjr+IDhNQb6t5njjbSmZtzc350Q6Ro= +github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc= +github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= From d29df3055302816a3940dd18304c6cfaee4a62a2 Mon Sep 17 00:00:00 2001 From: zhsh Date: Fri, 23 Jun 2023 06:17:47 +1000 Subject: [PATCH 15/18] Add EK as a field to AK struct. (#332) The change is a no-op for existing clients, and it will simplify adding the support for ECC EKs. The activation code no longer makes assumptions about EK's type and handle (i.e. RSA and 0x81010001), and instead relies on TPM.EKs() to provide the EK's details. --- attest/attest.go | 19 +++++-- attest/attest_simulated_tpm20_test.go | 77 +++++++++++++++++++++------ attest/attest_test.go | 9 ++-- attest/attest_tpm12_test.go | 2 +- attest/key_linux.go | 2 +- attest/key_windows.go | 4 +- attest/wrapped_tpm20.go | 71 ++++++++++++++++++------ 7 files changed, 140 insertions(+), 44 deletions(-) diff --git a/attest/attest.go b/attest/attest.go index 28afb75f..8408a834 100644 --- a/attest/attest.go +++ b/attest/attest.go @@ -25,6 +25,7 @@ import ( "github.com/google/go-tpm/legacy/tpm2" "github.com/google/go-tpm/tpm" + "github.com/google/go-tpm/tpmutil" ) // TPMVersion is used to configure a preference in @@ -101,7 +102,7 @@ const ( type ak interface { close(tpmBase) error marshal() ([]byte, error) - activateCredential(tpm tpmBase, in EncryptedCredential) ([]byte, error) + activateCredential(tpm tpmBase, in EncryptedCredential, ek *EK) ([]byte, error) quote(t tpmBase, nonce []byte, alg HashAlg) (*Quote, error) attestationParameters() AttestationParameters certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) @@ -110,6 +111,10 @@ type ak interface { // AK represents a key which can be used for attestation. type AK struct { ak ak + + // The EK that will be used for attestation. + // If nil, an RSA EK with handle 0x81010001 will be used. + ek *EK } // Close unloads the AK from the system. @@ -130,7 +135,7 @@ func (k *AK) Marshal() ([]byte, error) { // // This operation is synonymous with TPM2_ActivateCredential. func (k *AK) ActivateCredential(tpm *TPM, in EncryptedCredential) (secret []byte, err error) { - return k.ak.activateCredential(tpm.tpm, in) + return k.ak.activateCredential(tpm.tpm, in, k.ek) } // Quote returns a quote over the platform state, signed by the AK. @@ -155,9 +160,12 @@ func (k *AK) Certify(tpm *TPM, handle interface{}) (*CertificationParameters, er return k.ak.certify(tpm.tpm, handle) } -// AKConfig encapsulates parameters for minting keys. This type is defined -// now (despite being empty) for future interface compatibility. +// AKConfig encapsulates parameters for minting keys. type AKConfig struct { + // The EK that will be used for attestation. + // If nil, an RSA EK with handle 0x81010001 will be used. + // If not nil, it must be one of EKs returned from TPM.EKs(). + EK *EK } // EncryptedCredential represents encrypted parameters which must be activated @@ -205,6 +213,9 @@ type EK struct { // Public key. Clients or servers can perform an HTTP GET to this URL, and // use ParseEKCertificate on the response body. CertificateURL string + + // The EK persistent handle. + handle tpmutil.Handle } // AttestationParameters describes information about a key which is necessary diff --git a/attest/attest_simulated_tpm20_test.go b/attest/attest_simulated_tpm20_test.go index 77cb01e1..af01f395 100644 --- a/attest/attest_simulated_tpm20_test.go +++ b/attest/attest_simulated_tpm20_test.go @@ -98,25 +98,37 @@ func TestSimTPM20AKCreateAndLoad(t *testing.T) { } func TestSimTPM20ActivateCredential(t *testing.T) { + testActivateCredential(t, false) +} + +func TestSimTPM20ActivateCredentialWithEK(t *testing.T) { + testActivateCredential(t, true) +} + +func testActivateCredential(t *testing.T, useEK bool) { sim, tpm := setupSimulatedTPM(t) defer sim.Close() - ak, err := tpm.NewAK(nil) - if err != nil { - t.Fatalf("NewAK() failed: %v", err) - } - defer ak.Close(tpm) - EKs, err := tpm.EKs() if err != nil { t.Fatalf("EKs() failed: %v", err) } ek := chooseEK(t, EKs) + var akConfig *AKConfig + if useEK { + akConfig = &AKConfig{EK: &ek} + } + ak, err := tpm.NewAK(akConfig) + if err != nil { + t.Fatalf("NewAK() failed: %v", err) + } + defer ak.Close(tpm) + ap := ActivationParameters{ TPMVersion: TPMVersion20, AK: ak.AttestationParameters(), - EK: ek, + EK: ek.Public, } secret, challenge, err := ap.Generate() if err != nil { @@ -246,24 +258,57 @@ func TestSimTPM20PCRs(t *testing.T) { } } -func TestSimTPM20Persistence(t *testing.T) { +func TestSimTPM20PersistenceSRK(t *testing.T) { sim, tpm := setupSimulatedTPM(t) defer sim.Close() - ekHnd, _, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonRSAEkEquivalentHandle) + srkHnd, _, err := tpm.tpm.(*wrappedTPM20).getStorageRootKeyHandle(commonSrkEquivalentHandle) + if err != nil { + t.Fatalf("getStorageRootKeyHandle() failed: %v", err) + } + if srkHnd != commonSrkEquivalentHandle { + t.Fatalf("bad SRK-equivalent handle: got 0x%x, wanted 0x%x", srkHnd, commonSrkEquivalentHandle) + } + + srkHnd, p, err := tpm.tpm.(*wrappedTPM20).getStorageRootKeyHandle(commonSrkEquivalentHandle) + if err != nil { + t.Fatalf("second getStorageRootKeyHandle() failed: %v", err) + } + if srkHnd != commonSrkEquivalentHandle { + t.Fatalf("bad SRK-equivalent handle: got 0x%x, wanted 0x%x", srkHnd, commonSrkEquivalentHandle) + } + if p { + t.Fatalf("generated a new key the second time; that shouldn't happen") + } +} + +func TestSimTPM20PersistenceEK(t *testing.T) { + sim, tpm := setupSimulatedTPM(t) + defer sim.Close() + + eks, err := tpm.EKs() + if err != nil { + t.Errorf("EKs() failed: %v", err) + } + if len(eks) == 0 || (eks[0].Public == nil) { + t.Errorf("EKs() = %v, want at least 1 EK with populated fields", eks) + } + + ek := eks[0] + ekHnd, _, err := tpm.tpm.(*wrappedTPM20).getEndorsementKeyHandle(&ek) if err != nil { - t.Fatalf("getPrimaryKeyHandle() failed: %v", err) + t.Fatalf("getStorageRootKeyHandle() failed: %v", err) } - if ekHnd != commonRSAEkEquivalentHandle { - t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonRSAEkEquivalentHandle) + if ekHnd != ek.handle { + t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, ek.handle) } - ekHnd, p, err := tpm.tpm.(*wrappedTPM20).getPrimaryKeyHandle(commonRSAEkEquivalentHandle) + ekHnd, p, err := tpm.tpm.(*wrappedTPM20).getEndorsementKeyHandle(&ek) if err != nil { - t.Fatalf("second getPrimaryKeyHandle() failed: %v", err) + t.Fatalf("second getEndorsementKeyHandle() failed: %v", err) } - if ekHnd != commonRSAEkEquivalentHandle { - t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, commonRSAEkEquivalentHandle) + if ekHnd != ek.handle { + t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, ek.handle) } if p { t.Fatalf("generated a new key the second time; that shouldn't happen") diff --git a/attest/attest_test.go b/attest/attest_test.go index 8a2b812e..2d7a2fb9 100644 --- a/attest/attest_test.go +++ b/attest/attest_test.go @@ -16,7 +16,6 @@ package attest import ( "bytes" - "crypto" "flag" "fmt" "reflect" @@ -119,16 +118,16 @@ func TestAKCreateAndLoad(t *testing.T) { } } -// chooseEK selects the EK public which will be activated against. -func chooseEK(t *testing.T, eks []EK) crypto.PublicKey { +// chooseEK selects the EK which will be activated against. +func chooseEK(t *testing.T, eks []EK) EK { t.Helper() for _, ek := range eks { - return ek.Public + return ek } t.Fatalf("No suitable EK found") - return nil + return EK{} } func TestPCRs(t *testing.T) { diff --git a/attest/attest_tpm12_test.go b/attest/attest_tpm12_test.go index 7acd1723..627de331 100644 --- a/attest/attest_tpm12_test.go +++ b/attest/attest_tpm12_test.go @@ -151,7 +151,7 @@ func TestTPMActivateCredential(t *testing.T) { ap := ActivationParameters{ TPMVersion: TPMVersion12, AK: ak.AttestationParameters(), - EK: ek, + EK: ek.Public, } secret, challenge, err := ap.Generate() if err != nil { diff --git a/attest/key_linux.go b/attest/key_linux.go index ac09e491..1e56b4fc 100644 --- a/attest/key_linux.go +++ b/attest/key_linux.go @@ -52,7 +52,7 @@ func (k *trousersKey12) close(tpm tpmBase) error { return nil // No state for tpm 1.2. } -func (k *trousersKey12) activateCredential(tb tpmBase, in EncryptedCredential) ([]byte, error) { +func (k *trousersKey12) activateCredential(tb tpmBase, in EncryptedCredential, ek *EK) ([]byte, error) { t, ok := tb.(*trousersTPM) if !ok { return nil, fmt.Errorf("expected *linuxTPM, got %T", tb) diff --git a/attest/key_windows.go b/attest/key_windows.go index 6c79b5f1..aab867f3 100644 --- a/attest/key_windows.go +++ b/attest/key_windows.go @@ -49,7 +49,7 @@ func (k *windowsKey12) marshal() ([]byte, error) { return out.Serialize() } -func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) { +func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential, ek *EK) ([]byte, error) { tpm, ok := t.(*windowsTPM) if !ok { return nil, fmt.Errorf("expected *windowsTPM, got %T", t) @@ -152,7 +152,7 @@ func (k *windowsKey20) marshal() ([]byte, error) { return out.Serialize() } -func (k *windowsKey20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) { +func (k *windowsKey20) activateCredential(t tpmBase, in EncryptedCredential, ek *EK) ([]byte, error) { tpm, ok := t.(*windowsTPM) if !ok { return nil, fmt.Errorf("expected *windowsTPM, got %T", t) diff --git a/attest/wrapped_tpm20.go b/attest/wrapped_tpm20.go index a563fff0..d4efb97d 100644 --- a/attest/wrapped_tpm20.go +++ b/attest/wrapped_tpm20.go @@ -83,8 +83,50 @@ func (t *wrappedTPM20) info() (*TPMInfo, error) { return &tInfo, nil } +// Return value: handle, whether we generated a new one, error. +func (t *wrappedTPM20) getEndorsementKeyHandle(ek *EK) (tpmutil.Handle, bool, error) { + var ekHandle tpmutil.Handle + var ekTemplate tpm2.Public + + if ek == nil { + // The default is RSA for backward compatibility. + ekHandle = commonRSAEkEquivalentHandle + ekTemplate = t.rsaEkTemplate() + } else { + ekHandle = ek.handle + switch pub := ek.Public.(type) { + case *rsa.PublicKey: + ekTemplate = t.rsaEkTemplate() + case *ecdsa.PublicKey: + return 0, false, errors.New("ECC EKs are not supported") + default: + return 0, false, fmt.Errorf("unsupported public key type %T", pub) + } + } + + _, _, _, err := tpm2.ReadPublic(t.rwc, ekHandle) + if err == nil { + // Found the persistent handle, assume it's the key we want. + return ekHandle, false, nil + } + rerr := err // Preserve this failure for later logging, if needed + + keyHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", ekTemplate) + if err != nil { + return 0, false, fmt.Errorf("ReadPublic failed (%v), and then CreatePrimary failed: %v", rerr, err) + } + defer tpm2.FlushContext(t.rwc, keyHnd) + + err = tpm2.EvictControl(t.rwc, "", tpm2.HandleOwner, keyHnd, ekHandle) + if err != nil { + return 0, false, fmt.Errorf("EvictControl failed: %v", err) + } + + return ekHandle, true, nil +} + // Return value: handle, whether we generated a new one, error -func (t *wrappedTPM20) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, bool, error) { +func (t *wrappedTPM20) getStorageRootKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, bool, error) { _, _, _, err := tpm2.ReadPublic(t.rwc, pHnd) if err == nil { // Found the persistent handle, assume it's the key we want. @@ -92,13 +134,7 @@ func (t *wrappedTPM20) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, } rerr := err // Preserve this failure for later logging, if needed - var keyHnd tpmutil.Handle - switch pHnd { - case commonSrkEquivalentHandle: - keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", "", defaultSRKTemplate) - case commonRSAEkEquivalentHandle: - keyHnd, _, err = tpm2.CreatePrimary(t.rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", t.rsaEkTemplate()) - } + keyHnd, _, err := tpm2.CreatePrimary(t.rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", "", defaultSRKTemplate) if err != nil { return 0, false, fmt.Errorf("ReadPublic failed (%v), and then CreatePrimary failed: %v", rerr, err) } @@ -115,7 +151,7 @@ func (t *wrappedTPM20) getPrimaryKeyHandle(pHnd tpmutil.Handle) (tpmutil.Handle, func (t *wrappedTPM20) eks() ([]EK, error) { if cert, err := readEKCertFromNVRAM20(t.rwc, nvramRSACertIndex); err == nil { return []EK{ - {Public: crypto.PublicKey(cert.PublicKey), Certificate: cert}, + {Public: crypto.PublicKey(cert.PublicKey), Certificate: cert, handle: commonRSAEkEquivalentHandle}, }, nil } @@ -139,13 +175,14 @@ func (t *wrappedTPM20) eks() ([]EK, error) { E: int(pub.RSAParameters.Exponent()), N: pub.RSAParameters.Modulus(), }, + handle: commonRSAEkEquivalentHandle, }, }, nil } func (t *wrappedTPM20) newAK(opts *AKConfig) (*AK, error) { // TODO(jsonp): Abstract choice of hierarchy & parent. - srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle) + srk, _, err := t.getStorageRootKeyHandle(commonSrkEquivalentHandle) if err != nil { return nil, fmt.Errorf("failed to get SRK handle: %v", err) } @@ -170,7 +207,11 @@ func (t *wrappedTPM20) newAK(opts *AKConfig) (*AK, error) { if err != nil { return nil, fmt.Errorf("CertifyCreation failed: %v", err) } - return &AK{ak: newWrappedAK20(keyHandle, blob, pub, creationData, attestation, sig)}, nil + var ek *EK + if opts != nil { + ek = opts.EK + } + return &AK{ak: newWrappedAK20(keyHandle, blob, pub, creationData, attestation, sig), ek: ek}, nil } func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) { @@ -217,7 +258,7 @@ func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) { } func createKey(t *wrappedTPM20, opts *KeyConfig) (tpmutil.Handle, []byte, []byte, []byte, error) { - srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle) + srk, _, err := t.getStorageRootKeyHandle(commonSrkEquivalentHandle) if err != nil { return 0, nil, nil, nil, fmt.Errorf("failed to get SRK handle: %v", err) } @@ -291,7 +332,7 @@ func (t *wrappedTPM20) deserializeAndLoad(opaqueBlob []byte) (tpmutil.Handle, *s return 0, nil, fmt.Errorf("unsupported key encoding: %x", sKey.Encoding) } - srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle) + srk, _, err := t.getStorageRootKeyHandle(commonSrkEquivalentHandle) if err != nil { return 0, nil, fmt.Errorf("failed to get SRK handle: %v", err) } @@ -402,7 +443,7 @@ func (k *wrappedKey20) close(t tpmBase) error { return tpm2.FlushContext(tpm.rwc, k.hnd) } -func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential) ([]byte, error) { +func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential, ek *EK) ([]byte, error) { t, ok := tb.(*wrappedTPM20) if !ok { return nil, fmt.Errorf("expected *wrappedTPM20, got %T", tb) @@ -417,7 +458,7 @@ func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential) ([ } secret := in.Secret[2:] - ekHnd, _, err := t.getPrimaryKeyHandle(commonRSAEkEquivalentHandle) + ekHnd, _, err := t.getEndorsementKeyHandle(ek) if err != nil { return nil, err } From b92d1c69bf33444e33960927adc447a9469f5b64 Mon Sep 17 00:00:00 2001 From: zhsh Date: Sat, 24 Jun 2023 08:10:34 +1000 Subject: [PATCH 16/18] Add TPM.EKCertificates() method, it returns all certificates from TPM's NVRAM (#333) --- attest/tpm.go | 9 +++++++++ attest/tpm12_linux.go | 6 +++++- attest/tpm_windows.go | 12 ++++++++++++ attest/wrapped_tpm20.go | 15 +++++++++++++++ 4 files changed, 41 insertions(+), 1 deletion(-) diff --git a/attest/tpm.go b/attest/tpm.go index d995d7ca..1f0539f3 100644 --- a/attest/tpm.go +++ b/attest/tpm.go @@ -39,10 +39,12 @@ const ( // Defined in "Registry of reserved TPM 2.0 handles and localities". nvramRSACertIndex = 0x1c00002 nvramRSAEkNonceIndex = 0x1c00003 + nvramECCCertIndex = 0x1c0000a // Defined in "Registry of reserved TPM 2.0 handles and localities", and checked on a glinux machine. commonSrkEquivalentHandle = 0x81000001 commonRSAEkEquivalentHandle = 0x81010001 + commonECCEkEquivalentHandle = 0x81010002 ) var ( @@ -297,6 +299,7 @@ type tpmBase interface { close() error tpmVersion() TPMVersion eks() ([]EK, error) + ekCertificates() ([]EK, error) info() (*TPMInfo, error) loadAK(opaqueBlob []byte) (*AK, error) @@ -324,6 +327,12 @@ func (t *TPM) EKs() ([]EK, error) { return t.tpm.eks() } +// EKCertificates returns the endorsement key certificates burned-in to the platform. +// It is guaranteed that each EK.Certificate field will be populated. +func (t *TPM) EKCertificates() ([]EK, error) { + return t.tpm.ekCertificates() +} + // Info returns information about the TPM. func (t *TPM) Info() (*TPMInfo, error) { return t.tpm.info() diff --git a/attest/tpm12_linux.go b/attest/tpm12_linux.go index a2eba7d2..50594967 100644 --- a/attest/tpm12_linux.go +++ b/attest/tpm12_linux.go @@ -94,7 +94,7 @@ func readEKCertFromNVRAM12(ctx *tspi.Context) (*x509.Certificate, error) { return ParseEKCertificate(ekCert) } -func (t *trousersTPM) eks() ([]EK, error) { +func (t *trousersTPM) ekCertificates() ([]EK, error) { cert, err := readEKCertFromNVRAM12(t.ctx) if err != nil { return nil, fmt.Errorf("readEKCertFromNVRAM failed: %v", err) @@ -104,6 +104,10 @@ func (t *trousersTPM) eks() ([]EK, error) { }, nil } +func (t *trousersTPM) eks() ([]EK, error) { + return t.ekCertificates() +} + func (t *trousersTPM) newKey(*AK, *KeyConfig) (*Key, error) { return nil, fmt.Errorf("not implemented") } diff --git a/attest/tpm_windows.go b/attest/tpm_windows.go index 0203c767..6bbdcf14 100644 --- a/attest/tpm_windows.go +++ b/attest/tpm_windows.go @@ -152,6 +152,18 @@ func (t *windowsTPM) info() (*TPMInfo, error) { return &tInfo, nil } +func (t *windowsTPM) ekCertificates() ([]EK, error) { + ekCerts, err := t.pcp.EKCerts() + if err != nil { + return nil, fmt.Errorf("could not read EKCerts: %v", err) + } + var eks []EK + for _, cert := range ekCerts { + eks = append(eks, EK{Certificate: cert, Public: cert.PublicKey}) + } + return eks, nil +} + func (t *windowsTPM) eks() ([]EK, error) { ekCerts, err := t.pcp.EKCerts() if err != nil { diff --git a/attest/wrapped_tpm20.go b/attest/wrapped_tpm20.go index d4efb97d..dd08dfe2 100644 --- a/attest/wrapped_tpm20.go +++ b/attest/wrapped_tpm20.go @@ -94,6 +94,10 @@ func (t *wrappedTPM20) getEndorsementKeyHandle(ek *EK) (tpmutil.Handle, bool, er ekTemplate = t.rsaEkTemplate() } else { ekHandle = ek.handle + if ekHandle == 0 { + // Assume RSA EK handle if it was not provided. + ekHandle = commonRSAEkEquivalentHandle + } switch pub := ek.Public.(type) { case *rsa.PublicKey: ekTemplate = t.rsaEkTemplate() @@ -148,6 +152,17 @@ func (t *wrappedTPM20) getStorageRootKeyHandle(pHnd tpmutil.Handle) (tpmutil.Han return pHnd, true, nil } +func (t *wrappedTPM20) ekCertificates() ([]EK, error) { + var res []EK + if rsaCert, err := readEKCertFromNVRAM20(t.rwc, nvramRSACertIndex); err == nil { + res = append(res, EK{Public: crypto.PublicKey(rsaCert.PublicKey), Certificate: rsaCert, handle: commonRSAEkEquivalentHandle}) + } + if eccCert, err := readEKCertFromNVRAM20(t.rwc, nvramECCCertIndex); err == nil { + res = append(res, EK{Public: crypto.PublicKey(eccCert.PublicKey), Certificate: eccCert, handle: commonECCEkEquivalentHandle}) + } + return res, nil +} + func (t *wrappedTPM20) eks() ([]EK, error) { if cert, err := readEKCertFromNVRAM20(t.rwc, nvramRSACertIndex); err == nil { return []EK{ From 8af5f4e7de9bc66c1318e853ebad5d6cc9fc52fb Mon Sep 17 00:00:00 2001 From: smo4201 <72933253+smo4201@users.noreply.github.com> Date: Tue, 27 Jun 2023 01:04:59 +0200 Subject: [PATCH 17/18] attest: Make PCRs included in quote configurable (#311) Change the low-level Quote() functions so that the PCRs to be included in the quote is selectable. Does not change the high-level attestPlatform functions, which still retrieve all PCRs. --- attest/attest.go | 13 +++++++++++-- attest/key_linux.go | 5 ++++- attest/key_windows.go | 11 +++-------- attest/tpm.go | 10 ++++------ attest/wrapped_tpm20.go | 4 ++-- 5 files changed, 24 insertions(+), 19 deletions(-) diff --git a/attest/attest.go b/attest/attest.go index 8408a834..424622ac 100644 --- a/attest/attest.go +++ b/attest/attest.go @@ -103,7 +103,7 @@ type ak interface { close(tpmBase) error marshal() ([]byte, error) activateCredential(tpm tpmBase, in EncryptedCredential, ek *EK) ([]byte, error) - quote(t tpmBase, nonce []byte, alg HashAlg) (*Quote, error) + quote(t tpmBase, nonce []byte, alg HashAlg, selectedPCRs []int) (*Quote, error) attestationParameters() AttestationParameters certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) } @@ -143,7 +143,16 @@ func (k *AK) ActivateCredential(tpm *TPM, in EncryptedCredential) (secret []byte // This is a low-level API. Consumers seeking to attest the state of the // platform should use tpm.AttestPlatform() instead. func (k *AK) Quote(tpm *TPM, nonce []byte, alg HashAlg) (*Quote, error) { - return k.ak.quote(tpm.tpm, nonce, alg) + pcrs := make([]int, 24) + for pcr := range pcrs { + pcrs[pcr] = pcr + } + return k.ak.quote(tpm.tpm, nonce, alg, pcrs) +} + +// QuotePCRs is like Quote() but allows the caller to select a subset of the PCRs. +func (k *AK) QuotePCRs(tpm *TPM, nonce []byte, alg HashAlg, pcrs []int) (*Quote, error) { + return k.ak.quote(tpm.tpm, nonce, alg, pcrs) } // AttestationParameters returns information about the AK, typically used to diff --git a/attest/key_linux.go b/attest/key_linux.go index 1e56b4fc..0afd58f7 100644 --- a/attest/key_linux.go +++ b/attest/key_linux.go @@ -65,7 +65,7 @@ func (k *trousersKey12) activateCredential(tb tpmBase, in EncryptedCredential, e return cred, nil } -func (k *trousersKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) { +func (k *trousersKey12) quote(tb tpmBase, nonce []byte, alg HashAlg, selectedPCRs []int) (*Quote, error) { t, ok := tb.(*trousersTPM) if !ok { return nil, fmt.Errorf("expected *linuxTPM, got %T", tb) @@ -73,6 +73,9 @@ func (k *trousersKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, er if alg != HashSHA1 { return nil, fmt.Errorf("only SHA1 algorithms supported on TPM 1.2, not %v", alg) } + if selectedPCRs != nil { + return nil, fmt.Errorf("selecting PCRs not supported on TPM 1.2 (parameter must be nil)") + } quote, rawSig, err := attestation.GetQuote(t.ctx, k.blob, nonce) if err != nil { diff --git a/attest/key_windows.go b/attest/key_windows.go index aab867f3..831b9e6c 100644 --- a/attest/key_windows.go +++ b/attest/key_windows.go @@ -61,7 +61,7 @@ func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential, ek return decryptCredential(secretKey, in.Secret) } -func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) { +func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg, selectedPCRs []int) (*Quote, error) { if alg != HashSHA1 { return nil, fmt.Errorf("only SHA1 algorithms supported on TPM 1.2, not %v", alg) } @@ -80,11 +80,6 @@ func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, err return nil, fmt.Errorf("TPMCommandInterface() failed: %v", err) } - selectedPCRs := make([]int, 24) - for pcr := range selectedPCRs { - selectedPCRs[pcr] = pcr - } - sig, pcrc, err := tpm1.Quote(tpm, tpmKeyHnd, nonce, selectedPCRs[:], wellKnownAuth[:]) if err != nil { return nil, fmt.Errorf("Quote() failed: %v", err) @@ -160,7 +155,7 @@ func (k *windowsKey20) activateCredential(t tpmBase, in EncryptedCredential, ek return tpm.pcp.ActivateCredential(k.hnd, append(in.Credential, in.Secret...)) } -func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) { +func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg, selectedPCRs []int) (*Quote, error) { t, ok := tb.(*windowsTPM) if !ok { return nil, fmt.Errorf("expected *windowsTPM, got %T", tb) @@ -174,7 +169,7 @@ func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, err if err != nil { return nil, fmt.Errorf("TPMCommandInterface() failed: %v", err) } - return quote20(tpm, tpmKeyHnd, alg.goTPMAlg(), nonce) + return quote20(tpm, tpmKeyHnd, alg.goTPMAlg(), nonce, selectedPCRs) } func (k *windowsKey20) close(tpm tpmBase) error { diff --git a/attest/tpm.go b/attest/tpm.go index 1f0539f3..5a251d8b 100644 --- a/attest/tpm.go +++ b/attest/tpm.go @@ -236,12 +236,9 @@ func readEKCertFromNVRAM20(tpm io.ReadWriter, nvramCertIndex tpmutil.Handle) (*x return ParseEKCertificate(ekCert) } -func quote20(tpm io.ReadWriter, akHandle tpmutil.Handle, hashAlg tpm2.Algorithm, nonce []byte) (*Quote, error) { - sel := tpm2.PCRSelection{Hash: hashAlg} - numPCRs := 24 - for pcr := 0; pcr < numPCRs; pcr++ { - sel.PCRs = append(sel.PCRs, pcr) - } +func quote20(tpm io.ReadWriter, akHandle tpmutil.Handle, hashAlg tpm2.Algorithm, nonce []byte, selectedPCRs []int) (*Quote, error) { + sel := tpm2.PCRSelection{Hash: hashAlg, + PCRs: selectedPCRs} quote, sig, err := tpm2.Quote(tpm, akHandle, "", "", nonce, sel, tpm2.AlgNull) if err != nil { @@ -403,6 +400,7 @@ func (t *TPM) attestPCRs(ak *AK, nonce []byte, alg HashAlg) (*Quote, []PCR, erro if err != nil { return nil, nil, fmt.Errorf("failed to read %v PCRs: %v", alg, err) } + quote, err := ak.Quote(t, nonce, alg) if err != nil { return nil, nil, fmt.Errorf("failed to quote using %v: %v", alg, err) diff --git a/attest/wrapped_tpm20.go b/attest/wrapped_tpm20.go index dd08dfe2..65a18e43 100644 --- a/attest/wrapped_tpm20.go +++ b/attest/wrapped_tpm20.go @@ -518,12 +518,12 @@ func (k *wrappedKey20) certify(tb tpmBase, handle interface{}) (*CertificationPa return certify(t.rwc, hnd, k.hnd, scheme) } -func (k *wrappedKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) { +func (k *wrappedKey20) quote(tb tpmBase, nonce []byte, alg HashAlg, selectedPCRs []int) (*Quote, error) { t, ok := tb.(*wrappedTPM20) if !ok { return nil, fmt.Errorf("expected *wrappedTPM20, got %T", tb) } - return quote20(t.rwc, k.hnd, tpm2.Algorithm(alg), nonce) + return quote20(t.rwc, k.hnd, tpm2.Algorithm(alg), nonce, selectedPCRs) } func (k *wrappedKey20) attestationParameters() AttestationParameters { From ce1f4b5d06fa7762c30c5cb65df55aae3bfef176 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Tue, 27 Jun 2023 11:54:42 +0200 Subject: [PATCH 18/18] Fix legacy TPM2 path for Windows key creation and loading --- attest/tpm_windows.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attest/tpm_windows.go b/attest/tpm_windows.go index faa31667..bc65ba72 100644 --- a/attest/tpm_windows.go +++ b/attest/tpm_windows.go @@ -29,8 +29,8 @@ import ( "io" "math/big" + "github.com/google/go-tpm/legacy/tpm2" tpm1 "github.com/google/go-tpm/tpm" - "github.com/google/go-tpm/tpm2" tpmtbs "github.com/google/go-tpm/tpmutil/tbs" "golang.org/x/sys/windows" )