tpm-helpers/tpm.go

package tpm

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"

	"github.com/google/go-attestation/attest"
	"github.com/google/go-tpm-tools/simulator"
	"github.com/rancher-sandbox/go-tpm/backend"
)

func ResolveToken(token string, opts ...Option) (bool, string, error) {
	if !strings.HasPrefix(token, "tpm://") {
		return false, token, nil
	}

	hash, err := GetPubHash(opts...)
	return true, hash, err
}

func GetPubHash(opts ...Option) (string, error) {

	c := &Config{}
	c.Apply(opts...)

	ek, err := getEK(c)
	if err != nil {
		return "", fmt.Errorf("getting EK: %w", err)
	}

	hash, err := getPubHash(ek)
	if err != nil {
		return "", fmt.Errorf("hashing EK: %w", err)
	}

	return hash, nil
}

func getTPM(c *Config) (*attest.TPM, error) {

	cfg := &attest.OpenConfig{
		TPMVersion: attest.TPMVersion20,
	}
	if c.commandChannel != nil {
		cfg.CommandChannel = c.commandChannel
	}

	if c.emulated && c.seed == 0 {
		sim, err := simulator.Get()
		if err != nil {
			return nil, err
		}
		cfg.CommandChannel = &backend.FakeTPM{ReadWriteCloser: sim}
	} else {
		sim, err := simulator.GetWithFixedSeedInsecure(c.seed)
		if err != nil {
			return nil, err
		}
		cfg.CommandChannel = &backend.FakeTPM{ReadWriteCloser: sim}
	}

	return attest.OpenTPM(cfg)

}

func getEK(c *Config) (*attest.EK, error) {
	var err error

	tpm, err := getTPM(c)
	if err != nil {
		return nil, fmt.Errorf("opening tpm: %w", err)
	}
	defer tpm.Close()

	eks, err := tpm.EKs()
	if err != nil {
		return nil, fmt.Errorf("getting eks: %w", err)
	}

	if len(eks) == 0 {
		return nil, fmt.Errorf("failed to find EK")
	}

	return &eks[0], nil
}

func getToken(data *AttestationData) (string, error) {
	bytes, err := json.Marshal(data)
	if err != nil {
		return "", fmt.Errorf("marshalling attestation data: %w", err)
	}

	return "Bearer TPM" + base64.StdEncoding.EncodeToString(bytes), nil
}

func getAttestationData(c *Config) (*AttestationData, []byte, error) {
	var err error

	tpm, err := getTPM(c)
	if err != nil {
		return nil, nil, fmt.Errorf("opening tpm: %w", err)
	}
	defer tpm.Close()

	eks, err := tpm.EKs()
	if err != nil {
		return nil, nil, err
	}

	ak, err := tpm.NewAK(nil)
	if err != nil {
		return nil, nil, err
	}
	defer ak.Close(tpm)
	params := ak.AttestationParameters()

	if len(eks) == 0 {
		return nil, nil, fmt.Errorf("failed to find EK")
	}

	ek := &eks[0]
	ekBytes, err := EncodeEK(ek)
	if err != nil {
		return nil, nil, err
	}

	aikBytes, err := ak.Marshal()
	if err != nil {
		return nil, nil, fmt.Errorf("marshaling AK: %w", err)
	}

	return &AttestationData{
		EK: ekBytes,
		AK: &params,
	}, aikBytes, nil
}
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`package tpm`

			`import (`
			`"encoding/base64"`
			`"encoding/json"`
			`"fmt"`
			`"strings"`

			`"github.com/google/go-attestation/attest"`
Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00			`"github.com/google/go-tpm-tools/simulator"`
			`"github.com/rancher-sandbox/go-tpm/backend"`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`)`

Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00			`func ResolveToken(token string, opts ...Option) (bool, string, error) {`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`if !strings.HasPrefix(token, "tpm://") {`
			`return false, token, nil`
			`}`

Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00			`hash, err := GetPubHash(opts...)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`return true, hash, err`
			`}`

Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00			`func GetPubHash(opts ...Option) (string, error) {`

			`c := &Config{}`
			`c.Apply(opts...)`

			`ek, err := getEK(c)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`if err != nil {`
			`return "", fmt.Errorf("getting EK: %w", err)`
			`}`

			`hash, err := getPubHash(ek)`
			`if err != nil {`
			`return "", fmt.Errorf("hashing EK: %w", err)`
			`}`

			`return hash, nil`
			`}`

Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00			`func getTPM(c Config) (attest.TPM, error) {`

			`cfg := &attest.OpenConfig{`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`TPMVersion: attest.TPMVersion20,`
Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00			`}`
			`if c.commandChannel != nil {`
			`cfg.CommandChannel = c.commandChannel`
			`}`

			`if c.emulated && c.seed == 0 {`
			`sim, err := simulator.Get()`
			`if err != nil {`
			`return nil, err`
			`}`
			`cfg.CommandChannel = &backend.FakeTPM{ReadWriteCloser: sim}`
			`} else {`
			`sim, err := simulator.GetWithFixedSeedInsecure(c.seed)`
			`if err != nil {`
			`return nil, err`
			`}`
			`cfg.CommandChannel = &backend.FakeTPM{ReadWriteCloser: sim}`
			`}`

			`return attest.OpenTPM(cfg)`

			`}`

			`func getEK(c Config) (attest.EK, error) {`
			`var err error`

			`tpm, err := getTPM(c)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("opening tpm: %w", err)`
			`}`
			`defer tpm.Close()`

			`eks, err := tpm.EKs()`
			`if err != nil {`
Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00			`return nil, fmt.Errorf("getting eks: %w", err)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`}`

			`if len(eks) == 0 {`
			`return nil, fmt.Errorf("failed to find EK")`
			`}`

			`return &eks[0], nil`
			`}`

			`func getToken(data *AttestationData) (string, error) {`
			`bytes, err := json.Marshal(data)`
			`if err != nil {`
			`return "", fmt.Errorf("marshalling attestation data: %w", err)`
			`}`

			`return "Bearer TPM" + base64.StdEncoding.EncodeToString(bytes), nil`
			`}`

Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00			`func getAttestationData(c Config) (AttestationData, []byte, error) {`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`var err error`
Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00
			`tpm, err := getTPM(c)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`if err != nil {`
			`return nil, nil, fmt.Errorf("opening tpm: %w", err)`
			`}`
			`defer tpm.Close()`

			`eks, err := tpm.EKs()`
			`if err != nil {`
			`return nil, nil, err`
			`}`
Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`ak, err := tpm.NewAK(nil)`
			`if err != nil {`
			`return nil, nil, err`
			`}`
			`defer ak.Close(tpm)`
			`params := ak.AttestationParameters()`

			`if len(eks) == 0 {`
			`return nil, nil, fmt.Errorf("failed to find EK")`
			`}`

			`ek := &eks[0]`
			`ekBytes, err := EncodeEK(ek)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`aikBytes, err := ak.Marshal()`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("marshaling AK: %w", err)`
			`}`

			`return &AttestationData{`
			`EK: ekBytes,`
			`AK: &params,`
			`}, aikBytes, nil`
			`}`