2022-02-16 09:53:10 +00:00
|
|
|
package tpm
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"fmt"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/google/go-attestation/attest"
|
2022-02-16 11:52:30 +00:00
|
|
|
"github.com/google/go-tpm-tools/simulator"
|
|
|
|
|
"github.com/rancher-sandbox/go-tpm/backend"
|
2022-02-16 09:53:10 +00:00
|
|
|
)
|
|
|
|
|
|
2022-02-17 09:10:04 +00:00
|
|
|
// ResolveToken is just syntax sugar around GetPubHash.
|
|
|
|
|
// If the token provided is in EK's form it just returns it, otherwise
|
|
|
|
|
// retrieves the pubhash
|
2022-02-16 11:52:30 +00:00
|
|
|
func ResolveToken(token string, opts ...Option) (bool, string, error) {
|
2022-02-16 09:53:10 +00:00
|
|
|
if !strings.HasPrefix(token, "tpm://") {
|
|
|
|
|
return false, token, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-16 11:52:30 +00:00
|
|
|
hash, err := GetPubHash(opts...)
|
2022-02-16 09:53:10 +00:00
|
|
|
return true, hash, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-17 09:10:04 +00:00
|
|
|
// GetPubHash returns the EK's pub hash
|
2022-02-16 11:52:30 +00:00
|
|
|
func GetPubHash(opts ...Option) (string, error) {
|
2022-02-17 09:10:04 +00:00
|
|
|
c := &config{}
|
|
|
|
|
c.apply(opts...)
|
2022-02-16 11:52:30 +00:00
|
|
|
|
|
|
|
|
ek, err := getEK(c)
|
2022-02-16 09:53:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("getting EK: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hash, err := getPubHash(ek)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("hashing EK: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return hash, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-17 09:10:04 +00:00
|
|
|
func getTPM(c *config) (*attest.TPM, error) {
|
2022-02-16 11:52:30 +00:00
|
|
|
|
|
|
|
|
cfg := &attest.OpenConfig{
|
2022-02-16 09:53:10 +00:00
|
|
|
TPMVersion: attest.TPMVersion20,
|
2022-02-16 11:52:30 +00:00
|
|
|
}
|
|
|
|
|
if c.commandChannel != nil {
|
|
|
|
|
cfg.CommandChannel = c.commandChannel
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.emulated && c.seed == 0 {
|
|
|
|
|
sim, err := simulator.Get()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-02-17 09:10:04 +00:00
|
|
|
cfg.CommandChannel = backend.Fake(sim)
|
2022-02-16 11:52:30 +00:00
|
|
|
} else {
|
|
|
|
|
sim, err := simulator.GetWithFixedSeedInsecure(c.seed)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-02-17 09:10:04 +00:00
|
|
|
cfg.CommandChannel = backend.Fake(sim)
|
2022-02-16 11:52:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return attest.OpenTPM(cfg)
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-17 09:10:04 +00:00
|
|
|
func getEK(c *config) (*attest.EK, error) {
|
2022-02-16 11:52:30 +00:00
|
|
|
var err error
|
|
|
|
|
|
|
|
|
|
tpm, err := getTPM(c)
|
2022-02-16 09:53:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("opening tpm: %w", err)
|
|
|
|
|
}
|
|
|
|
|
defer tpm.Close()
|
|
|
|
|
|
|
|
|
|
eks, err := tpm.EKs()
|
|
|
|
|
if err != nil {
|
2022-02-16 11:52:30 +00:00
|
|
|
return nil, fmt.Errorf("getting eks: %w", err)
|
2022-02-16 09:53:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(eks) == 0 {
|
|
|
|
|
return nil, fmt.Errorf("failed to find EK")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &eks[0], nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-17 09:10:04 +00:00
|
|
|
func getToken(data *attestationData) (string, error) {
|
2022-02-16 09:53:10 +00:00
|
|
|
bytes, err := json.Marshal(data)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("marshalling attestation data: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return "Bearer TPM" + base64.StdEncoding.EncodeToString(bytes), nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-17 09:10:04 +00:00
|
|
|
func getAttestationData(c *config) (*attestationData, []byte, error) {
|
2022-02-16 09:53:10 +00:00
|
|
|
var err error
|
2022-02-16 11:52:30 +00:00
|
|
|
|
|
|
|
|
tpm, err := getTPM(c)
|
2022-02-16 09:53:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, fmt.Errorf("opening tpm: %w", err)
|
|
|
|
|
}
|
|
|
|
|
defer tpm.Close()
|
|
|
|
|
|
|
|
|
|
eks, err := tpm.EKs()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
2022-02-16 11:52:30 +00:00
|
|
|
|
2022-02-16 09:53:10 +00:00
|
|
|
ak, err := tpm.NewAK(nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
defer ak.Close(tpm)
|
|
|
|
|
params := ak.AttestationParameters()
|
|
|
|
|
|
|
|
|
|
if len(eks) == 0 {
|
|
|
|
|
return nil, nil, fmt.Errorf("failed to find EK")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ek := &eks[0]
|
2022-02-17 09:10:04 +00:00
|
|
|
ekBytes, err := encodeEK(ek)
|
2022-02-16 09:53:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
aikBytes, err := ak.Marshal()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, fmt.Errorf("marshaling AK: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-17 09:10:04 +00:00
|
|
|
return &attestationData{
|
2022-02-16 09:53:10 +00:00
|
|
|
EK: ekBytes,
|
|
|
|
|
AK: ¶ms,
|
|
|
|
|
}, aikBytes, nil
|
|
|
|
|
}
|
