forked from google/go-tpm-tools
/
template.go
143 lines (129 loc) · 4.17 KB
/
template.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
package client
import (
"crypto/sha256"
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpmutil"
)
// Calculations from Credential_Profile_EK_V2.0, section 2.1.5.3 - authPolicy
func defaultEKAuthPolicy() []byte {
buf, err := tpmutil.Pack(tpm2.CmdPolicySecret, tpm2.HandleEndorsement)
if err != nil {
panic(err)
}
digest1 := sha256.Sum256(append(make([]byte, 32), buf...))
// We would normally append the policy buffer to digest1, but the
// policy buffer is empty for the default Auth Policy.
digest2 := sha256.Sum256(digest1[:])
return digest2[:]
}
func defaultEKAttributes() tpm2.KeyProp {
// The EK is a storage key that must use session-based authorization.
return (tpm2.FlagStorageDefault | tpm2.FlagAdminWithPolicy) & ^tpm2.FlagUserWithAuth
}
func defaultSRKAttributes() tpm2.KeyProp {
// FlagNoDA doesn't do anything (as the AuthPolicy is nil). However, this is
// what Windows does, and we don't want to conflict.
return tpm2.FlagStorageDefault | tpm2.FlagNoDA
}
func defaultSymScheme() *tpm2.SymScheme {
return &tpm2.SymScheme{
Alg: tpm2.AlgAES,
KeyBits: 128,
Mode: tpm2.AlgCFB,
}
}
func defaultRSAParams() *tpm2.RSAParams {
return &tpm2.RSAParams{
Symmetric: defaultSymScheme(),
KeyBits: 2048,
ModulusRaw: make([]byte, 256), // public.unique must be all zeros
}
}
func defaultECCParams() *tpm2.ECCParams {
return &tpm2.ECCParams{
Symmetric: defaultSymScheme(),
CurveID: tpm2.CurveNISTP256,
Point: tpm2.ECPoint{
XRaw: make([]byte, 32),
YRaw: make([]byte, 32),
},
}
}
// DefaultEKTemplateRSA returns the default Endorsement Key (EK) template as
// specified in Credential_Profile_EK_V2.0, section 2.1.5.1 - authPolicy.
// https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
func DefaultEKTemplateRSA() tpm2.Public {
return tpm2.Public{
Type: tpm2.AlgRSA,
NameAlg: tpm2.AlgSHA256,
Attributes: defaultEKAttributes(),
AuthPolicy: defaultEKAuthPolicy(),
RSAParameters: defaultRSAParams(),
}
}
// DefaultEKTemplateECC returns the default Endorsement Key (EK) template as
// specified in Credential_Profile_EK_V2.0, section 2.1.5.2 - authPolicy.
// https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
func DefaultEKTemplateECC() tpm2.Public {
return tpm2.Public{
Type: tpm2.AlgECC,
NameAlg: tpm2.AlgSHA256,
Attributes: defaultEKAttributes(),
AuthPolicy: defaultEKAuthPolicy(),
ECCParameters: defaultECCParams(),
}
}
// AKTemplateRSA returns a potential Attestation Key (AK) template.
// This is very similar to DefaultEKTemplateRSA, except that this will be a
// signing key instead of an encrypting key.
func AKTemplateRSA() tpm2.Public {
return tpm2.Public{
Type: tpm2.AlgRSA,
NameAlg: tpm2.AlgSHA256,
Attributes: tpm2.FlagSignerDefault,
RSAParameters: &tpm2.RSAParams{
Sign: &tpm2.SigScheme{
Alg: tpm2.AlgRSASSA,
Hash: tpm2.AlgSHA256,
},
KeyBits: 2048,
},
}
}
// AKTemplateECC returns a potential Attestation Key (AK) template.
// This is very similar to DefaultEKTemplateECC, except that this will be a
// signing key instead of an encrypting key.
func AKTemplateECC() tpm2.Public {
params := defaultECCParams()
params.Symmetric = nil
params.Sign = &tpm2.SigScheme{
Alg: tpm2.AlgECDSA,
Hash: tpm2.AlgSHA256,
}
return tpm2.Public{
Type: tpm2.AlgECC,
NameAlg: tpm2.AlgSHA256,
Attributes: tpm2.FlagSignerDefault,
ECCParameters: params,
}
}
// SRKTemplateRSA returns a standard Storage Root Key (SRK) template.
// This is based upon the advice in the TCG's TPM v2.0 Provisioning Guidance.
func SRKTemplateRSA() tpm2.Public {
return tpm2.Public{
Type: tpm2.AlgRSA,
NameAlg: tpm2.AlgSHA256,
Attributes: defaultSRKAttributes(),
RSAParameters: defaultRSAParams(),
}
}
// SRKTemplateECC returns a standard Storage Root Key (SRK) template.
// This is based upon the advice in the TCG's TPM v2.0 Provisioning Guidance.
func SRKTemplateECC() tpm2.Public {
return tpm2.Public{
Type: tpm2.AlgECC,
NameAlg: tpm2.AlgSHA256,
Attributes: defaultSRKAttributes(),
ECCParameters: defaultECCParams(),
}
}