Add TPMKMS implementation #253

Merged
merged 41 commits into from
Jun 7, 2023

Conversation

@hslatman (Member) commented Jun 5, 2023

This PR adds a KMS implementation backed by a TPM. It uses our tpm package and its storage methods for its core operations. It uses URIs similar to the format used by PKCS11 to address / configure (attestation) keys.

The TPMKMS implementation supports attestation through configuration of the attestation CA to use when instantiating the KMS instance. This configuration is provided through a URI too. A default client implementation is provided that interacts with the Smallstep Attestation CA. A custom implementation can be provided through the AttestationClient interface.

As a bonus, this PR includes an io.Reader implementation backed by the tpm package to make a TPM generate random data.
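The PR description above says keys and their attestation settings are addressed through URIs in the PKCS#11 URI style. The following is an added example, not code from this PR or from the smallstep project: a parser for a hypothetical `tpmkms:` URI in the RFC 7512 shape (scheme, `:`, `;`-separated `attr=value` pairs with percent-encoded values). The scheme name, the attribute names (`name`, `attestation-ca-url`, `attestation-ca-root`) and the `KeyConfig` type are assumptions for illustration, not the project's actual format. It rejects unknown and duplicate attributes and requires the attestation CA URL to be `https`, since the attestation exchange must not be reachable over a downgradable transport.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// KeyConfig is what a hypothetical TPM-backed KMS would build from a key URI.
// Field and attribute names are illustrative, not the project's own.
type KeyConfig struct {
	Name            string // name of the key in TPM storage (required)
	AttestationCA   string // base URL of the attestation CA (optional)
	AttestationRoot string // path to the attestation CA root bundle (optional)
}

// scheme is the hypothetical URI scheme used by this example.
const scheme = "tpmkms"

// knownAttrs lists the attributes this example accepts; anything else is an error
// so that a typo in a configuration cannot silently disable attestation.
var knownAttrs = map[string]bool{
	"name":                true,
	"attestation-ca-url":  true,
	"attestation-ca-root": true,
}

// ParseKeyURI parses a URI such as
//
//	tpmkms:name=my-key;attestation-ca-url=https%3A%2F%2Fattest.example.com
//
// following the PKCS#11 URI layout from RFC 7512: the scheme, a ':', then
// ';'-separated attr=value pairs whose values are percent-encoded.
func ParseKeyURI(s string) (KeyConfig, error) {
	var cfg KeyConfig
	sch, rest, ok := strings.Cut(s, ":")
	if !ok || sch != scheme {
		return cfg, fmt.Errorf("unsupported URI scheme %q, expected %q", sch, scheme)
	}
	seen := map[string]bool{}
	for _, pair := range strings.Split(rest, ";") {
		if pair == "" {
			continue // tolerate a trailing ';'
		}
		k, v, ok := strings.Cut(pair, "=")
		if !ok {
			return cfg, fmt.Errorf("malformed attribute %q", pair)
		}
		if !knownAttrs[k] {
			return cfg, fmt.Errorf("unknown attribute %q", k)
		}
		if seen[k] {
			return cfg, fmt.Errorf("duplicate attribute %q", k)
		}
		seen[k] = true
		val, err := url.PathUnescape(v) // decodes %XX, leaves '+' alone
		if err != nil {
			return cfg, fmt.Errorf("attribute %q: %w", k, err)
		}
		switch k {
		case "name":
			cfg.Name = val
		case "attestation-ca-url":
			cfg.AttestationCA = val
		case "attestation-ca-root":
			cfg.AttestationRoot = val
		}
	}
	if cfg.Name == "" {
		return cfg, fmt.Errorf("missing required attribute %q", "name")
	}
	if cfg.AttestationCA != "" {
		u, err := url.Parse(cfg.AttestationCA)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return cfg, fmt.Errorf("attestation-ca-url must be an absolute https URL, got %q", cfg.AttestationCA)
		}
	}
	return cfg, nil
}

func main() {
	// Constructed sample input for this example.
	cfg, err := ParseKeyURI("tpmkms:name=my-key;attestation-ca-url=https%3A%2F%2Fattest.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("key=%s attestation CA=%s\n", cfg.Name, cfg.AttestationCA)
}
```

Percent-decoding is done with `url.PathUnescape` rather than `url.QueryUnescape` on purpose: RFC 7512 values are path-style, so a literal `+` in a key name must survive unchanged.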

@hslatman hslatman marked this pull request as ready for review June 5, 2023 16:36
@hslatman hslatman requested a review from maraino June 5, 2023 16:41
@hslatman hslatman requested a review from maraino June 7, 2023 00:27
Review comments (resolved) on kms/tpmkms/tpmkms.go, tpm/attestation/client.go and tpm/rand/rand.go
@hslatman hslatman requested a review from maraino June 7, 2023 11:06
When CreateAttestation is used with the TPMKMS, the existing
CertificationParameters are required to be returned, so that
they can be used within an application. The certification facts
are recorded at the time of key attestation.
Review comments (resolved) on kms/apiv1/options.go and tpm/rand/rand.go
maraino (Contributor) previously approved these changes Jun 7, 2023

@maraino left a comment


I've added a couple of comments, if you're ok with them, I am ok. It will also be good to send to codecov the coverage with the simulator.

Review comment (resolved) on kms/tpmkms/tpmkms.go
@hslatman (Member, Author) commented Jun 7, 2023

> I've added a couple of comments, if you're ok with them, I am ok. It will also be good to send to codecov the coverage with the simulator.

I thought I already added coverage reporting through combining the results from multiple tests runs, but maybe this typo resulted in it not working as expected: c2407d1. And now also include kms/tpmkms: b2dc92c.

@maraino maraino self-requested a review June 7, 2023 21:04
maraino previously approved these changes Jun 7, 2023
@hslatman hslatman merged commit 541f830 into master Jun 7, 2023
12 of 13 checks passed
@hslatman hslatman deleted the herman/tpmkms branch June 7, 2023 22:11