Add TPMKMS implementation #253
A new instance of a random generator backed by a TPM can be created by calling `rand.New()`. It can be used instead of `rand.Reader`. Opening and closing the connection to the TPM is performed transparently.
When CreateAttestation is used with the TPMKMS, the existing CertificationParameters are required to be returned, so that they can be used within an application. The certification facts are recorded at the time of key attestation.
I've added a couple of comments; if you're ok with them, I am ok. It will also be good to send to codecov the coverage with the simulator.
I thought I already added coverage reporting through combining the results from multiple test runs, but maybe this typo resulted in it not working as expected: c2407d1. And now also include |
This PR adds a KMS implementation backed by a TPM. It uses our `tpm` package and its storage methods for its core operations. It uses URIs similar to the format used by PKCS11 to address / configure (attestation) keys.

The `TPMKMS` implementation supports attestation through configuration of the attestation CA to use when instantiating the KMS instance. This configuration is provided through a URI too. A default client implementation is provided that interacts with the Smallstep Attestation CA. A custom implementation can be provided through the `AttestationClient` interface.

As a bonus, this PR includes an `io.Reader` implementation backed by the `tpm` package to make a TPM generate random data.
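A sketch of the pattern behind the TPM-backed `io.Reader` described above, added here as an illustration and not taken from this PR or the `tpm` package: the reader opens the device for each `Read`, closes it before returning, and loops because a TPM can return fewer random bytes than requested. The `device` interface, `tpmReader` and `fakeTPM` are hypothetical names, and `fakeTPM` is a constructed test double that emits counter bytes rather than random data.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// device is a hypothetical stand-in for a TPM handle, not the tpm package's API.
type device interface {
	Open() error
	Close() error
	GetRandom(n int) ([]byte, error) // may return fewer than n bytes
}
// tpmReader opens the device for each Read and closes it before returning.
type tpmReader struct{ dev device }

func (r *tpmReader) Read(p []byte) (n int, err error) {
	if err = r.dev.Open(); err != nil {
		return 0, fmt.Errorf("open TPM: %w", err)
	}
	defer r.dev.Close() // release the device on every path, errors included
	for n < len(p) {    // loop over short replies until p is full
		b, gerr := r.dev.GetRandom(len(p) - n)
		if gerr != nil {
			return n, fmt.Errorf("TPM GetRandom: %w", gerr)
		}
		if len(b) == 0 { // fail closed: never report unfilled bytes as random
			return n, io.ErrNoProgress
		}
		n += copy(p[n:], b)
	}
	return n, nil
}

// fakeTPM is a constructed test double: counter bytes, at most limit per call.
type fakeTPM struct{ opens, closes, calls, limit int }
func (f *fakeTPM) Open() error  { f.opens++; return nil }
func (f *fakeTPM) Close() error { f.closes++; return nil }
func (f *fakeTPM) GetRandom(n int) ([]byte, error) {
	f.calls++
	if n > f.limit {
		n = f.limit
	}
	return bytes.Repeat([]byte{byte(f.calls)}, n), nil
}

func main() {
	fmt.Println(io.ReadFull(&tpmReader{&fakeTPM{limit: 32}}, make([]byte, 80)))
}
```

Callers that need an exact number of bytes should still wrap the reader in `io.ReadFull` and check its error, so a failed or stalled device never yields a partly filled key buffer.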