Restore changes accidentally reverted during reconciliation (#256)
brandonweeks authored Dec 9, 2021
1 parent f1f1b84 commit 2f8dbfc
Showing 13 changed files with 120 additions and 16 deletions.
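--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,66 @@
+on: [push, pull_request]
+name: Test
+jobs:
+test-linux:
+strategy:
+matrix:
+go-version: [1.16.x, 1.17.x]
+runs-on: ubuntu-latest
+steps:
+- name: Install Go
+uses: actions/setup-go@v2
+with:
+go-version: ${{ matrix.go-version }}
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Test
+run: go test ./...
+test-linux-tpm12:
+strategy:
+matrix:
+go-version: [1.16.x, 1.17.x]
+runs-on: ubuntu-latest
+steps:
+- name: Install Go
+uses: actions/setup-go@v2
+with:
+go-version: ${{ matrix.go-version }}
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Install libtspi
+run: sudo apt-get install -y libtspi-dev
+- name: Test
+run: go test -tags tspi ./...
+test-macos:
+strategy:
+matrix:
+go-version: [1.16.x, 1.17.x]
+runs-on: macos-latest
+steps:
+- name: Install Go
+uses: actions/setup-go@v2
+with:
+go-version: ${{ matrix.go-version }}
+- name: Checkout code
+uses: actions/checkout@v2
+# See https://github.com/google/go-tpm-tools#macos-dev
+- name: Install openssl
+run: brew install [email protected]
+- name: Link openssl
+run: sudo ln -s $(brew --prefix [email protected])/include/openssl /usr/local/include
+- name: Test
+run: C_INCLUDE_PATH="$(brew --prefix [email protected])/include" LIBRARY_PATH="$(brew --prefix [email protected])/lib" go test ./...
+test-windows:
+strategy:
+matrix:
+go-version: [1.16.x, 1.17.x]
+runs-on: windows-latest
+steps:
+- name: Install Go
+uses: actions/setup-go@v2
+with:
+go-version: ${{ matrix.go-version }}
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Test
+run: go build ./...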
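Review bot: The third-party actions on the `uses:` lines (`actions/setup-go@v2` and `actions/checkout@v2`, repeated in all four jobs) are pinned to a mutable tag rather than a commit, so each run executes whatever the tag points to that day; pinning to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v2`, makes the workflow reproducible and auditable. The workflow also declares no `permissions:` block, so every job receives the repository's default GITHUB_TOKEN scope even though the jobs only build and test; a top-level `permissions:` with `contents: read` keeps the token read-only. The `[email protected]` tokens in the macOS job look like an extraction artifact standing in for the Homebrew formula name rather than the committed text, which is worth confirming against the repository. Indentation is not preserved in this rendering, so the step nesting is inferred from line order.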
10 changes: 9 additions & 1 deletion README.md
Expand Up @@ -20,11 +20,19 @@ API changes at any time.

Please note that this is not an official Google product.

TPM 1.2 support is best effort, meaning we will accept fixes for TPM 1.2, but
testing is not covered by CI.

## Installation

The go-attestation package is installable using go get: `go get github.com/google/go-attestation/attest`

Linux users must install `libtspi` and its headers. This can be installed on debian-based systems using: `sudo apt-get install libtspi-dev`.
### TPM1.2
By default, go-attestation does not build in TPM1.2 support on Linux.
Linux users must install [`libtspi`](http://trousers.sourceforge.net/) and its headers if they need TPM 1.2 support. This can be installed on debian-based systems using: `sudo apt-get install libtspi-dev`.
Then, build go-attestation with the `tspi` [build tag](https://pkg.go.dev/go/build#hdr-Build_Constraints) `go build --tags=tspi`.

Windows users can use go-attestation with TPM1.2 by default.

## Example: device identity

6 changes: 3 additions & 3 deletions attest/activation.go
Expand Up @@ -36,11 +36,11 @@ type ActivationParameters struct {
// TPMVersion holds the version of the TPM, either 1.2 or 2.0.
TPMVersion TPMVersion

// EK, the endorsement key, describes an asymmetric key who's
// private key is permenantly bound to the TPM.
// EK, the endorsement key, describes an asymmetric key whose
// private key is permanently bound to the TPM.
//
// Activation will verify that the provided EK is held on the same
// TPM as the AK. However, it is the callers responsibility to
// TPM as the AK. However, it is the caller's responsibility to
// ensure the EK they provide corresponds to the the device which
// they are trying to associate the AK with.
EK crypto.PublicKey
2 changes: 2 additions & 0 deletions attest/application_key_test.go
Expand Up @@ -12,7 +12,9 @@
// License for the specific language governing permissions and limitations under
// the License.

//go:build (!localtest || !tpm12) && linux && cgo
// +build !localtest !tpm12
// +build linux
// +build cgo

// NOTE: simulator requires cgo, hence the build tag.
6 changes: 3 additions & 3 deletions attest/attest-tool/attest-tool.go
Expand Up @@ -15,9 +15,9 @@ import (
"io/ioutil"
"os"

"github.com/google/go-attestation/attest"
"github.com/google/go-attestation/attest/attest_tool/internal"
"github.com/google/certificate-transparency-go/x509"
"github.com/google/go-attestation/attest"
"github.com/google/go-attestation/attest/attest-tool/internal"
)

var (
Expand Down Expand Up @@ -83,7 +83,7 @@ func selftestCredentialActivation(tpm *attest.TPM, ak *attest.AK) error {

func selftestAttest(tpm *attest.TPM, ak *attest.AK) error {
// This nonce is used in generating the quote. As this is a selftest,
// its set to an arbitrary value.
// it's set to an arbitrary value.
nonce := []byte{1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8}

pub, err := attest.ParseAKPublic(tpm.Version(), ak.AttestationParameters().Public)
2 changes: 1 addition & 1 deletion attest/attest-tool/internal/eventlog/secureboot_test.go
Expand Up @@ -20,7 +20,7 @@ import (
"testing"

"github.com/google/go-attestation/attest"
"github.com/google/go-attestation/attest/attest_tool/internal"
"github.com/google/go-attestation/attest/attest-tool/internal"
)

func parseEvents(t *testing.T, testdata string) []attest.Event {
2 changes: 2 additions & 0 deletions attest/attest_simulated_tpm20_test.go
Expand Up @@ -12,7 +12,9 @@
// License for the specific language governing permissions and limitations under
// the License.

//go:build (!localtest || !tpm12) && linux && cgo
// +build !localtest !tpm12
// +build linux
// +build cgo

// NOTE: simulator requires cgo, hence the build tag.
5 changes: 5 additions & 0 deletions attest/certification_test.go
Expand Up @@ -12,6 +12,11 @@
// License for the specific language governing permissions and limitations under
// the License.

//go:build (!localtest || !tpm12) && linux && cgo
// +build !localtest !tpm12
// +build linux
// +build cgo

package attest

import (
10 changes: 5 additions & 5 deletions attest/eventlog.go
Expand Up @@ -115,10 +115,10 @@ func (e EventType) String() string {
}

// Event is a single event from a TCG event log. This reports descrete items such
// as BIOs measurements or EFI states.
// as BIOS measurements or EFI states.
//
// There are many pitfalls for using event log events correctly to determine the
// state of a machine[1]. In general it's must safer to only rely on the raw PCR
// state of a machine[1]. In general it's much safer to only rely on the raw PCR
// values and use the event log for debugging.
//
// [1] https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md
Expand Down Expand Up @@ -222,7 +222,7 @@ func (e *EventLog) Events(hash HashAlg) []Event {
// Verify replays the event log against a TPM's PCR values, returning the
// events which could be matched to a provided PCR value.
//
// PCRs provide no security guarentees unless they're attested to have been
// PCRs provide no security guarantees unless they're attested to have been
// generated by a TPM. Verify does not perform these checks.
//
// An error is returned if the replayed digest for events with a given PCR
Expand Down Expand Up @@ -407,7 +407,7 @@ func extend(pcr PCR, replay []byte, e rawEvent, locality byte) (pcrDigest []byte
// replayPCR replays the event log for a specific PCR, using pcr and
// event digests with the algorithm in pcr. An error is returned if the
// replayed values do not match the final PCR digest, or any event tagged
// with that PCR does not posess an event digest with the specified algorithm.
// with that PCR does not possess an event digest with the specified algorithm.
func replayPCR(rawEvents []rawEvent, pcr PCR) ([]Event, bool) {
var (
replay []byte
Expand Down Expand Up @@ -531,7 +531,7 @@ func ParseEventLog(measurementLog []byte) (*EventLog, error) {
// Switch to parsing crypto agile events. Don't include this in the
// replayed events since it intentionally doesn't extend the PCRs.
//
// Note that this doesn't actually guarentee that events have SHA256
// Note that this doesn't actually guarantee that events have SHA256
// digests.
parseFn = parseRawEvent2
el.specIDEvent = specID
2 changes: 1 addition & 1 deletion attest/key_linux.go
Expand Up @@ -12,7 +12,7 @@
// License for the specific language governing permissions and limitations under
// the License.

// +build linux,!gofuzz,cgo
// +build linux,!gofuzz,cgo,tspi

package attest

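Review bot: The updated constraint on the `// +build linux,!gofuzz,cgo,tspi` line has no matching `//go:build` line, while the test files touched by this same commit carry both forms; Go 1.17, which the new CI matrix builds with, treats `//go:build` as the primary form and gofmt will insert it on the next formatting pass. Adding `//go:build linux && !gofuzz && cgo && tspi` directly above the `+build` line keeps the two in sync now rather than in an unrelated later commit. The same applies to the `+build` line changed in attest/tpm12_linux.go.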
2 changes: 1 addition & 1 deletion attest/tpm.go
Expand Up @@ -256,7 +256,7 @@ func readAllPCRs20(tpm io.ReadWriter, alg tpm2.Algorithm) (map[uint32][]byte, er
out := map[uint32][]byte{}

// The TPM 2.0 spec says that the TPM can partially fulfill the
// request. As such, we repeat the command up to 8 times to get all
// request. As such, we repeat the command up to 24 times to get all
// 24 PCRs.
for i := 0; i < numPCRs; i++ {
// Build a selection structure, specifying all PCRs we do
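Review bot: The rewritten comment now hard-codes `24` while the loop on the following line is bounded by `numPCRs`, so the same drift that left the stale `8` in place can recur whenever the constant changes. Phrasing it in terms of the constant removes the second copy of the number: `// request. As such, we repeat the command up to numPCRs times to get all` followed by `// of them.`. The body of readAllPCRs20 continues past the hunk, so the loop's exit conditions are not visible here.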
2 changes: 1 addition & 1 deletion attest/tpm12_linux.go
Expand Up @@ -12,7 +12,7 @@
// License for the specific language governing permissions and limitations under
// the License.

// +build linux,!gofuzz,cgo
// +build linux,!gofuzz,cgo,tspi

package attest

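--- /dev/null
+++ b/ci/run.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -e
+
+1>&2 echo "-----
+WARNING: The TPM 1.2 simulator no longer builds with newer versions of openssl.
+These scripts are kept for posterity, but likely won't build on new OS
+versions.
+----"
+
+export PROJECT_ROOT="$( pwd )"
+TMPDIR="$( mktemp -d )"
+SIM_DIR="${TMPDIR}/tpm12_sim"
+
+TEST_ROOT="${TMPDIR}/tests_base"
+
+mkdir -pv "${SIM_DIR}"
+./ci/setup_tpm12_simulator.sh "${SIM_DIR}"
+./ci/setup_tests_fs.sh "${TEST_ROOT}"
+
+go test -v ./... -- --testTPM12
+
+./ci/shutdown_tpm12_simulator.sh "${SIM_DIR}"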
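Review bot: Error handling in this script comes only from the `-e` on the `#!/bin/bash -e` shebang, which is ignored when the script is invoked as `bash ci/run.sh` or sourced, and under `-e` any failure in the setup scripts or in `go test` exits before the shutdown on the last line runs, leaving the simulator started by `./ci/setup_tpm12_simulator.sh` running and the `mktemp -d` directory behind. Moving the options into the body with `set -euo pipefail` and running the shutdown and removal from an `EXIT` trap makes cleanup happen on both success and failure. Separately, `TMPDIR` is the variable `mktemp` itself consults for its base directory, and if the CI environment already exports it the assignment here changes what every helper script afterwards sees; a script-local name avoids that.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: warning banner …
export PROJECT_ROOT="$( pwd )"
WORK_DIR="$( mktemp -d )"
SIM_DIR="${WORK_DIR}/tpm12_sim"
TEST_ROOT="${WORK_DIR}/tests_base"

cleanup() {
    ./ci/shutdown_tpm12_simulator.sh "${SIM_DIR}"
    rm -rf "${WORK_DIR}"
}
trap cleanup EXIT
# … unchanged: mkdir, setup scripts, go test …
```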
