diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 00000000..9e4642b6 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,66 @@ +on: [push, pull_request] +name: Test +jobs: + test-linux: + strategy: + matrix: + go-version: [1.16.x, 1.17.x] + runs-on: ubuntu-latest + steps: + - name: Install Go + uses: actions/setup-go@v2 + with: + go-version: ${{ matrix.go-version }} + - name: Checkout code + uses: actions/checkout@v2 + - name: Test + run: go test ./... + test-linux-tpm12: + strategy: + matrix: + go-version: [1.16.x, 1.17.x] + runs-on: ubuntu-latest + steps: + - name: Install Go + uses: actions/setup-go@v2 + with: + go-version: ${{ matrix.go-version }} + - name: Checkout code + uses: actions/checkout@v2 + - name: Install libtspi + run: sudo apt-get install -y libtspi-dev + - name: Test + run: go test -tags tspi ./... + test-macos: + strategy: + matrix: + go-version: [1.16.x, 1.17.x] + runs-on: macos-latest + steps: + - name: Install Go + uses: actions/setup-go@v2 + with: + go-version: ${{ matrix.go-version }} + - name: Checkout code + uses: actions/checkout@v2 + # See https://github.com/google/go-tpm-tools#macos-dev + - name: Install openssl + run: brew install openssl@1.1 + - name: Link openssl + run: sudo ln -s $(brew --prefix openssl@1.1)/include/openssl /usr/local/include + - name: Test + run: C_INCLUDE_PATH="$(brew --prefix openssl@1.1)/include" LIBRARY_PATH="$(brew --prefix openssl@1.1)/lib" go test ./... + test-windows: + strategy: + matrix: + go-version: [1.16.x, 1.17.x] + runs-on: windows-latest + steps: + - name: Install Go + uses: actions/setup-go@v2 + with: + go-version: ${{ matrix.go-version }} + - name: Checkout code + uses: actions/checkout@v2 + - name: Test + run: go build ./... diff --git a/README.md b/README.md index 90bafbd8..ce4675f5 100644 --- a/README.md +++ b/README.md @@ -20,11 +20,19 @@ API changes at any time. Please note that this is not an official Google product. +TPM 1.2 support is best effort, meaning we will accept fixes for TPM 1.2, but +testing is not covered by CI. + ## Installation The go-attestation package is installable using go get: `go get github.com/google/go-attestation/attest` -Linux users must install `libtspi` and its headers. This can be installed on debian-based systems using: `sudo apt-get install libtspi-dev`. +### TPM1.2 +By default, go-attestation does not build in TPM1.2 support on Linux. +Linux users must install [`libtspi`](http://trousers.sourceforge.net/) and its headers if they need TPM 1.2 support. This can be installed on debian-based systems using: `sudo apt-get install libtspi-dev`. +Then, build go-attestation with the `tspi` [build tag](https://pkg.go.dev/go/build#hdr-Build_Constraints) `go build --tags=tspi`. + +Windows users can use go-attestation with TPM1.2 by default. ## Example: device identity diff --git a/attest/activation.go b/attest/activation.go index 8ef749f2..752968ea 100644 --- a/attest/activation.go +++ b/attest/activation.go @@ -36,11 +36,11 @@ type ActivationParameters struct { // TPMVersion holds the version of the TPM, either 1.2 or 2.0. TPMVersion TPMVersion - // EK, the endorsement key, describes an asymmetric key who's - // private key is permenantly bound to the TPM. + // EK, the endorsement key, describes an asymmetric key whose + // private key is permanently bound to the TPM. // // Activation will verify that the provided EK is held on the same - // TPM as the AK. However, it is the callers responsibility to + // TPM as the AK. However, it is the caller's responsibility to // ensure the EK they provide corresponds to the the device which // they are trying to associate the AK with. EK crypto.PublicKey diff --git a/attest/application_key_test.go b/attest/application_key_test.go index 03acd834..b7cd3fe6 100644 --- a/attest/application_key_test.go +++ b/attest/application_key_test.go @@ -12,7 +12,9 @@ // License for the specific language governing permissions and limitations under // the License. +//go:build (!localtest || !tpm12) && linux && cgo // +build !localtest !tpm12 +// +build linux // +build cgo // NOTE: simulator requires cgo, hence the build tag. diff --git a/attest/attest-tool/attest-tool.go b/attest/attest-tool/attest-tool.go index 107549c3..eee98eb1 100644 --- a/attest/attest-tool/attest-tool.go +++ b/attest/attest-tool/attest-tool.go @@ -15,9 +15,9 @@ import ( "io/ioutil" "os" - "github.com/google/go-attestation/attest" - "github.com/google/go-attestation/attest/attest_tool/internal" "github.com/google/certificate-transparency-go/x509" + "github.com/google/go-attestation/attest" + "github.com/google/go-attestation/attest/attest-tool/internal" ) var ( @@ -83,7 +83,7 @@ func selftestCredentialActivation(tpm *attest.TPM, ak *attest.AK) error { func selftestAttest(tpm *attest.TPM, ak *attest.AK) error { // This nonce is used in generating the quote. As this is a selftest, - // its set to an arbitrary value. + // it's set to an arbitrary value. nonce := []byte{1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8} pub, err := attest.ParseAKPublic(tpm.Version(), ak.AttestationParameters().Public) diff --git a/attest/attest-tool/internal/eventlog/secureboot_test.go b/attest/attest-tool/internal/eventlog/secureboot_test.go index 2124591b..258acb34 100644 --- a/attest/attest-tool/internal/eventlog/secureboot_test.go +++ b/attest/attest-tool/internal/eventlog/secureboot_test.go @@ -20,7 +20,7 @@ import ( "testing" "github.com/google/go-attestation/attest" - "github.com/google/go-attestation/attest/attest_tool/internal" + "github.com/google/go-attestation/attest/attest-tool/internal" ) func parseEvents(t *testing.T, testdata string) []attest.Event { diff --git a/attest/attest_simulated_tpm20_test.go b/attest/attest_simulated_tpm20_test.go index 3e879d58..66cfaa1a 100644 --- a/attest/attest_simulated_tpm20_test.go +++ b/attest/attest_simulated_tpm20_test.go @@ -12,7 +12,9 @@ // License for the specific language governing permissions and limitations under // the License. +//go:build (!localtest || !tpm12) && linux && cgo // +build !localtest !tpm12 +// +build linux // +build cgo // NOTE: simulator requires cgo, hence the build tag. diff --git a/attest/certification_test.go b/attest/certification_test.go index ef277d01..0630b203 100644 --- a/attest/certification_test.go +++ b/attest/certification_test.go @@ -12,6 +12,11 @@ // License for the specific language governing permissions and limitations under // the License. +//go:build (!localtest || !tpm12) && linux && cgo +// +build !localtest !tpm12 +// +build linux +// +build cgo + package attest import ( diff --git a/attest/eventlog.go b/attest/eventlog.go index d6c1a8d4..e2ed0322 100644 --- a/attest/eventlog.go +++ b/attest/eventlog.go @@ -115,10 +115,10 @@ func (e EventType) String() string { } // Event is a single event from a TCG event log. This reports descrete items such -// as BIOs measurements or EFI states. +// as BIOS measurements or EFI states. // // There are many pitfalls for using event log events correctly to determine the -// state of a machine[1]. In general it's must safer to only rely on the raw PCR +// state of a machine[1]. In general it's much safer to only rely on the raw PCR // values and use the event log for debugging. // // [1] https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md @@ -222,7 +222,7 @@ func (e *EventLog) Events(hash HashAlg) []Event { // Verify replays the event log against a TPM's PCR values, returning the // events which could be matched to a provided PCR value. // -// PCRs provide no security guarentees unless they're attested to have been +// PCRs provide no security guarantees unless they're attested to have been // generated by a TPM. Verify does not perform these checks. // // An error is returned if the replayed digest for events with a given PCR @@ -407,7 +407,7 @@ func extend(pcr PCR, replay []byte, e rawEvent, locality byte) (pcrDigest []byte // replayPCR replays the event log for a specific PCR, using pcr and // event digests with the algorithm in pcr. An error is returned if the // replayed values do not match the final PCR digest, or any event tagged -// with that PCR does not posess an event digest with the specified algorithm. +// with that PCR does not possess an event digest with the specified algorithm. func replayPCR(rawEvents []rawEvent, pcr PCR) ([]Event, bool) { var ( replay []byte @@ -531,7 +531,7 @@ func ParseEventLog(measurementLog []byte) (*EventLog, error) { // Switch to parsing crypto agile events. Don't include this in the // replayed events since it intentionally doesn't extend the PCRs. // - // Note that this doesn't actually guarentee that events have SHA256 + // Note that this doesn't actually guarantee that events have SHA256 // digests. parseFn = parseRawEvent2 el.specIDEvent = specID diff --git a/attest/key_linux.go b/attest/key_linux.go index af252b60..ec5109f4 100644 --- a/attest/key_linux.go +++ b/attest/key_linux.go @@ -12,7 +12,7 @@ // License for the specific language governing permissions and limitations under // the License. -// +build linux,!gofuzz,cgo +// +build linux,!gofuzz,cgo,tspi package attest diff --git a/attest/tpm.go b/attest/tpm.go index e3aaf5a4..4d2bc9f5 100644 --- a/attest/tpm.go +++ b/attest/tpm.go @@ -256,7 +256,7 @@ func readAllPCRs20(tpm io.ReadWriter, alg tpm2.Algorithm) (map[uint32][]byte, er out := map[uint32][]byte{} // The TPM 2.0 spec says that the TPM can partially fulfill the - // request. As such, we repeat the command up to 8 times to get all + // request. As such, we repeat the command up to 24 times to get all // 24 PCRs. for i := 0; i < numPCRs; i++ { // Build a selection structure, specifying all PCRs we do diff --git a/attest/tpm12_linux.go b/attest/tpm12_linux.go index ef4e2da5..40560bff 100644 --- a/attest/tpm12_linux.go +++ b/attest/tpm12_linux.go @@ -12,7 +12,7 @@ // License for the specific language governing permissions and limitations under // the License. -// +build linux,!gofuzz,cgo +// +build linux,!gofuzz,cgo,tspi package attest diff --git a/ci/run.sh b/ci/run.sh new file mode 100755 index 00000000..d44e7c1f --- /dev/null +++ b/ci/run.sh @@ -0,0 +1,21 @@ +#!/bin/bash -e + +1>&2 echo "----- +WARNING: The TPM 1.2 simulator no longer builds with newer versions of openssl. +These scripts are kept for posterity, but likely won't build on new OS +versions. +----" + +export PROJECT_ROOT="$( pwd )" +TMPDIR="$( mktemp -d )" +SIM_DIR="${TMPDIR}/tpm12_sim" + +TEST_ROOT="${TMPDIR}/tests_base" + +mkdir -pv "${SIM_DIR}" +./ci/setup_tpm12_simulator.sh "${SIM_DIR}" +./ci/setup_tests_fs.sh "${TEST_ROOT}" + +go test -v ./... -- --testTPM12 + +./ci/shutdown_tpm12_simulator.sh "${SIM_DIR}"