Skip to content

Commit

Permalink
Add TPM 2 application key support for Windows
Browse files Browse the repository at this point in the history
There's currently no support for creating application keys on Windows systems. This patch transitions the Windows key type to specifically refer to attestation keys, and reuses the existing wrapped key support for application keys. This allows the creation of keys in the platform store, while still allowing said keys to be manipulated with existing TPM functionality rather than duplicating it.
  • Loading branch information
mjg59 committed May 18, 2023
1 parent 3ef3949 commit fbfc4a7
Show file tree
Hide file tree
Showing 3 changed files with 251 additions and 53 deletions.
40 changes: 20 additions & 20 deletions attest/key_windows.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,22 +24,22 @@ import (
"github.com/google/go-tpm/tpm2"
)

// windowsKey12 represents a Windows-managed key on a TPM1.2 TPM.
type windowsKey12 struct {
// windowsAK12 represents a Windows-managed key on a TPM1.2 TPM.
type windowsAK12 struct {
hnd uintptr
pcpKeyName string
public []byte
}

func newWindowsKey12(hnd uintptr, pcpKeyName string, public []byte) ak {
return &windowsKey12{
func newWindowsAK12(hnd uintptr, pcpKeyName string, public []byte) ak {
return &windowsAK12{
hnd: hnd,
pcpKeyName: pcpKeyName,
public: public,
}
}

func (k *windowsKey12) marshal() ([]byte, error) {
func (k *windowsAK12) marshal() ([]byte, error) {
out := serializedKey{
Encoding: keyEncodingOSManaged,
TPMVersion: TPMVersion12,
Expand All @@ -49,7 +49,7 @@ func (k *windowsKey12) marshal() ([]byte, error) {
return out.Serialize()
}

func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
func (k *windowsAK12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
tpm, ok := t.(*windowsTPM)
if !ok {
return nil, fmt.Errorf("expected *windowsTPM, got %T", t)
Expand All @@ -61,7 +61,7 @@ func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential) ([]
return decryptCredential(secretKey, in.Secret)
}

func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
func (k *windowsAK12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
if alg != HashSHA1 {
return nil, fmt.Errorf("only SHA1 algorithms supported on TPM 1.2, not %v", alg)
}
Expand Down Expand Up @@ -103,21 +103,21 @@ func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, err
}, nil
}

func (k *windowsKey12) close(tpm tpmBase) error {
func (k *windowsAK12) close(tpm tpmBase) error {
return closeNCryptObject(k.hnd)
}

func (k *windowsKey12) attestationParameters() AttestationParameters {
func (k *windowsAK12) attestationParameters() AttestationParameters {
return AttestationParameters{
Public: k.public,
}
}
func (k *windowsKey12) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
func (k *windowsAK12) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
return nil, fmt.Errorf("not implemented")
}

// windowsKey20 represents a key bound to a TPM 2.0.
type windowsKey20 struct {
// windowsAK20 represents a key bound to a TPM 2.0.
type windowsAK20 struct {
hnd uintptr

pcpKeyName string
Expand All @@ -127,8 +127,8 @@ type windowsKey20 struct {
createSignature []byte
}

func newWindowsKey20(hnd uintptr, pcpKeyName string, public, createData, createAttest, createSig []byte) ak {
return &windowsKey20{
func newWindowsAK20(hnd uintptr, pcpKeyName string, public, createData, createAttest, createSig []byte) ak {
return &windowsAK20{
hnd: hnd,
pcpKeyName: pcpKeyName,
public: public,
Expand All @@ -138,7 +138,7 @@ func newWindowsKey20(hnd uintptr, pcpKeyName string, public, createData, createA
}
}

func (k *windowsKey20) marshal() ([]byte, error) {
func (k *windowsAK20) marshal() ([]byte, error) {
out := serializedKey{
Encoding: keyEncodingOSManaged,
TPMVersion: TPMVersion20,
Expand All @@ -152,15 +152,15 @@ func (k *windowsKey20) marshal() ([]byte, error) {
return out.Serialize()
}

func (k *windowsKey20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
func (k *windowsAK20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
tpm, ok := t.(*windowsTPM)
if !ok {
return nil, fmt.Errorf("expected *windowsTPM, got %T", t)
}
return tpm.pcp.ActivateCredential(k.hnd, append(in.Credential, in.Secret...))
}

func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
func (k *windowsAK20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
t, ok := tb.(*windowsTPM)
if !ok {
return nil, fmt.Errorf("expected *windowsTPM, got %T", tb)
Expand All @@ -177,11 +177,11 @@ func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, err
return quote20(tpm, tpmKeyHnd, alg.goTPMAlg(), nonce)
}

func (k *windowsKey20) close(tpm tpmBase) error {
func (k *windowsAK20) close(tpm tpmBase) error {
return closeNCryptObject(k.hnd)
}

func (k *windowsKey20) attestationParameters() AttestationParameters {
func (k *windowsAK20) attestationParameters() AttestationParameters {
return AttestationParameters{
Public: k.public,
CreateData: k.createData,
Expand All @@ -190,7 +190,7 @@ func (k *windowsKey20) attestationParameters() AttestationParameters {
}
}

func (k *windowsKey20) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
func (k *windowsAK20) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
t, ok := tb.(*windowsTPM)
if !ok {
return nil, fmt.Errorf("expected *windowsTPM, got %T", tb)
Expand Down
Loading

0 comments on commit fbfc4a7

Please sign in to comment.