
go-tspi's Introduction

go-tspi - Go bindings and support code for libtspi and tpm communication

This is a library providing a set of bindings for communication between code written in Go and libtspi, the library responsible for providing a TPM control interface. It consists of the following components:

tspi

The tspi bindings for Go. These are a low-level interface intended for use by people writing new TPM-using applications in Go. Code using these bindings must run on the same system as the TPM. For example:

// Create a new TSPI context
context, err := tspi.NewContext()
// Connect to the TPM daemon
context.Connect()
// Obtain a handle to the TPM itself
tpm := context.GetTPM()
// Obtain the TPM event log
log, err := tpm.GetEventLog()

attestation and verification

Helper functions for performing attestation-related tasks

// Retrieve the EK certificate
ekcert, err := attestation.GetEKCert(context)
// Verify that the EK certificate is signed by a TPM vendor
err = verification.VerifyEKCert(ekcert)
if err != nil {
   log.Fatal("Unable to verify EK certificate!")
}

tpmd

Daemon for performing certain TPM operations through a higher-level API or over a network. It takes the listening port number as its only argument.

tpmclient

Library for client applications communicating with tpmd. Avoids the need for individual applications to care about TSPI context or resource lifecycles themselves.

// Connect to the TPM daemon on localhost port 12401
client := tpmclient.New("127.0.0.1:12401")
// Extend a PCR with some data
data := []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08}
client.Extend(15, 0x1000, data, "Test extension")

go-tspi's People

Contributors

alishuja, deniskarch, dependabot[bot], dthadi3, ericchiang, iaguis, jackofmosttrades, jonboulle, josephlr, lucperkins, mjg59, twitchy-jsonp


go-tspi's Issues

STM1 and STM2 certificates aren't parseable

At least the first two certs in this map are unparseable by both golang and openssl:

"STM1": `-----BEGIN CERTIFICATE-----

If you call VerifyEKCert with any blob of bytes you'll get the error:

Unable to parse STM1: asn1: structure error: SerialNumber: integer not minimally-encoded

I copied those out and ran openssl x509 on them (only one is pasted below)

$ openssl x509 -text -noout -in stm1.pem 
unable to load certificate
139741013725632:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
139741013725632:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=serialNumber, Type=X509_CINF
139741013725632:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509
139741013725632:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33:

The next two certs in the list from Nuvoton do parse fwiw.

While I'm here, thank you so much for this package. I had been looking at the go-tpm project which was nice but given that coreos already fires up tcsd this tspi package is super convenient and already has methods that suit our use case. This will fit nicely into our stack.
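The error quoted in the issue above comes from DER's rule that an INTEGER must not carry redundant leading 0x00 or 0xff bytes. The following added example (not part of go-tspi or of the original report) walks a certificate's outer structure to its serialNumber field without validating it, counts the redundant bytes, and shows that encoding/asn1 rejects the same field. The function names are hypothetical and the sample bytes are constructed stand-ins, not the STM certificates.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"math/big"
)

// Constructed stand-ins: SEQUENCE{ SEQUENCE{ [0]{INTEGER 2}, serial } }; badCert pads the serial with 0x00.
var badCert = []byte{0x30, 0x0b, 0x30, 0x09, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x02, 0x00, 0x01}
var goodCert = []byte{0x30, 0x0a, 0x30, 0x08, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01}

// serialField returns the raw serialNumber INTEGER without validating its contents.
func serialField(certDER []byte) (f asn1.RawValue, err error) {
	var cert, tbs asn1.RawValue
	var rest []byte
	if _, err = asn1.Unmarshal(certDER, &cert); err == nil {
		if _, err = asn1.Unmarshal(cert.Bytes, &tbs); err == nil {
			rest, err = asn1.Unmarshal(tbs.Bytes, &f)
		}
	}
	if err == nil && f.Class == asn1.ClassContextSpecific && f.Tag == 0 {
		_, err = asn1.Unmarshal(rest, &f) // skip the optional [0] version
	}
	if err == nil && (f.Class != asn1.ClassUniversal || f.Tag != asn1.TagInteger) {
		err = fmt.Errorf("serialNumber INTEGER not found")
	}
	return f, err
}

// redundantBytes counts leading bytes that DER's minimal-encoding rule forbids.
func redundantBytes(b []byte) (n int) {
	for len(b)-n >= 2 && ((b[n] == 0x00 && b[n+1]&0x80 == 0) || (b[n] == 0xff && b[n+1]&0x80 != 0)) {
		n++
	}
	return n
}

// stdlibError decodes the field as an integer the way encoding/asn1 would.
func stdlibError(f asn1.RawValue) error {
	_, err := asn1.Unmarshal(f.FullBytes, new(*big.Int))
	return err
}

func main() {
	for _, der := range [][]byte{badCert, goodCert} {
		f, err := serialField(der)
		fmt.Printf("serial=% x redundant=%d walkErr=%v stdlibErr=%v\n", f.Bytes, redundantBytes(f.Bytes), err, stdlibError(f))
	}
}
```

A non-zero count from `redundantBytes` on a vendor certificate points at the issuer's encoder rather than at the parsing library.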

TPM not accessible from go-tspi, despite the fact that it is there

I am about to embark on my first non-trivial development in Go, which involves accessing my TPM from a Go application using the go-tspi bindings. I have been able to install the go-tspi software by means of

go get github.com/coreos/go-tspi

This installs the source files under src/github.com/coreos/go-tspi in my Go workspace all right, although it issues the following diagnostic:

package github.com/coreos/go-tspi
    imports github.com/coreos/go-tspi
    imports github.com/coreos/go-tspi: no buildable Go source files in  
    /home/Go/WS/src/github.com/coreos/go-tspi

I was able to install the different packages and executables as follows

go build github.com/coreos/go-tspi/tspi
go install github.com/coreos/go-tspi/tspi

and analogously for the remaining Go files distributed with this software. After doing that, I end up with a number of packages in my workspace under pkg/linux_amd64/github.com/coreos/go-tspi:

attestation.a  
tpmclient.a 
tspi.a 
tspiconst.a  
verification.a

plus two executables in bin:

tpmd
tpmown

I looked into the source for tpmown (src/github.com/coreos/go-tspi/tpmown/tpmown.go) which seems to correspond to a relatively straightforward application to take ownership of the TPM. I have already taken ownership of the TPM, but I invoked it anyway, if it is only to see what kind of a diagnostic it would return.

tpmown returns immediately reporting that my system has no TPM. This is not true - I took ownership of the TPM using the Trousers C language library, and I am able to interact with it with no problems using that library. Looking further into tpmown.go I notice that the code makes a number of tests based on data in /sys/class/tpm. The problem is that, despite the fact that I have a functional TPM in my system, there is no tpm directory under /sys/class.

I will research this further in the net but, since I could use all the help I can get, if anybody in this forum has faced similar issues, your feedback would be most welcome. My system is running 64-bit Linux Slackware 14.1, with a 3.10.17 kernel, and the TPM in this system is version 1.2.

Can't compile GetEventLog() func on 32-bit architecture

How to reproduce

Create a main.go file on a 32-bit architecture (such as i386, i686):

package main

import (
        _ "github.com/coreos/go-tspi/tspi"
)

func main() {
}

Then run the command below.

$ go run main.go 
# github.com/coreos/go-tspi/tspi
../../coreos/go-tspi/tspi/tpm.go:92: type [1073741824]C.struct_tdTSS_PCR_EVENT larger than address space
../../coreos/go-tspi/tspi/tpm.go:92: type [1073741824]C.struct_tdTSS_PCR_EVENT too large

Environment

Debian GNU/Linux Sid i686

 $ uname -a
Linux debian-vm-tsr 4.8.0-2-686 #1 SMP Debian 4.8.11-1 (2016-12-02) i686 GNU/Linux

This problem is related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849665

Thanks

Add build instructions to the README

xxx@RedShell:~> wget https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz
--2019-03-28 20:51:37--  https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz
Resolving dl.google.com (dl.google.com)... 74.125.195.136, 74.125.195.91, 74.125.195.190, ...
Connecting to dl.google.com (dl.google.com)|74.125.195.136|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 127906702 (122M) [application/octet-stream]
Saving to: ‘go1.12.1.linux-amd64.tar.gz’

go1.12.1.linux-amd64.tar.g 100%[=====================================>] 121.98M   253MB/s    in 0.5s    

2019-03-28 20:51:38 (253 MB/s) - ‘go1.12.1.linux-amd64.tar.gz’ saved [127906702/127906702]

xxx@RedShell:~> sudo tar -C /usr/local -xzf go1.12.1.linux-amd64.tar.gz 
xxx@RedShell:~> export GOPATH=`pwd`
xxx@RedShell:~> export PATH="$PATH:/usr/local/go/bin"
xxx@RedShell:~> go version
go version go1.12.1 linux/amd64



xxx@RedShell:~> go get github.com/google/go-tspi/tspi
# github.com/google/go-tspi/tspi
src/github.com/google/go-tspi/tspi/context.go:17:27: fatal error: trousers/tss.h: No such file or directory
 // #include <trousers/tss.h>
                           ^
compilation terminated.


xxx@RedShell:~> sudo apt-get install libtspi-dev
xxx@RedShell:~> go get github.com/google/go-tspi/tspi
xxx@RedShell:~>
