google / go-tspi
TSPI bindings for golang
License: Apache License 2.0
xxx@RedShell:~> wget https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz
--2019-03-28 20:51:37-- https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz
Resolving dl.google.com (dl.google.com)... 74.125.195.136, 74.125.195.91, 74.125.195.190, ...
Connecting to dl.google.com (dl.google.com)|74.125.195.136|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 127906702 (122M) [application/octet-stream]
Saving to: ‘go1.12.1.linux-amd64.tar.gz’
go1.12.1.linux-amd64.tar.g 100%[=====================================>] 121.98M 253MB/s in 0.5s
2019-03-28 20:51:38 (253 MB/s) - ‘go1.12.1.linux-amd64.tar.gz’ saved [127906702/127906702]
xxx@RedShell:~> sudo tar -C /usr/local -xzf go1.12.1.linux-amd64.tar.gz
xxx@RedShell:~> export GOPATH=`pwd`
xxx@RedShell:~> export PATH="$PATH:/usr/local/go/bin"
xxx@RedShell:~> go version
go version go1.12.1 linux/amd64
xxx@RedShell:~> go get github.com/google/go-tspi/tspi
# github.com/google/go-tspi/tspi
src/github.com/google/go-tspi/tspi/context.go:17:27: fatal error: trousers/tss.h: No such file or directory
// #include <trousers/tss.h>
^
compilation terminated.
xxx@RedShell:~> sudo apt-get install libtspi-dev
xxx@RedShell:~> go get github.com/google/go-tspi/tspi
xxx@RedShell:~>
Currently tpmd seems to open its listening port to anyone (https://github.com/coreos/go-tspi/blob/master/tpmd/tpmd.go#L391), without authn/z. This can be abused to DoS the machine or tamper with its state. At the very least, tpmd should limit its listening socket to localhost.
At the moment, unprivileged users can bind to the TCP port before tpmd is started. That could DoS tpmclient. See rkt/rkt#1816
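The two problems raised in this issue (a listener open to every interface, and an unprivileged process grabbing the port before the daemon starts) can be shown in a few lines of plain Go. The block below is an added example written for this page, not code from go-tspi or tpmd: it classifies a listen address as exposed or loopback-only, reproduces the pre-bind race on an ephemeral loopback port (an assumption standing in for tpmd's fixed port), and shows one hardened alternative, a Unix-domain socket inside a 0700 directory, which is a suggested design rather than anything the project ships. The EADDRINUSE check assumes Linux.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// ExposedToNetwork reports whether a TCP listen address accepts connections
// from other hosts. An empty host (":port") or an unspecified address
// (0.0.0.0 / [::]) binds every interface; only loopback literals are private.
func ExposedToNetwork(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return true, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, fmt.Errorf("listen address %q is not an IP literal", addr)
	}
	return !ip.IsLoopback(), nil
}

// SquatDemo reproduces the pre-bind race on loopback: the "attacker" binds
// first, so the "daemon" (a second listener on the same port) fails with
// EADDRINUSE. An ephemeral port stands in for the daemon's fixed port.
func SquatDemo() (addrInUse bool, err error) {
	attacker, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer attacker.Close()
	daemon, err := net.Listen("tcp", attacker.Addr().String())
	if err == nil {
		daemon.Close()
		return false, nil // both listeners succeeded: no squat (not expected on Linux)
	}
	return errors.Is(err, syscall.EADDRINUSE), nil
}

// ListenPrivate is the hardened shape (suggested here, not tpmd's design): a
// Unix-domain socket inside a directory that is mode 0700 before the socket
// exists, so the kernel's permission check on connect() keeps other users out
// from the first instant and there is no TCP port for anyone to squat. dir is
// chosen by the caller (for a root daemon, something under /run only root can write).
func ListenPrivate(dir string) (net.Listener, string, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, "", err
	}
	if err := os.Chmod(dir, 0o700); err != nil { // MkdirAll keeps an existing dir's mode
		return nil, "", err
	}
	path := filepath.Join(dir, "tpmd.sock")
	_ = os.Remove(path) // stale socket file from a previous run
	l, err := net.Listen("unix", path)
	if err != nil {
		return nil, "", err
	}
	if err := os.Chmod(path, 0o600); err != nil { // belt and braces on the socket itself
		l.Close()
		return nil, "", err
	}
	return l, path, nil
}

func main() {
	for _, a := range []string{":12345", "0.0.0.0:12345", "127.0.0.1:12345"} {
		exposed, _ := ExposedToNetwork(a)
		fmt.Printf("%-16s exposed=%v\n", a, exposed)
	}
	squatted, err := SquatDemo()
	fmt.Println("second listener got EADDRINUSE:", squatted, err)
	l, path, err := ListenPrivate(filepath.Join(os.TempDir(), "tpmd-demo"))
	if err != nil {
		fmt.Println("unix listen failed:", err)
		return
	}
	defer l.Close()
	fmt.Println("listening on", path)
}
```

Binding 127.0.0.1 fixes the remote exposure but not the squat: any local user can still take the port first. The directory-gated Unix socket closes both, because the daemon owns the directory and the kernel enforces its mode on every connect.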
I am about to embark on my first non-trivial development in Go, which involves accessing my TPM from a Go application using the go-tspi bindings. I have been able to install the go-tspi software by means of
go get github.com/coreos/go-tspi
This installs the source files under src/github.com/coreos/go-tspi in my Go workspace all right, although it issues the following diagnostic:
package github.com/coreos/go-tspi
imports github.com/coreos/go-tspi
imports github.com/coreos/go-tspi: no buildable Go source files in
/home/Go/WS/src/github.com/coreos/go-tspi
I was able to install the different packages and executables as follows
go build github.com/coreos/go-tspi/tspi
go install github.com/coreos/go-tspi/tspi
and analogously for the remaining Go files distributed with this software. After doing that, I end up with a number of packages in my workspace under pkg/linux_amd64/github.com/coreos/go-tspi:
attestation.a
tpmclient.a
tspi.a
tspiconst.a
verification.a
plus two executables in bin:
tpmd
tpmown
I looked into the source for tpmown (src/github.com/coreos/go-tspi/tpmown/tpmown.go), which seems to correspond to a relatively straightforward application to take ownership of the TPM. I have already taken ownership of the TPM, but I invoked it anyway, if only to see what kind of diagnostic it would return.
tpmown returns immediately, reporting that my system has no TPM. This is not true: I took ownership of the TPM using the Trousers C language library, and I am able to interact with it with no problems using that library. Looking further into tpmown.go, I notice that the code makes a number of tests based on data in /sys/class/tpm. The problem is that, despite the fact that I have a functional TPM in my system, there is no tpm directory under /sys/class.
I will research this further in the net but, since I could use all the help I can get, if anybody in this forum has faced similar issues, your feedback would be most welcome. My system is running 64-bit Linux Slackware 14.1, with a 3.10.17 kernel, and the TPM in this system is version 1.2.
At least the first two certs in this map are unparseable by both golang and openssl:
go-tspi/verification/verification.go, line 157 in 115dea6
If you call VerifyEKCert with any blob of bytes you'll get the error:
Unable to parse STM1: asn1: structure error: SerialNumber: integer not minimally-encoded
I copied those out and ran openssl x509 on them (only one is pasted below)
$ openssl x509 -text -noout -in stm1.pem
unable to load certificate
139741013725632:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
139741013725632:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=serialNumber, Type=X509_CINF
139741013725632:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509
139741013725632:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33:
The next two certs in the list from Nuvoton do parse fwiw.
While I'm here, thank you so much for this package. I had been looking at the go-tpm project which was nice but given that coreos already fires up tcsd this tspi package is super convenient and already has methods that suit our usecase. This will fit nicely into our stack.
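The "integer not minimally-encoded" failure above is a DER rule (X.690 8.3.2): an INTEGER may not carry redundant leading 0x00 or 0xFF sign bytes, and both Go's x509 parser and OpenSSL reject a serial number that does. When the certificate comes from a vendor and cannot be reissued, the practical workaround is to re-encode the offending INTEGERs and parse the result. The block below is an added example written for this page, not code from go-tspi: it walks a DER blob with encoding/asn1 RawValues, minimizes every universal INTEGER, and recomputes lengths. Because no vendor certificate is on this page, the test input is a throwaway self-signed P-256 certificate (constructed here) whose serial is deliberately padded to reproduce the bug.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// IsMinimalInteger applies the DER rule (X.690 8.3.2): the first nine bits of
// an INTEGER's content must not be all zeros or all ones.
func IsMinimalInteger(c []byte) bool {
	if len(c) == 0 {
		return false
	}
	if len(c) == 1 {
		return true
	}
	return !((c[0] == 0x00 && c[1]&0x80 == 0) || (c[0] == 0xff && c[1]&0x80 != 0))
}

// minimize strips redundant sign-extension bytes; pad adds one to a positive
// value (used only to fabricate a broken test vector).
func minimize(c []byte) []byte {
	for len(c) > 1 && !IsMinimalInteger(c) {
		c = c[1:]
	}
	return c
}

func pad(c []byte) []byte {
	if len(c) > 0 && c[0]&0x80 == 0 {
		return append([]byte{0x00}, c...)
	}
	return c
}

// rewriteDER walks a DER encoding element by element, recurses into
// constructed types, applies fn to the content of every universal INTEGER and
// lets asn1.Marshal recompute each length. Primitive strings (BIT STRING,
// OCTET STRING) are copied as-is, so the signature and extension payloads are
// never touched.
func rewriteDER(der []byte, fn func([]byte) []byte) ([]byte, error) {
	var out []byte
	for len(der) > 0 {
		var el asn1.RawValue
		rest, err := asn1.Unmarshal(der, &el) // RawValue accepts any content unchecked
		if err != nil {
			return nil, err
		}
		switch {
		case el.IsCompound:
			if el.Bytes, err = rewriteDER(el.Bytes, fn); err != nil {
				return nil, err
			}
		case el.Class == asn1.ClassUniversal && el.Tag == asn1.TagInteger:
			el.Bytes = fn(el.Bytes)
		}
		el.FullBytes = nil // force Marshal to re-encode tag and length from Bytes
		enc, err := asn1.Marshal(el)
		if err != nil {
			return nil, err
		}
		out = append(out, enc...)
		der = rest
	}
	return out, nil
}

// NormalizeCertDER returns a copy of a certificate with every INTEGER
// minimally encoded; BreakCertDER does the reverse to build a test vector.
func NormalizeCertDER(der []byte) ([]byte, error) { return rewriteDER(der, minimize) }
func BreakCertDER(der []byte) ([]byte, error)     { return rewriteDER(der, pad) }

// selfSignedDER builds a throwaway self-signed certificate with serial 0x7a
// (constructed demo input, not a real EK certificate).
func selfSignedDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x7a),
		Subject:      pkix.Name{CommonName: "demo EK"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	good, err := selfSignedDER()
	if err != nil {
		panic(err)
	}
	bad, _ := BreakCertDER(good)
	_, err = x509.ParseCertificate(bad)
	fmt.Println("padded serial rejected:", err)
	fixed, _ := NormalizeCertDER(bad)
	cert, err := x509.ParseCertificate(fixed)
	fmt.Println("after normalizing:", err, cert.SerialNumber)
}
```

Normalizing changes the TBSCertificate bytes, so a signature check over the rewritten blob will fail; verify the signature over the original DER (or accept that these vendor certificates cannot be chain-verified by a strict parser) and use the normalized copy only to read fields such as the serial and public key.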
Create a main.go file on a 32-bit architecture (such as i386, i686):
package main
import (
_ "github.com/coreos/go-tspi/tspi"
)
func main() {
}
And run the command below.
$ go run main.go
# github.com/coreos/go-tspi/tspi
../../coreos/go-tspi/tspi/tpm.go:92: type [1073741824]C.struct_tdTSS_PCR_EVENT larger than address space
../../coreos/go-tspi/tspi/tpm.go:92: type [1073741824]C.struct_tdTSS_PCR_EVENT too large
Debian GNU/Linux Sid i686
$ uname -a
Linux debian-vm-tsr 4.8.0-2-686 #1 SMP Debian 4.8.11-1 (2016-12-02) i686 GNU/Linux
This problem is related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849665
Thanks
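The error comes from a common cgo idiom: a C pointer is converted to a pointer to a huge Go array type, `[1<<30]T`, and then sliced. The array type itself must fit in the address space, and on i386 `1<<30` elements of any struct larger than 4 bytes does not, so the compiler refuses the type. The block below is an added example written for this page, not go-tspi's code: `pcrEvent` is a constructed stand-in and not the TrouSerS layout, and it shows two shapes that build on 32-bit targets, a bound computed from the element size (so the array type is always 1 GiB) and `unsafe.Slice` (Go 1.17 and later), which needs no array type at all. In a real binding the pointer would come from the TSPI call that returned the event buffer; here it points at Go memory.

```go
package main

import (
	"fmt"
	"unsafe"
)

// pcrEvent stands in for the C event record the binding slices; it is
// constructed for this example and is not the TrouSerS TSS_PCR_EVENT layout.
type pcrEvent struct {
	PCRIndex  uint32
	EventType uint32
	Digest    [20]byte
}

// maxEvents is the largest count whose array type still fits in a 32-bit
// address space: 1 GiB divided by the element size. unsafe.Sizeof is a
// compile-time constant, so the array length is a constant too, and the type
// is 1 GiB on every architecture instead of count*size growing past 4 GiB on
// i386 the way [1<<30]T does for any T bigger than 4 bytes.
const maxEvents = (1 << 30) / unsafe.Sizeof(pcrEvent{})

// eventsBounded is the classic cgo idiom (cast to a pointer-to-array, then
// slice) with a bound that compiles on 32-bit targets. p must point at a
// buffer holding at least n records; n comes from whatever filled the buffer.
func eventsBounded(p *pcrEvent, n int) []pcrEvent {
	if p == nil || n < 0 || uintptr(n) > maxEvents {
		panic(fmt.Sprintf("event count %d outside [0, %d]", n, maxEvents))
	}
	return (*[maxEvents]pcrEvent)(unsafe.Pointer(p))[:n:n]
}

// eventsSlice is the Go 1.17+ form: unsafe.Slice needs no array type, so
// there is nothing for the compiler to size against the address space.
func eventsSlice(p *pcrEvent, n int) []pcrEvent {
	if p == nil || n < 0 {
		panic("bad event buffer")
	}
	return unsafe.Slice(p, n)
}

func main() {
	// Constructed stand-in for a buffer returned by C: three records in Go memory.
	var buf [3]pcrEvent
	for i := range buf {
		buf[i].PCRIndex = uint32(i)
		buf[i].Digest[0] = byte(0xa0 + i)
	}
	for _, ev := range eventsBounded(&buf[0], len(buf)) {
		fmt.Printf("pcr=%d digest[0]=%#x\n", ev.PCRIndex, ev.Digest[0])
	}
	fmt.Println("same backing memory:", &eventsSlice(&buf[0], 3)[2] == &buf[2])
}
```

Both forms alias the C buffer rather than copying it, so the slice is only valid until the C side frees the memory; copy out what you need before releasing the TSPI context.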
Please consider assigning version numbers and tagging releases. Tags/releases
are quite useful for downstream package maintainers (in Debian and other distributions) to export source tarballs, automatically track new releases and to declare dependencies between packages. Read more in the Debian Upstream Guide.
Thank you.