// This program creates a key hierarchy consisting of a // primary key, and quoting key for cloudproxy and saves the context. func main() { keySize := flag.Int("modulusSize", 2048, "Modulus size for keys") rootContextFileName := flag.String("rootContextFile", "rootContext.bin", "Root context file") quoteContextFileName := flag.String("quoteContextFile", "quoteContext.bin", "Quote context file") storeContextFileName := flag.String("storeContextFile", "storeContext.bin", "Store context file") pcrList := flag.String("pcrList", "7", "Pcr list") flag.Parse() fmt.Printf("Pcr list: %s\n", *pcrList) // Open tpm rw, err := tpm2.OpenTPM("/dev/tpm0") if err != nil { fmt.Printf("OpenTPM failed %s\n", err) return } defer rw.Close() // Flushall err = tpm2.Flushall(rw) if err != nil { fmt.Printf("Flushall failed\n") return } pcrs, err := tpm2.StringToIntList(*pcrList) if err != nil { fmt.Printf("Can't format pcr list\n") return } err = tpm2.InitTpm2Keys(rw, pcrs, uint16(*keySize), uint16(tpm2.AlgTPM_ALG_SHA1), "", *rootContextFileName, *quoteContextFileName, *storeContextFileName) if err == nil { fmt.Printf("Key creation succeeded\n") } else { fmt.Printf("Key creation failed\n") } return }
// This program creates a key hierarchy consisting of a // primary key, and quoting key for cloudproxy // and makes their handles permanent. func main() { keySize := flag.Int("modulus size", 2048, "Modulus size for keys") policyKeyFile := flag.String("Policy save file", "policy.go.bin", "policy save file") policyKeyPassword := flag.String("Policy key password", "xxzzy", "policy key password") policyCertFile := flag.String("Policy cert save file", "policy.cert.go.der", "policy cert save file") flag.Parse() // Open tpm rw, err := tpm2.OpenTPM("/dev/tpm0") if err != nil { fmt.Printf("OpenTPM failed %s\n", err) return } defer rw.Close() // Flushall err = tpm2.Flushall(rw) if err != nil { fmt.Printf("Flushall failed\n") return } var notBefore time.Time notBefore = time.Now() validFor := 365 * 24 * time.Hour notAfter := notBefore.Add(validFor) policyKey, err := rsa.GenerateKey(rand.Reader, *keySize) if err != nil { fmt.Printf("Can't generate policy key\n") return } fmt.Printf("policyKey: %x\n", policyKey) derPolicyCert, err := tpm2.GenerateSelfSignedCertFromKey(policyKey, "Cloudproxy Authority", "Application Policy Key", tpm2.GetSerialNumber(), notBefore, notAfter) fmt.Printf("policyKey: %x\n", policyKey) ioutil.WriteFile(*policyCertFile, derPolicyCert, 0644) if err != nil { fmt.Printf("Can't write policy cert\n") return } // Marshal policy key serializedPolicyKey, err := tpm2.SerializeRsaPrivateKey(policyKey) if err != nil { fmt.Printf("Cant serialize rsa key\n") return } ioutil.WriteFile(*policyKeyFile, serializedPolicyKey, 0644) if err == nil { fmt.Printf("Policy Key generation succeeded, password: %s\n", *policyKeyPassword) } else { fmt.Printf("Policy Key generation failed\n") } }
// NewTPM2Tao creates a new TPM2Tao and returns it under the Tao interface. func NewTPM2Tao(tpmPath string, statePath string, pcrNums []int) (Tao, error) { var err error tt := &TPM2Tao{pcrCount: 24, password: ""} tt.rw, err = tpm2.OpenTPM(tpmPath) if err != nil { return nil, err } // Make sure the TPM2Tao releases all its resources runtime.SetFinalizer(tt, FinalizeTPM2Tao) tt.pcrs = pcrNums tt.path = statePath // Create the root key. keySize := uint16(2048) quotePassword := "" //var empty []byte rootSaveContext := path.Join(tt.path, "root_context") _, rootErr := os.Stat(rootSaveContext) quoteSaveContext := path.Join(tt.path, "quote_context") _, quoteErr := os.Stat(quoteSaveContext) sealSaveContext := path.Join(tt.path, "seal_context") _, sealErr := os.Stat(sealSaveContext) if rootErr != nil || quoteErr != nil || sealErr != nil { if err := tpm2.InitTpm2Keys(tt.rw, tt.pcrs, keySize, uint16(tpm2.AlgTPM_ALG_SHA1), quotePassword, rootSaveContext, quoteSaveContext, sealSaveContext); err != nil { return nil, err } } // Read the contexts and public info and use them to load the handles. if tt.rootContext, err = ioutil.ReadFile(rootSaveContext); err != nil { return nil, fmt.Errorf("Could not read the root context from %s: %v", rootSaveContext, err) } if tt.quoteContext, err = ioutil.ReadFile(quoteSaveContext); err != nil { return nil, fmt.Errorf("Could not read the quote context from %s: %v", quoteSaveContext, err) } if tt.sealContext, err = ioutil.ReadFile(sealSaveContext); err != nil { return nil, fmt.Errorf("Could not read the seal context from %s: %v", sealSaveContext, err) } if tt.quoteHandle, err = tt.loadQuote(); err != nil { return nil, err } defer tpm2.FlushContext(tt.rw, tt.quoteHandle) if tt.verifier, err = tpm2.GetRsaKeyFromHandle(tt.rw, tt.quoteHandle); err != nil { return nil, err } fmt.Fprintf(os.Stderr, "Loaded the handles and the verifier\n") // Get the pcr values for the PCR nums. tt.pcrNums = make([]int, len(pcrNums)) for i, v := range pcrNums { tt.pcrNums[i] = v } tt.pcrVals, err = ReadTPM2PCRs(tt.rw, pcrNums) if err != nil { return nil, err } // Create principal. tt.name, err = MakeTPM2Prin(tt.verifier, tt.pcrNums, tt.pcrVals) if err != nil { return nil, err } quoteCertPath := path.Join(tt.path, "quote_cert") if _, quoteCertErr := os.Stat(quoteCertPath); quoteCertErr != nil { tt.quoteCert, err = getQuoteCert(tt.rw, tt.path, tt.quoteHandle, quotePassword, tt.name, tt.verifier) if err != nil { return nil, err } if err := ioutil.WriteFile(quoteCertPath, tt.quoteCert, 0644); err != nil { return nil, err } } else { if tt.quoteCert, err = ioutil.ReadFile(quoteCertPath); err != nil { return nil, err } } fmt.Fprintf(os.Stderr, "Got TPM 2.0 principal name %q\n", tt.name) return tt, nil }
// This program makes the endorsement certificate given the Policy key. func main() { keySize := flag.Int("modulus size", 2048, "Modulus size for keys") keyName := flag.String("Endorsement key name", "JohnsHw", "endorsement key name") endorsementCertFile := flag.String("Endorsement save file", "endorsement.cert.der", "endorsement save file") policyCertFile := flag.String("Policy cert file", "policy.cert.go.der", "cert file") policyKeyFile := flag.String("Policy key file", "policy.go.bin", "policy save file") policyKeyPassword := flag.String("Policy key password", "xxzzy", "policy key password") flag.Parse() fmt.Printf("Policy key password: %s\n", *policyKeyPassword) // TODO pcrs := []int{7} // Open tpm rw, err := tpm2.OpenTPM("/dev/tpm0") if err != nil { fmt.Printf("OpenTPM failed %s\n", err) return } defer rw.Close() // Flushall err = tpm2.Flushall(rw) if err != nil { fmt.Printf("Flushall failed\n") return } var notBefore time.Time notBefore = time.Now() validFor := 365 * 24 * time.Hour notAfter := notBefore.Add(validFor) serializePolicyKey, err := ioutil.ReadFile(*policyKeyFile) if err != nil { fmt.Printf("Can't get serialized policy key\n") return } derPolicyCert, err := ioutil.ReadFile(*policyCertFile) if err != nil { fmt.Printf("Can't get policy cert %s\n", *policyCertFile) return } policyKey, err := tpm2.DeserializeRsaKey(serializePolicyKey) if err != nil { fmt.Printf("Can't get deserialize policy key\n") return } ekHandle, _, err := tpm2.CreateEndorsement(rw, uint16(*keySize), pcrs) if err != nil { fmt.Printf("Can't CreateEndorsement\n") return } defer tpm2.FlushContext(rw, ekHandle) endorsementCert, err := tpm2.GenerateHWCert(rw, ekHandle, *keyName, notBefore, notAfter, tpm2.GetSerialNumber(), derPolicyCert, policyKey) if err != nil { fmt.Printf("Can't create endorsement cert\n") } fmt.Printf("Endorsement cert: %x\n", endorsementCert) ioutil.WriteFile(*endorsementCertFile, endorsementCert, 0644) fmt.Printf("Endorsement cert created") }