// GetEKCert reads the Endorsement Key certificate from the TPM's NVRAM and // returns it, along with any error generated. func GetEKCert(context *tspi.Context) (ekcert []byte, err error) { var wellKnown [20]byte tpm := context.GetTPM() nv, err := context.CreateNV() if err != nil { return nil, err } policy, err := tpm.GetPolicy(tspi.TSS_POLICY_USAGE) if err != nil { return nil, err } policy.SetSecret(tspi.TSS_SECRET_MODE_SHA1, wellKnown[:]) nv.SetIndex(0x1000f000) nv.AssignPolicy(policy) data, err := nv.ReadValue(0, 5) if err != nil { return nil, err } tag := (uint)((uint)(data[0])<<8 | (uint)(data[1])) if tag != 0x1001 { return nil, fmt.Errorf("Invalid tag: %x", tag) } if data[2] != 0 { return nil, fmt.Errorf("Invalid certificate") } ekbuflen := (uint)(uint(data[3])<<8 | (uint)(data[4])) offset := (uint)(5) data, err = nv.ReadValue(offset, 2) tag = (uint)((uint)(data[0])<<8 | (uint)(data[1])) if tag == 0x1002 { offset += 2 ekbuflen -= 2 } else if data[0] != 0x30 { return nil, fmt.Errorf("Invalid header: %x\n", tag) } ekoffset := (uint)(0) var ekbuf []byte for ekoffset < ekbuflen { length := (uint)(ekbuflen - ekoffset) if length > 128 { length = 128 } data, err = nv.ReadValue(offset, length) if err != nil { return nil, err } ekbuf = append(ekbuf, data...) offset += length ekoffset += length } return ekbuf, nil }