tpmdevice

package
v0.1.6

This package is not in the latest version of its module.
Published: Mar 29, 2026 License: AGPL-3.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Device

type Device interface {
	// EKCertDER returns the DER-encoded EK certificate from TPM NVRAM.
	// Returns (nil, nil) when the TPM has no EK certificate provisioned
	// (e.g. VirtualBox vTPM). Callers should fall back to EKPublicDER().
	EKCertDER() ([]byte, error)

	// EKPublicDER returns the PKIX DER-encoded EK public key.
	// Always available regardless of whether the TPM has an EK certificate.
	EKPublicDER() ([]byte, error)

	// AKPublic returns the raw TPMT_PUBLIC bytes from CreateKey.
	// Server's ParseAKPublic calls tpm2legacy.DecodePublic() which expects this format.
	AKPublic() ([]byte, error)

	// ActivateCredential decrypts the server's credential challenge.
	// Input: raw wire bytes (uint16(credBlobLen) || credBlob || encSecret)
	// Output: decrypted 32-byte secret
	ActivateCredential(encCredential []byte) ([]byte, error)

	// Quote generates a TPM quote signed by the AK.
	// nonce is passed directly to the TPM as qualifyingData — callers must
	// decode any transport encoding (hex, base64) before calling.
	// Max 32 bytes to fit TPM2B_DATA on SHA-256-only TPMs.
	// Returns base64-encoded wire format: uint32(quoteLen) || TPMS_ATTEST || TPMT_SIGNATURE
	Quote(nonce []byte) (string, error)

	// QuoteOverData generates a TPM quote using sha256(data) as the nonce.
	// Used for voucher signing where the "nonce" is a deterministic hash of the payload.
	QuoteOverData(data []byte) (string, error)

	// Close releases TPM handles (EK, AK) and closes the connection.
	Close() error
}

Device abstracts TPM operations needed for attestation. Callers manage the TPM lifecycle externally; Device only holds the connection.
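As an added example (not code from the tpmdevice package), the client-side handling of two contracts stated in the Device interface above: the (nil, nil) result from EKCertDER that must fall back to EKPublicDER, and the 32-byte nonce limit plus the uint32(quoteLen) || TPMS_ATTEST || TPMT_SIGNATURE layout of a Quote result. It redeclares only the subset of Device it uses, since the page does not give the module's import path, and assumes the length prefix is big-endian (the page does not state the byte order).

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
)

// Subset of the page's Device interface, redeclared so this compiles without
// the real module (the page gives no import path).
type Device interface {
	EKCertDER() ([]byte, error)
	EKPublicDER() ([]byte, error)
	Quote(nonce []byte) (string, error)
}

// EKIdentity applies the documented fallback: EKCertDER returns (nil, nil) when
// no EK certificate is provisioned, so the bare PKIX EK public key is used.
// isCert tells the verifier-facing code which of the two it received.
func EKIdentity(d Device) (der []byte, isCert bool, err error) {
	if der, err = d.EKCertDER(); err != nil || len(der) > 0 {
		return der, len(der) > 0, err
	}
	der, err = d.EKPublicDER()
	return der, false, err
}

// QuoteWithNonce enforces the 32-byte qualifyingData limit before the TPM call,
// then splits Quote's base64 output, uint32(quoteLen) || TPMS_ATTEST ||
// TPMT_SIGNATURE (length assumed big-endian), into attest and sig.
func QuoteWithNonce(d Device, nonce []byte) (attest, sig []byte, err error) {
	if len(nonce) > 32 {
		return nil, nil, errors.New("nonce exceeds 32 bytes (TPM2B_DATA limit)")
	}
	b64, err := d.Quote(nonce)
	if err != nil {
		return nil, nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 4 {
		return nil, nil, errors.New("malformed quote: bad base64 or no length prefix")
	}
	if n := uint64(binary.BigEndian.Uint32(raw)); n <= uint64(len(raw)-4) {
		return raw[4 : 4+n], raw[4+n:], nil
	}
	return nil, nil, errors.New("quoteLen exceeds payload")
}
```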

func Open

func Open(_ context.Context, addr string, opts ...OpenOption) (Device, error)

Open connects to a TPM at the given address and initializes EK + AK. addr is a Unix domain socket path (e.g. "/tmp/swtpm.sock" or "/dev/tpmrm0"). For swtpm, use the Unix socket path returned by Process.Addr().

type OpenOption

type OpenOption func(*device)

OpenOption configures how a Device is opened.

func WithStateDir

func WithStateDir(dir string) OpenOption

WithStateDir enables AK persistence. When set, Open() will load AK blobs from stateDir if they exist, or save newly-created AK blobs there. Files written: ak_pub (TPMT_PUBLIC), ak_priv (TPM2B_PRIVATE).
