Update Windows application key support #343

Open. Wants to merge 7 commits into base: master.
Conversation

hslatman (Contributor) commented Jul 17, 2023

Catching up to the earlier work on #274 and #317. This is the first of several PRs to get back to the state of #317, but in more manageable chunks.

There's been a bit of activity in terms of (new) function signatures in this repository lately. This PR takes @mjg59's changes and additions for Windows application key support and I applied the required changes to make it compile with the new function signatures.

@ericchiang you asked about the tests on Windows: #317 (comment). It's currently only a go build; nothing seems to be actually tested outside of the code compiling successfully. I might give that a stab in the upcoming PRs.

P.S.: I added the -f to the macOS CI to get around an issue with the linked library already existing: https://github.com/hslatman/go-attestation/actions/runs/5575815478/jobs/10186236329#step:5:8. I'm not sure why that resulted in an error in that run and did not before, outside of a slightly new image being used, but I think the override is OK. This was fixed in #350.

cc @brandonweeks

mjg59 and others added 7 commits May 25, 2023 14:15

There's currently no support for creating application keys on Windows systems. This patch transitions the Windows key type to specifically refer to attestation keys, and reuses the existing wrapped key support for application keys. This allows the creation of keys in the platform store, while still allowing said keys to be manipulated with existing TPM functionality rather than duplicating it.

When generating a new key using a Windows TPM, a `wrappedKey20` was
returned, which couldn't be used for signing on Windows, as it's
backed by a `windowsTPM`. The `wrappedKey20` seems to be a type
specifically aimed at usage with a `wrappedTPM20`, which in turn
seems to be used on Linux and for testing, but not when instantiating
a TPM on Windows.

This commit adds the `newWindowsKey20` function, which returns
a key backed by a `windowsTPM`. The key is a `windowsAK20`,
now also conforming to the `key` interface, so that it can be used
for signing purposes.

My system is returning RCScheme if TPM_ALG_NULL is passed here. This should
be causing the key's default scheme to be used, but for some reason it
seems unhappy. Just explicitly set the scheme for now to avoid that.

Conflicts:
	attest/key_windows.go
	attest/tpm_windows.go

Fixed by combining the new function names with the new
function arguments. Also had to fix a couple non-implemented
functions on structs after they had been renamed for the
Windows application key support.
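As an added example, not code from this PR or from go-attestation: a stand-alone Go model of the flow the commits above describe, an attestation key certifying an application key held by the same backend, and that application key then signing. `softTPM`, `softKey`, `certify`, `verifyCertification` and `demo` are illustrative stand-ins (hypothetical names, standard library only); a real TPM never releases the private half and the certification step is TPM2_Certify over the key's public area, not an RSA signature over DER. The "wrong backend" check in `certify` is the closest software analogue of the mismatch the second commit describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// softTPM is a software stand-in for a TPM backend (windowsTPM or wrappedTPM20
// in the PR); a key is only usable by the backend that created it. Every name
// here is illustrative, none of it is go-attestation's own code.
type softTPM struct{ name string } // a field, so two backends never compare equal

// softKey plays the role of the signing handle: private half stays with the backend.
type softKey struct {
	tpm  *softTPM
	priv *rsa.PrivateKey // a real TPM never releases this
}

func (k *softKey) Public() crypto.PublicKey { return &k.priv.PublicKey }

// Sign pins the scheme (RSASSA PKCS#1 v1.5 with SHA-256) instead of relying on
// a key default, mirroring the commit that avoids passing TPM_ALG_NULL.
func (k *softKey) Sign(digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, k.priv, crypto.SHA256, digest)
}

func (t *softTPM) mustKey() *softKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // crypto/rand failure; nothing sensible to do in a demo
	}
	return &softKey{tpm: t, priv: priv}
}

// certification is what a relying party receives: the application key's public
// area plus the AK's signature over it (a simplified TPM2_Certify result).
type certification struct {
	AppPublicDER []byte
	AKSignature  []byte
}

var errWrongTPM = errors.New("key is not resident in this TPM")

// certify has the AK vouch for the application key. Both must belong to this
// backend; a key backed by a different TPM object cannot be used here.
func (t *softTPM) certify(ak, app *softKey) (*certification, error) {
	if ak.tpm != t || app.tpm != t {
		return nil, errWrongTPM
	}
	der, err := x509.MarshalPKIXPublicKey(app.Public())
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(der)
	sig, err := ak.Sign(d[:])
	if err != nil {
		return nil, err
	}
	return &certification{AppPublicDER: der, AKSignature: sig}, nil
}

// verifyCertification is the relying-party side: with a trusted AK public key,
// confirm the AK signed this application key and return the application key.
func verifyCertification(akPub crypto.PublicKey, c *certification) (crypto.PublicKey, error) {
	rsaPub, ok := akPub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("AK public key is not RSA")
	}
	d := sha256.Sum256(c.AppPublicDER)
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, d[:], c.AKSignature); err != nil {
		return nil, fmt.Errorf("certification check failed: %w", err)
	}
	return x509.ParsePKIXPublicKey(c.AppPublicDER)
}

// demo runs the whole flow on one backend: create an AK and an application key,
// certify the latter, sign a constructed message with it, verify both steps.
func demo() error {
	tpm := &softTPM{name: "platform"}
	ak, app := tpm.mustKey(), tpm.mustKey()
	cert, err := tpm.certify(ak, app)
	if err != nil {
		return err
	}
	appPub, err := verifyCertification(ak.Public(), cert)
	if err != nil {
		return err
	}
	d := sha256.Sum256([]byte("constructed sample message")) // constructed input
	sig, err := app.Sign(d[:])
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(appPub.(*rsa.PublicKey), crypto.SHA256, d[:], sig)
}

func main() { fmt.Println("end-to-end error:", demo()) }
```

The relying party only ever trusts the AK's public key (in practice, via the AK's own certification by the TPM's endorsement key); everything about the application key is derived from what the AK signed, which is why a key object that is not resident in the same TPM as the AK cannot be certified or used for signing.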