rename tpmdirect to tpm2 and rename existing tpm2 as legacy/tpm2 (#304)

This change moves the existing tpm2 package out to legacy/tpm2 and renames the direct package as tpm2.

The KDFa and KDFe helpers from the legacy API (which are needed by the new API) are moved into the new API, with the legacy API calling into the new API for htem.

A small adapter layer is added at tpm2/adapter.go to provide the API that go-tpm-tools/simulator requires. In the future, we can remove it after go-tpm-tools/simulator has been updated to use the new API.

We may flatten the new tpm2 library's sub-libraries structures and commands together into tpm2 in a future change, perhaps as part of resolving #302.

examples/tpm-clear/clear.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2014, Google LLC All rights reserved.
 //

examples/tpm-genaik/genaik.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2014, Google LLC All rights reserved.
 //

examples/tpm-keys/tpm-keys.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2016, Kevin Walsh.  All rights reserved.
 //

examples/tpm-sign/common.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 package main
 

examples/tpm-sign/extend_pcr.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2018, Ian Haken. All rights reserved.
 //

examples/tpm-sign/generate.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2018, Ian Haken. All rights reserved.
 //

examples/tpm-sign/sign.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2018, Ian Haken. All rights reserved.
 //

examples/tpm-sign/tpm-sign.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2018, Ian Haken. All rights reserved.
 //

examples/tpm-sign/verify.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2018, Ian Haken. All rights reserved.
 //

examples/tpm-takeownership/own.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2014, Google LLC All rights reserved.
 //

examples/tpm2-ekcert/main.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Binary tpm2-ekcert reads an x509 certificate from a specific NVRAM index.
 package main
@@ -13,7 +13,7 @@ import (
 	"os"
 	"reflect"
 
-	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/legacy/tpm2"
 	"github.com/google/go-tpm/tpmutil"
 )
 

examples/tpm2-nvread/main.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Binary tpm2-nvread reads data from NVRAM at a specified index. The data is
 // printed out hex-encoded.
@@ -9,7 +9,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/legacy/tpm2"
 	"github.com/google/go-tpm/tpmutil"
 )
 

examples/tpm2-seal-unseal/main.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2018, Google LLC All rights reserved.
 //
@@ -23,7 +23,7 @@ import (
 	"io"
 	"os"
 
-	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/legacy/tpm2"
 	"github.com/google/go-tpm/tpmutil"
 )
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/google/go-tpm
 
-go 1.17
+go 1.18
 
 require (
 	github.com/google/go-cmp v0.5.0

tpm2/credactivation/credential_activation.go → legacy/tpm2/credactivation/credential_activation.go

@@ -27,7 +27,8 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/legacy/tpm2"
+	"github.com/google/go-tpm/tpm2/helpers"
 	"github.com/google/go-tpm/tpmutil"
 )
 
@@ -91,7 +92,7 @@ func generateRSA(aik *tpm2.HashValue, pub *rsa.PublicKey, symBlockSize int, secr
 	if err != nil {
 		return nil, nil, fmt.Errorf("generating symmetric key: %v", err)
 	}
-	symmetricKey := tpm2.KDFaHash(h, seed, labelStorage, aikNameEncoded, nil, len(seed)*8)
+	symmetricKey := helpers.KDFaHash(h, seed, labelStorage, aikNameEncoded, nil, len(seed)*8)
 	c, err := aes.NewCipher(symmetricKey)
 	if err != nil {
 		return nil, nil, fmt.Errorf("symmetric cipher setup: %v", err)
@@ -108,7 +109,7 @@ func generateRSA(aik *tpm2.HashValue, pub *rsa.PublicKey, symBlockSize int, secr
 	// Generate the integrity HMAC, which is used to protect the integrity of the
 	// encrypted structure.
 	// See section 24.5 of the TPM specification revision 2 part 1.
-	macKey := tpm2.KDFaHash(h, seed, labelIntegrity, nil, nil, crypothash.Size()*8)
+	macKey := helpers.KDFaHash(h, seed, labelIntegrity, nil, nil, crypothash.Size()*8)
 
 	mac := hmac.New(crypothash.New, macKey)
 	mac.Write(encIdentity)

tpm2/credactivation/credential_activation_test.go → legacy/tpm2/credactivation/credential_activation_test.go

@@ -22,7 +22,7 @@ import (
 	insecureRand "math/rand"
 	"testing"
 
-	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/legacy/tpm2"
 )
 
 func mustDecodeBase64(in string, t *testing.T) []byte {

legacy/tpm2/kdf.go

@@ -0,0 +1,50 @@
+// Copyright (c) 2018, Google LLC All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tpm2
+
+import (
+	"github.com/google/go-tpm/tpm2/helpers"
+)
+
+// KDFa implements TPM 2.0's default key derivation function, as defined in
+// section 11.4.9.2 of the TPM revision 2 specification part 1.
+// See: https://trustedcomputinggroup.org/resource/tpm-library-specification/
+// The key & label parameters must not be zero length.
+// The label parameter is a non-null-terminated string.
+// The contextU & contextV parameters are optional.
+// Deprecated: Use KDFaHash.
+func KDFa(hashAlg Algorithm, key []byte, label string, contextU, contextV []byte, bits int) ([]byte, error) {
+	h, err := hashAlg.Hash()
+	if err != nil {
+		return nil, err
+	}
+	return helpers.KDFaHash(h, key, label, contextU, contextV, bits), nil
+}
+
+// KDFe implements TPM 2.0's ECDH key derivation function, as defined in
+// section 11.4.9.3 of the TPM revision 2 specification part 1.
+// See: https://trustedcomputinggroup.org/resource/tpm-library-specification/
+// The z parameter is the x coordinate of one party's private ECC key multiplied
+// by the other party's public ECC point.
+// The use parameter is a non-null-terminated string.
+// The partyUInfo and partyVInfo are the x coordinates of the initiator's and
+// Deprecated: Use KDFeHash.
+func KDFe(hashAlg Algorithm, z []byte, use string, partyUInfo, partyVInfo []byte, bits int) ([]byte, error) {
+	h, err := hashAlg.Hash()
+	if err != nil {
+		return nil, err
+	}
+	return helpers.KDFeHash(h, z, use, partyUInfo, partyVInfo, bits), nil
+}

tpm2/open_other.go → legacy/tpm2/open_other.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2019, Google LLC All rights reserved.
 //

tpm2/open_windows.go → legacy/tpm2/open_windows.go

@@ -1,3 +1,5 @@
+//go:build windows
+
 // Copyright (c) 2018, Google LLC All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

tpm2/test/benchmark_test.go → legacy/tpm2/test/benchmark_test.go

@@ -18,7 +18,7 @@ import (
 	"crypto/sha256"
 	"testing"
 
-	. "github.com/google/go-tpm/tpm2"
+	. "github.com/google/go-tpm/legacy/tpm2"
 )
 
 func BenchmarkRSA2048Signing(b *testing.B) {

tpm2/test/kdf_test.go → legacy/tpm2/test/kdf_test.go

@@ -18,7 +18,7 @@ import (
 	"bytes"
 	"testing"
 
-	. "github.com/google/go-tpm/tpm2"
+	. "github.com/google/go-tpm/legacy/tpm2"
 )
 
 func TestKDFa(t *testing.T) {

tpm2/test/tpm2_other_test.go → legacy/tpm2/test/tpm2_other_test.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2018, Google LLC All rights reserved.
 //
@@ -21,7 +21,7 @@ import (
 	"io"
 	"testing"
 
-	. "github.com/google/go-tpm/tpm2"
+	. "github.com/google/go-tpm/legacy/tpm2"
 )
 
 var tpmPath = flag.String("tpm-path", "", "Path to TPM character device. Most Linux systems expose it under /dev/tpm0. Empty value (default) will disable all integration tests.")

tpm2/test/tpm2_test.go → legacy/tpm2/test/tpm2_test.go

@@ -35,7 +35,7 @@ import (
 	"testing"
 
 	"github.com/google/go-tpm-tools/simulator"
-	. "github.com/google/go-tpm/tpm2"
+	. "github.com/google/go-tpm/legacy/tpm2"
 	"github.com/google/go-tpm/tpmutil"
 )
 

tpm2/test/tpm2_windows_test.go → legacy/tpm2/test/tpm2_windows_test.go

@@ -19,7 +19,7 @@ import (
 	"io"
 	"testing"
 
-	. "github.com/google/go-tpm/tpm2"
+	. "github.com/google/go-tpm/legacy/tpm2"
 )
 
 var runTPMTests = flag.Bool("use-tbs", false, "Run integration tests against Windows TPM Base Services (TBS). Defaults to false.")

tpm/open_other.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2019, Google LLC All rights reserved.
 //

tpm/tpm_other_test.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 // Copyright (c) 2014, Google LLC All rights reserved.
 //

tpm2/adapter.go

@@ -0,0 +1,22 @@
+// Package tpm2 implements an adapter layer expected by github.com/google/go-tpm-tools/simulator
+// TODO: after release, we can update simulator to use the new API
+package tpm2
+
+import (
+	"io"
+
+	"github.com/google/go-tpm/legacy/tpm2"
+)
+
+// StartupClear tells the TPM to perform a Reset and not a Restart.
+var StartupClear = tpm2.StartupClear
+
+// Startup initializes the TPM.
+func Startup(rw io.ReadWriter, typ tpm2.StartupType) error {
+	return tpm2.Startup(rw, typ)
+}
+
+// Shutdown prepares the TPM for a power loss.
+func Shutdown(rw io.ReadWriter, typ tpm2.StartupType) error {
+	return tpm2.Shutdown(rw, typ)
+}

direct/tpm2/audit.go → tpm2/commands/audit.go

@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/google/go-tpm/direct/structures/tpm"
-	"github.com/google/go-tpm/direct/structures/tpmi"
+	"github.com/google/go-tpm/tpm2/structures/tpm"
+	"github.com/google/go-tpm/tpm2/structures/tpmi"
 )
 
 // CommandAudit represents an audit session for attesting the execution of a

direct/tpm2/audit_test.go → tpm2/commands/audit_test.go

@@ -4,13 +4,13 @@ import (
 	"bytes"
 	"testing"
 
-	"github.com/google/go-tpm/direct/structures/tpm"
-	"github.com/google/go-tpm/direct/structures/tpm2b"
-	"github.com/google/go-tpm/direct/structures/tpma"
-	"github.com/google/go-tpm/direct/structures/tpms"
-	"github.com/google/go-tpm/direct/structures/tpmt"
-	"github.com/google/go-tpm/direct/structures/tpmu"
-	"github.com/google/go-tpm/direct/transport/simulator"
+	"github.com/google/go-tpm/tpm2/structures/tpm"
+	"github.com/google/go-tpm/tpm2/structures/tpm2b"
+	"github.com/google/go-tpm/tpm2/structures/tpma"
+	"github.com/google/go-tpm/tpm2/structures/tpms"
+	"github.com/google/go-tpm/tpm2/structures/tpmt"
+	"github.com/google/go-tpm/tpm2/structures/tpmu"
+	"github.com/google/go-tpm/tpm2/transport/simulator"
 )
 
 func TestAuditSession(t *testing.T) {

direct/tpm2/certify_test.go → tpm2/commands/certify_test.go

@@ -8,15 +8,15 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-tpm/direct/helpers"
-	"github.com/google/go-tpm/direct/structures/tpm"
-	"github.com/google/go-tpm/direct/structures/tpm2b"
-	"github.com/google/go-tpm/direct/structures/tpma"
-	"github.com/google/go-tpm/direct/structures/tpml"
-	"github.com/google/go-tpm/direct/structures/tpms"
-	"github.com/google/go-tpm/direct/structures/tpmt"
-	"github.com/google/go-tpm/direct/structures/tpmu"
-	"github.com/google/go-tpm/direct/transport/simulator"
+	"github.com/google/go-tpm/tpm2/helpers"
+	"github.com/google/go-tpm/tpm2/structures/tpm"
+	"github.com/google/go-tpm/tpm2/structures/tpm2b"
+	"github.com/google/go-tpm/tpm2/structures/tpma"
+	"github.com/google/go-tpm/tpm2/structures/tpml"
+	"github.com/google/go-tpm/tpm2/structures/tpms"
+	"github.com/google/go-tpm/tpm2/structures/tpmt"
+	"github.com/google/go-tpm/tpm2/structures/tpmu"
+	"github.com/google/go-tpm/tpm2/transport/simulator"
 )
 
 func TestCertify(t *testing.T) {
@@ -150,7 +150,7 @@ func TestCertify(t *testing.T) {
 	pub := rspSigner.OutPublic.PublicArea
 	rsaPub, err := helpers.RSAPub(pub.Parameters.RSADetail, pub.Unique.RSA)
 	if err != nil {
-		t.Fatalf("Failed to retrive Public Key: %v", err)
+		t.Fatalf("Failed to retrieve Public Key: %v", err)
 	}
 
 	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, attestHash[:], rspCert.Signature.Signature.RSASSA.Sig.Buffer); err != nil {
@@ -268,7 +268,7 @@ func TestCreateAndCertifyCreation(t *testing.T) {
 	pub := rspCP.OutPublic.PublicArea
 	rsaPub, err := helpers.RSAPub(pub.Parameters.RSADetail, pub.Unique.RSA)
 	if err != nil {
-		t.Fatalf("Failed to retrive Public Key: %v", err)
+		t.Fatalf("Failed to retrieve Public Key: %v", err)
 	}
 
 	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, attestHash[:], rspCC.Signature.Signature.RSASSA.Sig.Buffer); err != nil {

direct/tpm2/combined_context_test.go → tpm2/commands/combined_context_test.go

@@ -4,15 +4,15 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-tpm/direct/structures/tpm"
-	"github.com/google/go-tpm/direct/structures/tpm2b"
-	"github.com/google/go-tpm/direct/structures/tpma"
-	"github.com/google/go-tpm/direct/structures/tpml"
-	"github.com/google/go-tpm/direct/structures/tpms"
-	"github.com/google/go-tpm/direct/structures/tpmt"
-	"github.com/google/go-tpm/direct/structures/tpmu"
-	"github.com/google/go-tpm/direct/transport"
-	"github.com/google/go-tpm/direct/transport/simulator"
+	"github.com/google/go-tpm/tpm2/structures/tpm"
+	"github.com/google/go-tpm/tpm2/structures/tpm2b"
+	"github.com/google/go-tpm/tpm2/structures/tpma"
+	"github.com/google/go-tpm/tpm2/structures/tpml"
+	"github.com/google/go-tpm/tpm2/structures/tpms"
+	"github.com/google/go-tpm/tpm2/structures/tpmt"
+	"github.com/google/go-tpm/tpm2/structures/tpmu"
+	"github.com/google/go-tpm/tpm2/transport"
+	"github.com/google/go-tpm/tpm2/transport/simulator"
 )
 
 func ReadPublicName(t *testing.T, handle tpm.Handle, thetpm transport.TPM) tpm2b.Name {