
feat: tpm2.EvictControl #338

Merged
merged 1 commit into from
Jul 20, 2023
Merged


jclab-joseph
Contributor

@jclab-joseph jclab-joseph commented Jul 15, 2023

Fixes #335

Sample Code:

package main

import (
	"flag"
	"fmt"
	"github.com/google/go-tpm/tpm2"
	"github.com/google/go-tpm/tpm2/transport"
	"github.com/google/go-tpm/tpmutil/mssim"
	"log"
	"os"
)

var (
	// defaultKeyTemplate is the public area of the primary key the sample
	// creates and then persists: an ECC NIST P-256 key named with SHA-256,
	// with an ECDSA/SHA-256 signing scheme (SignEncrypt set, Decrypt clear).
	// Object attributes not listed keep their zero value (false), i.e.
	// STClear, Decrypt and X509Sign are cleared.
	defaultKeyTemplate = tpm2.TPMTPublic{
		Type:    tpm2.TPMAlgECC,
		NameAlg: tpm2.TPMAlgSHA256,
		ObjectAttributes: tpm2.TPMAObject{
			FixedTPM:            true,
			FixedParent:         true,
			SensitiveDataOrigin: true,
			UserWithAuth:        true,
			NoDA:                true,
			SignEncrypt:         true,
		},
		Parameters: tpm2.NewTPMUPublicParms(tpm2.TPMAlgECC, &tpm2.TPMSECCParms{
			Scheme: tpm2.TPMTECCScheme{
				Scheme: tpm2.TPMAlgECDSA,
				Details: tpm2.NewTPMUAsymScheme(tpm2.TPMAlgECDSA, &tpm2.TPMSSigSchemeECDSA{
					HashAlg: tpm2.TPMAlgSHA256,
				}),
			},
			CurveID: tpm2.TPMECCNistP256,
		}),
	}
)

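// firstPersistentHandle and lastPersistentHandle bound the range in which the
// sample looks for a free persistent slot (the TPM 2.0 persistent handle range).
const (
	firstPersistentHandle tpm2.TPMIDHObject = 0x81000000
	lastPersistentHandle  tpm2.TPMIDHObject = 0x81FFFFFF
)

// nextFreePersistentHandle picks the persistent handle the sample will use:
// one past the highest persistent handle the TPM currently reports, or the
// first handle of the range when none is in use.
//
// Only the first 64 handles of the range are enumerated (PropertyCount), as in
// the original sample; on a TPM holding more persistent objects than that the
// chosen handle could already be taken, which then surfaces as an error from
// EvictControl rather than as a silent success.
//
// Returns an error when GetCapability fails, when the handle list cannot be
// decoded, or when the range has no free handle above the highest one seen.
func nextFreePersistentHandle(t transport.TPM) (tpm2.TPMIDHObject, error) {
	resp, err := tpm2.GetCapability{
		Capability:    tpm2.TPMCapHandles,
		Property:      uint32(firstPersistentHandle),
		PropertyCount: 64,
	}.Execute(t)
	if err != nil {
		return 0, fmt.Errorf("GetCapability(handles): %w", err)
	}
	handles, err := resp.CapabilityData.Data.Handles()
	if err != nil {
		return 0, fmt.Errorf("decoding handle list: %w", err)
	}

	var highest tpm2.TPMIDHObject
	for _, h := range handles.Handle {
		if h > highest {
			highest = h
		}
	}
	switch {
	case highest == 0:
		// Nothing persisted yet: start at the bottom of the range.
		return firstPersistentHandle, nil
	case highest >= lastPersistentHandle:
		// The naive "highest + 1" would leave the persistent range.
		return 0, fmt.Errorf("no free persistent handle above 0x%08x", highest)
	default:
		return highest + 1, nil
	}
}

// main opens the TPM simulator, creates a primary ECC signing key under the
// owner hierarchy and persists it with EvictControl at a free persistent
// handle, printing that handle on success. Any failure after the simulator
// is open is fatal; the success line is only printed once the object has
// actually been persisted.
func main() {
	flag.Parse()

	conn, err := mssim.Open(mssim.Config{})
	if err != nil {
		fmt.Fprintf(os.Stderr, "Couldn't open mssim %s\n", err)
		return
	}
	defer conn.Close()

	// FromReadWriter does not return an error, so there is nothing to check
	// here; the stale err check the original sample had was dead code.
	tpmTransport := transport.FromReadWriter(conn)

	// Startup can fail when the simulator was already started; the rest of
	// the sample only needs a started TPM, so report the error and continue
	// instead of ignoring it silently.
	if _, err := (tpm2.Startup{}).Execute(tpmTransport); err != nil {
		log.Printf("Startup: %v (continuing)", err)
	}

	session, closer, err := tpm2.HMACSession(tpmTransport, tpm2.TPMAlgSHA256, 32)
	if err != nil {
		log.Fatalln("hmac session failed: ", err)
	}
	defer closer()

	persistentHandle, err := nextFreePersistentHandle(tpmTransport)
	if err != nil {
		log.Fatalln("choosing a persistent handle: ", err)
	}

	createResp, err := tpm2.CreatePrimary{
		PrimaryHandle: tpm2.AuthHandle{
			Handle: tpm2.TPMRHOwner,
			Auth:   session,
		},
		InPublic: tpm2.New2B(defaultKeyTemplate),
	}.Execute(tpmTransport)
	if err != nil {
		log.Fatalln("CreatePrimary failed: ", err)
	}

	evict := tpm2.EvictControl{
		Auth: tpm2.AuthHandle{
			Handle: tpm2.TPMRHOwner,
			Auth:   session,
		},
		ObjectHandle: &tpm2.NamedHandle{
			Handle: createResp.ObjectHandle,
			Name:   createResp.Name,
		},
		PersistentHandle: persistentHandle,
	}
	if _, err := evict.Execute(tpmTransport); err != nil {
		// Exit here so the success line below cannot be printed for a
		// handle that was never persisted.
		log.Fatalf("EvictControl failed: %v", err)
	}

	log.Printf("persistent handle: 0x%08x", persistentHandle)
}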

@jclab-joseph jclab-joseph requested review from alexmwu, jkl73 and a team as code owners July 15, 2023 07:56
@frezbo

frezbo commented Jul 16, 2023

Cool, I wanted to take a stab at this at some point. Nice work 👏

Member

@chrisfenner chrisfenner left a comment


This is excellent Joseph, thanks so much for the PR!

I have left two extremely minor comments to the actual code, other than that looks right.

Could you also please add a small unit test that uses simulator.OpenSimulator() (see the tests directory) that uses EvictControl to do something simple (like persist and then unpersist some object)?

tpm2/tpm2.go Outdated Show resolved Hide resolved
tpm2/tpm2.go Outdated Show resolved Hide resolved
@jclab-joseph jclab-joseph force-pushed the feat/evict-handle branch 2 times, most recently from 5c33211 to f3e992f Compare July 20, 2023 01:27
@jclab-joseph
Contributor Author

@chrisfenner Fixes and added test code!

@chrisfenner
Member

@jclab-joseph I see the lint CI check is failing because goimports -w would change some files. Would you mind running that and updating the PR?

Member

@chrisfenner chrisfenner left a comment


Looks right, will approve after goimports

tpm2/test/evict_control_test.go Outdated Show resolved Hide resolved
@chrisfenner chrisfenner merged commit e9722e4 into google:main Jul 20, 2023
4 checks passed
@chrisfenner
Member

thank you @jclab-joseph for this change!!

Successfully merging this pull request may close these issues.

EvictControl missing from new tpm2