attest: Remove the EK field from AK struct #341

Merged
merged 1 commit into from
Jun 29, 2023
Merged
13 changes: 3 additions & 10 deletions attest/attest.go
Expand Up @@ -111,10 +111,6 @@ type ak interface {
// AK represents a key which can be used for attestation.
type AK struct {
ak ak

// The EK that will be used for attestation.
// If nil, an RSA EK with handle 0x81010001 will be used.
ek *EK
}

// Close unloads the AK from the system.
Expand All @@ -136,7 +132,7 @@ func (k *AK) Marshal() ([]byte, error) {
//
// This operation is synonymous with TPM2_ActivateCredential.
func (k *AK) ActivateCredential(tpm *TPM, in EncryptedCredential) (secret []byte, err error) {
return k.ak.activateCredential(tpm.tpm, in, k.ek)
return k.ak.activateCredential(tpm.tpm, in, nil)
}

// ActivateCredential decrypts the secret using the key to prove that the AK
Expand Down Expand Up @@ -180,12 +176,9 @@ func (k *AK) Certify(tpm *TPM, handle interface{}) (*CertificationParameters, er
return k.ak.certify(tpm.tpm, handle)
}

// AKConfig encapsulates parameters for minting keys.
// AKConfig encapsulates parameters for minting keys. This type is defined
// now (despite being empty) for future interface compatibility.
type AKConfig struct {
// The EK that will be used for attestation.
// If nil, an RSA EK with handle 0x81010001 will be used.
// If not nil, it must be one of EKs returned from TPM.EKs().
EK *EK
}

// EncryptedCredential represents encrypted parameters which must be activated
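Review bot: ActivateCredential in the second hunk now always passes `nil` as the EK, so the key that decrypts the credential is fixed by the implementation instead of chosen per AK, but the method's doc comment (which begins above the hunk) does not say so. The comment removed from the AK struct in the first hunk was the only text naming that default (an RSA EK at handle 0x81010001), and with it gone a verifier that must encrypt a credential to the right EK has no documented way to find out which one. Suggest extending the ActivateCredential doc comment with `// The credential is decrypted with the TPM's default EK; a per-AK EK can no longer be supplied (see TPM.EKs).`, with the exact wording confirmed against what activateCredential does for a nil EK, since the ak interface body lies outside the hunk. The same fact could be stated on the now-empty AKConfig in the third hunk, where callers previously selected the EK.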
6 changes: 1 addition & 5 deletions attest/wrapped_tpm20.go
Expand Up @@ -240,11 +240,7 @@ func (t *wrappedTPM20) newAK(opts *AKConfig) (*AK, error) {
if err != nil {
return nil, fmt.Errorf("CertifyCreation failed: %v", err)
}
var ek *EK
if opts != nil {
ek = opts.EK
}
return &AK{ak: newWrappedAK20(keyHandle, blob, pub, creationData, attestation, sig), ek: ek}, nil
return &AK{ak: newWrappedAK20(keyHandle, blob, pub, creationData, attestation, sig)}, nil
}

func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
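Review bot: After this hunk `opts` is no longer read anywhere in the visible part of newAK, since its only use (`opts.EK`) was removed and AKConfig is now an empty placeholder. If the parameter is also unused above the hunk, make that explicit so the next reader does not hunt for a missing nil-check, either as `func (t *wrappedTPM20) newAK(_ *AKConfig) (*AK, error) {` or with a one-line comment stating that opts is retained only for signature compatibility with AKConfig. newAK's signature and opening lines are outside the hunk.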