tpm2: Implement TPM2_Import #341
Conversation
pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("something")
}
b, err := x509.MarshalECPrivateKey(pk)
if err != nil {
t.Fatalf("failed DER encoding")
}
tpmdata := TPM2BPrivate{
Buffer: b,
}
m := Marshal(tpmdata)This might cause a problem, because TPMs don't deal in DER-encoded data. Instead, you probably want to create a |
|
TPM2_Import might be the hardest possible command to build a test for. So once you've cracked this, you should feel prepared to deal with anything. 😎 |
I might have been tricked by the
I'm glad to see I involuntarily stumbled into the worst of them 🙃 |
|
Actually, with the links I was able to figure out how to pass the I forgot filling out If the outline for the test looks sane'ish I'll clean up this PR to undraft it. Thanks for the help :) package tpm2test
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"testing"
. "github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpm2/transport/simulator"
)
func TestImport(t *testing.T) {
thetpm, err := simulator.OpenSimulator()
if err != nil {
t.Fatalf("could not connect to TPM simulator: %v", err)
}
defer thetpm.Close()
srkCreate := CreatePrimary{
PrimaryHandle: TPMRHOwner,
InPublic: New2B(ECCSRKTemplate),
}
srkCreateRsp, err := srkCreate.Execute(thetpm)
if err != nil {
t.Fatalf("could not generate SRK: %v", err)
}
defer func() {
flush := FlushContext{
FlushHandle: srkCreateRsp.ObjectHandle,
}
_, err := flush.Execute(thetpm)
if err != nil {
t.Fatalf("could not flush SRK: %v", err)
}
}()
pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("something")
}
sens2B := New2B(TPMTSensitive{
SensitiveType: TPMAlgECC,
Sensitive: NewTPMUSensitiveComposite(
TPMAlgECC,
&TPM2BECCParameter{Buffer: pk.D.FillBytes(make([]byte, 32))},
),
})
l := Marshal(TPM2BPrivate{Buffer: sens2B.Bytes()})
_, err = Import{
ParentHandle: &AuthHandle{
Handle: srkCreateRsp.ObjectHandle,
Name: srkCreateRsp.Name,
Auth: PasswordAuth(nil),
},
Duplicate: TPM2BPrivate{Buffer: l},
ObjectPublic: New2B(TPMTPublic{
Type: TPMAlgECC,
NameAlg: TPMAlgSHA256,
ObjectAttributes: TPMAObject{
SignEncrypt: true,
SensitiveDataOrigin: false,
EncryptedDuplication: false,
},
Parameters: NewTPMUPublicParms(
TPMAlgECC,
&TPMSECCParms{
CurveID: TPMECCNistP256,
Scheme: TPMTECCScheme{
Scheme: TPMAlgECDSA,
Details: NewTPMUAsymScheme(
TPMAlgECDSA,
&TPMSSigSchemeECDSA{
HashAlg: TPMAlgSHA256,
},
),
},
},
),
Unique: NewTPMUPublicID(
TPMAlgECC,
&TPMSECCPoint{
X: TPM2BECCParameter{
Buffer: pk.X.FillBytes(make([]byte, 32)),
},
Y: TPM2BECCParameter{
Buffer: pk.Y.FillBytes(make([]byte, 32)),
},
},
),
}),
}.Execute(thetpm)
if err != nil {
t.Fatalf("could not import: %v", err)
}
} |
|
Feel free to test only based on unencrypted import; I have a hard time seeing a bug you could introduce here that would succeed for unencrypted import but fail for encrypted. |
|
If your current plan for testing looks like the draft above (minus the DERification), seems totally reasonable! |
Signed-off-by: Morten Linderud <morten@linderud.pw>
Foxboron
force-pushed
the
morten/tpm_import
branch
from
0c543b8 to
549802b
Compare
|
I've implemented a feature using this into |
|
Thank you @Foxboron !! |
This is an attempt from me to try and implement
TPM2_Import, but I suspect I picked a non-obvious thing to implement.Useage I have is to take a pre-existing EC key and import it into the TPM. But I suspect there is a bunch of wrapping with the
duplicateargument I just don't understand. Thelegacy/tpm2implementation seemed to just do things with thePrivatestruct, but transferring that to thetpmdirectAPI is very non-obvious.The outline for the test I have been trying to write for the implementation>
Any help our guidance would be appreicated.