Documentation
Index
- func AIKChallengeResponse(context *tspi.Context, aikblob []byte, asymchallenge []byte, ...) (secret []byte, err error)
- func CreateAIK(context *tspi.Context) ([]byte, []byte, error)
- func GenerateChallenge(context *tspi.Context, ekcert []byte, aikpub []byte, secret []byte) (asymenc []byte, symenc []byte, err error)
- func GetEKCert(context *tspi.Context) (ekcert []byte, err error)
- func QuoteVerify(data []byte, validation []byte, aikpub []byte, pcrvalues [][]byte, ...) error
- func VerifyEKCert(ekcert []byte) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func AIKChallengeResponse
func AIKChallengeResponse(context *tspi.Context, aikblob []byte, asymchallenge []byte, symchallenge []byte) (secret []byte, err error)
AIKChallengeResponse takes the two outputs of GenerateChallenge along with the encrypted AIK key blob returned by CreateAIK. The TPM decrypts the asymmetric challenge with its EK to recover the AES key, then uses that AES key to decrypt the symmetrically encrypted data. It verifies that this data blob corresponds to the AIK it was given and, if so, hands back the secret contained within the symmetrically encrypted data. If the blob does not match the AIK, or the TPM does not hold the EK the challenge was encrypted to, no secret is returned and an error is reported.
func CreateAIK
func CreateAIK(context *tspi.Context) ([]byte, []byte, error)
CreateAIK asks the TPM to generate an Attestation Identity Key. It returns the unencrypted public half of the AIK (passed to GenerateChallenge and QuoteVerify), an encrypted blob containing both halves of the key (passed to AIKChallengeResponse), and any error.
func GenerateChallenge
func GenerateChallenge(context *tspi.Context, ekcert []byte, aikpub []byte, secret []byte) (asymenc []byte, symenc []byte, err error)
GenerateChallenge takes a TSPI context, a copy of the EK certificate, the public half of the AIK to be challenged and a secret. It symmetrically encrypts the secret with a randomly generated AES key and asymmetrically encrypts the AES key with the public half of the EK taken from the certificate. Both outputs are then provided to the TPM (via AIKChallengeResponse) to establish that the AIK is under the control of the TPM holding that EK: only that TPM can recover the AES key, and it will only release the secret for the matching AIK. It returns the asymmetrically and symmetrically encrypted data, along with any error.
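The challenge and response described for GenerateChallenge and AIKChallengeResponse, modelled here as an added example with standard-library crypto (RSA-OAEP and AES-GCM) rather than the package's own code: it does not reproduce the TPM 1.2 blob formats, and the EK keypair, AIK bytes and secret are constructed by the caller. The symmetric blob is bound to a digest of the AIK public key as associated data, so presenting a different AIK, or holding a different EK, fails to recover the secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// aead builds AES-GCM over key; callers pass the AIK digest as associated data.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MakeChallenge models GenerateChallenge: secret sealed under a fresh AES key bound to aikPub, AES key sealed to the EK.
func MakeChallenge(ekPub *rsa.PublicKey, aikPub, secret []byte) (asymenc, symenc []byte, err error) {
	buf := make([]byte, 28) // fresh 16-byte AES key || 12-byte GCM nonce (hypothetical layout)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:16], buf[16:]
	gcm, err := aead(key)
	if err != nil {
		return nil, nil, err
	}
	aik := sha256.Sum256(aikPub)
	symenc = gcm.Seal(nonce, nonce, secret, aik[:]) // nonce || ciphertext || tag
	asymenc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ekPub, key, nil)
	return asymenc, symenc, err
}

// AnswerChallenge models the TPM side of AIKChallengeResponse: only the EK holder presenting the same AIK recovers the secret.
func AnswerChallenge(ekPriv *rsa.PrivateKey, aikPub, asymenc, symenc []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, ekPriv, asymenc, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil || len(symenc) < 12 {
		return nil, errors.New("malformed challenge")
	}
	aik := sha256.Sum256(aikPub)
	return gcm.Open(nil, symenc[:12], symenc[12:], aik[:]) // an AIK mismatch fails the tag check
}
```

The verifier's final step is to compare the returned secret with the one it generated; a match shows the AIK belongs to the TPM holding that EK.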
func GetEKCert
func GetEKCert(context *tspi.Context) (ekcert []byte, err error)
GetEKCert reads the Endorsement Key certificate from the TPM's NVRAM and returns it, along with any error generated.
func QuoteVerify
func QuoteVerify(data []byte, validation []byte, aikpub []byte, pcrvalues [][]byte, secret []byte) error
QuoteVerify verifies that a quote was genuinely produced by the TPM. It takes the quote data, the quote validation blob, the public half of the AIK, the current PCR values and the nonce (secret) used in the original quote request. It then checks that the validation blob is a valid signature over the quote data under the AIK, that the nonce in the quote matches the one supplied (so a quote captured earlier cannot be replayed), and that the PCR values match those in the quote. It returns an error if any stage of the validation fails.
func VerifyEKCert
func VerifyEKCert(ekcert []byte) error
VerifyEKCert verifies that the provided EK certificate is signed by a trusted manufacturer, and returns an error if it is not.
Types
This section is empty.