Generate a primary using the specified format described in ASN.1 Specification for TPM 2.0 Key Files where the template h-2 is described in pg 43 TCG EK Credential Profile
the priamry is formatted for use with openssl
## create the primary
salrashid123
salrashid123
/ tpm2_createprimary_h2.md
Created
May 31, 2024 22:16
tpm2 primarykey for (eg TCG EK Credential Profile H-2 profile
seal an external hmac key to a tpm with a PCR policy
export secret="change this password to a secret"
export plain="foo"
echo -n $secret > hmac.key
hexkey=$(xxd -p -c 256 < hmac.key)
echo $hexkey
echo -n $plain > data.in
openssl dgst -sha256 -mac hmac -macopt hexkey:$hexkey data.in
salrashid123
/ go-tpm-gokeyfile.md
Created
May 30, 2024 16:49
go-tpm-tools compatibility with go-tpm-keyfile and go-tpm
sample demonstrating cross-usage/compatiblity between
go-tpm go-tpm-keyfile go-tpm-tools
package main
EC permanent handle as parent:
https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html#section-3.1.8
// pg26: 7.5.1: https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
// pg 43: B.4.5 Template H-2: ECC NIST P256 (Storage) https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf
salrashid123
/ tpm-keyfile.md
Last active
May 23, 2024 16:18
TPM KeyFiles with go and openssl TSS2 PRIVATE KEY format
Verify TPM RSA Key file with openssl
The following generates a TPM key file using github.com/foxboron/go-tpm-keyfiles.
the asn.1 format described in https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
the code below will
salrashid123
/ iap_jwtaccesstoken.go
Last active
May 21, 2024 17:57
self-signed jwt access to google cloud iap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| self-signed jwt access to google cloud iap | |
| https://cloud.google.com/iap/docs/authentication-howto#authenticating_with_a_self-signed_jwt | |
| using google auth library | |
| and service account bound inside Trusted Platform Module | |
| */ | |
| package main |
salrashid123
/ duplicate_policyduplicationselect.md
Created
May 9, 2024 14:56
Prevent Chained duplication from TPM-A -> TPM-B -> TPM-C using tpm2_policyduplicationselect
This procedure will transfer an HMAC key created inside TPM-A to TPM-B but prevent TPM-B to transfer it to TPM-C.
Basically, and extension of As an end-to-end example, the following will transfer an RSA key generated on TPM-A to TPM-B but
using tpm2_policyduplicationselect tp prevent further duplication
Step 1 below will transfer a key from A->B, step 2 attempts B->C but is prevented duplication on B by policy
salrashid123
/ duplicate_policycommandcode.md
Created
May 9, 2024 14:40
Duplicate and Transfer an encoded key from TPM-A -> TPM-B -> TPM-C using tpm2_policycommandcode
This procedure will transfer an HMAC key created inside TPM-A to TPM-B and then to TPM-C using tpm2_policycommandcode
Basically, and extension of As an end-to-end example, the following will transfer an RSA key generated on TPM-A to TPM-B
To use this, you'll need three VMs.
salrashid123
/ tinkrsa.go
Created
April 17, 2024 00:17
tink-golang sign/verify and extract rsa.PublicKey
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "bytes" | |
| "crypto" | |
| "crypto/rsa" | |
| "crypto/sha256" | |
| "crypto/x509" | |
| "encoding/json" | |
| "encoding/pem" |
salrashid123
/ os-inventory.md
Created
April 2, 2024 13:41
Parsing GCP OSInventory packages from metadata server
parsing the os-inventory metadata server struct
if you have os-inventory enabled, you can get the values on the VM itself by running
curl -s -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/guestInventory/InstalledPackagesparse the values using
(you can ofcourse otherwise get the packages via api
NewerOlder