Generate a primary key using the format described in the ASN.1 Specification for TPM 2.0 Key Files, where the template H-2 is described on pg 43 of the TCG EK Credential Profile.
The primary is formatted for use with openssl.
## create the primary
Seal an external HMAC key to a TPM with a PCR policy.

First, create the HMAC key and compute a reference HMAC over the sample data with openssl (the TPM-side result can then be compared against it):

```bash
export secret="change this password to a secret"
export plain="foo"
# write the raw key bytes (no trailing newline) and hex-encode them for openssl
echo -n "$secret" > hmac.key
hexkey=$(xxd -p -c 256 < hmac.key)
echo "$hexkey"
# sample data to authenticate
echo -n "$plain" > data.in
# HMAC-SHA256 over data.in using the external key
openssl dgst -sha256 -mac hmac -macopt "hexkey:$hexkey" data.in
```
Sample demonstrating cross-usage/compatibility between
go-tpm, go-tpm-keyfile and go-tpm-tools.
package main
EC permanent handle as parent:
https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html#section-3.1.8
// pg26: 7.5.1: https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
// pg 43: B.4.5 Template H-2: ECC NIST P256 (Storage) https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf
Verify a TPM RSA key file with openssl.
The following generates a TPM key file using github.com/foxboron/go-tpm-keyfiles in
the ASN.1 format described in https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
the code below will
```go
/*
self-signed jwt access to google cloud iap
https://cloud.google.com/iap/docs/authentication-howto#authenticating_with_a_self-signed_jwt
using google auth library
and service account bound inside Trusted Platform Module
*/
package main
```
This procedure will transfer an HMAC key created inside TPM-A to TPM-B but prevent TPM-B from transferring it to TPM-C.
Basically, it is an extension of the end-to-end example in which an RSA key generated on TPM-A is transferred to TPM-B, but
it uses tpm2_policyduplicationselect
to prevent further duplication.
Step 1 below transfers a key from A->B; step 2 attempts B->C but duplication on B is prevented by the policy.
This procedure will transfer an HMAC key created inside TPM-A
to TPM-B
and then to TPM-C
using tpm2_policycommandcode.
Basically, it is an extension of the end-to-end example in which an RSA key generated on TPM-A is transferred to TPM-B.
To use this, you'll need three VMs.
```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
```
Parsing the os-inventory metadata server struct.
If you have os-inventory enabled, you can get the values on the VM itself by running

```bash
curl -s -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/guestInventory/InstalledPackages
```

Parse the values using
(you can of course otherwise get the packages via the API