@salrashid123
Last active April 1, 2024 15:02
Importing ServiceAccount Credentials to TPMs

Sample procedure to encrypt a GCP service account RSA key so that it is loadable on specific TPMs.

This procedure saves the key reference to the TPM's non-volatile memory, so it persists through power cycles.

However, there is a limited number of NV slots available (7 per TPM, I think).

Long term, the plan is to allow full persistence via go-tpm-tools ("Allow persistence client.Key()") and move away from NVRAM slots.

Also see

Laptop

For each TPM, get the EK certificate (ekCert) and extract the public key, or just get the ekPub directly:

# if using GCE
gcloud compute instances get-shielded-identity instance-2 --format="value(encryptionKey.ekPub)"

# if you have the ekcert
openssl x509 -pubkey -noout -in ekcert.pem  >  ekpub.pem

Or, if you are on the machine with the target TPM, you can get the EK public key using tpm2_tools:

# if using tpm2_tools
tpm2_createek -c primary.ctx -G rsa -u ek.pub -Q
tpm2_readpublic -c primary.ctx -o primary.pub
tpm2_readpublic -c primary.ctx -o ekpub.pem -f PEM -Q

# if using go-tpm-tools, it's
### https://github.com/salrashid123/tpm2/blob/master/gcp_ek_ak/main.go#L94-L111

Create a service account and download a key; note the key ID:

gcloud iam service-accounts keys list --iam-account=tpm-sa@core-eso.iam.gserviceaccount.com
    KEY_ID                                    CREATED_AT            EXPIRES_AT            DISABLED
    71b831d149e4667809644840cda2e7e0080035d5  2023-08-24T19:57:32Z  9999-12-31T23:59:59Z  <<<<<<<<<<<<<<<<<<<<<<<<

Note the service account key must be formatted as an RSA PRIVATE KEY (the traditional PKCS#1 PEM encoding); this is just because the implementation I have...

$ cat /tmp/key_rsa.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA6ila7sGempkwfThV8DqjZJe2WsYdIw9QF25w/br55NM9fLRj

e.g.

cat svc_account.json | jq -r '.private_key_id'
71b831d149e4667809644840cda2e7e0080035d5

cat svc_account.json | jq -r '.private_key' > f.key
openssl rsa -out /tmp/key_rsa.pem -traditional -in f.key 

Seal

$ git clone https://github.com/salrashid123/gcp_tpm_sealed_keys
$ go run asymmetric/seal/main.go   \
     --rsaKeyFile=/tmp/key_rsa.pem  \
     --sealedOutput=sealed.dat  \
     --ekPubFile=/tmp/ek.pem \
      --v=10 -alsologtostderr

Then copy sealed.dat to the VM (e.g. with scp).

On the VM:

$ git clone https://github.com/salrashid123/gcp_tpm_sealed_keys


$ go run asymmetric/import/main.go \
     --importSigningKeyFile=/tmp/sealed.dat \
     --persistentHandle=0x81008001 \
     --bindPCRValue=23 \
     --flush=all \
     --v=2 -alsologtostderr \
     --evict=false

I0825 18:51:28.375322    5654 main.go:52] ======= Init importSigningKey ========
I0825 18:51:28.411068    5654 main.go:87] ======= Loading EndorsementKeyRSA ========
I0825 18:51:28.419475    5654 main.go:94] ======= Loading sealedkey ========
I0825 18:51:28.419722    5654 main.go:105] ======= Loading ImportSigningKey ========
I0825 18:51:28.481885    5654 main.go:148] ======= Signing Data with Key Handle ========
I0825 18:51:28.490727    5654 main.go:210] Test Signature: yt5tjN+idFUrJk1+Z3nSErlIp9BImGpFF+xPzB1x+gpx+6TI7H0+TsAglHBF0SKvxoLIM1yVpAW8/XFwj1ywmwJt7Uo99SuIKp/ignNvwfk+NKspI7CZFw70RbGdBEbWiYLbiQqV09Or3K8kStX9mudGlSdbD4UBNTYMt67lyXFV7CW8aqyKw4R0LKq8WVRW3q8kolowwmFeG3YkwpiVtZGrr30t9Jwbfkpmk7nS4UdupgzbJGU2WgSCL0dwrUwtDKvAw5g/wrT+PDbd4ahaDuvTaxLYftMSWz4dj+C//3AwDOdziaWPe52KbPoBcLAiuYpORUhD+6w6UtjYgVzn3A==
# tpm2_getcap handles-persistent
- 0x81008000

Call GCP APIs

See code at

#  go run main --persistentHandle=0x81008000 -serviceAccountEmail="tpm-sa@core-eso.iam.gserviceaccount.com" -keyId=71b831d149e4667809644840cda2e7e0080035d5
2023/08/25 19:25:45 ======= Init  ========
2023/08/25 19:25:45 Token: ya29.c.b0Aaek...

2023/08/25 19:25:45 core-eso-bucket
2023/08/25 19:25:45 core-eso_cloudbuild

also see https://github.com/salrashid123/gcp_tpm_sealed_keys#duplicate-and-transfer-using-endorsement-key

