Verify TPM RSA Key file with openssl
The following generates a TPM key file using github.com/foxboron/go-tpm-keyfiles in
the ASN.1 format described in https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
the code below will
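As an added example (not code from the gist, nor from go-tpm-keyfiles), the Go program below does the verification step by hand: it decodes a TSS2 PRIVATE KEY PEM according to the TPMKey SEQUENCE in the draft above, parses the TPM2B_PUBLIC member down to the RSA modulus and exponent, and writes the PKIX public-key PEM that openssl can use with `openssl dgst -sha256 -verify pub.pem -signature sig.bin data.bin`. The names tssKey, rsaPublicFromTPM2B, publicPEMFromKeyFile and sampleKeyFile are this example's own; the input is a constructed key file with a toy 64-bit modulus and a filler privkey so it runs offline, and only the draft's [0]..[3] OPTIONAL members are modelled.

```go
// Added example (not go-tpm-keyfiles' code): decode a "TSS2 PRIVATE KEY" PEM per
// draft-bottomley-tpm2-keys and emit the PKIX PEM openssl needs to verify its signatures.
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/asn1"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
)

// TPM_ALG_RSA, TPM_ALG_NULL, TPM_ALG_RSAES (TPM 2.0 Part 2) and the draft's OID for a loadable key.
const algRSA, algNull, algRSAES = 0x0001, 0x0010, 0x0015

var oidLoadableKey = asn1.ObjectIdentifier{2, 23, 133, 10, 1, 3}

// tssKey is the draft's TPMKey SEQUENCE; tagged OPTIONAL members are kept raw so files carrying them still decode.
type tssKey struct {
	Type       asn1.ObjectIdentifier
	EmptyAuth  bool          `asn1:"optional,explicit,tag:0"`
	Policy     asn1.RawValue `asn1:"optional,explicit,tag:1"`
	Secret     asn1.RawValue `asn1:"optional,explicit,tag:2"`
	AuthPolicy asn1.RawValue `asn1:"optional,explicit,tag:3"`
	Parent     int64  // parent handle, e.g. 0x40000001 (TPM_RH_OWNER)
	PubKey     []byte // TPM2B_PUBLIC, parsed by rsaPublicFromTPM2B
	PrivKey    []byte // TPM2B_PRIVATE: encrypted to the parent, opaque to the host
}

// rsaPublicFromTPM2B walks TPM2B_PUBLIC -> TPMT_PUBLIC -> TPMS_RSA_PARMS -> unique with a sticky-error cursor.
func rsaPublicFromTPM2B(b []byte) (pub *rsa.PublicKey, err error) {
	take := func(n int) []byte {
		if len(b) < n {
			err, b = fmt.Errorf("truncated"), make([]byte, n) // park the cursor on zeros; reported at the end
		}
		v := b[:n]
		b = b[n:]
		return v
	}
	u16 := func() uint16 { v := take(2); return uint16(v[0])<<8 | uint16(v[1]) }
	u32 := func() uint32 { return uint32(u16())<<16 | uint32(u16()) }
	tpm2b := func() []byte { return take(int(u16())) } // UINT16 size followed by that many bytes
	size := int(u16()) // TPM2B_PUBLIC.size must cover exactly the TPMT_PUBLIC that follows
	body := len(b)
	typ, _, _, _ := u16(), u16(), u32(), tpm2b() // type, nameAlg, objectAttributes, authPolicy
	if u16() != algNull {                         // symmetric: a non-NULL TPMT_SYM_DEF_OBJECT adds keyBits and mode
		take(4)
	}
	if s := u16(); s != algNull && s != algRSAES { // scheme: RSASSA/RSAPSS/OAEP carry a hashAlg, RSAES does not
		u16()
	}
	keyBits, exp, n := u16(), u32(), new(big.Int).SetBytes(tpm2b()) // unique: TPM2B_PUBLIC_KEY_RSA
	if err != nil || len(b) != 0 || size != body || typ != algRSA || n.BitLen() != int(keyBits) {
		return nil, fmt.Errorf("not a well-formed RSA TPM2B_PUBLIC (type 0x%04x): %v", typ, err)
	}
	if exp == 0 {
		exp = 65537 // Part 2: a zero exponent means the default
	}
	return &rsa.PublicKey{N: n, E: int(exp)}, nil
}

// publicPEMFromKeyFile: TSS2 key file PEM in, PKIX "PUBLIC KEY" PEM out.
func publicPEMFromKeyFile(keyPEM []byte) ([]byte, error) {
	var k tssKey
	blk, _ := pem.Decode(keyPEM)
	if blk == nil || blk.Type != "TSS2 PRIVATE KEY" {
		return nil, fmt.Errorf("expected a TSS2 PRIVATE KEY PEM block")
	}
	if rest, err := asn1.Unmarshal(blk.Bytes, &k); err != nil || len(rest) != 0 || !k.Type.Equal(oidLoadableKey) {
		return nil, fmt.Errorf("not a loadable TPMKey (type %v, %d trailing bytes): %v", k.Type, len(rest), err)
	}
	pub, err := rsaPublicFromTPM2B(k.PubKey)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// sampleKeyFile is constructed input: a hand-assembled TPM2B_PUBLIC for an RSASSA-SHA256 signing key
// with a toy 64-bit modulus, wrapped in the draft's TPMKey PEM. On a real file both blobs come from the TPM.
func sampleKeyFile() []byte {
	pub, _ := hex.DecodeString("0020" + // TPM2B_PUBLIC.size = 32
		"0001" + "000B" + "00040072" + "0000" + // type RSA, nameAlg SHA256, attrs fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|sign, empty authPolicy
		"0010" + "0014" + "000B" + "0040" + "00000000" + // symmetric NULL, scheme RSASSA, hashAlg SHA256, keyBits 64, exponent 0 (= default)
		"0008" + "C0FFEE0000000001") // unique: 8-byte modulus
	der, _ := asn1.Marshal(tssKey{Type: oidLoadableKey, EmptyAuth: true, Parent: 0x40000001,
		PubKey: pub, PrivKey: []byte("filler: not a TPM2B_PRIVATE")}) // constant input; Marshal cannot fail
	return pem.EncodeToMemory(&pem.Block{Type: "TSS2 PRIVATE KEY", Bytes: der})
}

func main() {
	pubPEM, err := publicPEMFromKeyFile(sampleKeyFile())
	if err != nil {
		panic(err)
	}
	fmt.Print(string(pubPEM))
}
```

To use this against a real file, replace sampleKeyFile() with the bytes of the key PEM go-tpm-keyfiles wrote, redirect the output to pub.pem, and run the openssl dgst -verify line above against a signature the TPM produced. The parser rejects a TPM2B_PUBLIC whose size field, trailing bytes or keyBits disagree with the modulus, and applies the TPM's rule that an exponent of 0 means 65537; only the public half is ever touched, the TPM2B_PRIVATE stays opaque.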
/*
self-signed jwt access to google cloud iap
https://cloud.google.com/iap/docs/authentication-howto#authenticating_with_a_self-signed_jwt
using google auth library
and service account bound inside Trusted Platform Module
*/
package main
This procedure will transfer an HMAC key created inside TPM-A to TPM-B but prevent TPM-B from transferring it on to TPM-C.
Basically, an extension of the end-to-end example that transfers an RSA key generated on TPM-A to TPM-B, but
using tpm2_policyduplicationselect
to prevent further duplication.
Step 1 below transfers the key from A->B; step 2 attempts B->C, but duplication on B is prevented by the policy.
This procedure will transfer an HMAC key created inside TPM-A
to TPM-B
and then to TPM-C
using tpm2_policycommandcode.
Basically, an extension of the end-to-end example that transfers an RSA key generated on TPM-A to TPM-B.
To use this, you'll need three VMs.
package main

import (
	"bytes"
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
parsing the os-inventory metadata server struct
If you have OS inventory enabled, you can get the values on the VM itself by running
curl -s -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/guestInventory/InstalledPackages
and parse the values using
(you can of course otherwise get the packages via the API
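As an added example of the parsing step (not the gist's code), the Go program below decodes an InstalledPackages value offline. Two assumptions are baked in and labelled in the code: the attribute value is base64 over gzip over JSON (what the OS inventory documentation states for the package lists), and the JSON maps a package-manager name to a list of objects with Name, Arch and Version fields. The names pkgInfo, decodeInstalledPackages, installedVersions and sampleAttribute are this example's own, and the sample input is constructed in the block rather than fetched from the metadata server.

```go
// Added example (not the gist's code): decode the guestInventory/InstalledPackages guest
// attribute offline. Assumed here: the value is base64(gzip(JSON)), as the OS inventory docs
// describe for the package lists, and the JSON maps a package-manager name to a list of
// {Name, Arch, Version} objects. The sample input below is constructed to match.
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

type pkgInfo struct {
	Name    string `json:"Name"`
	Arch    string `json:"Arch"`
	Version string `json:"Version"`
}

// decodeInstalledPackages undoes the base64 and gzip layers, then parses the JSON. The
// inflated size is capped: guest attributes are written from inside the VM, so anything
// that can reach the metadata server can plant a value, and a gzip bomb must not take the
// parser down with it.
func decodeInstalledPackages(attr string, limit int64) (map[string][]pkgInfo, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(attr))
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, fmt.Errorf("gzip: %w", err)
	}
	defer zr.Close()
	data, err := io.ReadAll(io.LimitReader(zr, limit+1)) // one byte past the cap tells us it was exceeded
	if err != nil {
		return nil, fmt.Errorf("inflate: %w", err)
	}
	if int64(len(data)) > limit {
		return nil, fmt.Errorf("inventory exceeds %d bytes after decompression", limit)
	}
	var inv map[string][]pkgInfo
	if err := json.Unmarshal(data, &inv); err != nil {
		return nil, fmt.Errorf("json: %w", err)
	}
	return inv, nil
}

// installedVersions returns manager -> version for every list that carries name, so a
// question like "is openssl below X anywhere on this VM?" is a single lookup.
func installedVersions(inv map[string][]pkgInfo, name string) map[string]string {
	out := map[string]string{}
	for mgr, pkgs := range inv {
		for _, p := range pkgs {
			if p.Name == name {
				out[mgr] = p.Version
			}
		}
	}
	return out
}

// sampleAttribute produces a constructed InstalledPackages value the way the agent would
// publish it: JSON -> gzip -> base64. The package names and versions are made up.
func sampleAttribute() string {
	inv := map[string][]pkgInfo{
		"deb": {
			{Name: "openssl", Arch: "amd64", Version: "3.0.2-0ubuntu1.10"},
			{Name: "curl", Arch: "amd64", Version: "7.81.0-1ubuntu1.10"},
		},
		"pip": {{Name: "requests", Arch: "all", Version: "2.31.0"}},
	}
	js, _ := json.Marshal(inv)
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(js)
	zw.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

func main() {
	inv, err := decodeInstalledPackages(sampleAttribute(), 16<<20)
	if err != nil {
		panic(err)
	}
	for mgr, v := range installedVersions(inv, "openssl") {
		fmt.Printf("%s: openssl %s\n", mgr, v)
	}
}
```

On a real VM, feed decodeInstalledPackages the body of the curl command above instead of sampleAttribute(); a value that starts with H4sI is the gzip magic in base64, which is the quick check that the assumed encoding holds before you rely on it.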
Bazel build issue after upgrading
to repro, copy all the files below to a folder, then:
go get cloud.google.com/go/iam/credentials/apiv1@latest
bazel run :gazelle -- update-repos -from_file=go.mod -prune=true -to_macro=repositories.bzl%go_repositories
$ bazel run :main
$ bazel run :server_image
$ docker run -ti localhost:4000/harness:server_image
Traceback (most recent call last):
File "/app//py_image.binary.runfiles/qs/main.py", line 8, in <module>
import tink
This will migrate a project (your-project-to-migrate) that sits outside of a cloud org (yourdomain.com).
It's owned by alice@domain.
admin@domain is a cloud org domain owner who can migrate a project over.
Enable domain-wide delegation on a service account with the scope
"https://www.googleapis.com/auth/cloud-platform"
see ref
scratchpad on starting up a GCP AMD-SEV instance
using go-sev-guest and virtee
# create instance
gcloud beta compute instances create snp-instance \
--machine-type=n2d-standard-4 \
--min-cpu-platform="AMD Milan" \