
@salrashid123
salrashid123 / tpm-keyfile.md
Last active May 23, 2024 16:18
TPM KeyFiles with go and openssl TSS2 PRIVATE KEY format
@salrashid123
salrashid123 / iap_jwtaccesstoken.go
Last active May 21, 2024 17:57
self-signed jwt access to google cloud iap
/*
self-signed jwt access to google cloud iap
https://cloud.google.com/iap/docs/authentication-howto#authenticating_with_a_self-signed_jwt
using google auth library
and service account bound inside Trusted Platform Module
*/
package main
@salrashid123
salrashid123 / duplicate_policyduplicationselect.md
Created May 9, 2024 14:56
Prevent Chained duplication from TPM-A -> TPM-B -> TPM-C using tpm2_policyduplicationselect

Prevent Chained duplication from A -> B -> C using tpm2_policyduplicationselect

This procedure will transfer an HMAC key created inside TPM-A to TPM-B but prevent TPM-B from transferring it on to TPM-C.

Basically, an extension of the chained-duplication example. As an end-to-end example, the following will transfer an RSA key generated on TPM-A to TPM-B but uses tpm2_policyduplicationselect to prevent further duplication.

Step 1 below transfers a key from A->B; step 2 attempts B->C, but duplication on B is prevented by the policy.

@salrashid123
salrashid123 / duplicate_policycommandcode.md
Created May 9, 2024 14:40
Duplicate and Transfer an encoded key from TPM-A -> TPM-B -> TPM-C using tpm2_policycommandcode
@salrashid123
salrashid123 / tinkrsa.go
Created April 17, 2024 00:17
tink-golang sign/verify and extract rsa.PublicKey
package main
import (
	"bytes"
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
@salrashid123
salrashid123 / os-inventory.md
Created April 2, 2024 13:41
Parsing GCP OSInventory packages from metadata server

parsing the os-inventory metadata server struct

if you have os-inventory enabled, you can get the values on the VM itself by running

curl -s -H 'Metadata-Flavor: Google'  http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/guestInventory/InstalledPackages

parse the values using
(you can of course otherwise get the packages via the API

@salrashid123
salrashid123 / bazel_protobuf_1.33.0.md
Created March 18, 2024 18:45
Bazel rules_go error after upgrading google.golang.org/protobuf from 1.32.0 to 1.33.0

Bazel build issue after upgrading

to repro, copy all the files below to a folder, then:

go get cloud.google.com/go/iam/credentials/apiv1@latest

bazel run :gazelle -- update-repos -from_file=go.mod -prune=true -to_macro=repositories.bzl%go_repositories
@salrashid123
salrashid123 / bazel_py.md
Last active March 7, 2024 12:40
bazel_python
$ bazel run :main

$ bazel run :server_image

$ docker run -ti localhost:4000/harness:server_image
Traceback (most recent call last):
  File "/app//py_image.binary.runfiles/qs/main.py", line 8, in <module>
    import tink
@salrashid123
salrashid123 / migrate.md
Last active January 31, 2024 13:03
Migrate non-org gcp project into org without console

this will migrate a project (your-project-to-migrate) that sits outside of a cloud org (yourdomain.com)

  1. it's owned by alice@domain

  2. admin@domain is a cloud org domain owner who can migrate a project over

  3. enable domain wide delegation on a service account with scopes

    "https://www.googleapis.com/auth/cloud-platform"

    see ref

@salrashid123
salrashid123 / amd-snp.md
Last active January 29, 2024 16:10
GCP AMD SNP client

scratchpad on starting up a GCP AMD-SEV instance

using go-sev-guest and virtee

# create instance

gcloud beta compute instances create snp-instance \
  --machine-type=n2d-standard-4 \
  --min-cpu-platform="AMD Milan" \