snippet demonstrating how to create an RSA key on a TPM, then assocaite that with a GCP service account.
Finally, use that embedded service account key to access GCP resources
snippet demonstrating how to create an RSA key on a TPM, then assocaite that with a GCP service account.
Finally, use that embedded service account key to access GCP resources
using bazel to build deterministic cog image
the following will build an image hash of
sha256:3db6542dc746aeabaa39d902570430e1d50c416e7fc20b875c10578aa5e62875
(more or less unless copy+paste from gist may add newline, whitespace to the .py files, sources..;
/* | |
Marshall Certificate.Issuer struct from raw DER Bytes | |
code uses parser from https://go.dev/src/crypto/x509/parser.go | |
https://lapo.it/asn1js/#MIIELTCCAxWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMSIwIAYDVQQDDBlFbnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMB4XDTIzMDQwNzE0MDQwN1oXDTI1MDQwNjE0MDQwN1owRTELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkdvb2dsZTETMBEGA1UECwwKRW50ZXJwcmlzZTEQMA4GA1UEAwwHbWNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGzSU8QxpblEH9igyDzn24R1M3dNU9inBjxPmGFrbzI1HN2oGxVdYSDmTmRwPmuLVxvX3HiFSGuhG3GvjrMskydY6dqvcZmOB8IMcCuw74kXIOevGyBVr8EJN-Z8tLXvZHyZgDe-1bDRkw4IsmhJrgnrWWAoWucyTSKYq8U5ZQt_1f3_nMAtkmt2kI3mrF1E_ibasa_aWngsyjtAVC-y1p2hDznHU8rDLxdgNKIo3X85eDFAOi-wDPMxrO3_vtNP2i1OrKv-GLj_0d1HzGV_4R5sMzNCOVXJ7H7TbbxFceC6ajMwEddZdASB7E4Mc43T4yuQy0_opravLkQQFacuZcCAwEAAaOCARQwggEQMA4GA1UdDwEB_wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBRNAL-pKqCVY-RHtsRYG80GoULfLDAfBgNVHSMEGDAWgBSTvRe8TcBkyWIHOosz4S12KzT3wzBEBggrBgEFBQcBAQQ4MDYwNAYI |
/* | |
Create GCP Confidential Space VM using Terraform | |
export PROJECT_ID=`gcloud config get-value core/project` | |
export PROJECT_NUMBER=`gcloud projects describe $PROJECT_ID --format='value(projectNumber)'` | |
gcloud compute instances create vm1 --project=vegas-codelab-5 --confidential-compute \ | |
--shielded-secure-boot --tags=tee-vm --maintenance-policy=TERMINATE --service-account="$PROJECT_NUMBER-compute@developer.gserviceaccount.com" --scopes=cloud-platform --zone=us-central1-a --image-project=confidential-space-images --image-family=confidential-space-debug \ | |
--metadata ^~^tee-image-reference=gcr.io/cloud-marketplace/google/nginx1:latest~tee-restart-policy=Never~tee-container-log-redirect=true |
package main | |
import ( | |
"context" | |
"fmt" | |
"log" | |
"syscall" | |
"time" | |
// "github.com/containerd/cgroups/v3" |
simple demo on how to create extract the ocsprequest parameters from an issuing ca cert
## start ocsp server
git clone https://github.com/salrashid123/go_mtls_scratchpad
cd go_mtls_scratchpad/ca1/ca_scratchpad
Snippet which uses GCE Compute API to retrieve the ekCert encryption and signing keys per
The idea is that a remote verifier would first use the GCE API to retrieve the ekPub key and use that as a trust anchor for remote attestation.
Snippet used to confirm if AMD-SEV
is enabled or not on a GCE VM using TPM PCR0
values.
GCE Shielded VM that have TPMs enabled asserts that PCR0
surfaces the following encoded measurements
0: Contains the value for PCR0, which contains information about firmware components and the memory encryption technology that is active. This PCR diverges from the TCG PCClient platform firmware profile in that it measures only the following events:
Rough procedure to force sign/issue a CA signed certificate that is tied to a TPM's public key.
This procedure uses the -force_pubkey key parameter for openssl