snippet demonstrating how to create an RSA key on a TPM, then assocaite that with a GCP service account.
Finally, use that embedded service account key to access GCP resources
salrashid123
salrashid123
/ gcp-tpm.md
Last active
August 29, 2023 00:40
Trusted Platform Module (TPM) based GCP Service Account Key
salrashid123
/ cog_bazel.md
Last active
August 18, 2023 11:43
Deterministic builds with cog and bazel (ttps://github.com/replicate/cog/issues/1250)
using bazel to build deterministic cog image
the following will build an image hash of
sha256:3db6542dc746aeabaa39d902570430e1d50c416e7fc20b875c10578aa5e62875
(more or less unless copy+paste from gist may add newline, whitespace to the .py files, sources..;
salrashid123
/ parseIssuer.go
Last active
August 13, 2023 13:49
Parse certificate.Issuer from raw DER bytes in golang
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Marshall Certificate.Issuer struct from raw DER Bytes | |
| code uses parser from https://go.dev/src/crypto/x509/parser.go | |
| https://lapo.it/asn1js/#MIIELTCCAxWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMSIwIAYDVQQDDBlFbnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMB4XDTIzMDQwNzE0MDQwN1oXDTI1MDQwNjE0MDQwN1owRTELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkdvb2dsZTETMBEGA1UECwwKRW50ZXJwcmlzZTEQMA4GA1UEAwwHbWNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGzSU8QxpblEH9igyDzn24R1M3dNU9inBjxPmGFrbzI1HN2oGxVdYSDmTmRwPmuLVxvX3HiFSGuhG3GvjrMskydY6dqvcZmOB8IMcCuw74kXIOevGyBVr8EJN-Z8tLXvZHyZgDe-1bDRkw4IsmhJrgnrWWAoWucyTSKYq8U5ZQt_1f3_nMAtkmt2kI3mrF1E_ibasa_aWngsyjtAVC-y1p2hDznHU8rDLxdgNKIo3X85eDFAOi-wDPMxrO3_vtNP2i1OrKv-GLj_0d1HzGV_4R5sMzNCOVXJ7H7TbbxFceC6ajMwEddZdASB7E4Mc43T4yuQy0_opravLkQQFacuZcCAwEAAaOCARQwggEQMA4GA1UdDwEB_wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBRNAL-pKqCVY-RHtsRYG80GoULfLDAfBgNVHSMEGDAWgBSTvRe8TcBkyWIHOosz4S12KzT3wzBEBggrBgEFBQcBAQQ4MDYwNAYI |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Create GCP Confidential Space VM using Terraform | |
| export PROJECT_ID=`gcloud config get-value core/project` | |
| export PROJECT_NUMBER=`gcloud projects describe $PROJECT_ID --format='value(projectNumber)'` | |
| gcloud compute instances create vm1 --project=vegas-codelab-5 --confidential-compute \ | |
| --shielded-secure-boot --tags=tee-vm --maintenance-policy=TERMINATE --service-account="$PROJECT_NUMBER-compute@developer.gserviceaccount.com" --scopes=cloud-platform --zone=us-central1-a --image-project=confidential-space-images --image-family=confidential-space-debug \ | |
| --metadata ^~^tee-image-reference=gcr.io/cloud-marketplace/google/nginx1:latest~tee-restart-policy=Never~tee-container-log-redirect=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "context" | |
| "fmt" | |
| "log" | |
| "syscall" | |
| "time" | |
| // "github.com/containerd/cgroups/v3" |
salrashid123
/ ocsp_parse_cert.md
Last active
August 1, 2023 04:13
Extract OCSP Request Parametres from certificate
simple demo on how to create extract the ocsprequest parameters from an issuing ca cert
- https://pkg.go.dev/golang.org/x/crypto/ocsp#Request
- https://www.rfc-editor.org/rfc/rfc6960#section-2.1
## start ocsp server
git clone https://github.com/salrashid123/go_mtls_scratchpad
cd go_mtls_scratchpad/ca1/ca_scratchpad
salrashid123
/ bq_diff_privacy.md
Created
July 20, 2023 13:03
BQ Differential Privacy using AEAD and GCP Confidential Space
salrashid123
/ getshieldedIdentity.md
Last active
July 3, 2023 12:56
Using GCE APIs to retrieve EKPub
Snippet which uses GCE Compute API to retrieve the ekCert encryption and signing keys per
The idea is that a remote verifier would first use the GCE API to retrieve the ekPub key and use that as a trust anchor for remote attestation.
salrashid123
/ gce_eventlog.md
Last active
October 20, 2023 10:16
TPM EventLog value for GCE Confidential VMs (SEV)
Snippet used to confirm if AMD-SEV is enabled or not on a GCE VM using TPM PCR0 values.
GCE Shielded VM that have TPMs enabled asserts that PCR0 surfaces the following encoded measurements
0: Contains the value for PCR0, which contains information about firmware components and the memory encryption technology that is active. This PCR diverges from the TCG PCClient platform firmware profile in that it measures only the following events:
salrashid123
/ tpm_ca.md
Last active
January 3, 2024 14:16
Issue CA-signed certificate for TPM public key using (-force_pubkey)
Rough procedure to force sign/issue a CA signed certificate that is tied to a TPM's public key.
This procedure uses the -force_pubkey key parameter for openssl