-
Notifications
You must be signed in to change notification settings - Fork 156
/
tpm2.go
2032 lines (1747 loc) · 64.7 KB
/
tpm2.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// Package tpm2 contains TPM 2.0 commands and structures.
package tpm2
import (
"bytes"
"encoding/binary"
"github.com/google/go-tpm/tpm2/transport"
)
// handle represents a TPM handle as comprehended in Part 3: Commands.
// In the context of TPM commands, handles are special parameters for which
// there is a known associated name.
// This is not an exported interface, because the reflection logic has special
// behavior for AuthHandle, due to the fact that referencing Session from this
// interface would break the ability to make TPMHandle implement it.
type handle interface {
// HandleValue is the numeric concrete handle value in the TPM.
HandleValue() uint32
// KnownName is the TPM Name of the associated entity. See Part 1, section 16.
KnownName() *TPM2BName
}
// NamedHandle represents an associated pairing of TPM handle and known Name.
type NamedHandle struct {
Handle TPMHandle
Name TPM2BName
}
// HandleValue implements the handle interface.
func (h NamedHandle) HandleValue() uint32 {
return h.Handle.HandleValue()
}
// KnownName implements the handle interface.
func (h NamedHandle) KnownName() *TPM2BName {
return &h.Name
}
// AuthHandle allows the caller to add an authorization session onto a handle.
type AuthHandle struct {
Handle TPMHandle
Name TPM2BName
Auth Session
}
// HandleValue implements the handle interface.
func (h AuthHandle) HandleValue() uint32 {
return h.Handle.HandleValue()
}
// KnownName implements the handle interface.
// If Name is not provided (i.e., only Auth), then rely on the underlying
// TPMHandle.
func (h AuthHandle) KnownName() *TPM2BName {
if len(h.Name.Buffer) != 0 {
return &h.Name
}
return h.Handle.KnownName()
}
// Command is an interface for any TPM command, parameterized by its response
// type.
type Command[R any, PR *R] interface {
// The TPM command code associated with this command.
Command() TPMCC
// Executes the command and returns the response.
Execute(t transport.TPM, s ...Session) (PR, error)
}
// PolicyCommand is a TPM command that can be part of a TPM policy.
type PolicyCommand interface {
// Update updates the given policy hash according to the command
// parameters.
Update(policy *PolicyCalculator) error
}
// Shutdown is the input to TPM2_Shutdown.
// See definition in Part 3, Commands, section 9.4.
type Shutdown struct {
// TPM_SU_CLEAR or TPM_SU_STATE
ShutdownType TPMSU
}
// Command implements the Command interface.
func (Shutdown) Command() TPMCC { return TPMCCShutdown }
// Execute executes the command and returns the response.
func (cmd Shutdown) Execute(t transport.TPM, s ...Session) (*ShutdownResponse, error) {
var rsp ShutdownResponse
err := execute[ShutdownResponse](t, cmd, &rsp, s...)
if err != nil {
return nil, err
}
return &rsp, nil
}
// ShutdownResponse is the response from TPM2_Shutdown.
type ShutdownResponse struct{}
// Startup is the input to TPM2_Startup.
// See definition in Part 3, Commands, section 9.3.
type Startup struct {
// TPM_SU_CLEAR or TPM_SU_STATE
StartupType TPMSU
}
// Command implements the Command interface.
func (Startup) Command() TPMCC { return TPMCCStartup }
// Execute executes the command and returns the response.
func (cmd Startup) Execute(t transport.TPM, s ...Session) (*StartupResponse, error) {
var rsp StartupResponse
err := execute[StartupResponse](t, cmd, &rsp, s...)
if err != nil {
return nil, err
}
return &rsp, nil
}
// StartupResponse is the response from TPM2_Startup.
type StartupResponse struct{}
// StartAuthSession is the input to TPM2_StartAuthSession.
// See definition in Part 3, Commands, section 11.1
type StartAuthSession struct {
// handle of a loaded decrypt key used to encrypt salt
// may be TPM_RH_NULL
TPMKey handle `gotpm:"handle"`
// entity providing the authValue
// may be TPM_RH_NULL
Bind handle `gotpm:"handle"`
// initial nonceCaller, sets nonceTPM size for the session
// shall be at least 16 octets
NonceCaller TPM2BNonce
// value encrypted according to the type of tpmKey
// If tpmKey is TPM_RH_NULL, this shall be the Empty Buffer.
EncryptedSalt TPM2BEncryptedSecret
// indicates the type of the session; simple HMAC or policy (including
// a trial policy)
SessionType TPMSE
// the algorithm and key size for parameter encryption
// may select transport.TPM_ALG_NULL
Symmetric TPMTSymDef
// hash algorithm to use for the session
// Shall be a hash algorithm supported by the TPM and not transport.TPM_ALG_NULL
AuthHash TPMIAlgHash
}
// Command implements the Command interface.
func (StartAuthSession) Command() TPMCC { return TPMCCStartAuthSession }
// Execute executes the command and returns the response.
func (cmd StartAuthSession) Execute(t transport.TPM, s ...Session) (*StartAuthSessionResponse, error) {
var rsp StartAuthSessionResponse
if err := execute[StartAuthSessionResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// StartAuthSessionResponse is the response from TPM2_StartAuthSession.
type StartAuthSessionResponse struct {
// handle for the newly created session
SessionHandle TPMISHAuthSession `gotpm:"handle"`
// the initial nonce from the TPM, used in the computation of the sessionKey
NonceTPM TPM2BNonce
}
// Create is the input to TPM2_Create.
// See definition in Part 3, Commands, section 12.1
type Create struct {
// handle of parent for new object
ParentHandle handle `gotpm:"handle,auth"`
// the sensitive data
InSensitive TPM2BSensitiveCreate
// the public template
InPublic TPM2BPublic
// data that will be included in the creation data for this
// object to provide permanent, verifiable linkage between this
// object and some object owner data
OutsideInfo TPM2BData
// PCR that will be used in creation data
CreationPCR TPMLPCRSelection
}
// Command implements the Command interface.
func (Create) Command() TPMCC { return TPMCCCreate }
// Execute executes the command and returns the response.
func (cmd Create) Execute(t transport.TPM, s ...Session) (*CreateResponse, error) {
var rsp CreateResponse
if err := execute[CreateResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// CreateResponse is the response from TPM2_Create.
type CreateResponse struct {
// the private portion of the object
OutPrivate TPM2BPrivate
// the public portion of the created object
OutPublic TPM2BPublic
// contains a TPMS_CREATION_DATA
CreationData tpm2bCreationData
// digest of creationData using nameAlg of outPublic
CreationHash TPM2BDigest
// ticket used by TPM2_CertifyCreation() to validate that the
// creation data was produced by the TPM.
CreationTicket TPMTTKCreation
}
// Load is the input to TPM2_Load.
// See definition in Part 3, Commands, section 12.2
type Load struct {
// handle of parent for new object
ParentHandle handle `gotpm:"handle,auth"`
// the private portion of the object
InPrivate TPM2BPrivate
// the public portion of the object
InPublic TPM2BPublic
}
// Command implements the Command interface.
func (Load) Command() TPMCC { return TPMCCLoad }
// Execute executes the command and returns the response.
func (cmd Load) Execute(t transport.TPM, s ...Session) (*LoadResponse, error) {
var rsp LoadResponse
if err := execute[LoadResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// LoadResponse is the response from TPM2_Load.
type LoadResponse struct {
// handle of type TPM_HT_TRANSIENT for loaded object
ObjectHandle TPMHandle `gotpm:"handle"`
// Name of the loaded object
Name TPM2BName
}
// LoadExternal is the input to TPM2_LoadExternal.
// See definition in Part 3, Commands, section 12.3
type LoadExternal struct {
// the sensitive portion of the object (optional)
InPrivate TPM2BSensitive `gotpm:"optional"`
// the public portion of the object
InPublic TPM2BPublic
// hierarchy with which the object area is associated
Hierarchy TPMIRHHierarchy `gotpm:"nullable"`
}
// Command implements the Command interface.
func (LoadExternal) Command() TPMCC { return TPMCCLoadExternal }
// Execute executes the command and returns the response.
func (cmd LoadExternal) Execute(t transport.TPM, s ...Session) (*LoadExternalResponse, error) {
var rsp LoadExternalResponse
if err := execute[LoadExternalResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// LoadExternalResponse is the response from TPM2_LoadExternal.
type LoadExternalResponse struct {
// handle of type TPM_HT_TRANSIENT for loaded object
ObjectHandle TPMHandle `gotpm:"handle"`
// Name of the loaded object
Name TPM2BName
}
// ReadPublic is the input to TPM2_ReadPublic.
// See definition in Part 3, Commands, section 12.4
type ReadPublic struct {
// TPM handle of an object
ObjectHandle TPMIDHObject `gotpm:"handle"`
}
// Command implements the Command interface.
func (ReadPublic) Command() TPMCC { return TPMCCReadPublic }
// Execute executes the command and returns the response.
func (cmd ReadPublic) Execute(t transport.TPM, s ...Session) (*ReadPublicResponse, error) {
var rsp ReadPublicResponse
if err := execute[ReadPublicResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// ReadPublicResponse is the response from TPM2_ReadPublic.
type ReadPublicResponse struct {
// structure containing the public area of an object
OutPublic TPM2BPublic
// name of object
Name TPM2BName
// the Qualified Name of the object
QualifiedName TPM2BName
}
// ActivateCredential is the input to TPM2_ActivateCredential.
// See definition in Part 3, Commands, section 12.5.
type ActivateCredential struct {
// handle of the object associated with certificate in credentialBlob
ActivateHandle handle `gotpm:"handle,auth"`
// loaded key used to decrypt the TPMS_SENSITIVE in credentialBlob
KeyHandle handle `gotpm:"handle,auth"`
// the credential
CredentialBlob TPM2BIDObject
// keyHandle algorithm-dependent encrypted seed that protects credentialBlob
Secret TPM2BEncryptedSecret
}
// Command implements the Command interface.
func (ActivateCredential) Command() TPMCC { return TPMCCActivateCredential }
// Execute executes the command and returns the response.
func (cmd ActivateCredential) Execute(t transport.TPM, s ...Session) (*ActivateCredentialResponse, error) {
var rsp ActivateCredentialResponse
if err := execute[ActivateCredentialResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// ActivateCredentialResponse is the response from TPM2_ActivateCredential.
type ActivateCredentialResponse struct {
// the decrypted certificate information
CertInfo TPM2BDigest
}
// MakeCredential is the input to TPM2_MakeCredential.
// See definition in Part 3, Commands, section 12.6.
type MakeCredential struct {
// loaded public area, used to encrypt the sensitive area containing the credential key
Handle TPMIDHObject `gotpm:"handle"`
// the credential information
Credential TPM2BDigest
// Name of the object to which the credential applies
ObjectNamae TPM2BName
}
// Command implements the Command interface.
func (MakeCredential) Command() TPMCC { return TPMCCMakeCredential }
// Execute executes the command and returns the response.
func (cmd MakeCredential) Execute(t transport.TPM, s ...Session) (*MakeCredentialResponse, error) {
var rsp MakeCredentialResponse
if err := execute[MakeCredentialResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// MakeCredentialResponse is the response from TPM2_MakeCredential.
type MakeCredentialResponse struct {
// the credential
CredentialBlob TPM2BIDObject
// handle algorithm-dependent data that wraps the key that encrypts credentialBlob
Secret TPM2BEncryptedSecret
}
// Unseal is the input to TPM2_Unseal.
// See definition in Part 3, Commands, section 12.7
type Unseal struct {
ItemHandle handle `gotpm:"handle,auth"`
}
// Command implements the Command interface.
func (Unseal) Command() TPMCC { return TPMCCUnseal }
// Execute executes the command and returns the response.
func (cmd Unseal) Execute(t transport.TPM, s ...Session) (*UnsealResponse, error) {
var rsp UnsealResponse
if err := execute[UnsealResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// UnsealResponse is the response from TPM2_Unseal.
type UnsealResponse struct {
OutData TPM2BSensitiveData
}
// ObjectChangeAuth is the input to TPM2_ObjectChangeAuth.
// See definition in Part 3, Commands, section 12.8
type ObjectChangeAuth struct {
// TPM handle of an object
ObjectHandle handle `gotpm:"handle,auth"`
// handle of the parent
ParentHandle handle `gotpm:"handle"`
// new authorization value
NewAuth TPM2BAuth
}
// Command implements the Command interface.
func (ObjectChangeAuth) Command() TPMCC { return TPMCCObjectChangeAuth }
// Execute executes the command and returns the response.
func (cmd ObjectChangeAuth) Execute(t transport.TPM, s ...Session) (*ObjectChangeAuthResponse, error) {
var rsp ObjectChangeAuthResponse
if err := execute[ObjectChangeAuthResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// ObjectChangeAuthResponse the response from TPM2_ObjectChangeAuth.
type ObjectChangeAuthResponse struct {
// private area containing the new authorization value
OutPrivate TPM2BPrivate
}
// CreateLoaded is the input to TPM2_CreateLoaded.
// See definition in Part 3, Commands, section 12.9
type CreateLoaded struct {
// Handle of a transient storage key, a persistent storage key,
// TPM_RH_ENDORSEMENT, TPM_RH_OWNER, TPM_RH_PLATFORM+{PP}, or TPM_RH_NULL
ParentHandle handle `gotpm:"handle,auth"`
// the sensitive data, see TPM 2.0 Part 1 Sensitive Values
InSensitive TPM2BSensitiveCreate
// the public template
InPublic TPM2BTemplate
}
// Command implements the Command interface.
func (CreateLoaded) Command() TPMCC { return TPMCCCreateLoaded }
// Execute executes the command and returns the response.
func (cmd CreateLoaded) Execute(t transport.TPM, s ...Session) (*CreateLoadedResponse, error) {
var rsp CreateLoadedResponse
if err := execute[CreateLoadedResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// CreateLoadedResponse is the response from TPM2_CreateLoaded.
type CreateLoadedResponse struct {
// handle of type TPM_HT_TRANSIENT for loaded object
ObjectHandle TPMHandle `gotpm:"handle"`
// the sensitive area of the object (optional)
OutPrivate TPM2BPrivate `gotpm:"optional"`
// the public portion of the created object
OutPublic TPM2BPublic
// the name of the created object
Name TPM2BName
}
// RSAEncrypt is the input to TPM2_RSA_Encrypt
// See definition in Part 3, Commands, section 14.2.
type RSAEncrypt struct {
// reference to public portion of RSA key to use for encryption
KeyHandle handle `gotpm:"handle"`
// message to be encrypted
Message TPM2BPublicKeyRSA
// the padding scheme to use if scheme associated with keyHandle is TPM_ALG_NULL
InScheme TPMTRSADecrypt `gotpm:"nullable"`
// optional label L to be associated with the message
Label TPM2BData `gotpm:"optional"`
}
// Command implements the Command interface.
func (RSAEncrypt) Command() TPMCC { return TPMCCRSAEncrypt }
// Execute executes the command and returns the response.
func (cmd RSAEncrypt) Execute(t transport.TPM, s ...Session) (*RSAEncryptResponse, error) {
var rsp RSAEncryptResponse
if err := execute[RSAEncryptResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// RSAEncryptResponse is the response from TPM2_RSA_Encrypt
type RSAEncryptResponse struct {
// encrypted output
OutData TPM2BPublicKeyRSA
}
// RSADecrypt is the input to TPM2_RSA_Decrypt
// See definition in Part 3, Commands, section 14.3.
type RSADecrypt struct {
// RSA key to use for decryption
KeyHandle handle `gotpm:"handle,auth"`
// cipher text to be decrypted
CipherText TPM2BPublicKeyRSA
// the padding scheme to use if scheme associated with keyHandle is TPM_ALG_NULL
InScheme TPMTRSADecrypt `gotpm:"nullable"`
// label whose association with the message is to be verified
Label TPM2BData `gotpm:"optional"`
}
// Command implements the Command interface.
func (RSADecrypt) Command() TPMCC { return TPMCCRSADecrypt }
// Execute executes the command and returns the response.
func (cmd RSADecrypt) Execute(t transport.TPM, s ...Session) (*RSADecryptResponse, error) {
var rsp RSADecryptResponse
if err := execute[RSADecryptResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// RSADecryptResponse is the response from TPM2_RSA_Decrypt
type RSADecryptResponse struct {
// decrypted output
Message TPM2BPublicKeyRSA
}
// ECDHZGen is the input to TPM2_ECDHZGen.
// See definition in Part 3, Commands, section 14.5
type ECDHZGen struct {
// handle of a loaded ECC key
KeyHandle handle `gotpm:"handle,auth"`
// a public key
InPoint TPM2BECCPoint
}
// Command implements the Command interface.
func (ECDHZGen) Command() TPMCC { return TPMCCECDHZGen }
// Execute executes the command and returns the response.
func (cmd ECDHZGen) Execute(t transport.TPM, s ...Session) (*ECDHZGenResponse, error) {
var rsp ECDHZGenResponse
if err := execute[ECDHZGenResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// ECDHZGenResponse is the response from TPM2_ECDHZGen.
type ECDHZGenResponse struct {
// X and Y coordinates of the product of the multiplication
OutPoint TPM2BECCPoint
}
// Hash is the input to TPM2_Hash.
// See definition in Part 3, Commands, section 15.4
type Hash struct {
//data to be hashed
Data TPM2BMaxBuffer
// algorithm for the hash being computed - shall not be TPM_ALH_NULL
HashAlg TPMIAlgHash
// hierarchy to use for the ticket (TPM_RH_NULL_allowed)
Hierarchy TPMIRHHierarchy `gotpm:"nullable"`
}
// Command implements the Command interface.
func (Hash) Command() TPMCC { return TPMCCHash }
// Execute executes the command and returns the response.
func (cmd Hash) Execute(t transport.TPM, s ...Session) (*HashResponse, error) {
var rsp HashResponse
if err := execute[HashResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// HashResponse is the response from TPM2_Hash.
type HashResponse struct {
// results
OutHash TPM2BDigest
// ticket indicating that the sequence of octets used to
// compute outDigest did not start with TPM_GENERATED_VALUE
Validation TPMTTKHashCheck
}
// GetRandom is the input to TPM2_GetRandom.
// See definition in Part 3, Commands, section 16.1
type GetRandom struct {
// number of octets to return
BytesRequested uint16
}
// Command implements the Command interface.
func (GetRandom) Command() TPMCC { return TPMCCGetRandom }
// Execute executes the command and returns the response.
func (cmd GetRandom) Execute(t transport.TPM, s ...Session) (*GetRandomResponse, error) {
var rsp GetRandomResponse
if err := execute[GetRandomResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// GetRandomResponse is the response from TPM2_GetRandom.
type GetRandomResponse struct {
// the random octets
RandomBytes TPM2BDigest
}
// HashSequenceStart is the input to TPM2_HashSequenceStart.
// See definition in Part 3, Commands, section 17.3
type HashSequenceStart struct {
// authorization value for subsequent use of the sequence
Auth TPM2BAuth
// the hash algorithm to use for the hash sequence
// An Event Sequence starts if this is TPM_ALG_NULL.
HashAlg TPMIAlgHash
}
// Command implements the Command interface.
func (HashSequenceStart) Command() TPMCC { return TPMCCHashSequenceStart }
// Execute executes the command and returns the response.
func (cmd HashSequenceStart) Execute(t transport.TPM, s ...Session) (*HashSequenceStartResponse, error) {
var rsp HashSequenceStartResponse
if err := execute[HashSequenceStartResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// HashSequenceStartResponse is the response from TPM2_StartHashSequence.
type HashSequenceStartResponse struct {
// a handle to reference the sequence
SequenceHandle TPMIDHObject
}
// HmacStart is the input to TPM2_HMAC_Start.
// See definition in Part 3, Commands, section 17.2.2
type HmacStart struct {
// HMAC key handle requiring an authorization session for the USER role
Handle AuthHandle `gotpm:"handle,auth"`
// authorization value for subsequent use of the sequence
Auth TPM2BAuth
// the hash algorithm to use for the hmac sequence
HashAlg TPMIAlgHash
}
// Command implements the Command interface.
func (HmacStart) Command() TPMCC { return TPMCCHMACStart }
// Execute executes the command and returns the response.
func (cmd HmacStart) Execute(t transport.TPM, s ...Session) (*HmacStartResponse, error) {
var rsp HmacStartResponse
if err := execute[HmacStartResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// HmacStartResponse is the response from TPM2_HMAC_Start.
// See definition in Part 3, Commands, section 17.2.2
type HmacStartResponse struct {
// a handle to reference the sequence
SequenceHandle TPMIDHObject `gotpm:"handle"`
}
// SequenceUpdate is the input to TPM2_SequenceUpdate.
// See definition in Part 3, Commands, section 17.4
type SequenceUpdate struct {
// handle for the sequence object
SequenceHandle handle `gotpm:"handle,auth"`
// data to be added to hash
Buffer TPM2BMaxBuffer
}
// Command implements the Command interface.
func (SequenceUpdate) Command() TPMCC { return TPMCCSequenceUpdate }
// Execute executes the command and returns the response.
func (cmd SequenceUpdate) Execute(t transport.TPM, s ...Session) (*SequenceUpdateResponse, error) {
var rsp SequenceUpdateResponse
if err := execute[SequenceUpdateResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// SequenceUpdateResponse is the response from TPM2_SequenceUpdate.
type SequenceUpdateResponse struct{}
// SequenceComplete is the input to TPM2_SequenceComplete.
// See definition in Part 3, Commands, section 17.5
type SequenceComplete struct {
// authorization for the sequence
SequenceHandle handle `gotpm:"handle,auth"`
// data to be added to the hash/HMAC
Buffer TPM2BMaxBuffer
// hierarchy of the ticket for a hash
Hierarchy TPMIRHHierarchy `gotpm:"nullable"`
}
// Command implements the Command interface.
func (SequenceComplete) Command() TPMCC { return TPMCCSequenceComplete }
// Execute executes the command and returns the response.
func (cmd SequenceComplete) Execute(t transport.TPM, s ...Session) (*SequenceCompleteResponse, error) {
var rsp SequenceCompleteResponse
if err := execute[SequenceCompleteResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// SequenceCompleteResponse is the response from TPM2_SequenceComplete.
type SequenceCompleteResponse struct {
// the returned HMAC or digest in a sized buffer
Result TPM2BDigest
// ticket indicating that the sequence of octets used to
// compute outDigest did not start with TPM_GENERATED_VALUE
Validation TPMTTKHashCheck
}
// Certify is the input to TPM2_Certify.
// See definition in Part 3, Commands, section 18.2.
type Certify struct {
// handle of the object to be certified
ObjectHandle handle `gotpm:"handle,auth"`
// handle of the key used to sign the attestation structure
SignHandle handle `gotpm:"handle,auth"`
// user provided qualifying data
QualifyingData TPM2BData
// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
InScheme TPMTSigScheme
}
// Command implements the Command interface.
func (Certify) Command() TPMCC { return TPMCCCertify }
// Execute executes the command and returns the response.
func (cmd Certify) Execute(t transport.TPM, s ...Session) (*CertifyResponse, error) {
var rsp CertifyResponse
if err := execute[CertifyResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// CertifyResponse is the response from TPM2_Certify.
type CertifyResponse struct {
// the structure that was signed
CertifyInfo TPM2BAttest
// the asymmetric signature over certifyInfo using the key referenced by signHandle
Signature TPMTSignature
}
// CertifyCreation is the input to TPM2_CertifyCreation.
// See definition in Part 3, Commands, section 18.3.
type CertifyCreation struct {
// handle of the key that will sign the attestation block
SignHandle handle `gotpm:"handle,auth"`
// the object associated with the creation data
ObjectHandle handle `gotpm:"handle"`
// user-provided qualifying data
QualifyingData TPM2BData
// hash of the creation data produced by TPM2_Create() or TPM2_CreatePrimary()
CreationHash TPM2BDigest
// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
InScheme TPMTSigScheme
// ticket produced by TPM2_Create() or TPM2_CreatePrimary()
CreationTicket TPMTTKCreation
}
// Command implements the Command interface.
func (CertifyCreation) Command() TPMCC { return TPMCCCertifyCreation }
// Execute executes the command and returns the response.
func (cmd CertifyCreation) Execute(t transport.TPM, s ...Session) (*CertifyCreationResponse, error) {
var rsp CertifyCreationResponse
if err := execute[CertifyCreationResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// CertifyCreationResponse is the response from TPM2_CertifyCreation.
type CertifyCreationResponse struct {
// the structure that was signed
CertifyInfo TPM2BAttest
// the signature over certifyInfo
Signature TPMTSignature
}
// Quote is the input to TPM2_Quote.
// See definition in Part 3, Commands, section 18.4
type Quote struct {
// handle of key that will perform signature
SignHandle handle `gotpm:"handle,auth"`
// data supplied by the caller
QualifyingData TPM2BData
// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
InScheme TPMTSigScheme
// PCR set to quote
PCRSelect TPMLPCRSelection
}
// Command implements the Command interface.
func (Quote) Command() TPMCC { return TPMCCQuote }
// Execute executes the command and returns the response.
func (cmd Quote) Execute(t transport.TPM, s ...Session) (*QuoteResponse, error) {
var rsp QuoteResponse
if err := execute[QuoteResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// QuoteResponse is the response from TPM2_Quote.
type QuoteResponse struct {
// the quoted information
Quoted TPM2BAttest
// the signature over quoted
Signature TPMTSignature
}
// GetSessionAuditDigest is the input to TPM2_GetSessionAuditDigest.
// See definition in Part 3, Commands, section 18.5
type GetSessionAuditDigest struct {
// handle of the privacy administrator (TPM_RH_ENDORSEMENT)
PrivacyAdminHandle handle `gotpm:"handle,auth"`
// handle of the signing key
SignHandle handle `gotpm:"handle,auth"`
// handle of the audit session
SessionHandle handle `gotpm:"handle"`
// user-provided qualifying data – may be zero-length
QualifyingData TPM2BData
// signing scheme to use if the scheme for signHandle is TPM_ALG_NULL
InScheme TPMTSigScheme
}
// Command implements the Command interface.
func (GetSessionAuditDigest) Command() TPMCC { return TPMCCGetSessionAuditDigest }
// Execute executes the command and returns the response.
func (cmd GetSessionAuditDigest) Execute(t transport.TPM, s ...Session) (*GetSessionAuditDigestResponse, error) {
var rsp GetSessionAuditDigestResponse
if err := execute[GetSessionAuditDigestResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// GetSessionAuditDigestResponse is the response from
// TPM2_GetSessionAuditDigest.
type GetSessionAuditDigestResponse struct {
// the audit information that was signed
AuditInfo TPM2BAttest
// the signature over auditInfo
Signature TPMTSignature
}
// Commit is the input to TPM2_Commit.
// See definition in Part 3, Commands, section 19.2.
type Commit struct {
// handle of the key that will be used in the signing operation
SignHandle handle `gotpm:"handle,auth"`
// a point (M) on the curve used by signHandle
P1 TPM2BECCPoint
// octet array used to derive x-coordinate of a base point
S2 TPM2BSensitiveData
// y coordinate of the point associated with s2
Y2 TPM2BECCParameter
}
// Command implements the Command interface.
func (Commit) Command() TPMCC { return TPMCCCommit }
// Execute executes the command and returns the response.
func (cmd Commit) Execute(t transport.TPM, s ...Session) (*CommitResponse, error) {
var rsp CommitResponse
if err := execute[CommitResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// CommitResponse is the response from TPM2_Commit.
type CommitResponse struct {
// ECC point K ≔ [ds](x2, y2)
K TPM2BECCPoint
// ECC point L ≔ [r](x2, y2)
L TPM2BECCPoint
// ECC point E ≔ [r]P1
E TPM2BECCPoint
// least-significant 16 bits of commitCount
Counter uint16
}
// VerifySignature is the input to TPM2_VerifySignature.
// See definition in Part 3, Commands, section 20.1
type VerifySignature struct {
// handle of public key that will be used in the validation
KeyHandle handle `gotpm:"handle"`
// digest of the signed message
Digest TPM2BDigest
// signature to be tested
Signature TPMTSignature
}
// Command implements the Command interface.
func (VerifySignature) Command() TPMCC { return TPMCCVerifySignature }
// Execute executes the command and returns the response.
func (cmd VerifySignature) Execute(t transport.TPM, s ...Session) (*VerifySignatureResponse, error) {
var rsp VerifySignatureResponse
if err := execute[VerifySignatureResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// VerifySignatureResponse is the response from TPM2_VerifySignature.
type VerifySignatureResponse struct {
Validation TPMTTKVerified
}
// Sign is the input to TPM2_Sign.
// See definition in Part 3, Commands, section 20.2.
type Sign struct {
// Handle of key that will perform signing
KeyHandle handle `gotpm:"handle,auth"`
// digest to be signed
Digest TPM2BDigest
// signing scheme to use if the scheme for keyHandle is TPM_ALG_NULL
InScheme TPMTSigScheme `gotpm:"nullable"`
// proof that digest was created by the TPM.
// If keyHandle is not a restricted signing key, then this
// may be a NULL Ticket with tag = TPM_ST_CHECKHASH.
Validation TPMTTKHashCheck
}
// Command implements the Command interface.
func (Sign) Command() TPMCC { return TPMCCSign }
// Execute executes the command and returns the response.
func (cmd Sign) Execute(t transport.TPM, s ...Session) (*SignResponse, error) {
var rsp SignResponse
if err := execute[SignResponse](t, cmd, &rsp, s...); err != nil {
return nil, err
}
return &rsp, nil
}
// SignResponse is the response from TPM2_Sign.
type SignResponse struct {
// the signature
Signature TPMTSignature
}
// PCRExtend is the input to TPM2_PCR_Extend.
// See definition in Part 3, Commands, section 22.2
type PCRExtend struct {
// handle of the PCR
PCRHandle handle `gotpm:"handle,auth"`
// list of tagged digest values to be extended
Digests TPMLDigestValues
}
// Command implements the Command interface.
func (PCRExtend) Command() TPMCC { return TPMCCPCRExtend }
// Execute executes the command and returns the response.
func (cmd PCRExtend) Execute(t transport.TPM, s ...Session) (*PCRExtendResponse, error) {
var rsp PCRExtendResponse
err := execute[PCRExtendResponse](t, cmd, &rsp, s...)
if err != nil {
return nil, err
}
return &rsp, nil
}
// PCRExtendResponse is the response from TPM2_PCR_Extend.
type PCRExtendResponse struct{}
// PCREvent is the input to TPM2_PCR_Event.
// See definition in Part 3, Commands, section 22.3
type PCREvent struct {
// Handle of the PCR
PCRHandle handle `gotpm:"handle,auth"`
// Event data in sized buffer
EventData TPM2BEvent
}
// Command implements the Command interface.
func (PCREvent) Command() TPMCC { return TPMCCPCREvent }
// Execute executes the command and returns the response.
func (cmd PCREvent) Execute(t transport.TPM, s ...Session) (*PCREventResponse, error) {
var rsp PCREventResponse
err := execute[PCREventResponse](t, cmd, &rsp, s...)
if err != nil {
return nil, err
}
return &rsp, nil
}
// PCREventResponse is the response from TPM2_PCR_Event.