| package main | |
| /* | |
| script extracts the tpm encryptedblob (which is the client public/private key | |
| curl -v -H 'Metadata-Flavor: Google' http://metadata/computeMetadata/v1/instance/credentials/certs | |
| { | |
| "encrypted_credentials": "qmiCsZSSGxU8w7MnZoKe0XriLAPYmNGh6t9BqwtI5MqEJS7sv3pGFaHWi+U0oT8zQpuVsVVaEHP2qLwjE11v7xGR8ZCGr2Y5XnvlyEao8rcD8th6hCswLdJiMUATSZviThwziGIGAAzuHOofzEHbp8vDMe4hFsinz1sPvmOrd1aN1HAYPcXH5qpMdo0kgklXhc3O8p+cgVKO2UA7uNqM+/mOHzgxdLZ9f+X8gxAA1WWgr+X2G4W1BUUTPxFTchnzImoandoUo/SMinSVSrvVSkBCEm6GttxBjjgjc0Y391bOsCcEZH2xUx/Ev7+TfI2zqz0nMYQgB8Vly4/07WAPwUX3D8mFAgoTnokAOgHz1mcenH6C7XhKQRKd84wst2e5L35WFAsXY2Dtj7NgAS08T1e1N81VzDIBS7L8B1y9Y9ACu4n2gcKr/uRo36zunKEOd9rBRvNOdpkzaU3RQC97FUJrAUu6At2q9RLE2brphkq5bn11/CXWskNuzApS3MwzG9jeHJ1AAmDYbKicr1jzgMXhSBB63FXMs87kNtqj3X8XiCFJ89Ckewv1r3G9kzHisOQP1JjSfzD/AFOabkg/eFI6WfnriADuNPwMJHCKMsjDik+f6w4rLuOuLjMFm5OCAQkqAIppiWiBIfoT+4P7Z8Eg31s35wBvd82bIuTx8jG5ODYR7DjXa2kKlnytSI6KKPzlu3Q4z2gzkn3vuP5H5qjpWgDripKr2uqGMsYCRTEC0q0AutLtEY4ayU/Xo07kPyC/fBfQgXJuK/4Eq4UGHmbUP3YWaz |
Procedure to transfer a TPM key from one TPMA to TPMB with policies:
policy_duplicateselect: TPMB cannot re-export it.policy_pcr: allows TPMA to set which PCR values must be preset on B to use this keysee Prevent Chained duplication from A -> B -> C using tpm2_policyduplicationselect
crate prmiary
create key
evict primary to persistent handle 0x81000000
save key with go-tpm-keyfiles
load key using go-tpm-keyfile
module main
Generate a primary using the specified format described in ASN.1 Specification for TPM 2.0 Key Files where the template h-2 is described in pg 43 TCG EK Credential Profile
the priamry is formatted for use with openssl
## create the primary
seal an external hmac key to a tpm with a PCR policy
export secret="change this password to a secret"
export plain="foo"
echo -n $secret > hmac.key
hexkey=$(xxd -p -c 256 < hmac.key)
echo $hexkey
echo -n $plain > data.in
openssl dgst -sha256 -mac hmac -macopt hexkey:$hexkey data.in
sample demonstrating cross-usage/compatiblity between
go-tpm go-tpm-keyfile go-tpm-tools
package main
EC permanent handle as parent:
https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html#section-3.1.8
// pg26: 7.5.1: https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
// pg 43: B.4.5 Template H-2: ECC NIST P256 (Storage) https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf
| /* | |
| self-signed jwt access to google cloud iap | |
| https://cloud.google.com/iap/docs/authentication-howto#authenticating_with_a_self-signed_jwt | |
| using google auth library | |
| and service account bound inside Trusted Platform Module | |
| */ | |
| package main |
This procedure will transfer an HMAC key created inside TPM-A to TPM-B but prevent TPM-B to transfer it to TPM-C.
Basically, and extension of As an end-to-end example, the following will transfer an RSA key generated on TPM-A to TPM-B but
using tpm2_policyduplicationselect tp prevent further duplication
Step 1 below will transfer a key from A->B, step 2 attempts B->C but is prevented duplication on B by policy
This procedure will transfer an HMAC key created inside TPM-A to TPM-B and then to TPM-C using tpm2_policycommandcode
Basically, and extension of As an end-to-end example, the following will transfer an RSA key generated on TPM-A to TPM-B
To use this, you'll need three VMs.