Merge systemboot tpm library

README.md

@@ -3,7 +3,7 @@ tpmtool is a tool for TPM interaction and disk encryption. It is written in pure
 # Basic Features
 
 -   Supports TPM 1.2 and 2.0 with [Go TSS](https://github.com/google/go-tpm).
--   Higher TPM abstraction layer (TSPI) is implemented in the [systemboot](https://github.com/systemboot/systemboot).
+-   Higher TPM abstraction layer (TSPI) is implemented.
 -   Written in pure Go.
 -   TPM states are derived by Linux sysfs.
 -   Automatic TSS selection based on TPM version.

commands.go

@@ -12,7 +12,7 @@ import (
 	"time"
 
 	"github.com/systemboot/systemboot/pkg/storage"
-	"github.com/systemboot/systemboot/pkg/tpm"
+	"github.com/systemboot/tpmtool/pkg/tpm"
 	"github.com/systemboot/tpmtool/pkg/tpmtool"
 )
 

docs/index.md

@@ -3,7 +3,7 @@ tpmtool is a tool for TPM interaction and disk encryption. It is written in pure
 # Basic Features
 
 -   Supports TPM 1.2 and 2.0 with [Go TSS](https://github.com/google/go-tpm).
--   Higher TPM abstraction layer (TSPI) is implemented in the [systemboot](https://github.com/systemboot/systemboot).
+-   Higher TPM abstraction layer (TSPI) is implemented.
 -   Written in pure Go.
 -   TPM states are derived by Linux sysfs.
 -   Automatic TSS selection based on TPM version.

pkg/tpm/constants.go

@@ -0,0 +1,157 @@
+package tpm
+
+// TPMMaxPCRListSize is the maximum number of PCRs for a TPM
+const TPMMaxPCRListSize = 24
+
+// IAlgHash is the TPM hash algorithm
+type IAlgHash uint16
+
+// We only define TPM hash algorithms here we use
+const (
+	// TPMAlgError is an algorithm error
+	TPMAlgError IAlgHash = 0x0000
+	// TPMAlgSha
+	TPMAlgSha     IAlgHash = 0x0004
+	TPMAlgSha256  IAlgHash = 0x000B
+	TPMAlgSha384  IAlgHash = 0x000C
+	TPMAlgSha512  IAlgHash = 0x000D
+	TPMAlgSm3s256 IAlgHash = 0x0012
+)
+
+// IAlgHashSize is the TPM hash algorithm length
+type IAlgHashSize uint8
+
+const (
+	// TPMAlgShaSize SHA hash size
+	TPMAlgShaSize IAlgHashSize = 20
+	// TPMAlgSha256Size SHA256 hash size
+	TPMAlgSha256Size IAlgHashSize = 32
+	// TPMAlgSha384Size SHA384 hash size
+	TPMAlgSha384Size IAlgHashSize = 48
+	// TPMAlgSha512Size SHA512 hash size
+	TPMAlgSha512Size IAlgHashSize = 64
+	// TPMAlgSm3s256Size SM3-256 hash size
+	TPMAlgSm3s256Size IAlgHashSize = 32
+)
+
+// BIOSLogID is the legacy eventlog type
+type BIOSLogID uint32
+
+const (
+	// EvPrebootCert see [2] specification in tcpa_log.go
+	EvPrebootCert BIOSLogID = 0x0
+	// EvPostCode see [2] specification in tcpa_log.go
+	EvPostCode BIOSLogID = 0x1
+	// EvUnused see [2] specification in tcpa_log.go
+	EvUnused BIOSLogID = 0x2
+	// EvNoAction see [2] specification in tcpa_log.go
+	EvNoAction BIOSLogID = 0x3
+	// EvSeparator see [2] specification in tcpa_log.go
+	EvSeparator BIOSLogID = 0x4
+	// EvAction see [2] specification in tcpa_log.go
+	EvAction BIOSLogID = 0x5
+	// EvEventTag see [2] specification in tcpa_log.go
+	EvEventTag BIOSLogID = 0x6
+	// EvSCRTMContents see [2] specification in tcpa_log.go
+	EvSCRTMContents BIOSLogID = 0x7
+	// EvSCRTMVersion see [2] specification in tcpa_log.go
+	EvSCRTMVersion BIOSLogID = 0x8
+	// EvCPUMicrocode see [2] specification in tcpa_log.go
+	EvCPUMicrocode BIOSLogID = 0x9
+	// EvPlatformConfigFlags see [2] specification in tcpa_log.go
+	EvPlatformConfigFlags BIOSLogID = 0xA
+	// EvTableOfServices see [2] specification in tcpa_log.go
+	EvTableOfServices BIOSLogID = 0xB
+	// EvCompactHash see [2] specification in tcpa_log.go
+	EvCompactHash BIOSLogID = 0xC
+	// EvIPL see [2] specification in tcpa_log.go
+	EvIPL BIOSLogID = 0xD
+	// EvIPLPartitionData see [2] specification in tcpa_log.go
+	EvIPLPartitionData BIOSLogID = 0xE
+	// EvNonHostCode see [2] specification in tcpa_log.go
+	EvNonHostCode BIOSLogID = 0xF
+	// EvNonHostConfig see [2] specification in tcpa_log.go
+	EvNonHostConfig BIOSLogID = 0x10
+	// EvNonHostInfo see [2] specification in tcpa_log.go
+	EvNonHostInfo BIOSLogID = 0x11
+	// EvOmitBootDeviceEvents see [2] specification in tcpa_log.go
+	EvOmitBootDeviceEvents BIOSLogID = 0x12
+)
+
+// BIOSLogTypes are the BIOS eventlog types
+var BIOSLogTypes = map[BIOSLogID]string{
+	EvPrebootCert:          "EV_PREBOOT_CERT",
+	EvPostCode:             "EV_POST_CODE",
+	EvUnused:               "EV_UNUSED",
+	EvNoAction:             "EV_NO_ACTION",
+	EvSeparator:            "EV_SEPARATOR",
+	EvAction:               "EV_ACTION",
+	EvEventTag:             "EV_EVENT_TAG",
+	EvSCRTMContents:        "EV_S_CRTM_CONTENTS",
+	EvSCRTMVersion:         "EV_S_CRTM_VERSION",
+	EvCPUMicrocode:         "EV_CPU_MICROCODE",
+	EvPlatformConfigFlags:  "EV_PLATFORM_CONFIG_FLAGS",
+	EvTableOfServices:      "EV_TABLE_OF_DEVICES",
+	EvCompactHash:          "EV_COMPACT_HASH",
+	EvIPL:                  "EV_IPL",
+	EvIPLPartitionData:     "EV_IPL_PARTITION_DATA",
+	EvNonHostCode:          "EV_NONHOST_CODE",
+	EvNonHostConfig:        "EV_NONHOST_CONFIG",
+	EvNonHostInfo:          "EV_NONHOST_INFO",
+	EvOmitBootDeviceEvents: "EV_OMIT_BOOT_DEVICE_EVENTS",
+}
+
+// EFILogID is the EFI eventlog type
+type EFILogID uint32
+
+const (
+	// EvEFIEventBase is the base value for all EFI platform
+	EvEFIEventBase EFILogID = 0x80000000
+	// EvEFIVariableDriverConfig see [1] specification in tcpa_log.go
+	EvEFIVariableDriverConfig EFILogID = 0x80000001
+	// EvEFIVariableBoot see [1] specification in tcpa_log.go
+	EvEFIVariableBoot EFILogID = 0x80000002
+	// EvEFIBootServicesApplication see [1] specification in tcpa_log.go
+	EvEFIBootServicesApplication EFILogID = 0x80000003
+	// EvEFIBootServicesDriver see [1] specification in tcpa_log.go
+	EvEFIBootServicesDriver EFILogID = 0x80000004
+	// EvEFIRuntimeServicesDriver see [1] specification in tcpa_log.go
+	EvEFIRuntimeServicesDriver EFILogID = 0x80000005
+	// EvEFIGPTEvent see [1] specification in tcpa_log.go
+	EvEFIGPTEvent EFILogID = 0x80000006
+	// EvEFIAction see [1] specification in tcpa_log.go
+	EvEFIAction EFILogID = 0x80000007
+	// EvEFIPlatformFirmwareBlob see [1] specification in tcpa_log.go
+	EvEFIPlatformFirmwareBlob EFILogID = 0x80000008
+	// EvEFIHandoffTables see [1] specification in tcpa_log.go
+	EvEFIHandoffTables EFILogID = 0x80000009
+	// EvEFIHCRTMEvent see [1] specification in tcpa_log.go
+	EvEFIHCRTMEvent EFILogID = 0x80000010
+	// EvEFIVariableAuthority see [1] specification in tcpa_log.go
+	EvEFIVariableAuthority EFILogID = 0x800000E0
+)
+
+// EFILogTypes are the EFI eventlog types
+var EFILogTypes = map[EFILogID]string{
+	EvEFIEventBase:               "EV_EFI_EVENT_BASE",
+	EvEFIVariableDriverConfig:    "EV_EFI_VARIABLE_DRIVER_CONFIG",
+	EvEFIVariableBoot:            "EV_EFI_VARIABLE_BOOT",
+	EvEFIBootServicesApplication: "EV_EFI_BOOT_SERVICES_APPLICATION",
+	EvEFIBootServicesDriver:      "EV_EFI_BOOT_SERVICES_DRIVER",
+	EvEFIRuntimeServicesDriver:   "EV_EFI_RUNTIME_SERVICES_DRIVER",
+	EvEFIGPTEvent:                "EV_EFI_GPT_EVENT",
+	EvEFIAction:                  "EV_EFI_ACTION",
+	EvEFIPlatformFirmwareBlob:    "EV_EFI_PLATFORM_FIRMWARE_BLOB",
+	EvEFIHandoffTables:           "EV_EFI_HANDOFF_TABLES",
+	EvEFIHCRTMEvent:              "EV_EFI_HCRTM_EVENT",
+	EvEFIVariableAuthority:       "EV_EFI_VARIABLE_AUTHORITY",
+}
+
+// TCGAgileEventFormatID is the agile eventlog identifier for EV_NO_ACTION events
+const TCGAgileEventFormatID string = "Spec ID Event03"
+
+// TCGOldEfiFormatID is the legacy eventlog identifier for EV_NO_ACTION events
+const TCGOldEfiFormatID string = "Spec ID Event02"
+
+// HCRTM string for event type EV_EFI_HCRTM_EVENT
+const HCRTM string = "HCRTM"

pkg/tpmtool/tcpa_log_structures.go → pkg/tpm/structures.go

@@ -1,7 +1,9 @@
-package tpmtool
+package tpm
 
 import (
 	"github.com/rekby/gpt"
+
+	"github.com/systemboot/tpmtool/pkg/tpmtool"
 )
 
 // [1] https://members.uefi.org/kws/documents/UEFI_Spec_2_7_A_Sept_6.pdf
@@ -72,21 +74,21 @@ type EFIVariableData struct {
 	variableData       []byte
 }
 
-// TPMIHA is a TPM2 structure
-type TPMIHA struct {
+// IHA is a TPM2 structure
+type IHA struct {
 	hash []byte
 }
 
-// TPMTHA is a TPM2 structure
-type TPMTHA struct {
-	hashAlg TPMIAlgHash
-	digest  TPMIHA
+// THA is a TPM2 structure
+type THA struct {
+	hashAlg IAlgHash
+	digest  IHA
 }
 
-// TPMLDigestValues is a TPM2 structure
-type TPMLDigestValues struct {
+// LDigestValues is a TPM2 structure
+type LDigestValues struct {
 	count   uint32
-	digests []TPMTHA
+	digests []THA
 }
 
 // TcgEfiSpecIDEventAlgorithmSize is a TPM2 structure
@@ -125,7 +127,7 @@ type TcgBiosSpecIDEvent struct {
 type TcgPcrEvent2 struct {
 	pcrIndex  uint32
 	eventType uint32
-	digests   TPMLDigestValues
+	digests   LDigestValues
 	eventSize uint32
 	event     []byte
 }
@@ -141,7 +143,7 @@ type TcgPcrEvent struct {
 
 // PCRDigestValue is the hash and algorithm
 type PCRDigestValue struct {
-	DigestAlg TPMIAlgHash
+	DigestAlg IAlgHash
 	Digest    []byte
 }
 
@@ -155,6 +157,6 @@ type PCRDigestInfo struct {
 
 // PCRLog is a generic PCR eventlog structure
 type PCRLog struct {
-	Firmware FirmwareType
+	Firmware tpmtool.FirmwareType
 	PcrList  []PCRDigestInfo
 }

pkg/tpmtool/tcpa_log.go → pkg/tpm/tcpa_log.go

@@ -1,4 +1,4 @@
-package tpmtool
+package tpm
 
 import (
 	"bytes"
@@ -9,7 +9,7 @@ import (
 	"os"
 	"unicode/utf16"
 
-	"github.com/systemboot/systemboot/pkg/tpm"
+	"github.com/systemboot/tpmtool/pkg/tpmtool"
 )
 
 /*
@@ -31,7 +31,7 @@ var (
 )
 
 // HashAlgoToSize is a map converter for hash to length
-var HashAlgoToSize = map[TPMIAlgHash]TPMIAlgHashSize{
+var HashAlgoToSize = map[IAlgHash]IAlgHashSize{
 	TPMAlgSha:     TPMAlgShaSize,
 	TPMAlgSha256:  TPMAlgSha256Size,
 	TPMAlgSha384:  TPMAlgSha384Size,
@@ -330,7 +330,7 @@ func getEventDataString(eventType uint32, eventData []byte) (*string, error) {
 	return &eventInfo, errors.New("Event type couldn't get parsed")
 }
 
-func readTPM2Log(firmware FirmwareType) (*PCRLog, error) {
+func readTPM2Log(firmware tpmtool.FirmwareType) (*PCRLog, error) {
 	var pcrLog PCRLog
 	pcrLog.Firmware = firmware
 
@@ -464,7 +464,7 @@ func readTPM2Log(firmware FirmwareType) (*PCRLog, error) {
 				return nil, err
 			}
 
-			pcrEvent.digests.digests = make([]TPMTHA, pcrEvent.digests.count)
+			pcrEvent.digests.digests = make([]THA, pcrEvent.digests.count)
 			for i := uint32(0); i < pcrEvent.digests.count; i++ {
 				if err := binary.Read(file, endianess, &pcrEvent.digests.digests[i].hashAlg); err == io.EOF {
 					break
@@ -521,7 +521,7 @@ func readTPM2Log(firmware FirmwareType) (*PCRLog, error) {
 	return &pcrLog, nil
 }
 
-func readTPM1Log(firmware FirmwareType) (*PCRLog, error) {
+func readTPM1Log(firmware tpmtool.FirmwareType) (*PCRLog, error) {
 	var pcrLog PCRLog
 	pcrLog.Firmware = firmware
 
@@ -674,24 +674,24 @@ func readTPM1Log(firmware FirmwareType) (*PCRLog, error) {
 }
 
 // ParseLog is a ,..
-func ParseLog(firmware FirmwareType, tpmSpec string) (*PCRLog, error) {
+func ParseLog(firmware tpmtool.FirmwareType, tpmSpec string) (*PCRLog, error) {
 	var pcrLog *PCRLog
 	var err error
 
 	switch firmware {
-	case Uefi:
-	case Bios:
+	case tpmtool.Uefi:
+	case tpmtool.Bios:
 	default:
 		return nil, errors.New("Firmware not supported yet")
 	}
 
 	switch tpmSpec {
-	case tpm.TPM12:
+	case TPM12:
 		pcrLog, err = readTPM1Log(firmware)
 		if err != nil {
 			return nil, err
 		}
-	case tpm.TPM20:
+	case TPM20:
 		pcrLog, err = readTPM2Log(firmware)
 		if err != nil {
 			// Kernel eventlog workaround does not export agile measurement log..

pkg/tpmtool/tcpa_log_test.go → pkg/tpm/tcpa_log_test.go

@@ -1,32 +1,32 @@
-package tpmtool
+package tpm
 
 import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	"github.com/systemboot/systemboot/pkg/tpm"
+	"github.com/systemboot/tpmtool/pkg/tpmtool"
 )
 
 func TestParseTPM12BiosEventLog(t *testing.T) {
 	DefaultTCPABinaryLog = "tests/binary_bios_measurements_tpm12_bios"
-	_, err := ParseLog(Bios, tpm.TPM12)
+	_, err := ParseLog(tpmtool.Bios, TPM12)
 	require.NoError(t, err)
 }
 
 func TestParseTPM12UefiEventLog(t *testing.T) {
 	DefaultTCPABinaryLog = "tests/binary_bios_measurements_tpm12_efi"
-	_, err := ParseLog(Uefi, tpm.TPM12)
+	_, err := ParseLog(tpmtool.Uefi, TPM12)
 	require.NoError(t, err)
 }
 
 func TestParseTPM20UefiNonAgileEventLog(t *testing.T) {
 	DefaultTCPABinaryLog = "tests/binary_bios_measurements_tpm20_efi_non_agile"
-	_, err := ParseLog(Uefi, tpm.TPM20)
+	_, err := ParseLog(tpmtool.Uefi, TPM20)
 	require.NoError(t, err)
 }
 
 func TestParseTPM20UefiAgileEventLog(t *testing.T) {
 	DefaultTCPABinaryLog = "tests/binary_bios_measurements_tpm20_efi_agile"
-	_, err := ParseLog(Uefi, tpm.TPM20)
+	_, err := ParseLog(tpmtool.Uefi, TPM20)
 	require.NoError(t, err)
 }

pkg/tpm/tests/fake_active_0

@@ -0,0 +1 @@
+0

pkg/tpm/tests/fake_active_1

@@ -0,0 +1 @@
+1

pkg/tpm/tests/fake_caps_tpm12

@@ -0,0 +1,3 @@
+Manufacturer: 0x53544d20
+TCG version: 1.2
+Firmware version: 8.16

pkg/tpm/tests/fake_enabled_0

@@ -0,0 +1 @@
+0

pkg/tpm/tests/fake_enabled_1

@@ -0,0 +1 @@
+1

pkg/tpm/tests/fake_owned_0

@@ -0,0 +1 @@
+0

pkg/tpm/tests/fake_owned_1

@@ -0,0 +1 @@
+1

pkg/tpm/tests/fake_temp_deactivated_0

@@ -0,0 +1 @@
+0