Merge physical-tpm-preview to main (for v1.12) (#174)

* CASSINI-8033: Support Azure TDX report generation in Amber client CLI (intel#43)

* Updated Azure adapter per TDX1.4 preview.

* resolve tpm read issue

- paravisor only update report when read full region

Signed-off-by: Jerry Yu <jerry.yu@intel.com>

* Removed GET nonce call to TrustAuthority.

* update README

* define nv index 0x1400002 if not yet

Signed-off-by: Jerry Yu <jerry.yu@intel.com>

* verify user data hash in the evidence

Ensure the collected evidence matches the user data(hash)
provided to the vTPM

* use nonce to validate the evidence freshness

* print out base64 encoded evidence (#97)

Signed-off-by: Jerry Yu <jerry.yu@intel.com>

* Modified Connector to use new attestation end-point for Azure tdvm. (#100)

* Add sleep time of 3 sec to reflect user data in runtime data.

* Updated Azure adapter per TDX1.4 preview.

* Modified Connector to use new attestation end-point for Azure tdvm. (#100)

* Azure TDX+vTPM composite attestation (#125)

* Draft changes for TDX/TPM composite attestation.

* Help correction.

* Misc code clean up.

* Misc cleanup

* Add pcr selection, additional refactoring of TPM/adapter.

* Owner auth, request-ids, token signing alg.

* Updates while debugging against poc/tpm_with_coordinator-main-rebase cc75186c.

* Minor changes

* Add user-data/verifier-nonce handling

* Miscellaneous fixes from debugging.

* Add sleep to workaround Azure bug.

* Adjust the name of user_data/nonce.

* Wire up misc command line options into request body.

* Refactor TPM/vTPM and composite attestation.

* Revive "evidence" command (by popular demand).

* Correct command line usage (--aztdx vs. --tdx).

* Fix incorrect error handling in TPM adapter.

* Enable checkmarx check in CI

* Bump CLI version.

* CI updates.

* Unit test correction.

* Unit test corrections.

* Cassini 21810 -- README files for AZ-TDX/vTPM preview (#139)

* Initial commit for TPM readmes.

* Changes from first review feedback; ready for final review.

* Fix typo

---------

Co-authored-by: Thompson, Kent <kent.thompson@intel.com>

* CASSINI-21986: Remove 3 second sleep from azure adapter.

* Misc fixes, unit tests and comment updates.

* Correction.

* Address pull request comments.

* Miscellaneous fixes made during "physical-tpm" validation. (#144)

* CASSINI-21986: Remove 3 second sleep from azure adapter.

* Misc fixes, unit tests and comment updates.

* Correction.

* Address pull request comments.

* Address pull request comments.

* Remove info message when writing to NV ram.

* Remove info/time from logrus messages when used in trustauthority-cli.

* Clean up comment.

* Consistently print '0x' and hex for TPM handles.

* AK provisioning.

* Changes to send TPMT_Public instead of AK public key to the provisioning service.

* WIP:  Debug ak-provisioning, add tpm-simulator and initial unit tests.

* Unit test correction.

* Unit test correction.

* Add Ak certificate to evidence command.

* Update ak provisioning endpoint

* Address CASSINI-22273 and other miscellaneous changes.

* Misc code clean up.

* Misc updates for validation (error typo, max handle values, support
"all" for pcr selections, better config.json parsing).

* Fix unit tests.

* Rebase with tpm-preview.

* Consistently add '0x' and hex to TPM handle messages.

* WIP

* Unit tests for go-tpm package.

* Misc cleanup.

* Fix connector unit-tests.

* Increase unit-test coverage for go-connector package.

* Version bump.

* Unit test correction.

* Unit test correction.

* Address PR comments.

---------

Signed-off-by: Jerry Yu <jerry.yu@intel.com>
Co-authored-by: Yanhui Zhao <wildyz.yky@gmail.com>
Co-authored-by: Rawat, Arvind <arvind.rawat@intel.com>
Co-authored-by: Jerry Yu <jerry.yu@intel.com>
Co-authored-by: Yanhui Zhao <yanhui.zhao@intel.com>
Co-authored-by: Glenn Minch <97639000+grminch@users.noreply.github.com>

Author: 5 people

go-aztdx/aztdx_test.go

@@ -38,6 +38,16 @@ func (m *MockTpm) CreateEK(ekHandle int) error {
 	return args.Error(0)
 }
 
+func (m *MockTpm) CreateAK(akHandle int, ekHandle int) error {
+	args := m.Called(akHandle, ekHandle)
+	return args.Error(0)
+}
+
+func (m *MockTpm) ActivateCredential(ekHandle int, akHandle int, credentialBlob []byte, secret []byte) ([]byte, error) {
+	args := m.Called(ekHandle, akHandle, credentialBlob, secret)
+	return args.Get(0).([]byte), args.Error(1)
+}
+
 func (m *MockTpm) NVRead(nvHandle int) ([]byte, error) {
 	args := m.Called(nvHandle)
 	return args.Get(0).([]byte), args.Error(1)

go-connector/ak_certificate.go

@@ -0,0 +1,89 @@
+/*
+ *   Copyright (c) 2022-2024 Intel Corporation
+ *   All rights reserved.
+ *   SPDX-License-Identifier: BSD-3-Clause
+ */
+
+package connector
+
+import (
+	"bytes"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type akCertificateRequest struct {
+	EkCertificateDer []byte `json:"ek_certificate_der"`
+	AKTpmtPublic     []byte `json:"ak_tpmt_public"`
+}
+
+type akCertificateRequestResponse struct {
+	CredentialBlob     []byte `json:"credential_blob"`
+	Secret             []byte `json:"secret"`
+	EncryptedAkCertDer []byte `json:"encrypted_ak_cert_der"`
+}
+
+const akProvisioningApiPath = "/ak-provisioning/v1/ak-certs"
+
+func (connector *trustAuthorityConnector) GetAKCertificate(ekCert *x509.Certificate, akTpmtPublic []byte) ([]byte, []byte, []byte, error) {
+	if ekCert == nil {
+		return nil, nil, nil, errors.New("EK certificate cannot be nil")
+	}
+
+	if len(akTpmtPublic) == 0 {
+		return nil, nil, nil, errors.New("The AK's TPMT_PUBLIC cannot be nil or empty")
+	}
+
+	akCertRequest := akCertificateRequest{
+		AKTpmtPublic:     akTpmtPublic,
+		EkCertificateDer: ekCert.Raw,
+	}
+
+	requestBody, err := json.Marshal(akCertRequest)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	logrus.Debugf("REQ: %s", string(requestBody))
+
+	url := fmt.Sprintf("%s%s", connector.cfg.ApiUrl, akProvisioningApiPath)
+	newRequest := func() (*http.Request, error) {
+		return http.NewRequest(http.MethodPost, url, bytes.NewReader(requestBody))
+	}
+
+	var headers = map[string]string{
+		headerXApiKey:     connector.cfg.ApiKey,
+		headerAccept:      mimeApplicationJson,
+		headerContentType: mimeApplicationJson,
+		HeaderRequestId:   uuid.New().String(),
+	}
+
+	var response akCertificateRequestResponse
+	processResponse := func(resp *http.Response) error {
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return errors.Errorf("Failed to read body from %s: %s", url, err)
+		}
+
+		dec := json.NewDecoder(bytes.NewReader(body))
+		dec.DisallowUnknownFields()
+		err = dec.Decode(&response)
+		if err != nil {
+			return errors.Errorf("Failed to decode json from %s: %s", err, string(body))
+		}
+		return nil
+	}
+
+	if err := doRequest(*connector.rclient, connector.cfg.TlsCfg, newRequest, nil, headers, processResponse); err != nil {
+		return nil, nil, nil, err
+	}
+
+	return response.CredentialBlob, response.Secret, response.EncryptedAkCertDer, nil
+}

go-connector/ak_certificate_test.go

@@ -0,0 +1,47 @@
+/*
+ *   Copyright (c) 2022-2024 Intel Corporation
+ *   All rights reserved.
+ *   SPDX-License-Identifier: BSD-3-Clause
+ */
+
+package connector
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestGetAKCertificate(t *testing.T) {
+	testServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == akProvisioningApiPath {
+			w.WriteHeader(http.StatusOK)
+			response := akCertificateRequestResponse{}
+
+			j, err := json.Marshal(&response)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			w.Write([]byte(j))
+		} else {
+			w.WriteHeader(http.StatusNotFound)
+		}
+	}))
+
+	ctr, err := New(&Config{
+		ApiUrl: testServer.URL,
+		TlsCfg: &tls.Config{InsecureSkipVerify: true},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, _, _, err = ctr.GetAKCertificate(&x509.Certificate{}, make([]byte, 100))
+	if err != nil {
+		t.Fatal(err)
+	}
+}

go-connector/connector.go

@@ -8,6 +8,7 @@ package connector
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"net/http"
 	"net/url"
 	"strings"
@@ -33,6 +34,11 @@ type Connector interface {
 	// only "azure" is supported.  'reqId' is an optional string that is included in the
 	// x-request-id header that can be used for troubleshooting.
 	AttestEvidence(evidence interface{}, cloudProvider string, reqId string) (AttestResponse, error)
+
+	// GetAkCertificate sends the TPM's EK certificate and the AK's TPMT_PUBLIC structure
+	// to Intel Trust Authority and returns an encrypted AK certificate, a secret, and credential blob
+	// that can be decrypted by the TPM (ActivateCredential command).
+	GetAKCertificate(ekCert *x509.Certificate, akTpmtPublic []byte) ([]byte, []byte, []byte, error)
 }
 
 // GetNonceArgs holds the request parameters needed for getting nonce from Intel Trust Authority

go-connector/connector_factory.go

@@ -0,0 +1,25 @@
+/*
+ *   Copyright (c) 2022-2024 Intel Corporation
+ *   All rights reserved.
+ *   SPDX-License-Identifier: BSD-3-Clause
+ */
+
+package connector
+
+// ConnectorFactory is an interface for instantiating Connector
+// objects.
+type ConnectorFactory interface {
+	NewConnector(config *Config) (Connector, error)
+}
+
+// NewConnectorFactory returns a default instance of ConnectorFactory
+// that will communicate with a remote instance of Intel Trust Authority.
+func NewConnectorFactory() ConnectorFactory {
+	return &connectorFactory{}
+}
+
+type connectorFactory struct{}
+
+func (c *connectorFactory) NewConnector(config *Config) (Connector, error) {
+	return New(config)
+}

go-connector/mocks_test.go

@@ -6,6 +6,8 @@
 package connector
 
 import (
+	"crypto/x509"
+
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/mock"
 )
@@ -46,3 +48,8 @@ func (m *MockConnector) AttestEvidence(evidence interface{}, cloudProvider strin
 	args := m.Called(evidence, cloudProvider, reqId)
 	return args.Get(0).(AttestResponse), args.Error(1)
 }
+
+func (m *MockConnector) GetAKCertificate(ekCert *x509.Certificate, akTpmtPublic []byte) ([]byte, []byte, []byte, error) {
+	args := m.Called(ekCert, akTpmtPublic)
+	return args.Get(0).([]byte), args.Get(1).([]byte), args.Get(2).([]byte), args.Error(3)
+}

go-tpm/activate.go

@@ -0,0 +1,64 @@
+/*
+ *   Copyright (c) 2022-2024 Intel Corporation
+ *   All rights reserved.
+ *   SPDX-License-Identifier: BSD-3-Clause
+ */
+
+package tpm
+
+import (
+	"github.com/canonical/go-tpm2"
+	"github.com/pkg/errors"
+)
+
+func (tpm *trustedPlatformModule) ActivateCredential(ekHandle int, akHandle int, credentialBlob []byte, secret []byte) ([]byte, error) {
+
+	// verify the ak handle and create an "akContext" needed for ActivateCredential
+	ak := tpm2.Handle(akHandle)
+	if ak.Type() != tpm2.HandleTypePersistent {
+		return nil, ErrInvalidHandle
+	}
+
+	if !tpm.ctx.DoesHandleExist(ak) {
+		return nil, ErrHandleDoesNotExist
+	}
+
+	akContext, err := tpm.ctx.NewResourceContext(ak)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Failed to create resource context for handle 0x%x", akHandle)
+	}
+	akContext.SetAuthValue(tpm.ownerAuth)
+
+	// verify the ek handle and create an "ekContext" needed for ActivateCredential
+	ek := tpm2.Handle(ekHandle)
+	if ek.Type() != tpm2.HandleTypePersistent {
+		return nil, ErrInvalidHandle
+	}
+
+	if !tpm.ctx.DoesHandleExist(ek) {
+		return nil, ErrHandleDoesNotExist
+	}
+
+	ekContext, err := tpm.ctx.NewResourceContext(ek)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Failed to create resource context for handle 0x%x", ekHandle)
+	}
+
+	// start a session with endorsement hierarchy policy permissions
+	ekAuthSession, err := tpm.ctx.StartAuthSession(nil, nil, tpm2.SessionTypePolicy, nil, tpm2.HashAlgorithmSHA256)
+	if err != nil {
+		return nil, err
+	}
+
+	_, _, err = tpm.ctx.PolicySecret(tpm.ctx.EndorsementHandleContext(), ekAuthSession, nil, nil, 0, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	decrypted, err := tpm.ctx.ActivateCredential(akContext, ekContext, credentialBlob, secret, nil, ekAuthSession)
+	if err != nil {
+		return nil, err
+	}
+
+	return decrypted, nil
+}

go-tpm/activate_test.go

@@ -0,0 +1,9 @@
+/*
+ *   Copyright (c) 2022-2024 Intel Corporation
+ *   All rights reserved.
+ *   SPDX-License-Identifier: BSD-3-Clause
+ */
+
+package tpm
+
+// TODO:  negative unit tests for ActivateCredential (positive test are in tpm_e2e_test.go)