Add pk and kek to the SecureBootState proto message and populate them. #534
Conversation
proto/attest.proto
Outdated
| @@ -149,6 +149,10 @@ message SecureBootState { | |||
| // Authority events post-separator. Pre-separator authorities | |||
| // are currently not supported. | |||
| Database authority = 4; | |||
| // Platform Keys | |||
There was a problem hiding this comment.
nit: please keep comments consistent:
"The Secure Boot Platform key, used to sign key exchange keys."
| // Platform Keys | ||
| Database pk = 5; | ||
| // Exchange Keys | ||
| Database kek = 6; |
There was a problem hiding this comment.
"The Secure Boot Key Exchange Keys, used to sign db and dbx updates."
Done |
There was a problem hiding this comment.
Tests are failing (https://github.com/google/go-tpm-tools/actions/runs/13159943001/job/36742118354?pr=534). You need to regenerate the pb files and check the changes in using go generate ./...
server/eventlog_test.go
Outdated
| for _, cert := range msState.GetSecureBoot().GetKek().GetCerts() { | ||
| switch c := cert.GetRepresentation().(type) { | ||
| case *attestpb.Certificate_Der: | ||
| if !bytes.Equal(c.Der, MicrosoftKEKCA2011Cert) { |
There was a problem hiding this comment.
nit: it would be nice to update
go-tpm-tools/server/eventlog.go
Line 418 in 7fe225f
There was a problem hiding this comment.
Done.
And as discussed offline, I also added GceDefaultPKCert to this list of well known certificates.
Done. Regenerated attest.pb.go and tpm.pb.go. |
server/eventlog_test.go
Outdated
| case *attestpb.Certificate_WellKnown: | ||
| if c.WellKnown == attestpb.WellKnownCertificate_UNKNOWN { | ||
| t.Error(("found WellKnownCertificate_UNKNOWN in pk")) | ||
| } | ||
| if c.WellKnown == attestpb.WellKnownCertificate_GCE_DEFAULT_PK { | ||
| containsGCEDefaultPK = true | ||
| } | ||
| } |
There was a problem hiding this comment.
this could be simplified:
certs := msState.GetSecureBoot().GetPk().GetCerts()
if len(certs) != 1 {
t.Error()
}
wkRep, ok := certs[0].(*attestpb.Certificate_WellKnown)
if !ok {
t.Error()
}
if wkRep.WellKnown != WellKnownCertificate_GCE_DEFAULT_PK{
t.Error()
}
Same with the KEK check.
There was a problem hiding this comment.
this could be simplified:
certs := msState.GetSecureBoot().GetPk().GetCerts() if len(certs) != 1 { t.Error() } wkRep, ok := certs[0].(*attestpb.Certificate_WellKnown) if !ok { t.Error() } if wkRep.WellKnown != WellKnownCertificate_GCE_DEFAULT_PK{ t.Error() }Same with the KEK check.
Done
No description provided.