// Copyright (c) 2020 Zededa, Inc.
// SPDX-License-Identifier: Apache-2.0
package types
import (
"encoding/hex"
"github.com/google/go-cmp/cmp"
"github.com/lf-edge/eve/pkg/pillar/base"
)
// AttestState represents a state in the attest state machine.
type AttestState int32

// States of the attestation state machine, in the order they are normally
// traversed. The numeric values come from iota and are internal (not wire
// visible); String() relies on them being dense and starting at zero.
const (
	StateNone               AttestState = iota // State when (Re)Starting attestation
	StateNonceWait                             // Waiting for response from Controller for Nonce request
	StateInternalQuoteWait                     // Waiting for internal PCR quote to be published
	StateInternalEscrowWait                    // Waiting for internal Escrow data to be published
	StateAttestWait                            // Waiting for response from Controller for PCR quote
	StateAttestEscrowWait                      // Waiting for response from Controller for Escrow data
	StateRestartWait                           // Waiting for restart timer to expire, to start all over again
	StateComplete                              // Everything w.r.t attestation is complete
	StateAny                                   // Not a real state per se. helps defining wildcard transitions(below)
)

// String returns the human readable name of an AttestState.
//
// Any value outside the declared constants (including negative values,
// since the underlying type is signed) is reported as "Unknown State".
func (state AttestState) String() string {
	// Slot index equals the constant's value, so this table must mirror the
	// const block above exactly.
	names := [...]string{
		StateNone:               "StateNone",
		StateNonceWait:          "StateNonceWait",
		StateInternalQuoteWait:  "StateInternalQuoteWait",
		StateInternalEscrowWait: "StateInternalEscrowWait",
		StateAttestWait:         "StateAttestWait",
		StateAttestEscrowWait:   "StateAttestEscrowWait",
		StateRestartWait:        "StateRestartWait",
		StateComplete:           "StateComplete",
		StateAny:                "StateAny",
	}
	if state < 0 || int(state) >= len(names) {
		return "Unknown State"
	}
	return names[state]
}
// AttestNonce carries nonce published by requester.
//
// The nonce bytes double as the pubsub key (see Key), so a publisher must
// make them unique per request; nothing in this type checks that.
type AttestNonce struct {
	Nonce     []byte // raw nonce bytes as supplied by the requester
	Requester string // presumably the name of the requesting agent — confirm against the publisher
}

// Key returns the lowercase hex encoding of the nonce, which is also the
// pubsub key. An empty nonce yields an empty key.
func (nonce AttestNonce) Key() string {
	encoded := make([]byte, hex.EncodedLen(len(nonce.Nonce)))
	hex.Encode(encoded, nonce.Nonce)
	return string(encoded)
}
// LogCreate emits a notice that an AttestNonce object was created.
//
// NewLogObject may return nil; in that case nothing is logged.
func (nonce AttestNonce) LogCreate(logBase *base.LogObject) {
	if logObject := base.NewLogObject(logBase, base.AttestNonceLogType, "",
		nilUUID, nonce.LogKey()); logObject != nil {
		logObject.Noticef("Attest nonce create")
	}
}
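// LogModify emits a notice that an AttestNonce object was modified, with a
// structural diff of the old and new values attached as the "diff" field.
//
// old must be the previous AttestNonce; any other dynamic type is a
// programming error and is reported via Fatalf. Fatalf is expected to
// terminate the process; the explicit return after it is defensive, so that
// a non-terminating Fatalf can never log a diff against a zero-value nonce.
func (nonce AttestNonce) LogModify(logBase *base.LogObject, old interface{}) {
	logObject := base.EnsureLogObject(logBase, base.AttestNonceLogType, "",
		nilUUID, nonce.LogKey())
	oldNonce, ok := old.(AttestNonce)
	if !ok {
		logObject.Clone().Fatalf("LogModify: Old object interface passed is not of AttestNonce type")
		return
	}
	// XXX remove? The diff writes the full old and new nonce bytes into the log.
	logObject.CloneAndAddField("diff", cmp.Diff(oldNonce, nonce)).
		Noticef("Attest nonce modify")
}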
// LogDelete emits a notice that an AttestNonce object was deleted and then
// drops the corresponding log object. The key is computed once and reused
// for both steps.
func (nonce AttestNonce) LogDelete(logBase *base.LogObject) {
	key := nonce.LogKey()
	base.EnsureLogObject(logBase, base.AttestNonceLogType, "", nilUUID, key).
		Noticef("Attest nonce delete")
	base.DeleteLogObject(logBase, key)
}
// LogKey returns the log-object key: the AttestNonce log type, a dash, and
// the hex nonce from Key().
func (nonce AttestNonce) LogKey() string {
	prefix := string(base.AttestNonceLogType)
	return prefix + "-" + nonce.Key()
}
// SigAlg denotes the Signature algorithm in use e.g. ECDSA, RSASSA.
type SigAlg uint8

// CertType carries the certificate use case e.g. ek, ecdh_exchange etc.
type CertType uint8

// CertHashType carries the hash algo used to compute the short hash.
type CertHashType uint8

// PCRExtendHashType carries the hash algo used in PCR Extend operation.
type PCRExtendHashType uint8

// CertMetaDataType is used for telling which type of MetaData is populated.
type CertMetaDataType uint8

// Different values for CertMetaDataType. Values are written out explicitly
// so the number behind each name is visible at a glance.
const (
	CertMetaDataTypeNone       CertMetaDataType = 0 // no metadata attached
	CertMetaDataTypeTpm2Public CertMetaDataType = 1 // Data holds a TPM2 public area (presumably a TPM2B_PUBLIC blob — confirm against tpmmgr)
)

// CertMetaData stores a pair of type and value for a MetaData.
type CertMetaData struct {
	Type CertMetaDataType // which kind of blob Data carries
	Data []byte           // opaque bytes; interpretation depends on Type, not validated here
}

// Signature algorithms a quote may be signed with (see AttestQuote.SigType).
const (
	SigAlgNone   SigAlg = 0 // unspecified / unknown
	EcdsaSha256  SigAlg = 1 // ECDSA with SHA-256
	RsaRsassa256 SigAlg = 2 // RSASSA with SHA-256 (presumably PKCS#1 v1.5, as TPM_ALG_RSASSA — confirm against tpmmgr)
)

// PCR Extend Hash Algorithm used, i.e. the PCR bank a PCRValue was read from.
// NOTE(review): SHA-1 banks are legacy; a verifier should prefer the SHA-256
// bank where the TPM offers both.
const (
	PCRExtendHashAlgoNone   PCRExtendHashType = 0
	PCRExtendHashAlgoSha1   PCRExtendHashType = 1
	PCRExtendHashAlgoSha256 PCRExtendHashType = 2
)

// Needs to match api/proto/attest/attest.proto:ZEveCertType
// Various types defined under CertType. These numbers are wire visible, so
// they are spelled out rather than derived from iota: do not renumber.
const (
	CertTypeNone            CertType = 0 // Default
	CertTypeOnboarding      CertType = 1
	CertTypeRestrictSigning CertType = 2
	CertTypeEk              CertType = 3
	CertTypeEcdhXchange     CertType = 4
)
// PCRValue contains value of single PCR
type PCRValue struct {
	Index  uint8             // PCR index (typically 0-23 on a TPM 2.0); not range-checked here
	Algo   PCRExtendHashType // hash bank the digest was read from, see PCRExtendHashAlgo* constants
	Digest []byte            // raw PCR digest; its length presumably follows Algo (20 bytes SHA-1, 32 bytes SHA-256) — not validated here
}
// AttestQuote contains attestation quote
type AttestQuote struct {
	Nonce     []byte     //Nonce provided by the requester; doubles as the pubsub key (see Key). The verifier presumably checks it against the nonce it issued — confirm on the controller side
	SigType   SigAlg     //The signature algorithm used
	Signature []byte     //ASN1 encoded signature
	Quote     []byte     //the quote structure
	PCRs      []PCRValue //pcr values. NOTE(review): these are presumably not covered by Signature individually — a TPM quote signs a digest over the selected PCRs inside Quote — so a verifier should recompute that digest from this list rather than trust it as-is; confirm against the consumer
}
// Key uniquely identifies an AttestQuote object: the lowercase hex encoding
// of the nonce the quote answers. An empty nonce yields an empty key.
func (quote AttestQuote) Key() string {
	encoded := make([]byte, hex.EncodedLen(len(quote.Nonce)))
	hex.Encode(encoded, quote.Nonce)
	return string(encoded)
}
// LogCreate emits a notice that an AttestQuote object was created.
//
// NewLogObject may return nil; in that case nothing is logged.
func (quote AttestQuote) LogCreate(logBase *base.LogObject) {
	if logObject := base.NewLogObject(logBase, base.AttestQuoteLogType, "",
		nilUUID, quote.LogKey()); logObject != nil {
		logObject.Noticef("Attest quote create")
	}
}
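// LogModify emits a notice that an AttestQuote object was modified, with a
// structural diff of the old and new values attached as the "diff" field.
//
// old must be the previous AttestQuote; any other dynamic type is a
// programming error and is reported via Fatalf. Fatalf is expected to
// terminate the process; the explicit return after it is defensive, so that
// a non-terminating Fatalf can never log a diff against a zero-value quote.
func (quote AttestQuote) LogModify(logBase *base.LogObject, old interface{}) {
	logObject := base.EnsureLogObject(logBase, base.AttestQuoteLogType, "",
		nilUUID, quote.LogKey())
	oldQuote, ok := old.(AttestQuote)
	if !ok {
		logObject.Clone().Fatalf("LogModify: Old object interface passed is not of AttestQuote type")
		return
	}
	// XXX remove? The diff dumps the full quote, signature and PCR bytes into
	// the log, which is verbose for every modification.
	logObject.CloneAndAddField("diff", cmp.Diff(oldQuote, quote)).
		Noticef("Attest quote modify")
}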
// LogDelete emits a notice that an AttestQuote object was deleted and then
// drops the corresponding log object. The key is computed once and reused
// for both steps.
func (quote AttestQuote) LogDelete(logBase *base.LogObject) {
	key := quote.LogKey()
	base.EnsureLogObject(logBase, base.AttestQuoteLogType, "", nilUUID, key).
		Noticef("Attest quote delete")
	base.DeleteLogObject(logBase, key)
}
// LogKey returns the log-object key: the AttestQuote log type, a dash, and
// the hex nonce from Key().
func (quote AttestQuote) LogKey() string {
	prefix := string(base.AttestQuoteLogType)
	return prefix + "-" + quote.Key()
}
// Needs to match api/proto/attest/attest.proto:ZEveCertHashType
// Various CertHashType fields.
//
// NOTE(review): unlike the other enums in this file these constants are
// untyped, so they also satisfy plain integer contexts; they are kept untyped
// here for compatibility with existing callers.
const (
	CertHashTypeNone          = 0 // no hash / unset
	CertHashTypeSha256First16 = 1 // hash with sha256, the 1st 16 bytes of result in 'certHash'
)
// EdgeNodeCert : contains additional device certificates such as
// - attest signing certificate published by tpmmgr
// - ECDH certificate published by tpmmgr
//
// Key() is derived from CertID, so two certificates with the same short hash
// would collide in pubsub.
type EdgeNodeCert struct {
	HashAlgo      CertHashType   //hash method used to arrive at certHash
	CertID        []byte         //Hash of the cert, computed using hashAlgo. With CertHashTypeSha256First16 this is 16 bytes; NOTE(review): a 128-bit truncated hash is fine as an identifier but should not be relied on as a collision-resistant binding
	CertType      CertType       //type of the certificate
	Cert          []byte         //PEM encoded
	IsTpm         bool           //TPM generated or, not. NOTE(review): self-reported by the publisher; a remote verifier cannot trust it without attestation
	MetaDataItems []CertMetaData //Meta data items associated with this cert(can be empty)
}
// Key uniquely identifies the certificate: the lowercase hex encoding of
// CertID. An empty CertID yields an empty key.
func (cert EdgeNodeCert) Key() string {
	encoded := make([]byte, hex.EncodedLen(len(cert.CertID)))
	hex.Encode(encoded, cert.CertID)
	return string(encoded)
}
// LogCreate emits a notice that an EdgeNodeCert object was created.
//
// NewLogObject may return nil; in that case nothing is logged.
func (cert EdgeNodeCert) LogCreate(logBase *base.LogObject) {
	if logObject := base.NewLogObject(logBase, base.EdgeNodeCertLogType, "",
		nilUUID, cert.LogKey()); logObject != nil {
		logObject.Noticef("Edge node cert create")
	}
}
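// LogModify emits a notice that an EdgeNodeCert object was modified, with a
// structural diff of the old and new values attached as the "diff" field.
//
// old must be the previous EdgeNodeCert; any other dynamic type is a
// programming error and is reported via Fatalf. Fatalf is expected to
// terminate the process; the explicit return after it is defensive, so that
// a non-terminating Fatalf can never log a diff against a zero-value cert.
func (cert EdgeNodeCert) LogModify(logBase *base.LogObject, old interface{}) {
	logObject := base.EnsureLogObject(logBase, base.EdgeNodeCertLogType, "",
		nilUUID, cert.LogKey())
	oldCert, ok := old.(EdgeNodeCert)
	if !ok {
		logObject.Clone().Fatalf("LogModify: Old object interface passed is not of EdgeNodeCert type")
		return
	}
	// XXX remove? The diff dumps the full PEM certificate and metadata blobs
	// into the log on every modification.
	logObject.CloneAndAddField("diff", cmp.Diff(oldCert, cert)).
		Noticef("Edge node cert modify")
}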
// LogDelete emits a notice that an EdgeNodeCert object was deleted and then
// drops the corresponding log object. The key is computed once and reused
// for both steps.
func (cert EdgeNodeCert) LogDelete(logBase *base.LogObject) {
	key := cert.LogKey()
	base.EnsureLogObject(logBase, base.EdgeNodeCertLogType, "", nilUUID, key).
		Noticef("Edge node cert delete")
	base.DeleteLogObject(logBase, key)
}
// LogKey returns the log-object key: the EdgeNodeCert log type, a dash, and
// the hex CertID from Key().
func (cert EdgeNodeCert) LogKey() string {
	prefix := string(base.EdgeNodeCertLogType)
	return prefix + "-" + cert.Key()
}