Add support for TPM1.2 enrollment. #52

Merged
merged 7 commits into from
Jan 17, 2025
Merged
2 changes: 1 addition & 1 deletion WORKSPACE
Expand Up @@ -46,7 +46,7 @@ load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_depe

go_rules_dependencies()

go_register_toolchains(go_version = "1.19")
go_register_toolchains(go_version = "1.20")

# gazelle:repo bazel_gazelle
bazel_gazelle()
28 changes: 28 additions & 0 deletions proto/tpm_enrollz.proto
Expand Up @@ -26,6 +26,7 @@ option go_package = "github.com/openconfig/attestz";
message GetIakCertRequest {
// Switch control card selected identifier.
ControlCardSelection control_card_selection = 1;

}

// Response from the specified control card containing its Initial Attestation
Expand All @@ -43,6 +44,7 @@ message GetIakCertResponse {
// card. It should only be populated for standby/secondary control card when
// no direct communication to that control card is possible.
string idevid_cert = 3;

}

// Request for a given control card to rotate/install an owner Initial
Expand Down Expand Up @@ -81,6 +83,25 @@ message RotateOIakCertResponse {
// changes.
}

// The RotateAIKCertRequest handles the workflow for enrollment of TPM1.2
// devices. The initial request will include the issuer_public_key to allow
// the building of the AIK which will then be returned and used to generate
// the AIK cert. For any updates after initial enrollment the new AIK cert
// can just be returned.
message RotateAIKCertRequest {
oneof value {
bytes issuer_public_key = 1;
string aik_cert = 2;
}
}

message RotateAIKCertResponse {
oneof value {
bytes application_identity_public_key = 1;
bool finalized = 2;
}
}

// The service is responsible for TPM enrollment workflow on the switch
// owner/administrator side. In this workflow switch owner verifies device's
// Initial Attestation Key (IAK) and Initial DevID (IDevID) certificates (signed
Expand All @@ -106,4 +127,11 @@ service TpmEnrollzService {
// present on the device, then a new one is persisted. Otherwise, a new oIAK
// cert should overwrite an existing oIAK cert on the device.
rpc RotateOIakCert(RotateOIakCertRequest) returns (RotateOIakCertResponse);

// For TPM1.2 systems the following RPC's are used to enroll the device.
// RotateAIKCert takes the public key of the issuer and uses it as input to
// generate the AIK. The AIK is then returned to the caller for use in AIK
// cert generation then returned to the device for storage and finalization.
rpc RotateAIKCert(stream RotateAIKCertRequest) returns (stream RotateAIKCertRequest);

}
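Review bot: The new RPC `rpc RotateAIKCert(stream RotateAIKCertRequest) returns (stream RotateAIKCertRequest);` returns the request message, while `RotateAIKCertResponse` (added in the earlier hunk of this file) is never referenced; the comment above the RPC says the AIK is returned to the caller, which is what `application_identity_public_key` in the response carries, so this looks like a typo and should read `rpc RotateAIKCert(stream RotateAIKCertRequest) returns (stream RotateAIKCertResponse);`. Separately, `RotateAIKCertResponse` and all four oneof members have no leading comments, unlike every other message and field in this file; at minimum the `bytes` fields should state their encoding (DER, PEM, or a raw TPM structure — the page does not say which) so the receiving side knows how to parse and validate `issuer_public_key` before building the AIK and `application_identity_public_key` before issuing a cert for it. As a style point, the existing RPCs spell the acronym `Iak`/`OIak` (`GetIakCert`, `RotateOIakCert`), so `RotateAikCert`/`RotateAikCertRequest` would be consistent, and since these messages are new the rename is cheap now and source-breaking later.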