Add generalized support for Restricted Decryption operations (ActivateCredential, Import, StartAuthSession) by chrisfenner · Pull Request #395 · google/go-tpm

Merged May 8, 2025 (6 commits)

chrisfenner (Member) commented Apr 19, 2025

Asymmetric restricted decryption keys (e.g., EK/SRK) can be either RSA or ECC and support the following flows:

  • Key attestation with ActivateCredential
  • Object unwrap with Import
  • Salted session establishment with StartAuthSession

This change splits apart the algorithm-specific asymmetric crypto, and the parent-algorithm-agnostic protocols. This PR names the first part "Labeled Key Encapsulation" because it is very much like a KEM with an additional label (that depends on which protocol is being used). The advantage of this splitup, aside from aiding understandability, is that new algorithms for PQC can be added to the "Labeled KEM" side without touching the protocols.

This change adds helper functions that can be used to create attestation credentials/challenges as well as object import blobs, and refactors the existing salted session code to leverage the same Labeled KEM code.

This change vendors the test vectors from https://github.com/chrisfenner/tpm-test-vectors, which provide comprehensive coverage for this crypto protocol code.

This change introduces a .gitallowed file, because git-secrets was yelling at me about the JSON files containing the string "KEY" :)

chrisfenner marked this pull request as ready for review April 19, 2025 23:09
chrisfenner requested review from alexmwu, jkl73 and a team as code owners April 19, 2025 23:09
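
The "Labeled Key Encapsulation" split described in the PR description above, sketched as an added example (not code from this PR or from go-tpm): RSA-OAEP with a per-protocol label, where a ciphertext produced for one protocol fails to decapsulate under another protocol's label. The function names, the freshly generated 2048-bit key standing in for an EK/SRK, and SHA-256 as the name algorithm are assumptions; the label strings follow the TPM 2.0 Library specification.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// OAEP labels per protocol, including the trailing NUL (TPM 2.0 Library spec).
var labelIdentity = []byte("IDENTITY\x00")   // ActivateCredential
var labelDuplicate = []byte("DUPLICATE\x00") // Import
var labelSecret = []byte("SECRET\x00")       // StartAuthSession salt

// encapsulate (hypothetical name) picks a random secret and wraps it to pub
// under the given protocol label.
func encapsulate(pub *rsa.PublicKey, label []byte) (secret, ct []byte, err error) {
	secret = make([]byte, sha256.Size)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, label)
	return secret, ct, err
}

// decapsulate (hypothetical name) recovers the secret; OAEP rejects the
// ciphertext if the label differs from the one used to encapsulate.
func decapsulate(priv *rsa.PrivateKey, label, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, label)
}

// demo reports whether a same-label round trip matched, and the error
// returned when an IDENTITY ciphertext is opened with the DUPLICATE label.
func demo() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for an EK/SRK
	if err != nil {
		return false, err
	}
	secret, ct, err := encapsulate(&priv.PublicKey, labelIdentity)
	if err != nil {
		return false, err
	}
	got, err := decapsulate(priv, labelIdentity, ct)
	if err != nil {
		return false, err
	}
	_, crossErr := decapsulate(priv, labelDuplicate, ct)
	return bytes.Equal(secret, got), crossErr
}

func main() { fmt.Println(demo()) }
```

The protocol layer (credential, import blob, session salt) would derive its keys from the returned secret; only `encapsulate`/`decapsulate` change when a new parent algorithm is added.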
chrisfenner (Member, Author) commented:

In parallel to this, I started working on test vectors. I've got some test vectors now, so I'm going to refactor the implementation a bit to make use of them.

chrisfenner force-pushed the restricted-decryption branch from 7156b55 to 388df4f April 29, 2025 16:04
alexmwu (Contributor) left a comment:

Neat! The new "Table 27: Protection Values" table saved me a lot of effort, nice job on the spec updates!

chrisfenner merged commit d88acdb into google:main May 8, 2025
4 checks passed