Skip to content

Fix ekcert checking #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kfox1111 merged 1 commit into from
Feb 11, 2026
+86 −1,180
Merged

Fix ekcert checking #21

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions ci/docker/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
FROM golang:latest AS go

FROM ubuntu:20.04

RUN addgroup --gid 1000 docker \
&& adduser --uid 1000 --ingroup docker --home /home/docker --shell /bin/sh --disabled-password --gecos "" docker
FROM ubuntu:24.04

RUN apt-get update \
&& apt-get install -y \
adduser \
curl \
gcc \
libtspi-dev \
Expand All @@ -15,6 +13,9 @@ RUN apt-get update \
tpm2-tools \
xxd

RUN addgroup --gid 1001 docker \
&& adduser --uid 1001 --ingroup docker --home /home/docker --shell /bin/sh --disabled-password --gecos "" docker

RUN USER=docker \
&& GROUP=docker \
&& curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.4.1/fixuid-0.4.1-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - \
Expand Down
4 changes: 2 additions & 2 deletions ci/tpm2_ek_cert_generator/generate_ek_cert.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,8 +187,8 @@ if command -v tpm2_getpubek > /dev/null 2>&1; then
tpm2_nvdefine -x "${h_ek_pub_crt}" -a "${h_authorization}" -s "${ek_der_cert_size}" -t "${ek_cert_nvram_attr}"
tpm2_nvwrite -x "${h_ek_pub_crt}" -a "${h_authorization}" -f "${output_der_crt}"
else
tpm2_nvdefine "${h_ek_pub_crt}" -p "${h_authorization}" -s "${ek_der_cert_size}"
tpm2_nvwrite "${h_ek_pub_crt}" -P "${h_authorization}" -i "${output_der_crt}"
tpm2_nvdefine "${h_ek_pub_crt}" -C "${h_authorization}" -s "${ek_der_cert_size}" -a "${ek_cert_nvram_attr}"
tpm2_nvwrite "${h_ek_pub_crt}" -C "${h_authorization}" -i "${output_der_crt}"
fi

# Show EK certificate in console
Expand Down
17 changes: 3 additions & 14 deletions ci/tpm2_ek_cert_generator/openssl/configs/tpm2_ekc.csr.config
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,3 @@
openssl_conf = openssl_init

[openssl_init]
oid_section = tpm_oids

[tpm_oids]
TPMManufacturer=tcg_at_tpmManufacturer,2.23.133.2.1
TPMModel=tcg-at-tpmModel,2.23.133.2.2
TPMVersion=tcg-at-tpmVersion,2.23.133.2.3
TPMSpecification=tcg-at-tpmSpecification,2.23.133.2.16

[req]
#prompt = no
default_bits = 2048
Expand All @@ -23,9 +12,9 @@ req_extensions = v3_req


[v3_req]
subjectAltName=ASN1:SEQUENCE:dir_seq
basicConstraints=CA:FALSE
keyUsage = keyEncipherment
subjectAltName=critical,ASN1:SEQUENCE:dir_seq
basicConstraints=critical,CA:FALSE
keyUsage=critical,keyEncipherment


[dir_seq]
Expand Down
1 change: 0 additions & 1 deletion cmd/get_tpm_pubhash/get_tpm_pubhash_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ func TestFakeTPM(t *testing.T) {
defer client.CheckedClose(t, s)

tpm, err := attest.OpenTPM(&attest.OpenConfig{
TPMVersion: attest.TPMVersion20,
CommandChannel: &common_test.TPMCmdChannel{ReadWriteCloser: s},
})
require.NoError(t, err)
Expand Down
4 changes: 1 addition & 3 deletions cmd/get_tpm_pubhash/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,9 +27,7 @@ import (
)

func main() {
tpm, err := attest.OpenTPM(&attest.OpenConfig{
TPMVersion: attest.TPMVersion20,
})
tpm, err := attest.OpenTPM(&attest.OpenConfig{})
if err != nil {
log.Fatalln(err)
}
Expand Down
36 changes: 21 additions & 15 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,38 +1,44 @@
module github.com/bloomberg/spire-tpm-plugin

go 1.23.0

toolchain go1.23.2
go 1.24.0

require (
github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9
github.com/google/go-tpm-tools v0.3.8
github.com/google/go-attestation v0.6.1-0.20260123045045-5514d09200e7
Copy link
Author

@arianvp arianvp Jan 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the (unreleased) commit that implements exactly what we want. google/go-attestation@5514d09

github.com/google/go-tpm-tools v0.4.7
github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94
github.com/spiffe/spire-plugin-sdk v1.7.0
github.com/stretchr/testify v1.7.1
github.com/stretchr/testify v1.9.0
google.golang.org/grpc v1.56.3
)

require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/fatih/color v1.13.0 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/certificate-transparency-go v1.1.2 // indirect
github.com/google/go-tpm v0.3.3 // indirect
github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad // indirect
github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc // indirect
github.com/google/go-sev-guest v0.14.0 // indirect
github.com/google/go-tdx-guest v0.3.2-0.20241009005452-097ee70d0843 // indirect
github.com/google/go-tpm v0.9.8 // indirect
github.com/google/logger v1.1.1 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/hashicorp/go-hclog v1.2.0 // indirect
github.com/hashicorp/go-plugin v1.4.3 // indirect
github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
github.com/jhump/protoreflect v1.9.0 // indirect
github.com/kr/pretty v0.2.1 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/mattn/go-colorable v0.1.12 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/mitchellh/go-testing-interface v1.0.0 // indirect
github.com/oklog/run v1.0.0 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
golang.org/x/crypto v0.36.0 // indirect
golang.org/x/net v0.38.0 // indirect
golang.org/x/sys v0.31.0 // indirect
golang.org/x/text v0.23.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.45.0 // indirect
golang.org/x/net v0.47.0 // indirect
golang.org/x/sys v0.40.0 // indirect
golang.org/x/text v0.31.0 // indirect
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/yaml.v3 v3.0.0 // indirect
google.golang.org/protobuf v1.35.1 // indirect
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
Loading