
feature/tpm: check TPM family data for compatibility (#17624)

Check that the TPM we have opened is advertised as a 2.0 family device
before using it for state sealing / hardware attestation.

Updates #17622

Signed-off-by: Patrick O'Doherty <[email protected]>
Patrick O'Doherty 4 달 전
부모
커밋
36ad24b20f
4개의 변경된 파일22개의 추가작업 그리고 4개의 파일을 삭제
  1. 4 4
      feature/tpm/tpm.go
  2. 13 0
      feature/tpm/tpm_test.go
  3. 1 0
      ipn/ipnlocal/c2n_test.go
  4. 4 0
      tailcfg/tailcfg.go

+ 4 - 4
feature/tpm/tpm.go

@@ -55,12 +55,11 @@ func init() {
 }
 
 func tpmSupported() bool {
-	tpm, err := open()
-	if err != nil {
+	hi := infoOnce()
+	if hi == nil {
 		return false
 	}
-	tpm.Close()
-	return true
+	return hi.FamilyIndicator == "2.0"
 }
 
 var verboseTPM = envknob.RegisterBool("TS_DEBUG_TPM")
@@ -104,6 +103,7 @@ func info() *tailcfg.TPMInfo {
 		{tpm2.TPMPTVendorTPMType, func(info *tailcfg.TPMInfo, value uint32) { info.Model = int(value) }},
 		{tpm2.TPMPTFirmwareVersion1, func(info *tailcfg.TPMInfo, value uint32) { info.FirmwareVersion += uint64(value) << 32 }},
 		{tpm2.TPMPTFirmwareVersion2, func(info *tailcfg.TPMInfo, value uint32) { info.FirmwareVersion += uint64(value) }},
+		{tpm2.TPMPTFamilyIndicator, toStr(&info.FamilyIndicator)},
 	} {
 		resp, err := tpm2.GetCapability{
 			Capability:    tpm2.TPMCapTPMProperties,
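Review bot: The new `return hi.FamilyIndicator == "2.0"` in tpmSupported only matches if the value stored by `toStr(&info.FamilyIndicator)` has its trailing NUL removed, since the TPM 2.0 spec defines TPM_PT_FAMILY_INDICATOR as a 4-octet character string ("2.0" followed by a NUL); toStr is not in the hunk, so confirm it trims, or normalize where the property is decoded, e.g. `strings.TrimRight(s, "\x00")`, rather than relying on an exact compare. Separately, tpmSupported used to open the device on every call, whereas infoOnce presumably caches one result for the process, so a transient open failure on the first call would presumably leave the TPM reported as unsupported until restart — worth a comment on infoOnce if that is intended. The second hunk shows neither what info() does when GetCapability fails for TPMPTFamilyIndicator nor the body of toStr; info() starts and ends outside the hunk.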

+ 13 - 0
feature/tpm/tpm_test.go

@@ -133,6 +133,19 @@ func TestStore(t *testing.T) {
 	})
 }
 
+func BenchmarkInfo(b *testing.B) {
+	b.StopTimer()
+	skipWithoutTPM(b)
+	b.StartTimer()
+	for i := 0; i < b.N; i++ {
+		hi := info()
+		if hi == nil {
+			b.Fatalf("tpm info error")
+		}
+	}
+	b.StopTimer()
+}
+
 func BenchmarkStore(b *testing.B) {
 	skipWithoutTPM(b)
 	b.StopTimer()
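Review bot: The trailing `b.StopTimer()` in BenchmarkInfo is redundant, because the testing package stops the timer when the benchmark function returns, and the StopTimer/skip/StartTimer prelude is the long form of `skipWithoutTPM(b)` followed by `b.ResetTimer()`. `b.Fatalf("tpm info error")` has no format verbs; `b.Fatal("tpm info error")` says the same. BenchmarkStore in the context lines orders the skip before the timer call, so using one shape for both keeps the file consistent.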

+ 1 - 0
ipn/ipnlocal/c2n_test.go

@@ -384,6 +384,7 @@ func TestRedactNetmapPrivateKeys(t *testing.T) {
 		f(tailcfg.Service{}, "Port"):                       false,
 		f(tailcfg.Service{}, "Proto"):                      false,
 		f(tailcfg.Service{}, "_"):                          false,
+		f(tailcfg.TPMInfo{}, "FamilyIndicator"):            false,
 		f(tailcfg.TPMInfo{}, "FirmwareVersion"):            false,
 		f(tailcfg.TPMInfo{}, "Manufacturer"):               false,
 		f(tailcfg.TPMInfo{}, "Model"):                      false,

+ 4 - 0
tailcfg/tailcfg.go

@@ -928,6 +928,10 @@ type TPMInfo struct {
 	// https://trustedcomputinggroup.org/resource/tpm-library-specification/.
 	// Before revision 184, TCG used the "01.83" format for revision 183.
 	SpecRevision int `json:",omitempty"`
+
+	// FamilyIndicator is the TPM spec family, like "2.0".
+	// Read from TPM_PT_FAMILY_INDICATOR.
+	FamilyIndicator string `json:",omitempty"`
 }
 
 // Present reports whether a TPM device is present on this machine.
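Review bot: The FamilyIndicator doc comment should state how the 4-octet TPM_PT_FAMILY_INDICATOR value is normalized, in particular whether the trailing NUL is stripped, since this field travels over the wire and the tpm feature compares it to "2.0" by exact string equality; once confirmed, something like `// FamilyIndicator is the TPM spec family, like "2.0", read from TPM_PT_FAMILY_INDICATOR with any trailing NUL removed.` would settle it for readers on both sides. If this file follows the convention of bumping CurrentCapabilityVersion when a field is added to a wire type, this commit does not appear to do so. The TPMInfo struct starts outside the hunk.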