add pcr policy support

salrashid123 · Apr 8, 2024 · 74581fd · 74581fd
1 parent 452be5d
commit 74581fd
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -52,10 +52,10 @@ On the TPM device, generate a self-signed  RSA key.
 The following generates an RSA on the device, then a self-signed x509 cert.  It then creates a _persistent handle_ to the key on NV area of the TPM (so that it survives system reboots)
 
 ```bash
-git clone https://github.com/salrashid123/go_tpm_https_embed.git
-cd go_tpm_https_embed/
-go run src/selfsigned/main.go 
-more x509cert.pem 
+git clone https://github.com/salrashid123/signer.git
+cd signer/util/
+go run  certgen/certgen.go  --filename /tmp/server.crt --persistentHandle=0x81008003 --sni server.domain.com --cn=server.domain.com 
+more /tmp/server.crt 
 ```
 
 Note that instead of a self-signed cert, the same repo above has a function that will issue a CSR which you can issue an x509 against.  
@@ -83,7 +83,7 @@ On the machine with the TPM, specify the PROJECT_ID and the default persistent h
 ```bash
 CGO_ENABLED=0 go build -o gcp-adc-tpm adc.go
 
-./gcp-adc-tpm --persistentHandle=0x81008000 --svcAccountEmail="tpm-sa@$PROJECT_ID.iam.gserviceaccount.com"
+./gcp-adc-tpm --persistentHandle=0x81008003 --svcAccountEmail="tpm-sa@$PROJECT_ID.iam.gserviceaccount.com" 
 
 ## output is json Token specs
 {
@@ -114,14 +114,43 @@ You can also invoke this binary as a full TokenSource as well:  see
 for `gcloud` cli, you could apply the token directly using [--access-token-file](https://cloud.google.com/sdk/gcloud/reference#--access-token-file):
 
 ```bash
-gcp-adc-tpm --persistentHandle=0x81008000 --svcAccountEmail="tpm-sa@$PROJECT_ID.iam.gserviceaccount.com" | jq -r '.access_token' > token.txt
+gcp-adc-tpm --persistentHandle=0x81008000 --svcAccountEmail="tpm-sa@$PROJECT_ID.iam.gserviceaccount.com"  | jq -r '.access_token' > token.txt
 
 gcloud storage ls --access-token-file=token.txt
 ``` 
 
 ---
 
+### PCR and Password Policies
 
+if you want to create a service account key which has a PCR policy attached to it:
+
+```bash
+# tpm2_flushcontext -s
+# tpm2_flushcontext -t
+
+ tpm2_startauthsession -S session.dat
+ tpm2_policypcr -S session.dat -l sha256:23  -L policy.dat
+ tpm2_flushcontext session.dat
+ tpm2_createprimary -C o -c primary2.ctx
+ tpm2_create -G rsa2048:rsassa:null -g sha256 -u rsa2.pub -r rsa2.priv -C primary2.ctx  -L policy.dat
+ tpm2_load -C primary2.ctx -u rsa2.pub -r rsa2.priv -c rsa2.ctx
+ tpm2_evictcontrol -C o -c rsa2.ctx 0x81008004
+
+git clone https://github.com/salrashid123/signer.git
+cd signer/util/
+go run  tpm_selfsigned_policy/main.go  --x509certFile /tmp/server.crt --persistentHandle=0x81008004 
+more /tmp/server.crt 
+```
+
+
+```bash
+gcp-adc-tpm --persistentHandle=0x81008004 \
+   --svcAccountEmail="tpm-sa@$PROJECT_ID.iam.gserviceaccount.com" --pcrs=23  | jq -r '.access_token' > token.txt
+```
+
+
+---
 
 Finally, you may want to restrict access to the TPM device by applying [tpm-udev.rules](https://github.com/salrashid123/tpm2#non-root-access-to-in-kernel-resource-manager-devtpmrm0-usint-tpm2-tss)
 

diff --git a/adc.go b/adc.go
@@ -1,3 +1,7 @@
+// Creates creates GCP access tokens where the service account key
+// is saved on a Trusted Platform Module (TPM).
+//
+//	see https://github.com/salrashid123/gce_metadata_server
 package main
 
 import (
@@ -9,9 +13,11 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"strconv"
+	"strings"
 	"time"
 
-	jwt "github.com/golang-jwt/jwt/v4"
+	jwt "github.com/golang-jwt/jwt/v5"
 
 	"github.com/google/go-tpm-tools/client"
 	"github.com/google/go-tpm/legacy/tpm2"
@@ -31,6 +37,8 @@ var (
 	tpmPath          = flag.String("tpm-path", "/dev/tpm0", "Path to the TPM device (character device or a Unix socket).")
 	persistentHandle = flag.Uint("persistentHandle", 0x81008000, "Handle value")
 	svcAccountEmail  = flag.String("svcAccountEmail", "", "Service Account Email")
+	pcrs             = flag.String("pcrs", "", "PCR Bound value (increasing order, comma separated)")
+	scopes           = flag.String("scopes", "https://www.googleapis.com/auth/cloud-platform", "comma separated scopes")
 )
 
 type oauthJWT struct {
@@ -49,7 +57,32 @@ func main() {
 		os.Exit(1)
 	}
 	defer rwc.Close()
-	k, err := client.LoadCachedKey(rwc, tpmutil.Handle(*persistentHandle), nil)
+	var k *client.Key
+
+	if *pcrs != "" {
+		strpcrs := strings.Split(*pcrs, ",")
+		var pcrList = []int{}
+
+		for _, i := range strpcrs {
+			j, err := strconv.Atoi(i)
+			if err != nil {
+				fmt.Printf("ERROR:  could convert pcr value: %v", err)
+				os.Exit(1)
+			}
+			pcrList = append(pcrList, j)
+		}
+
+		fmt.Printf(">>>%v\n", pcrList)
+		s, err := client.NewPCRSession(rwc, tpm2.PCRSelection{tpm2.AlgSHA256, pcrList})
+		if err != nil {
+			fmt.Printf("Unable to initialize tpmJWT: %v", err)
+			os.Exit(1)
+		}
+		k, err = client.LoadCachedKey(rwc, tpmutil.Handle(*persistentHandle), s)
+	} else {
+		k, err = client.LoadCachedKey(rwc, tpmutil.Handle(*persistentHandle), client.NullSession{})
+	}
+
 	if err != nil {
 		fmt.Printf("ERROR:  could not initialize Key: %v", err)
 		os.Exit(1)
@@ -67,7 +100,7 @@ func main() {
 			IssuedAt:  jwt.NewNumericDate(iat),
 			ExpiresAt: jwt.NewNumericDate(exp),
 		},
-		"https://www.googleapis.com/auth/cloud-platform",
+		strings.Replace(*scopes, ",", " ", -1),
 	}
 
 	tpmjwt.SigningMethodTPMRS256.Override()

diff --git a/go.mod b/go.mod
@@ -3,10 +3,10 @@ module github.com/salrashid123/gcp-adc-tpm
 go 1.21
 
 require (
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/go-tpm v0.9.0
 	github.com/google/go-tpm-tools v0.4.0
-	github.com/salrashid123/golang-jwt-tpm v1.1.2
+	github.com/salrashid123/golang-jwt-tpm v1.3.0
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -1,7 +1,7 @@
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
@@ -31,6 +31,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/salrashid123/golang-jwt-tpm v1.1.2 h1:Arsj8FKUb8TiNFC1bOEqfssSSWkWoNccyDsdAKG2vOg=
 github.com/salrashid123/golang-jwt-tpm v1.1.2/go.mod h1:yipaLDdIYPikIhVhp4PD4x01dxTGYQFBIN3+DwHNESE=
+github.com/salrashid123/golang-jwt-tpm v1.3.0 h1:N9TIfe+TNVyGHi7xfJq4mOtr6pkZqVshc3zQuXh/wCQ=
+github.com/salrashid123/golang-jwt-tpm v1.3.0/go.mod h1:kxgtjiHArZCs+O0wNxr+nKMUTazdH3vWqBfjuQeMIm8=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8=