Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rgl/tpm-go-attestation-vagrant

tpm go-attestation playground
https://github.com/rgl/tpm-go-attestation-vagrant

go remote-attestation swtpm tpm tpm2

Last synced: 26 days ago
JSON representation

tpm go-attestation playground

Host: GitHub
URL: https://github.com/rgl/tpm-go-attestation-vagrant
Owner: rgl
Created: 2021-01-01T16:35:34.000Z (almost 4 years ago)
Default Branch: master
Last Pushed: 2022-05-21T17:43:04.000Z (over 2 years ago)
Last Synced: 2024-10-05T18:22:07.167Z (about 2 months ago)
Topics: go, remote-attestation, swtpm, tpm, tpm2
Language: Go
Homepage:
Size: 80.1 KB
Stars: 4
Watchers: 3
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # Usage

Install the [Ubuntu 20.04 UEFI vagrant box](https://github.com/rgl/ubuntu-vagrant).

Install the [Windows 2022 UEFI vagrant box](https://github.com/rgl/windows-vagrant).

Install the [swtpm](https://github.com/stefanberger/swtpm) packages as described in [swtpm-vagrant](https://github.com/rgl/swtpm-vagrant).

Start the environment then do a self-test attestation:

```bash

# start the server.

time vagrant up --provider=libvirt --no-destroy-on-error --no-tty server

# start the ubuntu client.

time vagrant up --provider=libvirt --no-destroy-on-error --no-tty client0

# enter the envirment.

vagrant ssh client0

# switch to root.

sudo -i

# show information about the tpm.

attest-tool info

# show the swtpm root ca certificate (this signs the swtpm ca).

openssl x509 -noout -text -in /opt/swtpm-localca/swtpm-localca-rootca-cert.pem

# show the swtpm ca intermediate certificate (this signs the tpm ek).

openssl x509 -noout -text -in /opt/swtpm-localca/swtpm-localca-cert.pem

# list the tpm endorsement keys (ek) certificates.

attest-tool list-eks | openssl x509 -noout -text

# do a self-test attestation.

attest-tool self-test

```

Access the `server` page to see the known clients:

  http://10.11.0.101:8000

Click one of the clients to go to its Remove Attestation page.

Click the "Start Remote Attestation" button and go through the remote attestation steps.

# Real-World Projects

* [Secure Production Identity Framework For Everyone (SPIFFE)](https://github.com/spiffe/spiffe)

* [SPIFFE Runtime Environment (SPIRE)](https://github.com/spiffe/spire)

  * [TPM2 based node attestation plugin](https://github.com/bloomberg/spire-tpm-plugin)

* [Keylime (Bootstrap & Maintain Trust on the Edge / Cloud and IoT)](https://keylime.dev/)

# References

* [Go-Attestation library](https://github.com/google/go-attestation)

  * [attest-tool self-test](https://github.com/google/go-attestation/blob/v0.4.3/attest/attest-tool/attest-tool.go#L119-L132)

* [Remote Attestation with TPM (in the context of SPIRE)](https://github.com/bloomberg/spire-tpm-plugin/blob/master/TPM.md)

* [Remote Attestation With TPM2 Tools](https://tpm2-software.github.io/2020/06/12/Remote-Attestation-With-tpm2-tools.html)

* [tpm-js (experiment with a software Trusted Platform Module (TPM) in your browser)](https://google.github.io/tpm-js/)

* [Using the TPM - It's Not Rocket Science (Anymore) - Johannes Holland & Peter Huewe](https://www.youtube.com/watch?v=XwaSyHJIos8)