tpm2

package module
v0.0.0-...-d0e3238 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 12, 2020 License: LGPL-3.0 Imports: 26 Imported by: 5

README

go-tpm2

Build Status GoDoc

This repository contains a go library for interacting with TPM 2.0 devices. Some currently supported features are:

  • All authorization modes: cleartext password, HMAC session based and policy session based.
  • All session configurations: salted or unsalted + bound or unbound.
  • Session-based command and response parameter encryption using AES-CFB or XOR obfuscation.
  • Session-based command auditing.
  • Backends for Linux TPM character devices and TPM simulators implementing the Microsoft TPM 2.0 simulator interface.

The current support status for each command group is detailed below.

Command group Support Comment
Start-up Full
Testing Full
Session Commands Full
Object Commands Full
Duplication Commands Partial TPM2_Duplicate and TPM2_Import are supported
Asymmetric Primitives None
Symmetric Primitives None
Random Number Generator Full
Hash/HMAC/Event Sequences None
Attestation Commands Full
Ephemeral EC Keys None
Signing and Signature Verification Full
Command Audit Full
Integrity Collection (PCR) Partial TPM2_PCR_Extend, TPM2_PCR_Event, TPM2_PCR_Read and TPM2_PCR_Reset are supported
Enhanced Authorization (EA) Commands Partial All commands are supported except for TPM2_PolicyLocality, TPM2_PolicyPhysicalPresence, TPM2_PolicyTemplate and TPM2_PolicyAuthorizeNV
Hierarchy Commands Partial TPM2_CreatePrimary, TPM2_Clear, TPM2_ClearControl and TPM2_HierarchyChangeAuth are supported
Dictionary Attack Functions Full
Miscellaneous Management Functions None
Field Upgrade None
Context Management Full
Clocks and Timers Partial TPM2_ReadClock is supported
Capability Commands Full
Non-Volatile Storage Partial All commands are supported except for TPM2_NV_Certify
Vendor Specific None

Documentation

Overview

Package tpm2 implements an API for communicating with TPM 2.0 devices.

This documentation refers to TPM commands and types that are described in more detail in the TPM 2.0 Library Specification, which can be found at https://trustedcomputinggroup.org/resource/tpm-library-specification/. Knowledge of this specification is assumed in this documentation.

Communication with Linux TPM character devices and TPM simulators implementing the Microsoft TPM2 simulator interface is supported. The core type by which consumers of this package communicate with a TPM is TPMContext.

Quick start

In order to create a new TPMContext that can be used to communicate with a Linux TPM character device: 

 tcti, err := tpm2.OpenTPMDevice("/dev/tpm0")
 if err != nil {
	 return err
 }
 tpm, _ := tpm2.NewTPMContext(tcti)

In order to create and persist a new storage primary key: 

 tcti, err := tpm2.OpenTPMDevice("/dev/tpm0")
 if err != nil {
	return err
 }
 tpm, _ := tpm2.NewTPMContext(tcti)

 template = tpm2.Public{
	Type:    tpm2.ObjectTypeRSA,
	NameAlg: tpm2.HashAlgorithmSHA256,
	Attrs: tpm2.AttrFixedTPM | tpm2.AttrFixedParent | tpm2.AttrSensitiveDataOrigin | tpm2.AttrUserWithAuth | tpm2.AttrNoDA | tpm2.AttrRestricted | tpm2.AttrDecrypt,
	Params: tpm2.PublicParamsU{
		Data: &tpm2.RSAParams{
			Symmetric: tpm2.SymDefObject{
				Algorithm: tpm2.SymObjectAlgorithmAES,
				KeyBits:   tpm2.SymKeyBitsU{Data: uint16(128)},
				Mode:      tpm2.SymModeU{Data: tpm2.SymModeCFB}},
			Scheme:   tpm2.RSAScheme{Scheme: tpm2.RSASchemeNull},
			KeyBits:  2048,
			Exponent: 0}},
	Unique: tpm2.PublicIDU{Data: make(tpm2.PublicKeyRSA, 256)}}
 context, _, _, _, _, err := tpm.CreatePrimary(tpm.OwnerHandleContext(), nil, &template, nil, nil, nil)
 if err != nil {
	return err
 }

 persistentContext, err := tpm.EvictControl(tpm.OwnerHandleContext(), context, tpm2.Handle(0x81000001), nil)
 if err != nil {
	return err
 }
 // persistentContext is a ResourceContext corresponding to the new persistent storage primary key.

In order to evict a persistent object: 

 tcti, err := tpm2.OpenTPMDevice("/dev/tpm0")
 if err != nil {
	return err
 }
 tpm, _ := tpm2.NewTPMContext(tcti)

 context, err := tpm.CreateResourceContextFromTPM(tpm2.Handle(0x81000001))
 if err != nil {
	 return err
 }

 if _, err := tpm.EvictControl(tpm.OwnerHandleContext(), context, context.Handle(), nil); err != nil {
	 return err
 }
 // The resource associated with context is now unavailable.

Parameter marshalling and unmarshalling

This package marshals go types to and from the TPM wire format, according to the following rules:

  • UINT8 <-> uint8
  • BYTE <-> byte
  • INT8 <-> int8
  • BOOL <-> bool
  • UINT16 <-> uint16
  • INT16 <-> int16
  • UINT32 <-> uint32
  • INT32 <-> int32
  • UINT64 <-> uint64
  • INT64 <-> int64
  • TPM2B prefixed types (sized buffers with a 2-byte size field) fall in to 2 categories:
  • Byte buffer <-> []byte, or any type with an identical underlying type.
  • Sized structure <-> struct referenced via a pointer field in an enclosing struct, where the field has the `tpm2:"sized"` tag. A zero sized struct is represented as a nil pointer.
  • TPMA prefixed types (attributes) <-> whichever go type corresponds to the underlying TPM type (UINT8, UINT16, or UINT32).
  • TPM_ALG_ID (algorithm enum) <-> AlgorithmId
  • TPML prefixed types (lists with a 4-byte length field) <-> slice of whichever go type corresponds to the underlying TPM type.
  • TPMS prefixed types (structures) <-> struct
  • TPMT prefixed types (structures with a tag field used as a union selector) <-> struct
  • TPMU prefixed types (unions) <-> struct with a single field and which implements the Union interface. These must be referenced from a field in an enclosing struct, where the field has the `tpm2:"selector:<field_name>"` tag referencing a valid selector field name in the enclosing struct.

TPMI prefixed types (interface types) are generally not explicitly supported. These are used by the TPM for type checking during unmarshalling. Some TPMI prefixed types that use TPM_ALG_ID as the underlying concrete type are implemented.

Pointer types are automatically dereferenced.

The marshalling code parses the "tpm2" tag on struct fields, the value of which is a comma separated list of options. These options are:

  • selector:<field_name> - used when the field is a struct that implements the Union interface. <field_name> references the name of another field in the struct, the value of which is used as the selector for the union type.
  • sized - used when the field is a struct, to indicate that it should be marshalled and unmarshalled as a sized struct. The field must be a pointer to a struct, and a nil pointer indicates a zero-sized struct.
  • raw - used when the field is a slice, to indicate that it should be marshalled and unmarshalled without a length (if it represents a list) or size (if it represents a sized buffer) field. The slice must be pre-allocated to the correct length by the caller during unmarshalling.

Authorization types

Some TPM resources require authorization in order to use them in some commands. There are 3 main types of authorization supported by this package:

  • Cleartext password: A cleartext authorization value is sent to the TPM by calling ResourceContext.SetAuthValue and supplying the ResourceContext to a function requiring authorization. Authorization succeeds if the correct value is sent.

  • HMAC session: Knowledge of an authorization value is demonstrated by calling ResourceContext.SetAuthValue and supplying the ResourceContext to a function requiring authorization, along with a session with the type SessionTypeHMAC. Authorization succeeds if the computed HMAC matches that expected by the TPM.

  • Policy session: A ResourceContext is supplied to a function requiring authorization along with a session with the type SessionTypePolicy, containing a record of and the result of a sequence of assertions. Authorization succeeds if the conditions required by the resource's authorization policy are satisfied.

The type of authorizations permitted for a resource is dependent on the authorization role (user, admin or duplication), the type of resource and the resource's attributes.

Index

Constants

View Source 
const (
	CapabilityMaxProperties uint32 = math.MaxUint32
)
View Source 
const (
	DefaultRSAExponent = 65537
)

Variables

View Source 
var Separator separatorSentinel

Separator is a sentinel value used to separate command handles, command parameters, response handle pointers and response parameter pointers in the variable length params argument in TPMContext.RunCommand.

Functions

func DecodeResponseCode 

func DecodeResponseCode(command CommandCode, resp ResponseCode) error

DecodeResponseCode decodes the ResponseCode provided via resp. If the specified response code is Success, it returns no error, else it returns an error that is appropriate for the response code. The command code is used for adding context to the returned error.

func MarshalToBytes 

func MarshalToBytes(vals ...interface{}) ([]byte, error)

MarshalToBytes marshals vals to the TPM wire format, according to the rules specified in "Parameter marshalling and unmarshalling". A nil pointer encountered during marshalling causes the zero value for the type to be marshalled, unless the pointer is to a sized structure.

If successful, this function returns the marshalled data. If this function does not complete successfully, it will return an error. In this case, no data will be returned.

func MarshalToWriter 

func MarshalToWriter(buf io.Writer, vals ...interface{}) error

MarshalToWriter marshals vals to buf in the TPM wire format, according to the rules specified in "Parameter marshalling and unmarshalling". A nil pointer encountered during marshalling causes the zero value for the type to be marshalled, unless the pointer is to a sized structure.

If this function does not complete successfully, it will return an error. In this case, a partial result may have been written to buf.

func UnmarshalFromBytes 

func UnmarshalFromBytes(b []byte, vals ...interface{}) (int, error)

UnmarshalFromBytes unmarshals data in the TPM wire format from b to vals, according to the rules specified in "Parameter marshalling and unmarshalling". The values supplied to this function must be pointers to the destination values. Nil pointer fields encountered during unmarshalling will result in memory being allocated for those values, unless the pointer represents a zero-sized sized struct. New slices will always be created - even if the caller pre-allocates them, unless it is a RawBytes type or a field with the `tpm2:"raw"` tag.

If successful, this function returns the number of bytes consumed from b. If this function does not complete successfully, it will return an error and zero for the number of bytes consumed. In this case, partial results may have been unmarshalled to the supplied destination values.

func UnmarshalFromReader 

func UnmarshalFromReader(buf io.Reader, vals ...interface{}) error

UnmarshalFromReader unmarshals data in the TPM wire format from buf to vals, according to the rules specified in "Parameter marshalling and unmarshalling". The values supplied to this function must be pointers to the destination values. Nil pointer fields encountered during unmarshalling will result in memory being allocated for those values, unless the pointer represents a zero-sized sized struct. New slices will always be created - even if the caller pre-allocates them, unless it is a RawBytes type or a field with the `tpm2:"raw"` tag.

If this function does not complete successfully, it will return an error. In this case, partial results may have been unmarshalled to the supplied destination values.

Types

type AlgorithmAttributes 

type AlgorithmAttributes uint32

AlgorithmAttributes corresponds to the TPMA_ALGORITHM type and represents the attributes for an algorithm. 

const (
	AttrAsymmetric AlgorithmAttributes = 1 << 0
	AttrSymmetric  AlgorithmAttributes = 1 << 1
	AttrHash       AlgorithmAttributes = 1 << 2
	AttrObject     AlgorithmAttributes = 1 << 3
	AttrSigning    AlgorithmAttributes = 1 << 8
	AttrEncrypting AlgorithmAttributes = 1 << 9
	AttrMethod     AlgorithmAttributes = 1 << 10
)

type AlgorithmId 

type AlgorithmId uint16

AlgorithmId corresponds to the TPM_ALG_ID type. 

const (
	AlgorithmError          AlgorithmId = 0x0000 // TPM_ALG_ERROR
	AlgorithmRSA            AlgorithmId = 0x0001 // TPM_ALG_RSA
	AlgorithmSHA1           AlgorithmId = 0x0004 // TPM_ALG_SHA1
	AlgorithmHMAC           AlgorithmId = 0x0005 // TPM_ALG_HMAC
	AlgorithmAES            AlgorithmId = 0x0006 // TPM_ALG_AES
	AlgorithmMGF1           AlgorithmId = 0x0007 // TPM_ALG_MGF1
	AlgorithmKeyedHash      AlgorithmId = 0x0008 // TPM_ALG_KEYEDHASH
	AlgorithmXOR            AlgorithmId = 0x000a // TPM_ALG_XOR
	AlgorithmSHA256         AlgorithmId = 0x000b // TPM_ALG_SHA256
	AlgorithmSHA384         AlgorithmId = 0x000c // TPM_ALG_SHA384
	AlgorithmSHA512         AlgorithmId = 0x000d // TPM_ALG_SHA512
	AlgorithmNull           AlgorithmId = 0x0010 // TPM_ALG_NULL
	AlgorithmSM3_256        AlgorithmId = 0x0012 // TPM_ALG_SM3_256
	AlgorithmSM4            AlgorithmId = 0x0013 // TPM_ALG_SM4
	AlgorithmRSASSA         AlgorithmId = 0x0014 // TPM_ALG_RSASSA
	AlgorithmRSAES          AlgorithmId = 0x0015 // TPM_ALG_RSAES
	AlgorithmRSAPSS         AlgorithmId = 0x0016 // TPM_ALG_RSAPSS
	AlgorithmOAEP           AlgorithmId = 0x0017 // TPM_ALG_OAEP
	AlgorithmECDSA          AlgorithmId = 0x0018 // TPM_ALG_ECDSA
	AlgorithmECDH           AlgorithmId = 0x0019 // TPM_ALG_ECDH
	AlgorithmECDAA          AlgorithmId = 0x001a // TPM_ALG_ECDAA
	AlgorithmSM2            AlgorithmId = 0x001b // TPM_ALG_SM2
	AlgorithmECSCHNORR      AlgorithmId = 0x001c // TPM_ALG_ECSCHNORR
	AlgorithmECMQV          AlgorithmId = 0x001d // TPM_ALG_ECMQV
	AlgorithmKDF1_SP800_56A AlgorithmId = 0x0020 // TPM_ALG_KDF1_SP800_56A
	AlgorithmKDF2           AlgorithmId = 0x0021 // TPM_ALG_KDF2
	AlgorithmKDF1_SP800_108 AlgorithmId = 0x0022 // TPM_ALG_KDF1_SP800_108
	AlgorithmECC            AlgorithmId = 0x0023 // TPM_ALG_ECC
	AlgorithmSymCipher      AlgorithmId = 0x0025 // TPM_ALG_SYMCIPHER
	AlgorithmCamellia       AlgorithmId = 0x0026 // TPM_ALG_CAMELLIA
	AlgorithmCTR            AlgorithmId = 0x0040 // TPM_ALG_CTR
	AlgorithmOFB            AlgorithmId = 0x0041 // TPM_ALG_OFB
	AlgorithmCBC            AlgorithmId = 0x0042 // TPM_ALG_CBC
	AlgorithmCFB            AlgorithmId = 0x0043 // TPM_ALG_CFB
	AlgorithmECB            AlgorithmId = 0x0044 // TPM_ALG_ECB

	AlgorithmFirst AlgorithmId = AlgorithmRSA
)

func (AlgorithmId) Format 

func (a AlgorithmId) Format(s fmt.State, f rune)

func (AlgorithmId) String 

func (a AlgorithmId) String() string

type AlgorithmList 

type AlgorithmList []AlgorithmId

AlgorithmList is a slice of AlgorithmId values, and corresponds to the TPML_ALG type.

type AlgorithmProperty 

type AlgorithmProperty struct {
	Alg        AlgorithmId         // Algorithm identifier
	Properties AlgorithmAttributes // Attributes of the algorithm
}

AlgorithmProperty corresponds to the TPMS_ALG_PROPERTY type. It is used to report the properties of an algorithm.

type AlgorithmPropertyList 

type AlgorithmPropertyList []AlgorithmProperty

AlgorithmPropertyList is a slice of AlgorithmProperty values, and corresponds to the TPML_ALG_PROPERTY type.

type ArithmeticOp 

type ArithmeticOp uint16

ArithmeticOp corresponds to the TPM_EO type. 

const (
	OpEq         ArithmeticOp = 0x0000 // TPM_EO_EQ
	OpNeq        ArithmeticOp = 0x0001 // TPM_EO_NEQ
	OpSignedGT   ArithmeticOp = 0x0002 // TPM_EO_SIGNED_GT
	OpUnsignedGT ArithmeticOp = 0x0003 // TPM_EO_UNSIGNED_GT
	OpSignedLT   ArithmeticOp = 0x0004 // TPM_EO_SIGNED_LT
	OpUnsignedLT ArithmeticOp = 0x0005 // TPM_EO_UNSIGNED_LT
	OpSignedGE   ArithmeticOp = 0x0006 // TPM_EO_SIGNED_GE
	OpUnsignedGE ArithmeticOp = 0x0007 // TPM_EO_UNSIGNED_GE
	OpSignedLE   ArithmeticOp = 0x0008 // TPM_EO_SIGNED_LE
	OpUnsignedLE ArithmeticOp = 0x0009 // TPM_EO_UNSIGNED_LE
	OpBitset     ArithmeticOp = 0x000a // TPM_EO_BITSET
	OpBitclear   ArithmeticOp = 0x000b // TPM_EO_BITCLEAR
)

type AsymParams 

type AsymParams struct {
	Symmetric SymDefObject // Symmetric algorithm for a restricted decrypt key.
	// For a key with the AttrSign attribute: a signing scheme.
	// For a key with the AttrDecrypt attribute: a key exchange protocol.
	// For a key with both AttrSign and AttrDecrypt attributes: AlgorithmNull.
	Scheme AsymScheme
}

AsymParams corresponds to the TPMS_ASYM_PARMS type, and defines the common public parameters for an asymmetric key.

type AsymScheme 

type AsymScheme struct {
	Scheme  AsymSchemeId // Scheme selector
	Details AsymSchemeU  `tpm2:"selector:Scheme"` // Scheme specific parameters
}

AsymScheme corresponds to the TPMT_ASYM_SCHEME type.

type AsymSchemeId 

type AsymSchemeId AlgorithmId

AsymSchemeId corresponds to the TPMI_ALG_ASYM_SCHEME type 

const (
	AsymSchemeNull      AsymSchemeId = AsymSchemeId(AlgorithmNull)      // TPM_ALG_NULL
	AsymSchemeRSASSA    AsymSchemeId = AsymSchemeId(AlgorithmRSASSA)    // TPM_ALG_RSASSA
	AsymSchemeRSAES     AsymSchemeId = AsymSchemeId(AlgorithmRSAES)     // TPM_ALG_RSAES
	AsymSchemeRSAPSS    AsymSchemeId = AsymSchemeId(AlgorithmRSAPSS)    // TPM_ALG_RSAPSS
	AsymSchemeOAEP      AsymSchemeId = AsymSchemeId(AlgorithmOAEP)      // TPM_ALG_OAEP
	AsymSchemeECDSA     AsymSchemeId = AsymSchemeId(AlgorithmECDSA)     // TPM_ALG_ECDSA
	AsymSchemeECDH      AsymSchemeId = AsymSchemeId(AlgorithmECDH)      // TPM_ALG_ECDH
	AsymSchemeECDAA     AsymSchemeId = AsymSchemeId(AlgorithmECDAA)     // TPM_ALG_ECDAA
	AsymSchemeSM2       AsymSchemeId = AsymSchemeId(AlgorithmSM2)       // TPM_ALG_SM2
	AsymSchemeECSCHNORR AsymSchemeId = AsymSchemeId(AlgorithmECSCHNORR) // TPM_ALG_ECSCHNORR
	AsymSchemeECMQV     AsymSchemeId = AsymSchemeId(AlgorithmECMQV)     // TPM_ALG_ECMQV
)

func (AsymSchemeId) Format 

func (a AsymSchemeId) Format(s fmt.State, f rune)

type AsymSchemeU 

type AsymSchemeU struct {
	Data interface{}
}

AsymSchemeU is a fake union type that corresponds to the TPMU_ASYM_SCHEME type. The selector type is AsymSchemeId. Valid types for Data for each selector value are:

  • AsymSchemeRSASSA: *SigSchemeRSASSA
  • AsymSchemeRSAES: *EncSchemeRSAES
  • AsymSchemeRSAPSS: *SigSchemeRSAPSS
  • AsymSchemeOAEP: *EncSchemeOAEP
  • AsymSchemeECDSA: *SigSchemeECDSA
  • AsymSchemeECDH: *KeySchemeECDH
  • AsymSchemeECDAA: *SigSchemeECDAA
  • AsymSchemeSM2: *SigSchemeSM2
  • AsymSchemeECSCHNORR: *SigSchemeECSCHNORR
  • AsymSchemeECMQV: *KeySchemeECMQV
  • AsymSchemeNull: <nil>

func (AsymSchemeU) Any 

func (s AsymSchemeU) Any() *SchemeHash

Any returns the underlying value as *SchemeHash. It panics if the underlying type is not convertible to *SchemeHash.

func (AsymSchemeU) ECDAA 

func (s AsymSchemeU) ECDAA() *SigSchemeECDAA

ECDAA returns the underlying value as *SigSchemeECDAA. It panics if the underlying type is not *SigSchemeECDAA.

func (AsymSchemeU) ECDH 

func (s AsymSchemeU) ECDH() *KeySchemeECDH

ECDH returns the underlying value as *KeySchemeECDH. It panics if the underlying type is not *KeySchemeECDH.

func (AsymSchemeU) ECDSA 

func (s AsymSchemeU) ECDSA() *SigSchemeECDSA

ECDSA returns the underlying value as *SigSchemeECDSA. It panics if the underlying type is not *SigSchemeECDSA.

func (AsymSchemeU) ECMQV 

func (s AsymSchemeU) ECMQV() *KeySchemeECMQV

ECMQV returns the underlying value as *KeySchemeECMQV. It panics if the underlying type is not *KeySchemeECMQV.

func (AsymSchemeU) ECSCHNORR 

func (s AsymSchemeU) ECSCHNORR() *SigSchemeECSCHNORR

ECSCHNORR returns the underlying value as *SigSchemeECSCHNORR. It panics if the underlying type is not *SigSchemeECSCHNORR.

func (AsymSchemeU) OAEP 

func (s AsymSchemeU) OAEP() *EncSchemeOAEP

OAEP returns the underlying value as *EncSchemeOAEP. It panics if the underlying type is not *EncSchemeOAEP.

func (AsymSchemeU) RSAES 

func (s AsymSchemeU) RSAES() *EncSchemeRSAES

RSAES returns the underlying value as *EncSchemeRSAES. It panics if the underlying type is not *EncSchemeRSAES.

func (AsymSchemeU) RSAPSS 

func (s AsymSchemeU) RSAPSS() *SigSchemeRSAPSS

RSAPSS returns the underlying value as *SigSchemeRSAPSS. It panics if the underlying type is not *SigSchemeRSAPSS.

func (AsymSchemeU) RSASSA 

func (s AsymSchemeU) RSASSA() *SigSchemeRSASSA

RSASSA returns the underlying value as *SigSchemeRSASSA. It panics if the underlying type is not *SigSchemeRSASSA.

func (AsymSchemeU) SM2 

func (s AsymSchemeU) SM2() *SigSchemeSM2

SM2 returns the underlying value as *SigSchemeSM2. It panics if the underlying type is not *SigSchemeSM2.

func (AsymSchemeU) Select 

func (s AsymSchemeU) Select(selector reflect.Value) (reflect.Type, error)

type Attest 

type Attest struct {
	Magic           TPMGenerated // Always TPMGeneratedValue
	Type            StructTag    // Type of the attestation structure
	QualifiedSigner Name         // Qualified name of the signing key
	ExtraData       Data         // External information provided by the caller
	ClockInfo       ClockInfo    // Clock information
	FirmwareVersion uint64       // TPM vendor specific value indicating the version of the firmware
	Attested        AttestU      `tpm2:"selector:Type"` // Type specific attestation data
}

Attest corresponds to the TPMS_ATTEST type, and is returned by the attestation commands. The signature of the attestation is over this structure.

type AttestRaw 

type AttestRaw []byte

AttestRaw corresponds to the TPM2B_ATTEST type, and is returned by the attestation commands. The signature of the attestation is over this data.

func (AttestRaw) Decode 

func (a AttestRaw) Decode() (*Attest, error)

Decode unmarshals the underlying buffer to the corresponding Attest structure.

type AttestU 

type AttestU struct {
	Data interface{}
}

AttestU is a fake union type that corresponds to the TPMU_ATTEST type. The selector type is StructTag. Valid types for Data for each selector value are:

  • TagAttestNV: *NVCertifyInfo
  • TagAttestCommandAudit: *CommandAuditInfo
  • TagAttestSessionAudit: *SessionAuditInfo
  • TagAttestCertify: *CertifyInfo
  • TagAttestQuote: *QuoteInfo
  • TagAttestTime: *TimeAttestInfo
  • TagAttestCreation: *CreationInfo

func (AttestU) Certify 

func (a AttestU) Certify() *CertifyInfo

Certify returns the underlying value as *CertifyInfo. It panics if the underlying type is not *CertifyInfo.

func (AttestU) CommandAudit 

func (a AttestU) CommandAudit() *CommandAuditInfo

CommandAudit returns the underlying value as *CommandAuditInfo. It panics if the underlying type is not *CommandAuditInfo.

func (AttestU) Creation 

func (a AttestU) Creation() *CreationInfo

Creation returns the underlying value as *CreationInfo. It panics if the underlying type is not *CreationInfo.

func (AttestU) NV 

func (a AttestU) NV() *NVCertifyInfo

NV returns the underlying value as *NVCertifyInfo. It panics if the underlying type is not *NVCertifyInfo.

func (AttestU) Quote 

func (a AttestU) Quote() *QuoteInfo

Quote returns the underlying value as *QuoteInfo. It panics if the underlying type is not *QuoteInfo.

func (AttestU) Select 

func (a AttestU) Select(selector reflect.Value) (reflect.Type, error)

func (AttestU) SessionAudit 

func (a AttestU) SessionAudit() *SessionAuditInfo

SessionAudit returns the underlying value as *SessionAuditInfo. It panics if the underlying type is not *SessionAuditInfo.

func (AttestU) Time 

func (a AttestU) Time() *TimeAttestInfo

Time returns the underlying value as *TimeAttestInfo. It panics if the underlying type is not *TimeAttestInfo.

type Auth 

type Auth Digest

Auth corresponds to the TPM2B_AUTH type.

type CapabilitiesU 

type CapabilitiesU struct {
	Data interface{}
}

Capabilities is a fake union type that corresponds to the TPMU_CAPABILITIES type. The selector type is Capability. Valid types for Data for each selector value are:

  • CapabilityAlgs: AlgorithmPropertyList
  • CapabilityHandles: HandleList
  • CapabilityCommands: CommandAttributesList
  • CapabilityPPCommands: CommandCodeList
  • CapabilityAuditCommands: CommandCodeList
  • CapabilityPCRs: PCRSelectionList
  • CapabilityTPMProperties: TaggedTPMPropertyList
  • CapabilityPCRProperties: TaggedPCRPropertyList
  • CapabilityECCCurves: ECCCurveList
  • CapabilityAuthPolicies: TaggedPolicyList

func (CapabilitiesU) Algorithms 

func (c CapabilitiesU) Algorithms() AlgorithmPropertyList

Algorithms returns the underlying value as AlgorithmPropertyList. It panics if the underlying type is not AlgorithmPropertyList.

func (CapabilitiesU) AssignedPCR 

func (c CapabilitiesU) AssignedPCR() PCRSelectionList

AssignedPCR returns the underlying value as PCRSelectionList. It panics if the underlying type is not PCRSelectionList.

func (CapabilitiesU) AuditCommands 

func (c CapabilitiesU) AuditCommands() CommandCodeList

AuditCommands returns the underlying value as CommandCodeList. It panics if the underlying type is not CommandCodeList.

func (CapabilitiesU) AuthPolicies 

func (c CapabilitiesU) AuthPolicies() TaggedPolicyList

AuthPolicies returns the underlying value as TaggedPolicyList. It panics if the underlying type is not TaggedPolicyList.

func (CapabilitiesU) Command 

func (c CapabilitiesU) Command() CommandAttributesList

Command returns the underlying value as CommandAttributesList. It panics if the underlying type is not CommandAttributesList.

func (CapabilitiesU) ECCCurves 

func (c CapabilitiesU) ECCCurves() ECCCurveList

ECCCurves returns the underlying value as ECCCurveList. It panics if the underlying type is not ECCCurveList.

func (CapabilitiesU) Handles 

func (c CapabilitiesU) Handles() HandleList

Handles returns the underlying value as HandleList. It panics if the underlying type is not HandleList.

func (CapabilitiesU) PCRProperties 

func (c CapabilitiesU) PCRProperties() TaggedPCRPropertyList

PCRProperties returns the underlying value as TaggedPCRPropertyList. It panics if the underlying type is not TaggedPCRPropertyList.

func (CapabilitiesU) PPCommands 

func (c CapabilitiesU) PPCommands() CommandCodeList

PPCommands returns the underlying value as CommandCodeList. If panics if the underlying type is not CommandCodeList.

func (CapabilitiesU) Select 

func (c CapabilitiesU) Select(selector reflect.Value) (reflect.Type, error)

func (CapabilitiesU) TPMProperties 

func (c CapabilitiesU) TPMProperties() TaggedTPMPropertyList

TPMProperties returns the underlying value as TaggedTPMPropertyList. It panics if the underlying type is not TaggedTPMPropertyList.

type Capability 

type Capability uint32

Capability corresponds to the TPM_CAP type. 

const (
	CapabilityAlgs          Capability = 0 // TPM_CAP_ALGS
	CapabilityHandles       Capability = 1 // TPM_CAP_HANDLES
	CapabilityCommands      Capability = 2 // TPM_CAP_COMMANDS
	CapabilityPPCommands    Capability = 3 // TPM_CAP_PP_COMMANDS
	CapabilityAuditCommands Capability = 4 // TPM_CAP_AUDIT_COMMANDS
	CapabilityPCRs          Capability = 5 // TPM_CAP_PCRS
	CapabilityTPMProperties Capability = 6 // TPM_CAP_TPM_PROPERTIES
	CapabilityPCRProperties Capability = 7 // TPM_CAP_PCR_PROPERTIES
	CapabilityECCCurves     Capability = 8 // TPM_CAP_ECC_CURVES
	CapabilityAuthPolicies  Capability = 9 // TPM_CAP_AUTH_POLICIES
)

func (Capability) Format 

func (c Capability) Format(s fmt.State, f rune)

func (Capability) String 

func (c Capability) String() string

type CapabilityData 

type CapabilityData struct {
	Capability Capability    // Capability
	Data       CapabilitiesU `tpm2:"selector:Capability"` // Capability data
}

CapabilityData corresponds to the TPMS_CAPABILITY_DATA type, and is returned by TPMContext.GetCapability.

type CertifyInfo 

type CertifyInfo struct {
	Name          Name // Name of the certified object
	QualifiedName Name // Qualified name of the certified object
}

CertifyInfo corresponds to the TPMS_CERTIFY_INFO type, and is returned by TPMContext.Certify.

type ClockInfo 

type ClockInfo struct {
	Clock      uint64 // Time value in milliseconds that increments whilst the TPM is powered
	ResetCount uint32 // Number of TPM resets since the TPM was last cleared
	// RestartCount is the number of TPM restarts or resumes since the last TPM reset or the last time the TPM was cleared.
	RestartCount uint32
	// Safe indicates the the value reported by Clock is guaranteed to be unique for the current owner.
	Safe bool
}

ClockInfo corresponds to the TPMS_CLOCK_INFO type.

type CommandAttributes 

type CommandAttributes uint32

CommandAttributes corresponds to the TPMA_CC type and represents the attributes of a command. It also encodes the command code to which these attributes belong, and the number of command handles for the command. 

const (
	AttrNV        CommandAttributes = 1 << 22
	AttrExtensive CommandAttributes = 1 << 23
	AttrFlushed   CommandAttributes = 1 << 24
	AttrRHandle   CommandAttributes = 1 << 28
	AttrV         CommandAttributes = 1 << 29
)

func (CommandAttributes) CommandCode 

func (a CommandAttributes) CommandCode() CommandCode

CommandCode returns the command code that a set of attributes belongs to.

func (CommandAttributes) NumberOfCommandHandles 

func (a CommandAttributes) NumberOfCommandHandles() int

NumberOfCommandHandles returns the number of command handles for the command that a set of attributes belong to.

type CommandAttributesList 

type CommandAttributesList []CommandAttributes

CommandAttributesList is a slice of CommandAttribute values, and corresponds to the TPML_CCA type.

type CommandAuditInfo 

type CommandAuditInfo struct {
	AuditCounter  uint64      // Monotonic audit counter
	DigestAlg     AlgorithmId // Hash algorithm used for the command audit
	AuditDigest   Digest      // Current value of the audit digest
	CommandDigest Digest      // Digest of command codes being audited, using DigestAlg
}

CommandAuditInfo corresponds to the TPMS_COMMAND_AUDIT_INFO type, and is returned by TPMContext.GetCommandAuditDigest.

type CommandCode 

type CommandCode uint32

CommandCode corresponds to the TPM_CC type. 

const (
	CommandFirst CommandCode = 0x0000011A

	CommandNVUndefineSpaceSpecial     CommandCode = 0x0000011F // TPM_CC_NV_UndefineSpaceSpecial
	CommandEvictControl               CommandCode = 0x00000120 // TPM_CC_EvictControl
	CommandNVUndefineSpace            CommandCode = 0x00000122 // TPM_CC_NV_UndefineSpace
	CommandClear                      CommandCode = 0x00000126 // TPM_CC_Clear
	CommandClearControl               CommandCode = 0x00000127 // TPM_CC_ClearControl
	CommandHierarchyChangeAuth        CommandCode = 0x00000129 // TPM_CC_HierarchyChangeAuth
	CommandNVDefineSpace              CommandCode = 0x0000012A // TPM_CC_NV_DefineSpace
	CommandCreatePrimary              CommandCode = 0x00000131 // TPM_CC_CreatePrimary
	CommandNVGlobalWriteLock          CommandCode = 0x00000132 // TPM_CC_NV_GlobalWriteLock
	CommandGetCommandAuditDigest      CommandCode = 0x00000133 // TPM_CC_GetCommandAuditDigest
	CommandNVIncrement                CommandCode = 0x00000134 // TPM_CC_NV_Increment
	CommandNVSetBits                  CommandCode = 0x00000135 // TPM_CC_NV_SetBits
	CommandNVExtend                   CommandCode = 0x00000136 // TPM_CC_NV_Extend
	CommandNVWrite                    CommandCode = 0x00000137 // TPM_CC_NV_Write
	CommandNVWriteLock                CommandCode = 0x00000138 // TPM_CC_NV_WriteLock
	CommandDictionaryAttackLockReset  CommandCode = 0x00000139 // TPM_CC_DictionaryAttackLockReset
	CommandDictionaryAttackParameters CommandCode = 0x0000013A // TPM_CC_DictionaryAttackParameters
	CommandNVChangeAuth               CommandCode = 0x0000013B // TPM_CC_NV_ChangeAuth
	CommandPCREvent                   CommandCode = 0x0000013C // TPM_CC_PCR_Event
	CommandPCRReset                   CommandCode = 0x0000013D // TPM_CC_PCR_Reset
	CommandSetCommandCodeAuditStatus  CommandCode = 0x00000140 // TPM_CC_SetCommandCodeAuditStatus
	CommandIncrementalSelfTest        CommandCode = 0x00000142 // TPM_CC_IncrementalSelfTest
	CommandSelfTest                   CommandCode = 0x00000143 // TPM_CC_SelfTest
	CommandStartup                    CommandCode = 0x00000144 // TPM_CC_Startup
	CommandShutdown                   CommandCode = 0x00000145 // TPM_CC_Shutdown
	CommandStirRandom                 CommandCode = 0x00000146 // TPM_CC_StirRandom
	CommandActivateCredential         CommandCode = 0x00000147 // TPM_CC_ActivateCredential
	CommandCertify                    CommandCode = 0x00000148 // TPM_CC_Certify
	CommandPolicyNV                   CommandCode = 0x00000149 // TPM_CC_PolicyNV
	CommandCertifyCreation            CommandCode = 0x0000014A // TPM_CC_CertifyCreation
	CommandDuplicate                  CommandCode = 0x0000014B // TPM_CC_Duplicate
	CommandGetTime                    CommandCode = 0x0000014C // TPM_CC_GetTime
	CommandGetSessionAuditDigest      CommandCode = 0x0000014D // TPM_CC_GetSessionAuditDigest
	CommandNVRead                     CommandCode = 0x0000014E // TPM_CC_NV_Read
	CommandNVReadLock                 CommandCode = 0x0000014F // TPM_CC_NV_ReadLock
	CommandObjectChangeAuth           CommandCode = 0x00000150 // TPM_CC_ObjectChangeAuth
	CommandPolicySecret               CommandCode = 0x00000151 // TPM_CC_PolicySecret
	CommandCreate                     CommandCode = 0x00000153 // TPM_CC_Create
	CommandImport                     CommandCode = 0x00000156 // TPM_CC_Import
	CommandLoad                       CommandCode = 0x00000157 // TPM_CC_Load
	CommandQuote                      CommandCode = 0x00000158 // TPM_CC_Quote
	CommandSign                       CommandCode = 0x0000015D // TPM_CC_Sign
	CommandUnseal                     CommandCode = 0x0000015E // TPM_CC_Unseal
	CommandPolicySigned               CommandCode = 0x00000160 // TPM_CC_PolicySigned
	CommandContextLoad                CommandCode = 0x00000161 // TPM_CC_ContextLoad
	CommandContextSave                CommandCode = 0x00000162 // TPM_CC_ContextSave
	CommandFlushContext               CommandCode = 0x00000165 // TPM_CC_FlushContext
	CommandLoadExternal               CommandCode = 0x00000167 // TPM_CC_LoadExternal
	CommandMakeCredential             CommandCode = 0x00000168 // TPM_CC_MakeCredential
	CommandNVReadPublic               CommandCode = 0x00000169 // TPM_CC_NV_ReadPublic
	CommandPolicyAuthorize            CommandCode = 0x0000016A // TPM_CC_PolicyAuthorize
	CommandPolicyAuthValue            CommandCode = 0x0000016B // TPM_CC_PolicyAuthValue
	CommandPolicyCommandCode          CommandCode = 0x0000016C // TPM_CC_PolicyCommandCode
	CommandPolicyCounterTimer         CommandCode = 0x0000016D // TPM_CC_PolicyCounterTimer
	CommandPolicyCpHash               CommandCode = 0x0000016E // TPM_CC_PolicyCpHash
	CommandPolicyNameHash             CommandCode = 0x00000170 // TPM_CC_PolicyNameHash
	CommandPolicyOR                   CommandCode = 0x00000171 // TPM_CC_PolicyOR
	CommandPolicyTicket               CommandCode = 0x00000172 // TPM_CC_PolicyTicket
	CommandReadPublic                 CommandCode = 0x00000173 // TPM_CC_ReadPublic
	CommandStartAuthSession           CommandCode = 0x00000176 // TPM_CC_StartAuthSession
	CommandVerifySignature            CommandCode = 0x00000177 // TPM_CC_VerifySignature
	CommandGetCapability              CommandCode = 0x0000017A // TPM_CC_GetCapability
	CommandGetRandom                  CommandCode = 0x0000017B // TPM_CC_GetRandom
	CommandGetTestResult              CommandCode = 0x0000017C // TPM_CC_GetTestResult
	CommandPCRRead                    CommandCode = 0x0000017E // TPM_CC_PCR_Read
	CommandPolicyPCR                  CommandCode = 0x0000017F // TPM_CC_PolicyPCR
	CommandPolicyRestart              CommandCode = 0x00000180 // TPM_CC_PolicyRestart
	CommandReadClock                  CommandCode = 0x00000181 // TPM_CC_ReadClock
	CommandPCRExtend                  CommandCode = 0x00000182 // TPM_CC_PCR_Extend
	CommandPolicyDuplicationSelect    CommandCode = 0x00000188 // TPM_CC_PolicyDuplicationSelect
	CommandPolicyGetDigest            CommandCode = 0x00000189 // TPM_CC_PolicyGetDigest
	CommandTestParms                  CommandCode = 0x0000018A // TPM_CC_TestParms
	CommandPolicyPassword             CommandCode = 0x0000018C // TPM_CC_PolicyPassword
	CommandPolicyNvWritten            CommandCode = 0x0000018F // TPM_CC_PolicyNvWritten
	CommandCreateLoaded               CommandCode = 0x00000191 // TPM_CC_CreateLoaded
)

func (CommandCode) Format 

func (c CommandCode) Format(s fmt.State, f rune)

func (CommandCode) String 

func (c CommandCode) String() string

type CommandCodeList 

type CommandCodeList []CommandCode

CommandCodeList is a slice of CommandCode values, and corresponds to the TPML_CC type.

type Context 

type Context struct {
	Sequence    uint64      // Sequence number of the context
	SavedHandle Handle      // Handle indicating if this is a session or object
	Hierarchy   Handle      // Hierarchy of the context
	Blob        ContextData // Encrypted context data and integrity HMAC
}

Context corresponds to the TPMS_CONTEXT type and is used in TPMContext.ContextLoad and TPMContext.ContextSave.

type ContextData 

type ContextData []byte

ContextData corresponds to the TPM2B_CONTEXT_DATA type.

type CreationData 

type CreationData struct {
	PCRSelect PCRSelectionList // PCRs included in PCRDigest
	// Digest of the selected PCRs using the name algorithm of the object associated with this data.
	PCRDigest           Digest
	Locality            Locality    // Locality at which the object was created
	ParentNameAlg       AlgorithmId // Name algorithm of the parent
	ParentName          Name        // Name of the parent
	ParentQualifiedName Name        // Qualified name of the parent
	OutsideInfo         Data        // External information provided by the caller
}

CreationData corresponds to the TPMS_CREATION_DATA type, which provides information about the creation environment of an object.

type CreationInfo 

type CreationInfo struct {
	ObjectName   Name // Name of the object
	CreationHash Digest
}

CreationInfo corresponds to the TPMS_CREATION_INFO type, and is returned by TPMContext.CertifyCreation.

type CustomMarshaller 

type CustomMarshaller interface {
	Marshal(buf io.Writer) error
	Unmarshal(buf io.Reader) error
}

CustomMarshaller is implemented by types that require custom marshalling and unmarshalling behaviour because they are non-standard and not directly supported by the marshalling code.

type Data 

type Data []byte

Data corresponds to the TPM2B_DATA type.

type Derive 

type Derive struct {
	Label   Label
	Context Label
}

Derive corresponds to the TPMS_DERIVE type.

type Digest 

type Digest []byte

Digest corresponds to the TPM2B_DIGEST type.

func ComputeCpHash 

func ComputeCpHash(hashAlg HashAlgorithmId, command CommandCode, params ...interface{}) (Digest, error)

ComputeCpHash computes a command parameter digest from the specified command code and provided command parameters, using the digest algorithm specified by hashAlg. The params argument corresponds to the handle and parameters area of a command (in that order), separated by the Separator sentinel value. Handle arguments must be represented by either the Handle type or HandleContext type.

The number of command handles and number / type of command parameters can be determined by looking in part 3 of the TPM 2.0 Library Specification for the specific command.

The result of this is useful for extended authorization commands that bind an authorization to a command and set of command parameters, such as TPMContext.PolicySigned, TPMContext.PolicySecret, TPMContext.PolicyTicket and TPMContext.PolicyCpHash.

func ComputePCRDigest 

func ComputePCRDigest(alg HashAlgorithmId, pcrs PCRSelectionList, values PCRValues) (Digest, error)

ComputePCRDigest computes a digest using the specified algorithm from the provided set of PCR values and the provided PCR selection. It is most useful for computing an input to TPMContext.PolicyPCR, and validating quotes and creation data.

type DigestList 

type DigestList []Digest

DigestList is a slice of Digest values, and corresponds to the TPML_DIGEST type.

type ECCCurve 

type ECCCurve uint16

ECCCurve corresponds to the TPM_ECC_CURVE type. 

const (
	ECCCurveNIST_P192 ECCCurve = 0x0001 // TPM_ECC_NIST_P192
	ECCCurveNIST_P224 ECCCurve = 0x0002 // TPM_ECC_NIST_P224
	ECCCurveNIST_P256 ECCCurve = 0x0003 // TPM_ECC_NIST_P256
	ECCCurveNIST_P384 ECCCurve = 0x0004 // TPM_ECC_NIST_P384
	ECCCurveNIST_P521 ECCCurve = 0x0005 // TPM_ECC_NIST_P521
	ECCCurveBN_P256   ECCCurve = 0x0010 // TPM_ECC_BN_P256
	ECCCurveBN_P638   ECCCurve = 0x0011 // TPM_ECC_BN_P638
	ECCCurveSM2_P256  ECCCurve = 0x0020 // TPM_ECC_SM2_P256

	ECCCurveFirst ECCCurve = ECCCurveNIST_P192
)

type ECCCurveList 

type ECCCurveList []ECCCurve

ECCCurveList is a slice of ECCCurve values, and corresponds to the TPML_ECC_CURVE type.

type ECCParameter 

type ECCParameter []byte

ECCParameter corresponds to the TPM2B_ECC_PARAMETER type.

type ECCParams 

type ECCParams struct {
	Symmetric SymDefObject // Symmetric algorithm for a restricted decrypt key.
	// For a key with the AttrSign attribute: a signing scheme.
	// For a key with the AttrDecrypt attribute: a key exchange protocol or AlgorithmNull.
	// For a storage key: AlgorithmNull.
	Scheme  ECCScheme
	CurveID ECCCurve  // ECC curve ID
	KDF     KDFScheme // Unused - always AlgorithmNull
}

ECCParams corresponds to the TPMS_ECC_PARMS type, and defines the public parameters for an ECC key.

type ECCPoint 

type ECCPoint struct {
	X ECCParameter // X coordinate
	Y ECCParameter // Y coordinate
}

ECCPoint corresponds to the TPMS_ECC_POINT type, and contains the coordinates that define an ECC point.

type ECCScheme 

type ECCScheme struct {
	Scheme  ECCSchemeId // Scheme selector
	Details AsymSchemeU `tpm2:"selector:Scheme"` // Scheme specific parameters.
}

ECCScheme corresponds to the TPMT_ECC_SCHEME type.

type ECCSchemeId 

type ECCSchemeId AsymSchemeId

ECCSchemeId corresponds to the TPMI_ALG_ECC_SCHEME type. 

const (
	ECCSchemeNull      ECCSchemeId = ECCSchemeId(AlgorithmNull)      // TPM_ALG_NULL
	ECCSchemeECDSA     ECCSchemeId = ECCSchemeId(AlgorithmECDSA)     // TPM_ALG_ECDSA
	ECCSchemeECDH      ECCSchemeId = ECCSchemeId(AlgorithmECDH)      // TPM_ALG_ECDH
	ECCSchemeECDAA     ECCSchemeId = ECCSchemeId(AlgorithmECDAA)     // TPM_ALG_ECDAA
	ECCSchemeSM2       ECCSchemeId = ECCSchemeId(AlgorithmSM2)       // TPM_ALG_SM2
	ECCSchemeECSCHNORR ECCSchemeId = ECCSchemeId(AlgorithmECSCHNORR) // TPM_ALG_ECSCHNORR
	ECCSchemeECMQV     ECCSchemeId = ECCSchemeId(AlgorithmECMQV)     // TPM_ALG_ECMQV
)

func (ECCSchemeId) Format 

func (a ECCSchemeId) Format(s fmt.State, f rune)

type Empty 

type Empty struct{}

type EncSchemeOAEP 

type EncSchemeOAEP SchemeHash

type EncSchemeRSAES 

type EncSchemeRSAES Empty

type EncryptedSecret 

type EncryptedSecret []byte

EncryptedSecret corresponds to the TPM2B_ENCRYPTED_SECRET type.

type ErrorCode 

type ErrorCode ResponseCode

ErrorCode represents an error code from the TPM. 

const (
	// ErrorInitialize corresponds to TPM_RC_INITIALIZE and is returned for any command executed between a _TPM_Init event and a
	// TPM2_Startup command.
	ErrorInitialize ErrorCode = 0x00

	// ErrorFailure corresponds to TPM_RC_FAILURE and is returned for any command if the TPM is in failure mode.
	ErrorFailure ErrorCode = 0x01

	ErrorSequence  ErrorCode = 0x03 // TPM_RC_SEQUENCE
	ErrorDisabled  ErrorCode = 0x20 // TPM_RC_DISABLED
	ErrorExclusive ErrorCode = 0x21 // TPM_RC_EXCLUSIVE

	// ErrorAuthType corresponds to TPM_RC_AUTH_TYPE and is returned for a command where an authorization is required and the
	// authorization type is expected to be a policy session, but another authorization type has been provided.
	ErrorAuthType ErrorCode = 0x24

	// ErrorAuthMissing corresponds to TPM_RC_AUTH_MISSING and is returned for a command that accepts a HandleContext or Handle
	// argument that requires authorization, but no authorization session has been provided in the command payload.
	ErrorAuthMissing ErrorCode = 0x25

	ErrorPolicy ErrorCode = 0x26 // TPM_RC_POLICY
	ErrorPCR    ErrorCode = 0x27 // TPM_RC_PCR

	// ErrorPCRChanged corresponds to TPM_RC_PCR_CHANGED and is returned for a command where a policy session is used for authorization
	// and the PCR contents have been updated since the last time that they were checked in the session with a TPM2_PolicyPCR assertion.
	ErrorPCRChanged ErrorCode = 0x28

	// ErrorUpgrade corresponds to TPM_RC_UPGRADE and is returned for any command that isn't TPM2_FieldUpgradeData if the TPM is in
	// field upgrade mode.
	ErrorUpgrade ErrorCode = 0x2d

	ErrorTooManyContexts ErrorCode = 0x2e // TPM_RC_TOO_MANY_CONTEXTS

	// ErrorAuthUnavailable corresponds to TPM_RC_AUTH_UNAVAILABLE and is returned for a command where the provided authorization
	// requires the use of the authorization value for an entity, but the authorization value cannot be used. For example, if the entity
	// is an object and the command requires the user auth role but the object does not have the AttrUserWithAuth attribute.
	ErrorAuthUnavailable ErrorCode = 0x2f

	// ErrorReboot corresponds to TPM_RC_REBOOT and is returned for any command if the TPM requires a _TPM_Init event before it will
	// execute any more commands.
	ErrorReboot ErrorCode = 0x30

	ErrorUnbalanced ErrorCode = 0x31 // TPM_RC_UNBALANCED

	// ErrorCommandSize corresponds to TPM_RC_COMMAND_SIZE and indicates that the value of the commandSize field in the command header
	// does not match the size of the command packet transmitted to the TPM.
	ErrorCommandSize ErrorCode = 0x42

	// ErrorCommandCode corresponds to TPM_RC_COMMAND_CODE and is returned for any command that is not implemented by the TPM.
	ErrorCommandCode ErrorCode = 0x43

	ErrorAuthsize ErrorCode = 0x44 // TPM_RC_AUTHSIZE

	// ErrorAuthContext corresponds to TPM_RC_AUTH_CONTEXT and is returned for any command that does not accept any sessions if
	// sessions have been provided in the command payload.
	ErrorAuthContext ErrorCode = 0x45

	ErrorNVRange         ErrorCode = 0x46 // TPM_RC_NV_RANGE
	ErrorNVSize          ErrorCode = 0x47 // TPM_RC_NV_SIZE
	ErrorNVLocked        ErrorCode = 0x48 // TPM_RC_NV_LOCKED
	ErrorNVAuthorization ErrorCode = 0x49 // TPM_RC_NV_AUTHORIZATION
	ErrorNVUninitialized ErrorCode = 0x4a // TPM_RC_NV_UNINITIALIZED
	ErrorNVSpace         ErrorCode = 0x4b // TPM_RC_NV_SPACE
	ErrorNVDefined       ErrorCode = 0x4c // TPM_RC_NV_DEFINED
	ErrorBadContext      ErrorCode = 0x50 // TPM_RC_BAD_CONTEXT
	ErrorCpHash          ErrorCode = 0x51 // TPM_RC_CPHASH
	ErrorParent          ErrorCode = 0x52 // TPM_RC_PARENT
	ErrorNeedsTest       ErrorCode = 0x53 // TPM_RC_NEEDS_TEST

	// ErrorNoResult corresponds to TPM_RC_NO_RESULT and is returned for any command if the TPM cannot process a request due to an
	// unspecified problem.
	ErrorNoResult ErrorCode = 0x54

	ErrorSensitive ErrorCode = 0x55 // TPM_RC_SENSITIVE

	ErrorAsymmetric ErrorCode = errorCode1Start + 0x01 // TPM_RC_ASYMMETRIC

	// ErrorAttributes corresponds to TPM_RC_ATTRIBUTES and is returned as a *TPMSessionError for a command in the following
	// circumstances:
	// * More than one SessionContext instance with the AttrCommandEncrypt attribute has been provided.
	// * More than one SessionContext instance with the AttrResponseEncrypt attribute has been provided.
	// * A SessionContext instance referencing a trial session has been provided for authorization.
	ErrorAttributes ErrorCode = errorCode1Start + 0x02

	// ErrorHash corresponds to TPM_RC_HASH and is returned as a *TPMParameterError error for any command that accepts a AlgorithmId
	// parameter that corresponds to the TPMI_ALG_HASH interface type if the parameter value is not a valid digest algorithm.
	ErrorHash ErrorCode = errorCode1Start + 0x03

	// ErrorValue corresponds to TPM_RC_VALUE and is returned as a *TPMParameterError or *TPMHandleError for any command where an
	// argument value is incorrect or out of range for the command.
	ErrorValue ErrorCode = errorCode1Start + 0x04 // TPM_RC_VALUE

	// ErrorHierarchy corresponds to TPM_RC_HIERARCHY and is returned as a *TPMHandleError error for any command that accepts a
	// HandleContext or Handle argument if that argument corresponds to a hierarchy on the TPM that has been disabled.
	ErrorHierarchy ErrorCode = errorCode1Start + 0x05

	ErrorKeySize ErrorCode = errorCode1Start + 0x07 // TPM_RC_KEY_SIZE
	ErrorMGF     ErrorCode = errorCode1Start + 0x08 // TPM_RC_MGF

	// ErrorMode corresponds to TPM_RC_MODE and is returned as a *TPMParameterError error for any command that accepts a AlgorithmId
	// parameter that corresponds to the TPMI_ALG_SYM_MODE interface type if the parameter value is not a valid symmetric mode.
	ErrorMode ErrorCode = errorCode1Start + 0x09

	// ErrorType corresponds to TPM_RC_TYPE and is returned as a *TPMParameterError error for any command that accepts a AlgorithmId
	// parameter that corresponds to the TPMI_ALG_PUBLIC interface type if the parameter value is not a valid public type.
	ErrorType ErrorCode = errorCode1Start + 0x0a

	ErrorHandle ErrorCode = errorCode1Start + 0x0b // TPM_RC_HANDLE

	// ErrorKDF corresponds to TPM_RC_KDF and is returned as a *TPMParameterError error for any command that accepts a AlgorithmId
	// parameter that corresponds to the TPMI_ALG_KDF interface type if the parameter value is not a valid key derivation function.
	ErrorKDF ErrorCode = errorCode1Start + 0x0c

	ErrorRange ErrorCode = errorCode1Start + 0x0d // TPM_RC_RANGE

	// ErrorAuthFail corresponds to TPM_RC_AUTH_FAIL and is returned as a *TPMSessionError error for a command if an authorization
	// check fails. The dictionary attack counter is incremented when this error is returned.
	ErrorAuthFail ErrorCode = errorCode1Start + 0x0e

	// ErrorNonce corresponds to TPM_RC_NONCE and is returned as a *TPMSessionError error for any command where a password authorization
	// has been provided and the authorization session in the command payload contains a non-zero sized nonce field.
	ErrorNonce ErrorCode = errorCode1Start + 0x0f

	// ErrorPP corresponds to TPM_RC_PP and is returned as a *TPMSessionError for a command in the following circumstances:
	// * Authorization of the platform hierarchy is provided and the command requires an assertion of physical presence that hasn't been
	//   provided.
	// * Authorization is provided with a policy session that includes the TPM2_PolicyPhysicalPresence assertion, and an assertion of
	//   physical presence hasn't been provided.
	ErrorPP ErrorCode = errorCode1Start + 0x10

	// ErrorScheme corresponds to TPM_RC_SCHEME and is returned as a *TPMParameterError error for any command that accepts a AlgorithmId
	// parameter that corresponds to the TPMI_ALG_SIG_SCHEME or TPMI_ALG_ECC_SCHEME interface types if the parameter value is not a valid
	// signature or ECC key exchange scheme.
	ErrorScheme ErrorCode = errorCode1Start + 0x12

	// ErrorSize corresponds to TPM_RC_SIZE and is returned for a command in the following circumstances:
	// * As a *TPMParameterError if the command accepts a parameter type corresponding to TPM2B or TPML prefixed types and the size or
	//   length field has an invalid value.
	// * As a *TPMHandleError with an unspecified handle if the TPM's parameter unmarshalling doesn't consume all of the bytes in the
	//   input buffer.
	// * As a *TPMHandleError with an unspecified handle if the size field of the command's authorization area is an invalid value.
	// * As a *TPMSessionError if the authorization area for a command payload contains more than 3 sessions.
	ErrorSize ErrorCode = errorCode1Start + 0x15

	// ErrorSymmetric corresponds to TPM_RC_SYMMETRIC and is returned for a command in the following circumstances:
	// * As a *TPMParameterError if the command accepts a AlgorithmId parameter that corresponds to the TPMI_ALG_SYM interface type
	//   and the parameter value is not a valid symmetric algorithm.
	// * As a *TPMSessionError if a SessionContext instance is provided with the AttrCommandEncrypt attribute set but the session has no
	//   symmetric algorithm.
	// * As a *TPMSessionError if a SessionContext instance is provided with the AttrResponseEncrypt attribute set but the session has no
	//   symmetric algorithm.
	ErrorSymmetric ErrorCode = errorCode1Start + 0x16

	// ErrorTag corresponds to TPM_RC_TAG and is returned as a *TPMParameterError error for a command that accepts a StructTag parameter
	// if the parameter value is not the correct value.
	ErrorTag ErrorCode = errorCode1Start + 0x17

	// ErrorSelector corresponds to TPM_RC_SELECTOR and is returned as a *TPMParameterError error for a command that accepts a parameter
	// type corresponding to a TPMU prefixed type if the value of the selector field in the surrounding TPMT prefixed type is incorrect.
	ErrorSelector ErrorCode = errorCode1Start + 0x18

	// ErrorInsufficient corresponds to TPM_RC_INSUFFICIENT and is returned as a *TPMParameterError for a command if there is
	// insufficient data in the TPM's input buffer to complete unmarshalling of the command parameters.
	ErrorInsufficient ErrorCode = errorCode1Start + 0x1a

	ErrorSignature ErrorCode = errorCode1Start + 0x1b // TPM_RC_SIGNATURE
	ErrorKey       ErrorCode = errorCode1Start + 0x1c // TPM_RC_KEY

	// ErrorPolicyFail corresponds to TPM_RC_POLICY_FAIL and is returned as a *TPMSessionError error for a command in the following
	// circumstances:
	// * A policy session is used for authorization and the policy session digest does not match the authorization policy digest for
	//   the entity being authorized.
	// * A policy session is used for authorization and the digest algorithm of the session does not match the name algorithm of the
	//   entity being authorized.
	// * A policy session is used for authorization but the authorization is for the admin or DUP role and the policy session does not
	//   include a TPM2_PolicyCommandCode assertion.
	// * A policy session is used for authorization and the policy session includes a TPM2_PolicyNvWritten assertion but the entity
	//   being authorized is not a NV index.
	// * A policy session is used for authorization, the policy session includes the TPM2_PolicyNvWritten assertion, but the NV index
	//   being authorized does not have the AttrNVWritten attribute set.
	ErrorPolicyFail ErrorCode = errorCode1Start + 0x1d

	ErrorIntegrity ErrorCode = errorCode1Start + 0x1f // TPM_RC_INTEGRITY
	ErrorTicket    ErrorCode = errorCode1Start + 0x20 // TPM_RC_TICKET

	// ErroReservedBits corresponds to TPM_RC_RESERVED_BITS and is returned as a *TPMParameterError error for a command that accepts
	// a parameter type corresponding to a TPMA prefixed type if the parameter value has reserved bits set.
	ErrorReservedBits ErrorCode = errorCode1Start + 0x21

	// ErrorBadAuth corresponds to TPM_RC_BAD_AUTH and is returned as a *TPMSessionError error for a command if an authorization
	// check fails and the authorized entity is excempt from dictionary attack protections.
	ErrorBadAuth ErrorCode = errorCode1Start + 0x22

	// ErrorExpired corresponds to TPM_RC_EXPIRED and is returned as a *TPMSessionError error for a command if a policy session is used
	// for authorization, and the session has expired.
	ErrorExpired ErrorCode = errorCode1Start + 0x23

	// ErrorPolicyCC corresponds to TPM_RC_POLICY_CC and is returned as a *TPMSessionError error for a command if a policy session is
	// used for authorization, the session includes a TPM2_PolicyCommandCode assertion, but the command code doesn't match the command
	// for which the authorization is being used for.
	ErrorPolicyCC ErrorCode = errorCode1Start + 0x24

	ErrorBinding ErrorCode = errorCode1Start + 0x25 // TPM_RC_BINDING

	// ErrorCurve corresponds to TPM_RC_CURVE and is returned as a *TPMParameterError for a command that accepts a ECCCurve parameter
	// if the parameter value is incorrect.
	ErrorCurve ErrorCode = errorCode1Start + 0x26

	ErrorECCPoint ErrorCode = errorCode1Start + 0x27 // TPM_RC_ECC_POINT
)

func (ErrorCode) Format 

func (e ErrorCode) Format(s fmt.State, f rune)

func (ErrorCode) String 

func (e ErrorCode) String() string

type Event 

type Event []byte

Event corresponds to the TPM2B_EVENT type.

type Handle 

type Handle uint32

Handle corresponds to the TPM_HANDLE type, and is a numeric identifier that references a resource on the TPM. 

const (
	HandleOwner       Handle = 0x40000001 // TPM_RH_OWNER
	HandleNull        Handle = 0x40000007 // TPM_RH_NULL
	HandleUnassigned  Handle = 0x40000008 // TPM_RH_UNASSIGNED
	HandlePW          Handle = 0x40000009 // TPM_RS_PW
	HandleLockout     Handle = 0x4000000a // TPM_RH_LOCKOUT
	HandleEndorsement Handle = 0x4000000b // TPM_RH_ENDORSEMENT
	HandlePlatform    Handle = 0x4000000c // TPM_RH_PLATFORM
	HandlePlatformNV  Handle = 0x4000000d // TPM_RH_PLATFORM_NV
)

func (Handle) Format 

func (h Handle) Format(s fmt.State, f rune)

func (Handle) String 

func (h Handle) String() string

func (Handle) Type 

func (h Handle) Type() HandleType

Type returns the type of the handle.

type HandleContext 

type HandleContext interface {
	// Handle returns the handle of the corresponding entity on the TPM. If the HandleContext has been invalidated then this will
	// return HandleUnassigned.
	Handle() Handle
	Name() Name                        // The name of the entity
	SerializeToBytes() []byte          // Return a byte slice containing the serialized form of this HandleContext
	SerializeToWriter(io.Writer) error // Write the serialized form of this HandleContext to the supplied io.Writer
}

HandleContext corresponds to an entity that resides on the TPM. Implementations of HandleContext maintain some host-side state in order to be able to participate in HMAC sessions. They are invalidated when used in a command that results in the entity being flushed or evicted from the TPM. Once invalidated, they can no longer be used.

func CreateHandleContextFromBytes 

func CreateHandleContextFromBytes(b []byte) (HandleContext, int, error)

CreateHandleContextFromBytes returns a new HandleContext created from the serialized data read from the supplied byte slice. This should contain data that was previously created by HandleContext.SerializeToBytes or HandleContext.SerializeToWriter.

If the supplied data corresponds to a session then a SessionContext will be returned, else a ResourceContext will be returned.

If a ResourceContext is returned and subsequent use of it requires knowledge of the authorization value of the corresponding TPM resource, this should be provided by calling ResourceContext.SetAuthValue.

func CreateHandleContextFromReader 

func CreateHandleContextFromReader(r io.Reader) (HandleContext, error)

CreateHandleContextFromReader returns a new HandleContext created from the serialized data read from the supplied io.Reader. This should contain data that was previously created by HandleContext.SerializeToBytes or HandleContext.SerializeToWriter.

If the supplied data corresponds to a session then a SessionContext will be returned, else a ResourceContext will be returned.

If a ResourceContext is returned and subsequent use of it requires knowledge of the authorization value of the corresponding TPM resource, this should be provided by calling ResourceContext.SetAuthValue.

type HandleList 

type HandleList []Handle

HandleList is a slice of Handle values, and corresponds to the TPML_HANDLE type.

type HandleType 

type HandleType uint8

HandleType corresponds to the TPM_HT type, and is used to identify the type of a Handle. 

const (
	HandleTypePCR           HandleType = 0x00 // TPM_HT_PCR
	HandleTypeNVIndex       HandleType = 0x01 // TPM_HT_NV_INDEX
	HandleTypeHMACSession   HandleType = 0x02 // TPM_HT_HMAC_SESSION
	HandleTypeLoadedSession HandleType = 0x02 // TPM_HT_LOADED_SESSION
	HandleTypePolicySession HandleType = 0x03 // TPM_HT_POLICY_SESSION
	HandleTypeSavedSession  HandleType = 0x03 // TPM_HT_SAVED_SESSION
	HandleTypePermanent     HandleType = 0x40 // TPM_HT_PERMANENT
	HandleTypeTransient     HandleType = 0x80 // TPM_HT_TRANSIENT
	HandleTypePersistent    HandleType = 0x81 // TPM_HT_PERSISTENT
)

func (HandleType) BaseHandle 

func (h HandleType) BaseHandle() Handle

BaseHandle returns the first handle for the handle type.

type HashAlgorithmId 

type HashAlgorithmId AlgorithmId

HashAlgorithmId corresponds to the TPMI_ALG_HASH type 

const (
	HashAlgorithmNull    HashAlgorithmId = HashAlgorithmId(AlgorithmNull)    // TPM_ALG_NULL
	HashAlgorithmSHA1    HashAlgorithmId = HashAlgorithmId(AlgorithmSHA1)    // TPM_ALG_SHA1
	HashAlgorithmSHA256  HashAlgorithmId = HashAlgorithmId(AlgorithmSHA256)  // TPM_ALG_SHA256
	HashAlgorithmSHA384  HashAlgorithmId = HashAlgorithmId(AlgorithmSHA384)  // TPM_ALG_SHA384
	HashAlgorithmSHA512  HashAlgorithmId = HashAlgorithmId(AlgorithmSHA512)  // TPM_ALG_SHA512
	HashAlgorithmSM3_256 HashAlgorithmId = HashAlgorithmId(AlgorithmSM3_256) // TPM_ALG_SM3_256
)

func (HashAlgorithmId) Format 

func (a HashAlgorithmId) Format(s fmt.State, f rune)

func (HashAlgorithmId) GetHash 

func (a HashAlgorithmId) GetHash() crypto.Hash

GetHash returns the equivalent crypto.Hash value for this algorithm.

func (HashAlgorithmId) NewHash 

func (a HashAlgorithmId) NewHash() hash.Hash

NewHash constructs a new hash.Hash implementation for this algorithm. It will panic if HashAlgorithmId.Supported returns false.

func (HashAlgorithmId) Size 

func (a HashAlgorithmId) Size() int

Size returns the size of the algorithm. It will panic if HashAlgorithmId.Supported returns false.

func (HashAlgorithmId) Supported 

func (a HashAlgorithmId) Supported() bool

Supported determines if the TPM digest algorithm has an equivalent go crypto.Hash.

type IDObjectRaw 

type IDObjectRaw []byte

IDObjectRaw corresponds to the TPM2B_ID_OBJECT type.

type InvalidResponseError 

type InvalidResponseError struct {
	Command CommandCode
	// contains filtered or unexported fields
}

InvalidResponseError is returned from any TPMContext method that executes a TPM command if the TPM's response is invalid. An invalid response could be one that is shorter than the response header, one with an invalid responseSize field, a payload that is shorter than the responseSize field indicates, a payload that unmarshals incorrectly because of an invalid union selector value, or an invalid response authorization.

Any sessions used in the command that caused this error should be considered invalid.

If any function that executes a command which allocates objects on the TPM returns this error, it is possible that these objects were allocated and now exist on the TPM without a corresponding HandleContext being created or any knowledge of the handle of the object created.

If any function that executes a command which removes objects from the TPM returns this error, it is possible that these objects were removed from the TPM. Any associated HandleContexts should be considered stale after this error.

func (*InvalidResponseError) Error 

func (e *InvalidResponseError) Error() string

type InvalidSelectorError 

type InvalidSelectorError struct {
	Selector reflect.Value
}

func (InvalidSelectorError) Error 

func (e InvalidSelectorError) Error() string

type KDFAlgorithmId 

type KDFAlgorithmId AlgorithmId

KDFAlgorithmId corresppnds to the TPMI_ALG_KDF type 

const (
	KDFAlgorithmMGF1           KDFAlgorithmId = KDFAlgorithmId(AlgorithmMGF1)           // TPM_ALG_MGF1
	KDFAlgorithmNull           KDFAlgorithmId = KDFAlgorithmId(AlgorithmNull)           // TPM_ALG_NULL
	KDFAlgorithmKDF1_SP800_56A KDFAlgorithmId = KDFAlgorithmId(AlgorithmKDF1_SP800_56A) // TPM_ALG_KDF1_SP800_56A
	KDFAlgorithmKDF2           KDFAlgorithmId = KDFAlgorithmId(AlgorithmKDF2)           // TPM_ALG_KDF2
	KDFAlgorithmKDF1_SP800_108 KDFAlgorithmId = KDFAlgorithmId(AlgorithmKDF1_SP800_108) // TPM_ALG_KDF1_SP800_108
)

func (KDFAlgorithmId) Format 

func (a KDFAlgorithmId) Format(s fmt.State, f rune)

type KDFScheme 

type KDFScheme struct {
	Scheme  KDFAlgorithmId // Scheme selector
	Details KDFSchemeU     `tpm2:"selector:Scheme"` // Scheme specific parameters.
}

KDFScheme corresponds to the TPMT_KDF_SCHEME type.

type KDFSchemeU 

type KDFSchemeU struct {
	Data interface{}
}

KDFSchemeU is a fake union type that corresponds to the TPMU_KDF_SCHEME type. The selector type is KDFAlgorithmId. Valid types for Data for each selector value are:

  • KDFAlgorithmMGF1: *SchemeMGF1
  • KDFAlgorithmKDF1_SP800_56A: *SchemeKDF1_SP800_56A
  • KDFAlgorithmKDF2: *SchemeKF2
  • KDFAlgorithmKDF1_SP800_108: *SchemeKDF1_SP800_108
  • KDFAlgorithmNull: <nil>

func (KDFSchemeU) KDF1_SP800_108 

func (s KDFSchemeU) KDF1_SP800_108() *SchemeKDF1_SP800_108

KDF1_SP800_108 returns the underlying value as *SchemeKDF1_SP800_108. It panics if the underlying type is not *SchemeKDF1_SP800_108.

func (KDFSchemeU) KDF1_SP800_56A 

func (s KDFSchemeU) KDF1_SP800_56A() *SchemeKDF1_SP800_56A

KDF1_SP800_56A returns the underlying value as *SchemeKDF1_SP800_56A. It panics if the underlying type is not *SchemeKDF1_SP800_56A.

func (KDFSchemeU) KDF2 

func (s KDFSchemeU) KDF2() *SchemeKDF2

KDF2 returns the underlying value as *SchemeKDF2. It panics if the underlying type is not *SchemeKDF2.

func (KDFSchemeU) MGF1 

func (s KDFSchemeU) MGF1() *SchemeMGF1

MGF1 returns the underlying value as *SchemeMGF1. It panics if the underlying type is not *SchemeMGF1.

func (KDFSchemeU) Select 

func (s KDFSchemeU) Select(selector reflect.Value) (reflect.Type, error)

type KeySchemeECDH 

type KeySchemeECDH SchemeHash

type KeySchemeECMQV 

type KeySchemeECMQV SchemeHash

type KeyedHashParams 

type KeyedHashParams struct {
	Scheme KeyedHashScheme // Signing method for a keyed hash signing object
}

KeyedHashParams corresponds to the TPMS_KEYEDHASH_PARMS type, and defines the public parameters for a keyedhash object.

type KeyedHashScheme 

type KeyedHashScheme struct {
	Scheme  KeyedHashSchemeId // Scheme selector
	Details SchemeKeyedHashU  `tpm2:"selector:Scheme"` // Scheme specific parameters
}

KeyedHashScheme corresponds to the TPMT_KEYEDHASH_SCHEME type.

type KeyedHashSchemeId 

type KeyedHashSchemeId AlgorithmId

KeyedHashSchemeId corresponds to the TPMI_ALG_KEYEDHASH_SCHEME type 

const (
	KeyedHashSchemeHMAC KeyedHashSchemeId = KeyedHashSchemeId(AlgorithmHMAC) // TPM_ALG_HMAC
	KeyedHashSchemeXOR  KeyedHashSchemeId = KeyedHashSchemeId(AlgorithmXOR)  // TPM_ALG_XOR
	KeyedHashSchemeNull KeyedHashSchemeId = KeyedHashSchemeId(AlgorithmNull) // TPM_ALG_NULL
)

func (KeyedHashSchemeId) Format 

func (a KeyedHashSchemeId) Format(s fmt.State, f rune)

type Label 

type Label []byte

Label corresponds to the TPM2B_LABEL type.

type Locality 

type Locality uint8

Locality corresponds to the TPMA_LOCALITY type. 

const (
	LocalityZero  Locality = 0 // TPM_LOC_ZERO
	LocalityOne   Locality = 1 // TPM_LOC_ONE
	LocalityTwo   Locality = 2 // TPM_LOC_TWO
	LocalityThree Locality = 3 // TPM_LOC_THREE
	LocalityFour  Locality = 4 // TPM_LOC_FOUR
)

type MaxBuffer 

type MaxBuffer []byte

MaxBuffer corresponds to the TPM2B_MAX_BUFFER type.

type MaxNVBuffer 

type MaxNVBuffer []byte

MaxNVBuffer corresponds to the TPM2B_MAX_NV_BUFFER type.

type NVAttributes 

type NVAttributes uint32

NVAttributes corresponds to the TPMA_NV type, and represents the attributes of a NV index. When exchanged with the TPM, some bits are reserved to encode the type of the NV index (NVType). 

const (
	AttrNVPPWrite        NVAttributes = 1 << 0  // TPMA_NV_PPWRITE
	AttrNVOwnerWrite     NVAttributes = 1 << 1  // TPMA_NV_OWNERWRITE
	AttrNVAuthWrite      NVAttributes = 1 << 2  // TPMA_NV_AUTHWRITE
	AttrNVPolicyWrite    NVAttributes = 1 << 3  // TPMA_NV_POLICY_RITE
	AttrNVPolicyDelete   NVAttributes = 1 << 10 // TPMA_NV_POLICY_DELETE
	AttrNVWriteLocked    NVAttributes = 1 << 11 // TPMA_NV_WRITELOCKED
	AttrNVWriteAll       NVAttributes = 1 << 12 // TPMA_NV_WRITEALL
	AttrNVWriteDefine    NVAttributes = 1 << 13 // TPMA_NV_WRITEDEFINE
	AttrNVWriteStClear   NVAttributes = 1 << 14 // TPMA_NV_WRITE_STCLEAR
	AttrNVGlobalLock     NVAttributes = 1 << 15 // TPMA_NV_GLOBALLOCK
	AttrNVPPRead         NVAttributes = 1 << 16 // TPMA_NV_PPREAD
	AttrNVOwnerRead      NVAttributes = 1 << 17 // TPMA_NV_OWNERREAD
	AttrNVAuthRead       NVAttributes = 1 << 18 // TPMA_NV_AUTHREAD
	AttrNVPolicyRead     NVAttributes = 1 << 19 // TPMA_NV_POLICYREAD
	AttrNVNoDA           NVAttributes = 1 << 25 // TPMA_NV_NO_DA
	AttrNVOrderly        NVAttributes = 1 << 26 // TPMA_NV_ORDERLY
	AttrNVClearStClear   NVAttributes = 1 << 27 // TPMA_NV_CLEAR_STCLEAR
	AttrNVReadLocked     NVAttributes = 1 << 28 // TPMA_NV_READLOCKED
	AttrNVWritten        NVAttributes = 1 << 29 // TPMA_NV_WRITTEN
	AttrNVPlatformCreate NVAttributes = 1 << 30 // TPMA_NV_PLATFORMCREATE
	AttrNVReadStClear    NVAttributes = 1 << 31 // TPMA_NV_READ_STCLEAR
)

func (NVAttributes) AttrsOnly 

func (a NVAttributes) AttrsOnly() NVAttributes

AttrsOnly returns the NVAttributes without the encoded NVType.

func (NVAttributes) Type 

func (a NVAttributes) Type() NVType

Type returns the NVType encoded in a NVAttributes value.

type NVCertifyInfo 

type NVCertifyInfo struct {
	IndexName  Name        // Name of the NV index
	Offset     uint16      // Offset parameter of TPMContext.NVCertify
	NVContents MaxNVBuffer // Contents of the NV index
}

NVCertifyInfo corresponds to the TPMS_NV_CERTIFY_INFO type, and is returned by TPMContext.NVCertify.

type NVPinCounterParams 

type NVPinCounterParams struct {
	Count uint32
	Limit uint32
}

NVPinCounterParams corresponds to the TPMS_NV_PIN_COUNTER_PARAMETERS type.

type NVPublic 

type NVPublic struct {
	Index      Handle          // Handle of the NV index
	NameAlg    HashAlgorithmId // NameAlg is the digest algorithm used to compute the name of the index
	Attrs      NVAttributes    // Attributes of this index
	AuthPolicy Digest          // Authorization policy for this index
	Size       uint16          // Size of this index
}

NVPublic corresponds to the TPMS_NV_PUBLIC type, which describes a NV index.

func (*NVPublic) Name 

func (p *NVPublic) Name() (Name, error)

Name computes the name of this NV index

type NVType 

type NVType uint32

NVType corresponds to the TPM_NT type. 

const (
	NVTypeOrdinary NVType = 0 // TPM_NT_ORDINARY
	NVTypeCounter  NVType = 1 // TPM_NT_COUNTER
	NVTypeBits     NVType = 2 // TPM_NT_BITS
	NVTypeExtend   NVType = 4 // TPM_NT_EXTEND
	NVTypePinFail  NVType = 8 // TPM_NT_PIN_FAIL
	NVTypePinPass  NVType = 9 // TPM_NT_PIN_PASS
)

func (NVType) WithAttrs 

func (t NVType) WithAttrs(attrs NVAttributes) NVAttributes

WithAttrs returns NVAttributes for this type with the specified attributes set.

type Name 

type Name []byte

Name corresponds to the TPM2B_NAME type.

func (Name) Algorithm 

func (n Name) Algorithm() HashAlgorithmId

Algorithm returns the digest algorithm of the name, if it contains a digest. If the name does not contain a digest, HashAlgorithmNull will be returned.

func (Name) Digest 

func (n Name) Digest() Digest

Digest returns the name as a digest, without the algorithm identifier. If it doesn't contain a digest, it will panic.

func (Name) Handle 

func (n Name) Handle() Handle

Handle returns the handle of the resource that this name corresponds to. If it does not contain a handle, it will panic.

func (Name) IsHandle 

func (n Name) IsHandle() bool

IsHandle returns true if the name contains a handle.

type Nonce 

type Nonce Digest

Nonce corresponds to the TPM2B_NONCE type.

type ObjectAttributes 

type ObjectAttributes uint32

ObjectAttributes corresponds to the TPMA_OBJECT type, and represents the attributes for an object. 

const (
	AttrFixedTPM             ObjectAttributes = 1 << 1  // fixedTPM
	AttrStClear              ObjectAttributes = 1 << 2  // stClear
	AttrFixedParent          ObjectAttributes = 1 << 4  // fixedParent
	AttrSensitiveDataOrigin  ObjectAttributes = 1 << 5  // sensitiveDataOrigin
	AttrUserWithAuth         ObjectAttributes = 1 << 6  // userWithAuth
	AttrAdminWithPolicy      ObjectAttributes = 1 << 7  // adminWithPolicy
	AttrNoDA                 ObjectAttributes = 1 << 10 // noDA
	AttrEncryptedDuplication ObjectAttributes = 1 << 11 // encryptedDuplication
	AttrRestricted           ObjectAttributes = 1 << 16 // restricted
	AttrDecrypt              ObjectAttributes = 1 << 17 // decrypt
	AttrSign                 ObjectAttributes = 1 << 18 // sign
)

type ObjectTypeId 

type ObjectTypeId AlgorithmId

ObjectTypeId corresponds to the TPMI_ALG_PUBLIC type. 

const (
	ObjectTypeRSA       ObjectTypeId = ObjectTypeId(AlgorithmRSA)       // TPM_ALG_RSA
	ObjectTypeKeyedHash ObjectTypeId = ObjectTypeId(AlgorithmKeyedHash) // TPM_ALG_KEYEDHASH
	ObjectTypeECC       ObjectTypeId = ObjectTypeId(AlgorithmECC)       // TPM_ALG_ECC
	ObjectTypeSymCipher ObjectTypeId = ObjectTypeId(AlgorithmSymCipher) // TPM_ALG_SYMCIPHER
)

func (ObjectTypeId) Format 

func (a ObjectTypeId) Format(s fmt.State, f rune)

type Operand 

type Operand Digest

Operand corresponds to the TPM2B_OPERAND type.

type PCRSelection 

type PCRSelection struct {
	Hash   HashAlgorithmId  // Hash is the digest algorithm associated with the selection
	Select PCRSelectionData // The selected PCRs
}

PCRSelection corresponds to the TPMS_PCR_SELECTION type.

type PCRSelectionData 

type PCRSelectionData []int

PCRSelectionData is a list of PCR indexes. It is marshalled to and from the TPMS_PCR_SELECT type, which is a bitmap of the PCR indexes contained within this list.

func (*PCRSelectionData) Marshal 

func (d *PCRSelectionData) Marshal(buf io.Writer) error

func (*PCRSelectionData) Unmarshal 

func (d *PCRSelectionData) Unmarshal(buf io.Reader) error

type PCRSelectionList 

type PCRSelectionList []PCRSelection

PCRSelectionList is a slice of PCRSelection values, and corresponds to the TPML_PCR_SELECTION type.

type PCRValues 

type PCRValues map[HashAlgorithmId]map[int]Digest

PCRValues contains a collection of PCR values, keyed by AlgorithmId and PCR index.

func (PCRValues) EnsureBank 

func (v PCRValues) EnsureBank(alg HashAlgorithmId)

EnsureBank initializes a map of PCR indices to PCR values for the specified algorithm if one doesn't exist already.

type PermanentAttributes 

type PermanentAttributes uint32

PermanentAttributes corresponds to the TPMA_PERMANENT type and is returned when querying the value of PropertyPermanent with TPMContext.GetCapabilityTPMProperties. 

const (
	AttrOwnerAuthSet       PermanentAttributes = 1 << 0  // ownerAuthSet
	AttrEndorsementAuthSet PermanentAttributes = 1 << 1  // endorsementAuthSet
	AttrLockoutAuthSet     PermanentAttributes = 1 << 2  // lockoutAuthSet
	AttrDisableClear       PermanentAttributes = 1 << 8  // disableClear
	AttrInLockout          PermanentAttributes = 1 << 9  // inLockout
	AttrTPMGeneratedEPS    PermanentAttributes = 1 << 10 // tpmGeneratedEPS
)

type PlatformCommandError 

type PlatformCommandError struct {
	Code uint32
	// contains filtered or unexported fields
}

PlatformCommandError corresponds to an error code in response to a platform command executed on a TPM simulator.

func (PlatformCommandError) Error 

func (e PlatformCommandError) Error() string

type Private 

type Private []byte

Private corresponds to the TPM2B_PRIVATE type.

type PrivateKeyRSA 

type PrivateKeyRSA []byte

PrivateKeyRSA corresponds to the TPM2B_PRIVATE_KEY_RSA type.

type PrivateVendorSpecific 

type PrivateVendorSpecific []byte

PrivateVendorSpecific corresponds to the TPM2B_PRIVATE_VENDOR_SPECIFIC type.

type Property 

type Property uint32

Property corresponds to the TPM_PT type. 

const (
	// These constants represent properties that only change when the firmware in the TPM changes.
	PropertyFamilyIndicator   Property = 0x100 // TPM_PT_FAMILY_INDICATOR
	PropertyLevel             Property = 0x101 // TPM_PT_LEVEL
	PropertyRevision          Property = 0x102 // TPM_PT_REVISION
	PropertyDayOfYear         Property = 0x103 // TPM_PT_DAY_OF_YEAR
	PropertyYear              Property = 0x104 // TPM_PT_YEAR
	PropertyManufacturer      Property = 0x105 // TPM_PT_MANUFACTURER
	PropertyVendorString1     Property = 0x106 // TPM_PT_VENDOR_STRING_1
	PropertyVendorString2     Property = 0x107 // TPM_PT_VENDOR_STRING_2
	PropertyVendorString3     Property = 0x108 // TPM_PT_VENDOR_STRING_3
	PropertyVendorString4     Property = 0x109 // TPM_PT_VENDOR_STRING_4
	PropertyVendorTPMType     Property = 0x10a // TPM_PT_VENDOR_TPM_TYPE
	PropertyFirmwareVersion1  Property = 0x10b // TPM_PT_FIRMWARE_VERSION_1
	PropertyFirmwareVersion2  Property = 0x10c // TPM_PT_FIRMWARE_VERSION_2
	PropertyInputBuffer       Property = 0x10d // TPM_PT_INPUT_BUFFER
	PropertyHRTransientMin    Property = 0x10e // TPM_PT_HR_TRANSIENT_MIN
	PropertyHRPersistentMin   Property = 0x10f // TPM_PT_HR_PERSISTENT_MIN
	PropertyHRLoadedMin       Property = 0x110 // TPM_PT_HR_LOADED_MIN
	PropertyActiveSessionsMax Property = 0x111 // TPM_PT_ACTIVE_SESSIONS_MAX
	PropertyPCRCount          Property = 0x112 // TPM_PT_PCR_COUNT
	PropertyPCRSelectMin      Property = 0x113 // TPM_PT_PCR_SELECT_MIN
	PropertyContextGapMax     Property = 0x114 // TPM_PT_CONTEXT_GAP_MAX
	PropertyNVCountersMax     Property = 0x116 // TPM_PT_NV_COUNTERS_MAX
	PropertyNVIndexMax        Property = 0x117 // TPM_PT_NV_INDEX_MAX
	PropertyMemory            Property = 0x118 // TPM_PT_MEMORY
	PropertyClockUpdate       Property = 0x119 // TPM_PT_CLOCK_UPDATE
	PropertyContextHash       Property = 0x11a // TPM_PT_CONTEXT_HASH
	PropertyContextSym        Property = 0x11b // TPM_PT_CONTEXT_SYM
	PropertyContextSymSize    Property = 0x11c // TPM_PT_CONTEXT_SYM_SIZE
	PropertyOrderlyCount      Property = 0x11d // TPM_PT_ORDERLY_COUNT
	PropertyMaxCommandSize    Property = 0x11e // TPM_PT_MAX_COMMAND_SIZE
	PropertyMaxResponseSize   Property = 0x11f // TPM_PT_MAX_RESPONSE_SIZE
	PropertyMaxDigest         Property = 0x120 // TPM_PT_MAX_DIGEST
	PropertyMaxObjectContext  Property = 0x121 // TPM_PT_MAX_OBJECT_CONTEXT
	PropertyMaxSessionContext Property = 0x122 // TPM_PT_MAX_SESSION_CONTEXT
	PropertyPSFamilyIndicator Property = 0x123 // TPM_PT_PS_FAMILY_INDICATOR
	PropertyPSLevel           Property = 0x124 // TPM_PT_PS_LEVEL
	PropertyPSRevision        Property = 0x125 // TPM_PT_PS_REVISION
	PropertyPSDayOfYear       Property = 0x126 // TPM_PT_PS_DAY_OF_YEAR
	PropertyPSYear            Property = 0x127 // TPM_PT_PS_YEAR
	PropertySplitMax          Property = 0x128 // TPM_PT_SPLIT_MAX
	PropertyTotalCommands     Property = 0x129 // TPM_PT_TOTAL_COMMANDS
	PropertyLibraryCommands   Property = 0x12a // TPM_PT_LIBRARY_COMMANDS
	PropertyVendorCommands    Property = 0x12b // TPM_PT_VENDOR_COMMANDS
	PropertyNVBufferMax       Property = 0x12c // TPM_PT_NV_BUFFER_MAX
	PropertyModes             Property = 0x12d // TPM_PT_MODES
	PropertyMaxCapBuffer      Property = 0x12e // TPM_PT_MAX_CAP_BUFFER

	PropertyFixed Property = PropertyFamilyIndicator
)
const (
	// These constants represent properties that change for reasons other than a firmware upgrade. Some of
	// them may not persist across power cycles.
	PropertyPermanent         Property = 0x200 // TPM_PT_PERMANENT
	PropertyStartupClear      Property = 0x201 // TPM_PT_STARTUP_CLEAR
	PropertyHRNVIndex         Property = 0x202 // TPM_PT_HR_NV_INDEX
	PropertyHRLoaded          Property = 0x203 // TPM_PT_HR_LOADED
	PropertyHRLoadedAvail     Property = 0x204 // TPM_PT_HR_LOADED_AVAIL
	PropertyHRActive          Property = 0x205 // TPM_PT_HR_ACTIVE
	PropertyHRActiveAvail     Property = 0x206 // TPM_PT_HR_ACTIVE_AVAIL
	PropertyHRTransientAvail  Property = 0x207 // TPM_PT_HR_TRANSIENT_AVAIL
	PropertyHRPersistent      Property = 0x208 // TPM_PT_HR_PERSISTENT
	PropertyHRPersistentAvail Property = 0x209 // TPM_PT_HR_PERSISTENT_AVAIL
	PropertyNVCounters        Property = 0x20a // TPM_PT_NV_COUNTERS
	PropertyNVCountersAvail   Property = 0x20b // TPM_PT_NV_COUNTERS_AVAIL
	PropertyAlgorithmSet      Property = 0x20c // TPM_PT_ALGORITHM_SET
	PropertyLoadedCurves      Property = 0x20d // TPM_PT_LOADED_CURVES
	PropertyLockoutCounter    Property = 0x20e // TPM_PT_LOCKOUT_COUNTER
	PropertyMaxAuthFail       Property = 0x20f // TPM_PT_MAX_AUTH_FAIL
	PropertyLockoutInterval   Property = 0x210 // TPM_PT_LOCKOUT_INTERVAL
	PropertyLockoutRecovery   Property = 0x211 // TPM_PT_LOCKOUT_RECOVERY
	PropertyNVWriteRecovery   Property = 0x212 // TPM_PT_NV_WRITE_RECOVERY
	PropertyAuditCounter0     Property = 0x213 // TPM_PT_AUDIT_COUNTER_0
	PropertyAuditCounter1     Property = 0x214 // TPM_PT_AUDIT_COUNTER_1

	PropertyVar Property = PropertyPermanent
)

type PropertyPCR 

type PropertyPCR uint32

PropertyPCR corresponds to the TPM_PT_PCR type. 

const (
	PropertyPCRSave        PropertyPCR = 0x00 // TPM_PT_PCR_SAVE
	PropertyPCRExtendL0    PropertyPCR = 0x01 // TPM_PT_PCR_EXTEND_L0
	PropertyPCRResetL0     PropertyPCR = 0x02 // TPM_PT_PCR_RESET_L0
	PropertyPCRExtendL1    PropertyPCR = 0x03 // TPM_PT_PCR_EXTEND_L1
	PropertyPCRResetL1     PropertyPCR = 0x04 // TPM_PT_PCR_RESET_L1
	PropertyPCRExtendL2    PropertyPCR = 0x05 // TPM_PT_PCR_EXTEND_L2
	PropertyPCRResetL2     PropertyPCR = 0x06 // TPM_PT_PCR_RESET_L2
	PropertyPCRExtendL3    PropertyPCR = 0x07 // TPM_PT_PCR_EXTEND_L3
	PropertyPCRResetL3     PropertyPCR = 0x08 // TPM_PT_PCR_RESET_L3
	PropertyPCRExtendL4    PropertyPCR = 0x09 // TPM_PT_PCR_EXTEND_L4
	PropertyPCRResetL4     PropertyPCR = 0x0a // TPM_PT_PCR_RESET_L4
	PropertyPCRNoIncrement PropertyPCR = 0x11 // TPM_PT_PCR_NO_INCREMENT
	PropertyPCRDRTMReset   PropertyPCR = 0x12 // TPM_PT_PCR_DRTM_RESET
	PropertyPCRPolicy      PropertyPCR = 0x13 // TPM_PT_PCR_POLICY
	PropertyPCRAuth        PropertyPCR = 0x14 // TPM_PT_PCR_AUTH

	PropertyPCRFirst PropertyPCR = PropertyPCRSave
)

type Public 

type Public struct {
	Type       ObjectTypeId     // Type of this object
	NameAlg    HashAlgorithmId  // NameAlg is the algorithm used to compute the name of this object
	Attrs      ObjectAttributes // Object attributes
	AuthPolicy Digest           // Authorization policy for this object
	Params     PublicParamsU    `tpm2:"selector:Type"` // Type specific parameters
	Unique     PublicIDU        `tpm2:"selector:Type"` // Type specific unique identifier
}

Public corresponds to the TPMT_PUBLIC type, and defines the public area for an object.

func (*Public) Name 

func (p *Public) Name() (Name, error)

Name computes the name of this object

func (*Public) ToTemplate 

func (p *Public) ToTemplate() (Template, error)

type PublicDerived 

type PublicDerived struct {
	Type       ObjectTypeId     // Type of this object
	NameAlg    HashAlgorithmId  // NameAlg is the algorithm used to compute the name of this object
	Attrs      ObjectAttributes // Object attributes
	AuthPolicy Digest           // Authorization policy for this object
	Params     PublicParamsU    `tpm2:"selector:Type"` // Type specific parameters

	// Unique contains the derivation values. These take precedence over any values specified in SensitiveCreate.Data when creating a
	// derived object,
	Unique *Derive
}

PublicDerived is similar to Public but can be used as a template to create a derived object with TPMContext.CreateLoaded

func (*PublicDerived) Name 

func (p *PublicDerived) Name() (Name, error)

Name computes the name of this object

func (*PublicDerived) ToTemplate 

func (p *PublicDerived) ToTemplate() (Template, error)

type PublicIDU 

type PublicIDU struct {
	Data interface{}
}

PublicIDU is a fake union type that corresponds to the TPMU_PUBLIC_ID type. The selector type is ObjectTypeId. Valid types for Data for each selector value are:

  • ObjectTypeRSA: PublicKeyRSA
  • ObjectTypeKeyedHash: Digest
  • ObjectTypeECC: *ECCPoint
  • ObjectTypeSymCipher: Digest

func (PublicIDU) ECC 

func (p PublicIDU) ECC() *ECCPoint

ECC returns the underlying value as *ECCPoint. It panics if the underlying type is not *ECCPoint.

func (PublicIDU) KeyedHash 

func (p PublicIDU) KeyedHash() Digest

KeyedHash returns the underlying value as Digest. It panics if the underlying type is not Digest.

func (PublicIDU) RSA 

func (p PublicIDU) RSA() PublicKeyRSA

RSA returns the underlying value as PublicKeyRSA. It panics if the underlying type is not PublicKeyRSA.

func (PublicIDU) Select 

func (p PublicIDU) Select(selector reflect.Value) (reflect.Type, error)

func (PublicIDU) Sym 

func (p PublicIDU) Sym() Digest

Sym returns the underlying value as Digest. It panics if the underlying type is not Digest.

type PublicKeyRSA 

type PublicKeyRSA []byte

PublicKeyRSA corresponds to the TPM2B_PUBLIC_KEY_RSA type.

type PublicParams 

type PublicParams struct {
	Type       ObjectTypeId  // Type specifier
	Parameters PublicParamsU `tpm2:"selector:Type"` // Algorithm details
}

PublicParams corresponds to the TPMT_PUBLIC_PARMS type.

type PublicParamsU 

type PublicParamsU struct {
	Data interface{}
}

PublicParamsU is a fake union type that corresponds to the TPMU_PUBLIC_PARMS type. The selector type is ObjectTypeId. Valid types for Data for each selector value are:

  • ObjectTypeRSA: *RSAParams
  • ObjectTypeKeyedHash: *KeyedHashParams
  • ObjectTypeECC: *ECCParams
  • ObjectTypeSymCipher: *SymCipherParams

func (PublicParamsU) AsymDetail 

func (p PublicParamsU) AsymDetail() *AsymParams

AsymDetail returns the underlying value as *AsymParams. It panics if the underlying type is not *RSAParams or *ECCParams.

func (PublicParamsU) ECCDetail 

func (p PublicParamsU) ECCDetail() *ECCParams

ECCDetail returns the underlying value as *ECCParams. It panics if the underlying type is not *ECCParams.

func (PublicParamsU) KeyedHashDetail 

func (p PublicParamsU) KeyedHashDetail() *KeyedHashParams

KeyedHashDetail returns the underlying value as *KeyedHashParams. It panics if the underlying type is not *KeyedHashParams.

func (PublicParamsU) RSADetail 

func (p PublicParamsU) RSADetail() *RSAParams

RSADetail returns the underlying value as *RSAParams. It panics if the underlying type is not *RSAParams.

func (PublicParamsU) Select 

func (p PublicParamsU) Select(selector reflect.Value) (reflect.Type, error)

func (PublicParamsU) SymDetail 

func (p PublicParamsU) SymDetail() *SymCipherParams

SymDetail returns the underlying value as *SymCipherParams. It panics if the underlying type is not *SymCipherParams.

type PublicTemplate 

type PublicTemplate interface {
	ToTemplate() (Template, error)
}

PublicTemplate exists to allow either Public or PublicDerived structures to be used as the template value for TPMContext.CreateLoaded.

type QuoteInfo 

type QuoteInfo struct {
	PCRSelect PCRSelectionList // PCRs included in PCRDigest
	PCRDigest Digest           // Digest of the selected PCRs, using the hash algorithm of the signing key
}

QuoteInfo corresponds to the TPMS_QUOTE_INFO type, and is returned by TPMContext.Quote.

type RSAParams 

type RSAParams struct {
	Symmetric SymDefObject // Symmetric algorithm for a restricted decrypt key.
	// For an unrestricted signing key: AlgorithmRSAPSS, AlgorithmRSASSA or AlgorithmNull.
	// For a restricted signing key: AlgorithmRSAPSS or AlgorithmRSASSA.
	// For an unrestricted decrypt key: AlgorithmRSAES, AlgorithmOAEP or AlgorithmNull.
	// For a restricted decrypt key: AlgorithmNull.
	Scheme   RSAScheme
	KeyBits  uint16 // Number of bits in the public modulus
	Exponent uint32 // Public exponent. When the value is zero, the exponent is 65537
}

RSAParams corresponds to the TPMS_RSA_PARMS type, and defines the public parameters for an RSA key.

type RSAScheme 

type RSAScheme struct {
	Scheme  RSASchemeId // Scheme selector
	Details AsymSchemeU `tpm2:"selector:Scheme"` // Scheme specific parameters.
}

RSAScheme corresponds to the TPMT_RSA_SCHEME type.

type RSASchemeId 

type RSASchemeId AsymSchemeId

RSASchemeId corresponds to the TPMI_ALG_RSA_SCHEME type. 

const (
	RSASchemeNull   RSASchemeId = RSASchemeId(AlgorithmNull)   // TPM_ALG_NULL
	RSASchemeRSASSA RSASchemeId = RSASchemeId(AlgorithmRSASSA) // TPM_ALG_RSASSA
	RSASchemeRSAES  RSASchemeId = RSASchemeId(AlgorithmRSAES)  // TPM_ALG_RSAES
	RSASchemeRSAPSS RSASchemeId = RSASchemeId(AlgorithmRSAPSS) // TPM_ALG_RSAPSS
	RSASchemeOAEP   RSASchemeId = RSASchemeId(AlgorithmOAEP)   // TPM_ALG_OAEP
)

func (RSASchemeId) Format 

func (a RSASchemeId) Format(s fmt.State, f rune)

type RawBytes 

type RawBytes []byte

RawBytes is a special byte slice type which is marshalled and unmarshalled without a size field. The slice must be pre-allocated to the correct length by the caller during unmarshalling.

type ResourceContext 

type ResourceContext interface {
	HandleContext

	// SetAuthValue sets the authorization value that will be used in authorization roles where knowledge of the authorization
	// value is required. Functions that create resources on the TPM and return a ResourceContext will set this automatically,
	// else it will need to be set manually.
	SetAuthValue([]byte)
}

ResourceContext is a HandleContext that corresponds to a non-session entity on the TPM.

func CreateNVIndexResourceContextFromPublic 

func CreateNVIndexResourceContextFromPublic(pub *NVPublic) (ResourceContext, error)

CreateNVIndexResourceContextFromPublic returns a new ResourceContext created from the provided public area. If subsequent use of the returned ResourceContext requires knowledge of the authorization value of the corresponding TPM resource, this should be provided by calling ResourceContext.SetAuthValue.

func CreateObjectResourceContextFromPublic 

func CreateObjectResourceContextFromPublic(handle Handle, pub *Public) (ResourceContext, error)

CreateObjectResourceContextFromPublic returns a new ResourceContext created from the provided public area. If subsequent use of the returned ResourceContext requires knowledge of the authorization value of the corresponding TPM resource, this should be provided by calling ResourceContext.SetAuthValue.

type ResourceContextWithSession 

type ResourceContextWithSession struct {
	Context ResourceContext
	Session SessionContext
}

ResourceContextWithAuth associates a ResourceContext with a session for authorization, and is provided to TPMContext.RunCommand in the command handle area for any handles that require an authorization.

type ResourceUnavailableError 

type ResourceUnavailableError struct {
	Handle Handle
}

ResourceUnavailableError is returned from TPMContext.GetOrCreateResourceContext or TPMContext.GetOrCreateSessionContext if it is called with a handle that does not correspond to a resource that is available on the TPM. This could be because the resource doesn't exist on the TPM, or it lives within a hierarchy that is disabled.

func (ResourceUnavailableError) Error 

func (e ResourceUnavailableError) Error() string

type ResponseCode 

type ResponseCode uint32

ResponseCode corresponds to the TPM_RC type. 

const (
	Success ResponseCode = 0
)

type SchemeECDAA 

type SchemeECDAA struct {
	HashAlg HashAlgorithmId // Hash algorithm used to digest the message
	Count   uint16
}

SchemeECDAA corresponds to the TPMS_SCHEME_ECDAA type.

type SchemeHMAC 

type SchemeHMAC SchemeHash

SchemeHMAC corresponds to the TPMS_SCHEME_HMAC type.

type SchemeHash 

type SchemeHash struct {
	HashAlg HashAlgorithmId // Hash algorithm used to digest the message
}

SchemeHash corresponds to the TPMS_SCHEME_HASH type, and is used for schemes that only require a hash algorithm to complete their definition.

type SchemeKDF1_SP800_108 

type SchemeKDF1_SP800_108 SchemeHash

type SchemeKDF1_SP800_56A 

type SchemeKDF1_SP800_56A SchemeHash

type SchemeKDF2 

type SchemeKDF2 SchemeHash

type SchemeKeyedHashU 

type SchemeKeyedHashU struct {
	Data interface{}
}

SchemeKeyedHashU is a fake union type that corresponds to the TPMU_SCHEME_KEYED_HASH type. The selector type is KeyedHashSchemeId. Valid types for Data for each selector value are:

  • KeyedHashSchemeHMAC: *SchemeHMAC
  • KeyedHashSchemeXOR: *SchemeXOR
  • KeyedHashSchemeNull: <nil>

func (SchemeKeyedHashU) HMAC 

func (d SchemeKeyedHashU) HMAC() *SchemeHMAC

HMAC returns the underlying value as *SchemeHMAC. It panics if the underlying type is not *SchemeHMAC.

func (SchemeKeyedHashU) Select 

func (d SchemeKeyedHashU) Select(selector reflect.Value) (reflect.Type, error)

func (SchemeKeyedHashU) XOR 

func (d SchemeKeyedHashU) XOR() *SchemeXOR

XOR returns the underlying value as *SchemeXOR. It panics if the underlying type is not *SchemeXOR.

type SchemeMGF1 

type SchemeMGF1 SchemeHash

type SchemeXOR 

type SchemeXOR struct {
	HashAlg HashAlgorithmId // Hash algorithm used to digest the message
	KDF     KDFAlgorithmId  // Hash algorithm used for the KDF
}

SchemeXOR corresponds to the TPMS_SCHEME_XOR type, and is used to define the XOR encryption scheme.

type Sensitive 

type Sensitive struct {
	Type      ObjectTypeId        // Same as the corresponding Type in the Public object
	AuthValue Auth                // Authorization value
	SeedValue Digest              // For a parent object, the seed value for protecting descendant objects
	Sensitive SensitiveCompositeU `tpm2:"selector:Type"` // Type specific private data
}

Sensitive corresponds to the TPMT_SENSITIVE type.

type SensitiveCompositeU 

type SensitiveCompositeU struct {
	Data interface{}
}

SensitiveCompositeU is a fake union type that corresponds to the TPMU_SENSITIVE_COMPOSITE type. The selector type is ObjectTypeId. Valid types for Data for each selector value are:

  • ObjectTypeRSA: PrivateKeyRSA
  • ObjectTypeECC: ECCParameter
  • ObjectTypeKeyedHash: SensitiveData
  • ObjectTypeSymCipher: SymKey

func (SensitiveCompositeU) Any 

func (s SensitiveCompositeU) Any() PrivateVendorSpecific

Any returns the underlying value as PrivateVendorSpecific. It panics if the underlying type is not convertible to PrivateVendorSpecific.

func (SensitiveCompositeU) Bits 

func (s SensitiveCompositeU) Bits() SensitiveData

Bits returns the underlying value as SensitiveData. It panics if the underlying type is not SensitiveData.

func (SensitiveCompositeU) ECC 

func (s SensitiveCompositeU) ECC() ECCParameter

ECC returns the underlying value as ECCParameter. It panics if the underlying type is not ECCParameter.

func (SensitiveCompositeU) RSA 

func (s SensitiveCompositeU) RSA() PrivateKeyRSA

RSA returns the underlying value as PrivateKeyRSA. It panics if the underlying type is not PrivateKeyRSA.

func (SensitiveCompositeU) Select 

func (s SensitiveCompositeU) Select(selector reflect.Value) (reflect.Type, error)

func (SensitiveCompositeU) Sym 

func (s SensitiveCompositeU) Sym() SymKey

Sym returns the underlying value as SymKey. It panics if the underlying type is not SymKey.

type SensitiveCreate 

type SensitiveCreate struct {
	UserAuth Auth          // Authorization value
	Data     SensitiveData // Secret data
}

SensitiveCreate corresponds to the TPMS_SENSITIVE_CREATE type and is used to define the values to be placed in the sensitive area of a created object.

type SensitiveData 

type SensitiveData []byte

SensitiveData corresponds to the TPM2B_SENSITIVE_DATA type.

type SessionAttributes 

type SessionAttributes int

SessionAttributes is a set of flags that specify the usage and behaviour of a session. 

const (
	// AttrContinueSession specifies that the session should not be flushed from the TPM after it is used. If a session is used without
	// this flag, it will be flushed from the TPM after the command completes. In this case, the HandleContext associated with the
	// session will be invalidated.
	AttrContinueSession SessionAttributes = 1 << iota

	// AttrAuditExclusive indicates that the session should be used for auditing and that the command should only be executed if the
	// session is exclusive at the start of the command. A session becomes exclusive when it is used for auditing for the first time,
	// or if the AttrAuditReset attribute is provided. A session will remain exclusive until the TPM executes any command where the
	// exclusive session isn't used for auditing, if that command allows for audit sessions to be provided.
	AttrAuditExclusive

	// AttrAuditReset indicates that the session should be used for auditing and that the audit digest of the session should be reset.
	// The session will subsequently become exclusive. A session will remain exclusive until the TPM executes any command where the
	// exclusive session isn't used for auditing, if that command allows for audit sessions to be provided.
	AttrAuditReset

	// AttrCommandEncrypt specifies that the session should be used for encryption of the first command parameter before being sent
	// from the host to the TPM. This can only be used for parameters that have types corresponding to TPM2B prefixed TCG types,
	// and requires a session that was configured with a valid symmetric algorithm via the symmetric argument of
	// TPMContext.StartAuthSession.
	AttrCommandEncrypt

	// AttrResponseEncrypt specifies that the session should be used for encryption of the first response parameter before being sent
	// from the TPM to the host. This can only be used for parameters that have types corresponding to TPM2B prefixed TCG types, and
	// requires a session that was configured with a valid symmetric algorithm via the symmetric argument of TPMContext.StartAuthSession.
	// This package automatically decrypts the received encrypted response parameter.
	AttrResponseEncrypt

	// AttrAudit indicates that the session should be used for auditing. If this is the first time that the session is used for auditing,
	// then this attribute will result in the session becoming exclusive. A session will remain exclusive until the TPM executes any
	// command where the exclusive session isn't used for auditing, if that command allows for audit sessions to be provided.
	AttrAudit
)

type SessionAuditInfo 

type SessionAuditInfo struct {
	// ExclusiveSession indicates the current exclusive status of the session. It is true if all of the commands recorded in
	// SessionDigest were executed without any intervening commands that did not use
	// the audit session.
	ExclusiveSession bool
	SessionDigest    Digest // Current value of the session audit digest
}

SessionAuditInfo corresponds to the TPMS_SESSION_AUDIT_INFO type, and is returned by TPMContext.GetSessionAuditDigest.

type SessionContext 

type SessionContext interface {
	HandleContext
	NonceTPM() Nonce   // The most recent TPM nonce value
	IsAudit() bool     // Whether the session has been used for audit
	IsExclusive() bool // Whether the most recent response from the TPM indicated that the session is exclusive for audit purposes

	SetAttrs(attrs SessionAttributes)                 // Set the attributes that will be used for this SessionContext
	WithAttrs(attrs SessionAttributes) SessionContext // Return a duplicate of this SessionContext with the specified attributes

	// IncludeAttrs returns a duplicate of this SessionContext and its attributes with the specified attributes included.
	IncludeAttrs(attrs SessionAttributes) SessionContext
	// ExcludeAttrs returns a duplicate of this SessionContext and its attributes with the specified attributes excluded.
	ExcludeAttrs(attrs SessionAttributes) SessionContext
}

SessionContext is a HandleContext that corresponds to a session on the TPM.

func CreateIncompleteSessionContext 

func CreateIncompleteSessionContext(handle Handle) SessionContext

CreateIncompleteSessionContext creates and returns a new SessionContext for the specified handle. The returned SessionContext will not be complete and the session associated with it cannot be used in any command other than TPMContext.FlushContext.

This function will panic if handle doesn't correspond to a session.

type SessionType 

type SessionType uint8

SessionType corresponds to the TPM_SE type. 

const (
	SessionTypeHMAC   SessionType = 0x00 // TPM_SE_HMAC
	SessionTypePolicy SessionType = 0x01 // TPM_SE_POLICY
	SessionTypeTrial  SessionType = 0x03 // TPM_SE_TRIAL
)

type SigScheme 

type SigScheme struct {
	Scheme  SigSchemeId // Scheme selector
	Details SigSchemeU  `tpm2:"selector:Scheme"` // Scheme specific parameters
}

SigScheme corresponds to the TPMT_SIG_SCHEME type.

type SigSchemeECDAA 

type SigSchemeECDAA SchemeECDAA

type SigSchemeECDSA 

type SigSchemeECDSA SchemeHash

type SigSchemeECSCHNORR 

type SigSchemeECSCHNORR SchemeHash

type SigSchemeId 

type SigSchemeId AlgorithmId

SigSchemeId corresponds to the TPMI_ALG_SIG_SCHEME type 

const (
	SigSchemeAlgHMAC      SigSchemeId = SigSchemeId(AlgorithmHMAC)      // TPM_ALG_HMAC
	SigSchemeAlgNull      SigSchemeId = SigSchemeId(AlgorithmNull)      // TPM_ALG_NULL
	SigSchemeAlgRSASSA    SigSchemeId = SigSchemeId(AlgorithmRSASSA)    // TPM_ALG_RSASSA
	SigSchemeAlgRSAPSS    SigSchemeId = SigSchemeId(AlgorithmRSAPSS)    // TPM_ALG_RSAPSS
	SigSchemeAlgECDSA     SigSchemeId = SigSchemeId(AlgorithmECDSA)     // TPM_ALG_ECDSA
	SigSchemeAlgECDAA     SigSchemeId = SigSchemeId(AlgorithmECDAA)     // TPM_ALG_ECDAA
	SigSchemeAlgSM2       SigSchemeId = SigSchemeId(AlgorithmSM2)       // TPM_ALG_SM2
	SigSchemeAlgECSCHNORR SigSchemeId = SigSchemeId(AlgorithmECSCHNORR) // TPM_ALG_ECSCHNORR
)

func (SigSchemeId) Format 

func (a SigSchemeId) Format(s fmt.State, f rune)

type SigSchemeRSAPSS 

type SigSchemeRSAPSS SchemeHash

type SigSchemeRSASSA 

type SigSchemeRSASSA SchemeHash

type SigSchemeSM2 

type SigSchemeSM2 SchemeHash

type SigSchemeU 

type SigSchemeU struct {
	Data interface{}
}

SigSchemeU is a fake union type that corresponds to the TPMU_SIG_SCHEME type. The selector type is SigSchemeId. Valid types for Data for each selector value are:

  • SigSchemeAlgRSASSA: *SigSchemeRSASSA
  • SigSchemeAlgRSAPSS: *SigSchemeRSAPSS
  • SigSchemeAlgECDSA: *SigSchemeECDSA
  • SigSchemeAlgECDAA: *SigSchemeECDAA
  • SigSchemeAlgSM2: *SigSchemeSM2
  • SigSchemeAlgECSCHNORR: *SigSchemeECSCHNORR
  • SigSchemeAlgHMAC: *SigSchemeHMAC
  • SigSchemeAlgNull: <nil>

func (SigSchemeU) Any 

func (s SigSchemeU) Any() *SchemeHash

Any returns the underlying value as *SchemeHash. It panics if the underlying type is not convertible to *SchemeHash.

func (SigSchemeU) ECDAA 

func (s SigSchemeU) ECDAA() *SigSchemeECDAA

ECDAA returns the underlying value as *SigSchemeECDAA. It panics if the underlying type is not *SigSchemeECDAA

func (SigSchemeU) ECDSA 

func (s SigSchemeU) ECDSA() *SigSchemeECDSA

ECDSA returns the underlying value as *SigSchemeECDSA. It panics if the underlying type is not *SigSchemeECDSA

func (SigSchemeU) ECSCHNORR 

func (s SigSchemeU) ECSCHNORR() *SigSchemeECSCHNORR

ECSCHNORR returns the underlying value as *SigSchemeECSCHNORR. It panics if the underlying type is not *SigSchemeECSCHNORR

func (SigSchemeU) HMAC 

func (s SigSchemeU) HMAC() *SchemeHMAC

HMAC returns the underlying value as *SchemeHMAC. It panics if the underlying type is not *SchemeHMAC

func (SigSchemeU) RSAPSS 

func (s SigSchemeU) RSAPSS() *SigSchemeRSAPSS

RSAPSS returns the underlying value as *SigSchemeRSAPSS. It panics if the underlying type is not *SigSchemeRSAPSS

func (SigSchemeU) RSASSA 

func (s SigSchemeU) RSASSA() *SigSchemeRSASSA

RSASSA returns the underlying value as *SigSchemeRSASSA. It panics if the underlying type is not *SigSchemeRSASSA

func (SigSchemeU) SM2 

func (s SigSchemeU) SM2() *SigSchemeSM2

SM2 returns the underlying value as *SigSchemeSM2. It panics if the underlying type is not *SigSchemeSM2

func (SigSchemeU) Select 

func (s SigSchemeU) Select(selector reflect.Value) (reflect.Type, error)

type Signature 

type Signature struct {
	SigAlg    SigSchemeId // Signature algorithm
	Signature SignatureU  `tpm2:"selector:SigAlg"` // Actual signature
}

Signature corresponds to the TPMT_SIGNATURE type. It is returned by the attestation commands, and is a parameter for TPMContext.VerifySignature and TPMContext.PolicySigned.

type SignatureECC 

type SignatureECC struct {
	Hash       HashAlgorithmId // Hash is the digest algorithm used in the signature process
	SignatureR ECCParameter
	SignatureS ECCParameter
}

SignatureECC corresponds to the TPMS_SIGNATURE_ECC type.

type SignatureECDAA 

type SignatureECDAA SignatureECC

type SignatureECDSA 

type SignatureECDSA SignatureECC

type SignatureECSCHNORR 

type SignatureECSCHNORR SignatureECC

type SignatureRSA 

type SignatureRSA struct {
	Hash HashAlgorithmId // Hash algorithm used to digest the message
	Sig  PublicKeyRSA    // Signature, which is the same size as the public key
}

SignatureRSA corresponds to the TPMS_SIGNATURE_RSA type.

type SignatureRSAPSS 

type SignatureRSAPSS SignatureRSA

type SignatureRSASSA 

type SignatureRSASSA SignatureRSA

type SignatureSM2 

type SignatureSM2 SignatureECC

type SignatureU 

type SignatureU struct {
	Data interface{}
}

SignatureU is a fake union type that corresponds to TPMU_SIGNATURE. The selector type is SigSchemeId. Valid types for Data for each selector value are:

  • SigSchemeAlgRSASSA: *SignatureRSASSA
  • SigSchemeAlgRSAPSS: *SignatureRSAPSS
  • SigSchemeAlgECDSA: *SignatureECDSA
  • SigSchemeAlgECDAA: *SignatureECDAA
  • SigSchemeAlgSM2: *SignatureSM2
  • SigSchemeAlgECSCHNORR: *SignatureECSCHNORR
  • SigSchemeAlgHMAC: *TaggedHash
  • SigSchemeAlgNull: <nil>

func (SignatureU) Any 

func (s SignatureU) Any() *SchemeHash

Any returns the underlying value as *SchemeHash. It panics if the underlying type is not convertible to *SchemeHash.

func (SignatureU) ECDAA 

func (s SignatureU) ECDAA() *SignatureECDAA

ECDAA returns the underlying value as *SignatureECDAA. It panics if the underlying type is not *SignatureECDAA.

func (SignatureU) ECDSA 

func (s SignatureU) ECDSA() *SignatureECDSA

ECDSA returns the underlying value as *SignatureECDSA. It panics if the underlying type is not *SignatureECDSA.

func (SignatureU) ECSCHNORR 

func (s SignatureU) ECSCHNORR() *SignatureECSCHNORR

ECSCHNORR returns the underlying value as *SignatureECSCHNORR. It panics if the underlying type is not *SignatureECSCHNORR.

func (SignatureU) HMAC 

func (s SignatureU) HMAC() *TaggedHash

HMAC returns the underlying value as *TaggedHash. It panics if the underlying type is not *TaggedHash.

func (SignatureU) RSAPSS 

func (s SignatureU) RSAPSS() *SignatureRSAPSS

RSAPSS returns the underlying value as *SignatureRSAPSS. It panics if the underlying type is not *SignatureRSAPSS.

func (SignatureU) RSASSA 

func (s SignatureU) RSASSA() *SignatureRSASSA

RSASSA returns the underlying value as *SignatureRSASSA. It panics if the underlying type is not *SignatureRSASSA.

func (SignatureU) SM2 

func (s SignatureU) SM2() *SignatureSM2

SM2 returns the underlying value as *SignatureSM2. It panics if the underlying type is not *SignatureSM2.

func (SignatureU) Select 

func (s SignatureU) Select(selector reflect.Value) (reflect.Type, error)

type StartupClearAttributes 

type StartupClearAttributes uint32

StatupClearAttributes corresponds to the TPMA_STARTUP_CLEAR type and is returned when querying the value of PropertyStartupClear with TPMContext.GetCapabilityTPMProperties. 

const (
	AttrPhEnable   StartupClearAttributes = 1 << 0  // phEnable
	AttrShEnable   StartupClearAttributes = 1 << 1  // shEnable
	AttrEhEnable   StartupClearAttributes = 1 << 2  // ehEnable
	AttrPhEnableNV StartupClearAttributes = 1 << 3  // phEnableNV
	AttrOrderly    StartupClearAttributes = 1 << 31 // orderly
)

type StartupType 

type StartupType uint16

StartupType corresponds to the TPM_SU type. 

const (
	StartupClear StartupType = iota
	StartupState
)

type StructTag 

type StructTag uint16

StructTag corresponds to the TPM_ST type. 

const (
	TagNoSessions         StructTag = 0x8001 // TPM_ST_NO_SESSIONS
	TagSessions           StructTag = 0x8002 // TPM_ST_SESSIONS
	TagAttestNV           StructTag = 0x8014 // TPM_ST_ATTEST_NV
	TagAttestCommandAudit StructTag = 0x8015 // TPM_ST_ATTEST_COMMAND_AUDIT
	TagAttestSessionAudit StructTag = 0x8016 // TPM_ST_ATTEST_SESSION_AUDIT
	TagAttestCertify      StructTag = 0x8017 // TPM_ST_ATTEST_CERTIFY
	TagAttestQuote        StructTag = 0x8018 // TPM_ST_ATTEST_QUOTE
	TagAttestTime         StructTag = 0x8019 // TPM_ST_ATTEST_TIME
	TagAttestCreation     StructTag = 0x801a // TPM_ST_ATTEST_CREATION
	TagCreation           StructTag = 0x8021 // TPM_ST_CREATION
	TagVerified           StructTag = 0x8022 // TPM_ST_VERIFIED
	TagAuthSecret         StructTag = 0x8023 // TPM_ST_AUTH_SECRET
	TagHashcheck          StructTag = 0x8024 // TPM_ST_HASHCHECK
	TagAuthSigned         StructTag = 0x8025 // TPM_ST_AUTH_SIGNED
)

type SymAlgorithmId 

type SymAlgorithmId AlgorithmId

SymAlgorithmId corresponds to the TPMI_ALG_SYM type 

const (
	SymAlgorithmAES      SymAlgorithmId = SymAlgorithmId(AlgorithmAES)      // TPM_ALG_AES
	SymAlgorithmXOR      SymAlgorithmId = SymAlgorithmId(AlgorithmXOR)      // TPM_ALG_XOR
	SymAlgorithmNull     SymAlgorithmId = SymAlgorithmId(AlgorithmNull)     // TPM_ALG_NULL
	SymAlgorithmSM4      SymAlgorithmId = SymAlgorithmId(AlgorithmSM4)      // TPM_ALG_SM4
	SymAlgorithmCamellia SymAlgorithmId = SymAlgorithmId(AlgorithmCamellia) // TPM_ALG_CAMELLIA
)

func (SymAlgorithmId) Format 

func (a SymAlgorithmId) Format(s fmt.State, f rune)

type SymCipherParams 

type SymCipherParams struct {
	Sym SymDefObject
}

SymCipherParams corresponds to the TPMS_SYMCIPHER_PARMS type, and contains the parameters for a symmetric object.

type SymDef 

type SymDef struct {
	Algorithm SymAlgorithmId // Symmetric algorithm
	KeyBits   SymKeyBitsU    `tpm2:"selector:Algorithm"` // Symmetric key size
	Mode      SymModeU       `tpm2:"selector:Algorithm"` // Symmetric mode
}

SymDef corresponds to the TPMT_SYM_DEF type, and is used to select the algorithm used for parameter encryption.

type SymDefObject 

type SymDefObject struct {
	Algorithm SymObjectAlgorithmId // Symmetric algorithm
	KeyBits   SymKeyBitsU          `tpm2:"selector:Algorithm"` // Symmetric key size
	Mode      SymModeU             `tpm2:"selector:Algorithm"` // Symmetric mode
}

SymDefObject corresponds to the TPMT_SYM_DEF_OBJECT type, and is used to define an object's symmetric algorithm.

type SymKey 

type SymKey []byte

SymKey corresponds to the TPM2B_SYM_KEY type.

type SymKeyBitsU 

type SymKeyBitsU struct {
	Data interface{}
}

SymKeyBitsU is a fake union type that corresponds to the TPMU_SYM_KEY_BITS type and is used to specify symmetric encryption key sizes. The selector type is AlgorithmId. Valid types for Data for each selector value are:

  • AlgorithmAES: uint16
  • AlgorithmSM4: uint16
  • AlgorithmCamellia: uint16
  • AlgorithmXOR: HashAlgorithmId
  • AlgorithmNull: <nil>

func (SymKeyBitsU) Select 

func (b SymKeyBitsU) Select(selector reflect.Value) (reflect.Type, error)

func (SymKeyBitsU) Sym 

func (b SymKeyBitsU) Sym() uint16

Sym returns the underlying value as uint16. It panics if the underlying type is not uint16.

func (SymKeyBitsU) XOR 

func (b SymKeyBitsU) XOR() HashAlgorithmId

XOR returns the underlying value as HashAlgorithmId. It panics if the underlying type is not HashAlgorithmId.

type SymModeId 

type SymModeId AlgorithmId

SymModeId corresponds to the TPMI_ALG_SYM_MODE type 

const (
	SymModeNull SymModeId = SymModeId(AlgorithmNull) // TPM_ALG_NULL
	SymModeCTR  SymModeId = SymModeId(AlgorithmCTR)  // TPM_ALG_CTR
	SymModeOFB  SymModeId = SymModeId(AlgorithmOFB)  // TPM_ALG_OFB
	SymModeCBC  SymModeId = SymModeId(AlgorithmCBC)  // TPM_ALG_CBC
	SymModeCFB  SymModeId = SymModeId(AlgorithmCFB)  // TPM_ALG_CFB
	SymModeECB  SymModeId = SymModeId(AlgorithmECB)  // TPM_ALG_ECB
)

func (SymModeId) Format 

func (a SymModeId) Format(s fmt.State, f rune)

type SymModeU 

type SymModeU struct {
	Data interface{}
}

SymModeU is a fake union type that corresponds to the TPMU_SYM_MODE type. The selector type is AlgorithmId. Valid types for Data for each selector value are:

  • AlgorithmAES: SymModeId
  • AlgorithmSM4: SymModeId
  • AlgorithmCamellia: SymModeId
  • AlgorithmXOR: <nil>
  • AlgorithmNull: <nil>

func (SymModeU) Select 

func (m SymModeU) Select(selector reflect.Value) (reflect.Type, error)

func (SymModeU) Sym 

func (m SymModeU) Sym() SymModeId

Sym returns the underlying value as SymModeId. It panics if the underlying type is not SymModeId.

type SymObjectAlgorithmId 

type SymObjectAlgorithmId AlgorithmId

SymObjectAlgorithmId corresponds to the TPMI_ALG_SYM_OBJECT type 

const (
	SymObjectAlgorithmAES      SymObjectAlgorithmId = SymObjectAlgorithmId(AlgorithmAES)      // TPM_ALG_AES
	SymObjectAlgorithmNull     SymObjectAlgorithmId = SymObjectAlgorithmId(AlgorithmNull)     // TPM_ALG_NULL
	SymObjectAlgorithmSM4      SymObjectAlgorithmId = SymObjectAlgorithmId(AlgorithmSM4)      // TPM_ALG_SM4
	SymObjectAlgorithmCamellia SymObjectAlgorithmId = SymObjectAlgorithmId(AlgorithmCamellia) // TPM_ALG_CAMELLIA
)

func (SymObjectAlgorithmId) Format 

func (a SymObjectAlgorithmId) Format(s fmt.State, f rune)

type TPM1Error 

type TPM1Error struct {
	Command CommandCode  // Command code associated with this error
	Code    ResponseCode // Response code
}

TPM1Error is returned from DecodeResponseCode and any TPMContext method that executes a command on the TPM if the TPM response code indicates an error from a TPM 1.2 device.

func (*TPM1Error) Error 

func (e *TPM1Error) Error() string

type TPMContext 

type TPMContext struct {
	// contains filtered or unexported fields
}

TPMContext is the main entry point by which commands are executed on a TPM device using this package. It communicates with the underlying device via a transmission interface, which is an implementation of io.ReadWriteCloser provided to NewTPMContext.

Methods that execute commands on the TPM will return errors where the TPM responds with them. These are in the form of *TPMError, *TPMWarning, *TPMHandleError, *TPMSessionError, *TPMParameterError and *TPMVendorError types.

Some methods also accept a variable number of optional SessionContext arguments - these are for sessions that don't provide authorization for a corresponding TPM resource. These sessions may be used for the purposes of session based parameter encryption or command auditing.

func NewTPMContext 

func NewTPMContext(tcti io.ReadWriteCloser) (*TPMContext, error)

NewTPMContext creates a new instance of TPMContext, which communicates with the TPM using the transmission interface provided via the tcti parameter.

If the tcti parameter is nil, this function will try to autodetect a TPM interface using the following order:

  • Linux TPM device (/dev/tpmrm0)
  • Linux TPM device (/dev/tpm0)
  • TPM simulator (localhost:2321 for the TPM command server and localhost:2322 for the platform server)

It will return an error if a TPM interface cannot be detected.

If the tcti parameter is not nil, this function never returns an error.

func (*TPMContext) ActivateCredential 

func (t *TPMContext) ActivateCredential(activateContext, keyContext ResourceContext, credentialBlob IDObjectRaw, secret EncryptedSecret, activateContextAuthSession, keyContextAuthSession SessionContext, sessions ...SessionContext) (Digest, error)

ActivateCredential executes the TPM2_ActivateCredential command to associate a certificate with the object associated with activateContext.

The activateContext parameter corresponds to an object to which credentialBlob is to be associated. It would typically be an attestation key, and the issusing certificate authority would have validated that this object has the expected properties of an attestation key (it is a restricted, non-duplicable signing key) before issuing the credential. Authorization with the admin role is required for activateContext, with session based authorization provided via activateContextAuthSession.

The credentialBlob is an encrypted and integrity protected credential issued by a certificate authority. It is encrypted with a key derived from a seed generated by the certificate authority, and the name of the object associated with activateContext. It is integrity protected by prepending a HMAC of the encrypted data and the name of the object associated with activateContext, using the same seed as the HMAC key.

The keyContext parameter corresponds to an asymmetric restricted decrypt that was used to encrypt the seed value, which is provided via the secret parameter in encrypted form. It is typically an endorsement key, and the issuing certificate authority would have verified that it is a valid endorsement key by verifying the associated endorsement certificate. Authorization with the user auth role is required for keyContext, with session based authorization provided via keyContextAuthSession.

If keyContext does not correspond to an asymmetric restricted decrypt key, a *TPMHandleError error with an error code of ErrorType is returned for handle index 2.

If recovering the seed from secret fails, a *TPMParameterError error with an error code of ErrorScheme, ErrorValue, ErrorSize or ErrorECCPoint may be returned for parameter index 2.

If the integrity value of IV for credentialBlob cannot be unmarshalled correctly or any other errors occur during unmarshalling of credentialBlob, a *TPMParameterError error with an error code of either ErrorSize or ErrorInsufficient will be returned for parameter index 1. If the integrity check of credentialBlob fails, a *TPMParameterError error with an error code of ErrorIntegrity will be returned for parameter index 1. If the size of the IV for credentialBlob doesn't match the block size for the encryption algorithm, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 1.

On success, the decrypted credential is returned. This is typically used to decrypt a certificate associated with activateContext, which was issued by a certificate authority.

func (*TPMContext) Certify 

func (t *TPMContext) Certify(objectContext, signContext ResourceContext, qualifyingData Data, inScheme *SigScheme, objectContextAuthSession, signContextAuthSession SessionContext, sessions ...SessionContext) (AttestRaw, *Signature, error)

Certify executes the TPM2_Certify command, which is used to prove that an object with a specific name is loaded in to the TPM. By producing an attestation, the TPM certifies that the object with a given name is loaded in to the TPM and consistent with a valid sensitive area.

The objectContext parameter corresponds to the object for which to produce an attestation. The command requires authorization with the admin role for objectContext, with session based authorization provided via objectContextAuthSession.

If signContext is not nil, the returned attestation will be signed by the key associated with it. This command requires authorization with the user auth role for signContext, with session based authorization provided via signContextAuthSession.

If signContext is not nil and the object associated with signContext is not a signing key, a *TPMHandleError error with an error code of ErrorKey will be returned for handle index 2.

If signContext is not nil and if the scheme of the key associated with signContext is AlgorithmNull, then inScheme must be provided to specify a valid signing scheme for the key. If it isn't, a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

If signContext is not nil and the scheme of the key associated with signContext is not AlgorithmNull, then inScheme may be nil. If it is provided, then the specified scheme must match that of the signing key, else a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

On successful, it returns an attestation structure detailing the name of the object associated with objectContext. If signContext is not nil, the attestation structure will be signed by the associated key and returned too.

func (*TPMContext) CertifyCreation 

func (t *TPMContext) CertifyCreation(signContext, objectContext ResourceContext, qualifyingData Data, creationHash Digest, inScheme *SigScheme, creationTicket *TkCreation, signContextAuthSession SessionContext, sessions ...SessionContext) (AttestRaw, *Signature, error)

CertifyCreation executes the TPM2_CertifyCreation command, which is used to prove the association between the object represented by objectContext and its creation data represented by creationHash. It does this by computing a ticket from creationHash and the name of the object represented by objectContext and then verifying that it matches the provided creationTicket, which was provided by the TPM at object creation time.

If signContext is not nil, the returned attestation will be signed by the key associated with it. This command requires authorization with the user auth role for signContext, with session based authorization provided via signContextAuthSession.

If signContext is not nil and the object associated with signContext is not a signing key, a *TPMHandleError error with an error code of ErrorKey will be returned for handle index 1.

If signContext is not nil and if the scheme of the key associated with signContext is AlgorithmNull, then inScheme must be provided to specify a valid signing scheme for the key. If it isn't, a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 3.

If signContext is not nil and the scheme of the key associated with signContext is not AlgorithmNull, then inScheme may be nil. If it is provided, then the specified scheme must match that of the signing key, else a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 3.

If creationTicket corresponds to an invalid ticket, a *TPMParameterError error with an error code of ErrorTicket will be returned for parameter index 4.

If the digest generated for signing is greater than or has a larger size than the modulus of the key associated with signContext, a *TPMError with an error code of ErrorValue will be returned.

If successful, it returns an attestation structure. If signContext is not nil, the attestation structure will be signed by the associated key and returned too.

func (*TPMContext) Clear 

func (t *TPMContext) Clear(authContext ResourceContext, authContextAuthSession SessionContext, sessions ...SessionContext) error

Clear executes the TPM2_Clear command to remove all context associated with the current owner. The command requires knowledge of the authorization value for either the platform or lockout hierarchy. The hierarchy is specified by passing a ResourceContext corresponding to either HandlePlatform or HandleLockout to authContext. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession.

On successful completion, all NV indices and objects associated with the current owner will have been evicted and subsequent use of ResourceContext instances associated with these resources will fail. The authorization values of the storage, endorsement and lockout hierarchies will have been cleared. It isn't necessary to update the corresponding ResourceContext instances for these by calling ResourceContext.SetAuthValue in order to use them in subsequent commands that require knowledge of the authorization value for those permanent resources.

If the TPM2_Clear command has been disabled, a *TPMError error will be returned with an error code of ErrorDisabled.

func (*TPMContext) ClearControl 

func (t *TPMContext) ClearControl(authContext ResourceContext, disable bool, authContextAuthSession SessionContext, sessions ...SessionContext) error

ClearControl executes the TPM2_ClearControl command to enable or disable execution of the TPM2_Clear command (via the TPMContext.Clear function).

If disable is true, then this command will disable the execution of TPM2_Clear. In this case, the command requires knowledge of the authorization value for the platform or lockout hierarchy. The hierarchy is specified via the authContext parameter by passing a ResourceContext corresponding to either HandlePlatform or HandleLockout.

If disable is false, then this command will enable execution of TPM2_Clear. In this case, the command requires knowledge of the authorization value for the platform hierarchy, and authContext must be a ResourceContext corresponding to HandlePlatform. If authContext is a HandleContext corresponding to HandleOwner, a *TPMError error with an error code of ErrorAuthFail will be returned.

The command requires the authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession.

func (*TPMContext) Close 

func (t *TPMContext) Close() error

Close calls Close on the transmission interface.

func (*TPMContext) ContextLoad 

func (t *TPMContext) ContextLoad(context *Context) (HandleContext, error)

ContextLoad executes the TPM2_ContextLoad command with the supplied Context, in order to restore a context previously saved from TPMContext.ContextSave.

If the size field of the integrity HMAC in the context blob is greater than the size of the largest digest algorithm, a *TPMError with an error code of ErrorSize is returned. If the context blob is shorter than the size indicated for the integrity HMAC, a *TPMError with an error code of ErrorInsufficient is returned.

If the size of the context's integrity HMAC does not match the context integrity digest algorithm for the TPM, or the context blob is too short, a *TPMParameterError error with an error code of ErrorSize will be returned. If the integrity HMAC check fails, a *TPMParameterError with an error code of ErrorIntegrity will be returned.

If the hierarchy that the context is part of is disabled, a *TPMParameterError error with an error code of ErrorHierarchy will be returned.

If the context corresponds to a session but the handle doesn't reference a saved session or the sequence number is invalid, a *TPMParameterError error with an error code of ErrorHandle will be returned.

If the context corresponds to a session and no more sessions can be created until the oldest session is context loaded, and context doesn't correspond to the oldest session, a *TPMWarning error with a warning code of WarningContextGap will be returned.

If there are no more slots available for objects or loaded sessions, a *TPMWarning error with a warning code of either WarningSessionMemory or WarningObjectMemory will be returned.

On successful completion, it returns a HandleContext which corresponds to the resource loaded in to the TPM. If the context corresponds to an object, this will be a new ResourceContext. If context corresponds to a session, then this will be a new SessionContext.

func (*TPMContext) ContextSave 

func (t *TPMContext) ContextSave(saveContext HandleContext) (*Context, error)

ContextSave executes the TPM2_ContextSave command on the handle referenced by saveContext, in order to save the context associated with that handle outside of the TPM. The TPM encrypts and integrity protects the context with a key derived from the hierarchy proof. If saveContext does not correspond to a transient object or a session, then it will return an error.

On successful completion, it returns a Context instance that can be passed to TPMContext.ContextLoad. Note that this function wraps the context data returned from the TPM with some host-side state associated with the resource, so that it can be restored fully in TPMContext.ContextLoad. If saveContext corresponds to a session, the host-side state that is added to the returned context blob includes the session key.

If saveContext corresponds to a session, then TPM2_ContextSave also removes resources associated with the session from the TPM (it becomes a saved session rather than a loaded session). In this case, saveContext is marked as not loaded and can only be used as an argument to TPMContext.FlushContext.

If saveContext corresponds to a session and no more contexts can be saved, a *TPMError error will be returned with an error code of ErrorTooManyContexts. If a context ID cannot be assigned for the session, a *TPMWarning error with a warning code of WarningContextGap will be returned.

func (*TPMContext) Create 

func (t *TPMContext) Create(parentContext ResourceContext, inSensitive *SensitiveCreate, inPublic *Public, outsideInfo Data, creationPCR PCRSelectionList, parentContextAuthSession SessionContext, sessions ...SessionContext) (Private, *Public, *CreationData, Digest, *TkCreation, error)

Create executes the TPM2_Create command to create a new ordinary object as a child of the storage parent associated with parentContext.

The command requires authorization with the user auth role for parentContext, with session based authorization provided via parentContextAuthSession.

A template for the object is provided via the inPublic parameter. The Type field of inPublic defines the algorithm for the object. The NameAlg field defines the digest algorithm for computing the name of the object. The Attrs field defines the attributes of the object. The AuthPolicy field allows an authorization policy to be defined for the new object.

Data that will form part of the sensitive area of the object can be provided via inSensitive, which is optional.

If the Attrs field of inPublic does not have the AttrSensitiveDataOrigin attribute set, then the sensitive data in the created object is initialized with the data provided via the Data field of inSensitive.

If the Attrs field of inPublic has the AttrSensitiveDataOrigin attribute set and Type is AlgorithmSymCipher, then the sensitive data in the created object is initialized with a TPM generated key. The size of this key is determined by the value of the Params field of inPublic. If Type is AlgorithmKeyedHash, then the sensitive data in the created object is initialized with a TPM generated value that is the same size as the name algorithm selected by the NameAlg field of inPublic.

If the Type field of inPublic is AlgorithmRSA or AlgorithmECC, then the sensitive data in the created object is initialized with a TPM generated private key. The size of this is determined by the value of the Params field of inPublic.

If the Type field of inPublic is AlgorithmKeyedHash and the Attrs field has AttrSensitiveDataOrigin, AttrSign and AttrDecrypt all clear, then the created object is a sealed data object.

If the Attrs field of inPublic has the AttrRestricted and AttrDecrypt attributes set, and the Type field is not AlgorithmKeyedHash, then the newly created object will be a storage parent.

If the Attrs field of inPublic has the AttrRestricted and AttrDecrypt attributes set, and the Type field is AlgorithmKeyedHash, then the newly created object will be a derivation parent.

The authorization value for the created object is initialized to the value of the UserAuth field of inSensitive.

If the object associated with parentContext is not a valid storage parent object, a *TPMHandleError error with an error code of ErrorType will be returned for handle index 1.

If there are no available slots for new objects on the TPM, a *TPMWarning error with a warning code of WarningObjectMemory will be returned.

If the Attrs field of inPublic as the AttrSensitiveDataOrigin attribute set and the Data field of inSensitive has a non-zero size, or the AttrSensitiveDataOrigin attribute is clear and the Data field of inSensitive has a zero size, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 1.

If the attributes in the Attrs field of inPublic are inconsistent or inappropriate for the usage, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If the NameAlg field of inPublic is AlgorithmNull, then a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2.

If an authorization policy is defined via the AuthPolicy field of inPublic then the length of the digest must match the name algorithm selected via the NameAlg field, else a *TPMParameterError error with an error code of ErrorSize is returned for parameter index 2.

If the scheme in the Params field of inPublic is inappropriate for the usage, a *TPMParameterError errow with an error code of ErrorScheme will be returned for parameter index 2.

If the digest algorithm specified by the scheme in the Params field of inPublic is inappropriate for the usage, a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2.

If the Type field of inPublic is not AlgorithmKeyedHash, a *TPMParameterError error with an error code of ErrorSymmetric will be returned for parameter index 2 if the symmetric algorithm specified in the Params field of inPublic is inappropriate for the usage.

If the Type field of inPublic is AlgorithmECC and the KDF scheme specified in the Params field of inPublic is not AlgorithmNull, a *TPMParameterError error with an error code of ErrorKDF will be returned for parameter index 2.

If the Type field of inPublic is not AlgorithmKeyedHash and the AttrRestricted, AttrFixedParent and AttrDecrypt attributes of Attrs are set, a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2 if the NameAlg field of inPublic does not select the same name algorithm as the parent object. A *TPMParameterError error with an error code of ErrorSymmetric will be returned for parameter index 2 if the symmetric algorithm specified in the Params field of inPublic does not match the symmetric algorithm of the parent object.

If the length of the UserAuth field of inSensitive is longer than the name algorithm selected by the NameAlg field of inPublic, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

If the Type field of inPublic is AlgorithmRSA and the Params field specifies an unsupported exponent, a *TPMError with an error code of ErrorRange will be returned. If the specified key size is an unsupported value, a *TPMError with an error code of ErrorValue will be returned.

If the Type field of inPublic is AlgorithmSymCipher and the key size is an unsupported value, a *TPMError with an error code of ErrorKeySize will be returned. If the AttrSensitiveDataOrigin attribute is not set and the length of the Data field of inSensitive does not match the key size specified in the Params field of inPublic, a *TPMError with an error code of ErrorKeySize will be returned.

If the Type field of inPublic is AlgorithmKeyedHash and the AttrSensitiveDataOrigin attribute is not set, a *TPMError with an error code of ErrorSize will be returned if the length of the Data field of inSensitive is longer than permitted for the digest algorithm selected by the specified scheme.

On success, the private and public parts of the newly created object will be returned. The newly created object will not exist on the TPM. If the Type field of inPublic is AlgorithmKeyedHash or AlgorithmSymCipher, then the returned *Public object will have a Unique field that is the digest of the sensitive data and the value of the object's seed in the sensitive area, computed using the object's name algorithm. If the Type field of inPublic is AlgorithmECC or AlgorithmRSA, then the returned *Public object will have a Unique field containing details about the public part of the key, computed from the private part of the key.

The returned *CreationData will contain a digest computed from the values of PCRs selected by the creationPCR parameter at creation time in the PCRDigest field. It will also contain the provided outsideInfo in the OutsideInfo field. The returned *TkCreation ticket can be used to prove the association between the created object and the returned *CreationData via the TPMContext.CertifyCreation method.

func (*TPMContext) CreateLoaded 

func (t *TPMContext) CreateLoaded(parentContext ResourceContext, inSensitive *SensitiveCreate, inPublic PublicTemplate, parentContextAuthSession SessionContext, sessions ...SessionContext) (ResourceContext, Private, *Public, error)

CreateLoaded executes the TPM2_CreateLoaded command to create a new primary, ordinary or derived object. To create a new primary object, parentContext should correspond to a hierarchy. To create a new ordinary object, parentContext should correspond to a storage parent. To create a new derived object, parentContext should correspond to a derivation parent.

The command requires authorization with the user auth role for parentContext, with session based authorization provided via parentContextAuthSession.

A template for the object is provided via the inPublic parameter. The Type field of inPublic defines the algorithm for the object. The NameAlg field defines the digest algorithm for computing the name of the object. The Attrs field defines the attributes of the object. The AuthPolicy field allows an authorization policy to be defined for the new object.

Data that will form part of the sensitive area of the object can be provided via inSensitive, which is optional.

If parentContext does not correspond to a derivation parent and the Attrs field of inPublic does not have the AttrSensitiveDataOrigin attribute set, then the sensitive data in the created object is initialized with the data provided via the Data field of inSensitive.

If the Attrs field of inPublic has the AttrSensitiveDataOrigin attribute set and Type is AlgorithmSymCipher, then the sensitive data in the created object is initialized with a TPM generated key. The size of this key is determined by the value of the Params field of inPublic. If Type is AlgorithmKeyedHash, then the sensitive data in the created object is initialized with a TPM generated value that is the same size as the name algorithm selected by the NameAlg field of inPublic.

If the Type field of inPublic is AlgorithmRSA then the sensitive data in the created object is initialized with a TPM generated private key. The size of this is determined by the value of the Params field of inPublic.

If the Type field of inPublic is AlgorithmECC and parentContext does not correspond to a derivation parent, then the sensitive data in the created object is initialized with a TPM generated private key. The size of this is determined by the value of the Params field of inPublic.

If parentContext corresponds to a derivation parent, the sensitive data in the created object is initialized with a value derived from the parent object's private seed, and the derivation values specified in either the Unique field of inPublic or the Data field of inSensitive.

If the Type field of inPublic is AlgorithmKeyedHash, the Attrs field has AttrSensitiveDataOrigin, AttrSign and AttrDecrypt all clear, then the created object is a sealed data object.

If the Attrs field of inPublic has the AttrRestricted and AttrDecrypt attributes set, and the Type field is not AlgorithmKeyedHash, then the newly created object will be a storage parent.

If the Attrs field of inPublic has the AttrRestricted and AttrDecrypt attributes set, and the Type field is AlgorithmKeyedHash, then the newly created object will be a derivation parent.

The authorization value for the created object is initialized to the value of the UserAuth field of inSensitive.

If parentContext corresponds to an object and it isn't a valid storage parent or derivation parent, *TPMHandleError error with an error code of ErrorType will be returned for handle index 1.

If there are no available slots for new objects on the TPM, a *TPMWarning error with a warning code of WarningObjectMemory will be returned.

If the attributes in the Attrs field of inPublic are inconsistent or inappropriate for the usage, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If the NameAlg field of inPublic is AlgorithmNull, then a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2.

If an authorization policy is defined via the AuthPolicy field of inPublic then the length of the digest must match the name algorithm selected via the NameAlg field, else a *TPMParameterError error with an error code of ErrorSize is returned for parameter index 2.

If the scheme in the Params field of inPublic is inappropriate for the usage, a *TPMParameterError errow with an error code of ErrorScheme will be returned for parameter index 2.

If the digest algorithm specified by the scheme in the Params field of inPublic is inappropriate for the usage, a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2.

If the Type field of inPublic is not AlgorithmKeyedHash, a *TPMParameterError error with an error code of ErrorSymmetric will be returned for parameter index 2 if the symmetric algorithm specified in the Params field of inPublic is inappropriate for the usage.

If the Type field of inPublic is AlgorithmECC and the KDF scheme specified in the Params field of inPublic is not AlgorithmNull, a *TPMParameterError error with an error code of ErrorKDF will be returned for parameter index 2.

If the Type field of inPublic is not AlgorithmKeyedHash and the AttrRestricted, AttrFixedParent and AttrDecrypt attributes of Attrs are set, a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2 if the NameAlg field of inPublic does not select the same name algorithm as the parent object. A *TPMParameterError error with an error code of ErrorSymmetric will be returned for parameter index 2 if the symmetric algorithm specified in the Params field of inPublic does not match the symmetric algorithm of the parent object.

If the length of the UserAuth field of inSensitive is longer than the name algorithm selected by the NameAlg field of inPublic, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

If the Type field of inPublic is AlgorithmRSA and the Params field specifies an unsupported exponent, a *TPMError with an error code of ErrorRange will be returned. If the specified key size is an unsupported value, a *TPMError with an error code of ErrorValue will be returned.

If the Type field of inPublic is AlgorithmSymCipher and the key size is an unsupported value, a *TPMError with an error code of ErrorKeySize will be returned. If the AttrSensitiveDataOrigin attribute is not set and the length of the Data field of inSensitive does not match the key size specified in the Params field of inPublic, a *TPMError with an error code of ErrorKeySize will be returned.

If the Type field of inPublic is AlgorithmKeyedHash and the AttrSensitiveDataOrigin attribute is not set, a *TPMError with an error code of ErrorSize will be returned if the length of the Data field of inSensitive is longer than permitted for the digest algorithm selected by the specified scheme.

On success, a ResourceContext instance will be returned that corresponds to the newly created object on the TPM, along with the private and public parts. It will not be necessary to call ResourceContext.SetAuthValue on the returned ResourceContext - this function sets the correct authorization value so that it can be used in subsequent commands that require knowledge of the authorization value. If the Type field of inPublic is AlgorithmKeyedHash or AlgorithmSymCipher, then the returned *Public object will have a Unique field that is the digest of the sensitive data and the value of the object's seed in the sensitive area, computed using the object's name algorithm. If the Type field of inPublic is AlgorithmECC or AlgorithmRSA, then the returned *Public object will have a Unique field containing details about the public part of the key, computed from the private part of the key.

func (*TPMContext) CreatePrimary 

func (t *TPMContext) CreatePrimary(primaryObject ResourceContext, inSensitive *SensitiveCreate, inPublic *Public, outsideInfo Data, creationPCR PCRSelectionList, primaryObjectAuthSession SessionContext, sessions ...SessionContext) (ResourceContext, *Public, *CreationData, Digest, *TkCreation, error)

CreatePrimary executes the TPM2_CreatePrimary command to create a new primary object in the hierarchy corresponding to primaryObject.

The primaryObject parameter should correspond to a hierarchy. The command requires authorization with the user auth role for primaryObject, with session based authorization provided via primaryObjectAuthSession.

A template for the object is provided via the inPublic parameter. The Type field of inPublic defines the algorithm for the object. The NameAlg field defines the digest algorithm for computing the name of the object. The Attrs field defines the attributes of the object. The AuthPolicy field allows an authorization policy to be defined for the new object.

Data that will form part of the sensitive area of the object can be provided via inSensitive, which is optional.

If the Attrs field of inPublic does not have the AttrSensitiveDataOrigin attribute set, then the sensitive data in the created object is initialized with the data provided via the Data field of inSensitive.

If the Attrs field of inPublic has the AttrSensitiveDataOrigin attribute set and Type is AlgorithmSymCipher, then the sensitive data in the created object is initialized with a TPM generated key. The size of this key is determined by the value of the Params field of inPublic. If Type is AlgorithmKeyedHash, then the sensitive data in the created object is initialized with a TPM generated value that is the same size as the name algorithm selected by the NameAlg field of inPublic.

If the Type field of inPublic is AlgorithmRSA or AlgorithmECC, then the sensitive data in the created object is initialized with a TPM generated private key. The size of this is determined by the value of the Params field of inPublic.

If the Type field of inPublic is AlgorithmKeyedHash and the Attrs field has AttrSensitiveDataOrigin, AttrSign and AttrDecrypt all clear, then the created object is a sealed data object.

If the Attrs field of inPublic has the AttrRestricted and AttrDecrypt attributes set, and the Type field is not AlgorithmKeyedHash, then the newly created object will be a storage parent.

If the Attrs field of inPublic has the AttrRestricted and AttrDecrypt attributes set, and the Type field is AlgorithmKeyedHash, then the newly created object will be a derivation parent.

The authorization value for the created object is initialized to the value of the UserAuth field of inSensitive.

If there are no available slots for new objects on the TPM, a *TPMWarning error with a warning code of WarningObjectMemory will be returned.

If the attributes in the Attrs field of inPublic are inconsistent or inappropriate for the usage, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If the NameAlg field of inPublic is AlgorithmNull, then a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2.

If an authorization policy is defined via the AuthPolicy field of inPublic then the length of the digest must match the name algorithm selected via the NameAlg field, else a *TPMParameterError error with an error code of ErrorSize is returned for parameter index 2.

If the scheme in the Params field of inPublic is inappropriate for the usage, a *TPMParameterError errow with an error code of ErrorScheme will be returned for parameter index 2.

If the digest algorithm specified by the scheme in the Params field of inPublic is inappropriate for the usage, a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2.

If the Type field of inPublic is not AlgorithmKeyedHash, a *TPMParameterError error with an error code of ErrorSymmetric will be returned for parameter index 2 if the symmetric algorithm specified in the Params field of inPublic is inappropriate for the usage.

If the Type field of inPublic is AlgorithmECC and the KDF scheme specified in the Params field of inPublic is not AlgorithmNull, a *TPMParameterError error with an error code of ErrorKDF will be returned for parameter index 2.

If the length of the UserAuth field of inSensitive is longer than the name algorithm selected by the NameAlg field of inPublic, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

If the Type field of inPublic is AlgorithmRSA and the Params field specifies an unsupported exponent, a *TPMError with an error code of ErrorRange will be returned. If the specified key size is an unsupported value, a *TPMError with an error code of ErrorValue will be returned.

If the Type field of inPublic is AlgorithmSymCipher and the key size is an unsupported value, a *TPMError with an error code of ErrorKeySize will be returned. If the AttrSensitiveDataOrigin attribute is not set and the length of the Data field of inSensitive does not match the key size specified in the Params field of inPublic, a *TPMError with an error code of ErrorKeySize will be returned.

If the Type field of inPublic is AlgorithmKeyedHash and the AttrSensitiveDataOrigin attribute is not set, a *TPMError with an error code of ErrorSize will be returned if the length of the Data field of inSensitive is longer than permitted for the digest algorithm selected by the specified scheme.

On success, a ResourceContext instance will be returned that corresponds to the newly created object on the TPM. It will not be necessary to call ResourceContext.SetAuthValue on it - this function sets the correct authorization value so that it can be used in subsequent commands that require knowledge of the authorization value. If the Type field of inPublic is AlgorithmKeyedHash or AlgorithmSymCipher, then the returned *Public object will have a Unique field that is the digest of the sensitive data and the value of the object's seed in the sensitive area, computed using the object's name algorithm. If the Type field of inPublic is AlgorithmECC or AlgorithmRSA, then the returned *Public object will have a Unique field containing details about the public part of the key, computed from the private part of the key.

The returned *CreationData will contain a digest computed from the values of PCRs selected by the creationPCR parameter at creation time in the PCRDigest field. It will also contain the provided outsideInfo in the OutsideInfo field. The returned *TkCreation ticket can be used to prove the association between the created object and the returned *CreationData via the TPMContext.CertifyCreation method.

func (*TPMContext) CreateResourceContextFromTPM 

func (t *TPMContext) CreateResourceContextFromTPM(handle Handle, sessions ...SessionContext) (ResourceContext, error)

CreateResourceContextFromTPM creates and returns a new ResourceContext for the specified handle. It will execute a command to read the public area from the TPM in order to initialize state that is maintained on the host side. A ResourceUnavailableError error will be returned if the specified handle references a resource that is currently unavailable. If this function is called without any sessions, it does not benefit from any integrity protections other than a consistency cross-check that is performed on the returned data to make sure that the name and public area match. Applications should consider the implications of this during subsequent use of the ResourceContext. If any sessions are passed then the pubic area is read back from the TPM twice - the session is used only on the second read once the name is known. This second read provides an assurance that an entity with the name of the returned ResourceContext actually lives on the TPM.

This function will panic if handle doesn't correspond to a NV index, transient object or persistent object.

If subsequent use of the returned ResourceContext requires knowledge of the authorization value of the corresponding TPM resource, this should be provided by calling ResourceContext.SetAuthValue.

func (*TPMContext) DictionaryAttackLockReset 

func (t *TPMContext) DictionaryAttackLockReset(lockContext ResourceContext, lockContextAuthSession SessionContext, sessions ...SessionContext) error

DictionaryAttackLockReset executes the TPM2_DictionaryAttackLockReset command to cancel the effect of a TPM lockout. The lockContext parameter must always be a ResourceContext corresponding to HandleLockout. The command requires authorization with the user auth role for lockContext, with session based authorization provided via lockContextAuthSession.

On successful completion, the lockout counter will be reset to zero.

func (*TPMContext) DictionaryAttackParameters 

func (t *TPMContext) DictionaryAttackParameters(lockContext ResourceContext, newMaxTries, newRecoveryTime, lockoutRecovery uint32, lockContextAuthSession SessionContext, sessions ...SessionContext) error

DictionaryAttackParameters executes the TPM2_DictionaryAttackParameters command to change the dictionary attack lockout settings. The newMaxTries parameter sets the maximum value of the lockout counter before the TPM enters lockout mode. If it is set to zero, then the TPM will enter lockout mode and the use of dictionary attack protected entities will be disabled. The newRecoveryTime parameter specifies the amount of time in seconds it takes for the lockout counter to decrement by one. If it is set to zero, then dictionary attack protection is disabled. The lockoutRecovery parameter specifies the amount of time in seconds that the lockout hierarchy authorization cannot be used after an authorization failure. If it is set to zero, then the lockout hierarchy can be used again after a TPM reset, restart or resume. The newRecoveryTime and lockoutRecovery parameters are measured against powered on time rather than clock time.

The lockContext parameter must be a ResourceContext corresponding to HandleLockout. The command requires authorization with the user auth role for lockContext, with session based authorization provided via lockContextAuthSession.

func (*TPMContext) Duplicate 

func (t *TPMContext) Duplicate(objectContext, newParentContext ResourceContext, encryptionKeyIn Data, symmetricAlg *SymDefObject, objectContextAuthSession SessionContext, sessions ...SessionContext) (Data, Private, EncryptedSecret, error)

Duplicate executes the TPM2_Duplicate command in order to duplicate the object associated with objectContext so that it may be used in a different hierarchy. The new parent is specified by the newParentContext argument, which may correspond to an object on the same or a different TPM, or may be nil for no parent.

This command requires authorization for objectContext with the duplication role, with the session provided via objectContextAuthSession.

If symmetricAlg is provided, it defines the symmetric algorithm used for the inner duplication wrapper (see section 23.3 - "Protected Storage Hierarchy - Duplication" of Part 1 of the Trusted Platform Module Library specification). If symmetricAlg is provided and symmetricAlg.Algorithm is not SymObjectAlgorithmNull, a symmetric key for the inner duplication wrapper may be provided via encryptionKeyIn.

If the object associated with objectContext has the AttrFixedParent atttribute set, a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 1.

If the object associated with objectContext has a name algorithm of HashAlgorithmNull, a *TPMHandleError error with an error code of ErrorType will be returned for handle index 1.

If newParentContext is provided and it does not correspond to a storage parent, a *TPMHandleError error with an error code of ErrorType will be returned for handle index 2.

If the object associated with objectContext has the AttrEncryptedDuplication attribute set and no symmetricAlg is provided or symmetricAlg.Algorithm is SymObjectAlgorithmNull, a *TPMParameterError error with an error code of ErrorSymmetric will be returned for parameter index 2.

If the object associated with objectContext has the AttrEncryptedDuplication attribute set and newParentContext is not provided, a *TPMHandleError error with an error code of ErrorHierarchy will be returned for handle index 2.

If the length of encryptionKeyIn is not consistent with symmetricAlg, *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

If newParentContext corresponds to an ECC key and the public point of the key is not on the curve specified by the key, a *TPMError error with an error code of ErrorKey will be returned.

On success, the function returns a randomly generated symmetric key as Data for the inner duplication wrapper if symmetricAlg was provided, symmetricAlg.Algorithm was not SymObjectAlgorithmNull and encryptionKeyIn was not provided. It also returns the sensitive area associated with objectContext protected with an inner duplication wrapper (if specified by symmetricAlg) and an outer duplication wrapper (if newParentContext was provided). If newParentContext was provided, the seed used to generate the symmetric key and the HMAC key for the outer duplication wrapper is encrypted using the methods defined by newParentContext and returned as an EncryptedSecret.

func (*TPMContext) EndorsementHandleContext 

func (t *TPMContext) EndorsementHandleContext() ResourceContext

EndorsementHandleContext returns the ResourceContext corresponding to the endorsement hiearchy.

func (*TPMContext) EvictControl 

func (t *TPMContext) EvictControl(auth, object ResourceContext, persistentHandle Handle, authAuthSession SessionContext, sessions ...SessionContext) (ResourceContext, error)

EvictControl executes the TPM2_EvictControl command on the handle referenced by object. To persist a transient object, object should correspond to the transient object and persistentHandle should specify the persistent handle to which the resource associated with object should be persisted. To evict a persistent object, object should correspond to the persistent object and persistentHandle should be the handle associated with that resource.

The auth parameter should be a ResourceContext that corresponds to a hierarchy - it should be HandlePlatform for objects within the platform hierarchy, or HandleOwner for objects within the storage or endorsement hierarchies. If auth is a ResourceContext corresponding to HandlePlatform but object corresponds to an object outside of the platform hierarchy, or auth is a ResourceContext corresponding to HandleOwner but object corresponds to an object inside of the platform hierarchy, a *TPMHandleError error with an error code of ErrorHierarchy will be returned for handle index 2. The auth handle requires authorization with the user auth role, with session based authorization provided via authAuthSession.

If object corresponds to a transient object that only has a public part loaded, or which has the AttrStClear attribute set, then a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 2.

If object corresponds to a persistent object and persistentHandle is not the handle for that object, a *TPMHandleError error with an error code of ErrorHandle will be returned for handle index 2.

If object corresponds to a transient object and persistentHandle is not in the correct range determined by the value of auth, a *TPMParameterError error with an error code of ErrorRange will be returned.

If there is insuffient space to persist a transient object, a *TPMError error with an error code of ErrorNVSpace will be returned. If a persistent object already exists at the specified handle, a *TPMError error with an error code of ErrorNVDefined will be returned.

On successful completion of persisting a transient object, it returns a ResourceContext that corresponds to the persistent object. On successful completion of evicting a persistent object, it returns a nil ResourceContext, and object will be invalidated.

func (*TPMContext) FlushContext 

func (t *TPMContext) FlushContext(flushContext HandleContext) error

FlushContext executes the TPM2_FlushContext command on the handle referenced by flushContext, in order to flush resources associated with it from the TPM. If flushContext does not correspond to a transient object or a session, then it will return with an error.

On successful completion, flushContext is invalidated. If flushContext corresponded to a session, then it will no longer be possible to restore that session with TPMContext.ContextLoad, even if it was previously saved with TPMContext.ContextSave.

func (*TPMContext) GetCapability 

func (t *TPMContext) GetCapability(capability Capability, property, propertyCount uint32, sessions ...SessionContext) (*CapabilityData, error)

GetCapability executes the TPM2_GetCapability command, which returns various properties of the TPM and its current state. The capability parameter indicates the category of data to be returned. The property parameter indicates the first value of the selected category to be returned. The propertyCount parameter indicates the number of values to be returned.

If no property in the TPM corresponds to the value of property, then the next property is returned.

The underlying implementation of TPM2_GetCapability is not required to (or may not be able to) return all of the requested values in a single request. This function will re-execute the TPM2_GetCapability command until all of the requested properties have been returned. As a consequence, any SessionContext instances provided should have the AttrContinueSession attribute defined.

If capability is CapabilityHandles and property does not correspond to a valid handle type, a *TPMParameterError error with an error code of ErrorHandle is returned for parameter index 2.

func (*TPMContext) GetCapabilityAlgs 

func (t *TPMContext) GetCapabilityAlgs(first AlgorithmId, propertyCount uint32, sessions ...SessionContext) (AlgorithmPropertyList, error)

GetCapabilityAlgs is a helper function that wraps around TPMContext.GetCapability, and returns properties of the algorithms supported by the TPM. The first parameter indicates the first algorithm for which to return properties. If this algorithm isn't supported, then the properties of the next supported algorithm are returned instead. The propertyCount parameter indicates the number of algorithms for which to return properties.

func (*TPMContext) GetCapabilityAuditCommands 

func (t *TPMContext) GetCapabilityAuditCommands(first CommandCode, propertyCount uint32, sessions ...SessionContext) (CommandCodeList, error)

GetCapabilityPPCommands is a helper function that wraps around TPMContext.GetCapability, and returns a list of commands that are currently set for command audit. The first parameter indicates the command code at which the returned list should start. The propertyCount parameter indicates the maximum number of command codes to return.

func (*TPMContext) GetCapabilityAuthPolicies 

func (t *TPMContext) GetCapabilityAuthPolicies(first Handle, propertyCount uint32, sessions ...SessionContext) (TaggedPolicyList, error)

GetCapabilityAuthPolicies is a helper function that wraps around TPMContext.GetCapability, and returns auth policy digests associated with permanent handles. The first parameter indicates the first handle for which to return an auth policy. If the handle doesn't exist, then the auth policy for the next available handle is returned. The propertyCount parameter indicates the number of permanent handles for which to return an auth policy.

func (*TPMContext) GetCapabilityCommands 

func (t *TPMContext) GetCapabilityCommands(first CommandCode, propertyCount uint32, sessions ...SessionContext) (CommandAttributesList, error)

GetCapabilityCommands is a helper function that wraps around TPMContext.GetCapability, and returns attributes of the commands supported by the TPM. The first parameter indicates the first command for which to return attributes. If this command isn't supported, then the attributes of the next supported command are returned instead. The propertyCount parameter indicates the number of commands for which to return attributes.

func (*TPMContext) GetCapabilityECCCurves 

func (t *TPMContext) GetCapabilityECCCurves(sessions ...SessionContext) (ECCCurveList, error)

GetCapabilityECCCurves is a helper function that wraps around TPMContext.GetCapability, and returns a list of ECC curves supported by the TPM.

func (*TPMContext) GetCapabilityHandles 

func (t *TPMContext) GetCapabilityHandles(handleType Handle, propertyCount uint32, sessions ...SessionContext) (HandleList, error)

GetCapabilityHandles is a helper function that wraps around TPMContext.GetCapability, and returns a list of handles of resources on the TPM. The handleType parameter indicates the type of handles to be returned (represented by the most-significant byte), and also the handle at which the list should start. The propertyCount parameter indicates the maximum number of handles to return.

func (*TPMContext) GetCapabilityPCRProperties 

func (t *TPMContext) GetCapabilityPCRProperties(first PropertyPCR, propertyCount uint32, sessions ...SessionContext) (TaggedPCRPropertyList, error)

GetCapabilityPCRProperties is a helper function that wraps around TPMContext.GetCapability, and returns the values of PCR properties. The first parameter indicates the first property for which to return a value. If the property does not exist, then the value of the next available property is returned. The propertyCount parameter indicates the number of properties for which to return values. Each returned property value is a list of PCR indexes associated with a property.

func (*TPMContext) GetCapabilityPCRs 

func (t *TPMContext) GetCapabilityPCRs(sessions ...SessionContext) (PCRSelectionList, error)

GetCapabilityPCRs is a helper function that wraps around TPMContext.GetCapability, and returns the current allocation of PCRs on the TPM.

func (*TPMContext) GetCapabilityPPCommands 

func (t *TPMContext) GetCapabilityPPCommands(first CommandCode, propertyCount uint32, sessions ...SessionContext) (CommandCodeList, error)

GetCapabilityPPCommands is a helper function that wraps around TPMContext.GetCapability, and returns a list of commands that require physical presence for platform authorization. The first parameter indicates the command code at which the returned list should start. The propertyCount parameter indicates the maximum number of command codes to return.

func (*TPMContext) GetCapabilityTPMProperties 

func (t *TPMContext) GetCapabilityTPMProperties(first Property, propertyCount uint32, sessions ...SessionContext) (TaggedTPMPropertyList, error)

GetCapabilityTPMProperties is a helper function that wraps around TPMContext.GetCapability, and returns the values of properties of the TPM. The first parameter indicates the first property for which to return a value. If the property does not exist, then the value of the next available property is returned. The propertyCount parameter indicates the number of properties for which to return values.

func (*TPMContext) GetCommandAuditDigest 

func (t *TPMContext) GetCommandAuditDigest(privacyContext, signContext ResourceContext, qualifyingData Data, inScheme *SigScheme, privacyContextAuthSession, signContextAuthSession SessionContext, sessions ...SessionContext) (AttestRaw, *Signature, error)

GetCommandAuditDigest executes the TPM2_GetCommandAuditDigest command to obtain the current command audit digest, the current audit digest algorithm and a digest of the list of commands being audited.

The privacyContext argument must be a ResourceContext corresponding to HandleEndorsement. This command requires authorization with the user auth role for privacyContext, with session based authorization provided via privacyContextAuthSession.

If signContext is not nil, the returned attestation will be signed by the key associated with it. This command requires authorization with the user auth role for signContext, with session based authorization provided via provided via signContextAuthSession.

If signContext is not nil and the object associated with signContext is not a signing key, a *TPMHandleError error with an error code of ErrorKey will be returned for handle index 2.

If signContext is not nil and if the scheme of the key associated with signContext is AlgorithmNull, then inScheme must be provided to specify a valid signing scheme for the key. If it isn't, a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

If signContext is not nil and the scheme of the key associated with signContext is not AlgorithmNull, then inScheme may be nil. If it is provided, then the specified scheme must match that of the signing key, else a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

On success, it returns an attestation structure detailing the current command audit digest, digest algorithm and a digest of the list of commands being audited. If signContext is not nil, the attestation structure will be signed by the associated key and returned too.

func (*TPMContext) GetManufacturer 

func (t *TPMContext) GetManufacturer(sessions ...SessionContext) (TPMManufacturer, error)

GetManufacturer is a helper function that wraps around TPMContext.GetCapability in order to obtain the ID of the TPM manufacturer.

func (*TPMContext) GetPermanentContext 

func (t *TPMContext) GetPermanentContext(handle Handle) ResourceContext

GetPermanentContext returns a ResourceContext for the specified permanent handle or PCR handle.

This function will panic if handle does not correspond to a permanent or PCR handle.

If subsequent use of the returned ResourceContext requires knowledge of the authorization value of the corresponding TPM resource, this should be provided by calling ResourceContext.SetAuthValue.

func (*TPMContext) GetRandom 

func (t *TPMContext) GetRandom(bytesRequested uint16, sessions ...SessionContext) (Digest, error)

func (*TPMContext) GetSessionAuditDigest 

func (t *TPMContext) GetSessionAuditDigest(privacyAdminContext, signContext ResourceContext, sessionContext SessionContext, qualifyingData Data, inScheme *SigScheme, privacyAdminContextAuthSession, signContextAuthSession SessionContext, sessions ...SessionContext) (AttestRaw, *Signature, error)

GetSessionAuditDigest executes the TPM2_GetSessionAuditDigest to obtain the current digest of the audit session corresponding to sessionContext.

The privacyAdminContext argument must be a ResourceContext that corresponds to HandleEndorsement. This command requires authorization with the user auth role for privacyAdminContext, with session based authorization provided via privacyAdminContextAuthSession.

If signContext is not nil, the returned attestation will be signed by the key associated with it. This command requires authorization with the user auth role for signContext, with session based authorization provided via signContextAuthSession.

If signContext is not nil and the object associated with signContext is not a signing key, a *TPMHandleError error with an error code of ErrorKey will be returned for handle index 2.

If signContext is not nil and if the scheme of the key associated with signContext is AlgorithmNull, then inScheme must be provided to specify a valid signing scheme for the key. If it isn't, a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

If signContext is not nil and the scheme of the key associated with signContext is not AlgorithmNull, then inScheme may be nil. If it is provided, then the specified scheme must match that of the signing key, else a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

On success, it returns an attestation structure detailing the current audit digest for sessionContext. If signContext is not nil, the attestation structure will be signed by the associated key and returned too.

func (*TPMContext) GetTestResult 

func (t *TPMContext) GetTestResult(sessions ...SessionContext) (MaxBuffer, ResponseCode, error)

func (*TPMContext) GetTime 

func (t *TPMContext) GetTime(privacyAdminContext, signContext ResourceContext, qualifyingData Data, inScheme *SigScheme, privacyAdminContextAuthSession, signContextAuthSession SessionContext, sessions ...SessionContext) (AttestRaw, *Signature, error)

GetTime executes the TPM2_GetTime command in order to obtain the current values of time and clock.

The privacyAdminContext argument must be a ResourceContext that corresponds to HandleEndorsement. The command requires authorization with the user auth role for privacyAdminContext, with session based authorization provided via privacyAdminContextAuthSession.

If signContext is not nil, the returned attestation will be signed by the key associated with it. This command requires authorization with the user auth role for signContext, with session based authorization provided via signContextAuthSession.

If signContext is not nil and the object associated with signContext is not a signing key, a *TPMHandleError error with an error code of ErrorKey will be returned for handle index 2.

If signContext is not nil and if the scheme of the key associated with signContext is AlgorithmNull, then inScheme must be provided to specify a valid signing scheme for the key. If it isn't, a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

If signContext is not nil and the scheme of the key associated with signContext is not AlgorithmNull, then inScheme may be nil. If it is provided, then the specified scheme must match that of the signing key, else a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

On success, it returns an attestation structure detailing the current values of time and clock. If signContext is not nil, the attestation structure will be signed by the associated key and returned too.

func (*TPMContext) HierarchyChangeAuth 

func (t *TPMContext) HierarchyChangeAuth(authContext ResourceContext, newAuth Auth, authContextAuthSession SessionContext, sessions ...SessionContext) error

HierarchyChangeAuth executes the TPM2_HierarchyChangeAuth command to change the authorization value for the hierarchy associated with the authContext parameter. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession.

If the value of newAuth is longer than the context integrity digest algorithm for the TPM, a *TPMParameterError error with an error code of ErrorSize will be returned.

On successful completion, the authorization value of the hierarchy associated with authContext will be set to the value of newAuth, and authContext will be updated to reflect this - it isn't necessary to update authContext with ResourceContext.SetAuthValue in order to use it in subsequent commands that require knowledge of the authorization value for the resource.

func (*TPMContext) Import 

func (t *TPMContext) Import(parentContext ResourceContext, encryptionKey Data, objectPublic *Public, duplicate Private, inSymSeed EncryptedSecret, symmetricAlg *SymDefObject, parentContextAuthSession SessionContext, sessions ...SessionContext) (Private, error)

Import executes the TPM2_Import command in order to encrypt the sensitive area of the object associated with the objectPublic and duplicate arguments with the symmetric algorithm of the storage parent associated with parentContext, so that it can be loaded and used in the new hierarchy. If the object to be imported has an inner duplication wrapper (see section 23.3 - "Protected Storage Hierarchy - Duplication" of Part 1 of the Trusted Platform Module Library specification), then symmetricAlg must be provided with the algorithm of the inner duplication wrapper, and encryptionKey must be provided with the symmetric key for the inner duplication wrapper. If the object to be imported has an outer duplication wrapper, the seed used to generate the symmetric key and HMAC key for the outer duplication wrapper, encrypted using the methods defined by parentContext, must be provided via the inSymSeed argument.

This command requires authorization with the user auth role for parentContext, with session based authorization provided via parentContextAuthSession.

If objectPublic has the AttrFixedTPM or AttrFixedParent attributes set, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If parentContext is not associated with a storage parent, a *TPMHandleError error with an error code of ErrorType will be returned.

If the length of encryptionKey is not consistent with symmetricAlg, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

If symmetricAlg is not provided or symmetricAlg.Algorithm is SymObjectAlgorithmNull and objectPublic has the AttrEncryptedDuplication attribute set, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 1.

If the length of inSymSeed is not zero and the object associated with parentContext is not an asymmetric key, a *TPMHandleError error with an error code of ErrorType will be returned.

If parentContext is associated with a RSA key and the size of inSymSeed does not match the size of the key's public modulus, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 4.

If parentContext is associated with a RSA key and the plaintext size of inSymSeed is larger than the name algorithm, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 4.

If parentContext is associated with a ECC key and inSymSeed does not contain enough data to unmarshal a ECC point, a *TPMParameterError error with an error code of ErrorInsufficient will be returned for parameter index 4.

If parentContext is associated with a ECC key and the ECC point in inSymSeed is not on the curve specified by the parent key, a *TPMParameterError error with an error code of ErrorECCPoint will be returned for parameter index 4.

If parentContext is associated with a ECC key and multiplication of the ECC point in inSymSeed results in a point at infinity, a *TPMParameterError error with an error code of ErrorNoResult will be returned for parameter index 4.

If the name of the object associated with objectPublic cannot be computed, a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2.

If the object has an outer duplication wrapper and the integrity value of duplicate cannot be unmarshalled correctly, a *TPMParameterError error with an error code of either ErrorSize or ErrorInsufficient will be returned for parameter index 3. If the integrity check fails, a *TPMParameterError error with an error code of ErrorIntegrity will be returned for parameter index 3.

If the object has an inner duplication wrapper and the integrity value of duplicate cannot be unmarshalled correctly after decrypting the inner wrapper, a *TPMParameterError error with an error code of either ErrorSize or ErrorInsufficient will be returned for parameter index 3. If the integrity check fails, a *TPMParameterError error with an error code of ErrorIntegrity will be returned for parameter index 3.

If, after removing the duplication wrappers, the sensitive area does not unmarshal correctly, a *TPMParameterError error with an error code of either ErrorSize or ErrorInsufficient will be returned for parameter index 3.

On success, a new private area encrypted with the symmetric algorithm defined by the object associated with parentContext is returned.

func (*TPMContext) IncrementalSelfTest 

func (t *TPMContext) IncrementalSelfTest(toTest AlgorithmList, sessions ...SessionContext) (AlgorithmList, error)

func (*TPMContext) Load 

func (t *TPMContext) Load(parentContext ResourceContext, inPrivate Private, inPublic *Public, parentContextAuthSession SessionContext, sessions ...SessionContext) (ResourceContext, error)

Load executes the TPM2_Load command in order to load both the public and private parts of an object in to the TPM.

The parentContext parameter corresponds to the parent key. The command requires authorization with the user auth role for parentContext, with session based authorization provided via parentContextAuthSession.

The object to load is specified by providing the inPrivate and inPublic arguments.

If there are no available slots for new objects on the TPM, a *TPMWarning error with a warning code of WarningObjectMemory will be returned.

If inPrivate is empty, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

If parentContext does not correspond to a storage parent, a *TPMHandleError error with an error code of ErrorType will be returned.

If the name algorithm associated with inPublic is invalid, a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 2.

If the integrity value or IV for inPrivate cannot be unmarshalled correctly, a *TPMParameterError error with an error code of either ErrorSize or ErrorInsufficient will be returned for parameter index 1. If the integrity check of inPrivate fails, a *TPMParameterError error with an error code of ErrorIntegrity will be returned for parameter index 1. If the size of the IV for inPrivate doesn't match the block size for the encryption algorithm, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 1.

TPM2_Load performs many of the same validations of the public attributes as TPM2_Create, and may return similar error codes as *TPMParameterError for parameter index 2.

If the object associated with parentContext has the AttrFixedTPM attribute clear, some additional validation of the decrypted sensitive data is performed as detailed below.

If the Type field of inPublic does not match the type specified in the sensitive data, a *TPMParameterError error with an error code of ErrorType is returned for parameter index 1. If the authorization value in the sensitive area is larger than the name algorithm, a *TPMParameterError error with an error code of ErrorSize is returned for parameter index 1.

If the Type field of inPublic is AlgorithmRSA and the size of the modulus in the Unique field is inconsistent with the size specified in the Params field, a *TPMParameterError error with an error code of ErrorKey will be returned for parameter index 2. If the value of the exponent in the Params field is invalid, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 2. If the size of private key in the sensitive area is not the correct size, a *TPMParameterError error with an error code of ErrorKeySize will be returned for parameter index 1.

If the Type field of inPublic is AlgorithmECC and the private key in the sensitive area is invalid, a *TPMParameterError error with an error code of ErrorKeySize will be returned for parameter index 1. If the public point specified in the Unique field of inPublic does not belong to the private key, a *TPMError with an error code of ErrorBinding will be returned.

If the Type field of inPublic is AlgorithmSymCipher and the size of the symmetric key in the sensitive area is inconsistent with the symmetric algorithm specified in the Params field of inPublic, a *TPMParameterError error with an error code of ErrorKeySize will be returned for parameter index 1.

If the Type field of inPublic is AlgorithmKeyedHash and the size of the sensitive data is larger than permitted for the digest algorithm selected by the scheme defined in the Params field of inPublic, a *TPMParameterError error with an error code of ErrorKeySize will be returned for parameter index 1.

If the Type field of inPublic is AlgorithmSymCipher or AlgorithmKeyedHash and the size of seed value in the sensitive area does not match the name algorithm, a *TPMError error with an error code of ErrorKeySize will be returned. If the digest in the Unique field of inPublic is inconsistent with the value of the sensitive data and the seed value, a *TPMError with an error code of ErrorBinding will be returned.

If the loaded object is a storage parent and the size of the seed value in the sensitive area isn't sufficient for the selected name algorithm, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

On success, a ResourceContext corresponding to the newly loaded transient object will be returned. If subsequent use of the returned ResourceContext requires knowledge of the authorization value of the corresponding TPM resource, this should be provided by calling ResourceContext.SetAuthValue.

func (*TPMContext) LoadExternal 

func (t *TPMContext) LoadExternal(inPrivate *Sensitive, inPublic *Public, hierarchy Handle, sessions ...SessionContext) (ResourceContext, error)

LoadExternal executes the TPM2_LoadExternal command in order to load an object that is not a protected object in to the TPM. The object is specified by providing the inPrivate and inPublic arguments, although inPrivate is optional. If only the public part is to be loaded, the hierarchy parameter must specify a hierarchy to associate the loaded object with so that tickets can be created properly. If both the public and private parts are to be loaded, then hierarchy should be HandleNull.

If there are no available slots for new objects on the TPM, a *TPMWarning error with a warning code of WarningObjectMemory will be returned.

If the hierarchy specified by the hierarchy parameter is disabled, a *TPMParameterError error with an error code of ErrorHierarchy will be returned for parameter index 3.

If inPrivate is provided and hierarchy is not HandleNull, a *TPMParameterError error with an error code of ErrorHierarchy will be returned for parameter index 3.

If inPrivate is provided and the Attrs field of inPublic has either AttrFixedTPM, AttrFixedParent or AttrRestricted attribute set, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

TPM2_LoadExternal performs many of the same validations of the public attributes as TPM2_Create, and may return similar error codes as *TPMParameterError for parameter index 2.

If inPrivate is provided and the Type field of inPublic does not match the type specified in the sensitive data, a *TPMParameterError error with an error code of ErrorType is returned for parameter index 1. If the authorization value in the sensitive area is larger than the name algorithm, a *TPMParameterError error with an error code of ErrorSize is returned for parameter index 1.

If the Type field of inPublic is AlgorithmRSA and the size of the modulus in the Unique field is inconsistent with the size specified in the Params field, a *TPMParameterError error with an error code of ErrorKey will be returned for parameter index 2. If the value of the exponent in the Params field is invalid, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 2. If inPrivate is provided and the size of private key in the sensitive area is not the correct size, a *TPMParameterError error with an error code of ErrorKeySize will be returned for parameter index 1.

If the Type field of inPublic is AlgorithmECC, inPrivate is provided and the private key in the sensitive area is invalid, a *TPMParameterError error with an error code of ErrorKeySize will be returned for parameter index 1. If the public point specified in the Unique field of inPublic does not belong to the private key, a *TPMError with an error code of ErrorBinding will be returned.

If the Type field of inPublic is AlgorithmECC, inPrivate is not provided and the size of the public key in the Unique field of inPublic is inconsistent with the value of the Params field of inPublic, a *TPMParameterError error with an error code of ErrorKey is returned for parameter index 2. If the public point is not on the curve specified in the Params field of inPublic, a *TPMParameterError error with an error code of ErrorECCPoint will be returned for parameter index 2.

If the Type field of inPublic is AlgorithmSymCipher, inPrivate is provided and the size of the symmetric key in the sensitive area is inconsistent with the symmetric algorithm specified in the Params field of inPublic, a *TPMParameterError error with an error code of ErrorKeySize will be returned for parameter index 1.

If the Type field of inPublic is AlgorithmKeyedHash, inPrivate is provided and the size of the sensitive data is larger than permitted for the digest algorithm selected by the scheme defined in the Params field of inPublic, a *TPMParameterError error with an error code of ErrorKeySize will be returned for parameter index 1.

If the Type field of inPublic is AlgorithmSymCipher or AlgorithmKeyedHash and inPrivate has not been provided, a *TPMParameterError error with an error code of ErrorKey will be returned for parameter index 2 if the size of the digest in the Unique field of inPublic does not match the selected name algorithm.

If the Type field of inPublic is AlgorithmSymCipher or AlgorithmKeyedHash, inPrivate has been provided and the size of seed value in the sensitive area does not match the name algorithm, a *TPMError error with an error code of ErrorKeySize will be returned. If the digest in the Unique field of inPublic is inconsistent with the value of the sensitive data and the seed value, a *TPMError with an error code of ErrorBinding will be returned.

On success, a ResourceContext corresponding to the newly loaded transient object will be returned.

func (*TPMContext) LockoutHandleContext 

func (t *TPMContext) LockoutHandleContext() ResourceContext

LockoutHandleContext returns the ResourceContext corresponding to the lockout hiearchy.

func (*TPMContext) MakeCredential 

func (t *TPMContext) MakeCredential(context ResourceContext, credential Digest, objectName Name, sessions ...SessionContext) (IDObjectRaw, EncryptedSecret, error)

MakeCredential executes the TPM2_MakeCredential command to allow the TPM to perform the actions of a certificate authority, in order to create an activation credential.

The object associated with context must be the public part of a storage key, which would typically be the endorsement key of the TPM from which the request originates. The certificate authority would normally be in receipt of the TPM manufacturer issued endorsement certificate corresponding to this key and would have validated this. The certificate is an assertion from the manufacturer that the key is a valid endorsement key (a restricted, non-duplicable decrypt key) that is resident on a genuine TPM.

The credential parameter is the activation credential, which would typically be used to protect the generated certificate. The objectName parameter is the name of object for which a certificate is requested. The public part of this object would normally be validated by the certificate authority to ensure that it has the properties expected of an attestation key (it is a restricted, non-duplicable signing key).

If context does not correspond to an asymmetric restricted decrypt key, a *TPMHandleError error with an error code of ErrorType is returned.

If the size of credential is larger than the name algorithm associated with context, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

If the algorithm of the object associated with context is AlgorithmECC, a *TPMError with an error code of ErrorKey will be returned if the ECC key is invalid. If the algorithm of the object associated with context is AlgorithmRSA, a *TPMError with an error code of ErrorScheme will be returned if the padding scheme is invalid or not supported.

On success, the encrypted activation credential is returned as IDObjectRaw. The activation credential is encrypted with a key derived from a randomly generated seed and objectName, and an integrity HMAC of the encrypted credential and objectName is prepended using a HMAC key derived from the same seed. The seed is encrypted using the public key associated with context, and returned as EncryptedSecret.

The certificate authority would typically protect the certificate it generates with the unencrypted credential, and then return the protected certificate, the encrypted credential blob and the encrypted seed to the requesting party. The seed and credential values can only be recovered on the TPM associated with the endorsement certificate that the requesting party provided if the object associated with objectName is resident on it.

func (*TPMContext) NVChangeAuth 

func (t *TPMContext) NVChangeAuth(nvIndex ResourceContext, newAuth Auth, nvIndexAuthSession SessionContext, sessions ...SessionContext) error

NVChangeAuth executes the TPM2_NV_ChangeAuth command to change the authorization value for the NV index associated with nvIndex, setting it to the new value defined by newAuth. The command requires the admin auth role for nvIndex, with the session provided via nvIndexAuthSession.

If the size of newAuth is greater than the name algorithm for the index, a *TPMParameterError error with an error code of ErrorSize will be returned.

On successful completion, the authorization value of the NV index associated with nvIndex will be set to the value of newAuth, and nvIndex will be updated to reflect this - it isn't necessary to update nvIndex with ResourceContext.SetAuthValue in order to use it in authorization roles that require knowledge of the authorization value for the index.

func (*TPMContext) NVDefineSpace 

func (t *TPMContext) NVDefineSpace(authContext ResourceContext, auth Auth, publicInfo *NVPublic, authContextAuthSession SessionContext, sessions ...SessionContext) (ResourceContext, error)

NVDefineSpace executes the TPM2_NV_DefineSpace command to reserve space to hold the data associated with a NV index described by the publicInfo parameter. The Index field of publicInfo defines the handle at which the index should be reserved. The NameAlg field defines the digest algorithm for computing the name of the NV index. The Attrs field is used to describe attributes for the index, as well as its type. An authorization policy for the index can be defined using the AuthPolicy field of publicInfo. The Size field defines the size of the index.

The auth parameter specifies an authorization value for the NV index.

The authContext parameter specifies the hierarchy used for authorization, and should correspond to HandlePlatform or HandleOwner. The command requires authorization with the user auth role for the specified hierarchy, with session based authorization provided via authContextAuthSession.

If the Attrs field of publicInfo has AttrNVPolicyDelete set but TPM2_NV_UndefineSpaceSpecial isn't supported, or the Attrs field defines a type that is unsupported, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If the AuthPolicy field of publicInfo defines an authorization policy digest then the digest length must match the size of the name algorithm defined by the NameAlg field of publicInfo, else a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 2.

If the length of auth is greater than the name algorithm selected by the NameAlg field of the publicInfo parameter, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

If authContext corresponds to HandlePlatform but the AttrPhEnableNV attribute is clear, a *TPMHandleError error with an error code of ErrorHierarchy will be returned.

If the type indicated by the Attrs field of publicInfo isn't supported by the TPM, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If the type defined by publicInfo is NVTypeCounter, NVTypeBits, NVTypePinPass or NVTypePinFail, the Size field of publicInfo must be 8. If the type defined by publicInfo is NVTypeExtend, the Size field of publicInfo must match the size of the name algorithm defined by the NameAlg field. If the size is unexpected, or the size for an index of type NVTypeOrdinary is too large, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 2.

If the type defined by publicInfo is NVTypeCounter, then the Attrs field must not have the AttrNVClearStClear attribute set, else a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If the type defined by publicInfo is NVTypePinFail, then the Attrs field must have the AttrNVNoDA attribute set. If the type is either NVTypePinPass or NVTypePinFail, then the Attrs field must have the AttrNVAuthWrite, AttrNVGlobalLock and AttrNVWriteDefine attributes clear, else a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If the Attrs field of publicInfo has either AttrNVWriteLocked, AttrNVReadLocked or AttrNVWritten set, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

The Attrs field of publicInfo must have one of either AttrNVPPWrite, AttrNVOwnerWrite, AttrNVAuthWrite or AttrNVPolicyWrite set, and must also have one of either AttrNVPPRead, AttrNVOwnerRead, AttrNVAuthRead or AttrNVPolicyRead set. If there is no way to read or write an index, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If the Attrs field of publicInfo has AttrNVClearStClear set, a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2 if AttrNVWriteDefine is set.

If authContext corresponds to HandlePlatform, then the Attrs field of publicInfo must have the AttrNVPlatformCreate attribute set. If authContext corresponds to HandleOwner, then the AttrNVPlatformCreate attributes must be clear, else a *TPMHandleError error with an error code of ErrorAttributes will be returned.

If the Attrs field of publicInfo has the AttrNVPolicyDelete attribute set, then HandlePlatform must be used for authorization via authContext, else a *TPMParameterError error with an error code of ErrorAttributes will be returned for parameter index 2.

If an index is already defined at the location specified by the Index field of publicInfo, a *TPMError error with an error code of ErrorNVDefined will be returned.

If there is insufficient space for the index, a *TPMError error with an error code of ErrorNVSpace will be returned.

On successful completion, the NV index will be defined and a ResourceContext corresponding to the new NV index will be returned. It will not be necessary to call ResourceContext.SetAuthValue on the returned ResourceContext - this function sets the correct authorization value so that it can be used in subsequent commands that require knowledge of it.

func (*TPMContext) NVExtend 

func (t *TPMContext) NVExtend(authContext, nvIndex ResourceContext, data MaxNVBuffer, authContextAuthSession SessionContext, sessions ...SessionContext) error

NVExtend executes the TPM2_NV_Extend command to extend data to the NV index associated with nvIndex, using the index's name algorithm.

The command requires authorization, defined by the state of the AttrNVPPWrite, AttrNVOwnerWrite, AttrNVAuthWrite and AttrNVPolicyWrite attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPWrite attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerWrite attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthWrite or AttrNVPolicyWrite attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthWrite attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyWrite attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index has the AttrNVWriteLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the type of the index is not NVTypeExtend, a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 2.

On successful completion, the AttrNVWritten flag will be set if this is the first time that the index has been written to.

func (*TPMContext) NVGlobalWriteLock 

func (t *TPMContext) NVGlobalWriteLock(authContext ResourceContext, authContextAuthSession SessionContext, sessions ...SessionContext) error

NVGlobalWriteLock executes the TPM2_NV_GlobalWriteLock command to inhibit further writes for all NV indexes that have the AttrNVGlobalLock attribute set.

The authContext parameter specifies a hierarchy, and should correspond to either HandlePlatform or HandleOwner. The command requires the user auth role for authContext, with session based authorization provided via authContextAuthSession.

On successful completion, the AttrNVWriteLocked attribute will be set for all NV indexes that have the AttrNVGlobalLock attribute set. If an index also has the AttrNVWriteDefine attribute set, this will permanently inhibit further writes unless AttrNVWritten is clear. ResourceContext instances associated with NV indices that are updated as a consequence of this function will no longer be able to be used because the name will be incorrect.

func (*TPMContext) NVIncrement 

func (t *TPMContext) NVIncrement(authContext, nvIndex ResourceContext, authContextAuthSession SessionContext, sessions ...SessionContext) error

NVIncrement executes the TPM2_NV_Increment command to increment the counter associated with nvIndex.

The command requires authorization, defined by the state of the AttrNVPPWrite, AttrNVOwnerWrite, AttrNVAuthWrite and AttrNVPolicyWrite attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPWrite attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerWrite attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthWrite or AttrNVPolicyWrite attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthWrite attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyWrite attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index has the AttrNVWriteLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the type of the index is not NVTypeCounter, a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 2.

On successful completion, the AttrNVWritten flag will be set if this is the first time that the index has been written to.

func (*TPMContext) NVRead 

func (t *TPMContext) NVRead(authContext, nvIndex ResourceContext, size, offset uint16, authContextAuthSession SessionContext, sessions ...SessionContext) (MaxNVBuffer, error)

NVRead executes the TPM2_NV_Read command to read the contents of the NV index associated with nvIndex. The amount of data to read, and the offset within the index are defined by the size and offset parameters.

The command requires authorization, defined by the state of the AttrNVPPRead, AttrNVOwnerRead, AttrNVAuthRead and AttrNVPolicyRead attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPRead attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerRead attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthRead or AttrNVPolicyRead attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthRead attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyRead attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the requested data can not be read in a single command, this function will re-execute the TPM2_NV_Read command until all data is read. As a consequence, any SessionContext instances provided should have the AttrContinueSession attribute defined. If the requested data cannot be read in a single command, then authContextAuth should not correspond to a policy session. If a policy session is required, use TPMContext.NVReadRaw instead.

If the index has the AttrNVReadLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the index has not been initialized (ie, the AttrNVWritten attribute is not set), a *TPMError error with an error code of ErrorNVUninitialized will be returned.

If the value of size is too large, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 1.

If the value of offset falls outside of the bounds of the index, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 2.

If the data selection falls outside of the bounds of the index, a *TPMError error with an error code of ErrorNVRange will be returned.

On successful completion, the requested data will be returned.

func (*TPMContext) NVReadCounter 

func (t *TPMContext) NVReadCounter(authContext, nvIndex ResourceContext, authContextAuthSession SessionContext, sessions ...SessionContext) (uint64, error)

NVReadCounter is a helper function for NVRead for reading the contents of the NV counter index associated with nvIndex. If the type of nvIndex is not NVTypeCounter, an error will be returned.

The command requires authorization, defined by the state of the AttrNVPPRead, AttrNVOwnerRead, AttrNVAuthRead and AttrNVPolicyRead attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPRead attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerRead attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthRead or AttrNVPolicyRead attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthRead attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyRead attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index has the AttrNVReadLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the index has not been initialized (ie, the AttrNVWritten attribute is not set), a *TPMError error with an error code of ErrorNVUninitialized will be returned.

On successful completion, the current counter value will be returned.

func (*TPMContext) NVReadLock 

func (t *TPMContext) NVReadLock(authContext, nvIndex ResourceContext, authContextAuthSession SessionContext, sessions ...SessionContext) error

NVReadLock executes the TPM2_NV_ReadLock command to inhibit further reads of the NV index associated with nvIndex.

The command requires authorization, defined by the state of the AttrNVPPRead, AttrNVOwnerRead, AttrNVAuthRead and AttrNVPolicyRead attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPRead attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerRead attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthRead or AttrNVPolicyRead attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthRead attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyRead attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index doesn't have the AttrNVReadStClear attribute set, then a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 2.

On successful completion, the AttrNVReadLocked attribute will be set. It will be cleared again (and reads will be reenabled) on the next TPM reset or TPM restart.

func (*TPMContext) NVReadPinCounterParams 

func (t *TPMContext) NVReadPinCounterParams(authContext, nvIndex ResourceContext, authContextAuthSession SessionContext, sessions ...SessionContext) (*NVPinCounterParams, error)

NVReadPinCounterParams is a helper function for NVRead for reading the contents of the NV pin pass or NV pin fail index associated with nvIndex. If the type of nvIndex is not NVTypePinPass of NVTypePinFail, an error will be returned.

The command requires authorization, defined by the state of the AttrNVPPRead, AttrNVOwnerRead, AttrNVAuthRead and AttrNVPolicyRead attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPRead attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerRead attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthRead or AttrNVPolicyRead attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthRead attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyRead attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index has the AttrNVReadLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the index has not been initialized (ie, the AttrNVWritten attribute is not set), a *TPMError error with an error code of ErrorNVUninitialized will be returned.

On successful completion, the current PIN count and limit will be returned.

func (*TPMContext) NVReadPublic 

func (t *TPMContext) NVReadPublic(nvIndex ResourceContext, sessions ...SessionContext) (*NVPublic, Name, error)

NVReadPublic executes the TPM2_NV_ReadPublic command to read the public area of the NV index associated with nvIndex.

func (*TPMContext) NVReadRaw 

func (t *TPMContext) NVReadRaw(authContext, nvIndex ResourceContext, size, offset uint16, authContextAuthSession SessionContext, sessions ...SessionContext) (MaxNVBuffer, error)

NVReadRaw executes the TPM2_NV_Read command to read the contents of the NV index associated with nvIndex. The amount of data to read, and the offset within the index are defined by the size and offset parameters. If the amount of data requested is greater than the maximum supported by the TPM in a single command, a partial read will be performed.

The command requires authorization, defined by the state of the AttrNVPPRead, AttrNVOwnerRead, AttrNVAuthRead and AttrNVPolicyRead attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPRead attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerRead attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthRead or AttrNVPolicyRead attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthRead attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyRead attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index has the AttrNVReadLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the index has not been initialized (ie, the AttrNVWritten attribute is not set), a *TPMError error with an error code of ErrorNVUninitialized will be returned.

If the value of size is too large, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 1.

If the value of offset falls outside of the bounds of the index, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 2.

If the data selection falls outside of the bounds of the index, a *TPMError error with an error code of ErrorNVRange will be returned.

On successful completion, the requested data will be returned.

func (*TPMContext) NVSetBits 

func (t *TPMContext) NVSetBits(authContext, nvIndex ResourceContext, bits uint64, authContextAuthSession SessionContext, sessions ...SessionContext) error

NVSetBits executes the TPM2_NV_SetBits command to OR the value of bits with the contents of the NV index associated with nvIndex.

The command requires authorization, defined by the state of the AttrNVPPWrite, AttrNVOwnerWrite, AttrNVAuthWrite and AttrNVPolicyWrite attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPWrite attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerWrite attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthWrite or AttrNVPolicyWrite attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthWrite attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyWrite attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index has the AttrNVWriteLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the type of the index is not NVTypeBits, a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 2.

On successful completion, the AttrNVWritten flag will be set if this is the first time that the index has been written to.

func (*TPMContext) NVSetPinCounterParams 

func (t *TPMContext) NVSetPinCounterParams(authContext, nvIndex ResourceContext, params *NVPinCounterParams, authContextAuthSession SessionContext, sessions ...SessionContext) error

NVSetPinCounterParams is a helper function for NVWrite for updating the contents of the NV pin pass or NV pin fail index associated with nvIndex. If the type of nvIndex is not NVTypePinPass of NVTypePinFail, an error will be returned.

The command requires authorization, defined by the state of the AttrNVPPWrite, AttrNVOwnerWrite, AttrNVAuthWrite and AttrNVPolicyWrite attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPWrite attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerWrite attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthWrite or AttrNVPolicyWrite attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthWrite attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyWrite attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index has the AttrNVWriteLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

On successful completion, the AttrNVWritten flag will be set if this is the first time that the index has been written to.

func (*TPMContext) NVUndefineSpace 

func (t *TPMContext) NVUndefineSpace(authContext, nvIndex ResourceContext, authContextAuthSession SessionContext, sessions ...SessionContext) error

NVUndefineSpace executes the TPM2_NV_UndefineSpace command to remove the NV index associated with nvIndex, and free the resources used by it. If the index has the AttrNVPolicyDelete attribute set, then a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 2.

The authContext parameter specifies the hierarchy used for authorization and should correspond to either HandlePlatform or HandleOwner. The command requires authorization with the user auth role for the specified hierarchy, with session based authorization provided via authContextAuthSession.

If authContext corresponds to HandleOwner and the NV index has the AttrNVPlatformCreate attribute set, then a *TPMError error with an error code of ErrorNVAuthorization will be returned.

On successful completion, nvIndex will be invalidated.

func (*TPMContext) NVUndefineSpaceSpecial 

func (t *TPMContext) NVUndefineSpaceSpecial(nvIndex, platform ResourceContext, nvIndexAuthSession, platformAuthSession SessionContext, sessions ...SessionContext) error

NVUndefineSpaceSpecial executes the TPM2_NV_UndefineSpaceSpecial command to remove the NV index associated with nvIndex, and free the resources used by it. If the NV index does not have the AttrNVPolicyDelete attribute set, then a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 1.

The platform parameter must correspond to HandlePlatform. The command requires authorization with the user auth role for the platform hierarchy, with session based authorization provided via platformAuthSession. The command requires authorization with the admin role for nvIndex, with the session provided via nvIndexAuthSession.

On successful completion, nvIndex will be invalidated.

func (*TPMContext) NVWrite 

func (t *TPMContext) NVWrite(authContext, nvIndex ResourceContext, data MaxNVBuffer, offset uint16, authContextAuthSession SessionContext, sessions ...SessionContext) error

NVWrite executes the TPM2_NV_Write command to write data to the NV index associated with nvIndex, at the specified offset.

The command requires authorization, defined by the state of the AttrNVPPWrite, AttrNVOwnerWrite, AttrNVAuthWrite and AttrNVPolicyWrite attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPWrite attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerWrite attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthWrite or AttrNVPolicyWrite attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthWrite attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyWrite attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If data is too large to be written in a single command, this function will re-execute the TPM2_NV_Write command until all data is written. As a consequence, any SessionContext instances provided should have the AttrContinueSession attribute defined. An error will be returned if the write will require more than one command execution and there are sessions without the AttrContinueSession attribute defined. If authContextAuth is a SessionContext instance that references a bound session and this is the first write to this index, the first write will break the session binding. In this case, the AuthValue field should be set to the authorization value of the resource associated with authContext to avoid a partial write when the write is split across multiple commands. A policy session can not be used for authContextAuth if the write is to be split across multiple commands - in this case, TPMContext.NVWriteRaw must be used instead.

If the index has the AttrNVWriteLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the type of the index is NVTypeCounter, NVTypeBits or NVTypeExtend, a *TPMError error with an error code fo ErrorAttributes will be returned.

If the value of offset is outside of the bounds of the index, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 2.

If the length of the data and the specified offset would result in a write outside of the bounds of the index, or if the index has the AttrNVWriteAll attribute set and the size of the data doesn't match the size of the index, a *TPMError error with an error code of ErrorNVRange will be returned.

On successful completion, the AttrNVWritten flag will be set if this is the first time that the index has been written to.

func (*TPMContext) NVWriteLock 

func (t *TPMContext) NVWriteLock(authContext, nvIndex ResourceContext, authContextAuthSession SessionContext, sessions ...SessionContext) error

NVWriteLock executes the TPM2_NV_WriteLock command to inhibit further writes to the NV index associated with nvIndex.

The command requires authorization, defined by the state of the AttrNVPPWrite, AttrNVOwnerWrite, AttrNVAuthWrite and AttrNVPolicyWrite attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPWrite attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerWrite attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthWrite or AttrNVPolicyWrite attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this command, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthWrite attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyWrite attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index has neither the AttrNVWriteDefine or AttrNVWriteStClear attributes set, then a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 2.

On successful completion, the AttrNVWriteLocked attribute will be set. It will be cleared again (and writes will be reenabled) on the next TPM reset or TPM restart unless the index has the AttrNVWriteDefine attribute set and AttrNVWritten attribute is set.

func (*TPMContext) NVWriteRaw 

func (t *TPMContext) NVWriteRaw(authContext, nvIndex ResourceContext, data MaxNVBuffer, offset uint16, authContextAuthSession SessionContext, sessions ...SessionContext) (uint16, error)

NVWriteRaw executes the TPM2_NV_Write command to write data to the NV index associated with nvIndex, at the specified offset. If the length of the data is greater than the maximum supported by the TPM in a single command, a partial write will be performed and the number of bytes written will be returned.

The command requires authorization, defined by the state of the AttrNVPPWrite, AttrNVOwnerWrite, AttrNVAuthWrite and AttrNVPolicyWrite attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPWrite attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerWrite attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthWrite or AttrNVPolicyWrite attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthWrite attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyWrite attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index has the AttrNVWriteLocked attribute set, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the type of the index is NVTypeCounter, NVTypeBits or NVTypeExtend, a *TPMError error with an error code fo ErrorAttributes will be returned.

If the value of offset is outside of the bounds of the index, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 2.

If the length of the data and the specified offset would result in a write outside of the bounds of the index, or if the index has the AttrNVWriteAll attribute set and the size of the data doesn't match the size of the index, a *TPMError error with an error code of ErrorNVRange will be returned.

On successful completion, the AttrNVWritten flag will be set if this is the first time that the index has been written to.

func (*TPMContext) NullHandleContext 

func (t *TPMContext) NullHandleContext() ResourceContext

NulHandleContext returns the ResourceContext corresponding to the null hiearchy.

func (*TPMContext) ObjectChangeAuth 

func (t *TPMContext) ObjectChangeAuth(objectContext, parentContext ResourceContext, newAuth Auth, objectContextAuthSession SessionContext, sessions ...SessionContext) (Private, error)

ObjectChangeAuth executes the TPM2_ObjectChangeAuth to change the authorization value of the object associated with objectContext. This command requires authorization with the admin role for objectContext, with sessio based authorization provided via objectContextAuthSession.

The new authorization value is provided via newAuth. The parentContext parameter must correspond to the parent object for objectContext. No authorization is required for parentContext.

If the object associated with objectContext is a sequence object, a *TPMHandleError error with an error code of ErrorType will be returned for handle index 1.

If the length of newAuth is longer than the name algorithm for objectContext, a *TPMParameterError error with an error code of ErrorSize will be returned.

If the object associated with parentContext is not the parent object of objectContext, a *TPMHandleError error with an error code of ErrorType will be returned for handle index 2.

On success, this returns a new private area for the object associated with objectContext. This function does not make any changes to the version of the object that is currently loaded in to the TPM.

func (*TPMContext) OwnerHandleContext 

func (t *TPMContext) OwnerHandleContext() ResourceContext

OwnerHandleContext returns the ResouceContext corresponding to the owner hiearchy.

func (*TPMContext) PCREvent 

func (t *TPMContext) PCREvent(pcrContext ResourceContext, eventData Event, pcrContextAuthSession SessionContext, sessions ...SessionContext) (TaggedHashList, error)

PCREvent executes the TPM2_PCR_Event command to extend the PCR associated with the pcrContext parameter with a digest of the provided eventData, hashed with the algorithm for each supported PCR bank.

If pcrContext is nil, this function will do nothing. The command requires authorization with the user auth role for pcrContext, with session based authorization provided via pcrContextAuthSession.

If the PCR associated with pcrContext can not be extended from the current locality, a *TPMError error with an error code of ErrorLocality will be returned.

On success, this function will return a list of tagged digests that the PCR associated with pcrContext was extended with.

func (*TPMContext) PCRExtend 

func (t *TPMContext) PCRExtend(pcrContext ResourceContext, digests TaggedHashList, pcrContextAuthSession SessionContext, sessions ...SessionContext) error

PCRExtend executes the TPM2_PCR_Extend command to extend the PCR associated with the pcrContext parameter with the tagged digests provided via the digests argument. If will iterate over the digests and extend the PCR with each one for the PCR bank associated with the algorithm for each digest.

If pcrContext is nil, this function will do nothing. The command requires authorization with the user auth role for pcrContext, with session based authorization provided via pcrContextAuthSession.

If the PCR associated with pcrContext can not be extended from the current locality, a *TPMError error with an error code of ErrorLocality will be returned.

func (*TPMContext) PCRHandleContext 

func (t *TPMContext) PCRHandleContext(pcr int) ResourceContext

PCRHandleContext returns the ResourceContext corresponding to the PCR at the specified index. It will panic if pcr is not a valid PCR index.

func (*TPMContext) PCRRead 

func (t *TPMContext) PCRRead(pcrSelectionIn PCRSelectionList, sessions ...SessionContext) (uint32, PCRValues, error)

PCRRead executes the TPM2_PCR_Read command to return the values of the PCRs defined in the pcrSelectionIn parameter. The underlying command may not be able to read all of the specified PCRs in a single transaction, so this function will re-execute the TPM2_PCR_Read command until all requested values have been read. As a consequence, any SessionContext instances provided should have the AttrContinueSession attribute defined.

On success, the current value of pcrUpdateCounter is returned, as well as the requested PCR values.

func (*TPMContext) PCRReset 

func (t *TPMContext) PCRReset(pcrContext ResourceContext, pcrContextAuthSession SessionContext, sessions ...SessionContext) error

PCRReset executes the TPM2_PCR_Reset command to reset the PCR associated with pcrContext in all banks. This command requires authorization with the user auth role for pcrContext, with session based authorization provided via pcrContextAuthSession.

If the PCR associated with pcrContext can not be reset from the current locality, a *TPMError error with an error code of ErrorLocality will be returned.

func (*TPMContext) PlatformHandleContext 

func (t *TPMContext) PlatformHandleContext() ResourceContext

PlatformHandleContext returns the ResourceContext corresponding to the platform hiearchy.

func (*TPMContext) PlatformNVHandleContext 

func (t *TPMContext) PlatformNVHandleContext() ResourceContext

PlatformNVHandleContext returns the ResourceContext corresponding to the platform hiearchy.

func (*TPMContext) PolicyAuthValue 

func (t *TPMContext) PolicyAuthValue(policySession SessionContext, sessions ...SessionContext) error

PolicyAuthValue executes the TPM2_PolicyAuthValue command to bind the policy to the authorization value of the entity on which the authorization is used. This is a deferred assertion. On successful completion, the policy digest of the session context associated with policySession will be extended to record that this assertion has been executed, and a flag will be set on the session context to indicate that the authorization value of the entity on which the authorization is used must be included in the key for computing the command HMAC when the session is used.

When using policySession in a subsequent authorization, the authorization value of the entity being authorized must be provided by calling ResourceContext.SetAuthValue.

func (*TPMContext) PolicyAuthorize 

func (t *TPMContext) PolicyAuthorize(policySession SessionContext, approvedPolicy Digest, policyRef Nonce, keySign Name, checkTicket *TkVerified, sessions ...SessionContext) error

PolicyAuthorize executes the TPM2_PolicyAuthorize command, which allows policies to change. This is an immediate assertion. The command allows an authorizing entity to sign a new policy that can be used in an existing policy. The authorizing party signs a digest that is computed as follows: 

digest := H(approvedPolicy||policyRef)

... where H is the name algorithm of the key used to sign the digest.

The signature is then verified by TPMContext.VerifySignature, which provides a ticket that is used by this function.

If the name algorithm of the signing key is not supported, a *TPMParameterError error with an error code of ErrorHash will be returned for parameter index 3.

If the length of keySign does not match the length of the name algorithm, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 3.

If policySession is not associated with a trial session, the current digest of the session associated with policySession will be compared with approvedPolicy. If they don't match, then a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 1.

If policySession is not associated with a trial session and checkTicket is invalid, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 4.

On successful completion, the policy digest of the session context associated with policySession is cleared, and then extended to include the value of keySign and policyRef.

func (*TPMContext) PolicyCommandCode 

func (t *TPMContext) PolicyCommandCode(policySession SessionContext, code CommandCode, sessions ...SessionContext) error

PolicyCommandCode executes the TPM2_PolicyCommandCode command to indicate that an authorization policy should be limited to a specific command. Ths is a deferred assertion.

If the command code is not implemented, a *TPMParameterError error with an error code of ErrorPolicyCC will be returned. If the session associated with policySession has already been limited to a different command code, a *TPMParameterError error with an error code of ErrorValue will be returned.

On successful completion, the policy digest of the session context associated with policySession will be extended to include the value of the specified command code, and the command code will be recorded on the session context to limit usage of the session.

func (*TPMContext) PolicyCounterTimer 

func (t *TPMContext) PolicyCounterTimer(policySession SessionContext, operandB Operand, offset uint16, operation ArithmeticOp, sessions ...SessionContext) error

PolicyCounterTimer executes the TPM2_PolicyCounterTimer command to gate a policy based on the contents of the TimeInfo structure, and is an immediate assertion. The caller specifies a value to be used for the comparison via the operandB argument, an offset from the start of the TimeInfo structure from which to start the comparison via the offset argument, and a comparison operator via the operation argument.

If the comparison fails and policySession does not correspond to a trial session, a *TPMError error will be returned with an error code of ErrorPolicy.

On successful completion, the policy digest of the session context associated with policySession is extended to include the values of operandB, offset and operation.

func (*TPMContext) PolicyCpHash 

func (t *TPMContext) PolicyCpHash(policySession SessionContext, cpHashA Digest, sessions ...SessionContext) error

PolicyCpHash executes the TPM2_PolicyCpHash command to bind a policy to a specific command and set of command parameters. This is a deferred assertion.

TPMContext.PolicySigned, TPMContext.PolicySecret and TPMContext.PolicyTicket allow an authorizing entity to execute an arbitrary command as the cpHashA parameter is not included in the session's policy digest. TPMContext.PolicyCommandCode allows the policy to be limited to a specific command. This command allows the policy to be limited further to a specific command set of command parameters.

Command parameter digests can be computed using ComputeCpHash, using the digest algorithm for the session.

If the size of cpHashA is inconsistent with the digest algorithm for the session, a *TPMParameterError error with an error code of ErrorSize will be returned.

If the session associated with policySession already has a command parameter digest, name digest or template digest defined, a *TPMError error with an error code of ErrorCpHash will be returned if cpHashA does not match the digest already recorded on the session context.

On successful completion, the policy digest of the session context associated with policySession will be extended to include the value of cpHashA, and the value of cpHashA will be recorded on the session context to limit usage of the session to the specific command and set of command parameters.

func (*TPMContext) PolicyDuplicationSelect 

func (t *TPMContext) PolicyDuplicationSelect(policySession SessionContext, objectName, newParentName Name, includeObject bool, sessions ...SessionContext) error

PolicyDuplicationSelect executes the TPM2_PolicyDuplicationSelect command to allow the policy to be restricted to duplication and to allow duplication to a specific new parent. The objectName argument corresponds to the name of the object to be duplicated. The newParentName argument corresponds to the name of the new parent object. This is a deferred assertion.

If the session associated with policySession already has a command parameter digest, name digest or template digest defined, a *TPMError error with an error code of ErrorCpHash will be returned.

If the session associated with policySession has already been limited to a specific command code, a *TPMError error with an error code of ErrorCommandCode will be returned.

On successful completion, the policy digest of the session context associated with policySession will be extended to include the value of newParentName and includeObject. If includeObject is true, the policy digest of the session will be extended to also include the value of objectName. A digest of objectName and newParentName will be recorded as the name hash on the session context to limit usage of the session to those entities, and the CommandDuplicate command code will be recorded to limit usage of the session to TPMContext.Duplicate.

func (*TPMContext) PolicyGetDigest 

func (t *TPMContext) PolicyGetDigest(policySession SessionContext, sessions ...SessionContext) (Digest, error)

PolicyGetDigest executes the TPM2_PolicyGetDigest command to return the current policy digest of the session context associated with policySession.

func (*TPMContext) PolicyNV 

func (t *TPMContext) PolicyNV(authContext, nvIndex ResourceContext, policySession SessionContext, operandB Operand, offset uint16, operation ArithmeticOp, authContextAuthSession SessionContext, sessions ...SessionContext) error

PolicyNV executes the TPM2_PolicyNV command to gate a policy based on the contents of the NV index associated with nvIndex, and is an immediate assertion. The caller specifies a value to be used for the comparison via the operandB argument, an offset from the start of the NV index data from which to start the comparison via the offset argument, and a comparison operator via the operation argument.

The command requires authorization to read the NV index, defined by the state of the AttrNVPPRead, AttrNVOwnerRead, AttrNVAuthRead and AttrNVPolicyRead attributes. The handle used for authorization is specified via authContext. If the NV index has the AttrNVPPRead attribute, authorization can be satisfied with HandlePlatform. If the NV index has the AttrNVOwnerRead attribute, authorization can be satisfied with HandleOwner. If the NV index has the AttrNVAuthRead or AttrNVPolicyRead attribute, authorization can be satisfied with nvIndex. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If the resource associated with authContext is not permitted to authorize this access and policySession does not correspond to a trial session, a *TPMError error with an error code of ErrorNVAuthorization will be returned.

If nvIndex is being used for authorization and the AttrNVAuthRead attribute is defined, the authorization can be satisfied by demonstrating knowledge of the authorization value, either via cleartext or HMAC authorization. If nvIndex is being used for authorization and the AttrNVPolicyRead attribute is defined, the authorization can be satisfied using a policy session with a digest that matches the authorization policy for the index.

If the index associated with nvIndex has the AttrNVReadLocked attribute set and policySession does not correspond to a trial session, a *TPMError error with an error code of ErrorNVLocked will be returned.

If the index associated with nvIndex has not been initialized (ie, the AttrNVWritten attribute is not set) and policySession does not correspond to a trial session, a *TPMError with an error code of ErrorNVUninitialized will be returned.

If the session associated with policySession is not a trial session and offset is outside of the bounds of the NV index, a *TPMParameterError error with an error code of ErrorValue is returned for paramter index 2.

If the session associated with policySession is not a trial session and the size of operandB in combination with the value of offset would result in a read outside of the bounds of the NV index, a *TPMParameterError error with an error code of ErrorSize is returned for paramter index 1.

If the comparison fails and policySession does not correspond to a trial session, a *TPMError error will be returned with an error code of ErrorPolicy.

On successful completion, the policy digest of the session context associated with policySession is extended to include the values of operandB, offset, operation and the name of nvIndex.

func (*TPMContext) PolicyNameHash 

func (t *TPMContext) PolicyNameHash(policySession SessionContext, nameHash Digest, sessions ...SessionContext) error

PolicyNameHash executes the TPM2_PolicyNameHash command to bind a policy to a specific set of TPM entities, without being bound to the parameters of the command. This is a deferred assertion.

If the size of nameHash is inconsistent with the digest algorithm for the session, a *TPMParameterError error with an error code of ErrorSize will be returned.

If the session associated with policySession already has a name digest, command parameter digest or template digest defined, a *TPMError error with an error code of ErrorCpHash will be returned.

On successful completion, the policy digest of the session context associated with policySession will be extended to include the value of nameHash, and the value of nameHash will be recorded on the session context to limit usage of the session to the specific set of TPM entities.

func (*TPMContext) PolicyNvWritten 

func (t *TPMContext) PolicyNvWritten(policySession SessionContext, writtenSet bool, sessions ...SessionContext) error

PolicyNvWritten executes the TPM2_PolicyNvWritten command to bind a policy to the value of the AttrNVWritten attribute of the NV index being authorized, and is a deferred assertion.

If this command has been executed previously in this session, and the value of writtenSet doesn't match the value provided previously, a *TPMParameterError error with an error code of ErrorValue will be returned.

On successful completion, the policy digest of the session associated with policySession will be extended to include the value of writtenSet. A flag will be set on the session context so that the value of the AttrNVWritten attribute of the NV index being authorized will be compared to writtenSet when the session is used.

func (*TPMContext) PolicyOR 

func (t *TPMContext) PolicyOR(policySession SessionContext, pHashList DigestList, sessions ...SessionContext) error

PolicyOR executes the TPM2_PolicyOR command to allow a policy to be satisfied by different sets of conditions, and is an immediate assertion. If policySession does not correspond to a trial session, it determines if the current policy digest of the session context associated with policySession is contained in the list of digests specified via pHashList. If it is not, then a *TPMParameterError error with an error code of ErrorValue is returned without making any changes to the session context.

On successful completion, the policy digest of the session context associated with policySession is cleared, and then extended to include the concatenation of all of the digests contained in pHashList.

func (*TPMContext) PolicyPCR 

func (t *TPMContext) PolicyPCR(policySession SessionContext, pcrDigest Digest, pcrs PCRSelectionList, sessions ...SessionContext) error

PolicyPCR executes the TPM2_PolicyPCR command to gate a policy based on the values of the PCRs selected via the pcrs parameter. If no digest has been specified via the pcrDigest parameter, then it is a deferred assertion and the policy digest of the session context associated with policySession will be extended to include the value of the PCR selection and a digest computed from the selected PCR contents.

If pcrDigest is provided, then it is a combined assertion. If policySession does not correspond to a trial session, the digest computed from the selected PCRs will be compared to the value of pcrDigest and a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 1 if they don't match, without making any changes to the session context. If policySession corresponds to a trial session, the digest computed from the selected PCRs is not compared to the value of pcrDigest; instead, the policy digest of the session is extended to include the value of the PCR selection and the value of pcrDigest.

If the PCR contents have changed since the last time this command was executed for this session, a *TPMError error will be returned with an error code of ErrorPCRChanged.

func (*TPMContext) PolicyPassword 

func (t *TPMContext) PolicyPassword(policySession SessionContext, sessions ...SessionContext) error

PolicyPassword executes the TPM2_PolicyPassword command to bind the policy to the authorization value of the entity on which the authorization is used. This is a deferred assertion. On successful completion, the policy digest of the session context associated with policySession will be extended to record that this assertion has been executed, and a flag will be set on the session context to indicate that the authorization value of the entity on which the authorization is used must be included in cleartext in the command authorization when the session is used.

When using policySession in a subsequent authorization, the authorization value of the entity being authorized must be provided by calling ResourceContext.SetAuthValue.

func (*TPMContext) PolicyRestart 

func (t *TPMContext) PolicyRestart(sessionContext SessionContext, sessions ...SessionContext) error

PolicyRestart executes the TPM2_PolicyRestart command on the policy session associated with sessionContext, to reset the policy authorization session to its initial state.

func (*TPMContext) PolicySecret 

func (t *TPMContext) PolicySecret(authContext ResourceContext, policySession SessionContext, cpHashA Digest, policyRef Nonce, expiration int32, authContextAuthSession SessionContext, sessions ...SessionContext) (Timeout, *TkAuth, error)

PolicySecret executes the TPM2_PolicySecret command to include a secret-based authorization to the policy session associated with policySession, and is a combined assertion. The command requires authorization with the user auth role for authContext, with session based authorization provided via authContextAuthSession. If authContextAuthSession corresponds a policy session, and that session does not include a TPM2_PolicyPassword or TPM2_PolicyAuthValue assertion, a *TPMSessionError error with an error code of ErrorMode will be returned for session index 1.

The cpHashA parameter allows the session to be bound to a specific command and set of command parameters by providing a command parameter digest. Command parameter digests can be computed using ComputeCpHash, using the digest algorithm for the session. If provided, the cpHashA value must be included in the digest that is signed by the authorizing entity.

If policySession does not correspond to a trial session, a *TPMError error with an error code of ErrorCpHash will be returned if the session context already has a command parameter digest, name digest or template digest recorded on it and cpHashA does not match it.

If policySession does not correspond to a trial session and the length of cpHashA does not match the digest algorithm for the session, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 2.

If the expiration parameter is not 0, it sets a timeout based on the absolute value of expiration in seconds since the start of the session by which the authorization will expire. If the session associated with policySession is not a trial session and expiration corresponds to a time in the past, or the TPM's time epoch has changed since the session was started, a *TPMParameterError error with an error code of ErrorExpired will be returned for parameter index 4.

On successful completion, knowledge of the authorization value associated with authContext is proven. The policy digest of the session associated with olicySession will be extended to include the name of authContext and the value of policyRef. If provided, the value of cpHashA will be recorded on the session context to restrict the session's usage. If expiration is non-zero, the expiration time of the session context will be updated unless it already has an expiration time that is earlier. If expiration is less than zero, a timeout value and corresponding *TkAuth ticket will be returned if policySession does not correspond to a trial session.

func (*TPMContext) PolicySigned 

func (t *TPMContext) PolicySigned(authContext ResourceContext, policySession SessionContext, includeNonceTPM bool, cpHashA Digest, policyRef Nonce, expiration int32, auth *Signature, sessions ...SessionContext) (Timeout, *TkAuth, error)

PolicySigned executes the TPM2_PolicySigned command to include a signed authorization in a policy. This is a combined assertion that binds a policy to the signing key associated with authContext.

An authorizing entity signs a digest of authorization qualifiers with the key associated with authContext. The digest is computed as: 

digest := H(nonceTPM||expiration||cpHashA||policyRef)

... where H is the digest algorithm associated with the auth parameter. Where there are no restrictions, the digest is computed from 4 zero bytes, which corresponds to an expiration time of zero. The authorization qualifiers must match the arguments passed to this command. The signature is provided via the auth parameter.

If includeNonceTPM is set to true, this function includes the most recently received TPM nonce value for the session associated with policySession in the command. In this case, the nonce value must be included in the digest that is signed by the authorizing entity.

The cpHashA parameter allows the session to be bound to a specific command and set of command parameters by providing a command parameter digest. Command parameter digests can be computed using ComputeCpHash, using the digest algorithm for the session. If provided, the cpHashA value must be included in the digest that is signed by the authorizing entity.

If policySession does not correspond to a trial session, a *TPMError error with an error code of ErrorCpHash will be returned if the session context already has a command parameter digest, name digest or template digest recorded on it and cpHashA does not match it.

If policySession does not correspond to a trial session and the length of cpHashA does not match the digest algorithm for the session, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 2.

If the expiration parameter is not 0, it sets a timeout based on the absolute value of expiration in seconds since the start of the session by which the authorization will expire. If the session associated with policySession is not a trial session and expiration corresponds to a time in the past, or the TPM's time epoch has changed since the session was started, a *TPMParameterError error with an error code of ErrorExpired will be returned for parameter index 4.

If the session associated with policySession is not a trial session and the signing scheme or digest algorithm associated with the auth parameter is not supported by the TPM, a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 5.

If the session associated with policySession is not a trial session, the signature will be validated against a digest computed from the provided arguments, using the key associated with authContext. If the signature is invalid, a *TPMParameterError error with an error code of ErrorSignature will be returned for parameter index 5.

On successful completion, the policy digest of the session associated with policySession will be extended to include the name of authContext and the value of policyRef. If provided, the value of cpHashA will be recorded on the session context to restrict the session's usage. If expiration is non-zero, the expiration time of the session context will be updated unless it already has an expiration time that is earlier. If expiration is less than zero, a timeout value and corresponding *TkAuth ticket will be returned if policySession does not correspond to a trial session.

func (*TPMContext) PolicyTicket 

func (t *TPMContext) PolicyTicket(policySession SessionContext, timeout Timeout, cpHashA Digest, policyRef Nonce, authName Name, ticket *TkAuth, sessions ...SessionContext) error

PolicyTicket executes the TPM2_PolicyTicket command, and behaves similarly to TPMContext.PolicySigned with the exception that it takes an authorization ticket rather than a signed authorization. The ticket parameter represents a valid authorization with an expiration time, and will have been returned from a previous call to TPMContext.PolicySigned or TPMContext.PolicySecret when called with an expiration time of less than zero.

If policySession corresponds to a trial session, a *TPMHandleError error with an error code of ErrorAttributes will be returned.

If the size of timeout is not the expected size, a *TPMParameterError with an error code of ErrorSize will be returned for parameter index 1.

A *TPMError error with an error code of ErrorCpHash will be returned if the session context already has a command parameter digest, name digest or template digest recorded on it and cpHashA does not match it.

The cpHashA and policyRef arguments must match the values passed to the command that originally produced the ticket. If the command that produced the ticket was TPMContext.PolicySecret, authName must correspond to the name of the entity of which knowledge of the authorization value was proven. If the command that produced the ticket was TPMContext.PolicySigned, authName must correspond to the name of the key that produced the signed authorization.

If the ticket is invalid, a *TPMParameterError error with an error code of ErrorTicket will be returned for parameter index 5. If the ticket corresponds to an authorization that has expired, a *TPMParameterError error with an error code of ErrorExpired will be returned for parameter index 1.

On successful verification of the ticket, the policy digest of the session context associated with policySession will be extended with the same values that the command that produced the ticket would extend it with. If provided, the value of cpHashA will be recorded on the session context to restrict the session's usage. The expiration time of the session context will be updated with the value of timeout, unless it already has an expiration time that is earlier.

func (*TPMContext) Quote 

func (t *TPMContext) Quote(signContext ResourceContext, qualifyingData Data, inScheme *SigScheme, pcrs PCRSelectionList, signContextAuthSession SessionContext, sessions ...SessionContext) (AttestRaw, *Signature, error)

Quote executes the TPM2_Quote command in order to quote a set of PCR values. The TPM will hash the set of PCRs specified by the pcrs parameter.

If signContext is not nil, the returned attestation will be signed by the key associated with it. This command requires authorization with the user auth role for signContext, with session based authorization provided via signContextAuthSession.

If signContext is not nil and the object associated with signContext is not a signing key, a *TPMHandleError error with an error code of ErrorKey will be returned for handle index 1.

If signContext is not nil and if the scheme of the key associated with signContext is AlgorithmNull, then inScheme must be provided to specify a valid signing scheme for the key. If it isn't, a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

If signContext is not nil and the scheme of the key associated with signContext is not AlgorithmNull, then inScheme may be nil. If it is provided, then the specified scheme must match that of the signing key, else a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

On successful, it returns an attestation structure containing the hash of the PCRs selected by the pcrs parameter. If signContext is not nil, the attestation structure will be signed by the associated key and returned too.

func (*TPMContext) ReadClock 

func (t *TPMContext) ReadClock(sessions ...SessionContext) (*TimeInfo, error)

ReadClock executes the TPM2_ReadClock command. On succesful completion, it will return a TimeInfo struct that contains the current value of time, clock, reset and restart counts.

func (*TPMContext) ReadPublic 

func (t *TPMContext) ReadPublic(objectContext ResourceContext, sessions ...SessionContext) (*Public, Name, Name, error)

ReadPublic executes the TPM2_ReadPublic command to read the public area of the object associated with objectContext.

If objectContext corresponds to a sequence object, a *TPMError with an error code of ErrorSequence will be returned.

On success, the public part of the object is returned, along with the object's name and qualified name.

func (*TPMContext) RunCommand 

func (t *TPMContext) RunCommand(commandCode CommandCode, sessions []SessionContext, params ...interface{}) error

RunCommand is the high-level generic interface for executing the command specified by commandCode. All of the methods on TPMContext exported by this package that execute commands on the TPM are essentially wrappers around this function. It takes care of marshalling command handles and command parameters, as well as constructing and marshalling the authorization area and choosing the correct StructTag value. It takes care of unmarshalling response handles and response parameters, as well as unmarshalling the response authorization area and performing checks on the authorization response.

The variable length params argument provides a mechanism for the caller to provide command handles, command parameters, response handle pointers and response parameter pointers (in that order), with each group of arguments being separated by the Separator sentinel value.

Command handles are provided as HandleContext types if they do not require an authorization. For command handles that require an authorization, they are provided using the ResourceContextWithSession type. This links the ResourceContext to an optional authorization session. If the authorization value of the TPM entity is required as part of the authorization, this will be obtained from the supplied ResourceContext. A nil HandleContext will automatically be converted to a handle with the value of HandleNull.

Command parameters are provided as the go equivalent types for the types defined in the TPM Library Specification.

Response handles are provided as pointers to Handle values.

Response parameters are provided as pointers to values of the go equivalent types for the types defined in the TPM Library Specification.

If the TPM responds with a warning that indicates the command could not be started and should be retried, this function will resubmit the command a finite number of times before returning an error. The maximum number of retries can be set via TPMContext.SetMaxSubmissions.

The caller can provide additional sessions that aren't associated with a TPM entity (and therefore not used for authorization) via the sessions parameter, for the purposes of command auditing or session based parameter encryption.

In addition to returning an error if any marshalling or unmarshalling fails, or if the transmission backend returns an error, this function will also return an error if the TPM responds with any ResponseCode other than Success.

func (*TPMContext) RunCommandBytes 

func (t *TPMContext) RunCommandBytes(tag StructTag, commandCode CommandCode, commandBytes []byte) (ResponseCode, StructTag, []byte, error)

RunCommandBytes is a low-level interface for executing the command defined by the specified commandCode. It will construct an appropriate header, but the caller is responsible for providing the rest of the serialized command structure in commandBytes. Valid values for tag are TagNoSessions if the authorization area is empty, else it must be TagSessions.

If successful, this function will return the ResponseCode and StructTag from the response header along with the rest of the response structure (everything except for the header). It will not return an error if the TPM responds with an error as long as the returned response structure is correctly formed, but will return an error if marshalling of the command header or unmarshalling of the response header fails, or the transmission interface returns an error.

func (*TPMContext) SelfTest 

func (t *TPMContext) SelfTest(fullTest bool, sessions ...SessionContext) error

func (*TPMContext) SetCommandCodeAuditStatus 

func (t *TPMContext) SetCommandCodeAuditStatus(auth ResourceContext, auditAlg HashAlgorithmId, setList, clearList CommandCodeList, authAuthSession SessionContext, sessions ...SessionContext) error

SetCommandCodeAuditStatus executes the TPM2_SetCommandCodeAuditStatus command to allow the privacy administrator or platform to change the audit status of a command, or change the digest algorithm used for command auditing (but not both at the same time).

The auth parameter should be a ResourceContext corresponding to either HandlePlatform or HandleOwner. This command requires authorization of auth with the user auth role, with session based authorization provided via authAuthSession.

The auditAlg argument specifies the digest algorithm for command auditing. The setList argument is used to specify which commands should be added to the list of commands to be audited. The clearList argument is used to specify which commands should be removed from the list of commands to be audited.

If auditAlg is not HashAlgorithmNull or the current audit digest algorith, and the length of setList or clearList is greater than zero, a *TPMParameterError error with an error code of ErrorValue will be returned for parameter index 1.

func (*TPMContext) SetMaxSubmissions 

func (t *TPMContext) SetMaxSubmissions(max uint)

SetMaxSubmissions sets the maximum number of times that RunCommand will attempt to submit a command before failing with an error. The default value is 5.

func (*TPMContext) Shutdown 

func (t *TPMContext) Shutdown(shutdownType StartupType, sessions ...SessionContext) error

Shutdown executes the TPM2_Shutdown command with the specified StartupType, and is used to prepare the TPM for a power cycle. Calling this with shutdownType == StartupClear prepares the TPM for a TPM reset. Calling it with shutdownType == StartupState prepares the TPM for either a TPM restart or TPM resume, depending on how TPMContext.Startup is called. Some commands executed after TPMContext.Shutdown but before a power cycle will nullify the effect of this function.

If a PCR bank has been reconfigured and shutdownType == StartupState, a *TPMParameterError error with an error code of ErrorType will be returned.

func (*TPMContext) Sign 

func (t *TPMContext) Sign(keyContext ResourceContext, digest Digest, inScheme *SigScheme, validation *TkHashcheck, keyContextAuthSession SessionContext, sessions ...SessionContext) (*Signature, error)

Sign executes the TPM2_Sign command to sign the provided digest with the key associated with keyContext. The function requires authorization with the user auth role for keyContext, with session based authorization provided via keyContextAuthSession.

If the object associated with keyContext is not a signing key, a *TPMHandleError error with an error code of ErrorKey will be returned.

If the scheme of the key associated with keyContext is AlgorithmNull, then inScheme must be provided to specify a valid signing scheme for the key. If it isn't, a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

If the scheme of the key associated with keyContext is not AlgorithmNull, then inScheme may be nil. If it is provided, then the specified scheme must match that of the signing key, else a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

If the chosen scheme is unsupported, a *TPMError error with an error code of ErrorScheme will be returned.

If the length of digest does not match the size of the digest associated with the selected signing scheme, a *TPMParameterError error with an error code of ErrorSize will be returned for parameter index 1.

If the key associated with keyContext has the AttrRestricted attribute, then the validation parameter must be provided as proof that the supplied digest was created by the TPM. If the key associated with keyContext does not have the AttrRestricted attribute, then validation may be nil. If validation is not nil and doesn't correspond to a valid ticket, or it is nil and the key associated with keyContext has the AttrRestricted attribute set, a *TPMParameterError error with an error code of ErrorTicket will be returned for parameter index 3.

func (*TPMContext) StartAuthSession 

func (t *TPMContext) StartAuthSession(tpmKey, bind ResourceContext, sessionType SessionType, symmetric *SymDef, authHash HashAlgorithmId, sessions ...SessionContext) (SessionContext, error)

StartAuthSession executes the TPM2_StartAuthSession command to start an authorization session. On successful completion, it will return a HandleContext that corresponds to the new session. The session can be used in subsequent commands by passing it as the Context field of a Session struct instance to a command that accepts a session.

The type of session is defined by the sessionType parameter. If sessionType is SessionTypeHMAC or SessionTypePolicy, then the created session may be used for authorization. If sessionType is SessionTypeTrial, then the created session can only be used for computing an authorization policy digest.

The authHash parameter must be a digest algorithm, and defines the algorithm used for computing command and response parameter digests, command and response HMACs, and derivation of the session key and symmetric keys for parameter encryption where used. The size of the digest algorithm is used to determine the nonce size used for the session.

If tpmKey is provided, it must correspond to an asymmetric decrypt key in the TPM. In this case, a random salt value will contribute to the session key derivation, and the salt will be encrypted using the method specified by tpmKey before being sent to the TPM. If tpmKey is provided but does not correspond to an asymmetric key, a *TPMHandleError error with an error code of ErrorKey will be returned for handle index 1. If tpmKey is provided but corresponds to an object with only its public part loaded, a *TPMHandleError error with an error code of ErrorHandle will be returned for handle index 1. If tpmKey is provided but does not correspond to a decrypt key, a *TPMHandleError error with an error code of ErrorAttributes will be returned for handle index 1.

If tpmkey is provided but decryption of the salt fails on the TPM, a *TPMParameterError error with an error code of ErrorValue or ErrorKey may be returned for parameter index 2.

If bind is specified, then the auhorization value for the corresponding resource must be known, by calling ResourceContext.SetAuthValue on bind before calling this function - the authorization value will contribute to the session key derivation. The created session will be bound to the resource associated with bind, unless the authorization value of that resource is subsequently changed. If bind corresponds to a transient object and only the public part of the object is loaded, or if bind corresponds to a NV index with a type of NVTypePinPass or NVTypePinFail, a *TPMHandleError error with an error code of ErrorHandle will be returned for handle index 2.

If a session key is computed, this will be used (along with the authorization value of resources that the session is being used for authorization of if the session is not bound to them) to derive a HMAC key for generating command and response HMACs. If both tpmKey and bind are nil, no session key is created.

If symmetric is provided, it defines the symmetric algorithm to use if the session is subsequently used for session based command or response parameter encryption. Session based parameter encryption allows the first command and/or response parameter for a command to be encrypted between the TPM and host CPU for supported parameter types (go types that correspond to TPM2B prefixed types). If symmetric is provided and corresponds to a symmetric block cipher (ie, the Algorithm field is not AlgorithmXOR) then the value of symmetric.Mode.Sym() must be AlgorithmCFB, else a *TPMParameterError error with an error code of ErrorMode is returned for parameter index 4.

If a SessionContext instance with the AttrCommandEncrypt attribute set is provided in the variable length sessions parameter, then the initial caller nonce will be encrypted as this is the first command parameter, despite not being exposed via this API. If a SessionContext instance with the AttrResponseEncrypt attribute set is provided, then the initial TPM nonce will be encrypted in the response.

If sessionType is SessionTypeHMAC and the session is subsequently used for authorization of a resource to which the session is not bound, the authorization value of that resource must be known as it is used to derive the key for computing command and response HMACs.

If no more sessions can be created without first context loading the oldest saved session, then a *TPMWarning error with a warning code of WarningContextGap will be returned. If there are no more slots available for loaded sessions, a *TPMWarning error with a warning code of WarningSessionMemory will be returned. If there are no more session handles available, a *TPMwarning error with a warning code of WarningSessionHandles will be returned.

func (*TPMContext) Startup 

func (t *TPMContext) Startup(startupType StartupType) error

Startup executes the TPM2_Startup command with the specified StartupType. If this isn't preceded by _TPM_Init then it will return a *TPMError error with an error code of ErrorInitialize. The shutdown and startup sequence determines how the TPM responds to this call:

  • A call with startupType == StartupClear preceded by a call to TPMContext.Shutdown with shutdownType == StartupClear or without a preceding call to TPMContext.Shutdown will cause a TPM reset.
  • A call with startupType == StartupClear preceded by a call to TPMContext.Shutdown with shutdownType == StartupState will cause a TPM restart.
  • A call with startupType == StartupState preceded by a call to TPMContext.Shutdown with shutdownType == StartupState will cause a TPM resume.
  • A call with startupType == StartupState that isn't preceded by a call to TPMContext.Shutdown with shutdownType == StartupState will fail with a *TPMParameterError error with an error code of ErrorValue.

If called with startupType == StartupState, a *TPMError error with an error code of ErrorNVUninitialized will be returned if the saved state cannot be recovered. In this case, the function must be called with startupType == StartupClear.

Subsequent use of HandleContext instances corresponding to entities that are evicted as a consequence of this function will no longer work.

func (*TPMContext) StirRandom 

func (t *TPMContext) StirRandom(inData SensitiveData, sessions ...SessionContext) error

func (*TPMContext) TestParms 

func (t *TPMContext) TestParms(parameters *PublicParams, sessions ...SessionContext) error

TestParms executes the TPM2_TestParms command to check if the specified combination of algorithm parameters is supported.

func (*TPMContext) Unseal 

func (t *TPMContext) Unseal(itemContext ResourceContext, itemContextAuthSession SessionContext, sessions ...SessionContext) (SensitiveData, error)

Unseal executes the TPM2_Unseal command to decrypt the sealed data object associated with itemContext and retrieve its sensitive data. The command requires authorization with the user auth role for itemContext, with session based authorization provided via itemContextAuthSession.

If the type of object associated with itemContext is not AlgorithmKeyedHash, a *TPMHandleError error with an error code of ErrorType will be returned. If the object associated with itemContext has either the AttrDecrypt, AttrSign or AttrRestricted attributes set, a *TPMHandlerError error with an error code of ErrorAttributes will be returned.

On success, the object's sensitive data is returned in decrypted form.

func (*TPMContext) VerifySignature 

func (t *TPMContext) VerifySignature(keyContext ResourceContext, digest Digest, signature *Signature, sessions ...SessionContext) (*TkVerified, error)

VerifySignature executes the TPM2_VerifySignature command to validate the provided signature against a message with the provided digest, using the key associated with keyContext. If keyContext corresponds to an object that isn't a signing key, a *TPMHandleError error with an error code of ErrorAttributes will be returned.

If the signature is invalid, a *TPMParameterError error with an error code of ErrorSignature will be returned for parameter index 2. If the signature references an unsupported signature scheme, a *TPMParameterError error with an error code of ErrorScheme will be returned for parameter index 2.

If keyContext corresponds to a HMAC key but only the public part is loaded, a *TPMParameterError error with an error code of ErrorHandle will be returned for parameter index 2.

On success, a valid TkVerified structure will be returned.

type TPMError 

type TPMError struct {
	Command CommandCode // Command code associated with this error
	Code    ErrorCode   // Error code
}

TPMError is returned from DecodeResponseCode and any TPMContext method that executes a command on the TPM if the TPM response code indicates an error that is not associated with a handle, parameter or session.

func (*TPMError) Error 

func (e *TPMError) Error() string

type TPMGenerated 

type TPMGenerated uint32

TPMGenerated corresponds to the TPM_GENERATED type. 

const (
	TPMGeneratedValue TPMGenerated = 0xff544347 // TPM_GENERATED_VALUE
)

type TPMHandleError 

type TPMHandleError struct {
	// Index is the index of the handle associated with this error in the command handle area, starting from 1. An index of 0 corresponds
	// to an unspecified handle
	Index int
	// contains filtered or unexported fields
}

TPMHandleError is returned from DecodeResponseCode and any TPMContext method that executes a command on the TPM if the TPM response code indicates an error that is associated with a command handle. It wraps a *TPMError.

func (*TPMHandleError) Code 

func (e *TPMHandleError) Code() ErrorCode

func (*TPMHandleError) Command 

func (e *TPMHandleError) Command() CommandCode

func (*TPMHandleError) Error 

func (e *TPMHandleError) Error() string

func (*TPMHandleError) Unwrap 

func (e *TPMHandleError) Unwrap() error

type TPMManufacturer 

type TPMManufacturer uint32

TPMManufacturer corresponds to the TPM manufacturer and is returned when querying the value PropertyManufacturer with TPMContext.GetCapabilityTPMProperties 

const (
	TPMManufacturerAMD  TPMManufacturer = 0x414D4400 // AMD
	TPMManufacturerATML TPMManufacturer = 0x41544D4C // Atmel
	TPMManufacturerBRCM TPMManufacturer = 0x4252434D // Broadcom
	TPMManufacturerHPE  TPMManufacturer = 0x48504500 // HPE
	TPMManufacturerIBM  TPMManufacturer = 0x49424d00 // IBM
	TPMManufacturerIFX  TPMManufacturer = 0x49465800 // Infineon
	TPMManufacturerINTC TPMManufacturer = 0x494E5443 // Intel
	TPMManufacturerLEN  TPMManufacturer = 0x4C454E00 // Lenovo
	TPMManufacturerMSFT TPMManufacturer = 0x4D534654 // Microsoft
	TPMManufacturerNSM  TPMManufacturer = 0x4E534D20 // National Semiconductor
	TPMManufacturerNTZ  TPMManufacturer = 0x4E545A00 // Nationz
	TPMManufacturerNTC  TPMManufacturer = 0x4E544300 // Nuvoton Technology
	TPMManufacturerQCOM TPMManufacturer = 0x51434F4D // Qualcomm
	TPMManufacturerSMSC TPMManufacturer = 0x534D5343 // SMSC
	TPMManufacturerSTM  TPMManufacturer = 0x53544D20 // ST Microelectronics
	TPMManufacturerSMSN TPMManufacturer = 0x534D534E // Samsung
	TPMManufacturerSNS  TPMManufacturer = 0x534E5300 // Sinosun
	TPMManufacturerTXN  TPMManufacturer = 0x54584E00 // Texas Instruments
	TPMManufacturerWEC  TPMManufacturer = 0x57454300 // Winbond
	TPMManufacturerROCC TPMManufacturer = 0x524F4343 // Fuzhou Rockchip
	TPMManufacturerGOOG TPMManufacturer = 0x474F4F47 // Google
)

func (TPMManufacturer) Format 

func (m TPMManufacturer) Format(s fmt.State, f rune)

func (TPMManufacturer) String 

func (m TPMManufacturer) String() string

type TPMParameterError 

type TPMParameterError struct {
	Index int // Index of the parameter associated with this error in the command parameter area, starting from 1
	// contains filtered or unexported fields
}

TPMParameterError is returned from DecodeResponseCode and any TPMContext method that executes a command on the TPM if the TPM response code indicates an error that is associated with a command parameter. It wraps a *TPMError.

func (*TPMParameterError) Code 

func (e *TPMParameterError) Code() ErrorCode

func (*TPMParameterError) Command 

func (e *TPMParameterError) Command() CommandCode

func (*TPMParameterError) Error 

func (e *TPMParameterError) Error() string

func (*TPMParameterError) Unwrap 

func (e *TPMParameterError) Unwrap() error

type TPMSessionError 

type TPMSessionError struct {
	Index int // Index of the session associated with this error in the authorization area, starting from 1
	// contains filtered or unexported fields
}

TPMSessionError is returned from DecodeResponseCode and any TPMContext method that executes a command on the TPM if the TPM response code indicates an error that is associated with a session. It wraps a *TPMError.

func (*TPMSessionError) Code 

func (e *TPMSessionError) Code() ErrorCode

func (*TPMSessionError) Command 

func (e *TPMSessionError) Command() CommandCode

func (*TPMSessionError) Error 

func (e *TPMSessionError) Error() string

func (*TPMSessionError) Unwrap 

func (e *TPMSessionError) Unwrap() error

type TPMVendorError 

type TPMVendorError struct {
	Command CommandCode  // Command code associated with this error
	Code    ResponseCode // Response code
}

TPMVendorError is returned from DecodeResponseCode and and TPMContext method that executes a command on the TPM if the TPM response code indicates a vendor-specific error.

func (*TPMVendorError) Error 

func (e *TPMVendorError) Error() string

type TPMWarning 

type TPMWarning struct {
	Command CommandCode // Command code associated with this error
	Code    WarningCode // Warning code
}

TPMWarning is returned from DecodeResponseCode and any TPMContext method that executes a command on the TPM if the TPM response code indicates a condition that is not necessarily an error.

func (*TPMWarning) Error 

func (e *TPMWarning) Error() string

type TaggedHash 

type TaggedHash struct {
	HashAlg HashAlgorithmId // Algorithm of the digest contained with Digest
	Digest  []byte          // Digest data
}

TaggedHash corresponds to the TPMT_HA type.

func (*TaggedHash) Marshal 

func (p *TaggedHash) Marshal(buf io.Writer) error

func (*TaggedHash) Unmarshal 

func (p *TaggedHash) Unmarshal(buf io.Reader) error

type TaggedHashList 

type TaggedHashList []TaggedHash

TaggedHashList is a slice of TaggedHash values, and corresponds to the TPML_DIGEST_VALUES type.

type TaggedPCRPropertyList 

type TaggedPCRPropertyList []TaggedPCRSelect

TaggedPCRPropertyList is a slice of TaggedPCRSelect values, and corresponds to the TPML_TAGGED_PCR_PROPERTY type.

type TaggedPCRSelect 

type TaggedPCRSelect struct {
	Tag    PropertyPCR      // Property identifier
	Select PCRSelectionData // PCRs associated with Tag
}

TaggedPCRSelect corresponds to the TPMS_TAGGED_PCR_SELECT type. It is used to report the PCR indexes associated with a property.

type TaggedPolicy 

type TaggedPolicy struct {
	Handle     Handle     // Permanent handle
	PolicyHash TaggedHash // Policy algorithm and hash
}

TaggedPolicy corresponds to the TPMS_TAGGED_POLICY type. It is used to report the authorization policy for a permanent resource.

type TaggedPolicyList 

type TaggedPolicyList []TaggedPolicy

TaggedPolicyList is a slice of TaggedPolicy values, and corresponds to the TPML_TAGGED_POLICY type.

type TaggedProperty 

type TaggedProperty struct {
	Property Property // Property identifier
	Value    uint32   // Value of the property
}

TaggedProperty corresponds to the TPMS_TAGGED_PROPERTY type. It is used to report the value of a property.

type TaggedTPMPropertyList 

type TaggedTPMPropertyList []TaggedProperty

TaggedTPMPropertyList is a slice of TaggedProperty values, and corresponds to the TPML_TAGGED_TPM_PROPERTY type.

type TctiDeviceLinux 

type TctiDeviceLinux struct {
	// contains filtered or unexported fields
}

TctiDeviceLinux represents a connection to a Linux TPM character device.

func OpenTPMDevice 

func OpenTPMDevice(path string) (*TctiDeviceLinux, error)

OpenTPMDevice attempts to open a connection to the Linux TPM character device at the specified path. If successful, it returns a new TctiDeviceLinux instance which can be passed to NewTPMContext. Failure to open the TPM character device will result in a wrapped *os.PathError being returned

func (*TctiDeviceLinux) Close 

func (d *TctiDeviceLinux) Close() error

func (*TctiDeviceLinux) Read 

func (d *TctiDeviceLinux) Read(data []byte) (int, error)

func (*TctiDeviceLinux) Write 

func (d *TctiDeviceLinux) Write(data []byte) (int, error)

type TctiError 

type TctiError struct {
	Op string // The operation that caused the error
	// contains filtered or unexported fields
}

TctiError is returned from any TPMContext method if the underlying TCTI returns an error.

func (*TctiError) Error 

func (e *TctiError) Error() string

func (*TctiError) Unwrap 

func (e *TctiError) Unwrap() error

type TctiMssim 

type TctiMssim struct {
	Locality uint8 // Locality of commands submitted to the simulator on this interface
	// contains filtered or unexported fields
}

TctiMssim represents a connection to a TPM simulator that implements the Microsoft TPM2 simulator interface.

func OpenMssim 

func OpenMssim(host string, tpmPort, platformPort uint) (*TctiMssim, error)

OpenMssim attempts to open a connection to a TPM simulator on the specified host. tpmPort is the port on which the TPM command server is listening. platformPort is the port on which the platform server is listening. If host is an empty string, it defaults to "localhost".

If successful, it returns a new TctiMssim instance which can be passed to NewTPMContext.

func (*TctiMssim) Close 

func (t *TctiMssim) Close() (out error)

func (*TctiMssim) Read 

func (t *TctiMssim) Read(data []byte) (int, error)

func (*TctiMssim) Reset 

func (t *TctiMssim) Reset() error

Reset submits the reset command on the platform connection, which initiates a reset of the TPM simulator and results in the execution of _TPM_Init().

func (*TctiMssim) Stop 

func (t *TctiMssim) Stop() (out error)

Stop submits a stop command on both the TPM command and platform channels, which initiates a shutdown of the TPM simulator.

func (*TctiMssim) Write 

func (t *TctiMssim) Write(data []byte) (int, error)

type Template 

type Template []byte

Template corresponds to the TPM2B_TEMPLATE type

type TimeAttestInfo 

type TimeAttestInfo struct {
	Time            TimeInfo // Time information
	FirmwareVersion uint64   // TPM vendor specific value indicating the version of the firmware
}

TimeAttestInfo corresponds to the TPMS_TIME_ATTEST_INFO type, and is returned by TPMContext.GetTime.

type TimeInfo 

type TimeInfo struct {
	Time      uint64    // Time value in milliseconds since the last TPM startup
	ClockInfo ClockInfo // Clock information
}

TimeInfo corresponds to the TPMS_TIME_INFO type.

type Timeout 

type Timeout []byte

Timeout corresponds to the TPM2B_TIMEOUT type.

type TkAuth 

type TkAuth struct {
	Tag       StructTag // Ticket structure tag (TagAuthSecret or TagAuthSigned)
	Hierarchy Handle    // The hierarchy of the object used to produce this ticket
	Digest    Digest    // HMAC computed using the proof value of Hierarchy
}

TkAuth corresponds to the TPMT_TK_AUTH type. It is created by TPMContext.PolicySigned and TPMContext.PolicySecret when the authorization has an expiration time.

type TkCreation 

type TkCreation struct {
	Tag       StructTag // Ticket structure tag (TagCreation)
	Hierarchy Handle    // The hierarchy of the object to which this ticket belongs.
	Digest    Digest    // HMAC computed using the proof value of Hierarchy
}

TkCreation corresponds to the TPMT_TK_CREATION type. It is created by TPMContext.Create and TPMContext.CreatePrimary, and is used to cryptographically bind the CreationData to the created object.

type TkHashcheck 

type TkHashcheck struct {
	Tag       StructTag // Ticket structure tag (TagHashcheck)
	Hierarchy Handle    // The hierarchy of the object used to produce this ticket
	Digest    Digest    // HMAC computed using the proof value of Hierarchy
}

TkHashcheck corresponds to the TPMT_TK_HASHCHECK type.

type TkVerified 

type TkVerified struct {
	Tag       StructTag // Ticket structure tag (TagVerified)
	Hierarchy Handle    // The hierarchy of the object to which this ticket belongs.
	Digest    Digest    // HMAC computed using the proof value of Hierarcht
}

TkVerified corresponds to the TPMT_TK_VERIFIED type. It is created by TPMContext.VerifySignature and provides evidence that the TPM has verified that a digest was signed by a specific key.

type TrialAuthPolicy 

type TrialAuthPolicy struct {
	// contains filtered or unexported fields
}

TrialAuthPolicy provides a mechanism for computing authorization policy digests without having to execute a trial authorization policy session on the TPM. An advantage of this is that it is possible to compute digests for PolicySecret and PolicyNV assertions without knowledge of the authorization value of the authorizing entities used for those commands.

func ComputeAuthPolicy 

func ComputeAuthPolicy(alg HashAlgorithmId) (*TrialAuthPolicy, error)

ComputeAuthPolicy creates a new context for computing an authorization policy digest.

func (*TrialAuthPolicy) GetDigest 

func (p *TrialAuthPolicy) GetDigest() Digest

GetDigest returns the current digest computed for the policy assertions executed so far.

func (*TrialAuthPolicy) PolicyAuthValue 

func (p *TrialAuthPolicy) PolicyAuthValue()

func (*TrialAuthPolicy) PolicyAuthorize 

func (p *TrialAuthPolicy) PolicyAuthorize(policyRef Nonce, keySign Name)

func (*TrialAuthPolicy) PolicyCommandCode 

func (p *TrialAuthPolicy) PolicyCommandCode(code CommandCode)

func (*TrialAuthPolicy) PolicyCounterTimer 

func (p *TrialAuthPolicy) PolicyCounterTimer(operandB Operand, offset uint16, operation ArithmeticOp)

func (*TrialAuthPolicy) PolicyCpHash 

func (p *TrialAuthPolicy) PolicyCpHash(cpHashA Digest)

func (*TrialAuthPolicy) PolicyDuplicationSelect 

func (p *TrialAuthPolicy) PolicyDuplicationSelect(objectName, newParentName Name, includeObject bool)

func (*TrialAuthPolicy) PolicyNV 

func (p *TrialAuthPolicy) PolicyNV(nvIndexName Name, operandB Operand, offset uint16, operation ArithmeticOp)

func (*TrialAuthPolicy) PolicyNameHash 

func (p *TrialAuthPolicy) PolicyNameHash(nameHash Digest)

func (*TrialAuthPolicy) PolicyNvWritten 

func (p *TrialAuthPolicy) PolicyNvWritten(writtenSet bool)

func (*TrialAuthPolicy) PolicyOR 

func (p *TrialAuthPolicy) PolicyOR(pHashList DigestList)

func (*TrialAuthPolicy) PolicyPCR 

func (p *TrialAuthPolicy) PolicyPCR(pcrDigest Digest, pcrs PCRSelectionList)

func (*TrialAuthPolicy) PolicyPassword 

func (p *TrialAuthPolicy) PolicyPassword()

func (*TrialAuthPolicy) PolicySecret 

func (p *TrialAuthPolicy) PolicySecret(authName Name, policyRef Nonce)

func (*TrialAuthPolicy) PolicySigned 

func (p *TrialAuthPolicy) PolicySigned(authName Name, policyRef Nonce)

type Union 

type Union interface {
	Select(selector reflect.Value) (reflect.Type, error)
}

Union is implemented by types that implement the TPMU prefixed TPM types.

The Select method is called by the marshalling code with the value of the selector field from the enclosing struct, and the implementation should respond with the type that will be marshalled or unmarshalled for the selector value.

type WarningCode 

type WarningCode ResponseCode

WarningCode represents a response from the TPM that is not necessarily an error. 

const (
	WarningContextGap     WarningCode = 0x01 // TPM_RC_CONTEXT_GAP
	WarningObjectMemory   WarningCode = 0x02 // TPM_RC_OBJECT_MEMORY
	WarningSessionMemory  WarningCode = 0x03 // TPM_RC_SESSION_MEMORY
	WarningMemory         WarningCode = 0x04 // TPM_RC_MEMORY
	WarningSessionHandles WarningCode = 0x05 // TPM_RC_SESSION_HANDLES
	WarningObjectHandles  WarningCode = 0x06 // TPM_RC_OBJECT_HANDLES

	// WarningLocality corresponds to TPM_RC_LOCALITY and is returned for a command if a policy session is used for authorization and the
	// session includes a TPM2_PolicyLocality assertion, but the command isn't executed with the authorized locality.
	WarningLocality WarningCode = 0x07

	// WarningYielded corresponds to TPM_RC_YIELDED and is returned for any command that is suspended as a hint that the command can be
	// retried. This is handled automatically by all methods on TPMContext that execute commands via TPMContext.RunCommand by
	// resubmitting the command.
	WarningYielded WarningCode = 0x08

	// WarningCanceled corresponds to TPM_RC_CANCELED and is returned for any command that is canceled before being able to complete.
	WarningCanceled WarningCode = 0x09

	WarningTesting     WarningCode = 0x0a // TPM_RC_TESTING
	WarningReferenceH0 WarningCode = 0x10 // TPM_RC_REFERENCE_H0
	WarningReferenceH1 WarningCode = 0x11 // TPM_RC_REFERENCE_H1
	WarningReferenceH2 WarningCode = 0x12 // TPM_RC_REFERENCE_H2
	WarningReferenceH3 WarningCode = 0x13 // TPM_RC_REFERENCE_H3
	WarningReferenceH4 WarningCode = 0x14 // TPM_RC_REFERENCE_H4
	WarningReferenceH5 WarningCode = 0x15 // TPM_RC_REFERENCE_H5
	WarningReferenceH6 WarningCode = 0x16 // TPM_RC_REFERENCE_H6
	WarningReferenceS0 WarningCode = 0x18 // TPM_RC_REFERENCE_S0
	WarningReferenceS1 WarningCode = 0x19 // TPM_RC_REFERENCE_S1
	WarningReferenceS2 WarningCode = 0x1a // TPM_RC_REFERENCE_S2
	WarningReferenceS3 WarningCode = 0x1b // TPM_RC_REFERENCE_S3
	WarningReferenceS4 WarningCode = 0x1c // TPM_RC_REFERENCE_S4
	WarningReferenceS5 WarningCode = 0x1d // TPM_RC_REFERENCE_S5
	WarningReferenceS6 WarningCode = 0x1e // TPM_RC_REFERENCE_S6

	// WarningNVRate corresponds to TPM_RC_NV_RATE and is returned for any command that requires NV access if NV access is currently
	// rate limited to prevent the NV memory from wearing out.
	WarningNVRate WarningCode = 0x20

	// WarningLockout corresponds to TPM_RC_LOCKOUT and is returned for any command that requires authorization for an entity that is
	// subject to dictionary attack protection, and the TPM is in dictionary attack lockout mode.
	WarningLockout WarningCode = 0x21

	// WarningRetry corresponds to TPM_RC_RETRY and is returned for any command if the TPM was not able to start the command. This is
	// handled automatically by all methods on TPMContext that execute commands via TPMContext.RunCommand by resubmitting the command.
	WarningRetry WarningCode = 0x22

	// WarningNVUnavailable corresponds to TPM_RC_NV_UNAVAILABLE and is returned for any command that requires NV access but NV memory
	// is currently not available.
	WarningNVUnavailable WarningCode = 0x23
)

func (WarningCode) Format 

func (e WarningCode) Format(s fmt.State, f rune)

func (WarningCode) String 

func (e WarningCode) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.