Update Windows application key support #343
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There's currently no support for creating application keys on Windows systems. This patch transitions the Windows key type to specifically refer to attestation keys, and reuses the existing wrapped key support for application keys. This allows the creation of keys in the platform store, while still allowing said keys to be manipulated with existing TPM functionality rather than duplicating it.
When generating a new key using a Windows TPM, a `wrappedKey20` was returned, which couldn't be used for signing on Windows, as it's backed by a `windowsTPM`. The `wrappedKey20` seems to be a type specifically aimed at usage with a `wrappedTPM20`, which in turn seems to be used on Linux and for testing, but not when instantiating a TPM on Windows. This commit adds the `newWindowsKey20` function, which returns a key backed by a `windowsTPM`. The key is a `windowsAK20`, now also conforming to the `key` interface, so that it can be used for signing purposes.
My system is returning RCScheme if TPM_ALG_NULL is passed here. This should be causing the key's default scheme to be used, but for some reason it seems unhappy. Just explicitly set the scheme for now to avoid that.
Conflicts: attest/key_windows.go attest/tpm_windows.go Fixed by combining the new function names with the new function arguments. Also had to fix a couple non-implemented functions on structs after they had been renamed for the Windows application key support.
…/improve-windows-support
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Catching up to the earlier work on #274 and #317. This is the first of several PRs to get back to the state of #317, but in more manageable chunks.
There's been a bit of activity in terms of (new) function signatures in this repository lately. This PR takes @mjg59's changes and additions for Windows application key support and I applied the required changes to make it compile with the new function signatures.
@ericchiang you asked about the tests on Windows: #317 (comment). It's currently only a
go build; nothing seems to be actually tested outside of the code compiling successfully. I might give that a stab in the upcoming PRs.P.S.: I added theThis was fixed in #350.-fto the macOS CI to get around an issue with the linked library already existing: https://github.com/hslatman/go-attestation/actions/runs/5575815478/jobs/10186236329#step:5:8. I'm not sure why that resulted in an error in that run and did not before, outside of a slightly new image being used, but I think the override is OK.cc @brandonweeks