package
0.9.3
Repository: https://github.com/google/go-tpm.git
Documentation: pkg.go.dev

# README

TPM 2.0 client library

Tests

This library contains unit tests in github.com/google/go-tpm/tpm2, which just test that various encoding and error checking functions work correctly. It also contains more comprehensive integration tests in github.com/google/go-tpm/tpm2/test, which run actual commands on a TPM.

By default, these integration tests are run against the go-tpm-tools simulator, which is based on the Microsoft Reference TPM2 code. To run both the unit and integration tests, run (in this directory)

go test . ./test

These integration tests can also be run against a real TPM device. This is slightly more complex as the tests often need to be built as a normal user and then executed as root. For example,

# Build the test binary without running it
go test -c github.com/google/go-tpm/tpm2/test
# Execute the test binary as root
sudo ./test.test --tpm-path=/dev/tpmrm0

On Linux, the --tpm-path flag causes the integration tests to be run against a real TPM located at that path (usually /dev/tpmrm0 or /dev/tpm0). On Windows, the story is similar, except that the --use-tbs flag is used instead.

Tip: if your TPM host is remote and you don't want to install Go on it, this same two-step process can be used. The test binary can be copied to a remote host and run without extra installation (as the test binary has very few runtime dependencies).

# Packages

Package credactivation implements generation of data blobs to be used when invoking the ActivateCredential command, on a TPM.

# Functions

ActivateCredential associates an object with a credential.
ActivateCredentialUsingAuth associates an object with a credential, using the given set of authorizations.
Certify generates a signature of a loaded TPM object with a signing key signer.
CertifyCreation generates a signature of a newly-created & loaded TPM object, using signer as the signing key.
CertifyEx generates a signature of a loaded TPM object with a signing key signer.
Clear clears lockout, endorsement and owner hierarchy authorization values.
ContextLoad reloads context data created by ContextSave.
ContextSave returns an encrypted version of the session, object or sequence context for storage outside of the TPM.
CreateKey creates a new key pair under the owner handle.
CreateKeyUsingAuth creates a new key pair under the owner handle using the provided AuthCommand.
CreateKeyWithOutsideInfo is very similar to CreateKey, except that it returns the outside information.
CreateKeyWithSensitive is very similar to CreateKey, except that it can take in a piece of sensitive data.
CreatePrimary initializes the primary key in a given hierarchy.
CreatePrimaryEx initializes the primary key in a given hierarchy.
CreatePrimaryRawTemplate is CreatePrimary, but with the public template (TPMT_PUBLIC) provided pre-encoded.
DecodeAttestationData decodes a TPMS_ATTEST message.
DecodeCreationData decodes a TPMS_CREATION_DATA message.
DecodeName deserializes a Name hash from the TPM wire format.
DecodePublic decodes a TPMT_PUBLIC message.
DecodeSignature decodes a serialized TPMT_SIGNATURE structure.
DecodeTPMLDigest decodes a TPML_Digest part of a message.
DecryptSymmetric decrypts data using a symmetric key.
DictionaryAttackLockReset cancels the effect of a TPM lockout due to a number of successive authorization failures, by setting the lockout counter to zero.
DictionaryAttackParameters changes the lockout parameters.
ECDHKeyGen generates an ephemeral ECC key, calculates the ECDH point multiplication of the ephemeral private key and a loaded public key, and returns the public ephemeral point along with the coordinates of the resulting point.
ECDHZGen performs ECDH point multiplication between a private key held in the TPM and a given public point, returning the coordinates of the resulting point.
EncryptSymmetric encrypts data using a symmetric key.
EventSequenceComplete adds the last part of data, if any, to an Event Sequence and returns the result in a digest list.
EvictControl toggles persistence of an object within the TPM.
FlushContext removes the object or session under handle from the TPM.
GetCapability returns various information about the TPM state.
GetManufacturer returns the manufacturer ID.
GetRandom gets random bytes from the TPM.
Hash computes a hash of data in buf using TPM2_Hash, returning the computed digest and validation ticket.
HashSequenceStart starts a hash or an event sequence.
HashToAlgorithm looks up the TPM2 algorithm corresponding to the provided crypto.Hash.
HierarchyChangeAuth changes the authorization values for a hierarchy or for the lockout authority.
Import allows a user to import a key created on a different computer or in a different TPM.
KDFa implements TPM 2.0's default key derivation function, as defined in section 11.4.9.2 of the TPM revision 2 specification part 1.
KDFaHash implements TPM 2.0's default key derivation function, as defined in section 11.4.9.2 of the TPM revision 2 specification part 1.
KDFe implements TPM 2.0's ECDH key derivation function, as defined in section 11.4.9.3 of the TPM revision 2 specification part 1.
KDFeHash implements TPM 2.0's ECDH key derivation function, as defined in section 11.4.9.3 of the TPM revision 2 specification part 1.
Load loads public/private blobs into an object in the TPM.
LoadExternal loads a public (and optionally a private) key into an object in the TPM.
LoadUsingAuth loads public/private blobs into an object in the TPM using the provided AuthCommand.
MakeCredential creates an encrypted credential for use in ActivateCredential.
NVDefineSpace creates an index in TPM's NV storage.
NVDefineSpaceEx accepts NVPublic structure and AuthCommand, allowing more flexibility.
NVIncrement increments a counter in NVRAM.
NVRead reads a full data blob from an NV index.
NVReadEx reads a full data blob from an NV index, using the given authorization handle.
NVReadLock inhibits further reads of the given NV index if AttrReadSTClear is set.
NVReadPublic reads the public data of an NV index.
NVUndefineSpace removes an index from TPM's NV storage.
NVUndefineSpaceEx removes an index from NVRAM.
NVUndefineSpaceSpecial allows removal of a platform-created NV index that has TPMA_NV_POLICY_DELETE set.
NVWrite writes data into the TPM's NV storage.
NVWriteEx does the same as NVWrite with the exception of letting the user take care of the AuthCommand before calling the function.
NVWriteLock inhibits further writes on the given NV index if at least one of the AttrWriteSTClear or AttrWriteDefine bits is set.
OpenTPM opens a channel to the TPM at the given path.
PCREvent writes an update to the specified PCR.
PCRExtend extends a value into the selected PCR.
PCRReset resets the value of the given PCR.
PolicyCommandCode indicates that the authorization will be limited to a specific command code.
PolicyGetDigest returns the current policyDigest of the session.
PolicyOr compares PolicySession→Digest against the list of provided values.
PolicyPassword sets password authorization requirement on the object.
PolicyPCR sets PCR state binding for authorization on a session.
PolicySecret sets a secret authorization requirement on the provided entity.
PolicySigned sets a signed authorization requirement on the provided policy.
Quote returns a quote of PCR values.
QuoteRaw is very similar to Quote, except that it will return the raw signature in a byte array without decoding.
ReadClock returns current clock values from the TPM.
ReadPCR reads the value of the given PCR.
ReadPCRs reads PCR values from the TPM.
ReadPublic reads the public part of the object under handle.
RSADecrypt performs RSA decryption in the TPM according to RFC 3447.
RSADecryptWithSession performs RSA decryption in the TPM according to RFC 3447.
RSAEncrypt performs RSA encryption in the TPM according to RFC 3447.
Seal creates a data blob object that seals the sensitive data under a parent and with a password and auth policy.
SequenceComplete adds the last part of data, if any, to a hash/HMAC sequence and returns the result.
SequenceUpdate is used to add data to a hash or HMAC sequence.
Shutdown shuts down a TPM (usually done by the OS).
Sign computes a signature for digest using a given loaded key.
SignWithSession computes a signature for digest using a given loaded key.
StartAuthSession initializes a session object.
Startup initializes a TPM (usually done by the OS).
Unseal returns the data for a loaded sealed object.
UnsealWithSession returns the data for a loaded sealed object.

# Constants

Allowed ranges of different kinds of Handles (TPM_HANDLE). These constants have type TPMProp for backwards compatibility.
TPM Capability Properties, see TPM 2.0 Spec, Rev 1.38, Table 23.
Supported Algorithms.
Variable TPM Properties (PT_VAR).
Session Attributes (Structures 8.4 TPMA_SESSION).
NV Attributes.
TPM Capabilities.
Supported TPM operations.
ECC curves supported by TPM 2.0 spec.
Key properties.
Reserved Handles.
Supported handle types.
Indexes for arguments, handles and sessions.
Format 0 error codes.
Format 1 error codes.
Warning codes.
Supported session types.
Startup types.
TPM Structure Tags.

# Variables

EmptyAuth represents the empty authorization value.

# Structs

AlgorithmDescription represents a TPMS_ALGORITHM_DESCRIPTION structure.
AsymScheme represents an asymmetric encryption scheme.
AttestationData contains data attested by TPM commands (like Certify).
AuthCommand represents a TPMS_AUTH_COMMAND.
CertifyInfo contains Certify-specific data for TPMS_ATTEST.
ClockInfo contains TPM state info included in AttestationData.
CreationData describes the attributes and environment for an object created on the TPM.
CreationInfo contains Creation-specific data for TPMS_ATTEST.
ECCParams represents parameters of an ECC key pair: both the TPMS_ECC_PARMS and the TPMS_ECC_POINT.
ECPoint represents the ECC coordinates of a point using byte buffers.
Error is returned for all Format 0 errors from the TPM.
HandleError describes an error related to a handle, and the handle number.
HashValue is an algorithm-specific hash value.
IDObject represents an encrypted credential bound to a TPM object.
KDFScheme represents a KDF (Key Derivation Function) scheme.
KeyedHashParams represents parameters of a keyed hash TPM object: both the TPMS_KEYEDHASH_PARMS and the TPM2B_DIGEST (hash of the key).
Name represents a TPM2B_NAME, a name for TPM entities.
NVPublic contains the public area of an NV index.
ParameterError describes an error related to a parameter, and the parameter number.
PCRSelection contains a slice of PCR indexes and a hash algorithm used in them.
Private contains the private section of a TPM key.
Public contains the public area of an object.
QuoteInfo represents a TPMS_QUOTE_INFO structure.
RSAParams represents parameters of an RSA key pair: both the TPMS_RSA_PARMS and the TPM2B_PUBLIC_KEY_RSA.
SessionError describes an error related to a session, and the session number.
Signature combines all possible signatures from RSA and ECC keys.
SignatureECC is an ECC-specific signature value.
SignatureRSA is an RSA-specific signature value.
SigScheme represents a signing scheme.
SymCipherParams represents parameters of a symmetric block cipher TPM object: both the TPMS_SYMCIPHER_PARMS and the TPM2B_DIGEST (hash of the key).
SymScheme represents a symmetric encryption scheme.
TaggedProperty represents a TPMS_TAGGED_PROPERTY structure.
Ticket represents evidence the TPM previously processed information.
TPMLDigest represents the TPML_Digest structure. It is used to convey a list of digest values.
VendorError represents a vendor-specific error response.
Warning is typically used to report transient errors.

# Type aliases

Algorithm represents a TPM_ALG_ID value.
AlgorithmAttributes represents a TPMA_ALGORITHM value.
Capability identifies some TPM property or state type.
EllipticCurve identifies specific EC curves.
HandleType defines a type of handle.
KeyProp is a bitmask used in the Attributes field of key templates.
NVAttr is a bitmask used in the Attributes field of NV indexes.
SessionAttributes represents an attribute of a session.
SessionType defines the type of session created in StartAuthSession.
StartupType instructs the TPM on how to handle its state during Shutdown or Startup.
TPMProp represents a Property Tag (TPM_PT) used with calls to GetCapability(CapabilityTPMProperties).