Windows TPM enrollment support#25801
codingllama left a comment:
Looks great, the vast majority of comments are inconsequential.
Apologies for the delay and thanks for splitting the other parts.
@codingllama ready for you to take another look 🦦
| // getDeviceSerial returns the serial number of the device using PowerShell to |
Thanks for the detailed explanation, sounds good.
@strideynet See the table below for backport results.
| if os.IsNotExist(err) { | ||
| // If it doesn't exist, we can create it and return as we know | ||
| // the perms are correct as we created it. | ||
| if err := os.Mkdir(deviceStateDirPath, 700); err != nil { |
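Review bot: `os.Mkdir(deviceStateDirPath, 700)` passes the decimal literal 700, which is 01274 in octal (sticky bit set and stray group/other bits), not the owner-only 0700 that the preceding comment ("we know the perms are correct as we created it") assumes; use `0700` (or `0o700`). That comment also only holds where the platform honours the mode: on Windows, Go's `os.Mkdir` does not apply these permission bits, so an owner-only DACL would be needed for an equivalent guarantee there.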
cc @probakowski who has some experience calling win32 APIs via syscall. Przemko, do you think that would make sense here?
| // PF47WND6 | ||
| out, err := cmd.Output() | ||
| if err != nil { | ||
| return "", trace.Wrap(err) |
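Review bot: because this uses `cmd.Output()`, a non-zero exit is returned as an `*exec.ExitError` whose `Stderr` field holds what PowerShell wrote to stderr (captured automatically when `cmd.Stderr` is nil); `trace.Wrap(err)` on its own drops both that and `out`, so the caller only sees "exit status 1". Unwrap with `errors.As` and fold both into the message, e.g. `trace.Wrap(err, "powershell failed: stdout=%q stderr=%q", out, exitErr.Stderr)`.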
I find it helpful to include out in the error message here, otherwise when this fails you'll just get an error message about a non-zero exit code and have no idea what went wrong.
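As an added example that is not part of this PR or of Teleport's code base, here is how the two review points above (the state-directory permission bits, and including captured output in the error returned when the PowerShell call fails) could look together in Go. The `commandRunner` indirection, the function names, the `Get-CimInstance Win32_BIOS` query and the constructed sample outputs are assumptions made for illustration; the PR's actual command is not shown on this page.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// commandRunner runs a command and returns its stdout. It exists so the
// PowerShell lookup can be exercised on a machine without PowerShell by
// substituting a fake (an assumption of this example, not Teleport's design).
type commandRunner func(name string, args ...string) ([]byte, error)

// execRunner is the real runner. Stdout comes back in out; on a non-zero exit
// the returned *exec.ExitError carries the captured stderr in its Stderr field.
func execRunner(name string, args ...string) ([]byte, error) {
	return exec.Command(name, args...).Output()
}

// getDeviceSerial returns the BIOS serial number reported by WMI via PowerShell
// (hypothetical query for this example). On failure, captured stdout and stderr
// are folded into the error so the caller sees more than "exit status 1".
func getDeviceSerial(run commandRunner) (string, error) {
	out, err := run("powershell.exe", "-NoProfile", "-NonInteractive", "-Command",
		"(Get-CimInstance -ClassName Win32_BIOS).SerialNumber")
	if err != nil {
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			return "", fmt.Errorf("powershell failed: %w (stdout=%q, stderr=%q)",
				err, bytes.TrimSpace(out), bytes.TrimSpace(exitErr.Stderr))
		}
		return "", fmt.Errorf("powershell failed: %w (stdout=%q)", err, bytes.TrimSpace(out))
	}
	serial := strings.TrimSpace(string(out))
	if serial == "" {
		return "", errors.New("powershell returned an empty serial number")
	}
	return serial, nil
}

// ensureStateDir creates the device state directory as owner-only. Note the
// octal literal 0o700: a decimal 700 is 0o1274, which is not what is wanted.
// If the directory already exists, its mode is checked rather than trusted.
// (On Windows, os.Mkdir largely ignores the mode; an owner-only DACL would be
// needed for an equivalent guarantee there.)
func ensureStateDir(path string) error {
	err := os.Mkdir(path, 0o700)
	if err == nil {
		return nil // we created it, so it has at most the bits we asked for
	}
	if !errors.Is(err, os.ErrExist) {
		return fmt.Errorf("creating %s: %w", path, err)
	}
	info, err := os.Stat(path)
	if err != nil {
		return fmt.Errorf("inspecting %s: %w", path, err)
	}
	if !info.IsDir() {
		return fmt.Errorf("%s exists but is not a directory", path)
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %o; expected no group/other access", path, perm)
	}
	return nil
}

func main() {
	serial, err := getDeviceSerial(execRunner)
	fmt.Println("serial:", serial, "err:", err)
	dir := filepath.Join(os.TempDir(), "device-state-example")
	fmt.Println("state dir:", dir, "err:", ensureStateDir(dir))
}
```

Run on a non-Windows host, `main` simply reports that `powershell.exe` was not found, with the (empty) captured output in the message; the point of the runner indirection is that the error-wrapping and the directory-mode check can be tested anywhere by injecting a fake runner that returns a constructed `*exec.ExitError`.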
* Start implementation of Windows TPM enrollment
* Basic device data collection for windows
* Add AK get/creation
* Add helpers for converting tpm protos
* Don't create AK in inappropriate circumstances
* Further simplify AK load/create
* Add tests for proto/attest conversions
* Ensure that digestalg varies between test cases
* More accurate proto field name
* Missing license header
* Add credential fingerprinting function
* Add getDeviceCredential implementation for windows
* Add dependencies so this builds
* Fix generation of credential id
* Introduce AKPublic field
* Collect other key data
* Add some additional debug logging
* Add more specific serial number fields to dcd
* Use faster powershell call for determining OS version
* Fix missing field in DeviceFromResource
* Add link to to-do issue
* Add packages necessary for enterprise submodule
* Fix import orders
* bump go-tpm-tools to latest versions
* Tidy up returned errors
* Add failure case test for Linux enrollment
* move linux device fake to lib/devicetrust/testenv
* Add test to exercise `RunCeremony`
* Tidier assertion messages
  Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Further simplifications of test assertions/errors
  Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Apply suggestions from code review
  Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Further fixes as per the llama's suggestions
* Further simplification and header on logs
* Use BadParameter rather than platform unsupported
* Add further notes on RSAness of `go-attestation`
* Minor adjustments to comments
* Unused import removed
* License headers
* rename `mustRandomBytes` -> `randomBytes`

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>
As per https://github.com/gravitational/teleport.e/pull/911

Closes https://github.com/gravitational/teleport.e/issues/1163
Associated with https://github.com/gravitational/teleport.e/pull/1159 .