[v15] Add tpm package with Attestation/Validation functionality (#40351)

go.mod

@@ -101,7 +101,8 @@ require (
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.17.0
 	github.com/google/go-querystring v1.1.0
-	github.com/google/go-tpm-tools v0.4.2
+	github.com/google/go-tpm v0.9.0
+	github.com/google/go-tpm-tools v0.4.4
 	github.com/google/renameio/v2 v2.0.0
 	github.com/google/safetext v0.0.0-20240104143208-7a7d9b3d812f
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
@@ -351,7 +352,7 @@ require (
 	github.com/google/certificate-transparency-go v1.1.7 // indirect
 	github.com/google/flatbuffers v23.1.21+incompatible // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/google/go-tpm v0.9.0 // indirect
+	github.com/google/go-configfs-tsm v0.2.2 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect

go.sum

@@ -731,6 +731,8 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-configfs-tsm v0.2.2 h1:YnJ9rXIOj5BYD7/0DNnzs8AOp7UcvjfTvt215EWcs98=
+github.com/google/go-configfs-tsm v0.2.2/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo=
 github.com/google/go-containerregistry v0.17.0 h1:5p+zYs/R4VGHkhyvgWurWrpJ2hW4Vv9fQI+GzdcwXLk=
 github.com/google/go-containerregistry v0.17.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
@@ -740,12 +742,12 @@ github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/go-sev-guest v0.9.3 h1:GOJ+EipURdeWFl/YYdgcCxyPeMgQUWlI056iFkBD8UU=
 github.com/google/go-sev-guest v0.9.3/go.mod h1:hc1R4R6f8+NcJwITs0L90fYWTsBpd1Ix+Gur15sqHDs=
-github.com/google/go-tdx-guest v0.2.3-0.20231011100059-4cf02bed9d33 h1:lRlUusuieEuqljjihCXb+Mr73VNitOYPJYWXzJKtBWs=
-github.com/google/go-tdx-guest v0.2.3-0.20231011100059-4cf02bed9d33/go.mod h1:84ut3oago/BqPXD4ppiGXdkZNW3WFPkcyAO4my2hXdY=
+github.com/google/go-tdx-guest v0.3.1 h1:gl0KvjdsD4RrJzyLefDOvFOUH3NAJri/3qvaL5m83Iw=
+github.com/google/go-tdx-guest v0.3.1/go.mod h1:/rc3d7rnPykOPuY8U9saMyEps0PZDThLk/RygXm04nE=
 github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
 github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
-github.com/google/go-tpm-tools v0.4.2 h1:iyaCPKt2N5Rd0yz0G8ANa022SgCNZkMpp+db6QELtvI=
-github.com/google/go-tpm-tools v0.4.2/go.mod h1:fGUDZu4tw3V4hUVuFHmiYgRd0c58/IXivn9v3Ea/ck4=
+github.com/google/go-tpm-tools v0.4.4 h1:oiQfAIkc6xTy9Fl5NKTeTJkBTlXdHsxAofmQyxBKY98=
+github.com/google/go-tpm-tools v0.4.4/go.mod h1:T8jXkp2s+eltnCDIsXR84/MTcVU9Ja7bh3Mit0pa4AY=
 github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
 github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=

lib/tpm/proto.go

@@ -0,0 +1,74 @@
+/*
+ * Teleport
+ * Copyright (C) 2024  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package tpm
+
+import (
+	"github.com/google/go-attestation/attest"
+
+	"github.com/gravitational/teleport/api/client/proto"
+)
+
+// AttestationParametersToProto converts an attest.AttestationParameters to
+// its protobuf representation.
+func AttestationParametersToProto(in attest.AttestationParameters) *proto.TPMAttestationParameters {
+	return &proto.TPMAttestationParameters{
+		Public:            in.Public,
+		CreateData:        in.CreateData,
+		CreateAttestation: in.CreateAttestation,
+		CreateSignature:   in.CreateSignature,
+	}
+}
+
+// AttestationParametersFromProto extracts an attest.AttestationParameters from
+// its protobuf representation.
+func AttestationParametersFromProto(in *proto.TPMAttestationParameters) attest.AttestationParameters {
+	if in == nil {
+		return attest.AttestationParameters{}
+	}
+	return attest.AttestationParameters{
+		Public:            in.Public,
+		CreateData:        in.CreateData,
+		CreateAttestation: in.CreateAttestation,
+		CreateSignature:   in.CreateSignature,
+	}
+}
+
+// EncryptedCredentialToProto converts an attest.EncryptedCredential to
+// its protobuf representation.
+func EncryptedCredentialToProto(in *attest.EncryptedCredential) *proto.TPMEncryptedCredential {
+	if in == nil {
+		return nil
+	}
+	return &proto.TPMEncryptedCredential{
+		CredentialBlob: in.Credential,
+		Secret:         in.Secret,
+	}
+}
+
+// EncryptedCredentialFromProto extracts an attest.EncryptedCredential from
+// its protobuf representation.
+func EncryptedCredentialFromProto(in *proto.TPMEncryptedCredential) *attest.EncryptedCredential {
+	if in == nil {
+		return nil
+	}
+	return &attest.EncryptedCredential{
+		Credential: in.CredentialBlob,
+		Secret:     in.Secret,
+	}
+}

lib/tpm/proto_test.go

@@ -0,0 +1,52 @@
+/*
+ * Teleport
+ * Copyright (C) 2024  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package tpm
+
+import (
+	"testing"
+
+	"github.com/google/go-attestation/attest"
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/utils"
+)
+
+func TestAttestationParametersProto(t *testing.T) {
+	want := attest.AttestationParameters{
+		Public:            []byte("public"),
+		CreateData:        []byte("create_data"),
+		CreateAttestation: []byte("create_attestation"),
+		CreateSignature:   []byte("create_signature"),
+	}
+	pb := AttestationParametersToProto(want)
+	clonedPb := utils.CloneProtoMsg(pb)
+	got := AttestationParametersFromProto(clonedPb)
+	require.Equal(t, want, got)
+}
+
+func TestEncryptedCredentialProto(t *testing.T) {
+	want := &attest.EncryptedCredential{
+		Credential: []byte("encrypted_credential"),
+		Secret:     []byte("secret"),
+	}
+	pb := EncryptedCredentialToProto(want)
+	clonedPb := utils.CloneProtoMsg(pb)
+	got := EncryptedCredentialFromProto(clonedPb)
+	require.Equal(t, want, got)
+}