README.md (+59 -2)
@@ -21,7 +21,6 @@ see the [example/](example/) folder for more information.
21
21
22
22
---
23
23
24
-
>> **NOTE** there will be a breaking change if you are using this library for TPM based signature after `v0.8.0`. The new structure uses the [tpm-direct](https://github.com/google/go-tpm/releases/tag/v0.9.0) API. If you would rather use the tpm2/legacy branch, please use the signer at [v0.7.2](https://github.com/salrashid123/signer/releases/tag/v0.7.2). This change also *removes* the library managed device. The caller must provide a pre-authorized key (there was no way the library could authorize the variety of auth sessions...it must be provided in)
25
24
26
25
27
26
>> this library is not supported by google
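Review bot: Removing the breaking-change notice at old line 24 leaves nothing near the top of the README telling users of TPM based signing that releases after `v0.8.0` changed the API; the replacement text now sits around line 80, after the certgen instructions. Consider keeping a one-line pointer here to the TPM section. The removed text also said the change "*removes* the library managed device", while the replacement says managed and unmanaged handles are both retained, so it would help to state which release each statement applies to.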
@@ -70,8 +69,66 @@ go run certgen/certgen.go -cn server.domain.com
>> **NOTE** there will be a breaking change if you are using this library for TPM based signature after `v0.8.0`. The new structure uses the [tpm-direct](https://github.com/google/go-tpm/releases/tag/v0.9.0) API. If you would rather use the tpm2/legacy branch, please use the signer at [v0.7.2](https://github.com/salrashid123/signer/releases/tag/v0.7.2). While this repo still retain managed and unmanaged handles to the TPM device, its recommended to to manage it externally if you need complex authorization...if its simple authorization like pcr and password or if you need concurrent, non blocking of the TPM device, use library managed handle. For externally manged, just remember to open-sign-close as the device is locking.
81
+
82
+
For TPM Signer, there are two modes of operation:
83
+
84
+
* managed externally
85
+
86
+
The TPM device is managed externally outside of the signer. You have to instantiate the TPM device ReadWriteCloser and client.Key outside of the library and pass that in.
87
+
88
+
The advantage of this is you control it opening and closing. You must close the key and closer before calling another signing operation. THis sounds ok but is problematic when dealing with long-running processes which may need to hang on to the tpm (for example you use the singer for an TLS server)
89
+
90
+
if you want to manage it externally,
91
+
92
+
```golang
93
+
// this blocks access to the tpm by other processes
94
+
// until rwc.Close() is closed
95
+
rwc, err:=OpenTPM(*tpmPath)
96
+
rwr:= transport.FromReadWriter(rwc)
97
+
98
+
pub, err:= tpm2.ReadPublic{
99
+
ObjectHandle: tpm2.TPMHandle(*handle),
100
+
}.Execute(rwr)
101
+
102
+
r, err:= saltpm.NewTPMCrypto(&saltpm.TPM{
103
+
TpmDevice: rwc,
104
+
AuthHandle: &tpm2.AuthHandle{
105
+
Handle: tpm2.TPMHandle(*handle),
106
+
Name: pub.Name,
107
+
Auth: tpm2.PasswordAuth(nil),
108
+
},
109
+
})
110
+
// the tpm is opened and then closed after every sign operation
This is the preferred mode: you just pass the uint32 handle for the key and the path to the tpm device as string and the library opens/closes it as needed.
117
+
118
+
If the device is busy or the TPM is in use during invocation, the operation will fail.
119
+
120
+
121
+
```golang
122
+
r, err:= saltpm.NewTPMCrypto(&saltpm.TPM{
123
+
TpmPath: *tpmPath,
124
+
KeyHandle: tpm2.TPMHandle(*handle).HandleValue(),
125
+
PCRs: []uint{},
126
+
AuthPassword: []byte(""),
127
+
})
128
+
129
+
// the tpm is opened and then closed after every sign operation
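Review bot: The closing comment of the externally managed snippet (new line 110), `// the tpm is opened and then closed after every sign operation`, describes the library-managed mode and contradicts the comment at lines 93-94 saying the device stays blocked until `rwc.Close()`; drop it or replace it with a line showing the caller closing the device. The same snippet reassigns `err` across `OpenTPM`, `ReadPublic` and `NewTPMCrypto` without checking it and never calls `rwc.Close()`, although the text says the caller must close before the next signing operation. The note at line 80 recommends external management for complex authorization, while the library-managed section is called "the preferred mode"; state one default and the condition for choosing the other. Both snippets authorize with an empty password (`tpm2.PasswordAuth(nil)`, `AuthPassword: []byte("")`), which is worth marking as a placeholder value. Typos to fix in the added text: "to to", "manged", "THis", "singer", "an TLS".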