chrisfenner / tpm-spam Goto Github PK
View Code? Open in Web Editor NEWSemantic Platform Attestation Measurements
License: BSD 3-Clause "New" or "Revised" License
Semantic Platform Attestation Measurements
License: BSD 3-Clause "New" or "Revised" License
There are 3 packages:
The Policy.go part of helpers
should be broken up into some smaller libraries, e.g.:
TpmState
There should not be a library called helpers
. They are all helpers.
For a 64-byte NV index, having a policy hash bloats the size in flash by around 50% (attributes, size, and other small bits of metadata aside).
If there is a way to make spams write-once in practice without a policy, we should switch to it. For example, we could use WriteLock to lock the index after writing it, and use TPMA_NV_WRITE_STCLEAR
to ensure that WRITTEN
and WRITELOCKED
both get cleared on TPM reset or restart.
This might increase the number of Orderly spams supported by the reference implementation (#22) from 6 to 8 or 9.
fmt.Errorf
With the initial barebones implementation complete, I see some interesting things:
There are a couple of options:
The only reason I can think of to do (2) other than "someone else might think of a reason later, we could just be universally compatible from time t=0" is that some firmware TPM implementations have a "dark period" where writes to NV and DA counters have to fail (because there is actually no access to persistent NV during this time).
proto is nice for imagining policies that come from a machine, but as can be seen in the examples, it's pretty heavyweight for human-readable spam policies.
Consider something like YAML:
vs. JSON:
Open question: should there be a way to invalidate a previously-written spam? For example, a kernel might need to kexec another kernel, but invalidate its own spam. This would need to not result in the spam becoming writable again.
For example, every spam could have a policy that allows writing all zeros into it, even if written. This would mean sticking with the NvWritten policy and not switching over to a lock mechanism (#23).
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.