commit | a50e845df333a4d7531793e3fed61ca8411384f5 | [log] [tgz] |
---|---|---|
author | Lorenz Brun <lorenz@nexantic.com> | Wed Sep 09 17:09:27 2020 +0200 |
committer | Lorenz Brun <lorenz@nexantic.com> | Wed Sep 09 17:09:27 2020 +0200 |
tree | d27ebc111fce076181d9ddda5c06882334f91823 | |
parent | ed0503cbe3c2d85d138f2604b87d73417be6c940 [diff] |
Introduce TPM event log infrastructure

This adds support for reading the local TPM event log and for parsing the resulting blob. Reading the log is implemented as part of our TPM library, but for reading and processing the event log binary structure we rely on Google's go-attestation. Since they don't separate their event log processing from the rest of the package, I imported the relevant files here directly.

Since TPM event logs are really terrible (see included workarounds and https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md) it's probably a bad idea to use them for anything where we can avoid it. So this will likely only be used for EFI boot / secure boot attestation and everything we measure will be part of our TPM library with a much less insane format.

Test Plan: Manually smoke-tested using a custom fixture on a Ryzen 3000 fTPM. We cannot really test this until we have a way of generating and loading secure boot keys since an empty secure boot setup generates no events.

X-Origin-Diff: phab/D622
GitOrigin-RevId: e730a3ea69c4055e411833c80530f630d77788e4
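The commit message above describes reading the event log and parsing the resulting blob. As an added example, not code from this commit or from go-attestation, here is a minimal Go parser for the legacy TCG_PCR_EVENT (SHA-1 only) entry layout: it holds each entry's declared size against the bytes that actually remain, and it recognises the EV_NO_ACTION "Spec ID Event03" header that marks a TPM 2.0 crypto-agile log. The sample log bytes are constructed, not taken from a real TPM.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// legacyHeader is the fixed 32-byte prefix of every TCG_PCR_EVENT (SHA-1 only) log entry.
type legacyHeader struct {
	PCRIndex, Type uint32
	Digest         [20]byte
	Size           uint32 // byte length of the event data that follows the header
}

// Event is one parsed entry: the fixed header plus its variable-length data.
type Event struct {
	legacyHeader
	Data []byte
}

// ParseLegacyLog walks a TCG_PCR_EVENT log; a declared size that runs past the blob is an error.
func ParseLegacyLog(raw []byte) ([]Event, error) {
	var events []Event
	for off := 0; off < len(raw); {
		var h legacyHeader
		if err := binary.Read(bytes.NewReader(raw[off:]), binary.LittleEndian, &h); err != nil || int(h.Size) > len(raw)-off-32 {
			return nil, fmt.Errorf("event %d at offset %d: truncated header or oversized entry", len(events), off)
		}
		events = append(events, Event{h, raw[off+32 : off+32+int(h.Size)]})
		off += 32 + int(h.Size)
	}
	return events, nil
}

// IsCryptoAgile reports whether entry 0 is the EV_NO_ACTION (type 3) Spec ID header on PCR 0 that marks a TPM 2.0 crypto-agile log.
func IsCryptoAgile(events []Event) bool {
	return len(events) > 0 && events[0].PCRIndex == 0 && events[0].Type == 3 &&
		bytes.HasPrefix(events[0].Data, []byte("Spec ID Event03\x00"))
}

// SampleLog is a constructed two-entry log: the Spec ID header (EV_NO_ACTION), then EV_SEPARATOR (4) on PCR 7.
func SampleLog() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, legacyHeader{0, 3, [20]byte{}, 16})
	b.WriteString("Spec ID Event03\x00") // 16 bytes, matching Size above
	binary.Write(&b, binary.LittleEndian, legacyHeader{7, 4, [20]byte{}, 4})
	b.Write([]byte{0, 0, 0, 0})
	return b.Bytes()
}
```

In a crypto-agile log only the first entry uses this legacy layout; the entries after it carry one digest per algorithm and need the TCG 2.0 event structures, which this example does not parse.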
This is the monorepo storing all of nexantic's internal projects and libraries.
We assume a Fedora host system provisioned using rW, and IntelliJ as the IDE.
For better reproducibility, all builds are executed in containers.
- Spinning up: `scripts/create_container.sh`
- Spinning down: `scripts/destroy_container.sh`
- Running commands: `scripts/run_in_container.sh <...>`
- Using Bazel through a wrapper script: `scripts/bin/bazel <...>` (add it to your local `$PATH` for convenience)
Launch the node:

```
bazel run //:launch
```

Run a kubectl command:

```
bazel run //core/cmd/dbg -- kubectl describe
```
This repository is compatible with the IntelliJ Bazel plugin. All commands run inside the container, and necessary paths are mapped into the container.
We check the entire .ijwb project directory into the repository, which requires everyone to use the latest version of both IntelliJ and the Bazel plugin, but eliminates manual setup steps.
The following steps are necessary:

1. Install Google's official Bazel plugin in IntelliJ.
2. Add the absolute path to your `~/.cache/bazel-nxt` folder to your `idea64.vmoptions` (Help → Edit Custom VM Options) and restart IntelliJ:
   ```
   -Dbazel.bep.path=/home/leopold/.cache/bazel-nxt
   ```
3. Set "Bazel Binary Location" in Other Settings → Bazel Settings to the absolute path of `scripts/bin/bazel`. This is a wrapper that will execute Bazel inside the container.
4. Open the `.ijwb` folder as the IntelliJ project.
5. Disable Vgo support for the project.
6. Run a non-incremental sync in IntelliJ.

The plugin will automatically resolve paths for generated files.

If you do not use IntelliJ, you need to use the `scripts/bazel_copy_generated_for_ide.sh` script to copy the generated files locally.