m/p/tpm: use secretbox with seal/unseal for larger payloads

Natively, the Seal/Unseal operation in the TPM 2.0 specification only
supports up to 128 bytes of payload. If you need to seal more than that,
the specification tells you to generate and seal a key and use that to
encrypt and authenticate the rest of the data. This CL implements said
mechanism transparently as part of the Seal and Unseal functions using
a nacl-compatible secretbox as the authenticated encryption primitive.

Change-Id: I0a724b12aae5e5151d103b52ed13b71c864076ab
Reviewed-on: https://review.monogon.dev/c/monogon/+/626
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
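The envelope scheme the commit message describes (seal small payloads directly, otherwise seal a fresh random key and authenticate-encrypt the rest under it), as an added stand-alone example that is not the Metropolis code from this change. It swaps the nacl secretbox for AES-256-GCM from the Go standard library so it runs without third-party modules; the `Sealer` interface, the `memSealer` stand-in for a TPM, the one-byte mode tag and the length-prefixed envelope layout are all assumptions made for the example, not the project's wire format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// maxSealBytes is the largest payload a TPM 2.0 Seal operation accepts
// directly, the limit the commit message refers to.
const maxSealBytes = 128

// keyLen is the size of the data-encryption key we generate and seal
// when the payload does not fit into a TPM sealed object.
const keyLen = 32

// Sealer abstracts the TPM (hypothetical interface for this example):
// SealRaw/UnsealRaw stand in for TPM2 Seal/Unseal on at most maxSealBytes.
type Sealer interface {
	SealRaw(secret []byte) ([]byte, error)
	UnsealRaw(blob []byte) ([]byte, error)
}

// Envelope layout (assumed for this example, not the project's format):
//   modeDirect   | tpmBlob
//   modeEnvelope | u16 len(tpmBlob) | tpmBlob | nonce | AEAD ciphertext
const (
	modeDirect   = 0x00
	modeEnvelope = 0x01
)

var errFormat = errors.New("malformed sealed blob")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal hides the size limit from the caller: small payloads go straight to
// the TPM, larger ones are encrypted under a fresh key that is sealed instead.
func Seal(s Sealer, payload []byte) ([]byte, error) {
	if len(payload) <= maxSealBytes {
		blob, err := s.SealRaw(payload)
		if err != nil {
			return nil, err
		}
		return append([]byte{modeDirect}, blob...), nil
	}
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	keyBlob, err := s.SealRaw(key)
	if err != nil {
		return nil, err
	}
	if len(keyBlob) > 0xffff {
		return nil, errors.New("sealed key blob too large for u16 length")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The sealed key blob is passed as additional data, so swapping it for a
	// different sealed key is detected when the ciphertext is opened.
	ct := aead.Seal(nil, nonce, payload, keyBlob)
	out := []byte{modeEnvelope, byte(len(keyBlob) >> 8), byte(len(keyBlob))}
	out = append(out, keyBlob...)
	out = append(out, nonce...)
	return append(out, ct...), nil
}

// Unseal reverses Seal and fails on any truncation or tampering.
func Unseal(s Sealer, sealed []byte) ([]byte, error) {
	if len(sealed) == 0 {
		return nil, errFormat
	}
	switch sealed[0] {
	case modeDirect:
		return s.UnsealRaw(sealed[1:])
	case modeEnvelope:
		rest := sealed[1:]
		if len(rest) < 2 {
			return nil, errFormat
		}
		n := int(rest[0])<<8 | int(rest[1])
		rest = rest[2:]
		if len(rest) < n {
			return nil, errFormat
		}
		keyBlob, rest := rest[:n], rest[n:]
		key, err := s.UnsealRaw(keyBlob)
		if err != nil {
			return nil, err
		}
		if len(key) != keyLen {
			return nil, errors.New("unsealed key has unexpected length")
		}
		aead, err := newAEAD(key)
		if err != nil {
			return nil, err
		}
		ns := aead.NonceSize()
		if len(rest) < ns+aead.Overhead() {
			return nil, errFormat
		}
		return aead.Open(nil, rest[:ns], rest[ns:], keyBlob)
	default:
		return nil, errFormat
	}
}

// memSealer is a constructed stand-in for a TPM: it wraps secrets under a
// key that never leaves the struct and enforces the 128-byte limit.
type memSealer struct{ aead cipher.AEAD }

func newMemSealer() (*memSealer, error) {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	aead, err := newAEAD(k)
	if err != nil {
		return nil, err
	}
	return &memSealer{aead: aead}, nil
}

func (m *memSealer) SealRaw(secret []byte) ([]byte, error) {
	if len(secret) > maxSealBytes {
		return nil, fmt.Errorf("seal: %d bytes exceeds TPM limit of %d", len(secret), maxSealBytes)
	}
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return m.aead.Seal(nonce, nonce, secret, nil), nil
}

func (m *memSealer) UnsealRaw(blob []byte) ([]byte, error) {
	ns := m.aead.NonceSize()
	if len(blob) < ns {
		return nil, errFormat
	}
	return m.aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	s, _ := newMemSealer()
	big := bytes.Repeat([]byte("A"), 4096) // constructed sample payload
	sealed, _ := Seal(s, big)
	got, err := Unseal(s, sealed)
	fmt.Println("mode", sealed[0], "roundtrip ok:", err == nil && bytes.Equal(got, big))
}
```

Note that the direct path and the envelope path are distinguished by the leading mode byte, so an `Unseal` caller never needs to know which one `Seal` chose; the only thing the TPM stand-in ever sees on the envelope path is the 32-byte key, which is what keeps it under the 128-byte limit.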
diff --git a/metropolis/pkg/tpm/proto/BUILD.bazel b/metropolis/pkg/tpm/proto/BUILD.bazel
new file mode 100644
index 0000000..7d7ee86
--- /dev/null
+++ b/metropolis/pkg/tpm/proto/BUILD.bazel
@@ -0,0 +1,25 @@
+load("@rules_proto//proto:defs.bzl", "proto_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
+
+proto_library(
+    name = "proto_proto",
+    srcs = ["tpm.proto"],
+    visibility = ["//visibility:public"],
+    deps = ["@com_github_google_go_tpm_tools//proto:proto_proto"],  #keep
+)
+
+go_proto_library(
+    name = "proto_go_proto",
+    importpath = "source.monogon.dev/metropolis/pkg/tpm/proto",
+    proto = ":proto_proto",
+    visibility = ["//visibility:public"],
+    deps = ["@com_github_google_go_tpm_tools//proto:go_default_library"],  #keep
+)
+
+go_library(
+    name = "go_default_library",
+    embed = [":proto_go_proto"],
+    importpath = "source.monogon.dev/metropolis/pkg/tpm/proto",
+    visibility = ["//visibility:public"],
+)
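Review bot: the two `#keep` markers on the `deps` lines of `proto_proto` and `proto_go_proto` pin the `@com_github_google_go_tpm_tools//proto` edges by hand without saying why gazelle cannot resolve them itself; a short comment next to each dep naming the import in `tpm.proto` it satisfies, or a `# gazelle:resolve` directive in the root BUILD file, would make the dependency self-explaining and survive a later gazelle run that rewrites this file. The `tpm.proto` that pulls in go-tpm-tools is not part of this hunk and the commit message does not mention a new proto package at all, so the message should also say what this package defines (presumably the sealed-blob format) and why it depends on go-tpm-tools' protos.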