Review comments for TPM attestation
Lots of comments and an updated boot test. Generously increase the timeout to eliminate random CI failures.
Test Plan: Boot test works
Bug: T499
X-Origin-Diff: phab/D319
GitOrigin-RevId: cf17fe7c599f670ff8b6f0ac60486f2a04f13a5a
diff --git a/core/internal/api/nodemanagement.go b/core/internal/api/nodemanagement.go
index 2becd00..f193d5c 100644
--- a/core/internal/api/nodemanagement.go
+++ b/core/internal/api/nodemanagement.go
@@ -109,7 +109,7 @@
func (s *Server) TPM2Unlock(unlockServer api.NodeManagementService_TPM2UnlockServer) error {
nonce := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
- return status.Error(codes.Unavailable, "failed to get randonmess")
+ return status.Error(codes.Unavailable, "failed to get randomness")
}
if err := unlockServer.Send(&api.TPM2UnlockFlowResponse{
Stage: &api.TPM2UnlockFlowResponse_UnlockInit{
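Review bot: The err returned by io.ReadFull on the line above the corrected message is dropped, so a failing rand.Reader reaches the client only as the fixed text "failed to get randomness" with nothing to diagnose it by; the two later hunks in this file (the challengeNonce and nonce reads in the registration flow) have the same pattern. Keeping the client-facing status generic is fine, but the cause should be logged server-side or, if no logger is in scope here, carried in the status with `return status.Errorf(codes.Unavailable, "failed to get randomness: %v", err)`. The three identical 32-byte nonce blocks would also fit a small helper such as `newNonce() ([]byte, error)` so the size and the error text live in one place. TPM2Unlock's body continues past the end of this hunk.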
@@ -191,7 +191,7 @@
challengeNonce := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, challengeNonce); err != nil {
- return status.Error(codes.Unavailable, "failed to get randonmess")
+ return status.Error(codes.Unavailable, "failed to get randomness")
}
challenge, challengeBlob, err := tpm.MakeAKChallenge(registerReq.EkPubkey, registerReq.AkPublic, challengeNonce)
if err != nil {
@@ -199,7 +199,7 @@
}
nonce := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
- return status.Error(codes.Unavailable, "failed to get randonmess")
+ return status.Error(codes.Unavailable, "failed to get randomness")
}
if err := registerServer.Send(&api.TPM2FlowResponse{Stage: &api.TPM2FlowResponse_AttestRequest{AttestRequest: &api.TPM2AttestRequest{
AkChallenge: challenge,
diff --git a/core/internal/integrity/common.go b/core/internal/integrity/common.go
index 6850a12..52196ce 100644
--- a/core/internal/integrity/common.go
+++ b/core/internal/integrity/common.go
@@ -33,6 +33,7 @@
)
// Agent specifices the interface which every integrity agent needs to fulfill
+// TODO: This interface is not yet used, we call the TPM2 agent directly.
type Agent interface {
// Initialize needs to be called once and initializes the systems required to maintain integrity
// on the given platform.
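Review bot: The added `// TODO:` line sits directly between Agent's doc comment and `type Agent interface`, so godoc will render it as part of the interface documentation; either separate it from the doc comment with a blank line or phrase it as an intentional part of the doc text. The context line just above it still reads `specifices`; since this commit is a comment cleanup pass, it should become `// Agent specifies the interface which every integrity agent needs to fulfill.`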
@@ -42,8 +43,8 @@
// Initialize returns the cryptographic identity that it's bound to.
Initialize(newNode api.NewNodeInfo, enrolment api.EnrolmentConfig) (string, error)
- // Unlock performs all required actions to assure the integrity of the platform and retrieves
- // the unlock key in a secure manner
+ // Unlock performs all required actions to assure the integrity of the platform and securely retrieves
+ // the unlock key.
Unlock(enrolment api.EnrolmentConfig) ([]byte, error)
}