Introduce TPM event log infrastructure
This adds support for reading the local TPM event log and for parsing the
resulting blob. Reading the log is implemented as part of our TPM library, but
for reading and processing the event log binary structure we rely on Google's
go-attestation. Since they don't separate their event log processing from the rest
of the package, I imported the relevant files here directly.
Since TPM event logs are really terrible (see included workarounds and
https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md)
it's probably a bad idea to use them for anything where we can avoid it.
So this will likely only be used for EFI boot / secure boot attestation and
everything we measure will be part of our TPM library with a much less insane format.
Test Plan:
Manually smoke-tested using a custom fixture on a Ryzen 3000 fTPM.
We cannot really test this until we have a way of generating and loading
secure boot keys since an empty secure boot setup generates no events.
X-Origin-Diff: phab/D622
GitOrigin-RevId: e730a3ea69c4055e411833c80530f630d77788e4
diff --git a/core/pkg/tpm/eventlog/BUILD.bazel b/core/pkg/tpm/eventlog/BUILD.bazel
new file mode 100644
index 0000000..fd73133
--- /dev/null
+++ b/core/pkg/tpm/eventlog/BUILD.bazel
@@ -0,0 +1,17 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+ name = "go_default_library",
+ srcs = [
+ "compat.go",
+ "eventlog.go",
+ "secureboot.go",
+ ],
+ importpath = "git.monogon.dev/source/nexantic.git/core/pkg/tpm/eventlog",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//core/pkg/tpm/eventlog/internal:go_default_library",
+ "@com_github_google_certificate_transparency_go//x509:go_default_library",
+ "@com_github_google_go_tpm//tpm2:go_default_library",
+ ],
+)