treewide: switch to gomod and bump everything
This switches version resolution from fietsje to gomod and updates
all Go dependencies. It also bumps rules_go (required by gVisor) and
switches the Gazelle naming convention from go_default_xxx to the
standard Bazel convention of the default target having the package
name.
Since Kubernetes dropped upstream Bazel support and doesn't check in
all generated files, I manually pregenerated the OpenAPI spec. This
should be fixed, but because of the already-huge scope of this CL
and the rebase complexity this is not in here.
Change-Id: Iec8ea613d06946882426c2f9fad5bda7e8aaf833
Reviewed-on: https://review.monogon.dev/c/monogon/+/639
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
Reviewed-by: Leopold Schabel <leo@nexantic.com>
diff --git a/metropolis/pkg/tpm/BUILD.bazel b/metropolis/pkg/tpm/BUILD.bazel
index da2154a..4873a82 100644
--- a/metropolis/pkg/tpm/BUILD.bazel
+++ b/metropolis/pkg/tpm/BUILD.bazel
@@ -1,7 +1,7 @@
load("@io_bazel_rules_go//go:def.bzl", "go_library")
go_library(
- name = "go_default_library",
+ name = "tpm",
srcs = [
"credactivation_compat.go",
"tpm.go",
@@ -9,15 +9,15 @@
importpath = "source.monogon.dev/metropolis/pkg/tpm",
visibility = ["//metropolis:__subpackages__"],
deps = [
- "//metropolis/pkg/logtree:go_default_library",
- "//metropolis/pkg/sysfs:go_default_library",
- "//metropolis/pkg/tpm/proto:go_default_library",
+ "//metropolis/pkg/logtree",
+ "//metropolis/pkg/sysfs",
+ "//metropolis/pkg/tpm/proto",
"@com_github_golang_protobuf//proto:go_default_library",
- "@com_github_google_go_tpm//tpm2:go_default_library",
- "@com_github_google_go_tpm//tpmutil:go_default_library",
- "@com_github_google_go_tpm_tools//tpm2tools:go_default_library",
- "@com_github_pkg_errors//:go_default_library",
- "@org_golang_x_crypto//nacl/secretbox:go_default_library",
- "@org_golang_x_sys//unix:go_default_library",
+ "@com_github_google_go_tpm//tpm2",
+ "@com_github_google_go_tpm//tpmutil",
+ "@com_github_google_go_tpm_tools//client",
+ "@com_github_pkg_errors//:errors",
+ "@org_golang_x_crypto//nacl/secretbox",
+ "@org_golang_x_sys//unix",
],
)
diff --git a/metropolis/pkg/tpm/credactivation_compat.go b/metropolis/pkg/tpm/credactivation_compat.go
index a6710ae..24766a7 100644
--- a/metropolis/pkg/tpm/credactivation_compat.go
+++ b/metropolis/pkg/tpm/credactivation_compat.go
@@ -46,7 +46,7 @@
)
func generateRSA(aik *tpm2.HashValue, pub *rsa.PublicKey, symBlockSize int, secret []byte, rnd io.Reader) ([]byte, []byte, error) {
- newAIKHash, err := aik.Alg.HashConstructor()
+ aikHash, err := aik.Alg.Hash()
if err != nil {
return nil, nil, err
}
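Review bot: The error from `aik.Alg.Hash()` on the new line is returned bare, while the other failure paths visible in generateRSA add context (`generating encrypted seed: %v`, `generating HMAC key: %v`); for consistency wrap it: `return nil, nil, fmt.Errorf("resolving AIK hash algorithm: %w", err)`. This check also matters more than it looks: `crypto.Hash.New()` panics when the hash implementation is not linked into the binary, and as far as I recall go-tpm's `Hash()` is what rejects unavailable algorithms, so a one-line comment such as `// Hash() fails for unsupported/unlinked hashes, so aikHash.New() below cannot panic.` would help the next reader. generateRSA's body continues past the hunk.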
@@ -63,7 +63,7 @@
// Encrypt the seed value using the provided public key.
// See annex B, section 10.4 of the TPM specification revision 2 part 1.
label := append([]byte(labelIdentity), 0)
- encSecret, err := rsa.EncryptOAEP(newAIKHash(), rnd, pub, seed, label)
+ encSecret, err := rsa.EncryptOAEP(aikHash.New(), rnd, pub, seed, label)
if err != nil {
return nil, nil, fmt.Errorf("generating encrypted seed: %v", err)
}
@@ -95,12 +95,12 @@
// Generate the integrity HMAC, which is used to protect the integrity of the
// encrypted structure.
// See section 24.5 of the TPM specification revision 2 part 1.
- macKey, err := tpm2.KDFa(aik.Alg, seed, labelIntegrity, nil, nil, newAIKHash().Size()*8)
+ macKey, err := tpm2.KDFa(aik.Alg, seed, labelIntegrity, nil, nil, aikHash.Size()*8)
if err != nil {
return nil, nil, fmt.Errorf("generating HMAC key: %v", err)
}
- mac := hmac.New(newAIKHash, macKey)
+ mac := hmac.New(aikHash.New, macKey)
mac.Write(encIdentity)
mac.Write(aikNameEncoded)
integrityHMAC := mac.Sum(nil)
diff --git a/metropolis/pkg/tpm/eventlog/BUILD.bazel b/metropolis/pkg/tpm/eventlog/BUILD.bazel
index a678808..7bbd464 100644
--- a/metropolis/pkg/tpm/eventlog/BUILD.bazel
+++ b/metropolis/pkg/tpm/eventlog/BUILD.bazel
@@ -1,7 +1,7 @@
load("@io_bazel_rules_go//go:def.bzl", "go_library")
go_library(
- name = "go_default_library",
+ name = "eventlog",
srcs = [
"compat.go",
"eventlog.go",
@@ -10,8 +10,8 @@
importpath = "source.monogon.dev/metropolis/pkg/tpm/eventlog",
visibility = ["//metropolis:__subpackages__"],
deps = [
- "//metropolis/pkg/tpm/eventlog/internal:go_default_library",
- "@com_github_google_certificate_transparency_go//x509:go_default_library",
- "@com_github_google_go_tpm//tpm2:go_default_library",
+ "//metropolis/pkg/tpm/eventlog/internal",
+ "@com_github_google_certificate_transparency_go//x509",
+ "@com_github_google_go_tpm//tpm2",
],
)
diff --git a/metropolis/pkg/tpm/eventlog/internal/BUILD.bazel b/metropolis/pkg/tpm/eventlog/internal/BUILD.bazel
index d4730aa..f134e7c 100644
--- a/metropolis/pkg/tpm/eventlog/internal/BUILD.bazel
+++ b/metropolis/pkg/tpm/eventlog/internal/BUILD.bazel
@@ -1,12 +1,12 @@
load("@io_bazel_rules_go//go:def.bzl", "go_library")
go_library(
- name = "go_default_library",
+ name = "internal",
srcs = ["events.go"],
importpath = "source.monogon.dev/metropolis/pkg/tpm/eventlog/internal",
visibility = ["//metropolis/pkg/tpm/eventlog:__subpackages__"],
deps = [
- "@com_github_google_certificate_transparency_go//asn1:go_default_library",
- "@com_github_google_certificate_transparency_go//x509:go_default_library",
+ "@com_github_google_certificate_transparency_go//asn1",
+ "@com_github_google_certificate_transparency_go//x509",
],
)
diff --git a/metropolis/pkg/tpm/proto/BUILD.bazel b/metropolis/pkg/tpm/proto/BUILD.bazel
index 7d7ee86..81c42e6 100644
--- a/metropolis/pkg/tpm/proto/BUILD.bazel
+++ b/metropolis/pkg/tpm/proto/BUILD.bazel
@@ -6,7 +6,7 @@
name = "proto_proto",
srcs = ["tpm.proto"],
visibility = ["//visibility:public"],
- deps = ["@com_github_google_go_tpm_tools//proto:proto_proto"], #keep
+ deps = ["@com_github_google_go_tpm_tools//proto/tpm:tpm_proto"], #keep
)
go_proto_library(
@@ -14,11 +14,11 @@
importpath = "source.monogon.dev/metropolis/pkg/tpm/proto",
proto = ":proto_proto",
visibility = ["//visibility:public"],
- deps = ["@com_github_google_go_tpm_tools//proto:go_default_library"], #keep
+ deps = ["@com_github_google_go_tpm_tools//proto/tpm"], #keep
)
go_library(
- name = "go_default_library",
+ name = "proto",
embed = [":proto_go_proto"],
importpath = "source.monogon.dev/metropolis/pkg/tpm/proto",
visibility = ["//visibility:public"],
diff --git a/metropolis/pkg/tpm/proto/tpm.proto b/metropolis/pkg/tpm/proto/tpm.proto
index 29b74aa..9f86291 100644
--- a/metropolis/pkg/tpm/proto/tpm.proto
+++ b/metropolis/pkg/tpm/proto/tpm.proto
@@ -2,7 +2,7 @@
option go_package = "source.monogon.dev/metropolis/pkg/tpm/proto";
package metropolis.pkg.tpm;
-import "proto/tpm.proto";
+import "proto/tpm/tpm.proto";
// ExtendedSealedBytes contains data sealed by a TPM2 via an indirection to
// allow for more than 128 bytes of payload. It seals an ephemeral key for
@@ -10,7 +10,7 @@
// key.
message ExtendedSealedBytes {
// The secretbox key, as sealed by the TPM.
- .proto.SealedBytes sealed_key = 1;
+ .tpm.SealedBytes sealed_key = 1;
// The encrypted box contents.
bytes encrypted_payload = 2;
}
\ No newline at end of file
diff --git a/metropolis/pkg/tpm/tpm.go b/metropolis/pkg/tpm/tpm.go
index fe7c698..2b7d20d 100644
--- a/metropolis/pkg/tpm/tpm.go
+++ b/metropolis/pkg/tpm/tpm.go
@@ -32,7 +32,7 @@
"time"
"github.com/golang/protobuf/proto"
- "github.com/google/go-tpm-tools/tpm2tools"
+ tpm2tools "github.com/google/go-tpm-tools/client"
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpmutil"
"github.com/pkg/errors"
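Review bot: The renamed upstream package is imported under its old name on the new import line (`tpm2tools "github.com/google/go-tpm-tools/client"`), which hides the move from `tpm2tools` to `client` from anyone cross-referencing the go-tpm-tools documentation. Either import it as `client` and rename the call sites, or add a short comment on the import line, e.g. `// aliased to keep call sites unchanged after the tpm2tools -> client rename`. The import block continues outside the hunk.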
@@ -247,7 +247,7 @@
// therefore we can just leave it all-zero.
var unusedNonce [24]byte
encryptedData := secretbox.Seal(nil, data, &unusedNonce, &boxKeyArr)
- sealedKey, err := srk.Seal(pcrs, boxKey)
+ sealedKey, err := srk.Seal(boxKey, tpm2tools.SealOpts{Current: tpm2.PCRSelection{Hash: tpm2.AlgSHA256, PCRs: pcrs}})
if err != nil {
return []byte{}, fmt.Errorf("failed to seal boxKey: %w", err)
}
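Review bot: The PCR bank is hard-coded inline as `tpm2.AlgSHA256` in the new Seal call; which bank the sealed key is bound to is a security-relevant choice that presumably has to agree with what the unseal path and the PCR-list logging assume, so it belongs in a documented package constant, e.g. `// pcrBank is the PCR bank TPM-sealed keys are bound to.` followed by `const pcrBank = tpm2.AlgSHA256`, used as `tpm2.PCRSelection{Hash: pcrBank, PCRs: pcrs}`. `SealOpts{Current: ...}` binds the key to the PCR values read at call time, which only preserves the old behaviour if the previous tpm2tools Seal also used the SHA-256 bank — worth confirming against the old dependency and stating in a comment. The enclosing function continues outside the hunk.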
@@ -286,7 +286,7 @@
pcrList = append(pcrList, string(pcr))
}
tpm.logger.Infof("Attempting to unseal key protected with PCRs %s", strings.Join(pcrList, ","))
- unsealedKey, err := srk.Unseal(sealedBytes.SealedKey)
+ unsealedKey, err := srk.Unseal(sealedBytes.SealedKey, tpm2tools.UnsealOpts{})
if err != nil {
return []byte{}, errors.Wrap(err, "failed to unseal key")
}
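Review bot: The empty `tpm2tools.UnsealOpts{}` on the new line deserves a comment, because a reader can easily take it to mean no PCR check happens on unseal; as far as I understand the library, the PCR policy is enforced by the TPM through the sealed object's auth policy regardless, and the options only add an extra certification of current PCR values, so something like `// No UnsealOpts needed: the TPM enforces the sealed object's PCR policy itself.` would make that explicit. Separately, the touched call still wraps its error with `errors.Wrap` while the Seal path in this file uses `fmt.Errorf(..., %w)`; `return []byte{}, fmt.Errorf("failed to unseal key: %w", err)` would be consistent and lets the package shed pkg/errors. The enclosing function starts before the hunk.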
@@ -460,7 +460,7 @@
}
defer tpm2.FlushContext(tpm.device, endorsementSession)
- _, err = tpm2.PolicySecret(tpm.device, tpm2.HandleEndorsement, tpm2.AuthCommand{Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession}, endorsementSession, nil, nil, nil, 0)
+ _, _, err = tpm2.PolicySecret(tpm.device, tpm2.HandleEndorsement, tpm2.AuthCommand{Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession}, endorsementSession, nil, nil, nil, 0)
if err != nil {
return []byte{}, fmt.Errorf("failed to make a policy secret session: %w", err)
}
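Review bot: The new line discards two of PolicySecret's three results with `_` and gives no reason; with the `expiry` argument set to 0 the TPM does not issue a usable policy ticket or timeout, so the discard is fine but should be documented, e.g. `// expiry is 0, so no policy ticket/timeout is issued; both results are intentionally discarded.` The enclosing function starts and ends outside the hunk.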