treewide: switch to gomod and bump everything
This switches version resolution from fietsje to gomod and updates
all Go dependencies. It also bumps rules_go (required by gVisor) and
switches the Gazelle naming convention from go_default_xxx to the
standard Bazel convention of the default target having the package
name.
Since Kubernetes dropped upstream Bazel support and doesn't check in
all generated files, I manually pregenerated the OpenAPI spec. This
should be fixed, but given the already-huge scope of this CL and the
rebase complexity, that fix is not included here.
Change-Id: Iec8ea613d06946882426c2f9fad5bda7e8aaf833
Reviewed-on: https://review.monogon.dev/c/monogon/+/639
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
Reviewed-by: Leopold Schabel <leo@nexantic.com>
diff --git a/metropolis/pkg/tpm/tpm.go b/metropolis/pkg/tpm/tpm.go
index fe7c698..2b7d20d 100644
--- a/metropolis/pkg/tpm/tpm.go
+++ b/metropolis/pkg/tpm/tpm.go
@@ -32,7 +32,7 @@
"time"
"github.com/golang/protobuf/proto"
- "github.com/google/go-tpm-tools/tpm2tools"
+ tpm2tools "github.com/google/go-tpm-tools/client"
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpmutil"
"github.com/pkg/errors"
@@ -247,7 +247,7 @@
// therefore we can just leave it all-zero.
var unusedNonce [24]byte
encryptedData := secretbox.Seal(nil, data, &unusedNonce, &boxKeyArr)
- sealedKey, err := srk.Seal(pcrs, boxKey)
+ sealedKey, err := srk.Seal(boxKey, tpm2tools.SealOpts{Current: tpm2.PCRSelection{Hash: tpm2.AlgSHA256, PCRs: pcrs}})
if err != nil {
return []byte{}, fmt.Errorf("failed to seal boxKey: %w", err)
}
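Review bot: The PCR selection passed to `srk.Seal` is built straight from `pcrs` with the bank fixed to `tpm2.AlgSHA256`, and nothing visible in this hunk rejects an empty list. As far as I can tell, an empty selection makes the library seal without a PCR policy, so the blob would not be bound to any measured boot state. If that is never intended, a guard such as `if len(pcrs) == 0 { return []byte{}, fmt.Errorf("no PCRs given to seal against") }` before the call would make it explicit. The hard-coded bank also deserves a comment, for example `// Seal against the current SHA-256 bank values of pcrs.`. The enclosing function starts and ends outside the hunk, so an earlier check may already exist.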
@@ -286,7 +286,7 @@
pcrList = append(pcrList, string(pcr))
}
tpm.logger.Infof("Attempting to unseal key protected with PCRs %s", strings.Join(pcrList, ","))
- unsealedKey, err := srk.Unseal(sealedBytes.SealedKey)
+ unsealedKey, err := srk.Unseal(sealedBytes.SealedKey, tpm2tools.UnsealOpts{})
if err != nil {
return []byte{}, errors.Wrap(err, "failed to unseal key")
}
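Review bot: Passing an empty `tpm2tools.UnsealOpts{}` means no certification of the seal-time PCR values is requested, so this unseal appears to be gated only by the PCR policy stored in the sealed blob. If that is the intended trust model, say so at the call site, e.g. `// No seal-time PCR certification; the TPM policy alone gates the unseal.`. Separately, if `pcr` is an integer type (its declaration is outside the hunk), `string(pcr)` in the context line above yields a code point rather than the decimal number and would garble the PCR list in this log line; `strconv.Itoa(int(pcr))` would print the numbers. The enclosing function continues outside the hunk.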
@@ -460,7 +460,7 @@
}
defer tpm2.FlushContext(tpm.device, endorsementSession)
- _, err = tpm2.PolicySecret(tpm.device, tpm2.HandleEndorsement, tpm2.AuthCommand{Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession}, endorsementSession, nil, nil, nil, 0)
+ _, _, err = tpm2.PolicySecret(tpm.device, tpm2.HandleEndorsement, tpm2.AuthCommand{Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession}, endorsementSession, nil, nil, nil, 0)
if err != nil {
return []byte{}, fmt.Errorf("failed to make a policy secret session: %w", err)
}