fleet/ee/orbit/pkg/securehw/example_linux_test.go

//go:build linux

package securehw_test

import (
	"crypto"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
	"os"
	"testing"

	"github.com/fleetdm/fleet/v4/ee/orbit/pkg/securehw"
	"github.com/rs/zerolog"
)

func TestExampleTPM20Linux(t *testing.T) {
	if os.Geteuid() != 0 {
		t.Skip("Test needs to be run as root")
	}
	if _, err := os.Stat("/dev/tpmrm0"); err != nil {
		t.Skip("Could not read TPM 2.0 device")
	}

	logger := zerolog.New(zerolog.NewConsoleWriter()).With().Timestamp().Logger()
	tmpDir := t.TempDir()

	t.Run("CreateKey", func(t *testing.T) {
		teeDevice, err := securehw.New(tmpDir, logger)
		if err != nil {
			log.Fatalf("Failed to initialize SecureHW: %v", err)
		}
		defer teeDevice.Close()

		// Create an ECC key in the SecureHW (automatically selects best curve)
		key, err := teeDevice.CreateKey()
		if err != nil {
			log.Fatalf("Failed to create key: %v", err)
		}
		defer key.Close()

		// Get a signer for the key
		signer, err := key.Signer()
		if err != nil {
			log.Fatalf("Failed to get signer: %v", err)
		}

		// Sign some data
		message := []byte("Hello, SecureHW!")
		hash := sha256.Sum256(message)
		signature, err := signer.Sign(rand.Reader, hash[:], crypto.SHA256)
		if err != nil {
			log.Fatalf("Failed to sign: %v", err)
		}

		fmt.Printf("Signature created: %x\n", signature)
	})

	t.Run("LoadKey", func(t *testing.T) {
		teeDevice, err := securehw.New(tmpDir, logger)
		if err != nil {
			log.Fatalf("Failed to initialize SecureHW: %v", err)
		}
		defer teeDevice.Close()

		// Later, load the key back from the saved blobs
		key, err := teeDevice.LoadKey()
		if err != nil {
			log.Fatalf("Failed to load key: %v", err)
		}
		defer key.Close()

		fmt.Println("Key successfully loaded")

		// Get a signer for the key
		signer, err := key.Signer()
		if err != nil {
			log.Fatalf("Failed to get signer: %v", err)
		}

		// Sign some data
		message := []byte("Hello, SecureHW!")
		hash := sha256.Sum256(message)
		signature, err := signer.Sign(rand.Reader, hash[:], crypto.SHA256)
		if err != nil {
			log.Fatalf("Failed to sign: %v", err)
		}

		fmt.Printf("Signature created: %x\n", signature)
	})
}
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`//go:build linux`

			`package securehw_test`

			`import (`
			`"crypto"`
			`"crypto/rand"`
			`"crypto/sha256"`
			`"fmt"`
			`"log"`
			`"os"`
			`"testing"`

			`"github.com/fleetdm/fleet/v4/ee/orbit/pkg/securehw"`
			`"github.com/rs/zerolog"`
			`)`

			`func TestExampleTPM20Linux(t *testing.T) {`
			`if os.Geteuid() != 0 {`
			`t.Skip("Test needs to be run as root")`
			`}`
			`if _, err := os.Stat("/dev/tpmrm0"); err != nil {`
			`t.Skip("Could not read TPM 2.0 device")`
			`}`

			`logger := zerolog.New(zerolog.NewConsoleWriter()).With().Timestamp().Logger()`
			`tmpDir := t.TempDir()`

			`t.Run("CreateKey", func(t *testing.T) {`
			`teeDevice, err := securehw.New(tmpDir, logger)`
			`if err != nil {`
Rename flags and types for TPM work (#31176) Victor suggested the following renames on previous PRs: - Consider updating TEE terminology to SecureHW or TPM. - https://fleetdm.slack.com/archives/C084F4MKYSJ/p1752834365688019?thread_ts=1752600813.175889&cid=C084F4MKYSJ 2025-07-23 17:30:44 +00:00			`log.Fatalf("Failed to initialize SecureHW: %v", err)`
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`}`
			`defer teeDevice.Close()`

Rename flags and types for TPM work (#31176) Victor suggested the following renames on previous PRs: - Consider updating TEE terminology to SecureHW or TPM. - https://fleetdm.slack.com/archives/C084F4MKYSJ/p1752834365688019?thread_ts=1752600813.175889&cid=C084F4MKYSJ 2025-07-23 17:30:44 +00:00			`// Create an ECC key in the SecureHW (automatically selects best curve)`
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`key, err := teeDevice.CreateKey()`
			`if err != nil {`
			`log.Fatalf("Failed to create key: %v", err)`
			`}`
			`defer key.Close()`

			`// Get a signer for the key`
			`signer, err := key.Signer()`
			`if err != nil {`
			`log.Fatalf("Failed to get signer: %v", err)`
			`}`

			`// Sign some data`
Rename flags and types for TPM work (#31176) Victor suggested the following renames on previous PRs: - Consider updating TEE terminology to SecureHW or TPM. - https://fleetdm.slack.com/archives/C084F4MKYSJ/p1752834365688019?thread_ts=1752600813.175889&cid=C084F4MKYSJ 2025-07-23 17:30:44 +00:00			`message := []byte("Hello, SecureHW!")`
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`hash := sha256.Sum256(message)`
			`signature, err := signer.Sign(rand.Reader, hash[:], crypto.SHA256)`
			`if err != nil {`
			`log.Fatalf("Failed to sign: %v", err)`
			`}`

			`fmt.Printf("Signature created: %x\n", signature)`
			`})`

			`t.Run("LoadKey", func(t *testing.T) {`
			`teeDevice, err := securehw.New(tmpDir, logger)`
			`if err != nil {`
Rename flags and types for TPM work (#31176) Victor suggested the following renames on previous PRs: - Consider updating TEE terminology to SecureHW or TPM. - https://fleetdm.slack.com/archives/C084F4MKYSJ/p1752834365688019?thread_ts=1752600813.175889&cid=C084F4MKYSJ 2025-07-23 17:30:44 +00:00			`log.Fatalf("Failed to initialize SecureHW: %v", err)`
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`}`
			`defer teeDevice.Close()`

			`// Later, load the key back from the saved blobs`
			`key, err := teeDevice.LoadKey()`
			`if err != nil {`
			`log.Fatalf("Failed to load key: %v", err)`
			`}`
			`defer key.Close()`

			`fmt.Println("Key successfully loaded")`

			`// Get a signer for the key`
			`signer, err := key.Signer()`
			`if err != nil {`
			`log.Fatalf("Failed to get signer: %v", err)`
			`}`

			`// Sign some data`
Rename flags and types for TPM work (#31176) Victor suggested the following renames on previous PRs: - Consider updating TEE terminology to SecureHW or TPM. - https://fleetdm.slack.com/archives/C084F4MKYSJ/p1752834365688019?thread_ts=1752600813.175889&cid=C084F4MKYSJ 2025-07-23 17:30:44 +00:00			`message := []byte("Hello, SecureHW!")`
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`hash := sha256.Sum256(message)`
			`signature, err := signer.Sign(rand.Reader, hash[:], crypto.SHA256)`
			`if err != nil {`
			`log.Fatalf("Failed to sign: %v", err)`
			`}`

			`fmt.Printf("Signature created: %x\n", signature)`
			`})`
			`}`