For #30476
Contributor doc updates: https://github.com/fleetdm/fleet/pull/31371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Automated certificate renewal is now supported, including
proof-of-possession for enhanced security.
* Certificate renewal can be triggered when the existing certificate is
within 180 days of expiration.
* Dynamic configuration of certificate validity period via environment
variable.
* Improved TPM hardware integration for certificate management.
* **Bug Fixes**
* Enhanced error handling and logging for TPM device closure and
certificate operations.
* **Tests**
* Extended integration tests to cover certificate renewal flows, host
deletion, and TPM-based scenarios for improved reliability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For #31048
This change includes some refactoring of orbit code. No functional
changes. Moved non-Linux-specific code from `securehw_linux.go` to
`securehw_tpm.go` so that tests on any platform can use it.
There are no server changes impacting the upcoming 4.72 release. Just
tests.
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced a new TPM 2.0-based secure hardware interface, enabling
creation, loading, and management of ECC keys within a TPM device.
* Added support for both standard and RFC 9421-compatible HTTP
signatures using TPM-backed keys.
* **Bug Fixes**
* Improved error handling and resource management for TPM operations.
* **Tests**
* Added comprehensive unit tests for TPM key file loading scenarios.
* Introduced integration tests using a simulated TPM device to validate
end-to-end secure hardware and SCEP workflows.
* **Chores**
* Updated dependencies for enhanced compatibility and security.
* Modernized build constraints for improved maintainability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
One last change for #28818.
Do we need these `TPM2_ContextSave` command calls?
This PR is working for me. Double checking with @getvictor in case he
thinks there's a need for these commands.
#31047
We were storing public key bytes and encrypted private key bytes as raw
files called `tpm_cms_pub.blob` and `tpm_cms_priv.blob` respectively.
This PR changes to use a better format on a single file that looks like
this:
```
"-----BEGIN TSS2 PRIVATE KEY-----"
[...]
"-----END TSS2 PRIVATE KEY-----"
```
(We haven't released this feature yet so we don't need a migration.)
#30461
This PR contains the changes for the happy path.
On a separate PR we will be adding tests and further fixes for edge
cases.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)).
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for using a TPM-backed key and SCEP-issued certificate
to sign HTTP requests, enhancing security through hardware-based key
management.
* Introduced new CLI and environment flags to enable TPM-backed client
certificates for Linux packages and Orbit.
* Added a local HTTPS proxy that automatically signs requests using the
TPM-backed key.
* **Bug Fixes**
* Improved cleanup and restart behavior when authentication fails with a
host identity certificate.
* **Tests**
* Added comprehensive tests for SCEP client functionality and TPM
integration.
* **Chores**
* Updated scripts and documentation to support TPM-backed client
certificate packaging and configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
