Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/ee/orbit/pkg/securehw/securehw_linux.go
Victor Lyuboslavsky d1992aa983
Added integration test for TPM. (#31315) 
For #31048

This change includes some refactoring of orbit code. No functional
changes. Moved non-Linux-specific code from `securehw_linux.go` to
`securehw_tpm.go` so that tests on any platform can use it.

There are no server changes impacting the upcoming 4.72 release. Just
tests.

# Checklist for submitter

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## fleetd/orbit/Fleet Desktop

- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Introduced a new TPM 2.0-based secure hardware interface, enabling
creation, loading, and management of ECC keys within a TPM device.
* Added support for both standard and RFC 9421-compatible HTTP
signatures using TPM-backed keys.

* **Bug Fixes**
  * Improved error handling and resource management for TPM operations.

* **Tests**
  * Added comprehensive unit tests for TPM key file loading scenarios.
* Introduced integration tests using a simulated TPM device to validate
end-to-end secure hardware and SCEP workflows.

* **Chores**
  * Updated dependencies for enhanced compatibility and security.
  * Modernized build constraints for improved maintainability.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-29 20:21:09 +02:00

42 lines
1.3 KiB
Go
Raw Blame History

//go:build linux
package securehw
import (
"errors"
"fmt"
"path/filepath"
"github.com/google/go-tpm/tpm2/transport/linuxtpm"
"github.com/rs/zerolog"
)
const tpm20DevicePath = "/dev/tpmrm0"
// Creates a new SecureHW instance using TPM 2.0 for Linux.
// It attempts to open the TPM device using the provided configuration.
func newSecureHW(metadataDir string, logger zerolog.Logger) (SecureHW, error) {
if metadataDir == "" {
return nil, errors.New("required metadata directory not set")
}
logger.Info().Msg("initializing TPM 2.0 connection")
// Open the TPM 2.0 resource manager, which
// - Provides managed access to TPM resources, allowing multiple applications to share the TPM safely.
// - Used by the TPM2 Access Broker and Resource Manager (tpm2-abrmd or the kernel resource manager).
device, err := linuxtpm.Open(tpm20DevicePath)
if err != nil {
return nil, ErrSecureHWUnavailable{
Message: fmt.Sprintf("failed to open TPM 2.0 device %q: %s", tpm20DevicePath, err.Error()),
}
}
logger.Info().Str("device_path", tpm20DevicePath).Msg("successfully opened TPM 2.0 device")
return &tpm2SecureHW{
device: device,
logger: logger.With().Str("component", "securehw-tpm").Logger(),
keyFilePath: filepath.Join(metadataDir, "host_identity_tpm.pem"),
}, nil
}
Reference in a new issue View git blame Copy permalink