Support a separate identity for the test PCA/ACA in cryptohomed and attestationd |
||||
Issue descriptionThe code in attestation.cc uses a separate identity for the default and the alternate PCAs, but not for the test one. Add one for the test one and use it as needed. In attestation_service.cc for attestationd, do the same for the test ACA. Note: separated into two bugs. See chromium:849899
,
Mar 27 2018
The code actually uses a single identity but multiple encrypted endorsement credentials. We want actual multiple identities.
,
Mar 28 2018
,
Jun 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/773ac7d0e6efd8d06b7190c7ec28ca2e2bade96d commit 773ac7d0e6efd8d06b7190c7ec28ca2e2bade96d Author: Yves Arrouye <drcrash@google.com> Date: Sat Jun 02 00:44:55 2018 cryptohome: Support multiple identities/PCAs simultaneously Move identity-related data into better entities (names here from their types in AttestationDatabase, see attestation.proto): - Identity: AIK and other TPM-generated identity data (e.g. PCR quotes) - Identity Certificate: An association between an identity and PCA data (the PCA itself and the PCA-signed AIK certificate) These entities allow us to use create as many Identities as we would like, and to enroll any of those Identities with any or all of the PCAs. This in turns allows (will allow, see below) one to present multiple identities to any PCA. Create one Identity when preparing for enrollment, and encrypt endorsement credentials for all known PCAs. Allow enrollment of any Identity with any PCA. For now, only the one Identity we create is used by default. Also only create at most one Identity Certificate per PCA. These limitations allow us to keep the existing DBUS API as is while still allowing simultaneous use of the default and test PCAs with the single identity we created. Allow certificate requests to use any Identity Certificate. For now, use the first (and only, given the above) Identity Certificate for the PCA used for the request. This limitation has the same reason as for above. Unit tests check every call against the default and test PCAs as well as initialization and database migration scenarios. See https://paste.googleplex.com/5189305878183936 for manual tests. (My apologies to non-Googlers. These just use a shell script wrapping cryptohome and curl commands to take ownership of the TPM, enroll with the default PCA, request a machine cert from that PCA, then enroll with the test PCA---unavailable outside of Google---before asking it for a machine certificate and then making that same request from the test PCA.) BUG= chromium:768140 TEST=unit tests and manual tests CQ-DEPEND=CL:982820 Change-Id: Ie6175b5e7a9e4256f6f8672b2a114fd4912210f2 Reviewed-on: https://chromium-review.googlesource.com/746146 Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com> Tested-by: Yves Arrouye <drcrash@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> [modify] https://crrev.com/773ac7d0e6efd8d06b7190c7ec28ca2e2bade96d/cryptohome/tpm_manager_v1.cc [modify] https://crrev.com/773ac7d0e6efd8d06b7190c7ec28ca2e2bade96d/cryptohome/attestation.cc [modify] https://crrev.com/773ac7d0e6efd8d06b7190c7ec28ca2e2bade96d/cryptohome/attestation.h [modify] https://crrev.com/773ac7d0e6efd8d06b7190c7ec28ca2e2bade96d/cryptohome/service_monolithic.cc [modify] https://crrev.com/773ac7d0e6efd8d06b7190c7ec28ca2e2bade96d/cryptohome/attestation_unittest.cc [modify] https://crrev.com/773ac7d0e6efd8d06b7190c7ec28ca2e2bade96d/cryptohome/attestation.proto [modify] https://crrev.com/773ac7d0e6efd8d06b7190c7ec28ca2e2bade96d/cryptohome/mock_attestation.h
,
Jun 5 2018
,
Jun 5 2018
,
Jun 25 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/5b95643c8f3cfd81fdb940428b49b34a582eea89 commit 5b95643c8f3cfd81fdb940428b49b34a582eea89 Author: Yves Arrouye <drcrash@google.com> Date: Mon Jun 25 21:03:51 2018 cryptohome: fix documentation and harmonize style Removed reference to non-existence pca_data field. Fixed syntax for deprecated fields to be the same everywhere. Also fixed a couple log messages. BUG= chromium:768140 TEST=N/A Change-Id: I99cc630302ef358fc4da5b112ae247004fc5a8da Reviewed-on: https://chromium-review.googlesource.com/1087548 Commit-Ready: Yves Arrouye <drcrash@chromium.org> Tested-by: Yves Arrouye <drcrash@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> [modify] https://crrev.com/5b95643c8f3cfd81fdb940428b49b34a582eea89/cryptohome/attestation.proto [modify] https://crrev.com/5b95643c8f3cfd81fdb940428b49b34a582eea89/cryptohome/attestation.cc |
||||
►
Sign in to add a comment |
||||
Comment 1 by drcrash@chromium.org
, Oct 31 2017