ThalesIgnite / go-tpm-tools

Go packages built on go-tpm providing a high-level API for using TPMs

Go-TPM tools

The go-tpm-tools module is a TPM 2.0 support library designed to complement Go-TPM.

It contains the following public packages:

  • client: A Go package providing simplified abstractions and utility functions for interacting with a TPM 2.0, including:
    • Signing
    • Attestation
    • Reading PCRs
    • Sealing/Unsealing data
    • Importing Data and Keys
    • Reading NVData
    • Getting the TCG Event Log
  • server: A Go package providing functionality for a remote server to send, receive, and interpret TPM 2.0 data. None of the functions in this package issue TPM commands; instead they handle:
    • TCG Event Log parsing
    • Attestation verification
    • Creating data for Importing into a TPM
  • proto: Common Protocol Buffer messages that are exchanged between the client and server libraries. This package also contains helper methods for validating these messages.
  • simulator: Go bindings to Microsoft's TPM 2.0 simulator.
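As an added illustration of what the server side does with a client's event log (this is example code written for this page, not code from go-tpm-tools, and it does not use the module's API): the parser below reads a crypto-agile TCG event log, and the replay recomputes the SHA-256 PCR bank from it so the result can be compared with the PCRs a TPM quote reports. The names (Event, cursor, ParseEventLog, ReplayPCRs, SampleLog) are this example's own, the log is constructed in code rather than captured from firmware, and its digests are filler bytes rather than real measurements. It assumes Go 1.19 or newer for binary.LittleEndian.AppendUint32/AppendUint16.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"io"
)

const algSHA1, algSHA256, evNoAction = 0x0004, 0x000B, 0x00000003 // TPM_ALG_SHA1, TPM_ALG_SHA256, EV_NO_ACTION
var digestSize = map[uint16]uint32{algSHA1: 20, algSHA256: 32}      // digest length of each bank
type Event struct { // one TCG_PCR_EVENT2 record, reduced to its SHA-256 digest and event data
	PCR, Type uint32
	Digest    [32]byte
	Data      []byte
}

// cursor walks the log with a sticky error: a truncated or forged length becomes io.ErrUnexpectedEOF, never a panic or a huge allocation.
type cursor struct {
	buf []byte
	err error
}
func (c *cursor) take(n uint32) (b []byte) {
	if c.err == nil && uint64(n) > uint64(len(c.buf)) {
		c.err = io.ErrUnexpectedEOF
	} else if c.err == nil {
		b, c.buf = c.buf[:n], c.buf[n:]
	}
	return b
}
func (c *cursor) num(n uint32) (v uint64) { // n-byte little-endian integer; zero once an error is pending
	for i, b := range c.take(n) {
		v |= uint64(b) << (8 * uint(i))
	}
	return v
}

// ParseEventLog parses a crypto-agile TCG event log: a SHA-1 format TCG_PCClientPCREvent carrying the
// "Spec ID Event03" header, then TCG_PCR_EVENT2 records whose digest list may hold several banks.
func ParseEventLog(log []byte) ([]Event, error) {
	c := &cursor{buf: log}
	pcr, typ, _, spec := c.num(4), c.num(4), c.take(20), c.take(uint32(c.num(4))) // PCRIndex, EventType, zero SHA-1 digest, Spec ID body
	if c.err != nil || pcr != 0 || typ != evNoAction || !bytes.HasPrefix(spec, []byte("Spec ID Event03\x00")) {
		return nil, fmt.Errorf("not a crypto-agile (Spec ID Event03) log")
	}
	var events []Event
	for len(c.buf) > 0 {
		ev := Event{PCR: uint32(c.num(4)), Type: uint32(c.num(4))}
		count, seen := c.num(4), false
		for i := uint64(0); i < count && c.err == nil; i++ {
			alg := uint16(c.num(2))
			size, ok := digestSize[alg]
			if d := c.take(size); !ok && c.err == nil {
				return nil, fmt.Errorf("event %d: unknown digest algorithm 0x%04x", len(events), alg)
			} else if alg == algSHA256 && d != nil { // other banks are stepped over by their size
				copy(ev.Digest[:], d)
				seen = true
			}
		}
		ev.Data = c.take(uint32(c.num(4)))
		if c.err != nil {
			return nil, fmt.Errorf("event %d: %w", len(events), c.err)
		} else if !seen {
			return nil, fmt.Errorf("event %d: no SHA-256 digest", len(events))
		}
		events = append(events, ev)
	}
	return events, nil
}

// ReplayPCRs recomputes the SHA-256 bank as the TPM did at boot: every PCR starts at zero and each event extends it as PCR = SHA256(PCR || digest).
func ReplayPCRs(events []Event) map[uint32][32]byte {
	pcrs := map[uint32][32]byte{}
	for _, ev := range events {
		cur := pcrs[ev.PCR]
		pcrs[ev.PCR] = sha256.Sum256(append(cur[:], ev.Digest[:]...))
	}
	return pcrs
}

// SampleLog is a constructed log, not one captured from firmware: a Spec ID header declaring SHA-1 and SHA-256 banks, then events for PCR 0, 7 and 4 whose digests are filler bytes rather than real hashes.
func SampleLog() []byte {
	le := binary.LittleEndian
	spec := append([]byte("Spec ID Event03\x00"), 0, 0, 0, 0, 0, 2, 0, 2, 2, 0, 0, 0) // PlatformClass, v2.0 errata 0, UintnSize, NumberOfAlgorithms=2
	spec = append(le.AppendUint16(le.AppendUint16(le.AppendUint16(le.AppendUint16(spec, algSHA1), 20), algSHA256), 32), 0) // DigestSizes table, VendorInfoSize=0
	b := append(le.AppendUint32(le.AppendUint32(nil, 0), evNoAction), make([]byte, 20)...) // PCRIndex 0, EV_NO_ACTION, zeroed SHA-1 digest
	b = append(le.AppendUint32(b, uint32(len(spec))), spec...)                             // EventSize, then the Spec ID body
	for _, e := range []struct{ pcr, typ uint32; fill byte; data string }{{0, 0x8, 0x11, "CRTM version 1.0"}, {7, 0x80000001, 0x22, "SecureBoot=1"}, {4, 0x80000003, 0x33, `\EFI\BOOT\BOOTX64.EFI`}} {
		b = le.AppendUint32(le.AppendUint32(le.AppendUint32(b, e.pcr), e.typ), 2) // PCRIndex, EventType, two digests follow
		b = append(le.AppendUint16(b, algSHA1), bytes.Repeat([]byte{e.fill}, 20)...)
		b = append(le.AppendUint16(b, algSHA256), bytes.Repeat([]byte{e.fill}, 32)...)
		b = append(le.AppendUint32(b, uint32(len(e.data))), e.data...)
	}
	return b
}

func main() {
	events, err := ParseEventLog(SampleLog())
	fmt.Printf("%d events, err=%v, replayed PCR 4 = %x\n", len(events), err, ReplayPCRs(events)[4])
}
```

A replay that differs from the PCR values in the quote means the log is altered or incomplete and cannot be used to explain the attested state; the other half of attestation verification, checking the quote's signature with the attestation key and that the quoted PCR selection covers what was replayed, is not shown here. Every length and count in the log comes from the (untrusted) client, which is why the parser bounds each read by the bytes remaining instead of allocating what the field claims.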

This repository also contains gotpm, a command line tool for using the TPM. Run gotpm --help and gotpm <command> --help for more documentation.

Building and Installing gotpm

gotpm can be directly installed from this repo by running:

go install github.com/google/go-tpm-tools/cmd/gotpm@latest
# gotpm will be installed to $GOBIN
gotpm --help

Alternatively, to build gotpm from a cloned version of this repo, run:

cd /my/path/to/cloned/go-tpm-tools
go build ./cmd/gotpm
# gotpm will be in the root of the repo
./gotpm --help

Minimum Required Go Version

This project currently requires Go 1.16 or newer. Any update to the minimum required Go version will be released as a minor version update.

trousers errors when building server

When building the server library (or tests) you may get an error that looks like:

fatal error: trousers/tss.h: No such file or directory
   17 | // #include <trousers/tss.h>
      |           ^~~~~~~~~~~~~~~~
compilation terminated.

This is because the server library (indirectly) depends on TrouSerS's libtspi, a TPM 1.2 software-stack library, so its headers must be present at build time even though this module does not use TPM 1.2. This is a temporary dependency (tracking issue). To fix this error, install libtspi by running:

sudo apt install libtspi-dev

openssl errors when building simulator

Similarly, when building the simulator library (or tests), you may get an error that looks like:

fatal error: openssl/aes.h: No such file or directory
   47 | // #include <openssl/aes.h>
      |           ^~~~~~~~~~~~~~~~
compilation terminated.

This is because the simulator library depends on having the OpenSSL headers installed. To fix this error, install them by running:

sudo apt install libssl-dev

macOS Dev

On macOS, go build and go test fail by default with the error ld: library not found for -lcrypto, because the simulator's cgo code links against OpenSSL's libcrypto. Fix it by installing OpenSSL and pointing cgo at its include and lib directories.

These commands were tested on macOS 10.15.7 (Catalina).

Install OpenSSL

  1. Install Homebrew
  2. brew install openssl
  3. cd /usr/local/include
  4. sudo ln -s $(brew --prefix openssl)/include/openssl .

To point the simulator at OpenSSL as provided by Homebrew, there are a couple of options. Both use the output of $(brew --prefix openssl) as $OPENSSL_PATH.

Add OpenSSL to the include and library path at the command line

This solution does not require modifying go-tpm-tools code and is useful when working on other projects that depend on go-tpm-tools/simulator.

C_INCLUDE_PATH="$OPENSSL_PATH/include" LIBRARY_PATH="$OPENSSL_PATH/lib" go test ...

Add OpenSSL to the include and library path in the code

This solution modifies your local copy of the go-tpm-tools simulator source and removes the need to provide the paths on the command line. Note that cgo does not expand shell variables in #cgo directives (only ${SRCDIR} is substituted), so write the literal directory that $(brew --prefix openssl) prints in place of $OPENSSL_PATH.

Remember to remove the lines from simulator/internal/internal.go before committing changes.

// #cgo CFLAGS: -I $OPENSSL_PATH/include
// #cgo LDFLAGS: -L$OPENSSL_PATH/lib

No TPM 1.2 support

Unlike Go-TPM (which supports TPM 1.2 and TPM 2.0), this module explicitly only supports TPM 2.0. TPM 1.2 is limited to SHA-1 for its PCRs and signatures, and SHA-1 collisions have been practical since 2017, so users should avoid TPM 1.2.

Legal

Copyright 2018 Google Inc. under the Apache 2.0 License. Microsoft's TPM simulator code is licensed under a 3-clause BSD license and the TCG software license. See the LICENSE file for more information.

This is not an official Google product.
