### Importing ServiceAccount Credentials to TPMs

Sample procedure to encrypt a GCP service account RSA key such that it is loadable on specific TPMs.

This procedure saves the key reference to non-volatile memory, which persists through power cycles. However, there are a limited number of NV slots available (7 per TPM, I think). The long-term plan is to allow full persistence via go-tpm-tools ([Allow persistence client.Key()](https://github.com/google/go-tpm-tools/issues/349)) and move away from NVRAM slots.

also see

* [Sealing RSA and Symmetric keys with GCP vTPMs](https://github.com/salrashid123/gcp_tpm_sealed_keys#sealed-asymmetric-key)
* [TPMTokenSource](https://github.com/salrashid123/oauth2#usage-tpmtokensource)

## Laptop

For each TPM, get the ekCert and extract the public key (or just get the ekPub):

```bash
# if using GCE
gcloud compute instances get-shielded-identity instance-2 --format="value(encryptionKey.ekPub)"

# if you have the ekcert
openssl x509 -pubkey -noout -in ekcert.pem > ekpub.pem
```

or, if you are _on the machine with the target TPM_, you can get the ekPublic key using tpm2_tools:

```bash
# if using tpm2_tools
tpm2_createek -c primary.ctx -G rsa -u ek.pub -Q
tpm2_readpublic -c primary.ctx -o primary.pub
tpm2_readpublic -c primary.ctx -o ekpub.pem -f PEM -Q

# if using go-tpm-tools, see
### https://github.com/salrashid123/tpm2/blob/master/gcp_ek_ak/main.go#L94-L111
```

#### create a service account and download a key, note the keyID

```bash
gcloud iam service-accounts keys list --iam-account=tpm-sa@core-eso.iam.gserviceaccount.com
KEY_ID                                    CREATED_AT            EXPIRES_AT            DISABLED
71b831d149e4667809644840cda2e7e0080035d5  2023-08-24T19:57:32Z  9999-12-31T23:59:59Z            <<<<<<<<<<<<<<<<<<<<<<<<
```

note the svc account key is formatted as an `RSA PRIVATE KEY` (this is just because the implementation i have...)

```bash
$ cat /tmp/key_rsa.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA6ila7sGempkwfThV8DqjZJe2WsYdIw9QF25w/br55NM9fLRj
```

eg

```bash
cat svc_account.json | jq -r '.private_key_id'
71b831d149e4667809644840cda2e7e0080035d5

cat svc_account.json | jq -r '.private_key' > f.key
openssl rsa -out /tmp/key_rsa.pem -traditional -in f.key
```

#### Seal

```
$ git clone https://github.com/salrashid123/gcp_tpm_sealed_keys
$ go run asymmetric/seal/main.go \
   --rsaKeyFile=/tmp/key_rsa.pem \
   --sealedOutput=sealed.dat \
   --ekPubFile=/tmp/ek.pem \
   --v=10 -alsologtostderr
```

then copy `sealed.dat` to the vm

```bash
scp sealed.dat to vm
```

## on vm

```bash
$ git clone https://github.com/salrashid123/gcp_tpm_sealed_keys
$ go run asymmetric/import/main.go --importSigningKeyFile=/tmp/sealed.dat --persistentHandle=0x81008001 --bindPCRValue=23 --flush=all --v=2 -alsologtostderr --evict=false
I0825 18:51:28.375322    5654 main.go:52] ======= Init importSigningKey ========
I0825 18:51:28.411068    5654 main.go:87] ======= Loading EndorsementKeyRSA ========
I0825 18:51:28.419475    5654 main.go:94] ======= Loading sealedkey ========
I0825 18:51:28.419722    5654 main.go:105] ======= Loading ImportSigningKey ========
I0825 18:51:28.481885    5654 main.go:148] ======= Signing Data with Key Handle ========
I0825 18:51:28.490727    5654 main.go:210] Test Signature: yt5tjN+idFUrJk1+Z3nSErlIp9BImGpFF+xPzB1x+gpx+6TI7H0+TsAglHBF0SKvxoLIM1yVpAW8/XFwj1ywmwJt7Uo99SuIKp/ignNvwfk+NKspI7CZFw70RbGdBEbWiYLbiQqV09Or3K8kStX9mudGlSdbD4UBNTYMt67lyXFV7CW8aqyKw4R0LKq8WVRW3q8kolowwmFeG3YkwpiVtZGrr30t9Jwbfkpmk7nS4UdupgzbJGU2WgSCL0dwrUwtDKvAw5g/wrT+PDbd4ahaDuvTaxLYftMSWz4dj+C//3AwDOdziaWPe52KbPoBcLAiuYpORUhD+6w6UtjYgVzn3A==
```

```bash
# tpm2_getcap handles-persistent
- 0x81008000
```

## call gcp apis

see code at

* [https://github.com/salrashid123/oauth2/tree/master#post-step-a-b-or-c](https://github.com/salrashid123/oauth2/tree/master#post-step-a-b-or-c)

```
# go run main --persistentHandle=0x81008000 -serviceAccountEmail="tpm-sa@core-eso.iam.gserviceaccount.com" -keyId=71b831d149e4667809644840cda2e7e0080035d5
2023/08/25 19:25:45 ======= Init ========
2023/08/25 19:25:45 Token: ya29.c.b0Aaek...
2023/08/25 19:25:45 core-eso-bucket
2023/08/25 19:25:45 core-eso_cloudbuild
```

also see [https://github.com/salrashid123/gcp_tpm_sealed_keys#duplicate-and-transfer-using-endorsement-key](https://github.com/salrashid123/gcp_tpm_sealed_keys#duplicate-and-transfer-using-endorsement-key)

---
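What the "call gcp apis" step above relies on is that the imported key signs the service account's JWT assertion, which the token endpoint then exchanges for the `ya29...` access token. The following is an added example, not code from the oauth2 or gcp_tpm_sealed_keys projects: it builds and verifies that RS256 assertion through the `crypto.Signer` interface, using the service account email and key ID from this page and a freshly generated in-memory RSA key as a constructed stand-in for the key behind the persistent handle (a TPM library would hand you the same interface for the persistent key).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// SelfSignedJWT builds the RS256 assertion the token endpoint exchanges for an access token.
// The key is used only through crypto.Signer, so the TPM-held key can replace the in-memory one.
func SelfSignedJWT(signer crypto.Signer, email, keyID, scope string, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{"iss": email, "scope": scope,
		"aud": "https://oauth2.googleapis.com/token", "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput)) // only this digest crosses into the TPM
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256) // RSASSA-PKCS1-v1_5 over SHA-256
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyJWT checks the signature with the public half, as the token endpoint does
// against the public key registered under keyID for the service account.
func VerifyJWT(token string, pub *rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token: want 3 segments, got %d", len(parts))
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the TPM-held key
	tok, err := SelfSignedJWT(key, "tpm-sa@core-eso.iam.gserviceaccount.com", "71b831d149e4667809644840cda2e7e0080035d5", "https://www.googleapis.com/auth/cloud-platform", time.Now())
	fmt.Println("signed:", err == nil, "verifies:", VerifyJWT(tok, &key.PublicKey) == nil)
}
```

The private key never leaves the signer: the same call works when `signer` is backed by the persistent handle, which is the whole point of sealing the key to the TPM instead of keeping the PEM on disk.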