A Go library for verifying TPM2.0 quotes, useful for performing remote or local attestation of devices to verify system integrity.
- Verify RSA and ECDSA signatures of TPM quotes
- Validation of nonces
- Parse TPM quotes into structured data
- JSON output support
- Mobile support via Gomobile
To use as a Go library in your project:
```bash
go get github.com/Kioubit/tpm2-quote-attest
```
To install the CLI tool globally:
```bash
# Option 1: Install from source (requires Go 1.22+)
go install github.com/Kioubit/tpm2-quote-attest/cmd/tpm2-quote-attest@latest

# Option 2: Clone and build locally
git clone https://github.com/Kioubit/tpm2-quote-attest.git
cd tpm2-quote-attest
make cli
# Binary will be available at ./bin/tpm2-quote-attest
```
```go
package main

import (
	"fmt"
	"os"

	"github.com/Kioubit/tpm2-quote-attest"
)

// mustRead loads a file or aborts, so a failed read never reaches
// verification as empty input.
func mustRead(path string) []byte {
	data, err := os.ReadFile(path)
	if err != nil {
		panic(err)
	}
	return data
}

func main() {
	// Load your files
	publicKey := mustRead("ak_public.pem")
	message := mustRead("quote.out")
	pcrValues := mustRead("quote.pcr")
	signature := mustRead("quote.sig")
	nonce := mustRead("quote.nonce")

	// Validate the quote
	result, err := tpm2quoteattest.Attest(publicKey, message, pcrValues, signature, nonce)
	if err != nil {
		panic(err)
	}

	// Use the validated data
	fmt.Printf("TPM Quote validated successfully\n")
	fmt.Printf("PCR Values: %+v\n", result.PCRValues)
}
```
```bash
# Build the CLI
make cli

# Run attestation
./bin/tpm2-quote-attest \
  -message-file data/quote.out \
  -pcr-file data/quote.pcr \
  -pubKey-file data/ak_public.pem \
  -signature-file data/quote.sig \
  -nonce-file data/quote.nonce
```
The library supports gomobile for use in mobile applications:
```bash
# Generate bindings for Android/iOS
make mobile-android
make mobile-ios
```
Then use in your mobile app:
```java
// Android example
String result = Tpm2ToolMobile.parseAndValidate(publicKey, message, pcr, signature, nonce);
```
The `create-quote.sh` script shows how to create the required keys and how to perform the actual quote generation process.
Validates a TPM quote against provided PCR values, signature, and nonce.
Parameters:
- `publicKey`: PEM-encoded public key used to verify the signature
- `message`: Raw TPM quote message to validate
- `pcrValues`: PCR values in `pcrs_format=values` format
- `signature`: Signature to verify against the message
- `nonce`: Expected nonce value that must match the quote's extra data

Returns:
- `Attested`: Contains the parsed TPM data and verified PCR values
- `error`: Any validation error that occurred
```go
type Attested struct {
	TPMData   TPMSAttest
	PCRValues PCRValues
}
```
Contains the validated TPM quote data and PCR values.
```json
{
  "TPMData": {
    "AttestationType": "TPM_ST_ATTEST_QUOTE",
    "QualifiedSigner": {
      "Name": "AAtjsxXkcLNro2xtN3I9Cn2p0a0mXGV001zs0v4svOX7Pw=="
    },
    "ExtraData": {
      "Data": ""
    },
    "ClockInfo": {
      "Clock": 123456789,
      "ResetCount": 12,
      "RestartCount": 0,
      "Safe": true
    },
    "FirmwareVersion": 123456789012345,
    "Attested": {
      "Quote": {
        "PcrSelect": {
          "Count": 1,
          "PcrSelections": [
            {
              "HashAlgorithm": "TPM_ALG_SHA256",
              "PcrSelect": [1, 2, 3, 4, 5, 6, 7, 8, 9]
            }
          ]
        },
        "PcrDigest": {
          "Buffer": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K="
        }
      }
    }
  },
  "PCRValues": {
    "1": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K",
    "2": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K",
    "3": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K",
    "4": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K",
    "5": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K",
    "6": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K",
    "7": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K",
    "8": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K",
    "9": "ZXhhbXBsZWV4YW1wbGVleGFtcGxlZXhhbXBsZWV4YW0K"
  }
}
```
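A quote that verifies only proves what the TPM reported; whether those measurements are acceptable is a separate verifier-side decision. The following is an added example, not code from this project: it parses JSON of the shape shown above and applies a policy on quote type, a non-empty matching nonce, and expected PCR values. `report`, `Appraise` and `sampleReport` are hypothetical names, the sample data is constructed, and base64 encoding of byte fields is assumed from the sample output.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// report mirrors only the JSON fields inspected here (byte fields assumed base64).
type report struct {
	TPMData struct {
		AttestationType string
		ExtraData       struct{ Data []byte }
	}
	PCRValues map[string][]byte
}

// Appraise (hypothetical) checks quote type, fresh nonce and expected PCR values.
func Appraise(jsonOut, nonce []byte, golden map[string][]byte) error {
	var r report
	if err := json.Unmarshal(jsonOut, &r); err != nil {
		return fmt.Errorf("parse report: %w", err)
	}
	if r.TPMData.AttestationType != "TPM_ST_ATTEST_QUOTE" {
		return fmt.Errorf("unexpected type %q", r.TPMData.AttestationType)
	}
	// An empty challenge would match empty extra data: no replay protection.
	if len(nonce) == 0 || !bytes.Equal(r.TPMData.ExtraData.Data, nonce) {
		return fmt.Errorf("nonce missing or mismatched")
	}
	for idx, want := range golden {
		if got, ok := r.PCRValues[idx]; !ok || !bytes.Equal(got, want) {
			return fmt.Errorf("PCR %s absent or not the expected value", idx)
		}
	}
	return nil
}

// sampleReport builds a constructed report for the demo (no real TPM data).
func sampleReport(nonce, pcr7 []byte) []byte {
	r := report{PCRValues: map[string][]byte{"7": pcr7}}
	r.TPMData.AttestationType, r.TPMData.ExtraData.Data = "TPM_ST_ATTEST_QUOTE", nonce
	out, _ := json.Marshal(r)
	return out
}

func main() {
	pcr7, nonce := bytes.Repeat([]byte{0xAB}, 32), []byte("constructed-nonce")
	fmt.Println(Appraise(sampleReport(nonce, pcr7), nonce, map[string][]byte{"7": pcr7}))
}
```

The `golden` map would normally come from a reference measurement of a known-good build, and the nonce from a per-request random challenge issued by the verifier.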