README
¶
tpmutil
Package tpmutil provides high-level utilities and abstractions for working with TPM 2.0 devices using the go-tpm library.
Features
Smart Handle Management
The package introduces an intelligent Handle abstraction that extends TPM handle functionality:
- Type Identification: Automatically determine handle types (transient, persistent, NV index, etc.) via
Type() - Resource Cleanup:
HandleCloserinterface provides automatic resource management throughClose()which flushes TPM handles - Unified Interface: Work seamlessly with both
tpm2.AuthHandleandtpm2.NamedHandlethrough a common interface
This creates a clean contract for TPM commands that return handles, enabling proper resource lifecycle management.
Example:
// Create a closable handle for automatic cleanup
keyHandle := tpmutil.NewHandleCloser(tpm, &tpm2.NamedHandle{
Handle: createRsp.ObjectHandle,
Name: createRsp.Name,
})
defer keyHandle.Close() // Automatically flushes the handle
// Check handle type
if keyHandle.Type() == tpmutil.TransientHandle {
fmt.Println("This is a transient key")
}
Helper Functions
Sign
Sign() automatically formats signature output based on key type and signature algorithm:
- ECC keys: Returns DER-encoded ECDSA signatures (ASN.1 format with R and S components)
- RSA keys: Returns raw signature bytes, supporting both RSASSA and RSAPSS schemes
Example:
signature, err := tpmutil.Sign(tpm, &tpmutil.SignConfig{
KeyHandle: keyHandle,
Digest: digest,
PublicKey: publicKey,
SignerOpts: crypto.SHA256,
Validation: tpmutil.NullTicket,
})
// signature is ready to use, formatted correctly for the key type
NVRead/NVWrite/Hash: Batch Buffer Management
These functions handle TPM buffer size limitations automatically by splitting large data into chunks:
NVRead(): Reads NV index data in configurable blocks, automatically handling offset managementNVWrite(): Writes data to NV indices in batches (max 2048 bytes), with automatic space allocationHash(): Computes hash digests using TPM's sequence commands for data larger than buffer size
Example:
// Write large data to NV index - automatically batched
data := make([]byte, 1024)
err := tpmutil.NVWrite(tpm, &tpmutil.NVWriteConfig{
Index: 0x01500000,
Data: data,
Hierarchy: tpm2.TPMRHOwner,
})
// Read it back - automatically handles chunking
readData, err := tpmutil.NVRead(tpm, &tpmutil.NVReadConfig{
Index: 0x01500000,
Hierarchy: tpm2.TPMRHOwner,
})
GetSKRHandle: Intelligent Storage Root Key Management
GetSKRHandle() provides smart SRK (Storage Root Key) lifecycle management:
- Search: First attempts to read from the persistent handle location
- Create & Persist: If not found, creates a new SRK and stores it at the specified persistent handle
- Return: Returns a
Handleready for use as a parent key
Supports both ECC and RSA storage root keys.
Example:
// Get or create an ECC SRK at the default persistent handle
srkHandle, err := tpmutil.GetSKRHandle(tpm, &tpmutil.ParentConfig{
KeyType: tpmutil.ECC,
Hierarchy: tpm2.TPMRHOwner,
})
// srkHandle is ready to use as a parent for key creation
// The SRK persists across TPM resets
PCR Format Conversion
Convert between external PCR representations (slices of PCR numbers) and internal TPM formats:
ToTPMLPCRSelection(): Converts PCR numbers totpm2.TPMLPCRSelectionfor use in TPM commandsPCRSelectToPCRs(): Converts PCR selection bitmaps back to PCR numbers
Example:
// Convert PCR numbers to TPM format
selection := tpmutil.ToTPMLPCRSelection([]uint{0, 1, 7}, tpm2.TPMAlgSHA256)
// Use in PolicyPCR, Quote, etc.
// Convert bitmap back to numbers
pcrs := tpmutil.PCRSelectToPCRs([]byte{0x83, 0x00, 0x00}) // Returns []uint{0, 1, 7}
Configuration Pattern
All main functions accept configuration structs that implement the CheckAndSetDefault() pattern for validation and default value handling:
cfg := &tpmutil.HashConfig{
Data: data,
HashAlg: crypto.SHA256,
}
// CheckAndSetDefault() called internally - sets defaults and validates
result, err := tpmutil.Hash(tpm, cfg)
Documentation
¶
Index ¶
- Constants
- Variables
- func EkPolicyCallback(t transport.TPM, handle tpm2.TPMISHPolicy, nonceTPM tpm2.TPM2BNonce) error
- func IsHandleOfType(h Handle, ht HandleType) bool
- func NVRead(t transport.TPM, optionalCfg ...NVReadConfig) ([]byte, error)
- func NVWrite(t transport.TPM, optionalCfg ...NVWriteConfig) error
- func PCRSelectToPCRs(selection []byte) []uint
- func Sign(t transport.TPM, optionalCfg ...SignConfig) ([]byte, error)
- func ToAuthHandle(h Handle, optionalAuth ...tpm2.Session) tpm2.AuthHandle
- func ToTPMLPCRSelection(pcrs []uint, bank tpm2.TPMIAlgHash) tpm2.TPMLPCRSelection
- type CreateConfig
- type CreatePrimaryConfig
- type CreatePrimaryResult
- type CreateResult
- type EKParentConfig
- type ErrHandleNotFound
- type Handle
- func GetEKHandle(t transport.TPM, optionalCfg ...EKParentConfig) (Handle, error)
- func GetSKRHandle(t transport.TPM, optionalCfg ...ParentConfig) (Handle, error)
- func NewHandle(h handle) Handle
- func PersistEK(t transport.TPM, optionalCfg ...EKParentConfig) (Handle, error)
- func ToHandle(t transport.TPM, handle any) (Handle, error)
- type HandleCloser
- func Create(t transport.TPM, optionalCfg ...CreateConfig) (HandleCloser, error)
- func CreatePrimary(t transport.TPM, optionalCfg ...CreatePrimaryConfig) (HandleCloser, error)
- func Load(t transport.TPM, optionalCfg ...LoadConfig) (HandleCloser, error)
- func NewHandleCloser(tpm transport.TPM, h handle) HandleCloser
- type HandleType
- type HashConfig
- type HashResult
- type KeyFamily
- type KeyType
- type LoadConfig
- type NVReadConfig
- type NVWriteConfig
- type ParentConfig
- type SignConfig
- type Target
Constants ¶
View Source
const ( // MaxPCRIndex is the maximum PCR index supported by PC Client TPMs. // // PC Client specification mandates at least 24 PCRs (0-23). MaxPCRIndex = 23 )
Variables ¶
View Source
var ( // SRK handle // // Source: TCG TPM v2.0 Provisioning Guidance v1.0, rev1.0, section 7.7 SRKHandle tpm2.TPMHandle = 0x81000001 // RSA EK handle // // Source: TCG TPM v2.0 Provisioning Guidance v1.0, rev1.0, section 7.8 RSAEKHandle tpm2.TPMHandle = 0x81010001 // ECC EK handle // // Note: unfortunately TCG TPM v2.0 Provisioning Guidance v1.0, rev1.0, section 7.8 // does not specify a specific handle for ECC key. // However, various TPM2 tools (e.g., go-tpm-tools) use the following handle // as the de-facto standard. I've also confirmed with my own TPM (Nuvoton) that the // ECC EK is indeed pre-provisioned at this handle. // // Sources: // - https://docs.kernel.org/security/tpm/tpm-security.html // - https://chromium.googlesource.com/chromiumos/platform2/+/main/vtpm/README.md#glinux-profile ECCEKHandle tpm2.TPMHandle = 0x81010002 )
Predefined handles defined by TCG specifications.
View Source
var ( // RSASRKTemplate contains the TCG reference RSA-2048 SRK template. // https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf RSASRKTemplate = tpm2.RSASRKTemplate // ECCSRKTemplate contains the TCG reference ECC-P256 SRK template. // https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf ECCSRKTemplate = tpm2.ECCSRKTemplate // Low-Range RSA 2048 EK template (storage) // Source: TCG EK Credential Profile, v2.6, section B.3.3 RSAEKTemplate = tpm2.RSAEKTemplate // Low-Range ECC P256 EK template (storage) // Source: TCG EK Credential Profile, v2.6, section B.3.4 ECCEKTemplate = tpm2.ECCEKTemplate // High-Range RSA 2048 EK template (storage) // Source: TCG EK Credential Profile, v2.6, section B.4.4.1 RSA2048EKTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgRSA, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, STClear: false, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, AdminWithPolicy: true, FirmwareLimited: false, NoDA: false, EncryptedDuplication: false, Restricted: true, Decrypt: true, SignEncrypt: false, }, AuthPolicy: tpm2.TPM2BDigest{ Buffer: []byte{ 0xCA, 0x3D, 0x0A, 0x99, 0xA2, 0xB9, 0x39, 0x06, 0xF7, 0xA3, 0x34, 0x24, 0x14, 0xEF, 0xCF, 0xB3, 0xA3, 0x85, 0xD4, 0x4C, 0xD1, 0xFD, 0x45, 0x90, 0x89, 0xD1, 0x9B, 0x50, 0x71, 0xC0, 0xB7, 0xA0, }, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgRSA, &tpm2.TPMSRSAParms{ Symmetric: tpm2.TPMTSymDefObject{ Algorithm: tpm2.TPMAlgAES, KeyBits: tpm2.NewTPMUSymKeyBits( tpm2.TPMAlgAES, tpm2.TPMKeyBits(128), ), Mode: tpm2.NewTPMUSymMode( tpm2.TPMAlgAES, tpm2.TPMAlgCFB, ), }, KeyBits: 2048, }, ), } // High-Range ECC P256 EK template (storage) // Source: TCG EK Credential Profile, v2.6, section B.4.4.2 ECCP256EKTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgECC, NameAlg: tpm2.TPMAlgSHA256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, STClear: false, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, AdminWithPolicy: true, FirmwareLimited: false, NoDA: false, EncryptedDuplication: false, Restricted: true, Decrypt: true, SignEncrypt: false, }, AuthPolicy: tpm2.TPM2BDigest{ Buffer: []byte{ 0xCA, 0x3D, 0x0A, 0x99, 0xA2, 0xB9, 0x39, 0x06, 0xF7, 0xA3, 0x34, 0x24, 0x14, 0xEF, 0xCF, 0xB3, 0xA3, 0x85, 0xD4, 0x4C, 0xD1, 0xFD, 0x45, 0x90, 0x89, 0xD1, 0x9B, 0x50, 0x71, 0xC0, 0xB7, 0xA0, }, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgECC, &tpm2.TPMSECCParms{ Symmetric: tpm2.TPMTSymDefObject{ Algorithm: tpm2.TPMAlgAES, KeyBits: tpm2.NewTPMUSymKeyBits( tpm2.TPMAlgAES, tpm2.TPMKeyBits(128), ), Mode: tpm2.NewTPMUSymMode( tpm2.TPMAlgAES, tpm2.TPMAlgCFB, ), }, CurveID: tpm2.TPMECCNistP256, }, ), } // High-Range ECC P384 EK template (storage) // Source: TCG EK Credential Profile, v2.6, section B.4.4.3 ECCP384EKTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgECC, NameAlg: tpm2.TPMAlgSHA384, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, STClear: false, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, AdminWithPolicy: true, FirmwareLimited: false, NoDA: false, EncryptedDuplication: false, Restricted: true, Decrypt: true, SignEncrypt: false, }, AuthPolicy: tpm2.TPM2BDigest{ Buffer: []byte{ 0xB2, 0x6E, 0x7D, 0x28, 0xD1, 0x1A, 0x50, 0xBC, 0x53, 0xD8, 0x82, 0xBC, 0xF5, 0xFD, 0x3A, 0x1A, 0x07, 0x41, 0x48, 0xBB, 0x35, 0xD3, 0xB4, 0xE4, 0xCB, 0x1C, 0x0A, 0xD9, 0xBD, 0xE4, 0x19, 0xCA, 0xCB, 0x47, 0xBA, 0x09, 0x69, 0x96, 0x46, 0x15, 0x0F, 0x9F, 0xC0, 0x00, 0xF3, 0xF8, 0x0E, 0x12, }, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgECC, &tpm2.TPMSECCParms{ Symmetric: tpm2.TPMTSymDefObject{ Algorithm: tpm2.TPMAlgAES, KeyBits: tpm2.NewTPMUSymKeyBits( tpm2.TPMAlgAES, tpm2.TPMKeyBits(256), ), Mode: tpm2.NewTPMUSymMode( tpm2.TPMAlgAES, tpm2.TPMAlgCFB, ), }, CurveID: tpm2.TPMECCNistP384, }, ), } // High-Range ECC P521 EK template (storage) // Source: TCG EK Credential Profile, v2.6, section B.4.4.4 ECCP521EKTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgECC, NameAlg: tpm2.TPMAlgSHA512, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, STClear: false, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, AdminWithPolicy: true, FirmwareLimited: false, NoDA: false, EncryptedDuplication: false, Restricted: true, Decrypt: true, SignEncrypt: false, }, AuthPolicy: tpm2.TPM2BDigest{ Buffer: []byte{ 0xB8, 0x22, 0x1C, 0xA6, 0x9E, 0x85, 0x50, 0xA4, 0x91, 0x4D, 0xE3, 0xFA, 0xA6, 0xA1, 0x8C, 0x07, 0x2C, 0xC0, 0x12, 0x08, 0x07, 0x3A, 0x92, 0x8D, 0x5D, 0x66, 0xD5, 0x9E, 0xF7, 0x9E, 0x49, 0xA4, 0x29, 0xC4, 0x1A, 0x6B, 0x26, 0x95, 0x71, 0xD5, 0x7E, 0xDB, 0x25, 0xFB, 0xDB, 0x18, 0x38, 0x42, 0x56, 0x08, 0xB4, 0x13, 0xCD, 0x61, 0x6A, 0x5F, 0x6D, 0xB5, 0xB6, 0x07, 0x1A, 0xF9, 0x9B, 0xEA, }, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgECC, &tpm2.TPMSECCParms{ Symmetric: tpm2.TPMTSymDefObject{ Algorithm: tpm2.TPMAlgAES, KeyBits: tpm2.NewTPMUSymKeyBits( tpm2.TPMAlgAES, tpm2.TPMKeyBits(256), ), Mode: tpm2.NewTPMUSymMode( tpm2.TPMAlgAES, tpm2.TPMAlgCFB, ), }, CurveID: tpm2.TPMECCNistP521, }, ), } // High-Range ECC SM2 P256 EK template (storage) // Source: TCG EK Credential Profile, v2.6, section B.4.4.5 ECCSM2P256EKTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgECC, NameAlg: tpm2.TPMAlgSM3256, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, STClear: false, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, AdminWithPolicy: true, FirmwareLimited: false, NoDA: false, EncryptedDuplication: false, Restricted: true, Decrypt: true, SignEncrypt: false, }, AuthPolicy: tpm2.TPM2BDigest{ Buffer: []byte{ 0x16, 0x78, 0x60, 0xA3, 0x5F, 0x2C, 0x5C, 0x35, 0x67, 0xF9, 0xC9, 0x27, 0xAC, 0x56, 0xC0, 0x32, 0xF3, 0xB3, 0xA6, 0x46, 0x2F, 0x8D, 0x03, 0x79, 0x98, 0xE7, 0xA1, 0x0F, 0x77, 0xFA, 0x45, 0x4A, }, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgECC, &tpm2.TPMSECCParms{ Symmetric: tpm2.TPMTSymDefObject{ Algorithm: tpm2.TPMAlgSM4, KeyBits: tpm2.NewTPMUSymKeyBits( tpm2.TPMAlgSM4, tpm2.TPMKeyBits(128), ), Mode: tpm2.NewTPMUSymMode( tpm2.TPMAlgSM4, tpm2.TPMAlgCFB, ), }, CurveID: tpm2.TPMECCSM2P256, }, ), } // High-Range RSA 3072 EK template (storage) // Source: TCG EK Credential Profile, v2.6, section B.4.4.6 RSA3072EKTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgRSA, NameAlg: tpm2.TPMAlgSHA384, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, STClear: false, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, AdminWithPolicy: true, FirmwareLimited: false, NoDA: false, EncryptedDuplication: false, Restricted: true, Decrypt: true, SignEncrypt: false, }, AuthPolicy: tpm2.TPM2BDigest{ Buffer: []byte{ 0xB2, 0x6E, 0x7D, 0x28, 0xD1, 0x1A, 0x50, 0xBC, 0x53, 0xD8, 0x82, 0xBC, 0xF5, 0xFD, 0x3A, 0x1A, 0x07, 0x41, 0x48, 0xBB, 0x35, 0xD3, 0xB4, 0xE4, 0xCB, 0x1C, 0x0A, 0xD9, 0xBD, 0xE4, 0x19, 0xCA, 0xCB, 0x47, 0xBA, 0x09, 0x69, 0x96, 0x46, 0x15, 0x0F, 0x9F, 0xC0, 0x00, 0xF3, 0xF8, 0x0E, 0x12, }, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgRSA, &tpm2.TPMSRSAParms{ Symmetric: tpm2.TPMTSymDefObject{ Algorithm: tpm2.TPMAlgAES, KeyBits: tpm2.NewTPMUSymKeyBits( tpm2.TPMAlgAES, tpm2.TPMKeyBits(256), ), Mode: tpm2.NewTPMUSymMode( tpm2.TPMAlgAES, tpm2.TPMAlgCFB, ), }, KeyBits: 3072, }, ), } // High-Range RSA 4096 EK template (storage) // Source: TCG EK Credential Profile, v2.6, section B.4.4.7 RSA4096EKTemplate = tpm2.TPMTPublic{ Type: tpm2.TPMAlgRSA, NameAlg: tpm2.TPMAlgSHA384, ObjectAttributes: tpm2.TPMAObject{ FixedTPM: true, STClear: false, FixedParent: true, SensitiveDataOrigin: true, UserWithAuth: true, AdminWithPolicy: true, FirmwareLimited: false, NoDA: false, EncryptedDuplication: false, Restricted: true, Decrypt: true, SignEncrypt: false, }, AuthPolicy: tpm2.TPM2BDigest{ Buffer: []byte{ 0xB2, 0x6E, 0x7D, 0x28, 0xD1, 0x1A, 0x50, 0xBC, 0x53, 0xD8, 0x82, 0xBC, 0xF5, 0xFD, 0x3A, 0x1A, 0x07, 0x41, 0x48, 0xBB, 0x35, 0xD3, 0xB4, 0xE4, 0xCB, 0x1C, 0x0A, 0xD9, 0xBD, 0xE4, 0x19, 0xCA, 0xCB, 0x47, 0xBA, 0x09, 0x69, 0x96, 0x46, 0x15, 0x0F, 0x9F, 0xC0, 0x00, 0xF3, 0xF8, 0x0E, 0x12, }, }, Parameters: tpm2.NewTPMUPublicParms( tpm2.TPMAlgRSA, &tpm2.TPMSRSAParms{ Symmetric: tpm2.TPMTSymDefObject{ Algorithm: tpm2.TPMAlgAES, KeyBits: tpm2.NewTPMUSymKeyBits( tpm2.TPMAlgAES, tpm2.TPMKeyBits(256), ), Mode: tpm2.NewTPMUSymMode( tpm2.TPMAlgAES, tpm2.TPMAlgCFB, ), }, KeyBits: 4096, }, ), } )
Predefined templates (public area) from TCG specifications.
View Source
var ( ErrMissingTpm = errors.New("missing TPM transport") ErrDigestNotSafe = errors.New("digest considered unsafe for signing by the TPM") ErrInvalidBlockSize = errors.New("blockSize must be positive") ErrDataTooLarge = errors.New("data size exceeds maximum NV index size") ErrMissingHandle = errors.New("keyHandle is required") ErrMissingData = errors.New("data is required") ErrMissingPublicKey = errors.New("publicKey is required") ErrMissingIndex = errors.New("index is required") )
View Source
var ( NoAuth = tpm2.PasswordAuth(nil) NullTicket = tpm2.TPMTTKHashCheck{ Tag: tpm2.TPMSTHashCheck, Hierarchy: tpm2.TPMRHNull, } )
Functions ¶
func EkPolicyCallback ¶
func EkPolicyCallback(t transport.TPM, handle tpm2.TPMISHPolicy, nonceTPM tpm2.TPM2BNonce) error
EkPolicyCallback is a callback used to satisfy EK's authPolicy. It is used to create a policy session for the endorsement hierarchy.
Example:
activateRsp, err := tpm2.ActivateCredential{
KeyHandle: tpmutil.ToAuthHandle(ekHandle, tpm2.Policy(tpm2.TPMAlgSHA256, 16, tpmutil.EkPolicyCallback)),
truncated...
}.Execute(tpm)
func IsHandleOfType ¶
func IsHandleOfType(h Handle, ht HandleType) bool
IsHandleOfType checks if the given handle is of the specified type.
Example:
// Check if a handle is a persistent handle
if tpmutil.IsHandleOfType(handle, tpmutil.PersistentHandle) {
fmt.Println("This is a persistent handle")
}
func NVRead ¶
func NVRead(t transport.TPM, optionalCfg ...NVReadConfig) ([]byte, error)
NVRead reads data from a non-volatile storage (NV) index.
Example:
// Read from NV index 0x01500000
data, err := tpmutil.NVRead(tpm, &tpmutil.NVReadConfig{
Index: 0x01500000,
Hierarchy: tpm2.TPMRHOwner,
})
if err != nil {
log.Fatal(err)
}
fmt.Printf("Read %d bytes from NV index\n", len(data))
Note: If cfg is nil, default configuration is used.
func NVWrite ¶
func NVWrite(t transport.TPM, optionalCfg ...NVWriteConfig) error
NVWrite writes data to a non-volatile storage (NV) index.
Example:
// Write data to NV index 0x01500000
data := []byte("secret data")
err := tpmutil.NVWrite(tpm, &tpmutil.NVWriteConfig{
Index: 0x01500000,
Data: data,
Hierarchy: tpm2.TPMRHOwner,
})
if err != nil {
log.Fatal(err)
}
Note: If cfg is nil, default configuration is used.
func PCRSelectToPCRs ¶
PCRSelectToPCRs converts a byte slice representing a PCR selection into a slice of PCR numbers.
Example:
// Convert a PCR selection bitmap to PCR numbers
// The byte slice [0x83, 0x00, 0x00] represents PCRs 0, 1, and 7
pcrs := tpmutil.PCRSelectToPCRs([]byte{0x83, 0x00, 0x00})
// pcrs will be []uint{0, 1, 7}
func Sign ¶
func Sign(t transport.TPM, optionalCfg ...SignConfig) ([]byte, error)
Sign signs a digest using the TPM with the provided configuration.
Note: If cfg is nil, default configuration is used.
Example:
// Sign a digest with a TPM key
digest := []byte{0x01, 0x02, 0x03}
signature, err := tpmutil.Sign(tpm, &tpmutil.SignConfig{
KeyHandle: keyHandle,
Digest: digest,
PublicKey: publicKey,
SignerOpts: crypto.SHA256,
Validation: tpmutil.NullTicket,
})
if err != nil {
log.Fatal(err)
}
fmt.Printf("Signature: %x\n", signature)
func ToAuthHandle ¶ added in v0.4.0
func ToAuthHandle(h Handle, optionalAuth ...tpm2.Session) tpm2.AuthHandle
ToAuthHandle converts a Handle to an authorization Handle with the given session.
This function is a hack in order to deals with Authorization Handles because internally go-tpm is able to interpret Authz only as tpm2.AuthHandle.
Note: if no session is provided, NoAuth is used by default.
EXPERIMENTAL: this function may change or be removed in future releases.
func ToTPMLPCRSelection ¶
func ToTPMLPCRSelection(pcrs []uint, bank tpm2.TPMIAlgHash) tpm2.TPMLPCRSelection
ToTPMLPCRSelection converts a slice of PCR numbers and a hash algorithm to a tpm2.TPMLPCRSelection structure.
Returns an empty TPMLPCRSelection if no valid PCRs are provided.
Example:
// Create a PCR selection for PCRs 0, 1, 7 using SHA256
selection := tpmutil.ToTPMLPCRSelection([]uint{0, 1, 7}, tpm2.TPMAlgSHA256)
// Use the selection in TPM operations like PolicyPCR or Quote
Types ¶
type CreateConfig ¶ added in v0.3.0
type CreateConfig struct {
// ParentHandle is the handle of the parent key.
//
// Required.
ParentHandle Handle
// ParentAuth is the authorization session for the parent key.
//
// Default: [NoAuth].
ParentAuth tpm2.Session
// Template specifies the key template to use for the created object.
//
// Required.
Template tpm2.TPMTPublic
// UserAuth is the user authorization value for the created object.
//
// Default: nil.
UserAuth []byte
// SealingData is the sensitive data associated with the created object.
//
// This field can be provided when you want to seal data with the created object.
//
// Note: this field is accepted if the Template is of type [tpm2.TPMAlgKeyedHash].
//
// Default: nil.
SealingData []byte
}
CreateConfig holds configuration for TPM Create operations.
func (*CreateConfig) CheckAndSetDefault ¶ added in v0.3.0
func (c *CreateConfig) CheckAndSetDefault() error
CheckAndSetDefault validates and sets default values for CreateConfig.
type CreatePrimaryConfig ¶ added in v0.2.0
type CreatePrimaryConfig struct {
// Template specifies the key template to use.
//
// Required.
Template tpm2.TPMTPublic
// PrimaryHandle specifies which hierarchy to create the primary key under.
//
// Default: [tpm2.TPMRHOwner].
PrimaryHandle tpm2.TPMHandle
// Auth is the authorization session for the hierarchy.
//
// Default: [NoAuth].
Auth tpm2.Session
// UserAuth is the user authorization value for the created primary object.
//
// Default: nil.
UserAuth []byte
// SealingData is the sensitive data associated with the created primary object.
//
// This field can be provided when you want to seal data with the created primary object.
//
// Note: this field is accepted if the Template is of type [tpm2.TPMAlgKeyedHash].
//
// Default: nil.
SealingData []byte
}
CreatePrimaryConfig holds configuration for TPM CreatePrimary operations.
func (*CreatePrimaryConfig) CheckAndSetDefault ¶ added in v0.2.0
func (c *CreatePrimaryConfig) CheckAndSetDefault() error
CheckAndSetDefault validates and sets default values for CreatePrimaryConfig.
type CreatePrimaryResult ¶ added in v0.3.0
type CreatePrimaryResult struct {
// ObjectHandle is the handle of the created primary object.
ObjectHandle tpm2.TPMHandle
// OutPublic is the public portion of the created object.
OutPublic tpm2.TPM2BPublic
// CreationHash is the digest of the creation data.
CreationHash tpm2.TPM2BDigest
// CreationTicket is the ticket that proves the association between the object and its creation data.
CreationTicket tpm2.TPMTTKCreation
// Name is the name of the created object.
Name tpm2.TPM2BName
}
CreatePrimaryResult contains the result of a TPM CreatePrimary operation.
func CreatePrimaryWithResult ¶ added in v0.3.0
func CreatePrimaryWithResult(t transport.TPM, optionalCfg ...CreatePrimaryConfig) (*CreatePrimaryResult, func() error, error)
CreatePrimaryWithResult creates a primary key in the TPM and returns the result along with a closer function.
Example:
// Create an RSA primary key and get the full response
rsaTemplate := tpm2.RSASRKTemplate
result, closer, err := tpmutil.CreatePrimaryWithResult(tpm, &tpmutil.CreatePrimaryConfig{
PrimaryHandle: tpm2.TPMRHOwner,
Template: &rsaTemplate,
})
if err != nil {
log.Fatal(err)
}
defer closer()
Note: If cfg is nil, default configuration is used.
func LoadCreatePrimaryResult ¶ added in v0.3.0
func LoadCreatePrimaryResult(path string) (*CreatePrimaryResult, error)
LoadCreatePrimaryResult loads a CreatePrimaryResult from the specified file path.
The file must contain JSON data created by CreatePrimaryResult.Marshal.
Note: ObjectHandle is not loaded from the file as it was not marshaled. The returned CreatePrimaryResult will have ObjectHandle set to 0.
Example:
result, err := LoadCreatePrimaryResult("primary-key.json")
if err != nil {
log.Fatal(err)
}
func (CreatePrimaryResult) Marshal ¶ added in v0.3.0
func (r CreatePrimaryResult) Marshal(optionalTarget ...Target) ([]byte, error)
Marshal marshals the CreatePrimaryResult to the specified target format.
If target is not provided, it defaults to JSON.
Note: ObjectHandle is not marshaled as it is a transient handle that is only valid during the current TPM session.
Example:
result := CreatePrimaryResult{...}
data, err := result.Marshal(JSON)
if err != nil {
log.Fatal(err)
}
os.WriteFile("primary-key.json", data, 0644)
type CreateResult ¶ added in v0.3.0
type CreateResult struct {
// OutPrivate is the encrypted private portion of the created object.
OutPrivate tpm2.TPM2BPrivate
// OutPublic is the public portion of the created object.
OutPublic tpm2.TPM2BPublic
// CreationHash is the digest of the creation data.
CreationHash tpm2.TPM2BDigest
// CreationTicket is the ticket that proves the association between the object and its creation data.
CreationTicket tpm2.TPMTTKCreation
}
CreateResult contains the result of a TPM Create operation.
func CreateWithResult ¶ added in v0.3.0
func CreateWithResult(t transport.TPM, optionalCfg ...CreateConfig) (*CreateResult, error)
CreateWithResult creates a child key under a parent key in the TPM and returns the result.
This function returns the encrypted private and public portions that can later be loaded with Load.
Use this function if you need to marshal the created key material for storage or transmission. For direct loading, use Create instead.
Example:
// CreateWithResult a child key under an existing parent
srkHandle, err := tpmutil.GetSKRHandle(tpm)
if err != nil {
log.Fatal(err)
}
eccTemplate := tpmutil.ECCSRKTemplate
result, err := tpmutil.CreateWithResult(tpm, &tpmutil.CreateConfig{
ParentHandle: srkHandle,
Template: &eccTemplate,
})
if err != nil {
log.Fatal(err)
}
// marshal the result in order to store or transmit it
b, err := result.Marshal()
if err != nil {
log.Fatal(err)
}
// Later, load the created key
keyHandle, err := tpmutil.Load(tpm, &tpmutil.LoadConfig{
ParentHandle: srkHandle,
InPrivate: result.OutPrivate,
InPublic: result.OutPublic,
})
if err != nil {
log.Fatal(err)
}
defer keyHandle.Close()
Note: If cfg is nil, default configuration is used.
func LoadCreateResult ¶ added in v0.3.0
func LoadCreateResult(path string) (*CreateResult, error)
LoadCreateResult loads a CreateResult from the specified file path.
The file must contain JSON data created by CreateResult.Marshal.
Example:
result, err := LoadCreateResult("key.json")
if err != nil {
log.Fatal(err)
}
func (CreateResult) Marshal ¶ added in v0.3.0
func (r CreateResult) Marshal(optionalTarget ...Target) ([]byte, error)
Marshal marshals the CreateResult to the specified target format.
If target is not provided, it defaults to JSON.
Example:
result := CreateResult{...}
data, err := result.Marshal(JSON)
if err != nil {
log.Fatal(err)
}
os.WriteFile("key.json", data, 0644)
type EKParentConfig ¶
type EKParentConfig struct {
// KeyFamily is the type of the key to be created under the parent.
//
// Default: [ECC].
KeyFamily KeyFamily
// Handle is the handle of the parent key.
//
// Default: [RSAEKHandle] or [ECCEKHandle] based on KeyFamily.
Handle Handle
// Hierarchy specifies which TPM hierarchy to use.
//
// Default: [tpm2.TPMRHEndorsement].
Hierarchy tpm2.TPMHandle
// Auth is the authorization session for the parent key.
//
// Default: [NoAuth].
Auth tpm2.Session
// Transient key handle represents the current EK key
// that we want to persist.
//
// If nil, a new key will be created based on KeyType and IsLowRange.
// Default: nil
TransientKey Handle
// KeyType specifies the type of EK to create if TransientKey is nil.
//
// Default: 0
KeyType KeyType
// IsLowRange indicates whether to use low-range templates for EK creation
// if TransientKey is nil.
//
// Note: this field is taken into account only if KeyType is RSA2048 or ECCNISTP256.
IsLowRange bool
// Force indicates whether to evict an existing key at the target handle
// before persisting the new key.
//
// Default: false
Force bool
}
func (*EKParentConfig) CheckAndSetDefault ¶
func (c *EKParentConfig) CheckAndSetDefault() error
type ErrHandleNotFound ¶
ErrHandleNotFound indicates that a handle was not found at the specified address.
func (*ErrHandleNotFound) Error ¶
func (e *ErrHandleNotFound) Error() string
func (*ErrHandleNotFound) Unwrap ¶
func (e *ErrHandleNotFound) Unwrap() error
type Handle ¶
type Handle interface {
// Handle returns the underlying TPM handle value.
Handle() tpm2.TPMHandle
// Name returns the TPM Name associated with the handle.
Name() tpm2.TPM2BName
// IsAuth indicates if the handle is an authorization handle.
IsAuth() bool
// Type returns the type of the handle.
Type() HandleType
// Public returns the public area associated with the handle.
// Returns nil if no public area is available.
Public() *tpm2.TPMTPublic
// HasPublic indicates if the handle has an associated public area.
HasPublic() bool
// contains filtered or unexported methods
}
Handle provides a layer of abstraction over TPM handles. Typically, users will interact with two types of handles:
- Authorization handles (e.g., for sessions, passwords) tpm2.AuthHandle
- Object handles (e.g., for keys, NV indices) tpm2.NamedHandle
Handle allows users to work with both types uniformly.
func GetEKHandle ¶
func GetEKHandle(t transport.TPM, optionalCfg ...EKParentConfig) (Handle, error)
GetEKHandle retrieves the Endorsement Key (EK) handle from the TPM. Unlike GetSKRHandle, this function does not create the EK if it doesn't exist.
Example:
// Get RSA EK at the default persistent handle
ekHandle, err := tpmutil.GetEKHandle(tpm, &tpmutil.EKParentConfig{
KeyFamily: tpmutil.RSA,
})
if err != nil {
log.Fatal(err)
}
fmt.Printf("EK handle: 0x%x\n", ekHandle.Handle())
Note: If cfg is nil, default configuration is used (RSA EK at handle 0x81010001).
func GetSKRHandle ¶
func GetSKRHandle(t transport.TPM, optionalCfg ...ParentConfig) (Handle, error)
GetSKRHandle retrieves or creates the Storage Root Key (SRK) handle based on the provided configuration.
Example:
// Get or create an ECC SRK at the default persistent handle
srkHandle, err := tpmutil.GetSKRHandle(tpm, &tpmutil.ParentConfig{
KeyType: tpmutil.ECC,
Hierarchy: tpm2.TPMRHOwner,
})
if err != nil {
log.Fatal(err)
}
fmt.Printf("SRK handle: 0x%x\n", srkHandle.Handle())
Note: If cfg is nil, default configuration is used.
func NewHandle ¶
func NewHandle(h handle) Handle
NewHandle creates a new Handle from the given TPM handle.
Examples:
// Create a handle from a Command Response
h := &tpm2.NamedHandle{Handle: rsp.ObjectHandle, Name: rsp.Name}
handle := tpmutil.NewHandle(h)
// Create a handle from a TPM persistent handle
handle := tpmutil.NewHandle(tpm2.TPMHandle(0x81000001))
fmt.Printf("Handle type: %s\n", h.Type())
Note: tpm2.TPMHandle, tpm2.AuthHandle and tpm2.NamedHandle can be used as input.
func PersistEK ¶
func PersistEK(t transport.TPM, optionalCfg ...EKParentConfig) (Handle, error)
PersistEK persists an Endorsement Key (EK) to the TPM at the configured handle.
If cfg.TransientKey is nil, a new transient EK is created based on cfg.KeyType and cfg.IsLowRange. Otherwise, the provided transient key is persisted.
Example:
// Create and persist a new RSA EK
ekHandle, err := tpmutil.PersistEK(tpm, &tpmutil.EKParentConfig{
KeyFamily: tpmutil.RSA,
KeyType: tpmutil.RSA2048,
IsLowRange: true,
})
if err != nil {
log.Fatal(err)
}
fmt.Printf("Persisted EK at handle: 0x%x\n", ekHandle.Handle())
Note: If cfg is nil, default configuration is used.
func ToHandle ¶
ToHandle converts an input a tpm2.TPMHandle.
Example:
// Convert a raw TPM handle to a Handle
h, err := tpmutil.ToHandle(tpm, tpm2.TPMHandle(0x81000001))
if err != nil {
log.Fatal(err)
}
fmt.Printf("Handle: 0x%x, Type: %s\n", h.Handle(), h.Type())
Note: if the input is a raw TPM handle, a TPM2_ReadPublic command is issued to retrieve the associated Name.
type HandleCloser ¶
HandleCloser extends Handle with the ability to release resources. When a HandleCloser is no longer needed, calling Close() will flush the handle
Note: struct implementing this interface must have access to a TPM transport.
func Create ¶ added in v0.3.0
func Create(t transport.TPM, optionalCfg ...CreateConfig) (HandleCloser, error)
Create creates a child key under a parent key in the TPM and loads it.
This is a convenience function that combines CreateWithResult and Load. Use CreateWithResult if you need the encrypted private/public portions for later use without loading the key immediately.
Example:
// Create a child key under an existing parent
srkHandle, err := tpmutil.GetSKRHandle(tpm)
if err != nil {
log.Fatal(err)
}
eccTemplate := tpmutil.ECCSRKTemplate
keyHandle, err := tpmutil.Create(tpm, tpmutil.CreateConfig{
ParentHandle: srkHandle,
Template: eccTemplate,
})
if err != nil {
log.Fatal(err)
}
defer keyHandle.Close()
Note: If cfg is nil, default configuration is used.
func CreatePrimary ¶
func CreatePrimary(t transport.TPM, optionalCfg ...CreatePrimaryConfig) (HandleCloser, error)
CreatePrimary creates a primary key in the TPM and returns a HandleCloser.
Example:
// Create an ECC primary key in the owner hierarchy
eccTemplate := tpmutil.ECCSRKTemplate
primaryHandle, err := tpmutil.CreatePrimary(tpm, &tpmutil.CreatePrimaryConfig{
PrimaryHandle: tpm2.TPMRHOwner,
Template: &eccTemplate,
})
if err != nil {
log.Fatal(err)
}
defer primaryHandle.Close()
Note: If cfg is nil, default configuration is used.
func Load ¶
func Load(t transport.TPM, optionalCfg ...LoadConfig) (HandleCloser, error)
Load loads a key into the TPM and returns a HandleCloser.
Example:
// Load a previously created key into the TPM
keyHandle, err := tpmutil.Load(tpm, &tpmutil.LoadConfig{
ParentHandle: srkHandle,
InPrivate: createRsp.OutPrivate,
InPublic: createRsp.OutPublic,
})
if err != nil {
log.Fatal(err)
}
defer keyHandle.Close()
Note: If cfg is nil, default configuration is used.
func NewHandleCloser ¶
func NewHandleCloser(tpm transport.TPM, h handle) HandleCloser
NewHandleCloser creates a new HandleCloser from the given TPM handle. The returned handle can be closed to flush the TPM resource.
Example:
// Create a closable handle for a transient key
keyHandle := tpmutil.NewHandleCloser(tpm, &tpm2.NamedHandle{
Handle: createRsp.ObjectHandle,
Name: createRsp.Name,
})
defer keyHandle.Close()
// Use keyHandle for TPM operations
Note: tpm2.TPMHandle, tpm2.AuthHandle and tpm2.NamedHandle can be used as input.
type HandleType ¶
type HandleType int
HandleType represents the different types of handles in TPM 2.0.
const ( // UnspecifiedHandle represents an unknown or unidentified handle type. UnspecifiedHandle HandleType = iota // NVIndexHandle represents a handle for Non-Volatile (NV) memory indices. // These handles reference persistent storage areas in the TPM. NVIndexHandle // PolicySessionHandle represents a handle for policy sessions. // These are used for complex authorization scenarios. PolicySessionHandle // PermanentHandle represents a handle for permanent TPM entities. // These are built-in handles like TPM_RH_OWNER, TPM_RH_PLATFORM, etc. PermanentHandle // PersistentHandle represents a handle for persistent objects. // These objects remain in TPM memory across power cycles. PersistentHandle // TransientHandle represents a handle for transient objects. // These objects exist only in TPM volatile memory and are lost on reboot. TransientHandle )
func (HandleType) String ¶
func (ht HandleType) String() string
type HashConfig ¶
type HashConfig struct {
// Hierarchy specifies which TPM hierarchy to use for hashing.
//
// Defaut: [tpm2.TPMRHOwner].
Hierarchy tpm2.TPMHandle
// Password for the hierarchy.
//
// Defaut: empty string.
Password string // TODO(lsikidi): can it be replaced with tpm2.Session?
// BlockSize for sequential hash operations.
//
// Defaut: maxBufferSize (1024 bytes).
BlockSize int
// HashAlg specifies the hash algorithm to use.
//
// Defaut: crypto.SHA256
HashAlg crypto.Hash
// Data to be hashed.
Data []byte
}
HashConfig holds configuration for TPM hash operations.
func (*HashConfig) CheckAndSetDefault ¶
func (c *HashConfig) CheckAndSetDefault() error
CheckAndSetDefault validates and sets default values for HashConfig.
type HashResult ¶
type HashResult struct {
// Digest is the computed hash digest.
Digest []byte
// Validation is the ticket returned by the TPM.
Validation tpm2.TPMTTKHashCheck
}
HashResult contains the result of a TPM hash operation.
func Hash ¶
func Hash(t transport.TPM, optionalCfg ...HashConfig) (*HashResult, error)
Hash hashes data using the TPM with the provided configuration.
Note: If cfg is nil, default configuration is used.
Example:
// Hash data using TPM with SHA256
result, err := tpmutil.Hash(tpm, &tpmutil.HashConfig{
Data: []byte("data to hash"),
HashAlg: crypto.SHA256,
Hierarchy: tpm2.TPMRHOwner,
})
if err != nil {
log.Fatal(err)
}
fmt.Printf("Digest: %x\n", result.Digest)
type KeyFamily ¶
type KeyFamily int
func AlgIDToKeyFamily ¶ added in v0.2.0
AlgIDToKeyFamily converts a tpm2.TPMAlgID to a KeyFamily.
Returns UnspecifiedKey if the algorithm is not recognized or not a key type.
type KeyType ¶
type KeyType int
const ( // UnspecifiedAlgo represents an unknown or unidentified key algorithm. UnspecifiedAlgo KeyType = iota // RSA2048 represents RSA algorithm with 2048-bit key size. RSA2048 // RSA3072 represents RSA algorithm with 3072-bit key size. RSA3072 // RSA4096 represents RSA algorithm with 4096-bit key size. RSA4096 // ECCNISTP256 represents ECC algorithm with NIST P-256 curve. ECCNISTP256 // ECCNISTP384 represents ECC algorithm with NIST P-384 curve. ECCNISTP384 // ECCNISTP521 represents ECC algorithm with NIST P-521 curve. ECCNISTP521 // ECCSM2P256 represents ECC algorithm with SM2 P-256 curve. ECCSM2P256 )
func MustPublicToKeyType ¶ added in v0.2.0
func MustPublicToKeyType(public tpm2.TPMTPublic) KeyType
MustPublicToKeyType is like PublicToKeyType but panics if an error occurs.
func PublicToKeyType ¶ added in v0.2.0
func PublicToKeyType(public tpm2.TPMTPublic) (KeyType, error)
PublicToKeyType converts a tpm2.TPMTPublic to a KeyType.
Returns an error if the key type cannot be determined or is not supported.
type LoadConfig ¶ added in v0.2.0
type LoadConfig struct {
// ParentHandle is the handle of the parent key.
//
// Required.
ParentHandle Handle
// InPrivate is the encrypted private portion of the object.
//
// Required.
InPrivate tpm2.TPM2BPrivate
// InPublic is the public portion of the object.
//
// Required.
InPublic tpm2.TPM2BPublic
// Auth is the authorization session for the parent key.
//
// Default: [NoAuth].
Auth tpm2.Session
}
LoadConfig holds configuration for TPM Load operations.
func (*LoadConfig) CheckAndSetDefault ¶ added in v0.2.0
func (c *LoadConfig) CheckAndSetDefault() error
CheckAndSetDefault validates and sets default values for LoadConfig.
type NVReadConfig ¶
type NVReadConfig struct {
// Index is the NV index to read from.
Index tpm2.TPMHandle
// Hierarchy specifies which TPM hierarchy to use.
//
// Default: [tpm2.TPMRHOwner].
Hierarchy tpm2.TPMHandle
// Auth is the authorization session.
//
// Default: [NoAuth].
Auth tpm2.Session
// BlockSize for sequential read operations.
//
// Default: maxBufferSize (1024 bytes).
BlockSize int
}
NVReadConfig holds configuration for TPM NV read operations.
func (*NVReadConfig) CheckAndSetDefault ¶
func (c *NVReadConfig) CheckAndSetDefault() error
CheckAndSetDefault validates and sets default values for NVReadConfig.
type NVWriteConfig ¶
type NVWriteConfig struct {
// Index is the NV index to write to.
Index tpm2.TPMHandle
// Data to write.
Data []byte
// Hierarchy specifies which TPM hierarchy to use.
//
// Default: [tpm2.TPMRHOwner].
Hierarchy tpm2.TPMHandle
// Auth is the authorization session.
//
// Default: [NoAuth].
Auth tpm2.Session
// Attributes specifies NV attributes.
//
// Default: defaultNVAttributes.
Attributes tpm2.TPMANV
}
NVWriteConfig holds configuration for TPM NV write operations.
func (*NVWriteConfig) CheckAndSetDefault ¶
func (c *NVWriteConfig) CheckAndSetDefault() error
CheckAndSetDefault validates and sets default values for NVWriteConfig.
type ParentConfig ¶
type ParentConfig struct {
// ParentHandle is the handle of the parent key.
//
// Default: [tpmkit.SRKHandle].
Handle Handle
// KeyFamily is the type of the key to be created under the parent.
//
// Default: [ECC] (to save key generation time).
KeyFamily KeyFamily
// Hierarchy specifies which TPM hierarchy to use.
//
// Default: [tpm2.TPMRHOwner].
Hierarchy tpm2.TPMHandle
// Auth is the authorization session for the parent key.
//
// Default: [NoAuth].
Auth tpm2.Session
}
func (*ParentConfig) CheckAndSetDefault ¶
func (c *ParentConfig) CheckAndSetDefault() error
CheckAndSetDefault validates and sets default values for NVWriteConfig.
type SignConfig ¶
type SignConfig struct {
// KeyHandle to the signing key.
KeyHandle Handle
// Digest to sign.
Digest []byte
// PublicKey for scheme determination.
PublicKey crypto.PublicKey
// SignerOpts for signing options (hash algorithm, etc.).
//
// Default: crypto.SHA256
SignerOpts crypto.SignerOpts
// Validation ticket from TPM hash operation.
//
// Note: use [NullTicket] for external data.
Validation tpm2.TPMTTKHashCheck
}
SignConfig holds configuration for TPM signing operations.
func (*SignConfig) CheckAndSetDefault ¶
func (c *SignConfig) CheckAndSetDefault() error
CheckAndSetDefault validates and sets default values for SignConfig.
type Target ¶ added in v0.3.0
type Target int
Target represents the marshaling format for CreateResult.
Source Files
Click to show internal directories.
Click to hide internal directories.