• Stars: 179
• Rank: 214,039 (Top 5%)
• Language: Go
• License: MIT License
• Created: over 3 years ago
• Updated: over 1 year ago

Repository Details

A WebAuthn/U2F token protected by a TPM (Go/Linux)

tpm-fido

tpm-fido is a FIDO token implementation for Linux that protects the token keys with your system's TPM. tpm-fido uses Linux's uhid facility to emulate a USB HID device so that browsers detect it the same way they detect a hardware token.

Implementation details

tpm-fido uses the TPM 2.0 API. The overall design is as follows:

On registration, tpm-fido generates a new P-256 primary key under the TPM's Owner hierarchy. To make the key unique per site and per registration, tpm-fido generates a random 20-byte seed for each registration and fills the primary key template's unique field with values derived by HKDF-SHA256 from that seed and the application parameter supplied by the browser (in U2F, the SHA-256 hash of the application ID). A TPM derives a primary key deterministically from its hierarchy seed and the template, so the same template always yields the same primary key on the same TPM and nothing about the primary key has to be stored. The flip side is that clearing the Owner hierarchy (for example with tpm2_clear) replaces that hierarchy seed and invalidates every registration made so far.

A signing child key is then created under that primary key. The key handle returned to the caller is the concatenation of the child key's public and private blobs, as returned by the TPM's create operation, and the 20-byte seed. The private blob is protected by the TPM under the parent primary key, so it is useless to anyone who cannot recreate that primary key on the same TPM.

On an authentication request, tpm-fido recreates the primary key by running the HKDF in the same way as above, using the seed carried in the key handle together with the application parameter, and then attempts to load the child key from the blobs in the handle. A handle that has been modified, that was registered for a different application parameter, or that was created by a different TPM fails to load, and the request is rejected.

Status

tpm-fido has been tested to work with Chrome and Firefox on Linux.

Building

# in the root directory of tpm-fido run:
go build

Running

In order to run tpm-fido you will need permission to access /dev/tpmrm0, the kernel's TPM resource manager device. On Ubuntu and Arch, you can add your user to the tss group.

Your user also needs permission to access /dev/uhid so that tpm-fido can present itself as a USB HID device. I use the following udev rule (in a file under /etc/udev/rules.d/) to set the appropriate permissions on /dev/uhid:

KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="SOME_UHID_GROUP_MY_USER_BELONGS_TO", MODE="0660"

To ensure the above udev rule gets triggered, I also list the uhid module in /etc/modules-load.d/uhid.conf (a file containing the single line uhid) so that the module, and with it the device node, is loaded at boot.

To run:

# as a user that has permission to read and write to /dev/tpmrm0:
./tpm-fido

Note: do not run with sudo or as root, as it will not work.

Dependencies

tpm-fido requires pinentry to be available on the system. If you have gpg installed, you most likely already have pinentry.
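The checks in the Running and Dependencies sections can be turned into a preflight program. The following Go code is an added example, not part of tpm-fido: it opens the two device nodes read/write as the current user, looks for the uhid module under /sys/module, refuses to run as root, and looks for pinentry on PATH, printing the README's remedy for each failure. The device and sysfs paths are parameters only so the checks can be exercised against a temporary directory.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"path/filepath"
)

// checkRW reports whether the current user can open path read/write, which is
// what tpm-fido needs for both /dev/tpmrm0 and /dev/uhid.
func checkRW(path string) error {
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return err
	}
	return f.Close()
}

// moduleLoaded reports whether kernel module name is loaded by looking for its
// sysfs directory under moduleRoot (/sys/module on a real system; a parameter
// so the check can be run against a temporary directory).
func moduleLoaded(moduleRoot, name string) bool {
	st, err := os.Stat(filepath.Join(moduleRoot, name))
	return err == nil && st.IsDir()
}

// preflight runs the checks from the Running and Dependencies sections and
// returns one line per problem, each with the remedy the README gives.
func preflight(tpmDev, uhidDev, moduleRoot string) []string {
	var problems []string
	if u, err := user.Current(); err == nil && u.Uid == "0" {
		problems = append(problems, "running as root: tpm-fido must be started as a regular user")
	}
	if err := checkRW(tpmDev); err != nil {
		problems = append(problems, fmt.Sprintf("%s: %v (add your user to the tss group)", tpmDev, err))
	}
	if !moduleLoaded(moduleRoot, "uhid") {
		problems = append(problems, "uhid module not loaded (modprobe uhid now; list it in /etc/modules-load.d/uhid.conf for boot)")
	}
	if err := checkRW(uhidDev); err != nil {
		problems = append(problems, fmt.Sprintf("%s: %v (install the udev rule from the Running section; udevadm trigger applies it without a reboot)", uhidDev, err))
	}
	if _, err := exec.LookPath("pinentry"); err != nil {
		problems = append(problems, "pinentry not found on PATH (install pinentry; gpg usually pulls it in)")
	}
	return problems
}

func main() {
	problems := preflight("/dev/tpmrm0", "/dev/uhid", "/sys/module")
	if len(problems) == 0 {
		fmt.Println("ok: tpm-fido prerequisites satisfied")
	}
	for _, p := range problems {
		fmt.Println("problem:", p)
	}
}
```

Run it as the same user that will start tpm-fido; a clean run prints a single ok line, otherwise each problem names the device or module and the fix.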

More Repositories

1. wormhole-william (Go, 730 stars): End-to-end encrypted file transfer. A magic wormhole CLI and API in Go (golang).
2. donutdb (Go, 134 stars): Store and query a sqlite db directly backed by DynamoDB.
3. sqlite3vfshttp (Go, 130 stars): Go sqlite3 http vfs: query sqlite databases over http with range headers
4. wormhole-william-mobile (Go, 104 stars): End-to-end encrypted file transfer for Android and iOS. A Magic Wormhole Mobile client.
5. memfs (Go, 85 stars): In-memory implementation of Go's `io/fs.FS` interface
6. emacs-oauth (Emacs Lisp, 42 stars): An oauth library for emacs
7. sqlite3vfs (Go, 29 stars): Go sqlite3 vfs
8. cloudtrail-tattletail (Go, 19 stars): AWS Cloudtrail event alerting lambda function. Send alerts to Slack, Email, or SNS.
9. node-proxy (JavaScript, 16 stars): HTTP and SSL Proxy Using Node.js
10. node-mjpeg-test-server (JavaScript, 15 stars): Example of an mjpeg server written in node.js
11. emacs-yammer (Emacs Lisp, 14 stars): A simple yammer client for emacs
12. csv2sqlite (Go, 9 stars)
13. cassandra-visual-ring (JavaScript, 7 stars): Visualization and planning tool for Cassandra rings
14. mirabox (6 stars): Globalscale Mirabox Info
15. uhid (Go, 6 stars): Linux uhid api in Go.
16. tpm-ssh-ca (Go, 5 stars)
17. ctapkey (Go, 5 stars)
18. lencode (Go, 4 stars): Go (golang) length prefix encoder and decoder package
19. lambda-email (Go, 3 stars): SES Lambda email forwarding and programmatic routing service
20. ruby-mode (Emacs Lisp, 3 stars): Emacs ruby-mode with modified indentation rules.
21. awsip (Go, 3 stars): Go package to check if ip address belongs to AWS
22. getlogin (Go, 3 stars): go implementation of getlogin(3)
23. slack-channel-history (Go, 3 stars)
24. github-stars (Go, 3 stars): CLI tool to list all starred repos by user
25. ec2price (Go, 2 stars): EC2 price comparison cli tool
26. wg-captive-browser (Shell, 2 stars): Connect to captive portals without disabling wireguard on linux
27. what-the-fido (Go, 2 stars): https://what-the-fido.sanford.io Identify FIDO key by its attestation certificate
28. awsso-agent (Go, 2 stars): awsso is a credential agent for caching aws sso credentials (similar to ssh-agent)
29. lambdahttp (Go, 2 stars)
30. pinephoneproxy (Go, 1 star)
31. goversions (Go, 1 star): CLI tool to list Go releases
32. awsv4signer (Go, 1 star): Go aws v4 signer implementation with pluggable hmac function
33. json2csv (Go, 1 star)
34. gopherfest-2016-slides (Go, 1 star)
35. android-media-backup (Go, 1 star): Android application that uploads your media files to a webserver in the background
36. nft-to-beanie-baby (JavaScript, 1 star): Replace 'NFT' with 'Beanie Baby'
37. github-recent-activity (Go, 1 star): CLI tool that shows recent github activity for a user.
38. door-awesomer-chrome (1 star): Chrome extension for Nearbuy's door awesomer
39. remarkablecloud (Go, 1 star): Go API to the ReMarkable cloud
40. photo-backup-lambda (Go, 1 star)
41. git-code-review-el (Emacs Lisp, 1 star)
42. systray-inbox (Go, 1 star): Show systray icon when files appear in directory
43. git-time-machine-el (Emacs Lisp, 1 star): Easy file history viewing in emacs
44. dnsforward (Go, 1 star): Simple dns forwarding server (stub resolver)
45. btf (Go, 1 star): BPF Type Format (BTF) in Go
46. door-awesomer-arduino (C, 1 star)
47. ubuntuami (Go, 1 star)
48. parquet-buddy (Go, 1 star): Parquet-buddy is a CLI tool for inspecting parquet files written in Go
49. cloudflareip (Go, 1 star)