Skip to content

Instantly share code, notes, and snippets.

@salrashid123

salrashid123/exponent.go

Created August 24, 2025 19:05
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save salrashid123/e962571153aafc9bf2fd6fb69e23bcf4 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save salrashid123/e962571153aafc9bf2fd6fb69e23bcf4 to your computer and use it in GitHub Desktop.
Download ZIP
create ek rsa key with exponent
Raw
exponent.go
package main
import (
"crypto/x509"
"encoding/hex"
"encoding/pem"
"flag"
"io"
"log"
"net"
"slices"
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpm2/transport"
"github.com/google/go-tpm/tpmutil"
)
const ()
var (
tpmPath = flag.String("tpm-path", "127.0.0.1:2341", "Path to the TPM device (character device or a Unix socket).")
)
var TPMDEVICES = []string{"/dev/tpm0", "/dev/tpmrm0"}
func OpenTPM(path string) (io.ReadWriteCloser, error) {
if slices.Contains(TPMDEVICES, path) {
return tpmutil.OpenTPM(path)
} else {
return net.Dial("tcp", path)
}
}
func main() {
flag.Parse()
log.Println("======= Init ========")
rwc, err := OpenTPM(*tpmPath)
if err != nil {
log.Fatalf("can't open TPM %q: %v", *tpmPath, err)
}
defer func() {
rwc.Close()
}()
rwr := transport.FromReadWriter(rwc)
log.Printf("======= EK ========")
tmpl := tpm2.TPMTPublic{
Type: tpm2.TPMAlgRSA,
NameAlg: tpm2.TPMAlgSHA256,
ObjectAttributes: tpm2.TPMAObject{
FixedTPM: true,
STClear: false,
FixedParent: true,
SensitiveDataOrigin: true,
UserWithAuth: false,
AdminWithPolicy: true,
NoDA: false,
EncryptedDuplication: false,
Restricted: true,
Decrypt: true,
SignEncrypt: false,
},
AuthPolicy: tpm2.TPM2BDigest{
Buffer: []byte{
// TPM2_PolicySecret(RH_ENDORSEMENT)
0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xB3, 0xF8,
0x1A, 0x90, 0xCC, 0x8D, 0x46, 0xA5, 0xD7, 0x24,
0xFD, 0x52, 0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14, 0x69, 0xAA,
},
},
Parameters: tpm2.NewTPMUPublicParms(
tpm2.TPMAlgRSA,
&tpm2.TPMSRSAParms{
Symmetric: tpm2.TPMTSymDefObject{
Algorithm: tpm2.TPMAlgAES,
KeyBits: tpm2.NewTPMUSymKeyBits(
tpm2.TPMAlgAES,
tpm2.TPMKeyBits(128),
),
Mode: tpm2.NewTPMUSymMode(
tpm2.TPMAlgAES,
tpm2.TPMAlgCFB,
),
},
KeyBits: 2048,
Exponent: 0, // uint32(65537),
},
),
Unique: tpm2.NewTPMUPublicID(
tpm2.TPMAlgRSA,
&tpm2.TPM2BPublicKeyRSA{
Buffer: make([]byte, 256),
},
),
}
cCreateEK, err := tpm2.CreatePrimary{
PrimaryHandle: tpm2.TPMRHEndorsement,
InPublic: tpm2.New2B(tmpl),
}.Execute(rwr)
if err != nil {
log.Fatalf("can't create object TPM %q: %v", *tpmPath, err)
}
defer func() {
flushContextCmd := tpm2.FlushContext{
FlushHandle: cCreateEK.ObjectHandle,
}
_, err := flushContextCmd.Execute(rwr)
if err != nil {
log.Fatalf("can't close TPM %q: %v", *tpmPath, err)
}
}()
log.Printf("Name %s\n", hex.EncodeToString(cCreateEK.Name.Buffer))
rsaEKpub, err := cCreateEK.OutPublic.Contents()
if err != nil {
log.Fatalf("Failed to get rsa public: %v", err)
}
rsaEKDetail, err := rsaEKpub.Parameters.RSADetail()
if err != nil {
log.Fatalf("Failed to get rsa details: %v", err)
}
rsaEKUnique, err := rsaEKpub.Unique.RSA()
if err != nil {
log.Fatalf("Failed to get rsa unique: %v", err)
}
primaryRsaEKPub, err := tpm2.RSAPub(rsaEKDetail, rsaEKUnique)
if err != nil {
log.Fatalf("Failed to get rsa public key: %v", err)
}
b4, err := x509.MarshalPKIXPublicKey(primaryRsaEKPub)
if err != nil {
log.Fatalf("Unable to convert rsaGCEAKPub: %v", err)
}
block := &pem.Block{
Type: "PUBLIC KEY",
Bytes: b4,
}
primaryEKPEMByte := pem.EncodeToMemory(block)
log.Printf("RSA createPrimary public \n%s\n", string(primaryEKPEMByte))
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment