attestationd: support attestation-based enrollment
This change ports the functionallity added in c/370302 to attestationd.
When the attestation daemon launches, it will read the contents of
ABE_DATA_FILE and use it to generate the enterprise_enrollment_nonce
when creating an AttestationEnrollmentRequest.
The mechanism for reading the ABE_DATA is the same as the one used in
cryptohomed:
https://chromium.googlesource.com/chromiumos/platform2/+/a5d9e02d2d7bdf68378cdacb2fc7ba2eaaaedf97/cryptohome/init/cryptohomed.conf
The ABE data is passed to attestationd, and every time
CreateEnrollRequestInternal is called, it will calculate the DEN based
on the ABE data: HMAC::SHA256("attestation_based_enrollment", ABE_DATA)
The DEN is set in the EnterpriseEnrollmentNonce field from the
AttestationEnrollmentRequest message that is going to be sent to the
PCA.
PCA then will calculate the Enrollment ID with: HMAC::SHA256(DEN,
TPMPublicKey) and add that value to the AIKCert that we receive.
BUG=chromium:641153
TEST=unit tests. Manually verified PCA Enrollment works with and without
ABE_DATA.
Change-Id: I78df5e1661f8a59df08e1baecd2879ba73a13cee
Reviewed-on: https://chromium-review.googlesource.com/562532
Commit-Ready: Marco Vanotti <mvanotti@google.com>
Tested-by: Marco Vanotti <mvanotti@google.com>
Reviewed-by: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
5 files changed
