This is a project demonstrating leveraging the TPM remote attestation protocol to provision SPIFFE X.509 SVIDs. Most of the work was done for the 2022 Student Design Competition on Networked Computing at the Edge and is meant to demonstrate how painless it can be to generate short-lived X.509 certificates to support mTLS at the edge.
- Go 1.22
A Dockerfile is provided if a container is desired, but to build binaries for your local architecture:
makeThe server binary will expose a gRPC server listening for TPM attestation challenges
# Starts listening on port 8080 by default
./serverThe client binary will send a TPM attestation request to a specific server. Since it needs to interact with the TPM, it needs to be run with elevated privileges.
# Sends an attestation request to localhost:8080 by default
sudo ./client -insecure
# If the target supports TLS the -insecure flag can be dropped
sudo ./client -host "cloud.run.app:443"This requires additional dependencies - if you use the nix package manager, a flake is provided to get these setup.
- protobuf v3.19.0
- protoc-gen-go v1.28.0
- protoc-gen-go-grpc v1.2.0
If the protobuf definitions are modified, the generated code will need to be updated:
make gen