Fix crypto routines, add SM2/SM3 support, parsing issues

cmd/bg-prov/cmd.go

@@ -16,7 +16,6 @@ import (
 	"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/key"
 	"github.com/9elements/converged-security-suite/v2/pkg/provisioning/bg"
 	"github.com/9elements/converged-security-suite/v2/pkg/tools"
-	"github.com/google/go-tpm/tpm2"
 )
 
 type context struct {
@@ -43,7 +42,7 @@ type templateCmd struct {
 	DMABase1    uint64               `flag optional name:"dmabase1" help:"High DMA protected range base."`
 	DMASize1    uint64               `flag optional name:"dmasize1" help:"High DMA protected range limit."`
 	EntryPoint  uint32               `flag optional name:"entrypoint" help:"IBB (Startup BIOS) entry point"`
-	IbbHash     []tpm2.Algorithm     `flag optional name:"ibbhash" help:"IBB Hash Algorithm"`
+	IbbHash     []manifest.Algorithm `flag optional name:"ibbhash" help:"IBB Hash Algorithm"`
 	IbbSegbase  uint32               `flag optional name:"ibbsegbase" help:"Value for IbbSegment structure"`
 	IbbSegsize  uint32               `flag optional name:"ibbsegsize" help:"Value for IBB segment structure"`
 	IbbSegFlag  uint16               `flag optional name:"ibbsegflag" help:"Reducted"`
@@ -89,19 +88,19 @@ type bpmExportCmd struct {
 }
 
 type generateKMCmd struct {
-	KM         string         `arg required name:"km" help:"Path to the newly generated Key Manifest binary file." type:"path"`
-	Key        string         `arg required name:"key" help:"Public signing key"`
-	Config     string         `flag optional name:"config" help:"Path to the JSON config file." type:"path"`
-	Revision   uint8          `flag optional name:"revision" help:"Platform Manufacturer’s BPM revision number."`
-	SVN        manifest.SVN   `flag optional name:"svn" help:"Boot Policy Manifest Security Version Number"`
-	ID         uint8          `flag optional name:"id" help:"The key Manifest Identifier"`
-	PKHashAlg  tpm2.Algorithm `flag optional name:"pkhashalg" help:"Hash algorithm of OEM public key digest"`
-	KMHashes   []key.Hash     `flag optional name:"kmhashes" help:"Key hashes for BPM, ACM, uCode etc"`
-	BpmPubkey  string         `flag optional name:"bpmpubkey" help:"Path to bpm public signing key"`
-	BpmHashAlg tpm2.Algorithm `flag optional name:"bpmhashalgo" help:"Hash algorithm for bpm public signing key"`
-	Out        string         `flag optional name:"out" help:"Path to write applied config to"`
-	Cut        bool           `flag optional name:"cut" help:"Cuts the signature before writing to binary."`
-	PrintME    bool           `flag optional name:"printme" help:"Prints the hash of KM public signing key"`
+	KM         string             `arg required name:"km" help:"Path to the newly generated Key Manifest binary file." type:"path"`
+	Key        string             `arg required name:"key" help:"Public signing key"`
+	Config     string             `flag optional name:"config" help:"Path to the JSON config file." type:"path"`
+	Revision   uint8              `flag optional name:"revision" help:"Platform Manufacturer’s BPM revision number."`
+	SVN        manifest.SVN       `flag optional name:"svn" help:"Boot Policy Manifest Security Version Number"`
+	ID         uint8              `flag optional name:"id" help:"The key Manifest Identifier"`
+	PKHashAlg  manifest.Algorithm `flag optional name:"pkhashalg" help:"Hash algorithm of OEM public key digest"`
+	KMHashes   []key.Hash         `flag optional name:"kmhashes" help:"Key hashes for BPM, ACM, uCode etc"`
+	BpmPubkey  string             `flag optional name:"bpmpubkey" help:"Path to bpm public signing key"`
+	BpmHashAlg manifest.Algorithm `flag optional name:"bpmhashalgo" help:"Hash algorithm for bpm public signing key"`
+	Out        string             `flag optional name:"out" help:"Path to write applied config to"`
+	Cut        bool               `flag optional name:"cut" help:"Cuts the signature before writing to binary."`
+	PrintME    bool               `flag optional name:"printme" help:"Prints the hash of KM public signing key"`
 }
 
 type generateBPMCmd struct {
@@ -123,7 +122,7 @@ type generateBPMCmd struct {
 	DMABase1    uint64               `flag optional name:"dmabase1" help:"High DMA protected range base."`
 	DMASize1    uint64               `flag optional name:"dmasize1" help:"High DMA protected range limit."`
 	EntryPoint  uint32               `flag optional name:"entrypoint" help:"IBB (Startup BIOS) entry point"`
-	IbbHash     []tpm2.Algorithm     `flag optional name:"ibbhash" help:"IBB Hash Algorithm"`
+	IbbHash     []manifest.Algorithm `flag optional name:"ibbhash" help:"IBB Hash Algorithm"`
 	IbbSegbase  uint32               `flag optional name:"ibbsegbase" help:"Value for IbbSegment structure"`
 	IbbSegsize  uint32               `flag optional name:"ibbsegsize" help:"Value for IBB segment structure"`
 	IbbSegFlag  uint16               `flag optional name:"ibbsegflag" help:"Reducted"`
@@ -188,11 +187,9 @@ func (kmp *kmPrintCmd) Run(ctx *context) error {
 		return err
 	}
 	km.Print()
-
-	if err := km.KeyAndSignature.Key.PrintMEKey(); err != nil {
+	if err := km.KeyAndSignature.Key.PrintKMPubKey(km.PubKeyHashAlg); err != nil {
 		return err
 	}
-
 	return nil
 }
 
@@ -207,6 +204,9 @@ func (bpmp *bpmPrintCmd) Run(ctx *context) error {
 		return err
 	}
 	bpm.Print()
+	if err := bpm.PMSE.KeySignature.Key.PrintBPMPubKey(bpm.PMSE.Signature.HashAlg); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -330,7 +330,7 @@ func (g *generateKMCmd) Run(ctx *context) error {
 		return err
 	}
 	if g.PrintME {
-		if err := options.KeyManifest.KeyAndSignature.Key.PrintMEKey(); err != nil {
+		if err := options.KeyManifest.KeyAndSignature.Key.PrintKMPubKey(options.KeyManifest.PubKeyHashAlg); err != nil {
 			return err
 		}
 	}

go.mod

@@ -5,18 +5,29 @@ go 1.13
 require (
 	github.com/alecthomas/kong v0.2.11
 	github.com/creasty/defaults v1.5.1
+	github.com/dsnet/compress v0.0.1 // indirect
 	github.com/dustin/go-humanize v1.0.0
 	github.com/fatih/camelcase v1.0.0
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/fearful-symmetry/gomsr v0.0.1
+	github.com/frankban/quicktest v1.11.3 // indirect
+	github.com/golang/snappy v0.0.2 // indirect
 	github.com/google/go-tpm v0.3.3-0.20210120190357-1ff48daca32f
 	github.com/intel-go/cpuid v0.0.0-20200819041909-2aa72927c3e2
 	github.com/linuxboot/fiano v5.0.0+incompatible
 	github.com/logrusorgru/aurora v2.0.3+incompatible
+	github.com/mholt/archiver v3.1.1+incompatible
+	github.com/nwaples/rardecode v1.1.0 // indirect
+	github.com/pierrec/lz4 v2.6.0+incompatible // indirect
+	github.com/spf13/pflag v1.0.3
 	github.com/stretchr/testify v1.2.2
 	github.com/tidwall/pretty v1.0.2
+	github.com/tjfoc/gmsm v1.4.0
 	github.com/ulikunitz/xz v0.5.8 // indirect
 	github.com/xaionaro-go/gosrc v0.0.0-20201124181305-3fdf8476a735
 	github.com/xaionaro-go/unsafetools v0.0.0-20200202162159-021b112c4d30 // indirect
-	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a
+	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
+	golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee
+	golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b // indirect
+	golang.org/x/text v0.3.3 // indirect
 )

go.sum

@@ -11,6 +11,7 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
@@ -25,9 +26,14 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/dsnet/compress v0.0.1 h1:PlZu0n3Tuv04TzpfPbrnI0HW/YwodEXDS+oPKahKF0Q=
+github.com/dsnet/compress v0.0.1/go.mod h1:Aw8dCMJ7RioblQeTqt88akK31OvO8Dhf5JflhBbQEHo=
+github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8=
 github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
@@ -35,6 +41,8 @@ github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/fearful-symmetry/gomsr v0.0.1 h1:m208RzdTApWVbv8a9kf78rdPLQe+BY9AxRb/nSbHxSA=
 github.com/fearful-symmetry/gomsr v0.0.1/go.mod h1:Qb/0Y7zwobP7v8Sji+M5mlL4N7Voyz5WaKXXRFPnLio=
+github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebPhedY=
+github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@@ -50,12 +58,16 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/snappy v0.0.2 h1:aeE13tS0IiQgFjYdoL8qN3K1N2bXXtI6Vi51/y7BpMw=
+github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -67,8 +79,6 @@ github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI=
 github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw=
-github.com/google/go-tpm v0.3.2 h1:3iQQ2dlEf+1no7CLlfLPYzxhQy7j2G/emBqU5okydaw=
-github.com/google/go-tpm v0.3.2/go.mod h1:j71sMBTfp3X5jPHz852ZOfQMUOf65Gb/Th8pRmp7fvg=
 github.com/google/go-tpm v0.3.3-0.20210120190357-1ff48daca32f h1:L2/I8aWw3KRzIPQ55ps20JfD8tF/olPBJepwmGHxiXA=
 github.com/google/go-tpm v0.3.3-0.20210120190357-1ff48daca32f/go.mod h1:j71sMBTfp3X5jPHz852ZOfQMUOf65Gb/Th8pRmp7fvg=
 github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0=
@@ -85,10 +95,15 @@ github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/linuxboot/fiano v5.0.0+incompatible h1:DZAZO0z9l35cakTNnkdh+yWRZfzCCJnDHmPAYW/t0No=
 github.com/linuxboot/fiano v5.0.0+incompatible/go.mod h1:IPKmAwYdbidivI8+nWCBO97QkdsiF8OThAHowU8Tvdk=
@@ -96,11 +111,17 @@ github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczG
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mholt/archiver v3.1.1+incompatible h1:1dCVxuqs0dJseYEhi5pl7MYPH9zDa1wBi7mF09cbNkU=
+github.com/mholt/archiver v3.1.1+incompatible/go.mod h1:Dh2dOXnSdiLxRiPoVfIr/fI1TwETms9B8CTWfeh7ROU=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/nwaples/rardecode v1.1.0 h1:vSxaY8vQhOcVr4mm5e8XllHWTiM4JF507A0Katqw7MQ=
+github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pierrec/lz4 v2.6.0+incompatible h1:Ix9yFKn1nSPBLFl/yZknTp8TU5G4Ps0JDmguYK6iH1A=
+github.com/pierrec/lz4 v2.6.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -137,15 +158,20 @@ github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/tidwall/pretty v1.0.2 h1:Z7S3cePv9Jwm1KwS0513MRaoUe3S01WPbLNV40pwWZU=
 github.com/tidwall/pretty v1.0.2/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
+github.com/tjfoc/gmsm v1.4.0 h1:8nbaiZG+iVdh+fXVw0DZoZZa7a4TGm3Qab+xdrdzj8s=
+github.com/tjfoc/gmsm v1.4.0/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
+github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
 github.com/ulikunitz/xz v0.5.8 h1:ERv8V6GKqVi23rgu5cj9pVfVzJbOqAY2Ntl88O6c2nQ=
 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/xaionaro-go/gosrc v0.0.0-20201124181305-3fdf8476a735 h1:I5vlWq623SQl/E48ulUZP2YN+vlLMhzyETuOuTNtZhI=
 github.com/xaionaro-go/gosrc v0.0.0-20201124181305-3fdf8476a735/go.mod h1:KWPOUqeg7VZ8gE4MQJJmG+YgmNf2yAkBiDI++R48tFg=
 github.com/xaionaro-go/unsafetools v0.0.0-20200202162159-021b112c4d30 h1:6HCWbXp+IoQx6XRlVbcDlM0BSWigu8H2FM6VdXeOk5s=
 github.com/xaionaro-go/unsafetools v0.0.0-20200202162159-021b112c4d30/go.mod h1:spWmgrD4QEkFsootCLGU3OLWgeeJew0KXrCsVPWBQ88=
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
@@ -156,8 +182,9 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 h1:mKdxBk7AujPs8kU4m80U72y/zjbZ3UcXC7dClwKbUI0=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a h1:vclmkQCjlDX5OydZ9wv8rBCcS0QyQY66Mpf/7BZbInM=
-golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee h1:4yd7jl+vXjalO5ztz6Vc1VADv+S/80LGJmyl1ROJ2AI=
+golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -170,6 +197,7 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -182,12 +210,18 @@ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201207223542-d4d67f95c62d h1:MiWWjyhUzZ+jvhZvloX6ZrUsdEghn8a64Upd8EMHglE=
 golang.org/x/sys v0.0.0-20201207223542-d4d67f95c62d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b h1:lAZ0/chPUDWwjqosYR0X4M490zQhMsiJ4K3DbA7o+3g=
+golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -202,13 +236,16 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEY
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=

pkg/intel/metadata/manifest/README.md

@@ -1,3 +1,10 @@
+Prequesites:
+Open another terminal and go get the sm2/sm3 crypto library into your gopath.
+The code generator disables go modules.
+```
+GOPATH=your/go/path go get "github.com/tjfoc/gmsm/sm2"
+```
+
 To generalize all the logic related to Boot Policy Manifest and Key Manifest
 we use code generation. Therefore it is enough to create structure declarations
 and run command from this directory:

pkg/intel/metadata/manifest/crypto_routines.go

@@ -0,0 +1,109 @@
+package manifest
+
+import (
+	"crypto"
+	"fmt"
+	"strings"
+)
+
+// MAX_DIGEST_BUFFER is the maximum size of []byte request or response fields.
+// Typically used for chunking of big blobs of data (such as for hashing or
+// encryption).
+const maxDigestBuffer = 1024
+
+// Algorithm represents a crypto algorithm value.
+type Algorithm uint16
+
+const (
+	AlgUnknown Algorithm = 0x0000
+	AlgRSA     Algorithm = 0x0001
+	AlgSHA1    Algorithm = 0x0004
+	AlgSHA256  Algorithm = 0x000B
+	AlgSHA384  Algorithm = 0x000C
+	AlgSHA512  Algorithm = 0x000D
+	AlgNull    Algorithm = 0x0010
+	AlgSM3_256 Algorithm = 0x0012
+	AlgRSASSA  Algorithm = 0x0014
+	AlgRSAPSS  Algorithm = 0x0016
+	AlgECDSA   Algorithm = 0x0018
+	AlgSM2     Algorithm = 0x001b
+	AlgECC     Algorithm = 0x0023
+)
+
+var hashInfo = []struct {
+	alg  Algorithm
+	hash crypto.Hash
+}{
+	{AlgSHA1, crypto.SHA1},
+	{AlgSHA256, crypto.SHA256},
+	{AlgSHA384, crypto.SHA384},
+	{AlgSHA512, crypto.SHA512},
+}
+
+// HashToAlgorithm looks up the manifest algorithm corresponding to the provided crypto.Hash
+func HashToAlgorithm(hash crypto.Hash) (Algorithm, error) {
+	for _, info := range hashInfo {
+		if info.hash == hash {
+			return info.alg, nil
+		}
+	}
+	return AlgUnknown, fmt.Errorf("go hash algorithm #%d has no manifest algorithm", hash)
+}
+
+// IsNull returns true if a is AlgNull or zero (unset).
+func (a Algorithm) IsNull() bool {
+	return a == AlgNull || a == AlgUnknown
+}
+
+// Hash returns a crypto.Hash based on the given id.
+// An error is returned if the given algorithm is not a hash algorithm or is not available.
+func (a Algorithm) Hash() (crypto.Hash, error) {
+	for _, info := range hashInfo {
+		if info.alg == a {
+			if !info.hash.Available() {
+				return crypto.Hash(0), fmt.Errorf("go hash algorithm #%d not available", info.hash)
+			}
+			return info.hash, nil
+		}
+	}
+	return crypto.Hash(0), fmt.Errorf("hash algorithm not supported: 0x%x", a)
+}
+
+func (a Algorithm) String() string {
+	var s strings.Builder
+	var err error
+	switch a {
+	case AlgUnknown:
+		_, err = s.WriteString("AlgUnknown")
+	case AlgRSA:
+		_, err = s.WriteString("RSA")
+	case AlgSHA1:
+		_, err = s.WriteString("SHA1")
+	case AlgSHA256:
+		_, err = s.WriteString("SHA256")
+	case AlgSHA384:
+		_, err = s.WriteString("SHA384")
+	case AlgSHA512:
+		_, err = s.WriteString("SHA512")
+	case AlgSM3_256:
+		_, err = s.WriteString("SM3_256")
+	case AlgNull:
+		_, err = s.WriteString("AlgNull")
+	case AlgRSASSA:
+		_, err = s.WriteString("RSASSA")
+	case AlgRSAPSS:
+		_, err = s.WriteString("RSAPSS")
+	case AlgECDSA:
+		_, err = s.WriteString("ECDSA")
+	case AlgECC:
+		_, err = s.WriteString("ECC")
+	case AlgSM2:
+		_, err = s.WriteString("SM2")
+	default:
+		return fmt.Sprintf("Alg?<%d>", int(a))
+	}
+	if err != nil {
+		return fmt.Sprintf("Writing to string builder failed: %v", err)
+	}
+	return s.String()
+}

pkg/intel/metadata/manifest/hash.go

@@ -2,12 +2,10 @@
 
 package manifest
 
-import "github.com/google/go-tpm/tpm2"
-
 // HashStructure describes a digest.
 type HashStructure struct {
-	HashAlg    tpm2.Algorithm `default:"0x10" json:"hs_Alg"`
-	HashBuffer []byte         `json:"hs_Buffer"`
+	HashAlg    Algorithm `default:"0x10" json:"hs_Alg"`
+	HashBuffer []byte    `json:"hs_Buffer"`
 }
 
 // HashList describes multiple digests

pkg/intel/metadata/manifest/key.go

@@ -8,20 +8,19 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rsa"
-	"crypto/sha256"
 	"encoding/binary"
 	"fmt"
 	"math/big"
 
-	"github.com/google/go-tpm/tpm2"
+	"github.com/tjfoc/gmsm/sm2"
 )
 
 // Key is a public key of an asymmetric crypto keypair.
 type Key struct {
-	KeyAlg  tpm2.Algorithm `json:"key_alg"`
-	Version uint8          `require:"0x10"  json:"key_version"`
-	KeySize BitSize        `json:"key_bitsize"`
-	Data    []byte         `countValue:"keyDataSize()" json:"key_data"`
+	KeyAlg  Algorithm `json:"key_alg"`
+	Version uint8     `require:"0x10"  json:"key_version"`
+	KeySize BitSize   `json:"key_bitsize"`
+	Data    []byte    `countValue:"keyDataSize()" json:"key_data"`
 }
 
 // BitSize is a size in bits.
@@ -51,9 +50,9 @@ func (ks *BitSize) SetInBytes(amountOfBytes uint16) {
 // KeyAlg and KeySize.
 func (k Key) keyDataSize() int64 {
 	switch k.KeyAlg {
-	case tpm2.AlgRSA:
+	case AlgRSA:
 		return int64(k.KeySize.InBytes()) + 4
-	case tpm2.AlgECC:
+	case AlgECC, AlgSM2:
 		return int64(k.KeySize.InBytes()) * 2
 	}
 	return -1
@@ -70,18 +69,23 @@ func (k Key) PubKey() (crypto.PublicKey, error) {
 	}
 
 	switch k.KeyAlg {
-	case tpm2.AlgRSA:
+	case AlgRSA:
 		result := &rsa.PublicKey{
 			N: new(big.Int).SetBytes(reverseBytes(k.Data[4:])),
 			E: int(binaryOrder.Uint32(k.Data)),
 		}
 
 		return result, nil
-	case tpm2.AlgECC:
+	case AlgECC:
 		keySize := k.KeySize.InBytes()
 		x := new(big.Int).SetBytes(reverseBytes(k.Data[:keySize]))
 		y := new(big.Int).SetBytes(reverseBytes(k.Data[keySize:]))
 		return ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
+	case AlgSM2:
+		keySize := k.KeySize.InBytes()
+		x := new(big.Int).SetBytes(reverseBytes(k.Data[:keySize]))
+		y := new(big.Int).SetBytes(reverseBytes(k.Data[keySize:]))
+		return sm2.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
 	}
 
 	return nil, fmt.Errorf("unexpected TPM algorithm: %s", k.KeyAlg)
@@ -101,7 +105,7 @@ func (k *Key) SetPubKey(key crypto.PublicKey) error {
 
 	switch key := key.(type) {
 	case *rsa.PublicKey:
-		k.KeyAlg = tpm2.AlgRSA
+		k.KeyAlg = AlgRSA
 		n := key.N.Bytes()
 		k.KeySize.SetInBytes(uint16(len(n)))
 		k.Data = make([]byte, 4+len(n))
@@ -111,7 +115,25 @@ func (k *Key) SetPubKey(key crypto.PublicKey) error {
 
 	case *ecdsa.PublicKey:
 		var x, y *big.Int
-		k.KeyAlg = tpm2.AlgRSA
+		k.KeyAlg = AlgECC
+		x, y = key.X, key.Y
+		if x == nil || y == nil {
+			return fmt.Errorf("the pubkey '%#+v' is invalid: x == nil || y == nil", key)
+		}
+		k.KeySize.SetInBits(256)
+		xB, yB := x.Bytes(), y.Bytes()
+		if len(xB) != int(k.KeySize.InBytes()) || len(yB) != int(k.KeySize.InBytes()) {
+			return fmt.Errorf("the pubkey '%#+v' is invalid: len(x)<%d> != %d || len(y)<%d> == %d",
+				key, len(xB), int(k.KeySize.InBytes()), len(yB), int(k.KeySize.InBytes()))
+		}
+		k.Data = make([]byte, 2*k.KeySize.InBytes())
+		copy(k.Data[:], reverseBytes(xB))
+		copy(k.Data[len(xB):], reverseBytes(yB))
+		return nil
+
+	case *sm2.PublicKey:
+		var x, y *big.Int
+		k.KeyAlg = AlgSM2
 		x, y = key.X, key.Y
 		if x == nil || y == nil {
 			return fmt.Errorf("the pubkey '%#+v' is invalid: x == nil || y == nil", key)
@@ -131,19 +153,66 @@ func (k *Key) SetPubKey(key crypto.PublicKey) error {
 	return fmt.Errorf("unexpected key type: %T", key)
 }
 
-//PrintMEKey prints the KM public signing key hash to fuse into the Intel ME
-func (k *Key) PrintMEKey() error {
+//PrintBPMPubKey prints the BPM public signing key hash to fuse into the Intel ME
+func (k *Key) PrintBPMPubKey(bpmAlg Algorithm) error {
 	buf := new(bytes.Buffer)
 	if len(k.Data) > 1 {
-		if err := binary.Write(buf, binary.LittleEndian, k.Data[4:]); err != nil {
-			return nil
+		if k.KeyAlg == AlgRSA {
+			if err := binary.Write(buf, binary.LittleEndian, k.Data[4:]); err != nil {
+				return err
+			}
+			h, err := bpmAlg.Hash()
+			if err != nil {
+				return err
+			}
+			hash := h.New()
+			hash.Write(buf.Bytes())
+			fmt.Printf("   Boot Policy Manifest Pubkey Hash: 0x%x\n", hash.Sum(nil))
+		} else if k.KeyAlg == AlgSM2 || k.KeyAlg == AlgECC {
+			if err := binary.Write(buf, binary.LittleEndian, k.Data); err != nil {
+				return err
+			}
+			h, err := bpmAlg.Hash()
+			if err != nil {
+				return err
+			}
+			hash := h.New()
+			hash.Write(buf.Bytes())
+			fmt.Printf("   Boot Policy Manifest Pubkey Hash: 0x%x\n", hash.Sum(nil))
+		} else {
+			fmt.Printf("   Boot Policy Manifest Pubkey Hash: Unknown Algorithm\n")
 		}
-		if err := binary.Write(buf, binary.LittleEndian, k.Data[:4]); err != nil {
-			return nil
+	} else {
+		fmt.Printf("   Boot Policy Pubkey Hash: No km public key set in KM\n")
+	}
+
+	return nil
+}
+
+//PrintKMPubKey prints the KM public signing key hash to fuse into the Intel ME
+func (k *Key) PrintKMPubKey(kmAlg Algorithm) error {
+	buf := new(bytes.Buffer)
+	if len(k.Data) > 1 {
+		if k.KeyAlg == AlgRSA {
+			if err := binary.Write(buf, binary.LittleEndian, k.Data[4:]); err != nil {
+				return err
+			}
+			if err := binary.Write(buf, binary.LittleEndian, k.Data[:4]); err != nil {
+				return err
+			}
+			if kmAlg != AlgSHA256 {
+				return fmt.Errorf("KM public key hash algorithm must be SHA256")
+			}
+			h, err := kmAlg.Hash()
+			if err != nil {
+				return err
+			}
+			hash := h.New()
+			hash.Write(buf.Bytes())
+			fmt.Printf("   Key Manifest Pubkey Hash: 0x%x\n", hash.Sum(nil))
+		} else {
+			fmt.Printf("   Key Manifest Pubkey Hash: Unsupported Algorithm\n")
 		}
-		h := sha256.New()
-		h.Write(buf.Bytes())
-		fmt.Printf("   Key Manifest Pubkey Hash: 0x%x\n", h.Sum(nil))
 	} else {
 		fmt.Printf("   Key Manifest Pubkey Hash: No km public key set in KM\n")
 	}

pkg/intel/metadata/manifest/key/manifest.go

@@ -6,8 +6,6 @@ import (
 	"crypto"
 	"fmt"
 
-	"github.com/google/go-tpm/tpm2"
-
 	"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest"
 )
 
@@ -35,7 +33,7 @@ type Manifest struct {
 
 	// PubKeyHashAlg is the hash algorithm of OEM public key digest programmed
 	// into the FPF.
-	PubKeyHashAlg tpm2.Algorithm `json:"km_PubKeyHashAlg"`
+	PubKeyHashAlg manifest.Algorithm `json:"km_PubKeyHashAlg"`
 
 	// Hash is the slice of KMHASH_STRUCT (KHS) structures (see table 5-3
 	// of the document #575623). Describes BPM pubkey digest (among other).
@@ -46,7 +44,7 @@ type Manifest struct {
 }
 
 func (m *Manifest) SetSignature(
-	algo tpm2.Algorithm,
+	algo manifest.Algorithm,
 	privKey crypto.Signer,
 	signedData []byte,
 ) error {

pkg/intel/metadata/manifest/key_signature.go

@@ -5,8 +5,6 @@ package manifest
 import (
 	"crypto"
 	"fmt"
-
-	"github.com/google/go-tpm/tpm2"
 )
 
 // KeySignature
@@ -38,7 +36,7 @@ func (m *KeySignature) Verify(signedData []byte) error {
 //
 // if signAlgo is zero then it is detected automatically, based on the type
 // of the provided private key.
-func (ks *KeySignature) SetSignature(signAlgo tpm2.Algorithm, privKey crypto.Signer, signedData []byte) error {
+func (ks *KeySignature) SetSignature(signAlgo Algorithm, privKey crypto.Signer, signedData []byte) error {
 	err := ks.Key.SetPubKey(privKey.Public())
 	if err != nil {
 		return fmt.Errorf("unable to set public key: %w", err)

pkg/intel/metadata/manifest/signature.go

@@ -7,8 +7,6 @@ import (
 	"crypto/rand"
 	"fmt"
 	"math/big"
-
-	"github.com/google/go-tpm/tpm2"
 )
 
 var (
@@ -18,11 +16,11 @@ var (
 
 // Signature exports the Signature structure
 type Signature struct {
-	SigScheme tpm2.Algorithm `json:"sig_scheme"`
-	Version   uint8          `require:"0x10" json:"sig_version,omitempty"`
-	KeySize   BitSize        `json:"sig_keysize,omitempty"`
-	HashAlg   tpm2.Algorithm `json:"sig_hashAlg"`
-	Data      []byte         `countValue:"KeySize.InBytes()" prettyValue:"dataPrettyValue()" json:"sig_data"`
+	SigScheme Algorithm `json:"sig_scheme"`
+	Version   uint8     `require:"0x10" json:"sig_version,omitempty"`
+	KeySize   BitSize   `json:"sig_keysize,omitempty"`
+	HashAlg   Algorithm `json:"sig_hashAlg"`
+	Data      []byte    `countValue:"KeySize.InBytes()" prettyValue:"dataPrettyValue()" json:"sig_data"`
 }
 
 func (m Signature) dataPrettyValue() interface{} {
@@ -36,9 +34,9 @@ func (m Signature) dataPrettyValue() interface{} {
 // * SignatureSM2
 func (m Signature) SignatureData() (SignatureDataInterface, error) {
 	switch m.SigScheme {
-	case tpm2.AlgRSASSA:
+	case AlgRSA:
 		return SignatureRSAASA(m.Data), nil
-	case tpm2.AlgECDSA:
+	case AlgECDSA:
 		if len(m.Data) != 64 && len(m.Data) != 96 {
 			return nil, fmt.Errorf("invalid length of the signature data: %d (expected 64 or 96)", len(m.Data))
 		}
@@ -46,6 +44,14 @@ func (m Signature) SignatureData() (SignatureDataInterface, error) {
 			R: new(big.Int).SetBytes(reverseBytes(m.Data[:len(m.Data)/2])),
 			S: new(big.Int).SetBytes(reverseBytes(m.Data[len(m.Data)/2:])),
 		}, nil
+	case AlgSM2:
+		if len(m.Data) != 64 && len(m.Data) != 96 {
+			return nil, fmt.Errorf("invalid length of the signature data: %d (expected 64 or 96)", len(m.Data))
+		}
+		return SignatureSM2{
+			R: new(big.Int).SetBytes(reverseBytes(m.Data[:len(m.Data)/2])),
+			S: new(big.Int).SetBytes(reverseBytes(m.Data[len(m.Data)/2:])),
+		}, nil
 	}
 
 	return nil, fmt.Errorf("unexpected signature scheme: %s", m.SigScheme)
@@ -64,12 +70,16 @@ func (m *Signature) SetSignatureByData(sig SignatureDataInterface) error {
 
 	switch sig := sig.(type) {
 	case SignatureRSAASA:
-		m.SigScheme = tpm2.AlgRSASSA
-		m.HashAlg = tpm2.AlgSHA256
+		m.SigScheme = AlgRSA
+		m.HashAlg = AlgSHA256
 		m.KeySize.SetInBytes(uint16(len(m.Data)))
 	case SignatureECDSA:
-		m.SigScheme = tpm2.AlgECDSA
-		m.HashAlg = tpm2.AlgSHA256
+		m.SigScheme = AlgECDSA
+		m.HashAlg = AlgSHA256
+		m.KeySize.SetInBits(uint16(sig.R.BitLen()))
+	case SignatureSM2:
+		m.SigScheme = AlgSM2
+		m.HashAlg = AlgSM3_256
 		m.KeySize.SetInBits(uint16(sig.R.BitLen()))
 	default:
 		return fmt.Errorf("unexpected signature type: %T", sig)
@@ -91,6 +101,8 @@ func (m *Signature) SetSignatureData(sig SignatureDataInterface) error {
 		switch sig := sig.(type) {
 		case SignatureECDSA:
 			r, s = sig.R, sig.S
+		case SignatureSM2:
+			r, s = sig.R, sig.S
 		default:
 			return fmt.Errorf("internal error")
 		}
@@ -114,7 +126,7 @@ func (m *Signature) SetSignatureData(sig SignatureDataInterface) error {
 //
 // if signAlgo is zero then it is detected automatically, based on the type
 // of the provided private key.
-func (m *Signature) SetSignature(signAlgo tpm2.Algorithm, privKey crypto.Signer, signedData []byte) error {
+func (m *Signature) SetSignature(signAlgo Algorithm, privKey crypto.Signer, signedData []byte) error {
 	signData, err := NewSignatureData(signAlgo, privKey, signedData)
 	if err != nil {
 		return fmt.Errorf("unable to construct the signature data: %w", err)

pkg/intel/metadata/manifest/signature_types.go

@@ -8,16 +8,18 @@ import (
 	"fmt"
 	"math/big"
 
-	"github.com/google/go-tpm/tpm2"
+	"github.com/tjfoc/gmsm/sm2"
 )
 
+var SM2UID = []byte{0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38}
+
 // NewSignatureData returns an implementation of SignatureDataInterface,
 // accordingly to signAlgo, privKey and signedData.
 //
 // if signAlgo is zero then it is detected automatically, based on the type
 // of the provided private key.
 func NewSignatureData(
-	signAlgo tpm2.Algorithm,
+	signAlgo Algorithm,
 	privKey crypto.Signer,
 	signedData []byte,
 ) (SignatureDataInterface, error) {
@@ -25,19 +27,19 @@ func NewSignatureData(
 		// auto-detect the sign algorithm, based on the provided signing key
 		switch privKey.(type) {
 		case *rsa.PrivateKey:
-			signAlgo = tpm2.AlgRSASSA
+			signAlgo = AlgRSASSA
 		case *ecdsa.PrivateKey:
-			signAlgo = tpm2.AlgECDSA
+			signAlgo = AlgECDSA
+		case *sm2.PrivateKey:
+			signAlgo = AlgSM2
 		}
 	}
-
 	switch signAlgo {
-	case tpm2.AlgRSASSA:
+	case AlgRSASSA:
 		rsaPrivateKey, ok := privKey.(*rsa.PrivateKey)
 		if !ok {
 			return nil, fmt.Errorf("expected private RSA key (type %T), but received %T", rsaPrivateKey, privKey)
 		}
-
 		h := sha256.New()
 		_, _ = h.Write(signedData)
 		bpmHash := h.Sum(nil)
@@ -47,7 +49,7 @@ func NewSignatureData(
 		}
 		return SignatureRSAASA(data), nil
 
-	case tpm2.AlgECDSA:
+	case AlgECDSA:
 		eccPrivateKey, ok := privKey.(*ecdsa.PrivateKey)
 		if !ok {
 			return nil, fmt.Errorf("expected private ECDSA key (type %T), but received %T", eccPrivateKey, privKey)
@@ -59,6 +61,19 @@ func NewSignatureData(
 			return nil, fmt.Errorf("unable to sign with ECDSA the data: %w", err)
 		}
 		return data, nil
+
+	case AlgSM2:
+		eccPrivateKey, ok := privKey.(*sm2.PrivateKey)
+		if !ok {
+			return nil, fmt.Errorf("expected private SM2 key (type %T), but received %T", eccPrivateKey, privKey)
+		}
+		var data SignatureSM2
+		var err error
+		data.R, data.S, err = sm2.Sm2Sign(eccPrivateKey, signedData, SM2UID, RandReader)
+		if err != nil {
+			return nil, fmt.Errorf("unable to sign with SM2 the data: %w", err)
+		}
+		return data, nil
 	}
 
 	return nil, fmt.Errorf("signing algorithm '%s' is not implemented in this library", signAlgo)

pkg/provisioning/bg/config.go

@@ -11,8 +11,6 @@ import (
 	"io/ioutil"
 	"os"
 
-	"github.com/google/go-tpm/tpm2"
-
 	"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest"
 	"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/bootpolicy"
 	"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/key"
@@ -30,9 +28,9 @@ type IbbSegment struct {
 
 // KeyHash export for usage as cmd line argument type
 type KeyHash struct {
-	Usage     uint64         `json:"usage"`     //
-	Hash      string         `json:"hash"`      //
-	Algorithm tpm2.Algorithm `json:"algorithm"` //
+	Usage     uint64             `json:"usage"`     //
+	Hash      string             `json:"hash"`      //
+	Algorithm manifest.Algorithm `json:"algorithm"` //
 }
 
 // BootGuardOptions presents all available options for BootGuard configuarion file.
@@ -94,10 +92,10 @@ func getIBBSegment(ibbs []bootpolicy.IBBSegment, image []byte) ([][]byte, error)
 	return ibbSegments, nil
 }
 
-func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorithm) ([]byte, error) {
+func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo manifest.Algorithm) ([]byte, error) {
 	var hash []byte
 	switch algo {
-	case tpm2.AlgSHA1:
+	case manifest.AlgSHA1:
 		h := sha1.New()
 		segments, err := getIBBSegment(ibbs, image)
 		if err != nil {
@@ -110,7 +108,7 @@ func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorit
 			}
 		}
 		hash = h.Sum(nil)
-	case tpm2.AlgSHA256:
+	case manifest.AlgSHA256:
 		h := sha256.New()
 		segments, err := getIBBSegment(ibbs, image)
 		if err != nil {
@@ -123,7 +121,7 @@ func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorit
 			}
 		}
 		hash = h.Sum(nil)
-	case tpm2.AlgSHA384:
+	case manifest.AlgSHA384:
 		h := sha512.New384()
 		segments, err := getIBBSegment(ibbs, image)
 		if err != nil {
@@ -136,7 +134,7 @@ func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorit
 			}
 		}
 		hash = h.Sum(nil)
-	case tpm2.AlgSHA512:
+	case manifest.AlgSHA512:
 		h := sha512.New512_256()
 		segments, err := getIBBSegment(ibbs, image)
 		if err != nil {
@@ -149,7 +147,7 @@ func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorit
 			}
 		}
 		hash = h.Sum(nil)
-	case tpm2.AlgNull:
+	case manifest.AlgNull:
 		return nil, nil
 	default:
 		return nil, fmt.Errorf("couldn't match requested hash algorithm: 0x%x", algo)
@@ -310,7 +308,7 @@ func ReadConfigFromBIOSImage(biosFilepath string, configFilepath *os.File) (*Boo
 
 // GetBPMPubHash takes the path to public BPM signing key and hash algorithm
 // and returns a hash with hashAlg of pub BPM singing key
-func GetBPMPubHash(path string, hashAlg tpm2.Algorithm) ([]key.Hash, error) {
+func GetBPMPubHash(path string, hashAlg manifest.Algorithm) ([]key.Hash, error) {
 	var data []byte
 	pubkey, err := ReadPubKey(path)
 	if err != nil {
@@ -332,7 +330,7 @@ func GetBPMPubHash(path string, hashAlg tpm2.Algorithm) ([]key.Hash, error) {
 	data = hash.Sum(nil)
 	var keyHashes []key.Hash
 	hStruc := &manifest.HashStructure{
-		HashAlg: tpm2.Algorithm(hashAlg),
+		HashAlg: manifest.Algorithm(hashAlg),
 	}
 	hStruc.HashBuffer = data
 

pkg/provisioning/bg/tools.go

@@ -14,7 +14,6 @@ import (
 	"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/bootpolicy"
 	"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/key"
 	"github.com/9elements/converged-security-suite/v2/pkg/tools"
-	"github.com/google/go-tpm/tpm2"
 )
 
 // WriteBootGuardStructures takes a firmware image and extracts boot policy manifest, key manifest and acm into seperate files.
@@ -246,7 +245,7 @@ func generatePCR0Content(status uint64, km *key.Manifest, bpm *bootpolicy.Manife
 
 	for _, se := range bpm.SE {
 		for i := 0; i < len(se.DigestList.List); i++ {
-			if se.DigestList.List[i].HashAlg == tpm2.AlgSHA1 {
+			if se.DigestList.List[i].HashAlg == manifest.AlgSHA1 {
 				if err = binary.Write(buf, binary.LittleEndian, se.DigestList.List[i].HashBuffer); err != nil {
 					return nil, nil, err
 				}