attestationd: support attestation-based enrollment
This change ports the functionallity added in c/370302 to attestationd.
When the attestation daemon launches, it will read the contents of
ABE_DATA_FILE and use it to generate the enterprise_enrollment_nonce
when creating an AttestationEnrollmentRequest.
The mechanism for reading the ABE_DATA is the same as the one used in
The ABE data is passed to attestationd, and every time
CreateEnrollRequestInternal is called, it will calculate the DEN based
on the ABE data: HMAC::SHA256("attestation_based_enrollment", ABE_DATA)
The DEN is set in the EnterpriseEnrollmentNonce field from the
AttestationEnrollmentRequest message that is going to be sent to the
PCA then will calculate the Enrollment ID with: HMAC::SHA256(DEN,
TPMPublicKey) and add that value to the AIKCert that we receive.
TEST=unit tests. Manually verified PCA Enrollment works with and without
Commit-Ready: Marco Vanotti <email@example.com>
Tested-by: Marco Vanotti <firstname.lastname@example.org>
Reviewed-by: Yves Arrouye <email@example.com>
Reviewed-by: Andrey Pronin <firstname.lastname@example.org>
5 files changed