attestationd: support attestation-based enrollment

This change ports the functionality added in c/370302 to attestationd.
When the attestation daemon launches, it will read the contents of
ABE_DATA_FILE and use it to generate the enterprise_enrollment_nonce
when creating an AttestationEnrollmentRequest.

The mechanism for reading the ABE_DATA is the same as the one used in

The ABE data is passed to attestationd, and every time
CreateEnrollRequestInternal is called, it will calculate the DEN based
on the ABE data: HMAC::SHA256("attestation_based_enrollment", ABE_DATA)

The DEN is set in the EnterpriseEnrollmentNonce field from the
AttestationEnrollmentRequest message that is going to be sent to the

PCA then will calculate the Enrollment ID with: HMAC::SHA256(DEN,
TPMPublicKey) and add that value to the AIKCert that we receive.

TEST=unit tests. Manually verified PCA Enrollment works with and without
Change-Id: I78df5e1661f8a59df08e1baecd2879ba73a13cee
Commit-Ready: Marco Vanotti <>
Tested-by: Marco Vanotti <>
Reviewed-by: Yves Arrouye <>
Reviewed-by: Andrey Pronin <>
5 files changed
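
The two-step derivation described in the commit message, as an added Python example that is not part of the commit or of the attestationd source. It assumes the first argument in the message's HMAC::SHA256(a, b) notation is the HMAC key; the function names and sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Context string quoted in the commit message. Assumption: it is the HMAC key
# and ABE_DATA is the message (first argument = key in the commit's notation).
ABE_CONTEXT = b"attestation_based_enrollment"


def compute_den(abe_data: bytes) -> bytes:
    """Device side: DEN = HMAC-SHA256("attestation_based_enrollment", ABE_DATA)."""
    return hmac.new(ABE_CONTEXT, abe_data, hashlib.sha256).digest()


def compute_enrollment_id(den: bytes, tpm_public_key: bytes) -> bytes:
    """PCA side: Enrollment ID = HMAC-SHA256(DEN, TPMPublicKey)."""
    return hmac.new(den, tpm_public_key, hashlib.sha256).digest()


def eid_matches(claimed_eid: bytes, abe_data: bytes, tpm_public_key: bytes) -> bool:
    """Recompute the Enrollment ID from the device secret and the TPM public
    key, then compare in constant time against the value from the AIK cert."""
    expected = compute_enrollment_id(compute_den(abe_data), tpm_public_key)
    return hmac.compare_digest(claimed_eid, expected)


# Constructed sample inputs (not real device data).
SAMPLE_ABE_DATA = bytes(range(32))
SAMPLE_TPM_KEY_A = b"constructed-tpm-public-key-A"
SAMPLE_TPM_KEY_B = b"constructed-tpm-public-key-B"

if __name__ == "__main__":
    den = compute_den(SAMPLE_ABE_DATA)
    eid = compute_enrollment_id(den, SAMPLE_TPM_KEY_A)
    print("DEN:", den.hex())
    print("EID:", eid.hex())
    # Same ABE data paired with a different TPM key gives a different ID,
    # so the ID is bound to both the device secret and the TPM.
    print("bound to TPM key:", not eid_matches(eid, SAMPLE_ABE_DATA, SAMPLE_TPM_KEY_B))
```

Because the DEN is recomputed from the ABE data on every request, the resulting Enrollment ID stays the same for a given device secret and TPM public key and changes if either one changes.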