@reclaimprotocol/attestor-core
Version:
<div> <div> <img src="https://raw.githubusercontent.com/reclaimprotocol/.github/main/assets/banners/Attestor-Core.png" /> </div> </div>
289 lines (288 loc) • 12 kB
TypeScript
import { BinaryReader, BinaryWriter } from "@bufbuild/protobuf/wire";
export declare const protobufPackage = "state";
/** The type of UEFI firmware log. */
export declare const LogType: {
readonly LOG_TYPE_UNDEFINED: 0;
/**
* LOG_TYPE_TCG2 - The log used by EFI_TCG2_PROTOCOL and defined in the TCG PC Client
* Platform Firmware Profile Specification
*/
readonly LOG_TYPE_TCG2: 1;
/**
* LOG_TYPE_CC - The log used by EFI_CC_MEASUREMENT_PROTOCOL and defined in the UEFI spec:
* https://uefi.org/specs/UEFI/2.10/38_Confidential_Computing.html.
*/
readonly LOG_TYPE_CC: 2;
readonly UNRECOGNIZED: -1;
};
export type LogType = typeof LogType[keyof typeof LogType];
export declare namespace LogType {
type LOG_TYPE_UNDEFINED = typeof LogType.LOG_TYPE_UNDEFINED;
type LOG_TYPE_TCG2 = typeof LogType.LOG_TYPE_TCG2;
type LOG_TYPE_CC = typeof LogType.LOG_TYPE_CC;
type UNRECOGNIZED = typeof LogType.UNRECOGNIZED;
}
export declare function logTypeFromJSON(object: any): LogType;
export declare function logTypeToJSON(object: LogType): string;
/** Type of hardware technology used to protect this instance */
export declare const GCEConfidentialTechnology: {
readonly NONE: 0;
readonly AMD_SEV: 1;
readonly AMD_SEV_ES: 2;
readonly INTEL_TDX: 3;
readonly AMD_SEV_SNP: 4;
readonly UNRECOGNIZED: -1;
};
export type GCEConfidentialTechnology = typeof GCEConfidentialTechnology[keyof typeof GCEConfidentialTechnology];
export declare namespace GCEConfidentialTechnology {
type NONE = typeof GCEConfidentialTechnology.NONE;
type AMD_SEV = typeof GCEConfidentialTechnology.AMD_SEV;
type AMD_SEV_ES = typeof GCEConfidentialTechnology.AMD_SEV_ES;
type INTEL_TDX = typeof GCEConfidentialTechnology.INTEL_TDX;
type AMD_SEV_SNP = typeof GCEConfidentialTechnology.AMD_SEV_SNP;
type UNRECOGNIZED = typeof GCEConfidentialTechnology.UNRECOGNIZED;
}
export declare function gCEConfidentialTechnologyFromJSON(object: any): GCEConfidentialTechnology;
export declare function gCEConfidentialTechnologyToJSON(object: GCEConfidentialTechnology): string;
/** Common, publicly-listed certificates by different vendors. */
export declare const WellKnownCertificate: {
readonly UNKNOWN: 0;
/**
* MS_WINDOWS_PROD_PCA_2011 - Microsoft certs:
* https://go.microsoft.com/fwlink/p/?linkid=321192
*/
readonly MS_WINDOWS_PROD_PCA_2011: 1;
/** MS_THIRD_PARTY_UEFI_CA_2011 - https://go.microsoft.com/fwlink/p/?linkid=321194 */
readonly MS_THIRD_PARTY_UEFI_CA_2011: 2;
/** MS_THIRD_PARTY_KEK_CA_2011 - https://go.microsoft.com/fwlink/p/?linkid=321185 */
readonly MS_THIRD_PARTY_KEK_CA_2011: 3;
/** GCE_DEFAULT_PK - GCE certs: */
readonly GCE_DEFAULT_PK: 4;
readonly UNRECOGNIZED: -1;
};
export type WellKnownCertificate = typeof WellKnownCertificate[keyof typeof WellKnownCertificate];
export declare namespace WellKnownCertificate {
type UNKNOWN = typeof WellKnownCertificate.UNKNOWN;
type MS_WINDOWS_PROD_PCA_2011 = typeof WellKnownCertificate.MS_WINDOWS_PROD_PCA_2011;
type MS_THIRD_PARTY_UEFI_CA_2011 = typeof WellKnownCertificate.MS_THIRD_PARTY_UEFI_CA_2011;
type MS_THIRD_PARTY_KEK_CA_2011 = typeof WellKnownCertificate.MS_THIRD_PARTY_KEK_CA_2011;
type GCE_DEFAULT_PK = typeof WellKnownCertificate.GCE_DEFAULT_PK;
type UNRECOGNIZED = typeof WellKnownCertificate.UNRECOGNIZED;
}
export declare function wellKnownCertificateFromJSON(object: any): WellKnownCertificate;
export declare function wellKnownCertificateToJSON(object: WellKnownCertificate): string;
/** Enum values come from the TCG Algorithm Registry - v1.27 - Table 3. */
export declare const HashAlgo: {
readonly HASH_INVALID: 0;
readonly SHA1: 4;
readonly SHA256: 11;
readonly SHA384: 12;
readonly SHA512: 13;
readonly UNRECOGNIZED: -1;
};
export type HashAlgo = typeof HashAlgo[keyof typeof HashAlgo];
export declare namespace HashAlgo {
type HASH_INVALID = typeof HashAlgo.HASH_INVALID;
type SHA1 = typeof HashAlgo.SHA1;
type SHA256 = typeof HashAlgo.SHA256;
type SHA384 = typeof HashAlgo.SHA384;
type SHA512 = typeof HashAlgo.SHA512;
type UNRECOGNIZED = typeof HashAlgo.UNRECOGNIZED;
}
export declare function hashAlgoFromJSON(object: any): HashAlgo;
export declare function hashAlgoToJSON(object: HashAlgo): string;
/**
* Information uniquely identifying a GCE instance. Can be used to create an
* instance URL, which can then be used with GCE APIs. Formatted like:
* https://www.googleapis.com/compute/v1/projects/{project_id}/zones/{zone}/instances/{instance_name}
*/
export interface GCEInstanceInfo {
zone: string;
projectId: string;
projectNumber: bigint;
instanceName: string;
instanceId: bigint;
}
/** The platform/firmware state for this instance */
export interface PlatformState {
/** Raw S-CRTM version identifier (EV_S_CRTM_VERSION) */
scrtmVersionId?: Uint8Array | undefined;
/** Virtual GCE firmware version (parsed from S-CRTM version id) */
gceVersion?: number | undefined;
/** Set to NONE on non-GCE instances or non-Confidential Shielded GCE instances */
technology: GCEConfidentialTechnology;
/**
* Only set for GCE instances.
* Included for backcompat. go-eventlog should NOT set this field.
*/
instanceInfo: GCEInstanceInfo | undefined;
}
export interface GrubFile {
/** The digest of the file (pulled from the raw event digest). */
digest: Uint8Array;
/** The event data. This is not measured, so it is untrusted. */
untrustedFilename: Uint8Array;
}
export interface GrubState {
/** All GRUB-read and measured files, including grub.cfg. */
files: GrubFile[];
/**
* A list of executed GRUB commands and command lines passed to the kernel
* and kernel modules.
*/
commands: string[];
}
/**
* The state of the Linux kernel.
* At the moment, parsing LinuxKernelState relies on parsing the GrubState.
* To do so, use ExtractOpts{Loader: GRUB} when calling ParseMachineState.
*/
export interface LinuxKernelState {
/** The kernel command line. */
commandLine: string;
}
/**
* A parsed event from the source firmware event log. This can be from either
* the firmware TPM event log, the Confidential Computing event log, or any
* other TCG-like event log used by firmware to record its measurements.
*/
export interface Event {
/**
* The register this event was extended into. Can be PCR, RTMR, etc.
* Named pcr_index for backcompat reasons.
*/
pcrIndex: number;
/**
* The type of this event. Note that this value is not verified, so it should
* only be used as a hint during event parsing.
*/
untrustedType: number;
/**
* The raw data associated to this event. The meaning of this data is
* specific to the type of the event.
*/
data: Uint8Array;
/**
* The event digest actually extended into the TPM. This is often the hash of
* the data field, but in some cases it may have a type-specific calculation.
*/
digest: Uint8Array;
/** This is true if hash(data) == digest. */
digestVerified: boolean;
}
export interface Certificate {
/** DER representation of the certificate. */
der?: Uint8Array | undefined;
wellKnown?: WellKnownCertificate | undefined;
}
/**
* A Secure Boot database containing lists of hashes and certificates,
* as defined by section 32.4.1 Signature Database in the UEFI spec.
*/
export interface Database {
certs: Certificate[];
hashes: Uint8Array[];
}
/** The Secure Boot state for this instance. */
export interface SecureBootState {
/** Whether Secure Boot is enabled. */
enabled: boolean;
/** The Secure Boot signature (allowed) database. */
db: Database | undefined;
/** The Secure Boot revoked signature (forbidden) database. */
dbx: Database | undefined;
/**
* Authority events post-separator. Pre-separator authorities
* are currently not supported.
*/
authority: Database | undefined;
/** The Secure Boot Platform key, used to sign key exchange keys. */
pk: Database | undefined;
/** The Secure Boot Key Exchange Keys, used to sign db and dbx updates. */
kek: Database | undefined;
}
export interface EfiApp {
/**
* The PE/COFF digest of the EFI application (pulled from the raw event digest).
* This can also represent digest of the EFI boot/runtime service drivers.
*/
digest: Uint8Array;
}
/**
* The verified state of EFI Drivers and Applications. Policy usage on this machine state
* should check the entire set of EFI App digests matches, not a subset.
*/
export interface EfiState {
/**
* UEFI's OS Loader code is required to measure attempts to load and execute
* UEFI applications.
* UEFI applications are typically bootloaders such as shim and GRUB.
* These run and are measured using the UEFI LoadImage() service.
*/
apps: EfiApp[];
/**
* The EFI drivers,
* obtained from https://trustedcomputinggroup.org/wp-content/uploads/TCG_EFI_Platform_1_22_Final_-v15.pdf#page=22.
* The EFI Boot Services Drivers from adapter or loaded bydriver in adapter.
*/
bootServicesDrivers: EfiApp[];
/** The EFI Runtime Drivers from adapter or loaded bydriver in adapter. */
runtimeServicesDrivers: EfiApp[];
}
/**
* The verified state of a booted machine, obtained from a UEFI event log.
* The state is extracted from either EFI_TCG2_PROTOCOL or
* EFI_CC_MEASUREMENT_PROTOCOL. Both of these follow the TCG-defined format
* in https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/
* The TCG2-related (TPM) logs are structured using TCG_PCR_EVENT (SHA1 format)
* or TCG_PCR_EVENT2 (Crypto Agile format).
* The CC logs are structured using CC_EVENT.
*/
export interface FirmwareLogState {
platform: PlatformState | undefined;
secureBoot: SecureBootState | undefined;
/**
* The complete parsed Firmware Event Log, including those events used to
* create this MachineState.
*/
rawEvents: Event[];
/** The hash algorithm used to calculate event digests to verify a log entry. */
hash: HashAlgo;
grub: GrubState | undefined;
linuxKernel: LinuxKernelState | undefined;
efi: EfiState | undefined;
logType: LogType;
}
/** The verified state of Google measurements on the machine. */
export interface GMESState {
bmcFirmware: string;
bios: string;
hostKernel: string;
mbm: string;
}
export declare const GCEInstanceInfo: MessageFns<GCEInstanceInfo>;
export declare const PlatformState: MessageFns<PlatformState>;
export declare const GrubFile: MessageFns<GrubFile>;
export declare const GrubState: MessageFns<GrubState>;
export declare const LinuxKernelState: MessageFns<LinuxKernelState>;
export declare const Event: MessageFns<Event>;
export declare const Certificate: MessageFns<Certificate>;
export declare const Database: MessageFns<Database>;
export declare const SecureBootState: MessageFns<SecureBootState>;
export declare const EfiApp: MessageFns<EfiApp>;
export declare const EfiState: MessageFns<EfiState>;
export declare const FirmwareLogState: MessageFns<FirmwareLogState>;
export declare const GMESState: MessageFns<GMESState>;
type Builtin = Date | Function | Uint8Array | string | number | boolean | bigint | undefined;
export type DeepPartial<T> = T extends Builtin ? T : T extends globalThis.Array<infer U> ? globalThis.Array<DeepPartial<U>> : T extends ReadonlyArray<infer U> ? ReadonlyArray<DeepPartial<U>> : T extends {} ? {
[K in keyof T]?: DeepPartial<T[K]>;
} : Partial<T>;
export interface MessageFns<T> {
encode(message: T, writer?: BinaryWriter): BinaryWriter;
decode(input: BinaryReader | Uint8Array, length?: number): T;
fromJSON(object: any): T;
toJSON(message: T): unknown;
create(base?: DeepPartial<T>): T;
fromPartial(object: DeepPartial<T>): T;
}
export {};