UNPKG

@reclaimprotocol/attestor-core

Version:

<div> <div> <img src="https://raw.githubusercontent.com/reclaimprotocol/.github/main/assets/banners/Attestor-Core.png" /> </div> </div>

289 lines (288 loc) 12 kB
import { BinaryReader, BinaryWriter } from "@bufbuild/protobuf/wire"; export declare const protobufPackage = "state"; /** The type of UEFI firmware log. */ export declare const LogType: { readonly LOG_TYPE_UNDEFINED: 0; /** * LOG_TYPE_TCG2 - The log used by EFI_TCG2_PROTOCOL and defined in the TCG PC Client * Platform Firmware Profile Specification */ readonly LOG_TYPE_TCG2: 1; /** * LOG_TYPE_CC - The log used by EFI_CC_MEASUREMENT_PROTOCOL and defined in the UEFI spec: * https://uefi.org/specs/UEFI/2.10/38_Confidential_Computing.html. */ readonly LOG_TYPE_CC: 2; readonly UNRECOGNIZED: -1; }; export type LogType = typeof LogType[keyof typeof LogType]; export declare namespace LogType { type LOG_TYPE_UNDEFINED = typeof LogType.LOG_TYPE_UNDEFINED; type LOG_TYPE_TCG2 = typeof LogType.LOG_TYPE_TCG2; type LOG_TYPE_CC = typeof LogType.LOG_TYPE_CC; type UNRECOGNIZED = typeof LogType.UNRECOGNIZED; } export declare function logTypeFromJSON(object: any): LogType; export declare function logTypeToJSON(object: LogType): string; /** Type of hardware technology used to protect this instance */ export declare const GCEConfidentialTechnology: { readonly NONE: 0; readonly AMD_SEV: 1; readonly AMD_SEV_ES: 2; readonly INTEL_TDX: 3; readonly AMD_SEV_SNP: 4; readonly UNRECOGNIZED: -1; }; export type GCEConfidentialTechnology = typeof GCEConfidentialTechnology[keyof typeof GCEConfidentialTechnology]; export declare namespace GCEConfidentialTechnology { type NONE = typeof GCEConfidentialTechnology.NONE; type AMD_SEV = typeof GCEConfidentialTechnology.AMD_SEV; type AMD_SEV_ES = typeof GCEConfidentialTechnology.AMD_SEV_ES; type INTEL_TDX = typeof GCEConfidentialTechnology.INTEL_TDX; type AMD_SEV_SNP = typeof GCEConfidentialTechnology.AMD_SEV_SNP; type UNRECOGNIZED = typeof GCEConfidentialTechnology.UNRECOGNIZED; } export declare function gCEConfidentialTechnologyFromJSON(object: any): GCEConfidentialTechnology; export declare function gCEConfidentialTechnologyToJSON(object: GCEConfidentialTechnology): string; /** Common, publicly-listed certificates by different vendors. */ export declare const WellKnownCertificate: { readonly UNKNOWN: 0; /** * MS_WINDOWS_PROD_PCA_2011 - Microsoft certs: * https://go.microsoft.com/fwlink/p/?linkid=321192 */ readonly MS_WINDOWS_PROD_PCA_2011: 1; /** MS_THIRD_PARTY_UEFI_CA_2011 - https://go.microsoft.com/fwlink/p/?linkid=321194 */ readonly MS_THIRD_PARTY_UEFI_CA_2011: 2; /** MS_THIRD_PARTY_KEK_CA_2011 - https://go.microsoft.com/fwlink/p/?linkid=321185 */ readonly MS_THIRD_PARTY_KEK_CA_2011: 3; /** GCE_DEFAULT_PK - GCE certs: */ readonly GCE_DEFAULT_PK: 4; readonly UNRECOGNIZED: -1; }; export type WellKnownCertificate = typeof WellKnownCertificate[keyof typeof WellKnownCertificate]; export declare namespace WellKnownCertificate { type UNKNOWN = typeof WellKnownCertificate.UNKNOWN; type MS_WINDOWS_PROD_PCA_2011 = typeof WellKnownCertificate.MS_WINDOWS_PROD_PCA_2011; type MS_THIRD_PARTY_UEFI_CA_2011 = typeof WellKnownCertificate.MS_THIRD_PARTY_UEFI_CA_2011; type MS_THIRD_PARTY_KEK_CA_2011 = typeof WellKnownCertificate.MS_THIRD_PARTY_KEK_CA_2011; type GCE_DEFAULT_PK = typeof WellKnownCertificate.GCE_DEFAULT_PK; type UNRECOGNIZED = typeof WellKnownCertificate.UNRECOGNIZED; } export declare function wellKnownCertificateFromJSON(object: any): WellKnownCertificate; export declare function wellKnownCertificateToJSON(object: WellKnownCertificate): string; /** Enum values come from the TCG Algorithm Registry - v1.27 - Table 3. */ export declare const HashAlgo: { readonly HASH_INVALID: 0; readonly SHA1: 4; readonly SHA256: 11; readonly SHA384: 12; readonly SHA512: 13; readonly UNRECOGNIZED: -1; }; export type HashAlgo = typeof HashAlgo[keyof typeof HashAlgo]; export declare namespace HashAlgo { type HASH_INVALID = typeof HashAlgo.HASH_INVALID; type SHA1 = typeof HashAlgo.SHA1; type SHA256 = typeof HashAlgo.SHA256; type SHA384 = typeof HashAlgo.SHA384; type SHA512 = typeof HashAlgo.SHA512; type UNRECOGNIZED = typeof HashAlgo.UNRECOGNIZED; } export declare function hashAlgoFromJSON(object: any): HashAlgo; export declare function hashAlgoToJSON(object: HashAlgo): string; /** * Information uniquely identifying a GCE instance. Can be used to create an * instance URL, which can then be used with GCE APIs. Formatted like: * https://www.googleapis.com/compute/v1/projects/{project_id}/zones/{zone}/instances/{instance_name} */ export interface GCEInstanceInfo { zone: string; projectId: string; projectNumber: bigint; instanceName: string; instanceId: bigint; } /** The platform/firmware state for this instance */ export interface PlatformState { /** Raw S-CRTM version identifier (EV_S_CRTM_VERSION) */ scrtmVersionId?: Uint8Array | undefined; /** Virtual GCE firmware version (parsed from S-CRTM version id) */ gceVersion?: number | undefined; /** Set to NONE on non-GCE instances or non-Confidential Shielded GCE instances */ technology: GCEConfidentialTechnology; /** * Only set for GCE instances. * Included for backcompat. go-eventlog should NOT set this field. */ instanceInfo: GCEInstanceInfo | undefined; } export interface GrubFile { /** The digest of the file (pulled from the raw event digest). */ digest: Uint8Array; /** The event data. This is not measured, so it is untrusted. */ untrustedFilename: Uint8Array; } export interface GrubState { /** All GRUB-read and measured files, including grub.cfg. */ files: GrubFile[]; /** * A list of executed GRUB commands and command lines passed to the kernel * and kernel modules. */ commands: string[]; } /** * The state of the Linux kernel. * At the moment, parsing LinuxKernelState relies on parsing the GrubState. * To do so, use ExtractOpts{Loader: GRUB} when calling ParseMachineState. */ export interface LinuxKernelState { /** The kernel command line. */ commandLine: string; } /** * A parsed event from the source firmware event log. This can be from either * the firmware TPM event log, the Confidential Computing event log, or any * other TCG-like event log used by firmware to record its measurements. */ export interface Event { /** * The register this event was extended into. Can be PCR, RTMR, etc. * Named pcr_index for backcompat reasons. */ pcrIndex: number; /** * The type of this event. Note that this value is not verified, so it should * only be used as a hint during event parsing. */ untrustedType: number; /** * The raw data associated to this event. The meaning of this data is * specific to the type of the event. */ data: Uint8Array; /** * The event digest actually extended into the TPM. This is often the hash of * the data field, but in some cases it may have a type-specific calculation. */ digest: Uint8Array; /** This is true if hash(data) == digest. */ digestVerified: boolean; } export interface Certificate { /** DER representation of the certificate. */ der?: Uint8Array | undefined; wellKnown?: WellKnownCertificate | undefined; } /** * A Secure Boot database containing lists of hashes and certificates, * as defined by section 32.4.1 Signature Database in the UEFI spec. */ export interface Database { certs: Certificate[]; hashes: Uint8Array[]; } /** The Secure Boot state for this instance. */ export interface SecureBootState { /** Whether Secure Boot is enabled. */ enabled: boolean; /** The Secure Boot signature (allowed) database. */ db: Database | undefined; /** The Secure Boot revoked signature (forbidden) database. */ dbx: Database | undefined; /** * Authority events post-separator. Pre-separator authorities * are currently not supported. */ authority: Database | undefined; /** The Secure Boot Platform key, used to sign key exchange keys. */ pk: Database | undefined; /** The Secure Boot Key Exchange Keys, used to sign db and dbx updates. */ kek: Database | undefined; } export interface EfiApp { /** * The PE/COFF digest of the EFI application (pulled from the raw event digest). * This can also represent digest of the EFI boot/runtime service drivers. */ digest: Uint8Array; } /** * The verified state of EFI Drivers and Applications. Policy usage on this machine state * should check the entire set of EFI App digests matches, not a subset. */ export interface EfiState { /** * UEFI's OS Loader code is required to measure attempts to load and execute * UEFI applications. * UEFI applications are typically bootloaders such as shim and GRUB. * These run and are measured using the UEFI LoadImage() service. */ apps: EfiApp[]; /** * The EFI drivers, * obtained from https://trustedcomputinggroup.org/wp-content/uploads/TCG_EFI_Platform_1_22_Final_-v15.pdf#page=22. * The EFI Boot Services Drivers from adapter or loaded bydriver in adapter. */ bootServicesDrivers: EfiApp[]; /** The EFI Runtime Drivers from adapter or loaded bydriver in adapter. */ runtimeServicesDrivers: EfiApp[]; } /** * The verified state of a booted machine, obtained from a UEFI event log. * The state is extracted from either EFI_TCG2_PROTOCOL or * EFI_CC_MEASUREMENT_PROTOCOL. Both of these follow the TCG-defined format * in https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/ * The TCG2-related (TPM) logs are structured using TCG_PCR_EVENT (SHA1 format) * or TCG_PCR_EVENT2 (Crypto Agile format). * The CC logs are structured using CC_EVENT. */ export interface FirmwareLogState { platform: PlatformState | undefined; secureBoot: SecureBootState | undefined; /** * The complete parsed Firmware Event Log, including those events used to * create this MachineState. */ rawEvents: Event[]; /** The hash algorithm used to calculate event digests to verify a log entry. */ hash: HashAlgo; grub: GrubState | undefined; linuxKernel: LinuxKernelState | undefined; efi: EfiState | undefined; logType: LogType; } /** The verified state of Google measurements on the machine. */ export interface GMESState { bmcFirmware: string; bios: string; hostKernel: string; mbm: string; } export declare const GCEInstanceInfo: MessageFns<GCEInstanceInfo>; export declare const PlatformState: MessageFns<PlatformState>; export declare const GrubFile: MessageFns<GrubFile>; export declare const GrubState: MessageFns<GrubState>; export declare const LinuxKernelState: MessageFns<LinuxKernelState>; export declare const Event: MessageFns<Event>; export declare const Certificate: MessageFns<Certificate>; export declare const Database: MessageFns<Database>; export declare const SecureBootState: MessageFns<SecureBootState>; export declare const EfiApp: MessageFns<EfiApp>; export declare const EfiState: MessageFns<EfiState>; export declare const FirmwareLogState: MessageFns<FirmwareLogState>; export declare const GMESState: MessageFns<GMESState>; type Builtin = Date | Function | Uint8Array | string | number | boolean | bigint | undefined; export type DeepPartial<T> = T extends Builtin ? T : T extends globalThis.Array<infer U> ? globalThis.Array<DeepPartial<U>> : T extends ReadonlyArray<infer U> ? ReadonlyArray<DeepPartial<U>> : T extends {} ? { [K in keyof T]?: DeepPartial<T[K]>; } : Partial<T>; export interface MessageFns<T> { encode(message: T, writer?: BinaryWriter): BinaryWriter; decode(input: BinaryReader | Uint8Array, length?: number): T; fromJSON(object: any): T; toJSON(message: T): unknown; create(base?: DeepPartial<T>): T; fromPartial(object: DeepPartial<T>): T; } export {};