
WiP -- govc: Cmd to enc data for VMs w TPM2 devs #3222

Closed

@akutz (Member) commented Sep 4, 2023

Description

This patch introduces support for encrypting plain-text information for VMs with TPM2 devices without the system on which the command is run needing a TPM.

Please refer to google/go-tpm#343 for more information.

Closes: NA

Type of change

Please mark options that are relevant:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • Build related change

How Has This Been Tested?

Ran the command locally and tested it in conjunction with google/go-tpm#343, e.g.:

  1. From my local desktop, a macOS system with no TPM:

    $ echo "Hello, world" | govc vm.tpm2.seal -vm photon5-w-tpm
    AE4ACAALAAAEAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAgLFQ7X8yj6G+bD0G6TihYVjTnLc29DEJKBE/LOIDWBXY=@@NULL@@AFkAIAnVMHKXQ45PqD6FkS6BcJx/BPaifUQ3adyOC9vKbzBWlcbEckvojXXsDH+xgY+IyIFVJKFHf/swIpxGa5Jxzp1a/Ltp58v1mLg9n8jyfIxRzBqFVM3NlQ==@@NULL@@AQA3Ega0AKIZM59bXGA26BQKt785XO3VhtmywvR1W4NDCYMpR+8BEk0zstEy0dROLpCd4ogKMN94JK7l0Rxs5dt4VP/A9Mz8cpityNyWkWYVd9vuB9vr7tE7QUKeRbYQ/h9rfg3LMDxDvvm2AcAT3Kkr8CEovJKtzrHz4Zf93UHiTNi5/AeQR7DOO68/X3VzwNHgniFzHwrHEXoVOD2BZmn0Viyu/G0hDKRXet2S5sfMMnsGpz0UsIJbd1Ydxttny/8G9bCRSpAq82evCSbO7TsVArTz2troJOfa3r2wqOJclhvb54NW3NpFqWs1OkDuD2V8lC5HEnzBEdaTAY//HS4T
  2. From within the VM (using the program tpm2-ekunseal.sh):

    $ echo 'AE4ACAALAAAEAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAgLFQ7X8yj6G+bD0G6TihYVjTnLc29DEJKBE/LOIDWBXY=@@NULL@@AFkAIAnVMHKXQ45PqD6FkS6BcJx/BPaifUQ3adyOC9vKbzBWlcbEckvojXXsDH+xgY+IyIFVJKFHf/swIpxGa5Jxzp1a/Ltp58v1mLg9n8jyfIxRzBqFVM3NlQ==@@NULL@@AQA3Ega0AKIZM59bXGA26BQKt785XO3VhtmywvR1W4NDCYMpR+8BEk0zstEy0dROLpCd4ogKMN94JK7l0Rxs5dt4VP/A9Mz8cpityNyWkWYVd9vuB9vr7tE7QUKeRbYQ/h9rfg3LMDxDvvm2AcAT3Kkr8CEovJKtzrHz4Zf93UHiTNi5/AeQR7DOO68/X3VzwNHgniFzHwrHEXoVOD2BZmn0Viyu/G0hDKRXet2S5sfMMnsGpz0UsIJbd1Ydxttny/8G9bCRSpAq82evCSbO7TsVArTz2troJOfa3r2wqOJclhvb54NW3NpFqWs1OkDuD2V8lC5HEnzBEdaTAY//HS4T' | \
      tpm2-ekunseal.sh -0 2>/dev/null
    Hello, world.
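
As an added example (not part of this PR or of govc), a small Go program that parses the output of the seal command shown above and checks that each base64 segment's 2-byte TPM2B size prefix matches the bytes that follow it, which is the cheapest integrity check a consumer can run before handing the blob to a TPM. The roles given to the three segments (public area, duplicated private blob, EK-encrypted seed) are my inference from the sizes 78/89/256 and are not stated in the PR.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// Sealed blob exactly as printed by `govc vm.tpm2.seal` in the PR description.
const SealedFromPR = "AE4ACAALAAAEAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAgLFQ7X8yj6G+bD0G6TihYVjTnLc29DEJKBE/LOIDWBXY=@@NULL@@AFkAIAnVMHKXQ45PqD6FkS6BcJx/BPaifUQ3adyOC9vKbzBWlcbEckvojXXsDH+xgY+IyIFVJKFHf/swIpxGa5Jxzp1a/Ltp58v1mLg9n8jyfIxRzBqFVM3NlQ==@@NULL@@AQA3Ega0AKIZM59bXGA26BQKt785XO3VhtmywvR1W4NDCYMpR+8BEk0zstEy0dROLpCd4ogKMN94JK7l0Rxs5dt4VP/A9Mz8cpityNyWkWYVd9vuB9vr7tE7QUKeRbYQ/h9rfg3LMDxDvvm2AcAT3Kkr8CEovJKtzrHz4Zf93UHiTNi5/AeQR7DOO68/X3VzwNHgniFzHwrHEXoVOD2BZmn0Viyu/G0hDKRXet2S5sfMMnsGpz0UsIJbd1Ydxttny/8G9bCRSpAq82evCSbO7TsVArTz2troJOfa3r2wqOJclhvb54NW3NpFqWs1OkDuD2V8lC5HEnzBEdaTAY//HS4T"
// ParseSealed splits the output on "@@NULL@@", base64-decodes the three segments and
// checks that each 2-byte big-endian TPM2B size prefix matches the payload length
// (a mismatch means truncation or alteration). Assumed, not stated on the page: the
// segments are the public area, the duplicated private blob and the EK-encrypted seed.
func ParseSealed(s string) ([][]byte, error) {
	parts := strings.Split(strings.TrimSpace(s), "@@NULL@@")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	var segs [][]byte
	for i, p := range parts {
		raw, err := base64.StdEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		if len(raw) < 2 || int(binary.BigEndian.Uint16(raw)) != len(raw)-2 {
			return nil, fmt.Errorf("segment %d: size prefix does not match %d payload bytes", i, len(raw)-2)
		}
		segs = append(segs, raw[2:]) // payload without its size prefix
	}
	return segs, nil
}

// PublicHeader reads the type and nameAlg that open a TPMT_PUBLIC (0x0008 KEYEDHASH, 0x000B SHA-256).
func PublicHeader(pub []byte) (typ, nameAlg uint16, err error) {
	if len(pub) < 4 {
		return 0, 0, fmt.Errorf("public area too short (%d bytes)", len(pub))
	}
	return binary.BigEndian.Uint16(pub[0:2]), binary.BigEndian.Uint16(pub[2:4]), nil
}

func main() {
	segs, err := ParseSealed(SealedFromPR)
	if err != nil {
		panic(err)
	}
	typ, alg, _ := PublicHeader(segs[0])
	fmt.Printf("sizes %d/%d/%d, type 0x%04x, nameAlg 0x%04x\n", len(segs[0]), len(segs[1]), len(segs[2]), typ, alg)
}
```

The 256-byte third segment is what one expects for a seed wrapped to an RSA-2048 endorsement key, consistent with the VM also exposing an rsa EK certificate in the listing further down.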

There are also commands for listing and getting a VM's endorsement key certificates:

  1. List the VM's EK certs:

    $ govc vm.tpm2.cert.ls -vm photon5-w-tpm
    Algorithm  Fingerprint
    rsa        41:5D:F1:AE:B9:F2:B1:22:9F:79:B7:FF:DA:55:5B:86
    ecc        28:54:DB:D8:40:6C:DA:5D:BA:66:87:96:AA:2E:55:1D
  2. Or only list the certs of a particular type:

    $ govc vm.tpm2.cert.ls -vm photon5-w-tpm -G ecc
    Algorithm  Fingerprint
    ecc        28:54:DB:D8:40:6C:DA:5D:BA:66:87:96:AA:2E:55:1D
  3. Once the fingerprint is known, it's also possible to get the certificate itself!

    $ govc vm.tpm2.cert.get -vm photon5-w-tpm -fingerprint 28:54:DB:D8:40:6C:DA:5D:BA:66:87:96:AA:2E:55:1D
    -----BEGIN CERTIFICATE-----
    MIIEbzCCAtegAwIBAgIJAPyDMhSaeSEEMA0GCSqGSIb3DQEBCwUAMIGoMQswCQYD
    VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ
    FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExKjAoBgNV
    BAoMIXNjMi0xMC0xODQtMTAzLTEyNi5lbmcudm13YXJlLmNvbTEbMBkGA1UECwwS
    Vk13YXJlIEVuZ2luZWVyaW5nMB4XDTIzMDgyOTIwMzg1NloXDTMzMDgxNzA4NDU0
    MVowSDEWMBQGBWeBBQIBDAtpZDo1NjRENTcwMDEWMBQGBWeBBQICDAtWTXdhcmUg
    VFBNMjEWMBQGBWeBBQIDDAtpZDowMDAyMDA2NTBZMBMGByqGSM49AgEGCCqGSM49
    AwEHA0IABD4/Q4n5Ju60174JndC/GOJmMwtK1jXbaGv8jJsJiC1ojL3bxR/agDSn
    zSejK/vMUtElZSXRyMi3oZ60sq6xOhyjggFEMIIBQDAOBgNVHQ8BAf8EBAMCAwgw
    WAYDVR0RAQH/BE4wTKRKMEgxFjAUBgVngQUCAQwLaWQ6NTY0RDU3MDAxFjAUBgVn
    gQUCAgwLVk13YXJlIFRQTTIxFjAUBgVngQUCAwwLaWQ6MDAwMjAwNjUwDAYDVR0T
    AQH/BAIwADAQBgNVHSUECTAHBgVngQUIATAhBgNVHQkEGjAYMBYGBWeBBQIQMQ0w
    CwwDMi4wAgEAAgF0MB0GA1UdDgQWBBSWtRzqfDcPeatHhgkhowb85EhyCDAfBgNV
    HSMEGDAWgBSmwq+iw85ovFyxi4MRmnn6yJbBizBRBggrBgEFBQcBAQRFMEMwQQYI
    KwYBBQUHMAKGNWh0dHBzOi8vc2MyLTEwLTE4NC0xMDMtMTI2LmVuZy52bXdhcmUu
    Y29tL2FmZC92ZWNzL2NhMA0GCSqGSIb3DQEBCwUAA4IBgQA5gMNkE+upkJFB6FBy
    aHbH2fraJ6tOgxMsbQvj2G1dqf7r8W9XJj2oHG+Q6wY42PKSDRVYNYBBkl739neP
    frS67zGbOOkmVp3CUzJjBaA7thFa6ZqS1h5NHokQ81gGFX7wzHrNIqokYIRlLaK3
    Be7XVHXJrEM6R+xi/s2ZmtR1I5JZLcKSZ5qFYvlKJoRX09pNyEE+DHNKm9MPU0ci
    cX10igdGhzeTTm7nvcblp8NLl9gEbcb+ej0E1doN9OYKz4vIcjfT5C5zwM0QnjSr
    QxTPbXMCVG78lB6UjsFS7hNp0qmU4EsS+qZyZIolArDRcjmyQK8X/JUukrPqVNze
    FOWVf13coOo5siUYBW5IfMoJ0BrLSyGrNuGgB5R0m/lxGeZQb5y/3YhlPn5af9FJ
    uutfgkJTREUMR/ue0PpOSPVAqccmpreFrBgU6iUsWYdBwjVU/59RUxdLRm8OfsnH
    ntuWJPjo3QV6kA7U4z53nPO6gULpn4sU9db5HnzRvUGePsQ=
    -----END CERTIFICATE-----
  4. Which is handy when wanting to pipe the output to openssl:

    $ govc vm.tpm2.cert.get -vm photon5-w-tpm -fingerprint 28:54:DB:D8:40:6C:DA:5D:BA:66:87:96:AA:2E:55:1D | \
      openssl x509 -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                fc:83:32:14:9a:79:21:04
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = sc2-10-184-103-126.eng.vmware.com, OU = VMware Engineering
            Validity
                Not Before: Aug 29 20:38:56 2023 GMT
                Not After : Aug 17 08:45:41 2033 GMT
            Subject: 2.23.133.2.1 = id:564D5700, 2.23.133.2.2 = VMware TPM2, 2.23.133.2.3 = id:00020065
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:3e:3f:43:89:f9:26:ee:b4:d7:be:09:9d:d0:bf:
                        18:e2:66:33:0b:4a:d6:35:db:68:6b:fc:8c:9b:09:
                        88:2d:68:8c:bd:db:c5:1f:da:80:34:a7:cd:27:a3:
                        2b:fb:cc:52:d1:25:65:25:d1:c8:c8:b7:a1:9e:b4:
                        b2:ae:b1:3a:1c
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Key Agreement
                X509v3 Subject Alternative Name: critical
                    DirName:/2.23.133.2.1=id:564D5700/2.23.133.2.2=VMware TPM2/2.23.133.2.3=id:00020065
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage: 
                    2.23.133.8.1
                X509v3 Subject Directory Attributes: 
    0...2.0.....t   0.0...g....1
                X509v3 Subject Key Identifier: 
                    96:B5:1C:EA:7C:37:0F:79:AB:47:86:09:21:A3:06:FC:E4:48:72:08
                X509v3 Authority Key Identifier: 
                    A6:C2:AF:A2:C3:CE:68:BC:5C:B1:8B:83:11:9A:79:FA:C8:96:C1:8B
                Authority Information Access: 
                    CA Issuers - URI:https://sc2-10-184-103-126.eng.vmware.com/afd/vecs/ca
        Signature Algorithm: sha256WithRSAEncryption
        Signature Value:
            39:80:c3:64:13:eb:a9:90:91:41:e8:50:72:68:76:c7:d9:fa:
            da:27:ab:4e:83:13:2c:6d:0b:e3:d8:6d:5d:a9:fe:eb:f1:6f:
            57:26:3d:a8:1c:6f:90:eb:06:38:d8:f2:92:0d:15:58:35:80:
            41:92:5e:f7:f6:77:8f:7e:b4:ba:ef:31:9b:38:e9:26:56:9d:
            c2:53:32:63:05:a0:3b:b6:11:5a:e9:9a:92:d6:1e:4d:1e:89:
            10:f3:58:06:15:7e:f0:cc:7a:cd:22:aa:24:60:84:65:2d:a2:
            b7:05:ee:d7:54:75:c9:ac:43:3a:47:ec:62:fe:cd:99:9a:d4:
            75:23:92:59:2d:c2:92:67:9a:85:62:f9:4a:26:84:57:d3:da:
            4d:c8:41:3e:0c:73:4a:9b:d3:0f:53:47:22:71:7d:74:8a:07:
            46:87:37:93:4e:6e:e7:bd:c6:e5:a7:c3:4b:97:d8:04:6d:c6:
            fe:7a:3d:04:d5:da:0d:f4:e6:0a:cf:8b:c8:72:37:d3:e4:2e:
            73:c0:cd:10:9e:34:ab:43:14:cf:6d:73:02:54:6e:fc:94:1e:
            94:8e:c1:52:ee:13:69:d2:a9:94:e0:4b:12:fa:a6:72:64:8a:
            25:02:b0:d1:72:39:b2:40:af:17:fc:95:2e:92:b3:ea:54:dc:
            de:14:e5:95:7f:5d:dc:a0:ea:39:b2:25:18:05:6e:48:7c:ca:
            09:d0:1a:cb:4b:21:ab:36:e1:a0:07:94:74:9b:f9:71:19:e6:
            50:6f:9c:bf:dd:88:65:3e:7e:5a:7f:d1:49:ba:eb:5f:82:42:
            53:44:45:0c:47:fb:9e:d0:fa:4e:48:f5:40:a9:c7:26:a6:b7:
            85:ac:18:14:ea:25:2c:59:87:41:c2:35:54:ff:9f:51:53:17:
            4b:46:6f:0e:7e:c9:c7:9e:db:96:24:f8:e8:dd:05:7a:90:0e:
            d4:e3:3e:77:9c:f3:ba:81:42:e9:9f:8b:14:f5:d6:f9:1e:7c:
            d1:bd:41:9e:3e:c4

Checklist:

  • My code follows the CONTRIBUTION guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

@akutz force-pushed the feature/vm-and-host-tpm-seal branch 3 times, most recently from e6f7100 to 6ff7225 on September 5, 2023 14:55

This patch introduces support for encrypting plain-text
information for VMs with TPM2 devices without the system
on which the command is run needing a TPM.

Please refer to google/go-tpm#343
for more information.

github-actions bot (Contributor) commented Dec 5, 2023

This Pull Request is stale because it has been open for 90 days with
no activity. It will automatically close after 30 more days of
inactivity. Mark as fresh by adding the comment /remove-lifecycle stale.
