vcomLink communication refactoring

[shjala]

Description

New TPM communication APIs have been changed to use protobuf and the vcomlink package has been refactored to accommodate these changes. The existing custom message handling/protocol has been removed, and its functionalities have been integrated into the mentioned protobuf based API. This restructuring aims to streamline TPM-related operations and improve code maintainability.

New functions have been introduced to handle various TPM tasks more effectively. These include:

1. tpmReadNV: Reads data from a specified Non-Volatile (NV) index in the TPM
2. tpmGetPub: Retrieves the public key associated with a given handle
3. tpmSign: Signs data using a specified key index
4. certifykey: Certify a key using AK.

In addition this update introduces stricter security measures, such as enforcing security policies before performing TPM operations (for now a simple but sufficient policy, based on the key/NV index).

---

Relates to lf-edge/eve-tools#13 (not dependent).

How to test and validate this PR

Go tests are provided to fully test the vcomlink TPM related functionalities, the following are results of testing on HW TPM:

➜  pillar git:(vcomlink.refactor) ✗ /usr/bin/go test github.com/lf-edge/eve/pkg/pillar/cmd/vcomlink -v
time="2025-07-22T16:23:49+03:00" level=info msg="Containerd Init"
time="2025-07-22T16:23:49+03:00" level=info msg="VSOCK is supported, using VSOCK transport" pid=3783013 source=vcomlink_test
time="2025-07-22T16:23:49+03:00" level=info msg="Listening on vsock CID 1, port 2000" pid=3783013 source=vcomlink_test
=== RUN   TestValidGetPublic
TPM EK: 0001000b000300720000000600800043...
TPM EK Algorithm: RSA
TPM EK Attributes: FlagFixedParent | FlagSensitiveDataOrigin | FlagUserWithAuth | FlagRestricted | FlagDecrypt | FlagFixedTPM
--- PASS: TestValidGetPublic (0.02s)
=== RUN   TestValidGetEkCert
TPM EK cert issuer: CN=Nuvoton TPM Root CA 2112,O=Nuvoton Technology Corporation,C=TW
TPM EK URL: [https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 2112.cer]
Downloading issuing CA cert from URL: https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 2112.cer
EK cert verified successfully against issuing CA cert
--- PASS: TestValidGetEkCert (0.93s)
=== RUN   TestValidSigner
Signature verified successfully using RSA public key
--- PASS: TestValidSigner (0.11s)
=== RUN   TestValidActivateCred
Credential:           f63e0c102742a64374740b78995834828e8484e07d70a2a455af3c50202f9b3c
Recovered credential: f63e0c102742a64374740b78995834828e8484e07d70a2a455af3c50202f9b3c
Credential activation successful, we can trust the AIK
--- PASS: TestValidActivateCred (0.11s)
=== RUN   TestValidCertifyKey
    vcomlink_test.go:665: Successfully certified key with AIK and verified signature.
--- PASS: TestValidCertifyKey (0.10s)
PASS
ok      github.com/lf-edge/eve/pkg/pillar/cmd/vcomlink  3.282s

Changelog notes

Refactored vcomlink TPM communication to use protobuf-based APIs with updated vcomlink support, replacing custom messaging, adding tpmReadNV, tpmGetPub, and tpmSign functions, and introducing basic security policy enforcement.

Checklist

• I've provided a proper description
• I've added the proper documentation
• I've tested my PR on amd64 device
• I've tested my PR on arm64 device
• I've written the test verification instructions
• I've set the proper labels to this PR

For backport PRs (remove it if it's not a backport):

• I've added a reference link to the original PR
• PR's title follows the template

And the last but not least:

• I've checked the boxes above, or I've provided a good reason why I didn't
  check them.

Please, check the boxes above after submitting the PR in interactive mode.

[shjala]

Code ready for review, I'm fixing the CI errors and updating the documents.

[OhmSpectator]

I recall using code from this PR once... I had to modify it slightly to make it suitable... But I have no memory of the details... Will have to review again...

[OhmSpectator]

@shjala could you, please, meanwhile, check the Docker hash warning?...

[shjala]

@shjala could you, please, meanwhile, check the Docker hash warning?...

Sure, I have some more changes coming today, I'll fix that docker too.

[shjala]

I recall using code from this PR once... I had to modify it slightly to make it suitable... But I have no memory of the details... Will have to review again...

Yeah that probably was for sending monitoring data.

[OhmSpectator]

@shjala, I think it's better to rebase the branch

[eriknordmark]

There are failures in TestEdenScripts/eden_vcom, and also SPDX license headers to address.

[eriknordmark]

There are failures in TestEdenScripts/eden_vcom, and also SPDX license headers to address.

[shjala]

There are failures in TestEdenScripts/eden_vcom, and also SPDX license headers to address.

@eriknordmark the test failure is expected, I can disable that test for now in Eden until this gets merged lf-edge/eden#1095, but @OhmSpectator is in favour of not doing that and letting the test to fail.

[eriknordmark]

Note one more SPDX failure:
Checking tests/tpm/prep-and-run.sh

• SPDX-License-Identifier: OK
• Copyright: does not have the current year 2025 in the copyright notice!

Letting the test fail until Eden is fixed should be ok, but presumably we need a new version of eden so we can run the older one on 14.5.0?

[shjala]

Letting the test fail until Eden is fixed should be ok, but presumably we need a new version of eden so we can run the older one on 14.5.0?

But the older branches point to the old Eden right? so we need one for the master...

[shjala]

Yetus is picking up on unrelated files, my local run shows nothing :

shah in 🌐 shah-MS-7E12 in eve on  vcomlink.refactor [$?] via 🐍 v3.12.3 took 5s 
❯ make mini-yetus MYETUS_VERBOSE=y
shah in 🌐 shah-MS-7E12 in eve on  vcomlink.refactor [$?] via 🐍 v3.12.3 took 8s 
❯ cat /tmp/yetus.WZ5B3epSZ1/yetus-output/results-full.txt 
shah in 🌐 shah-MS-7E12 in eve on  vcomlink.refactor [$?] via 🐍 v3.12.3 
❯ 

[eriknordmark]

Yetus is picking up on unrelated files, my local run shows nothing :

shah in 🌐 shah-MS-7E12 in eve on  vcomlink.refactor [$?] via 🐍 v3.12.3 took 5s 
❯ make mini-yetus MYETUS_VERBOSE=y
shah in 🌐 shah-MS-7E12 in eve on  vcomlink.refactor [$?] via 🐍 v3.12.3 took 8s 
❯ cat /tmp/yetus.WZ5B3epSZ1/yetus-output/results-full.txt 
shah in 🌐 shah-MS-7E12 in eve on  vcomlink.refactor [$?] via 🐍 v3.12.3 
❯ 

I did see a comment in the output that the pr is not on top of current master so it might pick up other files.

[shjala]

I did see a comment in the output that the pr is not on top of current master so it might pick up other files.

rebased, let's see if Yetus is happy now...