smallstep · hslatman · Jun 26, 2023 · Jun 19, 2023 · Jun 19, 2023 · Jun 21, 2023
diff --git a/kms/tpmkms/tpmkms_simulator_test.go b/kms/tpmkms/tpmkms_simulator_test.go
@@ -75,8 +75,9 @@ func withSimulator(t *testing.T) tpmp.NewTPMOption {
 		err := sim.Close()
 		require.NoError(t, err)
 	})
-	sim = simulator.New()
-	err := sim.Open()
+	sim, err := simulator.New()
+	require.NoError(t, err)
+	err = sim.Open()
 	require.NoError(t, err)
 	return tpmp.WithSimulator(sim)
 }

diff --git a/tpm/attestation/client_simulator_test.go b/tpm/attestation/client_simulator_test.go
@@ -47,8 +47,9 @@ func withSimulator(t *testing.T) tpm.NewTPMOption {
 		err := sim.Close()
 		require.NoError(t, err)
 	})
-	sim = simulator.New()
-	err := sim.Open()
+	sim, err := simulator.New()
+	require.NoError(t, err)
+	err = sim.Open()
 	require.NoError(t, err)
 	return tpm.WithSimulator(sim)
 }

diff --git a/tpm/available/check.go b/tpm/available/check.go
@@ -0,0 +1,15 @@
+package available
+
+import (
+	"fmt"
+
+	"go.step.sm/crypto/tpm"
+)
+
+func Check(opts ...tpm.NewTPMOption) error {
+	t, err := tpm.New(opts...)
+	if err != nil {
+		return fmt.Errorf("failed creating TPM instance: %w", err)
+	}
+	return t.Available()
+}
diff --git a/tpm/internal/close/close.go b/tpm/internal/close/close.go
@@ -0,0 +1,15 @@
+package closer
+
+import (
+	"io"
+
+	"github.com/smallstep/go-attestation/attest"
+)
+
+func RWC(rwc io.ReadWriteCloser) error {
+	return closeRWC(rwc)
+}
+
+func AttestTPM(t *attest.TPM, c *attest.OpenConfig) error {
+	return attestTPM(t, c)
+}
diff --git a/tpm/internal/close/close_others.go b/tpm/internal/close/close_others.go
@@ -0,0 +1,27 @@
+//go:build !windows
+// +build !windows
+
+package closer
+
+import (
+	"io"
+
+	"github.com/google/go-tpm/tpmutil"
+	"github.com/smallstep/go-attestation/attest"
+
+	"go.step.sm/crypto/tpm/internal/socket"
+)
+
+func closeRWC(rwc io.ReadWriteCloser) error {
+	if _, ok := rwc.(*tpmutil.EmulatorReadWriteCloser); ok {
+		return nil // EmulatorReadWriteCloser automatically closes on every write/read cycle
+	}
+	return rwc.Close()
+}
+
+func attestTPM(t *attest.TPM, c *attest.OpenConfig) error {
+	if _, ok := c.CommandChannel.(*socket.CommandChannelWithoutMeasurementLog); ok {
+		return nil // backed by tpmutil.EmulatorReadWriteCloser; already closed
+	}
+	return t.Close()
+}
diff --git a/tpm/internal/close/close_windows.go b/tpm/internal/close/close_windows.go
@@ -0,0 +1,18 @@
+//go:build windows
+// +build windows
+
+package closer
+
+import (
+	"io"
+
+	"github.com/smallstep/go-attestation/attest"
+)
+
+func closeRWC(rwc io.ReadWriteCloser) error {
+	return rwc.Close()
+}
+
+func attestTPM(t *attest.TPM, _ *attest.OpenConfig) error {
+	return t.Close()
+}
diff --git a/tpm/internal/open/open.go b/tpm/internal/open/open.go
@@ -1,6 +1,8 @@
 package open
 
-import "io"
+import (
+	"io"
+)
 
 func TPM(deviceName string) (io.ReadWriteCloser, error) {
 	return open(deviceName)

diff --git a/tpm/internal/socket/socket.go b/tpm/internal/socket/socket.go
@@ -0,0 +1,23 @@
+package socket
+
+import (
+	"errors"
+	"io"
+)
+
+var (
+	ErrNotAvailable = errors.New("socket not available")
+	ErrNotSupported = errors.New("connecting to a TPM using a UNIX socket is not supported on Windows")
+)
+
+func New(path string) (io.ReadWriteCloser, error) {
+	return newSocket(path)
+}
+
+type CommandChannelWithoutMeasurementLog struct {
+	io.ReadWriteCloser
+}
+
+func (c *CommandChannelWithoutMeasurementLog) MeasurementLog() ([]byte, error) {
+	return nil, nil
+}
diff --git a/tpm/internal/socket/socket_others.go b/tpm/internal/socket/socket_others.go
@@ -0,0 +1,25 @@
+//go:build !windows
+// +build !windows
+
+package socket
+
+import (
+	"io"
+	"os"
+
+	"github.com/google/go-tpm/tpmutil"
+)
+
+func newSocket(path string) (io.ReadWriteCloser, error) {
+	if path == "" {
+		return nil, ErrNotAvailable
+	}
+	fi, err := os.Stat(path)
+	if err != nil { // TODO(hs): handle specific errors here?
+		return nil, err
+	}
+	if fi.Mode()&os.ModeSocket != 0 {
+		return tpmutil.NewEmulatorReadWriteCloser(path), nil
+	}
+	return nil, ErrNotAvailable
+}
diff --git a/tpm/internal/socket/socket_windows.go b/tpm/internal/socket/socket_windows.go
@@ -0,0 +1,12 @@
+//go:build windows
+// +build windows
+
+package socket
+
+import (
+	"io"
+)
+
+func newSocket(_ string) (io.ReadWriteCloser, error) {
+	return nil, ErrNotSupported
+}
diff --git a/tpm/rand/rand_simulator_test.go b/tpm/rand/rand_simulator_test.go
@@ -7,7 +7,6 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rsa"
-	"errors"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -26,18 +25,13 @@ func withSimulator(t *testing.T) tpm.NewTPMOption {
 		err := sim.Close()
 		require.NoError(t, err)
 	})
-	sim = simulator.New()
-	err := sim.Open()
+	sim, err := simulator.New()
+	require.NoError(t, err)
+	err = sim.Open()
 	require.NoError(t, err)
 	return tpm.WithSimulator(sim)
 }
 
-func withNewErrorSimulator(t *testing.T) tpm.NewTPMOption {
-	return func(t *tpm.TPM) error {
-		return errors.New("forced new error")
-	}
-}
-
 func TestNew(t *testing.T) {
 	r, err := New(withSimulator(t))
 	require.NoError(t, err)
@@ -55,7 +49,4 @@ func TestNew(t *testing.T) {
 	if assert.NotNil(t, rsaKey) {
 		require.Equal(t, 256, rsaKey.Size()) // 2048 bits; 256 bytes expected to have been read
 	}
-
-	_, err = New(withNewErrorSimulator(t))
-	require.Error(t, err)
 }
diff --git a/tpm/simulator/simulator_disabled.go b/tpm/simulator/simulator_disabled.go
@@ -11,12 +11,12 @@
 type NoSimulator struct {
 }
 
-func New() Simulator {
-	return &NoSimulator{}
+func New() (Simulator, error) {
+	return &NoSimulator{}, errors.New("no simulator available")
 }
 
 func (s *NoSimulator) Open() error {
-	return errors.New("no simulator available")
+	return errors.New("cannot open: no simulator available")
 }
 
 func (s *NoSimulator) Close() error {

diff --git a/tpm/simulator/simulator_enabled.go b/tpm/simulator/simulator_enabled.go
@@ -4,6 +4,9 @@
 package simulator
 
 import (
+	"bytes"
+	"encoding/binary"
+	"encoding/hex"
 	"fmt"
 	"io"
 
@@ -12,22 +15,53 @@
 
 type WrappingSimulator struct {
 	wrapped *gotpm.Simulator
+	seed    *int64
 }
 
-func New() Simulator {
-	return &WrappingSimulator{}
+type NewSimulatorOption func(ws *WrappingSimulator) error
+
+func WithSeed(seed string) NewSimulatorOption {
+	return func(ws *WrappingSimulator) error {
+		b, err := hex.DecodeString(seed)
+		if err != nil {
+			return fmt.Errorf("failed decoding %q: %w", seed, err)
+		}
+		if len(b) != 8 {
+			return fmt.Errorf("%q has wrong number of bytes (%d)", seed, len(b))
+		}
+		var intSeed int64
+		buf := bytes.NewBuffer(b)
+		if err := binary.Read(buf, binary.BigEndian, &intSeed); err != nil {
+			return fmt.Errorf("failed reading %q into int64: %w", seed, err)
+		}
+		ws.seed = &intSeed
+		return nil
+	}
+}
+
+func New(opts ...NewSimulatorOption) (Simulator, error) {
+	ws := &WrappingSimulator{}
+	for _, applyTo := range opts {
+		if err := applyTo(ws); err != nil {
+			return nil, fmt.Errorf("failed initializing TPM simulator: %w", err)
+		}
+	}
+	return ws, nil
 }
 
 func (s *WrappingSimulator) Open() error {
 	var sim *gotpm.Simulator
 	var err error
 	if s.wrapped == nil {
-		sim, err = gotpm.Get()
+		if s.seed == nil {
+			sim, err = gotpm.Get()
+		} else {
+			sim, err = gotpm.GetWithFixedSeedInsecure(*s.seed)
+		}
 		if err != nil {
 			return err
 		}
 	}
-
 	s.wrapped = sim
 	return nil
 }