From 812e61624114207843ea4994ab63597517f996e2 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Fri, 19 Jun 2026 10:53:05 -0700 Subject: [PATCH 1/3] Add new isValidTPMManufacturerID() --- .../verifications/tpm/constants.ts | 2 +- .../tpm/isValidTPMManufacturerID.test.ts | 22 +++++++++++++++++++ .../tpm/isValidTPMManufacturerID.ts | 8 +++++++ 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 packages/server/src/registration/verifications/tpm/isValidTPMManufacturerID.test.ts create mode 100644 packages/server/src/registration/verifications/tpm/isValidTPMManufacturerID.ts diff --git a/packages/server/src/registration/verifications/tpm/constants.ts b/packages/server/src/registration/verifications/tpm/constants.ts index 323f7136..d987d3de 100644 --- a/packages/server/src/registration/verifications/tpm/constants.ts +++ b/packages/server/src/registration/verifications/tpm/constants.ts @@ -90,7 +90,7 @@ export const TPM_ECC_CURVE: { [key: number]: string } = { 0x0020: 'TPM_ECC_SM2_P256', }; -type ManufacturerInfo = { +export type ManufacturerInfo = { name: string; id: string; }; diff --git a/packages/server/src/registration/verifications/tpm/isValidTPMManufacturerID.test.ts b/packages/server/src/registration/verifications/tpm/isValidTPMManufacturerID.test.ts new file mode 100644 index 00000000..eeba5cd4 --- /dev/null +++ b/packages/server/src/registration/verifications/tpm/isValidTPMManufacturerID.test.ts 
@@ -0,0 +1,22 @@
+import { assertEquals } from '@std/assert';
+import { getTPMManufacturerInfo } from './isValidTPMManufacturerID.ts';
+
+Deno.test('should normalize manufacturer ID - Qualcomm', () => {
+ const isValid = getTPMManufacturerInfo('id:51434f4d');
+
+ assertEquals(isValid?.id, 'QCOM');
+ assertEquals(isValid?.name, 'Qualcomm');
+});
+
+Deno.test('should normalize manufacturer ID - IBM', () => {
+ const isValid = getTPMManufacturerInfo('id:49424d00');
+
+ assertEquals(isValid?.id, 'IBM');
+ assertEquals(isValid?.name, 'IBM');
+});
+
+Deno.test('should return undefined for bad manufacturer ID', () => {
+ const isValid = getTPMManufacturerInfo('');
+
+ assertEquals(isValid, undefined);
+});
diff --git a/packages/server/src/registration/verifications/tpm/isValidTPMManufacturerID.ts b/packages/server/src/registration/verifications/tpm/isValidTPMManufacturerID.ts
new file mode 100644
index 00000000..4849f2ff
--- /dev/null
+++ b/packages/server/src/registration/verifications/tpm/isValidTPMManufacturerID.ts
@@ -0,0 +1,8 @@
+import { type ManufacturerInfo, TPM_MANUFACTURERS } from './constants.ts';
+
+export function getTPMManufacturerInfo(id: string): ManufacturerInfo | undefined {
+ // e.g. "id:51434f4d" -> "id:51434f4D"
+ const _normalized = `id:${id.substring(3).toUpperCase()}`;
+
+ return TPM_MANUFACTURERS[_normalized];
+}
From 610870f67a4d524ee20bf246b03099af6cb1aeb6 Mon Sep 17 00:00:00 2001
From: Matthew Miller
Date: Fri, 19 Jun 2026 10:53:19 -0700
Subject: [PATCH 2/3] Use new method in TPM verification
---
 .../registration/verifications/tpm/verifyAttestationTPM.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts b/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts
index 443d1f4b..0c3d8429 100644
--- a/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts
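Review bot: The only negative case in isValidTPMManufacturerID.test.ts is the empty string, so nothing pins the result for an input whose first three characters are not `id:` or for a well-formed ID that is absent from the table. Both cases decide whether an attestation certificate's manufacturer field is accepted, so each should have a test asserting `undefined`. An already upper-case input should be covered as well, to show that normalization leaves it unchanged. The local `isValid` holds a `ManufacturerInfo | undefined` rather than a boolean; `const info = getTPMManufacturerInfo(...)` would read more accurately.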
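Review bot: `id.substring(3)` in getTPMManufacturerInfo discards the first three characters without checking that they are `id:`, so any input whose remainder matches a table key resolves to a manufacturer whatever its prefix was. The exact-key lookup this replaces in verifyAttestationTPM.ts (second patch, the `tcgAtTpmManufacturer` check) had no such slack, so guard the prefix before normalizing: `if (!id.startsWith('id:')) return undefined;`. The example comment is also inaccurate, since `toUpperCase()` produces `"id:51434F4D"` rather than `"id:51434f4D"`. The lookup now succeeds only for keys stored with upper-case hex, which cannot be confirmed from this hunk for the rest of `TPM_MANUFACTURERS`. As a naming point, the file is isValidTPMManufacturerID.ts while the export is `getTPMManufacturerInfo`, and `_normalized` is a used local that does not need the underscore prefix.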
+++ b/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts @@ -28,9 +28,10 @@ import { MetadataService } from '../../../services/metadataService.ts'; import { verifyAttestationWithMetadata } from '../../../metadata/verifyAttestationWithMetadata.ts'; import type { Uint8Array_ } from '../../../types/index.ts'; -import { TPM_ECC_CURVE_COSE_CRV_MAP, TPM_MANUFACTURERS } from './constants.ts'; +import { TPM_ECC_CURVE_COSE_CRV_MAP } from './constants.ts'; import { parseCertInfo } from './parseCertInfo.ts'; import { parsePubArea } from './parsePubArea.ts'; +import { getTPMManufacturerInfo } from './isValidTPMManufacturerID.ts'; export async function verifyAttestationTPM( options: AttestationFormatVerifierOpts, @@ -325,7 +326,7 @@ export async function verifyAttestationTPM( } // Check that tcpaTpmManufacturer (2.23.133.2.1) field is set to a valid manufacturer ID. - if (!TPM_MANUFACTURERS[tcgAtTpmManufacturer]) { + if (!getTPMManufacturerInfo(tcgAtTpmManufacturer)) { throw new Error( `Could not match TPM manufacturer "${tcgAtTpmManufacturer}" (TPM)`, ); From ebdec355b54a1ab951f110ec4a5e56f050da1245 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Fri, 19 Jun 2026 10:53:43 -0700 Subject: [PATCH 3/3] Deduplicate IBM in TPM_MANUFACTURERS --- .../server/src/registration/verifications/tpm/constants.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packages/server/src/registration/verifications/tpm/constants.ts b/packages/server/src/registration/verifications/tpm/constants.ts index d987d3de..5db2954f 100644 --- a/packages/server/src/registration/verifications/tpm/constants.ts +++ b/packages/server/src/registration/verifications/tpm/constants.ts 
@@ -113,8 +113,7 @@ export const TPM_MANUFACTURERS: { [key: string]: ManufacturerInfo } = {
 'id:48504900': { name: 'HPI', id: 'HPI' },
 'id:48504500': { name: 'HPE', id: 'HPE' },
 'id:48495349': { name: 'Huawei', id: 'HISI' },
- 'id:49424d00': { name: 'IBM', id: 'IBM' },
- 'id:49424D00': { name: 'IBM', id: 'IBM' }, // Same ID for IBM as above, except the "D" is capitalized as per TPM spec
+ 'id:49424D00': { name: 'IBM', id: 'IBM' }, // IBM is "id:49424d00" in the TPM spec. It's been normalized here
 'id:49465800': { name: 'Infineon', id: 'IFX' },
 'id:494E5443': { name: 'Intel', id: 'INTC' },
 'id:4C454E00': { name: 'Lenovo', id: 'LEN' },
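Review bot: With the lower-case row removed, the exported `TPM_MANUFACTURERS` table no longer answers a direct lookup for `id:49424d00`, the spelling the new comment attributes to the TPM spec, and that comment documents the upper-case requirement for this one row only. State the invariant once at the table's declaration, for example `// Keys use upper-case hex; look IDs up through getTPMManufacturerInfo(), which normalizes case.`, so that a later entry pasted in lower case does not become silently unreachable. The declaration is outside this hunk and appears only as hunk-header context, so the other rows could not be checked for lower-case digits.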