tpm2: rename base version to generation

tpm2/keydata_v3.go

@@ -35,13 +35,13 @@ import (
 )
 
 type additionalData_v3 struct {
-	BaseVersion uint32
-	KDFAlg      tpm2.HashAlgorithmId
-	AuthMode    secboot.AuthMode
+	Generation uint32
+	KDFAlg     tpm2.HashAlgorithmId
+	AuthMode   secboot.AuthMode
 }
 
 func (d additionalData_v3) Marshal(w io.Writer) error {
-	_, err := mu.MarshalToWriter(w, uint32(3), d.BaseVersion, d.KDFAlg, d.AuthMode)
+	_, err := mu.MarshalToWriter(w, uint32(3), d.Generation, d.KDFAlg, d.AuthMode)
 	return err
 }
 
@@ -165,16 +165,16 @@ func (d *keyData_v3) Policy() keyDataPolicy {
 	return d.PolicyData
 }
 
-func (d *keyData_v3) Decrypt(key, payload []byte, baseVersion uint32, kdfAlg tpm2.HashAlgorithmId, authMode secboot.AuthMode) ([]byte, error) {
+func (d *keyData_v3) Decrypt(key, payload []byte, generation uint32, kdfAlg tpm2.HashAlgorithmId, authMode secboot.AuthMode) ([]byte, error) {
 	// We only support AES-256-GCM with a 12-byte nonce, so we expect 44 bytes here
 	if len(key) != 32+12 {
 		return nil, errors.New("invalid symmetric key size")
 	}
 
 	aad, err := mu.MarshalToBytes(&additionalData_v3{
-		BaseVersion: baseVersion,
-		KDFAlg:      kdfAlg,
-		AuthMode:    authMode,
+		Generation: generation,
+		KDFAlg:     kdfAlg,
+		AuthMode:   authMode,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("cannot create AAD: %w", err)

tpm2/platform.go

@@ -39,10 +39,10 @@ const platformName = "tpm2"
 type platformKeyDataHandler struct{}
 
 func (h *platformKeyDataHandler) recoverKeysCommon(data *secboot.PlatformKeyData, encryptedPayload, authKey []byte) ([]byte, error) {
-	if data.Version < 0 || int64(data.Version) > math.MaxUint32 {
+	if data.Generation < 0 || int64(data.Generation) > math.MaxUint32 {
 		return nil, &secboot.PlatformHandlerError{
 			Type: secboot.PlatformHandlerErrorInvalidData,
-			Err:  fmt.Errorf("invalid base key data version: %d", data.Version)}
+			Err:  fmt.Errorf("invalid key data generation: %d", data.Generation)}
 	}
 
 	kdfAlg, err := hashAlgorithmIdFromCryptoHash(data.KDFAlg)
@@ -102,7 +102,7 @@ func (h *platformKeyDataHandler) recoverKeysCommon(data *secboot.PlatformKeyData
 		return nil, xerrors.Errorf("cannot unseal key: %w", err)
 	}
 
-	payload, err := k.data.Decrypt(symKey, encryptedPayload, uint32(data.Version), kdfAlg, data.AuthMode)
+	payload, err := k.data.Decrypt(symKey, encryptedPayload, uint32(data.Generation), kdfAlg, data.AuthMode)
 	if err != nil {
 		return nil, &secboot.PlatformHandlerError{
 			Type: secboot.PlatformHandlerErrorInvalidData,

tpm2/platform_test.go

@@ -197,7 +197,7 @@ func (s *platformSuite) testRecoverKeys(c *C, params *ProtectKeyParams) {
 	c.Check(k.UnmarshalPlatformHandle(&platformHandle), IsNil)
 
 	platformKeyData := &secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: platformHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256),
 		AuthMode:      k.AuthMode(),
@@ -253,7 +253,7 @@ func (s *platformSuite) testRecoverKeysNoValidSRK(c *C, prepareSrk func()) {
 
 	var handler PlatformKeyDataHandler
 	payload, err := handler.RecoverKeys(&secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: platformHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256)},
 		s.lastEncryptedPayload)
@@ -307,7 +307,7 @@ func (s *platformSuite) testRecoverKeysImportable(c *C, params *ProtectKeyParams
 
 	var handler PlatformKeyDataHandler
 	payload, err := handler.RecoverKeys(&secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: platformHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256)},
 		s.lastEncryptedPayload)
@@ -356,7 +356,7 @@ func (s *platformSuite) TestRecoverKeysNoTPMConnection(c *C) {
 
 	var handler PlatformKeyDataHandler
 	_, err = handler.RecoverKeys(&secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: platformHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256)},
 		s.lastEncryptedPayload)
@@ -381,7 +381,7 @@ func (s *platformSuite) testRecoverKeysUnsealErrorHandling(c *C, prepare func(*s
 
 	var handler PlatformKeyDataHandler
 	_, err = handler.RecoverKeys(&secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		AuthMode:      secboot.AuthModeNone,
 		Role:          "",
 		KDFAlg:        crypto.Hash(crypto.SHA256),
@@ -502,7 +502,7 @@ func (s *platformSuite) TestRecoverKeysWithAuthKey(c *C) {
 	c.Check(k.UnmarshalPlatformHandle(&platformHandle), IsNil)
 
 	platformKeyData := &secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: platformHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256),
 		AuthMode:      k.AuthMode(),
@@ -513,7 +513,7 @@ func (s *platformSuite) TestRecoverKeysWithAuthKey(c *C) {
 	c.Check(err, IsNil)
 
 	newPlatformKeyData := &secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: newHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256),
 		AuthMode:      k.AuthMode(),
@@ -579,7 +579,7 @@ func (s *platformSuite) TestRecoverKeysWithIncorrectAuthKey(c *C) {
 	c.Check(k.UnmarshalPlatformHandle(&platformHandle), IsNil)
 
 	platformKeyData := &secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: platformHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256),
 		AuthMode:      k.AuthMode(),
@@ -590,7 +590,7 @@ func (s *platformSuite) TestRecoverKeysWithIncorrectAuthKey(c *C) {
 	c.Check(err, IsNil)
 
 	newPlatformKeyData := &secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: newHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256),
 		// AuthMode:      k.AuthMode(),
@@ -651,7 +651,7 @@ func (s *platformSuite) TestChangeAuthKeyWithIncorrectAuthKey(c *C) {
 	c.Check(k.UnmarshalPlatformHandle(&platformHandle), IsNil)
 
 	platformKeyData := &secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: platformHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256),
 		AuthMode:      k.AuthMode(),
@@ -662,7 +662,7 @@ func (s *platformSuite) TestChangeAuthKeyWithIncorrectAuthKey(c *C) {
 	c.Check(err, IsNil)
 
 	newPlatformKeyData := &secboot.PlatformKeyData{
-		Version:       k.Version(),
+		Generation:    k.Generation(),
 		EncodedHandle: newHandle,
 		KDFAlg:        crypto.Hash(crypto.SHA256),
 		AuthMode:      k.AuthMode(),

tpm2/seal.go

@@ -187,9 +187,9 @@ func makeSealedKeyData(tpm *tpm2.TPMContext, params *makeSealedKeyDataParams, se
 	}
 
 	aad, err := mu.MarshalToBytes(&additionalData_v3{
-		BaseVersion: uint32(secboot.KeyDataVersion),
-		KDFAlg:      tpm2.HashAlgorithmSHA256,
-		AuthMode:    params.AuthMode,
+		Generation: uint32(secboot.KeyDataGeneration),
+		KDFAlg:     tpm2.HashAlgorithmSHA256,
+		AuthMode:   params.AuthMode,
 	})
 	if err != nil {
 		return nil, nil, nil, xerrors.Errorf("cannot create AAD: %w", err)

tpm2/seal_test.go

@@ -619,9 +619,9 @@ func (s *sealSuiteNoTPM) testMakeSealedKeyData(c *C, data *testMakeSealedKeyData
 	c.Assert(err, IsNil)
 
 	aad, err := mu.MarshalToBytes(&AdditionalData_v3{
-		BaseVersion: uint32(kd.Version()),
-		KDFAlg:      tpm2.HashAlgorithmSHA256,
-		AuthMode:    kd.AuthMode(),
+		Generation: uint32(kd.Generation()),
+		KDFAlg:     tpm2.HashAlgorithmSHA256,
+		AuthMode:   kd.AuthMode(),
 	})
 
 	aead, err := cipher.NewGCM(b)