com.vmware.vcenter.trusted_infrastructure.hosts.hardware package

Submodules

com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client module

The com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client module provides classes to manage Trusted Platform Modules (TPMs).

class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.EndorsementKeys(config)

Bases: VapiInterface

The EndorsementKeys interface provides methods to get the Trusted Platform Module (TPM) Endorsement Key (EK) on a host. This class was added in vSphere API 8.0.0.1.

Parameters:

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class FilterSpec(types=None)

Bases: VapiStruct

The EndorsementKeys.FilterSpec class contains attributes used to filter the results when listing the endorsement key. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

types (set of EndorsementKeys.Type or None) – Type of the endorsement key. This attribute was added in vSphere API 8.0.0.1. if None or empty, the result will not be filtered by types.

class Info(type=None, public_area=None, name=None, qualified_name=None, public_key=None, certificate=None, manufacturer_certificate_uri=None, manufacturer_certificates=None)

Bases: VapiStruct

The EndorsementKeys.Info class contains information that describes a TPM endorsement key. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:
  • type (EndorsementKeys.Type) – The TPM endorsement key type. This attribute was added in vSphere API 8.0.0.1.

  • public_area (str) –

    The TPM endorsement key public area.

    The public area is a TPM2B_PUBLIC structure.

    Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.2.5 TPM2B_PUBLIC. This attribute was added in vSphere API 8.0.0.1.

  • name (str) –

    The TPM endorsement key name.

    The name is a TPM2B_NAME structure.

    Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 10.5.3 TPM2B_NAME. This attribute was added in vSphere API 8.0.0.1.

  • qualified_name (str) –

    The TPM endorsement key qualified name.

    The qualified name is a TPM2B_NAME structure.

    Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 10.5.3 TPM2B_NAME. This attribute was added in vSphere API 8.0.0.1.

  • public_key (str or None) – The TPM public endorsement key in PEM format. This attribute was added in vSphere API 8.0.0.1. if None, the PEM format public key could not be determined.

  • certificate (str or None) – The TPM endorsement key certificate in PEM format. This attribute was added in vSphere API 8.0.0.1. if None, the certificate cannot be retrieved from the TPM.

  • manufacturer_certificate_uri (str or None) – The TPM endorsement key issuer URL extracted from the TPM endorsement key certificate. This attribute was added in vSphere API 8.0.0.1. if None, the URI cannot be retrieved from the endorsement key certificate.

  • manufacturer_certificates (com.vmware.vcenter.trusted_infrastructure_client.X509CertChain or None) –

    The TPM manufacturer’s endorsement key certificate chain.

    Endorsement key certificates are signed by the TPM manufacturer. When available, the manufacturerCertificates attribute will contain the TPM manufacturer’s endorsement key certificate chain.. This attribute was added in vSphere API 8.0.0.1. if None, the certificate chain is not available.

class PolicyPcrSpec(pcrs=None, pcr_digest=None)

Bases: VapiStruct

The EndorsementKeys.PolicyPcrSpec class contains information that can be used to construct a PCR policy session for unsealing a secret using the EndorsementKeys.unseal() operation. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:
  • pcrs (str) –

    The PCRs to which the data is sealed.

    The PCR selection is a TPML_PCR_SELECTION structure.

    Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 10.9.7 TPML_PCR_SELECTION. This attribute was added in vSphere API 8.0.0.1.

  • pcr_digest (str or None) –

    The digest of the PCRs selected in EndorsementKeys.PolicyPcrSpec.pcrs.

    The digest is a TPM2B_DIGEST structure.

    Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 10.4.2 TPM2B_DIGEST. This attribute was added in vSphere API 8.0.0.1. If None, then the PCR digest is calculated by the service based on the current PCR state.

RESOURCE_TYPE = 'com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey'

Resource type for TPM endorsement Key. This class attribute was added in vSphere API 8.0.0.1.

class Summary(key=None, type=None)

Bases: VapiStruct

The EndorsementKeys.Summary class contains information that describes a TPM endorsement key. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:
  • key (str) – A unique identifier for the TPM endorsement key. This attribute was added in vSphere API 8.0.0.1. When clients pass a value of this class as a parameter, the attribute must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey. When methods return a value of this class as a return value, the attribute will be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey.

  • type (EndorsementKeys.Type) – The TPM endorsement key type. This attribute was added in vSphere API 8.0.0.1.

class Type(string)

Bases: Enum

The EndorsementKeys.Type class defines the endorsement key type based on key algorithms. This enumeration was added in vSphere API 8.0.0.1.

Note

This class represents an enumerated type in the interface language definition. The class contains class attributes which represent the values in the current version of the enumerated type. Newer versions of the enumerated type may contain new values. To use new values of the enumerated type in communication with a server that supports the newer version of the API, you instantiate this class. See enumerated type description page.

Parameters:

string (str) – String value for the Type instance.

ECC_NIST_P_256 = Type(string='ECC_NIST_P_256')

The ECC NISTP-256 bit key. This class attribute was added in vSphere API 8.0.0.1.

RSA_2048 = Type(string='RSA_2048')

The RSA 2048 bit key. This class attribute was added in vSphere API 8.0.0.1.

class UnsealSpec(public_area=None, private_area=None, seed=None, policy_pcr=None)

Bases: VapiStruct

The EndorsementKeys.UnsealSpec class contains information that describes the structures required to unseal a secret. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:
  • public_area (str) –

    The public area which corresponding to the EndorsementKeys.UnsealSpec.private_area secret that is being unsealed.

    The public area is a TPM2B_PUBLIC structure.

    Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.2.5 TPM2B_PUBLIC

    This public area is used as the “objectPublic” input to the TPM2_Import command.

    Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import. This attribute was added in vSphere API 8.0.0.1.

  • private_area (str) –

    A private area that contains a secret to be unsealed.

    The private area is symmetrically encrypted with the seed value derived from EndorsementKeys.UnsealSpec.seed.

    The private area is a TPM2B_PRIVATE structure.

    Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.3.7 TPM2B_PRIVATE

    This private area is used as the “duplicate” input to the TPM2_Import command.

    Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import. This attribute was added in vSphere API 8.0.0.1.

  • seed (str) –

    A seed value that is encrypted by the TPM endorsement key.

    The seed will be decrypted with the endorsement key and then will be used as a symmetric key to decrypt EndorsementKeys.UnsealSpec.private_area. This ensures that only a TPM with the expected endorsement key can unseal the secret.

    The seed value is a TPM2B_ENCRYPTED_SECRET structure.

    Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 11.4.3 TPM2B_ENCRYPTED_SECRET

    This seed is used as the “inSymSeed” input to the TPM2_Import command.

    Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import. This attribute was added in vSphere API 8.0.0.1.

  • policy_pcr (EndorsementKeys.PolicyPcrSpec or None) –

    PCR policy required to unseal the secret.

    Used as input to the TPM2_PolicyPCR command on a session that is created for issuing the TPM2_Unseal command.

    Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 23.7 TPM2_PolicyPCR. This attribute was added in vSphere API 8.0.0.1. If None, then a zeroed authorization policy is used for the TPM2_Unseal session.

get(host, tpm, key)

Get the TPM endorsement key details on a host.

The information returned is derived from executing the TPM2_ReadPublic command on the endorsement key object handle.

Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.4 TPM2_ReadPublic. This method was added in vSphere API 8.0.0.1.

Parameters:
  • host (str) – Identifier of the host. The parameter must be an identifier for the resource type: HostSystem.

  • tpm (str) – the TPM identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.Tpm.

  • key (str) – the endorsement key identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey.

Return type:

EndorsementKeys.Info

Returns:

The endorsement key info.

Raise:

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise:

com.vmware.vapi.std.errors_client.InvalidArgument if the arguments are invalid.

Raise:

com.vmware.vapi.std.errors_client.NotFound if the endorsement key, or the TPM device, or the host is not found.

Raise:

com.vmware.vapi.std.errors_client.ServiceUnavailable if too many requests are in progress.

Raise:

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if the caller is not authorized.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • The resource HostSystem referenced by the parameter host requires Host.Tpm.Read.

list(host, tpm, filter=None)

Return a list of configured endorsement keys on a host. This method was added in vSphere API 8.0.0.1.

Parameters:
  • host (str) – Identifier of the host. The parameter must be an identifier for the resource type: HostSystem.

  • tpm (str) – the TPM identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.Tpm.

  • filter (EndorsementKeys.FilterSpec or None) – a filter for the returned list. if None, the behavior is equivalent to a EndorsementKeys.FilterSpec with attributes None.

Return type:

list of EndorsementKeys.Summary

Returns:

A list of configured endorsement keys.

Raise:

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise:

com.vmware.vapi.std.errors_client.InvalidArgument if the arguments are invalid.

Raise:

com.vmware.vapi.std.errors_client.NotFound if the TPM device, or the host is not found.

Raise:

com.vmware.vapi.std.errors_client.ServiceUnavailable if too many requests are in progress.

Raise:

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if the caller is not authorized.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • The resource HostSystem referenced by the parameter host requires Host.Tpm.Read.

unseal(host, tpm, key, spec)

Unseal a secret that is bound to an endorsement key.

Provided with duplicate key data, load the key as a child of the specified endorsement key using the TPM2_Import command and then unseal the secret data using the TPM2_Unseal command.

The duplicate key must include only outer wrapping; inner wrapping is not supported. The duplicate key cannot have a complex authorization policy (e.g. including command selection, locality, etc). Only PCR policy authorization is supported at this time.

Trusted Platform Module Library Part 1: Architecture, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 23.3 Duplication

Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import

Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.7 TPM2_Unseal. This method was added in vSphere API 8.0.0.1.

Parameters:
  • host (str) – Identifier of the host. The parameter must be an identifier for the resource type: HostSystem.

  • tpm (str) – the TPM identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.Tpm.

  • key (str) – the endorsement key identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey.

  • spec (EndorsementKeys.UnsealSpec) – the unseal spec.

Return type:

str

Returns:

The unsealed secret.

Raise:

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise:

com.vmware.vapi.std.errors_client.InvalidArgument if the arguments are invalid.

Raise:

com.vmware.vapi.std.errors_client.NotFound if the endorsement key or TPM is not found.

Raise:

com.vmware.vapi.std.errors_client.ServiceUnavailable if too many requests are in progress.

Raise:

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if the caller is not authorized.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • The resource HostSystem referenced by the parameter host requires Host.Tpm.Unseal.

class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.EventLog(config)

Bases: VapiInterface

The EventLog interface provides methods to get the Trusted Platform Module (TPM) event log on a host. This class was added in vSphere API 8.0.0.1.

Parameters:

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class Info(type=None, data=None, truncated=None, banks=None)

Bases: VapiStruct

The EventLog.Info class contains information that describes an event log. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:
  • type (EventLog.Type) – Type of the event log. This attribute was added in vSphere API 8.0.0.1.

  • data (str or None) – Event log data in the format described by EventLog.Info.type. This attribute was added in vSphere API 8.0.0.1. This attribute is currently required. It may be optional in a future version.

  • truncated (bool) –

    Indicates if the event log is truncated.

    An event log is truncated when there was insufficient memory to store one or more event entries.. This attribute was added in vSphere API 8.0.0.1.

  • banks (list of PcrBank) – The resulting PCR banks from event log replay. This attribute was added in vSphere API 8.0.0.1.

class Type(string)

Bases: Enum

The EventLog.Type class lists the event log types. This enumeration was added in vSphere API 8.0.0.1.

Note

This class represents an enumerated type in the interface language definition. The class contains class attributes which represent the values in the current version of the enumerated type. Newer versions of the enumerated type may contain new values. To use new values of the enumerated type in communication with a server that supports the newer version of the API, you instantiate this class. See enumerated type description page.

Parameters:

string (str) – String value for the Type instance.

EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 = Type(string='EFI_TCG2_EVENT_LOG_FORMAT_TCG_2')

TCG EFI Protocol Specification, Family “2.0”, Level 00 Revision 00.13, March 30, 2016, Section 5.2 Crypto Agile Log Entry Format. This class attribute was added in vSphere API 8.0.0.1.

get(host, tpm)

Retrieves the event log associated with the TPM device. This method was added in vSphere API 8.0.0.1.

Parameters:
  • host (str) – Identifier of the host. The parameter must be an identifier for the resource type: HostSystem.

  • tpm (str) – the TPM identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.Tpm.

Return type:

EventLog.Info

Returns:

The event information.

Raise:

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise:

com.vmware.vapi.std.errors_client.InvalidArgument if the argument is invalid.

Raise:

com.vmware.vapi.std.errors_client.NotFound if event log is not found, or tpm is not found or host is not found.

Raise:

com.vmware.vapi.std.errors_client.ServiceUnavailable if too many requests are in progress.

Raise:

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if the caller is not authorized.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • The resource HostSystem referenced by the parameter host requires Host.Tpm.Read.

class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.HashAlgorithm(string)

Bases: Enum

The HashAlgorithm class defines the possible hash algorithms. This enumeration was added in vSphere API 8.0.0.1.

Note

This class represents an enumerated type in the interface language definition. The class contains class attributes which represent the values in the current version of the enumerated type. Newer versions of the enumerated type may contain new values. To use new values of the enumerated type in communication with a server that supports the newer version of the API, you instantiate this class. See enumerated type description page.

Parameters:

string (str) – String value for the HashAlgorithm instance.

SHA256 = HashAlgorithm(string='SHA256')

The SHA 256 hash algorithm. This class attribute was added in vSphere API 8.0.0.1.

SHA384 = HashAlgorithm(string='SHA384')

The SHA 384 hash algorithm. This class attribute was added in vSphere API 8.0.0.1.

SHA512 = HashAlgorithm(string='SHA512')

The SHA 512 hash algorithm. This class attribute was added in vSphere API 8.0.0.1.

SM3_256 = HashAlgorithm(string='SM3_256')

The SM3 hash algorithm. This class attribute was added in vSphere API 8.0.0.1.

class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.PcrBank(algorithm=None, pcrs=None)

Bases: VapiStruct

The PcrBank class contains information that describes digest information of a PCR bank. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:
  • algorithm (HashAlgorithm) – The hash algorithm that is used by TPM to calculate the PCR values. This attribute was added in vSphere API 8.0.0.1.

  • pcrs (dict of long and str) – The index of PCR and corresponding TPM digest value. This attribute was added in vSphere API 8.0.0.1.

class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.StubFactory(stub_config)

Bases: StubFactoryBase

Initialize StubFactoryBase

Parameters:

stub_config (vmware.vapi.bindings.stub.StubConfiguration) – Stub config instance