com.vmware.vcenter.trusted_infrastructure.hosts.hardware package
Submodules
com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client module
The com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client module provides classes to manage Trusted Platform Modules (TPMs).
- class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.EndorsementKeys(config)
Bases: VapiInterface
The EndorsementKeys interface provides methods to get the Trusted Platform Module (TPM) Endorsement Key (EK) on a host. This class was added in vSphere API 8.0.0.1.
- Parameters:
config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.
- class FilterSpec(types=None)
Bases: VapiStruct
The EndorsementKeys.FilterSpec class contains attributes used to filter the results when listing the endorsement keys. This class was added in vSphere API 8.0.0.1.
Tip: The arguments are used to initialize data attributes with the same names.
- Parameters:
types (set of EndorsementKeys.Type or None) – Type of the endorsement key. This attribute was added in vSphere API 8.0.0.1. If None or empty, the result will not be filtered by types.
- class Info(type=None, public_area=None, name=None, qualified_name=None, public_key=None, certificate=None, manufacturer_certificate_uri=None, manufacturer_certificates=None)
Bases: VapiStruct
The EndorsementKeys.Info class contains information that describes a TPM endorsement key. This class was added in vSphere API 8.0.0.1.
Tip: The arguments are used to initialize data attributes with the same names.
- Parameters:
type (EndorsementKeys.Type) – The TPM endorsement key type. This attribute was added in vSphere API 8.0.0.1.
public_area (str) – The TPM endorsement key public area. The public area is a TPM2B_PUBLIC structure. Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.2.5 TPM2B_PUBLIC. This attribute was added in vSphere API 8.0.0.1.
name (str) – The TPM endorsement key name. The name is a TPM2B_NAME structure. Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 10.5.3 TPM2B_NAME. This attribute was added in vSphere API 8.0.0.1.
qualified_name (str) – The TPM endorsement key qualified name. The qualified name is a TPM2B_NAME structure. Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 10.5.3 TPM2B_NAME. This attribute was added in vSphere API 8.0.0.1.
public_key (str or None) – The TPM public endorsement key in PEM format. This attribute was added in vSphere API 8.0.0.1. If None, the PEM format public key could not be determined.
certificate (str or None) – The TPM endorsement key certificate in PEM format. This attribute was added in vSphere API 8.0.0.1. If None, the certificate cannot be retrieved from the TPM.
manufacturer_certificate_uri (str or None) – The TPM endorsement key issuer URL extracted from the TPM endorsement key certificate. This attribute was added in vSphere API 8.0.0.1. If None, the URI cannot be retrieved from the endorsement key certificate.
manufacturer_certificates (com.vmware.vcenter.trusted_infrastructure_client.X509CertChain or None) – The TPM manufacturer’s endorsement key certificate chain. Endorsement key certificates are signed by the TPM manufacturer. When available, the manufacturerCertificates attribute will contain the TPM manufacturer’s endorsement key certificate chain. This attribute was added in vSphere API 8.0.0.1. If None, the certificate chain is not available.
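As an added example (not code from the VMware SDK or this page), the following Python decodes an RSA EndorsementKeys.Info.public_area (TPM2B_PUBLIC) and recomputes the object Name, so that EndorsementKeys.Info.name can be cross-checked against the public area before the key is relied on. It assumes the two str attributes have already been decoded to bytes (this page does not state the binding's encoding), handles the RSA_2048 type only, and uses a constructed public area with a dummy modulus as input.

```python
import hashlib
import struct

# TPM_ALG_ID constants (TCG Algorithm Registry) that appear in an RSA EK public area.
TPM_ALG_RSA, TPM_ALG_NULL, TPM_ALG_AES, TPM_ALG_CFB = 0x0001, 0x0010, 0x0006, 0x0043
HASH_ALGS = {0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}


def _tpm2b(buf, off):
    """Read a TPM2B (2-byte big-endian size + payload); return (payload, next offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + size], off + 2 + size


def parse_rsa_public_area(blob):
    """Decode a TPM2B_PUBLIC (Part 2, 12.2.5) that holds an RSA key."""
    body, end = _tpm2b(blob, 0)
    if end != len(blob):
        raise ValueError("TPM2B_PUBLIC size prefix does not match payload length")
    key_type, name_alg, attrs = struct.unpack_from(">HHI", body, 0)
    if key_type != TPM_ALG_RSA or name_alg not in HASH_ALGS:
        raise ValueError("not an RSA public area with a supported nameAlg")
    auth_policy, off = _tpm2b(body, 8)                      # TPM2B_DIGEST authPolicy
    (sym,) = struct.unpack_from(">H", body, off)            # TPMT_SYM_DEF_OBJECT
    off += 2 if sym == TPM_ALG_NULL else 6                  # + keyBits, mode
    (scheme,) = struct.unpack_from(">H", body, off)         # TPMT_RSA_SCHEME
    off += 2 if scheme == TPM_ALG_NULL else 4               # + hashAlg
    key_bits, exponent = struct.unpack_from(">HI", body, off)
    modulus, _ = _tpm2b(body, off + 6)                      # TPM2B_PUBLIC_KEY_RSA
    return {"name_alg": name_alg, "attributes": attrs, "auth_policy": auth_policy,
            "key_bits": key_bits, "exponent": exponent or 65537,
            "modulus": modulus, "body": body}


def tpm2b_name(public_area):
    """Object Name: nameAlg || H_nameAlg(TPMT_PUBLIC), wrapped as TPM2B_NAME (Part 2, 10.5.3)."""
    info = parse_rsa_public_area(public_area)
    digest = hashlib.new(HASH_ALGS[info["name_alg"]], info["body"]).digest()
    name = struct.pack(">H", info["name_alg"]) + digest
    return struct.pack(">H", len(name)) + name


def ek_name_matches(public_area, reported_name):
    """True when EndorsementKeys.Info.name is the Name of EndorsementKeys.Info.public_area."""
    return tpm2b_name(public_area) == reported_name


def build_sample_rsa2048_ek():
    """Constructed RSA-2048 EK public area following the TCG default EK template
    (attributes 0x000300B2, AES-128-CFB, null scheme); the modulus is a dummy, not a real key."""
    # SHA-256 authPolicy of the default EK template: PolicySecret(TPM_RH_ENDORSEMENT).
    policy = bytes.fromhex("837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa")
    modulus = bytes(range(255, -1, -1))                     # 256 dummy bytes
    body = struct.pack(">HHIH", TPM_ALG_RSA, 0x000B, 0x000300B2, len(policy)) + policy
    body += struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)
    body += struct.pack(">H", TPM_ALG_NULL) + struct.pack(">HI", 2048, 0)
    body += struct.pack(">H", len(modulus)) + modulus
    return struct.pack(">H", len(body)) + body
```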
- class PolicyPcrSpec(pcrs=None, pcr_digest=None)
Bases: VapiStruct
The EndorsementKeys.PolicyPcrSpec class contains information that can be used to construct a PCR policy session for unsealing a secret using the EndorsementKeys.unseal() operation. This class was added in vSphere API 8.0.0.1.
Tip: The arguments are used to initialize data attributes with the same names.
- Parameters:
pcrs (str) – The PCRs to which the data is sealed. The PCR selection is a TPML_PCR_SELECTION structure. Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 10.9.7 TPML_PCR_SELECTION. This attribute was added in vSphere API 8.0.0.1.
pcr_digest (str or None) – The digest of the PCRs selected in EndorsementKeys.PolicyPcrSpec.pcrs. The digest is a TPM2B_DIGEST structure. Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 10.4.2 TPM2B_DIGEST. This attribute was added in vSphere API 8.0.0.1. If None, then the PCR digest is calculated by the service based on the current PCR state.
- RESOURCE_TYPE = 'com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey'
Resource type for TPM endorsement Key. This class attribute was added in vSphere API 8.0.0.1.
- class Summary(key=None, type=None)
Bases: VapiStruct
The EndorsementKeys.Summary class contains information that describes a TPM endorsement key. This class was added in vSphere API 8.0.0.1.
Tip: The arguments are used to initialize data attributes with the same names.
- Parameters:
key (str) – A unique identifier for the TPM endorsement key. This attribute was added in vSphere API 8.0.0.1. When clients pass a value of this class as a parameter, the attribute must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey. When methods return a value of this class as a return value, the attribute will be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey.
type (EndorsementKeys.Type) – The TPM endorsement key type. This attribute was added in vSphere API 8.0.0.1.
- class Type(string)
Bases: Enum
The EndorsementKeys.Type class defines the endorsement key type based on key algorithms. This enumeration was added in vSphere API 8.0.0.1.
Note: This class represents an enumerated type in the interface language definition. The class contains class attributes which represent the values in the current version of the enumerated type. Newer versions of the enumerated type may contain new values. To use new values of the enumerated type in communication with a server that supports the newer version of the API, you instantiate this class. See the enumerated type description page.
- Parameters:
string (str) – String value for the Type instance.
- ECC_NIST_P_256 = Type(string='ECC_NIST_P_256')
The ECC NIST P-256 (256-bit) key. This class attribute was added in vSphere API 8.0.0.1.
- RSA_2048 = Type(string='RSA_2048')
The RSA 2048-bit key. This class attribute was added in vSphere API 8.0.0.1.
- class UnsealSpec(public_area=None, private_area=None, seed=None, policy_pcr=None)
Bases: VapiStruct
The EndorsementKeys.UnsealSpec class contains information that describes the structures required to unseal a secret. This class was added in vSphere API 8.0.0.1.
Tip: The arguments are used to initialize data attributes with the same names.
- Parameters:
public_area (str) – The public area corresponding to the EndorsementKeys.UnsealSpec.private_area secret that is being unsealed. The public area is a TPM2B_PUBLIC structure. Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.2.5 TPM2B_PUBLIC. This public area is used as the “objectPublic” input to the TPM2_Import command. Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import. This attribute was added in vSphere API 8.0.0.1.
private_area (str) – A private area that contains a secret to be unsealed. The private area is symmetrically encrypted with the seed value derived from EndorsementKeys.UnsealSpec.seed. The private area is a TPM2B_PRIVATE structure. Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.3.7 TPM2B_PRIVATE. This private area is used as the “duplicate” input to the TPM2_Import command. Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import. This attribute was added in vSphere API 8.0.0.1.
seed (str) – A seed value that is encrypted by the TPM endorsement key. The seed will be decrypted with the endorsement key and then used as a symmetric key to decrypt EndorsementKeys.UnsealSpec.private_area. This ensures that only a TPM with the expected endorsement key can unseal the secret. The seed value is a TPM2B_ENCRYPTED_SECRET structure. Trusted Platform Module Library Part 2: Structures, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 11.4.3 TPM2B_ENCRYPTED_SECRET. This seed is used as the “inSymSeed” input to the TPM2_Import command. Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import. This attribute was added in vSphere API 8.0.0.1.
policy_pcr (EndorsementKeys.PolicyPcrSpec or None) – PCR policy required to unseal the secret. Used as input to the TPM2_PolicyPCR command on a session that is created for issuing the TPM2_Unseal command. Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 23.7 TPM2_PolicyPCR. This attribute was added in vSphere API 8.0.0.1. If None, then a zeroed authorization policy is used for the TPM2_Unseal session.
- get(host, tpm, key)
Get the TPM endorsement key details on a host. The information returned is derived from executing the TPM2_ReadPublic command on the endorsement key object handle. Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.4 TPM2_ReadPublic. This method was added in vSphere API 8.0.0.1.
- Parameters:
host (str) – Identifier of the host. The parameter must be an identifier for the resource type: HostSystem.
tpm (str) – The TPM identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.Tpm.
key (str) – The endorsement key identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey.
- Return type:
- Returns:
The endorsement key info.
- Raise: com.vmware.vapi.std.errors_client.Error if there is a generic error.
- Raise: com.vmware.vapi.std.errors_client.InvalidArgument if the arguments are invalid.
- Raise: com.vmware.vapi.std.errors_client.NotFound if the endorsement key, the TPM device, or the host is not found.
- Raise: com.vmware.vapi.std.errors_client.ServiceUnavailable if too many requests are in progress.
- Raise: com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.
- Raise: com.vmware.vapi.std.errors_client.Unauthorized if the caller is not authorized.
- Raise: com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows: the resource HostSystem referenced by the parameter host requires Host.Tpm.Read.
- list(host, tpm, filter=None)
Return a list of configured endorsement keys on a host. This method was added in vSphere API 8.0.0.1.
- Parameters:
host (str) – Identifier of the host. The parameter must be an identifier for the resource type: HostSystem.
tpm (str) – The TPM identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.Tpm.
filter (EndorsementKeys.FilterSpec or None) – A filter for the returned list. If None, the behavior is equivalent to an EndorsementKeys.FilterSpec with all attributes None.
- Return type:
- Returns:
A list of configured endorsement keys.
- Raise: com.vmware.vapi.std.errors_client.Error if there is a generic error.
- Raise: com.vmware.vapi.std.errors_client.InvalidArgument if the arguments are invalid.
- Raise: com.vmware.vapi.std.errors_client.NotFound if the TPM device or the host is not found.
- Raise: com.vmware.vapi.std.errors_client.ServiceUnavailable if too many requests are in progress.
- Raise: com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.
- Raise: com.vmware.vapi.std.errors_client.Unauthorized if the caller is not authorized.
- Raise: com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows: the resource HostSystem referenced by the parameter host requires Host.Tpm.Read.
- unseal(host, tpm, key, spec)
Unseal a secret that is bound to an endorsement key.
Provided with duplicate key data, load the key as a child of the specified endorsement key using the TPM2_Import command and then unseal the secret data using the TPM2_Unseal command.
The duplicate key must include only outer wrapping; inner wrapping is not supported. The duplicate key cannot have a complex authorization policy (e.g. including command selection, locality, etc.). Only PCR policy authorization is supported at this time.
Trusted Platform Module Library Part 1: Architecture, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 23.3 Duplication
Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 13.3 TPM2_Import
Trusted Platform Module Library Part 3: Commands, Family “2.0”, Level 00 Revision 01.59, November 8, 2019, Section 12.7 TPM2_Unseal
This method was added in vSphere API 8.0.0.1.
- Parameters:
host (str) – Identifier of the host. The parameter must be an identifier for the resource type: HostSystem.
tpm (str) – The TPM identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.Tpm.
key (str) – The endorsement key identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm.EndorsementKey.
spec (EndorsementKeys.UnsealSpec) – The unseal spec.
- Return type:
str
- Returns:
The unsealed secret.
- Raise: com.vmware.vapi.std.errors_client.Error if there is a generic error.
- Raise: com.vmware.vapi.std.errors_client.InvalidArgument if the arguments are invalid.
- Raise: com.vmware.vapi.std.errors_client.NotFound if the endorsement key or the TPM is not found.
- Raise: com.vmware.vapi.std.errors_client.ServiceUnavailable if too many requests are in progress.
- Raise: com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.
- Raise: com.vmware.vapi.std.errors_client.Unauthorized if the caller is not authorized.
- Raise: com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows: the resource HostSystem referenced by the parameter host requires Host.Tpm.Unseal.
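As an added example, not code from the SDK or this page, the following Python builds the byte values carried by EndorsementKeys.PolicyPcrSpec.pcrs (TPML_PCR_SELECTION) and pcr_digest (TPM2B_DIGEST), computing the PCR digest client-side from a PcrBank-shaped dictionary instead of letting the service derive it from the current PCR state, and derives the TPM2_PolicyPCR policy digest that the sealed object's authPolicy (inside EndorsementKeys.UnsealSpec.public_area) must equal for the unseal to succeed. Assumptions: SHA-256 for both the PCR bank and the policy session, a fresh (all-zero) session digest, and a constructed sample bank.

```python
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B
TPM_CC_POLICY_PCR = 0x0000017F                  # command code hashed into the policy
HASH_NAMES = {0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}


def tpml_pcr_selection(alg, indices, size_of_select=3):
    """Encode a single-bank TPML_PCR_SELECTION (Part 2, 10.9.7) selecting `indices`."""
    bitmap = bytearray(size_of_select)
    for i in indices:
        if not 0 <= i < size_of_select * 8:
            raise ValueError(f"PCR {i} does not fit in a {size_of_select}-byte pcrSelect")
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, alg, size_of_select) + bytes(bitmap)


def pcr_digest(alg, bank, indices):
    """pcrDigest for TPM2_PolicyPCR: hash of the selected PCR values, concatenated in
    ascending index order. `bank` has the shape of PcrBank.pcrs: {index: hex digest}."""
    h = hashlib.new(HASH_NAMES[alg])
    for i in sorted(set(indices)):
        h.update(bytes.fromhex(bank[i]))               # KeyError if the bank lacks a PCR
    return h.digest()


def tpm2b(payload):
    """Wrap bytes as a TPM2B (2-byte big-endian size + payload)."""
    return struct.pack(">H", len(payload)) + payload


def policy_pcr_digest(alg, pcrs_tpml, digest):
    """Policy digest after TPM2_PolicyPCR on a fresh session (Part 3, 23.7):
    H(0^n || TPM_CC_PolicyPCR || pcrs || pcrDigest). A sealed object must carry
    this value as its authPolicy for the PCR policy to authorize TPM2_Unseal."""
    name = HASH_NAMES[alg]
    start = bytes(hashlib.new(name).digest_size)       # fresh session: all-zero digest
    return hashlib.new(name, start + struct.pack(">I", TPM_CC_POLICY_PCR)
                       + pcrs_tpml + digest).digest()


def build_policy_pcr_spec(bank, indices, alg=TPM_ALG_SHA256):
    """Byte values for EndorsementKeys.PolicyPcrSpec(pcrs=..., pcr_digest=...) that pin
    the unseal to the PCR state in `bank`, plus the authPolicy that state implies."""
    pcrs = tpml_pcr_selection(alg, indices)
    digest = pcr_digest(alg, bank, indices)
    return {"pcrs": pcrs, "pcr_digest": tpm2b(digest),
            "expected_auth_policy": policy_pcr_digest(alg, pcrs, digest)}


# Constructed SHA256 bank in PcrBank.pcrs shape; values are placeholders, not real measurements.
SAMPLE_BANK = {0: hashlib.sha256(b"pcr0").hexdigest(), 7: hashlib.sha256(b"pcr7").hexdigest()}
```

Before calling unseal, compare expected_auth_policy with the authPolicy parsed from the sealed object's public area; a mismatch means the object was not sealed to that PCR selection and the call will fail with the TPM's policy error.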
- class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.EventLog(config)
Bases: VapiInterface
The EventLog interface provides methods to get the Trusted Platform Module (TPM) event log on a host. This class was added in vSphere API 8.0.0.1.
- Parameters:
config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.
- class Info(type=None, data=None, truncated=None, banks=None)
Bases: VapiStruct
The EventLog.Info class contains information that describes an event log. This class was added in vSphere API 8.0.0.1.
Tip: The arguments are used to initialize data attributes with the same names.
- Parameters:
type (EventLog.Type) – Type of the event log. This attribute was added in vSphere API 8.0.0.1.
data (str or None) – Event log data in the format described by EventLog.Info.type. This attribute was added in vSphere API 8.0.0.1. This attribute is currently required. It may be optional in a future version.
truncated (bool) – Indicates if the event log is truncated. An event log is truncated when there was insufficient memory to store one or more event entries. This attribute was added in vSphere API 8.0.0.1.
banks (list of PcrBank) – The resulting PCR banks from event log replay. This attribute was added in vSphere API 8.0.0.1.
- class Type(string)
Bases: Enum
The EventLog.Type class lists the event log types. This enumeration was added in vSphere API 8.0.0.1.
Note: This class represents an enumerated type in the interface language definition. The class contains class attributes which represent the values in the current version of the enumerated type. Newer versions of the enumerated type may contain new values. To use new values of the enumerated type in communication with a server that supports the newer version of the API, you instantiate this class. See the enumerated type description page.
- Parameters:
string (str) – String value for the Type instance.
- EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 = Type(string='EFI_TCG2_EVENT_LOG_FORMAT_TCG_2')
TCG EFI Protocol Specification, Family “2.0”, Level 00 Revision 00.13, March 30, 2016, Section 5.2 Crypto Agile Log Entry Format. This class attribute was added in vSphere API 8.0.0.1.
- get(host, tpm)
Retrieves the event log associated with the TPM device. This method was added in vSphere API 8.0.0.1.
- Parameters:
host (str) – Identifier of the host. The parameter must be an identifier for the resource type: HostSystem.
tpm (str) – The TPM identifier. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.hosts.hardware.Tpm.
- Return type:
- Returns:
The event log information.
- Raise: com.vmware.vapi.std.errors_client.Error if there is a generic error.
- Raise: com.vmware.vapi.std.errors_client.InvalidArgument if the argument is invalid.
- Raise: com.vmware.vapi.std.errors_client.NotFound if the event log, the TPM, or the host is not found.
- Raise: com.vmware.vapi.std.errors_client.ServiceUnavailable if too many requests are in progress.
- Raise: com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.
- Raise: com.vmware.vapi.std.errors_client.Unauthorized if the caller is not authorized.
- Raise: com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows: the resource HostSystem referenced by the parameter host requires Host.Tpm.Read.
- class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.HashAlgorithm(string)
Bases: Enum
The HashAlgorithm class defines the possible hash algorithms. This enumeration was added in vSphere API 8.0.0.1.
Note: This class represents an enumerated type in the interface language definition. The class contains class attributes which represent the values in the current version of the enumerated type. Newer versions of the enumerated type may contain new values. To use new values of the enumerated type in communication with a server that supports the newer version of the API, you instantiate this class. See the enumerated type description page.
- Parameters:
string (str) – String value for the HashAlgorithm instance.
- SHA256 = HashAlgorithm(string='SHA256')
The SHA-256 hash algorithm. This class attribute was added in vSphere API 8.0.0.1.
- SHA384 = HashAlgorithm(string='SHA384')
The SHA-384 hash algorithm. This class attribute was added in vSphere API 8.0.0.1.
- SHA512 = HashAlgorithm(string='SHA512')
The SHA-512 hash algorithm. This class attribute was added in vSphere API 8.0.0.1.
- SM3_256 = HashAlgorithm(string='SM3_256')
The SM3 hash algorithm. This class attribute was added in vSphere API 8.0.0.1.
- class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.PcrBank(algorithm=None, pcrs=None)
Bases: VapiStruct
The PcrBank class contains information that describes the digest information of a PCR bank. This class was added in vSphere API 8.0.0.1.
Tip: The arguments are used to initialize data attributes with the same names.
- Parameters:
algorithm (HashAlgorithm) – The hash algorithm that is used by the TPM to calculate the PCR values. This attribute was added in vSphere API 8.0.0.1.
pcrs (dict of long and str) – The index of each PCR and its corresponding TPM digest value. This attribute was added in vSphere API 8.0.0.1.
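As an added example (not code from the SDK or this page), the following Python parses an EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 log, replays it into PCR values and compares the result with the PcrBank list in EventLog.Info.banks, which is how a caller can detect a log that does not account for the reported PCR state. It assumes EventLog.Info.data has been decoded to bytes, uses a constructed three-event log as input, and does not model D-RTM or StartupLocality initial values.

```python
import hashlib
import struct

# TPM_ALG_ID -> hashlib name for the TPML_DIGEST_VALUES inside each TCG_PCR_EVENT2.
DIGEST_ALGS = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}
# HashAlgorithm enum values of this module -> TPM_ALG_ID.
BANK_ALG_IDS = {"SHA256": 0x000B, "SHA384": 0x000C, "SHA512": 0x000D}
EV_NO_ACTION = 0x00000003                     # informational events, never extended

def parse_tcg2_log(log):
    """Yield (pcr_index, event_type, {alg_id: digest}) per TCG_PCR_EVENT2 entry.
    The log is little-endian; its first entry is the SHA1-format Spec ID header
    (TCG_PCClientPCREvent), which only identifies the format and is skipped."""
    (header_size,) = struct.unpack_from("<I", log, 28)   # after pcrIndex, eventType, 20-byte digest
    off = 32 + header_size
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off += 12
        digests = {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", log, off)
            n = hashlib.new(DIGEST_ALGS[alg]).digest_size
            digests[alg] = log[off + 2:off + 2 + n]
            off += 2 + n
        (size,) = struct.unpack_from("<I", log, off)
        off += 4 + size
        yield pcr, etype, digests

def replay_bank(log, alg):
    """Replay the log into one PCR bank: PCR = H(PCR || digest), starting from zeros.
    (PCRs 17-22 start all-ones after D-RTM and StartupLocality can alter PCR 0;
    neither is handled here.) Returns {index: hex} like PcrBank.pcrs."""
    name = DIGEST_ALGS[alg]
    pcrs, zero = {}, bytes(hashlib.new(name).digest_size)
    for pcr, etype, digests in parse_tcg2_log(log):
        if etype != EV_NO_ACTION and alg in digests:
            pcrs[pcr] = hashlib.new(name, pcrs.get(pcr, zero) + digests[alg]).digest()
    return {i: d.hex() for i, d in pcrs.items()}

def find_mismatches(banks, log):
    """Compare EventLog.Info.banks (as [{'algorithm': 'SHA256', 'pcrs': {i: hex}}])
    with a local replay; a non-empty result means the log and PCRs disagree."""
    bad = {}
    for bank in banks:
        replayed = replay_bank(log, BANK_ALG_IDS[bank["algorithm"]])
        for i, reported in bank["pcrs"].items():
            if replayed.get(i) != reported.lower():
                bad[(bank["algorithm"], i)] = (reported, replayed.get(i))
    return bad

def build_sample_log():
    """Constructed crypto-agile log with three SHA256-only events (not a real host log)."""
    def ev(pcr, etype, data):
        d = struct.pack("<H", 0x000B) + hashlib.sha256(data).digest()
        return struct.pack("<III", pcr, etype, 1) + d + struct.pack("<I", len(data)) + data
    header = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), 4) + b"SPEC"  # stand-in Spec ID event
    return header + ev(0, 0x08, b"CRTM") + ev(7, 0x80000001, b"SecureBoot") + ev(0, 0x01, b"POST")
```

If EventLog.Info.truncated is true, a mismatch is expected for any PCR whose later events were dropped, so check that flag before treating a mismatch as tampering.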
- class com.vmware.vcenter.trusted_infrastructure.hosts.hardware.tpm_client.StubFactory(stub_config)
Bases: StubFactoryBase
Initialize StubFactoryBase
- Parameters:
stub_config (vmware.vapi.bindings.stub.StubConfiguration) – Stub config instance