Advisories for Golang/Github.com/Google/Go-Tpm package

2022

Improper Initialization

An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth', and then can calculate 'usageAuth ^ encMigrationAuth' as the 'migrationAuth' can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to …

2020

Improper Initialization

An improperly initialized migrationAuth' value in Google's go-tpm library can lead an eavesdropping attacker to discover the authvalue for a key created with CreateWrapKey. An attacker listening in on the channel can collect bothencUsageAuthandencMigrationAuth, and then can calculate usageAuth ^ encMigrationAuthas themigrationAuthcan be guessed for all keys created withCreateWrapKey`.