Add Nix flake for mciasctl and mciasgrpcctl

Vendor dependencies and expose control program binaries via
nix build. Uses nixpkgs-unstable for Go 1.26 support.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vendor/github.com/google/go-tpm/tpm2/templates.go

@@ -0,0 +1,200 @@
+package tpm2
+
+var (
+	// RSASRKTemplate contains the TCG reference RSA-2048 SRK template.
+	// https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
+	RSASRKTemplate = TPMTPublic{
+		Type:    TPMAlgRSA,
+		NameAlg: TPMAlgSHA256,
+		ObjectAttributes: TPMAObject{
+			FixedTPM:             true,
+			STClear:              false,
+			FixedParent:          true,
+			SensitiveDataOrigin:  true,
+			UserWithAuth:         true,
+			AdminWithPolicy:      false,
+			NoDA:                 true,
+			EncryptedDuplication: false,
+			Restricted:           true,
+			Decrypt:              true,
+			SignEncrypt:          false,
+		},
+		Parameters: NewTPMUPublicParms(
+			TPMAlgRSA,
+			&TPMSRSAParms{
+				Symmetric: TPMTSymDefObject{
+					Algorithm: TPMAlgAES,
+					KeyBits: NewTPMUSymKeyBits(
+						TPMAlgAES,
+						TPMKeyBits(128),
+					),
+					Mode: NewTPMUSymMode(
+						TPMAlgAES,
+						TPMAlgCFB,
+					),
+				},
+				KeyBits: 2048,
+			},
+		),
+		Unique: NewTPMUPublicID(
+			TPMAlgRSA,
+			&TPM2BPublicKeyRSA{
+				Buffer: make([]byte, 256),
+			},
+		),
+	}
+	// RSAEKTemplate contains the TCG reference RSA-2048 EK template.
+	RSAEKTemplate = TPMTPublic{
+		Type:    TPMAlgRSA,
+		NameAlg: TPMAlgSHA256,
+		ObjectAttributes: TPMAObject{
+			FixedTPM:             true,
+			STClear:              false,
+			FixedParent:          true,
+			SensitiveDataOrigin:  true,
+			UserWithAuth:         false,
+			AdminWithPolicy:      true,
+			NoDA:                 false,
+			EncryptedDuplication: false,
+			Restricted:           true,
+			Decrypt:              true,
+			SignEncrypt:          false,
+		},
+		AuthPolicy: TPM2BDigest{
+			Buffer: []byte{
+				// TPM2_PolicySecret(RH_ENDORSEMENT)
+				0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xB3, 0xF8,
+				0x1A, 0x90, 0xCC, 0x8D, 0x46, 0xA5, 0xD7, 0x24,
+				0xFD, 0x52, 0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
+				0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14, 0x69, 0xAA,
+			},
+		},
+		Parameters: NewTPMUPublicParms(
+			TPMAlgRSA,
+			&TPMSRSAParms{
+				Symmetric: TPMTSymDefObject{
+					Algorithm: TPMAlgAES,
+					KeyBits: NewTPMUSymKeyBits(
+						TPMAlgAES,
+						TPMKeyBits(128),
+					),
+					Mode: NewTPMUSymMode(
+						TPMAlgAES,
+						TPMAlgCFB,
+					),
+				},
+				KeyBits: 2048,
+			},
+		),
+		Unique: NewTPMUPublicID(
+			TPMAlgRSA,
+			&TPM2BPublicKeyRSA{
+				Buffer: make([]byte, 256),
+			},
+		),
+	}
+
+	// ECCSRKTemplate contains the TCG reference ECC-P256 SRK template.
+	// https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
+	ECCSRKTemplate = TPMTPublic{
+		Type:    TPMAlgECC,
+		NameAlg: TPMAlgSHA256,
+		ObjectAttributes: TPMAObject{
+			FixedTPM:             true,
+			STClear:              false,
+			FixedParent:          true,
+			SensitiveDataOrigin:  true,
+			UserWithAuth:         true,
+			AdminWithPolicy:      false,
+			NoDA:                 true,
+			EncryptedDuplication: false,
+			Restricted:           true,
+			Decrypt:              true,
+			SignEncrypt:          false,
+		},
+		Parameters: NewTPMUPublicParms(
+			TPMAlgECC,
+			&TPMSECCParms{
+				Symmetric: TPMTSymDefObject{
+					Algorithm: TPMAlgAES,
+					KeyBits: NewTPMUSymKeyBits(
+						TPMAlgAES,
+						TPMKeyBits(128),
+					),
+					Mode: NewTPMUSymMode(
+						TPMAlgAES,
+						TPMAlgCFB,
+					),
+				},
+				CurveID: TPMECCNistP256,
+			},
+		),
+		Unique: NewTPMUPublicID(
+			TPMAlgECC,
+			&TPMSECCPoint{
+				X: TPM2BECCParameter{
+					Buffer: make([]byte, 32),
+				},
+				Y: TPM2BECCParameter{
+					Buffer: make([]byte, 32),
+				},
+			},
+		),
+	}
+
+	// ECCEKTemplate contains the TCG reference ECC-P256 EK template.
+	ECCEKTemplate = TPMTPublic{
+		Type:    TPMAlgECC,
+		NameAlg: TPMAlgSHA256,
+		ObjectAttributes: TPMAObject{
+			FixedTPM:             true,
+			STClear:              false,
+			FixedParent:          true,
+			SensitiveDataOrigin:  true,
+			UserWithAuth:         false,
+			AdminWithPolicy:      true,
+			NoDA:                 false,
+			EncryptedDuplication: false,
+			Restricted:           true,
+			Decrypt:              true,
+			SignEncrypt:          false,
+		},
+		AuthPolicy: TPM2BDigest{
+			Buffer: []byte{
+				// TPM2_PolicySecret(RH_ENDORSEMENT)
+				0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xB3, 0xF8,
+				0x1A, 0x90, 0xCC, 0x8D, 0x46, 0xA5, 0xD7, 0x24,
+				0xFD, 0x52, 0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
+				0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14, 0x69, 0xAA,
+			},
+		},
+		Parameters: NewTPMUPublicParms(
+			TPMAlgECC,
+			&TPMSECCParms{
+				Symmetric: TPMTSymDefObject{
+					Algorithm: TPMAlgAES,
+					KeyBits: NewTPMUSymKeyBits(
+						TPMAlgAES,
+						TPMKeyBits(128),
+					),
+					Mode: NewTPMUSymMode(
+						TPMAlgAES,
+						TPMAlgCFB,
+					),
+				},
+				CurveID: TPMECCNistP256,
+			},
+		),
+		Unique: NewTPMUPublicID(
+			TPMAlgECC,
+			&TPMSECCPoint{
+				X: TPM2BECCParameter{
+					Buffer: make([]byte, 32),
+				},
+				Y: TPM2BECCParameter{
+					Buffer: make([]byte, 32),
+				},
+			},
+		),
+	}
+)