Ken Goldman
@kgold2
No, you do not need PCR values. You need the two event logs, pre- and post-OS, and the quote digest.
axel simon
@axelsimon
we've gone 15 min over the planned time for the meeting, it's not necessarily an issue if everyone is fine with it
but i just want to give us the possibility to address other things, such as PRs or new issues
Luke Hinds
@lukehinds
we should let this discussion roll on
Ken Goldman
@kgold2
BTW, it's important to record the last IMA log entry processed, so the next quote can pick up from there. You don't want to process an entire 50-100K log for each attestation.
Luke Hinds
@lukehinds
it's quite key we get to the bottom of this above the other issues / prs
Charlie Munson
@jetwhiz
Ah, so you're talking about re-calculating all of the PCRs based on the full event logs?
Imran Desai
@idesai
@kgold2 @jetwhiz what instance do you quote and check the quote?
Luke Hinds
@lukehinds
thanks for bringing it up though @axelsimon :thumbsup:
axel simon
@axelsimon
right, so let's end the actual meeting now and let the conversation continue :)
Ken Goldman
@kgold2
Yes, recalculate the PCRs at each entry, recalculate the quote digest, do the match. If matching, done, else do the next entry.
That's what I implemented.
The incremental attestation is a bit messy, but I think it's needed for performance.
Amy Pattanasethanon
@amylily1011
@lukehinds what are the plans for the UI?
Ken Goldman
@kgold2
anyone is welcome to look at the code - it's all open source.
Charlie Munson
@jetwhiz
OK I understand, yeah that will be a bit more substantial change then
Luke Hinds
@lukehinds
Is there anyone who could do this work? On the rust side we can look to implement it this way from the onset. I am thinking about how do we resolve the issue in the python code?
I can't profess to fully understand this myself yet
I am wondering why we even have PCRs now
@amylily1011 , it's sort of parked for now
Amy Pattanasethanon
@amylily1011

@amylily1011 , it's sort of parked for now

okie

Charlie Munson
@jetwhiz
If we do this approach then we won't need to send/receive the PCR values
Luke Hinds
@lukehinds
so we just need to remove that part of the code? how about when we look at PCRs outside of 10?
I guess we could work this out in the issue if need be and folks have other meetings
Charlie Munson
@jetwhiz
we would need to start parsing the pre-OS event logs to calculate all of the other PCR values from scratch (in addition to the IMA logs)
Imran Desai
@idesai

we would need to start parsing the pre-OS event logs to calculate all of the other PCR values from scratch (in addition to the IMA logs)

is the goal to match a quote, whenever you took it, to match against all the PCR updates?

Ken Goldman
@kgold2
Yes, I don't see where just attesting post-OS without the pre-OS state can give any security statement.
Charlie Munson
@jetwhiz
Wouldn't you need to potentially try many different positions in both logs to see where they match against the quote (if both pre- and post-OS had their logs written to before the PCR was extended)?
Ken Goldman
@kgold2
pre-OS does not have to be from scratch each time. It's stable until a reboot, so the server remembers those PCR values, in fact remembers all previous PCR values for the incremental attestation.
The server only asks for 'what's new' unless there was a reboot.
I assume that pre-OS always comes before post-OS.
Charlie Munson
@jetwhiz
@idesai - so instead of getting PCR values from tpm2_quote, we only get the quote. then we have the Keylime agent send along pre-OS event logs (as well as IMA logs, like we do now). then we calculate all of the PCR values based on both logs
Ken Goldman
@kgold2
Yes.
Imran Desai
@idesai

@idesai - so instead of getting PCR values from tpm2_quote, we only get the quote. then we have the Keylime agent send along pre-OS event logs (as well as IMA logs, like we do now). then we calculate all of the PCR values based on both logs

The PCR output is just additional output, you can choose to ignore it.

Charlie Munson
@jetwhiz
Yeah, we'll no longer export the PCR values with tpm2_quote.
Ken Goldman
@kgold2
@idesai I don't bother reading PCRs at all. It just degrades performance and has no benefit.
Imran Desai
@idesai

@idesai I don't bother reading PCRs at all. It just degrades performance and has no benefit.

agreed and so we don't output it unless explicitly chosen with an option.

Charlie Munson
@jetwhiz
Keylime will also have to be modified to only send changes to the event logs (instead of the entire event logs)
Ken Goldman
@kgold2
@jetwhiz Yes. In my implementation, the server remembers the last event and its PCR result and tells the client to send what's new. Eventually it may converge to nothing new.
Regarding tpm2_xxxx, is that expected to be the final solution, python calling command line tools? If not, if it's just a proof of concept, it may not be worth optimizing.
Charlie Munson
@jetwhiz
Yeah eventually we need a more integrated solution for performance
Esp. in the rust implementation
Ken Goldman
@kgold2
@jetwhiz If so, perhaps it's not worth optimizing for performance.
Charlie Munson
@jetwhiz
True, especially if the pre-OS event log is short
Imran Desai
@idesai
Okay SGTM @jetwhiz please update the github issue #342 to summarize your next steps. Thank you.
Charlie Munson
@jetwhiz
ok, throwing some notes in now @idesai
Luke Hinds
@lukehinds

Gitter is no longer in use as the community chat application, please come over to : https://slack.cncf.io/ and join channel #keylime

Michael Peters
@mpeters
Just one last reminder about tomorrow's meeting at 15:30 UTC. Here is an issue for the agenda: keylime/meetings#48 feel free to add any proposed items to discuss tomorrow. That meeting (and future meetings) have been migrated to the CNCF #keylime slack channel
Santiago Torres
@SantiagoTorres
random question, is this now dead in favor of the cncf slack or ?
also, hi FFY00!
bu3alwa
@bu3alwa
yes slack is the main area
Santiago Torres
@SantiagoTorres
noted, thanks