keylime/community

Discussions on Keylime Development

Luke Hinds

@lukehinds

actually looking at the log, I think I see the problem

Failed to open device file /dev/tpm0: No such file or directory

Its trying to find the hardware TPM still

can you check /usr/lib/systemd/system/tpm2-abrmd.service

Make sure this line is commented out

ConditionPathExistsGlob=/dev/tpm*

if you do make a change to the systemd file above, you will need to reload it:

systemctl daemon-reload

and then restart the service systemctl restart tpm2-abrmd

hopefully then, bobs your uncle.

Luke Hinds

@lukehinds

btw tpm_serverd is a wrapper script around tpm_server which is the executable to start the emulator. Its a script we drop into /usr/local/bin

Santiago Torres

@SantiagoTorres

let me give this a try right now. I wa sin a meeting soz

Santiago Torres

@SantiagoTorres

yeah I think it's trying to use the device node on /dev/tpm*, I didn't get a chance to make it work unfortunately (after changing the unit, reloading and re-starting)

this is the effective unit https://paste.xinu.at/3rZXY/ and this is the journalctl logs https://paste.xinu.at/Ig4eOq/

Luke Hinds

@lukehinds

did you manage to run tpm_serverd?

Santiago Torres

@SantiagoTorres

oh, that precludes the unit? my bad

oh, things seem to be working

Luke Hinds

@lukehinds

awesome!

Santiago Torres

@SantiagoTorres

great! let me re-provision from 0 and see if I can set things up and send a PR to the repo? :)

Luke Hinds

@lukehinds

sounds great , appreciate that.. !

Santiago Torres

@SantiagoTorres

np! My pleasure to play around with it :)

Luke Hinds

@lukehinds

its a good fun when you get to mess with the revocation events and payloads. We can get you running with those next.

Santiago Torres

@SantiagoTorres

woop, seems to work, and i think now in master the disable line is also being commented out. I was about to send a pr :)

I also noticed there's a typo in the PR I sent yesterday. Idk when I added an s to present, and it seems the ansible provisioner caches the playbooks so it was still working on my side...

should I send a PR or will you guys fix it on your side?

Luke Hinds

@lukehinds

I got the typo from yesterday "defaults", that;s fixed up now , did you spot something else? You can go ahead and make a PR if you like.

Santiago Torres

@SantiagoTorres

nope, it at looks good now that I'm looking at master

Luke Hinds

@lukehinds

good to know! I have been caught out with that caching thing before, I think if you run vagrant up again it does not refresh the files up to the host again

you have to do a destroy first, it could do with a --reprovision or similar

Santiago Torres

@SantiagoTorres

aha, yeah the ansible provisioner is the best thing i've found but I wouldn't call it perfect at all :/

Luke Hinds

@lukehinds

ping @jetwhiz when you're online

bu3alwa

@bu3alwa

@lukehinds can you check #268 when you have the chance

Luke Hinds

@lukehinds

sure @bu3alwa , sorry about the delay..will really try and look this week and thanks for the work you have done so far!

Santiago Torres

@SantiagoTorres

just got myself a TPM so I could test things locally a little better. Is there any info on how to passthrough the TPM to a libvirt/virtualbox/whatever really so I can continue tinkering with keylime? would mounting the device node suffice?

Ken Goldman

@kgold2

Santiago: We did a weird hack years ago with VMWare, because we could not patch VMWare. We used a VMWare's serial port pass through, then soft linked the serial port to /dev/tpm0.
However, if it's just tinkering, I do all my attestation development with a SW TPM. It runs faster, I can debug inside it, and if I really mess up, I can simply delete the TPM state and start over.

Jorge Luis Tudela Gonzalez de Riancho

@jtudelag_gitlab

Morning ;)

I have seen this issue,keylime/keylime#140

"Validate against Fedora CoreOS"

Jorge Luis Tudela Gonzalez de Riancho

@jtudelag_gitlab

Does this include OKD/K8s as well?

Luke Hinds

@lukehinds

@jtudelag_gitlab work is underway to integrate keylime to work with k8s, likely will be admission controller, but not sure yet.

@jtudelag_gitlab that issue is to install keylime on fed coreos (with it being an rpm-ostree) we need to work out the best way to deploy on that platform

@SantiagoTorres you can edit the xml for a virtual machine and add the following:

https://libvirt.org/formatdomain.html#elementsTpm

<devices>
  <tpm model='tpm-tis'>
    <backend type='passthrough'>
      <device path='/dev/tpm0'/>
    </backend>
  </tpm>
</devices>

Ahmed Kamal

@kim0

Hello folks .. just watched Luke's youtube talk .. Interesting stuff. I had the same question asked in the video, about log files or config files, which do change a lot. How are those handled with IMA. I think Luke mentioned to take a look at immutable OSs .. Any particular OSs that work well with keylime ?

Luke Hinds

@lukehinds

Hey @kim0 , at present we tend to recommend ignoring log files in the excludes.txt file. You can think o fthis like a .gitignore it uses regular expressions to tell Keylime not to measure any files which match the regex.. for example /var/log/boringstuff/*

In time we expect a more automated approach around sourcing measurements. A couple of things we are looking into is SWIDs and also having a transparent log type ledger system which developers can send whitelists too. There are of course others ways users could dream up to create whitelists, so we hope the community will have some influence here.

Luke Hinds

@lukehinds

ping @jetwhiz when you're online

Charlie Munson

@jetwhiz

Hey @lukehinds !

Jonathan Beri

@beriberikix

:wave: hi everyone! I was chatting with @lukehinds over LinkedIn and decided to hop in here. I'm interested in IoT use cases and wondering if others might be too. I'm interested in Secure Elements, RATS and the like.

Where communities thrive

People

Repo info

Activity