do you plan to test that first @jetwhiz ?
@jetwhiz you're pretty good at spotting things that have gone astray, that I might have missed from having my nose close up to the work
so the idea is that the user installs cfssl
go get cfssl and then Keylime starts an instance up for revocation events
the idea for the issue, is that a user might want to run cfssl on a different machine and not just have keylime start an instance. They might already have a solution in place they want to use.
so we would remove the following section:
and then these lines:
cfssl_ip = config.get('ca', 'cfssl_ip')
cfssl_port = config.get('ca', 'cfssl_port')
cfssl_port = config.get('ca', 'cfssl_port')
could point to an external server
in fact what would be nice is if we could have both :)
So keylime starts its own CFSSL instance and connects to it (exactly what we do now) and if the user chooses to, they can instead have their own existing cfssl server and point keylime to it.
the following is a list of PCRs supported by the shim, this is present on most dists, so fedora / opensuse/ ubuntu / arch etc https://github.com/rhboot/shim/blob/master/README.tpm
@bu3alwa I will try and dig something up for you to read more on this...with a TPM an RSA key pair is generated at manufacturer time, this I believe is done by feeding entropy into the chip. The private part of this key is stored within the TPM and is inaccessible to software, in facts its only the CPU who has access, and this access is very limited and controlled. The key pair is called the 'entity key' and as said the private part is locked away, but the public counterpart is freely available. Vendors of TPMs use an intermediate certicate, which allows anyone to use the public key and gain assurance that anything coming from a TPM has been signed by only that TPM and that it is a real TPM. Note this is not possible with an emulator as present, you need a hardware TPM (as software can be exploited). That is not to say we can't use the software emulator for development and testing, its just we do not have a 'hardware root of trust' like we do with a real TPM
@bu3alwa if you want to deep dive into TPMs, this is good overview : https://link.springer.com/book/10.1007%2F978-1-4302-6584-9
@kgold2 wrote sections of the book and knows the standard better than anyone and is often in the channel
its again from sqlaclemy converting types again
I miss statically typed langs :(
do you have any more details on that or could you enlarge upon the process of how this would work with an offline image, did you do any small proof of concepts?
one of the things we need to do is set up a keylime user, for now we are just using root for dev / testing
is that your mounted folder?
from your local machine?
I wonder if it might be a windows > linux mount thing?