Luke Hinds
@lukehinds
ok, so I think we are done for this week! thanks @/all
@nabilschear pm'ed you
Amy Pattanasethanon
@amylily1011
thank you @lukehinds @nabilschear
o/
Luke Hinds
@lukehinds
thanks @amylily1011
chrohm
@chrohm

Hi all! I'm new to keylime and am trying to get the system set up and play with it a bit locally.

I noticed that the README on GitHub (keylime/keylime@bd2b3ac) has links to slides such as the architecture one. Do y'all have links to the talks associated with those slides? I've found Andrew Toth's talk from the Embedded Linux Conference this year but not much else - YouTube is mostly throwing baking videos at me.

Luke Hinds
@lukehinds
hi @chrohm, welcome to the community, here are my recent slides on Keylime from the security summit: https://docs.google.com/presentation/d/1OL6XMJPu4ejf3Xxrq5IFmAjXIPwxEpLtveWvj81C5xI/edit?usp=sharing
let us know if you hit any issues getting keylime running and we will try to support you
Andrew Toth
@atothRedHat
@lukehinds, did you see the question from @galmasi above on Nov 20 (just before the last meeting)?
Luke Hinds
@lukehinds
@atothRedHat I missed that @galmasi check out our docker files for dealing with dbus:
@galmasi this might be useful to you as well https://keylime.dev/blog/2019/04/01/handy-docker-environment.html
@galmasi last of all, any help you need, hit me up by tagging me @lukehinds and I will take a look as soon as I see the notification! welcome to the Keylime community.
Nabil Schear
@nabilschear
@chrohm sadly some of the earlier talks weren't recorded.
galmasi
@galmasi

@lukehinds for now I simply deployed abrmd and keylime as systemd, so worked around the problem. My next problems are with endorsement keys and swtpm, which means I have an RTFM problem - not going to bother you with it.

However, when I turn off "EK required" flags in keylime --- quotes don't fail even if the PCRs don't match - that gives me a bit of pause, should I expect that to happen? That said, this could easily be some setup screwup.

Lastly, keylime_tenant -c list usually throws up Python errors. The usual complaint is about response_json['results'] not having the key 'operational_state'. This, again, may be because of misconfigured keylime, but IMHO should not result in the software throwing an exception. I haven't checked your existing list of issues whether anyone else has flagged this, though.

Luke Hinds
@lukehinds
@galmasi have you set require_ek = False in Keylime.conf?
for the second one, you might have found a bug, are you OK to raise a github issue on that?
in regards to quotes not matching, are you setting PCR values with --tpm-policy passed to the keylime_tenant CLI or within keylime.conf?
Charlie
@jetwhiz
@galmasi yep that's a bug. it should be fixed with PR keylime/keylime#215 @lukehinds
Luke Hinds
@lukehinds
@jetwhiz @nabilschear - could you take a look at this when you have a moment: https://github.com/keylime/keylime/pull/212#issuecomment-559058716
Luke Hinds
@lukehinds
ping @/all
anyone around today?
Amy Pattanasethanon
@amylily1011
looks quiet today hehehe. Sorry, I was packing and forgot there was a meeting today :(
Luke Hinds
@lukehinds
ping @jetwhiz
Amy Pattanasethanon
@amylily1011
Hello....
Andrew Toth
@atothRedHat
o/
Amy Pattanasethanon
@amylily1011
yayyy haven't seen you for a while @atothRedHat :-)
Andrew Toth
@atothRedHat
traveling and vacation for the past couple weeks :-)
Amy Pattanasethanon
@amylily1011
do we have a meeting today?
Andrew Toth
@atothRedHat
I figured we would but you're seeing what I am :-)
Luke Hinds
@lukehinds
hi @amylily1011 / @atothRedHat, a very loose meeting. I am firefighting an issue around ekcert encoding. Was hoping @jetwhiz would be around, but thinking he might be on leave
Amy Pattanasethanon
@amylily1011
okie
axel simon
@axelsimon
hi everyone!
sorry, haven't been around much lately
I was moving last week :)
Andrew Toth
@atothRedHat
@axelsimon long distance move?
axel simon
@axelsimon
Not exactly (well, depends on your standards I suppose), but international ;)
Andrew Toth
@atothRedHat
long enough (even if just over from one side of the line to the other :-] )
axel simon
@axelsimon
and a bit of water, but yes!
Dan Brimer
@DBrime_twitter
Hello Everyone, I'm new to this group. I'm working on a large cloud project and was wondering if I could use this forum to ask some questions about vTPM.
Here goes: Can keylime be installed and run a vTPM on top of KVM in an orchestrated cloud environment (cloud stack)?
axel simon
@axelsimon
hi @DBrime_twitter and welcome!
you might have to wait a bit to get an answer, if only because @lukehinds is in a timezone where it's not work time right now :)
but you are very much in the right place otherwise!
Dan Brimer
@DBrime_twitter
ok great, thanks!
Luke Hinds
@lukehinds
@DBrime_twitter, welcome to the community. At present keylime can work with a vTPM, but with a vTPM you don't have a hardware root of trust (as it stores keys within the virtual machine's memory, which can be accessed by the host). However we are undertaking some work to support 'marrying' the cryptographic hierarchy of the vTPM to the host's HW TPM, so many vTPMs can have a hardware root of trust. We are hoping this will be ready for Q2 next year.
@DBrime_twitter however we do right now support Trust status of a bare metal machine, so you could rent servers from a data centre and ensure they are not tampered with, before you choose to run your Virtual Machine on the measured host.
@DBrime_twitter We are a young project though, so we need to sew these pieces together and have folks test, run and try out deployment scenarios. If you have some spare cycles to work with us, that would be well appreciated. You get to help shape what is an exciting piece of technology.
chrohm
@chrohm
Hi I'm back! @lukehinds , thanks for the slides before - also I found the corresponding talk here if you want to keep that info with your slides
https://www.youtube.com/watch?v=YtPsruEqGeY