Luke Hinds
@lukehinds
actually looking at the log, I think I see the problem
Failed to open device file /dev/tpm0: No such file or directory
It's trying to find the hardware TPM still
can you check /usr/lib/systemd/system/tpm2-abrmd.service
Make sure this line is commented out
ConditionPathExistsGlob=/dev/tpm*
if you do make a change to the systemd file above, you will need to reload it:
systemctl daemon-reload
and then restart the service systemctl restart tpm2-abrmd
hopefully then, Bob's your uncle.
Luke Hinds
@lukehinds
btw tpm_serverd is a wrapper script around tpm_server, which is the executable to start the emulator. It's a script we drop into /usr/local/bin
Santiago Torres
@SantiagoTorres
let me give this a try right now. I was in a meeting, soz
Santiago Torres
@SantiagoTorres
yeah I think it's trying to use the device node on /dev/tpm*, I didn't get a chance to make it work unfortunately (after changing the unit, reloading and re-starting)
this is the effective unit https://paste.xinu.at/3rZXY/ and this is the journalctl logs https://paste.xinu.at/Ig4eOq/
Luke Hinds
@lukehinds
did you manage to run tpm_serverd?
Santiago Torres
@SantiagoTorres
oh, that precludes the unit? my bad
oh, things seem to be working
Luke Hinds
@lukehinds
awesome!
Santiago Torres
@SantiagoTorres
great! let me re-provision from 0 and see if I can set things up and send a PR to the repo? :)
Luke Hinds
@lukehinds
sounds great, appreciate that..!
Santiago Torres
@SantiagoTorres
np! My pleasure to play around with it :)
Luke Hinds
@lukehinds
it's good fun when you get to mess with the revocation events and payloads. We can get you running with those next.
Santiago Torres
@SantiagoTorres
woop, seems to work, and I think now in master the disable line is also being commented out. I was about to send a PR :)
I also noticed there's a typo in the PR I sent yesterday. Idk when I added an s to present, and it seems the ansible provisioner caches the playbooks so it was still working on my side...
should I send a PR or will you guys fix it on your side?
Luke Hinds
@lukehinds
I got the typo from yesterday "defaults", that's fixed up now, did you spot something else? You can go ahead and make a PR if you like.
Santiago Torres
@SantiagoTorres
nope, it looks good now that I'm looking at master
Luke Hinds
@lukehinds
good to know! I have been caught out with that caching thing before, I think if you run vagrant up again it does not refresh the files up to the host again
you have to do a destroy first, it could do with a --reprovision or similar
Santiago Torres
@SantiagoTorres
aha, yeah the ansible provisioner is the best thing I've found but I wouldn't call it perfect at all :/
Luke Hinds
@lukehinds
ping @jetwhiz when you're online
bu3alwa
@bu3alwa
@lukehinds can you check #268 when you have the chance
Luke Hinds
@lukehinds
sure @bu3alwa , sorry about the delay..will really try and look this week and thanks for the work you have done so far!
Santiago Torres
@SantiagoTorres
just got myself a TPM so I could test things locally a little better. Is there any info on how to passthrough the TPM to a libvirt/virtualbox/whatever really so I can continue tinkering with keylime? would mounting the device node suffice?
Ken Goldman
@kgold2
Santiago: We did a weird hack years ago with VMWare, because we could not patch VMWare. We used a VMWare's serial port pass through, then soft linked the serial port to /dev/tpm0.
However, if it's just tinkering, I do all my attestation development with a SW TPM. It runs faster, I can debug inside it, and if I really mess up, I can simply delete the TPM state and start over.
Jorge Luis Tudela Gonzalez de Riancho
@jtudelag_gitlab
Morning ;)
I have seen this issue, keylime/keylime#140
"Validate against Fedora CoreOS"
Jorge Luis Tudela Gonzalez de Riancho
@jtudelag_gitlab
Does this include OKD/K8s as well?
Luke Hinds
@lukehinds
@jtudelag_gitlab work is underway to integrate keylime to work with k8s, likely will be admission controller, but not sure yet.
@jtudelag_gitlab that issue is to install keylime on fed coreos (with it being an rpm-ostree) we need to work out the best way to deploy on that platform
@SantiagoTorres you can edit the xml for a virtual machine and add the following:
<devices>
  <tpm model='tpm-tis'>
    <backend type='passthrough'>
      <device path='/dev/tpm0'/>
    </backend>
  </tpm>
</devices>
Ahmed Kamal
@kim0
Hello folks .. just watched Luke's youtube talk .. Interesting stuff. I had the same question asked in the video, about log files or config files, which do change a lot. How are those handled with IMA. I think Luke mentioned to take a look at immutable OSs .. Any particular OSs that work well with keylime ?
Luke Hinds
@lukehinds
Hey @kim0, at present we tend to recommend ignoring log files in the excludes.txt file. You can think of this like a .gitignore: it uses regular expressions to tell Keylime not to measure any files which match the regex.. for example /var/log/boringstuff/*
In time we expect a more automated approach around sourcing measurements. A couple of things we are looking into are SWIDs and also having a transparent log type ledger system which developers can send whitelists to. There are of course other ways users could dream up to create whitelists, so we hope the community will have some influence here.
Luke Hinds
@lukehinds
ping @jetwhiz when you're online
Charlie Munson
@jetwhiz
Hey @lukehinds !
Jonathan Beri
@beriberikix
:wave: hi everyone! I was chatting with @lukehinds over LinkedIn and decided to hop in here. I'm interested in IoT use cases and wondering if others might be too. I'm interested in Secure Elements, RATS and the like.