Rajat Bajpai
@rajdroid
Ok
Luke Hinds
@lukehinds
I have checked ima failure, revocation and payloads etc @jetwhiz
do you plan to test that first @jetwhiz ?
Charlie
@jetwhiz
oh, have you already confirmed that all works @lukehinds ?
Luke Hinds
@lukehinds
@jetwhiz I have, but if you want to be sure and have an env up, we could hold off merging to be double sure
@jetwhiz you're pretty good at spotting things that have gone astray, that I might have missed from having my nose close up to the work
Luke Hinds
@lukehinds
got to head off folks
bu3alwa
@bu3alwa
@lukehinds made a draft PR having some issues finishing it off since I am not familiar with all the tests. If you could look it over as well.
Luke Hinds
@lukehinds
@bu3alwa will do thanks
Luke Hinds
@lukehinds
ping @jetwhiz
bu3alwa
@bu3alwa
@lukehinds hi, can you help me understand what the cfssl component is? and are you looking for it to be as a separate module like the rest of the keylime_*
bu3alwa
@bu3alwa
also what is PCR8 and PCR10 not sure how to look this up and get more info
Luke Hinds
@lukehinds
@bu3alwa cfssl is Cloudflare SSL, we use it here:
so the idea is that the user installs cfssl go get cfssl and then Keylime starts an instance up for revocation events
the idea for the issue, is that a user might want to run cfssl on a different machine and not just have keylime start an instance. They might already have a solution in place they want to use.
so we would remove the following section:
and then these lines:
cfssl_ip = config.get('ca', 'cfssl_ip')
cfssl_port = config.get('ca', 'cfssl_port')
could point to an external server
in fact what would be nice is if we could have both :)
So keylime starts its own CFSSL instance and connects to it (exactly what we do now) and if the user chooses to, they can instead have their own existing cfssl server and point keylime to it.
Luke Hinds
@lukehinds
For something like this, it's worth sketching your ideas out in a Google Doc first. Have a summary of the change, how would you "roughly" make the change, and what areas would need updating (for example the ansible roles or installer.sh).
the following is a list of PCRs supported by the shim, this is present on most dists, so fedora / opensuse/ ubuntu / arch etc https://github.com/rhboot/shim/blob/master/README.tpm
bu3alwa
@bu3alwa
ok I will read all the information and the sourcecode and start writing a draft
Luke Hinds
@lukehinds
let me know if you want any help @bu3alwa
bu3alwa
@bu3alwa
@lukehinds Is it possible to know if the TPM is not tampered with? Or do you have to start with an assumption of TPM is safe.
Luke Hinds
@lukehinds
@bu3alwa I will try and dig something up for you to read more on this... with a TPM an RSA key pair is generated at manufacturer time, this I believe is done by feeding entropy into the chip. The private part of this key is stored within the TPM and is inaccessible to software, in fact it's only the CPU who has access, and this access is very limited and controlled. The key pair is called the 'entity key' and as said the private part is locked away, but the public counterpart is freely available. Vendors of TPMs use an intermediate certificate, which allows anyone to use the public key and gain assurance that anything coming from a TPM has been signed by only that TPM and that it is a real TPM. Note this is not possible with an emulator at present, you need a hardware TPM (as software can be exploited). That is not to say we can't use the software emulator for development and testing, it's just we do not have a 'hardware root of trust' like we do with a real TPM
@bu3alwa if you want to deep dive into TPMs, this is a good overview: https://link.springer.com/book/10.1007%2F978-1-4302-6584-9
@kgold2 wrote sections of the book and knows the standard better than anyone and is often in the channel
Charlie
@jetwhiz
hi @lukehinds , so is the issue with revocation being a string taken care of with your latest commits?
Luke Hinds
@lukehinds
it has @jetwhiz , all works well now.
it's again from sqlalchemy converting types again
I miss statically typed langs :(
Luke Hinds
@lukehinds
@jetwhiz In the whitepaper it refers to secrets being resident in an image "The tenant uses K_b to protect tenant secrets and trust relationships. The tenant can use this key to unlock either its disk image or to unlock tenant-specific configuration provided by cloud-init."
do you have any more details on that or could you enlarge upon the process of how this would work with an offline image, did you do any small proof of concepts?
bu3alwa
@bu3alwa
@lukehinds I am having trouble running python setup install in the vagrant vm under the keylime-dev folder. Any clues as to why? I keep getting permission denied on the build folder.
Luke Hinds
@lukehinds
@bu3alwa are you root? try sudo -i first
one of the things we need to do is set up a keylime user, for now we are just using root for dev / testing
bu3alwa
@bu3alwa
@lukehinds yea I am root so not sure what is up with that
Luke Hinds
@lukehinds
hmm, so you can delete the build folder..perhaps try that rm -rf build/
is that your mounted folder?
from your local machine?
bu3alwa
@bu3alwa
yea it's the mounted folder
Luke Hinds
@lukehinds
ah ok, so do the delete on your local machine
I wonder if it might be a windows > linux mount thing?
bu3alwa
@bu3alwa
@lukehinds Yea it works now. The build folders were owned by root on the local machine which is probably why vagrant couldn't delete them. Not sure why it was root to begin with
Luke Hinds
@lukehinds
@bu3alwa awesome, glad that's fixed