Luke Hinds
@lukehinds
export TPM2TOOLS_TCTI="tabrmd:bus_name=com.intel.tss2.Tabrmd"
tpm_serverd
systemctl start tpm2-abrmd
tpm2_pcrread
sorry about all this by the way, happy to fix anything that has been causing grief
actually looking at the log, I think I see the problem
Failed to open device file /dev/tpm0: No such file or directory
It's trying to find the hardware TPM still
can you check /usr/lib/systemd/system/tpm2-abrmd.service
Make sure this line is commented out
ConditionPathExistsGlob=/dev/tpm*
Luke Hinds
@lukehinds
if you do make a change to the systemd file above, you will need to reload it:
systemctl daemon-reload
and then restart the service: systemctl restart tpm2-abrmd
hopefully then, Bob's your uncle.
btw tpm_serverd is a wrapper script around tpm_server, which is the executable to start the emulator. It's a script we drop into /usr/local/bin
Santiago Torres
@SantiagoTorres
let me give this a try right now. I was in a meeting, soz
Santiago Torres
@SantiagoTorres
yeah I think it's trying to use the device node on /dev/tpm*, I didn't get a chance to make it work unfortunately (after changing the unit, reloading and re-starting)
this is the effective unit https://paste.xinu.at/3rZXY/ and this is the journalctl logs https://paste.xinu.at/Ig4eOq/
Luke Hinds
@lukehinds
did you manage to run tpm_serverd?
Santiago Torres
@SantiagoTorres
oh, that precludes the unit? my bad
oh, things seem to be working
Luke Hinds
@lukehinds
awesome!
Santiago Torres
@SantiagoTorres
great! let me re-provision from 0 and see if I can set things up and send a PR to the repo? :)
Luke Hinds
@lukehinds
sounds great , appreciate that.. !
Santiago Torres
@SantiagoTorres
np! My pleasure to play around with it :)
Luke Hinds
@lukehinds
it's good fun when you get to mess with the revocation events and payloads. We can get you running with those next.
Santiago Torres
@SantiagoTorres
woop, seems to work, and i think now in master the disable line is also being commented out. I was about to send a pr :)
I also noticed there's a typo in the PR I sent yesterday. Idk when I added an s to present, and it seems the ansible provisioner caches the playbooks so it was still working on my side...
should I send a PR or will you guys fix it on your side?
Luke Hinds
@lukehinds
I got the typo from yesterday "defaults", that's fixed up now, did you spot something else? You can go ahead and make a PR if you like.
Santiago Torres
@SantiagoTorres
nope, it looks good now that I'm looking at master
Luke Hinds
@lukehinds
good to know! I have been caught out with that caching thing before, I think if you run vagrant up again it does not refresh the files up to the host again
you have to do a destroy first, it could do with a --reprovision or similar
Santiago Torres
@SantiagoTorres
aha, yeah the ansible provisioner is the best thing i've found but I wouldn't call it perfect at all :/
Luke Hinds
@lukehinds
ping @jetwhiz when you're online
bu3alwa
@bu3alwa
@lukehinds can you check #268 when you have the chance
Luke Hinds
@lukehinds
sure @bu3alwa, sorry about the delay. Will really try and look this week, and thanks for the work you have done so far!
Santiago Torres
@SantiagoTorres
just got myself a TPM so I could test things locally a little better. Is there any info on how to passthrough the TPM to a libvirt/virtualbox/whatever really so I can continue tinkering with keylime? would mounting the device node suffice?
Ken Goldman
@kgold2
Santiago: We did a weird hack years ago with VMware, because we could not patch VMware. We used VMware's serial port pass-through, then soft-linked the serial port to /dev/tpm0.
However, if it's just tinkering, I do all my attestation development with a SW TPM. It runs faster, I can debug inside it, and if I really mess up, I can simply delete the TPM state and start over.
Jorge Luis Tudela Gonzalez de Riancho
@jtudelag_gitlab
Morning ;)
I have seen this issue, keylime/keylime#140
"Validate against Fedora CoreOS"
Jorge Luis Tudela Gonzalez de Riancho
@jtudelag_gitlab
Does this include OKD/K8s as well?
Luke Hinds
@lukehinds
@jtudelag_gitlab work is underway to integrate keylime to work with k8s, likely it will be an admission controller, but not sure yet.
@jtudelag_gitlab that issue is to install keylime on Fedora CoreOS (with it being rpm-ostree based); we need to work out the best way to deploy on that platform
@SantiagoTorres you can edit the xml for a virtual machine and add the following:
<devices>
  <tpm model='tpm-tis'>
    <backend type='passthrough'>
      <device path='/dev/tpm0'/>
    </backend>
  </tpm>
</devices>
Ahmed Kamal
@kim0
Hello folks .. just watched Luke's YouTube talk .. Interesting stuff. I had the same question asked in the video, about log files or config files, which do change a lot. How are those handled with IMA? I think Luke mentioned to take a look at immutable OSs .. Any particular OSs that work well with keylime?