Luke Hinds
@lukehinds
if you do make a change to the systemd file above, you will need to reload it:
systemctl daemon-reload
and then restart the service systemctl restart tpm2-abrmd
hopefully then, Bob's your uncle.
btw tpm_serverd is a wrapper script around tpm_server which is the executable to start the emulator. It's a script we drop into /usr/local/bin
Santiago Torres
@SantiagoTorres
let me give this a try right now. I was in a meeting soz
Santiago Torres
@SantiagoTorres
yeah I think it's trying to use the device node on /dev/tpm*, I didn't get a chance to make it work unfortunately (after changing the unit, reloading and re-starting)
this is the effective unit https://paste.xinu.at/3rZXY/ and this is the journalctl logs https://paste.xinu.at/Ig4eOq/
Luke Hinds
@lukehinds
did you manage to run tpm_serverd?
Santiago Torres
@SantiagoTorres
oh, that precludes the unit? my bad
oh, things seem to be working
Luke Hinds
@lukehinds
awesome!
Santiago Torres
@SantiagoTorres
great! let me re-provision from 0 and see if I can set things up and send a PR to the repo? :)
Luke Hinds
@lukehinds
sounds great, appreciate that..!
Santiago Torres
@SantiagoTorres
np! My pleasure to play around with it :)
Luke Hinds
@lukehinds
it's good fun when you get to mess with the revocation events and payloads. We can get you running with those next.
Santiago Torres
@SantiagoTorres
woop, seems to work, and I think now in master the disable line is also being commented out. I was about to send a PR :)
I also noticed there's a typo in the PR I sent yesterday. Idk when I added an s to present, and it seems the ansible provisioner caches the playbooks so it was still working on my side...
should I send a PR or will you guys fix it on your side?
Luke Hinds
@lukehinds
I got the typo from yesterday "defaults", that's fixed up now, did you spot something else? You can go ahead and make a PR if you like.
Santiago Torres
@SantiagoTorres
nope, it looks good now that I'm looking at master
Luke Hinds
@lukehinds
good to know! I have been caught out with that caching thing before, I think if you run vagrant up again it does not refresh the files up to the host again
you have to do a destroy first, it could do with a --reprovision or similar
Santiago Torres
@SantiagoTorres
aha, yeah the ansible provisioner is the best thing I've found but I wouldn't call it perfect at all :/
Luke Hinds
@lukehinds
ping @jetwhiz when you're online
bu3alwa
@bu3alwa
@lukehinds can you check #268 when you have the chance
Luke Hinds
@lukehinds
sure @bu3alwa, sorry about the delay.. will really try and look this week and thanks for the work you have done so far!
Santiago Torres
@SantiagoTorres
just got myself a TPM so I could test things locally a little better. Is there any info on how to passthrough the TPM to a libvirt/virtualbox/whatever really so I can continue tinkering with keylime? would mounting the device node suffice?
Ken Goldman
@kgold2
Santiago: We did a weird hack years ago with VMWare, because we could not patch VMWare. We used a VMWare's serial port pass through, then soft linked the serial port to /dev/tpm0.
However, if it's just tinkering, I do all my attestation development with a SW TPM. It runs faster, I can debug inside it, and if I really mess up, I can simply delete the TPM state and start over.
Jorge Luis Tudela Gonzalez de Riancho
@jtudelag_gitlab
Morning ;)
I have seen this issue, keylime/keylime#140
"Validate against Fedora CoreOS"
Jorge Luis Tudela Gonzalez de Riancho
@jtudelag_gitlab
Does this include OKD/K8s as well?
Luke Hinds
@lukehinds
@jtudelag_gitlab work is underway to integrate keylime to work with k8s, likely will be admission controller, but not sure yet.
@jtudelag_gitlab that issue is to install keylime on fed coreos (with it being an rpm-ostree) we need to work out the best way to deploy on that platform
@SantiagoTorres you can edit the xml for a virtual machine and add the following:
<devices>
  <tpm model='tpm-tis'>
    <backend type='passthrough'>
      <device path='/dev/tpm0'/>
    </backend>
  </tpm>
</devices>
Ahmed Kamal
@kim0
Hello folks .. just watched Luke's youtube talk .. Interesting stuff. I had the same question asked in the video, about log files or config files, which do change a lot. How are those handled with IMA? I think Luke mentioned to take a look at immutable OSs .. Any particular OSs that work well with keylime?
Luke Hinds
@lukehinds
Hey @kim0, at present we tend to recommend ignoring log files in the excludes.txt file. You can think of this like a .gitignore: it uses regular expressions to tell Keylime not to measure any files which match the regex.. for example /var/log/boringstuff/*
In time we expect a more automated approach around sourcing measurements. A couple of things we are looking into are SWIDs and also having a transparent log type ledger system which developers can send whitelists to. There are of course other ways users could dream up to create whitelists, so we hope the community will have some influence here.
Luke Hinds
@lukehinds
ping @jetwhiz when you're online
Charlie Munson
@jetwhiz
Hey @lukehinds !
Jonathan Beri
@beriberikix
:wave: hi everyone! I was chatting with @lukehinds over LinkedIn and decided to hop in here. I'm interested in IoT use cases and wondering if others might be too. I'm interested in Secure Elements, RATS and the like.
Maurizio Drocco
@droccom
Hi folks! As someone might know, I am working at issue #341 [keylime/keylime#341]. Can someone give me some help understanding how the process_measurement_list function [https://github.com/keylime/keylime/blob/7fc63fdaef67a09a79ff37e82b0de9e601c483f0/keylime/ima.py#L117] works? What is confusing me is that the hash accumulation always starts from "zero" [https://github.com/keylime/keylime/blob/7fc63fdaef67a09a79ff37e82b0de9e601c483f0/keylime/ima.py#L119] but the final value [https://github.com/keylime/keylime/blob/7fc63fdaef67a09a79ff37e82b0de9e601c483f0/keylime/ima.py#L238] is compared against the "current" PCR value obtained from the agent [https://github.com/keylime/keylime/blob/7fc63fdaef67a09a79ff37e82b0de9e601c483f0/keylime/tpm/tpm_abstract.py#L340], which in my understanding is the "grand sum" from the beginning of IMA history. I feel I am missing something basic here, but cannot figure out what, so any hint would be helpful. Thanks!
Luke Hinds
@lukehinds
hey @droccom , I dropped @jetwhiz an email and he should be online (he might be on leave). He wrote the original IMA code and will have some idea behind the zero starting approach
Maurizio Drocco
@droccom
Great, thanks @lukehinds!
Ken Goldman
@kgold2
@droccom The IMA PCR (PCR 10) starts at zero when the TPM comes out of reset. As files are measured, (1) the entry is added to the IMA log, and (2) a hash is extended to PCR 10. During a quote verification, the log is replayed, PCR 10 is recalculated, and the verification stops when there is a match (success) or the log ends (failure).
I have open source sample code for all this if you need it.
Call me if that's easier than typing.