From 5cb243bc48662e7f7202663ea16a35bce2a38f12 Mon Sep 17 00:00:00 2001
From: Thore Sommer
Date: Thu, 26 Aug 2021 21:37:38 +0200
Subject: [PATCH] agent: ensure that EK is in PEM format when used as uuid

The keylime.conf states that when hash_ek is used the uuid is the EK public key in PEM format hashed with sha256. This was not the case instead the internal tss format base64 encoded was hashed. Now if the TPM has an EK certificate the uuid can be easily derived with: tpm2_nvread 0x1c00002 | openssl x509 -inform DER -pubkey -noout | sha256sum

Signed-off-by: Thore Sommer
---
 keylime/keylime_agent.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/keylime/keylime_agent.py b/keylime/keylime_agent.py
index 37bade9f1..22a95157b 100644
--- a/keylime/keylime_agent.py
+++ b/keylime/keylime_agent.py
@@ -27,6 +27,8 @@ import simplejson as json
+from cryptography.hazmat.primitives import serialization
+
 from keylime import config
 from keylime import keylime_logging
 from keylime import cmd_exec
@@ -39,6 +41,7 @@ from keylime import api_version as keylime_api_version
 from keylime.tpm.tpm_main import tpm
 from keylime.tpm.tpm_abstract import TPM_Utilities
+from keylime.tpm.tpm2_objects import pubkey_from_tpm2b_public
 # Configure logger
 logger = keylime_logging.init_logging('cloudagent')
@@ -527,7 +530,10 @@ def main():
     if agent_uuid == 'openstack':
         agent_uuid = openstack.get_openstack_uuid()
     elif agent_uuid == 'hash_ek':
-        agent_uuid = hashlib.sha256(ek_tpm).hexdigest()
+        ek_pubkey = pubkey_from_tpm2b_public(base64.b64decode(ek_tpm))
+        ek_pubkey_pem = ek_pubkey.public_bytes(encoding=serialization.Encoding.PEM,
+                                               format=serialization.PublicFormat.SubjectPublicKeyInfo)
+        agent_uuid = hashlib.sha256(ek_pubkey_pem).hexdigest()
     elif agent_uuid == 'generate' or agent_uuid is None:
         agent_uuid = str(uuid.uuid4())
     elif agent_uuid == 'dmidecode':
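Review bot: Moving the sha256 input from the base64 TPM2B_PUBLIC blob to the SPKI PEM silently re-identifies every agent already deployed with `agent_uuid = hash_ek`: after upgrading, such an agent registers under a different UUID and any registrar/verifier state keyed on the old one is orphaned, which neither the `hash_ek` branch nor the commit message calls out. A changelog/upgrade note is warranted, and a log line would let operators see the derived value, e.g. `logger.info("Agent UUID derived from EK public key (sha256 of PEM SPKI): %s", agent_uuid)`. Separately, `base64.b64decode` and `pubkey_from_tpm2b_public` can presumably raise on a malformed or empty `ek_tpm` (assigned earlier, outside this hunk); failing at startup is the right outcome, but catching those, logging which step failed, and re-raising would make the failure diagnosable rather than a bare traceback. `main()` starts and ends outside the hunk.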