spike: check runtime attestation for COS_PERSISTENT and COS_OEM contents #2989
Labels: enhancement, triage
Kind of the same as the Keylime card, but applied to COS_PERSISTENT/COS_OEM files.
This could be done with Keylime by applying a policy that only targets files under the PERSISTENT mounts.
BUT those files will still need to be measured (no problem on persistent as it's RW).
That seems OK, though, because you could measure those files offline and generate a policy based on them (i.e. the stylus binary and such); on updates you will first need to pre-measure what you are going to deploy and then deploy it.
Anyway, the scenario for this:
uki/non-uki: doesn't matter
A node server and an attestation server. We don't care about the attestation server, but the node server is a Kairos node.
You have a binary under PERSISTENT that you use.
You want that binary to be measured continuously and compared against a known-good value on the attestation server.
If that value changes, the node should either not run it or even panic, but it should trigger something. I guess this depends on the attestation framework.
If the binary is updated with a known-good version it should continue working, so the policy should allow that.
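To make the scenario concrete, here is an added example of the verifier-side logic (not Kairos or Keylime code, and not Keylime's policy format): an allowlist that holds one or more known-good digests per path, so a pre-measured update passes while a changed or unknown file under the persistent mounts is flagged. It assumes COS_PERSISTENT is mounted at `/usr/local` and COS_OEM at `/oem`, that the agent reports `(path, sha256)` pairs, and uses constructed stand-in file contents; the path names and the `stylus` binary are illustrative.

```python
"""Added example, not Kairos/Keylime code: allowlist-based runtime check
for files under the persistent mounts, with a pre-measured update path."""
import hashlib

# Assumed mount points for COS_PERSISTENT and COS_OEM; the policy only
# targets files below these prefixes, everything else is out of scope.
IN_SCOPE_PREFIXES = ("/usr/local/", "/oem/")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def in_scope(path: str) -> bool:
    return path.startswith(IN_SCOPE_PREFIXES)


class Allowlist:
    """path -> set of known-good digests. Several digests per path are kept
    so that a pre-measured update keeps passing while the old build does too."""

    def __init__(self) -> None:
        self._digests: dict[str, set[str]] = {}

    def pre_measure(self, path: str, content: bytes) -> str:
        """Measure the artefact offline, before deploying it, and record it."""
        digest = sha256_hex(content)
        self._digests.setdefault(path, set()).add(digest)
        return digest

    def known(self, path: str) -> bool:
        return path in self._digests

    def allows(self, path: str, digest: str) -> bool:
        return digest in self._digests.get(path, set())


def verify(measurements, allowlist: Allowlist) -> dict:
    """Compare agent-reported (path, digest) pairs against the allowlist.

    Returns {"ok": bool, "violations": [(path, digest, reason), ...]}.
    Out-of-scope paths are ignored; an in-scope path with no allowlist entry
    is "unknown-file", a digest not in its entry is "digest-mismatch".
    """
    violations = []
    for path, digest in measurements:
        if not in_scope(path):
            continue
        if not allowlist.known(path):
            violations.append((path, digest, "unknown-file"))
        elif not allowlist.allows(path, digest):
            violations.append((path, digest, "digest-mismatch"))
    return {"ok": not violations, "violations": violations}


def report(files: dict[str, bytes]) -> list:
    """What the node agent would send: one (path, sha256) pair per file."""
    return [(path, sha256_hex(content)) for path, content in files.items()]


# Constructed stand-ins for the real artefacts.
STYLUS_V1 = b"#!/bin/sh\necho stylus 1.0\n"
STYLUS_V2 = b"#!/bin/sh\necho stylus 1.1\n"
STYLUS_MODIFIED = b"#!/bin/sh\necho stylus 1.0 (modified)\n"
OEM_CFG = b"#cloud-config\nhostname: node-1\n"


def build_allowlist() -> Allowlist:
    allowlist = Allowlist()
    allowlist.pre_measure("/usr/local/bin/stylus", STYLUS_V1)
    allowlist.pre_measure("/oem/90_custom.yaml", OEM_CFG)
    return allowlist


def scenario():
    """Runs the three cases from the issue: clean node, modified binary
    (plus an unknown file dropped under persistent), and a pre-measured update."""
    allowlist = build_allowlist()
    base = {
        "/usr/local/bin/stylus": STYLUS_V1,
        "/oem/90_custom.yaml": OEM_CFG,
        "/usr/bin/ls": b"not under a persistent mount, ignored",
    }
    clean = verify(report(base), allowlist)
    tampered = verify(report({**base,
                              "/usr/local/bin/stylus": STYLUS_MODIFIED,
                              "/usr/local/bin/dropped": b"never measured"}),
                      allowlist)
    # Update path: pre-measure the new build first, then deploy it.
    allowlist.pre_measure("/usr/local/bin/stylus", STYLUS_V2)
    updated = verify(report({**base, "/usr/local/bin/stylus": STYLUS_V2}),
                     allowlist)
    return clean, tampered, updated


if __name__ == "__main__":
    for name, result in zip(("clean", "tampered", "updated"), scenario()):
        print(name, result)
```

What the node does with a failed verdict (refuse to run the binary, panic, or just alert) is left to the attestation framework, as the issue says; the `verify` result only carries the verdict and the offending paths so any of those reactions can be wired to it.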
Additional context: #2981