-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add certificates and certificate checking for IDevID and IAK keys #669
Conversation
Codecov Report
Additional details and impacted files
Flags with carried forward coverage won't be shown. Click here to find out more.
|
4adfac2
to
4450bdc
Compare
Signed-off-by: Isaac Matthews <[email protected]>
ec45533
to
53c21cc
Compare
I have the registrar in the mode that it requires iak + idevid. On the registrar I now see this here when starting the agent with the first line from my debugging added:
The agent then terminates:
The relevant part from the config file is:
The two files are here:
It doesn't seem to read the files, otherwise iak_cert and idevid_cert should not be None on the registrar side. Regarding the other parameters: The better identification for the certs to use would IMO be something like |
Shouldn't these certificates be respectively in
About this, I agree that we shouldn't expect the users to know that |
They are at these locations. Sorry, didn't show full path:
|
That seems to be a bug with it not using a custom path to specify the certs, I will take a look at this
I can add a table with more detail in the various configuration files etc. For clarity though, the user does not need to match H-n to any algorithms, if a template is specified (eg. H-3) and the user leaves/incorrectly modifies the name_alg and asymmetric_alg (eg. rsa, sha256) fields they are just ignored anyway as a template is being used, so the name and asym algs specified in the template take precedence. I did mention this in the config file but I can add more info maybe just above the template field for extra clarity. |
Where does one get the certificates from today? The TCG spec doesn't define it for infrastructure support and so far there are no (publicly known) NVRAM locations, either. If there's a way to get it from multiple source, should the agent not just take the best (strongest) key it can find, so work its way from trying to use a nist-p521 down to an rsa-2048 key? |
I think currently an IDevID cert would be provided alongside a device on purchase, and would be stored in an inventory system, along with probably somewhere on the device. There is no spec for this as you said so it is up to the user at the moment to know where their certs are and point keylime at them or add them to the keylime directory. As far as I know there would not be multiple sources. When an NVRAM spec becomes available we will be able to make this much more automatic for users going forward. |
@stefanberger |
@stefanberger sorry for the spam but I have just had a thought. Could you attach the journalctl logs for the agent? Also are you using DER certs for the IAK and IDevID? PEM will not work (DER is specified by the spec but I suppose we should at least add an informative message even if that isn't the issue if not just enable using PEM IDevIDs and IAKs.) |
Signed-off-by: Isaac Matthews <[email protected]>
d484668
to
2f7880d
Compare
Signed-off-by: Isaac Matthews <[email protected]>
43bf8d0
to
f1fe817
Compare
I have added a fix for rsapss, and allowed the use of pem idevid and iak certs. Could you check if you are still getting issues after these changes? |
I have DER certs that I read from the NVRAM locations of swtpm. The problems are still the same, the registrar only gets |
Here are my two base64-encoded certs: iak.crt:
idevid.crt:
|
Signed-off-by: Isaac Matthews <[email protected]>
It works for me now. Certs need to be put into directories where the keylime user has access to, so /root/iak.crt doesn't work... |
/packit retest-failed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: Isaac Matthews <[email protected]>
a0adaed
to
e1688ba
Compare
/packit retest-failed |
This is the next set of PRs to enable the use of IDevIDs and IAKs as proposed in enhancement 81.
The previous PRs added IDevID and IAK creation, sending, storing and using to verify: keylime PR, rust-keylime PR
The modifications to the Keylime repositories are:
Keylime
Columns for IDevID and IAK certificates
Config to require IDevID and IAK
IDevID and IAK certificate checks
Tests for cert checks
Rust-Keylime
IDevID and IAK certificate config options
Loading and sending IDevID and IAK certificates from paths
In this PR the certificates must be loaded from path. In future, the ability to load from TPM nvram will need to be added.