For most features Keylime uses a Kubernetes-style enhancement process to manage larger changes and new features. For details of the enhancement process, please visit the enhancements repository.
This document tracks only major changes done to Keylime.
Status: mostly complete
The Keylime agent is being ported to Rust. This decision was made for several reasons:
- The Rust agent can be shipped as a single, statically linked binary, so it does not need to fetch dependencies at install time (important for machines without internet access or with immutable, read-only operating systems).
- Rust can be more performant and generally requires fewer resources.
- Rust provides strong memory-safety guarantees (outside of explicitly unsafe code).
For further details of development, please consult the rust-keylime repository and the Rust agent roadmap issue.
Once the Rust agent is stable, the Python agent will be removed in two stages:
- Add a deprecation warning and keep the Python agent for one major release
- Remove the Python agent from the code base with the release of 7.0.0
Some aspects of the Keylime user experience can be improved:
- Update the user documentation (keylime#1035)
- Simplify the TLS setup (keylime/enhancements#73)
- Simplify the configuration (keylime/enhancements#73)
- Remove or rework the WebUI
- Investigate integration with monitoring systems (e.g. Prometheus)
In a push model the agent periodically sends its attestation data to the verifier, instead of the verifier connecting to the agent to retrieve it, so the agent no longer has to expose a listening endpoint to the verifier.
Proposal: keylime/enhancements#60
Remove the need for "atomic quotes", add validation of the clock information carried in quotes, and validate the complete IMA log first, before validating the content of its entries.
Proposal: keylime/enhancements#59
Attestation "artifacts" (e.g. quotes, IMA logs) collected by the verifier can optionally be written to a persistent, time-series-like store, allowing a third party (e.g. an auditor) to assess the state of a given node N at a date D far in the past. This functionality will include a "transparency log" that records the association between a given EK (endorsement key) and AIK (attestation identity key), and a new command-line tool (keylime_attest) to perform "offline attestation".
Proposal: keylime/enhancements#76
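As an added example (not Keylime's code, and not the design proposed in keylime/enhancements#76), the following Python sketch shows the shape of such a store: a hash-chained, append-only log of artifacts and EK/AIK bindings, plus a replay function standing in for what an offline attestation tool would ask of it. All identifiers, function names and the sample timeline are constructed for illustration.

```python
"""Hypothetical append-only store for attestation artifacts (added example, not Keylime's code).

The verifier appends every artifact (quote, IMA log) and every EK->AIK binding to a
hash-chained log keyed by node and timestamp; an auditor later replays it to ask
"what did node N look like at time D, and which AIK was bound to its EK then?".
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class Entry:
    seq: int            # position in the log
    timestamp: int      # verifier clock, seconds since the epoch
    kind: str           # "binding" (EK -> AIK) or "artifact" (quote, IMA log, ...)
    node: str           # agent identifier
    payload: dict
    prev_hash: str      # entry_hash of the previous entry
    entry_hash: str     # SHA-256 over all fields above


def entry_digest(seq: int, timestamp: int, kind: str, node: str, payload: dict, prev_hash: str) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the digest is reproducible."""
    body = json.dumps({"seq": seq, "ts": timestamp, "kind": kind, "node": node,
                       "payload": payload, "prev": prev_hash},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


class DurableAttestationLog:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def _append(self, timestamp: int, kind: str, node: str, payload: dict) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, timestamp, kind, node, payload, prev,
                      entry_digest(seq, timestamp, kind, node, payload, prev))
        self.entries.append(entry)
        return entry

    def record_binding(self, timestamp: int, node: str, ek: str, aik: str) -> Entry:
        """Transparency-log style record: this EK vouched for this AIK at this time."""
        return self._append(timestamp, "binding", node, {"ek": ek, "aik": aik})

    def record_artifact(self, timestamp: int, node: str, kind: str, data: Any) -> Entry:
        return self._append(timestamp, "artifact", node, {"type": kind, "data": data})

    def verify_chain(self) -> bool:
        """Recompute every digest; an edited, dropped or reordered entry breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if entry_digest(e.seq, e.timestamp, e.kind, e.node, e.payload, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def state_at(self, node: str, when: int) -> dict:
        """Latest binding and latest artifact of each type for `node` at or before `when`."""
        binding: Optional[dict] = None
        artifacts: dict[str, Any] = {}
        for e in self.entries:
            if e.node != node or e.timestamp > when:
                continue
            if e.kind == "binding":
                binding = e.payload
            else:
                artifacts[e.payload["type"]] = e.payload["data"]
        return {"binding": binding, "artifacts": artifacts}


def offline_attest(log: DurableAttestationLog, node: str, when: int, expected_aik: str) -> dict:
    """Stand-in for an offline attestation tool: trust nothing if the log itself fails
    verification, then check which AIK the node's EK was bound to at `when`."""
    if not log.verify_chain():
        return {"ok": False, "reason": "log integrity check failed"}
    state = log.state_at(node, when)
    binding = state["binding"]
    if binding is None:
        return {"ok": False, "reason": "no EK/AIK binding recorded for node at that time"}
    if binding["aik"] != expected_aik:
        return {"ok": False, "reason": f"AIK bound at that time was {binding['aik']}"}
    return {"ok": True, "ek": binding["ek"], "artifacts": state["artifacts"]}


def build_sample_log() -> DurableAttestationLog:
    """Constructed timeline: node-a enrolls, attests, then re-enrolls with a new AIK."""
    log = DurableAttestationLog()
    log.record_binding(1000, "node-a", "ek-sha256:aaa", "aik-sha256:111")
    log.record_artifact(1010, "node-a", "quote", "quote-1")
    log.record_artifact(1020, "node-a", "ima_log", ["boot_aggregate", "/usr/bin/bash"])
    log.record_binding(1500, "node-b", "ek-sha256:bbb", "aik-sha256:999")
    log.record_binding(2000, "node-a", "ek-sha256:aaa", "aik-sha256:222")
    log.record_artifact(2010, "node-a", "quote", "quote-2")
    return log


def tampered_copy(log: DurableAttestationLog) -> DurableAttestationLog:
    """Simulate an after-the-fact edit of a stored IMA log; verify_chain() must catch it."""
    copy = DurableAttestationLog()
    copy.entries = list(log.entries)
    copy.entries[2] = dataclasses.replace(copy.entries[2], payload={"type": "ima_log", "data": ["boot_aggregate"]})
    return copy


if __name__ == "__main__":
    sample = build_sample_log()
    print(offline_attest(sample, "node-a", 1500, "aik-sha256:111"))
    print(offline_attest(sample, "node-a", 2500, "aik-sha256:111"))
    print("tampered log verifies:", tampered_copy(sample).verify_chain())
```

The chain only protects against silent modification after the fact; an auditor still needs the log's head hash from an independent channel (or a real transparency log with inclusion proofs) to rule out a wholesale replacement, and the timestamps are the verifier's, so their trustworthiness rests on the verifier's clock.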