Conversation

@ueno
Contributor

@ueno ueno commented Jul 14, 2022

Previously it always generated a new EK handle even if the "ek_handle"
option is set to use the existing key.

Signed-off-by: Daiki Ueno <dueno@redhat.com>

@kkaarreell
Contributor

Test log says: Error: NumParse(ParseIntError { kind: InvalidDigit })

@ueno ueno force-pushed the wip/dueno/ek-config branch 2 times, most recently from f6b0fe8 to 0bbf0b0 Compare July 14, 2022 13:51
@ueno ueno marked this pull request as draft July 14, 2022 22:26
@ueno ueno force-pushed the wip/dueno/ek-config branch 2 times, most recently from 0f76785 to af5e64d Compare July 21, 2022 06:09
@ueno ueno marked this pull request as ready for review July 21, 2022 06:11
@ueno ueno force-pushed the wip/dueno/ek-config branch from af5e64d to 0fac890 Compare July 21, 2022 07:15
@lkatalin
Contributor

@ueno I see some TPM password and owner auth related code - we're not trying to take ownership of the TPM here, right?

@ueno ueno force-pushed the wip/dueno/ek-config branch 2 times, most recently from 149a209 to fbd3a62 Compare July 22, 2022 02:09
@ueno
Contributor Author

ueno commented Jul 22, 2022

> @ueno I see some TPM password and owner auth related code - we're not trying to take ownership of the TPM here, right?

Yeah, the password seems to be needed to access a pre-existing EK. For the general decision about ownership, I've filed #429 to make it clear.

@lkatalin
Contributor

Thanks @ueno. The password seems okay to access the EK as long as the agent doesn't take ownership of the TPM.

This adds support for the "ek_handle" option in the cloud_agent
configuration, which previously was not checked and a new EK was
always generated.  This also adds partial support for
"tpm_ownerpassword" for the use with "ek_handle".

Signed-off-by: Daiki Ueno <dueno@redhat.com>
@ansasaki ansasaki force-pushed the wip/dueno/ek-config branch from fbd3a62 to badaf2b Compare July 22, 2022 15:56
Contributor

@ansasaki ansasaki left a comment

LGTM!

@ansasaki ansasaki merged commit 85ab944 into keylime:master Jul 25, 2022
@kkaarreell
Contributor

Hi @ueno @ansasaki @lkatalin
I think we should also add and document tpm_ownerpassword to keylime.conf (resp. keylime-agent.conf).

kkaarreell added a commit to kkaarreell/rust-keylime that referenced this pull request Jul 26, 2022
The option has been introduced in
keylime#426
but keylime.conf has not been updated with it.

Signed-off-by: Karel Srot <ksrot@redhat.com>
@lkatalin
Contributor

@kkaarreell I opened #433

lkatalin pushed a commit that referenced this pull request Sep 16, 2022
The option has been introduced in
#426
but keylime.conf has not been updated with it.

Signed-off-by: Karel Srot <ksrot@redhat.com>