Skip to content

Implement AKManager #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 35 commits into
base: main
Choose a base branch
from
Draft

Implement AKManager #7

wants to merge 35 commits into from

Conversation

jimmykarily
Copy link
Contributor

@jimmykarily jimmykarily mentioned this pull request Sep 16, 2025
Open
@jimmykarily jimmykarily moved this to In Progress 🏃 in 🧙Issue tracking board Sep 16, 2025
@jimmykarily jimmykarily self-assigned this Sep 16, 2025
@jimmykarily jimmykarily force-pushed the 2988-remote-attestation branch from 922d118 to 1586402 Compare September 16, 2025 13:27
@jimmykarily
Implement AKManager
ecde469 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Move "magic" policy into a constant with links to docs
e2f215b 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Improve tests and bump ginkgo
500827c 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Revert exporting getTPMDevice
da1c9fc 
since we implemented the getRawTPM which takes a different struct as
input and nobody needs to call getTPMDevice outside this package.

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Fix the flow and document it
2dbf0b0 
Every request that is prone to replay attacks, should include a nonce.
We now send the nonce only on the "proof" request along with the proof
data.

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Don't change existing struct to maintain backwards compatibility
de0e2ba 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily jimmykarily force-pushed the 2988-remote-attestation branch from 10dfc4d to de0e2ba Compare September 17, 2025 11:16
@jimmykarily
Fix linter errors
aee7d5b 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Send only the AK public key instead of the whole AttestationParameters
0cbc898 
which is what the legacy getAttestationData() method was doing, which is
enough (the server only needs the public key not the whole parameters
struct)

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Fix indentation
da27a1c 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Adhere to the websockets flow
08bcc4f 
where no nonce is needed. Also use the full attestation parameters as
there are more fields reuquired to produce the challenge response

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily jimmykarily force-pushed the 2988-remote-attestation branch from a00e87c to 08bcc4f Compare September 19, 2025 11:17
@jimmykarily
Remove deprecated methods and debug output
9c19aea 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Explain corrupted file handling
b5e0510 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Bump tpm dependencies
b38e6f4 
so that we can choose which PCR to include in the tpm Quote in the
kcrypt-challenger repo. The old version included all PCRs and didn't let
us choose while now we can:

https://github.com/google/go-attestation/blob/4f3c3b0fe5706286182530cd798be833ad0c4a74/attest/tpm.go#L325

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Generate tpm quote for arbitrary PCRs
cc5c278 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Fix tests
02ca1a6 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Avoid unecessary indirection and redundant method
9638776 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Consolidate redundant struct and make them unexported
a8d3a3c 
since they are internal implementation

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Remove unused function
42a558e 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Add more tests and remove redundant field
19ab176 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Remove empty block and improve test
22483db 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Remove dead code an move remaining to a better place
f3736b4 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Remove debug output and improve tests
d2b4ac5 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Fix linter errors
ef277db 
Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Remove non-needed ppa
bfa255f 
because swtpm is in the official repos:

https://launchpad.net/ubuntu/noble/+package/swtpm

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Install ginkgo under $PATH
3fc8028 
Signed-off-by: Dimitris Karakasilis <[email protected]>
jimmykarily added a commit to kairos-io/kcrypt-discovery-challenger that referenced this pull request Sep 24, 2025
@jimmykarily
[TMP] use a replace that points to a branch (instead of localy dir)
5f2d857 
Point to this: kairos-io/tpm-helpers#7

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Add tpm undefine helper method
49f51e3 
to allow kcrypt-challenger to cleanup the NV storage (e.g. to reset the
local passphrase)

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Don't inform the client about enrollement on authentication
91352fe 
because enrollement happens in a later step

Signed-off-by: Dimitris Karakasilis <[email protected]>
jimmykarily added a commit to kairos-io/kcrypt-discovery-challenger that referenced this pull request Sep 30, 2025
@jimmykarily
[TMP] use a replace that points to a branch (instead of localy dir)
228e420 
Point to this: kairos-io/tpm-helpers#7

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily
Use an NV index to store the AK blob instead of a file
eed3ceb 
because during initramfs stage, there is no persistent storage available
to write a file to (except maybe the encrypted partitions which is what
we are trying to decrypt in the first place).

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily jimmykarily force-pushed the 2988-remote-attestation branch from 662b294 to 229b783 Compare September 30, 2025 07:35
@jimmykarily
Use transient AK
96deb0f 
because we don't need to verify the AK (we verify the EK instead) so we
don't have the problem of storing the AK permanently, thus fixing the error:

TPM_RC_SIZE (parameter 2): structure is the wrong size

when trying to store the whole AK into NV index

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily jimmykarily force-pushed the 2988-remote-attestation branch from 229b783 to 96deb0f Compare September 30, 2025 10:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jimmykarily jimmykarily

Labels

None yet

Projects

🧙Issue tracking board
Status: In Progress 🏃

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jimmykarily