kairos-io / kairos

The immutable Linux meta-distribution for edge Kubernetes.
https://kairos.io
Apache License 2.0

spike: check runtime attestation for COS_PERSISTENT and COS_OEM contents #2989

Open Itxaka opened 3 weeks ago

Itxaka commented 3 weeks ago

Kind of the same as the keylime card but apply it to COS_PERSISTENT/COS_OEM files.

This could be done with keylime by applying a policy that only targets files under PERSISTENT mounts.

BUT those files will still need to be measured (no problem on persistent as it's RW).

But seems ok, because you could measure those files offline and generate a policy based on those files (i.e. stylus binary and such), and on updates you will first need to pre-measure what you are gonna deploy and then deploy it.

Anyway scenario for this:

uki/non-uki: doesn't matter. Node server and attestation server: we don't care about the attestation, but the node server is a kairos node. You have a binary under PERSISTENT that you use. You want that binary to be measured continuously and compared against a known good value on the attestation server. If that value changes, the node should either not run it or even panic, but it should trigger something. I guess this depends on the attestation framework. If the binary is updated with a good known version it should continue working, so the policy should allow that.

Additional context: https://github.com/kairos-io/kairos/pull/2981
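The workflow sketched in the issue (pre-measure files under the persistent mount offline, ship the digests as a policy, re-measure at runtime, and let an approved update through because its digest was added to the policy before deployment) as an added, self-contained example. This is not Kairos or keylime code; the policy layout (`{"digests": {relative_path: [sha256, ...]}}`) is a simplified stand-in for a keylime runtime policy, and the `persistent/bin/stylus` file and its contents are constructed for the demo.

```python
"""Added example: measure a persistent tree, build an allowlist that may hold
several known-good digests per file, and check the live tree against it.
Not Kairos or keylime code; the policy format here is a simplification."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def measure_tree(root):
    """Return {relative_path: sha256} for every regular file under root.
    Symlinks are skipped so a link cannot stand in for a measured file."""
    out = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink():
            out[str(p.relative_to(root))] = sha256_file(p)
    return out


def build_policy(measurements, policy=None):
    """Merge an offline pre-measurement into the allowlist.  Existing digests
    are kept, so after an update both the previous and the newly approved
    version of a file are acceptable (the 'policy should allow that' case)."""
    policy = {"digests": {}} if policy is None else json.loads(json.dumps(policy))
    for rel, digest in measurements.items():
        allowed = policy["digests"].setdefault(rel, [])
        if digest not in allowed:
            allowed.append(digest)
    return policy


def check_tree(root, policy):
    """Re-measure root and compare against the policy.  Returns a list of
    (relative_path, reason) violations; an empty list means the tree is clean.
    What to do on a violation (refuse to run, alert, panic) is the caller's
    decision, as the issue notes it depends on the attestation framework."""
    violations = []
    for rel, digest in measure_tree(root).items():
        allowed = policy["digests"].get(rel)
        if allowed is None:
            violations.append((rel, "unlisted"))
        elif digest not in allowed:
            violations.append((rel, "digest mismatch"))
    return violations


def demo():
    """Walk through clean -> tampered -> pre-measured update.  All files are
    constructed in a temporary directory standing in for COS_PERSISTENT."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "persistent"        # stands in for COS_PERSISTENT
        (root / "bin").mkdir(parents=True)
        binary = root / "bin" / "stylus"       # constructed stand-in binary
        binary.write_bytes(b"#!/bin/sh\necho v1\n")

        policy = build_policy(measure_tree(root))   # offline pre-measurement
        clean = check_tree(root, policy)            # expected: []

        binary.write_bytes(b"#!/bin/sh\necho tampered\n")
        tampered = check_tree(root, policy)         # expected: one mismatch

        # Operator pre-measures the approved v2 in a staging tree and merges
        # it into the policy *before* deploying it to the node.
        staged = Path(tmp) / "staging"
        (staged / "bin").mkdir(parents=True)
        (staged / "bin" / "stylus").write_bytes(b"#!/bin/sh\necho v2\n")
        policy = build_policy(measure_tree(staged), policy)

        binary.write_bytes(b"#!/bin/sh\necho v2\n")  # the update lands
        updated = check_tree(root, policy)          # expected: []
        return clean, tampered, updated


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The important design point is in `build_policy`: the new digest is appended rather than replacing the old one, so the check keeps passing through the window where some nodes still run the previous version, and a file whose digest is in neither list (tampering, or an update that was deployed without being pre-measured) is reported.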