
Keylime meeting notes

Meeting 20/03/2019 #2

Closed lukehinds closed 4 years ago

lukehinds commented 5 years ago

Project Board

https://github.com/orgs/keylime/projects/1

Attendees

Previous meeting minutes:

https://github.com/keylime/meetings/issues/1

Topics

Actions

Meeting notes

New Feature

lukehinds commented 5 years ago

Luke Hinds @lukehinds Mar 20 15:00 @/all Hi ! Keylime meeting # 2 , please say hello, so I know who is here?
leonjia0112 @leonjia0112 Mar 20 15:01 Hi!
Mark Bestavros @mbestavros Mar 20 15:01 Hello!
Robbie Harwood @frozencemetery Mar 20 15:01 hello
Luke Hinds @lukehinds Mar 20 15:01 hi @leonjia0112 @mbestavros @frozencemetery !
Andrew Toth @atothRedHat Mar 20 15:01 Hello all
Luke Hinds @lukehinds Mar 20 15:01 Hey @atothRedHat ! See if we can reach the MIT folks.. ping @jetwhiz / @nabilschear ! meeting agenda: keylime/meetings#2
Charlie @jetwhiz Mar 20 15:02 I'm here, Nabil might join in a few minutes
Luke Hinds @lukehinds Mar 20 15:02 awesome, hi @jetwhiz !
Charlie @jetwhiz Mar 20 15:03 hey, how's it going @lukehinds ?
Luke Hinds @lukehinds Mar 20 15:03 before we kick off, a quick intro to @atothRedHat . He is keen to get involved and brings quite a few talents, Andrew will be getting his feet wet over the next few weeks. good thanks @jetwhiz
Andrew Toth @atothRedHat Mar 20 15:04 Hey all, glad to be here, hope I can help
Charlie @jetwhiz Mar 20 15:04 welcome @atothRedHat !
Luke Hinds @lukehinds Mar 20 15:04 thanks @atothRedHat , let's get rolling.. TPM 2.0 port keylime/rust-keylime#44 @mbestavros @leonjia0112 Last week I had... @leonjia0112 commented that the following are required first:
keylime/rust-keylime#28 keylime/rust-keylime#40
28 is closed
leonjia0112 @leonjia0112 Mar 20 15:05 PR# 53 which is for keylime/rust-keylime#40 is ready for review.
Luke Hinds @lukehinds Mar 20 15:05 actually, #28 needs reopening
Robbie Harwood @frozencemetery Mar 20 15:06 heh
Luke Hinds @lukehinds Mar 20 15:06 @frozencemetery , could you see if you can reopen, I think it needs admin
Robbie Harwood @frozencemetery Mar 20 15:06 so we had a problem with github it won't let us reopen that leonjia0112 made a new PR
Luke Hinds @lukehinds Mar 20 15:06 cool! makes sense is it something I should look at (ACLs)?
leonjia0112 @leonjia0112 Mar 20 15:06 PR#53 is the same as PR#28
Luke Hinds @lukehinds Mar 20 15:07 ack, thanks @leonjia0112
Robbie Harwood @frozencemetery Mar 20 15:07 if you have any ideas feel free; but github says I have admin permissions for the repo it's not a huge deal, fortunately. We just have to remember not to click the button too early I guess
Luke Hinds @lukehinds Mar 20 15:07 @frozencemetery , hmmm not sure too. I will have a look though
Robbie Harwood @frozencemetery Mar 20 15:07 okay
Luke Hinds @lukehinds Mar 20 15:08 do you guys need help with the 2.0 work? or extra hands. once #53 lands
Mark Bestavros @mbestavros Mar 20 15:09 I think we're okay for now
leonjia0112 @leonjia0112 Mar 20 15:09 same as @mbestavros
Luke Hinds @lukehinds Mar 20 15:10 good! so I plan to pull the rust client into CI testing against the python-keylime registrar and verifier (along with an EMU) once 2.0 is there.
leonjia0112 @leonjia0112 Mar 20 15:10 alright That makes sense
Luke Hinds @lukehinds Mar 20 15:10 or we could do vice-versa and test on the rust repo. I don't really have a strong view here, let's visit this again later ok vTPM vTPM port keylime/python-keylime#29 @nabilschear @lukehinds so I think we can glance over this one, I need to hook up with @nabilschear and work on our approach we need some stuff up'streamed https://github.com/keylime/python-keylime/issues/29#issuecomment-474422432
nabilschear @nabilschear Mar 20 15:12 hi, i'm here now
Luke Hinds @lukehinds Mar 20 15:12 hey @nabilschear anything you want to add about the vTPM? looks like we need to work on a plan of approach, I could arrange a meeting with you there (if that sounds good)
nabilschear @nabilschear Mar 20 15:13 there's some work to be done that i probably don't have the bandwidth to do basically some c coding and testing we can develop most of the swtpm support without needing to use kvm at all. just use the emulator directly and have it talk to the real tpm
Luke Hinds @lukehinds Mar 20 15:14 understood, so maybe we could look at what can be offloaded. the key thing we have, is you know what needs doing and understand the tech and history I can certainly help with lots of testing.
nabilschear @nabilschear Mar 20 15:15 i think we'd need some help from @jetwhiz to implement the appropriate tpm2-tools for deep quote and then someone to go digging through swtpm2
Charlie @jetwhiz Mar 20 15:15 hopefully we can leverage the older tpm tools for quoting without much redesign
nabilschear @nabilschear Mar 20 15:15 i don't think any of us have any experience modifying swtpm2
Luke Hinds @lukehinds Mar 20 15:16 yep, he did a really good job of landing the other patches is deep quote a TCG thing?
nabilschear @nabilschear Mar 20 15:16 no, the folks who built the xen vtpm came up with it they used an unused tpm cmd ordinal have we reached out to stefan? i know we talked about that it might be good to see what he thinks
Luke Hinds @lukehinds Mar 20 15:18 not yet, I was just about to say we draft a GH issue and then put it on the swtpm repo? and then contact him once that is in place.
nabilschear @nabilschear Mar 20 15:18 ok, do we need a plan of attack in order to open the issue ?
Luke Hinds @lukehinds Mar 20 15:18 I think so, yes
nabilschear @nabilschear Mar 20 15:18 i.e., do we need to have dug through swtpm to see where this could be implemented? and actually this would be in libtpms not swtpm but all related
Luke Hinds @lukehinds Mar 20 15:19 that would all help, but key thing is to sell him on the functionality and it not be difficult for him to maintain (that will be one of his views)
nabilschear @nabilschear Mar 20 15:20 i think deepquote is the big thing. i thought that there would be some work in the registration process. But i think that can all be handled outside of swtpm with keylime pretty easily.
Luke Hinds @lukehinds Mar 20 15:20 Shall we do this, I will start to draft a google doc on an attack plan?
nabilschear @nabilschear Mar 20 15:20 ok, i don't want to take over the meeting with this sounds good
Luke Hinds @lukehinds Mar 20 15:21 no, it's an important one, one of the key features!
nabilschear @nabilschear Mar 20 15:21 does it make sense to start porting deepquote to tpm2-tools? that part hopefully is more straightforward
Luke Hinds @lukehinds Mar 20 15:22 I am thinking without the support in libtpms, we might end up with tool cmds with nowhere to call?
nabilschear @nabilschear Mar 20 15:22 true
Luke Hinds @lukehinds Mar 20 15:22 So perhaps we should get stefan on board, although no harm in writing code and having a play. ok, thanks @nabilschear
nabilschear @nabilschear Mar 20 15:23 sounds good, we'll come up with a plan
Luke Hinds @lukehinds Mar 20 15:23 Once we land the deep quote stuff and rhboot we should be less reliant on both of your expertise. you can then kick back and watch in with pride as the founding forefathers (or something like that) :) ok.. rhboot, not much more to report here. I have started to dump some notes on setup. @jetwhiz was away for a bit, so I plan to hook up with him just to see how it's done with TrustedGrub2 "Unexpected Get quote " has taken a back seat for a bit. I will pick this up again. Back-porting the Intel tpm2-tools to the 3.X branch @jetwhiz We have a meeting setup with Javier to go over this b
Charlie @jetwhiz Mar 20 15:26 yeah i think you've set up a meeting for this coming Monday
Luke Hinds @lukehinds Mar 20 15:26 yep!
Charlie @jetwhiz Mar 20 15:27 it will be good to get our tools into 3.X, then we can start using Intel's tools directly from keylime
Luke Hinds @lukehinds Mar 20 15:27 use of raise Exception keylime/python-keylime#87 - thanks for the feedback here @nabilschear agree @jetwhiz , and also use package managers and not need to compile / make the tpm2- projects
nabilschear @nabilschear Mar 20 15:27 that should be an easy fix right? the raise exception bit
Luke Hinds @lukehinds Mar 20 15:28 @nabilschear , yeah I got that ok. I will add you to review
Charlie @jetwhiz Mar 20 15:28 about your question for that @nabilschear , the webapp doesn't rely on any tenant exceptions
Luke Hinds @lukehinds Mar 20 15:29 I was just about to ask that! Thanks @jetwhiz
nabilschear @nabilschear Mar 20 15:29 perfect
Charlie @jetwhiz Mar 20 15:29 it does rely on the tenant to return REST codes for deleting/reactivating though, so just make sure those don't get changed
Luke Hinds @lukehinds Mar 20 15:29 ack! so for PRs a simple readme change keylime/python-keylime#86 @jetwhiz , this is based on your itertools change keylime/python-keylime#85
nabilschear @nabilschear Mar 20 15:30 i'd like to pull the warning text up right where we first mention an emulator. re #86
Luke Hinds @lukehinds Mar 20 15:30 sure! sounds good I will push another change
nabilschear @nabilschear Mar 20 15:30 into the installer section
Luke Hinds @lukehinds Mar 20 15:30 ack!
Charlie @jetwhiz Mar 20 15:30 yeah that should be near the top when they're setting the system up
Luke Hinds @lukehinds Mar 20 15:31 agree, makes sense. I will pick up the demo changes again keylime/python-keylime#67 that's it for PRs rust folks: https://github.com/keylime/rust-keylime/pulls any one in particular it would be useful to look at? @leonjia0112 @mbestavros @frozencemetery ^
Robbie Harwood @frozencemetery Mar 20 15:33 I think they're all inactive right now except #53 but they should correct me if that's not right
Mark Bestavros @mbestavros Mar 20 15:33 53 is what we've been focusing on recently
Luke Hinds @lukehinds Mar 20 15:33 ok, understood so any other business?
Charlie @jetwhiz Mar 20 15:33 by the way, did keylime/python-keylime#85 fix the issue for you on Fedora @lukehinds
Luke Hinds @lukehinds Mar 20 15:34 @jetwhiz it did, yes thanks! I tested on ubuntu too! looked good to me. I don't think we need to worry about performance, as this is only with the emulator. (in regards to seek being quicker to parse the file)
Charlie @jetwhiz Mar 20 15:34 awesome! yeah that file shouldn't grow to be insanely large anyways
Luke Hinds @lukehinds Mar 20 15:35 yep.
Charlie @jetwhiz Mar 20 15:35 did you want to poke at #85 @nabilschear ?
nabilschear @nabilschear Mar 20 15:35 i'd say go for it no need to wait on me
Luke Hinds @lukehinds Mar 20 15:36 so if you do a quick lgtm @jetwhiz , I will merge it.
Charlie @jetwhiz Mar 20 15:36 is there a priority set for keylime/python-keylime#55
Luke Hinds @lukehinds Mar 20 15:37 not a high one , unless someone says they really need it its certainly worth having, but I think we have bigger fish. perhaps when we kick outreach into action, and users turn up, it might need more attention does that sound ok @jetwhiz ?
Charlie @jetwhiz Mar 20 15:39 true, would that be a relatively big effort, or is it mostly updating the dockerfiles to use ubuntu (and switch to apt, etc.)?
Luke Hinds @lukehinds Mar 20 15:39 not a big effort, no..like you say, just some docker files. I am keen to have it in place, alongside CentOS as well,
Charlie @jetwhiz Mar 20 15:40 yeah it would be good to check on multiple platforms automatically
Luke Hinds @lukehinds Mar 20 15:40 yep, and in time perhaps against upstream tools that we use. so that way if a change lands in tpm2-tools that breaks keylime, we get an early view of it.
Charlie @jetwhiz Mar 20 15:41 yeah that's a good idea
Luke Hinds @lukehinds Mar 20 15:41 I did also speak with someone who is interested in using keylime in centos ci https://ci.centos.org/
Charlie @jetwhiz Mar 20 15:41 does centos ci use 3.x tpm2-tools?
Luke Hinds @lukehinds Mar 20 15:42 they don't use any tpm stuff at the moment, but as they use tons of mirrors, they would like to know that config files have not been tampered with. something like that, I have yet to deep dive with them. should hopefully meet soon.
Charlie @jetwhiz Mar 20 15:43 sounds good, keep me in the loop if i can help
Luke Hinds @lukehinds Mar 20 15:43 so this would be keylime being a tool they use, rather than being tested there @jetwhiz thanks, will do! ok, I think we can call it to an end now. thanks so much for coming all, I will update the minutes
Charlie @jetwhiz Mar 20 15:44 ok, thanks everyone!
nabilschear @nabilschear Mar 20 15:44 @lukehinds do you want to make the update to #86?
Luke Hinds @lukehinds Mar 20 15:44 the last bit of news I forgot, we released v3.1.0 this week
Robbie Harwood @frozencemetery Mar 20 15:44 \o/
nabilschear @nabilschear Mar 20 15:44 or do you want me to pull it up?
Luke Hinds @lukehinds Mar 20 15:44 I really don't mind @nabilschear if you like you can push to it, or review my changes and recommend in there @nabilschear , do you have a gmail account for working on a google-doc?
nabilschear @nabilschear Mar 20 15:48 uhoh did gitter die on me?
Andrew Toth @atothRedHat Mar 20 15:48 nope
Luke Hinds @lukehinds Mar 20 15:48 you're back
nabilschear @nabilschear Mar 20 15:48 ok, i'll send you my email for google doc
Luke Hinds @lukehinds Mar 20 15:49 cool, thanks @nabilschear
nabilschear @nabilschear Mar 20 15:49 i had sent a few more messages but they got stuck in the proxy i'll throw a few comments into the PR for #86
Luke Hinds @lukehinds Mar 20 15:51 thanks! @nabilschear , pm'ed you (if you can see it)
nabilschear @nabilschear Mar 20 15:54 yep
nabilschear @nabilschear Mar 20 16:33 @lukehinds does the ansible stuff use the emulator by default?
Luke Hinds @lukehinds Mar 20 16:34 it does, we have an issue to change that though
nabilschear @nabilschear Mar 20 16:34 ok, i'm updating the readme
Luke Hinds @lukehinds Mar 20 16:34 keylime/ansible-keylime#6
nabilschear @nabilschear Mar 20 16:34 so the ansible stuff is just for development purposes right now?
Luke Hinds @lukehinds Mar 20 16:35 I would say so yes, I should update its readme too.
nabilschear @nabilschear Mar 20 16:35 ok, i'll update the main keylime readme to make this clear
Luke Hinds @lukehinds Mar 20 16:35 I will use your text and replicate it to the ansible role go for it
nabilschear @nabilschear Mar 20 16:35 ok, i'll push it to your pr shortly aha, the readme already says the right thing for the docker image (thumbsup)
Andrew Toth @atothRedHat Mar 20 16:40 Is there an "official" community landing page or is it just the main github link for now?
Luke Hinds @lukehinds Mar 20 16:40 @atothRedHat , we plan to put something here: https://keylime.github.io and get a domain, something like keylime.org
Andrew Toth @atothRedHat Mar 20 16:41 but for now only the github link
Luke Hinds @lukehinds Mar 20 16:42 @nabilschear - the TCG "Virtualized Trusted Platform Architecture Specification" describes 'Deep quotes' - see this in a way adds weight to the command being upstreamed @atothRedHat ack, just for now.
nabilschear @nabilschear Mar 20 16:42 nice, i've not read that in detail was stefan involved in that spec?
Andrew Toth @atothRedHat Mar 20 16:43 who has access to update the https://keylime.github.io page source? Should probably add a link to github space for now.
Luke Hinds @lukehinds Mar 20 16:43 @nabilschear , yes he was @atothRedHat will get you access
Andrew Toth @atothRedHat Mar 20 16:44 cool, first contribution ;-)
nabilschear @nabilschear Mar 20 16:44 excellent
Luke Hinds @lukehinds Mar 20 16:44 @atothRedHat I plan to do something like what I did for another one of my old projects https://anteater.github.io/
nabilschear @nabilschear Mar 20 16:46 @lukehinds i pushed up my readme changes @lukehinds that looks really nice re anteater
Luke Hinds @lukehinds Mar 20 16:47 thanks @nabilschear @nabilschear website will be used to encourage adoption, users...they can quickly see how to get up'n'running @nabilschear lgtm! @nabilschear when we land hardware support in ansible, we can patch out the (Development Only)