Actions
@lukehinds to investigate @frozencemetery's suggestion of a keylime/infra repo
@lukehinds to meet with @jetwhiz to discuss the rhboot implementation
@leonjia0112 to clean up old TPM 1.2 PRs
Meeting minutes
Luke Hinds @lukehinds 15:03
ping @/all
Andrew Toth @atothRedHat 15:03
there we go, I thought my gitter was hosed :-)
Luke Hinds @lukehinds 15:03
agenda: keylime/meetings#3
leonjia0112 @leonjia0112 15:04
Hi!
Luke Hinds @lukehinds 15:04
please take a look and if any additions needed, please let me know
Robbie Harwood @frozencemetery 15:04
hello
Luke Hinds @lukehinds 15:05
I just updated the TPM 2.0 port with @leonjia0112's PR keylime/rust-keylime#54
Topic: TPM 2.0 port keylime/rust-keylime#44 @mbestavros @leonjia0112
so getting close, fellows?
leonjia0112 @leonjia0112 15:06
TPM 2.0 porting is partially done with the existing functions of the repo.
Working on implementing the remaining functions in TPM 2.0.
Luke Hinds @lukehinds 15:07
will those go into the same PR @leonjia0112 ?
leonjia0112 @leonjia0112 15:07
create_deep_quote (vtpm) is set with a placeholder for now
Luke Hinds @lukehinds 15:07
yep, that makes sense
leonjia0112 @leonjia0112 15:07
I think they will be in the same PR, as @frozencemetery suggested
Luke Hinds @lukehinds 15:07
great
leonjia0112 @leonjia0112 15:08
Now about 30%-40% of the TPM 2.0 functions are done overall
Luke Hinds @lukehinds 15:08
There are a few old PRs that might be stale now, if we are no longer maintaining TPM 1.2 in the rust node.
leonjia0112 @leonjia0112 15:09
I will close those stale TPM 1.2 PRs
Luke Hinds @lukehinds 15:09
@leonjia0112 - thanks
topic: Cross-project strategy between python-keylime / rust-keylime.
leonjia0112 @leonjia0112 15:10
thx!
Luke Hinds @lukehinds 15:10
so this one was born out of a discussion around CI testing.
when the 2.0 port is complete, it makes sense to test the rust node against the registrar and verifier in CI
so we can be sure we capture anything that breaks either project.
Robbie Harwood @frozencemetery 15:12
agreed
that sounds good
Luke Hinds @lukehinds 15:13
so we need to think about in which repo we test.
I believe it would need to be both...
A PR is made to python-keylime, we build the rust node and test against it.
A PR is made to rust-keylime, the python registrar and verifier are built and we test there.
it seems like duplicate jobs, but I am not sure that can be avoided, just because of how PRs work within git
Robbie Harwood @frozencemetery 15:15
we could have a separate repo for infrastructure for that... not having looked very hard at how python-keylime is tested, is that something that can be done in (e.g.) Travis, or do we need a custom VM?
Luke Hinds @lukehinds 15:15
that's not a bad idea.
in python-keylime we have some docker containers which spin up fed 29 with a TPM emu
the part I am not sure of is that travis needs the patch / PR to test against.. I don't know if another repo would be able to grab that - if that makes sense?
Charlie @jetwhiz 15:17
I'm here, Nabil will come soon I think
Luke Hinds @lukehinds 15:17
hey @jetwhiz
Robbie Harwood @frozencemetery 15:17
each repo could have a basic travis.yml that clones the infrastructure repo and runs CI out of there?
Charlie @jetwhiz 15:17
hey @lukehinds , just catching up on the chat log
Robbie Harwood @frozencemetery 15:17
or we could do something else entirely :)
Luke Hinds @lukehinds 15:19
I like the idea @frozencemetery, let me investigate. Having a keylime/infra would be v useful. As we have ansible CI now, and we might want to do RPM lint checks etc.
that way we can have all our scripts and tricks in a single repo.
the other x-project tasks will be reviewing docs, README etc to make users aware they should use the rust client.
I have a colleague at RH who is interested in looking at early boot introduction of the node as well. She should join us around then I hope.
nabilschear @nabilschear 15:21
i'm here
sorry i'm late
Luke Hinds @lukehinds 15:21
no worries @nabilschear
ok, let's move on and I will play with Robbie's infra repo idea.
vTPM port keylime/python-keylime#29 @nabilschear @lukehinds
not much more to report here, I have a doc I am working on with @nabilschear
nabilschear @nabilschear 15:22
I've not been able to look at this yet.
Luke Hinds @lukehinds 15:22
this week I have had some internal stuff to clear off my desk.
me too!
nabilschear @nabilschear 15:23
i'll try to get something very basic written down so that we can get in touch with stefan
i think that once we can get that conversation started, progress will ramp up
Luke Hinds @lukehinds 15:23
I agree. let's revisit next week.
topic: Implement rhboot keylime/python-keylime#63 @lukehinds
I have done some poking around here and need to sync up with @jetwhiz
Charlie @jetwhiz 15:24
were you able to get a machine up and running with rhboot writing out its PCR values?
Luke Hinds @lukehinds 15:24
Had an email chat with Peter Jones & Javier Martinez Canillas who both work on rhboot
@jetwhiz yep!
turns out it's active in RHEL and Fedora already!
Charlie @jetwhiz 15:25
awesome, I'll have to check on our TPM laptop to see
Luke Hinds @lukehinds 15:25
It writes to the PCRs if UEFI loads the shim..
Charlie @jetwhiz 15:26
i can help you with getting Keylime to attest those PCR values
Luke Hinds @lukehinds 15:26
I am working on seeing if we can use the UEFI OVMF stuff in QEMU to boot a VM with uefi enabled and then have the swtpm running
Charlie @jetwhiz 15:26
we can even update the trusted grub demo script to use rhboot (if any set up is needed)
Luke Hinds @lukehinds 15:26
Peter had a play with this and hit some issues, but it should be doable
@jetwhiz that would be great
I think getting this rhboot in place puts us in a very strong position then.
we have a trusted boot and trusted run time.
Charlie @jetwhiz 15:28
agree, do you need this ready before your demo meeting?
Luke Hinds @lukehinds 15:29
vtpm is of course important too, but a full protection system available for bare metal is a great story for when we outreach and do some external evangelism
@jetwhiz that would be great, and happy to do what I can from here.
also @atothRedHat got accepted to demo keylime at the Red Hat Summit
would be great to have it available for there.
Andrew Toth @atothRedHat 15:30
+1
Charlie @jetwhiz 15:30
that's great news, when will that be held?
Andrew Toth @atothRedHat 15:30
May 2-4 I believe
in boston
get your passes now :-)
Robbie Harwood @frozencemetery 15:31
lol
Luke Hinds @lukehinds 15:31
@jetwhiz maybe I could set a meeting up with you, and we can set up an attack plan
Charlie @jetwhiz 15:32
that sounds good, especially to make sure we're ready for @atothRedHat's demo
Andrew Toth @atothRedHat 15:32
(correction MAY 7-9 https://www.redhat.com/en/summit/2019)
Luke Hinds @lukehinds 15:32
ok, Backport 3.x TPM2-Tools keylime/python-keylime#92 @jetwhiz
we can skip over the above as @jetwhiz is on the case here, but its fresh from yesterday
mainly have it there to track
Python 3 support keylime/python-keylime#32
For this, @jetwhiz I would dump the code you have up as a py3 branch and I will take a look at doing the port
or find someone that can help. I don't want you bogged down with stuff like this.
Charlie @jetwhiz 15:34
will do, it's a bit outdated but it will give some guidance on how to resolve some issues
Luke Hinds @lukehinds 15:34
that's fine. I have done a few py2>py3 ports so I should be able to work it out.
ok, speeding on as we are at the 30 min mark
website keylime/python-keylime#35 @atothRedHat
anything new @atothRedHat , fine if not, as you only recently took it on.
Andrew Toth @atothRedHat 15:37
not yet, redirected to learning for the demo/talk generation
Luke Hinds @lukehinds 15:37
no worries
PRs https://github.com/keylime/python-keylime/pulls
I need to clean up mine, will get onto that.
@jetwhiz, I am fine with your approach for initramfs as long as it all tests out ok for you.
rust PRs: https://github.com/keylime/rust-keylime/pulls
Charlie @jetwhiz 15:38
ok, sounds good
Luke Hinds @lukehinds 15:39
anything key here rust folks, I guess the list will be a little shorter once the 1.2 stuff is pruned?
Robbie Harwood @frozencemetery 15:39
I guess mbestavros isn't here, but he doesn't have anything open right now
Mark Bestavros @mbestavros 15:39
I'm here
I'm working on POST handling for the Rust client
Robbie Harwood @frozencemetery 15:39
oh hello! Sorry :)
Mark Bestavros @mbestavros 15:40
but no PRs up at the moment
Luke Hinds @lukehinds 15:40
ok, sounds good - thanks @mbestavros
so I think we can close now, I will update the meeting minutes and thanks @/all for turning up!
opps.
Project Board
https://github.com/orgs/keylime/projects/1