Meeting 25/01/23

[THS-on]

Project Board

https://github.com/orgs/keylime/projects/1

Attendees

• [ ] @ansasaki
• [ ] @aplanas
• [ ] @edwards-n
• [x] @galmasi
• [x] @gustavobbrand
• [ ] @kkaarreell
• [ ] @lkatalin
• [ ] @iolivergithub
• [ ] @lukehinds
• [x] @maugustosilva
• [ ] @mdrocco
• [x] @mbestavros
• [x] @mheese
• [x] @mpeters
• [ ] @osresearch
• [x] @ruocco
• [x] @THS-on
• [ ] @ueno

Time: 25/01/23 15:30 GMT, 16:30 CET (https://www.timeanddate.com/worldclock/fixedtime.html?msg=Keylime+Meeting&iso=20230125T1530&p1=769&ah=1) Link: https://uni-kiel.zoom.us/j/67239362130?pwd=cFI2b0lYL210RGY2dmxxenNyNWVnQT09

Topics

• GSoC 2023
• Roadmap 2023
• Documentation improvements
• FOSDEM 2023
• Removal of the Python agent
• Scalability of Keylime

Actions

• GSoC: @ansasaki is the contact person. If you want to be a mentor contact him.
• Roadmap: @THS-on will create a PR to update it
• Removal of the Python agent: @mpeters will make a 6.6.0 release next week, after that the removal process can begin
• @maugustosilva will move the eventlog code into one module
• @THS-on will fix
• Video meetings are going to b probably monthly

Meeting notes

Roadmap 2023

• Removal of the Python agent
• Refactoring Keylime internals
  • Cleanly separate: event loop, quote validation, IMA validation, static PCR checks and measured boot
  • Remove the current TPM abstraction layer (no longer needed when the agent is removed)
  • Plan framework for different data input and attestation methods (push model, SGX attestation)
  • Allow for more flexible policies on a per agent basis
• Push model: don't require a fixed connection to the agents
  • HPE has also interest in getting that feature implemented
• Documentation improvements
  • Completing getting started guide
  • Guides on how to create policies on common distributions
  • Documenting mTLS setup
• Implementation of the IDevID proposal

FOSDEM 2023

@ansasaki and @THS-on are presenting Keylime at FOSDEM 2023: https://fosdem.org/2023/schedule/event/security_keylime/

IDevID proposal implementation

Is slowly advancing.

Scalability

Main issue currently is that transient failures in the DB causes Keylime to hard error. Also the verifier state machine is not reentrant which causes issues when the tenant is called in parallel.

Also https://github.com/keylime/keylime/issues/1283 was discussed.

User perspective

@mheese talked about integrating Remote Attestation into Hedgehog and the challenges of getting started with Keylime.

• Challenges
  • Creating IMA policies and other ones in general
  • Attestation during installation in Open Network Install Environment (ONIE) and during runtime in Debian. (Push model is probably going to be helpful here)

IMA runtime policies and DSSE

@mbestavros is working on moving our signature format to DSSE-envelops.