Meeting 25/10/23

[THS-on]

Attendees

• [x] @ansasaki
• [ ] @aplanas
• [x] @edwards-n
• [x] @galmasi
• [x] @Isaac-Matthews
• [ ] @kkaarreell
• [ ] @lkatalin
• [ ] @lukehinds
• [x] @maugustosilva
• [ ] @mdrocco
• [ ] @mbestavros
• [x] @mheese
• [x] @mpeters
• [ ] Niteesh Dubey
• [ ] @osresearch
• [ ] @ruocco
• [x] @stringlytyped
• [ ] @stefanberger
• [x] @THS-on
• [ ] @tpletcher-hpe
• [ ] @ueno
• [x] @sergio-correia
• [ ] Maya Constantini
• [ ] Supreshna

Time: 25/10/23 15:30 BST (https://www.timeanddate.com/worldclock/fixedtime.html?msg=Keylime+Meeting&iso=20231025T1530&p1=136&ah=1) Meeting link: https://uni-kiel.zoom-x.de/j/64409148003?pwd=bWNRRlVSVFB4cWgvdkFEbHJOTnF5UT09

Topics

• Status update push model
  • mostly same as last month, but some progress regarding the certificate validation on the registrar
  • the registrar changes will be submitted as the first PR once nearly complete
• Status update IDevID by @Isaac-Matthews
  • Mostly done, is in final review round
  • Now e2e test are being worked on
  • Documentation needs to be added once that feature is fully merged
• Status update Kubernetes operator
  • @maugustosilva: CI via AWS Nitro instances can be likely added
  • @galmasi:
  • has the review of @mheese's on his TODO list
  • worked on unprivileged pods with IMA and Measured Boot. Still needs some rust-agent changes: https://github.com/keylime/rust-keylime/pull/665#pullrequestreview-1680072857
  • Durable Attestation should be possible to use to update the CRDs instead of polling the database directly
  • Container measurements are being worked on. There likely will be given a talk about this in the near future
• Review of https://github.com/keylime/keylime.github.io/pull/47
  • Is in review. Gets merged once all the comments are addressed
  • Feel free to give feedback if you have time
• @ansasaki is working on making configuration upgrades easier
  • Upgrade documentation is currently missing in Keylime. Let's add that
• Discussion about proving parsing and policy evaluation as separate API
  • Reason behind this: there are use cases where the logs come from different places and the agent model does not really fit. This would allow other systems to use IMA and Measured Boot attestation without needing to implement all the parsing and policy implementation stuff.
  • Needs an enhancement proposal (gets created by @THS-on, when he has time)
• Keylime's default TPM EK CA cert store
  • It tries to be user friendly therefore we will and already have also include CAs from cloud providers
  • TODO: add note and documentation on how to customize it for deployments.