Open travier opened 2 years ago
Concerns were raised about the case where a containerized version of the agent could lock out other users of the TPM.
As far as I understand and according to https://github.com/tpm2-software/tpm2-abrmd#tpm2-abrmd-vs-in-kernel-rm, I see two use cases:
/dev
or a specific TPM device /dev/tpm*
directly into the container. The kernel would then ensure no single process locks the TPM entirely. If this not doable in practice then this might not be an option.I think just using /dev/tpmrm*
is probably the easiest, it'll make sure the kernel performs the Resource Manager role. It also saves us from extra permissions (dbus) or more code (proxy).
Note that if we go the "bind mount devices for the container" route, we can either bind mount an exhaustive list of devices at container startup time or we need to bind mount the entire /dev
directory if the devices names are unknown or not present at startup time.
Could you please elaborate on the intended container use case? Without namespaced IMA the agent cannot distinguish whether a file comes from the host, agent container or a different container. Doing attestation in such a situation would be difficult, it basically mean you are doing attestation of everything running on the host (including all containers) and the allowlist would have to reflect that. Also, what would be the impact when one of the containers fails attestation? If I am not mistaken, starting that moment we won't be able to say if other containers or host itself comply? Or maybe I am wrong.
There are two different things:
I think it would be interesting to have 1. working on Fedora CoreOS, with a container approach.
I personally think that 2. is less valuable in general, especially for Fedora CoreOS use cases where reboots happen regularly and that's the moment that you really want to attest that your system is running the version that you want.
This is a tracking issue for the discussion and work needed to create a container image and documentation for the rust-keylime agent to work on systems such as Fedora CoreOS.
See previous discussion in https://github.com/coreos/fedora-coreos-tracker/issues/982.