kolide / launcher

Osquery launcher, autoupdater, and packager
https://kolide.com/launcher

add secure enclave signatures to local server response #1658

Open James-Pickett opened 3 months ago

James-Pickett commented 3 months ago

This PR updates the local server response to include a hardware signature. On macOS the hardware signer is the secure enclave. The secure enclave can only be used by a process running in the user security context. To accomplish this, launcher uses launchctl to exec itself in the user security context.

One thing we wanted to focus on preventing was using a signed launcher binary to sign arbitrary things. To do this, the launcher secure enclave command will only work when it has been provided a validated local server challenge. Additionally, the command adds `kolide:` and `:kolide` to either end of the data it's signing, as well as a nonce and a timestamp to the signed data.

This was not required for Windows and Linux since the TPM can be used by the root user. However, this has been added to both the Linux and TPM signing so that the data structure returned by launcher is the same for all platforms.

Here are some more detailed docs https://github.com/kolide/monorepo/pull/166
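
The wrapping described in this PR, as an added Go example that is not launcher's code: the signer only ever signs `kolide:<body>:kolide` with a fresh nonce and a timestamp, and the verifier rejects anything that lacks the wrapper, fails signature verification, or falls outside a freshness window. The JSON envelope layout, the function names, `demoKey` (a software P-256 key standing in for the hardware-held key) and the `maxAge` window are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

type envelope struct { // assumed layout; launcher's real wire format is not shown on this page
	Data, Nonce []byte
	Timestamp   int64
}
var prefix, suffix = []byte("kolide:"), []byte(":kolide")
var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed software key, stand-in for the enclave/TPM key

// wrapAndSign never signs the caller's raw bytes: it signs kolide:<json envelope>:kolide.
func wrapAndSign(key *ecdsa.PrivateKey, data []byte, now time.Time) (msg, sig []byte, err error) {
	nonce := make([]byte, 16)
	rand.Read(nonce) // never returns an error as of Go 1.24; check the error on older toolchains
	body, _ := json.Marshal(envelope{data, nonce, now.Unix()}) // cannot fail for these field types
	msg = bytes.Join([][]byte{prefix, body, suffix}, nil)
	digest := sha256.Sum256(msg)
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return msg, sig, err
}

// verify checks wrapper and signature before parsing, then enforces freshness (maxAge is an assumed policy).
func verify(pub *ecdsa.PublicKey, msg, sig []byte, now time.Time, maxAge time.Duration) (*envelope, error) {
	digest := sha256.Sum256(msg)
	body, ok1 := bytes.CutPrefix(msg, prefix)
	body, ok2 := bytes.CutSuffix(body, suffix)
	var env envelope
	if !ok1 || !ok2 || !ecdsa.VerifyASN1(pub, digest[:], sig) || json.Unmarshal(body, &env) != nil {
		return nil, errors.New("bad wrapper, signature or body")
	}
	if age := now.Sub(time.Unix(env.Timestamp, 0)); age < 0 || age > maxAge {
		return nil, errors.New("timestamp outside freshness window")
	}
	return &env, nil
}

func main() {
	msg, sig, err := wrapAndSign(demoKey, []byte("constructed payload"), time.Now())
	println(string(msg), len(sig), err == nil)
}
```

The returned `Nonce` only prevents replay if the verifier also remembers nonces it has already accepted within the freshness window.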