tpm2-software / tpm2-pytss

Python bindings for TSS
https://tpm2-pytss.readthedocs.io/en/latest/
BSD 2-Clause "Simplified" License
62 stars 45 forks

Creating EK and AIK #203

Open apoorvemohan opened 3 years ago

apoorvemohan commented 3 years ago

Hi, The current Python Keylime Agent uses tpm2_tools to create EK (tpm2_createek) and AK (tpm2_createak), and we want to convert it to start using ESAPI instead. I was wondering if tpm2-pytss will provide similar abstractions in the near future?

Best, Apoorve

williamcroberts commented 3 years ago

tpm2-pytss provides bindings to ESAPI, so you can use it directly and just implement the logic the tools do. I have a ticket open to actually go convert you over to Python ESAPI (Ticket #10) and drop tools, but then I saw you were heading to RUST. What's the future of the Python code base?

galmasi commented 3 years ago

Following up on the comment by @williamcroberts.

The keylime *agent* is migrating to rust, no question about it. But I don't think I'm ready to dig a shallow grave for the python agent yet -- it's the mainstay of keylime. I believe investing into streamlining the python code to avoid system() calls is a good thing(tm) -- pun not intended, but we'd do the keylime registrar and verifier a service.

We spent a few hours with @apoorvemohan going through the createEK->createAK->makecredential->activatecredential set of calls, and made them work in pytss. We ended up writing what could end up as templates for RSA based EK and AIK creation. *Do you want them?* If "yes", they are a PR away from pytss.

williamcroberts commented 3 years ago

> Following up on the comment by @williamcroberts.
>
> The keylime agent is migrating to rust, no question about it. But I don't think I'm ready to dig a shallow grave for the python agent yet -- it's the mainstay of keylime. I believe investing into streamlining the python code to avoid system() calls is a good thing(tm) -- pun not intended, but we'd do the keylime registrar and verifier a service.
>
> We spent a few hours with @apoorvemohan going through the createEK->createAK->makecredential->activatecredential set of calls, and made them work in pytss. We ended up writing what could end up as templates for RSA based EK and AIK creation. Do you want them? If "yes", they are a PR away from pytss.

Sure, we'd love to have this support code so folks can create tpm2-tool-like things effortlessly.

whooo commented 3 years ago

@apoorvemohan and @galmasi any updates on this?

williamcroberts commented 2 years ago

So what do we need to close this? Do we want templates in the python code that can be used in createprimary and create calls?

galmasi commented 2 years ago

My apologies. I am beset by multiple deadlines, and the code is somewhere in one of my repositories. If you can wait until after Thanksgiving, I will return to this. I also need to have a conversation about how you want us to add the templates. I think last time (many months ago) I stopped because I didn't know how to find the best place right away, stopped to consider the best solution ... then another emergency came up :(

williamcroberts commented 2 years ago

> My apologies. I am beset by multiple deadlines, and the code is somewhere in one of my repositories. If you can wait until after Thanksgiving, I will return to this. I also need to have a conversation about how you want us to add the templates. I think last time (many months ago) I stopped because I didn't know how to find the best place right away, stopped to consider the best solution ... then another emergency came up :(

I can add them, no worries. I'll look at the tools code, as I'm assuming that's what you want to replace. We can probably add a templates.py and add them in there as well as consider adding some helper routines.
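
An added illustration, not code from this thread or from tpm2-pytss, of what RSA EK and AK templates of the kind discussed above contain: it marshals the TPMT_PUBLIC structures with the standard library only. The EK values follow the default RSA 2048 template of the TCG EK Credential Profile; the AK shape (restricted RSASSA/SHA-256 signing key) and all helper names are assumptions made for the example.

```python
import hashlib
import struct

# TPM 2.0 algorithm identifiers (TCG Algorithm Registry).
ALG_RSA, ALG_AES, ALG_SHA256 = 0x0001, 0x0006, 0x000B
ALG_NULL, ALG_RSASSA, ALG_CFB = 0x0010, 0x0014, 0x0043

# TPMA_OBJECT attribute bits.
FIXED_TPM, FIXED_PARENT, SENSITIVE_DATA_ORIGIN = 1 << 1, 1 << 4, 1 << 5
USER_WITH_AUTH, ADMIN_WITH_POLICY = 1 << 6, 1 << 7
RESTRICTED, DECRYPT, SIGN = 1 << 16, 1 << 17, 1 << 18
BASE = FIXED_TPM | FIXED_PARENT | SENSITIVE_DATA_ORIGIN

# authPolicy of the default EK template: PolicySecret(TPM_RH_ENDORSEMENT).
EK_AUTH_POLICY = bytes.fromhex(
    "837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa")


def tpm2b(data):
    """Marshal a TPM2B_* buffer: big-endian UINT16 size, then the bytes."""
    return struct.pack(">H", len(data)) + data


def rsa_public(attrs, auth_policy, symmetric, scheme, unique, bits=2048):
    """Marshal a TPMT_PUBLIC for an RSA key (exponent 0 means 65537)."""
    return (struct.pack(">HHI", ALG_RSA, ALG_SHA256, attrs)
            + tpm2b(auth_policy)
            + b"".join(struct.pack(">H", v) for v in symmetric + scheme)
            + struct.pack(">HI", bits, 0)
            + tpm2b(unique))


def ek_template():
    """Restricted decryption (storage) key, usable only via its policy."""
    return rsa_public(BASE | ADMIN_WITH_POLICY | RESTRICTED | DECRYPT,
                      EK_AUTH_POLICY, (ALG_AES, 128, ALG_CFB), (ALG_NULL,),
                      bytes(256))


def ak_template():
    """Restricted signing key: RSASSA with SHA-256, no symmetric algorithm."""
    return rsa_public(BASE | USER_WITH_AUTH | RESTRICTED | SIGN,
                      b"", (ALG_NULL,), (ALG_RSASSA, ALG_SHA256), b"")


def object_name(public):
    """TPM Name: nameAlg identifier followed by H_nameAlg(TPMT_PUBLIC)."""
    return struct.pack(">H", ALG_SHA256) + hashlib.sha256(public).digest()
```

`object_name` is meant for the public area the TPM returns after creation (with the real modulus in `unique`), since that Name is what makecredential binds the credential to; applying it to a template only checks the marshalling.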