nokia / AttestationEngine

An experimental (but fully functional) Remote Attestation Engine and Applications for TPM2.0 based systems (cloud, edge, IoT etc)


Keylime tpm2/quote Protocol

iolivergithub opened this issue · comments

commented

Base protocol code generated. Needs the keylime bit

I've got a tpm2/quote working, but it is missing some of the metadata that is normally provided.
This requires either pytss or tpm2-tools to parse the TPM data structures in the a10 library.

Nearly all intents should be possible to get with a single Keylime call because we send the PCR values, IMA event log and UEFI log, with the limitation that the agent only supports one hash algorithm at a time.

commented

For the moment if the data coming back from Keylime is put into the Claim format, IIRC there's a helper class there somewhere, then that's fine.

A canonical format for quotes, PCRs etc needs to be defined. I'm quite happy if the tpm2_tools formats became that.

Can you send me an example of what comes back from Keylime?

commented

Also interesting is the fact that we could then generate 3 individual claims from one call....interesting....

commented

I look forward to the pull request

> Can you send me an example of what comes back from Keylime?

```json
{
  "code": 200,
  "status": "Success",
  "results": {
    "quote": "QUOTE_DATA",
    "hash_alg": "sha256",
    "enc_alg": "rsa",
    "sign_alg": "rsassa",
    "boottime": 1639133504,
    "ima_measurement_list": "ASCII IMA list",
    "ima_measurement_list_entry": 0,
    "mb_measurement_list": "base64 encoded UEFI event log"
  }
}
```

QUOTE_DATA has the following structure. It is basically all the file outputs of tpm2_quote:

```
QUOTE_DATA := rTPM_QUOTE:TPM_SIG:TPM_PCRS
TPM_QUOTE  := base64(zlib(TPMS_ATTEST))
TPM_SIG    := base64(zlib(TPMT_SIGNATURE))
TPM_PCRS   := base64(zlib(tpm2_pcrs)) // Can hold more than 8 PCR entries generated by tpm2_quote
```

Example can be found here: https://keylime-docs.readthedocs.io/en/latest/rest_apis.html#get--v1.0-quotes-integrity

> Also interesting is the fact that we could then generate 3 individual claims from one call....interesting....

Yeah depending on the input it could generate all current intents.

commented

OK, easiest thing to do is to accept the tpm2/quote intent and its parameters - the params might take a little work, but basically they are the same as tpm2_quote's input. I haven't implemented nonces :-)

When you get the return, extract the TPM_QUOTE, uncompress and decode the base64.

Warning: this is horrible:

use python's tempfile.NamedTemporaryFile and write the binary from there into the temporary file, then use subprocess.check_output:

```python
import base64
import subprocess
import tempfile
import zlib

# TPM_QUOTE is base64(zlib(TPMS_ATTEST)): decode the base64 first, then decompress
f = tempfile.NamedTemporaryFile()
f.write(zlib.decompress(base64.b64decode(TPM_QUOTE)))
f.flush()  # make sure the bytes are on disk before tpm2_print reads the file
f.seek(0)

# tpm2_print needs the structure type via -t; pass argv as a list, not one string
cmd = ["tpm2_print", "-t", "TPMS_ATTEST", f.name]
out = subprocess.check_output(cmd)
f.close()
```

the variable out should now contain the quote in yaml format IIRC, yaml.loads will give you a python dict

To create a claim structure, under t10/nut10 is a file called claim.py which contains a convenience class which generates the correct header and footer.
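The QUOTE_DATA envelope described earlier (rTPM_QUOTE:TPM_SIG:TPM_PCRS) and the parsing step above, as an added verifier-side example that is not code from AttestationEngine or Keylime: it unpacks the three fields in pure Python and walks the TPMS_ATTEST layout from TPM 2.0 Library Part 2 far enough to recover the nonce in extraData, the PCR selection and pcrDigest, so a verifier can check the nonce without shelling out to tpm2_print. The sample quote is constructed inside the block and its signature and PCR blobs are placeholders; checking TPMT_SIGNATURE against the AK is left to the caller.

```python
import base64
import struct
import zlib

TPM_GENERATED_VALUE = 0xFF544347  # magic at the start of every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018      # TPMI_ST_ATTEST value for a quote

def split_quote_data(quote_data):
    """Undo the envelope: 'r' + base64(zlib(TPMS_ATTEST)):base64(zlib(TPMT_SIGNATURE)):base64(zlib(pcrs))."""
    if not quote_data.startswith("r"):
        raise ValueError("Keylime quote data must start with 'r'")
    parts = quote_data[1:].split(":")
    if len(parts) != 3:
        raise ValueError("expected TPM_QUOTE:TPM_SIG:TPM_PCRS")
    return tuple(zlib.decompress(base64.b64decode(p)) for p in parts)

def parse_tpms_attest(blob):
    """Walk TPMS_ATTEST (TPM 2.0 Part 2 layout, big-endian) up to the quote's pcrDigest."""
    magic, attest_type = struct.unpack_from(">IH", blob, 0); off = 6
    if magic != TPM_GENERATED_VALUE or attest_type != TPM_ST_ATTEST_QUOTE:
        raise ValueError("blob is not a TPM-generated quote")
    name_len, = struct.unpack_from(">H", blob, off); off += 2 + name_len   # skip qualifiedSigner (TPM2B_NAME)
    nonce_len, = struct.unpack_from(">H", blob, off); off += 2             # extraData (TPM2B_DATA) carries the nonce
    nonce = blob[off:off + nonce_len]; off += nonce_len
    _clock, reset_count, _restart, _safe, _fw = struct.unpack_from(">QIIBQ", blob, off)
    off += 25                                                              # TPMS_CLOCK_INFO + firmwareVersion
    count, = struct.unpack_from(">I", blob, off); off += 4                 # TPML_PCR_SELECTION.count
    pcr_selection = []
    for _ in range(count):
        alg, size = struct.unpack_from(">HB", blob, off); off += 3        # TPMS_PCR_SELECTION: hash, sizeofSelect
        pcr_selection.append((alg, blob[off:off + size])); off += size
    dig_len, = struct.unpack_from(">H", blob, off); off += 2               # pcrDigest (TPM2B_DIGEST)
    return {"nonce": nonce, "reset_count": reset_count,
            "pcr_selection": pcr_selection, "pcr_digest": blob[off:off + dig_len]}

def check_quote(quote_data, expected_nonce):
    """Structural checks a verifier does before trusting PCRs; TPMT_SIGNATURE must still be checked against the AK."""
    attest, _sig, _pcrs = split_quote_data(quote_data)
    parsed = parse_tpms_attest(attest)
    return parsed["nonce"] == expected_nonce, parsed

def build_sample(nonce, pcr_digest):
    """Constructed TPMS_ATTEST plus placeholder signature/PCR blobs, so the example runs with no TPM."""
    attest = struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
    attest += struct.pack(">H", 2) + b"\x00\x0b"                   # placeholder qualifiedSigner name
    attest += struct.pack(">H", len(nonce)) + nonce
    attest += struct.pack(">QIIBQ", 1000, 3, 0, 1, 0)              # clockInfo (resetCount=3), firmwareVersion
    attest += struct.pack(">IHB", 1, 0x000B, 3) + b"\x07\x00\x00"  # one selection: sha256, PCRs 0-2
    attest += struct.pack(">H", len(pcr_digest)) + pcr_digest
    return "r" + ":".join(base64.b64encode(zlib.compress(x)).decode() for x in (attest, b"FAKE_SIG", b"FAKE_PCRS"))
```

A real deployment would feed the returned pcr_digest and the decoded TPM_PCRS blob into the PCR comparison only after the signature over TPMS_ATTEST verifies.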

commented

If we get quotes then that is sufficient to show a proof of concept of integration :-)

commented

Going to close this now, if you have more features add them in another PR