- Release Signoff Checklist
- Summary
- Motivation
- Proposal
- Design Details
- Drawbacks
- Alternatives
- Infrastructure Needed (optional)
- Enhancement issue in release milestone, which links to pull request in [keylime/enhancements]
- Core members have approved the issue with the label implementable
- Design details are appropriately documented
- Test plan is in place
- User-facing documentation has been created in [keylime/keylime-docs]
This enhancement proposal partly removes the need for the transport key and removes the usage of PCR16 to bind the NK to the TPM.
The initial Keylime architecture did not use mTLS for agent and verifier/tenant communication and required a separate key to ensure confidentiality. We no longer need this key when mTLS is enabled. Furthermore, this scheme only works with RSA keys and not with EC keys.
- Remove the usage of PCR16 to bind data to a TPM quote by using TPM2_Certify instead
- Remove need to separately encrypt payload with NK when mTLS is enabled
- Link AK and NK together using TPM2_Certify at registration time
- Move the U/V key split to a standard key exchange protocol
- Make EC keys work when mTLS is disabled
See design details for now.
From a user perspective nothing should change, except that by default no identity quote takes place.
If /quote/identity is called, a full quote is no longer reported. Instead, the response contains the public data of the NK loaded on the TPM and the attestation data and signature output from TPM2_Certify.
We no longer check the freshness of the binding every time the payload is sent, as we only do this check once during registration. Furthermore, we put trust in the registrar to validate this correctly. This does not change anything in our threat model, as we already rely on the registrar to make sure that the EK and AK belong together.
In the registrar we introduce a new field called transport_key. This is only used when mTLS is not used by the agent, as otherwise the key used for the mTLS server side is equal to the NK.
With mTLS enabled, the registration process now looks like this:
- agent sends the usual information: AK, EK, (EK cert) and mTLS certificate
- the registrar responds with MakeCredential Challenge and nonce for TPM2_Certify
- agent does ActivateCredential and loads mTLS key pair as NK onto TPM, then runs TPM2_Certify on NK loaded in TPM
- agent sends HMAC with the secret and UUID, TPM2_PUBLIC of the NK and the attestation and signature data from TPM2_Certify to registrar
- registrar validates the HMAC, checks that the TPM2_PUBLIC part matches the key in the mTLS certificate, and checks that the nonce is correct
- agent is now active in registrar
When adding agent to attestation:
- tenant gets agent information from registrar
- tenant uses mTLS certificate to establish a connection with the agent and sends payload and U key
- tenant adds agent to verifier
- verifier uses mTLS certificate to establish a connection with the agent and sends K key on successful attestation
With mTLS disabled, the registration process now looks like this:
- agent sends the usual information: AK, EK, (EK cert) and NK in the transport_key field (PEM encoded)
- the registrar responds with MakeCredential Challenge and nonce for TPM2_Certify
- agent does ActivateCredential and loads NK onto TPM, then runs TPM2_Certify on NK loaded in TPM
- agent sends HMAC with the secret and UUID, TPM2_PUBLIC of the NK and the attestation and signature data from TPM2_Certify to registrar
- registrar validates the HMAC, checks that the TPM2_PUBLIC part matches the key specified as transport_key, and checks that the nonce is correct
- agent is now active in registrar
When adding agent to attestation:
- tenant gets agent information from registrar
- tenant encrypts payload and U key with NK and sends it to the agent
- tenant adds agent to verifier including the NK
- verifier uses the NK to encrypt and then send the K key on successful attestation
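The registrar-side TPM2_Certify check from both registration flows above, as an added example that is not Keylime's own code: it parses the TPMS_ATTEST structure, confirms the nonce, and confirms the certified object name matches the NK's public area. It assumes a SHA-256 name algorithm and that `nk_public_area` is the marshalled TPMT_PUBLIC; verifying the AK signature over the attestation data and comparing the key with the mTLS certificate or transport_key are separate steps not shown, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

TPM_GENERATED_VALUE = 0xFF544347  # magic: structure was produced inside a TPM
TPM_ST_ATTEST_CERTIFY = 0x8017    # attestation type emitted by TPM2_Certify
TPM_ALG_SHA256 = 0x000B           # only name algorithm handled here

def _sized(buf, off):
    """Read a TPM2B field (UINT16 size + bytes); return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated TPM2B field")
    return buf[off + 2:off + 2 + n], off + 2 + n

def check_certify(attest, nk_public_area, expected_nonce):
    """True only if the TPMS_ATTEST certifies nk_public_area with our nonce."""
    try:
        magic, st = struct.unpack_from(">IH", attest, 0)
        if magic != TPM_GENERATED_VALUE or st != TPM_ST_ATTEST_CERTIFY:
            return False
        _signer, off = _sized(attest, 6)    # qualifiedSigner
        extra, off = _sized(attest, off)    # extraData carries the nonce
        off += 17 + 8                       # skip clockInfo, firmwareVersion
        name, _ = _sized(attest, off)       # TPMS_CERTIFY_INFO.name
        (name_alg,) = struct.unpack_from(">H", nk_public_area, 2)
    except (struct.error, ValueError):
        return False
    if name_alg != TPM_ALG_SHA256:
        return False
    # Object name = nameAlg || H(marshalled TPMT_PUBLIC)
    expected = struct.pack(">H", name_alg) + hashlib.sha256(nk_public_area).digest()
    return (hmac.compare_digest(extra, expected_nonce)
            and hmac.compare_digest(name, expected))

def build_sample_attest(nk_public_area, nonce):
    """Constructed TPMS_ATTEST for the demo; real ones come from the agent's TPM."""
    def tpm2b(b):
        return struct.pack(">H", len(b)) + b
    name = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(nk_public_area).digest()
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CERTIFY)
            + tpm2b(b"\x00\x0b" + bytes(32))  # qualifiedSigner: dummy AK name
            + tpm2b(nonce) + bytes(17) + bytes(8)
            + tpm2b(name) + tpm2b(name))      # name, qualifiedName

# Constructed public area: type TPM_ALG_ECC (0x0023), nameAlg SHA-256, filler body
SAMPLE_PUBLIC = bytes.fromhex("0023000b") + b"constructed-nk-public"
SAMPLE_NONCE = b"constructed-nonce-01"
```

A replayed attestation fails the nonce comparison, and an attestation for any other key fails the name comparison, which is what lets the registrar perform this binding check once at registration.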
- Will be mostly already covered by the existing end-to-end tests
- New tests for validating objects via TPM2_Certify will be added where necessary
The identity quote endpoint will be replaced by the output as described in the user story. Otherwise this change is transparent for the user.
No new dependencies are required.
None.
- Eliminate the NK fully (would require us to force-enable mTLS when using payloads)