[DEV] Add TPM Attestation and Chain-loading process #1

Open
yogi4 opened this issue Dec 5, 2024 · 1 comment
yogi4 commented Dec 5, 2024

Objective
Implement an extensible and reusable initrd solution with TPM attestation to enable a secure bootstrapping process. The initrd will verify the system's trustworthiness via TPM attestation and facilitate the downloading of files to facilitate the secure bootstrapping process (including a secure, more permanent kernel).

Definition of Done
The initrd includes TPM attestation capabilities and successfully verifies the system's trustworthiness during the bootstrapping process.
The initrd dynamically retrieves and boots into a verified kernel and initrd, supporting secure environments.
Artifacts (initrd, Dockerfile, build scripts) are extensible to other OpenChami environments, adhering to modular and reusable design principles.

The TPM attestation flow:

  • Generates TPM attestation keys during the build process.
  • Attestation keys and PCR values are used to create a TPM quote.
  • The quote is verified with an attestation server.

All changes are tested and verified:

  • A sample kernel and initrd are downloaded and booted after successful attestation.
  • PCR values and attestation server interactions are logged for auditability.
  • Failure scenarios (e.g., missing TPM device, failed attestation) are gracefully handled and logged.

Provide clear instructions for testing, including:

  • Building the initrd and attestation server.
  • Configuring kernel parameters.
  • Running the initrd with QEMU or other testing environments.

Additional Context

Enhancements: Explore integrating Keylime (https://keylime.dev/) for advanced TPM-based remote attestation workflows. Keylime can augment this solution by adding higher-level trust policies and automated integrity verification.
Uni-Kernels: Investigate the feasibility of using Uni-kernels to create lighter, purpose-built boot environments that can streamline and optimize the secure bootstrapping process.
Extensibility: The artifacts (initrd, scripts, server) should be modular and adaptable to any OpenChami environment. This ensures long-term maintainability and ease of integration with different secure boot workflows.
Purpose: The ultimate goal is to create an initrd that establishes a trusted bootstrapping mechanism. This mechanism enables the system to securely download and transition to a verified kernel, setting the foundation for a robust and secure operating environment.

@yogi4 yogi4 self-assigned this Dec 9, 2024
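
The server-side half of the attestation flow described in the issue (quote checked against a nonce and expected PCR values), as an added sketch that is not part of the issue or the project's code. The function names `check_quote` and `make_sample_attest` are hypothetical; it assumes a single SHA-256 PCR bank and that the attestation-key signature over the quote bytes has already been verified.

```python
import hashlib, hmac, struct

TPM_GENERATED_VALUE = 0xFF544347  # magic proving the structure came from a TPM
TPM_ST_ATTEST_QUOTE = 0x8018      # attestation type: quote
TPM_ALG_SHA256 = 0x000B

def _tpm2b(buf, off):
    """Read a TPM2B field (2-byte big-endian length + payload)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated TPM2B field")
    return buf[off + 2:off + 2 + n], off + 2 + n

def check_quote(attest, nonce, expected_pcrs):
    """Hypothetical verifier step: check a TPMS_ATTEST quote body against the
    server's nonce and its expected SHA-256 PCR values {index: 32 bytes}.
    Assumes the AK signature over `attest` was already verified."""
    magic, kind = struct.unpack_from(">IH", attest, 0)
    if magic != TPM_GENERATED_VALUE or kind != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    _signer, off = _tpm2b(attest, 6)           # qualifiedSigner (unused here)
    extra, off = _tpm2b(attest, off)           # extraData carries the nonce
    if not hmac.compare_digest(extra, nonce):
        raise ValueError("nonce mismatch: stale or replayed quote")
    off += 17 + 8                              # skip clockInfo, firmwareVersion
    count, alg, size = struct.unpack_from(">IHB", attest, off)
    if count != 1 or alg != TPM_ALG_SHA256:
        raise ValueError("expected exactly one SHA-256 PCR bank")
    bitmap, off = attest[off + 7:off + 7 + size], off + 7 + size
    selected = [i for i in range(len(bitmap) * 8) if bitmap[i // 8] >> (i % 8) & 1]
    if selected != sorted(expected_pcrs):
        raise ValueError("quoted PCR selection differs from policy")
    digest, _ = _tpm2b(attest, off)            # hash over the selected PCR values
    want = hashlib.sha256(b"".join(expected_pcrs[i] for i in selected)).digest()
    if not hmac.compare_digest(digest, want):
        raise ValueError("PCR digest mismatch: boot state not as expected")
    return selected

def make_sample_attest(nonce, pcrs):
    """Constructed sample input: packs the quote body a TPM would emit."""
    bitmap = bytearray(3)
    for i in pcrs:
        bitmap[i // 8] |= 1 << (i % 8)
    digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()
    b2 = lambda d: struct.pack(">H", len(d)) + d
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + b2(b"\x00\x0b" + bytes(32)) + b2(nonce) + bytes(17 + 8)
            + struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap) + b2(digest))
```

A fresh random nonce per attempt is what ties the quote to this boot; logging the selected PCR indices and the failure reason covers the auditability item in the issue.
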

yogi4 commented Dec 9, 2024
