Registration of agent fail, when keylime use non-default algorithm #513
Comments
|
Can you check if swtpm can load certificates for ECC, because it looks like that the NV index where the ECC certificate is normally located does not exist? Besides that, the error handling if reading the EK fails should be improved. |
|
Sorry for the later response. There is output of nv-indexes: It's look like that NV indexes are here. I assume, that ECC cert should be in |
|
Hmm that's interesting, thank you for checking. It might be an issue with the upstream library and not us. Yes the index |
|
Ok the issue is that swtpm uses the P-384 curve for ECC and the rust bindings and tpm2-tools use P-256. The question is if we need to make this parameter configurable or if we convince both to only use one curve. |
|
Hmm what do you think will be more effective? How difficult would it be to implement if we decided to handle this on the keylime side using a configurable parameter? If it would be too difficult and unnecessary, we can try to open a discussion about the replaced P-256, which offers lower safety even though the performance is better. |
|
The idea is probably going to be to provide an "auto" option that chooses the best curve (by e.g. checking if we have an EK certificate for that) and a way to choose for people that know what they are doing. This issue is currently blocked by: parallaxsecond/rust-tss-esapi#397 |
|
We now have the code to handle this in the TSS bindings. Once the next version is released, I'll look into how we implement it in Keylime. |
|
Any news regarding to this? @THS-on |
|
We finally have the |
|
@ansasaki that would be nice! Note that there was a bug in create_ak for ECC keys in some versions, that was only fixed last week: parallaxsecond/rust-tss-esapi#464 |
|
@ansasaki have you had the chance to look at this? We at least should make sure that some ECC options work |
|
@THS-on IIRC, the fix you introduced in |
|
Right the fix is only in part of the 8.0.0 alpha branch. Do you think this worth trying to ask to backport it into a stable branch? |
Yes, I think that could unblock us in this front. I'm also interested in enabling ECC when possible |
Environment
Description
When I use different encryption and signing algorithm in agent.conf, than default RSA the agent cannot be registered and registration fail. I used ECC instead of RSA for encryption and ECSCHNORR instead of RSASSA for signing.
RFE-Keylime tests
Expected behavior vs. actual behavior
Agent will succesfully register vs. registration of agent fail.
Steps to reproduce problem:
tpm_encryption_alg = eccand signing algorithm totpm_signing_alg = ecschnorrRelevant logs
Feb 03 10:22:58 ci-vm-10-0-136-178.hosted.upshift.rdu2.redhat.com keylime_agent[6013]: WARNING:esys:src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error
Feb 03 10:22:58 ci-vm-10-0-136-178.hosted.upshift.rdu2.redhat.com keylime_agent[6013]: ERROR:esys:src/tss2-esys/esys_tr.c:209:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x0000018b)
Feb 03 10:22:58 ci-vm-10-0-136-178.hosted.upshift.rdu2.redhat.com keylime_agent[6013]: ERROR:esys:src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b)
Output of logs can be found in
/var/tmp/limeLibafter run, when you reproduce by first approach. Should be here agent.log and also registrar.log.The text was updated successfully, but these errors were encountered: