Skip to content

Implement AKManager #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 26 commits into
base: main
Choose a base branch
from
Draft

Implement AKManager #7

wants to merge 26 commits into from

Conversation

jimmykarily
Copy link
Contributor

@jimmykarily jimmykarily mentioned this pull request Sep 16, 2025
Open
@jimmykarily jimmykarily moved this to In Progress 🏃 in 🧙Issue tracking board Sep 16, 2025
@jimmykarily jimmykarily self-assigned this Sep 16, 2025
@jimmykarily jimmykarily force-pushed the 2988-remote-attestation branch from 922d118 to 1586402 Compare September 16, 2025 13:27
@jimmykarily
Implement AKManager
ecde469 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Move "magic" policy into a constant with links to docs
e2f215b 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Improve tests and bump ginkgo
500827c 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Revert exporting getTPMDevice
da1c9fc 
since we implemented the getRawTPM which takes a different struct as
input and nobody needs to call getTPMDevice outside this package.

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Fix the flow and document it
2dbf0b0 
Every request that is prone to replay attacks, should include a nonce.
We now send the nonce only on the "proof" request along with the proof
data.

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Don't change existing struct to maintain backwards compatibility
de0e2ba 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily jimmykarily force-pushed the 2988-remote-attestation branch from 10dfc4d to de0e2ba Compare September 17, 2025 11:16
@jimmykarily
Fix linter errors
aee7d5b 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Send only the AK public key instead of the whole AttestationParameters
0cbc898 
which is what the legacy getAttestationData() method was doing, which is
enough (the server only needs the public key not the whole parameters
struct)

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Fix indentation
da27a1c 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Adhere to the websockets flow
08bcc4f 
where no nonce is needed. Also use the full attestation parameters as
there are more fields reuquired to produce the challenge response

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily jimmykarily force-pushed the 2988-remote-attestation branch from a00e87c to 08bcc4f Compare September 19, 2025 11:17
@jimmykarily
Remove deprecated methods and debug output
9c19aea 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Explain corrupted file handling
b5e0510 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Bump tpm dependencies
b38e6f4 
so that we can choose which PCR to include in the tpm Quote in the
kcrypt-challenger repo. The old version included all PCRs and didn't let
us choose while now we can:

https://github.com/google/go-attestation/blob/4f3c3b0fe5706286182530cd798be833ad0c4a74/attest/tpm.go#L325

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Generate tpm quote for arbitrary PCRs
cc5c278 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Fix tests
02ca1a6 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Avoid unecessary indirection and redundant method
9638776 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Consolidate redundant struct and make them unexported
a8d3a3c 
since they are internal implementation

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Remove unused function
42a558e 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Add more tests and remove redundant field
19ab176 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Remove empty block and improve test
22483db 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Remove dead code an move remaining to a better place
f3736b4 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Remove debug output and improve tests
d2b4ac5 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Fix linter errors
ef277db 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Remove non-needed ppa
bfa255f 
because swtpm is in the official repos:

https://launchpad.net/ubuntu/noble/+package/swtpm

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Install ginkgo under $PATH
3fc8028 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
jimmykarily added a commit to kairos-io/kcrypt-discovery-challenger that referenced this pull request Sep 24, 2025
@jimmykarily
[TMP] use a replace that points to a branch (instead of localy dir)
5f2d857 
Point to this: kairos-io/tpm-helpers#7

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@jimmykarily
Add tpm undefine helper method
49f51e3 
to allow kcrypt-challenger to cleanup the NV storage (e.g. to reset the
local passphrase)

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jimmykarily jimmykarily

Labels
None yet
Projects
🧙Issue tracking board
Status: In Progress 🏃
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jimmykarily