Meeting 20/03/2019 #2

Closed
7 tasks done
lukehinds opened this issue Mar 19, 2019 · 1 comment
lukehinds commented Mar 19, 2019

Project Board

https://github.com/orgs/keylime/projects/1

Attendees

Previous meeting minutes:

#1

Topics

Actions

Meeting notes

New Feature

@lukehinds lukehinds self-assigned this Mar 19, 2019
@lukehinds lukehinds pinned this issue Mar 19, 2019

Luke Hinds @lukehinds Mar 20 15:00
@/all Hi! Keylime meeting #2, please say hello, so I know who is here?
leonjia0112 @leonjia0112 Mar 20 15:01
Hi!
Mark Bestavros @mbestavros Mar 20 15:01
Hello!
Robbie Harwood @frozencemetery Mar 20 15:01
hello
Luke Hinds @lukehinds Mar 20 15:01
hi @leonjia0112 @mbestavros @frozencemetery !
Andrew Toth @atothRedHat Mar 20 15:01
Hello all
Luke Hinds @lukehinds Mar 20 15:01
Hey @atothRedHat !
See if we can reach the MIT folks..
ping @jetwhiz / @nabilschear !
meeting agenda: #2
Charlie @jetwhiz Mar 20 15:02
I'm here, Nabil might join in a few minutes
Luke Hinds @lukehinds Mar 20 15:02
awesome, hi @jetwhiz !
Charlie @jetwhiz Mar 20 15:03
hey, how's it going @lukehinds ?
Luke Hinds @lukehinds Mar 20 15:03
before we kick off, a quick intro to @atothRedHat . He is keen to get involved and brings quite a few talents, Andrew will be getting his feet wet over the next few weeks.
good thanks @jetwhiz
Andrew Toth @atothRedHat Mar 20 15:04
Hey all, glad to be here, hope I can help
Charlie @jetwhiz Mar 20 15:04
welcome @atothRedHat !
Luke Hinds @lukehinds Mar 20 15:04
thanks @atothRedHat , let's get rolling..
TPM 2.0 port keylime/rust-keylime#44 @mbestavros @leonjia0112
Last week I had...
@leonjia0112 commented that the following are required first:

keylime/rust-keylime#28
keylime/rust-keylime#40

#28 is closed
leonjia0112 @leonjia0112 Mar 20 15:05
PR# 53 which is for keylime/rust-keylime#40 is ready for review.
Luke Hinds @lukehinds Mar 20 15:05
actually, #28 needs reopening
Robbie Harwood @frozencemetery Mar 20 15:06
heh
Luke Hinds @lukehinds Mar 20 15:06
@frozencemetery , could you see if you can reopen, I think it needs admin
Robbie Harwood @frozencemetery Mar 20 15:06
so we had a problem with github
it won't let us reopen that
leonjia0112 made a new PR
Luke Hinds @lukehinds Mar 20 15:06
cool! makes sense
is it something I should look at (ACLs)?
leonjia0112 @leonjia0112 Mar 20 15:06
PR#53 is the same as PR#28
Luke Hinds @lukehinds Mar 20 15:07
ack, thanks @leonjia0112
Robbie Harwood @frozencemetery Mar 20 15:07
if you have any ideas feel free; but github says I have admin permissions for the repo
it's not a huge deal, fortunately. We just have to remember not to click the button too early I guess
Luke Hinds @lukehinds Mar 20 15:07
@frozencemetery , hmmm not sure too. I will have a look though
Robbie Harwood @frozencemetery Mar 20 15:07
okay
Luke Hinds @lukehinds Mar 20 15:08
do you guys need help with the 2.0 work?
or extra hands.
once #53 lands
Mark Bestavros @mbestavros Mar 20 15:09
I think we're okay for now
leonjia0112 @leonjia0112 Mar 20 15:09
same as @mbestavros
Luke Hinds @lukehinds Mar 20 15:10
good! so I plan to pull the rust client into CI testing against the python-keylime registrar and verifier (along with an EMU)
once 2.0 is there.
leonjia0112 @leonjia0112 Mar 20 15:10
alright
That makes sense
Luke Hinds @lukehinds Mar 20 15:10
or we could do vice-versa and test on the rust repo.
I don't really have a strong view here, let's visit this again later
ok vTPM
vTPM port keylime/keylime#29 @nabilschear @lukehinds
so I think we can glance over this one, I need to hook up with @nabilschear and work on our approach
we need some stuff upstreamed
keylime/keylime#29 (comment)
nabilschear @nabilschear Mar 20 15:12
hi, i'm here now
Luke Hinds @lukehinds Mar 20 15:12
hey @nabilschear
anything you want to add about the vTPM?
looks like we need to work on a plan of approach, I could arrange a meeting with you there (if that sounds good)
nabilschear @nabilschear Mar 20 15:13
there's some work to be done that i probably don't have the bandwidth to do
basically some c coding and testing
we can develop most of the swtpm support without needing to use kvm at all. just use the emulator directly and have it talk to the real tpm
Luke Hinds @lukehinds Mar 20 15:14
understood, so maybe we could look at what can be offloaded. the key thing we have, is you know what needs doing and
understand the tech and history
I can certainly help with lots of testing.
nabilschear @nabilschear Mar 20 15:15
i think we'd need some help from @jetwhiz to implement the appropriate tpm2-tools
for deep quote
and then someone to go digging through swtpm2
Charlie @jetwhiz Mar 20 15:15
hopefully we can leverage the older tpm tools for quoting without much redesign
nabilschear @nabilschear Mar 20 15:15
i don't think any of us have any experience modifying swtpm2
Luke Hinds @lukehinds Mar 20 15:16
yep, he did a really good job of landing the other patches
is deep quote a TCG thing?
nabilschear @nabilschear Mar 20 15:16
no, the folks who built the xen vtpm came up with it
they used an unused tpm cmd ordinal
have we reached out to stefan? i know we talked about that
it might be good to see what he thinks
Luke Hinds @lukehinds Mar 20 15:18
not yet, I was just about to say we draft a GH issue and then put it on the swtpm repo?
and then contact him once that is in place.
nabilschear @nabilschear Mar 20 15:18
ok, do we need a plan of attack in order to open the issue ?
Luke Hinds @lukehinds Mar 20 15:18
I think so, yes
nabilschear @nabilschear Mar 20 15:18
i.e., do we need to have dug through swtpm to see where this could be implemented?
and actually this would be in libtpms not swtpm
but all related
Luke Hinds @lukehinds Mar 20 15:19
that would all help, but key thing is to sell him on the functionality
and it not be difficult for him to maintain (that will be one of his views)
nabilschear @nabilschear Mar 20 15:20
i think deepquote is the big thing. i thought that there would be some work in the registration process. But i think that can all be handled outside of swtpm with keylime pretty easily.
Luke Hinds @lukehinds Mar 20 15:20
Shall we do this, I will start to draft a google doc on an attack plan?
nabilschear @nabilschear Mar 20 15:20
ok, i don't want to take over the meeting with this
sounds good
Luke Hinds @lukehinds Mar 20 15:21
no, it's an important one, one of the key features!
nabilschear @nabilschear Mar 20 15:21
does it make sense to start porting deepquote to tpm2-tools?
that part hopefully is more straight forward
Luke Hinds @lukehinds Mar 20 15:22
I am thinking without the support in libtpms, we might end up with tool cmds with no where to call?
nabilschear @nabilschear Mar 20 15:22
true
Luke Hinds @lukehinds Mar 20 15:22
So perhaps we should get stefan on board, although no harm in writing code and having a play.
ok, thanks @nabilschear
nabilschear @nabilschear Mar 20 15:23
sounds good, we'll come up with a plan
Luke Hinds @lukehinds Mar 20 15:23
Once we land the deep quote stuff and rhboot we should be less reliant on both of your expertise.
you can then kick back and watch in with pride as the founding forefathers (or something like that)
:)
ok..
rhboot, not much more to report here. I have started to dump some notes on setup. @jetwhiz was away for a bit, so I plan to hook up with him just to see how it's done with TrustedGrub2
"Unexpected Get quote " has taken a back seat for a bit. I will pick this up again.
Back-porting the Intel tpm2-tools to the 3.X branch @jetwhiz
We have a meeting setup with Javier to go over this
Charlie @jetwhiz Mar 20 15:26
yeah i think you've set up a meeting for this coming Monday
Luke Hinds @lukehinds Mar 20 15:26
yep!
Charlie @jetwhiz Mar 20 15:27
it will be good to get our tools into 3.X, then we can start using Intel's tools directly from keylime
Luke Hinds @lukehinds Mar 20 15:27
use of raise Exception keylime/keylime#87 - thanks for the feedback here @nabilschear
agree @jetwhiz , and also use package managers and not need to compile / make the tpm2-projects
nabilschear @nabilschear Mar 20 15:27
that should be an easy fix right?
the raise exception bit
Luke Hinds @lukehinds Mar 20 15:28
@nabilschear , yeah I got that ok.
I will add you to review
Charlie @jetwhiz Mar 20 15:28
about your question for that @nabilschear , the webapp doesn't rely on any tenant exceptions
Luke Hinds @lukehinds Mar 20 15:29
I was just about to ask that! Thanks @jetwhiz
nabilschear @nabilschear Mar 20 15:29
perfect
Charlie @jetwhiz Mar 20 15:29
it does rely on the tenant to return REST codes for deleting/reactivating though, so just make sure those don't get changed
Luke Hinds @lukehinds Mar 20 15:29
ack!
so for PR's
a simple readme change keylime/keylime#86
@jetwhiz , this is based on your itertools change keylime/keylime#85
nabilschear @nabilschear Mar 20 15:30
i'd like to pull the warning text up right where we first mention an emulator. re #86
Luke Hinds @lukehinds Mar 20 15:30
sure! sounds good
I will push another change
nabilschear @nabilschear Mar 20 15:30
into the installer section
Luke Hinds @lukehinds Mar 20 15:30
ack!
Charlie @jetwhiz Mar 20 15:30
yeah that should be near the top when they're setting the system up
Luke Hinds @lukehinds Mar 20 15:31
agree, makes sense.
I will pick up the demo changes again keylime/keylime#67
that's it for PR's
rust folks: https://github.com/keylime/rust-keylime/pulls
any one in particular it would be useful to look at?
@leonjia0112 @mbestavros @frozencemetery ^
Robbie Harwood @frozencemetery Mar 20 15:33
I think they're all inactive right now except #53 but they should correct me if that's not right
Mark Bestavros @mbestavros Mar 20 15:33
#53 is what we've been focusing on recently
Luke Hinds @lukehinds Mar 20 15:33
ok, understood
so any other business?
Charlie @jetwhiz Mar 20 15:33
by the way, did keylime/keylime#85 fix the issue for you on Fedora @lukehinds
Luke Hinds @lukehinds Mar 20 15:34
@jetwhiz it did, yes thanks!
I tested on ubuntu too!
looked good to me.
I don't think we need to worry about performance, as this is only with the emulator.
(in regards to seek being quicker to parse the file)
Charlie @jetwhiz Mar 20 15:34
awesome! yeah that file shouldn't grow to be insanely large anyways
Luke Hinds @lukehinds Mar 20 15:35
yep.
Charlie @jetwhiz Mar 20 15:35
did you want to poke at #85 @nabilschear ?
nabilschear @nabilschear Mar 20 15:35
i'd say go for it
no need to wait on me
Luke Hinds @lukehinds Mar 20 15:36
so if you do a quick lgtm @jetwhiz , I will merge it.
Charlie @jetwhiz Mar 20 15:36
is there a priority set for keylime/keylime#55
Luke Hinds @lukehinds Mar 20 15:37
not a high one, unless someone says they really need it
it's certainly worth having, but I think we have bigger fish.
perhaps when we kick outreach into action, and users turn up, it might need more attention
does that sound ok @jetwhiz ?
Charlie @jetwhiz Mar 20 15:39
true, would that be a relatively big effort, or is it mostly updating the dockerfiles to use ubuntu (and switch to apt, etc.)?
Luke Hinds @lukehinds Mar 20 15:39
not a big effort, no..like you say, just some docker files.
I am keen to have it in place, alongside CentOS as well,
Charlie @jetwhiz Mar 20 15:40
yeah it would be good to check on multiple platforms automatically
Luke Hinds @lukehinds Mar 20 15:40
yep, and in time perhaps against upstream tools that we use.
so that way if a change lands in tpm2-tools that breaks keylime, we get an early view of it.
Charlie @jetwhiz Mar 20 15:41
yeah that's a good idea
Luke Hinds @lukehinds Mar 20 15:41
I did also speak with someone who is interested in using keylime in centos ci
https://ci.centos.org/
Charlie @jetwhiz Mar 20 15:41
does centos ci use 3.x tpm2-tools?
Luke Hinds @lukehinds Mar 20 15:42
they don't use any tpm stuff at the moment, but as they use tons of mirrors, they would like to know that config files have not been tampered with.
something like that, I have yet to deep dive with them. Should hopefully meet soon.
Charlie @jetwhiz Mar 20 15:43
sounds good, keep me in the loop if i can help
Luke Hinds @lukehinds Mar 20 15:43
so this would be keylime being a tool they use, rather than being tested there
@jetwhiz thanks, will do!
ok, I think we can call it to an end now.
thanks so much for coming all, I will update the minutes
Charlie @jetwhiz Mar 20 15:44
ok, thanks everyone!
nabilschear @nabilschear Mar 20 15:44
@lukehinds do you want to make the update to #86?
Luke Hinds @lukehinds Mar 20 15:44
the last bit of news I forgot, we released v3.1.0 this week
Robbie Harwood @frozencemetery Mar 20 15:44
\o/
nabilschear @nabilschear Mar 20 15:44
or do you want me to pull it up?
Luke Hinds @lukehinds Mar 20 15:44
I really don't mind @nabilschear
if you like you can push to it, or review my changes and recommend in there
@nabilschear , do you have a gmail account for working on a google-doc?
nabilschear @nabilschear Mar 20 15:48
uhoh did gitter die on me?
Andrew Toth @atothRedHat Mar 20 15:48
nope
Luke Hinds @lukehinds Mar 20 15:48
you're back
nabilschear @nabilschear Mar 20 15:48
ok, i'll send you my email for google doc
Luke Hinds @lukehinds Mar 20 15:49
cool, thanks @nabilschear
nabilschear @nabilschear Mar 20 15:49
i had sent a few more messages but they got stuck in the proxy
i'll throw a few comments into the PR for #86
Luke Hinds @lukehinds Mar 20 15:51
thanks!
@nabilschear , pm'ed you (if you can see it)
nabilschear @nabilschear Mar 20 15:54
yep
nabilschear @nabilschear Mar 20 16:33
@lukehinds does the ansible stuff use the emulator by default?
Luke Hinds @lukehinds Mar 20 16:34
it does, we have an issue to change that though
nabilschear @nabilschear Mar 20 16:34
ok, i'm updating the readme
Luke Hinds @lukehinds Mar 20 16:34
keylime/ansible-keylime#6
nabilschear @nabilschear Mar 20 16:34
so the ansible stuff is just for development purposes right now?
Luke Hinds @lukehinds Mar 20 16:35
I would say so yes, I should update its readme too.
nabilschear @nabilschear Mar 20 16:35
ok, i'll update the main keylime readme
to make this clear
Luke Hinds @lukehinds Mar 20 16:35
I will use your text and replicate it to the ansible role
go for it
nabilschear @nabilschear Mar 20 16:35
ok, i'll push it to your pr shortly
aha, the readme already says the right thing for the docker image
(thumbsup)
Andrew Toth @atothRedHat Mar 20 16:40
Is there an "official" community landing page or is it just the main github link for now?
Luke Hinds @lukehinds Mar 20 16:40
@atothRedHat , we plan to put something here: https://keylime.github.io
and get a domain, something like keylime.org
Andrew Toth @atothRedHat Mar 20 16:41
but for now only the github link
Luke Hinds @lukehinds Mar 20 16:42
@nabilschear - the TCG "Virtualized Trusted Platform Architecture Specification" describes 'Deep quotes' - seeing this in a way adds weight to the command being upstreamed
@atothRedHat ack, just for now.
nabilschear @nabilschear Mar 20 16:42
nice, i've not read that in detail
was stefan involved in that spec?
Andrew Toth @atothRedHat Mar 20 16:43
who has access to update the https://keylime.github.io page source? Should probably add a link to github space for now.
Luke Hinds @lukehinds Mar 20 16:43
@nabilschear , yes he was
@atothRedHat will get you access
Andrew Toth @atothRedHat Mar 20 16:44
cool, first contribution ;-)
nabilschear @nabilschear Mar 20 16:44
excellent
Luke Hinds @lukehinds Mar 20 16:44
@atothRedHat I plan to do something like what I did for another one of my old projects https://anteater.github.io/
nabilschear @nabilschear Mar 20 16:46
@lukehinds i pushed up my readme changes
@lukehinds that looks really nice re anteater
Luke Hinds @lukehinds Mar 20 16:47
thanks @nabilschear
@nabilschear website will be used to encourage adoption, users...they can quickly see how to get up'n'running
@nabilschear lgtm!
@nabilschear when we land hardware support in ansible, we can patch out the (Development Only)

@lukehinds lukehinds unpinned this issue Mar 22, 2019