TPM device is a hard requirement #7

Status: Closed
mudler opened this issue Jan 27, 2022 · 6 comments
Labels: area/elemental, kind/bug (Something isn't working), spike

Comments


mudler commented Jan 27, 2022

See: rancher/os2#9

@mudler mudler changed the title TPM device is a hard requirement #9 TPM device is a hard requirement Jan 27, 2022
@mudler mudler added area/elemental kind/bug Something isn't working spike labels Jan 28, 2022

mudler commented Feb 16, 2022

As I see it, at least it would require splitting https://github.com/rancher/rancherd/blob/bdf5642d62d50b9cd23eaabfdc848637bf62e056/pkg/tpm/tpm.go into a separate golang package. The code is completely untied from rancherd; there is no need to do cross imports, and as such we can also pin changes to it directly from the consumers.

@mudler mudler self-assigned this Feb 16, 2022

mudler commented Feb 16, 2022

TPM code extracted here: https://github.com/rancher-sandbox/go-tpm


mudler commented Feb 16, 2022

Experimenting with emulated TPM in a separate branch: https://github.com/rancher-sandbox/go-tpm/tree/backends


mudler commented Feb 17, 2022

I'm having issues using swtpm from go-tpm; it seems commands are not recognized by swtpm:

Error: Unknown command: 0x80020000
 Ctrl Rsp: length 4
 00 00 00 0A 
 Ctrl Cmd: length 22
 80 01 00 00 00 16 00 00 01 7A 00 00 00 06 00 00 
 01 2C 00 00 00 01 
Error: Unknown command: 0x80010000
 Ctrl Rsp: length 4
 00 00 00 0A 
 Ctrl Cmd: length 22
 80 01 00 00 00 16 00 00 01 7A 00 00 00 06 00 00 
 01 2C 00 00 00 01 
Error: Unknown command: 0x80010000
 Ctrl Rsp: length 4
 00 00 00 0A 
 Ctrl Cmd: length 355
 80 02 00 00 01 63 00 00 01 31 40 00 00 0B 00 00 
 00 09 40 00 00 09 00 00 01 00 00 00 04 00 00 00 
 00 01 3A 00 01 00 0B 00 03 00 B2 00 20 83 71 97 
 67 44 84 B3 F8 1A 90 CC 8D 46 A5 D7 24 FD 52 D7 
 6E 06 52 0B 64 F2 A1 DA 1B 33 14 69 AA 00 06 00 
 80 00 43 00 10 08 00 00 00 00 00 01 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
 00 00 00 
Error: Unknown command: 0x80020000
 Ctrl Rsp: length 4
 00 00 00 0A 

However, I've managed to re-use the emulated TPM device from github.com/google/go-tpm-tools/simulator, but that is insecure and doesn't have any state preserved as swtpm does. That means we could expose in the config file a flag to at least simulate a TPM if not present on the HW (which should be turned on manually).
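The "Unknown command" values swtpm reports above (0x80010000, 0x80020000) are exactly the first four bytes of each dumped packet, which start with the TPM 2.0 command tags 80 01 / 80 02 followed by a length: the dumps are TPM commands that swtpm received and parsed on its control channel as 4-byte control command codes. The decoder below is an added example, not code from go-tpm or from this issue; it parses the 10-byte TPM 2.0 command header and shows what the same bytes look like when read as a control code. The CreatePrimary packet is constructed from the dump's header with its body zeroed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Header of a TPM 2.0 command (TCG TPM 2.0 Library, Part 1), all big-endian:
// tag, commandSize (whole packet, header included) and commandCode.
type CommandHeader struct {
	Tag  uint16 // 0x8001 TPM_ST_NO_SESSIONS, 0x8002 TPM_ST_SESSIONS
	Size uint32
	Code uint32 // e.g. 0x17A TPM2_GetCapability, 0x131 TPM2_CreatePrimary
}

// ParseHeader decodes the 10-byte header and checks it is self-consistent.
func ParseHeader(pkt []byte) (CommandHeader, error) {
	if len(pkt) < 10 {
		return CommandHeader{}, fmt.Errorf("short packet: %d bytes, header is 10", len(pkt))
	}
	h := CommandHeader{
		Tag:  binary.BigEndian.Uint16(pkt[0:2]),
		Size: binary.BigEndian.Uint32(pkt[2:6]),
		Code: binary.BigEndian.Uint32(pkt[6:10]),
	}
	if h.Tag != 0x8001 && h.Tag != 0x8002 {
		return h, fmt.Errorf("tag 0x%04X is not a TPM 2.0 command tag", h.Tag)
	}
	if int(h.Size) != len(pkt) {
		return h, fmt.Errorf("commandSize %d != packet length %d", h.Size, len(pkt))
	}
	return h, nil
}

// AsControlCode reads the same bytes the way swtpm's control channel does: one
// 4-byte control command code, here the tag plus the high half of commandSize.
// This is the value swtpm prints as "Unknown command" when a TPM command is
// written to the control socket instead of the data socket.
func AsControlCode(pkt []byte) uint32 { return binary.BigEndian.Uint32(pkt[0:4]) }

// Constructed inputs: the 22-byte GetCapability packet copied from the dump, and
// the CreatePrimary header from the dump with its 345-byte body zeroed out.
var (
	GetCapabilityCmd = []byte{
		0x80, 0x01, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x01, 0x7A,
		0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x01, 0x2C, 0x00, 0x00, 0x00, 0x01,
	}
	CreatePrimaryCmd = append([]byte{0x80, 0x02, 0x00, 0x00, 0x01, 0x63, 0x00, 0x00, 0x01, 0x31}, make([]byte, 345)...)
)
```

A client that talks to swtpm must keep the two sockets apart: control commands (such as the init/shutdown requests) go to the control channel, and TPM 2.0 command packets like these go to the data channel only.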


mudler commented Feb 17, 2022

Pushed to main and also added a test to check out the whole process: https://github.com/rancher-sandbox/go-tpm/blob/main/get_test.go#L105. I'll create a separate card to consume it in os2 and have an option to enable emulated TPM.

@mudler mudler mentioned this issue Feb 17, 2022

mudler commented Feb 17, 2022

I'm closing this card as it was a spike and now we know what's needed in order to emulate TPM #20, although it is just meant for testing and relying on that feature is insecure.

We can always go back to this if we want to extend it and have other mechanisms of registering nodes.
