Add recover-tpm tool to debug container and verification image #3867
Conversation
This tool makes intercting with the TPM easier. specifically, it can be used extract volume keys from the TPM, but only in an encrypted format suitable for inserting in a cloud controler. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
utilize the tpm-recovery tool to run tests on TPM hardware and make sure operations that are used by EVE are all functional and available. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
shjala
changed the title
| # verify the TPM | ||
| if [ -c $TPM_DEVICE_PATH ]; then | ||
| logmsg "TPM device is present, running some extra tests" | ||
| /verifytpm.sh | tee -a "$REPORT/tpmchecks.log" >/dev/console 2>&1 |
There was a problem hiding this comment.
If there is a failure, do we indicate that in the summary.log?
pkg/debug/recover-tpm/main.go
Outdated
| return cert.PublicKey, nil | ||
| } | ||
|
|
||
| func getVualtKeyWireFormat(encryptedVaultKey []byte, digest256 []byte) (string, error) { |
There was a problem hiding this comment.
| func getVualtKeyWireFormat(encryptedVaultKey []byte, digest256 []byte) (string, error) { | |
| func getVaultKeyWireFormat(encryptedVaultKey []byte, digest256 []byte) (string, error) { |
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
shjala
force-pushed
the
tpm-recovery-tool
branch
from
b54b0d8
to
c849ba2
Compare
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
shjala
force-pushed
the
tpm-recovery-tool
branch
from
c9282d3
to
ff50a7f
Compare
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
|
nice tool @shjala , I think it deserves a dedicated repository under lf-edge or under your GH space (or maybe a pkg/recovertpm), then it can be integrated to debugger container through Dockerfile. In this way it can be more easy to maintain, track changes, without mix with debugger container stuff... |
There was a problem hiding this comment.
LGTM
It seems to be overkill to have a separate repo for this. Mayve a pkg/recovertpm would suffice @rene ?
I agree @eriknordmark , pkg/recovertpm should be enough to insulate and track changes.... |
|
@shjala do we merge this? All comments are addressed? |
|
@rouming there was a request to move the code to pkg/recovertpm instead of it being burried in pkg/debug. |
This PR adds the
recovertpmtool the debug container. With sufficient knowledge of how EVE intercats with TPM (key indexes, PCR indexes, etc) we can leverage the tool to perform various test on the TPM, re-generate keys, extract the volume key and more.This tools is used in a new script
verifytpm.shin the verification image to test all the TPM operations that are critical to EVE and make sure all function well, in addition it runs a small stress test on TPM to make sure key generation and derivation operations work fine even after a few dozen repeated operations .