New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add recover-tpm tool to debug container and verification image #3867
base: master
Are you sure you want to change the base?
Conversation
This tool makes intercting with the TPM easier. specifically, it can be used extract volume keys from the TPM, but only in an encrypted format suitable for inserting in a cloud controler. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
utilize the tpm-recovery tool to run tests on TPM hardware and make sure operations that are used by EVE are all functional and available. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
# verify the TPM | ||
if [ -c $TPM_DEVICE_PATH ]; then | ||
logmsg "TPM device is present, running some extra tests" | ||
/verifytpm.sh | tee -a "$REPORT/tpmchecks.log" >/dev/console 2>&1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If there is a failure, do we indicate that in the summary.log?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nope, I'll add it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some nits.
Will re-run yetus workflow since it appears to have failed without any output.
pkg/debug/recover-tpm/main.go
Outdated
return cert.PublicKey, nil | ||
} | ||
|
||
func getVualtKeyWireFormat(encryptedVaultKey []byte, digest256 []byte) (string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func getVualtKeyWireFormat(encryptedVaultKey []byte, digest256 []byte) (string, error) { | |
func getVaultKeyWireFormat(encryptedVaultKey []byte, digest256 []byte) (string, error) { |
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
b54b0d8
to
c849ba2
Compare
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
c9282d3
to
ff50a7f
Compare
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
nice tool @shjala , I think it deserves a dedicated repository under lf-edge or under your GH space (or maybe a pkg/recovertpm), then it can be integrated to debugger container through Dockerfile. In this way it can be more easy to maintain, track changes, without mix with debugger container stuff... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
It seems to be overkill to have a separate repo for this. Mayve a pkg/recovertpm would suffice @rene ?
I agree @eriknordmark , pkg/recovertpm should be enough to insulate and track changes.... |
@shjala do we merge this? All comments are addressed? |
@rouming there was a request to move the code to pkg/recovertpm instead of it being burried in pkg/debug. |
This PR adds the
recovertpm
tool the debug container. With sufficient knowledge of how EVE intercats with TPM (key indexes, PCR indexes, etc) we can leverage the tool to perform various test on the TPM, re-generate keys, extract the volume key and more.This tools is used in a new script
verifytpm.sh
in the verification image to test all the TPM operations that are critical to EVE and make sure all function well, in addition it runs a small stress test on TPM to make sure key generation and derivation operations work fine even after a few dozen repeated operations .