diff --git a/README.md b/README.md index 81d50c0..4613841 100644 --- a/README.md +++ b/README.md 
@@ -117,3 +117,73 @@ TEST SUITE: None # Installs challenger $ helm install kairos-challenger kairos/kcrypt-challenger ``` + +## TODO: Implement Selective Enrollment Mode for Attestation Data + +### Problem Statement + +Currently, the TPM attestation system faces operational challenges in real-world deployments: + +1. **Test Complexity**: Tests require manually creating SealedVolumes with complex mock attestation data (EK, AK, PCR values) +2. **Upgrade Compatibility**: Kernel upgrades change PCR values, causing TPM quarantine and disk inaccessibility +3. **Operational Flexibility**: No mechanism for operators to reset/update attestation data after TPM replacement, firmware upgrades, or key rotation + +### Proposed Solution: Selective Enrollment Mode + +Implement a "selective enrollment mode" where operators can set specific attestation fields to empty/null values in SealedVolume specs, indicating that the server should: +1. Accept any value for that field during attestation +2. Store the received value for future verification +3. Update the SealedVolume with the learned value + +### Required Implementation Changes + +#### 1. **SealedVolume API Enhancement** +```yaml +spec: + TPMHash: "required-tpm-hash" # MUST be set for client matching + attestation: + ekPublicKey: "" # Empty = enrollment mode + akPublicKey: "" # Empty = enrollment mode + pcrValues: + pcrs: + "0": "" # Empty = enrollment mode for this PCR + "7": "fixed-value" # Set = enforce this value + # "11": omitted # Omitted = skip verification entirely +``` + +#### 2. **Server Logic Updates** +- Modify `verifyAKMatch()` to handle empty AK fields as enrollment mode +- Modify `verifyPCRValues()` to handle empty PCR values as enrollment mode +- Add logic to update SealedVolume specs when learning new values +- Ensure TPM hash is always required and validated for client matching + +#### 3. 
**Test Simplification** +Replace complex mock attestation data in tests with simple enrollment mode: +```yaml +# tests/encryption_test.go - remote-static test +spec: + TPMHash: "computed-from-vm" # Get from /system/discovery/kcrypt-discovery-challenger + partitions: + - label: COS_PERSISTENT + secret: {name: "static-passphrase", path: "pass"} + attestation: {} # Full enrollment mode +``` + +### Use Cases Solved + +1. **Static Passphrase Tests**: Create Secret + minimal SealedVolume, let TOFU handle attestation +2. **Production Manual Setup**: Operators set known passphrases + TPM hashes, system learns security data +3. **Firmware Upgrades**: Set PCR fields to empty to re-learn after BIOS updates +4. **TPM Replacement**: Set AK field to empty to re-learn after hardware changes +5. **Kernel Updates**: Omit PCR 11 entirely to avoid quarantine on upgrades + +### Critical Implementation Notes + +- **TPM Hash MUST remain mandatory** - without it, multiple clients would match the same SealedVolume +- **EK verification should remain strict** - only AK and PCRs should support enrollment mode +- **Add proper logging** for enrollment events for audit trails +- **Consider rate limiting** to prevent abuse of enrollment mode +- **Update documentation** with operational procedures for each use case + +### Priority: High +This blocks current test failures and addresses fundamental operational challenges for production deployments.
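Review bot: The SealedVolume API example and the test example contradict the "Critical Implementation Notes" in the same hunk, and the enrollment semantics are inconsistent between them. The notes say "EK verification should remain strict - only AK and PCRs should support enrollment mode", yet the API example shows `ekPublicKey: "" # Empty = enrollment mode`, and the remote-static test uses `attestation: {} # Full enrollment mode`. Under the semantics defined three lines earlier ("Omitted = skip verification entirely"), an empty `attestation: {}` map has every field omitted, so by the document's own rule it would skip verification, not enroll it. Please pick one meaning per state and apply it consistently: drop the `ekPublicKey` enrollment line (or state that EK may be enrolled and strike the "remain strict" note), and show the test example with the fields that are meant to be learned set explicitly to `""` rather than omitted, e.g. `akPublicKey: ""` plus an explicit `pcrValues.pcrs` map. Two further points for the same section: use case 5 ("Omit PCR 11 entirely to avoid quarantine on upgrades") is a permanent reduction of what is verified rather than enrollment, so the documentation should say so and distinguish it from the "re-learn once" cases 3 and 4; and since the proposal states that the learned value is stored and written back to the SealedVolume, the server logic section should make explicit that an empty field is consumed on first successful attestation (one-shot) and only an operator re-clearing it reopens enrollment, which is also what makes the "rate limiting" note meaningful.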