Add TODO in README for selective enrollment

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
This commit is contained in:
Dimitris Karakasilis
2025-09-24 17:29:38 +03:00
parent fac5dfb32d
commit f30bf27e13


@@ -117,3 +117,73 @@ TEST SUITE: None
# Installs challenger # Installs challenger
$ helm install kairos-challenger kairos/kcrypt-challenger $ helm install kairos-challenger kairos/kcrypt-challenger
``` ```
## TODO: Implement Selective Enrollment Mode for Attestation Data
### Problem Statement
Currently, the TPM attestation system faces operational challenges in real-world deployments:
1. **Test Complexity**: Tests require manually creating SealedVolumes with complex mock attestation data (EK, AK, PCR values)
2. **Upgrade Compatibility**: Kernel upgrades change PCR values, causing TPM quarantine and disk inaccessibility
3. **Operational Flexibility**: No mechanism for operators to reset/update attestation data after TPM replacement, firmware upgrades, or key rotation
### Proposed Solution: Selective Enrollment Mode
Implement a "selective enrollment mode" where operators can set specific attestation fields to empty/null values in SealedVolume specs, indicating that the server should:
1. Accept any value for that field during attestation
2. Store the received value for future verification
3. Update the SealedVolume with the learned value
### Required Implementation Changes
#### 1. **SealedVolume API Enhancement**
```yaml
spec:
TPMHash: "required-tpm-hash" # MUST be set for client matching
attestation:
ekPublicKey: "" # Empty = enrollment mode
akPublicKey: "" # Empty = enrollment mode
pcrValues:
pcrs:
"0": "" # Empty = enrollment mode for this PCR
"7": "fixed-value" # Set = enforce this value
# "11": omitted # Omitted = skip verification entirely
```
#### 2. **Server Logic Updates**
- Modify `verifyAKMatch()` to handle empty AK fields as enrollment mode
- Modify `verifyPCRValues()` to handle empty PCR values as enrollment mode
- Add logic to update SealedVolume specs when learning new values
- Ensure TPM hash is always required and validated for client matching
#### 3. **Test Simplification**
Replace complex mock attestation data in tests with simple enrollment mode:
```yaml
# tests/encryption_test.go - remote-static test
spec:
TPMHash: "computed-from-vm" # Get from /system/discovery/kcrypt-discovery-challenger
partitions:
- label: COS_PERSISTENT
secret: {name: "static-passphrase", path: "pass"}
attestation: {} # Full enrollment mode
```
### Use Cases Solved
1. **Static Passphrase Tests**: Create Secret + minimal SealedVolume, let TOFU handle attestation
2. **Production Manual Setup**: Operators set known passphrases + TPM hashes, system learns security data
3. **Firmware Upgrades**: Set PCR fields to empty to re-learn after BIOS updates
4. **TPM Replacement**: Set AK field to empty to re-learn after hardware changes
5. **Kernel Updates**: Omit PCR 11 entirely to avoid quarantine on upgrades
### Critical Implementation Notes
- **TPM Hash MUST remain mandatory** - without it, multiple clients would match the same SealedVolume
- **EK verification should remain strict** - only AK and PCRs should support enrollment mode
- **Add proper logging** for enrollment events for audit trails
- **Consider rate limiting** to prevent abuse of enrollment mode
- **Update documentation** with operational procedures for each use case
### Priority: High
This blocks current test failures and addresses fundamental operational challenges for production deployments.
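Review bot: The new README sections contradict each other on EK handling and on what an empty or omitted field means, which matters because the two readings have very different security properties. Section 1 shows `ekPublicKey: "" # Empty = enrollment mode`, while the Critical Implementation Notes say "EK verification should remain strict - only AK and PCRs should support enrollment mode"; drop the `ekPublicKey` line from the example, or comment that an empty EK is rejected, so the spec example cannot be read as permitting EK enrollment. Likewise, section 1 states an omitted PCR means "skip verification entirely", but the test example uses `attestation: {} # Full enrollment mode`; under the stated rules an attestation block with every field omitted would mean no verification at all rather than learn-and-pin, so spell out whether an absent field or block means enrollment (learn once, then enforce) or skip (never check). Since the TPM hash is the only thing matching a client while fields are in enrollment mode, the "Add proper logging" item should also require recording which fields were learned from which request, so an operator reviewing the audit trail can distinguish a value they pinned from one the server learned on first use.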