kairos/kcrypt-challenger
1
0
Fork 0
mirror of https://github.com/kairos-io/kcrypt-challenger.git synced 2025-09-24 20:47:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kairos:2988-remote-attestation
Branches Tags
kairos:main kairos:2988-remote-attestation kairos:renovate/github.com-kairos-io-kairos-sdk-0.x kairos:renovate/github.com-kairos-io-tpm-helpers-digest kairos:renovate/sigs.k8s.io-controller-runtime-0.x kairos:renovate/kubernetes-go kairos:pedro-dimitris-debugging kairos:bump_kairos kairos:update_ghw kairos:ubuntu-local kairos:test_itxaka kairos:challenger
kairos:v0.11.3 kairos:v0.11.2 kairos:v0.11.1 kairos:v0.11.0 kairos:v0.10.0 kairos:v0.9.1 kairos:v0.9.0 kairos:v0.8.0 kairos:v0.7.0 kairos:v0.6.0 kairos:v0.5.0 kairos:v0.4.0 kairos:v0.3 kairos:v0.2.3 kairos:v0.2.2 kairos:v0.2.1 kairos:v0.2.0 kairos:v0.1.0
..
compare: kairos:renovate/github.com-kairos-io-tpm-helpers-digest
Branches Tags
kairos:2988-remote-attestation kairos:renovate/github.com-kairos-io-kairos-sdk-0.x kairos:renovate/github.com-kairos-io-tpm-helpers-digest kairos:renovate/sigs.k8s.io-controller-runtime-0.x kairos:renovate/kubernetes-go kairos:main kairos:pedro-dimitris-debugging kairos:bump_kairos kairos:update_ghw kairos:ubuntu-local kairos:test_itxaka kairos:challenger
kairos:v0.11.3 kairos:v0.11.2 kairos:v0.11.1 kairos:v0.11.0 kairos:v0.10.0 kairos:v0.9.1 kairos:v0.9.0 kairos:v0.8.0 kairos:v0.7.0 kairos:v0.6.0 kairos:v0.5.0 kairos:v0.4.0 kairos:v0.3 kairos:v0.2.3 kairos:v0.2.2 kairos:v0.2.1 kairos:v0.2.0 kairos:v0.1.0

1 Commits
2988-remot ... renovate/g

Author SHA1 Message Date
renovate[bot]
de82af7d80 fix(deps): update github.com/kairos-io/tpm-helpers digest to e914e08 2025-09-18 01:58:45 +00:00
25 changed files with 1080 additions and 2281 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -6,7 +6,6 @@
*.dylib
bin
testbin/*
manager
# Test binary, build with `go test -c`
*.test

97
README.md
View File

@@ -65,33 +65,6 @@ This is the Kairos kcrypt-challenger Kubernetes Native Extension.
See the documentation in our website: https://kairos.io/docs/advanced/partition_encryption/.
### TPM NV Memory Cleanup
⚠️ **DANGER**: This command removes encryption passphrases from TPM memory!
⚠️ **If you delete the wrong index, your encrypted disk may become UNBOOTABLE!**
During development and testing, the kcrypt-challenger may store passphrases in TPM non-volatile (NV) memory. These passphrases persist across reboots and can accumulate over time, taking up space in the TPM.
To clean up TPM NV memory used by the challenger:
```bash
# Clean up the default NV index (respects config or defaults to 0x1500000)
kcrypt-discovery-challenger cleanup
# Clean up a specific NV index
kcrypt-discovery-challenger cleanup --nv-index=0x1500001
# Clean up with specific TPM device
kcrypt-discovery-challenger cleanup --tpm-device=/dev/tpmrm0
```
**Safety Features:**
- By default, the command shows warnings and prompts for confirmation
- You must type "yes" to proceed with deletion
- Use `--i-know-what-i-am-doing` flag to skip the prompt (not recommended)
**Note**: This command uses native Go TPM libraries and requires appropriate permissions to access the TPM device.
## Installation
To install, use helm:
@@ -117,73 +90,3 @@ TEST SUITE: None
# Installs challenger
$ helm install kairos-challenger kairos/kcrypt-challenger
```
## TODO: Implement Selective Enrollment Mode for Attestation Data
### Problem Statement
Currently, the TPM attestation system faces operational challenges in real-world deployments:
1. **Test Complexity**: Tests require manually creating SealedVolumes with complex mock attestation data (EK, AK, PCR values)
2. **Upgrade Compatibility**: Kernel upgrades change PCR values, causing TPM quarantine and disk inaccessibility
3. **Operational Flexibility**: No mechanism for operators to reset/update attestation data after TPM replacement, firmware upgrades, or key rotation
### Proposed Solution: Selective Enrollment Mode
Implement a "selective enrollment mode" where operators can set specific attestation fields to empty/null values in SealedVolume specs, indicating that the server should:
1. Accept any value for that field during attestation
2. Store the received value for future verification
3. Update the SealedVolume with the learned value
### Required Implementation Changes
#### 1. **SealedVolume API Enhancement**
```yaml
spec:
TPMHash: "required-tpm-hash" # MUST be set for client matching
attestation:
ekPublicKey: "" # Empty = enrollment mode
akPublicKey: "" # Empty = enrollment mode
pcrValues:
pcrs:
"0": "" # Empty = enrollment mode for this PCR
"7": "fixed-value" # Set = enforce this value
# "11": omitted # Omitted = skip verification entirely
```
#### 2. **Server Logic Updates**
- Modify `verifyAKMatch()` to handle empty AK fields as enrollment mode
- Modify `verifyPCRValues()` to handle empty PCR values as enrollment mode
- Add logic to update SealedVolume specs when learning new values
- Ensure TPM hash is always required and validated for client matching
#### 3. **Test Simplification**
Replace complex mock attestation data in tests with simple enrollment mode:
```yaml
# tests/encryption_test.go - remote-static test
spec:
TPMHash: "computed-from-vm" # Get from /system/discovery/kcrypt-discovery-challenger
partitions:
- label: COS_PERSISTENT
secret: {name: "static-passphrase", path: "pass"}
attestation: {} # Full enrollment mode
```
### Use Cases Solved
1. **Static Passphrase Tests**: Create Secret + minimal SealedVolume, let TOFU handle attestation
2. **Production Manual Setup**: Operators set known passphrases + TPM hashes, system learns security data
3. **Firmware Upgrades**: Set PCR fields to empty to re-learn after BIOS updates
4. **TPM Replacement**: Set AK field to empty to re-learn after hardware changes
5. **Kernel Updates**: Omit PCR 11 entirely to avoid quarantine on upgrades
### Critical Implementation Notes
- **TPM Hash MUST remain mandatory** - without it, multiple clients would match the same SealedVolume
- **EK verification should remain strict** - only AK and PCRs should support enrollment mode
- **Add proper logging** for enrollment events for audit trails
- **Consider rate limiting** to prevent abuse of enrollment mode
- **Update documentation** with operational procedures for each use case
### Priority: High
This blocks current test failures and addresses fundamental operational challenges for production deployments.

34
api/v1alpha1/sealedvolume_types.go
View File

@@ -23,39 +23,11 @@ import (
// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
// PCRValues represents Platform Configuration Register values for boot state verification
// Uses a flexible map where keys are PCR indices (as strings) and values are hex-encoded PCR values
type PCRValues struct {
// PCRs is a flexible map of PCR index (as string) to PCR value (hex-encoded)
// Example: {"0": "a1b2c3...", "7": "d4e5f6...", "11": "g7h8i9..."}
// This allows for any combination of PCRs without hardcoding specific indices
PCRs map[string]string `json:"pcrs,omitempty"`
}
// AttestationSpec defines TPM attestation data for TOFU enrollment and verification
type AttestationSpec struct {
// EKPublicKey stores the Endorsement Key public key in PEM format
EKPublicKey string `json:"ekPublicKey,omitempty"`
// AKPublicKey stores the Attestation Key public key in PEM format
AKPublicKey string `json:"akPublicKey,omitempty"`
// PCRValues stores the expected PCR values for boot state verification
PCRValues *PCRValues `json:"pcrValues,omitempty"`
// EnrolledAt timestamp when this TPM was first enrolled
EnrolledAt *metav1.Time `json:"enrolledAt,omitempty"`
// LastVerifiedAt timestamp of the last successful attestation
LastVerifiedAt *metav1.Time `json:"lastVerifiedAt,omitempty"`
}
// SealedVolumeSpec defines the desired state of SealedVolume
type SealedVolumeSpec struct {
TPMHash string `json:"TPMHash,omitempty"`
Partitions []PartitionSpec `json:"partitions,omitempty"`
Quarantined bool `json:"quarantined,omitempty"`
Attestation *AttestationSpec `json:"attestation,omitempty"`
TPMHash string `json:"TPMHash,omitempty"`
Partitions []PartitionSpec `json:"partitions,omitempty"`
Quarantined bool `json:"quarantined,omitempty"`
}
// PartitionSpec defines a Partition. A partition can be identified using

55
api/v1alpha1/zz_generated.deepcopy.go
View File

@@ -25,56 +25,6 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AttestationSpec) DeepCopyInto(out *AttestationSpec) {
*out = *in
if in.PCRValues != nil {
in, out := &in.PCRValues, &out.PCRValues
*out = new(PCRValues)
(*in).DeepCopyInto(*out)
}
if in.EnrolledAt != nil {
in, out := &in.EnrolledAt, &out.EnrolledAt
*out = (*in).DeepCopy()
}
if in.LastVerifiedAt != nil {
in, out := &in.LastVerifiedAt, &out.LastVerifiedAt
*out = (*in).DeepCopy()
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestationSpec.
func (in *AttestationSpec) DeepCopy() *AttestationSpec {
if in == nil {
return nil
}
out := new(AttestationSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PCRValues) DeepCopyInto(out *PCRValues) {
*out = *in
if in.PCRs != nil {
in, out := &in.PCRs, &out.PCRs
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PCRValues.
func (in *PCRValues) DeepCopy() *PCRValues {
if in == nil {
return nil
}
out := new(PCRValues)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PartitionSpec) DeepCopyInto(out *PartitionSpec) {
*out = *in
@@ -164,11 +114,6 @@ func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Attestation != nil {
in, out := &in.Attestation, &out.Attestation
*out = new(AttestationSpec)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SealedVolumeSpec.

374
cmd/discovery/cli_test.go
View File

@@ -1,374 +0,0 @@
package main
import (
"os"
"path/filepath"
"testing"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
)
func TestCLI(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "Discovery CLI Suite")
}
var _ = Describe("CLI Interface", func() {
BeforeEach(func() {
// Clean up any previous log files
_ = os.Remove("/tmp/kcrypt-challenger-client.log")
})
AfterEach(func() {
// Clean up log files
_ = os.Remove("/tmp/kcrypt-challenger-client.log")
})
Context("CLI help", func() {
It("should show help when --help is used", func() {
err := ExecuteWithArgs([]string{"--help"})
Expect(err).To(BeNil())
// We can't easily test the output content without complex output capture,
// but we can verify the function executes without error
})
})
Context("Input validation", func() {
It("should require all partition parameters for get command", func() {
err := ExecuteWithArgs([]string{"get"})
Expect(err).To(HaveOccurred())
// Should return an error when required parameters are missing
})
It("should validate that all required fields are provided for get command", func() {
// Test with valid partition parameters
err := ExecuteWithArgs([]string{"get", "--partition-name=/dev/sda2"})
Expect(err).To(HaveOccurred()) // Should fail at client connection but parsing should work
// Test with valid UUID
err = ExecuteWithArgs([]string{"get", "--partition-uuid=12345"})
Expect(err).To(HaveOccurred()) // Should fail at client connection but parsing should work
})
It("should handle invalid flags gracefully", func() {
err := ExecuteWithArgs([]string{"--invalid-flag"})
Expect(err).To(HaveOccurred())
// Should return an error for invalid flags
})
})
Context("Flow detection and backend integration", func() {
It("should attempt to get passphrase with valid parameters", func() {
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/test",
"--partition-uuid=test-uuid-12345",
"--partition-label=test-label",
"--attempts=1",
})
// We expect this to fail since there's no server, but it should reach the backend logic
Expect(err).To(HaveOccurred())
// Should show flow detection in the log (if created)
logContent, readErr := os.ReadFile("/tmp/kcrypt-challenger-client.log")
if readErr == nil {
logStr := string(logContent)
// Should contain flow detection message
Expect(logStr).To(ContainSubstring("flow"))
}
})
It("should use the correct backend client logic", func() {
// Test that the CLI mode uses the same GetPassphrase method
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/test",
"--partition-uuid=test-uuid",
"--partition-label=test-label",
"--attempts=1",
})
// Should fail but attempt to use the client
Expect(err).To(HaveOccurred())
// The important thing is that it reaches the backend and doesn't crash
})
})
Context("Configuration overrides with debug logging", func() {
var tempDir string
var originalLogFile string
var testLogFile string
var configDir string
BeforeEach(func() {
// Create a temporary directory for this test
var err error
tempDir, err = os.MkdirTemp("", "kcrypt-test-*")
Expect(err).NotTo(HaveOccurred())
// Use /tmp/oem since it's already in confScanDirs
configDir = "/tmp/oem"
err = os.MkdirAll(configDir, 0755)
Expect(err).NotTo(HaveOccurred())
// Create a test configuration file with known values
configContent := `kcrypt:
challenger:
challenger_server: "https://default-server.com:8080"
mdns: false
certificate: "/default/path/to/cert.pem"
nv_index: "0x1500000"
c_index: "0x1400000"
tpm_device: "/dev/tpm0"
`
configFile := filepath.Join(configDir, "kairos.yaml")
err = os.WriteFile(configFile, []byte(configContent), 0644)
Expect(err).NotTo(HaveOccurred())
// Override the log file location for testing
originalLogFile = os.Getenv("KAIROS_LOG_FILE")
testLogFile = filepath.Join(tempDir, "kcrypt-discovery-challenger.log")
os.Setenv("KAIROS_LOG_FILE", testLogFile)
})
AfterEach(func() {
// Restore original log file setting
if originalLogFile != "" {
os.Setenv("KAIROS_LOG_FILE", originalLogFile)
} else {
os.Unsetenv("KAIROS_LOG_FILE")
}
// Clean up config file
_ = os.RemoveAll(configDir)
// Clean up temporary directory
_ = os.RemoveAll(tempDir)
})
It("should read and use original configuration values without overrides", func() {
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/test",
"--partition-uuid=test-uuid",
"--partition-label=test-label",
"--debug",
"--attempts=1",
})
// Should fail at passphrase retrieval but config parsing should work
Expect(err).To(HaveOccurred())
// Check that original configuration values are logged
logContent, readErr := os.ReadFile(testLogFile)
if readErr == nil {
logStr := string(logContent)
// Should show original configuration values from the file
Expect(logStr).To(ContainSubstring("Original configuration"))
Expect(logStr).To(ContainSubstring("https://default-server.com:8080"))
Expect(logStr).To(ContainSubstring("false")) // mdns value
Expect(logStr).To(ContainSubstring("/default/path/to/cert.pem"))
// Should also show final configuration (which should be the same as original)
Expect(logStr).To(ContainSubstring("Final configuration"))
// Should NOT contain any override messages since no flags were provided
Expect(logStr).NotTo(ContainSubstring("Overriding server URL"))
Expect(logStr).NotTo(ContainSubstring("Overriding MDNS setting"))
Expect(logStr).NotTo(ContainSubstring("Overriding certificate"))
}
})
It("should show configuration file values being overridden by CLI flags", func() {
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/test",
"--partition-uuid=test-uuid",
"--partition-label=test-label",
"--challenger-server=https://overridden-server.com:9999",
"--mdns=true",
"--certificate=/overridden/cert.pem",
"--debug",
"--attempts=1",
})
// Should fail at passphrase retrieval but config parsing and overrides should work
Expect(err).To(HaveOccurred())
// Check that both original and overridden values are logged
logContent, readErr := os.ReadFile(testLogFile)
if readErr == nil {
logStr := string(logContent)
// Should show original configuration values from the file
Expect(logStr).To(ContainSubstring("Original configuration"))
Expect(logStr).To(ContainSubstring("https://default-server.com:8080"))
Expect(logStr).To(ContainSubstring("/default/path/to/cert.pem"))
// Should show override messages
Expect(logStr).To(ContainSubstring("Overriding server URL"))
Expect(logStr).To(ContainSubstring("https://default-server.com:8080 -> https://overridden-server.com:9999"))
Expect(logStr).To(ContainSubstring("Overriding MDNS setting"))
Expect(logStr).To(ContainSubstring("false -> true"))
Expect(logStr).To(ContainSubstring("Overriding certificate"))
// Should show final configuration with overridden values
Expect(logStr).To(ContainSubstring("Final configuration"))
Expect(logStr).To(ContainSubstring("https://overridden-server.com:9999"))
Expect(logStr).To(ContainSubstring("/overridden/cert.pem"))
}
})
It("should apply CLI flag overrides and log configuration changes", func() {
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/test",
"--partition-uuid=test-uuid",
"--partition-label=test-label",
"--challenger-server=https://custom-server.com:8082",
"--mdns=true",
"--certificate=/path/to/cert.pem",
"--debug",
"--attempts=1",
})
// Should fail at passphrase retrieval but flag parsing should work
Expect(err).To(HaveOccurred())
// Check if debug log exists and contains configuration information
logContent, readErr := os.ReadFile(testLogFile)
if readErr == nil {
logStr := string(logContent)
// Should contain debug information about configuration overrides
Expect(logStr).To(ContainSubstring("Overriding server URL"))
Expect(logStr).To(ContainSubstring("https://custom-server.com:8082"))
Expect(logStr).To(ContainSubstring("Overriding MDNS setting"))
Expect(logStr).To(ContainSubstring("Overriding certificate"))
}
})
It("should show original vs final configuration in debug mode", func() {
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/test",
"--partition-uuid=test-uuid",
"--partition-label=test-label",
"--challenger-server=https://override-server.com:9999",
"--debug",
"--attempts=1",
})
// Should fail but debug information should be logged
Expect(err).To(HaveOccurred())
// Check for original and final configuration logging
logContent, readErr := os.ReadFile(testLogFile)
if readErr == nil {
logStr := string(logContent)
Expect(logStr).To(ContainSubstring("Original configuration"))
Expect(logStr).To(ContainSubstring("Final configuration"))
Expect(logStr).To(ContainSubstring("https://override-server.com:9999"))
}
})
It("should log partition details in debug mode", func() {
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/custom-partition",
"--partition-uuid=custom-uuid-123",
"--partition-label=custom-label-456",
"--debug",
"--attempts=2",
})
Expect(err).To(HaveOccurred())
// Check for partition details in debug log
logContent, readErr := os.ReadFile(testLogFile)
if readErr == nil {
logStr := string(logContent)
Expect(logStr).To(ContainSubstring("Partition details"))
Expect(logStr).To(ContainSubstring("/dev/custom-partition"))
Expect(logStr).To(ContainSubstring("custom-uuid-123"))
Expect(logStr).To(ContainSubstring("custom-label-456"))
Expect(logStr).To(ContainSubstring("Attempts: 2"))
}
})
It("should not log debug information without debug flag", func() {
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/test",
"--partition-uuid=test-uuid",
"--partition-label=test-label",
"--attempts=1",
})
Expect(err).To(HaveOccurred())
// Debug log should not exist or should not contain detailed debug info
logContent, readErr := os.ReadFile(testLogFile)
if readErr == nil {
logStr := string(logContent)
// Should not contain debug-level details
Expect(logStr).NotTo(ContainSubstring("Original configuration"))
Expect(logStr).NotTo(ContainSubstring("Partition details"))
}
})
It("should handle missing configuration file gracefully and show defaults", func() {
// Remove the config file to test default behavior
_ = os.RemoveAll(configDir)
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/test",
"--partition-uuid=test-uuid",
"--partition-label=test-label",
"--debug",
"--attempts=1",
})
// Should fail at passphrase retrieval but not due to config parsing
Expect(err).To(HaveOccurred())
// Check that default/empty configuration values are logged
logContent, readErr := os.ReadFile(testLogFile)
if readErr == nil {
logStr := string(logContent)
// Should show original configuration (which should be empty/defaults)
Expect(logStr).To(ContainSubstring("Original configuration"))
Expect(logStr).To(ContainSubstring("Final configuration"))
// Should NOT contain override messages since no flags were provided
Expect(logStr).NotTo(ContainSubstring("Overriding server URL"))
Expect(logStr).NotTo(ContainSubstring("Overriding MDNS setting"))
Expect(logStr).NotTo(ContainSubstring("Overriding certificate"))
}
})
})
Context("CLI argument parsing", func() {
It("should parse all arguments correctly", func() {
// This will fail at the client creation/server connection,
// but should successfully parse all arguments
err := ExecuteWithArgs([]string{
"get",
"--partition-name=/dev/custom",
"--partition-uuid=custom-uuid-999",
"--partition-label=custom-label",
"--attempts=5",
})
Expect(err).To(HaveOccurred()) // Fails due to no server
// The important thing is that flag parsing worked and it reached the backend
})
It("should handle boolean flags correctly", func() {
// Test help flag
err := ExecuteWithArgs([]string{"--help"})
Expect(err).To(BeNil())
})
})
})

288
cmd/discovery/client/client.go
View File

@@ -1,50 +1,37 @@
package client
import (
"crypto/x509"
"encoding/base64"
"encoding/json"
"encoding/pem"
"fmt"
"os"
"time"
"github.com/google/go-attestation/attest"
"github.com/gorilla/websocket"
"github.com/jaypipes/ghw/pkg/block"
"github.com/kairos-io/kairos-challenger/pkg/constants"
"github.com/kairos-io/kairos-challenger/pkg/payload"
"github.com/kairos-io/kairos-sdk/kcrypt/bus"
"github.com/kairos-io/kairos-sdk/types"
"github.com/kairos-io/tpm-helpers"
"github.com/mudler/go-pluggable"
"github.com/kairos-io/kairos-challenger/pkg/constants"
"github.com/mudler/yip/pkg/utils"
)
// Because of how go-pluggable works, we can't just print to stdout
const LOGFILE = "/tmp/kcrypt-challenger-client.log"
// Retry delays for different failure types
const (
TPMRetryDelay = 100 * time.Millisecond // Brief delay for TPM hardware busy/unavailable
NetworkRetryDelay = 1 * time.Second // Longer delay for network/server issues
)
var errPartNotFound error = fmt.Errorf("pass for partition not found")
var errBadCertificate error = fmt.Errorf("unknown certificate")
func NewClient() (*Client, error) {
return NewClientWithLogger(types.NewKairosLogger("kcrypt-challenger-client", "error", false))
}
func NewClientWithLogger(logger types.KairosLogger) (*Client, error) {
conf, err := unmarshalConfig()
if err != nil {
return nil, err
}
return &Client{Config: conf, Logger: logger}, nil
return &Client{Config: conf}, nil
}
// echo '{ "data": "{ \\"label\\": \\"LABEL\\" }"}' | sudo -E WSS_SERVER="http://localhost:8082/challenge" ./challenger "discovery.password"
func (c *Client) Start() error {
if err := os.RemoveAll(LOGFILE); err != nil { // Start fresh
return fmt.Errorf("removing the logfile: %w", err)
@@ -64,8 +51,7 @@ func (c *Client) Start() error {
}
}
// Use the extracted core logic
pass, err := c.GetPassphrase(b, 30)
pass, err := c.waitPass(b, 30)
if err != nil {
return pluggable.EventResponse{
Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
@@ -80,9 +66,36 @@ func (c *Client) Start() error {
return factory.Run(pluggable.EventType(os.Args[1]), os.Stdin, os.Stdout)
}
// echo '{ "data": "{ \\"label\\": \\"LABEL\\" }"}' | sudo -E WSS_SERVER="http://localhost:8082/challenge" ./challenger "discovery.password"
// GetPassphrase retrieves a passphrase for the given partition - core business logic
func (c *Client) GetPassphrase(partition *block.Partition, attempts int) (string, error) {
func (c *Client) generatePass(postEndpoint string, headers map[string]string, p *block.Partition) error {
rand := utils.RandomString(32)
pass, err := tpm.EncryptBlob([]byte(rand))
if err != nil {
return err
}
bpass := base64.RawURLEncoding.EncodeToString(pass)
opts := []tpm.Option{
tpm.WithCAs([]byte(c.Config.Kcrypt.Challenger.Certificate)),
tpm.AppendCustomCAToSystemCA,
tpm.WithAdditionalHeader("label", p.FilesystemLabel),
tpm.WithAdditionalHeader("name", p.Name),
tpm.WithAdditionalHeader("uuid", p.UUID),
}
for k, v := range headers {
opts = append(opts, tpm.WithAdditionalHeader(k, v))
}
conn, err := tpm.Connection(postEndpoint, opts...)
if err != nil {
return err
}
return conn.WriteJSON(payload.Data{Passphrase: bpass, GeneratedBy: constants.TPMSecret})
}
func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err error) {
additionalHeaders := map[string]string{}
serverURL := c.Config.Kcrypt.Challenger.Server
// If we don't have any server configured, just do local
@@ -90,197 +103,44 @@ func (c *Client) GetPassphrase(partition *block.Partition, attempts int) (string
return localPass(c.Config)
}
additionalHeaders := map[string]string{}
var err error
if c.Config.Kcrypt.Challenger.MDNS {
serverURL, additionalHeaders, err = queryMDNS(serverURL, c.Logger)
if err != nil {
return "", err
}
serverURL, additionalHeaders, err = queryMDNS(serverURL)
}
c.Logger.Debugf("Starting TPM attestation flow with server: %s", serverURL)
return c.waitPassWithTPMAttestation(serverURL, additionalHeaders, partition, attempts)
}
// waitPassWithTPMAttestation implements the new TPM remote attestation flow over WebSocket
func (c *Client) waitPassWithTPMAttestation(serverURL string, additionalHeaders map[string]string, p *block.Partition, attempts int) (string, error) {
attestationEndpoint := fmt.Sprintf("%s/tpm-attestation", serverURL)
c.Logger.Debugf("Debug: TPM attestation endpoint: %s", attestationEndpoint)
getEndpoint := fmt.Sprintf("%s/getPass", serverURL)
postEndpoint := fmt.Sprintf("%s/postPass", serverURL)
for tries := 0; tries < attempts; tries++ {
c.Logger.Debugf("Debug: TPM attestation attempt %d/%d", tries+1, attempts)
// Step 1: Initialize AK Manager
c.Logger.Debugf("Debug: Initializing AK Manager with handle file: %s", constants.AKBlobFile)
akManager, err := tpm.NewAKManager(tpm.WithAKHandleFile(constants.AKBlobFile))
if err != nil {
c.Logger.Debugf("Failed to create AK manager: %v", err)
time.Sleep(TPMRetryDelay)
continue
}
c.Logger.Debugf("Debug: AK Manager initialized successfully")
// Step 2: Ensure AK exists
c.Logger.Debugf("Debug: Getting or creating AK")
_, err = akManager.GetOrCreateAK()
if err != nil {
c.Logger.Debugf("Failed to get/create AK: %v", err)
time.Sleep(TPMRetryDelay)
continue
}
c.Logger.Debugf("Debug: AK obtained/created successfully")
// Step 3: Start WebSocket-based attestation flow
c.Logger.Debugf("Debug: Starting WebSocket-based attestation flow")
passphrase, err := c.performTPMAttestation(attestationEndpoint, additionalHeaders, akManager, p)
if err != nil {
c.Logger.Debugf("Failed TPM attestation: %v", err)
time.Sleep(NetworkRetryDelay)
var generated bool
pass, generated, err = getPass(getEndpoint, additionalHeaders, c.Config.Kcrypt.Challenger.Certificate, p)
if err == errPartNotFound {
// IF server doesn't have a pass for us, then we generate one and we set it
err = c.generatePass(postEndpoint, additionalHeaders, p)
if err != nil {
return
}
// Attempt to fetch again - validate that the server has it now
tries = 0
continue
}
return passphrase, nil
}
return "", fmt.Errorf("exhausted all attempts (%d) for TPM attestation", attempts)
}
// performTPMAttestation handles the complete attestation flow over a single WebSocket connection
func (c *Client) performTPMAttestation(endpoint string, additionalHeaders map[string]string, akManager *tpm.AKManager, p *block.Partition) (string, error) {
c.Logger.Debugf("Debug: Creating WebSocket connection to endpoint: %s", endpoint)
c.Logger.Debugf("Debug: Partition details - Label: %s, Name: %s, UUID: %s", p.FilesystemLabel, p.Name, p.UUID)
c.Logger.Debugf("Debug: Certificate length: %d", len(c.Config.Kcrypt.Challenger.Certificate))
// Create WebSocket connection
opts := []tpm.Option{
tpm.WithAdditionalHeader("label", p.FilesystemLabel),
tpm.WithAdditionalHeader("name", p.Name),
tpm.WithAdditionalHeader("uuid", p.UUID),
}
// Only add certificate options if a certificate is provided
if len(c.Config.Kcrypt.Challenger.Certificate) > 0 {
c.Logger.Debugf("Debug: Adding certificate validation options")
opts = append(opts,
tpm.WithCAs([]byte(c.Config.Kcrypt.Challenger.Certificate)),
tpm.AppendCustomCAToSystemCA,
)
} else {
c.Logger.Debugf("Debug: No certificate provided, using insecure connection")
}
for k, v := range additionalHeaders {
opts = append(opts, tpm.WithAdditionalHeader(k, v))
}
c.Logger.Debugf("Debug: WebSocket options configured, attempting connection...")
// Add connection timeout to prevent hanging indefinitely
type connectionResult struct {
conn interface{}
err error
}
done := make(chan connectionResult, 1)
go func() {
c.Logger.Debugf("Debug: Using tpm.AttestationConnection for new TPM flow")
conn, err := tpm.AttestationConnection(endpoint, opts...)
c.Logger.Debugf("Debug: tpm.AttestationConnection returned with err: %v", err)
done <- connectionResult{conn: conn, err: err}
}()
var conn *websocket.Conn
select {
case result := <-done:
if result.err != nil {
c.Logger.Debugf("Debug: WebSocket connection failed: %v", result.err)
return "", fmt.Errorf("creating WebSocket connection: %w", result.err)
if generated { // passphrase is encrypted
return c.decryptPassphrase(pass)
}
var ok bool
conn, ok = result.conn.(*websocket.Conn)
if !ok {
return "", fmt.Errorf("unexpected connection type")
if err == errBadCertificate { // No need to retry, won't succeed.
return
}
c.Logger.Debugf("Debug: WebSocket connection established successfully")
case <-time.After(10 * time.Second):
c.Logger.Debugf("Debug: WebSocket connection timed out after 10 seconds")
return "", fmt.Errorf("WebSocket connection timed out")
if err == nil { // passphrase available, no errors
return
}
logToFile("Failed with error: %s . Will retry.\n", err.Error())
time.Sleep(1 * time.Second) // network errors? retry
}
defer conn.Close() //nolint:errcheck
// Protocol Step 1: Send attestation data (EK + AK) to server so it can generate proper challenge
c.Logger.Debugf("Debug: Getting attestation data for challenge generation")
ek, akParams, err := akManager.GetAttestationData()
if err != nil {
return "", fmt.Errorf("getting attestation data: %w", err)
}
c.Logger.Debugf("Debug: Got EK and AK attestation data")
// Serialize EK to bytes using the existing encoding from tmp-helpers
ekPEM, err := encodeEKToBytes(ek)
if err != nil {
return "", fmt.Errorf("encoding EK to bytes: %w", err)
}
// Serialize AK parameters to JSON bytes
akBytes, err := json.Marshal(akParams)
if err != nil {
return "", fmt.Errorf("marshaling AK parameters: %w", err)
}
// Send attestation data to server as bytes
attestationData := struct {
EKBytes []byte `json:"ek_bytes"`
AKBytes []byte `json:"ak_bytes"`
}{
EKBytes: ekPEM,
AKBytes: akBytes,
}
c.Logger.Debugf("Debug: Sending attestation data to server")
if err := conn.WriteJSON(attestationData); err != nil {
return "", fmt.Errorf("sending attestation data: %w", err)
}
c.Logger.Debugf("Debug: Attestation data sent successfully")
// Protocol Step 2: Wait for challenge response from server
c.Logger.Debugf("Debug: Waiting for challenge from server")
var challengeResp tpm.AttestationChallengeResponse
if err := conn.ReadJSON(&challengeResp); err != nil {
return "", fmt.Errorf("reading challenge from server: %w", err)
}
c.Logger.Debugf("Challenge received - Enrolled: %t", challengeResp.Enrolled)
// Protocol Step 3: Create proof request using AK Manager
c.Logger.Debugf("Debug: Creating proof request from challenge response")
proofReq, err := akManager.CreateProofRequest(&challengeResp)
if err != nil {
return "", fmt.Errorf("creating proof request: %w", err)
}
c.Logger.Debugf("Debug: Proof request created successfully")
// Protocol Step 4: Send proof to server
c.Logger.Debugf("Debug: Sending proof request to server")
if err := conn.WriteJSON(proofReq); err != nil {
return "", fmt.Errorf("sending proof request: %w", err)
}
c.Logger.Debugf("Proof request sent")
// Protocol Step 5: Receive passphrase from server
c.Logger.Debugf("Debug: Waiting for passphrase response")
var proofResp tpm.ProofResponse
if err := conn.ReadJSON(&proofResp); err != nil {
return "", fmt.Errorf("reading passphrase response: %w", err)
}
c.Logger.Debugf("Passphrase received - Length: %d bytes", len(proofResp.Passphrase))
// Check if we received an empty passphrase (indicates server error)
if len(proofResp.Passphrase) == 0 {
return "", fmt.Errorf("server returned empty passphrase, indicating an error occurred during attestation")
}
return string(proofResp.Passphrase), nil
return
}
// decryptPassphrase decodes (base64) and decrypts the passphrase returned
@@ -304,25 +164,13 @@ func (c *Client) decryptPassphrase(pass string) (string, error) {
return string(passBytes), err
}
// encodeEKToBytes encodes an EK to PEM bytes for transmission
func encodeEKToBytes(ek *attest.EK) ([]byte, error) {
if ek.Certificate != nil {
pemBlock := &pem.Block{
Type: "CERTIFICATE",
Bytes: ek.Certificate.Raw,
}
return pem.EncodeToMemory(pemBlock), nil
}
// For EKs without certificates, marshal the public key
pubBytes, err := x509.MarshalPKIXPublicKey(ek.Public)
func logToFile(format string, a ...any) {
s := fmt.Sprintf(format, a...)
file, err := os.OpenFile(LOGFILE, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
if err != nil {
return nil, fmt.Errorf("marshaling EK public key: %w", err)
panic(err)
}
defer file.Close()
pemBlock := &pem.Block{
Type: "PUBLIC KEY",
Bytes: pubBytes,
}
return pem.EncodeToMemory(pemBlock), nil
file.WriteString(s)
}

2
cmd/discovery/client/config.go
View File

@@ -2,7 +2,6 @@ package client
import (
"github.com/kairos-io/kairos-sdk/collector"
"github.com/kairos-io/kairos-sdk/types"
"gopkg.in/yaml.v3"
)
@@ -15,7 +14,6 @@ var confScanDirs = []string{"/oem", "/sysroot/oem", "/tmp/oem"}
type Client struct {
Config Config
Logger types.KairosLogger
}
type Config struct {

46
cmd/discovery/client/enc.go
View File

@@ -1,12 +1,58 @@
package client
import (
"encoding/json"
"fmt"
"strings"
"github.com/kairos-io/kairos-challenger/pkg/constants"
"github.com/kairos-io/kairos-challenger/pkg/payload"
"github.com/jaypipes/ghw/pkg/block"
"github.com/kairos-io/tpm-helpers"
"github.com/mudler/yip/pkg/utils"
"github.com/pkg/errors"
)
const DefaultNVIndex = "0x1500000"
func getPass(server string, headers map[string]string, certificate string, partition *block.Partition) (string, bool, error) {
opts := []tpm.Option{
tpm.WithCAs([]byte(certificate)),
tpm.AppendCustomCAToSystemCA,
tpm.WithAdditionalHeader("label", partition.FilesystemLabel),
tpm.WithAdditionalHeader("name", partition.Name),
tpm.WithAdditionalHeader("uuid", partition.UUID),
}
for k, v := range headers {
opts = append(opts, tpm.WithAdditionalHeader(k, v))
}
msg, err := tpm.Get(server, opts...)
if err != nil {
return "", false, err
}
result := payload.Data{}
err = json.Unmarshal(msg, &result)
if err != nil {
return "", false, errors.Wrap(err, string(msg))
}
if result.HasPassphrase() {
return fmt.Sprint(result.Passphrase), result.HasBeenGenerated() && result.GeneratedBy == constants.TPMSecret, nil
} else if result.HasError() {
if strings.Contains(result.Error, "No secret found for") {
return "", false, errPartNotFound
}
if strings.Contains(result.Error, "x509: certificate signed by unknown authority") {
return "", false, errBadCertificate
}
return "", false, errors.New(result.Error)
}
return "", false, errPartNotFound
}
func genAndStore(k Config) (string, error) {
opts := []tpm.TPMOption{}
if k.Kcrypt.Challenger.TPMDevice != "" {

47
cmd/discovery/client/flow_test.go
View File

@@ -1,47 +0,0 @@
package client
import (
"testing"
"github.com/kairos-io/kairos-sdk/types"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
)
func TestClient(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "Discovery Client Suite")
}
var _ = Describe("Flow Detection", func() {
var client *Client
BeforeEach(func() {
// Create a test client with basic config and logger
client = &Client{}
client.Config.Kcrypt.Challenger.Server = "http://test-server.local"
client.Logger = types.NewKairosLogger("test-client", "debug", false)
})
Context("TPM attestation capabilities", func() {
It("should handle TPM operations", func() {
// Test that client can be created without errors
// TPM availability testing requires actual hardware
Expect(client).ToNot(BeNil())
})
})
Context("Logging functionality", func() {
It("should have a valid logger", func() {
// Test that client has a valid logger
Expect(client.Logger).NotTo(BeNil())
// Test debug logging works without error
client.Logger.Debugf("Test log entry for flow detection")
// If we get here without panic, logging is working
Expect(true).To(BeTrue())
})
})
})

19
cmd/discovery/client/mdns.go
View File

@@ -8,7 +8,6 @@ import (
"time"
"github.com/hashicorp/mdns"
"github.com/kairos-io/kairos-sdk/types"
)
const (
@@ -19,7 +18,7 @@ const (
// queryMDNS will make an mdns query on local network to find a kcrypt challenger server
// instance. If none is found, the original URL is returned and no additional headers.
// If a response is received, the IP address and port from the response will be returned// and an additional "Host" header pointing to the original host.
func queryMDNS(originalURL string, logger types.KairosLogger) (string, map[string]string, error) {
func queryMDNS(originalURL string) (string, map[string]string, error) {
additionalHeaders := map[string]string{}
var err error
@@ -33,9 +32,9 @@ func queryMDNS(originalURL string, logger types.KairosLogger) (string, map[strin
return "", additionalHeaders, fmt.Errorf("domain should end in \".local\" when using mdns")
}
mdnsIP, mdnsPort := discoverMDNSServer(host, logger)
mdnsIP, mdnsPort := discoverMDNSServer(host)
if mdnsIP == "" { // no reply
logger.Debugf("no reply from mdns")
logToFile("no reply from mdns\n")
return originalURL, additionalHeaders, nil
}
@@ -57,12 +56,12 @@ func queryMDNS(originalURL string, logger types.KairosLogger) (string, map[strin
// discoverMDNSServer performs an mDNS query to discover any running kcrypt challenger
// servers on the same network that matches the given hostname.
// If a response if received, the IP address and the Port from the response are returned.
func discoverMDNSServer(hostname string, logger types.KairosLogger) (string, string) {
func discoverMDNSServer(hostname string) (string, string) {
// Make a channel for results and start listening
entriesCh := make(chan *mdns.ServiceEntry, 4)
defer close(entriesCh)
logger.Debugf("Will now wait for some mdns server to respond")
logToFile("Will now wait for some mdns server to respond\n")
// Start the lookup. It will block until we read from the chan.
mdns.Lookup(MDNSServiceType, entriesCh)
@@ -71,15 +70,15 @@ func discoverMDNSServer(hostname string, logger types.KairosLogger) (string, str
for {
select {
case entry := <-entriesCh:
logger.Debugf("mdns response received")
logToFile("mdns response received\n")
if entry.Host == expectedHost {
logger.Debugf("%s matches %s", entry.Host, expectedHost)
logToFile("%s matches %s\n", entry.Host, expectedHost)
return entry.AddrV4.String(), strconv.Itoa(entry.Port) // TODO: v6?
} else {
logger.Debugf("%s didn't match %s", entry.Host, expectedHost)
logToFile("%s didn't match %s\n", entry.Host, expectedHost)
}
case <-time.After(MDNSTimeout):
logger.Debugf("timed out waiting for mdns")
logToFile("timed out waiting for mdns\n")
return "", ""
}
}

489
cmd/discovery/main.go
View File

@@ -1,478 +1,53 @@
package main
import (
"bufio"
"fmt"
"os"
"strings"
"github.com/jaypipes/ghw/pkg/block"
"github.com/kairos-io/kairos-challenger/cmd/discovery/client"
"github.com/kairos-io/kairos-challenger/pkg/constants"
"github.com/kairos-io/kairos-sdk/kcrypt/bus"
"github.com/kairos-io/kairos-sdk/types"
"github.com/kairos-io/tpm-helpers"
"github.com/spf13/cobra"
"github.com/mudler/go-pluggable"
)
// GetFlags holds all flags specific to the get command
type GetFlags struct {
PartitionName string
PartitionUUID string
PartitionLabel string
Attempts int
ChallengerServer string
EnableMDNS bool
ServerCertificate string
}
var (
// Global/persistent flags
debug bool
)
// rootCmd represents the base command (TPM hash generation)
var rootCmd = &cobra.Command{
Use: "kcrypt-discovery-challenger",
Short: "kcrypt-challenger discovery client",
Long: `kcrypt-challenger discovery client
This tool provides TPM-based operations for encrypted partition management.
By default, it outputs the TPM hash for this device.
Configuration:
The client reads configuration from Kairos configuration files in the following directories:
- /oem (during installation from ISO)
- /sysroot/oem (on installed systems during initramfs)
- /tmp/oem (when running in hooks)
Configuration format (YAML):
kcrypt:
challenger:
challenger_server: "https://my-server.com:8082" # Server URL
mdns: true # Enable mDNS discovery
certificate: "/path/to/server-cert.pem" # Server certificate
nv_index: "0x1500000" # TPM NV index (offline mode)
c_index: "0x1500001" # TPM certificate index
tpm_device: "/dev/tpmrm0" # TPM device path`,
Example: ` # Get TPM hash for this device (default)
kcrypt-discovery-challenger
# Get passphrase for encrypted partition
kcrypt-discovery-challenger get --partition-name=/dev/sda2
# Clean up TPM NV memory (useful for development)
kcrypt-discovery-challenger cleanup
# Run plugin event
kcrypt-discovery-challenger discovery.password`,
RunE: func(cmd *cobra.Command, args []string) error {
return runTPMHash()
},
}
// newCleanupCmd creates the cleanup command
func newCleanupCmd() *cobra.Command {
var nvIndex string
var tpmDevice string
var skipConfirmation bool
cmd := &cobra.Command{
Use: "cleanup",
Short: "Clean up TPM NV memory",
Long: `Clean up TPM NV memory by undefining specific NV indices.
⚠️ DANGER: This command removes encryption passphrases from TPM memory!
⚠️ If you delete the wrong index, your encrypted disk may become UNBOOTABLE!
This command helps clean up TPM NV memory used by the local pass flow,
which stores encrypted passphrases in TPM non-volatile memory. Without
cleanup, these passphrases persist indefinitely and take up space.
The command will prompt for confirmation before deletion unless you use
the --i-know-what-i-am-doing flag to skip the safety prompt.
Default behavior:
- Uses the same NV index as the local pass flow (from config or 0x1500000)
- Uses the same TPM device as configured (or system default if none specified)
- Prompts for confirmation with safety warnings`,
Example: ` # Clean up default NV index (with confirmation prompt)
kcrypt-discovery-challenger cleanup
# Clean up specific NV index
kcrypt-discovery-challenger cleanup --nv-index=0x1500001
# Clean up with specific TPM device
kcrypt-discovery-challenger cleanup --tpm-device=/dev/tpmrm0
# Skip confirmation prompt (DANGEROUS!)
kcrypt-discovery-challenger cleanup --i-know-what-i-am-doing`,
RunE: func(cmd *cobra.Command, args []string) error {
return runCleanup(nvIndex, tpmDevice, skipConfirmation)
},
}
cmd.Flags().StringVar(&nvIndex, "nv-index", "", fmt.Sprintf("NV index to clean up (defaults to configured index or %s)", client.DefaultNVIndex))
cmd.Flags().StringVar(&tpmDevice, "tpm-device", "", "TPM device path (defaults to configured device or system default)")
cmd.Flags().BoolVar(&skipConfirmation, "i-know-what-i-am-doing", false, "Skip confirmation prompt (DANGEROUS: may make encrypted disks unbootable)")
return cmd
}
// newGetCmd creates the get command with its flags
func newGetCmd() *cobra.Command {
flags := &GetFlags{}
cmd := &cobra.Command{
Use: "get",
Short: "Get passphrase for encrypted partition",
Long: `Get passphrase for encrypted partition using TPM attestation.
This command retrieves passphrases for encrypted partitions by communicating
with a challenger server using TPM-based attestation. At least one partition
identifier (name, UUID, or label) must be provided.
The command uses configuration from the root command's config files, but flags
can override specific settings:
--challenger-server Override kcrypt.challenger.challenger_server
--mdns Override kcrypt.challenger.mdns
--certificate Override kcrypt.challenger.certificate`,
Example: ` # Get passphrase using partition name
kcrypt-discovery-challenger get --partition-name=/dev/sda2
# Get passphrase using UUID
kcrypt-discovery-challenger get --partition-uuid=12345-abcde
# Get passphrase using filesystem label
kcrypt-discovery-challenger get --partition-label=encrypted-data
# Get passphrase with multiple identifiers
kcrypt-discovery-challenger get --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data
# Get passphrase with custom server
kcrypt-discovery-challenger get --partition-label=encrypted-data --challenger-server=https://my-server.com:8082`,
PreRunE: func(cmd *cobra.Command, args []string) error {
// Validate that at least one partition identifier is provided
if flags.PartitionName == "" && flags.PartitionUUID == "" && flags.PartitionLabel == "" {
return fmt.Errorf("at least one of --partition-name, --partition-uuid, or --partition-label must be provided")
}
return nil
},
RunE: func(cmd *cobra.Command, args []string) error {
return runGetPassphrase(flags)
},
}
// Register flags
cmd.Flags().StringVar(&flags.PartitionName, "partition-name", "", "Name of the partition (at least one identifier required)")
cmd.Flags().StringVar(&flags.PartitionUUID, "partition-uuid", "", "UUID of the partition (at least one identifier required)")
cmd.Flags().StringVar(&flags.PartitionLabel, "partition-label", "", "Filesystem label of the partition (at least one identifier required)")
cmd.Flags().IntVar(&flags.Attempts, "attempts", 30, "Number of attempts to get the passphrase")
cmd.Flags().StringVar(&flags.ChallengerServer, "challenger-server", "", "URL of the challenger server (overrides config)")
cmd.Flags().BoolVar(&flags.EnableMDNS, "mdns", false, "Enable mDNS discovery (overrides config)")
cmd.Flags().StringVar(&flags.ServerCertificate, "certificate", "", "Server certificate for verification (overrides config)")
return cmd
}
// pluginCmd represents the plugin event commands
var pluginCmd = &cobra.Command{
Use: string(bus.EventDiscoveryPassword),
Short: fmt.Sprintf("Run %s plugin event", bus.EventDiscoveryPassword),
Long: fmt.Sprintf(`Run the %s plugin event.
This command runs in plugin mode, reading JSON partition data from stdin
and outputting the passphrase to stdout. This is used for integration
with kcrypt and other tools.`, bus.EventDiscoveryPassword),
Example: fmt.Sprintf(` # Plugin mode (for integration with kcrypt)
echo '{"data": "{\"name\": \"/dev/sda2\", \"uuid\": \"12345-abcde\", \"label\": \"encrypted-data\"}"}' | kcrypt-discovery-challenger %s`, bus.EventDiscoveryPassword),
RunE: func(cmd *cobra.Command, args []string) error {
return runPluginMode()
},
}
func init() {
// Global/persistent flags (available to all commands)
rootCmd.PersistentFlags().BoolVar(&debug, "debug", false, "Enable debug logging")
// Add subcommands
rootCmd.AddCommand(newGetCmd())
rootCmd.AddCommand(newCleanupCmd())
rootCmd.AddCommand(pluginCmd)
}
func main() {
if err := rootCmd.Execute(); err != nil {
if len(os.Args) >= 2 && isEventDefined(os.Args[1]) {
c, err := client.NewClient()
checkErr(err)
checkErr(c.Start())
return
}
pubhash, err := tpm.GetPubHash()
checkErr(err)
fmt.Print(pubhash)
}
func checkErr(err error) {
if err != nil {
fmt.Println(err)
os.Exit(1)
}
}
// ExecuteWithArgs executes the root command with the given arguments.
// This function is used by tests to simulate CLI execution.
func ExecuteWithArgs(args []string) error {
// Set command arguments (this overrides os.Args)
rootCmd.SetArgs(args)
return rootCmd.Execute()
}
// runTPMHash handles the root command - TPM hash generation
func runTPMHash() error {
// Create logger based on debug flag
var logger types.KairosLogger
if debug {
logger = types.NewKairosLogger("kcrypt-discovery-challenger", "debug", false)
logger.Debugf("Debug mode enabled for TPM hash generation")
} else {
logger = types.NewKairosLogger("kcrypt-discovery-challenger", "error", false)
}
// Initialize AK Manager with the standard handle file
logger.Debugf("Initializing AK Manager with handle file: %s", constants.AKBlobFile)
akManager, err := tpm.NewAKManager(tpm.WithAKHandleFile(constants.AKBlobFile))
if err != nil {
return fmt.Errorf("creating AK manager: %w", err)
}
logger.Debugf("AK Manager initialized successfully")
// Ensure AK exists (create if necessary)
logger.Debugf("Getting or creating AK")
_, err = akManager.GetOrCreateAK()
if err != nil {
return fmt.Errorf("getting/creating AK: %w", err)
}
logger.Debugf("AK obtained/created successfully")
// Get attestation data (includes EK)
logger.Debugf("Getting attestation data")
ek, _, err := akManager.GetAttestationData()
if err != nil {
return fmt.Errorf("getting attestation data: %w", err)
}
logger.Debugf("Attestation data retrieved successfully")
// Compute TPM hash from EK
logger.Debugf("Computing TPM hash from EK")
tpmHash, err := tpm.DecodePubHash(ek)
if err != nil {
return fmt.Errorf("computing TPM hash: %w", err)
}
logger.Debugf("TPM hash computed successfully: %s", tpmHash)
// Output the TPM hash to stdout
fmt.Print(tpmHash)
return nil
}
// runGetPassphrase handles the get subcommand - passphrase retrieval
func runGetPassphrase(flags *GetFlags) error {
// Create logger based on debug flag
var logger types.KairosLogger
if debug {
logger = types.NewKairosLogger("kcrypt-discovery-challenger", "debug", false)
} else {
logger = types.NewKairosLogger("kcrypt-discovery-challenger", "error", false)
}
// Create client with potential CLI overrides
c, err := createClientWithOverrides(flags.ChallengerServer, flags.EnableMDNS, flags.ServerCertificate, logger)
if err != nil {
return fmt.Errorf("creating client: %w", err)
}
// Create partition object
partition := &block.Partition{
Name: flags.PartitionName,
UUID: flags.PartitionUUID,
FilesystemLabel: flags.PartitionLabel,
}
// Log partition information
logger.Debugf("Partition details:")
logger.Debugf(" Name: %s", partition.Name)
logger.Debugf(" UUID: %s", partition.UUID)
logger.Debugf(" Label: %s", partition.FilesystemLabel)
logger.Debugf(" Attempts: %d", flags.Attempts)
// Get the passphrase using the same backend logic as the plugin
fmt.Fprintf(os.Stderr, "Requesting passphrase for partition %s (UUID: %s, Label: %s)...\n",
flags.PartitionName, flags.PartitionUUID, flags.PartitionLabel)
passphrase, err := c.GetPassphrase(partition, flags.Attempts)
if err != nil {
return fmt.Errorf("getting passphrase: %w", err)
}
// Output the passphrase to stdout (this is what tools expect)
fmt.Print(passphrase)
fmt.Fprintf(os.Stderr, "\nPassphrase retrieved successfully\n")
return nil
}
// runPluginMode handles plugin event commands
func runPluginMode() error {
// In plugin mode, use quiet=true to log to file instead of console
// Log level depends on debug flag, write logs to /var/log/kairos/kcrypt-discovery-challenger.log
var logLevel string
if debug {
logLevel = "debug"
} else {
logLevel = "error"
}
logger := types.NewKairosLogger("kcrypt-discovery-challenger", logLevel, true)
c, err := client.NewClientWithLogger(logger)
if err != nil {
return fmt.Errorf("creating client: %w", err)
}
err = c.Start()
if err != nil {
return fmt.Errorf("starting plugin: %w", err)
}
return nil
}
// createClientWithOverrides creates a client and applies CLI flag overrides to the config
func createClientWithOverrides(serverURL string, enableMDNS bool, certificate string, logger types.KairosLogger) (*client.Client, error) {
// Start with the default config from files and pass the logger
c, err := client.NewClientWithLogger(logger)
if err != nil {
return nil, err
}
// Log the original configuration values
logger.Debugf("Original configuration:")
logger.Debugf(" Server: %s", c.Config.Kcrypt.Challenger.Server)
logger.Debugf(" MDNS: %t", c.Config.Kcrypt.Challenger.MDNS)
logger.Debugf(" Certificate: %s", maskSensitiveString(c.Config.Kcrypt.Challenger.Certificate))
// Apply CLI overrides if provided
if serverURL != "" {
logger.Debugf("Overriding server URL: %s -> %s", c.Config.Kcrypt.Challenger.Server, serverURL)
c.Config.Kcrypt.Challenger.Server = serverURL
}
// For boolean flags, we can directly use the value since Cobra handles it properly
if enableMDNS {
logger.Debugf("Overriding MDNS setting: %t -> %t", c.Config.Kcrypt.Challenger.MDNS, enableMDNS)
c.Config.Kcrypt.Challenger.MDNS = enableMDNS
}
if certificate != "" {
logger.Debugf("Overriding certificate: %s -> %s",
maskSensitiveString(c.Config.Kcrypt.Challenger.Certificate),
maskSensitiveString(certificate))
c.Config.Kcrypt.Challenger.Certificate = certificate
}
// Log the final configuration values
logger.Debugf("Final configuration:")
logger.Debugf(" Server: %s", c.Config.Kcrypt.Challenger.Server)
logger.Debugf(" MDNS: %t", c.Config.Kcrypt.Challenger.MDNS)
logger.Debugf(" Certificate: %s", maskSensitiveString(c.Config.Kcrypt.Challenger.Certificate))
return c, nil
}
// runCleanup handles the cleanup subcommand - TPM NV memory cleanup
func runCleanup(nvIndex, tpmDevice string, skipConfirmation bool) error {
// Create logger based on debug flag
var logger types.KairosLogger
if debug {
logger = types.NewKairosLogger("kcrypt-discovery-challenger", "debug", false)
logger.Debugf("Debug mode enabled for TPM NV cleanup")
} else {
logger = types.NewKairosLogger("kcrypt-discovery-challenger", "error", false)
}
// Load configuration to get defaults if flags not provided
var config client.Config
c, err := client.NewClientWithLogger(logger)
if err != nil {
logger.Debugf("Warning: Could not load configuration: %v", err)
// Continue with defaults - not a fatal error
} else {
config = c.Config
}
// Determine NV index to clean up (follow same pattern as localPass/genAndStore)
targetIndex := nvIndex
if targetIndex == "" {
// First check config, then fall back to the same default used by the local pass flow
if config.Kcrypt.Challenger.NVIndex != "" {
targetIndex = config.Kcrypt.Challenger.NVIndex
} else {
targetIndex = client.DefaultNVIndex
// isEventDefined checks whether an event is defined in the bus.
// It accepts strings or EventType, returns a boolean indicating that
// the event was defined among the events emitted by the bus.
func isEventDefined(i interface{}) bool {
checkEvent := func(e pluggable.EventType) bool {
if e == bus.EventDiscoveryPassword {
return true
}
return false
}
// Determine TPM device
targetDevice := tpmDevice
if targetDevice == "" && config.Kcrypt.Challenger.TPMDevice != "" {
targetDevice = config.Kcrypt.Challenger.TPMDevice
switch f := i.(type) {
case string:
return checkEvent(pluggable.EventType(f))
case pluggable.EventType:
return checkEvent(f)
default:
return false
}
logger.Debugf("Cleaning up TPM NV index: %s", targetIndex)
if targetDevice != "" {
logger.Debugf("Using TPM device: %s", targetDevice)
}
// Check if the NV index exists first
opts := []tpm.TPMOption{tpm.WithIndex(targetIndex)}
if targetDevice != "" {
opts = append(opts, tpm.WithDevice(targetDevice))
}
// Try to read from the index to see if it exists
logger.Debugf("Checking if NV index %s exists", targetIndex)
_, err = tpm.ReadBlob(opts...)
if err != nil {
// If we can't read it, it might not exist or be empty
logger.Debugf("NV index %s appears to be empty or non-existent: %v", targetIndex, err)
fmt.Printf("NV index %s appears to be empty or does not exist\n", targetIndex)
return nil
}
// Confirmation prompt with warning
if !skipConfirmation {
fmt.Printf("\n⚠ WARNING: You are about to delete TPM NV index %s\n", targetIndex)
fmt.Printf("⚠️ If this index contains your disk encryption passphrase, your encrypted disk will become UNBOOTABLE!\n")
fmt.Printf("⚠️ This action CANNOT be undone.\n\n")
fmt.Printf("Are you sure you want to continue? (type 'yes' to confirm): ")
scanner := bufio.NewScanner(os.Stdin)
scanner.Scan()
response := strings.TrimSpace(strings.ToLower(scanner.Text()))
if response != "yes" {
fmt.Printf("Cleanup cancelled.\n")
return nil
}
}
// Use native Go TPM library to undefine the NV space
logger.Debugf("Using native TPM library to undefine NV index")
fmt.Printf("Cleaning up TPM NV index %s...\n", targetIndex)
err = tpm.UndefineBlob(opts...)
if err != nil {
return fmt.Errorf("failed to undefine NV index %s: %w", targetIndex, err)
}
fmt.Printf("Successfully cleaned up NV index %s\n", targetIndex)
logger.Debugf("Successfully undefined NV index %s", targetIndex)
return nil
}
// maskSensitiveString masks certificate paths/content for logging
func maskSensitiveString(s string) string {
if s == "" {
return "<empty>"
}
if len(s) <= 10 {
return strings.Repeat("*", len(s))
}
// Show first 3 and last 3 characters with * in between
return s[:3] + strings.Repeat("*", len(s)-6) + s[len(s)-3:]
}

34
config/crd/bases/keyserver.kairos.io_sealedvolumes.yaml
View File

@@ -37,40 +37,6 @@ spec:
properties:
TPMHash:
type: string
attestation:
description: AttestationSpec defines TPM attestation data for TOFU
enrollment and verification
properties:
akPublicKey:
description: AKPublicKey stores the Attestation Key public key
in PEM format
type: string
ekPublicKey:
description: EKPublicKey stores the Endorsement Key public key
in PEM format
type: string
enrolledAt:
description: EnrolledAt timestamp when this TPM was first enrolled
format: date-time
type: string
lastVerifiedAt:
description: LastVerifiedAt timestamp of the last successful attestation
format: date-time
type: string
pcrValues:
description: PCRValues stores the expected PCR values for boot
state verification
properties:
pcrs:
additionalProperties:
type: string
description: 'PCRs is a flexible map of PCR index (as string)
to PCR value (hex-encoded) Example: {"0": "a1b2c3...", "7":
"d4e5f6...", "11": "g7h8i9..."} This allows for any combination
of PCRs without hardcoding specific indices'
type: object
type: object
type: object
partitions:
items:
description: 'PartitionSpec defines a Partition. A partition can

5
config/default/kustomization.yaml
View File

@@ -25,6 +25,11 @@ bases:
#- ../prometheus
patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
# Mount the controller config file for loading manager configurations
# through a ComponentConfig type
#- manager_config_patch.yaml

39
config/default/manager_auth_proxy_patch.yaml Normal file
View File

@@ -0,0 +1,39 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- name: manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"

4
config/dev/kustomization.yaml
View File

@@ -25,6 +25,10 @@ bases:
#- ../prometheus
patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
- pull.yaml
# Mount the controller config file for loading manager configurations
# through a ComponentConfig type

39
config/dev/manager_auth_proxy_patch.yaml Normal file
View File

@@ -0,0 +1,39 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- name: manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"

2
config/dev/pull.yaml
View File

@@ -9,6 +9,4 @@ spec:
containers:
- name: manager
imagePullPolicy: IfNotPresent
- name: kube-rbac-proxy
imagePullPolicy: IfNotPresent

33
config/manager/manager.yaml
View File

@@ -34,41 +34,10 @@ spec:
# seccompProfile:
# type: RuntimeDefault
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- command:
- /manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
- "--namespace=$(POD_NAMESPACE)"
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- --leader-elect
image: controller:latest
name: manager
securityContext:

3
controllers/suite_test.go
View File

@@ -69,7 +69,8 @@ var _ = BeforeSuite(func() {
k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
Expect(err).NotTo(HaveOccurred())
Expect(k8sClient).NotTo(BeNil())
})
}, 60)
var _ = AfterSuite(func() {
By("tearing down the test environment")

64
examples/cli-usage.sh
View File

@@ -1,64 +0,0 @@
#!/bin/bash
# Example script demonstrating the new CLI interface for kcrypt-challenger
# This makes testing and debugging much easier than using the plugin interface
echo "=== kcrypt-challenger CLI Examples ==="
echo
# Build the binary if it doesn't exist
if [ ! -f "./kcrypt-discovery-challenger" ]; then
echo "Building kcrypt-discovery-challenger..."
go build -o kcrypt-discovery-challenger ./cmd/discovery/
echo
fi
echo "1. Show help:"
./kcrypt-discovery-challenger --help
echo
echo "2. Show version:"
./kcrypt-discovery-challenger --version
echo
echo "3. Test CLI mode with example parameters (will fail without server, but shows the flow):"
echo " Command: ./kcrypt-discovery-challenger --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data --attempts=1"
echo " Expected: Error connecting to server, but flow detection should work"
echo
./kcrypt-discovery-challenger --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data --attempts=1 2>&1 || true
echo
echo "4. Test CLI mode with configuration overrides:"
echo " Command: ./kcrypt-discovery-challenger --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data --challenger-server=https://custom-server.com:8082 --mdns=true --attempts=1"
echo " Expected: Same error but with custom server configuration"
echo
./kcrypt-discovery-challenger --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data --challenger-server=https://custom-server.com:8082 --mdns=true --attempts=1 2>&1 || true
echo
echo "4. Check the log file for flow detection:"
if [ -f "/tmp/kcrypt-challenger-client.log" ]; then
echo " Log contents:"
cat /tmp/kcrypt-challenger-client.log
echo
else
echo " No log file found"
fi
echo "5. Test plugin mode (for comparison):"
echo " Command: echo '{\"data\": \"{\\\"name\\\": \\\"/dev/sda2\\\", \\\"uuid\\\": \\\"12345-abcde\\\", \\\"filesystemLabel\\\": \\\"encrypted-data\\\"}\"}' | ./kcrypt-discovery-challenger discovery.password"
echo " Expected: Same behavior as CLI mode"
echo
echo '{"data": "{\"name\": \"/dev/sda2\", \"uuid\": \"12345-abcde\", \"filesystemLabel\": \"encrypted-data\"}"}' | ./kcrypt-discovery-challenger discovery.password 2>&1 || true
echo
echo "=== Summary ==="
echo "✅ CLI interface successfully created"
echo "✅ Full compatibility with plugin mode maintained"
echo "✅ Same backend logic used for both interfaces"
echo "✅ Flow detection works in both modes"
echo ""
echo "Benefits:"
echo "- Much easier testing during development"
echo "- Can be used for debugging in production"
echo "- Clear command-line interface with help and examples"
echo "- Maintains full compatibility with kcrypt integration"

22
go.mod
View File

@@ -2,25 +2,21 @@ module github.com/kairos-io/kairos-challenger
go 1.25
replace github.com/kairos-io/tpm-helpers => github.com/kairos-io/tpm-helpers v0.0.0-20250924104130-49f51e390ef3
//replace github.com/kairos-io/tpm-helpers => /home/dimitris/workspace/kairos/tpm-helpers
require (
github.com/go-logr/logr v1.4.3
github.com/google/go-attestation v0.5.1
github.com/google/uuid v1.6.0
github.com/gorilla/websocket v1.5.3
github.com/hashicorp/mdns v1.0.6
github.com/jaypipes/ghw v0.19.1
github.com/kairos-io/kairos-sdk v0.10.1
github.com/kairos-io/tpm-helpers v0.0.0-20240123063624-f7a3fcc66199
github.com/kairos-io/tpm-helpers v0.0.0-20250917111550-e914e08a09c2
github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5
github.com/mudler/go-processmanager v0.0.0-20240820160718-8b802d3ecf82
github.com/mudler/yip v1.18.0
github.com/onsi/ginkgo/v2 v2.25.3
github.com/onsi/gomega v1.38.2
github.com/pkg/errors v0.9.1
github.com/spectrocloud/peg v0.0.0-20240405075800-c5da7125e30f
github.com/spf13/cobra v1.10.1
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.27.2
k8s.io/apimachinery v0.27.4
@@ -38,6 +34,7 @@ require (
github.com/Masterminds/sprig/v3 v3.3.0 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/Microsoft/hcsshim v0.12.9 // indirect
github.com/StackExchange/wmi v1.2.1 // indirect
github.com/avast/retry-go v3.0.0+incompatible // indirect
github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59 // indirect
github.com/beorn7/perks v1.0.1 // indirect
@@ -68,6 +65,7 @@ require (
github.com/emicklei/go-restful/v3 v3.10.1 // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-logr/zapr v1.2.4 // indirect
@@ -81,11 +79,11 @@ require (
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/certificate-transparency-go v1.1.4 // indirect
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/go-configfs-tsm v0.3.3 // indirect
github.com/google/go-containerregistry v0.20.6 // indirect
github.com/google/go-tpm v0.9.1 // indirect
github.com/google/go-tpm-tools v0.4.4 // indirect
github.com/google/go-tpm v0.3.3 // indirect
github.com/google/go-tpm-tools v0.3.10 // indirect
github.com/google/go-tspi v0.3.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
@@ -95,7 +93,6 @@ require (
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/huandu/xstrings v1.5.0 // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/ipfs/go-log v1.0.5 // indirect
github.com/ipfs/go-log/v2 v2.5.1 // indirect
github.com/itchyny/gojq v0.12.17 // indirect
@@ -126,7 +123,6 @@ require (
github.com/opencontainers/image-spec v1.1.1 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
github.com/prometheus/client_golang v1.20.2 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
@@ -141,7 +137,7 @@ require (
github.com/shopspring/decimal v1.4.0 // indirect
github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
github.com/spf13/cast v1.7.1 // indirect
github.com/spf13/pflag v1.0.9 // indirect
github.com/spf13/pflag v1.0.6 // indirect
github.com/tklauser/go-sysconf v0.3.12 // indirect
github.com/tklauser/numcpus v0.6.1 // indirect
github.com/twpayne/go-vfs/v4 v4.3.0 // indirect
@@ -157,7 +153,7 @@ require (
go.opentelemetry.io/otel/trace v1.36.0 // indirect
go.uber.org/atomic v1.10.0 // indirect
go.uber.org/automaxprocs v1.6.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/multierr v1.9.0 // indirect
go.uber.org/zap v1.24.0 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.42.0 // indirect

617
go.sum
View File

File diff suppressed because it is too large Load Diff

1036
pkg/challenger/challenger.go
View File

File diff suppressed because it is too large Load Diff

10
pkg/challenger/challenger_test.go
View File

@@ -38,7 +38,7 @@ var _ = Describe("challenger", func() {
})
It("returns the sealed volume data", func() {
volumeData, _ := findVolumeFor(requestData, volumeList)
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).ToNot(BeNil())
Expect(volumeData.Quarantined).To(BeFalse())
Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -67,7 +67,7 @@ var _ = Describe("challenger", func() {
})
It("doesn't match a request with an empty field", func() {
volumeData, _ := findVolumeFor(requestData, volumeList)
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).To(BeNil())
})
})
@@ -86,7 +86,7 @@ var _ = Describe("challenger", func() {
})
It("returns the sealed volume data", func() {
volumeData, _ := findVolumeFor(requestData, volumeList)
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).ToNot(BeNil())
Expect(volumeData.Quarantined).To(BeFalse())
Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -108,7 +108,7 @@ var _ = Describe("challenger", func() {
})
It("returns the sealed volume data", func() {
volumeData, _ := findVolumeFor(requestData, volumeList)
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).ToNot(BeNil())
Expect(volumeData.Quarantined).To(BeFalse())
Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -130,7 +130,7 @@ var _ = Describe("challenger", func() {
})
It("returns nil sealedVolumeData", func() {
volumeData, _ := findVolumeFor(requestData, volumeList)
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).To(BeNil())
})
})

1
pkg/constants/secret.go
View File

@@ -2,4 +2,3 @@ package constants
const TPMSecret = "tpm"
const GeneratedByKey = "generated_by"
const AKBlobFile = "/etc/kairos/ak.blob"