Revert "Change function return style"

This reverts commit 968ff53267.

cmd/discovery/client/client.go

@@ -1,25 +1,25 @@
 package client
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
 	"time"
 
 	"github.com/jaypipes/ghw/pkg/block"
-	"github.com/kairos-io/go-tpm"
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
+	"github.com/kairos-io/kairos-challenger/pkg/payload"
 	"github.com/kairos-io/kcrypt/pkg/bus"
-	kconfig "github.com/kairos-io/kcrypt/pkg/config"
+	"github.com/kairos-io/tpm-helpers"
 	"github.com/mudler/go-pluggable"
-	"github.com/pkg/errors"
+	"github.com/mudler/yip/pkg/utils"
 )
 
-type Client struct {
+var errPartNotFound error = fmt.Errorf("pass for partition not found")
-	Config kconfig.Config
-}
 
 func NewClient() (*Client, error) {
-	conf, err := kconfig.GetConfiguration(kconfig.ConfigScanDirs)
+	conf, err := unmarshalConfig()
 	if err != nil {
 		return nil, err
 	}
@@ -58,45 +58,81 @@ func (c *Client) Start() error {
 	return factory.Run(pluggable.EventType(os.Args[1]), os.Stdin, os.Stdout)
 }
 
+func (c *Client) generatePass(postEndpoint string, p *block.Partition) error {
+
+	rand := utils.RandomString(32)
+	pass, err := tpm.EncryptBlob([]byte(rand))
+	if err != nil {
+		return err
+	}
+	bpass := base64.RawURLEncoding.EncodeToString(pass)
+
+	opts := []tpm.Option{
+		tpm.WithAdditionalHeader("label", p.Label),
+		tpm.WithAdditionalHeader("name", p.Name),
+		tpm.WithAdditionalHeader("uuid", p.UUID),
+	}
+	conn, err := tpm.Connection(postEndpoint, opts...)
+	if err != nil {
+		return err
+	}
+
+	return conn.WriteJSON(payload.Data{Passphrase: bpass, GeneratedBy: constants.TPMSecret})
+}
+
 func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err error) {
-	// TODO: Why are we retrying?
+	// IF we don't have any server configured, just do local
-	// We don't need to retry if there is no matching secret.
+	if c.Config.Kcrypt.Challenger.Server == "" {
-	// TODO: Check if the request was successful and if the error was about
+		return localPass(c.Config)
-	// non-matching sealed volume, let's not retry.
+	}
+
+	challengeEndpoint := fmt.Sprintf("%s/getPass", c.Config.Kcrypt.Challenger.Server)
+	postEndpoint := fmt.Sprintf("%s/postPass", c.Config.Kcrypt.Challenger.Server)
+
 	for tries := 0; tries < attempts; tries++ {
-		if c.Config.Kcrypt.Server == "" {
+		var generated bool
-			err = fmt.Errorf("no server configured")
+		pass, generated, err = getPass(challengeEndpoint, p)
+		if err == errPartNotFound {
+			// IF server doesn't have a pass for us, then we generate one and we set it
+			err = c.generatePass(postEndpoint, p)
+			if err != nil {
+				return
+			}
+			// Attempt to fetch again - validate that the server has it now
+			tries = 0
 			continue
 		}
+		if generated { // passphrase is encrypted
+			return c.decryptPassphrase(pass)
+		}
 
-		pass, err = c.getPass(c.Config.Kcrypt.Server, p)
+		if err == nil || err == errPartNotFound { // passphrase not encrypted or not available
-		if pass != "" || err == nil {
 			return
 		}
-		if err != nil {
+
-			return
+		time.Sleep(1 * time.Second) // network errors? retry
-		}
-		time.Sleep(1 * time.Second)
 	}
+
 	return
 }
 
-func (c *Client) getPass(server string, partition *block.Partition) (string, error) {
+// decryptPassphrase decodes (base64) and decrypts the passphrase returned
-	msg, err := tpm.Get(server,
+// by the challenger server.
-		tpm.WithAdditionalHeader("label", partition.Label),
+func (c *Client) decryptPassphrase(pass string) (string, error) {
-		tpm.WithAdditionalHeader("name", partition.Name),
+	blob, err := base64.RawURLEncoding.DecodeString(pass)
-		tpm.WithAdditionalHeader("uuid", partition.UUID))
 	if err != nil {
 		return "", err
 	}
-	result := map[string]interface{}{}
+
-	err = json.Unmarshal(msg, &result)
+	// Decrypt and return it to unseal the LUKS volume
-	if err != nil {
+	opts := []tpm.TPMOption{}
-		return "", errors.Wrap(err, string(msg))
+	if c.Config.Kcrypt.Challenger.CIndex != "" {
+		opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.Challenger.CIndex))
 	}
-	p, ok := result["passphrase"]
+	if c.Config.Kcrypt.Challenger.TPMDevice != "" {
-	if ok {
+		opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.Challenger.TPMDevice))
-		return fmt.Sprint(p), nil
 	}
-	return "", fmt.Errorf("pass for partition not found")
+	passBytes, err := tpm.DecryptBlob(blob, opts...)
+
+	return string(passBytes), err
 }

cmd/discovery/client/config.go

@@ -0,0 +1,38 @@
+package client
+
+import (
+	"github.com/kairos-io/kairos/pkg/config"
+	kconfig "github.com/kairos-io/kcrypt/pkg/config"
+)
+
+type Client struct {
+	Config Config
+}
+
+type Config struct {
+	Kcrypt struct {
+		Challenger struct {
+			Server string `yaml:"challenger_server,omitempty"`
+			// Non-volatile index memory: where we store the encrypted passphrase (offline mode)
+			NVIndex string `yaml:"nv_index,omitempty"`
+			// Certificate index: this is where the rsa pair that decrypts the passphrase lives
+			CIndex    string `yaml:"c_index,omitempty"`
+			TPMDevice string `yaml:"tpm_device,omitempty"`
+		}
+	}
+}
+
+func unmarshalConfig() (Config, error) {
+	var result Config
+
+	c, err := config.Scan(config.Directories(kconfig.ConfigScanDirs...), config.NoLogs)
+	if err != nil {
+		return result, err
+	}
+
+	if err = c.Unmarshal(&result); err != nil {
+		return result, err
+	}
+
+	return result, nil
+}

cmd/discovery/client/enc.go

@@ -0,0 +1,93 @@
+package client
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
+	"github.com/kairos-io/kairos-challenger/pkg/payload"
+
+	"github.com/jaypipes/ghw/pkg/block"
+	"github.com/kairos-io/tpm-helpers"
+	"github.com/mudler/yip/pkg/utils"
+	"github.com/pkg/errors"
+)
+
+const DefaultNVIndex = "0x1500000"
+
+func getPass(server string, partition *block.Partition) (string, bool, error) {
+	msg, err := tpm.Get(server,
+		tpm.WithAdditionalHeader("label", partition.Label),
+		tpm.WithAdditionalHeader("name", partition.Name),
+		tpm.WithAdditionalHeader("uuid", partition.UUID))
+	if err != nil {
+		return "", false, err
+	}
+	result := payload.Data{}
+	err = json.Unmarshal(msg, &result)
+	if err != nil {
+		return "", false, errors.Wrap(err, string(msg))
+	}
+
+	if result.HasPassphrase() {
+		return fmt.Sprint(result.Passphrase), result.HasBeenGenerated() && result.GeneratedBy == constants.TPMSecret, nil
+	} else if result.HasError() {
+		if strings.Contains(result.Error, "No secret found for") {
+			return "", false, errPartNotFound
+		}
+		return "", false, fmt.Errorf(result.Error)
+	}
+
+	return "", false, errPartNotFound
+}
+
+func genAndStore(k Config) (string, error) {
+	opts := []tpm.TPMOption{}
+	if k.Kcrypt.Challenger.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
+	}
+	if k.Kcrypt.Challenger.CIndex != "" {
+		opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
+	}
+
+	// Generate a new one, and return it to luks
+	rand := utils.RandomString(32)
+	blob, err := tpm.EncryptBlob([]byte(rand))
+	if err != nil {
+		return "", err
+	}
+	nvindex := DefaultNVIndex
+	if k.Kcrypt.Challenger.NVIndex != "" {
+		nvindex = k.Kcrypt.Challenger.NVIndex
+	}
+	opts = append(opts, tpm.WithIndex(nvindex))
+	return rand, tpm.StoreBlob(blob, opts...)
+}
+
+func localPass(k Config) (string, error) {
+	index := DefaultNVIndex
+	if k.Kcrypt.Challenger.NVIndex != "" {
+		index = k.Kcrypt.Challenger.NVIndex
+	}
+	opts := []tpm.TPMOption{tpm.WithIndex(index)}
+	if k.Kcrypt.Challenger.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
+	}
+	encodedPass, err := tpm.ReadBlob(opts...)
+	if err != nil {
+		// Generate if we fail to read from the assigned blob
+		return genAndStore(k)
+	}
+
+	// Decode and give it back
+	opts = []tpm.TPMOption{}
+	if k.Kcrypt.Challenger.CIndex != "" {
+		opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
+	}
+	if k.Kcrypt.Challenger.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
+	}
+	pass, err := tpm.DecryptBlob(encodedPass, opts...)
+	return string(pass), err
+}

cmd/discovery/main.go

@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/kairos-io/go-tpm"
 	"github.com/kairos-io/kairos-challenger/cmd/discovery/client"
 	"github.com/kairos-io/kcrypt/pkg/bus"
+	"github.com/kairos-io/tpm-helpers"
 )
 
 func main() {

go.mod

@@ -5,13 +5,16 @@ go 1.18
 require (
 	github.com/gorilla/websocket v1.5.0
 	github.com/jaypipes/ghw v0.9.0
-	github.com/kairos-io/go-tpm v0.0.0-20221013145523-cc421fc8c33d
+	github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1
 	github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea
+	github.com/kairos-io/tpm-helpers v0.0.0-20230119140150-3fa97128ef6b
 	github.com/mudler/go-pluggable v0.0.0-20220716112424-189d463e3ff3
+	github.com/mudler/yip v0.11.4
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/ginkgo/v2 v2.7.0
 	github.com/onsi/gomega v1.25.0
 	github.com/pkg/errors v0.9.1
+	k8s.io/api v0.24.2
 	k8s.io/apimachinery v0.24.2
 	k8s.io/client-go v0.24.2
 	sigs.k8s.io/controller-runtime v0.12.2
@@ -27,6 +30,9 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/StackExchange/wmi v1.2.1 // indirect
@@ -40,7 +46,8 @@ require (
 	github.com/denisbrodbeck/machineid v1.0.1 // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
+	github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7 // indirect
+	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
@@ -52,44 +59,47 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/certificate-transparency-go v1.1.2 // indirect
+	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-attestation v0.4.3 // indirect
+	github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-tpm v0.3.3 // indirect
-	github.com/google/go-tpm-tools v0.3.2 // indirect
+	github.com/google/go-tpm-tools v0.3.10 // indirect
-	github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad // indirect
+	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gookit/color v1.5.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/itchyny/gojq v0.12.11 // indirect
 	github.com/itchyny/timefmt-go v0.1.5 // indirect
 	github.com/joho/godotenv v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1 // indirect
 	github.com/lithammer/fuzzysearch v1.1.5 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/mudler/yip v0.11.4 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
-	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_golang v1.13.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/pterm/pterm v0.12.53 // indirect
 	github.com/qeesung/image2ascii v1.0.1 // indirect
 	github.com/rivo/uniseg v0.4.3 // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/twpayne/go-vfs v1.7.2 // indirect
 	github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
@@ -103,7 +113,7 @@ require (
 	golang.org/x/sys v0.4.0 // indirect
 	golang.org/x/term v0.4.0 // indirect
 	golang.org/x/text v0.6.0 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
@@ -113,10 +123,9 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
-	k8s.io/api v0.24.2 // indirect
 	k8s.io/apiextensions-apiserver v0.24.2 // indirect
 	k8s.io/component-base v0.24.2 // indirect
-	k8s.io/klog/v2 v2.60.1 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect

pkg/challenger/challenger.go

@@ -4,15 +4,21 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"net/http"
+	"strings"
 	"time"
 
 	keyserverv1alpha1 "github.com/kairos-io/kairos-challenger/api/v1alpha1"
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
+	"github.com/kairos-io/kairos-challenger/pkg/payload"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	tpm "github.com/kairos-io/go-tpm"
 	"github.com/kairos-io/kairos-challenger/controllers"
+	tpm "github.com/kairos-io/tpm-helpers"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 
@@ -32,6 +38,9 @@ type SealedVolumeData struct {
 	Quarantined bool
 	SecretName  string
 	SecretPath  string
+
+	PartitionLabel string
+	VolumeName     string
 }
 
 var upgrader = websocket.Upgrader{
@@ -39,6 +48,24 @@ var upgrader = websocket.Upgrader{
 	WriteBufferSize: 1024,
 }
 
+func cleanKubeName(s string) (d string) {
+	d = strings.ReplaceAll(s, "_", "-")
+	d = strings.ToLower(d)
+	return
+}
+
+func (s SealedVolumeData) DefaultSecret() (string, string) {
+	secretName := fmt.Sprintf("%s-%s", s.VolumeName, s.PartitionLabel)
+	secretPath := "passphrase"
+	if s.SecretName != "" {
+		secretName = s.SecretName
+	}
+	if s.SecretPath != "" {
+		secretPath = s.SecretPath
+	}
+	return cleanKubeName(secretName), cleanKubeName(secretPath)
+}
+
 func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {
 	writer, err := conn.NextWriter(websocket.BinaryMessage)
 	if err != nil {
@@ -61,6 +88,15 @@ func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {
 	return ioutil.ReadAll(reader)
 }
 
+func getPubHash(token string) (string, error) {
+	ek, _, err := tpm.GetAttestationData(token)
+	if err != nil {
+		return "", err
+	}
+
+	return tpm.DecodePubHash(ek)
+}
+
 func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *controllers.SealedVolumeReconciler, namespace, address string) {
 	fmt.Println("Challenger started at", address)
 	s := http.Server{
@@ -71,7 +107,103 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 
 	m := http.NewServeMux()
 
-	m.HandleFunc("/challenge", func(w http.ResponseWriter, r *http.Request) {
+	errorMessage := func(writer io.WriteCloser, errMsg string) {
+		err := json.NewEncoder(writer).Encode(payload.Data{Error: errMsg})
+		if err != nil {
+			fmt.Println("error encoding the response to json", err.Error())
+		}
+		fmt.Println(errMsg)
+	}
+
+	m.HandleFunc("/postPass", func(w http.ResponseWriter, r *http.Request) {
+		conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
+		for {
+
+			fmt.Println("Receiving passphrase")
+			if err := tpm.AuthRequest(r, conn); err != nil {
+				fmt.Println("error", err.Error())
+				return
+			}
+			defer conn.Close()
+			fmt.Println("[Receiving passphrase] auth succeeded")
+
+			token := r.Header.Get("Authorization")
+
+			hashEncoded, err := getPubHash(token)
+			if err != nil {
+				fmt.Println("error decoding pubhash", err.Error())
+				return
+			}
+			fmt.Println("[Receiving passphrase] pubhash", hashEncoded)
+
+			label := r.Header.Get("label")
+			name := r.Header.Get("name")
+			uuid := r.Header.Get("uuid")
+			v := &payload.Data{}
+
+			volumeList := &keyserverv1alpha1.SealedVolumeList{}
+			if err := reconciler.List(ctx, volumeList, &client.ListOptions{Namespace: namespace}); err != nil {
+				fmt.Println("Failed listing volumes")
+				fmt.Println(err)
+				continue
+			}
+
+			sealedVolumeData := findVolumeFor(PassphraseRequestData{
+				TPMHash:    hashEncoded,
+				Label:      label,
+				DeviceName: name,
+				UUID:       uuid,
+			}, volumeList)
+
+			if sealedVolumeData == nil {
+				fmt.Println("No TPM Hash found for", hashEncoded)
+				conn.Close()
+				return
+			}
+
+			if err := conn.ReadJSON(v); err != nil {
+				fmt.Println("error", err.Error())
+				return
+			}
+
+			if v.HasPassphrase() && !v.HasError() {
+				secretName, secretPath := sealedVolumeData.DefaultSecret()
+				_, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
+				if err != nil {
+					if !apierrors.IsNotFound(err) {
+						fmt.Printf("Failed getting secret: %s\n", err.Error())
+						continue
+					}
+
+					secret := corev1.Secret{
+						TypeMeta: v1.TypeMeta{
+							Kind:       "Secret",
+							APIVersion: "apps/v1",
+						},
+						ObjectMeta: v1.ObjectMeta{
+							Name:      secretName,
+							Namespace: namespace,
+						},
+						StringData: map[string]string{
+							secretPath:               v.Passphrase,
+							constants.GeneratedByKey: v.GeneratedBy,
+						},
+						Type: "Opaque",
+					}
+					_, err := kclient.CoreV1().Secrets(namespace).Create(ctx, &secret, v1.CreateOptions{})
+					if err != nil {
+						fmt.Println("failed during secret creation:", err.Error())
+					}
+				} else {
+					fmt.Println("Posted for already existing secret - ignoring")
+				}
+			} else {
+				fmt.Println("Invalid answer from client: doesn't contain any passphrase")
+			}
+		}
+	})
+
+	m.HandleFunc("/getPass", func(w http.ResponseWriter, r *http.Request) {
 		conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
 
 		for {
@@ -87,21 +219,19 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 			label := r.Header.Get("label")
 			name := r.Header.Get("name")
 			uuid := r.Header.Get("uuid")
-			ek, at, err := tpm.GetAttestationData(token)
-			if err != nil {
-				fmt.Println("Failed getting tpm token")
 
-				fmt.Println("error", err.Error())
+			if err := tpm.AuthRequest(r, conn); err != nil {
+				fmt.Println("error validating challenge", err.Error())
 				return
 			}
 
-			hashEncoded, err := tpm.DecodePubHash(ek)
+			hashEncoded, err := getPubHash(token)
 			if err != nil {
 				fmt.Println("error decoding pubhash", err.Error())
 				return
 			}
 
-			sealedVolumeData := findSecretFor(PassphraseRequestData{
+			sealedVolumeData := findVolumeFor(PassphraseRequestData{
 				TPMHash:    hashEncoded,
 				Label:      label,
 				DeviceName: name,
@@ -109,32 +239,28 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 			}, volumeList)
 
 			if sealedVolumeData == nil {
-				fmt.Println("No TPM Hash found for", hashEncoded)
+				writer, _ := conn.NextWriter(websocket.BinaryMessage)
+				errorMessage(writer, fmt.Sprintf("Invalid hash: %s", hashEncoded))
 				conn.Close()
 				return
 			}
 
-			secret, challenge, err := tpm.GenerateChallenge(ek, at)
-			if err != nil {
-				fmt.Println("error", err.Error())
-				return
-			}
-
-			resp, _ := writeRead(conn, challenge)
-
-			if err := tpm.ValidateChallenge(secret, resp); err != nil {
-				fmt.Println("error validating challenge", err.Error(), string(resp))
-				return
-			}
-			fmt.Println("challenge done")
-
 			writer, _ := conn.NextWriter(websocket.BinaryMessage)
-
 			if !sealedVolumeData.Quarantined {
-				secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, sealedVolumeData.SecretName, v1.GetOptions{})
+				secretName, secretPath := sealedVolumeData.DefaultSecret()
+
+				// 1. The admin sets a specific cleartext password from Kube manager
+				//      SealedVolume -> with a secret .
+				// 2. The admin just adds a SealedVolume associated with a TPM Hash ( you don't provide any passphrase )
+				// 3. There is no challenger server at all (offline mode)
+				//
+				secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
 				if err == nil {
-					passphrase := secret.Data[sealedVolumeData.SecretPath]
+					passphrase := secret.Data[secretPath]
-					err = json.NewEncoder(writer).Encode(map[string]string{"passphrase": string(passphrase)})
+					generatedBy := secret.Data[constants.GeneratedByKey]
+
+					p := payload.Data{Passphrase: string(passphrase), GeneratedBy: string(generatedBy)}
+					err = json.NewEncoder(writer).Encode(p)
 					if err != nil {
 						fmt.Println("error encoding the passphrase to json", err.Error(), string(passphrase))
 					}
@@ -148,9 +274,11 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 					}
 
 					return
+				} else {
+					errorMessage(writer, fmt.Sprintf("No secret found for %s and %s", hashEncoded, sealedVolumeData.PartitionLabel))
 				}
 			} else {
-				fmt.Println("error getting the secret", err.Error())
+				errorMessage(writer, fmt.Sprintf("quarantined: %s", sealedVolumeData.PartitionLabel))
 				if err = conn.Close(); err != nil {
 					fmt.Println("error closing the connection", err.Error())
 					return
@@ -176,19 +304,28 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 	}()
 }
 
-func findSecretFor(requestData PassphraseRequestData, volumeList *keyserverv1alpha1.SealedVolumeList) *SealedVolumeData {
+func findVolumeFor(requestData PassphraseRequestData, volumeList *keyserverv1alpha1.SealedVolumeList) *SealedVolumeData {
 	for _, v := range volumeList.Items {
 		if requestData.TPMHash == v.Spec.TPMHash {
 			for _, p := range v.Spec.Partitions {
 				deviceNameMatches := requestData.DeviceName != "" && p.DeviceName == requestData.DeviceName
 				uuidMatches := requestData.UUID != "" && p.UUID == requestData.UUID
 				labelMatches := requestData.Label != "" && p.Label == requestData.Label
-
+				secretName := ""
+				if p.Secret != nil && p.Secret.Name != "" {
+					secretName = p.Secret.Name
+				}
+				secretPath := ""
+				if p.Secret != nil && p.Secret.Path != "" {
+					secretPath = p.Secret.Path
+				}
 				if labelMatches || uuidMatches || deviceNameMatches {
 					return &SealedVolumeData{
-						Quarantined: v.Spec.Quarantined,
+						Quarantined:    v.Spec.Quarantined,
-						SecretName:  p.Secret.Name,
+						SecretName:     secretName,
-						SecretPath:  p.Secret.Path,
+						SecretPath:     secretPath,
+						VolumeName:     v.Name,
+						PartitionLabel: p.Label,
 					}
 				}
 			}

pkg/challenger/challenger_test.go

@@ -38,7 +38,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("returns the sealed volume data", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).ToNot(BeNil())
 				Expect(volumeData.Quarantined).To(BeFalse())
 				Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -67,7 +67,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("doesn't match a request with an empty field", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).To(BeNil())
 			})
 		})
@@ -86,7 +86,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("returns the sealed volume data", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).ToNot(BeNil())
 				Expect(volumeData.Quarantined).To(BeFalse())
 				Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -108,7 +108,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("returns the sealed volume data", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).ToNot(BeNil())
 				Expect(volumeData.Quarantined).To(BeFalse())
 				Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -130,7 +130,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("returns nil sealedVolumeData", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).To(BeNil())
 			})
 		})

pkg/constants/secret.go

@@ -0,0 +1,4 @@
+package constants
+
+const TPMSecret = "tpm"
+const GeneratedByKey = "generated_by"

pkg/payload/payload.go

@@ -0,0 +1,19 @@
+package payload
+
+type Data struct {
+	Passphrase  string `json:"passphrase"`
+	Error       string `json:"error"`
+	GeneratedBy string `json:"generated_by"`
+}
+
+func (d Data) HasError() bool {
+	return d.Error != ""
+}
+
+func (d Data) HasPassphrase() bool {
+	return d.Passphrase != ""
+}
+
+func (d Data) HasBeenGenerated() bool {
+	return d.GeneratedBy != ""
+}