Add TODO in README for selective enrollement

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

.github/workflows/dependabot_auto.yml

@@ -14,13 +14,13 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2.3.0
+        uses: dependabot/fetch-metadata@v2.4.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           skip-commit-verification: true
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Approve a PR if not already approved
         run: |

.github/workflows/e2e-tests.yml

@@ -18,11 +18,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
       - name: Install earthly
         uses: earthly/actions-setup@v1
         with:
@@ -63,11 +63,11 @@ jobs:
           - label: "discoverable-kms"
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
       - name: Install earthly
@@ -83,7 +83,7 @@ jobs:
           sudo luet repo add -y kairos --url quay.io/kairos/packages --type docker
           LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d
       - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: challenger.iso.zip
       - name: Run tests

.github/workflows/image.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Prepare
         id: prep

.github/workflows/lint.yml

@@ -19,11 +19,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
       - name: Install earthly
         uses: earthly/actions-setup@v1
         with:

.github/workflows/osv-scanner-pr.yaml

@@ -18,4 +18,4 @@ permissions:
 
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.9.2"
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.2"

.github/workflows/release.yaml

@@ -9,13 +9,13 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: |
           git fetch --prune --unshallow
       - name: Install gcc for arm64
         run: sudo apt-get update && sudo apt-get install -y build-essential crossbuild-essential-arm64
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
       - name: Run GoReleaser

.github/workflows/renovate_auto.yml

@@ -13,7 +13,7 @@ jobs:
     if: ${{ github.actor == 'renovate[bot]' }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Approve a PR if not already approved
         run: |

.github/workflows/secscan.yaml

@@ -19,7 +19,7 @@ jobs:
       GO111MODULE: on
     steps:
       - name: Checkout Source
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Run Gosec Security Scanner
         uses: securego/gosec@master
         with:

.github/workflows/unit-tests.yml

@@ -13,11 +13,11 @@ jobs:
   unit-tests:
     strategy:
       matrix:
-        go-version: ["1.24-bookworm"]
+        go-version: ["1.25-bookworm"]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Install earthly

.gitignore

@@ -6,6 +6,7 @@
 *.dylib
 bin
 testbin/*
+manager
 
 # Test binary, build with `go test -c`
 *.test

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.24 as builder
+FROM golang:1.25 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

Earthfile

@@ -6,7 +6,7 @@ ARG BASE_IMAGE=quay.io/kairos/ubuntu:23.10-core-amd64-generic-$KAIROS_VERSION
 
 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools
 # renovate: datasource=docker depName=golang
-ARG GO_VERSION=1.24-bookworm
+ARG GO_VERSION=1.25-bookworm
 ARG LUET_VERSION=0.33.0
 
 build-challenger:

Makefile

@@ -103,7 +103,7 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./pkg/... -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./pkg/...
 
 ##@ Build
 
@@ -160,7 +160,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v3.8.7
-CONTROLLER_TOOLS_VERSION ?= v0.14.0
+CONTROLLER_TOOLS_VERSION ?= v0.16.0
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
@@ -171,7 +171,8 @@ $(KUSTOMIZE): $(LOCALBIN)
 .PHONY: controller-gen
 controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.
 $(CONTROLLER_GEN): $(LOCALBIN)
-	test -s $(LOCALBIN)/controller-gen || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
+	test -s $(LOCALBIN)/controller-gen || curl -L -v -Sso $(LOCALBIN)/controller-gen https://github.com/kubernetes-sigs/controller-tools/releases/download/$(CONTROLLER_TOOLS_VERSION)/controller-gen-linux-amd64
+	chmod +x $(LOCALBIN)/controller-gen
 
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.

README.md

@@ -65,6 +65,33 @@ This is the Kairos kcrypt-challenger Kubernetes Native Extension.
 
 See the documentation in our website: https://kairos.io/docs/advanced/partition_encryption/.
 
+### TPM NV Memory Cleanup
+
+⚠️ **DANGER**: This command removes encryption passphrases from TPM memory!
+⚠️ **If you delete the wrong index, your encrypted disk may become UNBOOTABLE!**
+
+During development and testing, the kcrypt-challenger may store passphrases in TPM non-volatile (NV) memory. These passphrases persist across reboots and can accumulate over time, taking up space in the TPM.
+
+To clean up TPM NV memory used by the challenger:
+
+```bash
+# Clean up the default NV index (respects config or defaults to 0x1500000)
+kcrypt-discovery-challenger cleanup
+
+# Clean up a specific NV index
+kcrypt-discovery-challenger cleanup --nv-index=0x1500001
+
+# Clean up with specific TPM device
+kcrypt-discovery-challenger cleanup --tpm-device=/dev/tpmrm0
+```
+
+**Safety Features:**
+- By default, the command shows warnings and prompts for confirmation
+- You must type "yes" to proceed with deletion
+- Use `--i-know-what-i-am-doing` flag to skip the prompt (not recommended)
+
+**Note**: This command uses native Go TPM libraries and requires appropriate permissions to access the TPM device.
+
 ## Installation
 
 To install, use helm:
@@ -90,3 +117,73 @@ TEST SUITE: None
 # Installs challenger
 $ helm install kairos-challenger kairos/kcrypt-challenger
 ```
+
+## TODO: Implement Selective Enrollment Mode for Attestation Data
+
+### Problem Statement
+
+Currently, the TPM attestation system faces operational challenges in real-world deployments:
+
+1. **Test Complexity**: Tests require manually creating SealedVolumes with complex mock attestation data (EK, AK, PCR values)
+2. **Upgrade Compatibility**: Kernel upgrades change PCR values, causing TPM quarantine and disk inaccessibility  
+3. **Operational Flexibility**: No mechanism for operators to reset/update attestation data after TPM replacement, firmware upgrades, or key rotation
+
+### Proposed Solution: Selective Enrollment Mode
+
+Implement a "selective enrollment mode" where operators can set specific attestation fields to empty/null values in SealedVolume specs, indicating that the server should:
+1. Accept any value for that field during attestation
+2. Store the received value for future verification
+3. Update the SealedVolume with the learned value
+
+### Required Implementation Changes
+
+#### 1. **SealedVolume API Enhancement**
+```yaml
+spec:
+  TPMHash: "required-tpm-hash"  # MUST be set for client matching
+  attestation:
+    ekPublicKey: ""             # Empty = enrollment mode
+    akPublicKey: ""             # Empty = enrollment mode  
+    pcrValues:
+      pcrs:
+        "0": ""                 # Empty = enrollment mode for this PCR
+        "7": "fixed-value"      # Set = enforce this value
+        # "11": omitted         # Omitted = skip verification entirely
+```
+
+#### 2. **Server Logic Updates**
+- Modify `verifyAKMatch()` to handle empty AK fields as enrollment mode
+- Modify `verifyPCRValues()` to handle empty PCR values as enrollment mode  
+- Add logic to update SealedVolume specs when learning new values
+- Ensure TPM hash is always required and validated for client matching
+
+#### 3. **Test Simplification**
+Replace complex mock attestation data in tests with simple enrollment mode:
+```yaml
+# tests/encryption_test.go - remote-static test
+spec:
+  TPMHash: "computed-from-vm"   # Get from /system/discovery/kcrypt-discovery-challenger
+  partitions:
+    - label: COS_PERSISTENT
+      secret: {name: "static-passphrase", path: "pass"}
+  attestation: {}               # Full enrollment mode
+```
+
+### Use Cases Solved
+
+1. **Static Passphrase Tests**: Create Secret + minimal SealedVolume, let TOFU handle attestation
+2. **Production Manual Setup**: Operators set known passphrases + TPM hashes, system learns security data
+3. **Firmware Upgrades**: Set PCR fields to empty to re-learn after BIOS updates
+4. **TPM Replacement**: Set AK field to empty to re-learn after hardware changes
+5. **Kernel Updates**: Omit PCR 11 entirely to avoid quarantine on upgrades
+
+### Critical Implementation Notes
+
+- **TPM Hash MUST remain mandatory** - without it, multiple clients would match the same SealedVolume
+- **EK verification should remain strict** - only AK and PCRs should support enrollment mode
+- **Add proper logging** for enrollment events for audit trails
+- **Consider rate limiting** to prevent abuse of enrollment mode
+- **Update documentation** with operational procedures for each use case
+
+### Priority: High
+This blocks current test failures and addresses fundamental operational challenges for production deployments.

api/v1alpha1/sealedvolume_types.go

@@ -23,11 +23,39 @@ import (
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
+// PCRValues represents Platform Configuration Register values for boot state verification
+// Uses a flexible map where keys are PCR indices (as strings) and values are hex-encoded PCR values
+type PCRValues struct {
+	// PCRs is a flexible map of PCR index (as string) to PCR value (hex-encoded)
+	// Example: {"0": "a1b2c3...", "7": "d4e5f6...", "11": "g7h8i9..."}
+	// This allows for any combination of PCRs without hardcoding specific indices
+	PCRs map[string]string `json:"pcrs,omitempty"`
+}
+
+// AttestationSpec defines TPM attestation data for TOFU enrollment and verification
+type AttestationSpec struct {
+	// EKPublicKey stores the Endorsement Key public key in PEM format
+	EKPublicKey string `json:"ekPublicKey,omitempty"`
+
+	// AKPublicKey stores the Attestation Key public key in PEM format
+	AKPublicKey string `json:"akPublicKey,omitempty"`
+
+	// PCRValues stores the expected PCR values for boot state verification
+	PCRValues *PCRValues `json:"pcrValues,omitempty"`
+
+	// EnrolledAt timestamp when this TPM was first enrolled
+	EnrolledAt *metav1.Time `json:"enrolledAt,omitempty"`
+
+	// LastVerifiedAt timestamp of the last successful attestation
+	LastVerifiedAt *metav1.Time `json:"lastVerifiedAt,omitempty"`
+}
+
 // SealedVolumeSpec defines the desired state of SealedVolume
 type SealedVolumeSpec struct {
-	TPMHash     string          `json:"TPMHash,omitempty"`
-	Partitions  []PartitionSpec `json:"partitions,omitempty"`
-	Quarantined bool            `json:"quarantined,omitempty"`
+	TPMHash     string           `json:"TPMHash,omitempty"`
+	Partitions  []PartitionSpec  `json:"partitions,omitempty"`
+	Quarantined bool             `json:"quarantined,omitempty"`
+	Attestation *AttestationSpec `json:"attestation,omitempty"`
 }
 
 // PartitionSpec defines a Partition. A partition can be identified using

api/v1alpha1/zz_generated.deepcopy.go

@@ -25,6 +25,56 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AttestationSpec) DeepCopyInto(out *AttestationSpec) {
+	*out = *in
+	if in.PCRValues != nil {
+		in, out := &in.PCRValues, &out.PCRValues
+		*out = new(PCRValues)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.EnrolledAt != nil {
+		in, out := &in.EnrolledAt, &out.EnrolledAt
+		*out = (*in).DeepCopy()
+	}
+	if in.LastVerifiedAt != nil {
+		in, out := &in.LastVerifiedAt, &out.LastVerifiedAt
+		*out = (*in).DeepCopy()
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestationSpec.
+func (in *AttestationSpec) DeepCopy() *AttestationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AttestationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PCRValues) DeepCopyInto(out *PCRValues) {
+	*out = *in
+	if in.PCRs != nil {
+		in, out := &in.PCRs, &out.PCRs
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PCRValues.
+func (in *PCRValues) DeepCopy() *PCRValues {
+	if in == nil {
+		return nil
+	}
+	out := new(PCRValues)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PartitionSpec) DeepCopyInto(out *PartitionSpec) {
 	*out = *in
@@ -114,6 +164,11 @@ func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Attestation != nil {
+		in, out := &in.Attestation, &out.Attestation
+		*out = new(AttestationSpec)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SealedVolumeSpec.

cmd/discovery/cli_test.go

@@ -0,0 +1,374 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestCLI(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Discovery CLI Suite")
+}
+
+var _ = Describe("CLI Interface", func() {
+	BeforeEach(func() {
+		// Clean up any previous log files
+		_ = os.Remove("/tmp/kcrypt-challenger-client.log")
+	})
+
+	AfterEach(func() {
+		// Clean up log files
+		_ = os.Remove("/tmp/kcrypt-challenger-client.log")
+	})
+
+	Context("CLI help", func() {
+		It("should show help when --help is used", func() {
+			err := ExecuteWithArgs([]string{"--help"})
+
+			Expect(err).To(BeNil())
+			// We can't easily test the output content without complex output capture,
+			// but we can verify the function executes without error
+		})
+	})
+
+	Context("Input validation", func() {
+		It("should require all partition parameters for get command", func() {
+			err := ExecuteWithArgs([]string{"get"})
+
+			Expect(err).To(HaveOccurred())
+			// Should return an error when required parameters are missing
+		})
+
+		It("should validate that all required fields are provided for get command", func() {
+			// Test with valid partition parameters
+			err := ExecuteWithArgs([]string{"get", "--partition-name=/dev/sda2"})
+			Expect(err).To(HaveOccurred()) // Should fail at client connection but parsing should work
+
+			// Test with valid UUID
+			err = ExecuteWithArgs([]string{"get", "--partition-uuid=12345"})
+			Expect(err).To(HaveOccurred()) // Should fail at client connection but parsing should work
+		})
+
+		It("should handle invalid flags gracefully", func() {
+			err := ExecuteWithArgs([]string{"--invalid-flag"})
+
+			Expect(err).To(HaveOccurred())
+			// Should return an error for invalid flags
+		})
+	})
+
+	Context("Flow detection and backend integration", func() {
+		It("should attempt to get passphrase with valid parameters", func() {
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/test",
+				"--partition-uuid=test-uuid-12345",
+				"--partition-label=test-label",
+				"--attempts=1",
+			})
+
+			// We expect this to fail since there's no server, but it should reach the backend logic
+			Expect(err).To(HaveOccurred())
+
+			// Should show flow detection in the log (if created)
+			logContent, readErr := os.ReadFile("/tmp/kcrypt-challenger-client.log")
+			if readErr == nil {
+				logStr := string(logContent)
+				// Should contain flow detection message
+				Expect(logStr).To(ContainSubstring("flow"))
+			}
+		})
+
+		It("should use the correct backend client logic", func() {
+			// Test that the CLI mode uses the same GetPassphrase method
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/test",
+				"--partition-uuid=test-uuid",
+				"--partition-label=test-label",
+				"--attempts=1",
+			})
+
+			// Should fail but attempt to use the client
+			Expect(err).To(HaveOccurred())
+			// The important thing is that it reaches the backend and doesn't crash
+		})
+	})
+
+	Context("Configuration overrides with debug logging", func() {
+		var tempDir string
+		var originalLogFile string
+		var testLogFile string
+		var configDir string
+
+		BeforeEach(func() {
+			// Create a temporary directory for this test
+			var err error
+			tempDir, err = os.MkdirTemp("", "kcrypt-test-*")
+			Expect(err).NotTo(HaveOccurred())
+
+			// Use /tmp/oem since it's already in confScanDirs
+			configDir = "/tmp/oem"
+			err = os.MkdirAll(configDir, 0755)
+			Expect(err).NotTo(HaveOccurred())
+
+			// Create a test configuration file with known values
+			configContent := `kcrypt:
+  challenger:
+    challenger_server: "https://default-server.com:8080"
+    mdns: false
+    certificate: "/default/path/to/cert.pem"
+    nv_index: "0x1500000"
+    c_index: "0x1400000"
+    tpm_device: "/dev/tpm0"
+`
+			configFile := filepath.Join(configDir, "kairos.yaml")
+			err = os.WriteFile(configFile, []byte(configContent), 0644)
+			Expect(err).NotTo(HaveOccurred())
+
+			// Override the log file location for testing
+			originalLogFile = os.Getenv("KAIROS_LOG_FILE")
+			testLogFile = filepath.Join(tempDir, "kcrypt-discovery-challenger.log")
+			os.Setenv("KAIROS_LOG_FILE", testLogFile)
+		})
+
+		AfterEach(func() {
+			// Restore original log file setting
+			if originalLogFile != "" {
+				os.Setenv("KAIROS_LOG_FILE", originalLogFile)
+			} else {
+				os.Unsetenv("KAIROS_LOG_FILE")
+			}
+
+			// Clean up config file
+			_ = os.RemoveAll(configDir)
+
+			// Clean up temporary directory
+			_ = os.RemoveAll(tempDir)
+		})
+
+		It("should read and use original configuration values without overrides", func() {
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/test",
+				"--partition-uuid=test-uuid",
+				"--partition-label=test-label",
+				"--debug",
+				"--attempts=1",
+			})
+
+			// Should fail at passphrase retrieval but config parsing should work
+			Expect(err).To(HaveOccurred())
+
+			// Check that original configuration values are logged
+			logContent, readErr := os.ReadFile(testLogFile)
+			if readErr == nil {
+				logStr := string(logContent)
+				// Should show original configuration values from the file
+				Expect(logStr).To(ContainSubstring("Original configuration"))
+				Expect(logStr).To(ContainSubstring("https://default-server.com:8080"))
+				Expect(logStr).To(ContainSubstring("false")) // mdns value
+				Expect(logStr).To(ContainSubstring("/default/path/to/cert.pem"))
+				// Should also show final configuration (which should be the same as original)
+				Expect(logStr).To(ContainSubstring("Final configuration"))
+				// Should NOT contain any override messages since no flags were provided
+				Expect(logStr).NotTo(ContainSubstring("Overriding server URL"))
+				Expect(logStr).NotTo(ContainSubstring("Overriding MDNS setting"))
+				Expect(logStr).NotTo(ContainSubstring("Overriding certificate"))
+			}
+		})
+
+		It("should show configuration file values being overridden by CLI flags", func() {
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/test",
+				"--partition-uuid=test-uuid",
+				"--partition-label=test-label",
+				"--challenger-server=https://overridden-server.com:9999",
+				"--mdns=true",
+				"--certificate=/overridden/cert.pem",
+				"--debug",
+				"--attempts=1",
+			})
+
+			// Should fail at passphrase retrieval but config parsing and overrides should work
+			Expect(err).To(HaveOccurred())
+
+			// Check that both original and overridden values are logged
+			logContent, readErr := os.ReadFile(testLogFile)
+			if readErr == nil {
+				logStr := string(logContent)
+				// Should show original configuration values from the file
+				Expect(logStr).To(ContainSubstring("Original configuration"))
+				Expect(logStr).To(ContainSubstring("https://default-server.com:8080"))
+				Expect(logStr).To(ContainSubstring("/default/path/to/cert.pem"))
+
+				// Should show override messages
+				Expect(logStr).To(ContainSubstring("Overriding server URL"))
+				Expect(logStr).To(ContainSubstring("https://default-server.com:8080 -> https://overridden-server.com:9999"))
+				Expect(logStr).To(ContainSubstring("Overriding MDNS setting"))
+				Expect(logStr).To(ContainSubstring("false -> true"))
+				Expect(logStr).To(ContainSubstring("Overriding certificate"))
+
+				// Should show final configuration with overridden values
+				Expect(logStr).To(ContainSubstring("Final configuration"))
+				Expect(logStr).To(ContainSubstring("https://overridden-server.com:9999"))
+				Expect(logStr).To(ContainSubstring("/overridden/cert.pem"))
+			}
+		})
+
+		It("should apply CLI flag overrides and log configuration changes", func() {
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/test",
+				"--partition-uuid=test-uuid",
+				"--partition-label=test-label",
+				"--challenger-server=https://custom-server.com:8082",
+				"--mdns=true",
+				"--certificate=/path/to/cert.pem",
+				"--debug",
+				"--attempts=1",
+			})
+
+			// Should fail at passphrase retrieval but flag parsing should work
+			Expect(err).To(HaveOccurred())
+
+			// Check if debug log exists and contains configuration information
+			logContent, readErr := os.ReadFile(testLogFile)
+			if readErr == nil {
+				logStr := string(logContent)
+				// Should contain debug information about configuration overrides
+				Expect(logStr).To(ContainSubstring("Overriding server URL"))
+				Expect(logStr).To(ContainSubstring("https://custom-server.com:8082"))
+				Expect(logStr).To(ContainSubstring("Overriding MDNS setting"))
+				Expect(logStr).To(ContainSubstring("Overriding certificate"))
+			}
+		})
+
+		It("should show original vs final configuration in debug mode", func() {
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/test",
+				"--partition-uuid=test-uuid",
+				"--partition-label=test-label",
+				"--challenger-server=https://override-server.com:9999",
+				"--debug",
+				"--attempts=1",
+			})
+
+			// Should fail but debug information should be logged
+			Expect(err).To(HaveOccurred())
+
+			// Check for original and final configuration logging
+			logContent, readErr := os.ReadFile(testLogFile)
+			if readErr == nil {
+				logStr := string(logContent)
+				Expect(logStr).To(ContainSubstring("Original configuration"))
+				Expect(logStr).To(ContainSubstring("Final configuration"))
+				Expect(logStr).To(ContainSubstring("https://override-server.com:9999"))
+			}
+		})
+
+		It("should log partition details in debug mode", func() {
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/custom-partition",
+				"--partition-uuid=custom-uuid-123",
+				"--partition-label=custom-label-456",
+				"--debug",
+				"--attempts=2",
+			})
+
+			Expect(err).To(HaveOccurred())
+
+			// Check for partition details in debug log
+			logContent, readErr := os.ReadFile(testLogFile)
+			if readErr == nil {
+				logStr := string(logContent)
+				Expect(logStr).To(ContainSubstring("Partition details"))
+				Expect(logStr).To(ContainSubstring("/dev/custom-partition"))
+				Expect(logStr).To(ContainSubstring("custom-uuid-123"))
+				Expect(logStr).To(ContainSubstring("custom-label-456"))
+				Expect(logStr).To(ContainSubstring("Attempts: 2"))
+			}
+		})
+
+		It("should not log debug information without debug flag", func() {
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/test",
+				"--partition-uuid=test-uuid",
+				"--partition-label=test-label",
+				"--attempts=1",
+			})
+
+			Expect(err).To(HaveOccurred())
+
+			// Debug log should not exist or should not contain detailed debug info
+			logContent, readErr := os.ReadFile(testLogFile)
+			if readErr == nil {
+				logStr := string(logContent)
+				// Should not contain debug-level details
+				Expect(logStr).NotTo(ContainSubstring("Original configuration"))
+				Expect(logStr).NotTo(ContainSubstring("Partition details"))
+			}
+		})
+
+		It("should handle missing configuration file gracefully and show defaults", func() {
+			// Remove the config file to test default behavior
+			_ = os.RemoveAll(configDir)
+
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/test",
+				"--partition-uuid=test-uuid",
+				"--partition-label=test-label",
+				"--debug",
+				"--attempts=1",
+			})
+
+			// Should fail at passphrase retrieval but not due to config parsing
+			Expect(err).To(HaveOccurred())
+
+			// Check that default/empty configuration values are logged
+			logContent, readErr := os.ReadFile(testLogFile)
+			if readErr == nil {
+				logStr := string(logContent)
+				// Should show original configuration (which should be empty/defaults)
+				Expect(logStr).To(ContainSubstring("Original configuration"))
+				Expect(logStr).To(ContainSubstring("Final configuration"))
+				// Should NOT contain override messages since no flags were provided
+				Expect(logStr).NotTo(ContainSubstring("Overriding server URL"))
+				Expect(logStr).NotTo(ContainSubstring("Overriding MDNS setting"))
+				Expect(logStr).NotTo(ContainSubstring("Overriding certificate"))
+			}
+		})
+	})
+
+	Context("CLI argument parsing", func() {
+		It("should parse all arguments correctly", func() {
+			// This will fail at the client creation/server connection,
+			// but should successfully parse all arguments
+			err := ExecuteWithArgs([]string{
+				"get",
+				"--partition-name=/dev/custom",
+				"--partition-uuid=custom-uuid-999",
+				"--partition-label=custom-label",
+				"--attempts=5",
+			})
+
+			Expect(err).To(HaveOccurred()) // Fails due to no server
+			// The important thing is that flag parsing worked and it reached the backend
+		})
+
+		It("should handle boolean flags correctly", func() {
+			// Test help flag
+			err := ExecuteWithArgs([]string{"--help"})
+			Expect(err).To(BeNil())
+		})
+	})
+})

cmd/discovery/client/client.go

@@ -1,37 +1,50 @@
 package client
 
 import (
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"os"
 	"time"
 
+	"github.com/google/go-attestation/attest"
+	"github.com/gorilla/websocket"
 	"github.com/jaypipes/ghw/pkg/block"
-	"github.com/kairos-io/kairos-challenger/pkg/constants"
-	"github.com/kairos-io/kairos-challenger/pkg/payload"
-	"github.com/kairos-io/kcrypt/pkg/bus"
+	"github.com/kairos-io/kairos-sdk/kcrypt/bus"
+	"github.com/kairos-io/kairos-sdk/types"
 	"github.com/kairos-io/tpm-helpers"
 	"github.com/mudler/go-pluggable"
-	"github.com/mudler/yip/pkg/utils"
+
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
 )
 
 // Because of how go-pluggable works, we can't just print to stdout
 const LOGFILE = "/tmp/kcrypt-challenger-client.log"
 
+// Retry delays for different failure types
+const (
+	TPMRetryDelay     = 100 * time.Millisecond // Brief delay for TPM hardware busy/unavailable
+	NetworkRetryDelay = 1 * time.Second        // Longer delay for network/server issues
+)
+
 var errPartNotFound error = fmt.Errorf("pass for partition not found")
 var errBadCertificate error = fmt.Errorf("unknown certificate")
 
 func NewClient() (*Client, error) {
+	return NewClientWithLogger(types.NewKairosLogger("kcrypt-challenger-client", "error", false))
+}
+
+func NewClientWithLogger(logger types.KairosLogger) (*Client, error) {
 	conf, err := unmarshalConfig()
 	if err != nil {
 		return nil, err
 	}
 
-	return &Client{Config: conf}, nil
+	return &Client{Config: conf, Logger: logger}, nil
 }
 
-// ❯ echo '{ "data": "{ \\"label\\": \\"LABEL\\" }"}' | sudo -E WSS_SERVER="http://localhost:8082/challenge" ./challenger "discovery.password"
 func (c *Client) Start() error {
 	if err := os.RemoveAll(LOGFILE); err != nil { // Start fresh
 		return fmt.Errorf("removing the logfile: %w", err)
@@ -51,7 +64,8 @@ func (c *Client) Start() error {
 			}
 		}
 
-		pass, err := c.waitPass(b, 30)
+		// Use the extracted core logic
+		pass, err := c.GetPassphrase(b, 30)
 		if err != nil {
 			return pluggable.EventResponse{
 				Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
@@ -66,36 +80,9 @@ func (c *Client) Start() error {
 	return factory.Run(pluggable.EventType(os.Args[1]), os.Stdin, os.Stdout)
 }
 
-func (c *Client) generatePass(postEndpoint string, headers map[string]string, p *block.Partition) error {
-
-	rand := utils.RandomString(32)
-	pass, err := tpm.EncryptBlob([]byte(rand))
-	if err != nil {
-		return err
-	}
-	bpass := base64.RawURLEncoding.EncodeToString(pass)
-
-	opts := []tpm.Option{
-		tpm.WithCAs([]byte(c.Config.Kcrypt.Challenger.Certificate)),
-		tpm.AppendCustomCAToSystemCA,
-		tpm.WithAdditionalHeader("label", p.FilesystemLabel),
-		tpm.WithAdditionalHeader("name", p.Name),
-		tpm.WithAdditionalHeader("uuid", p.UUID),
-	}
-	for k, v := range headers {
-		opts = append(opts, tpm.WithAdditionalHeader(k, v))
-	}
-
-	conn, err := tpm.Connection(postEndpoint, opts...)
-	if err != nil {
-		return err
-	}
-
-	return conn.WriteJSON(payload.Data{Passphrase: bpass, GeneratedBy: constants.TPMSecret})
-}
-
-func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err error) {
-	additionalHeaders := map[string]string{}
+// ❯ echo '{ "data": "{ \\"label\\": \\"LABEL\\" }"}' | sudo -E WSS_SERVER="http://localhost:8082/challenge" ./challenger "discovery.password"
+// GetPassphrase retrieves a passphrase for the given partition - core business logic
+func (c *Client) GetPassphrase(partition *block.Partition, attempts int) (string, error) {
 	serverURL := c.Config.Kcrypt.Challenger.Server
 
 	// If we don't have any server configured, just do local
@@ -103,44 +90,197 @@ func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err er
 		return localPass(c.Config)
 	}
 
+	additionalHeaders := map[string]string{}
+	var err error
 	if c.Config.Kcrypt.Challenger.MDNS {
-		serverURL, additionalHeaders, err = queryMDNS(serverURL)
+		serverURL, additionalHeaders, err = queryMDNS(serverURL, c.Logger)
+		if err != nil {
+			return "", err
+		}
 	}
 
-	getEndpoint := fmt.Sprintf("%s/getPass", serverURL)
-	postEndpoint := fmt.Sprintf("%s/postPass", serverURL)
+	c.Logger.Debugf("Starting TPM attestation flow with server: %s", serverURL)
+	return c.waitPassWithTPMAttestation(serverURL, additionalHeaders, partition, attempts)
+}
+
+// waitPassWithTPMAttestation implements the new TPM remote attestation flow over WebSocket
+func (c *Client) waitPassWithTPMAttestation(serverURL string, additionalHeaders map[string]string, p *block.Partition, attempts int) (string, error) {
+	attestationEndpoint := fmt.Sprintf("%s/tpm-attestation", serverURL)
+	c.Logger.Debugf("Debug: TPM attestation endpoint: %s", attestationEndpoint)
 
 	for tries := 0; tries < attempts; tries++ {
-		var generated bool
-		pass, generated, err = getPass(getEndpoint, additionalHeaders, c.Config.Kcrypt.Challenger.Certificate, p)
-		if err == errPartNotFound {
-			// IF server doesn't have a pass for us, then we generate one and we set it
-			err = c.generatePass(postEndpoint, additionalHeaders, p)
-			if err != nil {
-				return
-			}
-			// Attempt to fetch again - validate that the server has it now
-			tries = 0
+		c.Logger.Debugf("Debug: TPM attestation attempt %d/%d", tries+1, attempts)
+
+		// Step 1: Initialize AK Manager
+		c.Logger.Debugf("Debug: Initializing AK Manager with handle file: %s", constants.AKBlobFile)
+		akManager, err := tpm.NewAKManager(tpm.WithAKHandleFile(constants.AKBlobFile))
+		if err != nil {
+			c.Logger.Debugf("Failed to create AK manager: %v", err)
+			time.Sleep(TPMRetryDelay)
+			continue
+		}
+		c.Logger.Debugf("Debug: AK Manager initialized successfully")
+
+		// Step 2: Ensure AK exists
+		c.Logger.Debugf("Debug: Getting or creating AK")
+		_, err = akManager.GetOrCreateAK()
+		if err != nil {
+			c.Logger.Debugf("Failed to get/create AK: %v", err)
+			time.Sleep(TPMRetryDelay)
+			continue
+		}
+		c.Logger.Debugf("Debug: AK obtained/created successfully")
+
+		// Step 3: Start WebSocket-based attestation flow
+		c.Logger.Debugf("Debug: Starting WebSocket-based attestation flow")
+		passphrase, err := c.performTPMAttestation(attestationEndpoint, additionalHeaders, akManager, p)
+		if err != nil {
+			c.Logger.Debugf("Failed TPM attestation: %v", err)
+			time.Sleep(NetworkRetryDelay)
 			continue
 		}
 
-		if generated { // passphrase is encrypted
-			return c.decryptPassphrase(pass)
-		}
-
-		if err == errBadCertificate { // No need to retry, won't succeed.
-			return
-		}
-
-		if err == nil { // passphrase available, no errors
-			return
-		}
-
-		logToFile("Failed with error: %s . Will retry.\n", err.Error())
-		time.Sleep(1 * time.Second) // network errors? retry
+		return passphrase, nil
 	}
 
-	return
+	return "", fmt.Errorf("exhausted all attempts (%d) for TPM attestation", attempts)
+}
+
+// performTPMAttestation handles the complete attestation flow over a single WebSocket connection
+func (c *Client) performTPMAttestation(endpoint string, additionalHeaders map[string]string, akManager *tpm.AKManager, p *block.Partition) (string, error) {
+	c.Logger.Debugf("Debug: Creating WebSocket connection to endpoint: %s", endpoint)
+	c.Logger.Debugf("Debug: Partition details - Label: %s, Name: %s, UUID: %s", p.FilesystemLabel, p.Name, p.UUID)
+	c.Logger.Debugf("Debug: Certificate length: %d", len(c.Config.Kcrypt.Challenger.Certificate))
+
+	// Create WebSocket connection
+	opts := []tpm.Option{
+		tpm.WithAdditionalHeader("label", p.FilesystemLabel),
+		tpm.WithAdditionalHeader("name", p.Name),
+		tpm.WithAdditionalHeader("uuid", p.UUID),
+	}
+
+	// Only add certificate options if a certificate is provided
+	if len(c.Config.Kcrypt.Challenger.Certificate) > 0 {
+		c.Logger.Debugf("Debug: Adding certificate validation options")
+		opts = append(opts,
+			tpm.WithCAs([]byte(c.Config.Kcrypt.Challenger.Certificate)),
+			tpm.AppendCustomCAToSystemCA,
+		)
+	} else {
+		c.Logger.Debugf("Debug: No certificate provided, using insecure connection")
+	}
+	for k, v := range additionalHeaders {
+		opts = append(opts, tpm.WithAdditionalHeader(k, v))
+	}
+	c.Logger.Debugf("Debug: WebSocket options configured, attempting connection...")
+
+	// Add connection timeout to prevent hanging indefinitely
+	type connectionResult struct {
+		conn interface{}
+		err  error
+	}
+
+	done := make(chan connectionResult, 1)
+
+	go func() {
+		c.Logger.Debugf("Debug: Using tpm.AttestationConnection for new TPM flow")
+		conn, err := tpm.AttestationConnection(endpoint, opts...)
+		c.Logger.Debugf("Debug: tpm.AttestationConnection returned with err: %v", err)
+		done <- connectionResult{conn: conn, err: err}
+	}()
+
+	var conn *websocket.Conn
+	select {
+	case result := <-done:
+		if result.err != nil {
+			c.Logger.Debugf("Debug: WebSocket connection failed: %v", result.err)
+			return "", fmt.Errorf("creating WebSocket connection: %w", result.err)
+		}
+		var ok bool
+		conn, ok = result.conn.(*websocket.Conn)
+		if !ok {
+			return "", fmt.Errorf("unexpected connection type")
+		}
+		c.Logger.Debugf("Debug: WebSocket connection established successfully")
+	case <-time.After(10 * time.Second):
+		c.Logger.Debugf("Debug: WebSocket connection timed out after 10 seconds")
+		return "", fmt.Errorf("WebSocket connection timed out")
+	}
+
+	defer conn.Close() //nolint:errcheck
+
+	// Protocol Step 1: Send attestation data (EK + AK) to server so it can generate proper challenge
+	c.Logger.Debugf("Debug: Getting attestation data for challenge generation")
+	ek, akParams, err := akManager.GetAttestationData()
+	if err != nil {
+		return "", fmt.Errorf("getting attestation data: %w", err)
+	}
+	c.Logger.Debugf("Debug: Got EK and AK attestation data")
+
+	// Serialize EK to bytes using the existing encoding from tmp-helpers
+	ekPEM, err := encodeEKToBytes(ek)
+	if err != nil {
+		return "", fmt.Errorf("encoding EK to bytes: %w", err)
+	}
+
+	// Serialize AK parameters to JSON bytes
+	akBytes, err := json.Marshal(akParams)
+	if err != nil {
+		return "", fmt.Errorf("marshaling AK parameters: %w", err)
+	}
+
+	// Send attestation data to server as bytes
+	attestationData := struct {
+		EKBytes []byte `json:"ek_bytes"`
+		AKBytes []byte `json:"ak_bytes"`
+	}{
+		EKBytes: ekPEM,
+		AKBytes: akBytes,
+	}
+
+	c.Logger.Debugf("Debug: Sending attestation data to server")
+	if err := conn.WriteJSON(attestationData); err != nil {
+		return "", fmt.Errorf("sending attestation data: %w", err)
+	}
+	c.Logger.Debugf("Debug: Attestation data sent successfully")
+
+	// Protocol Step 2: Wait for challenge response from server
+	c.Logger.Debugf("Debug: Waiting for challenge from server")
+	var challengeResp tpm.AttestationChallengeResponse
+	if err := conn.ReadJSON(&challengeResp); err != nil {
+		return "", fmt.Errorf("reading challenge from server: %w", err)
+	}
+	c.Logger.Debugf("Challenge received - Enrolled: %t", challengeResp.Enrolled)
+
+	// Protocol Step 3: Create proof request using AK Manager
+	c.Logger.Debugf("Debug: Creating proof request from challenge response")
+	proofReq, err := akManager.CreateProofRequest(&challengeResp)
+	if err != nil {
+		return "", fmt.Errorf("creating proof request: %w", err)
+	}
+	c.Logger.Debugf("Debug: Proof request created successfully")
+
+	// Protocol Step 4: Send proof to server
+	c.Logger.Debugf("Debug: Sending proof request to server")
+	if err := conn.WriteJSON(proofReq); err != nil {
+		return "", fmt.Errorf("sending proof request: %w", err)
+	}
+	c.Logger.Debugf("Proof request sent")
+
+	// Protocol Step 5: Receive passphrase from server
+	c.Logger.Debugf("Debug: Waiting for passphrase response")
+	var proofResp tpm.ProofResponse
+	if err := conn.ReadJSON(&proofResp); err != nil {
+		return "", fmt.Errorf("reading passphrase response: %w", err)
+	}
+	c.Logger.Debugf("Passphrase received - Length: %d bytes", len(proofResp.Passphrase))
+
+	// Check if we received an empty passphrase (indicates server error)
+	if len(proofResp.Passphrase) == 0 {
+		return "", fmt.Errorf("server returned empty passphrase, indicating an error occurred during attestation")
+	}
+
+	return string(proofResp.Passphrase), nil
 }
 
 // decryptPassphrase decodes (base64) and decrypts the passphrase returned
@@ -164,13 +304,25 @@ func (c *Client) decryptPassphrase(pass string) (string, error) {
 	return string(passBytes), err
 }
 
-func logToFile(format string, a ...any) {
-	s := fmt.Sprintf(format, a...)
-	file, err := os.OpenFile(LOGFILE, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
-	if err != nil {
-		panic(err)
+// encodeEKToBytes encodes an EK to PEM bytes for transmission
+func encodeEKToBytes(ek *attest.EK) ([]byte, error) {
+	if ek.Certificate != nil {
+		pemBlock := &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: ek.Certificate.Raw,
+		}
+		return pem.EncodeToMemory(pemBlock), nil
 	}
-	defer file.Close()
 
-	file.WriteString(s)
+	// For EKs without certificates, marshal the public key
+	pubBytes, err := x509.MarshalPKIXPublicKey(ek.Public)
+	if err != nil {
+		return nil, fmt.Errorf("marshaling EK public key: %w", err)
+	}
+
+	pemBlock := &pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: pubBytes,
+	}
+	return pem.EncodeToMemory(pemBlock), nil
 }

cmd/discovery/client/config.go

@@ -2,12 +2,20 @@ package client
 
 import (
 	"github.com/kairos-io/kairos-sdk/collector"
-	kconfig "github.com/kairos-io/kcrypt/pkg/config"
+	"github.com/kairos-io/kairos-sdk/types"
 	"gopkg.in/yaml.v3"
 )
 
+// There are the directories under which we expect to find kairos configuration.
+// When we are booted from an iso (during installation), configuration is expected
+// under `/oem`. When we are booting an installed system (in initramfs phase),
+// the path is `/sysroot/oem`.
+// When we run the challenger in hooks, we may have the config under /tmp/oem
+var confScanDirs = []string{"/oem", "/sysroot/oem", "/tmp/oem"}
+
 type Client struct {
 	Config Config
+	Logger types.KairosLogger
 }
 
 type Config struct {
@@ -27,7 +35,7 @@ func unmarshalConfig() (Config, error) {
 	var result Config
 
 	o := &collector.Options{NoLogs: true, MergeBootCMDLine: false}
-	if err := o.Apply(collector.Directories(append(kconfig.ConfigScanDirs, "/tmp/oem")...)); err != nil {
+	if err := o.Apply(collector.Directories(confScanDirs...)); err != nil {
 		return result, err
 	}
 

cmd/discovery/client/enc.go

@@ -1,58 +1,12 @@
 package client
 
 import (
-	"encoding/json"
-	"fmt"
-	"strings"
-
-	"github.com/kairos-io/kairos-challenger/pkg/constants"
-	"github.com/kairos-io/kairos-challenger/pkg/payload"
-
-	"github.com/jaypipes/ghw/pkg/block"
 	"github.com/kairos-io/tpm-helpers"
 	"github.com/mudler/yip/pkg/utils"
-	"github.com/pkg/errors"
 )
 
 const DefaultNVIndex = "0x1500000"
 
-func getPass(server string, headers map[string]string, certificate string, partition *block.Partition) (string, bool, error) {
-	opts := []tpm.Option{
-		tpm.WithCAs([]byte(certificate)),
-		tpm.AppendCustomCAToSystemCA,
-		tpm.WithAdditionalHeader("label", partition.FilesystemLabel),
-		tpm.WithAdditionalHeader("name", partition.Name),
-		tpm.WithAdditionalHeader("uuid", partition.UUID),
-	}
-	for k, v := range headers {
-		opts = append(opts, tpm.WithAdditionalHeader(k, v))
-	}
-
-	msg, err := tpm.Get(server, opts...)
-	if err != nil {
-		return "", false, err
-	}
-	result := payload.Data{}
-	err = json.Unmarshal(msg, &result)
-	if err != nil {
-		return "", false, errors.Wrap(err, string(msg))
-	}
-
-	if result.HasPassphrase() {
-		return fmt.Sprint(result.Passphrase), result.HasBeenGenerated() && result.GeneratedBy == constants.TPMSecret, nil
-	} else if result.HasError() {
-		if strings.Contains(result.Error, "No secret found for") {
-			return "", false, errPartNotFound
-		}
-		if strings.Contains(result.Error, "x509: certificate signed by unknown authority") {
-			return "", false, errBadCertificate
-		}
-		return "", false, errors.New(result.Error)
-	}
-
-	return "", false, errPartNotFound
-}
-
 func genAndStore(k Config) (string, error) {
 	opts := []tpm.TPMOption{}
 	if k.Kcrypt.Challenger.TPMDevice != "" {

cmd/discovery/client/flow_test.go

@@ -0,0 +1,47 @@
+package client
+
+import (
+	"testing"
+
+	"github.com/kairos-io/kairos-sdk/types"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestClient(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Discovery Client Suite")
+}
+
+var _ = Describe("Flow Detection", func() {
+	var client *Client
+
+	BeforeEach(func() {
+		// Create a test client with basic config and logger
+		client = &Client{}
+		client.Config.Kcrypt.Challenger.Server = "http://test-server.local"
+		client.Logger = types.NewKairosLogger("test-client", "debug", false)
+	})
+
+	Context("TPM attestation capabilities", func() {
+		It("should handle TPM operations", func() {
+			// Test that client can be created without errors
+			// TPM availability testing requires actual hardware
+			Expect(client).ToNot(BeNil())
+		})
+	})
+
+	Context("Logging functionality", func() {
+		It("should have a valid logger", func() {
+			// Test that client has a valid logger
+			Expect(client.Logger).NotTo(BeNil())
+
+			// Test debug logging works without error
+			client.Logger.Debugf("Test log entry for flow detection")
+
+			// If we get here without panic, logging is working
+			Expect(true).To(BeTrue())
+		})
+	})
+
+})

cmd/discovery/client/mdns.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/mdns"
+	"github.com/kairos-io/kairos-sdk/types"
 )
 
 const (
@@ -18,7 +19,7 @@ const (
 // queryMDNS will make an mdns query on local network to find a kcrypt challenger server
 // instance. If none is found, the original URL is returned and no additional headers.
 // If a response is received, the IP address and port from the response will be returned// and an additional "Host" header pointing to the original host.
-func queryMDNS(originalURL string) (string, map[string]string, error) {
+func queryMDNS(originalURL string, logger types.KairosLogger) (string, map[string]string, error) {
 	additionalHeaders := map[string]string{}
 	var err error
 
@@ -32,9 +33,9 @@ func queryMDNS(originalURL string) (string, map[string]string, error) {
 		return "", additionalHeaders, fmt.Errorf("domain should end in \".local\" when using mdns")
 	}
 
-	mdnsIP, mdnsPort := discoverMDNSServer(host)
+	mdnsIP, mdnsPort := discoverMDNSServer(host, logger)
 	if mdnsIP == "" { // no reply
-		logToFile("no reply from mdns\n")
+		logger.Debugf("no reply from mdns")
 		return originalURL, additionalHeaders, nil
 	}
 
@@ -56,12 +57,12 @@ func queryMDNS(originalURL string) (string, map[string]string, error) {
 // discoverMDNSServer performs an mDNS query to discover any running kcrypt challenger
 // servers on the same network that matches the given hostname.
 // If a response if received, the IP address and the Port from the response are returned.
-func discoverMDNSServer(hostname string) (string, string) {
+func discoverMDNSServer(hostname string, logger types.KairosLogger) (string, string) {
 	// Make a channel for results and start listening
 	entriesCh := make(chan *mdns.ServiceEntry, 4)
 	defer close(entriesCh)
 
-	logToFile("Will now wait for some mdns server to respond\n")
+	logger.Debugf("Will now wait for some mdns server to respond")
 	// Start the lookup. It will block until we read from the chan.
 	mdns.Lookup(MDNSServiceType, entriesCh)
 
@@ -70,15 +71,15 @@ func discoverMDNSServer(hostname string) (string, string) {
 	for {
 		select {
 		case entry := <-entriesCh:
-			logToFile("mdns response received\n")
+			logger.Debugf("mdns response received")
 			if entry.Host == expectedHost {
-				logToFile("%s matches %s\n", entry.Host, expectedHost)
+				logger.Debugf("%s matches %s", entry.Host, expectedHost)
 				return entry.AddrV4.String(), strconv.Itoa(entry.Port) // TODO: v6?
 			} else {
-				logToFile("%s didn't match %s\n", entry.Host, expectedHost)
+				logger.Debugf("%s didn't match %s", entry.Host, expectedHost)
 			}
 		case <-time.After(MDNSTimeout):
-			logToFile("timed out waiting for mdns\n")
+			logger.Debugf("timed out waiting for mdns")
 			return "", ""
 		}
 	}

cmd/discovery/main.go

@@ -1,30 +1,478 @@
 package main
 
 import (
+	"bufio"
 	"fmt"
 	"os"
+	"strings"
 
+	"github.com/jaypipes/ghw/pkg/block"
 	"github.com/kairos-io/kairos-challenger/cmd/discovery/client"
-	"github.com/kairos-io/kcrypt/pkg/bus"
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
+	"github.com/kairos-io/kairos-sdk/kcrypt/bus"
+	"github.com/kairos-io/kairos-sdk/types"
 	"github.com/kairos-io/tpm-helpers"
+	"github.com/spf13/cobra"
 )
 
-func main() {
-	if len(os.Args) >= 2 && bus.IsEventDefined(os.Args[1]) {
-		c, err := client.NewClient()
-		checkErr(err)
-		checkErr(c.Start())
-		return
-	}
-
-	pubhash, err := tpm.GetPubHash()
-	checkErr(err)
-	fmt.Print(pubhash)
+// GetFlags holds all flags specific to the get command
+type GetFlags struct {
+	PartitionName     string
+	PartitionUUID     string
+	PartitionLabel    string
+	Attempts          int
+	ChallengerServer  string
+	EnableMDNS        bool
+	ServerCertificate string
 }
 
-func checkErr(err error) {
-	if err != nil {
-		fmt.Println(err)
+var (
+	// Global/persistent flags
+	debug bool
+)
+
+// rootCmd represents the base command (TPM hash generation)
+var rootCmd = &cobra.Command{
+	Use:   "kcrypt-discovery-challenger",
+	Short: "kcrypt-challenger discovery client",
+	Long: `kcrypt-challenger discovery client
+
+This tool provides TPM-based operations for encrypted partition management.
+By default, it outputs the TPM hash for this device.
+
+Configuration:
+  The client reads configuration from Kairos configuration files in the following directories:
+  - /oem (during installation from ISO)
+  - /sysroot/oem (on installed systems during initramfs)
+  - /tmp/oem (when running in hooks)
+
+  Configuration format (YAML):
+    kcrypt:
+      challenger:
+        challenger_server: "https://my-server.com:8082"  # Server URL
+        mdns: true                                       # Enable mDNS discovery
+        certificate: "/path/to/server-cert.pem"         # Server certificate
+        nv_index: "0x1500000"                           # TPM NV index (offline mode)
+        c_index: "0x1500001"                            # TPM certificate index
+        tpm_device: "/dev/tpmrm0"                        # TPM device path`,
+	Example: `  # Get TPM hash for this device (default)
+  kcrypt-discovery-challenger
+
+  # Get passphrase for encrypted partition
+  kcrypt-discovery-challenger get --partition-name=/dev/sda2
+
+  # Clean up TPM NV memory (useful for development)
+  kcrypt-discovery-challenger cleanup
+
+  # Run plugin event
+  kcrypt-discovery-challenger discovery.password`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return runTPMHash()
+	},
+}
+
+// newCleanupCmd creates the cleanup command
+func newCleanupCmd() *cobra.Command {
+	var nvIndex string
+	var tpmDevice string
+	var skipConfirmation bool
+
+	cmd := &cobra.Command{
+		Use:   "cleanup",
+		Short: "Clean up TPM NV memory",
+		Long: `Clean up TPM NV memory by undefining specific NV indices.
+
+⚠️  DANGER: This command removes encryption passphrases from TPM memory!
+⚠️  If you delete the wrong index, your encrypted disk may become UNBOOTABLE!
+
+This command helps clean up TPM NV memory used by the local pass flow,
+which stores encrypted passphrases in TPM non-volatile memory. Without
+cleanup, these passphrases persist indefinitely and take up space.
+
+The command will prompt for confirmation before deletion unless you use
+the --i-know-what-i-am-doing flag to skip the safety prompt.
+
+Default behavior:
+- Uses the same NV index as the local pass flow (from config or 0x1500000)
+- Uses the same TPM device as configured (or system default if none specified)
+- Prompts for confirmation with safety warnings`,
+		Example: `  # Clean up default NV index (with confirmation prompt)
+  kcrypt-discovery-challenger cleanup
+
+  # Clean up specific NV index
+  kcrypt-discovery-challenger cleanup --nv-index=0x1500001
+
+  # Clean up with specific TPM device
+  kcrypt-discovery-challenger cleanup --tpm-device=/dev/tpmrm0
+
+  # Skip confirmation prompt (DANGEROUS!)
+  kcrypt-discovery-challenger cleanup --i-know-what-i-am-doing`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runCleanup(nvIndex, tpmDevice, skipConfirmation)
+		},
+	}
+
+	cmd.Flags().StringVar(&nvIndex, "nv-index", "", fmt.Sprintf("NV index to clean up (defaults to configured index or %s)", client.DefaultNVIndex))
+	cmd.Flags().StringVar(&tpmDevice, "tpm-device", "", "TPM device path (defaults to configured device or system default)")
+	cmd.Flags().BoolVar(&skipConfirmation, "i-know-what-i-am-doing", false, "Skip confirmation prompt (DANGEROUS: may make encrypted disks unbootable)")
+
+	return cmd
+}
+
+// newGetCmd creates the get command with its flags
+func newGetCmd() *cobra.Command {
+	flags := &GetFlags{}
+
+	cmd := &cobra.Command{
+		Use:   "get",
+		Short: "Get passphrase for encrypted partition",
+		Long: `Get passphrase for encrypted partition using TPM attestation.
+
+This command retrieves passphrases for encrypted partitions by communicating
+with a challenger server using TPM-based attestation. At least one partition
+identifier (name, UUID, or label) must be provided.
+
+The command uses configuration from the root command's config files, but flags
+can override specific settings:
+  --challenger-server  Override kcrypt.challenger.challenger_server
+  --mdns               Override kcrypt.challenger.mdns  
+  --certificate        Override kcrypt.challenger.certificate`,
+		Example: `  # Get passphrase using partition name
+  kcrypt-discovery-challenger get --partition-name=/dev/sda2
+
+  # Get passphrase using UUID  
+  kcrypt-discovery-challenger get --partition-uuid=12345-abcde
+
+  # Get passphrase using filesystem label
+  kcrypt-discovery-challenger get --partition-label=encrypted-data
+
+  # Get passphrase with multiple identifiers
+  kcrypt-discovery-challenger get --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data
+
+  # Get passphrase with custom server
+  kcrypt-discovery-challenger get --partition-label=encrypted-data --challenger-server=https://my-server.com:8082`,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			// Validate that at least one partition identifier is provided
+			if flags.PartitionName == "" && flags.PartitionUUID == "" && flags.PartitionLabel == "" {
+				return fmt.Errorf("at least one of --partition-name, --partition-uuid, or --partition-label must be provided")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runGetPassphrase(flags)
+		},
+	}
+
+	// Register flags
+	cmd.Flags().StringVar(&flags.PartitionName, "partition-name", "", "Name of the partition (at least one identifier required)")
+	cmd.Flags().StringVar(&flags.PartitionUUID, "partition-uuid", "", "UUID of the partition (at least one identifier required)")
+	cmd.Flags().StringVar(&flags.PartitionLabel, "partition-label", "", "Filesystem label of the partition (at least one identifier required)")
+	cmd.Flags().IntVar(&flags.Attempts, "attempts", 30, "Number of attempts to get the passphrase")
+	cmd.Flags().StringVar(&flags.ChallengerServer, "challenger-server", "", "URL of the challenger server (overrides config)")
+	cmd.Flags().BoolVar(&flags.EnableMDNS, "mdns", false, "Enable mDNS discovery (overrides config)")
+	cmd.Flags().StringVar(&flags.ServerCertificate, "certificate", "", "Server certificate for verification (overrides config)")
+
+	return cmd
+}
+
+// pluginCmd represents the plugin event commands
+var pluginCmd = &cobra.Command{
+	Use:   string(bus.EventDiscoveryPassword),
+	Short: fmt.Sprintf("Run %s plugin event", bus.EventDiscoveryPassword),
+	Long: fmt.Sprintf(`Run the %s plugin event.
+
+This command runs in plugin mode, reading JSON partition data from stdin
+and outputting the passphrase to stdout. This is used for integration 
+with kcrypt and other tools.`, bus.EventDiscoveryPassword),
+	Example: fmt.Sprintf(`  # Plugin mode (for integration with kcrypt)
+  echo '{"data": "{\"name\": \"/dev/sda2\", \"uuid\": \"12345-abcde\", \"label\": \"encrypted-data\"}"}' | kcrypt-discovery-challenger %s`, bus.EventDiscoveryPassword),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return runPluginMode()
+	},
+}
+
+func init() {
+	// Global/persistent flags (available to all commands)
+	rootCmd.PersistentFlags().BoolVar(&debug, "debug", false, "Enable debug logging")
+
+	// Add subcommands
+	rootCmd.AddCommand(newGetCmd())
+	rootCmd.AddCommand(newCleanupCmd())
+	rootCmd.AddCommand(pluginCmd)
+}
+
+func main() {
+	if err := rootCmd.Execute(); err != nil {
 		os.Exit(1)
 	}
 }
+
+// ExecuteWithArgs executes the root command with the given arguments.
+// This function is used by tests to simulate CLI execution.
+func ExecuteWithArgs(args []string) error {
+	// Set command arguments (this overrides os.Args)
+	rootCmd.SetArgs(args)
+
+	return rootCmd.Execute()
+}
+
+// runTPMHash handles the root command - TPM hash generation
+func runTPMHash() error {
+	// Create logger based on debug flag
+	var logger types.KairosLogger
+	if debug {
+		logger = types.NewKairosLogger("kcrypt-discovery-challenger", "debug", false)
+		logger.Debugf("Debug mode enabled for TPM hash generation")
+	} else {
+		logger = types.NewKairosLogger("kcrypt-discovery-challenger", "error", false)
+	}
+
+	// Initialize AK Manager with the standard handle file
+	logger.Debugf("Initializing AK Manager with handle file: %s", constants.AKBlobFile)
+	akManager, err := tpm.NewAKManager(tpm.WithAKHandleFile(constants.AKBlobFile))
+	if err != nil {
+		return fmt.Errorf("creating AK manager: %w", err)
+	}
+	logger.Debugf("AK Manager initialized successfully")
+
+	// Ensure AK exists (create if necessary)
+	logger.Debugf("Getting or creating AK")
+	_, err = akManager.GetOrCreateAK()
+	if err != nil {
+		return fmt.Errorf("getting/creating AK: %w", err)
+	}
+	logger.Debugf("AK obtained/created successfully")
+
+	// Get attestation data (includes EK)
+	logger.Debugf("Getting attestation data")
+	ek, _, err := akManager.GetAttestationData()
+	if err != nil {
+		return fmt.Errorf("getting attestation data: %w", err)
+	}
+	logger.Debugf("Attestation data retrieved successfully")
+
+	// Compute TPM hash from EK
+	logger.Debugf("Computing TPM hash from EK")
+	tpmHash, err := tpm.DecodePubHash(ek)
+	if err != nil {
+		return fmt.Errorf("computing TPM hash: %w", err)
+	}
+	logger.Debugf("TPM hash computed successfully: %s", tpmHash)
+
+	// Output the TPM hash to stdout
+	fmt.Print(tpmHash)
+	return nil
+}
+
+// runGetPassphrase handles the get subcommand - passphrase retrieval
+func runGetPassphrase(flags *GetFlags) error {
+	// Create logger based on debug flag
+	var logger types.KairosLogger
+	if debug {
+		logger = types.NewKairosLogger("kcrypt-discovery-challenger", "debug", false)
+	} else {
+		logger = types.NewKairosLogger("kcrypt-discovery-challenger", "error", false)
+	}
+
+	// Create client with potential CLI overrides
+	c, err := createClientWithOverrides(flags.ChallengerServer, flags.EnableMDNS, flags.ServerCertificate, logger)
+	if err != nil {
+		return fmt.Errorf("creating client: %w", err)
+	}
+
+	// Create partition object
+	partition := &block.Partition{
+		Name:            flags.PartitionName,
+		UUID:            flags.PartitionUUID,
+		FilesystemLabel: flags.PartitionLabel,
+	}
+
+	// Log partition information
+	logger.Debugf("Partition details:")
+	logger.Debugf("  Name: %s", partition.Name)
+	logger.Debugf("  UUID: %s", partition.UUID)
+	logger.Debugf("  Label: %s", partition.FilesystemLabel)
+	logger.Debugf("  Attempts: %d", flags.Attempts)
+
+	// Get the passphrase using the same backend logic as the plugin
+	fmt.Fprintf(os.Stderr, "Requesting passphrase for partition %s (UUID: %s, Label: %s)...\n",
+		flags.PartitionName, flags.PartitionUUID, flags.PartitionLabel)
+
+	passphrase, err := c.GetPassphrase(partition, flags.Attempts)
+	if err != nil {
+		return fmt.Errorf("getting passphrase: %w", err)
+	}
+
+	// Output the passphrase to stdout (this is what tools expect)
+	fmt.Print(passphrase)
+	fmt.Fprintf(os.Stderr, "\nPassphrase retrieved successfully\n")
+	return nil
+}
+
+// runPluginMode handles plugin event commands
+func runPluginMode() error {
+	// In plugin mode, use quiet=true to log to file instead of console
+	// Log level depends on debug flag, write logs to /var/log/kairos/kcrypt-discovery-challenger.log
+	var logLevel string
+	if debug {
+		logLevel = "debug"
+	} else {
+		logLevel = "error"
+	}
+
+	logger := types.NewKairosLogger("kcrypt-discovery-challenger", logLevel, true)
+	c, err := client.NewClientWithLogger(logger)
+	if err != nil {
+		return fmt.Errorf("creating client: %w", err)
+	}
+
+	err = c.Start()
+	if err != nil {
+		return fmt.Errorf("starting plugin: %w", err)
+	}
+	return nil
+}
+
+// createClientWithOverrides creates a client and applies CLI flag overrides to the config
+func createClientWithOverrides(serverURL string, enableMDNS bool, certificate string, logger types.KairosLogger) (*client.Client, error) {
+	// Start with the default config from files and pass the logger
+	c, err := client.NewClientWithLogger(logger)
+	if err != nil {
+		return nil, err
+	}
+
+	// Log the original configuration values
+	logger.Debugf("Original configuration:")
+	logger.Debugf("  Server: %s", c.Config.Kcrypt.Challenger.Server)
+	logger.Debugf("  MDNS: %t", c.Config.Kcrypt.Challenger.MDNS)
+	logger.Debugf("  Certificate: %s", maskSensitiveString(c.Config.Kcrypt.Challenger.Certificate))
+
+	// Apply CLI overrides if provided
+	if serverURL != "" {
+		logger.Debugf("Overriding server URL: %s -> %s", c.Config.Kcrypt.Challenger.Server, serverURL)
+		c.Config.Kcrypt.Challenger.Server = serverURL
+	}
+
+	// For boolean flags, we can directly use the value since Cobra handles it properly
+	if enableMDNS {
+		logger.Debugf("Overriding MDNS setting: %t -> %t", c.Config.Kcrypt.Challenger.MDNS, enableMDNS)
+		c.Config.Kcrypt.Challenger.MDNS = enableMDNS
+	}
+
+	if certificate != "" {
+		logger.Debugf("Overriding certificate: %s -> %s",
+			maskSensitiveString(c.Config.Kcrypt.Challenger.Certificate),
+			maskSensitiveString(certificate))
+		c.Config.Kcrypt.Challenger.Certificate = certificate
+	}
+
+	// Log the final configuration values
+	logger.Debugf("Final configuration:")
+	logger.Debugf("  Server: %s", c.Config.Kcrypt.Challenger.Server)
+	logger.Debugf("  MDNS: %t", c.Config.Kcrypt.Challenger.MDNS)
+	logger.Debugf("  Certificate: %s", maskSensitiveString(c.Config.Kcrypt.Challenger.Certificate))
+
+	return c, nil
+}
+
+// runCleanup handles the cleanup subcommand - TPM NV memory cleanup
+func runCleanup(nvIndex, tpmDevice string, skipConfirmation bool) error {
+	// Create logger based on debug flag
+	var logger types.KairosLogger
+	if debug {
+		logger = types.NewKairosLogger("kcrypt-discovery-challenger", "debug", false)
+		logger.Debugf("Debug mode enabled for TPM NV cleanup")
+	} else {
+		logger = types.NewKairosLogger("kcrypt-discovery-challenger", "error", false)
+	}
+
+	// Load configuration to get defaults if flags not provided
+	var config client.Config
+	c, err := client.NewClientWithLogger(logger)
+	if err != nil {
+		logger.Debugf("Warning: Could not load configuration: %v", err)
+		// Continue with defaults - not a fatal error
+	} else {
+		config = c.Config
+	}
+
+	// Determine NV index to clean up (follow same pattern as localPass/genAndStore)
+	targetIndex := nvIndex
+	if targetIndex == "" {
+		// First check config, then fall back to the same default used by the local pass flow
+		if config.Kcrypt.Challenger.NVIndex != "" {
+			targetIndex = config.Kcrypt.Challenger.NVIndex
+		} else {
+			targetIndex = client.DefaultNVIndex
+		}
+	}
+
+	// Determine TPM device
+	targetDevice := tpmDevice
+	if targetDevice == "" && config.Kcrypt.Challenger.TPMDevice != "" {
+		targetDevice = config.Kcrypt.Challenger.TPMDevice
+	}
+
+	logger.Debugf("Cleaning up TPM NV index: %s", targetIndex)
+	if targetDevice != "" {
+		logger.Debugf("Using TPM device: %s", targetDevice)
+	}
+
+	// Check if the NV index exists first
+	opts := []tpm.TPMOption{tpm.WithIndex(targetIndex)}
+	if targetDevice != "" {
+		opts = append(opts, tpm.WithDevice(targetDevice))
+	}
+
+	// Try to read from the index to see if it exists
+	logger.Debugf("Checking if NV index %s exists", targetIndex)
+	_, err = tpm.ReadBlob(opts...)
+	if err != nil {
+		// If we can't read it, it might not exist or be empty
+		logger.Debugf("NV index %s appears to be empty or non-existent: %v", targetIndex, err)
+		fmt.Printf("NV index %s appears to be empty or does not exist\n", targetIndex)
+		return nil
+	}
+
+	// Confirmation prompt with warning
+	if !skipConfirmation {
+		fmt.Printf("\n⚠️  WARNING: You are about to delete TPM NV index %s\n", targetIndex)
+		fmt.Printf("⚠️  If this index contains your disk encryption passphrase, your encrypted disk will become UNBOOTABLE!\n")
+		fmt.Printf("⚠️  This action CANNOT be undone.\n\n")
+		fmt.Printf("Are you sure you want to continue? (type 'yes' to confirm): ")
+
+		scanner := bufio.NewScanner(os.Stdin)
+		scanner.Scan()
+		response := strings.TrimSpace(strings.ToLower(scanner.Text()))
+
+		if response != "yes" {
+			fmt.Printf("Cleanup cancelled.\n")
+			return nil
+		}
+	}
+
+	// Use native Go TPM library to undefine the NV space
+	logger.Debugf("Using native TPM library to undefine NV index")
+	fmt.Printf("Cleaning up TPM NV index %s...\n", targetIndex)
+
+	err = tpm.UndefineBlob(opts...)
+	if err != nil {
+		return fmt.Errorf("failed to undefine NV index %s: %w", targetIndex, err)
+	}
+
+	fmt.Printf("Successfully cleaned up NV index %s\n", targetIndex)
+	logger.Debugf("Successfully undefined NV index %s", targetIndex)
+	return nil
+}
+
+// maskSensitiveString masks certificate paths/content for logging
+func maskSensitiveString(s string) string {
+	if s == "" {
+		return "<empty>"
+	}
+	if len(s) <= 10 {
+		return strings.Repeat("*", len(s))
+	}
+	// Show first 3 and last 3 characters with * in between
+	return s[:3] + strings.Repeat("*", len(s)-6) + s[len(s)-3:]
+}

config/crd/bases/keyserver.kairos.io_sealedvolumes.yaml

@@ -37,6 +37,40 @@ spec:
             properties:
               TPMHash:
                 type: string
+              attestation:
+                description: AttestationSpec defines TPM attestation data for TOFU
+                  enrollment and verification
+                properties:
+                  akPublicKey:
+                    description: AKPublicKey stores the Attestation Key public key
+                      in PEM format
+                    type: string
+                  ekPublicKey:
+                    description: EKPublicKey stores the Endorsement Key public key
+                      in PEM format
+                    type: string
+                  enrolledAt:
+                    description: EnrolledAt timestamp when this TPM was first enrolled
+                    format: date-time
+                    type: string
+                  lastVerifiedAt:
+                    description: LastVerifiedAt timestamp of the last successful attestation
+                    format: date-time
+                    type: string
+                  pcrValues:
+                    description: PCRValues stores the expected PCR values for boot
+                      state verification
+                    properties:
+                      pcrs:
+                        additionalProperties:
+                          type: string
+                        description: 'PCRs is a flexible map of PCR index (as string)
+                          to PCR value (hex-encoded) Example: {"0": "a1b2c3...", "7":
+                          "d4e5f6...", "11": "g7h8i9..."} This allows for any combination
+                          of PCRs without hardcoding specific indices'
+                        type: object
+                    type: object
+                type: object
               partitions:
                 items:
                   description: 'PartitionSpec defines a Partition. A partition can

config/default/kustomization.yaml

@@ -25,11 +25,6 @@ bases:
 #- ../prometheus
 
 patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
-
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type
 #- manager_config_patch.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -1,39 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: kube-rbac-proxy
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=0"
-        ports:
-        - containerPort: 8443
-          protocol: TCP
-          name: https
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-      - name: manager
-        args:
-        - "--health-probe-bind-address=:8081"
-        - "--metrics-bind-address=127.0.0.1:8080"
-        - "--leader-elect"

config/dev/kustomization.yaml

@@ -25,10 +25,6 @@ bases:
 #- ../prometheus
 
 patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
 - pull.yaml
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type

config/dev/manager_auth_proxy_patch.yaml

@@ -1,39 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: kube-rbac-proxy
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=0"
-        ports:
-        - containerPort: 8443
-          protocol: TCP
-          name: https
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-      - name: manager
-        args:
-        - "--health-probe-bind-address=:8081"
-        - "--metrics-bind-address=127.0.0.1:8080"
-        - "--leader-elect"

config/dev/pull.yaml

@@ -9,4 +9,6 @@ spec:
       containers:
       - name: manager
         imagePullPolicy: IfNotPresent
+      - name: kube-rbac-proxy
+        imagePullPolicy: IfNotPresent
 

config/manager/manager.yaml

@@ -34,10 +34,41 @@ spec:
         # seccompProfile:
         #   type: RuntimeDefault
       containers:
+      - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - "ALL"
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=0"
+        ports:
+        - containerPort: 8443
+          protocol: TCP
+          name: https
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 5m
+            memory: 64Mi
       - command:
         - /manager
         args:
-        - --leader-elect
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=127.0.0.1:8080"
+        - "--leader-elect"
+        - "--namespace=$(POD_NAMESPACE)"
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         image: controller:latest
         name: manager
         securityContext:

controllers/suite_test.go

@@ -69,8 +69,7 @@ var _ = BeforeSuite(func() {
 	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
 	Expect(err).NotTo(HaveOccurred())
 	Expect(k8sClient).NotTo(BeNil())
-
-}, 60)
+})
 
 var _ = AfterSuite(func() {
 	By("tearing down the test environment")

earthly.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v $(pwd):/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.15 --allow-privileged $@
+docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v $(pwd):/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.16 --allow-privileged $@

examples/cli-usage.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Example script demonstrating the new CLI interface for kcrypt-challenger
+# This makes testing and debugging much easier than using the plugin interface
+
+echo "=== kcrypt-challenger CLI Examples ==="
+echo
+
+# Build the binary if it doesn't exist
+if [ ! -f "./kcrypt-discovery-challenger" ]; then
+    echo "Building kcrypt-discovery-challenger..."
+    go build -o kcrypt-discovery-challenger ./cmd/discovery/
+    echo
+fi
+
+echo "1. Show help:"
+./kcrypt-discovery-challenger --help
+echo
+
+echo "2. Show version:"
+./kcrypt-discovery-challenger --version
+echo
+
+echo "3. Test CLI mode with example parameters (will fail without server, but shows the flow):"
+echo "   Command: ./kcrypt-discovery-challenger --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data --attempts=1"
+echo "   Expected: Error connecting to server, but flow detection should work"
+echo
+./kcrypt-discovery-challenger --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data --attempts=1 2>&1 || true
+echo
+
+echo "4. Test CLI mode with configuration overrides:"
+echo "   Command: ./kcrypt-discovery-challenger --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data --challenger-server=https://custom-server.com:8082 --mdns=true --attempts=1"
+echo "   Expected: Same error but with custom server configuration"
+echo
+./kcrypt-discovery-challenger --partition-name=/dev/sda2 --partition-uuid=12345-abcde --partition-label=encrypted-data --challenger-server=https://custom-server.com:8082 --mdns=true --attempts=1 2>&1 || true
+echo
+
+echo "4. Check the log file for flow detection:"
+if [ -f "/tmp/kcrypt-challenger-client.log" ]; then
+    echo "   Log contents:"
+    cat /tmp/kcrypt-challenger-client.log
+    echo
+else
+    echo "   No log file found"
+fi
+
+echo "5. Test plugin mode (for comparison):"
+echo "   Command: echo '{\"data\": \"{\\\"name\\\": \\\"/dev/sda2\\\", \\\"uuid\\\": \\\"12345-abcde\\\", \\\"filesystemLabel\\\": \\\"encrypted-data\\\"}\"}' | ./kcrypt-discovery-challenger discovery.password"
+echo "   Expected: Same behavior as CLI mode"
+echo
+echo '{"data": "{\"name\": \"/dev/sda2\", \"uuid\": \"12345-abcde\", \"filesystemLabel\": \"encrypted-data\"}"}' | ./kcrypt-discovery-challenger discovery.password 2>&1 || true
+echo
+
+echo "=== Summary ==="
+echo "✅ CLI interface successfully created"
+echo "✅ Full compatibility with plugin mode maintained"
+echo "✅ Same backend logic used for both interfaces"
+echo "✅ Flow detection works in both modes"
+echo ""
+echo "Benefits:"
+echo "- Much easier testing during development"
+echo "- Can be used for debugging in production"
+echo "- Clear command-line interface with help and examples"
+echo "- Maintains full compatibility with kcrypt integration"

go.mod

@@ -1,26 +1,29 @@
 module github.com/kairos-io/kairos-challenger
 
-go 1.24.2
+go 1.25
+
+replace github.com/kairos-io/tpm-helpers => github.com/kairos-io/tpm-helpers v0.0.0-20250924104130-49f51e390ef3
+//replace github.com/kairos-io/tpm-helpers => /home/dimitris/workspace/kairos/tpm-helpers
 
 require (
-	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/logr v1.4.3
+	github.com/google/go-attestation v0.5.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/hashicorp/mdns v1.0.6
-	github.com/jaypipes/ghw v0.14.0
-	github.com/kairos-io/kairos-sdk v0.7.3
-	github.com/kairos-io/kcrypt v0.13.0
+	github.com/jaypipes/ghw v0.19.1
+	github.com/kairos-io/kairos-sdk v0.10.1
 	github.com/kairos-io/tpm-helpers v0.0.0-20240123063624-f7a3fcc66199
 	github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5
 	github.com/mudler/go-processmanager v0.0.0-20240820160718-8b802d3ecf82
-	github.com/mudler/yip v1.15.0
-	github.com/onsi/ginkgo/v2 v2.23.0
-	github.com/onsi/gomega v1.36.2
-	github.com/pkg/errors v0.9.1
+	github.com/mudler/yip v1.18.0
+	github.com/onsi/ginkgo/v2 v2.25.3
+	github.com/onsi/gomega v1.38.2
 	github.com/spectrocloud/peg v0.0.0-20240405075800-c5da7125e30f
+	github.com/spf13/cobra v1.10.1
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.27.2
-	k8s.io/apimachinery v0.27.2
+	k8s.io/apimachinery v0.27.4
 	k8s.io/client-go v0.27.2
 	sigs.k8s.io/controller-runtime v0.15.0
 )
@@ -31,11 +34,10 @@ require (
 	atomicgo.dev/schedule v0.1.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.12.9 // indirect
-	github.com/StackExchange/wmi v1.2.1 // indirect
 	github.com/avast/retry-go v3.0.0+incompatible // indirect
 	github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -46,26 +48,26 @@ require (
 	github.com/codingsince1985/checksum v1.2.6 // indirect
 	github.com/containerd/cgroups/v3 v3.0.5 // indirect
 	github.com/containerd/console v1.0.4 // indirect
-	github.com/containerd/containerd v1.7.25 // indirect
+	github.com/containerd/containerd v1.7.27 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/denisbrodbeck/machineid v1.0.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v27.5.0+incompatible // indirect
+	github.com/docker/cli v28.2.2+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v27.5.1+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/docker/docker v28.3.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.2.4 // indirect
@@ -74,34 +76,35 @@ require (
 	github.com/go-openapi/jsonreference v0.20.1 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/go-containerregistry v0.20.3 // indirect
-	github.com/google/go-tpm v0.3.3 // indirect
-	github.com/google/go-tpm-tools v0.3.10 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-configfs-tsm v0.3.3 // indirect
+	github.com/google/go-containerregistry v0.20.6 // indirect
+	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/google/go-tpm-tools v0.4.4 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20250208200701-d0013a598941 // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/gookit/color v1.5.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/ipfs/go-log v1.0.5 // indirect
 	github.com/ipfs/go-log/v2 v2.5.1 // indirect
 	github.com/itchyny/gojq v0.12.17 // indirect
 	github.com/itchyny/timefmt-go v0.1.6 // indirect
+	github.com/jaypipes/pcidb v1.1.1 // indirect
 	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -120,9 +123,10 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/prometheus/client_golang v1.20.2 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
@@ -137,40 +141,42 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
 	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/twpayne/go-vfs/v4 v4.3.0 // indirect
-	github.com/vbatts/tar-split v0.11.6 // indirect
+	github.com/vbatts/tar-split v0.12.1 // indirect
 	github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/otel v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.34.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.9.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/crypto v0.33.0 // indirect
-	golang.org/x/mod v0.23.0 // indirect
-	golang.org/x/net v0.35.0 // indirect
-	golang.org/x/oauth2 v0.25.0 // indirect
-	golang.org/x/sync v0.11.0 // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/term v0.29.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.30.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/mod v0.28.0 // indirect
+	golang.org/x/net v0.44.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/term v0.35.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.37.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250212204824-5a70512c5d8b // indirect
 	google.golang.org/grpc v1.70.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/protobuf v1.36.7 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	howett.net/plist v1.0.0 // indirect
+	howett.net/plist v1.0.2-0.20250314012144-ee69052608d9 // indirect
 	k8s.io/apiextensions-apiserver v0.27.2 // indirect
 	k8s.io/component-base v0.27.2 // indirect
 	k8s.io/klog/v2 v2.90.1 // indirect

pkg/challenger/challenger_test.go

@@ -38,7 +38,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("returns the sealed volume data", func() {
-				volumeData := findVolumeFor(requestData, volumeList)
+				volumeData, _ := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).ToNot(BeNil())
 				Expect(volumeData.Quarantined).To(BeFalse())
 				Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -67,7 +67,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("doesn't match a request with an empty field", func() {
-				volumeData := findVolumeFor(requestData, volumeList)
+				volumeData, _ := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).To(BeNil())
 			})
 		})
@@ -86,7 +86,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("returns the sealed volume data", func() {
-				volumeData := findVolumeFor(requestData, volumeList)
+				volumeData, _ := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).ToNot(BeNil())
 				Expect(volumeData.Quarantined).To(BeFalse())
 				Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -108,7 +108,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("returns the sealed volume data", func() {
-				volumeData := findVolumeFor(requestData, volumeList)
+				volumeData, _ := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).ToNot(BeNil())
 				Expect(volumeData.Quarantined).To(BeFalse())
 				Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -130,7 +130,7 @@ var _ = Describe("challenger", func() {
 			})
 
 			It("returns nil sealedVolumeData", func() {
-				volumeData := findVolumeFor(requestData, volumeList)
+				volumeData, _ := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).To(BeNil())
 			})
 		})

pkg/constants/secret.go

@@ -2,3 +2,4 @@ package constants
 
 const TPMSecret = "tpm"
 const GeneratedByKey = "generated_by"
+const AKBlobFile = "/etc/kairos/ak.blob"