Remove enrollement reporting on authentication request
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
@@ -250,7 +250,7 @@ func (c *Client) performTPMAttestation(endpoint string, additionalHeaders map[st
|
|||||||
if err := conn.ReadJSON(&challengeResp); err != nil {
|
if err := conn.ReadJSON(&challengeResp); err != nil {
|
||||||
return "", fmt.Errorf("reading challenge from server: %w", err)
|
return "", fmt.Errorf("reading challenge from server: %w", err)
|
||||||
}
|
}
|
||||||
c.Logger.Debugf("Challenge received - Enrolled: %t", challengeResp.Enrolled)
|
c.Logger.Debugf("Challenge received")
|
||||||
|
|
||||||
// Protocol Step 3: Create proof request using AK Manager
|
// Protocol Step 3: Create proof request using AK Manager
|
||||||
c.Logger.Debugf("Debug: Creating proof request from challenge response")
|
c.Logger.Debugf("Debug: Creating proof request from challenge response")
|
||||||
|
1
go.mod
1
go.mod
@@ -3,6 +3,7 @@ module github.com/kairos-io/kairos-challenger
|
|||||||
go 1.25
|
go 1.25
|
||||||
|
|
||||||
replace github.com/kairos-io/tpm-helpers => github.com/kairos-io/tpm-helpers v0.0.0-20250924104130-49f51e390ef3
|
replace github.com/kairos-io/tpm-helpers => github.com/kairos-io/tpm-helpers v0.0.0-20250924104130-49f51e390ef3
|
||||||
|
|
||||||
//replace github.com/kairos-io/tpm-helpers => /home/dimitris/workspace/kairos/tpm-helpers
|
//replace github.com/kairos-io/tpm-helpers => /home/dimitris/workspace/kairos/tpm-helpers
|
||||||
|
|
||||||
require (
|
require (
|
||||||
|
@@ -53,6 +53,7 @@ var upgrader = websocket.Upgrader{
|
|||||||
|
|
||||||
func cleanKubeName(s string) (d string) {
|
func cleanKubeName(s string) (d string) {
|
||||||
d = strings.ReplaceAll(s, "_", "-")
|
d = strings.ReplaceAll(s, "_", "-")
|
||||||
|
d = strings.ReplaceAll(d, "/", "-") // Replace forward slashes with hyphens
|
||||||
d = strings.ToLower(d)
|
d = strings.ToLower(d)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@@ -625,9 +626,12 @@ func handleTPMAttestation(w http.ResponseWriter, r *http.Request, logger logr.Lo
|
|||||||
func performInitialEnrollment(ctx *EnrollmentContext, attestation *ClientAttestation, reconciler *controllers.SealedVolumeReconciler, kclient *kubernetes.Clientset, namespace string, logger logr.Logger) error {
|
func performInitialEnrollment(ctx *EnrollmentContext, attestation *ClientAttestation, reconciler *controllers.SealedVolumeReconciler, kclient *kubernetes.Clientset, namespace string, logger logr.Logger) error {
|
||||||
logger.Info("Creating new TOFU enrollment")
|
logger.Info("Creating new TOFU enrollment")
|
||||||
|
|
||||||
// Generate secret name and path for new enrollment
|
// Generate secret name and path for new enrollment using DefaultSecret logic
|
||||||
secretName := fmt.Sprintf("tofu-%s", ctx.TPMHash[:8])
|
volumeData := SealedVolumeData{
|
||||||
secretPath := "/tmp/disk_passphrase"
|
PartitionLabel: ctx.Partition.Label,
|
||||||
|
VolumeName: fmt.Sprintf("tofu-%s", ctx.TPMHash[:8]),
|
||||||
|
}
|
||||||
|
secretName, secretPath := volumeData.DefaultSecret()
|
||||||
|
|
||||||
// Generate secure passphrase for new enrollment
|
// Generate secure passphrase for new enrollment
|
||||||
passphrase, err := generateTOFUPassphrase()
|
passphrase, err := generateTOFUPassphrase()
|
||||||
@@ -655,12 +659,19 @@ func performInitialEnrollment(ctx *EnrollmentContext, attestation *ClientAttesta
|
|||||||
return fmt.Errorf("creating TOFU SealedVolume: %w", err)
|
return fmt.Errorf("creating TOFU SealedVolume: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Update the enrollment context with volume data for passphrase retrieval
|
||||||
|
ctx.VolumeData = &SealedVolumeData{
|
||||||
|
Quarantined: false,
|
||||||
|
SecretName: secretName,
|
||||||
|
SecretPath: secretPath,
|
||||||
|
VolumeName: volumeData.VolumeName,
|
||||||
|
PartitionLabel: volumeData.PartitionLabel,
|
||||||
|
}
|
||||||
|
|
||||||
logger.Info("TOFU enrollment completed", "secretName", secretName, "secretPath", secretPath)
|
logger.Info("TOFU enrollment completed", "secretName", secretName, "secretPath", secretPath)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Implement these functions to replace the old handleTPMAttestation
|
|
||||||
|
|
||||||
// verifyAttestationData verifies AK and PCR data using selective enrollment
|
// verifyAttestationData verifies AK and PCR data using selective enrollment
|
||||||
func verifyAttestationData(ctx *EnrollmentContext, attestation *ClientAttestation, logger logr.Logger) error {
|
func verifyAttestationData(ctx *EnrollmentContext, attestation *ClientAttestation, logger logr.Logger) error {
|
||||||
// Skip verification for new enrollments (TOFU - Trust On First Use)
|
// Skip verification for new enrollments (TOFU - Trust On First Use)
|
||||||
@@ -726,20 +737,15 @@ func updateEnrollmentData(ctx *EnrollmentContext, attestation *ClientAttestation
|
|||||||
|
|
||||||
// sendPassphrase retrieves and securely sends the passphrase to the client
|
// sendPassphrase retrieves and securely sends the passphrase to the client
|
||||||
func sendPassphrase(conn *websocket.Conn, ctx *EnrollmentContext, kclient *kubernetes.Clientset, namespace string, logger logr.Logger) error {
|
func sendPassphrase(conn *websocket.Conn, ctx *EnrollmentContext, kclient *kubernetes.Clientset, namespace string, logger logr.Logger) error {
|
||||||
var secretName, secretPath string
|
// After performInitialEnrollment, VolumeData should always be populated
|
||||||
|
if ctx.VolumeData == nil {
|
||||||
if ctx.IsNewEnrollment {
|
return fmt.Errorf("no volume data available - enrollment may have failed")
|
||||||
// For new enrollments, use the TOFU secret created in performInitialEnrollment
|
|
||||||
secretName = fmt.Sprintf("tofu-%s", ctx.TPMHash[:8])
|
|
||||||
secretPath = "/tmp/disk_passphrase"
|
|
||||||
logger.Info("Retrieving passphrase for new TOFU enrollment", "secretName", secretName)
|
|
||||||
} else {
|
|
||||||
// For existing enrollments, get passphrase from stored secret
|
|
||||||
secretName = ctx.VolumeData.SecretName
|
|
||||||
secretPath = ctx.VolumeData.SecretPath
|
|
||||||
logger.Info("Retrieving passphrase for known TPM", "secretName", secretName)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Get secret name and path from the enrolled volume data
|
||||||
|
secretName, secretPath := ctx.VolumeData.DefaultSecret()
|
||||||
|
logger.Info("Retrieving passphrase", "secretName", secretName, "tpmHash", ctx.TPMHash[:8])
|
||||||
|
|
||||||
// Retrieve the secret
|
// Retrieve the secret
|
||||||
secret, err := kclient.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
|
secret, err := kclient.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -748,7 +754,7 @@ func sendPassphrase(conn *websocket.Conn, ctx *EnrollmentContext, kclient *kuber
|
|||||||
|
|
||||||
secretData, exists := secret.Data[secretPath]
|
secretData, exists := secret.Data[secretPath]
|
||||||
if !exists {
|
if !exists {
|
||||||
return fmt.Errorf("passphrase not found in secret at path: %s", secretPath)
|
return fmt.Errorf("passphrase not found in secret at key: %s", secretPath)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Send passphrase securely to client
|
// Send passphrase securely to client
|
||||||
@@ -1144,7 +1150,6 @@ func performTPMAuthentication(conn *websocket.Conn, logger logr.Logger) (*Client
|
|||||||
|
|
||||||
challengeResp := tpm.AttestationChallengeResponse{
|
challengeResp := tpm.AttestationChallengeResponse{
|
||||||
Challenge: challenge.EC,
|
Challenge: challenge.EC,
|
||||||
Enrolled: false, // Will be determined later in enrollment context
|
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.Info("Sending challenge to client")
|
logger.Info("Sending challenge to client")
|
||||||
|
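Review bot: The new `"tpmHash", ctx.TPMHash[:8]` in sendPassphrase, like `VolumeName: fmt.Sprintf("tofu-%s", ctx.TPMHash[:8])` in performInitialEnrollment, slices the hash unconditionally, so a TPMHash shorter than 8 bytes aborts the handler with a panic instead of a clean error; where TPMHash is validated is not visible here, so unless the caller already guarantees its length, a guard such as `if len(ctx.TPMHash) < 8 { return fmt.Errorf("invalid TPM hash length %d", len(ctx.TPMHash)) }` before the first slice (or a small shared prefix helper used by both functions) would be safer. Separately, performInitialEnrollment now stores SecretName and SecretPath in ctx.VolumeData, yet sendPassphrase immediately recomputes them with `ctx.VolumeData.DefaultSecret()` and never reads the stored fields; if DefaultSecret does not prefer the explicit fields, the two can drift, so either drop the stored fields or read them when non-empty. The body of performInitialEnrollment continues between its two hunks, and the body of sendPassphrase continues past the `@@ -748,7 +754,7 @@` hunk.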