rancher/kcrypt-challenger
1
0
Fork 0
mirror of https://github.com/kairos-io/kcrypt-challenger.git synced 2025-09-26 13:04:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
257 Commits 12 Branches 18 Tags
ee6ed01b50eb108e641e4d4e1567fa29ae4668e7
Commit Graph

257 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Dimitris Karakasilis
ee6ed01b50 Reject early when TPM is quarantined 
and update the README with remaining TODOs (only e2e tests missing)

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-25 16:00:31 +03:00
Dimitris Karakasilis
f0cadbbe6e Explain the various scenarios 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-25 15:24:12 +03:00
Dimitris Karakasilis
62fb8f6cce Reuse a secret then it's there and ignore missing PCRs 
This allows the operator to re-use an existing passphrase but let the
sealed volume be re-created automatically (so decryption can still
happen, we don't loose the original passphrase).

Also allows the operator to skip a PCR (e.g. 11) if they want to by
simply removing it after the initial enrollement or by manuall creating
the initial sealed volume but only with the PCRs they are interested in
by setting those to empty strings. This is useful if a PCR is expected
to change often, e.g. PCR 11 because of kernel upgrades.

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-25 15:16:54 +03:00
Dimitris Karakasilis
329fa9212c Remove enrollement reporting on authentication request 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-25 14:57:57 +03:00
Dimitris Karakasilis
b123339d19 Refactor wall-of-text method to one with better narrative 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-25 13:16:15 +03:00
Dimitris Karakasilis
2439d24e70 Add TODO in README for selective enrollement 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-25 10:31:55 +03:00
Dimitris Karakasilis
fac5dfb32d Remove stubbed version and fix tests 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-24 14:32:21 +03:00
Dimitris Karakasilis
5fb15c81f6 Allow the user to cleanup NV indexes 
e.g. to reset the passphrase stored on the TPM for local encryption

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-24 13:58:17 +03:00
Dimitris Karakasilis
caedb1ef7f Avoid global vars 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-24 13:04:13 +03:00
Dimitris Karakasilis
55a0d62231 Migrate to cobra cli for better code organization 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-24 12:57:32 +03:00
Dimitris Karakasilis
592426ae43 Remove meaningless test 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-24 11:41:56 +03:00
Dimitris Karakasilis
118189e672 Fix tests 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-24 10:44:32 +03:00
Dimitris Karakasilis
5f2d857097 [TMP] use a replace that points to a branch (instead of localy dir) 
Point to this: https://github.com/kairos-io/tpm-helpers/pull/7

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-24 10:14:38 +03:00
Dimitris Karakasilis
6ce6db1d84 Move path to a constant 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-23 16:38:03 +03:00
Dimitris Karakasilis
89b07027cb Remove unecessary wrapper 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-23 16:25:23 +03:00
Dimitris Karakasilis
bd19b91a1b Don't use the (now removed) redundant field 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-23 11:35:55 +03:00
Dimitris Karakasilis
9eeb285826 Handle PCR validation errors gracefully 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-22 16:10:25 +03:00
Dimitris Karakasilis
dc853ab2a4 Don't shot trace log when a security violation occurs 
because it's not an application error but rather normal behaviour

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-22 16:00:23 +03:00
Dimitris Karakasilis
8383f4b1b0 Use specific PCRs in tpm quote 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-22 15:56:32 +03:00
Dimitris Karakasilis
eba04e1479 Remove unecessary patches in deployment 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-22 15:54:28 +03:00
Dimitris Karakasilis
db5793d0d1 Treat and empty passphrase as an error 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-19 17:04:51 +03:00
Dimitris Karakasilis
8ce8651bca Implement TOFU flow on the server 
and fix some issues with the data we send back and forth between the
client and the server

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-19 16:48:52 +03:00
Dimitris Karakasilis
b674f911da Remove legacy methods from old flow 
TODO: Implemnt TOFU on the server

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-19 15:32:58 +03:00
Dimitris Karakasilis
2ef72d3c0a Use a KairosLogger consistently 
in plugin mode: log only to a file and journal and in "debug" level by
default

in cli mode: respect the `--debug` flag and write to the stdout

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-18 14:29:48 +03:00
Dimitris Karakasilis
f943b01c90 Introduce a cli interface to interace with the challenger client 
This will make debugging easier both while developing and in production.
No need to use it through the kcrypt binary anymore, because we might
not actually care about decrypting the disks but rather about getting
the passphrase from the KMS.

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-18 13:47:10 +03:00
Dimitris Karakasilis
80cd276ff3 [WIP] Split with-TPM and without-TPM flows 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
 2025-09-17 17:29:34 +03:00
renovate[bot]
db720d392a fix(deps): update module github.com/onsi/ginkgo/v2 to v2.25.3 (#140) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-09-13 17:56:01 +00:00
renovate[bot]
af5f9b34e6 chore(deps): update actions/download-artifact action to v5 (#135) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-09-13 08:58:54 +00:00
renovate[bot]
69bd83e5ba fix(deps): update module github.com/mudler/yip to v1.18.0 (#138) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-09-13 07:58:46 +00:00
renovate[bot]
932a59b960 chore(deps): update google/osv-scanner-action action to v2.2.2 (#142) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-09-13 07:01:15 +00:00
renovate[bot]
eea31d697d chore(deps): update actions/setup-go action to v6 (#144) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-09-13 06:48:45 +00:00
renovate[bot]
ccd79623ad fix(deps): update module github.com/jaypipes/ghw to v0.19.1 (#141) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-09-13 06:37:31 +00:00
renovate[bot]
a4613048c6 fix(deps): update module github.com/onsi/gomega to v1.38.2 (#134) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-09-13 06:27:30 +00:00
renovate[bot]
ea1f84ed49 chore(deps): update earthly/earthly docker tag to v0.8.16 (#132) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-09-13 06:11:18 +00:00
Itxaka
afb9d5e70d chore: update Go version and dependencies (#143) 
* chore: update Go version and dependencies

Upgrade Go to version 1.25 and update various dependencies to their latest versions for improved performance and security. This includes updates to the kairos-sdk, docker, and opentelemetry packages.

Signed-off-by: Itxaka <itxaka@kairos.io>

* chore: update Go version to 1.25

This change updates the Go version in the Earthfile and unit-tests.yml to 1.25-bookworm to ensure compatibility with the latest features and improvements.

Signed-off-by: Itxaka <itxaka@kairos.io>

* go mod tidy

Signed-off-by: Itxaka <itxaka@kairos.io>

* go mod tidy

Signed-off-by: Itxaka <itxaka@kairos.io>

* Fix?

Signed-off-by: Itxaka <itxaka@kairos.io>

* Fix

Signed-off-by: Itxaka <itxaka@kairos.io>

* maybe fix

Signed-off-by: Itxaka <itxaka@kairos.io>

* Fix

Signed-off-by: Itxaka <itxaka@kairos.io>

---------

Signed-off-by: Itxaka <itxaka@kairos.io>
v0.11.3 		2025-09-12 14:03:36 +02:00
renovate[bot]
432c71e4c2 Update google/osv-scanner-action action to v2.2.1 (#136) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-08-12 04:29:27 +00:00
renovate[bot]
79dae2a87d Update actions/checkout action to v5 (#137) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-08-12 04:05:50 +00:00
renovate[bot]
1f596e0abf Update module github.com/mudler/yip to v1.16.3 (#130) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-07-14 14:25:03 +00:00
renovate[bot]
53b26c2635 Update module github.com/kairos-io/kairos-sdk to v0.9.4 (#129) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-07-14 14:21:05 +00:00
renovate[bot]
2683ad797b Update google/osv-scanner-action action to v2.1.0 (#131) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-07-14 07:03:46 +00:00
renovate[bot]
74e82836a5 Update module github.com/jaypipes/ghw to v0.17.0 (#127) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-06-04 11:29:24 +00:00
renovate[bot]
24d88295d8 Update module github.com/go-logr/logr to v1.4.3 (#128) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-06-04 10:55:22 +00:00
renovate[bot]
17efbabdfc Update module github.com/mudler/yip to v1.16.2 (#126) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-06-04 06:49:57 +00:00
renovate[bot]
05157abbd4 Update module github.com/kairos-io/kairos-sdk to v0.9.3 (#125) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-05-14 00:01:20 +00:00
renovate[bot]
f1360e172b Update dependabot/fetch-metadata action to v2.4.0 (#124) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-05-10 02:03:40 +00:00
renovate[bot]
ac41a4fdcb Update module github.com/kairos-io/kairos-sdk to v0.9.2 (#123) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-05-08 23:43:38 +00:00
renovate[bot]
17cc494985 Update module github.com/kairos-io/kairos-sdk to v0.9.1 (#122) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-05-07 00:09:15 +00:00
Itxaka
ddd65746f0 Drop kcrypt, use sdk (#120) 2025-05-06 09:18:50 +00:00
renovate[bot]
5787d7fa47 Update module github.com/mudler/yip to v1.16.0 (#115) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-05-05 08:53:59 +00:00
renovate[bot]
2ee88ce704 Update module github.com/kairos-io/kcrypt to v0.15.0 (#112) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-05-05 08:52:46 +00:00