Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

spike: UKI Remote boot attestation with KMS #2988

Open
Tracked by #2129
Itxaka opened this issue Nov 8, 2024 · 1 comment
Open
Tracked by #2129

spike: UKI Remote boot attestation with KMS #2988

Itxaka opened this issue Nov 8, 2024 · 1 comment
Labels
enhancement New feature or request triage Add this label to issues that should be triaged and prioretized in the next planning call uki

Comments

@Itxaka
Copy link
Member

Itxaka commented Nov 8, 2024
edited by mudler
Loading

We would like to investigate how we can port the KMS to UKI scenarios.

High level scenario:

  • uki kairos node with encrypted partitions with a remote KMS in online mode (https://kairos.io/docs/advanced/partition_encryption/)
  • during boot we want to measure the system, and that have the expected values
  • if not, halt boot before mounting partitions
  • if yes, continue

Reference

https://www.redhat.com/en/blog/attestation-confidential-computing
https://docs.system-transparency.org/st-1.1.0/docs/selected-topics/remote-attestation/
https://kairos.io/docs/advanced/partition_encryption/#discoverable-key-management-server-kms
@Itxaka Itxaka added enhancement New feature or request triage Add this label to issues that should be triaged and prioretized in the next planning call labels Nov 8, 2024
@mudler mudler changed the title spike: check boot attestation/tpm unlocking for non-uki KMS scenarios spike: check boot attestation/tpm unlocking for uki KMS scenarios Nov 8, 2024
@mudler
Copy link
Member

mudler commented Nov 8, 2024

Seems we basically had this around already: #2166

@mudler mudler mentioned this issue Nov 8, 2024
Closed
@mudler mudler added the uki label Nov 8, 2024
@mudler mudler mentioned this issue Nov 8, 2024
Open
29 tasks
@mudler mudler changed the title spike: check boot attestation/tpm unlocking for uki KMS scenarios spike: UKI Remote boot attestation with KMS Nov 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request triage Add this label to issues that should be triaged and prioretized in the next planning call uki
Projects
🧙Issue tracking board
Status: Todo 🖊
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Itxaka @mudler