Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect IDevID/IAK template from certificates #689

Merged
merged 1 commit into from
Jan 15, 2024
Merged

Detect IDevID/IAK template from certificates #689

merged 1 commit into from
Jan 15, 2024

Conversation

Isaac-Matthews
Copy link
Contributor

This adds the requested auto-detect functionality for the agent. The new default setting for the IDevID and IAK templates will be detect, and with that set the agent will detect what template has been used from the imported certificates. This can still be overridden by users that want to specify the template or algorithm but likely should be left as default for the majority of users.

The certs are now imported first, and the key regeneration is delayed until after, with the key comparison against the certs performed during key regeneration.

@Isaac-Matthews Isaac-Matthews mentioned this pull request Dec 4, 2023
Merged
@Isaac-Matthews
Copy link
Contributor Author

/packit retest-failed

@ansasaki ansasaki added the configuration Involves changes to configuration file format label Dec 14, 2023
stefanberger
stefanberger reviewed Jan 3, 2024
View reviewed changes
keylime-agent.conf Outdated
@@ -228,19 +228,21 @@ tpm_signing_alg = "rsassa"
ek_handle = "generate"

# Enable IDevID and IAK usage and set their algorithms.
# Choosing a template will override the name and asymmetric algorithm choices.
# By default the template will be detected automatically from the certificates. This will happen in iak_idevid_template is left empty or set as "default" or "detect".
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in -> if

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, fixed

@stefanberger
Copy link
Contributor

Works with "detect" now. Very cool!

@ansasaki
Copy link
Contributor

@Isaac-Matthews Thank you for implementing this! Could you please rebase?

@Isaac-Matthews
Copy link
Contributor Author

@Isaac-Matthews Thank you for implementing this! Could you please rebase?

No problem. Done!

@codecov Codecov
Copy link

codecov bot commented Jan 11, 2024

Codecov Report

Attention: 15 lines in your changes are missing coverage. Please review.

Comparison is base (10a3e32) 66.51% compared to head (96725bc) 66.39%.

Additional details and impacted files
Flag Coverage Δ
e2e-testsuite 60.11% <42.30%> (-0.10%) ⬇️
upstream-unit-tests 53.59% <0.00%> (-0.43%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
keylime-agent/src/main.rs 63.06% <ø> (ø)
keylime/src/tpm.rs 76.20% <75.00%> (-0.01%) ⬇️
keylime-agent/src/crypto.rs 77.93% <36.36%> (-2.73%) ⬇️

@ansasaki ansasaki merged commit c649ae0 into keylime:master Jan 15, 2024
10 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ansasaki ansasaki ansasaki approved these changes

@stefanberger stefanberger stefanberger approved these changes

@aplanas aplanas Awaiting requested review from aplanas

@ueno ueno Awaiting requested review from ueno

Assignees

@ueno ueno

@aplanas aplanas

Labels
configuration Involves changes to configuration file format
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Isaac-Matthews @stefanberger @ansasaki @ueno @aplanas