As discussed in the design meeting on August 1st, we want to update our process for attestation and use that to bootstrap secure communication with the cloud-init server.
Today, the TPM-Manager uses a pre-shared authorized SSH key to connect to the host and deposit a JWT that can be used with curl to download the payload needed for cloud-init. The orchestration of this connection is handled through Ansible.
Instead of depositing a JWT for authentication, we would like to explore other ways of handling the verifiable identity of a node using the cryptographic functions of the TPM. The remote attestation process described and implemented as part of the go-attestation library appears well suited to our needs.
We would like to adapt the tooling in this repository to harvest Public Enrollment Keys from the TPMs in nodes and store them for verification of attestation reports at each boot (or even more frequently).
Once this ticket is completed, we can proceed to using the attestation agent to establish a secure channel for passing cloud-init data.