- Release Signoff Checklist
- Summary
- Motivation
- Proposal
- Design Details
- Drawbacks
- Alternatives
- Infrastructure Needed (optional)
## Release Signoff Checklist

- Enhancement issue in release milestone, which links to pull request in [keylime/enhancements]
- Core members have approved the issue with the label `implementable`
- Design details are appropriately documented
- Test plan is in place
- User-facing documentation has been created in [keylime/keylime-docs]
## Summary

This document proposes that an agent is added to the verifier only after the initial identity quote it provides to the tenant has been successfully verified.
Currently, the tenant first adds the agent to the verifier and then handles the provided initial quote, so untrusted agents end up in the verifier database.
## Motivation

This behavior resulted in the following reported issue:
A related issue which could be mitigated by this enhancement:

### Goals

- Only trusted agents are added to the verifier database.
- Make the operational states indicate whether the agent is trusted.
## Proposal

The tenant must request the initial identity quote from the agent and verify it before adding the agent to the verifier database.

- The user requests the tenant to add an agent
- The tenant requests the initial identity quote from the agent
- The tenant verifies the provided initial quote
- Only if the initial quote is successfully verified does the tenant proceed and add the agent to the verifier
The enhancement proposed in this document changes the current behavior: an agent is not added to the verifier unless the initial quote it provides is verified. If the current behavior is preferred, this enhancement proposal should be rejected.
If the Keylime tenant is upgraded in an existing deployment whose verifier database already contains untrusted agents that have not yet provided an initial identity quote, it is possible that the initial identity quote is never requested from these agents.
## Design Details

The main modification would be changing the order of the operations executed by the tenant: swapping the `do_cv()` and `do_quote()` calls and fixing any dependencies `do_quote()` has on `do_cv()` (e.g. removing the agent from the verifier in case of failure).
It may be required to change the order of the operational states `REGISTERED` and `GET_QUOTE`, or to change the semantics of the states `START` and `REGISTERED`.
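The following model shows the effect of the reorder described in the Proposal steps and in the design change above. It is an added illustration, not Keylime's tenant or verifier code: `VerifierDB`, `do_cv()`, `do_quote()`, `verify_quote()`, the `quote_verified` flag and the `interrupt_after_first_step` switch are hypothetical stand-ins for the real tenant/verifier interaction and for the operational states, and the expected quote value is a constructed sample. The point it makes is the one in the Summary: with the current order a failed or interrupted `do_quote()` can leave an untrusted agent in the database, while with the proposed order nothing is written until the quote verifies. The `agents_pending_quote()` helper is the kind of check the upgrade caveat asks for before deploying the new tenant.

```python
"""Model of the tenant's add-agent flow in the current and proposed order.

Added illustration, not Keylime's tenant code: VerifierDB, do_cv(), do_quote(),
verify_quote() and the 'quote_verified' flag are hypothetical stand-ins for the
real tenant/verifier interaction and for the operational states.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed sample value standing in for the quote the tenant expects.
EXPECTED_QUOTE = hashlib.sha256(b"constructed-good-agent-identity").hexdigest()


class QuoteError(Exception):
    """The initial identity quote did not verify."""


@dataclass
class VerifierDB:
    """Hypothetical verifier database: agent id -> record with its trust state."""
    agents: dict = field(default_factory=dict)


def verify_quote(quote: str) -> bool:
    """Toy check: accept only the expected value (stands in for TPM quote validation)."""
    return hmac.compare_digest(quote, EXPECTED_QUOTE)


def do_cv(db: VerifierDB, agent_id: str, quote_verified: bool) -> None:
    """Add the agent to the verifier database, recording whether its quote was verified."""
    db.agents[agent_id] = {"quote_verified": quote_verified}


def do_quote(agent_id: str, quote: str) -> None:
    """Request and verify the initial identity quote; raise if it does not verify."""
    if not verify_quote(quote):
        raise QuoteError(f"initial quote from {agent_id} failed verification")


def add_agent_current(db: VerifierDB, agent_id: str, quote: str,
                      interrupt_after_first_step: bool = False) -> bool:
    """Current order: do_cv() then do_quote().

    The agent is in the database before its quote is checked, so do_quote()
    has to undo the add on failure. If the tenant stops after the first step
    (simulated by interrupt_after_first_step), the untrusted agent stays behind.
    """
    do_cv(db, agent_id, quote_verified=False)
    if interrupt_after_first_step:
        return False
    try:
        do_quote(agent_id, quote)
    except QuoteError:
        db.agents.pop(agent_id, None)  # dependency on do_cv(): remove the agent again
        return False
    db.agents[agent_id]["quote_verified"] = True
    return True


def add_agent_proposed(db: VerifierDB, agent_id: str, quote: str,
                       interrupt_after_first_step: bool = False) -> bool:
    """Proposed order: do_quote() then do_cv().

    Nothing is written to the database until the quote verifies, so neither a
    failed quote nor an interruption can leave an untrusted agent in it.
    """
    try:
        do_quote(agent_id, quote)
    except QuoteError:
        return False
    if interrupt_after_first_step:
        return False
    do_cv(db, agent_id, quote_verified=True)
    return True


def agents_pending_quote(db: VerifierDB) -> list:
    """Pre-upgrade check: agents already in the database whose quote was never verified."""
    return sorted(a for a, rec in db.agents.items() if not rec["quote_verified"])


if __name__ == "__main__":
    db = VerifierDB()
    add_agent_current(db, "agent-a", EXPECTED_QUOTE)
    add_agent_current(db, "agent-b", "bogus", interrupt_after_first_step=True)
    add_agent_proposed(db, "agent-c", "bogus", interrupt_after_first_step=True)
    print("agents needing a quote before upgrade:", agents_pending_quote(db))
```

Running the block lists `agent-b` as the only agent left in the database without a verified quote: it was added by the current order and never quoted, which is exactly the population the upgrade note says must be checked before the new tenant is rolled out.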
If the upgrade happens after an untrusted agent has been added to the database but before it provides the initial identity quote, it is possible that the initial identity quote is never requested from that agent.
For this reason, the upgrade should not be done before checking the state of all agents already added to the verifier.
There is no risk for new deployments where the verifier database does not contain any agent.
- There are no new required dependencies.
## Drawbacks

- There are no known drawbacks.

## Alternatives

- Keep the current behavior, accepting that untrusted agents are added to the verifier database.

## Infrastructure Needed (optional)

No infrastructure change needed.