GitHub - bloomberg/spire-tpm-plugin: Provides agent and server plugins for SPIRE...
source link: https://github.com/bloomberg/spire-tpm-plugin
SPIRE TPM Plugin
This repository contains agent and server plugins for SPIRE to allow TPM 2-based node attestation.
Here's a quick demo that shows how this plugin looks when run (the demo recording is embedded in the original README and is not reproduced here).
Quick Start
Before starting, create a running SPIRE deployment and add the following configuration to the agent and server:
Agent Configuration
NodeAttestor "tpm" {
    plugin_cmd = "/path/to/plugin_cmd"
    plugin_checksum = "sha256 of the plugin binary"
    plugin_data {
    }
}
Server Configuration
NodeAttestor "tpm" {
    plugin_cmd = "/path/to/plugin_cmd"
    plugin_checksum = "sha256 of the plugin binary"
    plugin_data {
        ca_path = "/opt/spire/.data/certs"
    }
}

key      type    required  description                   default
ca_path  string            the path to the CA directory  /opt/spire/.data/certs
Certificate Directory Configuration
For this plugin to work, you need to have the certificate of the CA that signed your TPM's EK certificate. Drop all CA certs in the directory ca_path.
How it Works
The plugin uses TPM credential activation as the method of attestation. The plugin operates as follows:
- Agent generates an AK (attestation key) using the TPM
- Agent sends the AK attestation parameters and the EK certificate to the server
- Server inspects the EK certificate and checks whether it is signed by any chain in the directory specified by ca_path
- If the EK certificate is signed by one of the CAs, the server generates a credential activation challenge using
  - the EK public key
  - the AK attestation parameters
- Server sends the challenge to the agent
- Agent decrypts the challenge's secret
- Agent sends back the decrypted secret
- Server verifies that the decrypted secret is the same one it used to build the challenge
- Server creates a SPIFFE ID in the form spiffe://<trust_domain>/agent/tpm/<sha256sum_of_tpm_pubkey>
- All done!
For info on how TPM attestation usually works and how this implementation differs, visit TPM.md.
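The server-side part of this flow (the EK chain check against ca_path, then deriving the SPIFFE ID) as an added Go example; this is not the plugin's own code. It assumes the hashed "tpm_pubkey" is the EK's SubjectPublicKeyInfo DER, and replaces ca_path and the TPM with a constructed self-signed EK CA and an EK certificate it issued:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// attestEK is the server-side check from the steps above: parse the agent's EK
// certificate, require that it chains to a CA from ca_path, and derive the ID
// spiffe://<trust_domain>/agent/tpm/<sha256sum_of_tpm_pubkey>. Assumption: the hash is over the EK's SubjectPublicKeyInfo DER.
func attestEK(ekDER []byte, roots *x509.CertPool, trustDomain string) (string, error) {
	ek, err := x509.ParseCertificate(ekDER)
	if err != nil {
		return "", fmt.Errorf("parse EK cert: %w", err)
	}
	// EK certs are not TLS server certs, so do not demand the serverAuth EKU.
	if _, err := ek.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("EK cert not signed by a CA in ca_path: %w", err)
	}
	return fmt.Sprintf("spiffe://%s/agent/tpm/%x", trustDomain, sha256.Sum256(ek.RawSubjectPublicKeyInfo)), nil
}

// fixture is a constructed stand-in for ca_path and a TPM: a self-signed EK CA,
// an EK certificate it issued, and an empty pool standing in for an unrelated ca_path.
func fixture() (ekDER []byte, trusted, empty *x509.CertPool) {
	cert := func(pub ed25519.PublicKey, signer ed25519.PrivateKey, parent *x509.Certificate, ca bool) []byte {
		t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca, BasicConstraintsValid: true,
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign}
		if parent == nil {
			parent = t // self-signed root
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		return der
	}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // ed25519 keeps the fixture short; real EKs are RSA or ECC
	ekPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caCert, _ := x509.ParseCertificate(cert(caPub, caKey, nil, true))
	trusted, empty = x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(caCert)
	return cert(ekPub, caKey, caCert, false), trusted, empty
}
```

Calling attestEK with a pool that lacks the issuing CA must fail before any credential activation challenge is built; that is the gate the ca_path directory provides.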
Building
To build this plugin on Linux, run make build. Because of the dependency on go-attestation, you must have libtspi-dev installed.
Contributions
We welcome contributions.
Have you had a good experience with this project? Why not share some love and contribute code, or just let us know about any issues you had with it?
We welcome issue reports here; be sure to choose the proper issue template for your issue, so that we can be sure you're providing the necessary information.
Before sending a Pull Request, please make sure you read our Contribution Guidelines.
License
Please read the LICENSE file.
Code of Conduct
This project has adopted a Code of Conduct. If you have any concerns about the Code, or behavior which you have experienced in the project, please contact us at [email protected].
Security Vulnerability Reporting
If you believe you have identified a security vulnerability in this project, please send email to the project team at [email protected], detailing the suspected issue and any methods you've found to reproduce it.
Please do NOT open an issue in the GitHub repository, as we'd prefer to keep vulnerability reports private until we've had an opportunity to review and address them.