Introduce documentation on trusted payloads #41
Conversation
I reviewed the documentation mainly from a spelling point of view.
This is my consolidated feedback. Let me know if it makes sense.
Many thanks @fduthilleul
I am going to update this to instead show local_revocations on a different node running an agent, rather than onto the node itself that has failed. Starting to understand the design better now, so that would be much more useful for the end user to learn about.
@fduthilleul @jetwhiz @jetwhiz review recommendations included in 98fb9ee
This change includes a section on the setup and execution of trusted payloads using the Keylime Tenant.
docs/user_guide/secure_payloads.rst (outdated)
    Secure payloads offer the ability to securely provision secrets to an enrolled node.

    The payload itself is sent via the Keylime Tenant to the verifier and only when a node
I think this still needs correction -- the verifier never receives the payload. The payload is always sent directly from the tenant to the node/agent. The verifier's job is to send its key half (the v_key) to the node when the node passed its enrollment criteria.
Maybe word this to say:
The encrypted payload itself is sent via the Keylime Tenant to the target node's Agent, along with the Tenant's u_key half. Only when a node has passed its enrollment criteria (including any tpm_policy or IMA whitelist) will the Verifier send its v_key half to the Agent so that it can decrypt the payload.
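The two-half key release the reviewer describes above, as an added Python sketch that is not Keylime's own code: the tenant generates a bootstrap key K, splits it so that K = u_key XOR v_key, hands u_key plus the encrypted payload to the agent and v_key to the verifier, and the verifier releases v_key only once tpm_policy and IMA checks pass. The Verifier and Agent classes, the boolean policy inputs and the SHA-256 keystream cipher are assumptions for illustration (Keylime uses a real AEAD, not this toy cipher).

```python
import hashlib
import secrets


def split_key(k: bytes) -> tuple[bytes, bytes]:
    """Split K into u_key and v_key with K = u_key XOR v_key; neither half alone reveals K."""
    u_key = secrets.token_bytes(len(k))
    v_key = bytes(a ^ b for a, b in zip(k, u_key))
    return u_key, v_key


def combine(u_key: bytes, v_key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(u_key, v_key))


def toy_xor_cipher(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher (SHA-256 counter keystream); encrypt and decrypt are the same op."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Verifier:
    """Hypothetical verifier: holds v_key and releases it only when attestation passes policy."""
    def __init__(self, v_key: bytes):
        self.v_key = v_key

    def release_v_key(self, tpm_policy_ok: bool, ima_ok: bool):
        return self.v_key if (tpm_policy_ok and ima_ok) else None


class Agent:
    """Hypothetical agent: gets u_key and ciphertext from the tenant, cannot decrypt until v_key arrives."""
    def __init__(self, u_key: bytes, ciphertext: bytes):
        self.u_key, self.ciphertext = u_key, ciphertext

    def on_v_key(self, v_key):
        if v_key is None:
            return None  # attestation failed: the payload stays sealed on the node
        return toy_xor_cipher(combine(self.u_key, v_key), self.ciphertext)


def provision(payload: bytes, tpm_policy_ok: bool, ima_ok: bool):
    """Tenant side: make K, split it, send (u_key, ciphertext) to the agent and v_key to the verifier."""
    k = secrets.token_bytes(32)
    u_key, v_key = split_key(k)
    agent = Agent(u_key, toy_xor_cipher(k, payload))
    verifier = Verifier(v_key)
    return agent.on_v_key(verifier.release_v_key(tpm_policy_ok, ima_ok))
```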
docs/user_guide/secure_payloads.rst (outdated)
    * The tenant will generate a new CA (if one hasn't been generated yet) and then generate a new cert/key combo for the agent to be bootstrapped
    * The tenant will include the payload files with the `--include` option
    * Tenant and verifier will bootstrap the agent and derive a key as normal
    * Once the bootstrap key has been derived and tpm_policy and IMA verification has passed, Keylime will decrypt and extract the zipped payload that includes both the cert/key and files situated in the payload folder.
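Review bot: the third bullet's "derive a key as normal" omits the fact the fourth bullet depends on: the bootstrap key is assembled from two halves, the tenant's u_key delivered to the agent together with the encrypted payload and the verifier's v_key released only after the tpm_policy and IMA checks pass. Spelling that out here would explain why the decryption in the fourth bullet cannot happen before verification succeeds.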
Should we specify that the node's "Keylime agent" is decrypting and extracting the zipped payload (instead of just generically "Keylime") to make this more explicit?
That is, say "the Keylime agent will decrypt and extract the zipped payload ..."
docs/user_guide/secure_payloads.rst (outdated)
    Send the files using the Keylime Tenant

    ```
    keylime_tenant -t <agent-ip> --cert myca --include payload
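Review bot: the triple-backtick fence will not render as a code block in an .rst file, since docutils and Sphinx have no fenced-code syntax; replace it with a `.. code-block:: bash` directive (or end the preceding sentence with `::` for a literal block) and indent the keylime_tenant line beneath it.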
Maybe we should change myca to just the default location (/var/lib/keylime/ca) to avoid confusion here?
I made a new commit 9588e9d with a rewrite made by @nabilschear - his PR landed in my local repo as the original had merged. Please review as a fresh read.