Secure payload documentation #53
Conversation
docs/user_guide/secure_payloads.rst
Outdated
| this like a very simple form of `cloud-init <https://cloudinit.readthedocs.io/>`_. | ||
| By default this script is called `autorun.sh`. You can configure this to some | ||
| other script with the `payload_script` option in `keylime.conf`. Note that this | ||
| script must be contained in the encrypted zip file and must be located in |
There was a problem hiding this comment.
Saying the script "must be located in" seems to imply that I need to somehow put the script there. Instead maybe say keylime will extract the script into that location on unzip.
There was a problem hiding this comment.
Good point, changing the wording to be more helpful.
docs/user_guide/secure_payloads.rst
Outdated
| This mode of Keylime automates many common actions that tenants will want to do | ||
| when provisioning their Agents. First, Keylime can create an X509 certificate | ||
| authority (CA) and then issue certificates and corresponding private keys to each | ||
| provisioned node. This CA lives on the tenant and can be used to bootstrap many |
There was a problem hiding this comment.
In this case, what does "tenant" mean? Is it where the verifier and registrar run (which can be on separate nodes)? Or where the tenant commands are issued from? Or is this defined better somewhere else?
There was a problem hiding this comment.
This is a good question. I'm not sure. I understand "tenant" here to be the machine from which the tenant issues their commands, although the machine which hosts the Keylime Registrar would make more sense, considering Keylime's architecture. @jetwhiz or @lukehinds, can you weigh in?
There was a problem hiding this comment.
I understand "tenant" here to be the machine from which the tenant issues their commands
I believe this is correct. I guess I was just asking that the document make that explicitly clear. Maybe language like "This CA lives on the same host where the tenant commands are issued and ..."
|
|
||
| Revocation actions are small Python scripts that will run on an Agent when a valid | ||
| revocation is received. They should contain an `execute` function that takes | ||
| one argument. This argument is a Python dictionary of metadata that can be used |
There was a problem hiding this comment.
It would be nice to have this Python dictionary documented somewhere. When I was working on revocation actions I had to first create a dummy action that just dumped the contents of the dict so I could figure out how to use it.
There was a problem hiding this comment.
Absolutely, tough this sounds like something a bit out of scope for this document / PR.
I think we should create an issue to track this.
There was a problem hiding this comment.
I think it should actually live in this documented (unless there's a better place for it that I'm unaware of). But it doesn't have to be part of this current PR and can just be a future improvement.
There was a problem hiding this comment.
Tracking this in #54. Let's keep the conversation going there.
|
Sorry I took so long to review. Not sure whey this slipped through the cracks |
axelsimon
force-pushed
the
secure_payloads
branch
from
536dd28 to
f259c02
Compare
|
I've addressed most of your remarks @mpeters, thanks! |
docs/user_guide/secure_payloads.rst
Outdated
| This mode of Keylime automates many common actions that tenants will want to do | ||
| when provisioning their Agents. First, Keylime can create an X509 certificate | ||
| authority (CA) and then issue certificates and corresponding private keys to each | ||
| provisioned node. This CA lives on the tenant and can be used to bootstrap many |
There was a problem hiding this comment.
I understand "tenant" here to be the machine from which the tenant issues their commands
I believe this is correct. I guess I was just asking that the document make that explicitly clear. Maybe language like "This CA lives on the same host where the tenant commands are issued and ..."
axelsimon
force-pushed
the
secure_payloads
branch
from
f259c02 to
dbc6c8a
Compare
|
Right, just made one last push to improve the language surrounding the use of |
| take when provisioning their Agents. First, Keylime can create an X509 | ||
| certificate authority (CA) using `keylime_ca -d listen` and then issue | ||
| certificates and the corresponding private keys to each provisioned node. This | ||
| CA lives on the same host where the tenant issues the `keylime_ca` command and | ||
| can be used to bootstrap many other security solutions like mutual TLS or SSH. |
There was a problem hiding this comment.
Just to make sure, this is correct @lukehinds / @nabilschear ?
This is a new version of #41, based on Luke and Nabil's work.
I cleaned up the document a bit, improved some of the language and checked it for consistency.
It doesn't address @jetwhiz comment as i wasn't sure either way.
Other than that, it should be ready to go. Reviews appreciated 🙂