Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not fail if EK cert is not present in TPM NV #214

Merged
merged 1 commit into from
Jul 9, 2021
Merged

Do not fail if EK cert is not present in TPM NV #214

merged 1 commit into from
Jul 9, 2021

Conversation

ueno
Copy link
Contributor

@ueno ueno commented Jul 5, 2021

According to the spec (4.5.2), it is not mandatory that an EK
certificate is pre-provisioned in NVRAM; actually some TPM chips do
not have it, e.g., AMD fTPM, and the Python registrar tolerates
"ekcert: null".

Signed-off-by: Daiki Ueno [email protected]

@lukehinds
Copy link
Member

tagging @puiterwijk

@ueno ueno force-pushed the wip/dueno/ekcert branch 2 times, most recently from 3014b52 to ce5bd73 Compare July 6, 2021 08:35
puiterwijk
puiterwijk approved these changes Jul 9, 2021
View reviewed changes
Copy link
Member

@puiterwijk puiterwijk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much for this patch!

src/registrar_agent.rs
@@ -40,11 +53,8 @@ fn is_empty(buf: &[u8]) -> bool {

#[derive(Debug, Serialize, Deserialize)]
struct Register<'a> {
#[serde(
serialize_with = "serialize_as_base64",
skip_serializing_if = "is_empty"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hah, right. I thought I had made the code check whether ekcert is in the json, but instead I made it assume that that's there and just check if that's json null.
Thanks for finding and fixing that!

@puiterwijk
Copy link
Member

@ueno could you rebase it? Then me or anyone else with write access can merge this!

@ueno ueno force-pushed the wip/dueno/ekcert branch from ce5bd73 to a8a011e Compare July 9, 2021 07:49
@ueno
Copy link
Contributor Author

ueno commented Jul 9, 2021

Thank you for the review; rebased.

@ueno ueno force-pushed the wip/dueno/ekcert branch from a8a011e to 3a85ced Compare July 9, 2021 13:04
@ueno
Do not fail if EK cert is not present in TPM NV
77bb9aa 
According to the spec (4.5.2), it is not mandatory that an EK
certificate is pre-provisioned in NVRAM; actually some TPM chips do
not have it, e.g., AMD fTPM, and the Python registrar tolerates
"ekcert: null".

Signed-off-by: Daiki Ueno <[email protected]>
@ueno ueno force-pushed the wip/dueno/ekcert branch from 3a85ced to 77bb9aa Compare July 9, 2021 17:29
@lkatalin lkatalin merged commit 0b16e81 into keylime:master Jul 9, 2021
@ueno ueno mentioned this pull request Jun 2, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@puiterwijk puiterwijk puiterwijk approved these changes

@lukehinds lukehinds Awaiting requested review from lukehinds

@ashcrow ashcrow Awaiting requested review from ashcrow

Assignees

@ashcrow ashcrow

@lukehinds lukehinds

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ueno @lukehinds @puiterwijk @ashcrow @lkatalin