Add tpm_ownerpassword option to keylime.conf #432
Conversation
|
Note that the generate option should be not implemented in the rust agent, because there is no reason to do that. |
|
See also #429 |
|
I see. I have updated it so it resides after the |
keylime.conf
Outdated
|
|
||
| # Use this option to state the existing TPM ownerpassword. This option should | ||
| # be set only when ek_handle option points to an existing EK. | ||
| tpm_ownerpassword = |
There was a problem hiding this comment.
As this option is optional, maybe we could comment it out rather than having an empty value?
There was a problem hiding this comment.
+1 , might even be worth removing entirely.
There was a problem hiding this comment.
I made it empty since I wasn't able to think some reasonable default.
I am not strictly opposed to it but it would be nice to keep some consistency within keylime.conf. There are e.g. agent_contact_ip and agent_contact_port options listed as optional and not commented out.
Strictly speaking, any option is optional since the default value is defined in the code.
There was a problem hiding this comment.
As this option is optional, maybe we could comment it out rather than having an empty value?
Could you please clarify under which circumstances the password is optional? What is the expected TPM setup?
Let's say I start with TPM after running tpm2_clear. What an administrator is supposed to do so that the rust agent would work properly?
There was a problem hiding this comment.
Please see #429. My understanding is the password would only be used if the Rust agent needs to use tpm2_changeauth to reset after another program takes TPM ownership. The Rust agent should generally work properly without taking any ownership or setting any passwords for the TPM.
There was a problem hiding this comment.
Would this be a case where the test should be updated, since this is functionality that was needed for the Python agent only? I could be missing something, but we were transitioning away from this. I can try to find out more as well.
There was a problem hiding this comment.
@THS-on commented above "Note that the generate option should be not implemented in the rust agent, because there is no reason to do that" - so do we need to do this?
There was a problem hiding this comment.
There was a problem hiding this comment.
@lkatalin About the other question, it is not about changing the test, but the python agent implementation itself. In my opinion, it should stop taking ownership of the TPM.
There was a problem hiding this comment.
@ansasaki I see, since we are not yet removing the Python agent completely, it is true that the Rust agent will in most cases need to conform to the existing tests. Re: generating the EK, I don't have an opinion on this but just want to make sure everyone agrees. Perhaps it can be a separate issue.
|
This fixes #433 |
|
What is the status on this one? |
|
@kkaarreell Could you rebase on the new keylime.conf changes? I am okay to merge this (if others are) when conflicts are resolved. |
The option has been introduced in keylime#426 but keylime.conf has not been updated with it. Signed-off-by: Karel Srot <[email protected]>
kkaarreell
force-pushed
the
tpm_password
branch
from
d2cecde to
adcadd3
Compare
|
@lkatalin Done. Thank you. |
The option has been introduced in
#426
but keylime.conf has not been updated with it.
Signed-off-by: Karel Srot [email protected]