Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Detect IDevID/IAK template from certificates #689

Merged
merged 1 commit into from
Jan 15, 2024

Conversation

Isaac-Matthews
Copy link
Contributor

This adds the requested auto-detect functionality for the agent. The new default setting for the IDevID and IAK templates will be detect, and with that set the agent will detect what template has been used from the imported certificates. This can still be overridden by users that want to specify the template or algorithm but likely should be left as default for the majority of users.

The certs are now imported first, and the key regeneration is delayed until after, with the key comparison against the certs performed during key regeneration.

@Isaac-Matthews
Copy link
Contributor Author

/packit retest-failed

@ansasaki ansasaki added the configuration Involves changes to configuration file format label Dec 14, 2023
@@ -228,19 +228,21 @@ tpm_signing_alg = "rsassa"
ek_handle = "generate"

# Enable IDevID and IAK usage and set their algorithms.
# Choosing a template will override the name and asymmetric algorithm choices.
# By default the template will be detected automatically from the certificates. This will happen in iak_idevid_template is left empty or set as "default" or "detect".
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in -> if

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, fixed

@Isaac-Matthews Isaac-Matthews force-pushed the detect_idevid_template branch from 0406adf to 1c20f8c Compare January 3, 2024 16:18
@stefanberger
Copy link
Contributor

Works with "detect" now. Very cool!

@ansasaki
Copy link
Contributor

@Isaac-Matthews Thank you for implementing this! Could you please rebase?

@Isaac-Matthews
Copy link
Contributor Author

@Isaac-Matthews Thank you for implementing this! Could you please rebase?

No problem. Done!

Copy link

codecov bot commented Jan 11, 2024

Codecov Report

Attention: 15 lines in your changes are missing coverage. Please review.

Comparison is base (10a3e32) 66.51% compared to head (96725bc) 66.39%.

Additional details and impacted files
Flag Coverage Δ
e2e-testsuite 60.11% <42.30%> (-0.10%) ⬇️
upstream-unit-tests 53.59% <0.00%> (-0.43%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
keylime-agent/src/main.rs 63.06% <ø> (ø)
keylime/src/tpm.rs 76.20% <75.00%> (-0.01%) ⬇️
keylime-agent/src/crypto.rs 77.93% <36.36%> (-2.73%) ⬇️

@ansasaki ansasaki merged commit c649ae0 into keylime:master Jan 15, 2024
10 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
configuration Involves changes to configuration file format
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants