Re: Security Working Group meeting - Wednesday August 31 - results

From: Joseph Reynolds <jrey@linux.ibm.com>
To: Patrick Williams <patrick@stwcx.xyz>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - Wednesday August 31 - results
Date: Mon, 5 Sep 2022 13:56:39 -0500	[thread overview]
Message-ID: <5723faf6-66c3-1793-699d-ffbf61bf3268@linux.ibm.com> (raw)
In-Reply-To: <YxCWpNZ+O89B+ulA@heinlein.stwcx.org.github.beta.tailscale.net>

On 9/1/22 6:25 AM, Patrick Williams wrote:
> On Wed, Aug 31, 2022 at 01:09:10PM -0500, Joseph Reynolds wrote:
>
>> DISCUSSION: Create two separate designs for:
>>      Enable Keylime Agent.  Direction is for the keylime agent to open
>>      the BMC network port (using systemd, sort of like how SSH works).
>>      The intention is to engage with Redfish for how to configure the
>>      Keylime Agent: certificates, start/stop the application, etc.
> I guess you said someone is working on a design for this.  The Keylime
> website seems light on details to me, but I'm having trouble
> conceptualizing how it is applicable to the BMC.  It seems more like it
> is geared towards a self-selecting cluster of services (which reject
> peers they don't trust).  Keylime does have the unfortunate aspect of being
> written entirely in Python, which makes it very difficult for us to support
> on any of the NOR-based systems (all of them except IBM's latest).

Yes, an IBM group is working this design.  The design we discussed in 
the security working group meeting has two parts, which I barely 
comprehend.  The parts are:
1. Code running on the BMC will "extend measurements" to a trusted 
platform module (TPM).  Two separate pieces of code are in U-Boot and in 
the Kernel.  The "measurements" are the readonly code image being loaded 
and run.
2. Code running on the BMC (the Keylime "Agent") will query the TPM and 
offer the results to whoever asks.

In my limited comprehension, the end-to-end flow is:
1. The BMC boots up and extends measurements into its TPM.
2. the BMC admin configures the BMC's Keylime Agent.  That is, starts 
the "Keylime Agent service", and provisions certificates, etc.
3. A network agent (a "Keylime Verifier") contacts the BMC's Keylime 
Agent and asks for the measurements.  The Agent that queries the TPM and 
provides the measurements.

Redfish has specs for getting server TPM measurements, but does not have 
any specs for getting BMC TPM measurements.
Because of this, the group doing the work is proposing for the BMC's 
Keylime Agent service to open a separate port, and to not use Redfish to 
get the actual measurements.  In support of this view: there are Keylime 
verifiers already available to use this new port, but there are no 
Keylime verifiers to use Redfish.

It should be clear from the paragraphs above that the intended use case 
is for a client server model, not a network of peers.  The Keylime 
Verifier client running on the BMC's management network contacts the 
Keylime Agent running on the BMC.  The mutual-TLS method is used for 
authentication.

Keylime is written in Python.  I think the the idea was to either port 
that version, or to use the new implementation in Rust.  We did not 
discuss any difficulties in image size increase due to Python or in 
getting the Rust language environment ported to bitbake.

Joseph

> Are we also planning on providing attestation information over Redfish?
>