peer-pods: pass policy hash via userdata #941
base: main
Conversation
burgerdev
commented
Oct 18, 2024
- Add some plumbing to forward the agent policy to the remote hypervisor
- Add a policy-hash field to the agent config that's set via userdata.
- Measure the agent config into PCR10.
- The daemon config contains a bunch of hard-to-predict network config, but we should double-check whether it could be an attack vector.
- Add hash-from-agent-config as an option in the hash-verification.
01f3c0c to aeacb19
aeacb19 to d6dd9c1
@@ -0,0 +1,116 @@ | |||
From 797a113c80c9fd3dfbd4d7b153d3de245c97044f Mon Sep 17 00:00:00 2001 | |||
From: Markus Rudy <[email protected]> |
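Review bot: the `From:` author line of this newly added 116-line patch file carries an e-mail address that differs from the one used elsewhere in this repository (the reviewer question below confirms it was unintentional); regenerate the patch with the intended identity before vendoring it, since the author line is the provenance record that later maintainers will rely on when rebasing or upstreaming the patch.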
Did you intentionally use a different e-mail address?
Unintentional, that's my default and apparently I did not change it for CAA.
- {path: cfg.paths.agentConfig, optional: false}, | ||
+ {path: cfg.paths.agentConfig, optional: false, pcrIndex: toPtr(10)}, | ||
{path: cfg.paths.daemonConfig, optional: false}, | ||
{path: cfg.paths.aaConfig, optional: true}, | ||
{path: cfg.paths.cdhConfig, optional: true}, |
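Review bot: only the `agentConfig` entry gains `pcrIndex: toPtr(10)` here, while `daemonConfig`, `aaConfig` and `cdhConfig` stay unmeasured; add a comment next to this list stating why each is excluded (the daemon config carries unpredictable network values per the PR description, and the three optional files are currently unused), so the measurement boundary is explicit in the code rather than only in the PR conversation, and consider dropping the unused optional entries if they are not going to be measured.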
Have you considered measuring the other files as well?
We're not using the three optional files (maybe we should even remove them), and the daemonConfig contains unpredictable network stuff (e.g. k8s node IP) - see PR description.