peer-pods: pass policy hash via userdata #941

Draft, wants to merge 1 commit into base: main

burgerdev
Contributor

  1. Add some plumbing to forward the agent policy to the remote hypervisor.
  2. Add a policy-hash field to the agent config that's set via userdata.
  3. Measure the agent config into PCR10.
    • The daemon config contains a bunch of hard-to-predict network config, but we should double-check whether it could be an attack vector.
  4. Add hash-from-agent-config as an option in the hash-verification.

burgerdev added the "no changelog" label (PRs not listed in the release notes) on Oct 18, 2024
@@ -0,0 +1,116 @@
From 797a113c80c9fd3dfbd4d7b153d3de245c97044f Mon Sep 17 00:00:00 2001
From: Markus Rudy <[email protected]>
Contributor

Did you intentionally use a different e-mail address?

Contributor Author

Unintentional, that's my default and apparently I did not change it for CAA.

Comment on lines +91 to +95
- {path: cfg.paths.agentConfig, optional: false},
+ {path: cfg.paths.agentConfig, optional: false, pcrIndex: toPtr(10)},
{path: cfg.paths.daemonConfig, optional: false},
{path: cfg.paths.aaConfig, optional: true},
{path: cfg.paths.cdhConfig, optional: true},
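Review bot: on the agentConfig entry, `pcrIndex: toPtr(10)` hard-codes the PCR number as a bare literal; a named constant with a one-line comment on why this register was chosen would make the measurement target easier to review. In the same list, the daemonConfig, aaConfig and cdhConfig entries carry no pcrIndex, so going by these lines they are provisioned without being measured; a short comment on each entry stating why it is excluded would document that gap next to the code.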
Contributor

Have you considered measuring the other files as well?

Contributor Author

We're not using the three optional files (maybe we should even remove them), and the daemonConfig contains unpredictable network stuff (e.g. k8s node IP) - see PR description.
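Added example, not code from this PR or the project: a Go sketch that replays a PCR extend to derive a reference value. It shows why a predictable file such as the agent config with its policy-hash field can be verified, while a file with per-node content (the node IP mentioned in the thread) cannot share one reference. Assumptions: SHA-256 bank, register starting at zero, each file measured as the SHA-256 of its bytes with nothing else extended; the sample file contents and the `node-ip` key are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// extend is the TPM PCR extend operation for the SHA-256 bank:
// new = SHA256(old || digest).
func extend(pcr, digest [32]byte) [32]byte {
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// replayPCR returns the value a PCR holds after the given files are measured
// in order. Assumed: register starts at zero, each event digest is the
// SHA-256 of the file bytes, and nothing else is extended into it.
func replayPCR(files ...[]byte) [32]byte {
	var pcr [32]byte
	for _, f := range files {
		pcr = extend(pcr, sha256.Sum256(f))
	}
	return pcr
}

// matches compares a quoted PCR value against a reference in constant time.
func matches(quoted, reference [32]byte) bool {
	return subtle.ConstantTimeCompare(quoted[:], reference[:]) == 1
}

// Constructed sample inputs; the real file formats are not shown on the page.
func agentConfig(policyHash string) []byte {
	return []byte("policy-hash = \"" + policyHash + "\"\n")
}

func daemonConfig(nodeIP string) []byte { // "node-ip" is a hypothetical key
	return []byte("node-ip = \"" + nodeIP + "\"\n")
}

func main() {
	ref := replayPCR(agentConfig("aaaa")) // reference value the verifier expects
	fmt.Println("same policy hash:   ", matches(replayPCR(agentConfig("aaaa")), ref))
	fmt.Println("swapped policy hash:", matches(replayPCR(agentConfig("bbbb")), ref))
	// Measuring a file with per-node content gives every node its own value,
	// so no single reference can be published for it.
	n1 := replayPCR(agentConfig("aaaa"), daemonConfig("10.0.0.1"))
	n2 := replayPCR(agentConfig("aaaa"), daemonConfig("10.0.0.2"))
	fmt.Println("nodes agree:        ", matches(n1, n2))
}
```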
