Thore Sommer THS-on

Push Model for Keylime

Issue

Keylime currently operates on a pull basis which means that the tenant or verifier connect to the agent to collect attestation data. Therefore they need to know the IP and Port to connect to beforehand and this currently cannot change during attestation. This works fine in most virtualized environments where all the devices are in the same network, but not for edge devices or in BYOD contexts. There are workarounds using VPNs/overlay networking using OpenVPN, ZeroTier, Nebula etc. but none of them provide an ideal solution.

Actions that require connections to the agent

Identity quote: The purpose of the identity quote is to prove to the tenant that the NK (also called transport key) belongs to the same TPM as the agent. The NK is used for encrypting the U and V key during transport and is the also the key of mTLS certificate of the agent. The tenant uses this feature. This is also done to ensure that the agent behind that IP is still the same that registered by val

Non atomic Quotes for attestation

Issue

A TPM contains multiple PCRs and can generate a signed quote over the concatenated hash of a selection of PCRs. The quote itself does not contain the values of the PCRs. If you want to have matching quote and PCR values most implementations (also Keylime) do the following trick:

Read PCR values (8 at the time)
Generate quote
Read PCR values (8 at the time)
Check if the PCR values from step 1. and 3. match, if not start with 1.

lernstickWelcome

HOWTO import this project into Netbeans

The best way to build lernstickWelcome is on the Lernstick itself, because all dependencies are already installed.

Install Netbeans on Lernstick

Go into the Welcome program and install Netbeans.

	use std::str::FromStr;

	pub use tss_esapi::Error;
	use tss_esapi::{
	attributes::ObjectAttributesBuilder,
	handles::PcrHandle,
	interface_types::{
	algorithm::{PublicAlgorithm, SymmetricMode},
	ecc::EccCurve,
	key_bits::AesKeyBits,

	#!/usr/bin/wpexec

	local mic_name = "alsa_input.usb-C-Media_Electronics_Inc._USB_Audio_Device-00.mono-fallback"
	local filter_name = "rnnoise_source"

	local link_props = {
	["link.output.port"] = nil,
	["link.input.port"] = nil,
	["link.output.node"] = nil,
	["link.input.node"] = nil

	# This enables to-to-click and disables naturalscrolling in Mate, LXDE, XFCE and Enlightment
	Section "InputClass"
	Identifier "libinput touchpad catchall"
	MatchIsTouchpad "on"
	MatchDevicePath "/dev/input/event*"
	Driver "libinput"
	Option "Tapping" "on"
	Option "NaturalScrolling" "false"
	EndSection

	[Desktop Entry]
	Version=1.0
	Name= Firefox Privat
	Exec=/usr/lib/firefox/firefox --private-window %u
	Icon=firefox
	Terminal=false
	Type=Application

	# Please copy to /home/user/.config/lxpanel/LXDE/panels/panel
	# lxpanel <profile> config file. Manually editing is not recommended.
	# Use preference dialog in lxpanel to adjust config when you can.

	Global {
	edge=bottom
	allign=left
	margin=0
	widthtype=percent
	width=100



	fsview & export PID=$(echo $!) && xdotool windowsize $(xdotool search --sync --pid $PID \| tail -1) 100% 100%

	#!/bin/sh
	# Created by THS
	# Support for LXDE, Mate, Gnome, Cinnamon and XFCE
	# Uses https://github.com/horst3180/arc-theme and https://github.com/dglava/arc-openbox

	# Install arc-theme will be replaced in Debian 9
	echo "Install Arc Theme"
	echo 'deb http://download.opensuse.org/repositories/home:/Horst3180/Debian_8.0/ /' \| sudo tee /etc/apt/sources.list.d/arc-theme.list
	wget http://download.opensuse.org/repositories/home:Horst3180/Debian_8.0/Release.key
	sudo apt-key add - < Release.key

Thore Sommer THS-on

Push Model for Keylime

Issue

Actions that require connections to the agent

Non atomic Quotes for attestation

Issue

lernstickWelcome

HOWTO import this project into Netbeans

Install Netbeans on Lernstick

Import lernstickWelcome into Netbeans