Meeting 23/04/2025

[ansasaki]

Attendees

• @ansasaki
• @aplanas
• @deeglaze
• @edwards-n
• @ematery
• @galmasi
• @husky-parul
• @Isaac-Matthews
• @kkaarreell
• @maugustosilva
• @mayaCostantini
• @marcostork
• @mdrocco
• @mbestavros
• @mheese
• @mruffin
• @mpeters
• Niteesh Dubey
• @ruocco
• @stringlytyped
• @stefanberger
• @THS-on
• @tpletcher-hpe
• @tylerfanelli
• @ueno
• @sarroutbi
• @sergio-correia
• @gnurugs
• Shiva Dasari
• Christian Schilling

Time: 23/04/2025 15:00 UTC (https://www.timeanddate.com/worldclock/fixedtime.html?msg=Keylime+Meeting&iso=20250423T15)

Google Meet joining info
Video call link: https://meet.google.com/nos-bkdi-cnn
Or dial: ‪(DE) +49 30 300195060‬ PIN: ‪607 390 654 8381‬#
More phone numbers: https://tel.meet/nos-bkdi-cnn?pin=6073906548381
Or join via SIP: sip:6073906548381@gmeet.redhat.com

Topics

• Call for action: let's improve Keylime documentation
  • Please, answer this survey if possible: https://docs.google.com/forms/d/e/1FAIpQLScFUaddubxu8tyzIP4cNRWlN_w6EOrZfjmzagonrw9EiHQdVw/viewform?usp=header
  • If you can contribute with documentation, tutorials, FAQs, scripts, or any other material that can be useful for newcomers, please submit a PR or reach the maintainers on slack!
• Push model updates
  • #keylime-push-attestation channel on CNCF Slack
  • Publicly accessible project: Agent-driven attestation
  • Most of the messages for the capabilities negotiation are defined and an initial prototype is implemented
• Mentorship project CMW, EAT in collaboration with Veraison
  • Veraison Mentorship: Harmonizing Open-Source Verifiers with RATS Standards veraison/.github#6
• Enhancements:
  • One shot attestation: Create enhancement #121 - Verification API enhancements#122
  • TEE Boot Attestation: TEE Boot Attestation proposal enhancements#108
  • Improvement around Transport Key (NK): enhancement-112: Improvements around the Transport Key (NK) enhancements#113
  • EK certificate chain support: Enhancement: Add EK Certificate Chain support enhancements#116
  • Multiple addresses for registrar and verifier in push model: Multiple Addresses for Server enhancements#119
• Open PRs:
  • EK certificate chain support:
    • Add support for EK Certificate Chain, resolves #1552 keylime#1668
    • The enhancement proposal was merged, but not the implementation (yet)
    • A rebase and fixes to pass linting are needed
  • Add agent-driven (push) attestation protocol: Add agent-driven (push) attestation protocol keylime#1693
  • Registrar hook for identity trust decisions: Add webhook for receiving and modifying registrar identity trust decisions keylime#1670
  • ECC support in agent: Enable different key sizes and curves for EK and AK rust-keylime#846
    • [ansasaki] I'm intentionally holding this while trying to solve dependency update (rust-tss-esapi) on Fedora
    • [ansasaki] I asked the Fedora maintainer to consider updating the package and unblock this
  • Threat model documentation: Docs: expand security/threat model page keylime#1704
  • Separate CA and logging configuration per component: Allow separate CA and logging configurations for components keylime#1715
  • Implement reject list in runtime policy: Add support for a reject list in runtime policy keylime#1545
  • Extend meta_data field in verifierdb: Extend meta_data field in verifierdb keylime#1750

[stringlytyped]

If we have time, I had a question for those who have been involved with the project for longer than I have:

When talking about KL with others, I am often asked what the benefit is of having the verifier and registrar as separate services. I'd like to have a good answer to give them and perhaps update the docs to address this.