Meeting 26/11/2025

[sarroutbi]

Keylime Community Meeting - November 26, 2025

Attendees

• @ansasaki
• @aplanas
• @deeglaze
• @edwards-n
• @ematery
• @galmasi
• @husky-parul
• @Isaac-Matthews
• @kkaarreell
• @maugustosilva
• @mayaCostantini
• @marcostork
• @mdrocco
• @mbestavros
• @mheese
• @mruffin
• @mpeters
• Niteesh Dubey
• @ruocco
• @stringlytyped
• @stefanberger
• @THS-on
• @tpletcher-hpe
• @tylerfanelli
• @ueno
• @sarroutbi
• @sergio-correia
• @gnurugs
• Shiva Dasari
• Christian Schilling

Time: 26/11/2025 16:00 UTC (https://www.timeanddate.com/worldclock/fixedtime.html?msg=Keylime+Meeting&iso=20251126T16)

Keylime Community Meeting
Wednesday, November 26 · 5:00 – 6:00pm
Time zone: Europe/Madrid
Google Meet joining info
Video call link: https://meet.google.com/ckn-povx-haz
Or dial: <202a>(ES) +34 955 25 63 98<202c> PIN: <202a>832 211 063<202c>#
More phone numbers: https://tel.meet/ckn-povx-haz?pin=2304316365525
Or join via SIP: sip:2304316365525@gmeet.redhat.com

Topics

• Current stable releases:

  • Keylime v7.13.0
  • Agent v0.2.8

• Push model updates and improvements

  • #keylime-push-attestation channel on CNCF Slack
  • Publicly accessible project: Agent-driven attestation
  • Recent improvements to PUSH mode stability and monitoring:
    • Event-driven PUSH mode agent monitoring implemented
    • Fixed PUSH mode agent recovery from timeout-induced failures
    • Improved attestation status tracking with new fields (attestation_status, attestation_period)
    • Enhanced operational_state handling for PUSH mode agents
    • HTTPS requirement enforced for authentication, registration and attestation endpoints

• Database and SQLAlchemy 2.0 migration

  • Work in progress on database race conditions and SQLAlchemy 2.0 compatibility
  • Fixes for Fedora 42 compatibility with PostgreSQL backend
  • Addressed connection pool management across process forks
  • Migration from deprecated SQLAlchemy 1.x API to 2.0 API
  • Python 3.13 compatibility improvements
  • Branch: include-new-attestation-information

• Rust agent updates

  • Authentication middleware integration improvements
  • Enhanced logging consistency and coherency
  • Payload key persistence to avoid attestation failure on restart
  • Improved RFC compliance for Location header and URI parsing
  • Fixed RSA2048 and ECC algorithm reporting
  • Separate keys for payload mechanism and mTLS
  • Docker improvements to include keylime_push_model_agent binary

• Keylime and Post-Quantum Cryptography

  • Planned enhancement proposal: support dual certification on all server components
    • This will allow deployments using different key types at the same time for TLS (e.g. RSA and ML-DSA)

• Mentorship project CMW, EAT in collaboration with Veraison

  • Veraison Mentorship: Harmonizing Open-Source Verifiers with RATS Standards veraison/.github#6

• Enhancements:

  • 123_verifier_evidence_types 123_verifier_evidence_types enhancements#124
    • Add support for other evidences types to the evidence verification endpoint
    • Merged!
    • The implementation was also merged: verify/evidence: Add evidence types, SEV-SNP verification keylime#1788
  • 126_verify_evidence_jwt 126_verify_evidence_jwt enhancements#127
    • Add JWT format response for the one-shot attestation endpoint
    • Merged!
    • Implementation pending
    • Note: JWE response was removed from the enhancement
  • 121_verify_evidence_api Create enhancement #121 - Verification API enhancements#122
    • Verification API - endpoint name updated
  • 114_agent_multiple_api Proposal 114: Add support for multiple API versions to the agent enhancements#115
    • Add support for multiple API versions to the agent
    • Merged!
  • 112_nk_improvements enhancement-112: Improvements around the Transport Key (NK) enhancements#113
    • Improvements around the Transport Key (NK)
    • Merged!
  • 98_spire_integration
    • SPIRE integration proposal
    • In progress

• Open PRs:

  • Keylime:
    • #1823 - Fix Database race conditions and SQLAlchemy 2.0 compatibility - @sarroutbi
    • #1818 - Include new attestation information fields - @sarroutbi
    • #1812 - Removed sphinx prompt from conf file because it caused build issues - @msafarik
    • #1810 - verify/evidence: Add claims to JSON response - @tylerfanelli
    • #1809 - docs: Add configuration options tables - @ansasaki
    • #1781 - fix: resolve extreme line-too-long violations in keylime/tenant.py - @msafarik
    • #1777 - Add support for CMW evidence format - server side - @HarshvMahawar
    • #1731 - Push authentication (Draft) - @gnurugs
    • #1715 - Allow separate CA and logging configurations for components - @marcostork
    • #1670 - Add webhook for receiving and modifying registrar identity trust decisions (Draft) - @stringlytyped
    • #1668 - Add support for EK Certificate Chain, resolves #1552 - @ematery
    • #1545 - Add support for a reject list in runtime policy - @stefanberger
  • Agent (rust-keylime):
    • #1151 - Add minor README.md rephrasing - @sarroutbi
    • #1150 - docs: add documentation on FQDN hostnames - @tuminoid
    • #1149 - build(deps): bump clap from 4.5.45 to 4.5.51 - dependabot
    • #1147 - build(deps): bump actions/upload-artifact from 4 to 5 - dependabot
    • #1143 - build(deps): bump pest_derive from 2.8.1 to 2.8.3 - dependabot
    • #1142 - build(deps): bump pest from 2.8.1 to 2.8.3 - dependabot
    • #1139 - Add TLS support for Registrar communication - @sarroutbi
    • #1131 - build(deps): bump tempfile from 3.21.0 to 3.23.0 - dependabot
    • #1118 - build(deps): bump chrono from 0.4.41 to 0.4.42 - dependabot
    • #1107 - Add unwrap/panic detection for Push Model files (Draft) - @sarroutbi
    • #1104 - Make compilation to fail on warnings (Draft) - @sarroutbi
    • #1068 - keylimectl: A replacement for keylime_tenant in rust (Draft) - @ansasaki
    • #1051 - add support for CMW evidence format - agent side - @HarshvMahawar
    • #986 - Update rust-config to 0.15 - @LecrisUT
    • #658 - Remove deprecated zmq revocation notification feature - @arkivm

Recent Merged Work Highlights

• PUSH mode stability improvements (multiple commits merged to master):

  • Allow PUSH mode agents to recover immediately from failures
  • Fixed tenant status to only use PUSH mode when appropriate
  • Event-driven PUSH mode agent monitoring implementation
  • Auto-detection of push vs pull mode
  • Enhanced attestation status tracking

• Rust agent improvements:

  • Authentication client with middleware integration
  • Improved logging consistency
  • Payload key persistence
  • Algorithm reporting fixes (RSA2048, ECC)
  • Separate keys for payload and mTLS

Action Items

• Review and test database race condition fixes (SQLAlchemy 2.0 migration)
• Continue PUSH mode testing and stabilization
• Review pending enhancement implementations (JWT response format)
• Follow up on Post-Quantum Cryptography enhancement proposal
• Keylime registrar does not reject same UUID from different TPM
• Add support for CMW evidence format - agent side

Next Meeting

Next meeting: December 17, 2025 16:00 UTC