
Licence: Apache-2.0 License
Provides agent and server plugins for SPIRE to allow TPM 2-based node attestation.



SPIRE TPM Plugin

This repository contains agent and server plugins for SPIRE to allow TPM 2-based node attestation.

Demo

Here's a quick demo that shows how this plugin looks when run:

[asciicast: recording of the plugin demo]

Quick Start

Before starting, create a running SPIRE deployment and add the following configuration to the agent and server:

Agent Configuration

NodeAttestor "tpm" {
	plugin_cmd = "/path/to/plugin_cmd"
	plugin_checksum = "sha256 of the plugin binary"
	plugin_data {
	}
}

Server Configuration

NodeAttestor "tpm" {
	plugin_cmd = "/path/to/plugin_cmd"
	plugin_checksum = "sha256 of the plugin binary"
	plugin_data {
		ca_path = "/opt/spire/.data/certs"
	}
}

| key | type | required | description | default |
|---|---|---|---|---|
| ca_path | string | | the path to the CA directory | /opt/spire/.data/certs |

Certificate Directory Configuration

For this plugin to work, the server needs the certificate of the CA that signed your TPM's EK certificate. Place all such CA certificates in the directory given by ca_path.

How it Works

The plugin uses TPM credential activation as its attestation method. It operates as follows:

  1. The agent generates an AK (attestation key) using the TPM.
  2. The agent sends the AK attestation parameters and the EK certificate to the server.
  3. The server inspects the EK certificate and checks whether it is signed by any chain in the directory specified by ca_path.
  4. If the EK certificate is signed by one of the CAs, the server generates a credential activation challenge using:
    1. the EK public key, and
    2. the AK attestation parameters.
  5. The server sends the challenge to the agent.
  6. The agent decrypts the challenge's secret.
  7. The agent sends back the decrypted secret.
  8. The server verifies that the decrypted secret is the same one it used to build the challenge.
  9. The server creates a SPIFFE ID of the form spiffe://<trust_domain>/agent/tpm/<sha256sum_of_tpm_pubkey>.
  10. All done!

For info on how TPM attestation usually works and how this implementation differs, visit TPM.md.

Building

To build this plugin on Linux, run make build. Because of the dependency on go-attestation, you must have libtspi-dev installed.

Contributions

We ❤️ contributions.

Have you had a good experience with this project? Why not share some love and contribute code, or just let us know about any issues you had with it?

We welcome issue reports here; be sure to choose the proper issue template for your issue, so that we can be sure you're providing the necessary information.

Before sending a Pull Request, please make sure you read our Contribution Guidelines.

License

Please read the LICENSE file.

Code of Conduct

This project has adopted a Code of Conduct. If you have any concerns about the Code, or behavior which you have experienced in the project, please contact us at [email protected].

Security Vulnerability Reporting

If you believe you have identified a security vulnerability in this project, please send email to the project team at [email protected], detailing the suspected issue and any methods you've found to reproduce it.

Please do NOT open an issue in the GitHub repository, as we'd prefer to keep vulnerability reports private until we've had an opportunity to review and address them.
