Thore Sommer

Results 112 comments of Thore Sommer

@kgold2 have you talked to the vendor? @alex as you stated, it is unlikely that this will be fixed for all devices that are deployed in the wild with a firmware...

> It's unlikely that our approach would be to introduce a flag for allowing malformed certs, as this complicates our API surface and is difficult for users to reason about...

> I'm also wondering if the solution should be more general, because there is at least one more variable, SbatLevel, which I don't think follows the uefi_variable_data is uefi_signature_data pattern....

@ansasaki I fully agree that we should clean up and normalize the names in the configuration. If/when we move the configuration to TOML (https://github.com/keylime/keylime/issues/895) we should redesign our configuration. This change...

@ansasaki I like the idea of only having one client certificate, but I don't know if this works because one cert can only be issued by one CA. At least...

Actually I think we can move all components to the same CA by adding the option to trust multiple CAs for mTLS connection. We can have only one CA that...

@ansasaki #1068 fixes all of the issues raised here, right?

There is still no full separation. I noticed that for the verifier and registrar still the following options were required because otherwise Keylime crashes:
```
[cloud_agent]
tpm_hash_alg = sha1
tpm_encryption_alg =...
```

Thanks for finding this. I already wanted to restructure the IMA allowlist/exclude API because it is more than that, but I haven't got around to doing it.

@mpeters can you assign this to me?