Consider merging fedora-iot/clevis-pin-tpm2 and using it by default
I'm opening this issue to get a discussion started on using the Rust rewrite of the TPM2 Pin (https://github.com/fedora-iot/clevis-pin-tpm2) by default in this project.
If we don't want to introduce a dependency on Rust, I think we should alternatively consider moving Fedora to the Rust implementation by default.
CC @cgwalters @nullr0ute
I'm all in favor of centralizing on the Rust implementation, particularly with coherent TPM2 pinning policies.
Also cc: @puiterwijk
Overall I have no problem with merging the two. We (@puiterwijk and I) decided originally to do it as a separate project at the beginning because:
- It was an experiment in Rust; main clevis doesn't use Rust
- Develop it independently to allow separate releases, etc.
I have no real opinion either way, TBH. It has a bunch of stuff needed for things like IMA around TPM policies, etc. (I'll let @puiterwijk outline the details), but it also needs Rust to build, so it will likely need some changes/improvements to the clevis build process. I think it's now mature enough overall to merge into this project.
I would be OK with this change, for the record.
@puiterwijk @martinezjavier: what are your thoughts here?
Where did we get to here?
@puiterwijk @martinezjavier: what are your thoughts here?
I agree with using the new tpm2 pin as the default.
The clevis tpm2 pin already defaults to the new one if available since commit latchset/clevis@66d1f35e068f
Yeah, I think it's already the default these days if it's installed. I'm also happy to get it in this project if that's what is asked, happy to relicense it if wanted, but right now it's MIT licensed.
So @sergio-correia let me know how you want to move forward and how I can assist
My two cents on this matter: do we really want to include all the Rust-related dependencies in clevis? I am not sure about that, in particular for those users who just want to use clevis with the tang pin for NBDE scenarios. I am worried about increasing clevis's size, compilation time and requirements. If we finally decide on the integration, I would somehow make this dependency optional, so that we can avoid requiring the Rust compiler and its packages for clevis compilation.