
Creating EK and AIK

Open apoorvemohan opened this issue 3 years ago • 7 comments

Hi, the current Python Keylime Agent uses tpm2_tools to create EK (tpm2_createek) and AK (tpm2_createak), and we want to convert it to start using ESAPI instead. I was wondering if tpm2-pytss will provide similar abstractions in the near future?

Best, Apoorve

apoorvemohan avatar Jul 28 '21 19:07 apoorvemohan

tpm2-pytss provides bindings to ESAPI, so you can use it directly and just implement the logic the tools do. I have a ticket open to actually go convert you over to Python ESAPI (Ticket #10) and drop tools, but then I saw you were heading to Rust. What's the future of the Python code base?

williamcroberts avatar Jul 28 '21 21:07 williamcroberts

Following up on the comment by @williamcroberts.

The keylime agent is migrating to rust, no question about it. But I don't think I'm ready to dig a shallow grave for the python agent yet -- it's the mainstay of keylime. I believe investing into streamlining the python code to avoid system() calls is a good thing(tm) -- pun not intended, but we'd do the keylime registrar and verifier a service.

We spent a few hours with @apoorvemohan going through the createEK->createAK->makecredential->activatecredential set of calls, and made them work in pytss. We ended up writing what could end up as templates for RSA based EK and AIK creation. Do you want them? If "yes", they are a PR away from pytss.

galmasi avatar Jul 29 '21 20:07 galmasi

> Following up on the comment by @williamcroberts.
>
> The keylime agent is migrating to rust, no question about it. But I don't think I'm ready to dig a shallow grave for the python agent yet -- it's the mainstay of keylime. I believe investing into streamlining the python code to avoid system() calls is a good thing(tm) -- pun not intended, but we'd do the keylime registrar and verifier a service.
>
> We spent a few hours with @apoorvemohan going through the createEK->createAK->makecredential->activatecredential set of calls, and made them work in pytss. We ended up writing what could end up as templates for RSA based EK and AIK creation. Do you want them? If "yes", they are a PR away from pytss.

Sure, we'd love to have this support code so folks can create tpm2-tool like things effortlessly.

williamcroberts avatar Jul 30 '21 21:07 williamcroberts

@apoorvemohan and @galmasi any updates on this?

whooo avatar Sep 15 '21 18:09 whooo

So what do we need to close this, do we want templates in the python code that can be used in createprimary and create calls?

williamcroberts avatar Nov 08 '21 23:11 williamcroberts

My apologies. I am beset by multiple deadlines, and the code is somewhere in one of my repositories. If you can wait til after thanksgiving, I will return to this. I also need to have a conversation about how you want us to add the templates. I think last time (many months ago) I stopped because I didn't know how to find the best place right away, stopped to consider the best solution ... then another emergency came up :(

galmasi avatar Nov 11 '21 15:11 galmasi

> My apologies. I am beset by multiple deadlines, and the code is somewhere in one of my repositories. If you can wait til after thanksgiving, I will return to this. I also need to have a conversation about how you want us to add the templates. I think last time (many months ago) I stopped because I didn't know how to find the best place right away, stopped to consider the best solution ... then another emergency came up :(

I can add them, no worries. I'll look at the tools code, as I'm assuming that's what you want to replace. We can probably add a templates.py and add them in there as well as consider adding some helper routines.

williamcroberts avatar Nov 11 '21 15:11 williamcroberts