Code Monkey home page Code Monkey logo

attestationengine's Introduction

A10 - Nokia Attestation Engine

This is the source for the Nokia Attestation Engine A10.

This software is used as the remote attestation engine as part of a trusted and/or confidential computing environment. This is the system that holds the known good values about devices and other elements, and provides the attestation and validation mechanisms.

The software here is provided as-is - there is no security (http for the win!) and the error checking in places is completely missing. The point of this was to explore more interesting mechanisms for remote attestation and to implement ideas from the IEFT RATS specification. READ the security section!!!

Refer to the contents in the docs directory.

attestationengine's People

Contributors

aleksikosonen avatar aleksikyto avatar csatarigergely avatar cyroxin avatar dependabot[bot] avatar iolivergithub avatar jaanikaukonen avatar jeromelenssen avatar klenjavor avatar leosa00 avatar matiasvainio avatar nikolindborg avatar roosae avatar taneli1 avatar taneli2 avatar ths-on avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

cyroxin klenjavor ths-on roosae jlenssen nikolindborg aleksikosonen feri aleksikyto jaanikaukonen matiasvainio toobaf tabz11 leosa00 leosa123 xiaoxiaobian abhaypawar

attestationengine's Issues

Add known hash value to hashes.

Firmware version for updated Infineon 9670 TPM2.0 :

2a1aa04410004700

{
"hash":"2a1aa04410004700",
"type":"other",
"short":"Infineon TPM2.0 F/W",
"long":"This is the TPM 2.0 firmware value for an Infineon TPM 2.0 SLB 9760 Post 2020 release. This value will be seen as part of the TPMS_ATTEST structure generated by a quote. This version contains the fix for the RSA key generation"
}

QUERY : Is it IETF RATS compliant?

Thanks a lot for open sourcing the project and talks given at tpmdev, I just wanted to know if the attestation follows IETF RATS standards (passport or challenge response)

MQTT keepalive

Add keepalive to mqtt client sessions...cf: asmqttviewer

client = mqtt.Client()
client.on_connect = on_connect
client.on_message = on_message
client.connect(broker_url, broker_port,keepalive=60, bind_address="")

MIght replace the keepalive ping too?

Ideas/TODOs

  • Allow a rule to take multiple claims
    • An example would be a tpm2_quote and a list of PCR values to check if they are consistent
  • Expose in the API if a rule needs parameters and which
  • Allow to set a EV on a rule invocation basis not per policy
  • Rename policies to intents

Typos in compiling.md

Threadripper spelt wrongly
Installation of edgeless uses an environment variable not the package name

Include instructions on how to handle the redirect not using sudo when you add to the intel-sgx.list

TCTI error in enoller

File "/home/risto/Work/AttestationEngine/apps/enroller/client/enrol.py", line 20, in
tcti=os.environ['TPM2TOOLS_TCTI']
File "/usr/lib/python3.9/os.py", line 679, in getitem
raise KeyError(key) from None
KeyError: 'TPM2TOOLS_TCTI'

u10 PCR Pretty Print fails if bank is undefined 

    File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 2095, in __call__

    return self.wsgi_app(environ, start_response) [Open an interactive python shell in this frame] 

    File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 2080, in wsgi_app

    response = self.handle_exception(e)

    File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 2077, in wsgi_app

    response = self.full_dispatch_request()

    File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 1525, in full_dispatch_request

    rv = self.handle_user_exception(e)

    File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 1523, in full_dispatch_request

    rv = self.dispatch_request()

    File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 1509, in dispatch_request

    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)

    File "/home/att/AttestationEngine/u10/blueprints/claims.py", line 83, in claimprettyprintPCRs

    ps = sorted( {int(k) : v for k, v in pcrs.get(p).items()}.items() )

    AttributeError: 'str' object has no attribute 'items'

This happens with the T440's PCR banks which contani sha1 and sha256 keys BUT the sha256 banks are undefined, ie: sha256:{}

Add check for missing PCR banks in verify 

File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 2095, in __call__

return self.wsgi_app(environ, start_response) [Open an interactive python shell in this frame] 

File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 2080, in wsgi_app

response = self.handle_exception(e)

File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 2077, in wsgi_app

response = self.full_dispatch_request()

File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 1525, in full_dispatch_request

rv = self.handle_user_exception(e)

File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 1523, in full_dispatch_request

rv = self.dispatch_request()

File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 1509, in dispatch_request

return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)

File "/home/att/AttestationEngine/u10/blueprints/attestation.py", line 98, in attestverify_post

v = attestation.verify(cres.msg(), rule, None)

File "/usr/local/lib/python3.9/dist-packages/a10server-2022.4.24-py3.9.egg/a10/asvr/attestation.py", line 168, in verify

application_result = handler_instance.apply()

File "/usr/local/lib/python3.9/dist-packages/a10server-2022.4.24-py3.9.egg/a10/asvr/rules/tpm2rules.py", line 70, in apply

pcrentry = str(pcrs[str(p)])

Needs a try/except around the last one to catch when the PCR bank does not exist, cf: T440 only support sha1 and the sha256 bank is present but unused and not reported in pcrread

/msg endpoint

As in the nut10 code

  1. /msg endpoint to A10
  2. add messaging capabilites to the a10 libraries - write to logfile perhaps? Check whether the logfile supports the itemid
  3. add messaging list to the u10 UI

Licenses on each file

Should be

Copyright 2021 Nokia

Licensed under the BSD 3-Clause Clear License.

SPDX-License-Identifier: BSD-3-Clear

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.