RHEL-117441: keylime agent fails to create TPM quote with ECC keys


    • keylime-agent-rust-0.2.7-4.el10
    • Moderate
    • rhel-security-special-projects
    • Bug Fix
      Cause: The keylime-agent-rust component did not properly support ECC key algorithms when generating signed TPM quotes.

      Consequence: When users configured ECC key types (ecc521, ecc384, ecc256, or ecc) in the tpm_encryption_alg setting, the agent failed to generate TPM quote evidence, causing enrollment failures and making the entire Keylime attestation solution non-functional with TPM ECC keys.

      Fix: Updated the keylime-agent-rust to correctly handle ECC key algorithms during TPM quote generation.

      Result: Keylime agents can now successfully generate TPM quotes and enroll with verifiers when using ECC encryption algorithms, enabling full attestation functionality with ECC-based TPM keys.

      What were you trying to do that didn't work?

      Setting one of `ecc521`, `ecc384`, `ecc256` or `ecc` in `tpm_encryption_alg` makes the agent fail to generate signed TPM quotes.

      What is the impact of this issue to you?

      The agent cannot generate TPM quote evidence to report to the verifier, making the whole Keylime solution not work when TPM ECC keys are used.

      Please provide the package NVR for which the bug is seen:

      keylime-agent-rust-0.2.7-3.el10

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Set `tpm_encryption_alg` to one of `ecc521`, `ecc384`, `ecc256` or `ecc`
      2. Start the verifier, registrar, agent
      3. Enroll the agent to be monitored by the verifier using the tenant

      Expected results

      The agent is successfully enrolled and the verifier successfully verifies the provided attestation evidence (TPM quotes)

      Actual results

      The enrollment fails

              Sergio Correia
              Anderson Toshiyuki Sasaki
              Karel Srot
              Mirek Jahoda