Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-117442

keylime attestation fails when agent provide TPM quote with ECC keys

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • No
    • Moderate
    • rhel-security-special-projects
    • 12
    • 1
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • None
    • None
    • Unspecified Release Note Type - Unknown
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      Setting one of `ecc521`, `ecc384`, `ecc256` or `ecc` in `tpm_encryption_alg` in the agent configuration makes the attestation to fail

      What is the impact of this issue to you?

      The agent cannot generate TPM quote evidence to report to the verifier, making the whole Keylime solution to not work when TPM ECC keys are used 

      Please provide the package NVR for which the bug is seen:

      keylime-7.12.1-11.el10

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Set any `ecc{521, 384, 256, }` to `tpm_encryption_alg` in the agent configuration
      2. Start the verifier, registrar, agent
      3. Enroll the agent to be monitored by the verifier using the tenant

      Expected results

      The agent is successfully enrolled and the verifier successfully verify the provided attestation evidences (TPM quotes)

      Actual results

      The attestation fails

              scorreia@redhat.com Sergio Correia
              ansasaki@redhat.com Anderson Sasaki
              Sergio Correia Sergio Correia
              Karel Srot Karel Srot
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: