RHEL-117442

keylime attestation fails when agent provides TPM quote with ECC keys


    Fixed in build: keylime-7.12.1-12.el10
    Release Note Type: Bug Fix
    Release Note Text:
      Cause: The keylime verifier component did not properly support ECC key algorithms when verifying signed TPM quotes from agents.

      Consequence: When agents were configured with an ECC key type (ecc521, ecc384, ecc256, or ecc) in the tpm_encryption_alg setting, the verifier failed to validate the TPM quote evidence, causing attestation failures and making the whole Keylime solution non-functional with TPM ECC keys.

      Fix: Updated the keylime verifier to correctly handle and verify ECC-based TPM quotes from agents.

      Result: Keylime verifiers can now successfully verify TPM quotes from agents using ECC encryption algorithms, enabling full attestation functionality with ECC-based TPM keys.
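The Cause above is, at the wire level, a question of which TPMT_SIGNATURE layout the verifier is prepared to read. A quote signed with an RSA attestation key carries one TPM2B signature after the hash-algorithm field; an ECDSA quote carries two (r and s), and most crypto libraries then want those two scalars re-encoded as a DER ECDSA-Sig-Value before verifying. The following is an added example written for this report, not keylime's own quote-handling code: it parses both layouts with only the Python standard library, using the TPM_ALG_ID values from TPM 2.0 Part 2, and shows how a parser that assumes the RSA layout fails on an ECC quote. The sample signature blobs are constructed in the block and are not real TPM output.

```python
"""Parse a TPM 2.0 TPMT_SIGNATURE and hand it to a verifier in the form
its crypto library expects.

Added illustration, not keylime code. Wire layout assumed (TPM 2.0 Part 2,
big-endian; sigAlg selects the union member):

  RSASSA / RSAPSS : sigAlg(2) | hashAlg(2) | TPM2B sig
  ECDSA           : sigAlg(2) | hashAlg(2) | TPM2B r | TPM2B s

where a TPM2B is a UINT16 size followed by that many bytes.
"""
import struct

# TPM_ALG_ID constants from TPM 2.0 Part 2 (Structures).
TPM_ALG_RSASSA = 0x0014
TPM_ALG_RSAPSS = 0x0016
TPM_ALG_ECDSA = 0x0018
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
TPM_ALG_SHA384 = 0x000C
TPM_ALG_SHA512 = 0x000D

HASH_NAMES = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256",
              TPM_ALG_SHA384: "sha384", TPM_ALG_SHA512: "sha512"}


def _tpm2b(buf: bytes, off: int):
    """Read one TPM2B at `off`; return (bytes, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TPM2B size")
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("truncated TPM2B body")
    return buf[off:off + size], off + size


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above (P-521 needs it)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(raw: bytes) -> bytes:
    """DER INTEGER from an unsigned big-endian scalar (minimal, positive)."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw          # leading zero keeps the value positive
    return b"\x02" + _der_len(len(raw)) + raw


def ecdsa_to_der(r: bytes, s: bytes) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s }: the form OpenSSL/cryptography verify."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body


def parse_tpmt_signature(blob: bytes) -> dict:
    """Return {"alg", "hash", "signature"}: raw sig for RSA, DER for ECDSA."""
    if len(blob) < 4:
        raise ValueError("too short for TPMT_SIGNATURE")
    sig_alg, hash_alg = struct.unpack_from(">HH", blob, 0)
    if hash_alg not in HASH_NAMES:
        raise ValueError(f"unsupported hash alg 0x{hash_alg:04x}")
    off = 4
    if sig_alg in (TPM_ALG_RSASSA, TPM_ALG_RSAPSS):
        sig, off = _tpm2b(blob, off)
    elif sig_alg == TPM_ALG_ECDSA:
        r, off = _tpm2b(blob, off)
        s, off = _tpm2b(blob, off)
        sig = ecdsa_to_der(r, s)
    else:
        raise ValueError(f"unsupported signature scheme 0x{sig_alg:04x}")
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    return {"alg": sig_alg, "hash": HASH_NAMES[hash_alg], "signature": sig}


def build_tpmt_signature(sig_alg: int, hash_alg: int, *params: bytes) -> bytes:
    """Marshal a TPMT_SIGNATURE from its parameters (for constructed test data)."""
    out = struct.pack(">HH", sig_alg, hash_alg)
    for p in params:
        out += struct.pack(">H", len(p)) + p
    return out


def rsa_only_parse(blob: bytes) -> bytes:
    """The RSA-only assumption: exactly one TPM2B follows the hash field."""
    sig, off = _tpm2b(blob, 4)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")   # every ECDSA quote ends here
    return sig


if __name__ == "__main__":
    # Constructed sample values, not a real quote signature.
    ecdsa_blob = build_tpmt_signature(TPM_ALG_ECDSA, TPM_ALG_SHA256,
                                      b"\x01" * 32, b"\x80" + b"\x02" * 31)
    rsa_blob = build_tpmt_signature(TPM_ALG_RSASSA, TPM_ALG_SHA256, b"\xab" * 256)
    print(parse_tpmt_signature(rsa_blob)["hash"], parse_tpmt_signature(ecdsa_blob)["signature"].hex())
    try:
        rsa_only_parse(ecdsa_blob)
    except ValueError as e:
        print("RSA-only parser rejects the ECC quote:", e)
```

The `hash` name returned is the digest the verifier must apply to the TPMS_ATTEST blob before checking the signature (`hashlib.new(name)`), and for ECDSA the DER output is what `EllipticCurvePublicKey.verify` in `cryptography` or `openssl pkeyutl` expect as the signature argument. The long-form DER length in `_der_len` is not optional: with ecc521 the r and s scalars are 66 bytes each and the sequence body exceeds 127 bytes.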

      What were you trying to do that didn't work?

      Setting one of `ecc521`, `ecc384`, `ecc256` or `ecc` in `tpm_encryption_alg` in the agent configuration makes the attestation fail

      What is the impact of this issue to you?

      The agent cannot generate TPM quote evidence to report to the verifier, making the whole Keylime solution not work when TPM ECC keys are used

      Please provide the package NVR for which the bug is seen:

      keylime-7.12.1-11.el10

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Set `tpm_encryption_alg` to any of `ecc521`, `ecc384`, `ecc256` or `ecc` in the agent configuration
      2. Start the verifier, registrar, agent
      3. Enroll the agent to be monitored by the verifier using the tenant

      Expected results

      The agent is successfully enrolled and the verifier successfully verifies the provided attestation evidence (TPM quotes)

      Actual results

      The attestation fails

              People: Sergio Correia (scorreia@redhat.com), Anderson Toshiyuki Sasaki (ansasaki@redhat.com), Karel Srot, Mirek Jahoda