RHEL-118148

keylime agent fails to create TPM quote with ECC keys [rhel-9]


    • keylime-agent-rust-0.2.2-5.el9
    • No
    • Low
    • rhel-security-special-projects
    • 26
    • None
    • False
    • False
    • Yes
    • None
    • Bug Fix
    • Cause: Setting an ECC algorithm such as ecc256, ecc384, or ecc521 in the tpm_encryption_alg option.
      Consequence: The agent was not able to provide the TPM quote evidence to report to the verifier, making Keylime attestation impossible.
      Fix: Added support for using ECC keys for Keylime's TPM operations. The supported options are ecc192, ecc224, ecc256, ecc384, and ecc521.
      Result: Keylime now correctly supports attestation with ECC keys from the TPM.
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      Setting one of `ecc521`, `ecc384`, `ecc256` or `ecc` in `tpm_encryption_alg` makes the agent fail to generate signed TPM quotes.

      What is the impact of this issue to you?

      The agent cannot generate TPM quote evidence to report to the verifier, making the whole Keylime solution not work when TPM ECC keys are used.

      Please provide the package NVR for which the bug is seen:

      keylime-agent-rust-0.2.7-3.el10

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Set any `ecc{521, 384, 256, }` to `tpm_encryption_alg`
      2. Start the verifier, registrar, agent
      3. Enroll the agent to be monitored by the verifier using the tenant

      Expected results

      The agent is successfully enrolled and the verifier successfully verifies the provided attestation evidence (TPM quotes).

      Actual results

      The enrollment fails

              Anderson Toshiyuki Sasaki (ansasaki@redhat.com)
              Anderson Toshiyuki Sasaki (ansasaki@redhat.com)
              Sergio Correia
              SSG Security QE
              Mirek Jahoda
              Votes: 0
              Watchers: 9