githedgehog / k8s-tpm-device-plugin
Kubernetes TPM Device Plugin
License: Apache License 2.0
Currently the helm chart creates a service account and mounts credentials. However, this is (at least at this point in time) not a requirement at all.
We should consider removing it completely, and removing the mount of the service account credential altogether.
This repo still needs CI integration using GitHub Actions that build and test, and also publish and release on tags.
Well, that's kind of a bummer. I simply used our company as the base name for the devices (githedgehog.com/tpmrm), but that's not really "correct" IMHO.
Input welcome on how that should be changed.
I find that the example specified in your README does not work on my particular version of kubernetes.

- lunar
- substratedocker.io
- tpm2-tools

Capabilities (`capsh --print`, or check /proc/1/status inside the container):

```
root@tpm-device-test:/# cat /proc/1/status | grep CapPrm
CapPrm: 0000000000000000
```

Run `tpm2_pcrread` or some other tpm2 tool and confirm that it fails with an "access denied" error:

```
root@tpm-device-test:/# tpm2_pcrread
ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 99: Cannot assign requested address
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 99: Cannot assign requested address
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:254:tctildr_get_default() No standard TCTI could be loaded
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR: Could not load tcti, got: "(null)"
```

...

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
    add: ["CAP_DAC_OVERRIDE"]  # <-- this will allow directory access for tpm2-tools
```

```
root@tpm-device-test:/# cat /proc/1/status | grep CapPrm
CapPrm: 0000000000000002
```

`tpm2_pcrread` now works correctly.

WTF, no tests?! Who wrote this software.
Mea culpa, but the plugin was so easy/simple at this point that the integration testing on a Kubernetes cluster was all that was necessary so far.
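The README-example report above verifies the pod's capability set by reading the raw hex mask from `cat /proc/1/status | grep CapPrm` (0000000000000000 with everything dropped, 0000000000000002 once CAP_DAC_OVERRIDE is added back). The following Go program is an added example, not code from the k8s-tpm-device-plugin project or from that report: it decodes those Cap* masks into capability names so the effect of a securityContext change can be checked inside a container that has no capsh. The two status snippets are constructed to mirror the report's before and after outputs, and the function names are this example's own; the bit-to-name table follows the numbering in the Linux kernel's capability.h.

```go
// Added example (not part of the k8s-tpm-device-plugin project): decode the
// CapInh/CapPrm/CapEff/CapBnd/CapAmb masks printed in /proc/<pid>/status.
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// capNames maps a kernel capability number (the bit position in the mask)
// to its name, in the order defined by include/uapi/linux/capability.h.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// DecodeCapMask turns the 16-hex-digit mask from a Cap* line into the names
// of the capabilities whose bits are set. Bits this table does not know are
// reported as CAP_<number> instead of being silently dropped.
func DecodeCapMask(hexMask string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad capability mask %q: %w", hexMask, err)
	}
	names := []string{}
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<bit) == 0 {
			continue
		}
		if bit < len(capNames) {
			names = append(names, capNames[bit])
		} else {
			names = append(names, fmt.Sprintf("CAP_%d", bit))
		}
	}
	return names, nil
}

// ParseStatusCaps extracts every "Cap...:" line from the text of
// /proc/<pid>/status and decodes it, keyed by set name (CapPrm, CapEff, ...).
func ParseStatusCaps(status string) (map[string][]string, error) {
	caps := make(map[string][]string)
	for _, line := range strings.Split(status, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if !ok || !strings.HasPrefix(key, "Cap") {
			continue
		}
		names, err := DecodeCapMask(val)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		caps[key] = names
	}
	return caps, nil
}

// HasCap reports whether the named capability is present in the given set.
func HasCap(caps map[string][]string, set, name string) bool {
	for _, n := range caps[set] {
		if n == name {
			return true
		}
	}
	return false
}

// Constructed samples (assumption): what /proc/1/status looks like in the
// pod before and after the securityContext change from the report above.
const statusDropAll = `Name:	bash
Uid:	0	0	0	0
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000000000000000
CapAmb:	0000000000000000
`

const statusDacOverride = `Name:	bash
Uid:	0	0	0	0
CapInh:	0000000000000000
CapPrm:	0000000000000002
CapEff:	0000000000000002
CapBnd:	0000000000000002
CapAmb:	0000000000000000
`

func main() {
	for _, s := range []string{statusDropAll, statusDacOverride} {
		caps, err := ParseStatusCaps(s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CapEff=%v CAP_DAC_OVERRIDE=%v\n",
			caps["CapEff"], HasCap(caps, "CapEff", "CAP_DAC_OVERRIDE"))
	}
}
```

Note that CAP_DAC_OVERRIDE bypasses every discretionary permission check for every file the container can reach, not only the TPM device node. If the node the runtime creates in the container is group-accessible, matching that group through the pod's securityContext (runAsGroup or supplementalGroups) lets the container keep all capabilities dropped; whether that works depends on the ownership and mode the runtime gives the node, so verify with the same /proc/1/status and tpm2_pcrread checks the report uses.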
This is really one of the core pieces missing where I'm not sure yet what or if it is necessary to do at all.
Kubernetes device plugins have a concept of device health. Currently the implementation reports every device simply as "Healthy".
There are things to consider on how to check the TPM device health:

- for the /dev/tpm0 device we could check if it is actually being used by the host and mark it as "Unhealthy" if it is

Still something that needs to be discussed internally, but putting this out here already: we should consider moving this project under the keylime organization. That is pending Hedgehog internal approval as well as the keylime org's willingness to take it on, of course.