stage0: re-evaluate tpm.Extend in critical path #1816

jonboulle · 2015-12-01T03:40:52Z

Capturing discussion in #1775 (diff) : I raised the concern that the tpm.Extend operation is happening during the critical path of container instantiation.

Currently we just try to log in the TPM in every case (irrespective of whether rkt is built with/without TPM support, and whether there happens to be a local TSPI service running), and ignore any error returned by the operation. However, this involves an HTTP request which could fail in arbitrary ways, and potentially time out, etc.

We should deal with this more thoughtfully, especially as we consider adding TPM support to the default build. This will also set us up to deal with the eventual future where we will want to fail hard if the TPM operation does not succeed.

The text was updated successfully, but these errors were encountered:

iaguis · 2016-01-19T14:49:15Z

If I listen to the tpmd port I can block the execution of subsequent rkt runs:

$ sudo rkt run coreos.com/etcd:v2.0.10
rkt: using image from local store for image name coreos.com/rkt/stage1-coreos:0.15.0+git2776960
rkt: using image from local store for image name coreos.com/etcd:v2.0.10

[stays there...]

This is unfortunate because it's an unprivileged port:

$ nc localhost -l -p 12041
POST /v1/extend HTTP/1.1
Host: localhost:12041
User-Agent: Go-http-client/1.1
Content-Length: 799
Content-Type: application/json
Accept-Encoding: gzip

{"Pcr":15,"Eventtype":4096,"Data":null,"Event":"rkt: Rootfs: sha512-bd90da08a4dccea41d0a8258b213b86e3ec98c28f1cd6425e34aad42ad3ad53d Manifest: {\"acVersion\":\"0.15.0+git2776960\",\"acKind\":\"PodManifest\",\"apps\":[{\"name\":\"etcd\",\"image\":{\"name\":\"coreos.com/etcd\",\"id\":\"sha512-c03b055d02e51e36f44a2be436eb77d5b0fbbbe37c00851188d8798912e8508a\",\"labels\":[{\"name\":\"os\",\"value\":\"linux\"},{\"name\":\"arch\",\"value\":\"amd64\"},{\"name\":\"version\",\"value\":\"v2.0.10\"}]},\"app\":{\"exec\":[\"/etcd\"],\"user\":\"0\",\"group\":\"0\"}}],\"volumes\":null,\"isolators\":null,\"annotations\":null,\"ports\":[]} Stage 1 args: /var/lib/rkt/pods/run/44d625f5-f524-4023-9868-f13221bd1036/stage1/rootfs/init --net=default --local-config=/etc/rkt 44d625f5-f524-4023-9868-f13221bd1036"}

jonboulle · 2016-01-19T17:35:47Z

Ick. Maybe for now we should set a connection timeout and fail hard?

alban · 2016-01-19T19:42:34Z

The solution could be to get tpmd to listen on a privileged port. See google/go-tspi#3

jonboulle · 2016-01-19T19:45:24Z

We still need to deal with unexpected/bad services listening on that port..

On Tue, Jan 19, 2016 at 8:42 PM, Alban Crequy notifications@github.com
wrote:

The solution could be to get tpmd to listen on a privileged port. See
google/go-tspi#3 google/go-tspi#3

—
Reply to this email directly or view it on GitHub
#1816 (comment).

iaguis · 2016-01-21T14:33:26Z

Let's continue discussing this for 1.0.

iaguis · 2016-01-26T16:34:03Z

So we could fix this if tpmd listens on a privileged port and we implement some kind of timeout, right?

jonboulle · 2016-01-27T16:20:26Z

I would like to see the timeout for 1.0.

When we send requests to tpmd, we could potentially block for a long time if an unexpected service is listening on that port. Allow setting a timeout so users of the library can limit this possibility. See rkt/rkt#1816 (comment)

iaguis · 2016-02-01T11:25:05Z

google/go-tspi#4

iaguis · 2016-02-01T11:34:26Z

I would like to see the timeout for 1.0.

We still need to decide whether to enable TPM on the release binary.

When we send requests to tpmd, we could potentially block for a long time if an unexpected service is listening on that port. Allow setting a timeout so users of the library can limit this possibility. See rkt/rkt#1816 (comment)

jonboulle added component/stage0 kind/cleanup area/security labels Dec 1, 2015

jonboulle added this to the v0.14.0 milestone Dec 1, 2015

jonboulle mentioned this issue Dec 1, 2015

stage0: add container hash data into TPM #1775

Merged

alban modified the milestones: v0.16.0, v0.15.0 Jan 7, 2016

alban added help wanted priority/P2 labels Jan 19, 2016

iaguis mentioned this issue Jan 19, 2016

build: Add configure flags for controlling tpm logging #1996

Merged

alban mentioned this issue Jan 19, 2016

tpmd to listen on a privileged port google/go-tspi#3

Open

iaguis modified the milestones: v1.0.0, v0.16.0 Jan 21, 2016

jonboulle added priority/P1 and removed priority/P2 labels Jan 27, 2016

iaguis mentioned this issue Feb 1, 2016

tpmclient: add timeout google/go-tspi#4

Merged

iaguis mentioned this issue Feb 1, 2016

Godeps: bump go-tspi #2060

Merged

jonboulle closed this as completed in #2060 Feb 1, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

stage0: re-evaluate tpm.Extend in critical path #1816

stage0: re-evaluate tpm.Extend in critical path #1816

stage0: re-evaluate tpm.Extend in critical path #1816

stage0: re-evaluate tpm.Extend in critical path #1816

Comments