Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Securing Edge Systems with TPM 2.0 and SPIRE - Cole Kennedy, TestifySec
The TPM 2.0 device is a secure enclave that is included in most recent servers, workstations, and laptops. We discuss how the TPM 2.0, along with SPIRE can be used to architect secure edge and hybrid systems.
A
My name is Cole Kennedy. So, a little bit of the work I've done recently: I co-authored the CNCF Secure Supply Chain Best Practices paper, I've contributed to SPIRE and in-toto and a lot more open source projects. Open source was really a passion for me, and I think it's really driven a lot of our innovation forward over the past 10 years.
A
I'm a security and architecture SME. I've done architecture and security for Duke Energy, Colorado State University, Platform One, GBSD, and then most recently I worked on the city secure software factory. I'm an SME with air-gapped and high-compliance networks, and then I'm also an Iraq and Afghanistan veteran.
A
So I work for a company... Thank you. I work for a company called TestifySec, or I own TestifySec. We just launched last Wednesday, so we're providing cybersecurity professional services and software to enterprise and federal customers, right? We're focusing on software supply chain, zero trust, automated governance and open source software risk management. But enough of that.
A
So what are we doing? We want to use workload identity to secure systems all the way from source to production, right? So when we threat model CI systems, we're looking at three different things that we really need to attest. We need to attest the materials that are going into that build, right?
A
We need to attest the environment that the build's taking place in, and then we need to attest the actual process that is acting on those materials in that environment, all right? And then we need to protect private key material with trusted hardware, right? In that way, our attacks are either limited to hardware attacks, which are tough, or critical software components that we know to monitor.
A
So really, what we're trying to do is we're trying to understand what the system state was when we issued that identity, right? And we're using SPIRE to do this, because TPM policy is pretty difficult to manage per machine, right? We're using fleets of machines that are ephemeral; they're coming up, they're coming down, we're changing them all the time with these immutable states. So if we've got to change a TPM policy for that, the tooling around that might be a little bit complex, right? And then SPIRE provides an identity management engine.
A
This identity management engine is federated. It's distributed. In SPIRE, best of all, it's really ready for production deployment, right? We've been running SPIRE in some production deployments for various customers for a long time. It's been rock solid. We really love it, and its pluggable design really meets needs for complex use cases, right? You can take SPIRE and really make it whatever you want it to be. So SPIRE is a community project, and it's backed by a bunch of major corporations.
A
Right, we've got a bunch of corporations in this room, like VMware, HPE, right? So it's a project that has money behind it and really good, solid devs, right? I consider SPIRE high-assurance open source. So again, right, that TPM that we're talking about, right, that's going to provide selectors for SPIRE's identity issuance, right?
A
So let's go back a little bit and talk about what a TPM is. Why is it important that we're building secure systems around this device, right? So there's different types of TPMs. It's really important because they all have different threat models. So you have a discrete TPM. This is what the Trusted Computing Group considers the most tamper resistant. Most of our TPMs that we're going to be talking about, I think, are going to be integrated TPMs, and that's going to be a hardware component that's integrated onto the chip. There's a firmware TPM, right, and that's actually integrated on the CPU. Those might be vulnerable to, like, management engine attacks, for example. There's a software TPM. Don't ever use these unless you're testing. There's really no use to actually secure an environment; they might be good for metadata if you're in a trusted environment, but really, TPMs are not that hard to find. And then virtualized TPM, right.
A
So if you're running cloud, if you're running your builds in the cloud, actually, Google actually gives us a shielded virtual machine that includes a virtualized TPM, and there's some proofs that they have about how secure that is. So you can go ahead and look at that yourself. And then, if you're using like a virtualized system, I know VMware or QEMU also offers TPMs. So, TPMs, right.
A
Also we have the public key hash or the CA certificate hash, right. This TPM plugin was actually forked from Bloomberg to BoxBoat, and then we forked it from BoxBoat. So there's a lot of different things you can do with this, and then also we're going to get that process identity from the Workload API.
A
So then we take that, and we ask the agent then to decrypt that. If the agent's able to decrypt that, right, we know that the agent is who it says it is, that the agent owns the private key for that public key that we have. So we take that public key, hash it, and use it as an identity selector. Not shown in this, but there's also PCR data that is attested.
A
So what exactly is a PCR register? Well, here's an example of what normally is in one for an x86 PC. Now, depending on where your TPM is, right, that's going to dictate what gets put into it; device manufacturing changes, but Trusted Computing Group, this is generally what we're looking at. So what we're going to look at right now is PCR4 and PCR5.
A
That's that master boot record. Now, if we have a hash of that and we have a hash of the config, we can assert that nothing changed in that MBR and our boot state is what we expect it to be. Also, we can select on the BIOS hash, the option ROM hash, right, all of this. One that you might not want to use: there is PCR 6, that's state transition. So if your computer goes to sleep and wakes back up, that's going to change. And then PCR 10, that is a really interesting one.
A
The Linux integrity management system actually uses PCR 10 when able to do integrity checks on all the files in the system. So if something like SolarWinds happened on your system, right, you could, if you had that enabled, you could look at PCR 10 to kind of verify that, along with IMA, to see, okay, there was something that happened in the system that we didn't expect. So we're not going to issue it a cert. So, demo time, all right.
A
There's some work being done on it, but it's probably best practice to, you know, trust on first use: grab those hashes and then register them in the system. So that's what we're going to do. So we can see we have our PCR hashes there. Now, if you look, right, we have PCR 4 and 5, right. As long as our kernel stays the same version and we don't have any kernel modules or anything else go in the MBR, that's going to stay the same.
A
I think that's some important information that we want to include in our build metadata. So then we're going to do a SPIRE registration, all right.
A
All right, this is important because when we are building software on systems, and we are signing that metadata for that software, we now have a way to assert the state that that software was built in. We can now ship that data, either downstream to our production systems or off to the consumer of our software, to give them confidence that we've done the right thing and that the risk level of running the software on their system is low.
A
So what's the future work look like? So, unfortunately, this plug-in was written on a free plug-in SDK. So in the next few weeks, Mikael and I are going to be rewriting this to use the new plug-in SDK. We're looking at using a key manager plugin, a TPM key manager plug-in for the server, so we can securely store those keys, whether you're in the cloud or on bare metal infrastructure. And then we're also starting to work on IMA hooks into the Unix workload API, right. So that way, when we issue a certificate to that workload, let's go check that PCR register and see if it matches, and that'll allow us to make sure that not only the boot state is consistent, but also the current state of that system is consistent with what we expect it to be, right.
A
If any of those files are different than what they're expected to be, that IMA PCR 10 will show it. And then I know VMware is also working on some SPIRE-like trust on first use semantics. There's some work going on in there; I think there's a GitHub issue. I think that's another issue that we need to look at, because we don't want to trust that certificate that we issued to the agent for a reissuance, right.
A
All right! Well, that is my presentation, but I'm sure you all have a lot of questions.
B
So, Q&A works differently now that we're in person. Our moderator Andrew here will read any questions that come from the platform, and I can walk around with the handheld for any questions in person. Question in person number one. You have to raise your hand if you have a question.
C
Hey, this is awesome work. I noticed you mentioned IMA for PCR 10. So do you see kind of there being a separate server to kind of validate logs before you kind of, you know, create the entry, or do you think you can specify your IMA policy within the node attestor itself? How do you see that working?
A
I'm looking at building into the Unix plug-in for the workload attestor, because I think that's where it belongs, right? Because if we want to attest a state that's changing, we want to check that every time we issue a certificate. So I'm open to figuring out where that fits in, and we've been talking about it a little bit. But I think that's where I want to explore first, and then we can add additional selectors to when we hand out certs to workloads. Cool.
D
So you kind of pointed out that, you know, getting your hands on those PCR hashes is kind of like a trust on first use sort of a process where you kind of...
D
Right now, on how you might make that process a little more easy for folks?
A
I think, you know, it's hard to say, right. I think there needs to be somewhere to share those hashes. We haven't quite got there yet; we're just kind of trying to get this whole thing to work and get from the left to the right, but yeah. I think that's going to be an organizational thing, right. I think a lot of those hashes should be similar. Organizations buy the same hardware a lot.
C
Sorry, do you mind if I chime in on that a little bit? Yeah, so at IBM Research, we have figured out a way to kind of reliably validate a boot log.
B
I have a question. I saw on your slide, I don't think you covered this, I apologize if you did, but I saw your slides at the PCR, there's like six or seven of them. Yes, here, so we got, yes, seven. I guess PCR eight through... reserved for OS use, and then within that range PCR 10, Linux IMA, which is obviously an operating system feature. I'm wondering, you know, is 8 through 15...
A
So I know BitLocker uses them, but I haven't really messed around with Windows in a while, other than some... Microsoft has some really good docs on TPMs, so they talk about BitLocker a lot in there and the PCR registers they use.
A
This was great, thank you, and if anyone's got any questions, there's my information. Just hit me a DM or talk to me in the hallway. Thank you.