►
From YouTube: CNCF SIG Security 2020-10-14
Description
CNCF SIG Security 2020-10-14
C
B
B
B
B
B
E
Yes,
so
great
news,
everybody
this
schedule
is
live,
it's
posted
cncf,
tweeted
about
it.
I
really
cheated
about
it.
I'm
going
to
drop
it
in
the
meeting
notes.
So
if
you're
curious
as
to
what
is
on
schedule
I'll
make
sure
that
you
have
that
available
to
you,
but
don't
forget
to
sign
up
for
cloud
native
security
day.
It's
not
too
late.
B
F
G
F
Yeah
yeah
same
here
really,
so
they
have
a
semantics
for
it,
which
one
would
think
you
could
adapt
the
semantics
for
security,
audit
and
logging
streams,
but
it's
not
really
designed
for
that.
So
I'm
curious.
You
know
what,
where
that
ends
up
now,
my
colleague
who's
working
on
this
is
part
of
the
devops
security
work
in
ieee.
So
that's
kind
of
his
bent.
Maybe
I'll
ask
him
to
come
here
and
give
a
talk
at
some
point.
B
I
think
that
is
all
for
updates
today,
so
we
can
jump
right
into
the
presentation,
so
I'll
leave
casio.
If
else
is
going
to
be
talking
about
key
lime,
which
is
a
new
cncs
sandbox
project,
congratulations:
silk
and
it's
going
to
be
about
attestation
and
dpms
things
like
that,
but
I'm
gonna
give
it
good
to
plot.
You
know
sure.
How
long
do
I.
D
B
D
C
D
Branded
deck
available,
so
I'm
getting
the
chance
to
use
it
at
last,
which
is
good.
So,
yes,
a
key
line,
so
I'm
luke
hines,
I'm
from
red
hat
and
work
in
the
office
of
technology
and
worked
around
security
for
a
good
number
of
years
now,
and
it
says
charles
charles
isn't
actually
here.
Charles
is
another
guy
that
I
work
on
keyline
with
from
mit
and
he's
going
to
be
part
of
the
original
pitch
as
well,
which
is
why
he's?
Which
is
why
excuse
me,
his
name
is
on
there.
D
I've
been
hunting
for
some
sort
of
open
source,
remote
attestation
solution.
I
was
either
going
to
code
my
own
or
see
if
there
was
something
around
that
I
could
contribute
to,
and
I
found
the
bill
and
charlie's
prototype
and
I
really
liked
the
the
core
design
that
they
had
how
it
was.
It
was
simple,
but
it
was
a
very
scalable
architecture
and
I
could
see
they'd
solved
a
lot
of
the
problems
that
are
in
an
inherent
part
of
tpms,
around
performance
and
so
forth.
D
I
just
like
the
sort
of
the
use
cases
that
they've
built
on
top
of
this,
so
rather
than
it
just
being
remote
attestation.
They
had
these
other
nice
components
which
which
made
it
a
really
good
all-around
solution.
So
that's
where
I
got
involved
and
I
I
got
in
contact
with
those
guys
and
I
said,
look
are
you
interested
in?
We
build
a
community
around
this
and
start
to
to
get
other
people
working
on
the
project,
and
we
did
so.
D
D
Okay,
now
I
imagine
a
lot
of
you
are
familiar
with
a
tpm.
If
not
a
very,
very
quick
overview
is
a
tpm
is
a
a
chip.
Typically
that
resides
on
a
motherboard
of
a
server
or
device
okay
and
it's
inaccessible
to
software,
and
it
has
a
very
simple
crypto
engine
so
consider
it
almost
like
a
stripped-down
version
of
openssl.
D
So
it's
not
a
crypto
accelerator,
but
it
can
perform
very
simple
crypto
functions
such
as
signing
artifacts
and
generating
keys.
Okay
and
there's
this
principle
of
measurement
with
a
tpm
which
is
where
an
artifact
an
object,
whether
that
be
a
script
or
a
binary
or
or
or
any
sort
of
a
system
element
is
measured.
So
a
hash,
a
digest
is
generated
and
that
hash
is
then
signed
by
the
tpm
with
a
private
key
pair,
that's
locked
away
within
the
tpm.
It's
called
an
entity
key,
and
this
then
allows
you
to
using
the
public
counterpart.
D
You
can
then
verify
that
it
was
the
actual
tpm
that
signed
some
measurements.
So
you
can
remotely
retrieve
these
measurements
from
the
system
that
you're
monitoring
and
then
you
can
attest
them
effectively.
Using
this.
What's
called
a
hardware,
router
trust
and
tpms
have
been
around
for
quite
a
while.
It's
it's!
It's
not
too
far
out
there
to
say
they're,
almost
ubiquitous
they're
on
a
lot
of
servers
come
with
them
already
they're
they're,
not
that
they're
very
simple
to
retrofit,
usually
quite
cheap.
You
can
put
them
on
a
raspberry
pi.
D
D
D
There
is
a
project
called
uefi
shim
and
the
shim
sits
above
uefi
and
below
the
bootloader,
and
that
can
measure
these
components.
So
some
of
the
stuff
that's
measured
is
secure
boot
as
well,
so
secure
boot.
They
have
like
a
mock
list
and
certificates
and
so
forth.
So
all
of
these
things
are
measured
and
then
they're,
what's
called
extended
into
the
tpm.
So
it's
to
an
extend
is
a
like
a
one-way
hash
function.
Okay,
so
you
can
kind
of.
D
Once
the
system
is
running,
there's
a
linux
security,
sub-system
called
ime,
which
is
integrity,
measurement
architecture,
and
it's
been
in
the
kernel
for
quite
some
time.
I
think
it's
since
version
2.7
and
it
sits
alongside
sc,
linux,
okay
and
what
ima
does
is
when
a
system
call
comes
in
so
let's
say,
for
example,
somebody
runs
a
script
as
root.
Ima
will
measure
that
script
and
then
it
will
extend
it
into
the
tpm,
so
I'll
record
it
into
the
tpm
and
then
that
again,
that
list
can
be
remotely
retrieved
and
tested.
D
So
you
can
measure
the
script
that
was
run
on
the
machine
that
you're
monitoring
has
the
expected
digest.
Obviously,
if
the
digest
has
changed,
it
suggests,
there's
been
some
sort
of
compromise
and
so
ima
sort
of
is
like
a
kind
of
a
run
time
measurement
system,
okay
and
then
boot
is
obviously
one
time
for
the
boot
okay.
So
that's
remote
attestation.
D
D
The
target
machine
can
then
reconstruct
the
key,
which
then
allows
them
to
get
the
the
the
encrypted
payload,
and
the
other
thing
that
we
do
is
when,
when
a
machine
passes
its
trust,
I
don't
really
like
the
word
trust
when
it's
when
it's
cryptographically
of
the
state
that
we
expect
okay
with
its
measurements,
then
we
have
something
called
an
application
bootstrap.
So
this
is
a
script
that
runs.
It
automatically
runs
once
all
of
the
the
measurements
are
verified
and
people
use
this
app
to
do
all
sorts
of
things.
D
Some
folks
have
been
using
it
to
pull
up
a
kubernetes
cluster
or
it
could,
for
example,
it
could
wrap
around
some
sort
of
deployment
framework
such
as
ansible
or
a
puppet
or
shift.
So
what
you
would
then
have
is
you
would
have
your
secrets,
your
deployment,
your
the
the
secrets
that
you
require
for
deploying
an
application
would
that
be
tls
certificates
or,
for
example,
some
ssh
keys
or
an
ini
file
that
contains
some
passwords.
D
That
would
be
your
encrypted
payload
and
the
application
bootstrap
would
occur,
which
would
start
the
installation
and
then
the
secrets
would
be
there
okay.
But
if
a
machine
failed
to
pass
its
its
attestation,
then
it
won't
get
its
hands
on
that
payload
effectively
and
then
last
of
all,
we've
got
the
revocation
framework,
and
this
occurs
when
a
node
fails
attestation,
okay
and
what
we
do
is
we
send
out
a
signed
revocation
event
to
all
of
the
nodes
that
share
a
trust
boundary
with
that
machine,
effectively
telling
them
to
ring
fence
that
machine.
D
D
D
So
to
say-
and
all
of
these
are
built
around
this-
this
root
of
trust,
which
is
in
the
tpm
and
the
vtpm,
so
those
are
kind
of
the
the
central
trust
framework
to
these
to
these
three
pieces,
so
a
little
bit
about
the
architecture
so
to
the
left.
Consider
that
the
the
wild
west?
Okay,
that's
a
machine,
that's
in
a
it's
sort
of
outside
of
our
trust
boundary.
D
So
this
could
be
in
a
another
cloud
providers
network
or
it
could
be
an
edge
device
or
an
iot
device
in
the
roof
of
a
office
building
somewhere
that's
susceptible
to
physical
tampering.
This
is
effectively
the
machine
that
you
want
to
measure
and
on
that
machine
we
run
something
called
a
keyline
agent.
Okay
and
it's
pretty
simple:
it
just
talks
to
the
tpm
and
it
has
a
rest
interface,
okay,
and
this
can
run
on
a
container
a
virtual
machine
or
a
bare
metal
machine.
D
Okay,
so
the
agent
communicates
with
the
tpm
as
this
says
and
then
over
to
the
far
right.
This
is
more
sort
of
your
on-premise
okay,
so
you
have
the
key
line
verifier,
and
this
does
the
verification
of
the
measurements
that
are
retrieved,
and
then
we
have
the
register,
which
is
kind
of
like
a
database,
there's
no
cryptographic
properties
that
are
stored
in
there.
D
That's
where
we
have
the
agent
uuid
and
we
have
a
public
key
store
for
the
intermediate
certificates
that
are
provided
by
the
tpm
manufacturers
that
help
us
assess
that
it's
a
real
tpm
that
we're
talking
to
and
you'll
notice
in
the
middle.
It
says
untrusted
network.
So
this
connection,
we
don't
have
to
worry
about
a
man
in
the
middle
here,
because
all
of
the
communication
coming
back
from
the
agent
is
signed
with
a
key
pair,
that's
locked
away
in
that
chip
and
the
digests
use
this
one-way
hash
function.
D
So
for
somebody
to
be
able
to,
for
example,
if
somebody
changed
user
bin,
I
don't
know
ip
tables,
for
example,
they
trojanized
it.
So
they
changed
one
hash.
They
would
have
to
cryptographically
pick
back
through
the
the
hash,
extend
to
then
change
a
single
hash
and
then
reconstruct
that
chain
of
hashes
again,
which
is
impossible
to
do
it's
computationally
impossible
to
do
so.
We
don't
really
worry
about
this
particular
connection
and
it
be
there
being
a
man
in
the
middle
attack.
D
So
it
is
acceptable
to
run
this
over
http
because,
like
I
say
the
we
have
this
hardware
root
of
trust,
so
yeah,
that's
the
architecture,
the
the
blue
lines
that
you
see
here,
that's
using
the
trust,
the
tpm
tss
stack
and
then
the
connection
between
the
agent
and
the
verifier
and
the
register.
That's
all
on
a
rest
api.
D
So
we
protect
that
with
mtls
mutual
tls,
and
we
are
also
just
working
on
getting
json
web
tokens
that
are
involved
as
well,
so
you'll
be
able
to
use
one
or
the
other
or
both
if
you
want
to
go
belton
braces
so
to
say
so
the
remote
test
station
use
case.
This
is
kind
of
kind
of
a
simple
overview,
but
a
user
or
a
tenant
would
say.
Could
you
a
test,
a
machine
for
my
workload?
D
The
verifier
will
then
measure
the
agent
and
there'll
be
two
outcomes,
so
the
first
would
be
it
passes,
which
is
we
run
the
auto
run,
and
then
we
release
the
encrypted
payload
or
two
is
revocation
okay.
So
we
look
at
those
two
particular
outcomes
from
a
remote
attestation,
so
the
encrypted
payload
is
the
machine
passes
its
attestation.
D
The
payload
is
sent
okay,
and
this
is,
as
I
said,
it's
based
on
this
free
park.
Key
deviation
protocol
and
the
execution
of
the
auto
run
happens
once
the
system
attests
without
failure,
so
you
can
see
an
example
payload
there.
So,
for
example,
you
could
have
some
passwords,
you
could
have
a
script
which
does
something
with
those
particular
secret
artifacts
that
you
have
and
then
you'll
also
see.
D
There's
a
couple
of
scripts
in
here
called
local
actions,
cube
ctl
for
local
actions,
ip
tables,
so
those
are
what
that
machine
should
run
when
another
machine
fails
in
its
trust
boundary.
So
the
idea
is
that
you
would
then
sort
of
ring
fence
a
machine.
That's
been
compromised,
so
that's
part
of
the
revocation,
the
revocation
framework
which
I'll
go
into
next.
D
So
we
have
ima,
which
I
described
earlier,
so
this
is
the
integrity
measurement
architecture.
It's
a
linux
subsystem,
so
every
cisco
is
measured
and
extended
into
the
tpm.
The
remote
state
is
compared
with
the
expected
state.
So
on
the
verify
you
would
have
a
list
of
like
a
posix
path
to
a
file,
for
example,
and
then
a
cryptographic
digest
so
two
five,
six,
a
sha256,
checksum,
okay
and
you
would
then
query
the
remote
system
to
find
out
what
its
file
state
is.
D
Every
time
a
system
call
is
made
into
the
into
the
kernel.
Ima
will
intercept
that
and
it
will
record
it
into
the
tpm
and
we
continuously
poll
over
the
rest
api.
It's
a
very
lightweight
pole.
We
can
do
that.
You
know
to
2
0.12
of
a
second
if
we
had
to,
and
so
we
would
know
within
a
a
very
small
window.
D
We
would
know
somebody
compromised
the
machine
because
we
continuously
pull
the
the
state
of
that
machine
and
once
that
happens
so,
for
example,
if
somebody
swapped
out
a
binary,
trojanizer
binary,
also
with
ima,
you
can
let
you
can
measure
things
such
as
selinux
labels
and
kernel
modules
and
various
things.
So
if
a
machine
failed,
which
is
what
we're
going
to
look
at
now,
this
is
revocation.
So
we've
got
the
the
keyline
verifier.
D
What
happens
then?
The
key
lime
verifier
can
make
a
call
to
revoke
that
node
certificate.
So,
for
example,
if
this
node
had
some
tls
certificates
that
were
part
of
its
connectivity,
its
trust
is
trust
connectivity.
We
could
revoke
that
certificate,
so
a
crl
could
be
populated
and
then
the
other
thing
that
we
do,
which
is
which
is
a
lot
more
interesting,
is
we
send
a
revocation
event.
So
a
revocation
event
is
just
some
json
that
contains
some
metadata,
okay
and
that's
signed
by
the
verifier,
so
that
that
can
then
be.
D
You
can
be
make
sure
that
that's
not
sort
of
a
spoofed
actor
pretending
to
be
a
verifier
okay,
so
this
signed
metadata
goes
out
to
all
of
the
machines
that
share
some
sort
of
trust
relation
with
the
machine.
That's
been
compromised.
Okay
and
this
revocation
event
will
tell
them
to
run
local
actions,
so
they
will
perform
actions
which
typically
somehow
ring
fence
this
compromise
machine.
So
it's
a
pretty
similar
principle
to
some
of
you
that
work
with
load
balancing
with
no
astonish
do.
D
D
We
need
to
protect
what
is
good.
Still.
Okay,
there's
no
point
trying
to
rescue
this,
let's,
let's
just
completely
knock
it
out
so
to
say
so
an
example
here
would
be
say:
the
revocation
is
sent
out
to
execute
local
actions,
and
so
some
examples
could
be,
like
I
said
earlier,
is
to
remove
an
entry
from
authorized
keys
or
cordon
and
join
a
node
shut
down.
A
vpn
tunnel
amend
an
ip
tables
rule
anything
that
you
can
programmatically
do
on
a
machine
around
some
sort
of
sysadmin
task.
D
Then
the
the
agent
will
run
that
so,
for
example,
you
could
make
an
api
call
to
a
system
which
sends
out
an
sms
message
to
a
sys
admin
to
get
them
out
of
bed
to
look
at
something.
So
it's
it's
anything
you
dream
up
really
you
can
you
can
delegate
to
keyline
to
run
that
once
a
machine
fails?
It's
it's
a
it's
trust
state,
so
to
say
so.
D
That's
the
revocation
framework,
and
so
one
thing
at
the
moment
the
the
project
is
developed
in
python,
so
we
use
python
because
we
allowed
us
to
quickly
develop
and
prototype
and
try
different
things
out,
but
what
we're
doing
for
the
rust
agent.
So
this
is
the
one
that
runs
on
the
target
machine.
We're
porting
this
to
rust
at
present.
D
Okay,
that
works
taking
place
right
now
and
we
went
for
us
because
there's
a
few
things
it's
statically
linked,
so
we
don't
have
to
have
a
big
list
of
dependencies
that
need
to
be
pulled
in.
So
if
it's
a
machine,
that's
offline
or
it's
perhaps
like
an
immutable
sort
of
os
tree
type
operating
system
where
it's
a
read-only
operating
system,
we
don't
require
this
need
to
sort
of
pull
in
a
load
of
dependencies
and
then
of
course,
it's
memory
safe
and
it's
and
it's
very
performant.
D
It's
a
systems
level
language
so
to
say
so
that
works
underway
at
the
moment
and
when
that's
complete,
that
will
become
the
default
recommended
agent,
okay
and
then
in
time,
we're
open
to
considering
porting
from
the
the
other
nodes
from
python
that
that's
been
discussed.
As
well,
so
we
thought
about
you
know.
If,
if
the
demand
is
there,
then
we
could
either
go
to
golang
or
rust,
or
something
like
that,
because
python's
just
been
very,
very
good
for
allowing
us
to
quickly
iterate
and
develop
features
and
get
everything
in
place.
D
So
some
of
the
future
work
that
we're
doing
is
we're
working
with
the
colonel
folks
to
to
make
an
ima
name
space
so,
for
example,
this
integrity
measurement
architecture
that
I
described
earlier.
That
works
perfectly
well
on
a
sort
of
a
single
bare
metal
machine.
Okay,
you
can
get
this
to
run
in
a
virtual
machine,
but
it's
not
containerized.
D
D
So
that's
a
piece
of
work,
that's
underway
upstream,
so
to
say
we're
also
looking
at
there's
a
vtpm
which
will
run
in
a
container
okay
and
we're
doing
some
work
to
include
this
as
part
of
a
container
runtime
and
open
to
working
with
other
container
runtimes
as
well.
This
is
the
the
software
tpm
vtpm
code
and
then
we're
looking
to
do
some
stuff
to
extend
vtpm
support
as
well.
So
one
of
the
so
one
of
the
things
with
the
vtpm
is
the.
D
When
you
have
a
hardware
tpm
your
secrets,
your
the
cryptographic
keys
are
obviously
they're
on
a
hardware
chip.
Okay,
so,
like
I
say
there,
it's
only
a
specific
bus
that
the
cpu
can
use.
I
think
it's
the
lpc
bus
to
communicate
with
the
tpm
okay.
Now,
when
you
have
a
software
tpm,
it
looks
and
smells
exactly
the
same
as
a
tpm
functionally
around
its
functionality
that
it
provides.
But
you
don't
have
that
hardware
router
trust
the
keys
are
effectively
in
memory
or
on
a
disk.
D
The
the
quote
so
tpm
quotes
are
where
we
request
the
measurement
list,
we're
looking
at
how
we
can
marry
that
up
to
a
single
hardware,
tpm,
where
we
would
aggregate
the
quotes
into
a
merkle
tree
and
then
there'll
be
a
single
one-time
pole
to
the
hardware
tpm
to
vouch
for
the
software
tpm
and
then
that
that
extends
the
hardware
router
trust
up
to
the
software
tpm.
So
we've
got
some
very
basic
code
prototype
that
we've
worked
on
here.
D
The
other
thing
as
well
is
we're
monitoring
what's
happening
with
encrypted
containers,
because
if
a
container
is
encrypted
and
it's
protected
from
the
host,
then
you
can
run
the
vtpm
in
there
and
not
be
concerned
that
there's
an
attack
vector
where
the
underlying
host
can
can
access
the
container
and
the
vtpm.
So
that
will
solve
that
problem.
As
well
so
we've
got
a
few
avenues
to
to
to
solve
this
principle
of
a
vtpm
being
susceptible
to
attacks
from
the
host,
so
community,
wise,
we're,
we're
very
diverse,
there's,
obviously,
red
hat
mit
ibm
are
contributing.
D
D
We
do
all
the
things
that
we
think
a
good
open
source
project
should
do
so
all
poor
requests
undergo
unit
tests
and
integration
tests
and
we
assess
the
code
quality.
You
know
we
we
are
every
pull
request.
That's
made
is
reviewed
by
a
member
of
the
core
team
and
so
forth,
and
we're
also
very
we
try
to
be
very
welcome.
Welcome
into
new
contributors,
so
we've
got
a
lot
of
stuff
first
timers
support.
D
So
typically,
when
somebody
make
a
first
pull
request,
somebody
will
go
forward
and
you
know
with
a
helpful
spirit,
around
helping
them
sort
out
any
ci
failures
that
there
are
and
and
just
understanding
things
around.
How
to
format
a
good
commit
message
and
and
just
be
a
welcoming,
a
friendly
friendly,
I
was
gonna-
say
a
friendly
face,
a
friendly
bit
of
text
for
them
to
to
to
start
to
get
involved
in
the
community.
D
B
D
D
I
D
D
Format's
very
simple
is
two
columns:
it's
a
posix
path
to
the
file
and
then
the
hash
of
the
file.
Okay
and
that's
stored
in
the
verify,
which
is
on
premise,
okay
and
on
the
node
that
you're
monitoring
it
has
ima,
which
is
part
of
the
kernel.
Okay
and
then
what
happens
is
whenever
somebody
executes,
so
they
run,
for
example,
ipconfig
or
netstat,
or
they
run
a
script.
Okay.
What
will
happen
is
ima.
Will
capture
the
digest
of
that
object?
That's
been
executed.
Okay,
so
let's
say
it's
a
script.
D
D
Build
that
into
what's
called
a
one-way
hash.
Okay,
so,
as
entries
come
in,
it's
kind
of
like
a
kind
of
like
a
binary
tree,
a
merkle
tree
that
can
cut
it
concatenated
together
and
then
a
hash
is
made
of
those
two
and
then
you
effectively
have
a
root
hash,
so
you
can
sort
of
by
looking
at
the
root
hash.
You
can
make
sure
it's
not
being
tampered
with
and
yeah.
I'm
sorry,
I'm
going
off
for
a
little
bit
of
a
tangent
there,
so
it
measures
the
script.
D
D
It
will
perform
a
hardware,
router
trust
validation,
so
it
will
make
sure
that
it's
an
actual
real
tpm
that
signed
that
list.
Okay,
based
on
a
hardware,
router
trust
that
we
set
up
at
the
beginning.
When
we
we
first
set
the
system
up
okay,
and
it
will
then
compare
that
digest
that
sign
digest
with
the
golden
list
that
it
has
locally.
D
Now,
if
somebody's
tampered
with
that
shell
script,
then
you
would
immediately
know
about
it.
So
that
way
you
can
remotely
monitor
the
machine,
okay
and
then
you
could
then
perform
some
sort
of
if
you
wanted
to
some
sort
of
revocation
action,
so
that
machine
has
been
compromised.
You
believe,
because
somebody's
tampered
with
something
and
you
then
perform
an
action
to
to
ring
fence
it.
Now
there
are
stuff
there's
lots
of
noisy
stuff
on
a
system
like,
for
example,
var
log,
okay,
which
you
would
probably
be
quite
difficult
to
track.
D
So
we
do
support
regular
expressions
where
you
can
have
like
an
ignore
list,
so
you
can
say:
there's
part
of
the
systems
that
you
want
that
you
wish
to
ignore,
because
it's
not
really
of
interest
and
it's
very
busy
and
it's
very
mutable.
It's
constantly
changing
and
so
forth.
Does
that
make
sense
now.
I
Quick
follow-up
on
that
look.
I
think
I
think
what
throwing
me
off
is
the
granularity,
because
here
you
mentioned
cisco,
but
what
you
mentioned
was
actually
a
binary
opposing
posix
path
to
some
ip
tables
or
ifconfig.
So
and
when
you
say
you're
measuring
every
syscall,
so
these
binaries
could
execute
multiple
syscalls.
So
that's
where
I
was
getting
thrown
off.
I
I
think
I.
D
C
D
C
D
C
A
A
D
Yes,
yes,
so
with
the
vtpm,
how
we're
addressing
that
is,
is
one
there's
a
possibility
of
an
encrypted
container
okay.
So
the
real
person
that
you're
concerned
about
here
is
a
net
fairies
host,
okay
and
so
so
an
encrypted
container
would
I
use,
quotes
protect
that
attack
okay,
but
we're
also
looking
to
marry
up
the
cryptographic
relation
of
the
vtpm
to
the
hardware.
Tpm.
D
So
that
way,
we're
not
hammering
a
hardware
tpm
with
a
one-to-one
relationship
between
a
software
tpm
and
a
hardware
tpm,
and
there
is
also
some
other
stuff
happening
around
people
are
looking
at
using
utilizing,
fpga
type
dpms
which
could
be
plugged
into
a
system
and
could
then
I
don't
know
too
much
about
this,
but
they
can
then
sort
of
attest.
Thousands
of
virtual
tpm
so
to
say
so,
there's
quite
a
bit
going
on
in
this
space
to
to
to
address
this
problem.
It's
just
which
horse
will
the
win.
D
D
D
D
F
This
is
a
question
not
in
the
chat
but
sure
this
is
new
to
me,
so
this
is
probably
unrelated,
so
feel
free
to
tell
me
that,
but
is
there
any
application
of
this
technology
beyond
route
of
trust?
To
assurance?
One
of
the
challenges
with
security
tools
is
the
machine
to
machine.
Communications
is
difficult
to
do.
Reliability,
engineering
with.
F
C
D
D
D
C
I
Everybody
I
mean
so
we've
had
some
very,
very
interesting.
You
know
you
know
you
know
project
like
a
key
cloak
key
lime,
spiffy
spire.
They
have
a
lot
of
number
of
use
cases.
Potentially
there
could
be
some
overlapping.
I
think
it
would
be
interesting
to
explore
or
even
explicitly
articulate
how
these
tools
can
potentially
work
together,
identify
these
kinds
of
use
cases
and
really
for
the
broader
community,
help
them
understand
how
a
lot
of
the
this
this
ecosystem
of
these
kinds
of
specific
tools.
I
think
there
are
three
or
four.
I
B
So
so
my
team
has
been
working
with
luke
as
well
as
key
club
with
both
team
as
well
as
working
with
the
sleepy
inspired
community
as
well.
I
think
really
we'll
be
trying
to
tie
everything
into
the
identity,
using
key
lime
as
the
basis
of
trustworthy
identity
and
then
to
take
this
identity
and
be
able
to
make
you
know,
policy
and
authorization
decisions
in
an
open
source
im
type
solution.
A
You
can
you
can
think
about
key
lime
as
basically
certified
station
infrastructure
that
you
can
use
to
make
sure
that
your
software
and
hardware
is
not
being
compromised
and
build
something
on
top
of
it.
To
issue
like,
let's
say
short
belief,
ttl
key
sensor,
tvk
that
you
can
use
for,
like,
let's
say,
spire
a
type
of
fighter
station
for
this
node.
You
can
use
a
cytostation
infrastructure.
D
D
It's
a
very
good
question.
I
don't
mean
to
make
sort
of
light
of
it
with
humor,
so
at
present
there
there
hasn't
been
any
successful,
even
theoretical
attacks
around
getting
the
entity
key
from
the
tpm
and
people
are
doing,
trying
side,
channel
stuff,
putting
microphones
and
oscilloscopes
and
trying
to
sort
of
measure
keys.
That
way,
so
it's
not
being
proved
that
there's
any
sort
of
attack.
I
guess,
even
if,
if
a
key
was
compromised,
then
they
would
also
need
to
compromise
the
manufacturer
because
they
have
an
intermediate
sign-in
certificate
as
well
of
the
entity
key.
D
A
C
D
So
so,
interestingly,
on
that
note
it's
so
this,
this
is
a
a
project
that
I'm
working
on,
but
it's
obviously
not
a
cncf
project,
but
we
are
working
on
a
transparency
log
to
record
these
sorts
of
things
to
pick
up
a
key
compromise
specifically.
So
it's
a
it's,
not
a
cncf
project.
It's
it's!
It's
a
prototype
that
I've
been
working
on
with
somebody
from
google,
but
we
use
the
same
back
end
as
the
certificate
transparency
system,
yeah.
D
D
D
Okay,
we're
going
to
look
at
recording
those
into
a
transparency
log
to
prevent
some
sort
of
freeze
attack
and
to
provide
a
source
that
people
can
make
sure
that
the
list
that
they
have
is
what
everybody
else
is
seeing.
There's
some
sort
of
consensus
there
and
allow
auditors
to
query
the
log
as
well
and
to
check
the.
B
B
B
B
All
right
so,
and
I
think
next
week
we
are
going
to
have
a
conversation
with
santiago
for
intel
token
kind
of
get
some
updates.
What's
new
within
toto
and
total
is
applying
for
incubation,
so
we'll
be
talking
about
what
are
here,
the
things
that
have
changed
since
we've
done
the
security
assessment,
as
well
as
identify
points
of
recommendation
for
into
the
for
incubation.