Feature Request: need support for spire agent CSR verification #5713

Open
jzeng4 opened this issue Dec 13, 2024 · 0 comments
Labels
triage/in-progress Issue triage is in progress
jzeng4 commented Dec 13, 2024

Hi, we use SPIRE+TPM for host identity. SPIRE follows the zero trust networking security model, which assumes that network communication is inherently untrustworthy or potentially fully compromised. However, it also assumes that the hardware running SPIRE components can be trusted. In our threat model, we don't fully trust the host (e.g. running the SPIRE agent) and are trying to leverage hardware elements (HSM, TPM etc.) to protect keys.

One of the problems is to implement one feature called SPIRE agent key binding. In particular,

  1. The SPIRE agent key is stored in the TPM (we call it the TPM agent key).
  2. The SPIRE server issues the agent certificate only if the CSR is signed by the TPM agent key in the same TPM as the TPM EK and AK.

For 1, we think SPIRE has very good support. For 2, we tried to verify whether the CSR is signed by the TPM agent key in the SPIRE server during node attestation (we set reattestable to true). Specifically, we attach "evidence" in the node attestation payload, which is combined with the CSRs for the verification. However,

  1. This verification part is not customizable (like plugins).
  2. Another way is to let the node attestation plugin verify the CSR. However, the plugin can only access the payload, which does not include the CSR.

We mixed two agent plugins together (key manager and node attestation) to solve the key binding problem. We would like to know if it is the right way to leverage SPIRE node attestation to solve the key binding problem. If not, any suggestions? Thank you!

@MarcosDY MarcosDY added the triage/in-progress Issue triage is in progress label Dec 17, 2024
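The server-side key-binding check that the issue asks for, written out as an added Go example. This is not SPIRE code and not code from the issue author; it shows the shape of the check a server would run when it has both the CSR and TPM2_Certify-style evidence in hand. Assumptions, all labelled in the code: software ECDSA P-256 keys stand in for the TPM-resident AK and agent key (no real TPM is used); `tpmName` hashes the key's PKIX DER instead of the real TPMT_PUBLIC marshalling; `certifyEvidence`/`attestBytes` are a simplified TPMS_ATTEST, not the TPM wire format; the AK public key is assumed to have been established by an earlier, successful EK/AK node attestation; all function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// tpmName approximates a TPM 2.0 object Name: nameAlg (TPM_ALG_SHA256 = 0x000B) then the
// public-area digest. Assumption: PKIX DER stands in for the real TPMT_PUBLIC marshalling.
func tpmName(pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid *ecdsa.PublicKey
	h := sha256.Sum256(der)
	name := make([]byte, 2, 2+len(h))
	binary.BigEndian.PutUint16(name, 0x000B)
	return append(name, h[:]...)
}

// certifyEvidence stands in for TPM2_Certify output: a simplified TPMS_ATTEST over the
// agent key's Name plus caller-supplied qualifying data (here SHA-256 of the CSR), AK-signed.
type certifyEvidence struct {
	Name      []byte // Name of the certified (TPM-resident agent) key
	ExtraData []byte // qualifying data: binds the evidence to one CSR
	Sig       []byte // ASN.1 ECDSA signature by the AK over attestBytes()
}

// attestBytes is the length-prefixed encoding the AK signs.
func (e *certifyEvidence) attestBytes() []byte {
	var b bytes.Buffer
	b.WriteString("TPMS_ATTEST/CERTIFY")
	for _, f := range [][]byte{e.Name, e.ExtraData} {
		_ = binary.Write(&b, binary.BigEndian, uint16(len(f)))
		b.Write(f)
	}
	return b.Bytes()
}

// tpmCertify simulates the TPM side: the AK certifies that agentKey is resident in the
// same TPM and signs that statement together with the qualifying data.
func tpmCertify(ak, agentKey *ecdsa.PrivateKey, qualifying []byte) (*certifyEvidence, error) {
	ev := &certifyEvidence{Name: tpmName(&agentKey.PublicKey), ExtraData: qualifying}
	digest := sha256.Sum256(ev.attestBytes())
	var err error
	ev.Sig, err = ecdsa.SignASN1(rand.Reader, ak, digest[:])
	return ev, err
}

// verifyBoundCSR is the server-side key-binding check: CSR self-signed by its own key, that
// key's Name equal to the AK-certified Name, evidence bound to this exact CSR, AK signature
// valid. akPub is assumed to come from an earlier successful TPM node attestation (EK/AK).
func verifyBoundCSR(csrDER []byte, ev *certifyEvidence, akPub *ecdsa.PublicKey) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR not signed by its own key: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || !bytes.Equal(tpmName(pub), ev.Name) {
		return errors.New("CSR key is not the key certified by the AK")
	}
	csrHash := sha256.Sum256(csrDER)
	if !bytes.Equal(csrHash[:], ev.ExtraData) {
		return errors.New("evidence is not bound to this CSR (replay?)")
	}
	digest := sha256.Sum256(ev.attestBytes())
	if !ecdsa.VerifyASN1(akPub, digest[:], ev.Sig) {
		return errors.New("evidence not signed by the attested AK")
	}
	return nil
}

// demo uses constructed software keys (no real TPM): an AK, a "TPM-resident" agent key and a
// software key outside the TPM. Returns the result for the bound CSR and for a rogue CSR.
func demo() (boundErr, rogueErr error) {
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	agentKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	softKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{}
	csr, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, agentKey)
	h := sha256.Sum256(csr)
	ev, _ := tpmCertify(ak, agentKey, h[:]) // agent asks its TPM to certify, qualifying = H(CSR)
	boundErr = verifyBoundCSR(csr, ev, &ak.PublicKey)
	rogue, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, softKey) // key not in the TPM
	rogueErr = verifyBoundCSR(rogue, ev, &ak.PublicKey)                     // genuine evidence reused
	return boundErr, rogueErr
}

func main() {
	bound, rogue := demo()
	fmt.Println("TPM-bound CSR:", bound, "| rogue CSR:", rogue)
}
```

Two points the example makes that the issue text only implies: the evidence has to be bound to the specific CSR (here by putting H(CSR) in the qualifying data), otherwise a valid certify statement for the TPM key can be replayed next to a CSR from any other key; and the check needs the CSR and the evidence at the same decision point, which is exactly the gap the issue describes when the node attestation plugin sees only the payload and not the CSR.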