The goal of the Keylime project is to connect the features of Trusted Platform Modules (TPMs) and cloud computing. Keylime is a scalable trusted cloud key management system, providing an end-to-end solution for both bootstrapping hardware-rooted cryptographic identities for Infrastructure-as-a-Service (IaaS) nodes and for system-integrity monitoring those nodes via periodic attestation. Keylime extends the attestation capabilities of the TPM into the cloud, allowing tenants to verify that their applications, operating systems, and everything down to the hardware have not been tampered with.
A TPM (Trusted Platform Module) is a chip, present in most modern computers, that can perform various cryptographic statements in a tamper-proof fashion. In particular, through UEFI secure boot, a TPM can be used to verify at boot time that anything from the firmware up through the kernel and applications has not been modified from what the distributor originally shipped.
Like many of the innovative projects Red Hat works with, Keylime is an evolving technology, divided into four major components: cloud verifier, registrar, client, and tenant.
The core component of Keylime is an out-of-band cloud verifier (CV). The CV maintains an allow-list of trusted code and checks all nodes’ respective integrities. Each cloud organization has at least one CV responsible for verifying the system state of the cloud nodes. The tenant can host the CV in the cloud or on premises at their own site. The CV relies upon the tenant registrar for validating that the Attestation Identity Key (AIK) used to sign TPM quotes is valid.
The registrar stores and certifies the public AIKs of the TPMs indexed by the node Universally Unique IDentifier (UUID) in the tenant’s infrastructure. It also can be hosted outside the cloud in the tenant’s own infrastructure or could be hosted on a physical system within the cloud. The registrar is only a trust root and does not store any tenant secrets.
The Keylime client is downloaded and measured by the node firmware and then passes quotes from the node’s TPM to the CV.
The Keylime tenant starts the attestation process and asks the CV to verify the node running the Keylime client.
The Keylime protocol uses secret sharing to rely upon the CV for integrity measurement. The protocol then extends beyond bootstrapping to enable continuous system integrity monitoring. The CV periodically polls each cloud node’s integrity state to determine if any runtime policies have been violated.
The Keylime attestation workflow, at a high level, would be:
- The node registers its public AIK key (based on its Endorsement Key (EK) certificate) with the registrar.
- The Keylime tenant cryptographically splits a secret provisioning key into two halves.
- Half of the key is given to the target node in order to show intent to provision this node (checking with the registrar to verify the node’s AIK is valid).
- The other half is given to the CV for delegating the integrity check of the node (checking with the registrar to verify AIK integrity).
- The node provides a TPM-rooted quote to the CV so it can check the integrity of the node and, if the integrity has been verified, the CV will provide its half of the provisioning key to the node.
- At this point, the node has both halves of the key and can combine them to obtain its provisioning key.
Considering Keylime’s potential importance for cloud tenants’ security, we wanted to explore importing Keylime into RPM-based operating systems including Fedora, CentOS, and Red Hat Enterprise Linux (RHEL). In this manner, the first step is packaging Keylime into an RPM. RHEL-based users will then not have to download, compile, and install different software needed by Python.
The next step is to make Keylime lighter and faster. The current version of Keylime has been implemented in Python. Pulling the Python interpreter into an area (initramfs) where it didn’t exist before could add extra liability and maintenance. Therefore, we decided to re-implement Keylime in the Rust language. Rust is a systems-programming language that combines strong compile-time correctness with faster performance. It provides memory safety and control over the lifecycle of memory. In this way, our trusted computing base for Keylime can be smaller and easier to manage. In addition, with Rust, we can offer stronger security.
As Keylime evolves, I believe that it will streamline the security of tenant-based nodes, something that is critical to the future of cloud computing.