 Hello everyone and welcome to this Lightning Talk on the KeyLime project. The title of the talk is What's New in KeyLime and we expect to share some highlights on the recent changes that have happened with the project. Let's start with a brief introduction of KeyLime for some context. So what's KeyLime? KeyLime is an open-source project that has a primary goal of providing a scalable remote boot attestation and runtime-interview measurement solution. Remote attestation is a mechanism to ensure that a remote system is running in a good state. Besides performing remote attestation, KeyLime also provides a revocation framework to handle trust failures. When a node fails at a stable, KeyLime can then perform some specific actions, such as removing the failed system from the pool of available machines, for instance. And how can KeyLime do these things? It's anchored on a hardware root of trust, relying on a TPM device and the Linux IMA subsystem. A TPM, from TrueCert Platform Module, is basically a specialized cryptographic chip that can perform operations such as generating keys and taking store security measurements. In this context, a measure is a cryptographic hash of a particular object. TPM devices also have some features to make them tamper-resistant. IMA, from Intel Demajorment Architecture, is a Linux subsystem that can monitor files as they are accessed by system calls. KeyLime is then built on top of these foundations. Now that you know a little bit about KeyLime, let's look at a general overview of it. In this image, we see the main components that make KeyLime. The KeyLime agent, the KeyLime verifier, and the KeyLime register. As of now, most of KeyLime is written in the Python language. As we see in the figure, the agent runs on the node that's been monitored, and it interacts with the TPM device. The agent also communicates with the older KeyLime components across the network, and the process of attestation is performed continuously. Now that we have a better idea of what KeyLime is and what it does, let's see what's new in KeyLimeLand. One of the most important things that have been happening for a while already is the effort to port the KeyLime agent to Rust, which is a security-conscious language with great performance. The current agent, like most of KeyLime itself, is written in Python. One of the main advantages of this change will be that the deployment of the agent will become much easier, and there are fewer runtime dependencies compared to the Python agent. An interesting scenario that comes to mind would be deploying the Rust agent in more restricted environments, such as containers. As of now, the Rust port is almost featured complete in comparison to the Python agent, and should be available sometime soon. API versioning is another recent change, and this is a very interesting feature, as it improves our guarantees with regard to backward compatibility. Another exciting change is that KeyLime now supports incremental IMA attestation. Now it's not needed to send a full IMA measurement list every time the attestation is being performed, but only a subset of it, and that is the part that has changed from the previous attestation. In practice, we reduce the requirements on network bandwidth for the attestation, which in turn improves scalability further. Continuing with the changes, KeyLime now supports IMA signatures, and that means that in addition to hashes, file can be protected with signatures as well. The project also publishes official container images, which make it very easy to try it out. Simply spin up a container and you can get started. Another interesting effort that has been up recently is on the front of three main dependencies, which means inspect the code to see if it can remove any redundant dependencies. One example that we can mention here is the removal of M2Crypto library, that had its user replaced by the Python cryptography module. And finally, it's worth mentioning that effort will improve our automated testing, the testing that happens right when some code changes submitted to the project. We already had some unit tests in place, but we have started integrating functional testing as well, so that it can run simple but complete attestation scenarios. This has been paying off already, as it has helped identify a few issues that were subsequently fixed. The fact that functional test suite runs continuously also helps in minimizing the risks of introducing regressions with the new changes. All right, these were the main changes that we wanted to highlight, and to conclude, we'd like to provide some resources for people interested in KeyLime. Here we see some links for some useful resources, including additional presentations on the project for the ones interested in to learn more about it. Feel free to check it out, and feel also invited to get involved with KeyLime. We hope that you have enjoyed learning a little bit about KeyLime, and if you have any questions, feel free to get in touch with us. Thank you very much.