Hey folks, hello, sorry, my mic was on the wrong one.

You have so many microphones.

Yeah, no, it's a problem. My list of one, two, three, four, five, six inputs and another six outputs. I should go disable some of these in the top.

Yeah, I hope it's not happening to you when you are sitting in the headphones, but your output goes to your external sound system and everyone is enjoying your meeting.

So we'll need one or two scribes today, so if you don't mind helping scribe, that'll be... and hey, look. Hey there, how are you doing? Great. All right. We'll just give it a couple of moments; we usually wait five minutes for people to join in. I'm going to paste the meeting minutes in the chat; if you can, please go to attendance and put your name in. Luke, are we expecting Charles as well today?

No, it's just myself.

Okay. Yeah. Okay, great. I think we can get started. So we're going to start with check-ins, and then today we have Luke here presenting to us about Keylime, which is a new CNCF sandbox project. So let me quickly go through this. Emily, do you want to give an update for CNCF security today?

Posted. CNCF tweeted about it, I retweeted about it. I'm going to drop it in the meeting notes, so if you're curious as to what is on the schedule, I'll make sure that you have that available to you. But don't forget to sign up for Cloud Native Security Day. It's not too late.

Awesome. Thanks, Emily. Cool, and Eli, thank you for helping to scribe. And also Mark, you had something on OpenTelemetry?

Yeah, one of my colleagues in the, I believe, DevOps communities is working on OpenTelemetry. I just wondered if anybody else here in this group is working on it, or aware of it, or trying to develop products that are compatible with that developing spec. Okay, I'll take that as a no. I'll try to track it and put some notes in here later.
Yeah, I explored it a little bit for a project that I was working on, but I'm also interested, but I can't say that I'm working on something related. I'm just interested.

Yeah, yeah, same here really. So they have a semantics for it, which one would think you could adapt for security audit and logging streams, but it's not really designed for that, so I'm curious where that ends up. Now, my colleague who's working on this is part of the DevOps security work in IEEE, so that's kind of his bent. If y'all ask him to come here and give a talk at some point.

That would be awesome. If you can open a presentation issue and then tag him, and then we can pull off.

Okay. Thanks.

Let's see. I think that is all for updates today, so we can jump right into the presentation. So Luke is going to be talking about Keylime, which is a new CNCF sandbox project, congratulations, and it's going to be about attestation and TPMs, things like that, but I'm gonna Give it good to plot you know it.

Sure. How long do I have, just to pace it?

So we have until the end of the session. So usually up to 30 minutes, and then...

Yeah, yeah, sure, sounds good. Okay, let me just... I've not used this too much before, so hopefully I don't blow up my desktop manager. Hold on. Is that visible?

We can see, yeah.

Okay. I'll go and try, let's try presenter mode.

Yeah, that's good.

Great. Okay. So, funny enough, I have these slides because originally we anticipated, first of all, showing the project to SIG Security, but then they changed the process for sandbox inclusion. So I already had a branded deck available, so I'm getting the chance to use it at last, which is good. So, yes, Keylime. So I'm Luke Hinds.
I'm from Red Hat and work in the Office of Technology, and I've worked around security for a good number of years now. And it says Charles; Charles isn't actually here. Charles is another guy that I work on Keylime with, from MIT, and he was going to be part of the original pitch as well, which is why, excuse me, his name is on there.

So a little bit of history about the project. Originally, it was a research paper that came out of MIT. So Charles and Nabil, who are a couple of researchers at MIT in their Lincoln Labs security research department, came up with this paper, "Bootstrapping and maintaining trust in the cloud", and they also wrote together a basic prototype. Around this time, about a year after they wrote the prototype, I'd been hunting for some sort of open source remote attestation solution. I was either going to code my own or see if there was something around that I could contribute to, and I found Nabil and Charlie's prototype, and I really liked the core design that they had: it was simple, but it was a very scalable architecture. And I could see they'd solved a lot of the problems that are an inherent part of TPMs around performance and so forth. I just liked the use cases that they'd built on top of this. So rather than it just being remote attestation, they had these other nice components which made it a really good all-round solution.

So that's where I got involved. I got in contact with those guys and I said, look, are you interested in building a community around this and starting to get other people working on the project? And we did, so we started to take it from a prototype into being a good, healthy open source project, which is what it is now. And as a recent bit of news, we got accepted as a CNCF sandbox project.

So Keylime itself, the main scope is that we have remote attestation. Okay, now, I imagine a lot of you are familiar with a TPM.
If not, a very, very quick overview is: a TPM is a chip, typically, that resides on the motherboard of a server or device, okay, and it's inaccessible to software, and it has a very simple crypto engine, so consider it almost like a stripped-down version of OpenSSL. So it's not a crypto accelerator, but it can perform very simple crypto functions such as signing artifacts and generating keys. Okay, and there's this principle of measurement with a TPM, which is where an artifact, an object, whether that be a script or a binary or any sort of system element, is measured. So a hash, a digest, is generated, and that hash is then signed by the TPM with a private key pair that's locked away within the TPM. It's called an endorsement key. And this then allows you, using the public counterpart, to verify that it was the actual TPM that signed some measurements. So you can remotely retrieve these measurements from the system that you're monitoring and then you can attest them, effectively, using what's called a hardware root of trust.

And TPMs have been around for quite a while. It's not too far out there to say they're almost ubiquitous. A lot of servers come with them already there. They're very simple to retrofit, usually quite cheap. You can put them on a Raspberry Pi. I have a Raspberry Pi; for about 20 euros or something you can get a TPM and put it on the GPIO. So they're quite an accessible piece of inexpensive hardware. Okay, and there's also a virtual TPM which could be used in containers and virtual machines.

So with remote attestation, what we do is, first of all, we've got something called measured boot, where we measure boot components.
So this could be the firmware, the bootloader, the kernel command line options. There is a project called UEFI shim, and the shim sits above UEFI and below the bootloader, and that can measure these components. So some of the stuff that's measured is Secure Boot as well. So with Secure Boot they have like a MOK list and certificates and so forth. So all of these things are measured and then they're what's called extended into the TPM. So an extend is like a one-way hash function. Okay, so you can then have a sort of record, a cryptographic replay of the boot occurring, okay, because it concatenates and extends hashes to build like a one-way hash function. And that is then signed, and we remotely retrieve that measurement set from the node. Okay, and then we attest it; we attest the hardware root of trust using these cryptographic keys that I described earlier.

Now, that measures the boot of a system. Once the system is running, there's a Linux security subsystem called IMA, which is Integrity Measurement Architecture, and it's been in the kernel for quite some time, I think it's since version 2.7, and it sits alongside SELinux. Okay, and what IMA does is, when a system call comes in, so let's say, for example, somebody runs a script as root, IMA will measure that script and then it will extend it into the TPM. So it'll record it into the TPM, and then again that list can be remotely retrieved and attested, so you can measure that the script that was run on the machine that you're monitoring has the expected digest. Obviously, if the digest is changed, it suggests there's been some sort of compromise. And so IMA is like a kind of runtime measurement system, okay, and then boot is obviously one time for the boot. Okay, so that's remote attestation.

We then have two things called encrypted payloads and the revocation framework. So encrypted payloads, what these are is, once a machine passes its measurements...
So it has the expected state that we have set for that machine. Then we will allow that machine to unlock an encrypted store, or it could be a payload that's sent over the wire. And we do this with something called a three-part key derivation protocol, where we have the machine attest itself to the verifier, which is a node that's part of Keylime, and the actual user themselves, so there's like a two-part attestation that happens. And then once that passes, two keys are released. So a key is cryptographically split; it's released by these different counterparts. The agent, which is the end resulting machine, the target machine, can then reconstruct the key, which then allows them to get the encrypted payload.

And the other thing that we do is, when a machine passes its trust, I don't really like the word trust, when it's cryptographically of the state that we expect, okay, with its measurements, then we have something called an application bootstrap. So this is a script that automatically runs once all of the measurements are verified. And people use this app to do all sorts of things. Some folks have been using it to pull up a Kubernetes cluster, or it could, for example, wrap around some sort of deployment framework such as Ansible or Puppet or Chef. So what you would then have is your secrets, the secrets that you require for deploying an application, whether they be TLS certificates or, for example, some SSH keys or an INI file that contains some passwords; that would be your encrypted payload. And the application bootstrap would occur, which would start the installation, and then the secrets would be there. Okay, but if a machine failed to pass its attestation, then it won't get its hands on that payload, effectively.

And then, last of all, we've got the revocation framework. And this occurs when a node fails attestation.
Okay, and what we do is we send out a signed revocation event to all of the nodes that share a trust boundary with that machine, effectively telling them to ring-fence that machine. So it's called a framework because you can write your own scripts, which the Keylime agent will then execute for you. So people write scripts around shutting down network interfaces, removing a machine from, what is it in SSH, your known hosts, your trusted, your authorized hosts; you could, for example, remove the machine from there. And I've seen other folks that have cordoned and drained the Kubernetes worker, so effectively a pod will migrate to a machine that still has a trusted state, so to say. And all of these are built around this root of trust which is in the TPM and the vTPM. So those are kind of the central trust framework to these three pieces.

So a little bit about the architecture. So to the left, consider that the wild west. Okay, that's a machine that's sort of outside of our trust boundary. So this could be in another cloud provider's network, or it could be an edge device or an IoT device in the roof of an office building somewhere that's susceptible to physical tampering. This is effectively the machine that you want to measure, and on that machine we run something called a Keylime agent. Okay, and it's pretty simple. It just talks to the TPM and it has a REST interface. Okay, and this can run on a container, a virtual machine or a bare metal machine. Okay, so the agent communicates with the TPM, as this says, and then over to the far right, this is more sort of your on-premise.
Okay, so you have the Keylime verifier, and this does the verification of the measurements that are retrieved, and then we have the registrar, which is kind of like a database. There's no cryptographic properties for the store in there. That's where we have the agent UUID, and we have a public key store for the intermediate certificates that are provided by the TPM manufacturers, that help us assess that it's a real TPM that we're talking to.

And you'll notice in the middle it says untrusted network. So this connection, we don't have to worry about a man in the middle here, because all of the communication coming back from the agent is signed with a key pair that's locked away in that chip, and the digests use this one-way hash function. So for example, if somebody changed /usr/bin/, I don't know, iptables, for example, they trojanized it, so they changed one hash, they would have to cryptographically pick back through the hash extend to then change a single hash and then reconstruct that chain of hashes again, which is impossible to do. It's computationally impossible to do. So we don't really worry about this particular connection and there being a man-in-the-middle attack. So it is acceptable to run this over HTTP because, like I say, we have this hardware root of trust.

So, yeah, that's the architecture. The blue lines that you see here, that's using the TPM TSS stack. And then the connection between the agent and the verifier and the registrar, that's all on a REST API. So we protect that with mTLS, mutual TLS, and we are also just working on getting JSON Web Tokens involved as well. So you'll be able to use one or the other, or both if you want to go belt and braces, so to say.

So, the remote attestation use case. This is kind of a simple overview, but a user or a tenant would say, could you attest a machine for my workload? The verifier will then measure the agent and there'll be two outcomes.
So the first would be passes, which is we run the autorun and we release the encrypted payload, or two is revocation. Okay, so we look at those two particular outcomes from a remote attestation.

So the encrypted payload is: the machine passes its attestation, the payload is sent, okay, and this is, as I said, based on this three-part key derivation protocol. And the execution of the autorun happens once the system attests without failure. So you can see an example payload there. So for example, you could have some passwords, you could have a script with those particular secret artifacts that you have, and then you'll also see there's a couple of scripts in here called local actions kubectl and local actions iptables. So those are what that machine should run when another machine fails in its trust boundary. So the idea is that you would then sort of ring-fence a machine that's been compromised. So that's part of the revocation framework, which I'll go into next.

So we have IMA, which I described earlier. So this is the Integrity Measurement Architecture. It's a Linux subsystem. So every syscall is measured and extended into the TPM. The remote state is compared with the expected state. So on the verifier you would have a list of, like, a POSIX path to a file, for example, and then a cryptographic digest, so a SHA-256 checksum, okay, and you would then query the remote system to find out what its file state is. Every time a system call is made into the kernel, IMA will intercept that and it will record it into the TPM, and we continuously poll over the REST API. It's a very lightweight poll. We can do that, you know, to point one two of a second if we had to, and so we would know, within a very small window, we would know somebody compromised a machine, because we continuously poll the state of that machine. And once that happens, so for example, if somebody swapped out a binary, trojanized the binary.
Also, with IMA you can measure things such as SELinux labels and kernel modules and various things. So if a machine failed, which is what we're going to look at now, this is revocation.

So we've got the Keylime verifier. We have a simple CA that we work with, but this can be integrated with CFSSL as well, and we're looking to have like a plug-in framework to integrate with different CAs. And then you can see that we've got four nodes at the bottom, so Keylime agents. Okay, these are all being monitored continuously by the verifier. And so one machine is compromised. What happens then? The Keylime verifier can make a call to revoke that node's certificate. So for example, if this node had some TLS certificates that were part of its trust connectivity, we could revoke that certificate. So a CRL could be populated.

And then the other thing that we do, which is a lot more interesting, is we send a revocation event. So a revocation event is just some JSON that contains some metadata. Okay, and that's signed by the verifier, so that you can make sure that that's not sort of a spoofed actor pretending to be a verifier. Okay, so this signed metadata goes out to all of the machines that share some sort of trust relation with the machine that's been compromised. Okay, and this revocation event will tell them to run local actions. So they will perform actions which typically somehow ring-fence this compromised machine. So it's a pretty similar principle, for some of you that work with load balancing, with, you know, STONITH, shoot the other node in the head, effectively. So that machine's compromised. We just want to knock it out. We want to get it off the network, terminate any association with it, and then it can be taken off for forensics and so forth. Okay, so this is effectively: this machine is bad, we need to protect what is good still. Okay.
There's no point trying to rescue this. Let's just completely knock it out, so to say. So an example here would be: the revocation is sent out to execute local actions. And so some examples could be, like I said earlier, to remove an entry from authorized keys, or cordon and drain a node, shut down a VPN tunnel, amend an iptables rule. Anything that you can programmatically do on a machine around some sort of sysadmin task, then the agent will run that. So for example, you could make an API call to a system which sends out an SMS message to a sysadmin to get them out of bed to look at something. So it's anything you dream up, really; you can delegate to Keylime to run that once the machine fails its trust state, so to say. So that's the revocation framework.

And so one thing: at the moment the project is developed in Python. So we use Python because it allowed us to quickly develop and prototype and try different things out. But what we're doing for the Rust agent, so this is the one that runs on the target machine, we're porting this to Rust at present. Okay, that work's taking place right now, and we went for Rust because, there's a few things. It's statically linked, so we don't have to have a big list of dependencies that need to be pulled in, so if that's a machine that's offline, or it's perhaps like an immutable sort of OSTree-type operating system, where it's a read-only operating system, we don't require this need to pull in a load of dependencies. And then of course it's memory safe and it's very performant. It's a systems-level language, so to say. So that work's underway at the moment, and when that's complete, that will become the default recommended agent. Okay, and then in time we're open to considering porting the other nodes from Python; that's been discussed as well.
So we thought about, you know, if the demand is there then we could even go to Golang or Rust or something like that, because Python's just been very, very good for allowing us to quickly iterate and develop features and get everything in place.

So some of the future work that we're doing is, we're working with the kernel folks to make an IMA namespace. So for example, this Integrity Measurement Architecture that I described earlier, that works perfectly well on a sort of single bare metal machine. Okay, you can get this to run in a virtual machine, but it's not containerized. We require a namespace. So we have, as you can see, a prototype working, and we're just trying to get that set so that we can then do measurements of IMA within a container as well. I mean, there are other things that you can measure with a container, but this is quite a key one. So that's a piece of work that's underway upstream, so to say.

We're also looking at, there's a vTPM which will run in the container. Okay, and we're doing some work to include this as part of a container runtime, and we're open to working with other container runtimes as well. This is the software TPM, the vTPM code. And then we're looking to do some stuff to extend vTPM support as well. So one of the things with a vTPM is, when you have a hardware TPM, your secrets, the cryptographic keys, are obviously on a hardware chip. Okay, so like I say there, it's only a specific bus that the CPU can use, I think it's the LPC bus, to communicate with the TPM. Okay, now, when you have a software TPM, it looks and smells exactly the same as a TPM functionally, around the functionality that it provides, but you don't have that hardware root of trust. The keys are effectively in memory or on a disk, so the underlying host can obviously see any sort of cryptographic secrets that are stored in the vTPM.
Okay, and so one of the things that we're looking at doing is marrying up the quotes, so TPM quotes are where we request the measurement list; we're looking at how we can marry that up to a single hardware TPM, where we would aggregate the quotes into a Merkle tree, and then there'll be a single one-time poll to the hardware TPM to vouch for the software TPM. And then that extends the hardware root of trust up to the software TPM. So we've got some very basic code prototype that we've worked on here. It's an idea that the folks at MIT had, and so we're looking to bring that into the main Keylime project.

The other thing as well is we're monitoring what's happening with encrypted containers, because if a container is encrypted and it's protected from the host, then you can run the vTPM in there and not be concerned that there's an attack vector where the underlying host can access the container and the vTPM, so that will solve that problem as well. So we've got a few avenues to solve this principle of a vTPM being susceptible to attacks from the host.

So community-wise, we're very diverse. There's obviously Red Hat, MIT, IBM; a contributing person from IBM recently became a maintainer. We also have contributions from Intel in the city in the past. We've got another maintainer from Canonical, Netfix, and quite a few independent contributors and smaller companies as well that are interested in the technology. We do all the things that we think a good open source project should do. So all pull requests undergo unit tests and integration tests, and we assess the code quality. Every pull request that's made is reviewed by a member of the core team and so forth, and we try to be very welcoming to new contributors. So we've got a lot of stuff around first-timer support.
So typically, when somebody will make a first pull request, somebody will go forward, you know, with a helpful spirit around helping them sort out any CI failures that there are, and just understanding things around how to format a good commit message, and just be a welcoming, friendly, I was going to say a friendly face, a friendly bit of text for them to start to get involved in the community. So, yeah, that's it for now, which is quite good because my voice is just starting to give up. But I guess we could go to questions now, or I can roll back if any of that doesn't make any sense as well.

All right. Thank you, Luke. I think we have some questions in the chat. Let me just...

Maybe I can ask the question if it's not...

Yeah, that'd be great. Thank you.

Sure. So one of the questions I had at that point is the syscall validation. I was just curious as to what exactly you are trying to guarantee or validate, and if that is the case, how do you achieve that? What is the use case around the syscall aspect that you mentioned?

Sure. Yeah, so this would be IMA, okay, and this one. So what happens is, typically, you would build a list, a kind of golden list of hashes or digests for the node that you're monitoring. Okay, so the format of the list is very simple. It's two columns: it's a POSIX path to the file and then the hash of the file. Okay, and that's stored in the verifier, which is on premise. Okay, and the node that you're monitoring has IMA, which is part of the kernel. Okay, and then what happens is, whenever somebody executes, so they run, for example, ifconfig or netstat, or they run a script, okay, what will happen is IMA will capture the digest of that object that's been executed. Okay, so let's say it's a script. It's a script that's been run as, um, a bash. Okay, so that digest will be captured. Now that digest, IMA will record that into the TPM. Okay, so the digest will go into the TPM.
Okay, and then the TPM will build that into what's called a one-way hash. Okay, so as entries come in, it's kind of like a binary tree, a Merkle tree, that's concatenated together, and then a hash is made of those two, and then you effectively have a root hash. So by looking at the root hash, you can make sure it's not being tampered with. Anyhow, I'm sorry, I'm going off on a little bit of a tangent there. So it measures the script, it grabs the digest, records it into the TPM. Okay, and then the verifier, the on-premise node, will query the agent for, hey, can I have a fresh quote, and a quote is a measurement list. Okay, and then it will receive that list. It will perform a hardware root of trust validation, so it will make sure that it's an actual real TPM that signed that list, okay, based on a hardware root of trust that we set up at the beginning when we first set the system up. Okay, and it will then compare that digest, that signed digest, with the golden list that it has locally. Now, if somebody's tampered with that shell script, then you would immediately know about it. So that way you can remotely monitor the machine. Okay, and then you could then perform, if you wanted to, some sort of revocation action. So that machine has been compromised, you believe, because somebody's tampered with something, and you then perform an action to ring-fence it.

Now, there's lots of noisy stuff on a system, like for example /var/log, okay, that would probably be quite difficult to track. So we do support regular expressions, where you can have like an ignore list. So you can say there's parts of the system that you wish to ignore, because it's not really of interest and it's very busy and it's very mutable, it's constantly changing and so forth. Does that make sense?

Now, a quick follow-up on that.
Luke, I think what's throwing me off is the granularity. Because here you mentioned syscall, but what you mentioned was actually a binary, a POSIX path to some iptables or ifconfig. And when you say you're measuring every syscall, these binaries could execute multiple syscalls. So that's where I was getting thrown off, I think.

I see. Yeah. Okay. So yeah, we don't measure the syscall. Yeah, the syscall is the event, the... to take the measurement, I guess. Yeah, I see what you mean. Yeah, I put that in a bit of a confusing way. Yeah, so now you're right, the syscall is the event that kicks off the process of measuring whatever's requested.

Got it. Thank you so much.

No worries, good question. So, there's some more in the chat. How do I see the chat? I'm completely...

Yeah, Luke, I had a question. Thanks for the presentation. That's, I think, very interesting stuff. I can see how you can use and integrate some of these ideas. I had a question related to vTPM. You mentioned that it's like software. Underneath, does it still use a hardware TPM? Does it use a key in a hardware TPM to wrap all the software keys in the vTPM, or is it like pure software information?

Pure software. Yes. Yes. So with the vTPM, how we're addressing that is, one, there's a possibility of an encrypted container. Okay, so the real person that you're concerned about here is a nefarious host. Okay, and so an encrypted container would, I use quotes, protect that attack. Okay, but we're also looking to marry up the cryptographic relation of the vTPM to the hardware TPM.
Okay, and that's this prototype code that we have at the moment, and what we can do is we can take thousands of vTPMs. We will aggregate their quotes, which is a request for a measurement, okay, into a Merkle tree, which is then sent back to the verifier, which will sort of percolate those quotes back out and perform the verification. So that way we're not hammering a hardware TPM with a one-to-one relationship between a software TPM and a hardware TPM. And there is also some other stuff happening around, people are looking at utilizing FPGA-type TPMs which could be plugged into a system and could then, I don't know too much about this, but they can then sort of attest thousands of virtual TPMs, so to say. So there's quite a bit going on in this space to address this problem. It's just which horse will win the race; I'm not sure yet.

Thank you.

Yeah, and Luke, just to clarify on the terminology, when you say encrypted container, you mean something like TEEs, like enclaves and stuff like that?

Possibly, yes. Yes. Yeah, that's one model.

So there are, I will say, some other questions in the chat.

I don't know how to access the chat. I think maybe I need to stop sharing. No, I can see it now. Chat. Sorry, I've got it. Okay. I've got a vinnaze question Kapil. Is IMA intended to be stacked on top of other LSMs? You know, I don't actually know the answer to that. I don't believe so. I think it sits in parallel, if that makes sense. Yeah, IMA sits in parallel with the other LSMs. Yeah, so it's a sort of neighbor to SELinux and other LSMs, AppArmor and so forth. And it's been in there for, I think, about 10 years now. So it's quite well established in the kernel.

Cool. Thanks.

Yeah, so I would say pretty much all distributions carry IMA: Gentoo, Debian, Fedora, Arch Linux. It's very, very well established.
Yeah, so, Brandon, is that a question or were you clarifying something?

I think I was just clarifying things.

This is a question not in the chat, but, this is new to me, so this is probably unrelated, so feel free to tell me that. But is there any application of this technology beyond root of trust, to assurance? One of the challenges with security tools is that machine-to-machine communication is difficult to do reliability engineering with. So, sort of machine identity.

Yeah.

So if you lose connectivity, you know, in a container-to-container scenario, where, in a cloud scenario, it may be different. It could be different hosts, it could be the same instance, I suppose, but maybe launched under different circumstances or policies. You know, speaking in a very generalized use case, it's just that one tool stops talking to another, and the tooling for handling assurance for that is primitive, and so is the troubleshooting. So it occurs to me that it's similar to the problem of establishing trust. It's just that assurance for connectivity is a more regularized event, right?

Yes, yes. So I know that Brandon, George and folks, they're using the endorsement key, aren't they, for machine identification?

Yep.

Yeah, they use the EK, the endorsement key, which is the key that's locked away in the TPM, as a means to verify the identity of a machine with a hardware root of trust. So that's possible. And this is outside of Keylime, but from what I recall, SPIFFE and SPIRE were doing some sort of TPM integration. It might have been Vault, something to do with... well, I'm a bit sketchy on the details there though.
I'm a bit sketchy on the details there though But yeah, sorry to to answer your question is that is possible with the endorsement key Okay, yeah While we're on that topic also kind of I think one of the the things that I was exploring as you know, put this be also know the tester for for SPIFFE and for SPIRE for example Where you would use some Keylime to bootstrap the workload identity Yeah, that's what it is. It's great for doing that really any sort of um Bootstrapping trust on a new machine That's another interesting topic right Luke and everybody. I mean, so we've had some very very interesting You know, you know project like a Keycloak, Keylime, SPIFFE, SPIRE. They have a lot of a number of use cases potentially. There could be some overlapping I think it would be interesting to explore or even explicitly articulate how these tools can potentially work together identify these kinds of use cases and really For the broader community help them understand how a lot of the This ecosystem of these kinds of specific tools. I think there are three or four I think we should go back and look into it and to see how it can The kinds of use cases that they address at least at most level Yeah, I would love to do that. I really would like to take part in that definitely I have a presentation drop on that Okay, Brandon. So I'm gonna bring you real less That as well because I think that's the same question that comes up right like even in Keycloak and then the You know, how it works with SPIFFE and SPIRE So so my team has been working with Luke as well as Keycloak with both us team as well as working with the SPIFFE and SPIRE community as well I think Really, we are trying to tie everything into the identity using Keylime as the basis for trust with identity And then to take this identity and be able to make you know policy and authorization decisions Um in an open source. IAM-type solution. So we are looking at Keycloak in terms of that Nice But that's like 10,000 feet level.
Yeah I'll Clean up that and then get get feedback from community as well You can you can think about Keylime as basically certified station infrastructure that you can use To make sure that's your Software and hardware. It's not being compromised And build something on top of it to issue like let's say short-lived TTL T send certificate that you can use for like let's say SPIRE uh type of hide station for this note you can Uh Use the attestation infrastructure. So if you're not as compromised, you're just not renewing uh The Certificate so you're not cannot be participate as a part of infrastructure because it has no proof That it can preserve show or to a SPIRE server And and be part of infrastructure Anymore so that that's basically how we're looking to this Yeah, it's um I'm fairly familiar with SPIFFE and SPIRE, but Yeah, I'll be really interested in exploring that definitely Um, we have one question to chat Um, do you have any thoughts on detection of key compromises? Okay, so um key compromises In general sort of people's Personal keys or within the TPM or uh right now. Do you do want to clarify on that question? In the TPM Somebody does get access to the keys then how do we detect? That's an entity is already compromised. So if somebody if somebody compromises the endorsement key I just fall into a heap on the floor and start crying Because my whole project's ruined. Um, so how would you detect it? But well, so this is the EK and this is the EK right? I think the EK is so No, it's a very good question. I don't mean to make sort of light of it with with humor um, so At present that There hasn't been any successful even theoretical attacks around getting the endorsement key from the TPM And people are doing trying side channel stuff putting microphones and oscilloscopes and trying to sort of measure keys that way So it's not being proved that there's any sort of attack.
I guess If an if if a key was compromised Then they would also need to compromise the manufacturer because they have an intermediate signing certificate as well of the endorsement key so the An attack that happened it would It I believe it would be detected because suddenly there would be real TPMs Requesting attestation that don't have an intermediate certificate That's that's that's tied to them. So what we do in Keylime is the the endorsement key We actually have a local storage of some certificates from the vendors themselves that allow us to To to attest that that's an actual endorsement key. That's part of a real TPM. So to say so that that would yeah, that would be the detection Sure, thank you. Yeah, no worries a good question other other option could be used a certificate transparency, but in this case They're basically TPM vendors should support this Uh with their infrastructure. I I'm not aware of anything like this But that could be another measure and if you use and if you use a hardware key to rob anything Inside you you can also use a certificate transparency for that So so interestingly on that note So this this is a project that I'm working on but it's obviously not a CNCF project, but we are Working on a transparency log to record these sorts of things to pick up a key compromise specifically so It's it's not a CNCF project.
It's it's a prototype that I've been working on With somebody from Google, but we use the same back end as the certificate transparency system Yeah, I think they use a Trillian for that yeah, so we built a Trillian personality as a sort of secure supply chain ledger manifest ledger And um, so but it's it's very early and it's it's quite more we've got You know and and one of the things you have to say one of the ways that that maps to Keylime is We're going to look at Where you have these golden lists Okay, we're going to look at recording those into a transparency log to prevent some sort of freeze attack and to provide a source that people can Make sure that the list that they have is what everybody else is seeing there's some sort of consensus there And allow auditors to query the log as well and to check the log Who knows maybe a couple of months I'll be pitching that project I'll be great. Thank you. Yeah Okay, I think we're almost out of time so um Let's wrap up here. Thank you so much. I think this was a great session. Um, there's a lot of discussion around this Um, and it looks like there's some follow-up items that we can talk about as well, which is great as business suggested um, so just kind of along the lines of The process and now that Keylime is in sandbox If there are any plans into going to incubation Um, we have a security assessment process um, so whenever You and other members of the team are thinking about incubation Um, you know, please reach out to us. We can figure out what what we have to do that Um to give recommendation for due diligence Um All right, so and I think next week. Um, we are going to have a conversation with Um, Santiago for in-toto again kind of get some updates. What's new with in-toto?
Uh, in-toto is applying for incubation So we're talking about um, what are here the things that have changed since we've done the security assessment As well as identify points of recommendation for into the full incubation cool if not, um Any other topics that we want to bring out anybody that has a topic for the future Awesome. If not, thank you everyone Thanks. You're welcome Sorry, I was muted there. Yeah. Thank you everybody. I'm going to try and come along as well be a regular if I can Awesome. That would be great. Uh, Luke, do you mind to provide a link to presentation? Is it like public level? Yeah, yeah, yeah, of course. Yeah, it should be. Yes. Um, Yeah, you can you can you post it in the um the issue on Issue 411 for security. I'm gonna place it in the yeah, if you pop it into Slack for me, um, I'll I'll I'll put it in now. I'll make sure it's shareable and Everybody can access Awesome. Great. Thanks everybody. Take care. Bye. Bye. Bye. Bye guys