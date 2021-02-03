Submitted by Roy Schestowitz on Wednesday 24th of February 2021 11:51:21 PM

In my previous blog post, I explained how a verifier can get a signing key that it trusts is on a TPM for attestation (part 2 of the other post in the making).

I have been contributing to a specific implementation of remote attestation for Linux, called Keylime.

As part of the effort on porting the agent to Rust, I was looking into how the process works, and as part of that I identified a vulnerability in how Keylime deals with the TPM2 that breaks the Chain of Trust in two different places.

For the quick rundown, see the advisory.

