Conversation

@jimmykarily
Contributor

because local passphrase logic is now removed from kcrypt-challenger

@jimmykarily jimmykarily self-assigned this Nov 7, 2025
@jimmykarily jimmykarily moved this to In Progress 🏃 in 🧙Issue tracking board Nov 7, 2025
@jimmykarily jimmykarily force-pushed the add-tpm-cleanup-command branch from 5c9035d to b8379d5 on November 7, 2025 08:10
jimmykarily added a commit to kairos-io/kcrypt-discovery-challenger that referenced this pull request Nov 7, 2025
because it's now implemented in kairos-sdk (used by kairos-agent and
immucore). Also move the cleanup method to the kairos-agent:

kairos-io/kairos-agent#1027

Signed-off-by: Dimitris Karakasilis <[email protected]>
jimmykarily added a commit to kairos-io/kcrypt-discovery-challenger that referenced this pull request Nov 10, 2025
[WIP] Split with-TPM and without-TPM flows

Signed-off-by: Dimitris Karakasilis <[email protected]>

Introduce a cli interface to interact with the challenger client

This will make debugging easier both while developing and in production.
No need to use it through the kcrypt binary anymore, because we might
not actually care about decrypting the disks but rather about getting
the passphrase from the KMS.

Signed-off-by: Dimitris Karakasilis <[email protected]>

Use a KairosLogger consistently

in plugin mode: log only to a file and journal and in "debug" level by
default

in cli mode: respect the `--debug` flag and write to the stdout

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove legacy methods from old flow

TODO: Implement TOFU on the server

Signed-off-by: Dimitris Karakasilis <[email protected]>

Implement TOFU flow on the server

and fix some issues with the data we send back and forth between the
client and the server

Signed-off-by: Dimitris Karakasilis <[email protected]>

Treat an empty passphrase as an error

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove unnecessary patches in deployment

Signed-off-by: Dimitris Karakasilis <[email protected]>

Use specific PCRs in tpm quote

Signed-off-by: Dimitris Karakasilis <[email protected]>

Don't show trace log when a security violation occurs

because it's not an application error but rather normal behaviour

Signed-off-by: Dimitris Karakasilis <[email protected]>

Handle PCR validation errors gracefully

Signed-off-by: Dimitris Karakasilis <[email protected]>

Don't use the (now removed) redundant field

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove unnecessary wrapper

Signed-off-by: Dimitris Karakasilis <[email protected]>

Move path to a constant

Signed-off-by: Dimitris Karakasilis <[email protected]>

[TMP] use a replace that points to a branch (instead of local dir)

Point to this: kairos-io/tpm-helpers#7

Signed-off-by: Dimitris Karakasilis <[email protected]>

Fix tests

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove meaningless test

Signed-off-by: Dimitris Karakasilis <[email protected]>

Migrate to cobra cli for better code organization

Signed-off-by: Dimitris Karakasilis <[email protected]>

Avoid global vars

Signed-off-by: Dimitris Karakasilis <[email protected]>

Allow the user to cleanup NV indexes

e.g. to reset the passphrase stored on the TPM for local encryption

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove stubbed version and fix tests

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add TODO in README for selective enrollment

Signed-off-by: Dimitris Karakasilis <[email protected]>

Refactor wall-of-text method to one with better narrative

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove enrollment reporting on authentication request

Signed-off-by: Dimitris Karakasilis <[email protected]>

Reuse a secret when it's there and ignore missing PCRs

This allows the operator to re-use an existing passphrase but let the
sealed volume be re-created automatically (so decryption can still
happen, we don't lose the original passphrase).

Also allows the operator to skip a PCR (e.g. 11) if they want to by
simply removing it after the initial enrollment or by manually creating
the initial sealed volume but only with the PCRs they are interested in
by setting those to empty strings. This is useful if a PCR is expected
to change often, e.g. PCR 11 because of kernel upgrades.

Signed-off-by: Dimitris Karakasilis <[email protected]>

Explain the various scenarios

Signed-off-by: Dimitris Karakasilis <[email protected]>

Reject early when TPM is quarantined

and update the README with remaining TODOs (only e2e tests missing)

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add mermaid diagram explaining the attestation flow

Signed-off-by: Dimitris Karakasilis <[email protected]>

[WIP] Implement e2e tests

Signed-off-by: Dimitris Karakasilis <[email protected]>

Fix tests

Signed-off-by: Dimitris Karakasilis <[email protected]>

Merge multiple tests into one

to save time from setup of VMs and such

Signed-off-by: Dimitris Karakasilis <[email protected]>

Make sure kcrypt-challenger respects the `manual-install` config

Signed-off-by: Dimitris Karakasilis <[email protected]>

Fix config in tests

Signed-off-by: Dimitris Karakasilis <[email protected]>

Fix plugin trying to run `--debug` event and not logging to files

Args[0] is no longer guaranteed to be the event's name. We have a proper
command now.

Signed-off-by: Dimitris Karakasilis <[email protected]>

[DEBUG] try to print the kcrypt logs on failure

Signed-off-by: Dimitris Karakasilis <[email protected]>

Set plugin mode to "debug" to see what's going on

Signed-off-by: Dimitris Karakasilis <[email protected]>

Use safe kube names, output the passphrase to stdout

and improve test logging on failure

Signed-off-by: Dimitris Karakasilis <[email protected]>

When another partition is requested for an enrolled tpm, just update

instead of trying to create a new sealed volume

Signed-off-by: Dimitris Karakasilis <[email protected]>

go mod tidy (after rebase)

Signed-off-by: Dimitris Karakasilis <[email protected]>

Use nv index to store the AK blob

because during initramfs there is no (unencrypted) persistent storage to
use for a file.

Signed-off-by: Dimitris Karakasilis <[email protected]>

Use transient AK keys and avoid storing it

because we don't have a persistent storage available during initramfs
and NV indices are not big enough to store the AK blob. After all, we
verify the EK so we just validate that the AK is generated by that EK,
no need to enroll the AK.

Signed-off-by: Dimitris Karakasilis <[email protected]>

Use the new attestation pkg

which has cleaner API and responsibilities

Signed-off-by: Dimitris Karakasilis <[email protected]>

Verify the PCRs against the quote

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove AK references

Signed-off-by: Dimitris Karakasilis <[email protected]>

Fix pem

Signed-off-by: Dimitris Karakasilis <[email protected]>

Try with CGO_ENABLED=1

because tests are failing with:

Will run 3 of 3 specs
------------------------------
• [FAILED] [0.000 seconds]
Remote attestation end-to-end [It] client and server roundtrip
/runner/_work/kcrypt-discovery-challenger/kcrypt-discovery-challenger/pkg/attestation/attestation_test.go:21

  [FAILED] Unexpected error:
      <*fmt.wrapError | 0xc000081b00>:
      opening TPM: startup: using the simulator requires building with CGO
      {
          msg: "opening TPM: startup: using the simulator requires building with CGO",
          err: <*fmt.wrapError | 0xc000081ae0>{
              msg: "startup: using the simulator requires building with CGO",
              err: <*errors.errorString | 0xc000037b90>{
                  s: "using the simulator requires building with CGO",
              },
          },
      }
  occurred
  In [It] at: /runner/_work/kcrypt-discovery-challenger/kcrypt-discovery-challenger/pkg/attestation/attestation_test.go:24 @ 10/01/25 15:36:06.699

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add gcc in tests

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add missing libraries

resulting in:

/runner/_work/kcrypt-discovery-challenger/kcrypt-discovery-challenger/bin/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
-: # github.com/google/go-tpm-tools/simulator/internal
In file included from /home/runner/go/pkg/mod/github.com/google/[email protected]/simulator/ms-tpm-20-ref/TPMCmd/tpm/include/LibSupport.h:65,
                 from /home/runner/go/pkg/mod/github.com/google/[email protected]/simulator/ms-tpm-20-ref/TPMCmd/tpm/include/Tpm.h:47,
                 from /home/runner/go/pkg/mod/github.com/google/[email protected]/simulator/internal/internal_cgo.go:45:
/home/runner/go/pkg/mod/github.com/google/[email protected]/simulator/ms-tpm-20-ref/TPMCmd/tpm/include/Ossl/TpmToOsslSym.h:47:10: fatal error: openssl/aes.h: No such file or directory
   47 | #include <openssl/aes.h>
      |          ^~~~~~~~~~~~~~~

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove debug logs that pollute the output

Signed-off-by: Dimitris Karakasilis <[email protected]>

Fix selective enrollment of EK and add tests and docs

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add tests

Signed-off-by: Dimitris Karakasilis <[email protected]>

Wait for 30 seconds for network

because that's possibly the reason why the tests fail, dns is not ready
and everything goes fubar

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add missing import

Signed-off-by: Dimitris Karakasilis <[email protected]>

Fix indentation

Signed-off-by: Dimitris Karakasilis <[email protected]>

Read kcrypt configuration from /proc/cmdline

because when COS_OEM is encrypted, we can't read it from there.
Needs: kairos-io/kairos-agent#988

Signed-off-by: Dimitris Karakasilis <[email protected]>

Get kcrypt config from payload

Signed-off-by: Dimitris Karakasilis <[email protected]>

[TMP] Debugging targets (remove before merging?)

Signed-off-by: Dimitris Karakasilis <[email protected]>

Stick to a JSON api, fix and improve tests

Signed-off-by: Dimitris Karakasilis <[email protected]>

Fix linter warning/suggestions and remove unused code

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add "info" command to kcrypt cli to help debugging

It prints the TPM hash, the EK public key and the requested PCRs
(defaults to 0,7,11)

Signed-off-by: Dimitris Karakasilis <[email protected]>

Defer PCR enrollment for after reboot

because the values of the live system may not be the same as the
installed system (e.g. because user installed with `--source` flag
pointing to another image)

Signed-off-by: Dimitris Karakasilis <[email protected]>

Bump tpm-helpers

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove Earthly

and migrate to Make targets with Dockerfile

Signed-off-by: Dimitris Karakasilis <[email protected]>

Use kairos-sdk ghw structs instead of upstream ones

and adapt to the changed payload that doesn't include unnecessary
information

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add missing deps, make keys dir mandatory in Make target and bump go.mod

Signed-off-by: Dimitris Karakasilis <[email protected]>

PR improvements

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove local passphrase logic

because it's now implemented in kairos-sdk (used by kairos-agent and
immucore). Also move the cleanup method to the kairos-agent:

kairos-io/kairos-agent#1027

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add shared tpm-device flag and respect it when set.

Also read the config using the collector for the various commands that
might need to read NVIndex, CIndex and TPMDevice (they were using an
empty config so far)

Signed-off-by: Dimitris Karakasilis <[email protected]>

Remove tests that don't do anything

Signed-off-by: Dimitris Karakasilis <[email protected]>

Cleanup

Signed-off-by: Dimitris Karakasilis <[email protected]>

PR fixes

Signed-off-by: Dimitris Karakasilis <[email protected]>

Add README.md section to explain the Makefile usage

Signed-off-by: Dimitris Karakasilis <[email protected]>

Potential fix for code scanning alert no. 72: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
jimmykarily added a commit to kairos-io/kcrypt-discovery-challenger that referenced this pull request Nov 11, 2025
* Remove attestation with KMS


* Use go version from go.mod

and fix broken unit-tests pipeline which can't find go 1.25-bookworm
here: https://github.com/actions/go-versions/blob/main/versions-manifest.json

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Replace missing github action with a simpler script

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Test using latest immucore and kairos-agent

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Don't fallback to DNS when mdns fails

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Improve the discoverable-kms (but still not working)

It doesn't VMs don't get IP addresses so the simple-mdns-server
response can't reach the client in the VM

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Try to skip

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Move kube naming helpers to a new package

and use them to create the expected secret in tests

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Fix test and add commit info to compiled binaries

Signed-off-by: Dimitris Karakasilis <[email protected]>

---------

Signed-off-by: Dimitris Karakasilis <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@jimmykarily jimmykarily force-pushed the add-tpm-cleanup-command branch 2 times, most recently from 4e30ca1 to 286aed7 on November 11, 2025 15:53
@codecov

codecov bot commented Nov 11, 2025

Codecov Report

❌ Patch coverage is 0% with 120 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.42%. Comparing base (3e688e6) to head (b628e4d).
⚠️ Report is 7 commits behind head on main.

Files with missing lines Patch % Lines
pkg/action/kcrypt.go 0.00% 120 Missing ⚠️

❌ Your project status has failed because the head coverage (59.27%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1027      +/-   ##
==========================================
- Coverage   42.28%   41.42%   -0.87%     
==========================================
  Files          61       62       +1     
  Lines        6243     6363     +120     
==========================================
- Hits         2640     2636       -4     
- Misses       3278     3400     +122     
- Partials      325      327       +2     


@jimmykarily jimmykarily force-pushed the add-tpm-cleanup-command branch from be2f9b3 to ce82385 on November 12, 2025 08:54
@jimmykarily jimmykarily marked this pull request as ready for review November 12, 2025 08:54
@jimmykarily jimmykarily requested a review from a team as a code owner November 12, 2025 08:54
&kcryptNVIndexFlag,
&kcryptTPMDeviceFlag,
&cli.BoolFlag{
Name: "i-know-what-i-am-doing",
Member

🗡️

@Itxaka Itxaka requested a review from Copilot November 12, 2025 09:02
Contributor

Copilot AI left a comment

Pull Request Overview

This PR migrates TPM cleanup functionality from kcrypt-challenger to kairos-agent by adding new kcrypt subcommands for managing TPM NV memory operations, as local passphrase logic has been removed from kcrypt-challenger.

Key Changes:

  • Added three new kcrypt CLI subcommands (checknv, readnv, cleanupnv) for TPM NV index operations
  • Implemented helper functions to resolve NV index, TPM device, and certificate index from config or flags
  • Promoted github.com/kairos-io/tpm-helpers from indirect to direct dependency

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File Description
pkg/action/kcrypt.go New file containing TPM NV index management functions with config resolution and cleanup operations
main.go Added kcrypt command with three subcommands for TPM operations and related CLI flags
go.mod Promoted tpm-helpers dependency from indirect to direct requirement

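The three subcommands and the flag-over-config resolution described in the review overview above, as an added Go example that is not code from this PR or from kairos-agent: `KcryptConfig` and its field names, the default NV index, the `fakeNV` store (an in-memory stand-in for the TPM so the block runs offline) and the function names are all assumptions. It shows `checknv` answering only whether a value exists, `readnv` returning the bytes for the caller to print to stdout, and `cleanupnv` refusing to erase the index unless the confirmation flag is set.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// KcryptConfig: the settings the PR reads via the collector (field names assumed).
type KcryptConfig struct {
	NVIndex, CIndex, TPMDevice string
}

// Assumed default; the project's real value is not on the page.
const defaultNVIndex = "0x1500000"

// resolve applies the precedence: explicit flag, then config, then default.
func resolve(flag, cfg, def string) string {
	for _, v := range []string{flag, cfg, def} {
		if s := strings.TrimSpace(v); s != "" {
			return s
		}
	}
	return ""
}

// ParseNVIndex requires a TPM 2.0 NV index handle (type 0x01: 0x01000000..0x01FFFFFF).
func ParseNVIndex(s string) (uint32, error) {
	v, err := strconv.ParseUint(s, 0, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid NV index %q: %w", s, err)
	}
	if v>>24 != 0x01 {
		return 0, fmt.Errorf("0x%08X is not an NV index handle", v)
	}
	return uint32(v), nil
}

// NVStore is the NV subset the subcommands need; fakeNV is an in-memory stand-in for the TPM.
type NVStore interface {
	Read(index uint32) ([]byte, bool)
	Undefine(index uint32) error
}

type fakeNV map[uint32][]byte

func (f fakeNV) Read(index uint32) ([]byte, bool) { b, ok := f[index]; return b, ok }
func (f fakeNV) Undefine(index uint32) error {
	if _, ok := f[index]; !ok {
		return fmt.Errorf("NV index 0x%08X is not defined", index)
	}
	delete(f, index)
	return nil
}

var ErrNotConfirmed = errors.New("refusing to erase NV index without --i-know-what-i-am-doing")

// CheckNV reports whether a value is stored without returning it, so the answer is safe to log.
func CheckNV(s NVStore, index uint32) bool {
	b, ok := s.Read(index)
	return ok && len(b) > 0
}

// ReadNV returns the stored bytes; print them to stdout only, never to the log.
func ReadNV(s NVStore, index uint32) ([]byte, error) {
	b, ok := s.Read(index)
	if !ok {
		return nil, fmt.Errorf("NV index 0x%08X is not defined", index)
	}
	return b, nil
}

// CleanupNV is destructive (the sealed passphrase is gone), so it is gated on the flag.
func CleanupNV(s NVStore, index uint32, confirmed bool) error {
	if !confirmed {
		return ErrNotConfirmed
	}
	return s.Undefine(index)
}

func main() {
	cfg := KcryptConfig{NVIndex: "0x1500010"} // constructed sample config
	idx, err := ParseNVIndex(resolve("", cfg.NVIndex, defaultNVIndex))
	if err != nil {
		panic(err)
	}
	tpm := fakeNV{idx: []byte("constructed-passphrase")} // constructed NV content
	fmt.Println("present:", CheckNV(tpm, idx), "| no flag:", CleanupNV(tpm, idx, false))
	fmt.Println("with flag:", CleanupNV(tpm, idx, true), "| present:", CheckNV(tpm, idx))
}
```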

@jimmykarily jimmykarily moved this from In Progress 🏃 to Under review 🔍 in 🧙Issue tracking board Nov 12, 2025
to read the specified nv index, clean it up and check if it has a value without
printing it. Can be used to clean up a device before re-purposing it.

Signed-off-by: Dimitris Karakasilis <[email protected]>
@jimmykarily jimmykarily force-pushed the add-tpm-cleanup-command branch from a2e009c to b628e4d on November 12, 2025 09:17
@jimmykarily
Contributor Author

This repository doesn't have an e2e test suite which would be suitable to test this new functionality. I think it would be better if I just test this as part of the kairos e2e suite (which is already spinning up VMs). I'll leave this untested here then and add the test here: kairos-io/kairos#3757

@jimmykarily jimmykarily merged commit 0fe2210 into main Nov 12, 2025
14 of 15 checks passed
@jimmykarily jimmykarily deleted the add-tpm-cleanup-command branch November 12, 2025 13:05
@github-project-automation github-project-automation bot moved this from Under review 🔍 to Done ✅ in 🧙Issue tracking board Nov 12, 2025