Revision as of 08:07, 8 December 2021
Keylime subpackaging and agent alternatives
Summary
The keylime package will be split into subpackages per role (agent, registrar, verifier, and admin components), while allowing the alternative agent implementation in Rust.
Owner
- Name: Sergio Correia
- Email: scorreia@redhat.com
- Name: Daiki Ueno
- Email: dueno@redhat.com
Current status
- Targeted release: Fedora Linux 36
- Last updated: 2021-12-08
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
The current Keylime package available in Fedora provides all the components as a single package. To support usage scenarios where only the agent or a management component is deployed on a specific host, we plan to split the package into subpackages per role. This change also enables the alternative Keylime agent implementation in Rust, which will eventually be preferred over the Python implementation.
Feedback
Benefit to Fedora
This makes it easier to deploy the Keylime agent in IoT or Fedora CoreOS spins and thus enable remote attestation without installing the full dependencies of Keylime.
Scope
- Proposal owners:
- The keylime package will provide subpackages (keylime-agent, keylime-registrar, etc)
- The keylime package will be a meta package that will install all the subpackages
- The Rust based agent will be packaged along with its build dependencies
- Both keylime-agent implementations, one written in Python, the other written in Rust, will be selectively installable through alternatives or a similar mechanism
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number N/A (not a System Wide Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
The keylime package will remain as a meta package for compatibility with the current packaging.
How To Test
- Make sure that your systems meet the requirements to run either the Keylime agent or the other components, as described in the documentation
- Install the subpackages individually and see if they function as expected
- Install the meta package (keylime) and see if it pulls in all the subpackages
- Install the rust-keylime-agent package and check that it does not interfere with the keylime-agent package
- Check that rust-keylime-agent can be made the default, using the alternatives --set command
User Experience
No visible change should be observed by the existing users.
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), No
Documentation
N/A (not a System Wide Change)