SSS with tang in different locaions

Question

SSS with tang in different locaions

felsgaertner opened this issue a year ago · 6 comments

Hello, I plan to use clevis with TPM2 and TANG in different locations, i.e. at home and in the office.

This will be two different TANG servers, one in each location.

Is it possible to setup SSS with t=2 (so TPM2 and one of the TANG servers) together, or do I have to setup a TPM2/TANG combination for each location?

Answer 1 · 2023-12-19T15:05:35.000Z

You can to sss with t=2 between TPM2 and an sss with t=1 between the two tang servers.
I use something like

{
    "t": 2,
    "pins": {
        "tpm2": [
            {
                "pcr_ids": "0,1,5,7,12",
                "pcr_bank": "sha256"
            }
        ],
        "sss": {
            "t": 1,
            "pins": {
                "tang": [
                    {
                        "url": "http://tang1"
                    },
                    {
                        "url": "http://tang2"
                    }
                ]
            }
        }
    }
}

Answer 2 · 2023-12-19T15:20:20.000Z

But I will not have access to both tang servers at the same time. Question is how to provision the SSS tang parts.

Answer 3 · 2023-12-19T15:27:29.000Z

You don't need both tang servers at the same time, as threshold in sss tang servers configuration provided by @Cornelicorn is 1, so if any of them can be reached, that would be enough

Answer 4 · 2023-12-19T15:31:53.000Z

You don't need both tang servers at the same time, as threshold in sss tang servers configuration provided by @Cornelicorn is 1, so if any of them can be reached, that would be enough

That is the part I understood.

But it is still not clear how I store the shared parts of the secret in the two tang servers. I did not find any docs or examples that match this use-case. All examples use mostly either TPM or Tang - but not both.

Answer 5 · 2023-12-19T16:16:41.000Z

But it is still not clear how I store the shared parts of the secret in the two tang servers. I did not find any docs or examples that match this use-case. All examples use mostly either TPM or Tang - but not both.

I'm not sure what you mean by shared parts in the tang servers? The tang servers don't care about any sharing, you can just keep the tang servers as they are. The secret sharing is done entirely by clevis locally.

If you can't reach both servers during enrollment, you can fetch the advertisement using curl http://tang1/adv and add that data to the config

{
    "url": "http://tang1",
    "adv": {
        "payload": "...",
        "protected": "...",
        "signature": "..."
    }
}

Answer 6 · 2023-12-20T09:51:20.000Z

If you can't reach both servers during enrollment, you can fetch the advertisement using curl http://tang1/adv and add that data to the config

Exactly that is my problem - I do not have access to both tang servers at the same time.

Edit: I managed to reach both servers with VPN connections.