latchset/clevis

SSS/Tang regenerate with multiple locations

felsgaertner opened this issue · 1 comments

This is a follow-up for #444

With luks bind I have to provide a pin config that might in addition carry the advertisements of tang servers I cannot reach, see comment #444 (comment)

Unfortunately this is not possible with regen, since I cannot provide those additional offline advertisements.

So I have to unbind and then bind again. It would be nice to have a way to provide those offline advertisements to regen as well.

My current pin config reads:

{
  "t": 2,
  "pins": {
      "tpm2": {
        "pcr_bank": "sha256",
        "pcr_ids": "1,4,5,7,8"
      },
      "tang": [
          {
              "url": "http://server.1",
              "adv": {
                "payload": "eyJrZXlzIjogW3si...lmeSJdfV19",
                "protected": "eyJhbGci...iJ9",
                "signature": "AakEL-AX...PMo"
              }
          },
          {
              "url": "http://server.2",
              "adv": {
                "payload": "eyJrZXlz...dfV19",
                "protected": "eyJhbG.iJ9",
                "signature": "ATUMB...9fnBbzv"
              }
          }
      ]
  }
}

Only one of those servers is available at a specific time.

And BTW - can I nest SSS pins to have another SSS within the above config? I.e.

{
  "t": 2,
  "pins": {
    "tpm2": {
      "pcr_ids": "1,4,5,7,8"
    },
    "sss": {
      "t": 1,
      "pins": {
        "tang": [
          {
            "url": "http://1"
          },
          {
            "url": "http://2"
          }
        ]
      }
    }
  }
}
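As an added example (not from the issue or from clevis itself), a small Python checker for SSS pin configs like the two above: it validates thresholds recursively, including nested sss pins, and works out whether an unlock would succeed given which pins are usable, which shows that the first config needs tpm2 plus one reachable server (or both servers) to meet t=2, while the nested form needs tpm2 plus any one server. The adv values are constructed placeholders, not real Tang advertisements.

```python
# Constructed sample mirroring the first config in the issue; the adv strings
# are placeholders, not real Tang advertisements.
FLAT_CONFIG = {
    "t": 2,
    "pins": {
        "tpm2": {"pcr_bank": "sha256", "pcr_ids": "1,4,5,7,8"},
        "tang": [
            {"url": "http://server.1", "adv": {"payload": "<adv1>", "protected": "<p1>", "signature": "<s1>"}},
            {"url": "http://server.2", "adv": {"payload": "<adv2>", "protected": "<p2>", "signature": "<s2>"}},
        ],
    },
}
# Constructed sample mirroring the nested config in the issue.
NESTED_CONFIG = {"t": 2, "pins": {"tpm2": {"pcr_ids": "1,4,5,7,8"},
                 "sss": {"t": 1, "pins": {"tang": [{"url": "http://1"}, {"url": "http://2"}]}}}}

def _entries(pins, name):
    """A pin value may be one object or a list; each list entry is its own share."""
    value = pins.get(name)
    return [] if value is None else (value if isinstance(value, list) else [value])

def validate(cfg):
    """Return a list of structural problems in an sss config (empty means OK)."""
    problems = []
    pins = cfg.get("pins", {})
    shares = sum(len(_entries(pins, name)) for name in pins)
    t = cfg.get("t")
    if not isinstance(t, int) or not 1 <= t <= shares:
        problems.append(f"t={t!r} must lie between 1 and the share count ({shares})")
    for tang in _entries(pins, "tang"):
        adv = tang.get("adv")
        # an inline adv must be a complete JWS object, otherwise an offline bind cannot use it
        if isinstance(adv, dict) and not {"payload", "protected", "signature"} <= set(adv):
            problems.append(f"inline adv for {tang.get('url')} is not a complete JWS object")
    for sub in _entries(pins, "sss"):  # nested sss pins are checked recursively
        problems.extend(validate(sub))
    return problems

def can_unlock(cfg, usable):
    """usable: set containing 'tpm2' and/or the tang URLs that would succeed at unlock time."""
    met = 0
    for name in cfg["pins"]:
        for entry in _entries(cfg["pins"], name):
            if name == "sss":
                met += int(can_unlock(entry, usable))
            else:  # tang entries are identified by URL, other pins by their name
                met += int((entry.get("url") if name == "tang" else name) in usable)
    return met >= cfg["t"]
```

Feeding can_unlock the set of pins expected to be available at boot is a quick way to confirm a threshold layout before binding it to a LUKS volume.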

Hello @felsgaertner . Regarding your second question: yes, you should be able to configure nested "sss" pins.