metropolis: finish implementing TPMMode
This wraps up the implementation of TPMMode in ClusterConfiguration,
allowing operators to select whether nodes should or should not use
their TPM, based on local availability.
We keep the default behaviour to require a TPM, as we'd like to be
secure by default.
Change-Id: Ic8ac76d88ecc9de51f58ca99c92daede79d78ad7
Reviewed-on: https://review.monogon.dev/c/monogon/+/1495
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/proto/api/management.proto b/metropolis/proto/api/management.proto
index 5560455..5c8905f 100644
--- a/metropolis/proto/api/management.proto
+++ b/metropolis/proto/api/management.proto
@@ -148,6 +148,16 @@
// heartbeats was received, expressed in nanoseconds. It is only valid with
// the health status of either HEALTHY or HEARTBEAT_TIMEOUT.
google.protobuf.Duration time_since_heartbeat = 6;
+
+ // tpm_usage describes whether this node has a TPM 2.0 and whether it is
+ // being actively used as part of its membership in the Metropolis cluster.
+ //
+ // Currently, the TPM 2.0 is only used to seal the local part of the disk
+ // encryption key and the early join credentials of the node. Depending on
+ // future cluster configuration settings, this might also indicate that the
+ // node has actually passed high assurance hardware attestation against the
+ // cluster.
+ metropolis.proto.common.NodeTPMUsage tpm_usage = 8;
}
message ApproveNodeRequest {
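Review bot: The comment on `tpm_usage` lets one field stand for two different assurances: today it means the TPM seals the local part of the disk encryption key and the join credentials, but it "might also" come to mean that the node passed hardware attestation. A consumer that sees NODE_TPM_PRESENT_AND_USED cannot tell which guarantee it is getting, and may read it as an integrity statement it does not carry. I'd state the current limit explicitly, e.g. `// This value does not indicate that the node has passed hardware attestation.`, and report attestation through a separate field or enum value once it exists. The hunk also does not show whether the value is self-reported by the node or verified by the cluster, which the comment should say. The enclosing message starts outside the hunk.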
diff --git a/metropolis/proto/common/common.proto b/metropolis/proto/common/common.proto
index 27dfa5a..8e0fa58 100644
--- a/metropolis/proto/common/common.proto
+++ b/metropolis/proto/common/common.proto
@@ -302,3 +302,16 @@
}
TPMMode tpm_mode = 1;
}
+
+// NodeTPMUsage describes whether a node has a TPM2.0 and if it is/should be
+// actively used to seal secrets before saving them to its EFI system partition.
+enum NodeTPMUsage {
+ NODE_TPM_INVALID = 0;
+ // This node has no TPM 2.0.
+ NODE_TPM_NOT_PRESENT = 1;
+ // This node has a TPM 2.0 but the cluster configuration mandates not using
+ // it.
+ NODE_TPM_PRESENT_BUT_UNUSED = 2;
+ // This node has a TPM 2.0 and it is being actively used.
+ NODE_TPM_PRESENT_AND_USED = 3;
+}
\ No newline at end of file
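Review bot: `NODE_TPM_INVALID = 0` is the only value in `NodeTPMUsage` without a comment, and as the zero value it is what a reader gets whenever the field was never set. Document it so that consumers treat it as unknown rather than folding it into "used" or "not present", e.g. `// Usage is unknown or was not reported; must not be interpreted as the TPM being in use.` The enum's leading comment says "is/should be", which mixes observed state with desired policy. Since `TPMMode` appears to carry the policy, I'd word this enum as observed state only.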