Summer 2022 Internship (and beyond!) Roadmap #392

Open
20 of 29 tasks
lkatalin opened this issue Jun 8, 2022 · 1 comment


lkatalin commented Jun 8, 2022

Note that this roadmap is changeable and may undergo edits as we adapt the project!

Note also that this is a larger number of tasks than we expect to be completed over one summer internship. While the focus is on running Keylime in a public cloud and documenting steps to do so, beyond this task the idea is to "choose your own adventure" and tackle any optional tasks that sound exciting to you.

Goals

  • Enable use of Keylime with Rust agent on at least one mainstream cloud provider.
  • Document the setup and any errors encountered (resolve if possible).
  • Remove friction for new users and developers by improving and updating documentation and scripting around setup in public cloud as well as locally.
  • Improve security by addressing outstanding issues around integration testing.
  • Investigate potential integration of hardware TPMs from cloud provider, or tests from other repos, into CI for Rust agent.

The benefits include showing the practicality of running Keylime in a public cloud environment, making it easier for new users and developers to get an environment set up and to run Keylime, and improving security and integration testing - including investigating the potential to use real hardware TPMs in the Rust agent CI. (Note that bringing in cloud providers' VMs to the CI may require funding, which is out of scope here.)

Primary Tasks

Feature addition

  • Choose at least one open issue on the Rust Keylime repo that looks interesting and create a PR to fix it (look for Good First Issue label)

Keylime environment

Get Keylime with the Rust agent running on:

  • Mainstream cloud provider setup (GCP)
    • Get Keylime running with hardware TPM and/or document blockers to doing so
    • Document the steps to do so
    • Resolve or open issues for any errors
    • Create new repo with ansible playbooks that can create a dev/demo environment in that cloud (could be modeled on current vagrant repo)
    • Option: explore making it official ansible playbook and/or using something like terraform if warranted

Demo and handoff

  • Create a short demo showing Keylime running in this new environment and recapping the work done over the summer
  • Create a doc, issues, or README with next steps at end of summer

Optional tasks

Keylime environment

  • Second mainstream cloud provider setup (AWS)
    • Get Keylime running with hardware TPM and/or document blockers to doing so
    • Document the steps to do so
    • Resolve or open issues for any errors
    • Create new repo with ansible playbooks that can create a dev/demo environment in that cloud (could be modeled on current vagrant repo)
  • Get Keylime running on a 3rd cloud provider (ex. Azure)
  • Vagrant setup
    • Get Rust agent working with Vagrant setup (currently undocumented!)
    • Update the internal Keylime setup notes doc with above steps; consider moving this info to public repo and archiving the internal doc
    • Update documentation about running with multiple agents
    • Submit a PR to the vagrant repo to supersede #48 and get this working again
  • Libvirt / manual setup (documented poorly in this gist)
    • Update Rust agent README with info on how to run the agent with Python Keylime components and swtpm (under a new header)
    • Update Rust agent README pointing to vagrant repo as alternative (only if that repo has been updated)

Integration testing

  • Bring in keylime/keylime tests to Rust agent CI to test on each new Rust agent PR that components still work together
  • Using the work from setting up Keylime on at least one public cloud, investigate and document how these VMs equipped with vTPMs could be used in the Rust agent CI (and/or any technical blockers to doing so)

Security enhancement (from this issue)

Feature addition

  • For any bugs encountered while doing other work, or missing features that could be helpful, open an issue scoping the problem (and resolve it if possible)

lkatalin commented Jun 8, 2022

@lukehinds @mpeters @jyotsna-penumaka
FYI in case you'd like any edits, additions, etc.

lkatalin changed the title from "Summer 2022 Internship Roadmap" to "Summer 2022 Internship (and beyond!) Roadmap" on Jun 9, 2022