Implements TPM vendor check function

This change implements a means to check the vendor of the TPM. The main use for this function is to establish if we are using a software based TPM and in turn warn that no hardware root of trust is available
keylime · Nov 4, 2020 · b659bf5 · b659bf5
1 parent 36802e4
commit b659bf5
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/main.rs b/src/main.rs
@@ -32,6 +32,13 @@ static NOTFOUND: &[u8] = b"Not Found";
 async fn main() -> Result<()> {
     pretty_env_logger::init();
     let mut ctx = tpm::get_tpm2_ctx()?;
+    //  Retreive the TPM Vendor, this allows us to warn if someone is using a
+    // Software TPM ("SW")
+    if tss_esapi::utils::get_tpm_vendor(&mut ctx)?.contains("SW") {
+        warn!("INSECURE: Keylime is using a software TPM emulator rather than a real hardware TPM.");
+        warn!("INSECURE: The security of Keylime is NOT linked to a hardware root of trust.");
+        warn!("INSECURE: Only use Keylime in this mode for testing or debugging purposes.");
+    }
     let cloudagent_ip =
         config_get("/etc/keylime.conf", "cloud_agent", "cloudagent_ip")?;
     let cloudagent_port =