# Revocation Cascade Timing

When Keylime detects a TPM attestation failure, trust withdrawal cascades through the stack automatically. No custom revocation protocol is needed: each layer reacts to the posture change produced by the layer above it.

## Cascade Stages

| # | Stage | Default Interval | Trigger |
|---|-------|------------------|---------|
| 1 | Keylime detects failure | 300s (pull) / varies (push) | TPM quote mismatch, IMA violation, boot integrity |
| 2 | Posture evaluator updates ConfigMap | 300s | Keylime verdict changes |
| 3 | Bascule session downgrade | 30s | posture-current ConfigMap poll |
| 4 | SPIRE re-attestation fails | varies | Keylime attestor reads ConfigMap |
| 5 | SVID expiry (identity loss) | 3600s (1 hour) | SPIRE agent can't renew |
| 6 | Service mTLS failures | immediate after 5 | Peer cert expired/missing |
| 7 | Quorum degradation | immediate after 6 | SPIRE federation: other members see expired SVIDs |

## Timing Profiles

### Standard (default) — ~1 hour total cascade

Acceptable for most workloads. The SVID TTL provides a grace period for transient failures.

### Enhanced — ~15 minute total cascade

```yaml
# SVID TTL
default_x509_svid_ttl: 15m
# SPIRE re-attestation (implicit via SVID rotation interval)
# Keylime poll: default 300s is fine
```

Higher renewal overhead, faster trust withdrawal.

### Critical — ~5 minute total cascade

```yaml
default_x509_svid_ttl: 5m
```

Significant renewal overhead. Use only for high-security workloads where fast trust withdrawal justifies the cost.

## Cross-Edge (Quorum) Propagation

When one quorum member's edge fails Keylime attestation:

1. That edge's SPIRE server stops issuing SVIDs (the Keylime attestor rejects it)
2. Existing SVIDs expire (per TTL)
3. Other members' services see TLS handshake failures (expired peer cert)
4. No explicit cross-member notification is needed: SPIRE federation's standard certificate lifecycle handles it

This is automatic. SPIRE federation trusts Member A's SVIDs via the bundle exchange. When those SVIDs expire and aren't renewed, Member B's services can't verify them.

## Configuration

See `spire-server-keylime.yaml` for the SPIRE server configuration with the Keylime node attestor plugin and timing parameters.
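As an added illustration (not part of this page, Keylime or SPIRE), a small Python model of the cascade table above: it bounds the time from a TPM failure to service mTLS failure for each timing profile and inverts that bound into the largest SVID TTL a target withdrawal time allows. Stage intervals come from the table; the assumption that the two "varies" stages (push-mode Keylime, SPIRE re-attestation) add no delay beyond the SVID TTL is mine.

```python
# Constructed model of the cascade table: worst-case and expected
# trust-withdrawal latency for a given SVID TTL, plus the inverse.
# Assumption (not from the page): push-mode Keylime and the SPIRE
# re-attestation stage add no delay beyond the SVID TTL.
from dataclasses import dataclass

KEYLIME_POLL_S = 300   # stage 1: Keylime pull-mode attestation interval
POSTURE_EVAL_S = 300   # stage 2: posture evaluator ConfigMap update interval
BASCULE_POLL_S = 30    # stage 3: Bascule posture-current ConfigMap poll

# SVID TTLs of the three timing profiles (stage 5)
PROFILE_TTL_S = {"standard": 3600, "enhanced": 15 * 60, "critical": 5 * 60}

POLL_STAGES_S = (KEYLIME_POLL_S, POSTURE_EVAL_S, BASCULE_POLL_S)


@dataclass(frozen=True)
class CascadeBound:
    worst_s: int        # every stage sees the change just after its last poll
    expected_s: float   # change lands uniformly inside each interval (half each)
    dominant: str       # stage contributing most to the worst case


def cascade_bound(svid_ttl_s: int) -> CascadeBound:
    """Bound the time from TPM failure to service mTLS failure (stages 1-6).
    Stages 6 and 7 are immediate per the table and add nothing."""
    stages = {
        "keylime_poll": KEYLIME_POLL_S,
        "posture_eval": POSTURE_EVAL_S,
        "bascule_poll": BASCULE_POLL_S,
        "svid_ttl": svid_ttl_s,
    }
    worst = sum(stages.values())
    expected = sum(v / 2 for v in stages.values())
    dominant = max(stages, key=stages.get)
    return CascadeBound(worst, expected, dominant)


def max_ttl_for_target(target_s: int) -> int:
    """Largest SVID TTL whose worst-case cascade still fits in target_s.
    Returns 0 when the polling stages alone already exceed the target."""
    return max(0, target_s - sum(POLL_STAGES_S))


if __name__ == "__main__":
    for name, ttl in PROFILE_TTL_S.items():
        b = cascade_bound(ttl)
        print(f"{name:9s} worst {b.worst_s}s expected {b.expected_s:.0f}s "
              f"dominant {b.dominant}")
```

The three polling stages alone contribute 630s in the worst case, so shortening the SVID TTL below a few minutes yields little further reduction in withdrawal time unless the poll intervals are tightened too.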