tking/guildhouse-spire-plugins
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
guildhouse-spire-plugins/deploy/cascade-timing.md
Tyler J King f0268305ae docs(spire): revocation cascade timing + Keylime SPIRE server config 
Document the trust withdrawal cascade:
  Keylime breach → posture degraded → sessions downgraded
  → SPIRE re-attestation fails → SVIDs expire
  → service mTLS fails → quorum degrades

No new code for the cascade — it's emergent from existing
re-attestation behavior + the Keylime attestor plugin.
SPIRE federation handles cross-edge propagation through
standard certificate expiration.

Three timing profiles: Standard (~1hr), Enhanced (~15min),
Critical (~5min) with SVID TTL configuration guidance.

Example SPIRE server config with Keylime attestor + k8s_psat
fallback for nodes without hardware TPM.

Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>
2026-04-15 20:36:00 -04:00

63 lines
2.2 KiB
Markdown
Raw Blame History

# Revocation Cascade Timing
When Keylime detects a TPM attestation failure, trust withdrawal cascades
through the stack automatically. No custom revocation protocol — each
layer reacts to the posture change produced by the layer above it.
## Cascade Stages
| # | Stage | Default Interval | Trigger |
|---|-------|-----------------|---------|
| 1 | Keylime detects failure | 300s (pull) / varies (push) | TPM quote mismatch, IMA violation, boot integrity |
| 2 | Posture evaluator updates ConfigMap | 300s | Keylime verdict changes |
| 3 | Bascule session downgrade | 30s | posture-current ConfigMap poll |
| 4 | SPIRE re-attestation fails | varies | Keylime attestor reads ConfigMap |
| 5 | SVID expiry (identity loss) | 3600s (1 hour) | SPIRE agent can't renew |
| 6 | Service mTLS failures | immediate after 5 | Peer cert expired/missing |
| 7 | Quorum degradation | immediate after 6 | SPIRE federation — other members see expired SVIDs |
## Timing Profiles
### Standard (default) — ~1 hour total cascade
Acceptable for most workloads. SVID TTL provides grace period for
transient failures.
### Enhanced — ~15 minute total cascade
```yaml
# SVID TTL
default_x509_svid_ttl: 15m
# SPIRE re-attestation (implicit via SVID rotation interval)
# Keylime poll: default 300s is fine
```
Higher renewal overhead, faster trust withdrawal.
### Critical — ~5 minute total cascade
```yaml
default_x509_svid_ttl: 5m
```
Significant renewal overhead. Use only for high-security workloads
where fast trust withdrawal justifies the cost.
## Cross-Edge (Quorum) Propagation
When one quorum member's edge fails Keylime attestation:
1. That edge's SPIRE server stops issuing SVIDs (Keylime attestor rejects)
2. Existing SVIDs expire (per TTL)
3. Other members' services see TLS handshake failures (expired peer cert)
4. No explicit cross-member notification needed — SPIRE federation's
standard certificate lifecycle handles it
This is automatic. SPIRE federation trusts Member A's SVIDs via the
bundle exchange. When those SVIDs expire and aren't renewed, Member B's
services can't verify them.
## Configuration
See `spire-server-keylime.yaml` for the SPIRE server configuration with
the Keylime node attestor plugin and timing parameters.
Reference in a new issue View git blame Copy permalink