Description
SPIRE makes use of a TPM simulator (https://github.com/spiffe/spire/blob/main/test/tpmsimulator/simulator.go) for whitebox unit testing of the tpm_devid plugin. This is useful as it provides an ephemeral TPM fake that runs quickly with the test suite and covers both attestation and session management primitives.
However, this is limited to the tpm_devid plugin only and does not exercise the SPIFFE external plugin spire-tpm-plugin (or any plugins that might be added in the future).
There's also something of a maintenance burden in having our own TPM 2.0-compliant simulator (although perhaps this isn't a huge problem given the likely operations the Agent uses).
An improvement here could be to begin to add test coverage at the integration level by using a software TPM - something like swtpm. This is an approach used by TPM-centric projects like Keylime, and e.g. library code for TPM 2.0 bindings in Rust.
Happy to contribute to this, but I wanted to raise it for opinions before submitting any diff.
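As an added illustration of what an swtpm-backed integration check looks like (example code written for this page, not part of SPIRE, spire-tpm-plugin or the issue author's proposal): the Go program below speaks raw TPM 2.0 command frames to an swtpm data socket, sends TPM2_Startup followed by TPM2_GetRandom, and validates the response framing. It assumes swtpm was started separately, e.g. `swtpm socket --tpm2 --tpmstate dir=/tmp/swtpm --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --flags not-need-init`, and that the data socket address is given by an assumed `SWTPM_ADDR` environment variable (default `127.0.0.1:2321`). Because swtpm may have been started with `startup-clear`, a TPM2_Startup that comes back with TPM_RC_INITIALIZE (0x100) is treated as acceptable rather than as a failure. When no swtpm is reachable the program prints SKIP and exits cleanly, which is how an integration test would behave on machines without the simulator.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// Constants from the TCG TPM 2.0 Library Specification, Part 2 (Structures).
const (
	tpmStNoSessions uint16 = 0x8001     // TPM_ST_NO_SESSIONS
	tpmCCStartup    uint32 = 0x00000144 // TPM_CC_Startup
	tpmCCGetRandom  uint32 = 0x0000017B // TPM_CC_GetRandom
	tpmSUClear      uint16 = 0x0000     // TPM_SU_CLEAR
	tpmRCSuccess    uint32 = 0x00000000
	tpmRCInitialize uint32 = 0x00000100 // TPM_RC_INITIALIZE: Startup was already performed
	tpmHeaderLen           = 10         // tag(2) + size(4) + code(4)
	maxResponse            = 4096       // sanity bound on the response size field
)

// marshalCommand frames a no-session command: tag, total size, command code, parameters.
func marshalCommand(cc uint32, params []byte) []byte {
	buf := make([]byte, tpmHeaderLen, tpmHeaderLen+len(params))
	binary.BigEndian.PutUint16(buf[0:2], tpmStNoSessions)
	binary.BigEndian.PutUint32(buf[2:6], uint32(tpmHeaderLen+len(params)))
	binary.BigEndian.PutUint32(buf[6:10], cc)
	return append(buf, params...)
}

// startupClearCmd encodes TPM2_Startup(TPM_SU_CLEAR), the first command after power-on.
func startupClearCmd() []byte {
	p := make([]byte, 2)
	binary.BigEndian.PutUint16(p, tpmSUClear)
	return marshalCommand(tpmCCStartup, p)
}

// getRandomCmd encodes TPM2_GetRandom(bytesRequested).
func getRandomCmd(n uint16) []byte {
	p := make([]byte, 2)
	binary.BigEndian.PutUint16(p, n)
	return marshalCommand(tpmCCGetRandom, p)
}

// parseResponse checks the response header and returns the response code and parameter area.
func parseResponse(resp []byte) (uint32, []byte, error) {
	if len(resp) < tpmHeaderLen {
		return 0, nil, errors.New("response shorter than header")
	}
	if size := binary.BigEndian.Uint32(resp[2:6]); int(size) != len(resp) {
		return 0, nil, fmt.Errorf("size field %d does not match %d bytes received", size, len(resp))
	}
	return binary.BigEndian.Uint32(resp[6:10]), resp[tpmHeaderLen:], nil
}

// parseGetRandom extracts the TPM2B_DIGEST payload from a TPM2_GetRandom response,
// rejecting a payload whose declared length disagrees with the bytes actually present.
func parseGetRandom(resp []byte) ([]byte, error) {
	rc, params, err := parseResponse(resp)
	if err != nil {
		return nil, err
	}
	if rc != tpmRCSuccess {
		return nil, fmt.Errorf("TPM2_GetRandom failed: rc=0x%x", rc)
	}
	if len(params) < 2 {
		return nil, errors.New("missing TPM2B size field")
	}
	if n := int(binary.BigEndian.Uint16(params[0:2])); len(params)-2 != n {
		return nil, fmt.Errorf("TPM2B size %d does not match %d payload bytes", n, len(params)-2)
	}
	return params[2:], nil
}

// roundTrip writes one command and reads exactly one response frame: header first,
// then the number of bytes the header's size field announces.
func roundTrip(conn net.Conn, cmd []byte) ([]byte, error) {
	if _, err := conn.Write(cmd); err != nil {
		return nil, err
	}
	hdr := make([]byte, tpmHeaderLen)
	if _, err := io.ReadFull(conn, hdr); err != nil {
		return nil, err
	}
	size := binary.BigEndian.Uint32(hdr[2:6])
	if size < tpmHeaderLen || size > maxResponse {
		return nil, fmt.Errorf("implausible response size %d", size)
	}
	rest := make([]byte, size-tpmHeaderLen)
	if _, err := io.ReadFull(conn, rest); err != nil {
		return nil, err
	}
	return append(hdr, rest...), nil
}

func main() {
	addr := os.Getenv("SWTPM_ADDR") // assumed variable for this example, not a SPIRE setting
	if addr == "" {
		addr = "127.0.0.1:2321"
	}
	conn, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		fmt.Printf("SKIP: no swtpm reachable at %s (%v)\n", addr, err)
		return
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(5 * time.Second))

	resp, err := roundTrip(conn, startupClearCmd())
	if err != nil {
		fmt.Println("FAIL: TPM2_Startup:", err)
		os.Exit(1)
	}
	// Success, or RC_INITIALIZE when swtpm was launched with --flags startup-clear.
	if rc, _, err := parseResponse(resp); err != nil || (rc != tpmRCSuccess && rc != tpmRCInitialize) {
		fmt.Printf("FAIL: TPM2_Startup rc=0x%x err=%v\n", rc, err)
		os.Exit(1)
	}
	resp, err = roundTrip(conn, getRandomCmd(16))
	if err != nil {
		fmt.Println("FAIL: TPM2_GetRandom:", err)
		os.Exit(1)
	}
	rnd, err := parseGetRandom(resp)
	if err != nil {
		fmt.Println("FAIL:", err)
		os.Exit(1)
	}
	fmt.Printf("PASS: swtpm returned %d random bytes: %x\n", len(rnd), rnd)
}
```

The framing helpers are deliberately separate from the socket code so the unit-level parts stay testable without an swtpm present, while the round trip in `main` only runs when the simulator is actually listening.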