
Enforce sprockets measurements #9938

Open: labbott wants to merge 1 commit into main from labbott/sprockets_enforce
@labbott labbott commented Feb 27, 2026

Contributor

Sprockets is currently in warning only mode for measurements. This
change makes sprockets reject connections if the reference measurements
aren't as expected. Being able to turn this on/off with a sled-agent
config is still a security gap as tech port access can defeat this.
It's still useful to have this as a backup option for a little
while longer since a failure here will prevent the control plane
from coming up. The eventual plan will be to change sprockets to be always
enforcing regardless of the config.

When measurements are enforced we need a (relatively) easy way
to allow testing of engineering builds of the SP that need the full
control plane. A good example would be a change in the SP to collect
sensor data in the control plane. This also adds a tool to take care
of adjusting the measurement manifest on the `install` dataset. This
restricts testing to MUPdate cases but if you need to test
reconfigurator with an engineering SP build you are better off
making a full TUF repo.
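
The difference between warning-only and enforcing appraisal described above, as an added illustration that is not code from this pull request or from sprockets. `MeasurementPolicy`, `Appraisal`, `Rejected`, `appraise` and the digests are hypothetical names and constructed values, and failing an empty measurement log is an assumption of the example.

```rust
use std::collections::BTreeSet;

/// Hypothetical stand-in for the sled-agent config switch described above.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum MeasurementPolicy { WarnOnly, Enforce }

#[derive(Debug, PartialEq)]
pub enum Appraisal {
    /// Every attested measurement is in the reference set.
    Trusted,
    /// Unexpected measurements were seen, but warn-only lets the peer in.
    AcceptedWithWarning(Vec<String>),
}

/// The peer is refused; carries the unexpected digests for logging.
#[derive(Debug, PartialEq)]
pub struct Rejected(pub Vec<String>);

/// Appraise a peer's attested digests against the reference manifest.
pub fn appraise(
    policy: MeasurementPolicy,
    attested: &[&str],
    reference: &BTreeSet<String>,
) -> Result<Appraisal, Rejected> {
    let mut unexpected: Vec<String> = attested
        .iter()
        .filter(|d| !reference.contains(**d))
        .map(|d| d.to_string())
        .collect();
    // Assumption of this example: an empty log proves nothing, so it fails.
    if attested.is_empty() {
        unexpected.push("<no measurements>".to_string());
    }
    match (unexpected.is_empty(), policy) {
        (true, _) => Ok(Appraisal::Trusted),
        (false, MeasurementPolicy::WarnOnly) => Ok(Appraisal::AcceptedWithWarning(unexpected)),
        (false, MeasurementPolicy::Enforce) => Err(Rejected(unexpected)),
    }
}

fn main() {
    // Constructed digests; "ee99" stands for an engineering SP image.
    let mut reference: BTreeSet<String> =
        ["aa11", "bb22"].iter().map(|s| s.to_string()).collect();
    let eng_build = ["aa11", "ee99"];
    println!("{:?}", appraise(MeasurementPolicy::WarnOnly, &eng_build, &reference));
    println!("{:?}", appraise(MeasurementPolicy::Enforce, &eng_build, &reference));
    reference.insert("ee99".to_string()); // manifest adjusted for the test build
    println!("{:?}", appraise(MeasurementPolicy::Enforce, &eng_build, &reference));
}
```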

@labbott labbott changed the title Enforce sprockets measurements WIP: Enforce sprockets measurements Feb 27, 2026
@labbott labbott marked this pull request as draft February 27, 2026 17:05

labbott commented Feb 27, 2026

Contributor Author
Appraisal Failed

@labbott labbott added this to the 20 milestone Feb 27, 2026
@labbott labbott modified the milestones: 20, 21 May 1, 2026

labbott commented May 1, 2026

Contributor Author

Changed this to 21

@labbott labbott force-pushed the labbott/sprockets_enforce branch from daae34f to 5967404 Compare June 12, 2026 17:41
@labbott labbott marked this pull request as ready for review June 12, 2026 17:41
@labbott labbott changed the title WIP: Enforce sprockets measurements Enforce sprockets measurements Jun 12, 2026
@labbott labbott force-pushed the labbott/sprockets_enforce branch 3 times, most recently from ae3b6c2 to 0024df7 Compare June 14, 2026 22:09

labbott commented Jun 18, 2026

Contributor Author

I gave this another quick round of testing and it seems to work. I expect we're going to get more mileage out of merging it.

@labbott labbott force-pushed the labbott/sprockets_enforce branch from 0024df7 to 5c432de Compare June 24, 2026 18:29
@andrewjstone andrewjstone self-requested a review June 25, 2026 19:22

@andrewjstone andrewjstone left a comment

Contributor

Looks good!
