Update comments in the configuration file

The comments in the configuration file didn't reflect the actual supported values and behavior. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
keylime · Sep 21, 2022 · 6318234 · 6318234
1 parent 9dfb597
commit 6318234
Showing 1 changed file with 31 additions and 22 deletions.
diff --git a/keylime-agent.conf b/keylime-agent.conf
@@ -10,10 +10,6 @@ version = "2.0"
 # If you set this to "generate", Keylime will create a random UUID.
 # If you set this to "hash_ek", Keylime will set the UUID to the result
 # of 'SHA256(public EK in PEM format)'.
-# If you set this to "dmidecode", Keylime will use the UUID from
-# 'dmidecode -s system-uuid'.
-# If you set this to "hostname", Keylime will use the full qualified domain
-# name of current host as the agent id.
 uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
 
 # The binding address and port for the agent server
@@ -42,6 +38,8 @@ keylime_dir = "/var/lib/keylime"
 # This private key is used to serve the Keylime agent REST API
 # A new private key is generated in case it is not found.
 # If set as "default", the "server-private.pem" value is used.
+# If a relative path is set, it will be considered relative from the keylime_dir.
+# If an absolute path is set, it is used without change
 server_key = "default"
 
 # Set the password used to encrypt the private key file.
@@ -54,10 +52,15 @@ server_key_password = ""
 # server TLS certificate.
 # This certificate must be self signed.
 # If set as "default", the "server-cert.crt" value is used
+# If a relative path is set, it will be considered relative from the keylime_dir.
+# If an absolute path is set, it is used without change.
 server_cert = "default"
 
 # The CA that signs the client certificates of the tenant and verifier.
-# If set as "default" the "cv_ca/cacert.crt" value is used
+# If set as "default" the "cv_ca/cacert.crt" value, relative from the
+# keylime_dir is used.
+# If a relative path is set, it will be considered relative from the keylime_dir.
+# If an absolute path is set, it is used without change.
 trusted_client_ca = "default"
 
 # The name that should be used for the encryption key, placed in the
@@ -73,45 +76,48 @@ dec_payload_file = "decrypted_payload"
 # The default below sets it to 1 megabyte.
 secure_size = "1m"
 
-# Whether to allow the cloud_agent to automatically extract a zip file in
-# the delivered payload after it has been decrypted, or not. Defaults to "true".
+# Whether to allow the agent to automatically extract a zip file in the
+# delivered payload after it has been decrypted, or not. Defaults to "true".
 # After decryption, the archive will be unzipped to a directory in $keylime_dir/secure.
 # Note: the limits on the size of the tmpfs partition set above with the 'secure_size'
 # option will affect this.
 extract_payload_zip = true
 
-# Whether to listen for revocation notifications from the verifier or not.
+# Whether to listen for revocation notifications from the verifier via zeromq.
+# Note: The agent supports receiving revocation notifications via REST API
+# regardless of the value set here.
 enable_revocation_notifications = true
 
 # The path to the directory containing the pre-installed revocation action
 # scripts.  Ideally should point to an fixed/immutable location subject to
 # attestation.  The default is /usr/libexec/keylime.
 revocation_actions_dir = "/usr/libexec/keylime"
 
-# Revocation IP & Port used by either the cloud_agent to receive revocation
-# notifications from the verifier.
+# Revocation IP & Port used by the agent to receive revocation
+# notifications from the verifier via zeromq.
+# This is optional and used only when 'enable_revocation_notifications' is 'true'.
 revocation_notification_ip = "127.0.0.1"
 revocation_notification_port = 8992
 
 # The path to the certificate to verify revocation messages received from the
-# verifier.  The path is relative to $keylime_dir unless an absolute path is
+# verifier.  The path is relative to keylime_dir unless an absolute path is
 # provided (i.e. starts with '/').
 # If set to "default", Keylime will use the file RevocationNotifier-cert.crt
-# from the unzipped contents provided by the tenant.
+# from the unzipped payload contents provided by the tenant.
 revocation_cert = "default"
 
 # A comma-separated list of executables to run upon receiving a revocation
 # message. Keylime will verify the signature first, then call these executables
-# with the json revocation message.  The executables must be located in the
-# 'revocation_actions' directory.
+# passing the json revocation message.
+# The executables must be located in the 'revocation_actions' directory.
 #
 # Keylime will also get the list of revocation actions from the file
-# action_list in the unzipped contents provided by the verifier.
+# action_list in the unzipped payload contents provided by the verifier.
 revocation_actions = ""
 
-# A script to execute after unzipping the tenant payload.  This is like
-# cloud-init lite =)  Keylime will run it with a /bin/sh environment and
-# with a working directory of $keylime_dir/secure/unzipped.
+# A script to execute after unzipping the tenant payload.
+# Keylime will run it with a /bin/sh environment and with a working directory of
+# $keylime_dir/secure/unzipped.
 payload_script = "autorun.sh"
 
 # In case mTLS for the agent is disabled and the use of payloads is still
@@ -143,14 +149,16 @@ tpm_signing_alg = "rsassa"
 # create a new EK upon startup, and neither will it flush the EK upon exit.
 ek_handle = "generate"
 
-# Use this option to state the existing TPM ownerpassword. This option should
-# be set only when ek_handle option points to an existing EK.
+# Use this option to state the existing TPM ownerpassword.
+# This option should be set only when a password is set for the Endorsement
+# Hierarchy (e.g. via "tpm2_changeauth -c e").
+# If no password was set, keep the empty string "".
 tpm_ownerpassword = ""
 
 # The user account to switch to to drop privileges when started as root
 # If left empty, the agent will keep running with high privileges.
 # The user and group specified here must allow the user to access the
-# WORK_DIR (typically /var/lib/keylime) and /dev/tpmrm0. Therefore,
+# WORK_DIR (by default /var/lib/keylime) and /dev/tpmrm0. Therefore, the
 # suggested value for the run_as parameter is keylime:tss.
 # The following commands should be used to set ownership before running the
 # agent:
@@ -168,6 +176,7 @@ run_as = "keylime:tss"
 # Path where to store the agent tpm data which can be loaded later
 # If not an absolute path, it will be considered a relative path from the
 # directory set by the keylime_dir option above
-# If set as "default" Keylime will use "agent_data.json"
+# If set as "default" Keylime will use "agent_data.json", located at
+# keylime_dir.
 agent_data_path = "default"