From af1b8ba7c1fbd322dc9e1c650e0010285f6a80ff Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Tue, 29 Sep 2020 15:52:09 +0100 Subject: [PATCH] Update keylime.conf to latest version We may need to think of better ways of syncing the conf between both projects. For now I have moved the file over in its entirety as we will require integration tests and so forth (so keys around the verifier and register will be used there). --- keylime.conf | 477 ++++++++++++++++++++++++++++++++++++++++++++++----- src/main.rs | 4 +- 2 files changed, 438 insertions(+), 43 deletions(-) diff --git a/keylime.conf b/keylime.conf index 86ad7e25..cdfa0752 100644 --- a/keylime.conf +++ b/keylime.conf @@ -1,80 +1,67 @@ [general] #============================================================================= -# these options are self explanatory ip/port combinations to find the various -# keylime services on the network. some services use these, some do not. -# But they are used frequently enough that they end up here -cloudverifier_port = 8881 -registrar_port = 8890 -registrar_tls_port = 8891 -registrar_ip = 127.0.0.1 -cloudagent_port = 9002 -provider_registrar_port = 8990 -provider_registrar_tls_port = 8991 -provider_registrar_ip = 127.0.0.1 -webapp_port = 443 -webapp_ip = 127.0.0.1 - -# This is the port combination of the notification server. The cloud verifier -# will start a notification server automatically if the revocation_notifier -# option is set to true -revocation_notifier_ip = 127.0.0.1 -revocation_notifier_port = 8992 -# turn on or off TLS keylime wide +# Turn on or off TLS keylime wide enable_tls = True -# turn on or off DNS hostname checking for TLS certificates. +# Turn on or off DNS hostname checking for TLS certificates. tls_check_hostnames = False -# set which provider you want for the generation of certificates -# valid options are 'cfssl' or 'openssl' For cfssl to work, you must have the +# Set which provider you want for the generation of certificates +# Valid options are 'cfssl' or 'openssl' For cfssl to work, you must have the # go binary installed in your path or in /usr/local/ -# revocation list generation is only supported by cfssl -ca_implementation = cfssl +# Revocation list generation is only supported by cfssl +ca_implementation = openssl #============================================================================= [cloud_agent] #============================================================================= + +# The Agent's IP address and port used to communicate with other services +# as well as a bind address for the agent server. +cloudagent_ip = 127.0.0.1 +cloudagent_port = 9002 + # What is the name of the rsa key that keylime should use for protecting # shares of U/V rsa_keyname = tci_rsa_key -# what filename in /var/lib/keylime/secure should the encryption key be placed +# What filename in /var/lib/keylime/secure should the encryption key be placed enc_keyname = derived_tci_key -# what filename in /var/lib/keylime/secure should the optional decrypted +# What filename in /var/lib/keylime/secure should the optional decrypted # payload be placed dec_payload_file = decrypted_payload -# size of the memory backed tmpfs partition where keylime stores crypto keys +# The size of the memory backed tmpfs partition where keylime stores crypto keys # use syntax that mount would accept as a size parameter for tmpfs # the default below sets it to 1 megabyte secure_size = 1m -# use this option to set the TPM ownerpassword to something you want to use. +# Use this option to set the TPM ownerpassword to something you want to use. # Set it to "generate" if you want keylime to choose a random owner password # for you tpm_ownerpassword = keylime -# set to true to allow the cloud_agent to automatically extract a zip file in +# Set to true to allow the cloud_agent to automatically extract a zip file in # the delivered payload after it has been decrypted. It will be decrypted to # a folder unzipped in /var/lib/keylime/secure. Note the limits on the size # of the tmpfs partition above with secure_size option extract_payload_zip = True -# set the agent's uuid to the given value. -# set to 'openstack', it will try to get the uuid from the metadata service -# if you set this to 'generate', keylime will create a random uuid -# if you set this to 'hash_ek', keylime will set the UUID to the result +# Set the agent's uuid to the given value. +# Set to 'openstack', it will try to get the uuid from the metadata service +# If you set this to 'generate', keylime will create a random uuid +# If you set this to 'hash_ek', keylime will set the UUID to the result # of SHA256(public EK in PEM format) agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000 -# whether to listen for revocation notifications from the verifier +# Whether to listen for revocation notifications from the verifier listen_notfications = True -# path to the certificate to verify revocation messages received from the +# Path to the certificate to verify revocation messages received from the # verifier. path is relative to /var/lib/keylime -# if set to "default", keylime will use the file RevocationNotifier-cert.crt +# If set to "default", keylime will use the file RevocationNotifier-cert.crt # from the unzipped contents provided by the tenant revocation_cert = default @@ -83,7 +70,7 @@ revocation_cert = default # scripts with the json revocation message. The scripts must be located in # revocation_actions directory # -# keylime will also get the list of revocation actions from the file +# Keylime will also get the list of revocation actions from the file # action_list in the unzipped contents provided by the verifier # all actions must be named local_action_[some name] revocation_actions= @@ -98,20 +85,428 @@ payload_script=autorun.sh # set to -1 or any negative or out of range PCR value to turn off measure_payload_pcr=-1 -# how long to wait between failed attempts to communicate with the tpm in +# How long to wait between failed attempts to communicate with the tpm in # seconds. floating point values accepted here retry_interval = 1 -# integer number of retries to communicate with the tpm before giving up +# Integer number of retries to communicate with the tpm before giving up max_retries = 10 # TPM2-specific options, allow customizing default algorithms to use. # specify the default crypto algorithms to use with a TPM2 for this agent # -# currently accepted values include: +# Currently accepted values include: # hashing: sha512, sha384, sha256 or sha1 # encryption: ecc or rsa # signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr tpm_hash_alg = sha256 tpm_encryption_alg = rsa tpm_signing_alg = rsassa + +# If an EK is already present on the TPM (e.g., with "tpm2_createek") and +# you require keylime to use this EK, change "generate" to the actual EK +# handle (e.g. "0x81000000"). The keylime agent will then not attempt to +# create a new EK upon startup, and neither will it flush the EK upon exit +ek_handle = generate + +#============================================================================= +[cloud_verifier] +#============================================================================= + +# The cloud verifier IP address and port used to communicate with other services +# as well as a bind address for the verifier server. +cloudverifier_ip = 127.0.0.1 +cloudverifier_port = 8881 + +# Cloud Verifier TLS options. This is for authenticating the CV itself, +# authenticating the users of the CV and securing the transmission of keys +# +# tls_dir option sets directory in /var/lib/keylime/ to put CA certificates +# and files for TLS. +# Set to "generate" to automatically generate a CA/certificates in dir cv_ca +# If set to "generate": ca_cert, my_cert, and private_key must be "default" +# If you specify generate, you can manage the CA that the verifier will create +# using keylime_ca -d /var/lib/keylime/cv_ca/ +tls_dir = generate + +# The filename (in tls_dir) of the CA cert for verifying client certificates +ca_cert = default + +# The filename (in tls_dir) of the cloud verifier certificate and private key +# The following two options also take the string "default" to find a files +# with names -cert.crt and +# -public.pem for cert and private key respectively +my_cert = default +private_key = default + +# Set the password to Decrypt the private key file. this should be set to a +# strong password +# If tls_dir=generate, this password will also be used to protect the +# generated CA private key +private_key_pw = default + +# Registrar client TLS options. This allows the CV to authenticate the +# registar before asking for AIKs +# This option sets the directory where the CA certificate for the registrar +# can be found +# Use "default" to use 'reg_ca' (this points it to the directory automatically +# created by the registrar if it is set to "generate" +# Use "CV" to use 'cv_ca', the directory automatically created (and shared +# with the registar) by the CV +registrar_tls_dir = CV + +# The following three options set the filenames in tls_dir where the CA +# certificate, client certificate, and client private key file are +# if tls_dir = default, then default values will be used for ca_cert = +# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem +registrar_ca_cert = default +registrar_my_cert = default +registrar_private_key = default + +# Set the password to decrypt the private key file. this should be set to a +# strong password +# If you are using the auto generated keys from the CV, set the same password +# here as you did for private_key_pw in the [cloud_verifier] section +registrar_private_key_pw = default + +# Database URL Configuration +# See document https://keylime-docs.readthedocs.io/en/latest/installation.html#database-support +# for instructions on using different database configurations +# The default is sqlite and will be situated at "/var/lib/keylime/cv_data.sqlite" +drivername = sqlite +username = '' +password = '' +host = '' +port = '' +database = cv_data.sqlite +query = '' + + +# Number of worker processes to use for the cloud verifier +# Set to 0 to create one worker per processor +multiprocessing_pool_num_workers = 0 + +# How long to wait between failed attempts to connect to an cloud agent in +# seconds. floating point values accepted here +retry_interval = 1 + +# Integer number of retries to connect to an agent before giving up +max_retries = 10 + +# Time between integrity measurement checks in seconds. Set to 0 to do as +# fast as possible. Floating point values accepted here +quote_interval = 2 + +# Whether to turn on the zero mq based revocation notifier system +# currently this only works if you are using keylime-CA +revocation_notifier = True + +# The revocation notifier IP address and port used to start the revocation service. +# If the revocation_notifier is true, then the verifier automatically +# starts revocation service. +revocation_notifier_ip = 127.0.0.1 +revocation_notifier_port = 8992 + +# The verifier limits the size of upload payloads (whitelists) which defaults to +# 100MB (104857600 bytes). This setting can be raised (or lowered) based on the +# size of the actual payloads +max_upload_size = 104857600 + +#============================================================================= +[tenant] +#============================================================================= + +# Tenant client TLS options. This is for authenticating the CV itself and +# proving that the tenant can talk to the CV. +# tls_dir option sets directory in /var/lib/keylime/ to find client +# certificates for talking to the CV. +# and files for TLS. +# set to default to use the CA setup by the cloud_verifier on the same machine +# files will be in /var/lib/keylime/cv_ca/ +tls_dir = default + +# the following three options set the filenames in tls_dir where the CA +# certificate, client certificate, and client private key file are +# if tls_dir = default, then default values will be used for ca_cert = +# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem +ca_cert = default +my_cert = default +private_key = default + +#EK certificate storage location +tpm_cert_store = /var/lib/keylime/tpm_cert_store/ + +# set the password to decrypt the private key file. this should be set to a +# strong password +# if you are using the auto generated keys from the CV, set the same password +# here as you did for private_key_pw in the [cloud_verifier] section +private_key_pw = default + +# Registrar client TLS options. this allows the tenant to authenticate the +# registar before asking for AIKs +# this option sets the directory where the CA certificate for the registrar +# can be found +# use "default" to use 'reg_ca' (this points it to the directory automatically +# created by the registrar if it is set to "generate" +# use "CV" to use 'cv_ca', the directory automatically created (and shared +# with the registar) by the CV +registrar_tls_dir = CV +# the following three options set the filenames in tls_dir where the CA +# certificate, client certificate, and client private key file are +# if tls_dir = default, then default values will be used for ca_cert = +# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem +registrar_ca_cert = default +registrar_my_cert = default +registrar_private_key = default + +# set the password to decrypt the private key file. this should be set to a +# strong password +# if you are using the auto generated keys from the CV, set the same password +# here as you did for private_key_pw in the [cloud_verifier] section +registrar_private_key_pw = default + +# max size of payload the tenant will take in bytes (default 1 megabyte) +# make sure this matches with secure_size param in the [cloud_agent] section. +# don't send things bigger than the tmpfs where they will be decrypted +max_payload_size = 1048576 + +# TPM policies are json structures that takes a list of accepted pcr values +# and will match any in the list for that pcr. These can be a mixture of any +# hashing algorithms, potentially of varying digest lengths (default policy +# below supports SHA1, SHA-256 and SHA-512) +# note that you can't set a policy on PCR10 and PCR16 because +# keylime uses them internally +tpm_policy = {"22":["0000000000000000000000000000000000000001","0000000000000000000000000000000000000000000000000000000000000001","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001","ffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"],"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]} + +# Same as tpm_policy but for virtual PCRs +vtpm_policy = {"23":["ffffffffffffffffffffffffffffffffffffffff","0000000000000000000000000000000000000000"],"15":"0000000000000000000000000000000000000000"} + +# specify the file containing whitelists for processing Linux IMA white lists +# this file is used if tenant provides "default" as the IMA whitelist file +# this file should be in the form +# SHA1sum path_to_file +ima_whitelist = whitelist.txt + +# specify a file containing paths that should be ignored by IMA +# use with great caution as it will affect the security of IMA +ima_excludelist = exclude.txt + +# specify the acceptable crypto algorithms to use with the TPM for this agent. +# only algorithms specified below will be allowed for usage by an agent. if a +# agent uses an algorithm not specified here, it will fail validation +# +# currently accepted values include: +# hashing: sha512, sha384, sha256 and sha1 +# encryption: ecc and rsa +# signing: rsassa, rsapss, ecdsa, ecdaa and ecschnorr +# +# NOTE: the TPM 1.2 standard only supports sha1 hashing, rsa encryption and +# rsassa signing protocols, therefore these are required for agents with +# TPM 1.2 being used +accept_tpm_hash_algs = sha512,sha384,sha256,sha1 +accept_tpm_encryption_algs = ecc,rsa +accept_tpm_signing_algs = ecschnorr,rsassa + +# how long to wait between failed attempts to connect to a cloud agent in +# seconds. floating point values accepted here +retry_interval = 1 + +# integer number of retries to connect to a agent before giving up +max_retries = 10 + +# tell the tenant whether to require an EK certificate from the TPM. +# if set to False the tenant will ignore EK certificates entirely +# +# WARNING SETTING THIS OPTION TO FALSE IS VERY DANGEROUS!!!!! +# +# If you disable this check, then you may not be talking to a real TPM. +# All the security guarantees of keylime rely upon the security of the EK +# and the assumption that you are talking to a spec-compliant and honest TPM. +# some physical TPMs do not have EK certificates, so you may need to set +# this to False for some deployments. If you do set it to False, you +# MUST use the ek_check_script option below to specify a script that will +# check the provided EK against a whitelist for the environment that has +# been collected in a trustworthy way. For example, the cloud provider +# might provide a signed list of EK public key hashes. Then you could write +# an ek_check_script that checks the signature of the whitelist and then +# compares the hash of the given EK with the whistlist +require_ek_cert = True + +# Optional script to execute to check the EK and/or EK certificate against a +# whitelist or any other additional EK processing you want to do. Runs in +# /var/lib/keylime. You call also specify an absolute path to the script. +# script should return 0 if the EK or EK certificate are valid. Any other +# return value will invalidate the tenant quote check and prevent +# bootstrapping a key. +# +# The various keys are passed to the script via environment variables: +# EK - contains a PEM encoded version of the public ek +# EK_CERT - contains a DER encoded ek certificate if one is available. +# PROVKEYS - contains a json document containing ek, ekcert, and aik from the +# provider. ek and aik are in PEM format. The ekcert is in base64 encoded +# DER format. +# +# set to blank to disable this check. See warning above if require_ek_cert +# is False +ek_check_script= + +#============================================================================= +[registrar] +#============================================================================= + +# The registrar's IP address and port used to communicate with other +# services as well as a bind address for the registrar server. +registrar_ip = 127.0.0.1 +registrar_port = 8890 +registrar_tls_port = 8891 + +# Used for Xen vTPM +provider_registrar_port = 8990 +provider_registrar_tls_port = 8991 +provider_registrar_ip = 127.0.0.1 + +# Registrar TLS options. This is for authenticating the registrar to clients +# who want to query AIKs +# +# tls_dir option sets directory in /var/lib/keylime/ to put CA certificates +# and files for TLS. +# Set to "generate" to automatically generate a CA/certificates in dir reg_ca +# If you specify generate, you can manage the CA that the verifier will create +# using keylime_ca -d /var/lib/keylime/reg_ca/ +# +# Set to "CV" to share the CA with the cloud verifier (which must be run first +# once before starting the registrar so it can generate the keys) +tls_dir = CV + +# The filename (in tls_dir) of the CA cert for for the registrar's +ca_cert = default + +# The filename (in tls_dir) of the registrar certificate and private key +# The following two options also take the string "default" to find a files +# with names -cert.crt and +# -public.pem for cert and private key respectively +my_cert = default +private_key = default + +# Set the password to decrypt the private key file. This should be set to a +# strong password +# If tls_dir=generate, this password will also be used to protect the +# generated CA private key +private_key_pw = default + +# Registrar client TLS options. this allows the registrar to authenticate the +# provider registrar before asking for AIKs +# This option sets the directory where the CA certificate for the provider +# registrar can be found +# Use "default" to use 'reg_ca' (this points it to the directory automatically +# created by the registrar if it is set to "generate" +# Use "CV" to use 'cv_ca', the directory automatically created (and shared +# with the registar) by the CV +registrar_tls_dir = CV + +# The following three options set the filenames in tls_dir where the CA +# certificate, client certificate, and client private key file are +# If tls_dir = default, then default values will be used for ca_cert = +# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem +registrar_ca_cert = default +registrar_my_cert = default +registrar_private_key = default + +# Set the password to decrypt the private key file. this should be set to a +# strong password +# If you are using the auto generated keys from the CV, set the same password +# here as you did for private_key_pw in the [cloud_verifier] section +registrar_private_key_pw = default + + +# Database URL Configuration +# See document https://keylime-docs.readthedocs.io/en/latest/installation.html#database-support +# for instructions on using different database configurations +# The default is sqlite and will be situated at "/var/lib/keylime/reg_data.sqlite" +drivername = sqlite +username = '' +password = '' +host = '' +port = '' +database = reg_data.sqlite +query = '' + +# The file to use for SQLite persistence of provider hypervisor data +prov_db_filename = provider_reg_data.sqlite + +#============================================================================= +[ca] +#============================================================================= + +# These options set the metadata into the certificates that the keylime_ca +# utility will use when creating certificates and CAs. +# These options are also used by the verifier and registrar when using the +# tls_dir=generate option +# the below options are pretty self explanatory X509 stuff. +cert_country=US +cert_ca_name=keylime certificate authority +cert_state=MA +cert_locality=Lexington +cert_organization=MITLL +cert_org_unit=53 +cert_ca_lifetime=3650 +cert_lifetime=365 +cert_bits=2048 + +# This setting allows you to specify where your CRL will be hosted +# Insert the relevant URL +# Use "default" to use the tenant machine FQDN as the CRL distribution point. +# Use "default" with caution as it will use the result python's +# socket.getfqdn() as the hostname. This may not be a properly resolvable +# DNS name in which case you need to specify a hostname where you will +# run the revocation listener (see below) +# +# You can then use keylime_ca -c listen -n ca/RevocationNotifier-cert.crt +cert_crl_dist=http://localhost:38080/crl + +# If the provider for certificate generation is CFSSL, then the HTTP-based +# API server will run at this address and port. +cfssl_ip = 127.0.0.1 +cfssl_port = 8888 + +#============================================================================= +[webapp] +#============================================================================= + +webapp_ip = 127.0.0.1 +webapp_port = 443 + +#============================================================================= +# GLOBAL LOGGING CONFIGURATION +#============================================================================= + +# The only thing really to change here is the default log levels for either +# console or keylime loggers + +[loggers] +keys = root,keylime + +[handlers] +keys = consoleHandler + +[formatters] +keys = formatter + +[formatter_formatter] +format = %(asctime)s.%(msecs)03d - %(name)s - %(levelname)s - %(message)s +datefmt = %Y-%m-%d %H:%M:%S + +[logger_root] +level = INFO +handlers = consoleHandler + +[handler_consoleHandler] +class = StreamHandler +level = INFO +formatter = formatter +args = (sys.stdout,) + +[logger_keylime] +level = INFO +qualname = keylime +handlers = diff --git a/src/main.rs b/src/main.rs index 78302ca9..69d7b6af 100644 --- a/src/main.rs +++ b/src/main.rs @@ -51,9 +51,9 @@ fn main() { pretty_env_logger::init(); let cloudagent_ip = - config_get("/etc/keylime.conf", "general", "cloudagent_ip"); + config_get("/etc/keylime.conf", "cloud_agent", "cloudagent_ip"); let cloudagent_port = - config_get("/etc/keylime.conf", "general", "cloudagent_port"); + config_get("/etc/keylime.conf", "cloud_agent", "cloudagent_port"); let endpoint = format!("{}:{}", cloudagent_ip, cloudagent_port); info!("Starting server...");