Improve configuration and change format to TOML #449
Conversation
Follow the naming specified in the configuration enhancement: https://github.com/keylime/enhancements/blob/master/72_config_and_simplify_tls.md Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Keep only the data path as part of the configuration structure. Then open and load the data when needed. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Separate the key and certificate from the Agent Data and store in separate files. Add the configuration options 'server_key' and 'server_cert' to allow the user to use existing key and certificate. If the files set to 'server_key' or 'server_cert' don't exist, new files are created to store the generated key or certificate. Otherwise the existing files will not be overwritten. This also unify the handling of file paths in the configuration file for the files stored in the 'keylime_dir' by introducing the config_get_file_path() function with the following behavior: - If the option is set as "default" or left empty, the default value is used - If the option is not an absolute path, it is treated as relative from the directory set in the 'keylime_dir' configuration option - If the option is set with an absolute path, it is used without change Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Include as part of the stored Agent Data the hash of the public EK of the TPM that generated the AK. Before loading the AK, check if the current TPM is the same TPM that generated the information to avoid loading errors. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Perhaps I should have mentioned it earlier but I wonder if |
Add the configuration option server_key_password to allow setting a password to be used to encrypt the generated key when writing to a file and to decrypt the key when loading from a file. If the server_key_password is set as empty, the key is assumed to be unencrypted. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
I can drop this. I just added this path to make it similar to the python configuration. |
Was there any discussion on this on the Python side? If not and it's not too late, maybe good to revisit; I would suggest |
I think the main supporter of using the |
ansasaki
force-pushed
the
toml
branch
2 times, most recently
from
fcbd834 to
b544401
Compare
Depends on the source. There is a tendency of using it, that is also referenced here: https://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/usr.html
I hope that I am not alone here!
Ideally the service will know how to merge the snipped in
A longer explanation, with more examples can be found here: https://kubic.opensuse.org/blog/2019-12-05-usr-etc/ For doing the merge in services that do not support it by default, we are using libeconf, and doing upstream commits to support it. |
|
/packit test |
| pub static DEFAULT_KEYLIME_DIR: &str = "/var/lib/keylime"; | ||
| pub static DEFAULT_SERVER_KEY: &str = "server-private.pem"; | ||
| pub static DEFAULT_SERVER_CERT: &str = "server-cert.crt"; | ||
| pub static DEFAULT_SERVER_KEY_PASSWORD: &str = ""; |
| enc_keyname: DEFAULT_ENC_KEYNAME.to_string(), | ||
| extract_payload_zip: DEFAULT_EXTRACT_PAYLOAD_ZIP, | ||
| server_key: Some("default".to_string()), | ||
| server_key_password: Some( |
There was a problem hiding this comment.
... because this put Some("") (there is a password, that is the empty string), that is different from None (no password was provided)
There was a problem hiding this comment.
The empty string is considered "no password". Check:
https://github.com/ansasaki/rust-keylime/blob/036ab2a392022641a8603fddb405b58dd36430b8/src/crypto.rs#L77-L101
and
https://github.com/ansasaki/rust-keylime/blob/036ab2a392022641a8603fddb405b58dd36430b8/src/crypto.rs#L54-L72
|
/packit retest-failed |
|
/packit test |
This introduces several improvements to the agent configuration.
- The file format is modified from INI style files to TOML formatted
files.
- The configuration is constructed using an hierarchical organization
following the order:
- The default hardcoded values are loaded
- If a configuration file is found in /usr/etc/keylime-agent.conf, it
is loaded and any option set overrides the default values
- Load configuration snippets from /usr/etc/keylime-agent.conf.d/*,
overriding the previous values
- Load the configuration from /etc/keylime-agent.conf, overriding
previous values
- Load configuration snippets from /etc/keylime-agent.conf.d/*,
overriding previous values
- Finally any configuration option can be overriden via environment
variable, by using the 'KEYLIME_AGENT_' prefix. For example,
KEYLIME_AGENT_PORT=9003 will override the 'port' option from the
'agent' section with the value '9003'.
This was introduced by using an added dependency, the 'config' crate
using the 'toml' feature for the toml file format.
Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Add back the support for overriding the 'keylime_dir' option by setting the 'KEYLIME_DIR' environment variable. Note that it is also possible to override the 'keylime_dir' option by setting the 'KEYLIME_AGENT_KEYLIME_DIR' environment variable, although 'KEYLIME_DIR' has priority. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
This is not currently used, but will be important in future to check configuration file compatibility and upgrades. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Quick reminder that |
|
I did a first pass and it seemed good to me, I can do another one shortly. |
My vote is for
Exactly. /usr/etc will be deployed with the image, never edited by the user (that should edit /etc) |
The python components expect the configuration files to be in /etc/keylime/*.conf and the configuration snippets to be in /etc/keylime/*.conf.d This patch modifies the paths where the configuration files are searched to align with the python components. In the case, the agent configuration will be installed in /etc/keylime/agent.conf and the snippets are searched in /etc/keylime/agent.conf.d/ Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
|
/packit test |
1 similar comment
|
/packit test |
|
/packit retest-failed |
|
@aplanas thanks for the detailed explanation!
I wasn't aware of the UsrEtc effort. It makes sense from the package update point of view, though other distributions currently don't seem to catch up; as mentioned in the link to the Fedora packaging guideline:
That said, I guess it shouldn't be a problem as long as the Fedora package doesn't ship any files under |
I'll make sure the Fedora package doesn't ship any files there. |
|
Maybe the location could be configurable at build time, so that config templates could be shipped also to a different location (and used from there). |
That is a good idea |
This introduces several improvements to the agent configuration.
files.
enhancement proposal:
following the order:
is loaded and any option set overrides the default values
overriding the previous values
previous values
overriding previous values
variable, by using the 'KEYLIME_AGENT_' prefix. For example,
KEYLIME_AGENT_PORT=9003 will override the 'port' option from the
'agent' section with the value '9003'.
It is possible to override all file sources with a single file by setting the
KEYLIME_AGENT_CONFIGenvironment variable. If it is set, the configuration files and snippets are ignored and all options are loaded from the file pointed byKEYLIME_AGENT_CONFIG. The environment variable overrides still apply, meaning it is still possible to override the options from the file pointed byKEYLIME_AGENT_CONFIGusing the environment variables with theKEYLIME_AGENT_prefix.This was implemented using new dependency crates:
configandglob.Other changes: