-
Notifications
You must be signed in to change notification settings - Fork 58
/
Copy pathkeylime-agent.conf
338 lines (300 loc) · 14.3 KB
/
keylime-agent.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
# All configuration options can be overridden by environment variables.
# The environment variables used to override options are composed by the
# 'KEYLIME_AGENT_' prefix followed by the option to be set in upper case.
# For example, to override the 'registrar_ip' option, set the
# KEYLIME_AGENT_REGISTRAR_IP environment variable.
#=============================================================================
[agent]
#=============================================================================
# The configuration file version
#
# To override, set KEYLIME_AGENT_VERSION environment variable.
version = "2.4"
# The enabled API versions
# This sets which of the supported API versions to enable.
# Only supported versions can be set, which are defined by
# api::SUPPORTED_API_VERSIONS
# A list of versions to enable can be provided (e.g. "2.1, 2.2")
# The following keywords are also supported:
# - "default": Enables all supported API versions
# - "latest": Enables only the latest supported API version
api_versions = "default"
# The agent's UUID.
# If you set this to "generate", Keylime will create a random UUID.
# If you set this to "hash_ek", Keylime will set the UUID to the result
# of 'SHA256(public EK in PEM format)'.
#
# To override, set KEYLIME_AGENT_UUID environment variable.
uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
# The binding IP address and port for the agent server
#
# To override ip, set KEYLIME_AGENT_IP environment variable.
# To override port, set KEYLIME_AGENT_PORT environment variable.
ip = "127.0.0.1"
port = 9002
# Address and port where the verifier and tenant can connect to reach the agent.
# These keys are optional.
#
# To override contact_ip, set KEYLIME_AGENT_CONTACT_IP environment variable.
# To override contact_port, set KEYLIME_AGENT_CONTACT_PORT environment variable.
contact_ip = "127.0.0.1"
contact_port = 9002
# The address and port of registrar server which agent communicate with
#
# To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
# To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
# variable.
registrar_ip = "127.0.0.1"
registrar_port = 8890
# Enable mTLS communication between agent, verifier and tenant.
# Details on why setting it to "false" is generally considered insecure can be found
# on https://github.com/keylime/keylime/security/advisories/GHSA-2m39-75g9-ff5r
#
# To override enable_agent_mtls, set KEYLIME_AGENT_ENABLE_AGENT_MTLS environment
# variable.
enable_agent_mtls = true
# The keylime working directory. The default value is /var/lib/keylime
#
# To override keylime_dir, set KEYLIME_AGENT_KEYLIME_DIR or KEYLIME_DIR
# environment variable.
keylime_dir = "/var/lib/keylime"
# The name of the file containing the Keylime agent TLS server private key.
# This private key is used to serve the Keylime agent REST API
# A new private key is generated in case it is not found.
# If set as "default", the "server-private.pem" value is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change
#
# To override server_key, set KEYLIME_AGENT_SERVER_KEY environment variable.
server_key = "default"
# Set the password used to encrypt the private key file.
# This password will also be used to protect the generated private key used for
# mTLS authentication
# If left empty, the private key will not be encrypted.
#
# To override server_key_password, set KEYLIME_AGENT_SERVER_KEY_PASSWORD
# environment variable.
server_key_password = ""
# The name of the file containing the X509 certificate used as the Keylime agent
# server TLS certificate.
# This certificate must be self signed.
# If set as "default", the "server-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override server_cert, set KEYLIME_AGENT_SERVER_CERT environment variable.
server_cert = "default"
# The CA that signs the client certificates of the tenant and verifier.
# If set as "default" the "cv_ca/cacert.crt" value, relative from the
# keylime_dir is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override trusted_client_ca, set KEYLIME_AGENT_TRUSTED_CLIENT_CA environment
# variable.
trusted_client_ca = "default"
# The name that should be used for the encryption key, placed in the
# $keylime_dir/secure/ directory.
#
# To override enc_keyname, set KEYLIME_AGENT_ENC_KEYNAME environment variable.
enc_keyname = "derived_tci_key"
# The name that should be used for the optional decrypted payload, placed in
# the $keylime_dir/secure directory.
#
# To override dec_payload_file, set KEYLIME_AGENT_DEC_PAYLOAD_FILE environment
# variable.
dec_payload_file = "decrypted_payload"
# The size of the memory-backed tmpfs partition where Keylime stores crypto keys.
# Use syntax that the 'mount' command would accept as a size parameter for tmpfs.
# The default below sets it to 1 megabyte.
#
# To override secure_size, set KEYLIME_AGENT_SECURE_SIZE environment variable.
secure_size = "1m"
# Whether to allow the agent to automatically extract a zip file in the
# delivered payload after it has been decrypted, or not. Defaults to "true".
# After decryption, the archive will be unzipped to a directory in $keylime_dir/secure.
# Note: the limits on the size of the tmpfs partition set above with the 'secure_size'
# option will affect this.
#
# To override extract_payload_zip, set KEYLIME_AGENT_EXTRACT_PAYLOAD_ZIP
# environment variable.
extract_payload_zip = true
# Whether to listen for revocation notifications from the verifier via zeromq.
# Note: The agent supports receiving revocation notifications via REST API
# regardless of the value set here.
#
# To override enable_revocation_notifications, set
# KEYLIME_AGENT_ENABLE_REVOCATION_NOTIFICATIONS environment variable.
enable_revocation_notifications = false
# The path to the directory containing the pre-installed revocation action
# scripts. Ideally should point to an fixed/immutable location subject to
# attestation. The default is /usr/libexec/keylime.
#
# To override revocation_actions_dir, set KEYLIME_AGENT_REVOCATION_ACTIONS_DIR
# environment variable.
revocation_actions_dir = "/usr/libexec/keylime"
# Revocation IP & Port used by the agent to receive revocation
# notifications from the verifier via zeromq.
# This is optional and used only when 'enable_revocation_notifications' is 'true'.
#
# To override revocation_notification_ip, set
# KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
# To override revocation_notification_port, set
# KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.
revocation_notification_ip = "127.0.0.1"
revocation_notification_port = 8992
# The path to the certificate to verify revocation messages received from the
# verifier. The path is relative to keylime_dir unless an absolute path is
# provided (i.e. starts with '/').
# If set to "default", Keylime will use the file RevocationNotifier-cert.crt
# from the unzipped payload contents provided by the tenant.
#
# To override revocation_cert, set KEYLIME_AGENT_REVOCATION_CERT environment
# variable.
revocation_cert = "default"
# A comma-separated list of executables to run upon receiving a revocation
# message. Keylime will verify the signature first, then call these executables
# passing the json revocation message.
# The executables must be located in the 'revocation_actions_dir' directory.
#
# Keylime will also get the list of revocation actions from the file
# action_list in the unzipped payload contents provided by the verifier.
#
# To override revocation_actions, set KEYLIME_AGENT_REVOCATION_ACTIONS
# environment variable.
revocation_actions = ""
# A script to execute after unzipping the tenant payload.
# Keylime will run it with a /bin/sh environment and with a working directory of
# $keylime_dir/secure/unzipped.
#
# To override payload_script, set KEYLIME_AGENT_PAYLOAD_SCRIPT environment
# variable.
payload_script = "autorun.sh"
# In case mTLS for the agent is disabled and the use of payloads is still
# required, this option has to be set to "true" in order to allow the agent
# to start. Details on why this configuration (mTLS disabled and payload enabled)
# is generally considered insecure can be found on
# https://github.com/keylime/keylime/security/advisories/GHSA-2m39-75g9-ff5r
#
# To override enable_insecure_payload, set KEYLIME_AGENT_ENABLE_INSECURE_PAYLOAD
# environment variable.
enable_insecure_payload = false
# Whether to allow running revocation actions sent as part of the payload. The
# default is true and setting as false will limit the revocation actions to the
# pre-installed ones.
#
# To override allow_payload_revocation_actions, set
# KEYLIME_AGENT_ALLOW_PAYLOAD_REVOCATION_ACTIONS environment variable.
allow_payload_revocation_actions = true
# TPM2-specific options, allows customizing default algorithms to use.
# Specify the default crypto algorithms to use with a TPM2 for this agent.
#
# Currently accepted values include:
# - hashing: sha512, sha384, sha256 or sha1
# - encryption: ecc or rsa
# - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr
#
# To override tpm_hash_alg, set KEYLIME_AGENT_TPM_HASH_ALG environment variable.
# To override tpm_encryption_alg, set KEYLIME_AGENT_TPM_ENCRYPTION_ALG
# environment variable.
# To override tpm_signing_alg, set KEYLIME_AGENT_TPM_SIGNING_ALG environment
# variable.
tpm_hash_alg = "sha256"
tpm_encryption_alg = "rsa"
tpm_signing_alg = "rsassa"
# If an EK is already present on the TPM (e.g., with "tpm2_createek") and
# you require Keylime to use this EK, change "generate" to the actual EK
# handle (e.g. "0x81000000"). The Keylime agent will then not attempt to
# create a new EK upon startup, and neither will it flush the EK upon exit.
#
# To override ek_handle, set KEYLIME_AGENT_EK_HANDLE environment variable.
ek_handle = "generate"
# Enable IDevID and IAK usage
enable_iak_idevid = false
# Select IDevID and IAK templates or algorithms for regenerating the keys.
# By default the template will be detected automatically from the certificates. This will happen if iak_idevid_template is left empty or set as "default" or "detect".
# Choosing a template will override the name and asymmetric algorithm choices. To use these choices, set iak_idevid_template to "manual"
# Templates are specified in the TCG document found here, section 7.3.4:
# https://trustedcomputinggroup.org/wp-content/uploads/TPM-2p0-Keys-for-Device-Identity-and-Attestation_v1_r12_pub10082021.pdf
#
# Accepted values:
# iak_idevid_template: default, detect, H-1, H-2, H-3, H-4, H-5, manual
# iak_idevid_asymmetric_alg: rsa, ecc
# iak_idevid_name_alg: sha256, sm3_256, sha384, sha512
iak_idevid_template = "detect"
# In order for these values to be used, set the iak_idevid_template option to manual
iak_idevid_asymmetric_alg = "rsa"
iak_idevid_name_alg = "sha256"
# Alternatively if the keys are persisted, provide the handles for their location below, and optionally their passwords.
# If handles are provided, they will take priority over templates/algorithms selected above.
# To use a hex password, use the prefix "hex:" at the start of the password.
idevid_password = ""
idevid_handle = ""
iak_password = ""
iak_handle = ""
# The name of the file containing the X509 IAK certificate.
# If set as "default", the "iak-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override iak_cert, set KEYLIME_AGENT_IAK_CERT environment variable.
iak_cert = "default"
# The name of the file containing the X509 IDevID certificate.
# If set as "default", the "idevid-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override idevid_cert, set KEYLIME_AGENT_IDEVID_CERT environment variable.
idevid_cert = "default"
# Use this option to state the existing TPM ownerpassword.
# This option should be set only when a password is set for the Endorsement
# Hierarchy (e.g. via "tpm2_changeauth -c e").
# In order to use a hex value for the password, use the prefix "hex:"
# For example if tpm2_changeauth -c e "hex:00a1b2c3e4" has run, the config option
# would be 'tpm_ownerpassword = "hex:00a1b2c3e4"'
# If no password was set, keep the empty string "".
#
# To override tpm_ownerpassword, set KEYLIME_AGENT_TPM_OWNERPASSWORD environment
# variable.
tpm_ownerpassword = ""
# The user account to switch to to drop privileges when started as root
# If left empty, the agent will keep running with high privileges.
# The user and group specified here must allow the user to access the
# WORK_DIR (by default /var/lib/keylime) and /dev/tpmrm0. Therefore, the
# suggested value for the run_as parameter is keylime:tss.
# The following commands should be used to set ownership before running the
# agent:
# chown keylime /var/lib/keylime
#
# If agent_data.json already exists:
# chown keylime /var/lib/keylime/agent_data.json
#
# If cv_ca directory exists:
# chown keylime /var/lib/keylime/cv_ca
# chown keylime /var/lib/keylime/cv_ca/cacert.crt
#
# To override run_as, set KEYLIME_AGENT_RUN_AS environment variable.
run_as = "keylime:tss"
# Path where to store the agent tpm data which can be loaded later
# If not an absolute path, it will be considered a relative path from the
# directory set by the keylime_dir option above
# If set as "default" Keylime will use "agent_data.json", located at
# keylime_dir.
#
# To override agent_data_path, set KEYLIME_AGENT_AGENT_DATA_PATH environment
# variable.
agent_data_path = "default"
# Path from where the agent will read the IMA measurement log.
#
# If set as "default", Keylime will use the default path:
# The default path is /sys/kernel/security/ima/ascii_runtime_measurements
# If set as a relative path, it will be considered from the root path "/".
# If set as an absolute path, it will use it without changes
ima_ml_path = "default"
# Path from where the agent will read the measured boot event log.
#
# If set as "default", Keylime will use the default path:
# The default path is /sys/kernel/security/tpm0/binary_bios_measurements
# If set as a relative path, it will be considered from the root path "/".
# If set as an absolute path, it will use it without changes
measuredboot_ml_path = "default"