

Update comments in the configuration file
The comments in the configuration file didn't reflect the actual
supported values and behavior.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
ansasaki authored and lkatalin committed Sep 21, 2022
1 parent 9dfb597 commit 6318234
Showing 1 changed file with 31 additions and 22 deletions.
53 changes: 31 additions & 22 deletions keylime-agent.conf
Expand Up @@ -10,10 +10,6 @@ version = "2.0"
# If you set this to "generate", Keylime will create a random UUID.
# If you set this to "hash_ek", Keylime will set the UUID to the result
# of 'SHA256(public EK in PEM format)'.
# If you set this to "dmidecode", Keylime will use the UUID from
# 'dmidecode -s system-uuid'.
# If you set this to "hostname", Keylime will use the full qualified domain
# name of current host as the agent id.
uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"

# The binding address and port for the agent server
Expand Down Expand Up @@ -42,6 +38,8 @@ keylime_dir = "/var/lib/keylime"
# This private key is used to serve the Keylime agent REST API
# A new private key is generated in case it is not found.
# If set as "default", the "server-private.pem" value is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change
server_key = "default"

# Set the password used to encrypt the private key file.
Expand All @@ -54,10 +52,15 @@ server_key_password = ""
# server TLS certificate.
# This certificate must be self signed.
# If set as "default", the "server-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
server_cert = "default"

# The CA that signs the client certificates of the tenant and verifier.
# If set as "default" the "cv_ca/cacert.crt" value is used
# If set as "default" the "cv_ca/cacert.crt" value, relative from the
# keylime_dir is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
trusted_client_ca = "default"

# The name that should be used for the encryption key, placed in the
Expand All @@ -73,45 +76,48 @@ dec_payload_file = "decrypted_payload"
# The default below sets it to 1 megabyte.
secure_size = "1m"

# Whether to allow the cloud_agent to automatically extract a zip file in
# the delivered payload after it has been decrypted, or not. Defaults to "true".
# Whether to allow the agent to automatically extract a zip file in the
# delivered payload after it has been decrypted, or not. Defaults to "true".
# After decryption, the archive will be unzipped to a directory in $keylime_dir/secure.
# Note: the limits on the size of the tmpfs partition set above with the 'secure_size'
# option will affect this.
extract_payload_zip = true

# Whether to listen for revocation notifications from the verifier or not.
# Whether to listen for revocation notifications from the verifier via zeromq.
# Note: The agent supports receiving revocation notifications via REST API
# regardless of the value set here.
enable_revocation_notifications = true

# The path to the directory containing the pre-installed revocation action
# scripts. Ideally should point to an fixed/immutable location subject to
# attestation. The default is /usr/libexec/keylime.
revocation_actions_dir = "/usr/libexec/keylime"

# Revocation IP & Port used by either the cloud_agent to receive revocation
# notifications from the verifier.
# Revocation IP & Port used by the agent to receive revocation
# notifications from the verifier via zeromq.
# This is optional and used only when 'enable_revocation_notifications' is 'true'.
revocation_notification_ip = "127.0.0.1"
revocation_notification_port = 8992

# The path to the certificate to verify revocation messages received from the
# verifier. The path is relative to $keylime_dir unless an absolute path is
# verifier. The path is relative to keylime_dir unless an absolute path is
# provided (i.e. starts with '/').
# If set to "default", Keylime will use the file RevocationNotifier-cert.crt
# from the unzipped contents provided by the tenant.
# from the unzipped payload contents provided by the tenant.
revocation_cert = "default"

# A comma-separated list of executables to run upon receiving a revocation
# message. Keylime will verify the signature first, then call these executables
# with the json revocation message. The executables must be located in the
# 'revocation_actions' directory.
# passing the json revocation message.
# The executables must be located in the 'revocation_actions' directory.
#
# Keylime will also get the list of revocation actions from the file
# action_list in the unzipped contents provided by the verifier.
# action_list in the unzipped payload contents provided by the verifier.
revocation_actions = ""

# A script to execute after unzipping the tenant payload. This is like
# cloud-init lite =) Keylime will run it with a /bin/sh environment and
# with a working directory of $keylime_dir/secure/unzipped.
# A script to execute after unzipping the tenant payload.
# Keylime will run it with a /bin/sh environment and with a working directory of
# $keylime_dir/secure/unzipped.
payload_script = "autorun.sh"

# In case mTLS for the agent is disabled and the use of payloads is still
Expand Down Expand Up @@ -143,14 +149,16 @@ tpm_signing_alg = "rsassa"
# create a new EK upon startup, and neither will it flush the EK upon exit.
ek_handle = "generate"

# Use this option to state the existing TPM ownerpassword. This option should
# be set only when ek_handle option points to an existing EK.
# Use this option to state the existing TPM ownerpassword.
# This option should be set only when a password is set for the Endorsement
# Hierarchy (e.g. via "tpm2_changeauth -c e").
# If no password was set, keep the empty string "".
tpm_ownerpassword = ""

# The user account to switch to to drop privileges when started as root
# If left empty, the agent will keep running with high privileges.
# The user and group specified here must allow the user to access the
# WORK_DIR (typically /var/lib/keylime) and /dev/tpmrm0. Therefore,
# WORK_DIR (by default /var/lib/keylime) and /dev/tpmrm0. Therefore, the
# suggested value for the run_as parameter is keylime:tss.
# The following commands should be used to set ownership before running the
# agent:
Expand All @@ -168,6 +176,7 @@ run_as = "keylime:tss"
# Path where to store the agent tpm data which can be loaded later
# If not an absolute path, it will be considered a relative path from the
# directory set by the keylime_dir option above
# If set as "default" Keylime will use "agent_data.json"
# If set as "default" Keylime will use "agent_data.json", located at
# keylime_dir.
agent_data_path = "default"
