forked from keylime/keylime
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathkeylime.conf
458 lines (392 loc) · 19.3 KB
/
keylime.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
[general]
#=============================================================================
# these options are self explanatory ip/port combinations to find the various
# keylime services on the network. some services use these, some do not.
# But they are used frequently enough that they end up here
cloudverifier_port = 8881
registrar_port = 8890
registrar_tls_port = 8891
registrar_ip = 127.0.0.1
cloudagent_port = 9002
provider_registrar_port = 8990
provider_registrar_tls_port = 8991
provider_registrar_ip = 127.0.0.1
webapp_port = 443
webapp_ip = 127.0.0.1
cfssl_ip = 127.0.0.1
cfssl_port = 8888
# This is the port combination of the notification server. The cloud verifier
# will start a notification server automatically if the revocation_notifier
# option is set to true
revocation_notifier_ip = 127.0.0.1
revocation_notifier_port = 8992
# turn on or off TLS keylime wide
enable_tls = True
# turn on or off DNS hostname checking for TLS certificates.
tls_check_hostnames = False
# set which provider you want for the generation of certificates
# valid options are 'cfssl' or 'openssl' For cfssl to work, you must have the
# go binary installed in your path or in /usr/local/
# revocation list generation is only supported by cfssl
ca_implementation = openssl
#=============================================================================
[cloud_agent]
#=============================================================================
# What is the name of the rsa key that keylime should use for protecting
# shares of U/V
rsa_keyname = tci_rsa_key
# what filename in /var/lib/keylime/secure should the encryption key be placed
enc_keyname = derived_tci_key
# what filename in /var/lib/keylime/secure should the optional decrypted
# payload be placed
dec_payload_file = decrypted_payload
# size of the memory backed tmpfs partition where keylime stores crypto keys
# use syntax that mount would accept as a size parameter for tmpfs
# the default below sets it to 1 megabyte
secure_size = 1m
# use this option to set the TPM ownerpassword to something you want to use.
# Set it to "generate" if you want keylime to choose a random owner password
# for you
tpm_ownerpassword = keylime
# set to true to allow the cloud_agent to automatically extract a zip file in
# the delivered payload after it has been decrypted. It will be decrypted to
# a folder unzipped in /var/lib/keylime/secure. Note the limits on the size
# of the tmpfs partition above with secure_size option
extract_payload_zip = True
# set the agent's uuid to the given value.
# set to 'openstack', it will try to get the uuid from the metadata service
# if you set this to 'generate', keylime will create a random uuid
# if you set this to 'hash_ek', keylime will set the UUID to the result
# of SHA256(public EK in PEM format)
agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
# whether to listen for revocation notifications from the verifier
listen_notfications = True
# path to the certificate to verify revocation messages received from the
# verifier. path is relative to /var/lib/keylime
# if set to "default", keylime will use the file RevocationNotifier-cert.crt
# from the unzipped contents provided by the tenant
revocation_cert = default
# Comma separated list of python scripts to run upon receiving a revocation
# message. Keylime will verify the signature first, then call these python
# scripts with the json revocation message. The scripts must be located in
# revocation_actions directory
#
# keylime will also get the list of revocation actions from the file
# action_list in the unzipped contents provided by the verifier
# all actions must be named local_action_[some name]
revocation_actions=
# A script to execute after unzipping the tenant payload. This is like
# cloud-init lite =) Keylime will run it with a /bin/sh environment with
# a working directory of /var/lib/keylime/secure/unzipped
payload_script=autorun.sh
# Jason @henn made be do it! he wanted a way for keylime to measure the
# delivered payload into a pcr of choice. specify a PCR number to turn it on
# set to -1 or any negative or out of range PCR value to turn off
measure_payload_pcr=-1
# how long to wait between failed attempts to communicate with the tpm in
# seconds. floating point values accepted here
retry_interval = 1
# integer number of retries to communicate with the tpm before giving up
max_retries = 10
# TPM2-specific options, allow customizing default algorithms to use.
# specify the default crypto algorithms to use with a TPM2 for this agent
#
# currently accepted values include:
# hashing: sha512, sha384, sha256 or sha1
# encryption: ecc or rsa
# signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr
tpm_hash_alg = sha256
tpm_encryption_alg = rsa
tpm_signing_alg = rsassa
#=============================================================================
[cloud_verifier]
#=============================================================================
# Cloud Verifier TLS options. This is for authenticating the CV itself,
# authenticating the users of the CV and securing the transmission of keys
#
# tls_dir option sets directory in /var/lib/keylime/ to put CA certificates
# and files for TLS.
# set to "generate" to automatically generate a CA/certificates in dir cv_ca
# if set to "generate": ca_cert, my_cert, and private_key must be "default"
# if you specify generate, you can manage the CA that the verifier will create
# using keylime_ca -d /var/lib/keylime/cv_ca/
tls_dir = generate
# the filename (in tls_dir) of the CA cert for verifying client certificates
ca_cert = default
# the filename (in tls_dir) of the cloud verifier certificate and private key
# the following two options also take the string "default" to find a files
# with names <fully_qualified_name>-cert.crt and
# <fully_qualified_name>-public.pem for cert and private key respectively
my_cert = default
private_key = default
# set the password to Decrypt the private key file. this should be set to a
# strong password
# if tls_dir=generate, this password will also be used to protect the
# generated CA private key
private_key_pw = default
# Registrar client TLS options. this allows the CV to authenticate the
# registar before asking for AIKs
# this option sets the directory where the CA certificate for the registrar
# can be found
# use "default" to use 'reg_ca' (this points it to the directory automatically
# created by the registrar if it is set to "generate"
# use "CV" to use 'cv_ca', the directory automatically created (and shared
# with the registar) by the CV
registrar_tls_dir = CV
# the following three options set the filenames in tls_dir where the CA
# certificate, client certificate, and client private key file are
# if tls_dir = default, then default values will be used for ca_cert =
# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem
registrar_ca_cert = default
registrar_my_cert = default
registrar_private_key = default
# set the password to decrypt the private key file. this should be set to a
# strong password
# if you are using the auto generated keys from the CV, set the same password
# here as you did for private_key_pw in the [cloud_verifier] section
registrar_private_key_pw = default
# The file to use for SQLite persistence of agent data
db_filename = cv_data.sqlite
# number of worker processes to use for the cloud verifier
# set to 0 to create one worker per processor
multiprocessing_pool_num_workers = 0
# how long to wait between failed attempts to connect to an cloud agent in
# seconds. floating point values accepted here
retry_interval = 1
# integer number of retries to connect to an agent before giving up
max_retries = 10
# time between integrity measurement checks in seconds. Set to 0 to do as
# fast as possible. Floating point values accepted here
quote_interval = 2
# whether to turn on the zero mq based revocation notifier system
# currently this only works if you are using keylime-CA
revocation_notifier = True
#=============================================================================
[tenant]
#=============================================================================
# Tenant client TLS options. This is for authenticating the CV itself and
# proving that the tenant can talk to the CV.
# tls_dir option sets directory in /var/lib/keylime/ to find client
# certificates for talking to the CV.
# and files for TLS.
# set to default to use the CA setup by the cloud_verifier on the same machine
# files will be in /var/lib/keylime/cv_ca/
tls_dir = default
# the following three options set the filenames in tls_dir where the CA
# certificate, client certificate, and client private key file are
# if tls_dir = default, then default values will be used for ca_cert =
# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem
ca_cert = default
my_cert = default
private_key = default
# set the password to decrypt the private key file. this should be set to a
# strong password
# if you are using the auto generated keys from the CV, set the same password
# here as you did for private_key_pw in the [cloud_verifier] section
private_key_pw = default
# Registrar client TLS options. this allows the tenant to authenticate the
# registar before asking for AIKs
# this option sets the directory where the CA certificate for the registrar
# can be found
# use "default" to use 'reg_ca' (this points it to the directory automatically
# created by the registrar if it is set to "generate"
# use "CV" to use 'cv_ca', the directory automatically created (and shared
# with the registar) by the CV
registrar_tls_dir = CV
# the following three options set the filenames in tls_dir where the CA
# certificate, client certificate, and client private key file are
# if tls_dir = default, then default values will be used for ca_cert =
# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem
registrar_ca_cert = default
registrar_my_cert = default
registrar_private_key = default
# set the password to decrypt the private key file. this should be set to a
# strong password
# if you are using the auto generated keys from the CV, set the same password
# here as you did for private_key_pw in the [cloud_verifier] section
registrar_private_key_pw = default
# max size of payload the tenant will take in bytes (default 1 megabyte)
# make sure this matches with secure_size param in the [cloud_agent] section.
# don't send things bigger than the tmpfs where they will be decrypted
max_payload_size = 1048576
# You can set the default address/host to find the verifier with this option
# this will be overwritten by the -v option on the tenant on the command line
# if specified
cloudverifier_ip = 127.0.0.1
# TPM policies are json structures that takes a list of accepted pcr values
# and will match any in the list for that pcr. These can be a mixture of any
# hashing algorithms, potentially of varying digest lengths (default policy
# below supports SHA1, SHA-256 and SHA-512)
# note that you can't set a policy on PCR10 and PCR16 because
# keylime uses them internally
tpm_policy = {"22":["0000000000000000000000000000000000000001","0000000000000000000000000000000000000000000000000000000000000001","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001","ffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"],"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]}
# Same as tpm_policy but for virtual PCRs
vtpm_policy = {"23":["ffffffffffffffffffffffffffffffffffffffff","0000000000000000000000000000000000000000"],"15":"0000000000000000000000000000000000000000"}
# specify the file containing whitelists for processing Linux IMA white lists
# this file is used if tenant provides "default" as the IMA whitelist file
# this file should be in the form
# SHA1sum path_to_file
ima_whitelist = whitelist.txt
# specify a file containing paths that should be ignored by IMA
# use with great caution as it will affect the security of IMA
ima_excludelist = exclude.txt
# specify the acceptable crypto algorithms to use with the TPM for this agent.
# only algorithms specified below will be allowed for usage by an agent. if a
# agent uses an algorithm not specified here, it will fail validation
#
# currently accepted values include:
# hashing: sha512, sha384, sha256 and sha1
# encryption: ecc and rsa
# signing: rsassa, rsapss, ecdsa, ecdaa and ecschnorr
#
# NOTE: the TPM 1.2 standard only supports sha1 hashing, rsa encryption and
# rsassa signing protocols, therefore these are required for agents with
# TPM 1.2 being used
accept_tpm_hash_algs = sha512,sha384,sha256,sha1
accept_tpm_encryption_algs = ecc,rsa
accept_tpm_signing_algs = ecschnorr,rsassa
# how long to wait between failed attempts to connect to a cloud agent in
# seconds. floating point values accepted here
retry_interval = 1
# integer number of retries to connect to a agent before giving up
max_retries = 10
# tell the tenant whether to require an EK certificate from the TPM.
# if set to False the tenant will ignore EK certificates entirely
#
# WARNING SETTING THIS OPTION TO FALSE IS VERY DANGEROUS!!!!!
#
# If you disable this check, then you may not be talking to a real TPM.
# All the security guarantees of keylime rely upon the security of the EK
# and the assumption that you are talking to a spec-compliant and honest TPM.
# some physical TPMs do not have EK certificates, so you may need to set
# this to False for some deployments. If you do set it to False, you
# MUST use the ek_check_script option below to specify a script that will
# check the provided EK against a whitelist for the environment that has
# been collected in a trustworthy way. For example, the cloud provider
# might provide a signed list of EK public key hashes. Then you could write
# an ek_check_script that checks the signature of the whitelist and then
# compares the hash of the given EK with the whistlist
require_ek_cert = True
# Optional script to execute to check the EK and/or EK certificate against a
# whitelist or any other additional EK processing you want to do. Runs in
# /var/lib/keylime. You call also specify an absolute path to the script.
# script should return 0 if the EK or EK certificate are valid. Any other
# return value will invalidate the tenant quote check and prevent
# bootstrapping a key.
#
# The various keys are passed to the script via environment variables:
# EK - contains a PEM encoded version of the public ek
# EK_CERT - contains a DER encoded ek certificate if one is available.
# PROVKEYS - contains a json document containing ek, ekcert, and aik from the
# provider. ek and aik are in PEM format. The ekcert is in base64 encoded
# DER format.
#
# set to blank to disable this check. See warning above if require_ek_cert
# is False
ek_check_script=
#=============================================================================
[registrar]
#=============================================================================
# Registrar TLS options. This is for authenticating the registrar to clients
# who want to query AIKs
#
# tls_dir option sets directory in /var/lib/keylime/ to put CA certificates
# and files for TLS.
# set to "generate" to automatically generate a CA/certificates in dir reg_ca
# if you specify generate, you can manage the CA that the verifier will create
# using keylime_ca -d /var/lib/keylime/reg_ca/
#
# set to "CV" to share the CA with the cloud verifier (which must be run first
# once before starting the registrar so it can generate the keys)
tls_dir = CV
# the filename (in tls_dir) of the CA cert for for the registrar's
ca_cert = default
# the filename (in tls_dir) of the registrar certificate and private key
# the following two options also take the string "default" to find a files
# with names <fully_qualified_name>-cert.crt and
# <fully_qualified_name>-public.pem for cert and private key respectively
my_cert = default
private_key = default
# set the password to decrypt the private key file. this should be set to a
# strong password
# if tls_dir=generate, this password will also be used to protect the
# generated CA private key
private_key_pw = default
# Registrar client TLS options. this allows the registrar to authenticate the
# provider registrar before asking for AIKs
# this option sets the directory where the CA certificate for the provider
# registrar can be found
# use "default" to use 'reg_ca' (this points it to the directory automatically
# created by the registrar if it is set to "generate"
# use "CV" to use 'cv_ca', the directory automatically created (and shared
# with the registar) by the CV
registrar_tls_dir = CV
# the following three options set the filenames in tls_dir where the CA
# certificate, client certificate, and client private key file are
# if tls_dir = default, then default values will be used for ca_cert =
# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem
registrar_ca_cert = default
registrar_my_cert = default
registrar_private_key = default
# set the password to decrypt the private key file. this should be set to a
# strong password
# if you are using the auto generated keys from the CV, set the same password
# here as you did for private_key_pw in the [cloud_verifier] section
registrar_private_key_pw = default
# The file to use for SQLite persistence of agent data
db_filename = reg_data.sqlite
# The file to use for SQLite persistence of provider hypervisor data
prov_db_filename = provider_reg_data.sqlite
#=============================================================================
[ca]
#=============================================================================
# These options set the metadata into the certificates that the keylime_ca
# utility will use when creating certificates and CAs.
# These options are also used by the verifier and registrar when using the
# tls_dir=generate option
# the below options are pretty self explanatory X509 stuff.
cert_country=US
cert_ca_name=keylime certificate authority
cert_state=MA
cert_locality=Lexington
cert_organization=MITLL
cert_org_unit=53
cert_ca_lifetime=3650
cert_lifetime=365
cert_bits=2048
# this setting allows you to specify where your CRL will be hosted
# insert the relevant URL
# use "default" to use the tenant machine FQDN as the CRL distribution point.
# use "default" with caution as it will use the result python's
# socket.getfqdn() as the hostname. This may not be a properly resolvable
# DNS name. in which case you need to specify a hostname where you will
# run the revocation listener (see below)
#
# you can then use keylime_ca -c listen -n ca/RevocationNotifier-cert.crt
cert_crl_dist=http://localhost:38080/crl
#=============================================================================
# GLOBAL LOGGING CONFIGURATION
#=============================================================================
# the only thing really to change here is the default log levels for either
# console or keylime loggers
[loggers]
keys = root,keylime
[handlers]
keys = consoleHandler
[formatters]
keys = formatter
[formatter_formatter]
format = %(asctime)s.%(msecs)03d - %(name)s - %(levelname)s - %(message)s
datefmt = %Y-%m-%d %H:%M:%S
[logger_root]
level = INFO
handlers = consoleHandler
[handler_consoleHandler]
class = StreamHandler
level = INFO
formatter = formatter
args = (sys.stdout,)
[logger_keylime]
level = INFO
qualname = keylime
handlers =