WIP: try another swtpm

Signed-off-by: Tuomo Tanskanen <[email protected]>

security/keylime-poc/agent/Dockerfile

@@ -0,0 +1,83 @@
+##############################################################################
+# keylime TPM 2.0 Dockerfile
+#
+# This file is for automatic test running of Keylime and rust-keylime.
+# It is not recommended for use beyond testing scenarios.
+##############################################################################
+
+FROM quay.io/fedora/fedora
+
+# environment variables
+ARG BRANCH=master
+ENV container docker
+ENV HOME /root
+ENV KEYLIME_HOME ${HOME}/keylime
+ENV TPM_HOME ${HOME}/swtpm2
+COPY dbus-policy.conf /etc/dbus-1/system.d/
+
+# Packaged dependencies
+ENV PKGS_DEPS "automake \
+clang clang-devel \
+createrepo_c \
+czmq-devel \
+dbus \
+dbus-daemon \
+dbus-devel \
+dnf-plugins-core \
+efivar-devel \
+gcc \
+git \
+glib2-devel \
+glib2-static \
+gnulib \
+iproute \
+kmod \
+libarchive-devel \
+libselinux-python3 \
+libtool \
+libtpms \
+llvm llvm-devel \
+make \
+openssl-devel \
+pkg-config \
+procps \
+python3-cryptography \
+python3-dbus \
+python3-devel \
+python3-gpg \
+python3-pip \
+python3-requests \
+python3-setuptools \
+python3-sqlalchemy \
+python3-tornado \
+python3-virtualenv \
+python3-yaml \
+python3-zmq \
+redhat-rpm-config \
+rpm-build \
+rpm-sign \
+rust clippy cargo \
+swtpm \
+swtpm-tools \
+tpm2-abrmd \
+tpm2-tools \
+tpm2-tss \
+tpm2-tss-devel \
+uthash-devel \
+wget \
+which"
+
+RUN dnf makecache && \
+  dnf -y install $PKGS_DEPS && \
+  dnf clean all && \
+  rm -rf /var/cache/dnf/*
+
+RUN git clone https://github.com/keylime/rust-keylime \
+  && cd rust-keylime \
+  && make all \
+  && make install \
+  && cd .. \
+  && rm -rf rust-keylime
+
+COPY start.sh /
+CMD ["/start.sh"]

security/keylime-poc/agent/dbus-policy.conf

@@ -0,0 +1,12 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy context="default">
+    <!-- Allow everything to be sent -->
+    <allow send_destination="*" eavesdrop="true"/>
+    <!-- Allow everything to be received -->
+    <allow eavesdrop="true"/>
+    <!-- Allow anyone to own anything -->
+    <allow own="*"/>
+  </policy>
+</busconfig>

security/keylime-poc/agent/start.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -eux
+
+# Configure swtpm2
+mkdir -p /tmp/tpmdir
+chown tss:tss /tmp/tpmdir
+chmod 750 /tmp/tpmdir
+
+swtpm_setup --tpm2 \
+    --tpmstate /tmp/tpmdir \
+    --createek --decryption --create-ek-cert \
+    --create-platform-cert \
+    --display || true
+swtpm socket --tpm2 \
+    --tpmstate dir=/tmp/tpmdir \
+    --flags startup-clear \
+    --ctrl type=tcp,port=2322 \
+    --server type=tcp,port=2321 \
+    --daemon
+sleep 2
+
+# Configure dbus
+sudo rm -rf /var/run/dbus
+sudo mkdir /var/run/dbus
+sudo dbus-daemon --system
+
+# run abmrd
+# Start tpm2-abrmd
+tpm2-abrmd \
+    --logger=stdout \
+    --tcti=swtpm: \
+    --allow-root \
+    --flush-all \
+    &
+sleep 2
+
+# run agent
+useradd -s /sbin/nologin -g tss keylime || true
+
+sudo mkdir -p /var/lib/keylime
+sudo chown keylime:tss /var/lib/keylime
+sudo chmod 770 /var/lib/keylime
+
+sleep 2
+keylime_agent

security/keylime-poc/compose/agent.conf

@@ -5,13 +5,6 @@ tpm_version = "2"
 work_dir = "/var/lib/keylime/secure"
 secure_size = "1m"
 
-[cloud_agent]
-cloudagent_ip = "127.0.0.1"
-cloudagent_port = "9002"
-registrar_ip = "127.0.0.1"
-registrar_port = "8891"
-
-[tpm]
-tpm_ownerpassword = ""
-ek_handle = "0x81010000"
-
+#agent_enable_mtls = "true"
+#registrar_ip = "127.0.0.1"
+#registrar_port = "8891"

security/keylime-poc/compose/compose.yml

@@ -1,82 +1,66 @@
 services:
-  tpm-simulator:
-    build:
-      context: ../soft-tpm
-      dockerfile: ../soft-tpm/Dockerfile
-    ports:
-      - "2321:2321"
-      - "2322:2322"
-    volumes:
-      - tpm-state:/var/lib/tpm
-    # command: tpm_server -port 2321 -rm
-
   keylime-verifier:
     image: quay.io/keylime/keylime_verifier
-    depends_on:
-      - tpm-simulator
-    environment:
-      - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321
-      - TCTI=mssim:host=tpm-simulator,port=2321
+    hostname: keylime-registrar
+    # network_mode: host
     volumes:
-      - cv_ca:/var/lib/keylime/cv_ca:rw
+      - secure_volume:/var/lib/keylime
     ports:
-      - "8881:8881"
-    # just create delay so certs are there when it runs
-    healthcheck:
-      test: ["CMD-SHELL", "true"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-      start_period: 10s
+      - "8892:8892"
+    user: root
     command: keylime_verifier
 
   keylime-registrar:
     image: quay.io/keylime/keylime_registrar
+    hostname: keylime-registrar
+    # network_mode: host
     depends_on:
-      - tpm-simulator
       - keylime-verifier
-    environment:
-      - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321
-      - TCTI=mssim:host=tpm-simulator,port=2321
     volumes:
-      - cv_ca:/var/lib/keylime/cv_ca:ro
+      - secure_volume:/var/lib/keylime
     ports:
       - "8891:8891"
-    # just create delay so certs are there when it runs
-    healthcheck:
-      test: ["CMD-SHELL", "true"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-      start_period: 10s
-    command: keylime_registrar
+      - "8890:8890"
+    user: root
+    entrypoint: ["bash", "-c", "sleep 5; keylime_registrar"]
+
+  keylime-tenant:
+    image: quay.io/keylime/keylime_tenant
+    hostname: keylime-tenant
+    # network_mode: host
+    depends_on:
+      - keylime-verifier
+    volumes:
+      - secure_volume:/var/lib/keylime
+      - ./allowlist.txt:/tmp/allowlist.txt
+    user: root
+    entrypoint: ["bash", "-c", "tail -f /dev/null"]
 
   keylime-agent:
-    image: quay.io/keylime/keylime_agent:master
-    privileged: true
+    # image: quay.io/keylime/keylime_agent:master
+    build:
+      context: ../agent
+      dockerfile: ../agent/Dockerfile
+    hostname: keylime-agent
+    network_mode: host
+    user: root
     depends_on:
-      - tpm-simulator
       - keylime-verifier
       - keylime-registrar
     environment:
-      - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321
-      - TCTI=mssim:host=tpm-simulator,port=2321
-      - TPM_INTERFACE_TYPE=socsim
-    # just create delay so certs are there when it runs
-    healthcheck:
-      test: ["CMD-SHELL", "true"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-      start_period: 10s
+      - TPM2TOOLS_TCTI=tabrmd:bus_type=system
+      - TCTI=tabrmd:bus_type=system
     volumes:
       - /sys/kernel/security:/sys/kernel/security:ro
       - ./agent.conf:/etc/keylime/agent.conf:ro
-      - agent_var_lib_keylime:/var/lib/keylime:rw
-      - cv_ca:/var/lib/keylime/cv_ca:ro
+      - ./target/debug/:/rust-keylime
+      - secure_volume:/var/lib/keylime
+      - agent_volume:/var/lib/keylime/secure
     # command: keylime_agent
 
 volumes:
-  tpm-state:
-  cv_ca:
-  agent_var_lib_keylime:
+  secure_volume:
+  agent_volume:
+    driver_opts:
+      type: tmpfs
+      device: tmpfs

security/keylime-poc/compose/tenant.sh

@@ -4,13 +4,8 @@
 set -eu
 
 # Register agent with allowlist
-docker run --network host \
-    -e KEYLIME_TENANT_TLS_ENABLED=False \
-    -e KEYLIME_VERIFIER_TLS_ENABLED=False \
-    -e KEYLIME_REGISTRAR_TLS_ENABLED=False \
-    -e KEYLIME_TENANT_ENABLE_INSECURE_VERIFICATION=True \
-    -v "$(pwd)"/allowlist.txt:/tmp/allowlist.txt:ro \
-    quay.io/keylime/keylime_tenant \
+docker exec -it compose-keylime-tenant-1 \
+    keylime_tenant \
     -v 127.0.0.1 \
     -t 127.0.0.1 \
     -u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 \

security/keylime-poc/soft-tpm/Dockerfile

@@ -14,12 +14,15 @@ WORKDIR /tpm
 RUN apt-get update && apt-get install -y \
     build-essential \
     autoconf \
+    dbus \
+    dbus-daemon \
     libtool \
     libssl-dev \
     pkg-config \
     git \
     wget \
     tpm2-tools \
+    tpm2-abrmd \
     && rm -rf /var/lib/apt/lists/*
 
 # Clone and build IBM's TPM2 simulator
@@ -30,6 +33,7 @@ RUN git clone https://github.com/kgoldman/ibmswtpm2 \
     && cd / \
     && rm -rf /tpm/ibmswtpm2
 
+COPY dbus-policy.conf /etc/dbus-1/system.d/
 COPY start.sh /
 
 # Create directory for TPM state

security/keylime-poc/soft-tpm/dbus-policy.conf

@@ -0,0 +1,12 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy context="default">
+    <!-- Allow everything to be sent -->
+    <allow send_destination="*" eavesdrop="true"/>
+    <!-- Allow everything to be received -->
+    <allow eavesdrop="true"/>
+    <!-- Allow anyone to own anything -->
+    <allow own="*"/>
+  </policy>
+</busconfig>

security/keylime-poc/soft-tpm/start.sh

@@ -4,9 +4,21 @@
 nohup tpm_server &
 
 # Wait for simulator to be ready
-sleep 2
+sleep 5
 
 export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"
 tpm2_startup -c
 
+# Configure dbus
+rm -rf /var/run/dbus
+mkdir /var/run/dbus
+dbus-daemon --system
+
+#    --tcti=swtpm: \
+tpm2-abrmd \
+    --logger=stdout \
+    --flush-all \
+    --tcti="${TPM2TOOLS_TCTI}" \
+    --allow-root &
+
 tail -f /dev/null