diff --git a/security/keylime-poc/agent/Dockerfile b/security/keylime-poc/agent/Dockerfile
new file mode 100644
index 00000000..5c1c848f
--- /dev/null
+++ b/security/keylime-poc/agent/Dockerfile
@@ -0,0 +1,83 @@
+##############################################################################
+# keylime TPM 2.0 Dockerfile
+#
+# This file is for automatic test running of Keylime and rust-keylime.
+# It is not recommended for use beyond testing scenarios.
+##############################################################################
+
+FROM quay.io/fedora/fedora
+
+# environment variables
+ARG BRANCH=master
+ENV container docker
+ENV HOME /root
+ENV KEYLIME_HOME ${HOME}/keylime
+ENV TPM_HOME ${HOME}/swtpm2
+COPY dbus-policy.conf /etc/dbus-1/system.d/
+
+# Packaged dependencies
+ENV PKGS_DEPS "automake \
+clang clang-devel \
+createrepo_c \
+czmq-devel \
+dbus \
+dbus-daemon \
+dbus-devel \
+dnf-plugins-core \
+efivar-devel \
+gcc \
+git \
+glib2-devel \
+glib2-static \
+gnulib \
+iproute \
+kmod \
+libarchive-devel \
+libselinux-python3 \
+libtool \
+libtpms \
+llvm llvm-devel \
+make \
+openssl-devel \
+pkg-config \
+procps \
+python3-cryptography \
+python3-dbus \
+python3-devel \
+python3-gpg \
+python3-pip \
+python3-requests \
+python3-setuptools \
+python3-sqlalchemy \
+python3-tornado \
+python3-virtualenv \
+python3-yaml \
+python3-zmq \
+redhat-rpm-config \
+rpm-build \
+rpm-sign \
+rust clippy cargo \
+swtpm \
+swtpm-tools \
+tpm2-abrmd \
+tpm2-tools \
+tpm2-tss \
+tpm2-tss-devel \
+uthash-devel \
+wget \
+which"
+
+RUN dnf makecache && \
+ dnf -y install $PKGS_DEPS && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf/*
+
+RUN git clone https://github.com/keylime/rust-keylime \
+ && cd rust-keylime \
+ && make all \
+ && make install \
+ && cd .. \
+ && rm -rf rust-keylime
+
+COPY start.sh /
+CMD ["/start.sh"]
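Review bot: `ARG BRANCH=master` is declared but never used — the `git clone https://github.com/keylime/rust-keylime` step checks out whatever the default branch happens to be at build time, so two builds of this image can contain different agents; thread it through with `git clone --branch "${BRANCH}" --depth 1 https://github.com/keylime/rust-keylime`, or better pin a commit and check it out. The same floating input exists on `FROM quay.io/fedora/fedora`, which carries no tag or digest; pin a release tag (or digest) so the toolchain and tpm2 packages are stable across rebuilds. `ENV container docker`, `ENV HOME /root` and `ENV PKGS_DEPS "…"` use the deprecated space-separated form, and the package list is build-only, so `ARG PKGS_DEPS="…"` plus `ENV key=value` for the rest keeps it out of the runtime environment. There is no `USER`, so `start.sh` and everything it launches run as root; given the header already declares the image test-only, a one-line comment above `CMD` such as `# test-only: start.sh launches swtpm, tpm2-abrmd and keylime_agent as root` would make that a deliberate choice rather than an omission.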
diff --git a/security/keylime-poc/agent/dbus-policy.conf b/security/keylime-poc/agent/dbus-policy.conf
new file mode 100644
index 00000000..c8b0b903
--- /dev/null
+++ b/security/keylime-poc/agent/dbus-policy.conf
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
+
+
+
+
diff --git a/security/keylime-poc/agent/start.sh b/security/keylime-poc/agent/start.sh
new file mode 100755
index 00000000..690b0c02
--- /dev/null
+++ b/security/keylime-poc/agent/start.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -eux
+
+# Configure swtpm2
+mkdir -p /tmp/tpmdir
+chown tss:tss /tmp/tpmdir
+chmod 750 /tmp/tpmdir
+
+swtpm_setup --tpm2 \
+ --tpmstate /tmp/tpmdir \
+ --createek --decryption --create-ek-cert \
+ --create-platform-cert \
+ --display || true
+swtpm socket --tpm2 \
+ --tpmstate dir=/tmp/tpmdir \
+ --flags startup-clear \
+ --ctrl type=tcp,port=2322 \
+ --server type=tcp,port=2321 \
+ --daemon
+sleep 2
+
+# Configure dbus
+sudo rm -rf /var/run/dbus
+sudo mkdir /var/run/dbus
+sudo dbus-daemon --system
+
+# run abmrd
+# Start tpm2-abrmd
+tpm2-abrmd \
+ --logger=stdout \
+ --tcti=swtpm: \
+ --allow-root \
+ --flush-all \
+ &
+sleep 2
+
+# run agent
+useradd -s /sbin/nologin -g tss keylime || true
+
+sudo mkdir -p /var/lib/keylime
+sudo chown keylime:tss /var/lib/keylime
+sudo chmod 770 /var/lib/keylime
+
+sleep 2
+keylime_agent
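Review bot: The `sudo` prefixes on `sudo rm -rf /var/run/dbus`, `sudo mkdir /var/run/dbus`, `sudo dbus-daemon --system` and the three `sudo mkdir/chown/chmod` lines for /var/lib/keylime are both redundant and fragile: the Dockerfile's package list does not install sudo, the container is already root (`user: root` in compose.yml), and under `set -e` a missing `sudo` binary aborts the script before dbus is up; drop the `sudo` on those six lines. `swtpm_setup … || true` silently discards a failed EK / EK-cert / platform-cert creation, after which `swtpm socket` starts on empty or partial state and the agent fails much later with a less obvious error; if the `|| true` is there to tolerate re-running on existing state, guard on the state directory instead, e.g. `[ -n "$(ls -A /tmp/tpmdir)" ] || swtpm_setup …`, and let a genuine setup failure stop the script. The `keylime` user is created with `useradd` but `keylime_agent` is still started as root alongside `tpm2-abrmd --allow-root`; a comment such as `# test image: agent deliberately runs as root, the keylime user only owns /var/lib/keylime` would save the next reader the question.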
diff --git a/security/keylime-poc/compose/agent.conf b/security/keylime-poc/compose/agent.conf
index 587f4290..d6b91550 100644
--- a/security/keylime-poc/compose/agent.conf
+++ b/security/keylime-poc/compose/agent.conf
@@ -5,13 +5,6 @@ tpm_version = "2"
work_dir = "/var/lib/keylime/secure"
secure_size = "1m"
-[cloud_agent]
-cloudagent_ip = "127.0.0.1"
-cloudagent_port = "9002"
-registrar_ip = "127.0.0.1"
-registrar_port = "8891"
-
-[tpm]
-tpm_ownerpassword = ""
-ek_handle = "0x81010000"
-
+#agent_enable_mtls = "true"
+#registrar_ip = "127.0.0.1"
+#registrar_port = "8891"
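Review bot: After this hunk the agent's registrar endpoint and mTLS switch exist only as comments (`#agent_enable_mtls`, `#registrar_ip`, `#registrar_port`), so the running agent uses whatever defaults the rust-keylime build ships, and nothing in the file records what those are. With the agent on `network_mode: host` and the registrar published on 8891 the defaults may well coincide, but that is an assumption; either set `registrar_ip = "127.0.0.1"` and `registrar_port = "8891"` explicitly, or keep them commented and add a line such as `# relying on rust-keylime defaults: registrar 127.0.0.1:8891, mTLS enabled` stating the values being relied on. Leaving `agent_enable_mtls` commented also hides the effective TLS mode of the agent from anyone reading this PoC config, which is the one thing a reviewer of an attestation setup wants to know at a glance. The section header these keys belong to lies before the hunk.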
diff --git a/security/keylime-poc/compose/compose.yml b/security/keylime-poc/compose/compose.yml
index c7e621e0..f4831994 100644
--- a/security/keylime-poc/compose/compose.yml
+++ b/security/keylime-poc/compose/compose.yml
@@ -1,82 +1,66 @@
services:
- tpm-simulator:
- build:
- context: ../soft-tpm
- dockerfile: ../soft-tpm/Dockerfile
- ports:
- - "2321:2321"
- - "2322:2322"
- volumes:
- - tpm-state:/var/lib/tpm
- # command: tpm_server -port 2321 -rm
-
keylime-verifier:
image: quay.io/keylime/keylime_verifier
- depends_on:
- - tpm-simulator
- environment:
- - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321
- - TCTI=mssim:host=tpm-simulator,port=2321
+ hostname: keylime-registrar
+ # network_mode: host
volumes:
- - cv_ca:/var/lib/keylime/cv_ca:rw
+ - secure_volume:/var/lib/keylime
ports:
- - "8881:8881"
- # just create delay so certs are there when it runs
- healthcheck:
- test: ["CMD-SHELL", "true"]
- interval: 5s
- timeout: 5s
- retries: 5
- start_period: 10s
+ - "8892:8892"
+ user: root
command: keylime_verifier
keylime-registrar:
image: quay.io/keylime/keylime_registrar
+ hostname: keylime-registrar
+ # network_mode: host
depends_on:
- - tpm-simulator
- keylime-verifier
- environment:
- - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321
- - TCTI=mssim:host=tpm-simulator,port=2321
volumes:
- - cv_ca:/var/lib/keylime/cv_ca:ro
+ - secure_volume:/var/lib/keylime
ports:
- "8891:8891"
- # just create delay so certs are there when it runs
- healthcheck:
- test: ["CMD-SHELL", "true"]
- interval: 5s
- timeout: 5s
- retries: 5
- start_period: 10s
- command: keylime_registrar
+ - "8890:8890"
+ user: root
+ entrypoint: ["bash", "-c", "sleep 5; keylime_registrar"]
+
+ keylime-tenant:
+ image: quay.io/keylime/keylime_tenant
+ hostname: keylime-tenant
+ # network_mode: host
+ depends_on:
+ - keylime-verifier
+ volumes:
+ - secure_volume:/var/lib/keylime
+ - ./allowlist.txt:/tmp/allowlist.txt
+ user: root
+ entrypoint: ["bash", "-c", "tail -f /dev/null"]
keylime-agent:
- image: quay.io/keylime/keylime_agent:master
- privileged: true
+ # image: quay.io/keylime/keylime_agent:master
+ build:
+ context: ../agent
+ dockerfile: ../agent/Dockerfile
+ hostname: keylime-agent
+ network_mode: host
+ user: root
depends_on:
- - tpm-simulator
- keylime-verifier
- keylime-registrar
environment:
- - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321
- - TCTI=mssim:host=tpm-simulator,port=2321
- - TPM_INTERFACE_TYPE=socsim
- # just create delay so certs are there when it runs
- healthcheck:
- test: ["CMD-SHELL", "true"]
- interval: 5s
- timeout: 5s
- retries: 5
- start_period: 10s
+ - TPM2TOOLS_TCTI=tabrmd:bus_type=system
+ - TCTI=tabrmd:bus_type=system
volumes:
- /sys/kernel/security:/sys/kernel/security:ro
- ./agent.conf:/etc/keylime/agent.conf:ro
- - agent_var_lib_keylime:/var/lib/keylime:rw
- - cv_ca:/var/lib/keylime/cv_ca:ro
+ - ./target/debug/:/rust-keylime
+ - secure_volume:/var/lib/keylime
+ - agent_volume:/var/lib/keylime/secure
# command: keylime_agent
volumes:
- tpm-state:
- cv_ca:
- agent_var_lib_keylime:
+ secure_volume:
+ agent_volume:
+ driver_opts:
+ type: tmpfs
+ device: tmpfs
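Review bot: `hostname: keylime-registrar` is set on the keylime-verifier service (directly under `image: quay.io/keylime/keylime_verifier`), the same hostname the keylime-registrar service sets further down; this looks like a copy-paste slip and should read `hostname: keylime-verifier`, since the two services are addressed separately and a duplicated hostname will confuse any DNS or certificate-SAN lookup that uses it. The second concern is `secure_volume:/var/lib/keylime` mounted read-write into all four services including the tenant and the agent: the removed layout kept CA material in its own `cv_ca` volume mounted `:ro` into the registrar and agent, whereas now the agent under test can write to the directory that holds the verifier's trust material, which removes the boundary the attestation is supposed to demonstrate; keep the CA in a separate volume and mount it `:ro` wherever only reads are needed. `./allowlist.txt:/tmp/allowlist.txt` on the tenant also lost the `:ro` the old tenant.sh invocation had. `sleep 5` in the registrar `entrypoint` replaces the removed healthchecks with a fixed delay; a `healthcheck` on keylime-verifier combined with `depends_on` using `condition: service_healthy` would be more robust than a timer.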
diff --git a/security/keylime-poc/compose/tenant.sh b/security/keylime-poc/compose/tenant.sh
index f8a2f459..2a1b09a9 100755
--- a/security/keylime-poc/compose/tenant.sh
+++ b/security/keylime-poc/compose/tenant.sh
@@ -4,13 +4,8 @@
set -eu
# Register agent with allowlist
-docker run --network host \
- -e KEYLIME_TENANT_TLS_ENABLED=False \
- -e KEYLIME_VERIFIER_TLS_ENABLED=False \
- -e KEYLIME_REGISTRAR_TLS_ENABLED=False \
- -e KEYLIME_TENANT_ENABLE_INSECURE_VERIFICATION=True \
- -v "$(pwd)"/allowlist.txt:/tmp/allowlist.txt:ro \
- quay.io/keylime/keylime_tenant \
+docker exec -it compose-keylime-tenant-1 \
+ keylime_tenant \
-v 127.0.0.1 \
-t 127.0.0.1 \
-u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 \
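Review bot: `docker exec -it compose-keylime-tenant-1` hard-codes the container name Compose derives from the project directory (`compose`) plus its instance-numbering scheme, so the script breaks when run with `-p`, from a renamed checkout, or under a Compose release with different naming; `docker compose exec keylime-tenant keylime_tenant …` resolves the service name instead, and dropping `-it` lets it run from CI without a TTY. The old `docker run` also carried the TLS-disabling environment (`KEYLIME_*_TLS_ENABLED=False`, `KEYLIME_TENANT_ENABLE_INSECURE_VERIFICATION=True`) that this hunk removes; if the tenant image defaults to TLS, the call now depends on the CA material in the tenant's mounted `secure_volume`, which is worth stating in a comment above the `docker exec` line so the trust path is explicit. The `keylime_tenant` argument list continues past the hunk.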
diff --git a/security/keylime-poc/soft-tpm/Dockerfile b/security/keylime-poc/soft-tpm/Dockerfile
index da0cd11c..9b58f8cf 100644
--- a/security/keylime-poc/soft-tpm/Dockerfile
+++ b/security/keylime-poc/soft-tpm/Dockerfile
@@ -14,12 +14,15 @@ WORKDIR /tpm
RUN apt-get update && apt-get install -y \
build-essential \
autoconf \
+ dbus \
+ dbus-daemon \
libtool \
libssl-dev \
pkg-config \
git \
wget \
tpm2-tools \
+ tpm2-abrmd \
&& rm -rf /var/lib/apt/lists/*
# Clone and build IBM's TPM2 simulator
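Review bot: The newly added `dbus`, `dbus-daemon` and `tpm2-abrmd` follow the existing unpinned `apt-get install -y` list, which also lacks `--no-install-recommends`; for an image whose purpose is a reproducible attestation fixture, pinning at least `tpm2-abrmd=<pinned-version>` and adding `--no-install-recommends` to the `apt-get install -y` line keeps the resource manager build stable between rebuilds. compose.yml in this same commit removes the `tpm-simulator` service, so nothing in the compose stack builds this image any more; if it is kept for standalone use, a comment near the top of the file saying so would stop it being taken for dead code. The `RUN` instruction begins and ends inside the hunk; `WORKDIR /tpm` on the hunk header is the preceding context.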
@@ -30,6 +33,7 @@ RUN git clone https://github.com/kgoldman/ibmswtpm2 \
&& cd / \
&& rm -rf /tpm/ibmswtpm2
+COPY dbus-policy.conf /etc/dbus-1/system.d/
COPY start.sh /
# Create directory for TPM state
diff --git a/security/keylime-poc/soft-tpm/dbus-policy.conf b/security/keylime-poc/soft-tpm/dbus-policy.conf
new file mode 100644
index 00000000..c8b0b903
--- /dev/null
+++ b/security/keylime-poc/soft-tpm/dbus-policy.conf
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
+
+
+
+
diff --git a/security/keylime-poc/soft-tpm/start.sh b/security/keylime-poc/soft-tpm/start.sh
index 72ee0b6c..296a3e15 100755
--- a/security/keylime-poc/soft-tpm/start.sh
+++ b/security/keylime-poc/soft-tpm/start.sh
@@ -4,9 +4,21 @@
nohup tpm_server &
# Wait for simulator to be ready
-sleep 2
+sleep 5
export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"
tpm2_startup -c
+# Configure dbus
+rm -rf /var/run/dbus
+mkdir /var/run/dbus
+dbus-daemon --system
+
+# --tcti=swtpm: \
+tpm2-abrmd \
+ --logger=stdout \
+ --flush-all \
+ --tcti="${TPM2TOOLS_TCTI}" \
+ --allow-root &
+
tail -f /dev/null
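Review bot: The commented `# --tcti=swtpm: \` line sits between the dbus block and the `tpm2-abrmd` command and reads like a forgotten experiment rather than documentation; either delete it or make it a real note, e.g. `# tpm2-abrmd reaches the IBM simulator via mssim (TPM2TOOLS_TCTI), not via swtpm`. `tpm2-abrmd … --allow-root &` is backgrounded and the script proceeds straight to `tail -f /dev/null`, so a resource manager that fails to claim the bus name or to connect to the simulator leaves a container that looks healthy while every `tabrmd:bus_type=system` client fails; wait for it before the `tail`, for instance by looping on `TPM2TOOLS_TCTI=tabrmd:bus_type=system tpm2_getcap properties-fixed` with a bounded retry, or at minimum `sleep 2 && kill -0 $!` to detect an early exit. `rm -rf /var/run/dbus` followed by `mkdir /var/run/dbus` and `dbus-daemon --system` assumes no system bus is already running; that holds on a fresh container but deserves a one-line comment so nobody reuses the script on a host.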