diff --git a/security/keylime-poc/agent/Dockerfile b/security/keylime-poc/agent/Dockerfile
new file mode 100644
index 00000000..5c1c848f
--- /dev/null
+++ b/security/keylime-poc/agent/Dockerfile
@@ -0,0 +1,83 @@
+##############################################################################
+# keylime TPM 2.0 Dockerfile
+#
+# This file is for automatic test running of Keylime and rust-keylime.
+# It is not recommended for use beyond testing scenarios.
+##############################################################################
+
+FROM quay.io/fedora/fedora
+
+# environment variables
+ARG BRANCH=master
+ENV container docker
+ENV HOME /root
+ENV KEYLIME_HOME ${HOME}/keylime
+ENV TPM_HOME ${HOME}/swtpm2
+COPY dbus-policy.conf /etc/dbus-1/system.d/
+
+# Packaged dependencies
+ENV PKGS_DEPS "automake \
+clang clang-devel \
+createrepo_c \
+czmq-devel \
+dbus \
+dbus-daemon \
+dbus-devel \
+dnf-plugins-core \
+efivar-devel \
+gcc \
+git \
+glib2-devel \
+glib2-static \
+gnulib \
+iproute \
+kmod \
+libarchive-devel \
+libselinux-python3 \
+libtool \
+libtpms \
+llvm llvm-devel \
+make \
+openssl-devel \
+pkg-config \
+procps \
+python3-cryptography \
+python3-dbus \
+python3-devel \
+python3-gpg \
+python3-pip \
+python3-requests \
+python3-setuptools \
+python3-sqlalchemy \
+python3-tornado \
+python3-virtualenv \
+python3-yaml \
+python3-zmq \
+redhat-rpm-config \
+rpm-build \
+rpm-sign \
+rust clippy cargo \
+swtpm \
+swtpm-tools \
+tpm2-abrmd \
+tpm2-tools \
+tpm2-tss \
+tpm2-tss-devel \
+uthash-devel \
+wget \
+which"
+
+RUN dnf makecache && \
+ dnf -y install $PKGS_DEPS && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf/*
+
+RUN git clone https://github.com/keylime/rust-keylime \
+ && cd rust-keylime \
+ && make all \
+ && make install \
+ && cd .. \
+ && rm -rf rust-keylime
+
+COPY start.sh /
+CMD ["/start.sh"]
diff --git a/security/keylime-poc/agent/dbus-policy.conf b/security/keylime-poc/agent/dbus-policy.conf
new file mode 100644
index 00000000..c8b0b903
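Review bot: `ARG BRANCH=master` is declared but the `RUN git clone https://github.com/keylime/rust-keylime` step never uses it, so the image always builds whatever the upstream default branch holds at build time and cannot be pinned or reproduced; pass it through, e.g. `RUN git clone --depth 1 --branch "${BRANCH}" https://github.com/keylime/rust-keylime \`, and prefer a tag or commit over a branch for anything beyond a throwaway test. The same applies to `FROM quay.io/fedora/fedora`, which carries no tag or digest. `ENV container docker` and the other `ENV` lines use the legacy space-separated form; `ENV container=docker` is the supported syntax. The image also never sets `USER`, so `/start.sh` runs as root — acceptable for the test-only scope the header comment declares, but worth stating in that header so nobody promotes the image as-is.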
--- /dev/null
+++ b/security/keylime-poc/agent/dbus-policy.conf
@@ -0,0 +1,12 @@ + + + + + + + + + + +
diff --git a/security/keylime-poc/agent/start.sh b/security/keylime-poc/agent/start.sh
new file mode 100755
index 00000000..690b0c02
--- /dev/null
+++ b/security/keylime-poc/agent/start.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -eux
+
+# Configure swtpm2
+mkdir -p /tmp/tpmdir
+chown tss:tss /tmp/tpmdir
+chmod 750 /tmp/tpmdir
+
+swtpm_setup --tpm2 \
+ --tpmstate /tmp/tpmdir \
+ --createek --decryption --create-ek-cert \
+ --create-platform-cert \
+ --display || true
+swtpm socket --tpm2 \
+ --tpmstate dir=/tmp/tpmdir \
+ --flags startup-clear \
+ --ctrl type=tcp,port=2322 \
+ --server type=tcp,port=2321 \
+ --daemon
+sleep 2
+
+# Configure dbus
+sudo rm -rf /var/run/dbus
+sudo mkdir /var/run/dbus
+sudo dbus-daemon --system
+
+# run abmrd
+# Start tpm2-abrmd
+tpm2-abrmd \
+ --logger=stdout \
+ --tcti=swtpm: \
+ --allow-root \
+ --flush-all \
+ &
+sleep 2
+
+# run agent
+useradd -s /sbin/nologin -g tss keylime || true
+
+sudo mkdir -p /var/lib/keylime
+sudo chown keylime:tss /var/lib/keylime
+sudo chmod 770 /var/lib/keylime
+
+sleep 2
+keylime_agent
diff --git a/security/keylime-poc/compose/agent.conf b/security/keylime-poc/compose/agent.conf
index 587f4290..d6b91550 100644
--- a/security/keylime-poc/compose/agent.conf
+++ b/security/keylime-poc/compose/agent.conf
@@ -5,13 +5,6 @@ tpm_version = "2"
 work_dir = "/var/lib/keylime/secure"
 secure_size = "1m"
-[cloud_agent]
-cloudagent_ip = "127.0.0.1"
-cloudagent_port = "9002"
-registrar_ip = "127.0.0.1"
-registrar_port = "8891"
-
-[tpm]
-tpm_ownerpassword = ""
-ek_handle = "0x81010000"
-
+#agent_enable_mtls = "true"
+#registrar_ip = "127.0.0.1"
+#registrar_port = "8891"
diff --git a/security/keylime-poc/compose/compose.yml b/security/keylime-poc/compose/compose.yml
index c7e621e0..f4831994 100644
--- a/security/keylime-poc/compose/compose.yml
+++ b/security/keylime-poc/compose/compose.yml
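Review bot: The `sudo rm -rf /var/run/dbus`, `sudo mkdir /var/run/dbus`, `sudo dbus-daemon --system` and the later `sudo mkdir -p`/`sudo chown`/`sudo chmod` lines depend on `sudo`, which the agent Dockerfile's `PKGS_DEPS` list does not install; unless the base image happens to ship it, `set -eux` aborts the script at the first such line, and since the Dockerfile never sets `USER` the script already runs as root, so the `sudo` prefixes should simply be dropped. `swtpm_setup ... --display || true` masks a failed EK/platform-certificate provisioning, after which `keylime_agent` starts against a TPM that lacks the credentials it needs; let that failure propagate (or at least log it explicitly) instead of swallowing it. The `sleep 2` waits after `swtpm socket` and after `tpm2-abrmd ... &` are timing guesses; a loop such as `until tpm2_startup -c; do sleep 1; done` is a real readiness check. Finally, `keylime_agent` is launched without `exec`, so bash stays PID 1 and `docker stop` signals never reach the agent; use `exec keylime_agent`.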
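Review bot: The new `#agent_enable_mtls = "true"` line is commented out, so the effective mTLS setting becomes whatever the agent's built-in default is, and a reader of this file cannot tell whether the PoC intends the agent channel to run with or without mTLS; either uncomment it or replace it with a comment that states the intent, e.g. `# mTLS left at the agent default for this PoC`. The deleted `[tpm]` section also drops `ek_handle` and `tpm_ownerpassword`; if relying on the agent's default EK handling is deliberate, a one-line comment saying so would save the next reader from wondering whether the section was lost by accident.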
@@ -1,82 +1,66 @@ services: - tpm-simulator: - build: - context: ../soft-tpm - dockerfile: ../soft-tpm/Dockerfile - ports: - - "2321:2321" - - "2322:2322" - volumes: - - tpm-state:/var/lib/tpm - # command: tpm_server -port 2321 -rm - keylime-verifier: image: quay.io/keylime/keylime_verifier - depends_on: - - tpm-simulator - environment: - - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321 - - TCTI=mssim:host=tpm-simulator,port=2321 + hostname: keylime-registrar + # network_mode: host volumes: - - cv_ca:/var/lib/keylime/cv_ca:rw + - secure_volume:/var/lib/keylime ports: - - "8881:8881" - # just create delay so certs are there when it runs - healthcheck: - test: ["CMD-SHELL", "true"] - interval: 5s - timeout: 5s - retries: 5 - start_period: 10s + - "8892:8892" + user: root command: keylime_verifier keylime-registrar: image: quay.io/keylime/keylime_registrar + hostname: keylime-registrar + # network_mode: host depends_on: - - tpm-simulator - keylime-verifier - environment: - - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321 - - TCTI=mssim:host=tpm-simulator,port=2321 volumes: - - cv_ca:/var/lib/keylime/cv_ca:ro + - secure_volume:/var/lib/keylime ports: - "8891:8891" - # just create delay so certs are there when it runs - healthcheck: - test: ["CMD-SHELL", "true"] - interval: 5s - timeout: 5s - retries: 5 - start_period: 10s - command: keylime_registrar + - "8890:8890" + user: root + entrypoint: ["bash", "-c", "sleep 5; keylime_registrar"] + + keylime-tenant: + image: quay.io/keylime/keylime_tenant + hostname: keylime-tenant + # network_mode: host + depends_on: + - keylime-verifier + volumes: + - secure_volume:/var/lib/keylime + - ./allowlist.txt:/tmp/allowlist.txt + user: root + entrypoint: ["bash", "-c", "tail -f /dev/null"] keylime-agent: - image: quay.io/keylime/keylime_agent:master - privileged: true + # image: quay.io/keylime/keylime_agent:master + build: + context: ../agent + dockerfile: ../agent/Dockerfile + hostname: keylime-agent + network_mode: host + 
user: root depends_on: - - tpm-simulator - keylime-verifier - keylime-registrar environment: - - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321 - - TCTI=mssim:host=tpm-simulator,port=2321 - - TPM_INTERFACE_TYPE=socsim - # just create delay so certs are there when it runs - healthcheck: - test: ["CMD-SHELL", "true"] - interval: 5s - timeout: 5s - retries: 5 - start_period: 10s + - TPM2TOOLS_TCTI=tabrmd:bus_type=system + - TCTI=tabrmd:bus_type=system volumes: - /sys/kernel/security:/sys/kernel/security:ro - ./agent.conf:/etc/keylime/agent.conf:ro - - agent_var_lib_keylime:/var/lib/keylime:rw - - cv_ca:/var/lib/keylime/cv_ca:ro + - ./target/debug/:/rust-keylime + - secure_volume:/var/lib/keylime + - agent_volume:/var/lib/keylime/secure # command: keylime_agent volumes: - tpm-state: - cv_ca: - agent_var_lib_keylime: + secure_volume: + agent_volume: + driver_opts: + type: tmpfs + device: tmpfs diff --git a/security/keylime-poc/compose/tenant.sh b/security/keylime-poc/compose/tenant.sh index f8a2f459..2a1b09a9 100755 --- a/security/keylime-poc/compose/tenant.sh +++ b/security/keylime-poc/compose/tenant.sh @@ -4,13 +4,8 @@ set -eu # Register agent with allowlist -docker run --network host \ - -e KEYLIME_TENANT_TLS_ENABLED=False \ - -e KEYLIME_VERIFIER_TLS_ENABLED=False \ - -e KEYLIME_REGISTRAR_TLS_ENABLED=False \ - -e KEYLIME_TENANT_ENABLE_INSECURE_VERIFICATION=True \ - -v "$(pwd)"/allowlist.txt:/tmp/allowlist.txt:ro \ - quay.io/keylime/keylime_tenant \ +docker exec -it compose-keylime-tenant-1 \ + keylime_tenant \ -v 127.0.0.1 \ -t 127.0.0.1 \ -u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 \ diff --git a/security/keylime-poc/soft-tpm/Dockerfile b/security/keylime-poc/soft-tpm/Dockerfile index da0cd11c..9b58f8cf 100644 --- a/security/keylime-poc/soft-tpm/Dockerfile +++ b/security/keylime-poc/soft-tpm/Dockerfile 
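Review bot: The `keylime-verifier` service is given `hostname: keylime-registrar`, the same hostname as the `keylime-registrar` service below it, which looks like a copy-paste slip; it should read `hostname: keylime-verifier`, otherwise anything that keys on hostname (logs, service discovery, any certificate material written into the shared `secure_volume`) conflates the two. Every service is now `user: root`, and the agent runs with `network_mode: host` plus a bind mount of `./target/debug/` into `/rust-keylime`; workable for a PoC, but a comment beside `user: root` saying why the images need it would help whoever hardens this later. The `./allowlist.txt:/tmp/allowlist.txt` mount dropped the `:ro` that the old tenant.sh invocation used; add it back so the tenant cannot alter its own allowlist. The registrar's `entrypoint: ["bash", "-c", "sleep 5; keylime_registrar"]` replaces readiness with a fixed delay — `depends_on` alone does not wait for the verifier to be listening, so a `healthcheck` on the verifier with `condition: service_healthy` is the reliable form.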
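Review bot: `docker exec -it compose-keylime-tenant-1` hard-codes the container name Compose derives from the project directory, so the script breaks when the stack is run from another directory or with `-p`; `docker compose exec keylime-tenant keylime_tenant \` resolves the service name instead. The `-it` flags also make the script fail when no TTY is attached (CI, cron) even though the tenant call is non-interactive; `-i` alone, or neither, is sufficient.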
@@ -14,12 +14,15 @@ WORKDIR /tpm
 RUN apt-get update && apt-get install -y \
 build-essential \
 autoconf \
+ dbus \
+ dbus-daemon \
 libtool \
 libssl-dev \
 pkg-config \
 git \
 wget \
 tpm2-tools \
+ tpm2-abrmd \
 && rm -rf /var/lib/apt/lists/*
 # Clone and build IBM's TPM2 simulator
@@ -30,6 +33,7 @@ RUN git clone https://github.com/kgoldman/ibmswtpm2 \
 && cd / \
 && rm -rf /tpm/ibmswtpm2
+COPY dbus-policy.conf /etc/dbus-1/system.d/
 COPY start.sh /
 # Create directory for TPM state
diff --git a/security/keylime-poc/soft-tpm/dbus-policy.conf b/security/keylime-poc/soft-tpm/dbus-policy.conf
new file mode 100644
index 00000000..c8b0b903
--- /dev/null
+++ b/security/keylime-poc/soft-tpm/dbus-policy.conf
@@ -0,0 +1,12 @@ + + + + + + + + + + +
diff --git a/security/keylime-poc/soft-tpm/start.sh b/security/keylime-poc/soft-tpm/start.sh
index 72ee0b6c..296a3e15 100755
--- a/security/keylime-poc/soft-tpm/start.sh
+++ b/security/keylime-poc/soft-tpm/start.sh
@@ -4,9 +4,21 @@ nohup tpm_server & # Wait for simulator to be ready
-sleep 2
+sleep 5
 export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"
 tpm2_startup -c
+# Configure dbus
+rm -rf /var/run/dbus
+mkdir /var/run/dbus
+dbus-daemon --system
+
+# --tcti=swtpm: \
+tpm2-abrmd \
+ --logger=stdout \
+ --flush-all \
+ --tcti="${TPM2TOOLS_TCTI}" \
+ --allow-root &
+ tail -f /dev/null
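Review bot: `tpm2-abrmd ... --allow-root &` is backgrounded with no check that it actually came up before the script parks on `tail -f /dev/null`, and raising `sleep 2` to `sleep 5` before `tpm2_startup -c` is still a timing guess; `until tpm2_startup -c; do sleep 1; done` turns the guess into a readiness check, and a broker that fails to start should fail the container rather than leave a silently broken simulator behind. The leftover `# --tcti=swtpm: \` line inside the new block reads like an abandoned alternative; either delete it or make it a real comment explaining why the mssim TCTI is used here. The compose file changed in this same commit no longer defines a soft-tpm service, so this image appears unused by the PoC — if it is kept for standalone testing, a comment at the top of the script saying so would avoid confusion.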