Add a keylime-agent element and a tpm-emulator element

Story: #2002713

Task: #41304
Change-Id: Ia5226faabae8accb03f401aa4de3c8311b583455
Danni Shi 2021-05-04 12:19:43 -04:00
parent ddd70501d4
commit 05d8f3ae38
21 changed files with 346 additions and 0 deletions


@ -0,0 +1,52 @@
=============
keylime-agent
=============
Presently, we rely upon a certain level of trust for users that leverage
baremetal resources. While we do perform cleaning between deployments,
a malicious attacker could potentially modify firmware of attached devices
in ways that may or may not be readily detectable.
The solution that has been proposed for this is the use of a measured launch
environments with engagement of Trusted Platform Management (TPM) modules to
help ensure that the running system profile is exactly as desired or approved,
by the attestation service.
To leverage TPM's for attestation, we propose Keylime,
an open source remote boot attestation and
runtime integrity measurement system. Keylime agent is a component of the
Keylime suite which runs on the baremetal node we are attesting
during cleaning and deployment steps. Keylime regisrar is
a database of all agents registered with Keylime
and hosts the public keys of the TPM vendors.
In order to enhance the ramdisk to support TPM 2.0 and Keylime,
this keylime-agent element is proposed. This element provides
configurations for Keylime agent to communicate with Keylime server.
Keylime agent runs as a system service to collect
Integrity Measurement Architecture (IMA) measurement lists and
send the measurements to the Keylime verifier for attestation.
Environment Variables
---------------------
DIB_KEYLIME_AGENT_REGISTRAR_IP
:Required: Yes
:Default: 0
:Description: The IP address of Keylime registrar server
which Keylime agent communicates with.
DIB_KEYLIME_AGENT_REGISTRAR_PORT
:Required: Yes
:Default: 8890
:Description: The port of Keylime registrar server
which Keylime agent communicates with.
**REFERENCES**
[1] github.com/keylime/
[2] review.opendev.org/c/openstack/ironic-specs/+/576718


@ -0,0 +1,4 @@
package-installs
pip-and-virtualenv
selinux-permissive
source-repositories
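Review bot: Depending on `selinux-permissive` switches the whole image to permissive mode, which is a notable weakening for an element whose stated purpose is integrity attestation, and the README added in this commit does not mention it. A short note in the README explaining why enforcement is incompatible with the agent (or what policy work would remove the dependency) would let operators judge the trade-off rather than discover it from the dependency list.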


@ -0,0 +1,2 @@
export DIB_KEYLIME_AGENT_REGISTRAR_IP=${DIB_KEYLIME_AGENT_REGISTRAR_IP:-0}
export DIB_KEYLIME_AGENT_REGISTRAR_PORT=${DIB_KEYLIME_AGENT_REGISTRAR_PORT:-8890}


@ -0,0 +1,58 @@
#!/bin/bash
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
SCRIPTDIR=$(dirname $0)
VENVDIR=/opt/keylime
KLDIR=/tmp/keylime
# create the virtual environment
if [ $DIB_PYTHON_VERSION == 3 ]; then
$DIB_PYTHON -m venv $VENVDIR
else
$DIB_PYTHON -m virtualenv $VENVDIR
fi
install -d /etc/ima/
install -c -m 0644 ${SCRIPTDIR}/ima-policy /etc/ima/ima-policy
# install Keylime-agent inside the virtual environment
$VENVDIR/bin/pip install 'pip>=19.1.1'
$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
ln -s $VENVDIR/bin/keylime_agent /usr/local/bin/keylime_agent
if [ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" != "0" ]; then
sed -i "s/registrar_ip = 127.0.0.1/registrar_ip = "$DIB_KEYLIME_AGENT_REGISTRAR_IP"/" /etc/keylime.conf
fi
if [ "$DIB_KEYLIME_AGENT_REGISTRAR_PORT" != "8890" ]; then
sed -i "s/registrar_port = 8890/registrar_port = "$DIB_KEYLIME_AGENT_REGISTRAR_PORT"/" /etc/keylime.conf
fi
# set the agent uuid to randomly generated
sed -i 's/^\(agent\_uuid\s*=\s*\).*$/\1dmidecode/' /etc/keylime.conf
sed -i 's/^\(level\s*=\s*\).*$/\1DEBUG/' /etc/keylime.conf
sed -i 's/^\(cloudagent\_ip\s*=\s*\).*$/\10.0.0.0/' /etc/keylime.conf
# create allowlist
./$KLDIR/scripts/create_allowlist.sh /root/allowlist.txt sha256sum
case "$DIB_INIT_SYSTEM" in
systemd)
install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-agent.service /usr/lib/systemd/system/keylime-agent.service
;;
sysv)
install -D -g root -o root -m 0755 ${SCRIPTDIR}/keylime-agent.init /etc/init.d/keylime-agent.init
update-rc.d keylime-agent.init defaults
;;
*)
echo "Unsupported init system"
exit 1
;;
esac
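Review bot: The two `sed` edits for `registrar_ip` and `registrar_port` close the double quotes around the variable and splice its raw value into the `s///` expression, so a value containing `/` or `&` corrupts the command, and the literal left-hand side silently matches nothing if the shipped `keylime.conf` default ever differs, whereas the three edits that follow use an anchored `^\(key\s*=\s*\).*$` form; `sed -i "s/^\(registrar_ip\s*=\s*\).*$/\1${DIB_KEYLIME_AGENT_REGISTRAR_IP}/" /etc/keylime.conf` (and the same for `registrar_port`) is consistent with them and survives word-splitting, though the value should still be validated as an address or port before it reaches `sed`. The allowlist call prefixes an absolute path with `./`, giving `.//tmp/keylime/scripts/create_allowlist.sh`, which is resolved relative to the current directory and aborts under `set -e` unless that directory happens to be `/`; drop the `./`. The comment `# set the agent uuid to randomly generated` does not match the value written, `dmidecode`, which presumably derives the UUID from DMI data rather than generating one — reword the comment or change the value. Forcing `level = DEBUG` into a deployment image deserves a comment saying why, since it is noisier than most operators want by default. The `sysv` arm installs an init script that this element's post-install script, later in this commit, rejects with `Unsupported init system`, so either the arm is dead code or post-install needs a matching case.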


@ -0,0 +1,17 @@
# MEASUREMENTS
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_measure fsmagic=0x858458f6
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
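Review bot: The policy measures only executed files, executable mappings and root-initiated module loads, so a kernel or initramfs loaded through kexec and firmware blobs loaded by the kernel are never measured, even though firmware tampering is the threat the README gives as the motivation for this element; adding `measure func=KEXEC_KERNEL_CHECK`, `measure func=KEXEC_INITRAMFS_CHECK`, `measure func=FIRMWARE_CHECK` and `measure func=POLICY_CHECK` would close that gap, with `POLICY_CHECK` also recording any later policy replacement. Note too that the `dont_measure` rule for TMPFS means anything executed from a tmpfs mount is skipped, which likely includes `/tmp` where this commit places the Keylime sources — confirm that is intended. A one-line header comment stating what the policy is meant to catch and what it deliberately excludes would help whoever has to extend it.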


@ -0,0 +1,31 @@
#!/bin/sh -e
### BEGIN INIT INFO
# Provides: keylime-agent
# Required-Start: $local_fs networking
# Required-Stop: $local_fs
# Default-Start: S
# Default-Stop: 0 6
# X-Start-Before:
# Short-Description: Keylime Agent
# Description: The keylime-agent is deployed to the node for attestation
### END INIT INFO
NAME=keylime-agent
INIT_NAME=/etc/init.d/${NAME}
SCRIPT_NAME=/usr/local/bin/keylime_agent
[ -x $SCRIPT_NAME ] || exit 0
case "$1" in
start)
$SCRIPT_NAME --config-dir /etc/keylime-agent.d/
;;
stop)
;;
*)
echo "Usage: $INIT_NAME {start|stop}"
exit 1
;;
esac
exit 0
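Review bot: The `start` arm runs the agent in the foreground with no `&`, `start-stop-daemon` or pidfile, so under sysv the boot sequence would block on it, and the `stop` arm does nothing, so the service cannot be stopped by the same script; at minimum `start` should background or daemonize the process and `stop` should signal it. It also passes `--config-dir /etc/keylime-agent.d/`, a directory nothing in this commit creates, while the install script edits `/etc/keylime.conf` and the systemd unit passes no such flag — confirm which configuration path is intended. The `-e` on the `#!/bin/sh -e` shebang is lost when the script is invoked as `sh /etc/init.d/keylime-agent.init`, so put `set -e` in the body, and quote the test as `[ -x "$SCRIPT_NAME" ] || exit 0`.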


@ -0,0 +1,12 @@
[Unit]
Description=The Keylime agent
Wants=tpm2-abrmd.service
After=network-online.target
[Service]
ExecStart=/usr/local/bin/keylime_agent
Restart=always
RestartSec=30s
[Install]
WantedBy=multi-user.target
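Review bot: `After=network-online.target` has no effect unless something also pulls that target in, and `Wants=tpm2-abrmd.service` without a matching `After=` does not order the agent behind the resource manager, so the agent may start before either is ready and then cycle through `Restart=always` every 30 s; `Wants=network-online.target tpm2-abrmd.service` and `After=network-online.target tpm2-abrmd.service` express what the unit appears to intend. The keylime-ima-emulator unit later in this commit has the same `After=network-online.target` without a `Wants=`. Since the agent runs as root with TPM access, a comment in the unit noting why no `User=`/hardening directives are applied would also help reviewers.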


@ -0,0 +1 @@
git:


@ -0,0 +1,18 @@
#!/bin/bash
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
case "$DIB_INIT_SYSTEM" in
systemd)
systemctl enable keylime-agent
;;
*)
echo "Unsupported init system $DIB_INIT_SYSTEM"
exit 1
;;
esac


@ -0,0 +1 @@
keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1


@ -0,0 +1,23 @@
=============
tpm-emulator
=============
This element should be used together with keylime-agent element.
Keylime can be used with a software TPM emulator for development purposes.
Please refer to keylime-agent element for the detailed explanation.
This element works with a software TPM 2.0 emulator.
The download source of IBM's TPM 2.0 Software TPM can be found here:
https://sourceforge.net/projects/ibmswtpm2/
TPM utility prerequisites are installed, including tpm2-tss software stack,
tpm2-tools utilities, and the tpm2-abrmd resource manager.
**REFERENCES**
[1] github.com/keylime/keylime-vagrant-ansible-tpm-emulator
[2] ibmswtpm.sourceforge.net/ibmswtpm2.html


@ -0,0 +1,3 @@
package-installs
pip-and-virtualenv
source-repositories


@ -0,0 +1,4 @@
[Service]
# need to specify ExecStart as empty first to "clear" it: see https://www.freedesktop.org/software/systemd/man/systemd.unit.html
ExecStart=
ExecStart=/usr/sbin/tpm2-abrmd --tcti=mssim
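Review bot: Pointing the resource manager at the simulator with `--tcti=mssim` makes it depend on `tpm_server.service`, but nothing in this commit orders the two — the drop-in only overrides `[Service]`, and the tpm_server unit declares no `Before=` — so whether abrmd comes up cleanly depends on start-up timing (as far as I recall abrmd exits rather than retries when the TCTI cannot connect; confirm). Adding a `[Unit]` section with `Requires=tpm_server.service` and `After=tpm_server.service` to this drop-in makes the dependency explicit. The drop-in would also benefit from a comment stating that it is for the software-TPM development setup only, since it silently redirects every TPM client on the image away from hardware.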


@ -0,0 +1,53 @@
#!/bin/bash
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
SCRIPTDIR=$(dirname $0)
VENVDIR=/opt/keylime
KLDIR=/tmp/keylime
TPMDIR=/tmp/ibmtpm
# create the virtual environment
if [ $DIB_PYTHON_VERSION == 3 ]; then
$DIB_PYTHON -m venv $VENVDIR
else
$DIB_PYTHON -m virtualenv $VENVDIR
fi
# install tpm
cd $TPMDIR/src
# compile tpm emulator
make
# install tpm_server
install -c -m 0755 $TPMDIR/src/tpm_server /usr/local/bin/tpm_server
# install init_tpm_server script
install -c -m 0755 $KLDIR/scripts/init_tpm_server /usr/local/bin/init_tpm_server
install -d -g root -o root -m 0755 /etc/systemd/system/tpm2-abrmd.service.d/
install -c -g root -o root -m 0644 ${SCRIPTDIR}/10-tcti-emulator.conf /etc/systemd/system/tpm2-abrmd.service.d/
install -c -g root -o root -m 0644 ${SCRIPTDIR}/20-remove-conditionpathexistsglob.conf /etc/systemd/system/tpm2-abrmd.service.d/
# install Keylime-agent inside the virtual environment
$VENVDIR/bin/pip install 'pip>=19.1.1'
$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
ln -s $VENVDIR/bin/keylime_ima_emulator /usr/local/bin/keylime_ima_emulator
case "$DIB_INIT_SYSTEM" in
systemd)
install -D -g root -o root -m 0644 ${SCRIPTDIR}/tpm_server.service /usr/lib/systemd/system/tpm_server.service
install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-ima-emulator.service /usr/lib/systemd/system/keylime-ima-emulator.service
;;
*)
echo "Unsupported init system"
exit 1
;;
esac
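Review bot: The virtual-environment creation and the two `pip install` steps duplicate the same block in the keylime-agent install script, and the README says the two elements are used together, so on a combined build the second one to run recreates `/opt/keylime` and reinstalls Keylime into it; which script runs first depends on their ordering prefixes, which are not visible here. Either declare keylime-agent in this element's element-deps and drop the duplicated block, or guard it with something like `[ -x "$VENVDIR/bin/pip" ] || <create venv>` so the work is done once. `SCRIPTDIR=$(dirname $0)` and the `$DIB_PYTHON_VERSION` test should also be quoted, and the `cd $TPMDIR/src` leaves the script in that directory for the remaining steps, which is harmless only because every later path is absolute — a comment saying so would save the next reader a check.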


@ -0,0 +1,13 @@
[Unit]
Description=The Keylime ima emulator
Wants=tpm2-abrmd.service
Before=keylime-agent.service
After=network-online.target
[Service]
ExecStart=/usr/local/bin/keylime_ima_emulator
Restart=always
RestartSec=30s
[Install]
WantedBy=multi-user.target


@ -0,0 +1,10 @@
[Unit]
Description=TPM server
[Service]
ExecStart=/usr/local/bin/tpm_server -rm
Restart=on-failure
RestartSec=30s
[Install]
WantedBy=multi-user.target


@ -0,0 +1,20 @@
swig:
tpm2-abrmd:
tpm2-tools:
tpm2-tss:
make:
gcc-c++:
uninstall: true
pkg-config:
uninstall: true
libtool:
uninstall: true
libstdc++-devel:
uninstall: true
git:
dbus-devel:
glib2-devel:
uriparser-devel:
libgcrypt-devel:
libcurl-devel:
libselinux-python3:


@ -0,0 +1,20 @@
#!/bin/bash
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
case "$DIB_INIT_SYSTEM" in
systemd)
systemctl enable tpm_server
systemctl enable tpm2-abrmd
systemctl enable keylime-ima-emulator
;;
*)
echo "Unsupported init system $DIB_INIT_SYSTEM"
exit 1
;;
esac


@ -0,0 +1 @@
ibmtpm tar /tmp/ibmtpm http://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1119.tar.gz .
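Review bot: The TPM emulator source is fetched over plain `http://` with no digest, then compiled and installed as `/usr/local/bin/tpm_server` by the install script, so the integrity of the component that anchors the development attestation chain rests on an unauthenticated download. The README in the same commit already cites `https://sourceforge.net/projects/ibmswtpm2/`, so at minimum change the URL to `https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1119.tar.gz`. If the source-repositories element offers no way to pin a checksum for `tar` entries, record the expected digest of the tarball in the element's README and verify it in the install script before `make`; the git entry for Keylime is already pinned to a commit, so only this archive is unpinned.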


@ -0,0 +1 @@
keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1