Add a keylime-agent element and a tpm-emulator element
Story: #2002713 Task: #41304 Change-Id: Ia5226faabae8accb03f401aa4de3c8311b583455
This commit is contained in:
parent
ddd70501d4
commit
05d8f3ae38
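--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/README.rst
@@ -0,0 +1,52 @@
+=============
+keylime-agent
+=============
+
+Presently, we rely upon a certain level of trust for users that leverage
+baremetal resources. While we do perform cleaning between deployments,
+a malicious attacker could potentially modify firmware of attached devices
+in ways that may or may not be readily detectable.
+
+The solution that has been proposed for this is the use of a measured launch
+environments with engagement of Trusted Platform Management (TPM) modules to
+help ensure that the running system profile is exactly as desired or approved,
+by the attestation service.
+
+To leverage TPM's for attestation, we propose Keylime,
+an open source remote boot attestation and
+runtime integrity measurement system. Keylime agent is a component of the
+Keylime suite which runs on the baremetal node we are attesting
+during cleaning and deployment steps. Keylime regisrar is
+a database of all agents registered with Keylime
+and hosts the public keys of the TPM vendors.
+
+In order to enhance the ramdisk to support TPM 2.0 and Keylime,
+this keylime-agent element is proposed. This element provides
+configurations for Keylime agent to communicate with Keylime server.
+Keylime agent runs as a system service to collect
+Integrity Measurement Architecture (IMA) measurement lists and
+send the measurements to the Keylime verifier for attestation.
+
+Environment Variables
+---------------------
+
+DIB_KEYLIME_AGENT_REGISTRAR_IP
+:Required: Yes
+:Default: 0
+:Description: The IP address of Keylime registrar server
+which Keylime agent communicates with.
+
+DIB_KEYLIME_AGENT_REGISTRAR_PORT
+:Required: Yes
+:Default: 8890
+:Description: The port of Keylime registrar server
+which Keylime agent communicates with.
+
+**REFERENCES**
+
+[1] github.com/keylime/
+[2] review.opendev.org/c/openstack/ironic-specs/+/576718
+
+
+
+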
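--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/element-deps
@@ -0,0 +1,4 @@
+package-installs
+pip-and-virtualenv
+selinux-permissive
+source-repositories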
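Review bot: selinux-permissive is pulled in as a hard dependency of the element with no stated reason, which silently switches SELinux to permissive mode on every image that includes keylime-agent. If the agent or the IMA measurement setup needs specific SELinux permissions, that is better solved with a policy module, or at least documented in the README as a known limitation so operators know the resulting image is not enforcing. At minimum a comment in the README should say why the element requires permissive mode.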
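--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/<path-not-shown-on-page>
@@ -0,0 +1,2 @@
+export DIB_KEYLIME_AGENT_REGISTRAR_IP=${DIB_KEYLIME_AGENT_REGISTRAR_IP:-0}
+export DIB_KEYLIME_AGENT_REGISTRAR_PORT=${DIB_KEYLIME_AGENT_REGISTRAR_PORT:-8890}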
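Review bot: `${DIB_KEYLIME_AGENT_REGISTRAR_IP:-0}` defaults a variable the README marks as Required to the sentinel `0`, and the install script in this commit then skips its sed when it sees `0`, so an image built without the variable presumably keeps the package default `registrar_ip = 127.0.0.1` and ships an agent that registers against localhost instead of failing the build. If the value is genuinely required, the install script should fail early with `: "${DIB_KEYLIME_AGENT_REGISTRAR_IP:?DIB_KEYLIME_AGENT_REGISTRAR_IP must be set}"` rather than relying on the sentinel; if it is optional, the README should say so and document the localhost fallback.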
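--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/<path-not-shown-on-page>
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+SCRIPTDIR=$(dirname $0)
+VENVDIR=/opt/keylime
+
+KLDIR=/tmp/keylime
+
+# create the virtual environment
+
+if [ $DIB_PYTHON_VERSION == 3 ]; then
+$DIB_PYTHON -m venv $VENVDIR
+else
+$DIB_PYTHON -m virtualenv $VENVDIR
+fi
+
+install -d /etc/ima/
+
+install -c -m 0644 ${SCRIPTDIR}/ima-policy /etc/ima/ima-policy
+
+# install Keylime-agent inside the virtual environment
+$VENVDIR/bin/pip install 'pip>=19.1.1'
+$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
+ln -s $VENVDIR/bin/keylime_agent /usr/local/bin/keylime_agent
+
+if [ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" != "0" ]; then
+sed -i "s/registrar_ip = 127.0.0.1/registrar_ip = "$DIB_KEYLIME_AGENT_REGISTRAR_IP"/" /etc/keylime.conf
+fi
+if [ "$DIB_KEYLIME_AGENT_REGISTRAR_PORT" != "8890" ]; then
+sed -i "s/registrar_port = 8890/registrar_port = "$DIB_KEYLIME_AGENT_REGISTRAR_PORT"/" /etc/keylime.conf
+fi
+# set the agent uuid to randomly generated
+sed -i 's/^\(agent\_uuid\s*=\s*\).*$/\1dmidecode/' /etc/keylime.conf
+sed -i 's/^\(level\s*=\s*\).*$/\1DEBUG/' /etc/keylime.conf
+sed -i 's/^\(cloudagent\_ip\s*=\s*\).*$/\10.0.0.0/' /etc/keylime.conf
+
+
+# create allowlist
+./$KLDIR/scripts/create_allowlist.sh /root/allowlist.txt sha256sum
+
+case "$DIB_INIT_SYSTEM" in
+systemd)
+install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-agent.service /usr/lib/systemd/system/keylime-agent.service
+;;
+sysv)
+install -D -g root -o root -m 0755 ${SCRIPTDIR}/keylime-agent.init /etc/init.d/keylime-agent.init
+update-rc.d keylime-agent.init defaults
+;;
+*)
+echo "Unsupported init system"
+exit 1
+;;
+esac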
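Review bot: The comment `# set the agent uuid to randomly generated` does not describe the sed beneath it, which writes `agent_uuid = dmidecode`, and the next two seds force `level = DEBUG` and `cloudagent_ip = 0.0.0.0` into the shipped /etc/keylime.conf; neither is mentioned in the README nor controllable through a DIB_ variable, and a debug log level plus a listener bound on every interface is not a sensible baked-in default for an attestation ramdisk. I would change the comment to `# pin the agent uuid to the DMI system uuid (dmidecode)` and either gate the DEBUG and 0.0.0.0 edits behind documented DIB_KEYLIME_AGENT_* variables or add a comment explaining why they are required. The registrar seds also splice `$DIB_KEYLIME_AGENT_REGISTRAR_IP` and `_PORT` unescaped into the sed expression, so a value containing `/` or `&` corrupts the config instead of failing; validating the port with `[[ "$DIB_KEYLIME_AGENT_REGISTRAR_PORT" =~ ^[0-9]+$ ]] || exit 1` (and the IP similarly) before the sed would be safer. Separately, `./$KLDIR/scripts/create_allowlist.sh` with KLDIR=/tmp/keylime is a cwd-relative path that presumably only resolves when the script happens to run from /; `"$KLDIR"/scripts/create_allowlist.sh` is what is meant.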
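--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/<dir-not-shown-on-page>/ima-policy
@@ -0,0 +1,17 @@
+# MEASUREMENTS
+measure func=BPRM_CHECK
+measure func=FILE_MMAP mask=MAY_EXEC
+measure func=MODULE_CHECK uid=0
+# PROC_SUPER_MAGIC
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_measure fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_measure fsmagic=0x858458f6
+# SECURITYFS_MAGIC
+dont_measure fsmagic=0x73636673
+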
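Review bot: The `dont_measure fsmagic=...` rules are listed after the three `measure` rules, and as far as I know IMA walks the policy in order with the first rule that matches an action deciding it, so an executable on /proc, /sys, tmpfs or the other listed filesystems that matches `measure func=BPRM_CHECK` is measured before its exclusion is ever consulted. The upstream example policies put the `dont_measure` rules first for this reason; moving the six `dont_measure` lines (with their comments) above `# MEASUREMENTS` makes the exclusions effective. A header comment should also note that this file only takes effect if something loads it into securityfs at boot, since nothing in this element does that.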
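--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/<dir-not-shown-on-page>/keylime-agent.init
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+### BEGIN INIT INFO
+# Provides: keylime-agent
+# Required-Start: $local_fs networking
+# Required-Stop: $local_fs
+# Default-Start: S
+# Default-Stop: 0 6
+# X-Start-Before:
+# Short-Description: Keylime Agent
+# Description: The keylime-agent is deployed to the node for attestation
+### END INIT INFO
+
+NAME=keylime-agent
+INIT_NAME=/etc/init.d/${NAME}
+SCRIPT_NAME=/usr/local/bin/keylime_agent
+
+[ -x $SCRIPT_NAME ] || exit 0
+
+case "$1" in
+start)
+$SCRIPT_NAME --config-dir /etc/keylime-agent.d/
+;;
+stop)
+;;
+*)
+echo "Usage: $INIT_NAME {start|stop}"
+exit 1
+;;
+esac
+
+exit 0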
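Review bot: In the `start)` arm `$SCRIPT_NAME --config-dir /etc/keylime-agent.d/` runs the agent in the foreground, so with `Default-Start: S` the sysv boot sequence blocks on it, and `stop)` is an empty arm, so the service can be neither backgrounded nor stopped; start should daemonize it (for example via start-stop-daemon with a pidfile) and stop should signal that pid. The `--config-dir /etc/keylime-agent.d/` argument is also inconsistent with the systemd unit in this commit, which starts the same binary with no arguments, and with the install script, which only edits /etc/keylime.conf, so it is unclear which configuration the sysv path reads. The install script places this file at /etc/init.d/keylime-agent.init, which matches neither `INIT_NAME=/etc/init.d/${NAME}` nor the `Provides: keylime-agent` header. Finally `#!/bin/sh -e` loses the `-e` when the script is invoked as `sh /etc/init.d/...`; a `set -e` line after the LSB header is more robust.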
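--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/<dir-not-shown-on-page>/keylime-agent.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=The Keylime agent
+Wants=tpm2-abrmd.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/keylime_agent
+Restart=always
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target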
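Review bot: `Wants=tpm2-abrmd.service` without a matching `After=tpm2-abrmd.service` only pulls the resource manager in and does not order the agent after it, so keylime_agent can start before tpm2-abrmd is up; likewise `After=network-online.target` without `Wants=network-online.target` does not activate that target at all. Adding `After=tpm2-abrmd.service` and `Wants=network-online.target` to [Unit] gives the ordering the unit appears to intend; keylime-ima-emulator.service in this commit has the same pattern. The [Service] section runs the agent as root with no hardening directives; a comment stating why root is needed (TPM access through abrmd, reading the IMA log) would help, and `NoNewPrivileges=yes` and `ProtectSystem=` are worth considering.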
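--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/<path-not-shown-on-page>
@@ -0,0 +1 @@
+git: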
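--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/post-install.d/90-keylime-agent
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+systemd)
+systemctl enable keylime-agent
+;;
+*)
+echo "Unsupported init system $DIB_INIT_SYSTEM"
+exit 1
+;;
+esac
+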
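Review bot: The `case` accepts only systemd and exits 1 for everything else, but the keylime-agent install script in this commit explicitly supports `sysv)` and has already run `update-rc.d keylime-agent.init defaults`, so a sysv image passes install.d and then fails the build here. Either add a `sysv) ;;` arm (the rc links already exist by this point) or drop the sysv branch from the install script so both scripts agree on the supported init systems. The `echo "Unsupported init system $DIB_INIT_SYSTEM"` diagnostic should also go to stderr with `>&2`.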
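--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/<path-not-shown-on-page>
@@ -0,0 +1 @@
+keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1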
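--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/README.rst
@@ -0,0 +1,23 @@
+=============
+tpm-emulator
+=============
+
+This element should be used together with keylime-agent element.
+Keylime can be used with a software TPM emulator for development purposes.
+Please refer to keylime-agent element for the detailed explanation.
+
+This element works with a software TPM 2.0 emulator.
+The download source of IBM's TPM 2.0 Software TPM can be found here:
+https://sourceforge.net/projects/ibmswtpm2/
+
+TPM utility prerequisites are installed, including tpm2-tss software stack,
+tpm2-tools utilities, and the tpm2-abrmd resource manager.
+
+**REFERENCES**
+
+[1] github.com/keylime/keylime-vagrant-ansible-tpm-emulator
+[2] ibmswtpm.sourceforge.net/ibmswtpm2.html
+
+
+
+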
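--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/element-deps
@@ -0,0 +1,3 @@
+package-installs
+pip-and-virtualenv
+source-repositories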
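Review bot: The README says this element "should be used together with keylime-agent element" and keylime-ima-emulator.service declares `Before=keylime-agent.service`, yet keylime-agent is not listed here, so nothing enforces the pairing; when both elements are selected, each install script independently creates the /opt/keylime venv and pip-installs the keylime checkout, duplicating that work. Adding `keylime-agent` to element-deps, or a README sentence stating that the ordering is only advisory and the element is usable alone, would make the relationship explicit.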
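--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/<dir-not-shown-on-page>/10-tcti-emulator.conf
@@ -0,0 +1,4 @@
+[Service]
+# need to specify ExecStart as empty first to "clear" it: see https://www.freedesktop.org/software/systemd/man/systemd.unit.html
+ExecStart=
+ExecStart=/usr/sbin/tpm2-abrmd --tcti=mssim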
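--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/<dir-not-shown-on-page>/20-remove-conditionpathexistsglob.conf
@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExistsGlob=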
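--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/<path-not-shown-on-page>
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+SCRIPTDIR=$(dirname $0)
+VENVDIR=/opt/keylime
+
+KLDIR=/tmp/keylime
+TPMDIR=/tmp/ibmtpm
+
+# create the virtual environment
+
+if [ $DIB_PYTHON_VERSION == 3 ]; then
+$DIB_PYTHON -m venv $VENVDIR
+else
+$DIB_PYTHON -m virtualenv $VENVDIR
+fi
+
+# install tpm
+cd $TPMDIR/src
+# compile tpm emulator
+make
+# install tpm_server
+install -c -m 0755 $TPMDIR/src/tpm_server /usr/local/bin/tpm_server
+# install init_tpm_server script
+install -c -m 0755 $KLDIR/scripts/init_tpm_server /usr/local/bin/init_tpm_server
+
+install -d -g root -o root -m 0755 /etc/systemd/system/tpm2-abrmd.service.d/
+install -c -g root -o root -m 0644 ${SCRIPTDIR}/10-tcti-emulator.conf /etc/systemd/system/tpm2-abrmd.service.d/
+install -c -g root -o root -m 0644 ${SCRIPTDIR}/20-remove-conditionpathexistsglob.conf /etc/systemd/system/tpm2-abrmd.service.d/
+
+
+# install Keylime-agent inside the virtual environment
+$VENVDIR/bin/pip install 'pip>=19.1.1'
+$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
+ln -s $VENVDIR/bin/keylime_ima_emulator /usr/local/bin/keylime_ima_emulator
+
+
+case "$DIB_INIT_SYSTEM" in
+systemd)
+install -D -g root -o root -m 0644 ${SCRIPTDIR}/tpm_server.service /usr/lib/systemd/system/tpm_server.service
+install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-ima-emulator.service /usr/lib/systemd/system/keylime-ima-emulator.service
+;;
+*)
+echo "Unsupported init system"
+exit 1
+;;
+esac
+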
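Review bot: `cd $TPMDIR/src` changes the working directory for the rest of the script, and `SCRIPTDIR=$(dirname $0)` is only absolute when `$0` is, so every later `install ... ${SCRIPTDIR}/...` of the drop-ins and unit files resolves against /tmp/ibmtpm/src whenever the script is invoked by a relative path; presumably the dib runner passes an absolute path today, but the script should not depend on that. Building in a subshell, `(cd "$TPMDIR/src" && make)`, or resolving `SCRIPTDIR=$(cd "$(dirname "$0")" && pwd)` at the top removes the dependency. Since `make` runs the fetched tarball's build system as root inside the image and the result becomes the device that plays the TPM, a comment here noting that tpm_server is a development-only emulator and pointing at where the archive is integrity-checked would help readers.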
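--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/<dir-not-shown-on-page>/keylime-ima-emulator.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=The Keylime ima emulator
+Wants=tpm2-abrmd.service
+Before=keylime-agent.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/keylime_ima_emulator
+Restart=always
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target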
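--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/<dir-not-shown-on-page>/tpm_server.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TPM server
+
+[Service]
+ExecStart=/usr/local/bin/tpm_server -rm
+Restart=on-failure
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target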
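Review bot: tpm_server.service declares no ordering relative to tpm2-abrmd.service, whose 10-tcti-emulator.conf drop-in in this commit points it at the simulator with `--tcti=mssim`, so on boot the resource manager can start before the simulator is listening and fail its first connection. Adding `Before=tpm2-abrmd.service` to this [Unit] (or `After=tpm_server.service` in the drop-in) removes the race. Because the mssim transport is a TCP socket, a comment stating that this is a development-only component and that the simulator socket must not be reachable from outside the host would be appropriate here.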
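--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/<path-not-shown-on-page>
@@ -0,0 +1,20 @@
+swig:
+tpm2-abrmd:
+tpm2-tools:
+tpm2-tss:
+make:
+gcc-c++:
+uninstall: true
+pkg-config:
+uninstall: true
+libtool:
+uninstall: true
+libstdc++-devel:
+uninstall: true
+git:
+dbus-devel:
+glib2-devel:
+uriparser-devel:
+libgcrypt-devel:
+libcurl-devel:
+libselinux-python3: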
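Review bot: Only gcc-c++, pkg-config, libtool and libstdc++-devel carry `uninstall: true`, while make, swig and the five remaining -devel packages (dbus-devel, glib2-devel, uriparser-devel, libgcrypt-devel, libcurl-devel) are build-time dependencies that stay in the final image, enlarging the footprint of a ramdisk whose purpose is attestation. Marking them `uninstall: true` as well leaves only the runtime packages (tpm2-abrmd, tpm2-tools, tpm2-tss, git, libselinux-python3). The names are RPM-specific (gcc-c++, libselinux-python3), so a pkg-map would be needed before the element can work on Debian-family images; a comment saying the element is currently RPM-only would set expectations.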
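--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/post-install.d/89-tpm-emulator
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+systemd)
+systemctl enable tpm_server
+systemctl enable tpm2-abrmd
+systemctl enable keylime-ima-emulator
+;;
+*)
+echo "Unsupported init system $DIB_INIT_SYSTEM"
+exit 1
+;;
+esac
+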
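--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/<path-not-shown-on-page>
@@ -0,0 +1 @@
+ibmtpm tar /tmp/ibmtpm http://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1119.tar.gz .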
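Review bot: The emulator tarball is fetched over plain `http://` with no checksum or signature, and the tpm-emulator install script in this commit then runs `make` on it as root and installs the result as /usr/local/bin/tpm_server, so anyone on the download path can substitute the code that will stand in for the TPM. The README in this commit already links the project over https, so the URL should at least be `https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1119.tar.gz`, and the install script should verify a pinned digest of the archive before building (the expected digest would need to be recorded in the element). The keylime checkout alongside is pinned to a commit hash, which is the right pattern to match here.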
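--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/<path-not-shown-on-page>
@@ -0,0 +1 @@
+keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1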