From 05d8f3ae38b443f5ca3756a100fd07413ceb5f6e Mon Sep 17 00:00:00 2001 
From: Danni Shi
Date: Tue, 4 May 2021 12:19:43 -0400
Subject: [PATCH] Add a keylime-agent element and a tpm-emulator element

Story: #2002713
Task: #41304
Change-Id: Ia5226faabae8accb03f401aa4de3c8311b583455
---
 .../elements/keylime-agent/README.rst | 52 +++++++++++++++++
 .../elements/keylime-agent/element-deps | 4 ++
 .../environment.d/16-keylime-agent | 2 +
 .../80-keylime-agent-install | 58 +++++++++++++++++++
 .../keylime-agent-source-install/ima-policy | 17 ++++++
 .../keylime-agent.init | 31 ++++++++++
 .../keylime-agent.service | 12 ++++
 .../keylime-agent/package-installs.yaml | 1 +
 .../post-install.d/90-keylime-agent | 18 ++++++
 .../keylime-agent/source-repository-keylime | 1 +
 .../elements/tpm-emulator/README.rst | 23 ++++++++
 .../elements/tpm-emulator/element-deps | 3 +
 .../10-tcti-emulator.conf | 4 ++
 .../20-remove-conditionpathexistsglob.conf | 2 +
 .../78-tpm-emulator-install | 53 +++++++++++++++++
 .../keylime-ima-emulator.service | 13 +++++
 .../tpm_server.service | 10 ++++
 .../tpm-emulator/package-installs.yaml | 20 +++++++
 .../post-install.d/89-tpm-emulator | 20 +++++++
 .../tpm-emulator/source-repository-ibmtpm | 1 +
 .../tpm-emulator/source-repository-keylime | 1 +
 21 files changed, 346 insertions(+)
 create mode 100644 diskimage_builder/elements/keylime-agent/README.rst
 create mode 100644 diskimage_builder/elements/keylime-agent/element-deps
 create mode 100644 diskimage_builder/elements/keylime-agent/environment.d/16-keylime-agent
 create mode 100755 diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/80-keylime-agent-install
 create mode 100644 diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/ima-policy
 create mode 100755 diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.init
 create mode 100644 diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.service
 create mode 100644 diskimage_builder/elements/keylime-agent/package-installs.yaml
 create mode 100755 diskimage_builder/elements/keylime-agent/post-install.d/90-keylime-agent
 create mode 100644 diskimage_builder/elements/keylime-agent/source-repository-keylime
 create mode 100644 diskimage_builder/elements/tpm-emulator/README.rst
 create mode 100644 diskimage_builder/elements/tpm-emulator/element-deps
 create mode 100644 diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/10-tcti-emulator.conf
 create mode 100644 diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/20-remove-conditionpathexistsglob.conf
 create mode 100755 diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/78-tpm-emulator-install
 create mode 100644 diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/keylime-ima-emulator.service
 create mode 100644 diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/tpm_server.service
 create mode 100644 diskimage_builder/elements/tpm-emulator/package-installs.yaml
 create mode 100755 diskimage_builder/elements/tpm-emulator/post-install.d/89-tpm-emulator
 create mode 100644 diskimage_builder/elements/tpm-emulator/source-repository-ibmtpm
 create mode 100644 diskimage_builder/elements/tpm-emulator/source-repository-keylime
diff --git a/diskimage_builder/elements/keylime-agent/README.rst b/diskimage_builder/elements/keylime-agent/README.rst
new file mode 100644
index 00000000..62650e83
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/README.rst
@@ -0,0 +1,52 @@
+=============
+keylime-agent
+=============
+
+Presently, we rely upon a certain level of trust for users that leverage
+baremetal resources. While we do perform cleaning between deployments,
+a malicious attacker could potentially modify firmware of attached devices
+in ways that may or may not be readily detectable.
+
+The solution that has been proposed for this is the use of a measured launch
+environments with engagement of Trusted Platform Management (TPM) modules to
+help ensure that the running system profile is exactly as desired or approved,
+by the attestation service.
+
+To leverage TPM's for attestation, we propose Keylime,
+an open source remote boot attestation and
+runtime integrity measurement system. Keylime agent is a component of the
+Keylime suite which runs on the baremetal node we are attesting
+during cleaning and deployment steps. Keylime regisrar is
+a database of all agents registered with Keylime
+and hosts the public keys of the TPM vendors.
+
+In order to enhance the ramdisk to support TPM 2.0 and Keylime,
+this keylime-agent element is proposed. This element provides
+configurations for Keylime agent to communicate with Keylime server.
+Keylime agent runs as a system service to collect
+Integrity Measurement Architecture (IMA) measurement lists and
+send the measurements to the Keylime verifier for attestation.
+
+Environment Variables
+---------------------
+
+DIB_KEYLIME_AGENT_REGISTRAR_IP
+ :Required: Yes
+ :Default: 0
+ :Description: The IP address of Keylime registrar server
+ which Keylime agent communicates with.
+
+DIB_KEYLIME_AGENT_REGISTRAR_PORT
+ :Required: Yes
+ :Default: 8890
+ :Description: The port of Keylime registrar server
+ which Keylime agent communicates with.
+
+**REFERENCES**
+
+[1] github.com/keylime/
+[2] review.opendev.org/c/openstack/ironic-specs/+/576718
+
+
+
+
diff --git a/diskimage_builder/elements/keylime-agent/element-deps b/diskimage_builder/elements/keylime-agent/element-deps
new file mode 100644
index 00000000..6eae0987
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/element-deps
@@ -0,0 +1,4 @@
+package-installs
+pip-and-virtualenv
+selinux-permissive
+source-repositories
\ No newline at end of file
diff --git a/diskimage_builder/elements/keylime-agent/environment.d/16-keylime-agent b/diskimage_builder/elements/keylime-agent/environment.d/16-keylime-agent
new file mode 100644
index 00000000..f6f07529
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/environment.d/16-keylime-agent
@@ -0,0 +1,2 @@
+export DIB_KEYLIME_AGENT_REGISTRAR_IP=${DIB_KEYLIME_AGENT_REGISTRAR_IP:-0}
+export DIB_KEYLIME_AGENT_REGISTRAR_PORT=${DIB_KEYLIME_AGENT_REGISTRAR_PORT:-8890}
\ No newline at end of file
diff --git a/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/80-keylime-agent-install b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/80-keylime-agent-install
new file mode 100755
index 00000000..d4603e7e
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/80-keylime-agent-install
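Review bot: The `:-0` fallback for DIB_KEYLIME_AGENT_REGISTRAR_IP turns a missing setting into a silent misconfiguration: the install script only rewrites `registrar_ip` when the value differs from `0`, so an image built without the variable keeps the stock `127.0.0.1` and the agent tries to register with a registrar on the node itself, although the README declares the variable required. Either drop the default so `set -u` in the install script reports the unbound variable, or have the install script fail explicitly, `if [ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" = "0" ]; then echo "DIB_KEYLIME_AGENT_REGISTRAR_IP must be set" >&2; exit 1; fi`. A one-line comment here, `# 0 is a sentinel meaning "not set"; the install step treats it as an error`, would make the contract visible to whoever reads only this file.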
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+SCRIPTDIR=$(dirname $0)
+VENVDIR=/opt/keylime
+
+KLDIR=/tmp/keylime
+
+# create the virtual environment
+
+if [ $DIB_PYTHON_VERSION == 3 ]; then
+ $DIB_PYTHON -m venv $VENVDIR
+else
+ $DIB_PYTHON -m virtualenv $VENVDIR
+fi
+
+install -d /etc/ima/
+
+install -c -m 0644 ${SCRIPTDIR}/ima-policy /etc/ima/ima-policy
+
+# install Keylime-agent inside the virtual environment
+$VENVDIR/bin/pip install 'pip>=19.1.1'
+$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
+ln -s $VENVDIR/bin/keylime_agent /usr/local/bin/keylime_agent
+
+if [ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" != "0" ]; then
+ sed -i "s/registrar_ip = 127.0.0.1/registrar_ip = "$DIB_KEYLIME_AGENT_REGISTRAR_IP"/" /etc/keylime.conf
+fi
+if [ "$DIB_KEYLIME_AGENT_REGISTRAR_PORT" != "8890" ]; then
+ sed -i "s/registrar_port = 8890/registrar_port = "$DIB_KEYLIME_AGENT_REGISTRAR_PORT"/" /etc/keylime.conf
+fi
+# set the agent uuid to randomly generated
+sed -i 's/^\(agent\_uuid\s*=\s*\).*$/\1dmidecode/' /etc/keylime.conf
+sed -i 's/^\(level\s*=\s*\).*$/\1DEBUG/' /etc/keylime.conf
+sed -i 's/^\(cloudagent\_ip\s*=\s*\).*$/\10.0.0.0/' /etc/keylime.conf
+
+
+# create allowlist
+./$KLDIR/scripts/create_allowlist.sh /root/allowlist.txt sha256sum
+
+case "$DIB_INIT_SYSTEM" in
+ systemd)
+ install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-agent.service /usr/lib/systemd/system/keylime-agent.service
+ ;;
+ sysv)
+ install -D -g root -o root -m 0755 ${SCRIPTDIR}/keylime-agent.init /etc/init.d/keylime-agent.init
+ update-rc.d keylime-agent.init defaults
+ ;;
+ *)
+ echo "Unsupported init system"
+ exit 1
+ ;;
+esac
diff --git a/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/ima-policy b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/ima-policy
new file mode 100644
index 00000000..2c4bbad8
--- /dev/null
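Review bot: `./$KLDIR/scripts/create_allowlist.sh` prepends `./` to the absolute `KLDIR=/tmp/keylime`, so the call only resolves when the script's working directory happens to be `/`, and under `set -e` the build aborts otherwise; write `$KLDIR/scripts/create_allowlist.sh /root/allowlist.txt sha256sum`. The two registrar `sed -i` lines splice an unquoted variable into the sed program with the dots of `127.0.0.1` unescaped, so a value containing `/` or whitespace corrupts the expression, and both assume `/etc/keylime.conf` already exists although nothing in this element installs it. An anchored form such as `sed -i "s|^registrar_ip = .*|registrar_ip = ${DIB_KEYLIME_AGENT_REGISTRAR_IP}|" /etc/keylime.conf`, preceded by a `[ -f /etc/keylime.conf ]` check with a clear error, is more robust. The comment `# set the agent uuid to randomly generated` contradicts the value it writes, `dmidecode`; `# derive the agent uuid from the DMI system UUID` matches the line, and forcing `level = DEBUG` and `cloudagent_ip = 0.0.0.0` into the shipped configuration deserves a why-comment, since the first leaves verbose logging on in the ramdisk and the second binds the agent's listener on every interface. The `sysv)` branch here is dead in practice: the element's post-install step 90-keylime-agent exits with `Unsupported init system` for anything other than systemd.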
+++ b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/ima-policy
@@ -0,0 +1,17 @@
+# MEASUREMENTS
+measure func=BPRM_CHECK
+measure func=FILE_MMAP mask=MAY_EXEC
+measure func=MODULE_CHECK uid=0
+# PROC_SUPER_MAGIC
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_measure fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_measure fsmagic=0x858458f6
+# SECURITYFS_MAGIC
+dont_measure fsmagic=0x73636673
+
diff --git a/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.init b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.init
new file mode 100755
index 00000000..b932484b
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.init
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+### BEGIN INIT INFO
+# Provides: keylime-agent
+# Required-Start: $local_fs networking
+# Required-Stop: $local_fs
+# Default-Start: S
+# Default-Stop: 0 6
+# X-Start-Before:
+# Short-Description: Keylime Agent
+# Description: The keylime-agent is deployed to the node for attestation
+### END INIT INFO
+
+NAME=keylime-agent
+INIT_NAME=/etc/init.d/${NAME}
+SCRIPT_NAME=/usr/local/bin/keylime_agent
+
+[ -x $SCRIPT_NAME ] || exit 0
+
+case "$1" in
+ start)
+ $SCRIPT_NAME --config-dir /etc/keylime-agent.d/
+ ;;
+ stop)
+ ;;
+ *)
+ echo "Usage: $INIT_NAME {start|stop}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.service b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.service
new file mode 100644
index 00000000..61c1d616
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.service
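Review bot: The six `dont_measure fsmagic=...` exclusions are placed after the three `measure` rules, and IMA acts on the first rule that matches a hook, so a `BPRM_CHECK` or `FILE_MMAP` on a file under tmpfs, sysfs or procfs is measured before any exclusion is consulted; the kernel's sample policy lists the `dont_measure` rules first for this reason. Move the `dont_measure` lines (with their comments) above `measure func=BPRM_CHECK`. Nothing in the element writes this file to the IMA policy interface under securityfs, so unless the target distribution's init loads `/etc/ima/ima-policy` at early boot (systemd does when built with IMA support — worth confirming for the image being built), the measurement list the agent reports will come from the kernel's boot-time policy rather than this one; a comment at the top stating which component is expected to load the file would record that dependency.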
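Review bot: The init script starts the agent with `--config-dir /etc/keylime-agent.d/`, while the install script edits `/etc/keylime.conf` and the systemd unit runs `keylime_agent` with no arguments, so the sysv path would point the agent at a directory nothing in the element creates; use the same invocation as the unit, `$SCRIPT_NAME`. `stop)` is empty, so the init system can never terminate the agent, and `start)` runs the process synchronously, which — if `keylime_agent` is a foreground server, as the unit's lack of `Type=forking` suggests — blocks the rest of the sysv boot sequence. If the sysv branch is kept, detach it and record a pid, e.g. `start-stop-daemon --start --background --make-pidfile --pidfile /var/run/${NAME}.pid --exec $SCRIPT_NAME` on Debian-family images, with the matching `--stop --pidfile` in `stop)`; otherwise it is simpler to remove the branch, since 90-keylime-agent already rejects non-systemd images.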
@@ -0,0 +1,12 @@
+[Unit]
+Description=The Keylime agent
+Wants=tpm2-abrmd.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/keylime_agent
+Restart=always
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/diskimage_builder/elements/keylime-agent/package-installs.yaml b/diskimage_builder/elements/keylime-agent/package-installs.yaml
new file mode 100644
index 00000000..7dba7d57
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/package-installs.yaml
@@ -0,0 +1 @@
+git:
\ No newline at end of file
diff --git a/diskimage_builder/elements/keylime-agent/post-install.d/90-keylime-agent b/diskimage_builder/elements/keylime-agent/post-install.d/90-keylime-agent
new file mode 100755
index 00000000..be72f0d8
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/post-install.d/90-keylime-agent
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+ systemd)
+ systemctl enable keylime-agent
+ ;;
+ *)
+ echo "Unsupported init system $DIB_INIT_SYSTEM"
+ exit 1
+ ;;
+esac
+
diff --git a/diskimage_builder/elements/keylime-agent/source-repository-keylime b/diskimage_builder/elements/keylime-agent/source-repository-keylime
new file mode 100644
index 00000000..d35a0fc6
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/source-repository-keylime
@@ -0,0 +1 @@
+keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1
diff --git a/diskimage_builder/elements/tpm-emulator/README.rst b/diskimage_builder/elements/tpm-emulator/README.rst
new file mode 100644
index 00000000..72808af6
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/README.rst
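Review bot: `After=network-online.target` without a matching `Wants=network-online.target` only orders the unit relative to the target and does not cause the target to be reached, so the agent can start before the network is up and depend on `Restart=always` to recover; add `Wants=network-online.target` under `[Unit]`. The converse gap exists for the resource manager: `Wants=tpm2-abrmd.service` pulls it in but no `After=tpm2-abrmd.service` orders the agent behind it, so the first agent start may race the manager's socket. The keylime-ima-emulator.service hunk later in this patch has the same `After=` without `Wants=` pattern. A brief comment on why `Restart=always` with a 30 s back-off was chosen (the agent is expected to keep retrying registration, presumably) would help the next reader distinguish intent from accident.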
@@ -0,0 +1,23 @@
+=============
+tpm-emulator
+=============
+
+This element should be used together with keylime-agent element.
+Keylime can be used with a software TPM emulator for development purposes.
+Please refer to keylime-agent element for the detailed explanation.
+
+This element works with a software TPM 2.0 emulator.
+The download source of IBM's TPM 2.0 Software TPM can be found here:
+https://sourceforge.net/projects/ibmswtpm2/
+
+TPM utility prerequisites are installed, including tpm2-tss software stack,
+tpm2-tools utilities, and the tpm2-abrmd resource manager.
+
+**REFERENCES**
+
+[1] github.com/keylime/keylime-vagrant-ansible-tpm-emulator
+[2] ibmswtpm.sourceforge.net/ibmswtpm2.html
+
+
+
+
diff --git a/diskimage_builder/elements/tpm-emulator/element-deps b/diskimage_builder/elements/tpm-emulator/element-deps
new file mode 100644
index 00000000..ba715bef
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/element-deps
@@ -0,0 +1,3 @@
+package-installs
+pip-and-virtualenv
+source-repositories
\ No newline at end of file
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/10-tcti-emulator.conf b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/10-tcti-emulator.conf
new file mode 100644
index 00000000..64764f9b
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/10-tcti-emulator.conf
@@ -0,0 +1,4 @@
+[Service]
+# need to specify ExecStart as empty first to "clear" it: see https://www.freedesktop.org/software/systemd/man/systemd.unit.html
+ExecStart=
+ExecStart=/usr/sbin/tpm2-abrmd --tcti=mssim
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/20-remove-conditionpathexistsglob.conf b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/20-remove-conditionpathexistsglob.conf
new file mode 100644
index 00000000..ef89429e
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/20-remove-conditionpathexistsglob.conf
@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExistsGlob=
\ No newline at end of file
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/78-tpm-emulator-install b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/78-tpm-emulator-install
new file mode 100755
index 00000000..f16c810d
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/78-tpm-emulator-install
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+SCRIPTDIR=$(dirname $0)
+VENVDIR=/opt/keylime
+
+KLDIR=/tmp/keylime
+TPMDIR=/tmp/ibmtpm
+
+# create the virtual environment
+
+if [ $DIB_PYTHON_VERSION == 3 ]; then
+ $DIB_PYTHON -m venv $VENVDIR
+else
+ $DIB_PYTHON -m virtualenv $VENVDIR
+fi
+
+# install tpm
+cd $TPMDIR/src
+# compile tpm emulator
+make
+# install tpm_server
+install -c -m 0755 $TPMDIR/src/tpm_server /usr/local/bin/tpm_server
+# install init_tpm_server script
+install -c -m 0755 $KLDIR/scripts/init_tpm_server /usr/local/bin/init_tpm_server
+
+install -d -g root -o root -m 0755 /etc/systemd/system/tpm2-abrmd.service.d/
+install -c -g root -o root -m 0644 ${SCRIPTDIR}/10-tcti-emulator.conf /etc/systemd/system/tpm2-abrmd.service.d/
+install -c -g root -o root -m 0644 ${SCRIPTDIR}/20-remove-conditionpathexistsglob.conf /etc/systemd/system/tpm2-abrmd.service.d/
+
+
+# install Keylime-agent inside the virtual environment
+$VENVDIR/bin/pip install 'pip>=19.1.1'
+$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
+ln -s $VENVDIR/bin/keylime_ima_emulator /usr/local/bin/keylime_ima_emulator
+
+
+case "$DIB_INIT_SYSTEM" in
+ systemd)
+ install -D -g root -o root -m 0644 ${SCRIPTDIR}/tpm_server.service /usr/lib/systemd/system/tpm_server.service
+ install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-ima-emulator.service /usr/lib/systemd/system/keylime-ima-emulator.service
+ ;;
+ *)
+ echo "Unsupported init system"
+ exit 1
+ ;;
+esac
+
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/keylime-ima-emulator.service b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/keylime-ima-emulator.service
new file mode 100644
index 00000000..1f1f0f25
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/keylime-ima-emulator.service
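Review bot: The virtual-environment creation and the two `pip install` lines repeat the same steps from 80-keylime-agent-install verbatim, so an image that uses both elements (the README says this one must be used together with keylime-agent) builds and installs keylime into `/opt/keylime` twice; the duplication exists only because this script is numbered 78 and runs before 80. Renumbering it to run after the agent install and keeping just `ln -s $VENVDIR/bin/keylime_ima_emulator /usr/local/bin/keylime_ima_emulator` here removes the second install and the two places that must stay in sync. `cd $TPMDIR/src` followed by `make` compiles a tarball that is downloaded without any integrity check (see the source-repository-ibmtpm hunk), so a digest verification belongs immediately before `make`. The comment `# install tpm` above the `cd` describes the block, not the line; `# build the IBM TPM 2.0 simulator from the unpacked tarball` would be more accurate.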
@@ -0,0 +1,13 @@
+[Unit]
+Description=The Keylime ima emulator
+Wants=tpm2-abrmd.service
+Before=keylime-agent.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/keylime_ima_emulator
+Restart=always
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/tpm_server.service b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/tpm_server.service
new file mode 100644
index 00000000..61ec437f
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/tpm_server.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TPM server
+
+[Service]
+ExecStart=/usr/local/bin/tpm_server -rm
+Restart=on-failure
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/diskimage_builder/elements/tpm-emulator/package-installs.yaml b/diskimage_builder/elements/tpm-emulator/package-installs.yaml
new file mode 100644
index 00000000..fb6957e7
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/package-installs.yaml
@@ -0,0 +1,20 @@
+swig:
+tpm2-abrmd:
+tpm2-tools:
+tpm2-tss:
+make:
+gcc-c++:
+ uninstall: true
+pkg-config:
+ uninstall: true
+libtool:
+ uninstall: true
+libstdc++-devel:
+ uninstall: true
+git:
+dbus-devel:
+glib2-devel:
+uriparser-devel:
+libgcrypt-devel:
+libcurl-devel:
+libselinux-python3:
diff --git a/diskimage_builder/elements/tpm-emulator/post-install.d/89-tpm-emulator b/diskimage_builder/elements/tpm-emulator/post-install.d/89-tpm-emulator
new file mode 100755
index 00000000..aae7dd3b
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/post-install.d/89-tpm-emulator
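Review bot: tpm_server.service carries no ordering against tpm2-abrmd.service, yet the 10-tcti-emulator.conf drop-in points the resource manager at the simulator (`--tcti=mssim`), so at boot tpm2-abrmd can start before the simulator is listening and fail until its own restart logic kicks in; add `Before=tpm2-abrmd.service` under `[Unit]` here (or `After=tpm_server.service` in the drop-in). `ExecStart=/usr/local/bin/tpm_server -rm` removes the simulator's saved NV state file at every start, which is presumably deliberate for a throwaway ramdisk but means keys and any NV-resident state do not survive a reboot; a comment such as `# -rm: discard saved NV state, the simulator always boots fresh` records the intent. `Restart=on-failure` here versus `Restart=always` in the two keylime units is an inconsistency worth either aligning or explaining.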
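Review bot: `gcc-c++`, `glib2-devel`, `libselinux-python3` and the other `-devel` entries are Fedora/RHEL package names and the element ships no pkg-map, so the package step will fail on Debian-family images even though keylime-agent's install script keeps a sysv branch; either add a pkg-map or state the supported distribution family in the README. `uninstall: true` is applied to gcc-c++, pkg-config, libtool and libstdc++-devel, but `make`, `swig` and the `-devel` headers look equally build-time-only (they serve the `make` of tpm_server and the pip builds in 78-tpm-emulator-install); marking them `uninstall: true` too keeps the compiler toolchain out of the final image, which is the usual reason for the flag. If any of them is genuinely needed at runtime, a one-line comment above it saying why would prevent the next cleanup from removing it.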
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+ systemd)
+ systemctl enable tpm_server
+ systemctl enable tpm2-abrmd
+ systemctl enable keylime-ima-emulator
+ ;;
+ *)
+ echo "Unsupported init system $DIB_INIT_SYSTEM"
+ exit 1
+ ;;
+esac
+
diff --git a/diskimage_builder/elements/tpm-emulator/source-repository-ibmtpm b/diskimage_builder/elements/tpm-emulator/source-repository-ibmtpm
new file mode 100644
index 00000000..f60a8163
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/source-repository-ibmtpm
@@ -0,0 +1 @@
+ibmtpm tar /tmp/ibmtpm http://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1119.tar.gz .
diff --git a/diskimage_builder/elements/tpm-emulator/source-repository-keylime b/diskimage_builder/elements/tpm-emulator/source-repository-keylime
new file mode 100644
index 00000000..d35a0fc6
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/source-repository-keylime
@@ -0,0 +1 @@
+keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1
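Review bot: The simulator tarball is fetched over plain `http://sourceforge.net/...` and then compiled into `/usr/local/bin/tpm_server` with no checksum or signature check, so the image build trusts whatever the network hands back; by contrast the keylime source in the next hunk is at least pinned to a commit hash. Switch the URL to `https://`, and since nothing on the page shows the source-repositories element verifying archive integrity, have 78-tpm-emulator-install compare the fetched archive (or a digest of the unpacked `src` tree) against a recorded value before running `make`, e.g. `echo '<EXPECTED_SHA256>  <ARCHIVE_PATH>' | sha256sum -c` with the placeholders filled from a trusted download. The version `ibmtpm1119` is pinned in the URL, which is good; a comment naming the release and where the digest was obtained would make future bumps auditable.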