Add a keylime-agent element and a tpm-emulator element

Story: #2002713

Task: #41304
Change-Id: Ia5226faabae8accb03f401aa4de3c8311b583455

diskimage_builder/elements/keylime-agent/README.rst

@@ -0,0 +1,52 @@
+=============
+keylime-agent
+=============
+
+Presently, we rely upon a certain level of trust for users that leverage
+baremetal resources. While we do perform cleaning between deployments,
+a malicious attacker could potentially modify firmware of attached devices
+in ways that may or may not be readily detectable.
+
+The solution that has been proposed for this is the use of a measured launch
+environments with engagement of Trusted Platform Management (TPM) modules to
+help ensure that the running system profile is exactly as desired or approved,
+by the attestation service.
+
+To leverage TPM's for attestation, we propose Keylime,
+an open source remote boot attestation and
+runtime integrity measurement system. Keylime agent is a component of the
+Keylime suite which runs on the baremetal node we are attesting
+during cleaning and deployment steps. Keylime regisrar is
+a database of all agents registered with Keylime
+and hosts the public keys of the TPM vendors.
+
+In order to enhance the ramdisk to support TPM 2.0 and Keylime,
+this keylime-agent element is proposed. This element provides
+configurations for Keylime agent to communicate with Keylime server.
+Keylime agent runs as a system service to collect
+Integrity Measurement Architecture (IMA) measurement lists and
+send the measurements to the Keylime verifier for attestation.
+
+Environment Variables
+---------------------
+
+DIB_KEYLIME_AGENT_REGISTRAR_IP
+  :Required: Yes
+  :Default: 0
+  :Description: The IP address of Keylime registrar server
+    which Keylime agent communicates with.
+
+DIB_KEYLIME_AGENT_REGISTRAR_PORT
+  :Required: Yes
+  :Default: 8890
+  :Description: The port of Keylime registrar server
+    which Keylime agent communicates with.
+
+**REFERENCES**
+
+[1] github.com/keylime/
+[2] review.opendev.org/c/openstack/ironic-specs/+/576718
+
+
+
+

diskimage_builder/elements/keylime-agent/element-deps

@@ -0,0 +1,4 @@
+package-installs
+pip-and-virtualenv
+selinux-permissive
+source-repositories

diskimage_builder/elements/keylime-agent/environment.d/16-keylime-agent

@@ -0,0 +1,2 @@
+export DIB_KEYLIME_AGENT_REGISTRAR_IP=${DIB_KEYLIME_AGENT_REGISTRAR_IP:-0}
+export DIB_KEYLIME_AGENT_REGISTRAR_PORT=${DIB_KEYLIME_AGENT_REGISTRAR_PORT:-8890}

diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/80-keylime-agent-install

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+SCRIPTDIR=$(dirname $0)
+VENVDIR=/opt/keylime
+
+KLDIR=/tmp/keylime
+
+# create the virtual environment
+
+if [ $DIB_PYTHON_VERSION == 3 ]; then
+    $DIB_PYTHON -m venv $VENVDIR
+else
+    $DIB_PYTHON -m virtualenv $VENVDIR
+fi
+
+install -d /etc/ima/
+
+install -c -m 0644 ${SCRIPTDIR}/ima-policy /etc/ima/ima-policy
+
+# install Keylime-agent inside the virtual environment
+$VENVDIR/bin/pip install 'pip>=19.1.1'
+$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
+ln -s $VENVDIR/bin/keylime_agent /usr/local/bin/keylime_agent
+
+if [ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" != "0" ]; then
+    sed -i "s/registrar_ip = 127.0.0.1/registrar_ip = "$DIB_KEYLIME_AGENT_REGISTRAR_IP"/" /etc/keylime.conf
+fi
+if [ "$DIB_KEYLIME_AGENT_REGISTRAR_PORT" != "8890" ]; then
+    sed -i "s/registrar_port = 8890/registrar_port = "$DIB_KEYLIME_AGENT_REGISTRAR_PORT"/" /etc/keylime.conf
+fi
+# set the agent uuid to randomly generated
+sed -i 's/^\(agent\_uuid\s*=\s*\).*$/\1dmidecode/' /etc/keylime.conf
+sed -i 's/^\(level\s*=\s*\).*$/\1DEBUG/' /etc/keylime.conf
+sed -i 's/^\(cloudagent\_ip\s*=\s*\).*$/\10.0.0.0/' /etc/keylime.conf
+
+
+# create allowlist
+./$KLDIR/scripts/create_allowlist.sh /root/allowlist.txt sha256sum
+
+case "$DIB_INIT_SYSTEM" in
+    systemd)
+        install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-agent.service /usr/lib/systemd/system/keylime-agent.service
+        ;;
+    sysv)
+        install -D -g root -o root -m 0755 ${SCRIPTDIR}/keylime-agent.init /etc/init.d/keylime-agent.init
+        update-rc.d keylime-agent.init defaults
+        ;;
+    *)
+        echo "Unsupported init system"
+        exit 1
+        ;;
+esac

diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/ima-policy

@@ -0,0 +1,17 @@
+# MEASUREMENTS
+measure func=BPRM_CHECK
+measure func=FILE_MMAP mask=MAY_EXEC
+measure func=MODULE_CHECK uid=0
+# PROC_SUPER_MAGIC
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_measure fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_measure fsmagic=0x858458f6
+# SECURITYFS_MAGIC
+dont_measure fsmagic=0x73636673
+

diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.init

@@ -0,0 +1,31 @@
+#!/bin/sh -e
+### BEGIN INIT INFO
+# Provides:          keylime-agent
+# Required-Start:    $local_fs networking
+# Required-Stop:     $local_fs
+# Default-Start:     S
+# Default-Stop:      0 6
+# X-Start-Before:
+# Short-Description: Keylime Agent
+# Description:       The keylime-agent is deployed to the node for attestation
+### END INIT INFO
+
+NAME=keylime-agent
+INIT_NAME=/etc/init.d/${NAME}
+SCRIPT_NAME=/usr/local/bin/keylime_agent
+
+[ -x $SCRIPT_NAME ] || exit 0
+
+case "$1" in
+    start)
+        $SCRIPT_NAME --config-dir /etc/keylime-agent.d/
+        ;;
+    stop)
+        ;;
+    *)
+        echo "Usage: $INIT_NAME {start|stop}"
+        exit 1
+        ;;
+esac
+
+exit 0

diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=The Keylime agent
+Wants=tpm2-abrmd.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/keylime_agent
+Restart=always
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target

diskimage_builder/elements/keylime-agent/package-installs.yaml

@@ -0,0 +1 @@
+git:

diskimage_builder/elements/keylime-agent/post-install.d/90-keylime-agent

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    systemd)
+        systemctl enable keylime-agent
+        ;;
+    *)
+        echo "Unsupported init system $DIB_INIT_SYSTEM"
+        exit 1
+        ;;
+esac
+

diskimage_builder/elements/keylime-agent/source-repository-keylime

@@ -0,0 +1 @@
+keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1

diskimage_builder/elements/tpm-emulator/README.rst

@@ -0,0 +1,23 @@
+=============
+tpm-emulator
+=============
+
+This element should be used together with keylime-agent element.
+Keylime can be used with a software TPM emulator for development purposes.
+Please refer to keylime-agent element for the detailed explanation.
+
+This element works with a software TPM 2.0 emulator.
+The download source of IBM's TPM 2.0 Software TPM can be found here:
+https://sourceforge.net/projects/ibmswtpm2/
+
+TPM utility prerequisites are installed, including tpm2-tss software stack,
+tpm2-tools utilities, and the tpm2-abrmd resource manager.
+
+**REFERENCES**
+
+[1] github.com/keylime/keylime-vagrant-ansible-tpm-emulator
+[2] ibmswtpm.sourceforge.net/ibmswtpm2.html
+
+
+
+

diskimage_builder/elements/tpm-emulator/element-deps

@@ -0,0 +1,3 @@
+package-installs
+pip-and-virtualenv
+source-repositories

diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/10-tcti-emulator.conf

@@ -0,0 +1,4 @@
+[Service]
+# need to specify ExecStart as empty first to "clear" it: see https://www.freedesktop.org/software/systemd/man/systemd.unit.html
+ExecStart=
+ExecStart=/usr/sbin/tpm2-abrmd --tcti=mssim

diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/20-remove-conditionpathexistsglob.conf

@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExistsGlob=

diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/78-tpm-emulator-install

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+SCRIPTDIR=$(dirname $0)
+VENVDIR=/opt/keylime
+
+KLDIR=/tmp/keylime
+TPMDIR=/tmp/ibmtpm
+
+# create the virtual environment
+
+if [ $DIB_PYTHON_VERSION == 3 ]; then
+    $DIB_PYTHON -m venv $VENVDIR
+else
+    $DIB_PYTHON -m virtualenv $VENVDIR
+fi
+
+# install tpm
+cd $TPMDIR/src
+# compile tpm emulator
+make
+# install tpm_server
+install -c -m 0755 $TPMDIR/src/tpm_server /usr/local/bin/tpm_server
+# install init_tpm_server script
+install -c -m 0755 $KLDIR/scripts/init_tpm_server /usr/local/bin/init_tpm_server
+
+install -d -g root -o root -m 0755 /etc/systemd/system/tpm2-abrmd.service.d/
+install -c -g root -o root -m 0644 ${SCRIPTDIR}/10-tcti-emulator.conf /etc/systemd/system/tpm2-abrmd.service.d/
+install -c -g root -o root -m 0644 ${SCRIPTDIR}/20-remove-conditionpathexistsglob.conf /etc/systemd/system/tpm2-abrmd.service.d/
+
+
+# install Keylime-agent inside the virtual environment
+$VENVDIR/bin/pip install 'pip>=19.1.1'
+$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
+ln -s $VENVDIR/bin/keylime_ima_emulator /usr/local/bin/keylime_ima_emulator
+
+
+case "$DIB_INIT_SYSTEM" in
+    systemd)
+        install -D -g root -o root -m 0644 ${SCRIPTDIR}/tpm_server.service /usr/lib/systemd/system/tpm_server.service
+        install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-ima-emulator.service /usr/lib/systemd/system/keylime-ima-emulator.service
+        ;;
+    *)
+        echo "Unsupported init system"
+        exit 1
+        ;;
+esac
+

diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/keylime-ima-emulator.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=The Keylime ima emulator
+Wants=tpm2-abrmd.service
+Before=keylime-agent.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/keylime_ima_emulator
+Restart=always
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target

diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/tpm_server.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=TPM server
+
+[Service]
+ExecStart=/usr/local/bin/tpm_server -rm
+Restart=on-failure
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target

diskimage_builder/elements/tpm-emulator/package-installs.yaml

@@ -0,0 +1,20 @@
+swig:
+tpm2-abrmd:
+tpm2-tools:
+tpm2-tss:
+make:
+gcc-c++:
+  uninstall: true
+pkg-config:
+  uninstall: true
+libtool:
+  uninstall: true
+libstdc++-devel:
+  uninstall: true
+git:
+dbus-devel:
+glib2-devel:
+uriparser-devel:
+libgcrypt-devel:
+libcurl-devel:
+libselinux-python3:

diskimage_builder/elements/tpm-emulator/post-install.d/89-tpm-emulator

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    systemd)
+        systemctl enable tpm_server
+        systemctl enable tpm2-abrmd
+        systemctl enable keylime-ima-emulator
+        ;;
+    *)
+        echo "Unsupported init system $DIB_INIT_SYSTEM"
+        exit 1
+        ;;
+esac
+

diskimage_builder/elements/tpm-emulator/source-repository-ibmtpm

@@ -0,0 +1 @@
+ibmtpm tar /tmp/ibmtpm http://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1119.tar.gz .

diskimage_builder/elements/tpm-emulator/source-repository-keylime

@@ -0,0 +1 @@
+keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1