Merge "Update keylime-agent and tpm-emulator elements"
commit
a2b8d4d846
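--- a/diskimage_builder/elements/keylime-agent/cleanup.d/98-copy-allowlist
+++ b/diskimage_builder/elements/keylime-agent/cleanup.d/98-copy-allowlist
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# dib-lint: disable=safe_sudo
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+[ -n "$TARGET_ROOT" ]
+
+IMAGE_PATH=$(readlink -f $IMAGE_NAME)
+# copy allowlist and checksum to image path
+sudo cp $TARGET_ROOT/root/allowlist.txt ${IMAGE_PATH}-allowlist.txt
+sudo cp $TARGET_ROOT/root/checksum.txt ${IMAGE_PATH}-checksum.txt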
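Review bot: The expansions in `IMAGE_PATH=$(readlink -f $IMAGE_NAME)` and in the two `sudo cp` lines are unquoted, so an image name or TARGET_ROOT containing whitespace or glob characters is split before readlink/cp see it, while the `[ -n "$TARGET_ROOT" ]` check two lines earlier already quotes correctly; the rest should match it: `IMAGE_PATH=$(readlink -f -- "$IMAGE_NAME")`, `sudo cp -- "$TARGET_ROOT/root/allowlist.txt" "${IMAGE_PATH}-allowlist.txt"`, `sudo cp -- "$TARGET_ROOT/root/checksum.txt" "${IMAGE_PATH}-checksum.txt"`. Because the copies run under sudo the host-side artefacts will presumably be root-owned, which is worth confirming against whatever consumes them. A one-line header comment stating what the script exports would help a reader who lands here from the element directory, e.g. `# Export the IMA allowlist and its sha256 checksum from the image root next to the image (<image>-allowlist.txt, <image>-checksum.txt).`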
@ -1,2 +1,3 @@
export DIB_KEYLIME_AGENT_REGISTRAR_IP=${DIB_KEYLIME_AGENT_REGISTRAR_IP:-0}
export DIB_KEYLIME_AGENT_REGISTRAR_IP=${DIB_KEYLIME_AGENT_REGISTRAR_IP:-0}
export DIB_KEYLIME_AGENT_REGISTRAR_PORT=${DIB_KEYLIME_AGENT_REGISTRAR_PORT:-8890}
export DIB_KEYLIME_AGENT_REGISTRAR_PORT=${DIB_KEYLIME_AGENT_REGISTRAR_PORT:-8890}
export DIB_KEYLIME_AGENT_PORT=${DIB_KEYLIME_AGENT_PORT:-9002}
@ -12,7 +12,6 @@ VENVDIR=/opt/keylime
KLDIR=/tmp/keylime
KLDIR=/tmp/keylime
# create the virtual environment
# create the virtual environment
if [ $DIB_PYTHON_VERSION == 3 ]; then
if [ $DIB_PYTHON_VERSION == 3 ]; then
$DIB_PYTHON -m venv $VENVDIR
$DIB_PYTHON -m venv $VENVDIR
else
else
@ -26,6 +25,8 @@ install -c -m 0644 ${SCRIPTDIR}/ima-policy /etc/ima/ima-policy
# install Keylime-agent inside the virtual environment
# install Keylime-agent inside the virtual environment
$VENVDIR/bin/pip install 'pip>=19.1.1'
$VENVDIR/bin/pip install 'pip>=19.1.1'
$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
# dataclasses are missing in python3.6, so we have to install it manually
$VENVDIR/bin/pip install dataclasses
ln -s $VENVDIR/bin/keylime_agent /usr/local/bin/keylime_agent
ln -s $VENVDIR/bin/keylime_agent /usr/local/bin/keylime_agent
if [ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" != "0" ]; then
if [ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" != "0" ]; then
@ -34,14 +35,18 @@ fi
if [ "$DIB_KEYLIME_AGENT_REGISTRAR_PORT" != "8890" ]; then
if [ "$DIB_KEYLIME_AGENT_REGISTRAR_PORT" != "8890" ]; then
sed -i "s/registrar_port = 8890/registrar_port = "$DIB_KEYLIME_AGENT_REGISTRAR_PORT"/" /etc/keylime.conf
sed -i "s/registrar_port = 8890/registrar_port = "$DIB_KEYLIME_AGENT_REGISTRAR_PORT"/" /etc/keylime.conf
fi
fi
# set the agent uuid to randomly generated
if [ "$DIB_KEYLIME_AGENT_PORT" != "9002" ]; then
sed -i 's/^\(agent\_uuid\s*=\s*\).*$/\1dmidecode/' /etc/keylime.conf
sed -i "s/cloudagent_port = 9002/cloudagent_port = "$DIB_KEYLIME_AGENT_PORT"/" /etc/keylime.conf
fi
# set the agent uuid to hash_ek
sed -i 's/^\(agent\_uuid\s*=\s*\).*$/\1hash_ek/' /etc/keylime.conf
sed -i 's/^\(level\s*=\s*\).*$/\1DEBUG/' /etc/keylime.conf
sed -i 's/^\(level\s*=\s*\).*$/\1DEBUG/' /etc/keylime.conf
sed -i 's/^\(cloudagent\_ip\s*=\s*\).*$/\10.0.0.0/' /etc/keylime.conf
sed -i 's/^\(cloudagent\_ip\s*=\s*\).*$/\10.0.0.0/' /etc/keylime.conf
# create allowlist and checksum
# create allowlist
./$KLDIR/scripts/create_allowlist.sh /root/allowlist.txt sha256sum
./$KLDIR/scripts/create_allowlist.sh /root/allowlist.txt sha256sum
touch /root/checksum.txt
sha256sum /root/allowlist.txt > /root/checksum.txt
case "$DIB_INIT_SYSTEM" in
case "$DIB_INIT_SYSTEM" in
systemd)
systemd)
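Review bot: `sha256sum /root/allowlist.txt > /root/checksum.txt` records the in-image path `/root/allowlist.txt` beside the digest, but the new cleanup step copies the allowlist out as `${IMAGE_PATH}-allowlist.txt`, so the filename inside the shipped checksum never matches the artefact next to it and a `sha256sum -c` against the copy would fail; if only the digest is meant to be consumed, `sha256sum /root/allowlist.txt | cut -d' ' -f1 > /root/checksum.txt` makes that explicit, and the preceding `touch /root/checksum.txt` is redundant either way since the redirect creates the file. In `sed -i "s/cloudagent_port = 9002/cloudagent_port = "$DIB_KEYLIME_AGENT_PORT"/" /etc/keylime.conf` the inner double quotes close and reopen the string, so the variable is effectively unquoted and is spliced into the sed expression unvalidated; this mirrors the existing registrar_port line, but a guard such as `case "$DIB_KEYLIME_AGENT_PORT" in ''|*[!0-9]*) echo "DIB_KEYLIME_AGENT_PORT must be numeric" >&2; exit 1 ;; esac` before the new `if` would keep a stray `/` or `&` from silently rewriting the config. `$VENVDIR/bin/pip install dataclasses` runs unconditionally and unpinned although its comment scopes it to python3.6; on later interpreters the stdlib module already exists, so gating it on the venv's Python version and pinning the backport version would be tighter, and the same unguarded (and uncommented) install appears in the tpm-emulator install hunk further down.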
@ -1 +1 @@
keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1
keylime git /tmp/keylime https://github.com/keylime/keylime.git v6.2.0
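Review bot: Replacing the commit hash `16a9cfd31b02f5c60b1ccc667627fac6144f82d1` with the tag `v6.2.0` moves the keylime checkout from an immutable reference to a mutable one, since a tag can be moved or re-pushed upstream, so the source-repositories line alone no longer pins exactly what goes into the image. Keeping the tag for readability while recording the commit it resolves to (for example pinning the hash and noting the tag in a comment, if the source-repositories format allows one) would preserve the reproducibility the previous line had. The same hash-to-tag change is made in the tpm-emulator source-repositories hunk further down.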
@ -34,9 +34,10 @@ install -c -g root -o root -m 0644 ${SCRIPTDIR}/10-tcti-emulator.conf /etc/syste
install -c -g root -o root -m 0644 ${SCRIPTDIR}/20-remove-conditionpathexistsglob.conf /etc/systemd/system/tpm2-abrmd.service.d/
install -c -g root -o root -m 0644 ${SCRIPTDIR}/20-remove-conditionpathexistsglob.conf /etc/systemd/system/tpm2-abrmd.service.d/
# install Keylime-agent inside the virtual environment
# install Keylime-ima-emulator inside the virtual environment
$VENVDIR/bin/pip install 'pip>=19.1.1'
$VENVDIR/bin/pip install 'pip>=19.1.1'
$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
$VENVDIR/bin/pip install dataclasses
ln -s $VENVDIR/bin/keylime_ima_emulator /usr/local/bin/keylime_ima_emulator
ln -s $VENVDIR/bin/keylime_ima_emulator /usr/local/bin/keylime_ima_emulator
@ -1 +1 @@
keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1
keylime git /tmp/keylime https://github.com/keylime/keylime.git v6.2.0