diskimage-builder/diskimage_builder/elements/keylime-agent
Danni Shi 05d8f3ae38 Add a keylime-agent element and a tpm-emulator element
Story: #2002713

Task: #41304
Change-Id: Ia5226faabae8accb03f401aa4de3c8311b583455
2021-07-20 10:05:41 -04:00
..
environment.d Add a keylime-agent element and a tpm-emulator element 2021-07-20 10:05:41 -04:00
install.d/keylime-agent-source-install Add a keylime-agent element and a tpm-emulator element 2021-07-20 10:05:41 -04:00
post-install.d Add a keylime-agent element and a tpm-emulator element 2021-07-20 10:05:41 -04:00
element-deps Add a keylime-agent element and a tpm-emulator element 2021-07-20 10:05:41 -04:00
package-installs.yaml Add a keylime-agent element and a tpm-emulator element 2021-07-20 10:05:41 -04:00
README.rst Add a keylime-agent element and a tpm-emulator element 2021-07-20 10:05:41 -04:00
source-repository-keylime Add a keylime-agent element and a tpm-emulator element 2021-07-20 10:05:41 -04:00

=============
keylime-agent
=============

Presently, we rely upon a certain level of trust for users that leverage
baremetal resources. While we do perform cleaning between deployments,
a malicious attacker could potentially modify firmware of attached devices
in ways that may or may not be readily detectable.

The solution that has been proposed for this is the use of a measured launch
environments with engagement of Trusted Platform Management (TPM) modules to
help ensure that the running system profile is exactly as desired or approved,
by the attestation service.

To leverage TPM's for attestation, we propose Keylime,
an open source remote boot attestation and
runtime integrity measurement system. Keylime agent is a component of the
Keylime suite which runs on the baremetal node we are attesting
during cleaning and deployment steps. Keylime regisrar is
a database of all agents registered with Keylime
and hosts the public keys of the TPM vendors.

In order to enhance the ramdisk to support TPM 2.0 and Keylime,
this keylime-agent element is proposed. This element provides
configurations for Keylime agent to communicate with Keylime server.
Keylime agent runs as a system service to collect
Integrity Measurement Architecture (IMA) measurement lists and
send the measurements to the Keylime verifier for attestation.

Environment Variables
---------------------

DIB_KEYLIME_AGENT_REGISTRAR_IP
  :Required: Yes
  :Default: 0
  :Description: The IP address of Keylime registrar server
    which Keylime agent communicates with.

DIB_KEYLIME_AGENT_REGISTRAR_PORT
  :Required: Yes
  :Default: 8890
  :Description: The port of Keylime registrar server
    which Keylime agent communicates with.

**REFERENCES**

[1] github.com/keylime/
[2] review.opendev.org/c/openstack/ironic-specs/+/576718