rust-keylime/keylime.conf.diff

Index: rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
===================================================================
--- rust-keylime-0.1.0+git.1626706730.a009476.orig/keylime.conf
+++ rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
@@ -11,7 +11,8 @@ tls_check_hostnames = False
 # Valid options are 'cfssl' or 'openssl'  For cfssl to work, you must have the
 # go binary installed in your path or in /usr/local/
 # Revocation list generation is only supported by cfssl
-ca_implementation = openssl
+# ca_implementation = openssl
+ca_implementation = cfssl
 
 #=============================================================================
 [cloud_agent]
@@ -19,7 +20,8 @@ ca_implementation = openssl
 
 # The Agent's IP address and port used to communicate with other services
 # as well as a bind address for the agent server.
-cloudagent_ip = 127.0.0.1
+# cloudagent_ip = 127.0.0.1
+cloudagent_ip = 0.0.0.0
 cloudagent_port = 9002
 
 # What is the name of the rsa key that keylime should use for protecting
@@ -54,7 +56,8 @@ extract_payload_zip = True
 # If you set this to 'generate', keylime will create a random uuid
 # If you set this to 'hash_ek', keylime will set the UUID to the result
 # of SHA256(public EK in PEM format)
-agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
+# agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
+agent_uuid = hash_ek
 
 # Whether to listen for revocation notifications from the verifier
 listen_notfications = True
@@ -115,7 +118,8 @@ ek_handle = generate
 
 # The cloud verifier IP address and port used to communicate with other services
 # as well as a bind address for the verifier server.
-cloudverifier_ip = 127.0.0.1
+# cloudverifier_ip = 127.0.0.1
+cloudverifier_ip = 0.0.0.0
 cloudverifier_port = 8881
 
 # Cloud Verifier TLS options.  This is for authenticating the CV itself,
@@ -204,7 +208,8 @@ revocation_notifier = True
 # The revocation notifier IP address and port used to start the revocation service.
 # If the revocation_notifier is true, then the verifier automatically
 # starts revocation service.
-revocation_notifier_ip = 127.0.0.1
+# revocation_notifier_ip = 127.0.0.1
+revocation_notifier_ip = 0.0.0.0
 revocation_notifier_port = 8992
 
 # The verifier limits the size of upload payloads (whitelists) which defaults to
@@ -330,7 +335,8 @@ max_retries = 10
 # might provide a signed list of EK public key hashes.  Then you could write
 # an ek_check_script that checks the signature of the whitelist and then
 # compares the hash of the given EK with the whistlist
-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
 
 # Optional script to execute to check the EK and/or EK certificate against a
 # whitelist or any other additional EK processing you want to do. Runs in
@@ -356,7 +362,8 @@ ek_check_script=
 
 # The registrar's IP address and port used to communicate with other
 # services as well as a bind address for the registrar server.
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = 0.0.0.0
 registrar_port = 8890
 registrar_tls_port = 8891
Accepting request 908894 from home:aplanas:branches:security - Add generate-cargo-lock-file.patch to fix the build system in OBS - Add keylime.conf.diff to adjust the default config file - Adjust build requirements - Add firewalld XML rules - Add systemd keylime_agent.service - Fix license tag - Update to version 0.0.1+git.1626706730.a009476: * libarchive-devel is needed to build on Fedora * Accept sets of U and V keys; use new Key types * Output mask info * Fix for race condition bug * Do not resend pubkey to CV after attestation * Run payload script from a shell * Write out data and run payload * Decrypt payload after key handlers find symm key * Add handler for U and V keys * Add helper functions for handling U and V keys * Some TPM fixes for IMA PCR validation * Do not flush AK context as this causes an error * Fix bug in revocation service * Drop references to vmask * Better documentation of consts * Do not fail if EK cert is not present in TPM NV * Add more verbose logging to better match Python agent * Remove verify stub as we are not using it * tests: Don't pass --allow-signing to swtpm_setup * Fix typos * Add dependency for libzmq3-dev / zeromq-devel * Fix new clippy lints * Add handling for Identity and Integrity quotes * Add Quote functionality * Add marshaling functions for TPM structs OBS-URL: https://build.opensuse.org/request/show/908894 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3 2021-07-28 13:39:06 +00:00			`Index: rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf`
			`===================================================================`
			`--- rust-keylime-0.1.0+git.1626706730.a009476.orig/keylime.conf`
			`+++ rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf`
			`@@ -11,7 +11,8 @@ tls_check_hostnames = False`
			`# Valid options are 'cfssl' or 'openssl' For cfssl to work, you must have the`
			`# go binary installed in your path or in /usr/local/`
			`# Revocation list generation is only supported by cfssl`
			`-ca_implementation = openssl`
			`+# ca_implementation = openssl`
			`+ca_implementation = cfssl`

			`#=============================================================================`
			`[cloud_agent]`
			`@@ -19,7 +20,8 @@ ca_implementation = openssl`

			`# The Agent's IP address and port used to communicate with other services`
			`# as well as a bind address for the agent server.`
			`-cloudagent_ip = 127.0.0.1`
			`+# cloudagent_ip = 127.0.0.1`
			`+cloudagent_ip = 0.0.0.0`
			`cloudagent_port = 9002`

			`# What is the name of the rsa key that keylime should use for protecting`
			`@@ -54,7 +56,8 @@ extract_payload_zip = True`
			`# If you set this to 'generate', keylime will create a random uuid`
			`# If you set this to 'hash_ek', keylime will set the UUID to the result`
			`# of SHA256(public EK in PEM format)`
			`-agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000`
			`+# agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000`
			`+agent_uuid = hash_ek`

			`# Whether to listen for revocation notifications from the verifier`
			`listen_notfications = True`
			`@@ -115,7 +118,8 @@ ek_handle = generate`

			`# The cloud verifier IP address and port used to communicate with other services`
			`# as well as a bind address for the verifier server.`
			`-cloudverifier_ip = 127.0.0.1`
			`+# cloudverifier_ip = 127.0.0.1`
			`+cloudverifier_ip = 0.0.0.0`
			`cloudverifier_port = 8881`

			`# Cloud Verifier TLS options. This is for authenticating the CV itself,`
			`@@ -204,7 +208,8 @@ revocation_notifier = True`
			`# The revocation notifier IP address and port used to start the revocation service.`
			`# If the revocation_notifier is true, then the verifier automatically`
			`# starts revocation service.`
			`-revocation_notifier_ip = 127.0.0.1`
			`+# revocation_notifier_ip = 127.0.0.1`
			`+revocation_notifier_ip = 0.0.0.0`
			`revocation_notifier_port = 8992`

			`# The verifier limits the size of upload payloads (whitelists) which defaults to`
			`@@ -330,7 +335,8 @@ max_retries = 10`
			`# might provide a signed list of EK public key hashes. Then you could write`
			`# an ek_check_script that checks the signature of the whitelist and then`
			`# compares the hash of the given EK with the whistlist`
			`-require_ek_cert = True`
			`+# require_ek_cert = True`
			`+require_ek_cert = False`

			`# Optional script to execute to check the EK and/or EK certificate against a`
			`# whitelist or any other additional EK processing you want to do. Runs in`
			`@@ -356,7 +362,8 @@ ek_check_script=`

			`# The registrar's IP address and port used to communicate with other`
			`# services as well as a bind address for the registrar server.`
			`-registrar_ip = 127.0.0.1`
			`+# registrar_ip = 127.0.0.1`
			`+registrar_ip = 0.0.0.0`
			`registrar_port = 8890`
			`registrar_tls_port = 8891`