Index: rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
===================================================================
--- rust-keylime-0.1.0+git.1626706730.a009476.orig/keylime.conf
+++ rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
@@ -11,7 +11,8 @@ tls_check_hostnames = False
 # Valid options are 'cfssl' or 'openssl' For cfssl to work, you must have the
 # go binary installed in your path or in /usr/local/
 # Revocation list generation is only supported by cfssl
-ca_implementation = openssl
+# ca_implementation = openssl
+ca_implementation = cfssl
 
 #=============================================================================
 [cloud_agent]
@@ -19,7 +20,8 @@ ca_implementation = openssl
 # The Agent's IP address and port used to communicate with other services
 # as well as a bind address for the agent server.
 
-cloudagent_ip = 127.0.0.1
+# cloudagent_ip = 127.0.0.1
+cloudagent_ip = 0.0.0.0
 cloudagent_port = 9002
 
 # What is the name of the rsa key that keylime should use for protecting
@@ -54,7 +56,8 @@ extract_payload_zip = True
 # If you set this to 'generate', keylime will create a random uuid
 # If you set this to 'hash_ek', keylime will set the UUID to the result
 # of SHA256(public EK in PEM format)
-agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
+# agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
+agent_uuid = hash_ek
 
 # Whether to listen for revocation notifications from the verifier
 listen_notfications = True
@@ -115,7 +118,8 @@ ek_handle = generate
 # The cloud verifier IP address and port used to communicate with other services
 # as well as a bind address for the verifier server.
 
-cloudverifier_ip = 127.0.0.1
+# cloudverifier_ip = 127.0.0.1
+cloudverifier_ip = 0.0.0.0
 cloudverifier_port = 8881
 
 # Cloud Verifier TLS options. This is for authenticating the CV itself,
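Review bot: Switching `ca_implementation` to `cfssl` makes CA and revocation-list generation depend on tooling that the comment above the key says must be present (the go binary in PATH or /usr/local/), yet the patch records neither the reason nor the runtime requirement. Since this is a distribution patch, either the package should declare that dependency or the line should carry a note such as `# cfssl chosen because revocation list generation is not supported by openssl; requires cfssl and go at runtime`. Presumably revocation support is the motivation, but the hunk does not say so.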
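Review bot: `cloudagent_ip = 0.0.0.0` binds the agent on every interface, but the comment two lines above says the same value is also used to communicate with other services, and 0.0.0.0 is not a usable destination address; if the rust agent advertises this value to the registrar or verifier, reachability silently breaks, so confirm that bind and advertised address are separated before shipping this default. Widening exposure beyond loopback also matters because `tls_check_hostnames = False` is visible in the [general] context of this patch's first hunk. A comment stating the intended exposure would help the next packager, e.g. `# Bound on all interfaces: restrict port 9002 with a host firewall to verifier/tenant hosts`.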
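Review bot: `agent_uuid = hash_ek` replaces a literal UUID that every installation of the package would otherwise share, which is a sensible packaged default, but the reason is not recorded and the next packager may restore the literal. A one-line comment would fix that: `# hash_ek: derive the UUID from the TPM EK so each host gets a unique, stable identity instead of the shared sample UUID`. Note that the identity is then tied to the EK, so a host whose EK changes (for example a replaced TPM) will register under a new UUID; worth mentioning if the verifier's records depend on it.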
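Review bot: `cloudverifier_ip = 0.0.0.0` exposes the verifier API on every interface while nothing in the patch tightens what can reach it; the context says this value is also used for communicating with other services, so the same bind-versus-advertised concern as for the agent applies, and the TLS options introduced right after the hunk become the only access control. Either keep 127.0.0.1 here and override per deployment, or document the exposure with `# Listens on all interfaces; client-certificate TLS must remain enabled and port 8881 firewalled`.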
@@ -204,7 +208,8 @@ revocation_notifier = True
 # The revocation notifier IP address and port used to start the revocation service.
 # If the revocation_notifier is true, then the verifier automatically
 # starts revocation service.
-revocation_notifier_ip = 127.0.0.1
+# revocation_notifier_ip = 127.0.0.1
+revocation_notifier_ip = 0.0.0.0
 revocation_notifier_port = 8992
 
 # The verifier limits the size of upload payloads (whitelists) which defaults to
@@ -330,7 +335,8 @@ max_retries = 10
 # might provide a signed list of EK public key hashes. Then you could write
 # an ek_check_script that checks the signature of the whitelist and then
 # compares the hash of the given EK with the whistlist
-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
 
 # Optional script to execute to check the EK and/or EK certificate against a
 # whitelist or any other additional EK processing you want to do. Runs in
@@ -356,7 +362,8 @@ ek_check_script=
 # The registrar's IP address and port used to communicate with other
 # services as well as a bind address for the registrar server.
 
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = 0.0.0.0
 registrar_port = 8890
 registrar_tls_port = 8891
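Review bot: `revocation_notifier_ip = 0.0.0.0` opens the revocation notification service on all interfaces, and unlike the verifier and registrar ports this hunk shows no TLS settings for it; whether the notifier channel carries its own authentication is not visible here, so confirm that before accepting an all-interfaces default. Propose documenting the exposure: `# Bound on all interfaces so agents on other hosts receive revocation notifications; firewall port 8992 to agent subnets`.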
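Review bot: `require_ek_cert = False` removes the registrar's check that the Endorsement Key belongs to a genuine TPM, and `ek_check_script=` appears empty in the header context of the following hunk, so as far as this patch shows any EK — including one from a software TPM or generated by an attacker — is accepted and the attestation chain no longer roots in hardware. That is acceptable only for development or for hardware without EK certificates, and a packaged default must say so: `# WARNING: EK certificate checks disabled and no ek_check_script set; the registrar accepts any EK. Re-enable for production.` If the intent is a test profile, keep `True` here and override in a deployment-specific file instead.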