rust-keylime/keylime.conf.diff
Alberto Planas Dominguez 27546596af Accepting request 908894 from home:aplanas:branches:security
- Add generate-cargo-lock-file.patch to fix the build system in OBS
- Add keylime.conf.diff to adjust the default config file
- Adjust build requirements
- Add firewalld XML rules
- Add systemd keylime_agent.service
- Fix license tag
- Update to version 0.0.1+git.1626706730.a009476:
  * libarchive-devel is needed to build on Fedora
  * Accept sets of U and V keys; use new Key types
  * Output mask info
  * Fix for race condition bug
  * Do not resend pubkey to CV after attestation
  * Run payload script from a shell
  * Write out data and run payload
  * Decrypt payload after key handlers find symm key
  * Add handler for U and V keys
  * Add helper functions for handling U and V keys
  * Some TPM fixes for IMA PCR validation
  * Do not flush AK context as this causes an error
  * Fix bug in revocation service
  * Drop references to vmask
  * Better documentation of consts
  * Do not fail if EK cert is not present in TPM NV
  * Add more verbose logging to better match Python agent
  * Remove verify stub as we are not using it
  * tests: Don't pass --allow-signing to swtpm_setup
  * Fix typos
  * Add dependency for libzmq3-dev / zeromq-devel
  * Fix new clippy lints
  * Add handling for Identity and Integrity quotes
  * Add Quote functionality
  * Add marshaling functions for TPM structs

OBS-URL: https://build.opensuse.org/request/show/908894
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3
2021-07-28 13:39:06 +00:00


Index: rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
===================================================================
--- rust-keylime-0.1.0+git.1626706730.a009476.orig/keylime.conf
+++ rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
@@ -11,7 +11,8 @@ tls_check_hostnames = False
# Valid options are 'cfssl' or 'openssl' For cfssl to work, you must have the
# go binary installed in your path or in /usr/local/
# Revocation list generation is only supported by cfssl
-ca_implementation = openssl
+# ca_implementation = openssl
+ca_implementation = cfssl
#=============================================================================
[cloud_agent]
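Review bot: The new default `ca_implementation = cfssl` makes CA setup depend on the cfssl and go binaries that the comment two lines above says must be on PATH or under /usr/local, and nothing in this change shows that as a runtime package requirement (the changelog only mentions build requirements). If the package does not pull cfssl in, a fresh install will fail at CA generation rather than fall back to openssl. Either add the runtime dependency to the package or state it above the key: `# Packaged default is cfssl (needed for CRL generation); cfssl must be installed, or switch back to openssl`.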
@@ -19,7 +20,8 @@ ca_implementation = openssl
# The Agent's IP address and port used to communicate with other services
# as well as a bind address for the agent server.
-cloudagent_ip = 127.0.0.1
+# cloudagent_ip = 127.0.0.1
+cloudagent_ip = 0.0.0.0
cloudagent_port = 9002
# What is the name of the rsa key that keylime should use for protecting
@@ -54,7 +56,8 @@ extract_payload_zip = True
# If you set this to 'generate', keylime will create a random uuid
# If you set this to 'hash_ek', keylime will set the UUID to the result
# of SHA256(public EK in PEM format)
-agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
+# agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
+agent_uuid = hash_ek
# Whether to listen for revocation notifications from the verifier
listen_notfications = True
@@ -115,7 +118,8 @@ ek_handle = generate
# The cloud verifier IP address and port used to communicate with other services
# as well as a bind address for the verifier server.
-cloudverifier_ip = 127.0.0.1
+# cloudverifier_ip = 127.0.0.1
+cloudverifier_ip = 0.0.0.0
cloudverifier_port = 8881
# Cloud Verifier TLS options. This is for authenticating the CV itself,
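Review bot: Binding the verifier to 0.0.0.0 exposes port 8881 on all interfaces, and the hunk gives no indication whether the TLS options below it require clients to authenticate; the context comment only says they authenticate the verifier itself. Before widening the bind by default, confirm the verifier API requires client certificates or is covered by the packaged firewalld rules, and say so next to the key: `# Binds all interfaces; the verifier API must be reachable only by authenticated tenants/agents`.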
@@ -204,7 +208,8 @@ revocation_notifier = True
# The revocation notifier IP address and port used to start the revocation service.
# If the revocation_notifier is true, then the verifier automatically
# starts revocation service.
-revocation_notifier_ip = 127.0.0.1
+# revocation_notifier_ip = 127.0.0.1
+revocation_notifier_ip = 0.0.0.0
revocation_notifier_port = 8992
# The verifier limits the size of upload payloads (whitelists) which defaults to
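Review bot: `revocation_notifier_ip = 0.0.0.0` makes the revocation service on port 8992 reachable from every interface, and the surrounding text says nothing about how subscribers are authenticated or whether notifications are signed, so the security of the widened default rests on properties this hunk does not show. Confirm that agents verify revocation messages independently of the transport before shipping this, and document the exposure: `# 0.0.0.0: revocation service reachable on all interfaces; restrict via firewall if agents are on a dedicated network`.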
@@ -330,7 +335,8 @@ max_retries = 10
# might provide a signed list of EK public key hashes. Then you could write
# an ek_check_script that checks the signature of the whitelist and then
# compares the hash of the given EK with the whistlist
-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
# Optional script to execute to check the EK and/or EK certificate against a
# whitelist or any other additional EK processing you want to do. Runs in
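Review bot: Shipping `require_ek_cert = False` as the packaged default disables the registrar's check of the TPM endorsement key certificate, and the following context shows `ek_check_script=` left empty, so as installed the registrar appears to accept any EK, including one from a software TPM, which removes the hardware root of trust the attestation chain depends on. The comment above the key already describes the supported alternative (a signed EK whitelist checked by ek_check_script). If the relaxation is meant for hosts whose TPM has no EK certificate in NV (plausibly related to the "Do not fail if EK cert is not present" changelog entry), the conf should say so and warn that it is not a production setting: `# Distribution default: disabled so hosts without an NV-stored EK cert can register. Re-enable, or configure ek_check_script, before trusting agents in production.`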
@@ -356,7 +362,8 @@ ek_check_script=
# The registrar's IP address and port used to communicate with other
# services as well as a bind address for the registrar server.
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = 0.0.0.0
registrar_port = 8890
registrar_tls_port = 8891
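Review bot: The registrar is now bound to 0.0.0.0 on both `registrar_port = 8890` and `registrar_tls_port = 8891`; the existence of a separate TLS port suggests 8890 is plaintext, so registration traffic would by default be accepted unencrypted on every interface. Together with the `require_ek_cert = False` default elsewhere in this patch, that would let any network peer register an agent identity without a hardware-backed EK, which is worth stating explicitly or restricting. Suggest a comment above the keys: `# 0.0.0.0 exposes the plaintext registrar port on all interfaces; limit it with the firewalld rules or bind to the agents' network`.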