- Update to version 0.1.0+git.1657303637.5b9072a: * keys_handler: Use scopes to drop mutexes before await * Enable usage of Rust IMA emulator in E2E tests. * ima_emulator: Support PCR hash algorithms other than SHA-1 * ima_entry: add IMA entry parser ported from Python Keylime * algorithms: Add conversion between our hash algorithms and OpenSSL's * Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str. * Adjust function usage comments to account for new parameters. * Load config file less at startup in src/common.rs * GNUmakefile: Make target dependencies explicit * permissions: Set supplementary groups when dropping privileges * main: Use more descriptive message for missing files error * Show path when fail to load the certificate * tpm: Add serialization functions for structures in quotes - Requires tpm2.0-abrmd dependency, as the kernel resource manager may not be sufficient - Downgrade /var/run/keylime permissions - Set "run_as" parameter to "keylime:tss" - Create the keylime user via systemd - Fix keylime service home directory OBS-URL: https://build.opensuse.org/request/show/989445 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=20
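--- a/keylime.conf
+++ b/keylime.conf
@@ -4,7 +4,8 @@
 
 # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
 # revocation events from the verifier.
-receive_revocation_ip = 127.0.0.1
+# receive_revocation_ip = 127.0.0.1
+receive_revocation_ip = <REMOTE_IP>
 receive_revocation_port = 8992
 
 
@@ -13,7 +14,8 @@ receive_revocation_port = 8992
 #=============================================================================
 
 # The binding address and port for the agent server
-cloudagent_ip = 127.0.0.1
+# cloudagent_ip = 127.0.0.1
+cloudagent_ip = 0.0.0.0
 cloudagent_port = 9002
 
 # Address and port where the verifier and tenant can connect to reach the agent.
@@ -22,7 +24,8 @@ agent_contact_ip = 127.0.0.1
 agent_contact_port = 9002
 
 # The address and port of registrar server which agent communicate with
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = <REMOTE_IP>
 registrar_port = 8890
 
 # The keylime working directory. Can be overriden by setting the KEYLIME_DIR
@@ -127,3 +130,21 @@ tpm_signing_alg = rsassa
 # handle (e.g. "0x81000000"). The Keylime agent will then not attempt to
 # create a new EK upon startup, and neither will it flush the EK upon exit.
 ek_handle = generate
+
+# The user account to switch to to drop privileges when started as root
+# If left empty, the agent will keep running with high privileges.
+# The user and group specified here must allow the user to access the
+# WORK_DIR (typically /var/lib/keylime) and /dev/tpmrm0. Therefore,
+# suggested value for the run_as parameter is keylime:tss.
+# The following commands should be used to set ownership before running the
+# agent:
+# chown keylime /var/lib/keylime
+#
+# If agent_data.json already exists:
+# chown keylime /var/lib/keylime/agent_data.json
+#
+# If cv_ca directory exists:
+# chown keylime /var/lib/keylime/cv_ca
+# chown keylime /var/lib/keylime/cv_ca/cacert.crt
+#
+run_as = keylime:tss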
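Review bot: `cloudagent_ip = 0.0.0.0` in the second hunk turns the packaged default into an all-interfaces bind where the upstream value was loopback, so the agent port is reachable from the network as soon as the package is installed, and neither the hunk nor the commit message explains the exposure. A comment on that line should record it, e.g. `# Binds on every interface so the verifier/tenant can reach the agent; narrow this to the management address on multi-homed hosts and confirm the agent's TLS settings before exposing it` — whether mTLS is enabled by default is not visible in this diff. The `<REMOTE_IP>` values written to `receive_revocation_ip` (first hunk) and `registrar_ip` (third hunk) are not parseable addresses, so the shipped config presumably refuses to start until an administrator edits them; if that fail-closed behaviour is intended, a line such as `# <REMOTE_IP> is a placeholder: replace it with the verifier/registrar address before starting the agent` above each would make it explicit instead of surfacing as a cryptic startup error. In the last hunk the `chown keylime ...` examples only change the owner, while `run_as = keylime:tss` also drops to the `tss` group; stating that the group (typically the owner of /dev/tpmrm0) is what grants TPM access would stop readers from loosening the device permissions instead.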