keylime.conf

[general]
#=============================================================================

# Turn on or off TLS keylime wide
enable_tls = True

# Turn on or off DNS hostname checking for TLS certificates.
tls_check_hostnames = False

# Set which provider you want for the generation of certificates
# Valid options are 'cfssl' or 'openssl'  For cfssl to work, you must have the
# go binary installed in your path or in /usr/local/
# Revocation list generation is only supported by cfssl
ca_implementation = openssl

#=============================================================================
[cloud_agent]
#=============================================================================

# The Agent's IP address and port used to communicate with other services 
# as well as a bind address for the agent server.
cloudagent_ip = 127.0.0.1
cloudagent_port = 9002

# What is the name of the rsa key that keylime should use for protecting
# shares of U/V
rsa_keyname = tci_rsa_key

# What filename in /var/lib/keylime/secure should the encryption key be placed
enc_keyname = derived_tci_key

# What filename in /var/lib/keylime/secure should the optional decrypted
# payload be placed
dec_payload_file = decrypted_payload

# The size of the memory backed tmpfs partition where keylime stores crypto keys
# use syntax that mount would accept as a size parameter for tmpfs
# the default below sets it to 1 megabyte
secure_size = 1m

# Use this option to set the TPM ownerpassword to something you want to use.
# Set it to "generate" if you want keylime to choose a random owner password
# for you
tpm_ownerpassword = keylime

# Set to true to allow the cloud_agent to automatically extract a zip file in
# the delivered payload after it has been decrypted.  It will be decrypted to
# a folder unzipped in /var/lib/keylime/secure.  Note the limits on the size
# of the tmpfs partition above with secure_size option
extract_payload_zip = True

# Set the agent's uuid to the given value.
# Set to 'openstack', it will try to get the uuid from the metadata service
# If you set this to 'generate', keylime will create a random uuid
# If you set this to 'hash_ek', keylime will set the UUID to the result
# of SHA256(public EK in PEM format)
agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000

# Whether to listen for revocation notifications from the verifier
listen_notfications = True

# Path to the certificate to verify revocation messages received from the
# verifier.  path is relative to /var/lib/keylime
# If set to "default", keylime will use the file RevocationNotifier-cert.crt
# from the unzipped contents provided by the tenant
revocation_cert = default

# Comma separated list of python scripts to run upon receiving a revocation
# message. Keylime will verify the signature first, then call these python
# scripts with the json revocation message.  The scripts must be located in
# revocation_actions directory
#
# Keylime will also get the list of revocation actions from the file
# action_list in the unzipped contents provided by the verifier
# all actions must be named local_action_[some name]
revocation_actions=

# A script to execute after unzipping the tenant payload.  This is like
# cloud-init lite =)  Keylime will run it with a /bin/sh environment with
# a working directory of /var/lib/keylime/secure/unzipped
payload_script=autorun.sh

# Jason @henn made be do it! he wanted a way for keylime to measure the
# delivered payload into a pcr of choice.  specify a PCR number to turn it on
# set to -1 or any negative or out of range PCR value to turn off
measure_payload_pcr=-1

# How long to wait between failed attempts to communicate with the tpm in
# seconds.  floating point values accepted here
retry_interval = 1

# Integer number of retries to communicate with the tpm before giving up
max_retries = 10

# TPM2-specific options, allow customizing default algorithms to use.
# specify the default crypto algorithms to use with a TPM2 for this agent
#
# Currently accepted values include:
# hashing: sha512, sha384, sha256 or sha1
# encryption: ecc or rsa
# signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr
tpm_hash_alg = sha256
tpm_encryption_alg = rsa
tpm_signing_alg = rsassa

#=============================================================================
[cloud_verifier]
#=============================================================================

# The cloud verifier IP address and port used to communicate with other services 
# as well as a bind address for the verifier server.
cloudverifier_ip = 127.0.0.1
cloudverifier_port = 8881

# Cloud Verifier TLS options.  This is for authenticating the CV itself,
# authenticating the users of the CV and securing the transmission of keys
#
# tls_dir option sets directory in /var/lib/keylime/ to put CA certificates
# and files for TLS.
# Set to "generate" to automatically generate a CA/certificates in dir cv_ca
# If set to "generate":  ca_cert, my_cert, and private_key must be "default"
# If you specify generate, you can manage the CA that the verifier will create
# using keylime_ca -d /var/lib/keylime/cv_ca/
tls_dir = generate

# The filename (in tls_dir) of the CA cert for verifying client certificates
ca_cert = default

# The filename (in tls_dir) of the cloud verifier certificate and private key
# The following two options also take the string "default" to find a files
# with names <fully_qualified_name>-cert.crt and
# <fully_qualified_name>-public.pem for cert and private key respectively
my_cert = default
private_key = default

# Set the password to Decrypt the private key file.  this should be set to a
# strong password
# If tls_dir=generate, this password will also be used to protect the
# generated CA private key
private_key_pw = default

# Registrar client TLS options. This allows the CV to authenticate the
# registar before asking for AIKs
# This option sets the directory where the CA certificate for the registrar
# can be found
# Use "default" to use 'reg_ca' (this points it to the directory automatically
# created by the registrar if it is set to "generate"
# Use "CV" to use 'cv_ca', the directory automatically created (and shared
# with the registar) by the CV
registrar_tls_dir = CV

# The following three options set the filenames in tls_dir where the CA
# certificate, client certificate, and client private key file are
# if tls_dir = default, then default values will be used for ca_cert =
# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem
registrar_ca_cert = default
registrar_my_cert = default
registrar_private_key = default

# Set the password to decrypt the private key file.  this should be set to a
# strong password
# If you are using the auto generated keys from the CV, set the same password
# here as you did for private_key_pw in the [cloud_verifier] section
registrar_private_key_pw = default

# The file to use for SQLite persistence of agent data
db_filename = cv_data.sqlite

# Number of worker processes to use for the cloud verifier
# Set to 0 to create one worker per processor
multiprocessing_pool_num_workers = 0

# How long to wait between failed attempts to connect to an cloud agent in
# seconds.  floating point values accepted here
retry_interval = 1

# Integer number of retries to connect to an agent before giving up
max_retries = 10

# Time between integrity measurement checks in seconds.  Set to 0 to do as
# fast as possible.  Floating point values accepted here
quote_interval = 2

# Whether to turn on the zero mq based revocation notifier system
# currently this only works if you are using keylime-CA
revocation_notifier = True

# The revocation notifier IP address and port used to start the revocation service. 
# If the revocation_notifier is true, then the verifier automatically 
# starts revocation service.
revocation_notifier_ip = 127.0.0.1
revocation_notifier_port = 8992

#=============================================================================
[tenant]
#=============================================================================

# Tenant client TLS options.  This is for authenticating the CV itself and
# proving that the tenant can talk to the CV.
# tls_dir option sets directory in /var/lib/keylime/ to find client
# certificates for talking to the CV.
# and files for TLS.
# set to default to use the CA setup by the cloud_verifier on the same machine
# files will be in /var/lib/keylime/cv_ca/
tls_dir = default

# the following three options set the filenames in tls_dir where the CA
# certificate, client certificate, and client private key file are
# if tls_dir = default, then default values will be used for ca_cert =
# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem
ca_cert = default
my_cert = default
private_key = default

#EK certificate storage location
tpm_cert_store = /var/lib/keylime/tpm_cert_store/

# set the password to decrypt the private key file.  this should be set to a
# strong password
# if you are using the auto generated keys from the CV, set the same password
# here as you did for private_key_pw in the [cloud_verifier] section
private_key_pw = default

# Registrar client TLS options.  this allows the tenant to authenticate the
# registar before asking for AIKs
# this option sets the directory where the CA certificate for the registrar
# can be found
# use "default" to use 'reg_ca' (this points it to the directory automatically
# created by the registrar if it is set to "generate"
# use "CV" to use 'cv_ca', the directory automatically created (and shared
# with the registar) by the CV
registrar_tls_dir = CV
# the following three options set the filenames in tls_dir where the CA
# certificate, client certificate, and client private key file are
# if tls_dir = default, then default values will be used for ca_cert =
# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem
registrar_ca_cert = default
registrar_my_cert = default
registrar_private_key = default

# set the password to decrypt the private key file.  this should be set to a
# strong password
# if you are using the auto generated keys from the CV, set the same password
# here as you did for private_key_pw in the [cloud_verifier] section
registrar_private_key_pw = default

# max size of payload the tenant will take in bytes (default 1 megabyte)
# make sure this matches with secure_size param in the [cloud_agent] section.
# don't send things bigger than the tmpfs where they will be decrypted
max_payload_size = 1048576

# TPM policies are json structures that takes a list of accepted pcr values
# and will match any in the list for that pcr.  These can be a mixture of any
# hashing algorithms, potentially of varying digest lengths (default policy
# below supports SHA1, SHA-256 and SHA-512)
# note that you can't set a policy on PCR10 and PCR16 because
# keylime uses them internally
tpm_policy = {"22":["0000000000000000000000000000000000000001","0000000000000000000000000000000000000000000000000000000000000001","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001","ffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"],"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]}

# Same as tpm_policy but for virtual PCRs
vtpm_policy = {"23":["ffffffffffffffffffffffffffffffffffffffff","0000000000000000000000000000000000000000"],"15":"0000000000000000000000000000000000000000"}

# specify the file containing whitelists for processing Linux IMA white lists
# this file is used if tenant provides "default" as the IMA whitelist file
# this file should be in the form
# SHA1sum path_to_file
ima_whitelist = whitelist.txt

# specify a file containing paths that should be ignored by IMA
# use with great caution as it will affect the security of IMA
ima_excludelist = exclude.txt

# specify the acceptable crypto algorithms to use with the TPM for this agent.
# only algorithms specified below will be allowed for usage by an agent.  if a
# agent uses an algorithm not specified here, it will fail validation
#
# currently accepted values include:
# hashing: sha512, sha384, sha256 and sha1
# encryption: ecc and rsa
# signing: rsassa, rsapss, ecdsa, ecdaa and ecschnorr
#
# NOTE: the TPM 1.2 standard only supports sha1 hashing, rsa encryption and
# rsassa signing protocols, therefore these are required for agents with
# TPM 1.2 being used
accept_tpm_hash_algs = sha512,sha384,sha256,sha1
accept_tpm_encryption_algs = ecc,rsa
accept_tpm_signing_algs = ecschnorr,rsassa

# how long to wait between failed attempts to connect to a cloud agent in
# seconds.  floating point values accepted here
retry_interval = 1

# integer number of retries to connect to a agent before giving up
max_retries = 10

# tell the tenant whether to require an EK certificate from the TPM.
# if set to False the tenant will ignore EK certificates entirely
#
# WARNING SETTING THIS OPTION TO FALSE IS VERY DANGEROUS!!!!!
#
# If you disable this check, then you may not be talking to a real TPM.
# All the security guarantees of keylime rely upon the security of the EK
# and the assumption that you are talking to a spec-compliant and honest TPM.
# some physical TPMs do not have EK certificates, so you may need to set
# this to False for some deployments.  If you do set it to False, you
# MUST use the ek_check_script option below to specify a script that will
# check the provided EK against a whitelist for the environment that has
# been collected in a trustworthy way.  For example, the cloud provider
# might provide a signed list of EK public key hashes.  Then you could write
# an ek_check_script that checks the signature of the whitelist and then
# compares the hash of the given EK with the whistlist
require_ek_cert = True

# Optional script to execute to check the EK and/or EK certificate against a
# whitelist or any other additional EK processing you want to do. Runs in
# /var/lib/keylime. You call also specify an absolute path to the script.
# script should return 0 if the EK or EK certificate are valid.  Any other
# return value will invalidate the tenant quote check and prevent
# bootstrapping a key.
#
# The various keys are passed to the script via environment variables:
# EK - contains a PEM encoded version of the public ek
# EK_CERT - contains a DER encoded  ek certificate if one is available.
# PROVKEYS - contains a json document containing ek, ekcert, and aik from the
# provider.  ek and aik are in PEM format.  The ekcert is in base64 encoded
# DER format.
#
# set to blank to disable this check.  See warning above if require_ek_cert
# is False
ek_check_script=

#=============================================================================
[registrar]
#=============================================================================

# The registrar's IP address and port used to communicate with other 
# services as well as a bind address for the registrar server.
registrar_ip = 127.0.0.1
registrar_port = 8890
registrar_tls_port = 8891

# Used for Xen vTPM
provider_registrar_port = 8990
provider_registrar_tls_port = 8991
provider_registrar_ip = 127.0.0.1

# Registrar TLS options.  This is for authenticating the registrar to clients
# who want to query AIKs
#
# tls_dir option sets directory in /var/lib/keylime/ to put CA certificates
# and files for TLS.
# Set to "generate" to automatically generate a CA/certificates in dir reg_ca
# If you specify generate, you can manage the CA that the verifier will create
# using keylime_ca -d /var/lib/keylime/reg_ca/
#
# Set to "CV" to share the CA with the cloud verifier (which must be run first
# once before starting the registrar so it can generate the keys)
tls_dir = CV

# The filename (in tls_dir) of the CA cert for for the registrar's
ca_cert = default

# The filename (in tls_dir) of the registrar certificate and private key
# The following two options also take the string "default" to find a files
# with names <fully_qualified_name>-cert.crt and
# <fully_qualified_name>-public.pem for cert and private key respectively
my_cert = default
private_key = default

# Set the password to decrypt the private key file. This should be set to a
# strong password
# If tls_dir=generate, this password will also be used to protect the
# generated CA private key
private_key_pw = default

# Registrar client TLS options.  this allows the registrar to authenticate the
# provider registrar before asking for AIKs
# This option sets the directory where the CA certificate for the provider
# registrar can be found
# Use "default" to use 'reg_ca' (this points it to the directory automatically
# created by the registrar if it is set to "generate"
# Use "CV" to use 'cv_ca', the directory automatically created (and shared
# with the registar) by the CV
registrar_tls_dir = CV

# The following three options set the filenames in tls_dir where the CA
# certificate, client certificate, and client private key file are
# If tls_dir = default, then default values will be used for ca_cert =
# cacert.pem, my_cert = client-cert.crt, and private_key = client-private.pem
registrar_ca_cert = default
registrar_my_cert = default
registrar_private_key = default

# Set the password to decrypt the private key file.  this should be set to a
# strong password
# If you are using the auto generated keys from the CV, set the same password
# here as you did for private_key_pw in the [cloud_verifier] section
registrar_private_key_pw = default

# The file to use for SQLite persistence of agent data
db_filename = reg_data.sqlite

# The file to use for SQLite persistence of provider hypervisor data
prov_db_filename = provider_reg_data.sqlite

#=============================================================================
[ca]
#=============================================================================

# These options set the metadata into the certificates that the keylime_ca
# utility will use when creating certificates and CAs.
# These options are also used by the verifier and registrar when using the
# tls_dir=generate option
# the below options are pretty self explanatory X509 stuff.
cert_country=US
cert_ca_name=keylime certificate authority
cert_state=MA
cert_locality=Lexington
cert_organization=MITLL
cert_org_unit=53
cert_ca_lifetime=3650
cert_lifetime=365
cert_bits=2048

# This setting allows you to specify where your CRL will be hosted
# Insert the relevant URL
# Use "default" to use the tenant machine FQDN as the CRL distribution point.
# Use "default" with caution as it will use the result python's
# socket.getfqdn() as the hostname. This may not be a properly resolvable
# DNS name in which case you need to specify a hostname where you will
# run the revocation listener (see below)
#
# You can then use keylime_ca -c listen -n ca/RevocationNotifier-cert.crt
cert_crl_dist=http://localhost:38080/crl

# If the provider for certificate generation is CFSSL, then the HTTP-based 
# API server will run at this address and port.
cfssl_ip = 127.0.0.1
cfssl_port = 8888

#=============================================================================
[webapp]
#=============================================================================

webapp_ip = 127.0.0.1
webapp_port = 443

#=============================================================================
# GLOBAL LOGGING CONFIGURATION
#=============================================================================

# The only thing really to change here is the default log levels for either
# console or keylime loggers

[loggers]
keys = root,keylime

[handlers]
keys = consoleHandler

[formatters]
keys = formatter

[formatter_formatter]
format = %(asctime)s.%(msecs)03d - %(name)s - %(levelname)s - %(message)s
datefmt = %Y-%m-%d %H:%M:%S

[logger_root]
level = INFO
handlers = consoleHandler

[handler_consoleHandler]
class = StreamHandler
level = INFO
formatter = formatter
args = (sys.stdout,)

[logger_keylime]
level = INFO
qualname = keylime
handlers =