keylime-agent.conf

# All configuration options can be overridden by environment variables.
# The environment variables used to override options are composed by the
# 'KEYLIME_AGENT_' prefix followed by the option to be set in upper case.
# For example, to override the 'registrar_ip' option, set the
# KEYLIME_AGENT_REGISTRAR_IP environment variable.

#=============================================================================
[agent]
#=============================================================================

# The configuration file version
#
# To override, set KEYLIME_AGENT_VERSION environment variable.
version = "2.2"

# The agent's UUID.
# If you set this to "generate", Keylime will create a random UUID.
# If you set this to "hash_ek", Keylime will set the UUID to the result
# of 'SHA256(public EK in PEM format)'.
#
# To override, set KEYLIME_AGENT_UUID environment variable.
uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"

# The binding IP address and port for the agent server
#
# To override ip, set KEYLIME_AGENT_IP environment variable.
# To override port, set KEYLIME_AGENT_PORT environment variable.
ip = "127.0.0.1"
port = 9002

# Address and port where the verifier and tenant can connect to reach the agent.
# These keys are optional.
#
# To override contact_ip, set KEYLIME_AGENT_CONTACT_IP environment variable.
# To override contact_port, set KEYLIME_AGENT_CONTACT_PORT environment variable.
contact_ip = "127.0.0.1"
contact_port = 9002

# The address and port of registrar server which agent communicate with
#
# To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
# To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
# variable.
registrar_ip = "127.0.0.1"
registrar_port = 8890

# Enable mTLS communication between agent, verifier and tenant.
# Details on why setting it to "false" is generally considered insecure can be found
# on https://github.com/keylime/keylime/security/advisories/GHSA-2m39-75g9-ff5r
#
# To override enable_agent_mtls, set KEYLIME_AGENT_ENABLE_AGENT_MTLS environment
# variable.
enable_agent_mtls = true

# The keylime working directory. The default value is /var/lib/keylime
#
# To override keylime_dir, set KEYLIME_AGENT_KEYLIME_DIR or KEYLIME_DIR
# environment variable.
keylime_dir = "/var/lib/keylime"

# The name of the file containing the Keylime agent TLS server private key.
# This private key is used to serve the Keylime agent REST API
# A new private key is generated in case it is not found.
# If set as "default", the "server-private.pem" value is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change
#
# To override server_key, set KEYLIME_AGENT_SERVER_KEY environment variable.
server_key = "default"

# Set the password used to encrypt the private key file.
# This password will also be used to protect the generated private key used for
# mTLS authentication
# If left empty, the private key will not be encrypted.
#
# To override server_key_password, set KEYLIME_AGENT_SERVER_KEY_PASSWORD
# environment variable.
server_key_password = ""

# The name of the file containing the X509 certificate used as the Keylime agent
# server TLS certificate.
# This certificate must be self signed.
# If set as "default", the "server-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override server_cert, set KEYLIME_AGENT_SERVER_CERT environment variable.
server_cert = "default"

# The CA that signs the client certificates of the tenant and verifier.
# If set as "default" the "cv_ca/cacert.crt" value, relative from the
# keylime_dir is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override trusted_client_ca, set KEYLIME_AGENT_TRUSTED_CLIENT_CA environment
# variable.
trusted_client_ca = "default"

# The name that should be used for the encryption key, placed in the
# $keylime_dir/secure/ directory.
#
# To override enc_keyname, set KEYLIME_AGENT_ENC_KEYNAME environment variable.
enc_keyname = "derived_tci_key"

# The name that should be used for the optional decrypted payload, placed in
# the $keylime_dir/secure directory.
#
# To override dec_payload_file, set KEYLIME_AGENT_DEC_PAYLOAD_FILE environment
# variable.
dec_payload_file = "decrypted_payload"

# The size of the memory-backed tmpfs partition where Keylime stores crypto keys.
# Use syntax that the 'mount' command would accept as a size parameter for tmpfs.
# The default below sets it to 1 megabyte.
#
# To override secure_size, set KEYLIME_AGENT_SECURE_SIZE environment variable.
secure_size = "1m"

# Whether to allow the agent to automatically extract a zip file in the
# delivered payload after it has been decrypted, or not. Defaults to "true".
# After decryption, the archive will be unzipped to a directory in $keylime_dir/secure.
# Note: the limits on the size of the tmpfs partition set above with the 'secure_size'
# option will affect this.
#
# To override extract_payload_zip, set KEYLIME_AGENT_EXTRACT_PAYLOAD_ZIP
# environment variable.
extract_payload_zip = true

# Whether to listen for revocation notifications from the verifier via zeromq.
# Note: The agent supports receiving revocation notifications via REST API
# regardless of the value set here.
#
# To override enable_revocation_notifications, set
# KEYLIME_AGENT_ENABLE_REVOCATION_NOTIFICATIONS environment variable.
enable_revocation_notifications = false

# The path to the directory containing the pre-installed revocation action
# scripts.  Ideally should point to an fixed/immutable location subject to
# attestation.  The default is /usr/libexec/keylime.
#
# To override revocation_actions_dir, set KEYLIME_AGENT_REVOCATION_ACTIONS_DIR
# environment variable.
revocation_actions_dir = "/usr/libexec/keylime"

# Revocation IP & Port used by the agent to receive revocation
# notifications from the verifier via zeromq.
# This is optional and used only when 'enable_revocation_notifications' is 'true'.
#
# To override revocation_notification_ip, set
# KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
# To override revocation_notification_port, set
# KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.
revocation_notification_ip = "127.0.0.1"
revocation_notification_port = 8992

# The path to the certificate to verify revocation messages received from the
# verifier.  The path is relative to keylime_dir unless an absolute path is
# provided (i.e. starts with '/').
# If set to "default", Keylime will use the file RevocationNotifier-cert.crt
# from the unzipped payload contents provided by the tenant.
#
# To override revocation_cert, set KEYLIME_AGENT_REVOCATION_CERT environment
# variable.
revocation_cert = "default"

# A comma-separated list of executables to run upon receiving a revocation
# message. Keylime will verify the signature first, then call these executables
# passing the json revocation message.
# The executables must be located in the 'revocation_actions_dir' directory.
#
# Keylime will also get the list of revocation actions from the file
# action_list in the unzipped payload contents provided by the verifier.
#
# To override revocation_actions, set KEYLIME_AGENT_REVOCATION_ACTIONS
# environment variable.
revocation_actions = ""

# A script to execute after unzipping the tenant payload.
# Keylime will run it with a /bin/sh environment and with a working directory of
# $keylime_dir/secure/unzipped.
#
# To override payload_script, set KEYLIME_AGENT_PAYLOAD_SCRIPT environment
# variable.
payload_script = "autorun.sh"

# In case mTLS for the agent is disabled and the use of payloads is still
# required, this option has to be set to "true" in order to allow the agent
# to start. Details on why this configuration (mTLS disabled and payload enabled)
# is generally considered insecure can be found on
# https://github.com/keylime/keylime/security/advisories/GHSA-2m39-75g9-ff5r
#
# To override enable_insecure_payload, set KEYLIME_AGENT_ENABLE_INSECURE_PAYLOAD
# environment variable.
enable_insecure_payload = false

# Whether to allow running revocation actions sent as part of the payload.  The
# default is true and setting as false will limit the revocation actions to the
# pre-installed ones.
#
# To override allow_payload_revocation_actions, set
# KEYLIME_AGENT_ALLOW_PAYLOAD_REVOCATION_ACTIONS environment variable.
allow_payload_revocation_actions = true

# TPM2-specific options, allows customizing default algorithms to use.
# Specify the default crypto algorithms to use with a TPM2 for this agent.
#
# Currently accepted values include:
# - hashing:    sha512, sha384, sha256 or sha1
# - encryption: ecc or rsa
# - signing:    rsassa, rsapss, ecdsa, ecdaa or ecschnorr
#
# To override tpm_hash_alg, set KEYLIME_AGENT_TPM_HASH_ALG environment variable.
# To override tpm_encryption_alg, set KEYLIME_AGENT_TPM_ENCRYPTION_ALG
# environment variable.
# To override tpm_signing_alg, set KEYLIME_AGENT_TPM_SIGNING_ALG environment
# variable.
tpm_hash_alg = "sha256"
tpm_encryption_alg = "rsa"
tpm_signing_alg = "rsassa"

# If an EK is already present on the TPM (e.g., with "tpm2_createek") and
# you require Keylime to use this EK, change "generate" to the actual EK
# handle (e.g. "0x81000000"). The Keylime agent will then not attempt to
# create a new EK upon startup, and neither will it flush the EK upon exit.
#
# To override ek_handle, set KEYLIME_AGENT_EK_HANDLE environment variable.
ek_handle = "generate"

# Enable IDevID and IAK usage 
enable_iak_idevid = false

# Select IDevID and IAK templates or algorithms for regenerating the keys.
# By default the template will be detected automatically from the certificates. This will happen if iak_idevid_template is left empty or set as "default" or "detect".
# Choosing a template will override the name and asymmetric algorithm choices. To use these choices, set iak_idevid_template to "manual"
# Templates are specified in the TCG document found here, section 7.3.4: 
# https://trustedcomputinggroup.org/wp-content/uploads/TPM-2p0-Keys-for-Device-Identity-and-Attestation_v1_r12_pub10082021.pdf
#
# Accepted values:
# iak_idevid_template:        default, detect, H-1, H-2, H-3, H-4, H-5, manual
# iak_idevid_asymmetric_alg:   rsa, ecc
# iak_idevid_name_alg:        sha256, sm3_256, sha384, sha512
iak_idevid_template = "detect"
# In order for these values to be used, set the iak_idevid_template option to manual
iak_idevid_asymmetric_alg = "rsa"
iak_idevid_name_alg = "sha256"

# Alternatively if the keys are persisted, provide the handles for their location below, and optionally their passwords.
# If handles are provided, they will take priority over templates/algorithms selected above.
# To use a hex password, use the prefix "hex:" at the start of the password.
idevid_password = ""
idevid_handle = ""

iak_password = ""
iak_handle = ""

# The name of the file containing the X509 IAK certificate.
# If set as "default", the "iak-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override iak_cert, set KEYLIME_AGENT_IAK_CERT environment variable.
iak_cert = "default"

# The name of the file containing the X509 IDevID certificate.
# If set as "default", the "idevid-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override idevid_cert, set KEYLIME_AGENT_IDEVID_CERT environment variable.
idevid_cert = "default"

# Use this option to state the existing TPM ownerpassword.
# This option should be set only when a password is set for the Endorsement
# Hierarchy (e.g. via "tpm2_changeauth -c e").
# In order to use a hex value for the password, use the prefix "hex:"
# For example if tpm2_changeauth -c e "hex:00a1b2c3e4" has run, the config option
# would be 'tpm_ownerpassword = "hex:00a1b2c3e4"'
# If no password was set, keep the empty string "".
#
# To override tpm_ownerpassword, set KEYLIME_AGENT_TPM_OWNERPASSWORD environment
# variable.
tpm_ownerpassword = ""

# The user account to switch to to drop privileges when started as root
# If left empty, the agent will keep running with high privileges.
# The user and group specified here must allow the user to access the
# WORK_DIR (by default /var/lib/keylime) and /dev/tpmrm0. Therefore, the
# suggested value for the run_as parameter is keylime:tss.
# The following commands should be used to set ownership before running the
# agent:
# chown keylime /var/lib/keylime
#
# If agent_data.json already exists:
# chown keylime /var/lib/keylime/agent_data.json
#
# If cv_ca directory exists:
# chown keylime /var/lib/keylime/cv_ca
# chown keylime /var/lib/keylime/cv_ca/cacert.crt
#
# To override run_as, set KEYLIME_AGENT_RUN_AS environment variable.
run_as = "keylime:tss"

# Path where to store the agent tpm data which can be loaded later
# If not an absolute path, it will be considered a relative path from the
# directory set by the keylime_dir option above
# If set as "default" Keylime will use "agent_data.json", located at
# keylime_dir.
#
# To override agent_data_path, set KEYLIME_AGENT_AGENT_DATA_PATH environment
# variable.
agent_data_path = "default"

# Path from where the agent will read the IMA measurement log.
#
# If set as "default", Keylime will use the default path:
# The default path is /sys/kernel/security/ima/ascii_runtime_measurements
# If set as a relative path, it will be considered from the root path "/".
# If set as an absolute path, it will use it without changes
ima_ml_path = "default"

# Path from where the agent will read the measured boot event log.
#
# If set as "default", Keylime will use the default path:
# The default path is /sys/kernel/security/tpm0/binary_bios_measurements
# If set as a relative path, it will be considered from the root path "/".
# If set as an absolute path, it will use it without changes
measuredboot_ml_path = "default"