To set up in a Microsoft Hyper-V VM, follow this GitHub comment.
tpm2_main.patch
--- /usr/lib/python3.9/site-packages/keylime/tpm/tpm_main.py 2021-03-22 10:56:48.147184032 -0700
+++ /usr/lib/python3.9/site-packages/keylime/tpm/tpm_main.py 2021-03-22 11:01:51.158510487 -0700
@@ -1179,8 +1179,15 @@
"-f", nvpath.name, "-a", "0x01c00002"],
raiseOnError=False, outputpaths=nvpath.name)
elif self.tools_version in ["4.0", "4.2"]:
- retDict = self.__run(["tpm2_nvread", '0x1c00002', "-s", ekcert_size, "-o", nvpath.name],
- raiseOnError=False, outputpaths=nvpath.name)
+ if int(ekcert_size) <= 1024:
+ retDict = self.__run(["tpm2_nvread", "0x1c00002", "-s", ekcert_size, "-o", nvpath.name],
+ raiseOnError=False, outputpaths=nvpath.name)
+ else:
+ owner_pw = self.get_tpm_metadata('owner_pw')
+ retDict = self.__run(["tpm2_nvread", "0x1c00002", "-s", "1024", "-o", nvpath.name, "-C", "o", "-P", owner_pw],
+ raiseOnError=False, outputpaths=nvpath.name)
+ tmpRetDict = self.__run(["tpm2_nvread", "0x1c00002", "-s", "512", "-C", "o", "-P", owner_pw, ">>", nvpath.name],
+ raiseOnError=False, outputpaths=nvpath.name)
output = config.list_convert(retDict['retout'])
errout = config.list_convert(retDict['reterr'])
code = retDict['code']
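Review bot: The second tpm2_nvread on the added `tmpRetDict` line reads from the start of the index again, because no `--offset` is passed, so the 512 bytes appended to nvpath.name repeat the beginning of the certificate instead of continuing from byte 1024; the call should carry `"--offset", "1024"` (tpm2-tools 4.x accepts the long option). The `">>"` token is only a redirection if `self.__run` hands the list to a shell — if it executes the argv directly, tpm2_nvread receives `>>` as a positional argument — so writing the second chunk to its own file with `-o` and concatenating in Python is the unambiguous form. Certificates longer than 1536 bytes are still truncated by the two fixed sizes, and neither the second read's exit code nor its stderr reaches `code`/`errout`, which only look at retDict. Passing the owner password with `-P` on the command line also makes it visible to any local process listing while the read runs. The enclosing method starts and ends outside the hunk.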
tenant_webapp.patch
--- /usr/lib/python3.9/site-packages/keylime/tenant_webapp.py 2021-03-01 13:33:16.000000000 -0800
+++ /usr/lib/python3.9/site-packages/keylime/tenant_webapp.py 2021-03-22 11:17:53.308795604 -0700
@@ -657,8 +657,8 @@
logger.info(f"Setting up client TLS in {tls_dir}")
ca_path = "%s/%s" % (tls_dir, ca_cert)
- my_tls_cert = "%s/%s" % (tls_dir, my_cert)
- my_tls_priv_key = "%s/%s" % (tls_dir, my_priv_key)
+ my_tls_cert = "%s" % (my_cert)
+ my_tls_priv_key = "%s" % (my_priv_key)
context = ssl.create_default_context()
context.load_verify_locations(cafile=ca_path)
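Review bot: The cert and key paths on the two added lines no longer carry the `tls_dir` prefix while `ca_path` on the context line above still does, so a relative `my_cert`/`my_priv_key` value now resolves against the process working directory rather than the TLS directory; `my_tls_cert = os.path.join(tls_dir, my_cert)` and `my_tls_priv_key = os.path.join(tls_dir, my_priv_key)` keep absolute values verbatim and prefix relative ones, covering both the old and the new layout (assuming `os` is imported in this module). `"%s" % (my_cert)` is also just `my_cert` with extra formatting — the parentheses do not make a tuple — so the assignment can be written directly. The enclosing function starts and ends outside the hunk.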
To revert the patch:
# Produce a reverse of tpm_main.patch by diffing it against an empty patch, so
# the change can be undone with `patch < revert.patch`; -q is interdiff's quiet
# flag.  NOTE(review): the patch is listed above as tpm2_main.patch -- confirm
# which file name is right.
interdiff -q tpm_main.patch /dev/null > revert.patch
Keylime Verifier, Registrar and Webapp
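# Keylime verifier, registrar and webapp host (Fedora VM on the Hyper-V default
# switch, hence the *.mshome.net names).  The keylime_* commands below appear to
# stay in the foreground, so run each one in its own tmux pane instead of
# executing this listing top to bottom.
dnf install -y keylime tmux nano patch patchutils

# require_ek_cert = False switches off the registrar's check of the TPM's
# endorsement-key certificate, so any TPM -- a virtual one included -- is
# accepted at registration.  That is what makes this lab setup work; it is not
# a setting for a deployment that relies on the attestation result.
sed -i 's/require_ek_cert = True/require_ek_cert = False/g' /etc/keylime.conf
# Bind the three services to the VM's DNS name instead of loopback.
sed -i 's/cloudverifier_ip = 127.0.0.1/cloudverifier_ip = fedora-server.mshome.net/g' /etc/keylime.conf
sed -i 's/registrar_ip = 127.0.0.1/registrar_ip = fedora-server.mshome.net/g' /etc/keylime.conf
sed -i 's/webapp_ip = 127.0.0.1/webapp_ip = fedora-server.mshome.net/g' /etc/keylime.conf

# firewall-cmd without --permanent changes the running firewalld only; the ports
# close again at the next reboot.  The services speak HTTP(S) over TCP, so the
# udp rules look unnecessary -- TODO confirm before keeping them open.
firewall-cmd --add-port=8881/tcp
firewall-cmd --add-port=8881/udp
keylime_verifier
firewall-cmd --add-port=8890/tcp
firewall-cmd --add-port=8890/udp
firewall-cmd --add-port=8891/tcp
firewall-cmd --add-port=8891/udp
keylime_registrar

# Patch file paths are absolute, so no -p level is needed.
patch < tenant_webapp.patch
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as keylime-master.zip.  The archive is not checksum- or signature-verified, so
# what gets copied into site-packages is trusted on the strength of TLS alone.
curl -f https://codeload.github.com/keylime/keylime/zip/refs/heads/master --output keylime-master.zip
unzip keylime-master.zip
# Copy the webapp's static assets from the git checkout into the installed
# package.  NOTE(review): with GNU cp, if the destination directory already
# exists this nests a static/ inside it -- confirm the resulting layout.
cp -R keylime-master/keylime/static/ /usr/lib/python3.9/site-packages/keylime/static/
firewall-cmd --add-port=443/tcp
firewall-cmd --add-port=443/udp
keylime_webapp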
Keylime Agent
# Keylime agent on the same Fedora server VM.
patch < tpm_main.patch

# Point the agent at the VM's DNS name and let it derive its UUID from the EK
# hash; the tenant steps further down appear to address it by that hash.
conf=/etc/keylime.conf
sed -i 's|cloudagent_ip = 127.0.0.1|cloudagent_ip = fedora-server.mshome.net|g' "$conf"
sed -i 's|agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000|agent_uuid = hash_ek|g' "$conf"

# Runtime-only firewall change (no --permanent): gone after a reboot.
for proto in tcp udp; do
  firewall-cmd --add-port="9002/${proto}"
done
keylime_agent
Keylime Tenant Add Agent - Boot Integrity Attestation
# Boot-integrity attestation: enrol the agent with the tenant and hand it a
# payload, then replace the payload with an update.  HASH_EK is the agent's
# UUID (the agent was configured with agent_uuid = hash_ek).
HASH_EK="8311d033da67302353d77f1ad91e621269236a27f1e49e9fff5ef1d1a60e9549"
export HASH_EK
target=fedora-server.mshome.net
verifier=fedora-server.mshome.net

printf '%s\n' "Beep Beep I'm a Sheep" > filetosend
keylime_tenant -c add -t "$target" -v "$verifier" -u "$HASH_EK" -f filetosend
# presumably written by the agent only after a successful attestation -- confirm
cat /var/lib/keylime/secure/decrypted_payload

printf '%s\n' "You've got to Beep Beep" > filetosend
keylime_tenant -c update -t "$target" -v "$verifier" -u "$HASH_EK" -f filetosend
cat /var/lib/keylime/secure/decrypted_payload
Keylime Tenant Add Agent - Runtime Integrity Attestation
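# Runtime-integrity attestation: build an IMA allowlist from this system,
# install the demo IMA policy, reboot so the kernel measures under it, then push
# the allowlist to the verifier with an update.
export HASH_EK="8311d033da67302353d77f1ad91e621269236a27f1e49e9fff5ef1d1a60e9549"

# -f makes curl fail on an HTTP error instead of saving the error page as the
# zip.  The download is not checksum- or signature-verified, and the script run
# two lines down is executed straight out of it.
curl -f https://codeload.github.com/keylime/keylime/zip/refs/heads/master --output keylime-master.zip
unzip keylime-master.zip
# Appears to hash the files of the running system into list.txt with sha256sum;
# the allowlist is only as trustworthy as the system it is generated on, so do
# this on a known-good image.
./keylime-master/scripts/create_allowlist.sh list.txt sha256sum
mkdir -p /etc/ima/
cp ./keylime-master/demo/ima-policy /etc/ima/ima-policy

# Everything after this line runs in a fresh session after the reboot; ports
# opened earlier without --permanent have to be reopened then.
systemctl reboot
echo "Throw your hands up and then point them to the floor" > filetosend
keylime_tenant -c update -t fedora-server.mshome.net -v fedora-server.mshome.net -u ${HASH_EK} -f filetosend --allowlist list.txt
cat /var/lib/keylime/secure/decrypted_payload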
Keylime Tenant Delete Agent
# Remove the agent from the verifier (delete) and then from the registrar
# (regdelete), addressed by its EK-hash UUID.
HASH_EK="8311d033da67302353d77f1ad91e621269236a27f1e49e9fff5ef1d1a60e9549"
export HASH_EK
verifier=fedora-server.mshome.net

keylime_tenant -c delete -t fedora-server.mshome.net -v "$verifier" -u "$HASH_EK"
keylime_tenant -c regdelete -v "$verifier" -u "$HASH_EK"
Keylime Agent
# Keylime agent on a Fedora IoT (rpm-ostree) VM.  --reboot applies the layered
# packages and restarts, so the lines below run in a fresh session afterwards.
rpm-ostree install --reboot keylime nano patch patchutils ncurses

# usroverlay makes /usr writable for this boot only: the patch applied to
# site-packages disappears at the next reboot and has to be reapplied.
rpm-ostree usroverlay
patch < tpm_main.patch

# Registrar lives on the server VM; the agent itself answers on the IoT VM's
# name and derives its UUID from the EK hash.
conf=/etc/keylime.conf
sed -i 's|registrar_ip = 127.0.0.1|registrar_ip = fedora-server.mshome.net|g' "$conf"
sed -i 's|cloudagent_ip = 127.0.0.1|cloudagent_ip = fedora-iot.mshome.net|g' "$conf"
sed -i 's|agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000|agent_uuid = hash_ek|g' "$conf"

# Runtime-only firewall change (no --permanent): gone after a reboot.
for proto in tcp udp; do
  firewall-cmd --add-port="9002/${proto}"
done
keylime_agent
Keylime Tenant Add Agent - Boot Integrity Attestation
# Boot-integrity attestation of the IoT agent.  --tpm_policy pins PCR 0
# (typically the firmware measurement) to the SHA-256 value recorded on that
# VM; a firmware change alters it and attestation fails until the policy is
# regenerated.
HASH_EK="f6be2807952dec4efedd56274279d992b2e66ab1951b4f8cad60deca4f9ae52d"
export HASH_EK

printf '%s\n' "Here's what to do now get down on all fours" > filetosend
keylime_tenant -c add -t fedora-iot.mshome.net -v fedora-server.mshome.net -u "$HASH_EK" --tpm_policy='{"0":"F481E41A47245D35B538B46C452913B591F536A6A4D00742C432F7B7EBE9B57E"}' -f filetosend
# presumably written by the agent only after a successful attestation -- confirm
cat /var/lib/keylime/secure/decrypted_payload
Keylime Tenant Delete Agent
# Remove the IoT agent from the verifier (delete) and then from the registrar
# (regdelete), addressed by its EK-hash UUID.
HASH_EK="f6be2807952dec4efedd56274279d992b2e66ab1951b4f8cad60deca4f9ae52d"
export HASH_EK
verifier=fedora-server.mshome.net

keylime_tenant -c delete -t fedora-iot.mshome.net -v "$verifier" -u "$HASH_EK"
keylime_tenant -c regdelete -v "$verifier" -u "$HASH_EK"