rust-keylime

Rust implementation of the keylime agent

Keylime

License: Apache 2.0

Overview

This is a Rust implementation of the keylime agent. Keylime is a system integrity monitoring system that has the following features:

  • Exposes TPM trust chain for higher-level use
  • Provides an end-to-end solution for bootstrapping node cryptographic identities
  • Securely monitors system integrity

For more information, visit the keylime website

For now, this project is focusing on the keylime agent component, which is an HTTP server running on the machine that executes keylime operations. Most keylime operations rely on the TPM co-processor; therefore, the server needs a physical TPM chip (or a TPM emulator) to perform keylime operations. A TPM emulator is a program that runs as a daemon and mimics TPM commands.

The rust-keylime agent is the official agent (starting with version 0.1.0) and replaces the Python implementation.

Prerequisites

Required Packages

Fedora

The following packages are required for building:

  • clang
  • openssl-devel
  • tpm2-tss-devel
  • (optional for the with-zmq feature): zeromq-devel

To install, use the following command:

$ dnf install clang openssl-devel tpm2-tss-devel zeromq-devel

For runtime, the following packages are required:

  • openssl
  • tpm2-tss
  • systemd (to run as systemd service)
  • util-linux-core (for the mount command)
  • (optional for the with-zmq feature): zeromq

Debian and Ubuntu

For Debian and Ubuntu, the following packages are required for building:

  • libclang-dev
  • libssl-dev
  • libtss2-dev
  • pkg-config
  • (optional for the with-zmq feature): libzmq3-dev

To install, use the following command:

$ apt-get install libclang-dev libssl-dev libtss2-dev libzmq3-dev pkg-config

For runtime, the following packages are required:

  • coreutils (for the mount command)
  • libssl
  • libtss2-esys-3.0.2-0
  • (optional for the with-zmq feature): libzmq3
  • systemd (to run as systemd service)
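As an added example (not part of the rust-keylime project), the following POSIX shell pre-flight script checks, before the agent is started, that the runtime prerequisites listed above for either distribution are present (openssl, the tpm2-tss ESAPI library, the mount command, systemctl) and that a TPM device node exists, since the Overview notes the agent needs a physical TPM or an emulator. The device node names /dev/tpmrm0 and /dev/tpm0 and the pkg-config module name tss2-esys are assumptions taken from the Linux TPM driver and the tpm2-tss packaging, not from this README.

```shell
#!/bin/sh
# keylime-preflight.sh: check the runtime prerequisites of the keylime agent.
# Added example, not part of the rust-keylime project. Assumptions (not from
# the README): the kernel exposes the TPM as /dev/tpmrm0 and/or /dev/tpm0,
# and the tpm2-tss ESAPI library ships a pkg-config file named tss2-esys.

# Succeeds when NAME resolves to an executable on PATH.
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# Succeeds when a TPM character device is present under DEV_DIR (default /dev).
# A software TPM emulator presents the same node names as a physical chip.
tpm_device_present() {
    dev_dir="${1:-/dev}"
    [ -e "$dev_dir/tpmrm0" ] || [ -e "$dev_dir/tpm0" ]
}

# Succeeds when pkg-config can see the tpm2-tss ESAPI library (assumed .pc name).
tss_lib_present() {
    have_cmd pkg-config && pkg-config --exists tss2-esys
}

# Prints every command in the argument list that is not on PATH, one per line.
# Returns 1 if any is missing, 0 when all are present.
missing_cmds() {
    missing=0
    for cmd in "$@"; do
        if ! have_cmd "$cmd"; then
            echo "$cmd"
            missing=1
        fi
    done
    return "$missing"
}

# Full report on stdout; returns 0 only when every check passed.
preflight() {
    status=0

    if tpm_device_present; then
        echo "ok: TPM device node found"
    else
        echo "missing: no /dev/tpmrm0 or /dev/tpm0 (need a TPM chip or a TPM emulator)"
        status=1
    fi

    if tss_lib_present; then
        echo "ok: tpm2-tss ESAPI library (tss2-esys)"
    else
        echo "missing: tss2-esys (install tpm2-tss / libtss2-esys)"
        status=1
    fi

    # openssl: TLS for the agent; mount: util-linux-core / coreutils;
    # systemctl: only needed when the agent runs as a systemd service.
    if missing_cmds openssl mount systemctl >/tmp/keylime-preflight.$$; then
        echo "ok: openssl, mount and systemctl present"
    else
        while read -r cmd; do
            echo "missing: command '$cmd' not found on PATH"
        done </tmp/keylime-preflight.$$
        status=1
    fi
    rm -f /tmp/keylime-preflight.$$

    return "$status"
}

# Usage: sh keylime-preflight.sh run
case "${1:-}" in
    run) preflight ;;
esac
```

Run it as `sh keylime-preflight.sh run` on the host (or inside the container) where the agent will execute; a non-zero exit means at least one line starting with `missing:` was printed. The checks are split into small functions that take their inputs as arguments so each one can be exercised against a scratch directory without a real TPM.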

Rust

Make sure Rust is installed before running Keylime. Installation instructions can be found here.

Logging env

To run with pretty-env-logger trace logging active, set RUST_LOG when invoking cargo run, as follows:

$ RUST_LOG=keylime_agent=trace cargo run --bin keylime_agent

Testing

Unit tests gate new code submissions in CI. To run them:

$ cargo test

Running agent as a systemd-managed service

To make deployment and management of the service easier, this crate comes with a Makefile and a systemd unit file.

To install the executables and the unit file, do:

$ make
$ sudo make install

Then you should be able to start the service with:

$ sudo systemctl start keylime_agent

Building Debian package with cargo-deb

cargo-deb requires Rust 1.60, so on Debian you need to install a suitable Rust toolchain first from rustup.rs.

# Install cargo-deb
$ rustup update
$ cargo install cargo-deb

# Build Debian package
$ cargo deb -p keylime_agent