Ansible role to deploy Keylime with a pre-configured and ready to use TPM Emulator.
For details on using Keylime, please consult the project documentation
Do not use a software TPM emulator in a production environment.
SELinux is set to permissive for this role.
This role is designed to enable development environment provisioning or to a sandbox environment for anyone who would like to test drive Keylime.
Should you want to deploy with a hardware TPM, use the anisble-keylime role
Run the example playbook against your target remote node(s).
ansible-playbook -i your_hosts playbook.yml
Either TPM version 1.2 or TPM 2.0 support can be configured by simply changing
the role in the playbook.yml
file here.
For TPM 2.0 use:
- ansible-keylime-tpm20
For TPM 1.2 use:
- ansible-keylime-tpm12
Both roles will deploy the relevant TPM 1.2 Emulator (tpm4720) or 2.0 Emulator (IBM software TPM).
A Vagrantfile
is available for provisioning.
Clone the repository and then simply run with the following additional args
added to the vagrant
command:
--instances
: The number of Keylime Virtual Machines to create. If not provided, it defaults to1
--repo
: This mounts your local Keylime git repository into the virtual machine (allowing you to test your code within the VM). This is optional.--cpus
: The amount of CPU's. If not provided, it defaults to2
--memory
: The amount of memory to assign. If not provided, it defaults to2048
For example, using libvirt:
vagrant --instances=2 --repo=/home/jdoe/keylime --cpus=4 --memory=4096 up --provider libvirt --provision
For example, using VirtualBox:
vagrant --instances=2 --repo=/home/jdoe/keylime --cpus=4 --memory=4096 up --provider virtualbox --provision
NOTE: Customized args (--instances , --repos etc), come before the mainvagrant args (such as up , status , --provider ). Example: To ssh into the second machine instance, keylime2, use the vagrant command as such : vagrant --instances=2 ssh keylime2 |
---|
Once the VM is started, vagrant ssh into the VM and run sudo su -
to
become root.
The TPM emulator will be running.
You can then start the various components using commands:
keylime_verifier
keylime_registrar
keylime_agent
keylime_node
The web application can be started with the command keylime_webapp
. If using
Vagrant, port 443 will be forwarded from the guest to port 8443 on the host.
This will result in the web application being available on url:
https://localhost:8443/webapp/
This role deploys a basic ima-policy into /etc/ima/ima-policy
so that IMA
run time integrity may be used. For this to activate, you must reboot the
machine first (if you're using vagrant, perform vagrant reload
)
Should you reboot the machine, you will need to start the emulator again:
/usr/local/bin/tpm_serverd
systemctl restart tpm2-abrmd
Once the tpm2-abrmd
service is running, start the IMA component using the command:
keylime_ima_emulator
Apache 2.0
Please do! Pull requests are welcome.
Please ensure CI tests pass!
- Luke Hinds (lhinds@redhat.com)
- Leo Jia (ljia@redhat.com )
- Andrew Stoycos (astoycos@bu.edu)
- Amy Pattanasethanon (raynecarnes@gmail.com)