# All configuration options can be overridden by environment variables.
# The environment variables used to override options are composed by the
# 'KEYLIME_AGENT_' prefix followed by the option to be set in upper case.
# For example, to override the 'registrar_ip' option, set the
# KEYLIME_AGENT_REGISTRAR_IP environment variable.
#
# Note: Configuration options named with '_ip' suffix (ip, contact_ip, registrar_ip,
# revocation_notification_ip) accept both IP addresses (IPv4/IPv6) and fully qualified
# domain names (FQDNs). The '_ip' suffix is maintained for backward compatibility.
#=============================================================================
[agent]
#=============================================================================
# The configuration file version
#
# To override, set KEYLIME_AGENT_VERSION environment variable.
version = "2.4"
# The enabled API versions
# This sets which of the supported API versions to enable.
# Only supported versions can be set, which are defined by
# api::SUPPORTED_API_VERSIONS
# A list of versions to enable can be provided (e.g. "2.1, 2.2")
# The following keywords are also supported:
# - "default": Enables all supported API versions
# - "latest": Enables only the latest supported API version
api_versions = "default"
# The agent's UUID.
# If you set this to "generate", Keylime will create a random UUID.
# If you set this to "hash_ek", Keylime will set the UUID to the result
# of 'SHA256(public EK in PEM format)'.
#
# To override, set KEYLIME_AGENT_UUID environment variable.
uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
# The binding IP address or hostname (FQDN) and port for the agent server
# Supports IPv4, IPv6, or fully qualified domain names
#
# To override ip, set KEYLIME_AGENT_IP environment variable.
# To override port, set KEYLIME_AGENT_PORT environment variable.
ip = "127.0.0.1"
port = 9002
# Address (IP or hostname/FQDN) and port where the verifier and tenant can connect to reach the agent.
# Supports IPv4, IPv6, or fully qualified domain names
# These keys are optional.
#
# To override contact_ip, set KEYLIME_AGENT_CONTACT_IP environment variable.
# To override contact_port, set KEYLIME_AGENT_CONTACT_PORT environment variable.
contact_ip = "127.0.0.1"
contact_port = 9002
# The address (IP or hostname/FQDN) and port of the registrar server which the agent communicates with
# Supports IPv4, IPv6, or fully qualified domain names
#
# To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
# To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
# variable.
registrar_ip = "127.0.0.1"
registrar_port = 8890
# The TLS port of the registrar server which agent communicates with when
# registrar_tls_enabled is set to true.
# This is the port the registrar listens on for TLS connections.
#
# To override registrar_tls_port, set KEYLIME_AGENT_REGISTRAR_TLS_PORT
# environment variable.
registrar_tls_port = 8891
# Enable TLS communication between agent and registrar.
# When enabled, the agent will use TLS (server verification only) when
# communicating with the registrar. The registrar_tls_ca_cert option must be
# configured to verify the registrar's server certificate.
# When disabled, or when the configured CA certificate path is missing, plain HTTP (no TLS) is used instead.
#
# To override registrar_tls_enabled, set KEYLIME_AGENT_REGISTRAR_TLS_ENABLED
# environment variable.
registrar_tls_enabled = false
# TLS CA certificate for verifying the registrar's server certificate.
# This is only used when 'registrar_tls_enabled' is set to true.
# If set as "default", the "cv_ca/cacert.crt" value, relative from the
# keylime_dir is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override registrar_tls_ca_cert, set KEYLIME_AGENT_REGISTRAR_TLS_CA_CERT
# environment variable.
registrar_tls_ca_cert = "default"
# Enable mTLS communication between agent, verifier and tenant.
# Details on why setting it to "false" is generally considered insecure can be found
# on https://github.com/keylime/keylime/security/advisories/GHSA-2m39-75g9-ff5r
#
# To override enable_agent_mtls, set KEYLIME_AGENT_ENABLE_AGENT_MTLS environment
# variable.
enable_agent_mtls = true
# The keylime working directory. The default value is /var/lib/keylime
#
# To override keylime_dir, set KEYLIME_AGENT_KEYLIME_DIR or KEYLIME_DIR
# environment variable.
keylime_dir = "/var/lib/keylime"
# The name of the file containing the Keylime agent TLS server private key.
# This private key is used to serve the Keylime agent REST API
# A new private key is generated in case it is not found.
# If set as "default", the "server-private.pem" value is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change
#
# To override server_key, set KEYLIME_AGENT_SERVER_KEY environment variable.
server_key = "default"
# Set the password used to encrypt the private key file.
# This password will also be used to protect the generated private key used for
# mTLS authentication
# If left empty, the private key will not be encrypted.
#
# To override server_key_password, set KEYLIME_AGENT_SERVER_KEY_PASSWORD
# environment variable.
server_key_password = ""
# The name of the file containing the payload encryption private key.
# This private key is used to decrypt U and V keys sent by the verifier/tenant
# for secure payload transmission.
# A new RSA 2048 private key is generated in case it is not found.
# If an existing key is provided, it MUST be RSA 2048, otherwise the agent will
# fail to start.
# If set as "default", the "payload-private.pem" value is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override payload_key, set KEYLIME_AGENT_PAYLOAD_KEY environment variable.
payload_key = "default"
# Set the password used to encrypt the payload private key file.
# This password will also be used to protect the generated private key used for
# payload encryption.
# If left empty, the private key will not be encrypted.
#
# To override payload_key_password, set KEYLIME_AGENT_PAYLOAD_KEY_PASSWORD
# environment variable.
payload_key_password = ""
# The name of the file containing the X509 certificate used as the Keylime agent
# server TLS certificate.
# This certificate must be self signed.
# If set as "default", the "server-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override server_cert, set KEYLIME_AGENT_SERVER_CERT environment variable.
server_cert = "default"
# The CA that signs the client certificates of the tenant and verifier.
# If set as "default" the "cv_ca/cacert.crt" value, relative from the
# keylime_dir is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override trusted_client_ca, set KEYLIME_AGENT_TRUSTED_CLIENT_CA environment
# variable.
trusted_client_ca = "default"
# The name that should be used for the encryption key, placed in the
# $keylime_dir/secure/ directory.
#
# To override enc_keyname, set KEYLIME_AGENT_ENC_KEYNAME environment variable.
enc_keyname = "derived_tci_key"
# The name that should be used for the optional decrypted payload, placed in
# the $keylime_dir/secure directory.
#
# To override dec_payload_file, set KEYLIME_AGENT_DEC_PAYLOAD_FILE environment
# variable.
dec_payload_file = "decrypted_payload"
# The size of the memory-backed tmpfs partition where Keylime stores crypto keys.
# Use syntax that the 'mount' command would accept as a size parameter for tmpfs.
# The default below sets it to 1 megabyte.
#
# To override secure_size, set KEYLIME_AGENT_SECURE_SIZE environment variable.
secure_size = "1m"
# Whether to allow the agent to automatically extract a zip file in the
# delivered payload after it has been decrypted, or not. Defaults to "true".
# After decryption, the archive will be unzipped to a directory in $keylime_dir/secure.
# Note: the limits on the size of the tmpfs partition set above with the 'secure_size'
# option will affect this.
#
# To override extract_payload_zip, set KEYLIME_AGENT_EXTRACT_PAYLOAD_ZIP
# environment variable.
extract_payload_zip = true
# Whether to listen for revocation notifications from the verifier via zeromq.
# Note: The agent supports receiving revocation notifications via REST API
# regardless of the value set here.
#
# To override enable_revocation_notifications, set
# KEYLIME_AGENT_ENABLE_REVOCATION_NOTIFICATIONS environment variable.
enable_revocation_notifications = false
# The path to the directory containing the pre-installed revocation action
# scripts. Ideally this should point to a fixed/immutable location subject to
# attestation. The default is /usr/libexec/keylime.
#
# To override revocation_actions_dir, set KEYLIME_AGENT_REVOCATION_ACTIONS_DIR
# environment variable.
revocation_actions_dir = "/usr/libexec/keylime"
# Revocation IP address or hostname (FQDN) & Port used by the agent to receive revocation
# notifications from the verifier via zeromq.
# Supports IPv4, IPv6, or fully qualified domain names
# This is optional and used only when 'enable_revocation_notifications' is 'true'.
#
# To override revocation_notification_ip, set
# KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
# To override revocation_notification_port, set
# KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.
revocation_notification_ip = "127.0.0.1"
revocation_notification_port = 8992
# The path to the certificate to verify revocation messages received from the
# verifier. The path is relative to keylime_dir unless an absolute path is
# provided (i.e. starts with '/').
# If set to "default", Keylime will use the file RevocationNotifier-cert.crt
# from the unzipped payload contents provided by the tenant.
#
# To override revocation_cert, set KEYLIME_AGENT_REVOCATION_CERT environment
# variable.
revocation_cert = "default"
# A comma-separated list of executables to run upon receiving a revocation
# message. Keylime will verify the signature first, then call these executables
# passing the json revocation message.
# The executables must be located in the 'revocation_actions_dir' directory.
#
# Keylime will also get the list of revocation actions from the file
# action_list in the unzipped payload contents provided by the verifier.
#
# To override revocation_actions, set KEYLIME_AGENT_REVOCATION_ACTIONS
# environment variable.
revocation_actions = ""
# A script to execute after unzipping the tenant payload.
# Keylime will run it with a /bin/sh environment and with a working directory of
# $keylime_dir/secure/unzipped.
#
# To override payload_script, set KEYLIME_AGENT_PAYLOAD_SCRIPT environment
# variable.
payload_script = "autorun.sh"
# In case mTLS for the agent is disabled and the use of payloads is still
# required, this option has to be set to "true" in order to allow the agent
# to start. Details on why this configuration (mTLS disabled and payload enabled)
# is generally considered insecure can be found on
# https://github.com/keylime/keylime/security/advisories/GHSA-2m39-75g9-ff5r
#
# To override enable_insecure_payload, set KEYLIME_AGENT_ENABLE_INSECURE_PAYLOAD
# environment variable.
enable_insecure_payload = false
# Whether to allow running revocation actions sent as part of the payload. The
# default is true and setting as false will limit the revocation actions to the
# pre-installed ones.
#
# To override allow_payload_revocation_actions, set
# KEYLIME_AGENT_ALLOW_PAYLOAD_REVOCATION_ACTIONS environment variable.
allow_payload_revocation_actions = true
# TPM2-specific options, allows customizing default algorithms to use.
# Specify the default crypto algorithms to use with a TPM2 for this agent.
#
# Currently accepted values include:
# - hashing: sha512, sha384, sha256 or sha1
# - encryption: rsa (alias for rsa2048), rsa1024, rsa2048, rsa3072, rsa4096, ecc (alias for ecc256), ecc192, ecc224, ecc256, ecc384, ecc521 or ecc_sm2.
# - signing: rsassa or ecdsa
#
# To override tpm_hash_alg, set KEYLIME_AGENT_TPM_HASH_ALG environment variable.
# To override tpm_encryption_alg, set KEYLIME_AGENT_TPM_ENCRYPTION_ALG
# environment variable.
# To override tpm_signing_alg, set KEYLIME_AGENT_TPM_SIGNING_ALG environment
# variable.
tpm_hash_alg = "sha256"
tpm_encryption_alg = "rsa"
tpm_signing_alg = "rsassa"
# If an EK is already present on the TPM (e.g., with "tpm2_createek") and
# you require Keylime to use this EK, change "generate" to the actual EK
# handle (e.g. "0x81000000"). The Keylime agent will then not attempt to
# create a new EK upon startup, and neither will it flush the EK upon exit.
#
# To override ek_handle, set KEYLIME_AGENT_EK_HANDLE environment variable.
ek_handle = "generate"
# Enable IDevID and IAK usage
enable_iak_idevid = false
# Select IDevID and IAK templates or algorithms for regenerating the keys.
# By default the template will be detected automatically from the certificates. This will happen if iak_idevid_template is left empty or set as "default" or "detect".
# Choosing a template will override the name and asymmetric algorithm choices. To use these choices, set iak_idevid_template to "manual"
# Templates are specified in the TCG document found here, section 7.3.4:
# https://trustedcomputinggroup.org/wp-content/uploads/TPM-2p0-Keys-for-Device-Identity-and-Attestation_v1_r12_pub10082021.pdf
#
# Accepted values:
# iak_idevid_template: default, detect, H-1, H-2, H-3, H-4, H-5, manual
# iak_idevid_asymmetric_alg: rsa, ecc
# iak_idevid_name_alg: sha256, sm3_256, sha384, sha512
iak_idevid_template = "detect"
# In order for these values to be used, set the iak_idevid_template option to manual
iak_idevid_asymmetric_alg = "rsa"
iak_idevid_name_alg = "sha256"
# Alternatively if the keys are persisted, provide the handles for their location below, and optionally their passwords.
# If handles are provided, they will take priority over templates/algorithms selected above.
# To use a hex password, use the prefix "hex:" at the start of the password.
idevid_password = ""
idevid_handle = ""
iak_password = ""
iak_handle = ""
# The name of the file containing the X509 IAK certificate.
# If set as "default", the "iak-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override iak_cert, set KEYLIME_AGENT_IAK_CERT environment variable.
iak_cert = "default"
# The name of the file containing the X509 IDevID certificate.
# If set as "default", the "idevid-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override idevid_cert, set KEYLIME_AGENT_IDEVID_CERT environment variable.
idevid_cert = "default"
# Use this option to provide the existing TPM owner password.
# This option should be set only when a password is set for the Endorsement
# Hierarchy (e.g. via "tpm2_changeauth -c e").
# In order to use a hex value for the password, use the prefix "hex:"
# For example if tpm2_changeauth -c e "hex:00a1b2c3e4" has run, the config option
# would be 'tpm_ownerpassword = "hex:00a1b2c3e4"'
# If no password was set, keep the empty string "".
#
# To override tpm_ownerpassword, set KEYLIME_AGENT_TPM_OWNERPASSWORD environment
# variable.
tpm_ownerpassword = ""
# The user account to switch to in order to drop privileges when started as root.
# If left empty, the agent will keep running with high privileges.
# The user and group specified here must allow the user to access the
# working directory (WORK_DIR, set by the keylime_dir option; by default
# /var/lib/keylime) and /dev/tpmrm0. Therefore, the suggested value for the
# run_as parameter is keylime:tss.
# The following commands should be used to set ownership before running the
# agent:
# chown keylime /var/lib/keylime
#
# If agent_data.json already exists:
# chown keylime /var/lib/keylime/agent_data.json
#
# If cv_ca directory exists:
# chown keylime /var/lib/keylime/cv_ca
# chown keylime /var/lib/keylime/cv_ca/cacert.crt
#
# To override run_as, set KEYLIME_AGENT_RUN_AS environment variable.
run_as = "keylime:tss"
# Path where the agent stores its TPM data so that it can be loaded later.
# If not an absolute path, it will be considered a relative path from the
# directory set by the keylime_dir option above.
# If set as "default" Keylime will use "agent_data.json", located at
# keylime_dir.
#
# To override agent_data_path, set KEYLIME_AGENT_AGENT_DATA_PATH environment
# variable.
agent_data_path = "default"
# Path from where the agent will read the IMA measurement log.
#
# If set as "default", Keylime will use the default path
# /sys/kernel/security/ima/ascii_runtime_measurements.
# If set as a relative path, it will be considered relative to the root path "/".
# If set as an absolute path, it is used without change.
ima_ml_path = "default"
# Path from where the agent will read the measured boot event log.
#
# If set as "default", Keylime will use the default path
# /sys/kernel/security/tpm0/binary_bios_measurements.
# If set as a relative path, it will be considered relative to the root path "/".
# If set as an absolute path, it is used without change.
measuredboot_ml_path = "default"
# Push attestation model options
# The interval in seconds between attestations after a successful attestation,
# and also used as the retry delay after a failed attestation attempt.
# This option is specific to the push attestation model.
# The default is 60 seconds.
#
# To override attestation_interval_seconds, set
# KEYLIME_AGENT_ATTESTATION_INTERVAL_SECONDS environment variable.
attestation_interval_seconds = 60
# Verifier URL (Push Model specific).
# The verifier URL, containing the scheme, host and port.
verifier_url = "https://localhost:8881"
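# Verifier TLS CA certificate (Push Model specific)
# The push model agent uses TLS (server verification only) + mandatory PoP authentication.
# Client certificates (mTLS) are NOT used by the push model.
# This CA certificate is used to verify the verifier's server certificate.
# If set as "default", the "cv_ca/cacert.crt" value, relative from the
# keylime_dir is used.
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override verifier_tls_ca_cert, set KEYLIME_AGENT_VERIFIER_TLS_CA_CERT environment variable.
verifier_tls_ca_cert = "default"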
# The API versions to use when communicating with the registrar (Push Model
# specific). The agent will negotiate with the registrar to select the best
# mutually supported version.
# A list of versions can be provided (e.g. "2.1, 2.3").
# The following keywords are also supported:
# - "default": Enables all supported API versions
# - "latest": Enables only the latest supported API version
#
# To override registrar_api_versions, set
# KEYLIME_AGENT_REGISTRAR_API_VERSIONS environment variable.
registrar_api_versions = "default"
# The server identifier used for certification keys (Push Model specific).
# This identifier is used when building AK certification data.
#
# To override certification_keys_server_identifier, set
# KEYLIME_AGENT_CERTIFICATION_KEYS_SERVER_IDENTIFIER environment variable.
certification_keys_server_identifier = "ak"
# The evidence version to use for UEFI event logs sent during attestation
# (Push Model specific).
#
# To override uefi_logs_evidence_version, set
# KEYLIME_AGENT_UEFI_LOGS_EVIDENCE_VERSION environment variable.
uefi_logs_evidence_version = "2.1"
# Exponential backoff settings for retrying failed operations such as
# registrar registration and verifier attestation.
# The initial_delay is the delay in milliseconds before the first retry.
# The max_retries is the maximum number of retry attempts.
# The max_delay is the maximum delay in milliseconds between retries.
# When all three are unset, exponential backoff is disabled and a simple
# retry loop is used instead.
#
# To override, set the corresponding environment variable:
# KEYLIME_AGENT_EXPONENTIAL_BACKOFF_INITIAL_DELAY
# KEYLIME_AGENT_EXPONENTIAL_BACKOFF_MAX_RETRIES
# KEYLIME_AGENT_EXPONENTIAL_BACKOFF_MAX_DELAY
exponential_backoff_initial_delay = 10000
exponential_backoff_max_retries = 5
exponential_backoff_max_delay = 300000
# TLS security options (INSECURE - for testing/debugging only)
# These options disable TLS verification and should NEVER be enabled in
# production environments.
#
# Accept invalid TLS certificates (e.g. self-signed, expired, wrong CA).
# WARNING: Enabling this makes the agent vulnerable to man-in-the-middle attacks.
#
# To override tls_accept_invalid_certs, set
# KEYLIME_AGENT_TLS_ACCEPT_INVALID_CERTS environment variable.
tls_accept_invalid_certs = false
# Accept TLS certificates where the hostname does not match the certificate's
# subject or SAN fields.
# WARNING: Enabling this makes the agent vulnerable to man-in-the-middle attacks.
#
# To override tls_accept_invalid_hostnames, set
# KEYLIME_AGENT_TLS_ACCEPT_INVALID_HOSTNAMES environment variable.
tls_accept_invalid_hostnames = false