
keylime-vagrant-ansible-tpm-emulator's Introduction

Vagrant Ansible Keylime TPM Emulator


Ansible role to deploy Keylime with a pre-configured, ready-to-use TPM emulator, plus a Vagrantfile to bring up a test environment easily.

For details on using Keylime, please consult the general project documentation.

Security Warning

⚠ Do not use a software TPM emulator in a production environment. ⚠

This role sets SELinux to permissive.

This role is designed to enable development environment provisioning or to set up a sandbox environment to test drive Keylime.

Should you want to deploy with a hardware TPM, use the ansible-keylime role instead.

Usage: Ansible role

Run the example playbook against your target remote node(s).

ansible-playbook -i your_hosts playbook.yml

Usage: Vagrant

A Vagrantfile is available for provisioning virtual machines for local testing.

Clone the repository, then run the vagrant command with the following additional args:

  • --instances: The number of Keylime virtual machines to create. If not provided, it defaults to 1.
  • --repo: Mounts your local Keylime git repository into the virtual machine (allowing you to test your code within the VM). This is optional.
  • --cpus: The number of CPUs to assign. If not provided, it defaults to 2.
  • --memory: The amount of memory to assign. If not provided, it defaults to 2048.
  • --qualityoflife: Adds a few extras, such as the Powerline improved bash shell prompt and an ls alias (ll for ls -lAh). This is optional.

Deployment example, using libvirt as the virtualization provider:

vagrant --instances=2 --repo=/home/jdoe/keylime --cpus=4 --memory=4096  up --provider libvirt --provision

Deployment example, using VirtualBox as the virtualization provider:

vagrant --instances=2 --repo=/home/jdoe/keylime --cpus=4 --memory=4096  up --provider virtualbox --provision

NOTE: The customized args (--instances, --repo, etc.) come before the main Vagrant args (such as up, status, --provider). For example, to ssh into the second machine instance, keylime2, run: vagrant --instances=2 ssh keylime2

If you would like to customise these defaults without specifying them on the command line each time, you can use a vagrant_variables.yml file. The simplest way is to copy vagrant_variables.yml.sample to vagrant_variables.yml and edit it:

cp vagrant_variables.yml.sample vagrant_variables.yml

Command line options still override the defaults set in vagrant_variables.yml.

Once the VM is started, use vagrant ssh to ssh into the VM and run sudo su - to become root.

The TPM emulator will already be running.

You can then start the various components using the following commands:

keylime_verifier

keylime_registrar

keylime_agent

keylime_node

Upgrading VMs

If you just want to upgrade Keylime within your VM(s), running the following as root, from within /root/keylime, should be enough:

git pull

python setup.py install

To fully rebuild your VM(s), run the following from the directory where you cloned this repo:

vagrant destroy

Note: this will delete your Keylime VM(s).

You can then re-deploy the VM(s) by re-running the provisioning step.

Lastly, if you have a VM that was provisioned using an older version of Fedora (say, 31, while the current Vagrantfile uses Fedora 33), you will need to remove the Fedora 31 cloud-base box before vagrant up --provision will upgrade you to the new version of Fedora, e.g.:

vagrant box remove fedora/31-cloud-base

WebApp

The web application can be started with the command keylime_webapp. If using Vagrant, port 443 in the guest is forwarded to port 8443 on the host.

This makes the web application available at the following URL:

https://localhost:8443/webapp/

IMA Policy

This role deploys a basic ima-policy into /etc/ima/ima-policy so that IMA runtime integrity measurement may be used. For the policy to take effect, you must reboot the machine first (if you're using Vagrant, run vagrant reload).

Because the emulator does not survive a reboot, you will need to start it again afterwards:

/usr/local/bin/tpm_serverd

systemctl restart tpm2-abrmd

Once the tpm2-abrmd service is running, start the IMA component using the command:

keylime_ima_emulator
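The post-reboot sequence above (emulator, then resource manager, then IMA emulator) is order-sensitive, and tpm2-abrmd takes a moment to come up. The following helper script is an added example, not part of the role; it assumes it runs as root inside the VM and that /usr/local/bin/tpm_serverd, tpm2-abrmd and keylime_ima_emulator exist as the README describes, and the script name restart-tpm-stack.sh is an assumption.

```shell
#!/bin/sh
# Added example: restart the software TPM stack after a reboot and only then
# start the Keylime IMA emulator. Assumes root inside the VM and the commands
# named in the README (tpm_serverd, tpm2-abrmd, keylime_ima_emulator).

# wait_for_active CHECK_CMD TIMEOUT_SECS
# Re-run CHECK_CMD once per second until it succeeds or TIMEOUT_SECS elapse.
# Returns 0 once the check passes, 1 on timeout.
wait_for_active() {
    check_cmd=$1
    secs=$2
    elapsed=0
    while [ "$elapsed" -lt "$secs" ]; do
        if sh -c "$check_cmd" >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Bring the emulator up first: tpm2-abrmd has nothing to talk to otherwise.
restart_tpm_stack() {
    /usr/local/bin/tpm_serverd || return 1
    systemctl restart tpm2-abrmd || return 1
    if ! wait_for_active "systemctl is-active --quiet tpm2-abrmd" 30; then
        echo "tpm2-abrmd did not become active within 30s" >&2
        return 1
    fi
    return 0
}

main() {
    restart_tpm_stack || exit 1
    # Replace the shell with the IMA emulator so its exit status is ours.
    exec keylime_ima_emulator
}

# Run main only when executed as the script itself (assumed file name),
# so the functions can also be sourced without side effects.
case "$0" in
    *restart-tpm-stack.sh) main "$@" ;;
esac
```

Save it as restart-tpm-stack.sh, make it executable, and run it as root after each vagrant reload instead of typing the three commands by hand.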

License

Apache 2.0

Contribute

Contributions and pull requests are welcome!

Please ensure CI tests pass!
