action #105738
closed
[sle][security][sle15sp4][manual] Add the keylime package (attestation)
Added by rfan1 over 2 years ago. Updated over 2 years ago.
Start date: 2022-01-30
Due date:
% Done: 100%
Estimated time: 30.00 h
Difficulty:
Updated by rfan1 over 2 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 10
Updated by rfan1 over 2 years ago
- Status changed from In Progress to Resolved
- % Done changed from 10 to 100
- Estimated time changed from 20.00 h to 30.00 h
The bug is fixed, and all manual tests passed.
/susetest:/var/lib/keylime/tpm_cert_store # systemctl status keylime_verifier.service
● keylime_verifier.service
Loaded: loaded (/usr/lib/systemd/system/keylime_verifier.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-02-15 08:02:38 EST; 36s ago
Main PID: 13792 (keylime_verifie)
Tasks: 5
CGroup: /system.slice/keylime_verifier.service
├─13792 /usr/bin/python3 /usr/bin/keylime_verifier
├─13797 /usr/bin/python3 /usr/bin/keylime_verifier
└─13798 /usr/bin/python3 /usr/bin/keylime_verifier
Feb 15 08:02:39 susetest keylime_verifier[13792]: 2022-02-15 08:02:39.488 - alembic.env - INFO - Migrating database cloud_verifier
Feb 15 08:02:39 susetest keylime_verifier[13792]: 2022-02-15 08:02:39.489 - alembic.runtime.migration - INFO - Context impl SQLiteImpl.
Feb 15 08:02:39 susetest keylime_verifier[13792]: 2022-02-15 08:02:39.490 - alembic.runtime.migration - INFO - Will assume non-transactional DDL.
Feb 15 08:02:39 susetest keylime_verifier[13792]: 2022-02-15 08:02:39.506 - keylime.cloudverifier - INFO - Starting Cloud Verifier (tornado) on port 8881, use <Ctrl-C> to stop
Feb 15 08:02:39 susetest keylime_verifier[13792]: 2022-02-15 08:02:39.507 - keylime.cloudverifier - INFO - Current API version 2.0
Feb 15 08:02:39 susetest keylime_verifier[13792]: 2022-02-15 08:02:39.507 - keylime.cloudverifier - INFO - Supported older API versions: 1.0
Feb 15 08:02:39 susetest keylime_verifier[13792]: 2022-02-15 08:02:39.508 - keylime.cloudverifier - INFO - Setting up TLS...
Feb 15 08:02:39 susetest keylime_verifier[13792]: 2022-02-15 08:02:39.508 - keylime.cloudverifier - INFO - Existing CA certificate found in /var/lib/keylime/cv_ca, not generating a new one
Feb 15 08:02:39 susetest keylime_verifier[13792]: 2022-02-15 08:02:39.510 - tornado.general - INFO - Starting 1 processes
Feb 15 08:02:39 susetest keylime_verifier[13797]: 2022-02-15 08:02:39.515 - keylime.cloudverifier - INFO - Starting service for revocation notifications on port 8992
susetest:/var/lib/keylime/tpm_cert_store # systemctl status keylime_registrar.service
● keylime_registrar.service - The Keylime registrar service
Loaded: loaded (/usr/lib/systemd/system/keylime_registrar.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-02-15 08:02:47 EST; 34s ago
Main PID: 13803 (keylime_registr)
Tasks: 3
CGroup: /system.slice/keylime_registrar.service
└─13803 /usr/bin/python3 /usr/bin/keylime_registrar
Feb 15 08:02:47 susetest keylime_registrar[13803]: 2022-02-15 08:02:47.882 - keylime.registrar - INFO - Loaded 1 public keys from database
Feb 15 08:02:47 susetest keylime_registrar[13803]: 2022-02-15 08:02:47.885 - keylime.registrar - INFO - Setting up TLS...
Feb 15 08:02:47 susetest keylime_registrar[13803]: 2022-02-15 08:02:47.887 - keylime.registrar - INFO - Starting Cloud Registrar Server on ports 8890 and 8891 (TLS) use <Ctrl-C> to stop
Feb 15 08:02:47 susetest keylime_registrar[13803]: 2022-02-15 08:02:47.888 - keylime.registrar - INFO - Current API version 2.0
Feb 15 08:02:47 susetest keylime_registrar[13803]: 2022-02-15 08:02:47.888 - keylime.registrar - INFO - Supported older API versions: 1.0
Feb 15 08:02:59 susetest keylime_registrar[13803]: 2022-02-15 08:02:59.717 - keylime.tpm - INFO - TPM2-TOOLS Version: 5.2
Feb 15 08:02:59 susetest keylime_registrar[13803]: 2022-02-15 08:02:59.752 - keylime.tpm - INFO - Encrypting AIK for UUID susetest
Feb 15 08:02:59 susetest keylime_registrar[13803]: 2022-02-15 08:02:59.762 - keylime.registrar - INFO - Overwriting previous registration for this UUID.
Feb 15 08:03:00 susetest keylime_registrar[13803]: 2022-02-15 08:03:00.073 - keylime.registrar - INFO - POST returning key blob for agent_id: susetest
Feb 15 08:03:00 susetest keylime_registrar[13803]: 2022-02-15 08:03:00.527 - keylime.registrar - INFO - PUT activated: susetest
susetest:/var/lib/keylime/tpm_cert_store # systemctl status keylime_agent.service
● keylime_agent.service - The Keylime compute agent
Loaded: loaded (/usr/lib/systemd/system/keylime_agent.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-02-15 08:02:57 EST; 31s ago
Main PID: 13811 (keylime_agent)
Tasks: 5
CGroup: /system.slice/keylime_agent.service
├─13811 /usr/bin/python3 /usr/bin/keylime_agent
└─13842 /usr/bin/python3 /usr/bin/keylime_agent
Feb 15 08:02:58 susetest keylime_agent[13811]: 2022-02-15 08:02:58.515 - keylime.tpm - INFO - Taking ownership with config provided TPM owner password
Feb 15 08:02:58 susetest keylime_agent[13811]: 2022-02-15 08:02:58.767 - keylime.tpm - INFO - TPM Owner password confirmed: keylime
Feb 15 08:02:58 susetest keylime_agent[13811]: 2022-02-15 08:02:58.768 - keylime.tpm - INFO - Flushing old ek handle: 0x81000001
Feb 15 08:02:59 susetest keylime_agent[13811]: 2022-02-15 08:02:59.179 - keylime.tpm - INFO - Flushing old ak handle: /var/lib/keylime/secure/tmpgkizon0q
Feb 15 08:02:59 susetest keylime_agent[13811]: 2022-02-15 08:02:59.446 - keylime.cloudagent - INFO - Agent UUID: susetest
Feb 15 08:03:00 susetest keylime_agent[13811]: 2022-02-15 08:03:00.075 - keylime.registrar_client - INFO - Agent registration requested for susetest
Feb 15 08:03:00 susetest keylime_agent[13811]: 2022-02-15 08:03:00.388 - keylime.tpm - INFO - AIK activated.
Feb 15 08:03:00 susetest keylime_agent[13811]: 2022-02-15 08:03:00.528 - keylime.registrar_client - INFO - Registration activated for agent susetest.
Feb 15 08:03:00 susetest keylime_agent[13811]: 2022-02-15 08:03:00.531 - keylime.cloudagent - INFO - Starting Cloud Agent on 127.0.0.1:9002 with API version 2.0. Use <Ctrl-C> to stop
Feb 15 08:03:00 susetest keylime_agent[13842]: 2022-02-15 08:03:00.536 - keylime.revocation_notifier - INFO - Waiting for revocation messages on 0mq 127.0.0.1:8992
susetest:/var/lib/keylime/tpm_cert_store # cat /etc/keylime.conf |grep 127.0.0.1
# receive_revocation_ip = 127.0.0.1
receive_revocation_ip = 127.0.0.1
# cloudagent_ip = 127.0.0.1
cloudagent_ip = 127.0.0.1
agent_contact_ip = 127.0.0.1
registrar_ip = 127.0.0.1
# cloudverifier_ip = 127.0.0.1
registrar_ip = 127.0.0.1
# revocation_notifier_ip = 127.0.0.1
cloudverifier_ip = 127.0.0.1
registrar_ip = 127.0.0.1
# registrar_ip = 127.0.0.1
provider_registrar_ip = 127.0.0.1
cfssl_ip = 127.0.0.1
webapp_ip = 127.0.0.1
Updated by rfan1 over 2 years ago
- Copied to action #106870: [sle][security][sle15sp4][automationi]Add the keylime package (attestation) added