From aef3874c79f5f17b7893e8d07dbdbd2458824569 Mon Sep 17 00:00:00 2001
From: Tuomo Tanskanen
Date: Thu, 21 Nov 2024 14:29:39 +0200
Subject: [PATCH] WIP: add docker-compose and soft-tpm setup
Signed-off-by: Tuomo Tanskanen
---
security/keylime-poc/compose/.gitignore | 1 +
security/keylime-poc/compose/agent.conf | 17 +++++++
security/keylime-poc/compose/compose.yml | 50 +++++++++++++++++++
.../compose/enable_ima_measurement.sh | 24 +++++++++
security/keylime-poc/compose/ima_policy.conf | 10 ++++
security/keylime-poc/compose/tenant.sh | 14 ++++++
security/keylime-poc/scripts/gen_allowlist.sh | 47 +++++++++++++++++
security/keylime-poc/soft-tpm/Dockerfile | 42 ++++++++++++++++
security/keylime-poc/soft-tpm/init.sh | 16 ++++++
9 files changed, 221 insertions(+)
create mode 100644 security/keylime-poc/compose/.gitignore
create mode 100644 security/keylime-poc/compose/agent.conf
create mode 100644 security/keylime-poc/compose/compose.yml
create mode 100755 security/keylime-poc/compose/enable_ima_measurement.sh
create mode 100644 security/keylime-poc/compose/ima_policy.conf
create mode 100755 security/keylime-poc/compose/tenant.sh
create mode 100755 security/keylime-poc/scripts/gen_allowlist.sh
create mode 100644 security/keylime-poc/soft-tpm/Dockerfile
create mode 100755 security/keylime-poc/soft-tpm/init.sh
diff --git a/security/keylime-poc/compose/.gitignore b/security/keylime-poc/compose/.gitignore
new file mode 100644
index 00000000..92b72c46
--- /dev/null
+++ b/security/keylime-poc/compose/.gitignore
@@ -0,0 +1 @@
+allowlist.txt
diff --git a/security/keylime-poc/compose/agent.conf b/security/keylime-poc/compose/agent.conf
new file mode 100644
index 00000000..587f4290
--- /dev/null
+++ b/security/keylime-poc/compose/agent.conf
@@ -0,0 +1,17 @@
+[agent]
+uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
+tpm_ownerpassword = ""
+tpm_version = "2"
+work_dir = "/var/lib/keylime/secure"
+secure_size = "1m"
+
+[cloud_agent]
+cloudagent_ip = "127.0.0.1"
+cloudagent_port = "9002"
+registrar_ip = "127.0.0.1"
+registrar_port = "8891"
+
+[tpm]
+tpm_ownerpassword = ""
+ek_handle = "0x81010000"
+
diff --git a/security/keylime-poc/compose/compose.yml b/security/keylime-poc/compose/compose.yml
new file mode 100644
index 00000000..26b47d8c
--- /dev/null
+++ b/security/keylime-poc/compose/compose.yml
@@ -0,0 +1,50 @@
+version: '3.8'
+
+services:
+ tpm-simulator:
+ image: tpmserver:tumi
+ # build:
+ # context: ../soft-tpm
+ # dockerfile: ../soft-tpm/Dockerfile
+ ports:
+ - "2321:2321"
+ - "2322:2322"
+ volumes:
+ - tpm-state:/var/lib/tpm
+
+ keylime-verifier:
+ image: keylime/keylime
+ depends_on:
+ - tpm-simulator
+ environment:
+ - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321
+ ports:
+ - "8881:8881"
+ command: keylime_verifier
+
+ keylime-registrar:
+ image: keylime/keylime
+ depends_on:
+ - tpm-simulator
+ environment:
+ - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321
+ ports:
+ - "8891:8891"
+ command: keylime_registrar
+
+ keylime-agent:
+ image: keylime/keylime
+ depends_on:
+ - tpm-simulator
+ - keylime-verifier
+ - keylime-registrar
+ environment:
+ - TPM2TOOLS_TCTI=mssim:host=tpm-simulator,port=2321
+ volumes:
+ - /sys/kernel/security:/sys/kernel/security:ro
+ - agent.conf:/etc/keylime/agent.conf:ro
+ - allowlist.txt:/tmp/allowlist.txt
+ command: keylime_agent
+
+volumes:
+ tpm-state:
diff --git a/security/keylime-poc/compose/enable_ima_measurement.sh b/security/keylime-poc/compose/enable_ima_measurement.sh
new file mode 100755
index 00000000..15c19be5
--- /dev/null
+++ b/security/keylime-poc/compose/enable_ima_measurement.sh
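Review bot: `registrar_ip = "127.0.0.1"` under `[cloud_agent]` points the agent at its own loopback, but compose.yml in this same commit runs the registrar as a separate service (`keylime-registrar`), so from inside the agent container that address is not the registrar; if the agent is meant to run from the compose file it should be `registrar_ip = "keylime-registrar"`, and `cloudagent_ip = "127.0.0.1"` likewise makes the agent listen only on its container loopback, which the verifier container cannot reach. `tpm_ownerpassword = ""` appears in both `[agent]` and `[tpm]`; keeping it in one section avoids the two drifting apart, though which keys the installed keylime version actually reads I cannot confirm from the diff. Empty owner passwords and a fixed `uuid` are fine for a simulator PoC, but a header comment such as `# PoC only: simulator TPM, no owner auth, fixed agent uuid - do not reuse in a real deployment` would keep the file from being copied as-is.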
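Review bot: The `agent.conf:/etc/keylime/agent.conf:ro` and `allowlist.txt:/tmp/allowlist.txt` entries under `keylime-agent` are not bind mounts: a volume source without a leading `./` or `/` is a named-volume reference, so compose either rejects them as undeclared volumes or mounts empty volumes over the config and allowlist paths. They should read `- ./agent.conf:/etc/keylime/agent.conf:ro` and `- ./allowlist.txt:/tmp/allowlist.txt:ro`. Separately, `tpm-simulator` publishes 2321/2322 on all host interfaces although only the other services, which reach it over the compose network via `mssim:host=tpm-simulator`, need them; dropping that `ports:` block or binding as `"127.0.0.1:2321:2321"` keeps the unauthenticated simulator off external interfaces. The top-level `version: '3.8'` is ignored (with a warning) by current Compose implementations and can be removed.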
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -eu
+
+# Enable IMA measurement
+echo "1" | sudo tee /sys/kernel/security/ima/policy_update
+sudo tee /etc/ipa/policy << 'EOF'
+# Default IMA policy
+# Don't measure files opened with read-only permissions
+dont_measure obj_type=file mask=MAY_READ
+# Measure all executed files
+measure func=BPRM_CHECK mask=MAY_EXEC
+# Measure files mmap()ed for execute
+measure func=FILE_MMAP mask=MAY_EXEC
+# Measure files opened for write or append
+measure func=FILE_CHECK mask=MAY_WRITE uid=0
+EOF
+
+# load the ima policy
+sudo cat /etc/ima/policy | sudo tee /sys/kernel/security/ima/policy
+
+# Configure TPM PRC
+# PCR 10 will store IMA measurements
+tpm2_pcrextend 10:sha256=0000000000000000000000000000000000000000000000000000000000000000
diff --git a/security/keylime-poc/compose/ima_policy.conf b/security/keylime-poc/compose/ima_policy.conf
new file mode 100644
index 00000000..a919baa1
--- /dev/null
+++ b/security/keylime-poc/compose/ima_policy.conf
@@ -0,0 +1,10 @@
+# Default IMA policy
+# Don't measure files opened with read-only permissions
+dont_measure obj_type=file mask=MAY_READ
+# Measure all executed files
+measure func=BPRM_CHECK mask=MAY_EXEC
+# Measure files mmap()ed for execute
+measure func=FILE_MMAP mask=MAY_EXEC
+# Measure files opened for write or append
+measure func=FILE_CHECK mask=MAY_WRITE uid=0
+
diff --git a/security/keylime-poc/compose/tenant.sh b/security/keylime-poc/compose/tenant.sh
new file mode 100755
index 00000000..b55c854e
--- /dev/null
+++ b/security/keylime-poc/compose/tenant.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Run docker-compose up -d first to have infra in place
+
+set -eu
+
+# Register agent with allowlist
+keylime_tenant \
+ -v 127.0.0.1 -t 127.0.0.1 \
+ -u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 \
+ --uuid d432fbb3-d2f1-4a97-9ef7-75bd81c00000 \
+ -f /tmp/allowlist.txt \
+ --exclude boot_aggregate \
+ --tpm_policy="1,3,7" \
+ -c add
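Review bot: The policy is written to `/etc/ipa/policy` (`sudo tee /etc/ipa/policy << 'EOF'`) but read back from `/etc/ima/policy` on the `sudo cat ... | sudo tee` line, so under `set -e` the first tee aborts the script if `/etc/ipa` does not exist, and otherwise the load step reads a file this script never wrote; the write should target `/etc/ima/policy`, and the load is simpler as `sudo tee /sys/kernel/security/ima/policy < /etc/ima/policy`. The final `tpm2_pcrextend 10:sha256=000...` extends PCR 10 with a zero digest by hand, while the kernel extends PCR 10 itself for every IMA log entry, so the manual extend leaves the PCR disagreeing with the measurement log the verifier replays — if the intent is only to confirm the TPM is reachable, `tpm2_pcrread sha256:10` does that without altering state. The heredoc duplicates `ima_policy.conf` added in the same commit; loading that file instead avoids the two copies diverging. I cannot confirm that the `/sys/kernel/security/ima/policy_update` node written on the first echo line exists on a stock IMA securityfs, so that path is worth checking on the target kernel.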
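Review bot: `-t 127.0.0.1` tells the tenant to reach the agent on the host loopback, but compose.yml in this commit publishes no port for `keylime-agent` (only the verifier's 8881 and registrar's 8891), so the agent port `9002` set in agent.conf is unreachable from the host; either add `"9002:9002"` under the agent's `ports:` or run the tenant inside the compose network and pass the service name. `-u` and `--uuid` are given with the same value on consecutive lines; if they are the same option one should go (keep `--uuid d432fbb3-d2f1-4a97-9ef7-75bd81c00000`). `-f /tmp/allowlist.txt` is opened by the tenant process where it runs, while `/tmp/allowlist.txt` is the path the compose file mounts into the agent container; on the host the file is presumably the `allowlist.txt` next to this script, so the argument should point there. `--tpm_policy="1,3,7"` pins PCRs whose values here come from the simulator rather than the host; a one-line comment on why those PCRs are expected to be stable in this setup would help the next reader.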
diff --git a/security/keylime-poc/scripts/gen_allowlist.sh b/security/keylime-poc/scripts/gen_allowlist.sh
new file mode 100755
index 00000000..a5506106
--- /dev/null
+++ b/security/keylime-poc/scripts/gen_allowlist.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# Script to generate file hashes for allowlist
+# redirect to target file "allowlist.txt"
+
+set -eu
+
+cat <