Skip to content
Rust implementation of the keylime agent (Not ready for deployment)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.travis
src
.gitignore
.rustfmt.toml
.travis.yml
Cargo.toml
LICENSE
README.md
test.json
test_input.txt
tpmdata_test.json

README.md

Keylime

License: LGPL v3

Overview

This is a Rust implementation of python-keylime from MIT Lincoln Lab. Keylime is system integrity monitoring system that has the following features:

  • Exposes TPM trust chain for higher-level use
  • Provides an end-to-end solution for bootstrapping node cryptographic identities
  • Securely monitors system integrity

For more information, see the original python implementation repo and paper in the References section.

For now, this project is focusing on the keylime agent component, which is a HTTP server running on the server machine that executes keylime operations. Most keylime operations rely on TPM co-processor; therefore, the server needs a physical TPM chip (or a TPM emulator) to perform keylime operations. The TPM emulator is a program that runs in the deamon to mimic TPM commands.

Prerequisites

Required Packages

The rust-keylime agent requires the following packages for both compile and run time.

For Fedora, use the following command

$ dnf install openssl-devel gcc

For Ubuntu OS, use the following command

$ apt-get install openssl-dev gcc

Rust

Make sure Rust is installed before running Keylime. Installation instructions can be found here.

TPM

The TPM4720 package is required to use Keylime. It can be found at mit-ll/tpm4720-keylime. TPM4720` supports systems that have physical TPM chips, and can also integrate with a TPM emulator (see below).

Installation

TPM4720 Emulator on Fedora-28

Run the following script as the root user to install TPM4720 into the mit-ll/tpm4720-keylime repo root directory.

$ cd scripts/
$ sudo bash install-fedora-28.sh

This has been tested with Fedora 28. It may or may not work with other environments.

Logging env

To run with pretty-env-logger trace logging active, set cargo run within RUST_LOG, as follows:

$ RUST_LOG=keylime_agent=trace cargo run

Testing

Unit tests are gating in CI for new code submission. To run them:

$ cargo test

References

  1. Keylime Paper: here
  2. python-keylime: here
  3. TPM4720: here
You can’t perform that action at this time.