This is a Rust implementation of python-keylime from MIT Lincoln Lab. Keylime is system integrity monitoring system that has the following features:
- Exposes TPM trust chain for higher-level use
- Provides an end-to-end solution for bootstrapping node cryptographic identities
- Securely monitors system integrity
For more information, see the original python implementation repo and paper in the References section.
For now, this project is focusing on the keylime agent component, which is a HTTP server running on the server machine that executes keylime operations. Most keylime operations rely on TPM co-processor; therefore, the server needs a physical TPM chip (or a TPM emulator) to perform keylime operations. The TPM emulator is a program that runs in the deamon to mimic TPM commands.
The rust-keylime agent requires the following packages for both compile and run time.
For Fedora, use the following command
$ dnf install openssl-devel gcc
For Ubuntu OS, use the following command
$ apt-get install openssl-dev gcc
Make sure Rust is installed before running Keylime. Installation instructions can be found here.
The TPM4720 package is required to use Keylime. It can be found at mit-ll/tpm4720-keylime. TPM4720` supports systems that have physical TPM chips, and can also integrate with a TPM emulator (see below).
TPM4720 Emulator on Fedora-28
Run the following script as the root user to install TPM4720 into the
mit-ll/tpm4720-keylime repo root directory.
$ cd scripts/ $ sudo bash install-fedora-28.sh
This has been tested with Fedora 28. It may or may not work with other environments.
To run with
pretty-env-logger trace logging active, set cargo run
RUST_LOG, as follows:
$ RUST_LOG=keylime_agent=trace cargo run
Unit tests are gating in CI for new code submission. To run them:
$ cargo test