These instructions assume an install of Fedora 37, 38 or 39 but should work on any recent version.
The system must have access to a TPM. If you are running on bare metal with a physical TPM, you can skip to Compiling the Agent below.
If you are using a VM, you must first set up a TPM. You have a couple of different options:
If you are using a VMWare product, you can enable built-in TPM support.
For VMWare ESXi/vSphere, instructions are available from this support article: Enable Virtual Trusted Platform Module for an Existing Virtual Machine
For VMWare Workstation, refer to this article instead: Add a Virtual Trusted Platform Module Device
Warning: In my experience, Keylime does not play well with Microsoft's vTPM implementation, so if you are using Hyper-V, you will need to install the swtpm instead (instructions follow).
Open a terminal in your VM and run the following commands:
sudo dnf install swtpm tpm-tools
mkdir /var/swtpm
Add the following to your .bashrc file:
export TPM2TOOLS_TCTI="swtpm:port=2321"
export TCTI="swtpm:port=2321"
Then, run:
source ~/.bashrc
swtpm socket --tpmstate dir=/var/swtpm --tpm2 --server type=tcp,port=2321,bindaddr=0.0.0.0 --ctrl type=tcp,port=2322,bindaddr=0.0.0.0 --flags not-need-init,startup-clear
You will need to keep the swtpm running while you perform the remaining steps to compile and run the agent.
Install dependencies:
sudo dnf install dnf-plugins-core git builddep clang cmake gcc libarchive-devel openssl-devel tpm2-tools tpm2-tss-devel zeromq-devel
Install Rust:
curl https://sh.rustup.rs -sSf | sh
source "$HOME/.cargo/env"
Download and compile the Keylime agent:
git clone https://github.com/keylime/rust-keylime.git
cd rust-keylime
RUST_LOG=keylime_agent=trace cargo run --bin keylime_agent
This will eventually fail with an error about being unable to mount a directory. This is expected.
To resolve the error, we need to give the Keylime agent permission to read the /var/lib/keylime directory by creating a new keylime Unix account, placing it in the tss group, and changing the owner and group of the directory:
sudo useradd keylime
sudo usermod -a -G tss keylime
sudo chown -R keylime:tss /var/lib/keylime/
It is also necessary to copy the certificates from the Keylime verifier/registrar install. On the host with the registrar installed, run the following command, making sure to replace the placeholders in all caps:
sudo scp -r /var/lib/keylime/cv_ca AGENT_HOST_USERNAME@AGENT_HOST_IP:/home/AGENT_HOST_USERNAME/cv_ca
Then, on the host with the agent installed, run the following to move the certificates into the appropriate location and set their permissions:
sudo cp -r ~/cv_ca /var/lib/keylime
sudo chown -R keylime:tss /var/lib/keylime/cv_ca
Finally, to get the agent talking to the registrar, edit /etc/keylime/agent.conf so that registrar_ip matches the IP address of the host where the registrar is running.
To run the agent in the foreground with Rust's Cargo build tool:
RUST_LOG=keylime_agent=trace cargo run --bin keylime_agent
You can optionally increase the verbosity of the logging output for debugging purposes:
RUST_LOG=keylime_agent=debug cargo run --bin keylime_agent
Alternatively, you can install the agent as a systemd service:
make
sudo make install
sudo systemctl start keylime_agent
If you are using the swtpm, you will need to set the appropriate environment variables for the service by running systemctl edit keylime_agent and editing the file to contain:
[Service]
Environment="TCTI=swtpm:port=2321"