
Improving the Keylime documentation #1035

@THS-on

Description


The Keylime documentation is now part of the main repository and we want to improve it. The following things need to be improved:

How to use the TPM EK CA Store

There is currently no documentation on how to add a custom CA to the cert store (there is only a comment in the keylime.conf).

Supported TPM Configurations

See #1105.

Keylime and virtualized TPMs

The Keylime test setup using the IBM TPM emulator does not have an EK certificate. We should provide documentation on how to add an EK CA and EK certificate for testing. Also, there is no documentation on how to use Keylime with virtualized TPMs.

  • Add tutorial on how to add an EK certificate to the tpm_emulator using createekcert from the IBM TSS.
  • Add tutorial on how to use the libvirt swtpm integration and link to the general swtpm documentation.
  • Investigate vTPM implementations of Hyper-V and VMware

IMA Validation

Keylime does support validation for many of the features provided by IMA. Unfortunately only the basic features are documented.

Measured Boot Validation

Keylime does provide an entire policy engine for measured boot. The current documentation only describes the general concept and not how to use it.

Keylime mTLS setup

The verifier/tenant connects to the agent using mTLS. The entire TLS setup is pretty complicated and will be simplified with keylime/enhancements#73. The following things should be documented:

  • How to deploy the agent using the current configuration (@THS-on)
  • Describe more complex setups
  • Check if registrar IP and port options are still mentioned for verifier configuration. If yes, document them as deprecated and unnecessary since version 6.4.0

How to create runtime policies

Add documentation on how to get the information required to create policies.

  • Create list of information that is required before creating policies
  • IMA signature verification from a distribution that supports it
  • Get file hashes from deb and RPM repositories
  • How to work with containers

Migration guide from older versions

  • How to handle DB updates. If auto migration was disabled, you can use alembic stamp to set the correct version and re-enable it from there
  • Config upgrades

PR Template

  • Create a PR template that contains a reminder to also update the documentation.

API documentation

  • Add API documentation in OpenAPI format
