252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import sys
import common
import keylime_logging
import hashlib
import struct
import re
import os
import ConfigParser
logger = keylime_logging.init_logging('ima')
# setup config
config = ConfigParser.RawConfigParser()
config.read(common.CONFIG_FILE)
# m = ima_measure_re.match(measure_line)
# measure = m.group('file_hash')
# filename = m.group('file_path')
START_HASH = '0000000000000000000000000000000000000000'.decode('hex')
FF_HASH = 'ffffffffffffffffffffffffffffffffffffffff'.decode('hex')
# struct event {
# struct {
# u_int32_t pcr;
material are those of the author(s) and do not necessarily reflect the views of the
Assistant Secretary of Defense for Research and Engineering.
Copyright 2015 Massachusetts Institute of Technology.
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import common
import keylime_logging
logger = keylime_logging.init_logging('cloudverifier')
import json
import ConfigParser
import traceback
import sys
import tornado.ioloop
import tornado.web
import functools
from tornado import httpserver
from tornado.httpclient import AsyncHTTPClient
from tornado.httputil import url_concat
import cloud_verifier_common
import revocation_notifier
config = ConfigParser.SafeConfigParser()
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import cmd_exec
import common
import keylime_logging
import os
import ConfigParser
logger = keylime_logging.init_logging('secure_mount')
# read the config file
config = ConfigParser.RawConfigParser()
config.read(common.CONFIG_FILE)
def check_mounted(secdir):
whatsmounted = cmd_exec.run("mount", lock=False)['retout']
for line in whatsmounted:
tokens = line.split()
tmpfs = False
if len(tokens) < 3:
continue
if tokens[0] == 'tmpfs':
tmpfs = True
Assistant Secretary of Defense for Research and Engineering.
Copyright 2015 Massachusetts Institute of Technology.
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import common
import keylime_logging
logger = keylime_logging.init_logging('cloudagent')
import BaseHTTPServer
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
from SocketServer import ThreadingMixIn
import threading
from urlparse import urlparse
import json
import base64
import ConfigParser
import uuid
import crypto
import os
import sys
import registrar_client
Copyright 2017 Massachusetts Institute of Technology.
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import common
import keylime_logging
logger = keylime_logging.init_logging('keylime_sqlite')
import os
import sqlite3
import json
class KeylimeDB():
db_filename = None
# in the form key, SQL type
cols_db = None
# these are the columns that contain json data and need marshalling
json_cols_db = None
# in the form key : default value
exclude_db = None
def __init__(self, dbname, cols_db, json_cols_db, exclude_db):
Assistant Secretary of Defense for Research and Engineering.
Copyright 2015 Massachusetts Institute of Technology.
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import common
import keylime_logging
logger = keylime_logging.init_logging('registrar-common')
import BaseHTTPServer
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
from SocketServer import ThreadingMixIn
from urlparse import urlparse
import json
import threading
import sys
import crypto
import base64
import ConfigParser
import registrar_client
import signal
import time
import hashlib
import sys
import tornado.ioloop
import tornado.web
import tornado_requests
import functools
from tornado import httpserver
from tornado.httpclient import AsyncHTTPClient
from tornado.httputil import url_concat
import revocation_notifier
import cloud_verifier_common
import tenant
import base64
import common
import keylime_logging
logger = keylime_logging.init_logging('tenant_webapp')
config = ConfigParser.SafeConfigParser()
config.read(common.CONFIG_FILE)
tenant_templ = tenant.Tenant()
class Agent_Init_Types:
FILE = '0'
KEYFILE = '1'
CA_DIR = '2'
class BaseHandler(tornado.web.RequestHandler):
def write_error(self, status_code, **kwargs):
import zmq
import common
import keylime_logging
import ConfigParser
import json
import crypto
import threading
import functools
import time
import os
import sys
from multiprocessing import Process
import signal
logger = keylime_logging.init_logging('revocation_notifier')
config = ConfigParser.SafeConfigParser()
config.read(common.CONFIG_FILE)
broker_proc = None
def start_broker():
def worker():
context = zmq.Context(1)
frontend = context.socket(zmq.SUB)
frontend.bind("ipc:///tmp/keylime.verifier.ipc")
frontend.setsockopt(zmq.SUBSCRIBE, "")
def gencrl(_, a, b):
logger = keylime_logging.init_logging('ca_impl_openssl')
logger.warning("CRL creation with openssl is not supported")
return ""
import struct
import sys
import time
import tempfile
from uuid import UUID
import json
import tpm_obj
# get the tpm object
tpm = tpm_obj.getTPM(need_hw_tpm=True)
sys.path.append(os.path.dirname(__file__))
from tpm_initialize import get_mod_from_pem
# Logging boiler plate
logger = keylime_logging.init_logging('vtpmmgr')
logger.setLevel(logging.INFO)
# ./utils/encaik -ek ~/tmp/LLSRC-tci/scripts/llsrc-vtpm-host0_pubek.pem -ik ~/tmp/LLSRC-tci/scripts/llsrc-vtpm-host0_pubek.pem -ok key.blob -oak key.aes
# cd /home/rudd/tmp/tpm4720/libtpm
# VTPM Command Ordinals. Taken from Xen's stubdoms/vtpmmgr/vtpm_manager.h
VTPM_ORD_GROUP_LIST = 0x02000101
VTPM_ORD_GROUP_NEW = 0x02000102
VTPM_ORD_GROUP_DEL = 0x02000103
VTPM_ORD_GROUP_ACTIVATE = 0x02000104
VTPM_ORD_GROUP_SHOW = 0x02000107
VTPM_ORD_VTPM_LIST = 0x02000201
VTPM_ORD_VTPM_NEW = 0x02000204
import threading
import traceback
import ca_util
import common
import keylime_logging
import tornado.ioloop
import tornado.web
from tornado import httpserver
import keylime.web_util
from keylime import json
sys.path.insert(0, "../../keylime/")
logger = keylime_logging.init_logging("agent_monitor")
initscript = None
class BaseHandler(tornado.web.RequestHandler):
def write_error(self, status_code, **kwargs):
self.set_header("Content-Type", "text/json")
if self.settings.get("serve_traceback") and "exc_info" in kwargs:
# in debug mode, try to send a traceback
lines = []
for line in traceback.format_exception(*kwargs["exc_info"]):
lines.append(line)
self.finish(
json.dumps({
"code": status_code,
import M2Crypto
from M2Crypto import m2
import os
import re
import secure_mount
from sets import Set
import string
import subprocess
import sys
import tempfile
import threading
import time
from tpm_abstract import *
from tpm_ek_ca import *
logger = keylime_logging.init_logging('tpm1')
# read the config file
config = ConfigParser.RawConfigParser()
config.read(common.CONFIG_FILE)
class tpm1(AbstractTPM):
def __init__(self, need_hw_tpm=False):
AbstractTPM.__init__(self, need_hw_tpm)
# shared lock to serialize access to tools
self.tpmutilLock = threading.Lock()
# TPM 1.2 supports fixed set of algorithms
self.supported['hash'] = Set([Hash_Algorithms.SHA1])
import keylime_logging
import registrar_client
import os
import crypto
import ssl
import socket
import ca_util
import sqlite3
import revocation_notifier
import keylime_sqlite
import ConfigParser
import tpm_obj
from tpm_abstract import TPM_Utilities, Hash_Algorithms, Encrypt_Algorithms, Sign_Algorithms
# setup logging
logger = keylime_logging.init_logging('cloudverifier_common')
# setup config
config = ConfigParser.SafeConfigParser()
config.read(common.CONFIG_FILE)
class CloudAgent_Operational_State:
REGISTERED = 0
START = 1
SAVED = 2
GET_QUOTE = 3
GET_QUOTE_RETRY = 4
PROVIDE_V = 5
PROVIDE_V_RETRY = 6
FAILED = 7
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import sys
import common
import keylime_logging
import ConfigParser
import registrar_client
import vtpm_manager
import base64
import os
import errno
import json
logger = keylime_logging.init_logging('provider_platform_init')
config = ConfigParser.RawConfigParser()
config.read(common.CONFIG_FILE)
def symlink_force(target, link_name):
try:
os.symlink(target, link_name)
except OSError, e:
if e.errno == errno.EEXIST:
os.remove(link_name)
os.symlink(target, link_name)
else:
raise e
def main(argv=sys.argv):
import threading
import ca_util
import ssl
import os
import functools
import tornado.web
import tornado.ioloop
import traceback
import getpass
import argparse
import keylime_logging
import common
import sys
sys.path.insert(0, '../../keylime/')
logger = keylime_logging.init_logging('agent_monitor')
import simplejson as json
initscript = None
class BaseHandler(tornado.web.RequestHandler):
def write_error(self, status_code, **kwargs):
self.set_header('Content-Type', 'text/json')
if self.settings.get("serve_traceback") and "exc_info" in kwargs:
# in debug mode, try to send a traceback
lines = []
for line in traceback.format_exception(*kwargs["exc_info"]):
lines.append(line)
'''
import common
import keylime_logging
import json
import ConfigParser
import os
import subprocess
import tornado_requests
from M2Crypto import EVP, X509
import secure_mount
import base64
import time
import socket
logger = keylime_logging.init_logging('ca_impl_cfssl')
config = ConfigParser.SafeConfigParser()
config.read(common.CONFIG_FILE)
cfsslproc = None
def post_cfssl(url, data):
numtries = 0
maxr = 10
retry = 0.05
while True:
try:
response = tornado_requests.request("POST",
url,
import os
import ssl
import tornado_requests
import hashlib
import ima
import zipfile
import cStringIO
import StringIO
import logging
import subprocess
import tpm_obj
from tpm_abstract import TPM_Utilities, Hash_Algorithms, Encrypt_Algorithms, Sign_Algorithms
# setup logging
logger = keylime_logging.init_logging('tenant')
# setup config
config = ConfigParser.RawConfigParser()
config.read(common.CONFIG_FILE)
# special exception that suppresses stack traces when it happens
class UserError(Exception):
pass
class Tenant():
"""Simple command processor example."""
config = None
cloudverifier_ip = None
Assistant Secretary of Defense for Research and Engineering.
Copyright 2015 Massachusetts Institute of Technology.
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import common
import keylime_logging
logger = keylime_logging.init_logging('ca-util')
import sys
import os
import crypto
import base64
import argparse
import ConfigParser
import getpass
import json
import zipfile
import cStringIO
import socket
import revocation_notifier
import threading
import BaseHTTPServer
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import json
import tornado_requests
import crypto
import base64
import common
import keylime_logging
import ssl
import os
import logging
logger = keylime_logging.init_logging('registrar_client')
context = None
def init_client_tls(config, section):
global context
#make this reentrant
if context is not None:
return
if not config.getboolean('general', "enable_tls"):
logger.warning("TLS is currently disabled, AIKs may not be authentic.")
return None
logger.info("Setting up client TLS...")
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import ConfigParser
import distutils.spawn
import os
import common
import keylime_logging
logger = keylime_logging.init_logging('tpmobj')
import tpm1
import tpm2
# read the config file
config = ConfigParser.RawConfigParser()
config.read(common.CONFIG_FILE)
# singleton objects for working with the TPM
__tpm1 = None
__tpm2 = None
__version = None
def __guess_tpm_version():
if __version is not None:
Assistant Secretary of Defense for Research and Engineering.
Copyright 2015 Massachusetts Institute of Technology.
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import common
import keylime_logging
logger = keylime_logging.init_logging('registrar')
import registrar_common
import ConfigParser
import sys
config = ConfigParser.SafeConfigParser()
config.read(common.CONFIG_FILE)
def main(argv=sys.argv):
registrar_common.start(config.getint('general', 'registrar_tls_port'),
config.getint('general', 'registrar_port'),
config.get('registrar', 'db_filename'))
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import common
import keylime_logging
import uuid
import tornado_requests
logger = keylime_logging.init_logging('openstack')
def get_openstack_uuid(uuid_service_ip='169.254.169.254',
uuid_service_resource='/openstack/2012-08-10/meta_data.json'):
logger.debug("Getting instance UUID from openstack http://%s%s"%(uuid_service_ip,uuid_service_resource))
try:
response = tornado_requests.request("GET", "http://" + uuid_service_ip + uuid_service_resource)
if response.status_code == 200:
response_body = response.json()
return response_body["uuid"]
logger.debug("Forcing using locally generated uuid.")
return str(uuid.uuid4())
except Exception:
logger.debug("Using locally generated uuid. Error getting UUID from openstack: %s\n"%(e))
return str(uuid.uuid4())
Assistant Secretary of Defense for Research and Engineering.
Copyright 2015 Massachusetts Institute of Technology.
The software/firmware is provided to you on an As-Is basis
Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
above. Use of this work other than as specifically authorized by the U.S. Government may
violate any copyrights that exist in this work.
'''
import common
import keylime_logging
logger = keylime_logging.init_logging('provider-registrar')
import registrar_common
import ConfigParser
import sys
config = ConfigParser.SafeConfigParser()
config.read(common.CONFIG_FILE)
def main(argv=sys.argv):
registrar_common.start(
config.getint('general', 'provider_registrar_tls_port'),
config.getint('general', 'provider_registrar_port'),
config.get('registrar', 'prov_db_filename'))
'''
import sys
import common
import keylime_logging
import ConfigParser
import registrar_client
import vtpm_manager
import base64
import json
# read the config file
config = ConfigParser.RawConfigParser()
config.read(common.CONFIG_FILE)
logger = keylime_logging.init_logging('platform-init')
def add_vtpm(inputfile):
# read in the file
with open(inputfile, 'r') as f:
group = json.load(f)
# fetch configuration parameters
provider_reg_port = config.get('general', 'provider_registrar_port')
provider_reg_ip = config.get('general', 'provider_registrar_ip')
# request a vtpm uuid from the manager
vtpm_uuid = vtpm_manager.add_vtpm_to_group(group['uuid'])
# registrar it and get back a blob
