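--- a/keylime-agent.conf
+++ b/keylime-agent.conf
@@ -377,29 +377,17 @@ measuredboot_ml_path = "default"
 # KEYLIME_AGENT_ATTESTATION_INTERVAL_SECONDS environment variable.
 attestation_interval_seconds = 60
 
-# Enable challenge-response authentication for push model attestation.
-# When enabled, the agent will authenticate with the verifier using TPM-based
-# proof of possession before sending attestation evidence.
-# This option is specific to the push attestation model.
-# The default is false (disabled).
-#
-# To override enable_authentication, set
-# KEYLIME_AGENT_ENABLE_AUTHENTICATION environment variable.
-enable_authentication = false
-
 # Verifier URL (Push Model specific).
 # Verifier URL containing schema, host and port
 verifier_url = "https://localhost:8881"
 
-# Verifier client TLS certificates (Push Model specific)
-# These certificates are used by the push model agent to authenticate with the verifier.
-# If set as "default", the paths below are used relative to keylime_dir.
+# Verifier TLS CA certificate (Push Model specific)
+# The push model agent uses TLS (server verification only) + mandatory PoP authentication.
+# Client certificates (mTLS) are NOT used by the push model.
+# This CA certificate is used to verify the verifier's server certificate.
+# If set as "default", the path below is used relative to keylime_dir.
 # If a relative path is set, it will be considered relative from the keylime_dir.
 # If an absolute path is set, it is used without change.
 #
 # To override verifier_tls_ca_cert, set KEYLIME_AGENT_VERIFIER_TLS_CA_CERT environment variable.
-# To override verifier_tls_client_cert, set KEYLIME_AGENT_VERIFIER_TLS_CLIENT_CERT environment variable.
-# To override verifier_tls_client_key, set KEYLIME_AGENT_VERIFIER_TLS_CLIENT_KEY environment variable.
 verifier_tls_ca_cert = "default" # default: cv_ca/cacert.crt
-verifier_tls_client_cert = "default" # default: cv_ca/client-cert.crt
-verifier_tls_client_key = "default" # default: cv_ca/client-private.pem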
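Review bot: The rewritten comment above `verifier_tls_ca_cert` says client certificates are not used, but nothing on the new side tells an operator upgrading an existing config that `enable_authentication`, `verifier_tls_client_cert` and `verifier_tls_client_key` (and their `KEYLIME_AGENT_*` overrides) no longer exist. Whether the agent rejects or silently ignores a leftover `enable_authentication = false` is not visible in this file, so an operator could still believe authentication is switched off or that mTLS is in effect. I would add a line such as `# enable_authentication and verifier_tls_client_cert/key were removed: PoP authentication is always on and stale settings have no effect.`, adjusting the last clause to what the config parser actually does. With server-only TLS this CA is the sole check on the verifier's identity, so it is also worth stating next to `verifier_url` that the URL should use `https`.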