kubectl apply -f deployment.yaml
Now there will be an unregistered alpine pod which causes the system to be considered untrusted (i.e. with operational state set to INVALID QUOTE).
To delete the new alpine deployment you can run:
kubectl delete deployment alpine-deployment
• ip, that is the IP address of the Keylime Agent
• port, that is the port used by the Keylime Agent to connect to the Keylime Verifier.
• tpm_policy, that is used to specify the PCRs that must be included in each TPM quote contained in the IR.
• vtpm_policy, that is used as the tpm_policy when virtual PCRs are involved.
• meta_data, that specifies the Keylime Agent-related metadata.
• allowlist_len, that corresponds to the number of lines in the whitelist associated with the physical system.
• mb_refstate_len, that corresponds to the length of the policy associated with the measured boot.
• accept_tpm_hash_algs, that specifies the list of the hash algorithms accepted by the TPM.
• accept_tpm_encryption_algs, that specifies the list of the encryption algorithms accepted by the TPM.
• accept_tpm_signing_algs, that specifies the list of the signing algorithms accepted by the TPM.
• hash_alg, that is the actual hash algorithm used by the TPM.
• enc_alg, that is the actual encryption algorithm used by the TPM.
• sign_alg, that is the actual signing algorithm used by the TPM.
• verifier_id, that is a unique identifier for each verifier instance.
• verifier_ip, that is the IP address the Keylime Verifier server binds to.
• verifier_port, that is the port the Keylime Verifier server binds to.
• severity_level, that in case of a failure corresponds to the severity of the failure.
• last_event_id, which is the identifier of the last failure event with maximum severity.
• pods, that is a JSON object that specifies the pods registered in the Keylime Agent. Each pod is described through a JSON object containing the fields specified above.
POST /v2/agents/{agent_id:UUID}
This POST API provides the add operation for registering an agent at the verifier. The modification consists in providing in the request the additional data needed for the proposed solution, which are the pod list and whitelists.
The request JSON object is composed of the following fields, where the field pods is the new one:
• v, that is the V part of the bootstrap key.
• cloudagent_ip, that is the IP address of the Keylime Agent for the Keylime Verifier.
• cloudagent_port, that is the port used by the Keylime Agent to connect to the Keylime Verifier.
• tpm_policy, that is used to specify the PCRs that must be included in each TPM quote contained in the IR.
• vtpm_policy, that is used as the tpm_policy when virtual PCRs are involved.
• meta_data, that specifies the Keylime Agent-related metadata.
• allowlist, that corresponds to the whitelist associated with the physical system.
• mb_refstate, that corresponds to the policy associated with the measured boot.
• ima_sign_verification_keys, that corresponds to the list of IMA public keys for signature verification.
• revocation_key, which corresponds to the RSA private key to be used by the Keylime Verifier to sign a revocation message for this Keylime Agent.
• accept_tpm_hash_algs, that specifies the list of the hash algorithms accepted by the TPM.
• accept_tpm_encryption_algs, that specifies the list of the encryption algorithms accepted by the TPM.
• accept_tpm_signing_algs, that specifies the list of the signing algorithms accepted by the TPM.
• pods, that is a JSON object that specifies the pods to be registered in the Keylime Agent. Each pod is specified through its UUID and a JSON object that contains the allowlist and the exclude list.
A.7.2 New REST APIs
The new REST APIs added to the framework with the thesis work are presented in this section.
GET /v2/agents/{agent_id:UUID}/pods
This GET API shows the list of pod UUIDs registered for the Keylime Agent specified through the {agent_id:UUID} placeholder. The response JSON object will contain:
• the UUID of the Keylime Agent
• the list of the pod UUIDs registered for that Keylime Agent
An example of the response could be:
{
  code: 200,
  status: "OK",
  results: {
    uuid: "d432fbb3-d2f1-4a97-9ef7-75bd81c00000",
    pod_ids:
      0: "226aed86-763b-4a3e-925b-82e50146171e",
      1: "bead1494-a2ff-4b2b-bead-97f911a0039f",
      ...
  }
}
POST /v2/agents/{agent_id:UUID}/pods
This POST API adds at the Keylime Verifier the pod UUIDs list associated with the Keylime Agent specified through the {agent_id:UUID} placeholder. The pod list is a dictionary of pod UUIDs, each one associated with its whitelist and (optionally) exclude list.
The Request JSON object will contain a dictionary of pod identifiers, each one associated with a JSON object containing the fields:
• allowlist
• exclude list
PUT /v2/agents/{agent_id:UUID}/pods
This PUT API modifies at the Keylime Verifier the pod UUIDs list associated with the Keylime Agent specified through the {agent_id:UUID} placeholder.
The Request JSON object will contain a dictionary of pod identifiers, each one associated with a JSON object containing the fields:
• allowlist
• exclude list
GET /v2/agents/{agent_id:UUID}/pods/{pod_id}
This GET API shows the status of a registered pod specified through the {pod_id} placeholder. Specifically, in the response JSON object, there will be:
• the pod UUID;
• the pod operational state;
• the pod whitelist;
• the pod exclude list (if present);
• the list of files present in the ML but not found in the whitelist;
• the list of files present in the ML, in the whitelist, but with a wrong measure.
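An added example, not code from the thesis or from Keylime, showing how the last two lists of this response can be derived for one pod. It assumes the ML entries already attributed to the pod use the IMA ima-ng layout, that the whitelist maps a path to its accepted digests, and that the exclude list holds regular expressions; evaluate_pod and all sample values are constructed for illustration.

```python
import re

# Constructed sample data (not from the thesis): path -> accepted SHA-256 digests.
ALLOWLIST = {
    "/bin/busybox": ["aa" * 32],
    "/usr/bin/app": ["bb" * 32],
}
EXCLUDE = [r"^/tmp/.*"]  # assumption: regexes for paths the verifier ignores

# Constructed measurement list (ML) entries in ima-ng layout:
# <PCR> <template-hash> ima-ng <alg>:<file-digest> <path>
ML = "\n".join([
    f"10 {'00' * 20} ima-ng sha256:{'aa' * 32} /bin/busybox",
    f"10 {'00' * 20} ima-ng sha256:{'cc' * 32} /usr/bin/app",
    f"10 {'00' * 20} ima-ng sha256:{'dd' * 32} /usr/bin/nc",
    f"10 {'00' * 20} ima-ng sha256:{'ee' * 32} /tmp/scratch",
])


def evaluate_pod(ml_text, allowlist, exclude):
    """Return (trusted, not_in_allowlist, wrong_measure) for one pod's ML entries."""
    skip = [re.compile(p) for p in exclude]
    not_found, mismatched = [], []
    for line in ml_text.splitlines():
        fields = line.split(maxsplit=4)
        # Fail closed: an entry that cannot be parsed is never silently skipped.
        if len(fields) != 5 or fields[2] != "ima-ng":
            raise ValueError(f"unparseable ML entry: {line!r}")
        digest = fields[3].partition(":")[2].lower()
        path = fields[4]
        if any(rx.match(path) for rx in skip):
            continue  # excluded paths are not evaluated at all
        accepted = allowlist.get(path)
        if accepted is None:
            not_found.append(path)    # measured but not in the whitelist
        elif digest not in (d.lower() for d in accepted):
            mismatched.append(path)   # in the whitelist, wrong measure
    return (not not_found and not mismatched), not_found, mismatched
```

A broad exclude pattern removes paths from evaluation entirely, so a pod's exclude list deserves the same review as its whitelist.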
PUT /v2/agents/{agent_id:UUID}/pods/{pod_id}
This PUT API modifies the whitelist or the exclude list of the pod specified through the {pod_id} placeholder.
The Request JSON object will contain:
• the allowlist of the {pod_id}
• the exclude list of the {pod_id}
DELETE /v2/agents/{agent_id:UUID}/pods/{pod_id}
This DELETE API removes the pod specified through {pod_id} from the Keylime Agent identified through {agent_id:UUID}.
GET /v2/agents/{agent_id:UUID}/pods/{pod_id}/allowlist
This GET API shows the whitelist associated with the pod specified through the {pod_id} placeholder.
PUT /v2/agents/{agent_id:UUID}/pods/{pod_id}/allowlist
This PUT API replaces the whitelist associated with the pod specified through the {pod_id} placeholder with the new whitelist provided in the request body.
The Request JSON object will contain the new whitelist for the {pod_id}.
GET /v2/agents/{agent_id:UUID}/pods/{pod_id}/exclude
This GET API shows the exclude list associated with the pod specified through the {pod_id} placeholder.
PUT /v2/agents/{agent_id:UUID}/pods/{pod_id}/exclude
This PUT API replaces the exclude list associated with the pod specified through the {pod_id} placeholder with the new exclude list provided in the request body.