File keylime.conf.diff of Package keylime
Index: keylime-v6.3.0/keylime.conf
===================================================================
--- keylime-v6.3.0.orig/keylime.conf
+++ keylime-v6.3.0/keylime.conf
@@ -12,11 +12,13 @@ tls_check_hostnames = False
# Valid values are "cfssl" or "openssl". For cfssl to work, you must have the
# go binary installed in your path or in /usr/local/.
# Note: Revocation list generation is only supported by "cfssl".
-ca_implementation = openssl
+# ca_implementation = openssl
+ca_implementation = cfssl
# The address and port of the revocation notifier service on the verifier from
# which either the cloud_agent or keylime_ca receive revocation events.
-receive_revocation_ip = 127.0.0.1
+# receive_revocation_ip = 127.0.0.1
+receive_revocation_ip = <REMOTE_IP>
receive_revocation_port = 8992
#=============================================================================
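Review bot: `receive_revocation_ip = <REMOTE_IP>` ships a literal angle-bracket placeholder as the value, so the file is not usable as installed and the agent will fail to reach the revocation notifier until someone edits it; the same placeholder is written for `registrar_ip` in the agent-section hunk a few lines further down. If the intent is a template, say so above the key, e.g. `# <REMOTE_IP>: replace with the verifier's reachable address before starting the agent`, so a packager does not mistake it for a default. The switch to `ca_implementation = cfssl` also pulls in the go-binary requirement stated in the comment above it, which is worth a note if the package does not declare that dependency. The old values left behind as `# key = value` lines carry no explanation of why they were retired; either drop them or add a one-line reason.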
@@ -24,7 +26,8 @@ receive_revocation_port = 8992
#=============================================================================
# The binding address and port for the agent server
-cloudagent_ip = 127.0.0.1
+# cloudagent_ip = 127.0.0.1
+cloudagent_ip = 0.0.0.0
cloudagent_port = 9002
# Address and port where the verifier and tenant can connect to reach the agent.
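Review bot: `cloudagent_ip = 0.0.0.0` moves the agent API from loopback to every interface on the host, and the same widening is applied to `cloudverifier_ip`, `revocation_notifier_ip` and the registrar's `registrar_ip` in later hunks. The first hunk's header shows `tls_check_hostnames = False`, so as far as this diff shows the only thing gating remote access to these services is the TLS certificate setup, which the diff does not touch. If all-interfaces binding is intended, a comment above each such key should say so and name the control that limits exposure, e.g. `# Binds on all interfaces; restrict with a host firewall or set to the management address`; otherwise bind to the specific management address instead.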
@@ -33,7 +36,8 @@ agent_contact_ip = 127.0.0.1
agent_contact_port = 9002
# The address and port of registrar server which agent communicate with
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = <REMOTE_IP>
registrar_port = 8890
# The name of the RSA key that Keylime should use for protecting shares of U/V.
@@ -81,7 +85,8 @@ extract_payload_zip = True
# 'dmidecode -s system-uuid'.
# If you set this to "hostname", Keylime will use the full qualified domain
# name of current host as the agent id.
-agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+agent_uuid = hostname
# Whether to listen for revocation notifications from the verifier or not.
listen_notfications = True
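Review bot: `agent_uuid = hostname` makes the agent identity depend on the host's FQDN, which per the comment above is taken from the running system rather than from a TPM-derived value; two hosts that resolve to the same name would presumably collide at the registrar, and a hostname change re-identifies the machine. If that trade-off is deliberate for this packaging, record it above the key, e.g. `# Identity derives from the FQDN; ensure hostnames are unique and stable across the fleet`.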
@@ -129,7 +134,8 @@ max_retries = 10
# - hashing: sha512, sha384, sha256 or sha1
# - encryption: ecc or rsa
# - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr
-tpm_hash_alg = sha1
+# tpm_hash_alg = sha1
+tpm_hash_alg = sha256
tpm_encryption_alg = rsa
tpm_signing_alg = rsassa
@@ -147,7 +153,8 @@ ek_handle = generate
cloudverifier_id = default
# The IP address and port of verifier server binds to
-cloudverifier_ip = 127.0.0.1
+# cloudverifier_ip = 127.0.0.1
+cloudverifier_ip = 0.0.0.0
cloudverifier_port = 8881
# The address and port of registrar server that verifier communicates with
@@ -266,7 +273,8 @@ revocation_notifier = True
# The binding address and port of the revocation notifier service.
# If the 'revocation_notifier' option is set to "true", then the verifier
# automatically starts the revocation service.
-revocation_notifier_ip = 127.0.0.1
+# revocation_notifier_ip = 127.0.0.1
+revocation_notifier_ip = 0.0.0.0
revocation_notifier_port = 8992
# Enable revocation notifications via webhook. This can be used to notify other
@@ -400,10 +408,12 @@ max_payload_size = 1048576
# and SHA-512).
# Note that you can't set a policy on PCR10 and PCR16 because Keylime uses
# them internally.
-tpm_policy = {"22":["0000000000000000000000000000000000000001","0000000000000000000000000000000000000000000000000000000000000001","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001","ffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"],"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]}
+# tpm_policy = {"22":["0000000000000000000000000000000000000001","0000000000000000000000000000000000000000000000000000000000000001","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001","ffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"],"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]}
+tpm_policy = {}
# Same as 'tpm_policy' but for virtual PCRs.
-vtpm_policy = {"23":["ffffffffffffffffffffffffffffffffffffffff","0000000000000000000000000000000000000000"],"15":"0000000000000000000000000000000000000000"}
+# vtpm_policy = {"23":["ffffffffffffffffffffffffffffffffffffffff","0000000000000000000000000000000000000000"],"15":"0000000000000000000000000000000000000000"}
+vtpm_policy = {}
# Specify the file containing allowlists for processing Linux IMA measurements
# this file is used if tenant provides "default" as the allowlist file
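Review bot: `tpm_policy = {}` and `vtpm_policy = {}` drop every PCR expectation from the default policy, so unless a policy is supplied per host no PCR content is checked by the verifier; the comment block above still describes how PCR entries are written but nothing says the default is now intentionally empty. Add a line above each key making the consequence explicit, e.g. `# Empty policy: no PCR values are enforced unless a policy is supplied per host`. Read together with the `require_ek_cert = False` change in the next hunk, this configuration accepts attestations with noticeably fewer checks than upstream's defaults, which deserves a header comment at the top of the file rather than being discoverable only by diffing.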
@@ -455,7 +465,8 @@ max_retries = 10
# might provide a signed list of EK public key hashes. Then you could write
# an ek_check_script that checks the signature of the allowlist and then
# compares the hash of the given EK with the allowlist.
-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
# Optional script to execute to check the EK and/or EK certificate against a
# allowlist or any other additional EK processing you want to do. Runs in
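Review bot: `require_ek_cert = False` disables endorsement-key certificate validation at the registrar, and the following hunk's header shows `ek_check_script=` still empty, so as far as the visible context goes nothing verifies that a presented EK belongs to a genuine TPM. The comment above the key already describes the alternative (a signed allowlist checked by `ek_check_script`); if EK certificates cannot be validated in this deployment, that alternative should be configured rather than leaving both controls off. At minimum, document the decision above the key, e.g. `# EK certificate checks disabled: registration trusts any EK unless ek_check_script is set`.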
@@ -481,7 +492,8 @@ ek_check_script=
# The registrar's IP address and port used to communicate with other services
# as well as the bind address for the registrar server.
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = 0.0.0.0
registrar_port = 8890
registrar_tls_port = 8891