File keylime.conf.diff of Package keylime.30092
Index: keylime-v6.3.2/keylime.conf
===================================================================
--- keylime-v6.3.2.orig/keylime.conf
+++ keylime-v6.3.2/keylime.conf
@@ -16,7 +16,8 @@ ca_implementation = openssl
# The address and port of the revocation notifier service on the verifier from
# which either the cloud_agent or keylime_ca receive revocation events.
-receive_revocation_ip = 127.0.0.1
+# receive_revocation_ip = 127.0.0.1
+receive_revocation_ip = <REMOTE_IP>
receive_revocation_port = 8992
#=============================================================================
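Review bot: `receive_revocation_ip = <REMOTE_IP>` on the new side is a literal placeholder, not an address, so a config shipped this way cannot let the agent reach the verifier's revocation notifier until an administrator edits it, and nothing in the hunk says so. Angle brackets are not a comment marker here, so the line is parsed as a real value rather than ignored. If this is meant as a template, add a line above it such as `# REPLACE <REMOTE_IP> with the verifier's address; revocation events are not received until this is set`, or keep the 127.0.0.1 default and document the override instead.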
@@ -24,7 +25,8 @@ receive_revocation_port = 8992
#=============================================================================
# The binding address and port for the agent server
-cloudagent_ip = 127.0.0.1
+# cloudagent_ip = 127.0.0.1
+cloudagent_ip = 0.0.0.0
cloudagent_port = 9002
# Address and port where the verifier and tenant can connect to reach the agent.
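Review bot: `cloudagent_ip = 0.0.0.0` binds the agent API on every interface, but the hunk adds no comment on why that exposure is needed or how it is bounded; the old loopback line is only commented out. No TLS or authentication option for this listener is visible in the hunk, so as far as this file shows the agent relies on what is enforced elsewhere and on host firewalling, which is worth stating next to the value: `# Listen on all interfaces so the remote verifier/tenant can reach port 9002; restrict with firewall to those hosts`. If the agent only needs to be reachable on one interface, that interface's address is the tighter value.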
@@ -33,7 +35,8 @@ agent_contact_ip = 127.0.0.1
agent_contact_port = 9002
# The address and port of registrar server which agent communicate with
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = <REMOTE_IP>
registrar_port = 8890
# The name of the RSA key that Keylime should use for protecting shares of U/V.
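Review bot: `agent_contact_ip = 127.0.0.1` in the hunk's header context is left unchanged while `registrar_ip` now points at `<REMOTE_IP>`, so as far as this file shows the agent registers with a remote registrar but advertises a loopback address as its contact address, which a verifier on another host cannot use. If the agent is meant to be reached remotely (it is bound on 0.0.0.0 in the preceding hunk), `agent_contact_ip` needs the host's reachable address in the same patch, unless the agent derives it elsewhere — worth confirming. The `<REMOTE_IP>` placeholder also needs a comment telling the administrator to replace it, e.g. `# REPLACE <REMOTE_IP> with the registrar host; the agent cannot register until this is set`.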
@@ -89,7 +92,8 @@ extract_payload_zip = True
# 'dmidecode -s system-uuid'.
# If you set this to "hostname", Keylime will use the full qualified domain
# name of current host as the agent id.
-agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+agent_uuid = hostname
# Whether to listen for revocation notifications from the verifier or not.
listen_notifications = True
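Review bot: `agent_uuid = hostname` makes the agent identity the FQDN, and the hunk does not note what that requires of the host; the comment above only says what the option does. A host whose name is not yet set (a fresh image still reporting a generic name) would register under that generic id, and two hosts sharing it would presumably collide at the registrar — confirm how the registrar treats a re-registration with an existing uuid before shipping this as the package default. Suggest a comment above the value: `# Identity is the FQDN: the hostname must be unique and set before the agent first registers`.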
@@ -148,7 +152,8 @@ max_retries = 4
# - hashing: sha512, sha384, sha256 or sha1
# - encryption: ecc or rsa
# - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr
-tpm_hash_alg = sha1
+# tpm_hash_alg = sha1
+tpm_hash_alg = sha256
tpm_encryption_alg = rsa
tpm_signing_alg = rsassa
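Review bot: `tpm_hash_alg = sha256` is the right move away from sha1, but the hunk leaves no comment that the TPM must have a SHA-256 PCR bank active for quotes in that algorithm; the comment above only lists the accepted values. Suggest `# Requires an active SHA-256 PCR bank on the TPM; verify before enrolment` above the value so an operator with a TPM that only has the sha1 bank enabled is not left guessing at a failed quote.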
@@ -174,7 +179,8 @@ ek_handle = generate
# chown keylime /var/lib/keylime/cv_ca
# chown keylime /var/lib/keylime/cv_ca/cacert.crt
#
-run_as =
+# run_as =
+run_as = keylime:tss
#=============================================================================
[cloud_verifier]
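Review bot: `run_as = keylime:tss` drops privileges to a user and group that must already exist and own the paths listed in the comment above (`/var/lib/keylime/cv_ca` and its cert), and the hunk does not say who creates them; if the package does not create `keylime` and `tss` the service presumably fails to start rather than silently staying root, which is acceptable but should be documented. The `tss` group is presumably what grants access to the TPM device or resource manager — confirm that is the group the packaged TPM stack uses. Suggest a comment above the value: `# keylime user and tss group must exist (created by the package); tss grants TPM access`.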
@@ -184,7 +190,8 @@ run_as =
cloudverifier_id = default
# The IP address and port of verifier server binds to
-cloudverifier_ip = 127.0.0.1
+# cloudverifier_ip = 127.0.0.1
+cloudverifier_ip = 0.0.0.0
cloudverifier_port = 8881
# The address and port of registrar server that verifier communicates with
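Review bot: `cloudverifier_ip = 0.0.0.0` exposes the verifier API on all interfaces with no comment on why; the verifier is normally only contacted by the tenant, so a specific interface address or a firewall rule limiting 8881 to tenant hosts is the tighter default. Whether this listener is TLS-protected is decided by settings outside this hunk, so state the assumption next to the value, e.g. `# Bound on all interfaces for remote tenants; relies on the TLS settings below and host firewalling`.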
@@ -309,7 +316,8 @@ revocation_notifier = True
# The binding address and port of the revocation notifier service.
# If the 'revocation_notifier' option is set to "true", then the verifier
# automatically starts the revocation service.
-revocation_notifier_ip = 127.0.0.1
+# revocation_notifier_ip = 127.0.0.1
+revocation_notifier_ip = 0.0.0.0
revocation_notifier_port = 8992
# Enable revocation notifications via webhook. This can be used to notify other
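Review bot: `revocation_notifier_ip = 0.0.0.0` makes the revocation service reachable from any interface, which remote agents need (it matches `receive_revocation_port = 8992` in the agent section), but the hunk adds no comment and the loopback line is only commented out. Whether subscribers to this port are authenticated is not visible here, so the comment should say so and point to the firewall: `# Bound on all interfaces so remote agents can subscribe; restrict 8992 to agent hosts`. The superseded `# revocation_notifier_ip = 127.0.0.1` line (and the same pattern in the other hunks) is better dropped than kept, since re-enabling it creates a duplicate key whose winner depends on the parser.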
@@ -445,10 +453,12 @@ max_payload_size = 1048576
# and SHA-512).
# Note that you can't set a policy on PCR10 and PCR16 because Keylime uses
# them internally.
-tpm_policy = {"22":["0000000000000000000000000000000000000001","0000000000000000000000000000000000000000000000000000000000000001","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001","ffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"],"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]}
+# tpm_policy = {"22":["0000000000000000000000000000000000000001","0000000000000000000000000000000000000000000000000000000000000001","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001","ffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"],"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]}
+tpm_policy = {}
# Same as 'tpm_policy' but for virtual PCRs.
-vtpm_policy = {"23":["ffffffffffffffffffffffffffffffffffffffff","0000000000000000000000000000000000000000"],"15":"0000000000000000000000000000000000000000"}
+# vtpm_policy = {"23":["ffffffffffffffffffffffffffffffffffffffff","0000000000000000000000000000000000000000"],"15":"0000000000000000000000000000000000000000"}
+vtpm_policy = {}
# Specify the file containing allowlists for processing Linux IMA measurements
# this file is used if tenant provides "default" as the allowlist file
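Review bot: `tpm_policy = {}` and `vtpm_policy = {}` replace the example PCR policy with an empty one, which as far as this file shows means no PCR value is checked by default — attestation then rests solely on whatever policy the tenant supplies. That is a real weakening for a packaged default and deserves an explicit comment rather than a silent swap: `# Empty policy: no PCRs are checked unless the tenant supplies one; set a policy here or at the tenant for production`. The removed example was also the only illustration of the per-bank digest lengths (40/64/96 hex characters) that the comment above refers to, so keep it as a commented reference or restate the format.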
@@ -500,7 +510,8 @@ max_retries = 5
# might provide a signed list of EK public key hashes. Then you could write
# an ek_check_script that checks the signature of the allowlist and then
# compares the hash of the given EK with the allowlist.
-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
# Optional script to execute to check the EK and/or EK certificate against a
# allowlist or any other additional EK processing you want to do. Runs in
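Review bot: `require_ek_cert = False` disables endorsement-key certificate verification at the registrar, and with `ek_check_script=` visibly left empty (the next hunk's header context) nothing else vets the EK, so any TPM — including a software TPM an attacker controls — can register an agent. The comment above the change describes the intended alternative, an `ek_check_script` that verifies a signed EK allowlist; if vendor EK certificates are unavailable in the target environment, that script should be supplied together with this change rather than turning the check off unconditionally. At minimum, state the risk next to the value: `# WARNING: EK certificate check disabled; the registrar cannot distinguish a genuine TPM from an emulated one. Supply ek_check_script with an allowlist instead.`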
@@ -526,7 +537,8 @@ ek_check_script=
# The registrar's IP address and port used to communicate with other services
# as well as the bind address for the registrar server.
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = 0.0.0.0
registrar_port = 8890
registrar_tls_port = 8891