Version information
This version is compatible with:
- CentOS, RedHat
Start using this module
Add this module to your Puppetfile:
mod 'simp-tpm', '0.1.0'
Table of Contents
- Description
- Setup - The basics of getting started with tpm
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
This module manages a TPM, including taking ownership and enabling IMA. You must take ownership of a TPM before you can load and unload keys and certificates or use it as a PKCS #11 interface. IMA itself extends TPM PCRs through the kernel driver and does not need owner authorization, but taking ownership is the first step this module performs before doing anything else with the device.
The Integrity Measurement Architecture (IMA) subsystem measures files as they are accessed and anchors those hashes in the TPM, so the integrity of the system can be verified from the measurement log. The IMA class adds the IMA kernel boot flags when they are not yet present and, once they are active, mounts securityfs (at /sys/kernel/security) so the measurement list can be read.
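The two decisions the IMA class and the ima_enabled fact have to make are "are the IMA boot flags on the running kernel?" and "is securityfs mounted where the measurement list is read from?". The following is an added example written for this page, not code from the pupmod-simp-tpm module: it makes both checks over plain strings so it can be fed /proc/cmdline and /proc/mounts on a real host, or the constructed samples embedded below. The set of desired IMA parameters is an assumption for the example; the module's tpm::ima class decides the real one.

```ruby
# Added example, not part of pupmod-simp-tpm.
# Kernel parameters the caller wants present. This set is an assumption for
# the example (the module's tpm::ima class decides the real one). A nil
# value means a bare flag with no '='.
DESIRED_IMA_PARAMS = {
  'ima_audit'    => '1',
  'ima_appraise' => 'fix',
  'ima_tcb'      => nil,
}.freeze

# Constructed sample inputs in the format of /proc/cmdline and /proc/mounts.
SAMPLE_CMDLINE = 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro ' \
                 'crashkernel=auto console="ttyS0,115200" ima_audit=1'
SAMPLE_MOUNTS  = <<~MOUNTS
  sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
  proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
  securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
MOUNTS

# Parse a kernel command line into {name => value-or-nil}. Values may be
# double-quoted and contain spaces; a parameter given twice keeps the last
# occurrence, which is what the kernel does for most parameters.
def parse_kernel_cmdline(cmdline)
  tokens = cmdline.scan(/(?:[^\s"]+|"[^"]*")+/)
  tokens.each_with_object({}) do |tok, params|
    name, value = tok.split('=', 2)
    params[name] = value&.delete('"')
  end
end

# The ima_enabled fact's question: does the running kernel carry any IMA
# parameter at all? Before securityfs is mounted, the cmdline is the only
# signal available to a fact.
def ima_enabled?(cmdline)
  parse_kernel_cmdline(cmdline).keys.any? { |k| k.start_with?('ima_') }
end

# Which desired parameters are absent or carry the wrong value. This is the
# set a kernel_parameter resource would have to add or change.
def missing_ima_params(cmdline, desired = DESIRED_IMA_PARAMS)
  current = parse_kernel_cmdline(cmdline)
  desired.reject { |name, value| current.key?(name) && current[name] == value }
end

# Is securityfs mounted at the expected path? Match on both the fstype and
# the mount point: a securityfs mounted elsewhere, or something else sitting
# at /sys/kernel/security, must both count as "not mounted".
def securityfs_mounted?(mounts, mountpoint = '/sys/kernel/security')
  mounts.each_line.any? do |line|
    _dev, target, fstype, = line.split
    target == mountpoint && fstype == 'securityfs'
  end
end

if $PROGRAM_NAME == __FILE__
  puts "IMA enabled:        #{ima_enabled?(SAMPLE_CMDLINE)}"
  puts "params to add:      #{missing_ima_params(SAMPLE_CMDLINE).inspect}"
  puts "securityfs mounted: #{securityfs_mounted?(SAMPLE_MOUNTS)}"
end
```

On a live host, replace the samples with File.read('/proc/cmdline') and File.read('/proc/mounts'). Note that a change to the boot flags only takes effect after a reboot, which is why the module pairs the kernel_parameter change with a reboot notification rather than mounting securityfs in the same run.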
The TPM ecosystem has been designed to be difficult to automate, and that shows
up as several downsides of managing a TPM with a tool like this module. For
example, simply reading the TPM's public key after taking ownership of the
device requires the owner password to be typed in at the command line. This is
an intentional feature to encourage admins to be physically present at the
machine with the device. To get around this, the provider included in this
module and the advanced facts use Ruby's expect library to drive those
interactive prompts over a pseudo-terminal. This module also drops the owner
password into a flat file under the Puppet $vardir so that the facts can talk
to trousers. That file is a plaintext credential for the TPM owner role:
anyone who can read it can do everything the owner can, so treat its
permissions and any backups of $vardir accordingly.
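The paragraph above describes two mechanisms: driving a password-prompting tool from Ruby with the expect library, and persisting the owner password to a flat file. The following is an added example written for this page, not the module's provider. Because the example has to run without a TPM, a constructed Ruby stand-in plays the part of tpm_takeownership and asks the same four questions; the password file name (tpm0_owner_pass) and the 0600/0700 modes are assumptions, as the page does not state what the module uses.

```ruby
# Added example, not the pupmod-simp-tpm provider.
require 'pty'
require 'expect'
require 'rbconfig'
require 'fileutils'
require 'tmpdir'

# Constructed stand-in for tpm_takeownership so the example runs without a
# TPM. It asks the same four questions in the same order. The real tool
# reads passwords with getpass(), so unlike here the answers are not echoed.
FAKE_TPM_TAKEOWNERSHIP = <<~'RUBY'
  $stdout.sync = true
  def ask(prompt)
    print prompt
    ($stdin.gets || '').chomp
  end
  owner = ask('Enter owner password: ')
  abort('Passwords do not match') unless ask('Confirm password: ') == owner
  srk = ask('Enter SRK password: ')
  abort('Passwords do not match') unless ask('Confirm password: ') == srk
  puts 'Ownership taken.'
RUBY
FAKE_TOOL_CMD = [RbConfig.ruby, '-e', FAKE_TPM_TAKEOWNERSHIP].freeze

# Run cmd on a pty; for each [pattern, answer] in order, wait for the prompt
# and type the answer. Returns [exit_status, transcript]. A nil from expect
# means the prompt never came (prompt text changed, tool hung), which is
# surfaced as an error and the child killed, instead of blocking the agent.
def drive_interactive(cmd, prompts, timeout: 15)
  transcript = +''
  status = nil
  PTY.spawn(*cmd) do |reader, writer, pid|
    prompts.each do |pattern, answer|
      matched = reader.expect(pattern, timeout)
      if matched.nil?
        Process.kill('KILL', pid)
        raise "timed out waiting for #{pattern.inspect}"
      end
      transcript << matched[0]
      writer.puts answer
    end
    begin
      loop { transcript << reader.readpartial(4096) }
    rescue EOFError, Errno::EIO
      # the child closed the pty: normal end of output on Linux
    end
    _, status = Process.wait2(pid)
  end
  [status.exitstatus, transcript]
end

# Write the owner password to a flat file under vardir/simp (file name and
# modes are assumptions for this example). Modes are set explicitly rather
# than left to the umask: this file is the credential for the owner role.
def store_owner_pass(vardir, pass)
  dir = File.join(vardir, 'simp')
  FileUtils.mkdir_p(dir, mode: 0o700)
  path = File.join(dir, 'tpm0_owner_pass')
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(pass) }
  File.chmod(0o600, path)
  path
end

# Take ownership through the interactive tool, then persist the owner
# password only if the tool reported success.
def take_ownership(owner_pass, srk_pass, vardir:, cmd: FAKE_TOOL_CMD)
  prompts = [
    [/Enter owner password: /, owner_pass],
    [/Confirm password: /,     owner_pass],
    [/Enter SRK password: /,   srk_pass],
    [/Confirm password: /,     srk_pass],
  ]
  status, transcript = drive_interactive(cmd, prompts)
  pass_file = status.zero? ? store_owner_pass(vardir, owner_pass) : nil
  { status: status, transcript: transcript, pass_file: pass_file }
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |vardir|
    result = take_ownership('badpass', 'badpass2', vardir: vardir)
    puts result[:transcript]
    puts "exit #{result[:status]}, password stored in #{result[:pass_file]}"
  end
end
```

Pointing cmd at the real binary (for example ['tpm_takeownership']) is the only change needed on a host with trousers running, but check the prompt strings of the installed tpm-tools version first: expect matches on exact prompt text, and a mismatch is what the timeout branch is there to catch.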
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the
$client_nets, $enable_* and $use_* parameters in manifests/init.pp for details.
Setup
What tpm affects
WARNING
This module can take ownership of your TPM. Taking ownership sets the owner and SRK passwords and is not easily reversed: a TPM can only be cleared again with the owner password or from the BIOS with physical presence. For that reason, the provider does not support clearing a TPM.
This module will:
- install tpm-tools and trousers
- enable the tcsd service
- (OPTIONAL) take ownership of the TPM
  - the owner password will be written to a flat file in $vardir/simp
- (OPTIONAL) enable IMA on the host
Setup Requirements
In order to use the TPM module or a TPM in general, you must do the following:
- Enable the TPM in BIOS
- Set a user/admin BIOS password
- Be prepared to type that BIOS password at boot time, on every boot
Beginning with the TPM module
Include the tpm class and enable taking ownership in hieradata:
classes:
- tpm
tpm::take_ownership: true
tpm::ownership::advanced_facts: true
To enable IMA, add this line to hiera:
tpm::use_ima: true
Usage
The tpm_ownership type and provider shipped in this module can also be used directly in a manifest. The passwords below are placeholders; keep real ones out of the manifest (in hiera, for example) rather than committing them to code:
tpm_ownership { 'tpm0':
  ensure         => present,
  owner_pass     => 'badpass',   # placeholder, do not reuse
  srk_pass       => 'badpass2',  # placeholder, do not reuse
  advanced_facts => true,
}
Reference
Please refer to the inline documentation within each source file, or to the module's generated YARD documentation for reference material.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
This module does not support clearing a previously owned TPM.
Development
Please read our Contribution Guide and visit our developer wiki.
Acceptance tests
TODO: There are currently no acceptance tests. We would need to use a virtual TPM to ensure test system stability, and it requires quite a few patches to libvirt, associated emulation software, Beaker, and Vagrant before acceptance tests for this module become feasible. Read our progress so far on the issue.
This module will include Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests will use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests, when written, run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Changelog
- Tue Mar 01 2016 Ralph Wright ralph.wright@onyxpoint.com - 0.0.1-10
- Added compliance function support
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 0.0.1-9
- migration to simplib and simpcat (lib/ only)
- Mon Jul 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-8
- Disable IMA by default.
- Thu Jul 09 2015 Nick Markowski nmarkowski@kewcorp.com - 0.0.1-7
- Cast ima_audit to string when passed to kernel_parameter.
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-6
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-5
- Changed puppet-server requirement to puppet
- Sat Aug 23 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-4
- Replaced the reboot calls with the new reboot_notify type.
- Sat Aug 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-3
- Updated the has_tpm fact to use /sys
- Fixed the ima_enabled fact to use /proc/cmdline
- Thu Jul 31 2014 Adam Yohrling adam.yohrling@onyxpoint.com - 0.0.1-2
- Added has_tpm fact
- Added installation of tpm-tools and trousers (by dependency)
- Added tcsd service
- Updated spec_helper to include rubygems (didn't run without)
- Updated spec tests
- Changed existing logic to use str2bool in tpm::ima class for fact check
- Thu Jul 10 2014 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-2
- Updated the 'tpm::ima' class to use the new 'common::reboot' functionality as well as the kernel_parameter augeasproviders mods
- Mon Apr 28 2014 Nick Markowski nmarkowski@keywcorp.com - 0.0.1-1
- Updated ima_enabled fact to properly return IMA status
- Typo fix in the template
- Thu Mar 27 2014 Nick Markowski nmarkowski@keywcorp.com - 0.0.1-0
- Initial Commit.
- Provided basic IMA functionality to set kernel boot flags, and mount securityfs at /sys/kernel/security if present.
Dependencies
- herculesteam/augeasproviders (>= 1.0.2)
- simp/simplib (>= 1.0.0)
- puppetlabs/stdlib (>= 4.1.0)
- simp/compliance_markup (>= 1.0.0)
pupmod-simp-tpm - A Puppet Module for managing the TPM
--
Per Section 105 of the Copyright Act of 1976, these works are not entitled to
domestic copyright protection under US Federal law.
The US Government retains the right to pursue copyright protections outside of
the United States.
The United States Government has unlimited rights in this software and all
derivatives thereof, pursuant to the contracts under which it was developed and
the License under which it falls.
---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.