keylimectl: A replacement for keylime_tenant in rust

Cargo.toml

@@ -4,6 +4,7 @@ members = [
     "keylime-agent", "keylime-macros",
     "keylime-ima-emulator",
     "keylime-push-model-agent",
+    "keylimectl",
 ]
 resolver = "2"
 

keylime-agent/Cargo.toml

@@ -16,7 +16,7 @@ config.workspace = true
 futures.workspace = true
 glob.workspace = true
 hex.workspace = true
-keylime.workspace = true
+keylime = { workspace = true, features = [] }
 libc.workspace = true
 log.workspace = true
 openssl.workspace = true
@@ -40,7 +40,7 @@ actix-rt.workspace = true
 [features]
 # The features enabled by default
 default = []
-testing = []
+testing = ["keylime/testing"]
 # Whether the agent should be compiled with support to listen for notification
 # messages on ZeroMQ
 #

keylime-push-model-agent/Cargo.toml

@@ -14,7 +14,7 @@ assert_cmd.workspace = true
 async-trait.workspace = true
 chrono.workspace = true
 clap.workspace = true
-keylime.workspace = true
+keylime = { workspace = true, features = [] }
 log.workspace = true
 predicates.workspace = true
 pretty_env_logger.workspace = true
@@ -34,7 +34,7 @@ wiremock = {version = "0.6"}
 [features]
 # The features enabled by default
 default = []
-testing = []
+testing = ["keylime/testing"]
 legacy-python-actions = []
 
 [package.metadata.deb]

keylime-push-model-agent/src/attestation.rs

@@ -65,7 +65,7 @@ impl AttestationClient {
             None
         };
 
-        debug!("ResilientClient: initial delay: {} ms, max retries: {}, max delay: {:?} ms", 
+        debug!("ResilientClient: initial delay: {} ms, max retries: {}, max delay: {:?} ms",
             config.initial_delay_ms, config.max_retries, config.max_delay_ms);
         let client = ResilientClient::new(
             base_client,

keylime-push-model-agent/src/struct_filler.rs

@@ -661,11 +661,7 @@ mod tests {
         if let Ok(mut ctx) = context_info_result {
             // Temporarily override config to point to a non-existent path
             let original_path =
-                std::env::var("KEYLIME_CONFIG_PATH").unwrap_or_default();
-            std::env::set_var(
-                "KEYLIME_CONFIG_PATH",
-                "test-data/non-existent-config.conf",
-            );
+                std::env::var("KEYLIME_AGENT_CONFIG").unwrap_or_default();
 
             // Create a temporary config file with an invalid path for measuredboot_ml_path
             let temp_dir = tempfile::tempdir().unwrap();
@@ -675,16 +671,20 @@ mod tests {
             writeln!(file, "[agent]").unwrap();
             writeln!(
                 file,
-                "measuredboot_ml_path = /path/to/non/existent/log"
+                "measuredboot_ml_path = \"/path/to/non/existent/log\""
             )
             .unwrap();
-            std::env::set_var("KEYLIME_CONFIG_PATH", config_path);
+            std::env::set_var("KEYLIME_AGENT_CONFIG", config_path);
 
             let filler = FillerFromHardware::new(&mut ctx);
             assert!(filler.uefi_log_handler.is_none());
 
             // Restore original config path
-            std::env::set_var("KEYLIME_CONFIG_PATH", original_path);
+            if original_path.is_empty() {
+                std::env::remove_var("KEYLIME_AGENT_CONFIG");
+            } else {
+                std::env::set_var("KEYLIME_AGENT_CONFIG", original_path);
+            }
             assert!(ctx.flush_context().is_ok());
         }
     }

keylimectl/Cargo.toml

@@ -0,0 +1,38 @@
+[package]
+name = "keylimectl"
+description = "Command-line tool for Keylime remote attestation"
+authors.workspace = true
+edition.workspace = true
+license.workspace = true
+repository.workspace = true
+version.workspace = true
+
+[[bin]]
+name = "keylimectl"
+path = "src/main.rs"
+
+[dependencies]
+anyhow.workspace = true
+base64.workspace = true
+chrono.workspace = true
+clap.workspace = true
+config.workspace = true
+hex.workspace = true
+keylime.workspace = true
+log.workspace = true
+openssl.workspace = true
+pretty_env_logger.workspace = true
+reqwest.workspace = true
+reqwest-middleware.workspace = true
+serde.workspace = true
+serde_derive.workspace = true
+serde_json.workspace = true
+thiserror.workspace = true
+tokio = {workspace = true, features = ["rt-multi-thread"]}
+uuid.workspace = true
+
+[dev-dependencies]
+assert_cmd.workspace = true
+predicates.workspace = true
+tempfile.workspace = true
+toml = "0.8"

keylimectl/keylimectl.conf

@@ -0,0 +1,231 @@
+# keylimectl Configuration File
+#
+# This file contains all available configuration options for keylimectl,
+# the modern command-line tool for Keylime remote attestation.
+#
+# Configuration files are completely optional. keylimectl will work out-of-the-box
+# with sensible defaults if no configuration file is provided.
+#
+# Configuration precedence (highest to lowest):
+# 1. Command-line arguments
+# 2. Environment variables (KEYLIME_*)
+# 3. Configuration files (this file)
+# 4. Default values
+#
+# This file uses TOML format. For more information about TOML syntax,
+# see: https://toml.io/
+
+#
+# VERIFIER CONFIGURATION
+#
+# The verifier continuously monitors agent integrity and manages attestation policies.
+# It receives attestation evidence from agents and verifies their trustworthiness.
+#
+[verifier]
+
+# IP address of the Keylime verifier service
+# Default: "127.0.0.1"
+# Environment variable: KEYLIME_VERIFIER__IP
+ip = "127.0.0.1"
+
+# Port number of the Keylime verifier service
+# Default: 8881
+# Environment variable: KEYLIME_VERIFIER__PORT
+port = 8881
+
+# Optional verifier identifier for multi-verifier deployments
+# Default: None
+# Environment variable: KEYLIME_VERIFIER__ID
+# id = "verifier-1"
+
+#
+# REGISTRAR CONFIGURATION
+#
+# The registrar maintains a database of registered agents and their TPM public keys.
+# Agents must register with the registrar before they can be added to the verifier.
+#
+[registrar]
+
+# IP address of the Keylime registrar service
+# Default: "127.0.0.1"
+# Environment variable: KEYLIME_REGISTRAR__IP
+ip = "127.0.0.1"
+
+# Port number of the Keylime registrar service
+# Default: 8891
+# Environment variable: KEYLIME_REGISTRAR__PORT
+port = 8891
+
+#
+# TLS/SSL SECURITY CONFIGURATION
+#
+# This section controls secure communication with Keylime services.
+# Proper TLS configuration is essential for production deployments.
+#
+[tls]
+
+# Path to client certificate file for mutual TLS authentication
+# Default: None (no client certificate)
+# Environment variable: KEYLIME_TLS__CLIENT_CERT
+client_cert = "/var/lib/keylime/cv_ca/client-cert.crt"
+
+# Path to client private key file for mutual TLS authentication
+# Default: None (no client key)
+# Environment variable: KEYLIME_TLS__CLIENT_KEY
+client_key = "/var/lib/keylime/cv_ca/client-private.pem"
+
+# Password for encrypted client private key (if applicable)
+# Default: None (no password)
+# Environment variable: KEYLIME_TLS__CLIENT_KEY_PASSWORD
+# client_key_password = "your-key-password"
+
+# List of trusted CA certificate file paths for server verification
+# Default: [] (empty list - uses system CA store)
+# Environment variable: KEYLIME_TLS__TRUSTED_CA (comma-separated)
+trusted_ca = ["/var/lib/keylime/cv_ca/cacert.crt"]
+
+# Whether to verify server certificates
+# Default: true
+# Environment variable: KEYLIME_TLS__VERIFY_SERVER_CERT
+# WARNING: Only disable for testing - never in production!
+verify_server_cert = true
+
+# Whether to enable mutual TLS for agent communications
+# Default: true
+# Environment variable: KEYLIME_TLS__ENABLE_AGENT_MTLS
+enable_agent_mtls = true
+
+#
+# HTTP CLIENT CONFIGURATION
+#
+# This section controls HTTP client behavior including timeouts and retry logic.
+# These settings affect reliability and performance of API communications.
+#
+[client]
+
+# Request timeout in seconds
+# Default: 60
+# Environment variable: KEYLIME_CLIENT__TIMEOUT
+timeout = 60
+
+# Base retry interval in seconds
+# Default: 1.0
+# Environment variable: KEYLIME_CLIENT__RETRY_INTERVAL
+retry_interval = 1.0
+
+# Whether to use exponential backoff for retries
+# Default: true
+# Environment variable: KEYLIME_CLIENT__EXPONENTIAL_BACKOFF
+# When true, retry delays increase exponentially: 1s, 2s, 4s, 8s, etc.
+# When false, retry delay remains constant at retry_interval
+exponential_backoff = true
+
+# Maximum number of retry attempts
+# Default: 3
+# Environment variable: KEYLIME_CLIENT__MAX_RETRIES
+max_retries = 3
+
+#
+# EXAMPLE CONFIGURATIONS
+#
+
+# Example 1: Production configuration with custom services
+# [verifier]
+# ip = "keylime-verifier.company.com"
+# port = 8881
+# id = "prod-verifier-01"
+#
+# [registrar]
+# ip = "keylime-registrar.company.com"
+# port = 8891
+#
+# [tls]
+# client_cert = "/etc/keylime/certs/client.crt"
+# client_key = "/etc/keylime/certs/client.key"
+# trusted_ca = ["/etc/keylime/certs/ca.crt"]
+# verify_server_cert = true
+# enable_agent_mtls = true
+#
+# [client]
+# timeout = 30
+# retry_interval = 2.0
+# exponential_backoff = true
+# max_retries = 5
+
+# Example 2: Development/testing configuration
+# [verifier]
+# ip = "192.168.1.100"
+# port = 8881
+#
+# [registrar]
+# ip = "192.168.1.101"
+# port = 8891
+#
+# [tls]
+# verify_server_cert = false  # WARNING: Testing only!
+# enable_agent_mtls = false   # WARNING: Testing only!
+#
+# [client]
+# timeout = 10
+# retry_interval = 0.5
+# max_retries = 1
+
+# Example 3: IPv6 configuration
+# [verifier]
+# ip = "2001:db8::1"
+# port = 8881
+#
+# [registrar]
+# ip = "2001:db8::2"
+# port = 8891
+
+#
+# ENVIRONMENT VARIABLE REFERENCE
+#
+# All configuration options can be overridden using environment variables
+# with the KEYLIME_ prefix and double underscores as section separators:
+#
+# KEYLIME_VERIFIER__IP=192.168.1.100
+# KEYLIME_VERIFIER__PORT=8881
+# KEYLIME_VERIFIER__ID=verifier-1
+# KEYLIME_REGISTRAR__IP=192.168.1.101
+# KEYLIME_REGISTRAR__PORT=8891
+# KEYLIME_TLS__CLIENT_CERT=/path/to/client.crt
+# KEYLIME_TLS__CLIENT_KEY=/path/to/client.key
+# KEYLIME_TLS__CLIENT_KEY_PASSWORD=password
+# KEYLIME_TLS__TRUSTED_CA=/path/ca1.crt,/path/ca2.crt
+# KEYLIME_TLS__VERIFY_SERVER_CERT=true
+# KEYLIME_TLS__ENABLE_AGENT_MTLS=true
+# KEYLIME_CLIENT__TIMEOUT=60
+# KEYLIME_CLIENT__RETRY_INTERVAL=1.0
+# KEYLIME_CLIENT__EXPONENTIAL_BACKOFF=true
+# KEYLIME_CLIENT__MAX_RETRIES=3
+
+#
+# COMMAND-LINE ARGUMENT REFERENCE
+#
+# Configuration can also be overridden via command-line arguments:
+#
+# --verifier-ip <IP>          Override verifier IP address
+# --verifier-port <PORT>      Override verifier port
+# --registrar-ip <IP>         Override registrar IP address
+# --registrar-port <PORT>     Override registrar port
+# -c, --config <FILE>         Specify explicit configuration file path
+# -v, --verbose               Enable verbose logging
+# -q, --quiet                 Suppress non-essential output
+# --format <FORMAT>           Output format (json, table, yaml)
+
+#
+# CONFIGURATION FILE LOCATIONS
+#
+# keylimectl searches for configuration files in this order:
+# 1. Explicit path provided via -c/--config (required to exist)
+# 2. ./keylimectl.toml (current directory)
+# 3. ./keylimectl.conf (current directory)
+# 4. /etc/keylime/keylimectl.conf (system-wide)
+# 5. /usr/etc/keylime/keylimectl.conf (alternative system-wide)
+# 6. ~/.config/keylime/keylimectl.conf (user-specific)
+# 7. ~/.keylimectl.toml (user-specific)
+# 8. $XDG_CONFIG_HOME/keylime/keylimectl.conf (XDG standard)
+#
+# If no configuration files are found, keylimectl works with defaults.