#
# This is the configuration file for the trousers tcsd. (The Trusted Computing
# Software Stack Core Services Daemon).
#
# Defaults are listed below, commented out
#
# Send questions to: trousers-users@lists.sourceforge.net
#
# Option: port
# Values: 1 - 65535
# Description: The port that the tcsd will listen on.
#
# port = 30003
#
# Option: num_threads
# Values: 1 - 65535
# Description: The number of threads that the tcsd will spawn internally.
#
# num_threads = 10
#
# Option: system_ps_file
# Values: Any absolute file path
# Description: Path where the tcsd creates its persistent storage file.
#
# system_ps_file = /var/lib/tpm/system.data
#
# Option: firmware_log_file
# Values: Any absolute file path
# Description: Path to the file containing the current firmware PCR event
# log data. The interface to this log is usually provided by the TPM
# device driver.
#
# firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
#
# Option: kernel_log_file
# Values: Any absolute file path
# Description: Path to the file containing the current kernel PCR event
# log data. By default, this data will be parsed in the format provided
# by the Integrity Measurement Architecture LSM. See
# http://sf.net/projects/linux-ima for more info on getting IMA.
#
#
# kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
#
# Option: firmware_pcrs
# Values: PCR indices, separated by commas (no whitespace)
# Description: A list of PCR indices that are manipulated only by the system
# firmware and therefore are not extended or logged by the TCSD.
#
# firmware_pcrs =
#
# Option: kernel_pcrs
# Values: PCR indices, separated by commas (no whitespace)
# Description: A list of PCR indices that are manipulated only by the kernel
# and therefore are not extended or logged by the TCSD.
#
# kernel_pcrs =
#
# Option: platform_cred
# Values: Any absolute file path (example: /path/to/platform.cert)
# Description: Path to the file containing your TPM's platform credential.
# The platform credential may have been provided to you by your TPM
# manufacturer. If so, set platform_cred to the path to the file on disk.
# Whenever a new TPM identity is created, the credential will be used. See
# Tspi_TPM_CollateIdentityRequest(3) for more information.
#
# platform_cred =
#
# Option: conformance_cred
# Values: Any absolute file path (example: /path/to/conformance.cert)
# Description: Path to the file containing your TPM's conformance credential.
# The conformance credential may have been provided to you by your TPM
# manufacturer. If so, set conformance_cred to the path to the file on disk.
# Whenever a new TPM identity is created, the credential will be used. See
# Tspi_TPM_CollateIdentityRequest(3) for more information.
#
# conformance_cred =
#
# Option: endorsement_cred
# Values: Any absolute file path (example: /path/to/endorsement.cert)
# Description: Path to the file containing your TPM's endorsement credential.
# The endorsement credential may have been provided to you by your TPM
# manufacturer. If so, set endorsement_cred to the path to the file on disk.
# Whenever a new TPM identity is created, the credential will be used. See
# Tspi_TPM_CollateIdentityRequest(3) for more information.
#
# endorsement_cred =
#
# Option: remote_ops
# Values: TCS operation names, separated by commas (no whitespace)
# Description: A list of TCS commands which will be allowed to be executed
# on this machine's TCSD by TSPs on non-local hosts (over the network).
# By default, access to all operations is denied. Every operation named here
# becomes reachable by any host that can connect to the TCP port configured
# above, so list only what remote clients actually need.
#
# possible values: seal - encrypt data bound to PCR values
# unseal - decrypt data bound to PCR values
# registerkey - store keys in system persistent storage [Disk write access!]
# unregisterkey - remove keys from system persistent storage [Disk write access!]
# loadkey - load a key into the TPM
# createkey - create a key using the TPM
# sign - encrypt data using a private key
# random - generate random numbers
# getcapability - query the TCS/TPM for its capabilities
# unbind - decrypt data
# quote - request a signed blob containing all PCR values
# readpubek - access the TPM's Public EndorsementKey
# getregisteredkeybypublicinfo - Search system persistent storage for a public key
# getpubkey - Retrieve a loaded key's public data from inside the TPM
# selftest - execute selftest and test results ordinals
#
# remote_ops =
#
# Option: enforce_exclusive_transport
# Values: 0 or 1
# Description: When an application opens a transport session with the TPM, one
# of the options available is an "exclusive" session, meaning that the TPM
# will not execute any commands other than those coming through the transport
# session for the lifetime of the session. The TCSD can choose to enforce this
# option or not. By default, exclusive sessions are not enforced, since this
# could allow for a denial of service to the TPM.
#
# enforce_exclusive_transport = 0
#
# Option: host_platform_class
# Values: One of the TCG platform class specifications
# PC_11 - PC Client System, version 1.1
# PC_12 - PC Client System, version 1.2
# PDA_12 - PDA System, version 1.2
# SERVER_12 - Server System, version 1.2
# MOBILE_12 - Mobile Phone System, version 1.2
#
# Description: This option determines the host platform (host the TCS system
# is running on) class, among those specified by the Trusted Computing group
# on https://www.trustedcomputinggroup.org/specs/. This class will be reported
# by the TCS daemon when an application queries it using the
# TSS_TCSCAP_PROP_HOST_PLATFORM sub-capability. The default is PC_12.
#
# host_platform_class = PC_12
#
# Option: all_platform_classes
# Values: TCG Platform class names, separated by commas (no whitespaces)
# PC_11 - PC Client System, version 1.1
# PC_12 - PC Client System, version 1.2
# PDA_12 - PDA System, version 1.2
# SERVER_12 - Server System, version 1.2
# MOBILE_12 - Mobile Phone System, version 1.2
#
# Description: This option determines all the platform classes supported by the
# TCS daemon. This list must not include the value set as "host_platform_class"
# specified above. Since by default TrouSerS supports all TPM 1.2 functionality,
# the default is all 1.2 and 1.1 platform classes.
#
# all_platform_classes = PC_11,PDA_12,SERVER_12,MOBILE_12
#
#
# Option: disable_ipv4
# Values: 0 or 1
# Description: This option determines whether the TCSD will bind itself to the
# machine's local IPv4 addresses in order to receive requests through
# its TCP port. Value of 1 disables IPv4 support, so clients cannot reach
# TCSD using that protocol.
#
# disable_ipv4 = 0
#
#
# Option: disable_ipv6
# Values: 0 or 1
# Description: This option determines whether the TCSD will bind itself to the
# machine's local IPv6 addresses in order to receive requests through
# its TCP port. Value of 1 disables IPv6 support, so clients cannot reach
# TCSD using that protocol.
#
# disable_ipv6 = 0
#