192 lines
6.9 KiB
Plaintext
192 lines
6.9 KiB
Plaintext
|
|
#
|
|
# This is the configuration file for the trousers tcsd. (The Trusted Computing
|
|
# Software Stack Core Services Daemon).
|
|
#
|
|
# Defaults are listed below, commented out
|
|
#
|
|
# Send questions to: trousers-users@lists.sourceforge.net
|
|
#
|
|
|
|
# Option: port
|
|
# Values: 1 - 65535
|
|
# Description: The port that the tcsd will listen on.
|
|
#
|
|
# port = 30003
|
|
#
|
|
|
|
# Option: num_threads
|
|
# Values: 1 - 65535
|
|
# Description: The number of threads that the tcsd will spawn internally.
|
|
#
|
|
# num_threads = 10
|
|
#
|
|
|
|
# Option: system_ps_file
|
|
# Values: Any absolute directory path
|
|
# Description: Path where the tcsd creates its persistent storage file.
|
|
#
|
|
# system_ps_file = /var/lib/tpm/system.data
|
|
#
|
|
|
|
# Option: firmware_log_file
|
|
# Values: Any absolute directory path
|
|
# Description: Path to the file containing the current firmware PCR event
|
|
# log data. The interface to this log is usually provided by the TPM
|
|
# device driver.
|
|
#
|
|
# firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
|
|
#
|
|
|
|
# Option: kernel_log_file
|
|
# Values: Any absolute directory path
|
|
# Description: Path to the file containing the current kernel PCR event
|
|
# log data. By default, this data will be parsed in the format provided
|
|
# by the Integrity Measurement Architecture LSM. See
|
|
# http://sf.net/projects/linux-ima for more info on getting IMA.
|
|
#
|
|
#
|
|
# kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
|
|
#
|
|
|
|
# Option: firmware_pcrs
|
|
# Values: PCR indices, separated by commas (no whitespace)
|
|
# Description: A list of PCR indices that are manipulated only by the system
|
|
# firmware and therefore are not extended or logged by the TCSD.
|
|
#
|
|
# firmware_pcrs =
|
|
#
|
|
|
|
# Option: kernel_pcrs
|
|
# Values: PCR indices, separated by commas (no whitespace)
|
|
# Description: A list of PCR indices that are manipulated only by the kernel
|
|
# and therefore are not extended or logged by the TCSD.
|
|
#
|
|
# kernel_pcrs =
|
|
#
|
|
|
|
# Option: platform_cred
|
|
# Values: Any absolute directory path (example: /path/to/platform.cert)
|
|
# Description: Path to the file containing your TPM's platform credential.
|
|
# The platform credential may have been provided to you by your TPM
|
|
# manufacturer. If so, set platform_cred to the path to the file on disk.
|
|
# Whenever a new TPM identity is created, the credential will be used. See
|
|
# Tspi_TPM_CollateIdentityRequest(3) for more information.
|
|
#
|
|
# platform_cred =
|
|
#
|
|
|
|
# Option: conformance_cred
|
|
# Values: Any absolute directory path (example: /path/to/conformance.cert)
|
|
# Description: Path to the file containing your TPM's conformance credential.
|
|
# The conformance credential may have been provided to you by your TPM
|
|
# manufacturer. If so, set conformance_cred to the path to the file on disk.
|
|
# Whenever a new TPM identity is created, the credential will be used. See
|
|
# Tspi_TPM_CollateIdentityRequest(3) for more information.
|
|
#
|
|
# conformance_cred =
|
|
#
|
|
|
|
# Option: endorsement_cred
|
|
# Values: Any absolute directory path (example: /path/to/endorsement.cert)
|
|
# Description: Path to the file containing your TPM's endorsement credential.
|
|
# The endorsement credential may have been provided to you by your TPM
|
|
# manufacturer. If so, set endorsement_cred to the path to the file on disk.
|
|
# Whenever a new TPM identity is created, the credential will be used. See
|
|
# Tspi_TPM_CollateIdentityRequest(3) for more information.
|
|
#
|
|
# endorsement_cred =
|
|
#
|
|
|
|
# Option: remote_ops
|
|
# Values: TCS operation names, separated by commas (no whitespace)
|
|
# Description: A list of TCS commands which will be allowed to be executed
|
|
# on this machine's TCSD by TSP's on non-local hosts (over the internet).
|
|
# By default, access to all operations is denied.
|
|
#
|
|
# possible values: seal - encrypt data bound to PCR values
|
|
# unseal - decrypt data bound to PCR values
|
|
# registerkey - store keys in system persistent storage [Disk write access!]
|
|
# unregisterkey - remove keys from system persistent storage [Disk write access!]
|
|
# loadkey - load a key into the TPM
|
|
# createkey - create a key using the TPM
|
|
# sign - encrypt data using a private key
|
|
# random - generate random numbers
|
|
# getcapability - query the TCS/TPM for its capabilities
|
|
# unbind - decrypt data
|
|
# quote - request a signed blob containing all PCR values
|
|
# readpubek - access the TPM's Public EndorsementKey
|
|
# getregisteredkeybypublicinfo - Search system persistent storage for a public key
|
|
# getpubkey - Retrieve a loaded key's public data from inside the TPM
|
|
# selftest - execute selftest and test results ordinals
|
|
#
|
|
# remote_ops =
|
|
#
|
|
|
|
# Option: enforce_exclusive_transport
|
|
# Values: 0 or 1
|
|
# Description: When an application opens a transport session with the TPM, one
|
|
# of the options available is an "exclusive" session, meaning that the TPM
|
|
# will not execute any commands other than those coming through the transport
|
|
# session for the lifetime of the session. The TCSD can choose to enforce this
|
|
# option or not. By default, exclusive sessions are not enforced, since this
|
|
# could allow for a denial of service to the TPM.
|
|
#
|
|
# enforce_exclusive_transport = 0
|
|
#
|
|
|
|
# Option: host_platform_class
|
|
# Values: One of the TCG platform class specifications
|
|
# PC_11 - PC Client System, version 1.1
|
|
# PC_12 - PC Client System, version 1.2
|
|
# PDA_12 - PDA System, version 1.2
|
|
# SERVER_12 - Server System, version 1.2
|
|
# MOBILE_12 - Mobile Phone System, version 1.2
|
|
#
|
|
# Description: This option determines the host platform (host the TCS system
|
|
# is running on) class, among those specified by the Trusted Computing group
|
|
# on https://www.trustedcomputinggroup.org/specs/. This class will be reported
|
|
# by the TCS daemon when an application queries it using the
|
|
# TSS_TCSCAP_PROP_HOST_PLATFORM sub-capability. The default is PC_12.
|
|
#
|
|
# host_platform_class = PC_12
|
|
#
|
|
|
|
# Option: all_platform_classes
|
|
# Values: TCG Platform class names, separated by commas (no whitespaces)
|
|
# PC_11 - PC Client System, version 1.1
|
|
# PC_12 - PC Client System, version 1.2
|
|
# PDA_12 - PDA System, version 1.2
|
|
# SERVER_12 - Server System, version 1.2
|
|
# MOBILE_12 - Mobile Phone System, version 1.2
|
|
#
|
|
# Description: This option determines all the platform classes supported by the
|
|
# TCS daemon. This list must not include the value set as "host_platform_class"
|
|
# specified above. Since by default TrouSerS supports all TPM 1.2 functionality,
|
|
# the default is all 1.2 and 1.1 platform classes.
|
|
#
|
|
# all_platform_classes = PC_11,PDA_12,SERVER_12,MOBILE_12
|
|
#
|
|
|
|
#
|
|
# Option: disable_ipv4
|
|
# Values: 0 or 1
|
|
# Description: This options determines if the TCSD will bind itself to the
|
|
# machine's local IPv4 addresses in order to receive requisitions through
|
|
# its TCP port. Value of 1 disables IPv4 support, so clients cannot reach
|
|
# TCSD using that protocol.
|
|
#
|
|
# disable_ipv4 = 0
|
|
#
|
|
|
|
#
|
|
# Option: disable_ipv6
|
|
# Values: 0 or 1
|
|
# Description: This options determines if the TCSD will bind itself to the
|
|
# machine's local IPv6 addresses in order to receive requisitions through
|
|
# its TCP port. Value of 1 disables IPv6 support, so clients cannot reach
|
|
# TCSD using that protocol.
|
|
#
|
|
# disable_ipv6 = 0
|
|
#
|