-
Notifications
You must be signed in to change notification settings - Fork 68
/
config.toml
304 lines (276 loc) · 15.9 KB
/
config.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
# Parsec Configuration File
# (Required) Core settings apply to the service as a whole rather than to individual components within it.
[core_settings]
# Whether or not to allow the service to run as the root user. If this is false, the service will refuse to
# start if it is run as root. If this is true, the safety check is disabled and the service will be allowed to
# start even if it is being run as root. The recommended (and default) setting is FALSE; allowing Parsec to
# run as root violates the principle of least privilege.
#allow_root = false
# Size of the thread pool used for processing requests. Defaults to the number of processors on
# the machine.
#thread_pool_size = 8
# Duration of sleep when the connection pool is empty. This can limit the response
# times for requests and so should be set to a low number. Default value is 10.
#idle_listener_sleep_duration = 10 # in milliseconds
# Log level to be applied across the service. Can be overwritten for certain modules which have the same
# configuration key. Possible values: "debug", "info", "warn", "error", "trace"
# WARNING: This option will not be updated if the configuration is reloaded with a different one.
#log_level = "warn"
# Control whether log entries contain a timestamp.
#log_timestamp = false
# Decide how large (in bytes) request bodies can be before they get rejected automatically.
# Defaults to 1MB.
#body_len_limit = 1048576
# Decide whether detailed information about errors occuring should be included in log messages.
# WARNING: the details might include sensitive information about the keys used by Parsec clients,
# such as key names or policies
#log_error_details = false
# Decide how large (in bytes) buffers inside responses from this provider can be. Requests that ask
# for buffers larger than this threshold will be rejected. Defaults to 1MB.
#buffer_size_limit = 1048576
# Decide whether deprecated algorithms and key types are allowed when generating keys or not.
# Note: While importing a deprecated key, only a warning log is generated.
# The default behaviour is to reject the deprecated primitives. Hence, the default value is false.
#allow_deprecated = false
# (Required) Configuration for the service IPC listener component.
[listener]
# (Required) Type of IPC that the service will support.
listener_type = "DomainSocket"
# (Required) Timeout of the read and write operations on the IPC channel. After the
# timeout expires, the connection is dropped.
timeout = 200 # in milliseconds
# Specify the Unix Domain Socket path. The path is fixed and should always be the default one for
# clients to connect. However, it is useful to change it for tests.
# WARNING: If a file already exists at that path, the service will remove it before creating the
# socket file.
#socket_path = "/run/parsec/parsec.sock"
# (Required) Authenticator configuration.
# WARNING: the authenticator MUST NOT be changed if there are existing keys stored in Parsec.
# In a future version, Parsec might support multiple authenticators, see parallaxsecond/parsec#271
# for details.
[authenticator]
# (Required) Type of authenticator that will be used to authenticate clients' authentication
# payloads.
# Possible values: "Direct", "UnixPeerCredentials" and "JwtSvid".
# WARNING: The "Direct" authenticator is only secure under specific requirements. Please make sure
# to read the Recommendations on a Secure Parsec Deployment at
# https://parallaxsecond.github.io/parsec-book/parsec_security/secure_deployment.html
auth_type = "UnixPeerCredentials"
# List of admins to be identified by the authenticator.
# The "name" field of each entry in the list must contain the application name (as required by the
# identifier in `auth_type`). For example, for `UnixPeerCredentials`, the names should be UIDs of
# the admin users.
# WARNING: Admins have special privileges and access to operations that are not permitted for normal
# users of the service. Only enable this feature with some list of admins if you are confident
# about the need for those permissions.
# Read more here: https://parallaxsecond.github.io/parsec-book/parsec_client/operations/index.html#core-operations
#admins = [ { name = "admin_1" }, { name = "admin_2" } ]
# (Required only for JwtSvid) Location of the Workload API endpoint
# WARNING: only use this authenticator if the Workload API socket is TRUSTED. A malicious entity
# owning that socket would have access to all the keys owned by clients using this authentication
# method. This path *must* be trusted for as long as Parsec is running.
#workload_endpoint="unix:///run/spire/sockets/agent.sock"
# (Required) Configuration for the components managing key info for providers.
# Defined as an array of tables: https://github.com/toml-lang/toml#user-content-array-of-tables
[[key_manager]]
# (Required) Name of the key info manager. Used to tie providers to the manager supporting them.
name = "sqlite-manager"
# (Required) Type of key info manager to be used.
# Possible values: "SQLite", "OnDisk"
# NOTE: The SQLite KIM is now the recommended type, with the OnDisk KIM to be deprecated at some
# point in the future.
manager_type = "SQLite"
# Path to the location where the database will be persisted
#store_path = "/var/lib/parsec/kim-mappings/sqlite/sqlite-key-info-manager.sqlite3"
# Example of OnDisk Key Info Manager configuration
#[[key_manager]]
# (Required) Name of the key info manager.
#name = "on-disk-manager"
# (Required) Type of key info manager to be used.
#manager_type = "OnDisk"
# Path to the location where the mappings will be persisted (in this case, the filesystem path)
#store_path = "/var/lib/parsec/mappings"
# (Required) Provider configurations.
# Defined as an array of tables: https://github.com/toml-lang/toml#user-content-array-of-tables
# IMPORTANT: The order in which providers below are declared matters: providers should be listed
# in terms of priority, the highest priority provider being declared first in this file.
# The first provider will be used as default provider by the Parsec clients. See below example
# configurations for the different providers supported by the Parsec service.
# Example of an Mbed Crypto provider configuration.
[[provider]]
# ⚠
# ⚠ WARNING: Provider name cannot change.
# ⚠ WARNING: Choose a suitable naming scheme for your providers now.
# ⚠ WARNING: Provider name defaults to "mbed-crypto-provider" if not provided, you will not be able to change
# ⚠ the provider's name from this if you decide to use the default.
# ⚠ WARNING: Changing provider name after use will lead to loss of existing keys.
# ⚠
# (Optional) The name of the provider
name = "mbed-crypto-provider"
# (Required) Type of provider.
provider_type = "MbedCrypto"
# (Required) Name of key info manager that will support this provider.
# NOTE: The key info manager only holds mappings between Parsec key name and Mbed Crypto ID, along
# with other metadata associated with the key. The keys themselves, however, are stored by the Mbed
# Crypto library by default within the working directory of the service, NOT in the same location
# as the mappings mentioned previously. If you want the keys to be persisted across reboots, ensure
# that the working directory is not temporary.
key_info_manager = "sqlite-manager"
# Example of a PKCS 11 provider configuration
#[[provider]]
# ⚠
# ⚠ WARNING: Provider name cannot change.
# ⚠ WARNING: Choose a suitable naming scheme for your providers now.
# ⚠ WARNING: Provider name defaults to "pkcs11-provider" if not provided, you will not be able to change
# ⚠ the provider's name from this if you decide to use the default.
# ⚠ WARNING: Changing provider name after use will lead to loss of existing keys.
# ⚠
# (Optional) The name of the provider
#name = "pkcs11-provider"
#provider_type = "Pkcs11"
#key_info_manager = "sqlite-manager"
# (Required for this provider) Path to the location of the dynamic library loaded by this provider.
# For the PKCS 11 provider, this library implements the PKCS 11 API on the target platform.
#library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
# (Optional) PKCS 11 serial number of the token that will be used by Parsec.
# If the token serial number is entered, then the slot that has the provided serial number will be used. Otherwise, if both `serial_number` and `slot_number` are given but do not match, a warning is issued and serial number takes precedence.
# Note: Matching the serial_number done after trimming the leading and trailing whitespaces for serial numbers shorter than 16 charachter.
#serial_number = "0123456789abcdef"
# (Optional) PKCS 11 slot that will be used by Parsec If Token serial number is not entered. i.e, serial_number is preferred
# If the slot number is not entered and there is only one slot available - with a valid token - it will be automatically used
#slot_number = 123456789
# (Optional) User pin for authentication with the specific slot. If not set, the sessions will not
# be logged in. It might prevent some operations to execute successfully on some tokens.
#user_pin = "123456"
# (Optional) Control whether missing public key operation (such as verifying signatures or asymmetric
# encryption) are fully performed in software.
#software_public_operations = false
# (Optional) Control whether it is allowed for a key to be exportable. On some platforms creating a
# key that can be exported will fail with an obscure error. If this flag is set to false, creating
# a key with its export usage flag set to true will return a PsaErrorNotPermitted error.
#allow_export = true
# Example of a TPM provider configuration
#[[provider]]
# ⚠
# ⚠ WARNING: Provider name cannot change.
# ⚠ WARNING: Choose a suitable naming scheme for your providers now.
# ⚠ WARNING: Provider name defaults to "tpm-provider" if not provided, you will not be able to change
# ⚠ the provider's name from this if you decide to use the default.
# ⚠ WARNING: Changing provider name after use will lead to loss of existing keys.
# ⚠
# (Optional) The name of the provider
#name = "tpm-provider"
#provider_type = "Tpm"
#key_info_manager = "sqlite-manager"
# (Required) TPM TCTI device to use with this provider. The string can include configuration values - if no
# configuration value is given, the defaults are used. Options are:
# - "device": uses a TPM device available as a file node; path can be given as a configuration string,
# e.g "device:/path/to/tpm". The default path is /dev/tpm0, but this default is only suitable in deployments
# where Parsec would have exclusive usage of the device, and where Parsec is executing at a sufficiently high
# privilege for such access. It is more common for the TPM device to be managed by an Access Broker / Resource
# Manager (ABRM) component, either within the kernel or via a userspace daemon (the TABRMD). Trying to
# use /dev/tpm0 directly in such cases will lead to "device busy" errors on service start-up. Instead, Parsec should
# normally be configured to access the TPM via the suitable ABRM. To use the in-kernel ABRM, the "device"
# setting should be configured to use the managed TPM device path, typically /dev/tpmrm0. Permissions on this
# device are normally less restrictive. In most Linux distributions, this device can be accessed by any user
# within the "tss" group, so whatever user the Parsec service is running as should be made a member of this group.
# To use the userspace ABRMD, adopt the "tabrmd" setting below, instead of "device".
# - "mssim": uses the TPM simulator server with the socket; server path and/or port can be given as configuration values,
# e.g. "mssim:host=168.0.1.1,port=1234"; "host" can be set to IPv4, IPv6 or a hostname; default values are
# "localhost" for "host" and 2321 for "port"
# - "tabrmd": uses the TPM2 Access Broker & Resource Management Daemon; dbus name and type ("session" or
# "system") can be given as parameters: e.g. "tabrmd:bus_name=some.bus.Name,bus_type=session"; default
# values are "com.intel.tss2.Tabrmd" for "bus_name" and "system" for "bus_type"
#tcti = "mssim"
# (Required) Authentication value for performing operations on the TPM Owner Hierarchy. The string can
# be empty, however we strongly suggest that you use a secure passcode.
# To align with TPM tooling, PARSEC allows "owner_hierarchy_auth" to have a prefix indicating a string value,
# e.g. "str:password", or to represent a string version of a hex value, e.g. "hex:1a2b3c". If no prefix is
# provided, the value is considered to be a string.
#owner_hierarchy_auth = "password"
# (Optional) Authentication value for performing operations on the TPM Endorsement Hierarchy. The string can
# be empty, however we strongly suggest that you use a secure passcode.
# This authentication value is used for operations that rely on keys stored in the Endorsement Hierarchy, e.g.
# key attestation using the default Endorsement Key.
# To align with TPM tooling, PARSEC allows "endorsement_hierarchy_auth" to have a prefix indicating a string value,
# e.g. "str:password", or to represent a string version of a hex value, e.g. "hex:1a2b3c". If no prefix is
# provided, the value is considered to be a string.
#endorsement_hierarchy_auth = "password"
# (Optional) Allows the service to still start without this provider if there is no TPM on the system. The priority list of providers will be as if this provider was commented out.
#skip_if_no_tpm = false
# Example of a CryptoAuthLib provider configuration
# All below parameters depend on what devices, interfaces or parameters are required or supported by
# "rust-cryptoauthlib" wrapper for cryptoauthlib and underlying hardware.
#[[provider]]
# ⚠
# ⚠ WARNING: Provider name cannot change.
# ⚠ WARNING: Choose a suitable naming scheme for your providers now.
# ⚠ WARNING: Provider name defaults to "cryptoauthlib-provider" if not provided, you will not be able to change
# ⚠ the provider's name from this if you decide to use the default.
# ⚠ WARNING: Changing provider name after use will lead to loss of existing keys.
# ⚠
# (Optional) The name of the provider
#name = "cryptoauthlib-provider"
#provider_type = "CryptoAuthLib"
#key_info_manager = "sqlite-manager"
##########
# (Required) Interface for ATCA device
# Supported values: "i2c", "test-interface"
#iface_type = "i2c"
##########
# (Required) ATCA device type.
# Supported values: "atecc508a", "atecc608a", "always-fail", "always-success", "fail-unimplemented"
#device_type = "atecc508a"
##########
# (Optional) Default wake delay for ATCA device
# - required for hardware interfaces (e.g. i2c)
#wake_delay = 1500
##########
# (Optional) Default number of rx retries for ATCA device
# - required for hardware interfaces (e.g. i2c)
#rx_retries = 20
##########
# (Optional) i2c slave addres
# - required for i2c
#slave_address = 0xc0
##########
# (Optional) i2c bus number
# - required for i2c
#bus = 1
##########
# (Optional) i2c bus baud rate
# - required for i2c
#baud = 400000
##########
# (Optional) Atecc access key configuration file
# - required for i2c
# - this file contains potentially sensitive data, it should be stored in folder where only 'parsec' user may access it
#access_key_file_name = "/etc/parsec/cal_access_keys.toml"
###########
# Tree:
# iface_type = ["test-interface", "i2c"]
#
# iface_type = "test-interface"
# device_type = ["always-fail", "always-success", "fail-unimplemented"]
# iface_type = "i2c"
# device_type = ["atecc508a", "atecc608a"]
# wake_delay = <number>
# rx_retries = <number>
# slave_address = <number>
# bus = <number>
# baud = <number>
# Example of a Trusted Service provider configuration.
#[[provider]]
# ⚠
# ⚠ WARNING: Provider name cannot change.
# ⚠ WARNING: Choose a suitable naming scheme for your providers now.
# ⚠ WARNING: Provider name defaults to "trusted-service-provider" if not provided, you will not be able to change
# ⚠ the provider's name from this if you decide to use the default.
# ⚠ WARNING: Changing provider name after use will lead to loss of existing keys.
# ⚠
# (Optional) The name of the provider
#name = "trusted-service-provider"
# (Required) Type of provider.
#provider_type = "TrustedService"
# (Required) Name of key info manager that will support this provider.
#key_info_manager = "sqlite-manager"