forked from parallaxsecond/parsec
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig.toml
213 lines (188 loc) · 10 KB
/
config.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
# Parsec Configuration File
# (Required) Core settings apply to the service as a whole rather than to individual components within it.
[core_settings]
# Whether or not to allow the service to run as the root user. If this is false, the service will refuse to
# start if it is run as root. If this is true, the safety check is disabled and the service will be allowed to
# start even if it is being run as root. The recommended (and default) setting is FALSE; allowing Parsec to
# run as root violates the principle of least privilege.
#allow_root = false
# Size of the thread pool used for processing requests. Defaults to the number of processors on
# the machine.
#thread_pool_size = 8
# Duration of sleep when the connection pool is empty. This can limit the response
# times for requests and so should be set to a low number. Default value is 10.
#idle_listener_sleep_duration = 10 # in milliseconds
# Log level to be applied across the service. Can be overwritten for certain modules which have the same
# configuration key. Possible values: "debug", "info", "warn", "error", "trace"
# WARNING: This option will not be updated if the configuration is reloaded with a different one.
#log_level = "warn"
# Control whether log entries contain a timestamp.
#log_timestamp = false
# Decide how large (in bytes) request bodies can be before they get rejected automatically.
# Defaults to 1MB.
#body_len_limit = 1048576
# Decide whether detailed information about errors occuring should be included in log messages.
# WARNING: the details might include sensitive information about the keys used by Parsec clients,
# such as key names or policies
#log_error_details = false
# Decide how large (in bytes) buffers inside responses from this provider can be. Requests that ask
# for buffers larger than this threshold will be rejected. Defaults to 1MB.
#buffer_size_limit = 1048576
# (Required) Configuration for the service IPC listener component.
[listener]
# (Required) Type of IPC that the service will support.
listener_type = "DomainSocket"
# (Required) Timeout of the read and write operations on the IPC channel. After the
# timeout expires, the connection is dropped.
timeout = 200 # in milliseconds
# Specify the Unix Domain Socket path. The path is fixed and should always be the default one for
# clients to connect. However, it is useful to change it for tests.
# WARNING: If a file already exists at that path, the service will remove it before creating the
# socket file.
#socket_path = "/run/parsec/parsec.sock"
# (Required) Authenticator configuration.
# WARNING: the authenticator MUST NOT be changed if there are existing keys stored in Parsec.
# In a future version, Parsec might support multiple authenticators, see parallaxsecond/parsec#271
# for details.
[authenticator]
# (Required) Type of authenticator that will be used to authenticate clients' authentication
# payloads.
# Possible values: "Direct", "UnixPeerCredentials" and "JwtSvid".
# WARNING: The "Direct" authenticator is only secure under specific requirements. Please make sure
# to read the Recommendations on a Secure Parsec Deployment at
# https://parallaxsecond.github.io/parsec-book/parsec_security/secure_deployment.html
auth_type = "UnixPeerCredentials"
# List of admins to be identified by the authenticator.
# The "name" field of each entry in the list must contain the application name (as required by the
# identifier in `auth_type`). For example, for `UnixPeerCredentials`, the names should be UIDs of
# the admin users.
# WARNING: Admins have special privileges and access to operations that are not permitted for normal
# users of the service. Only enable this feature with some list of admins if you are confident
# about the need for those permissions.
# Read more here: https://parallaxsecond.github.io/parsec-book/parsec_client/operations/index.html#core-operations
#admins = [ { name = "admin_1" }, { name = "admin_2" } ]
# (Required only for JwtSvid) Location of the Workload API endpoint
# WARNING: only use this authenticator if the Workload API socket is TRUSTED. A malicious entity
# owning that socket would have access to all the keys owned by clients using this authentication
# method. This path *must* be trusted for as long as Parsec is running.
#workload_endpoint="unix:///run/spire/sockets/agent.sock"
# (Required) Configuration for the components managing key info for providers.
# Defined as an array of tables: https://github.com/toml-lang/toml#user-content-array-of-tables
[[key_manager]]
# (Required) Name of the key info manager. Used to tie providers to the manager supporting them.
name = "on-disk-manager"
# (Required) Type of key info manager to be used.
manager_type = "OnDisk"
# Path to the location where the mapping will be persisted (in this case, the filesystem path)
#store_path = "/var/lib/parsec/mappings"
# (Required) Provider configurations.
# Defined as an array of tables: https://github.com/toml-lang/toml#user-content-array-of-tables
# IMPORTANT: The order in which providers below are declared matters: providers should be listed
# in terms of priority, the highest priority provider being declared first in this file.
# The first provider will be used as default provider by the Parsec clients. See below example
# configurations for the different providers supported by the Parsec service.
# Example of an Mbed Crypto provider configuration.
[[provider]]
# (Required) Type of provider.
provider_type = "MbedCrypto"
# (Required) Name of key info manager that will support this provider.
# NOTE: The key info manager only holds mappings between Parsec key name and Mbed Crypto ID, along
# with other metadata associated with the key. The keys themselves, however, are stored by the Mbed
# Crypto library by default within the working directory of the service, NOT in the same location
# as the mappings mentioned previously. If you want the keys to be persisted across reboots, ensure
# that the working directory is not temporary.
key_info_manager = "on-disk-manager"
# Example of a PKCS 11 provider configuration
#[[provider]]
#provider_type = "Pkcs11"
#key_info_manager = "on-disk-manager"
# (Required for this provider) Path to the location of the dynamic library loaded by this provider.
# For the PKCS 11 provider, this library implements the PKCS 11 API on the target platform.
#library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
# (Required) PKCS 11 slot that will be used by Parsec.
#slot_number = 123456789
# (Optional) User pin for authentication with the specific slot. If not set, no authentication will
# be used.
#user_pin = "123456"
# (Optional) Control whether missing public key operation (such as verifying signatures or asymmetric
# encryption) are fully performed in software.
#software_public_operations = false
# Example of a TPM provider configuration
#[[provider]]
#provider_type = "Tpm"
#key_info_manager = "on-disk-manager"
# (Required) TPM TCTI device to use with this provider. The string can include configuration values - if no
# configuration value is given, the defaults are used. Options are:
# - "device": uses a TPM device available as a file node; path can be given as a configuration string,
# e.g "device:/path/to/tpm"; the default path is /dev/tpm0
# - "mssim": uses the TPM simulator server with the socket; server path and/or port can be given as configuration values,
# e.g. "mssim:host=168.0.1.1,port=1234"; "host" can be set to IPv4, IPv6 or a hostname; default values are
# "localhost" for "host" and 2321 for "port"
# - "tabrmd": uses the TPM2 Access Broker & Resource Management Daemon; dbus name and type ("session" or
# "system") can be given as parameters: e.g. "tabrmd:bus_name=some.bus.Name,bus_type=session"; default
# values are "com.intel.tss2.Tabrmd" for "bus_name" and "system" for "bus_type"
#tcti = "mssim"
# (Required) Authentication value for performing operations on the TPM Owner Hierarchy. The string can
# be empty, however we strongly suggest that you use a secure passcode.
# To align with TPM tooling, PARSEC allows "owner_hierarchy_auth" to have a prefix indicating a string value,
# e.g. "str:password", or to represent a string version of a hex value, e.g. "hex:1a2b3c". If no prefix is
# provided, the value is considered to be a string.
#owner_hierarchy_auth = "password"
# Example of a CryptoAuthLib provider configuration
# All below parameters depend on what devices, interfaces or parameters are required or supported by
# "rust-cryptoauthlib" wrapper for cryptoauthlib and underlying hardware.
#[[provider]]
#provider_type = "CryptoAuthLib"
#key_info_manager = "on-disk-manager"
##########
# (Required) Interface for ATCA device
# Supported values: "i2c", "test-interface"
#iface_type = "i2c"
##########
# (Required) ATCA device type.
# Supported values: "atecc508a", "atecc608a", "always-fail", "always-success", "fail-unimplemented"
#device_type = "atecc508a"
##########
# (Optional) Default wake delay for ATCA device
# - required for hardware interfaces (e.g. i2c)
#wake_delay = 1500
##########
# (Optional) Default number of rx retries for ATCA device
# - required for hardware interfaces (e.g. i2c)
#rx_retries = 20
##########
# (Optional) i2c slave addres
# - required for i2c
#slave_address = 0xc0
##########
# (Optional) i2c bus number
# - required for i2c
#bus = 1
##########
# (Optional) i2c bus baud rate
# - required for i2c
#baud = 400000
##########
# (Optional) Atecc access key configuration file
# - required for i2c
# - this file contains potentially sensitive data, it should be stored in folder where only 'parsec' user may access it
#access_key_file_name = "/etc/parsec/cal_access_keys.toml"
###########
# Tree:
# iface_type = ["test-interface", "i2c"]
#
# iface_type = "test-interface"
# device_type = ["always-fail", "always-success", "fail-unimplemented"]
# iface_type = "i2c"
# device_type = ["atecc508a", "atecc608a"]
# wake_delay = <number>
# rx_retries = <number>
# slave_address = <number>
# bus = <number>
# baud = <number>
# Example of a Trusted Service provider configuration.
#[[provider]]
# (Required) Type of provider.
#provider_type = "TrustedService"
# (Required) Name of key info manager that will support this provider.
#key_info_manager = "on-disk-manager"