keylime_verifier

Keylime verifier service for agent attestation

Manual section:

8

Author:

Keylime Developers

Date:

September 2025

SYNOPSIS

keylime_verifier

(Most operations require root privileges, use with sudo)

DESCRIPTION

The verifier is a long-running service that periodically attests the agents that have been added to it. It queries the registrar (see registrar_ip and registrar_port) for each agent's identity data, and can optionally evaluate measured boot event logs and persist attestation evidence (durable attestation). The service takes no command-line options; its behavior is set in its configuration file and through environment variables, and agents are added to and removed from it with keylime_tenant(1).

CONFIGURATION

Primary configuration is read from /etc/keylime/verifier.conf (or an override via env). All options are under the [verifier] section.

Essentials:

  • mode: Attestation mode (pull or push). Default: pull

  • uuid: Unique identifier for this verifier instance

  • ip, port: Bind address and HTTP port. Use a concrete address to limit the verifier to one interface, 0.0.0.0 to listen on all IPv4 interfaces, or :: to listen on all IPv6 interfaces (which also accepts IPv4 on dual-stack hosts).

  • registrar_ip, registrar_port: Registrar endpoint

  • enable_agent_mtls: Require mutual TLS for connections with agents and the tenant. Disabling it leaves the verifier API unauthenticated; do not do so outside a test environment.

  • tls_dir: TLS material location

    • generate: auto-generate CA, client and server keys/certs under $KEYLIME_DIR/cv_ca

    • default: use existing materials under $KEYLIME_DIR/cv_ca

  • server_key, server_key_password, server_cert: Server TLS files

  • client_key, client_key_password, client_cert: Client TLS files

  • trusted_client_ca, trusted_server_ca: CA lists

  • database_url: SQLAlchemy URL; value sqlite maps to $KEYLIME_DIR/cv_data.sqlite

  • database_pool_sz_ovfl: Connection pool size and maximum overflow, as "size,overflow" (ignored when database_url = sqlite)

  • auto_migrate_db: Apply DB migrations on startup

  • num_workers: Number of worker processes (0 = CPU count)

  • max_workers: Maximum worker processes; actual count is min(cpu_count, max_workers) (0 = no limit, default 16)

  • exponential_backoff, retry_interval, max_retries: Retry behavior for agent comm

  • quote_interval: Time between integrity checks (seconds)

  • max_upload_size: Upload size limit (bytes)

  • request_timeout: Agent request timeout (seconds)

  • shutdown_drain_timeout: Max time (seconds) to wait for in-flight operations during shutdown

  • measured_boot_policy_name, measured_boot_imports, measured_boot_evaluate: measured boot policy settings

  • severity_labels, severity_policy: revocation severity config

  • ignore_tomtou_errors: Tolerate ToMToU (time-of-measure, time-of-use) violation entries in the IMA measurement list instead of failing attestation on them (bool)

  • durable_attestation_import and related persistent_store_url, transparency_log_url, time_stamp_authority_url, time_stamp_authority_certs_path, persistent_store_format, persistent_store_encoding, transparency_log_sign_algo, signed_attributes: durable attestation

  • require_allow_list_signatures: require signed allowlists (bool)
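The options above are easy to leave at lab values. The following script is an added example and not part of Keylime: it reads the [verifier] section of a verifier.conf with configparser and reports the settings a reviewer would flag, next to a hardened counterpart of the same file. Both config texts are constructed for illustration; the option names are the ones documented on this page, while the fallback defaults (enable_agent_mtls on, require_allow_list_signatures off) and the finding texts are assumptions of this example.

```python
"""Lint a keylime verifier.conf for settings that should not reach production.

Added example, not Keylime code. It reads only the [verifier] section and
returns a list of findings; an empty list means nothing was flagged.
"""
import configparser

# Constructed sample: a verifier.conf as it often looks after a quick lab setup.
SAMPLE_CONF = """\
[verifier]
mode = pull
uuid = default
ip = 0.0.0.0
port = 8881
registrar_ip = 127.0.0.1
registrar_port = 8891
enable_agent_mtls = False
tls_dir = generate
database_url = sqlite
auto_migrate_db = True
require_allow_list_signatures = False
quote_interval = 2
request_timeout = 60
"""

# Constructed hardened counterpart: same layout with every finding addressed.
# The PostgreSQL URL and the 10.0.0.x addresses are placeholders.
HARDENED_CONF = """\
[verifier]
mode = pull
uuid = default
ip = 10.0.0.5
port = 8881
registrar_ip = 10.0.0.6
registrar_port = 8891
enable_agent_mtls = True
tls_dir = default
database_url = postgresql://keylime:secret@db.internal/cv_data
auto_migrate_db = True
require_allow_list_signatures = True
quote_interval = 2
request_timeout = 60
"""

TRUE_VALUES = {"true", "on", "yes", "1"}


def _is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def lint_verifier_conf(text: str) -> list[str]:
    """Return the findings for one verifier.conf text (empty when clean)."""
    # interpolation=None so a '%' in a database password is not expanded.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("verifier"):
        return ["missing [verifier] section"]
    v = cp["verifier"]
    findings: list[str] = []

    # Assumed default: mTLS enabled. Off means any host that can reach the
    # port can talk to the verifier API unauthenticated.
    if not _is_true(v.get("enable_agent_mtls", "True")):
        findings.append("enable_agent_mtls is off: agent/tenant traffic is unauthenticated")

    # Wildcard binds are worth an explicit decision, even with mTLS on.
    ip = v.get("ip", "127.0.0.1").strip()
    if ip in ("0.0.0.0", "::"):
        findings.append(f"ip = {ip}: API listens on every interface; confirm this is intended")

    # generate bootstraps a throwaway CA under $KEYLIME_DIR/cv_ca; a managed
    # deployment should point tls_dir at CA material it controls.
    if v.get("tls_dir", "default").strip() == "generate":
        findings.append("tls_dir = generate: self-generated CA rather than a managed one")

    # Assumed default: off. Unsigned runtime policies can be swapped by anyone
    # who can submit them through the tenant path.
    if not _is_true(v.get("require_allow_list_signatures", "False")):
        findings.append("require_allow_list_signatures is off: runtime policies are not signature-checked")

    # sqlite is fine for a single node; flag it so operators know where state lives.
    if v.get("database_url", "sqlite").strip() == "sqlite":
        findings.append("database_url = sqlite: state lives in $KEYLIME_DIR/cv_data.sqlite, single host only")

    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(lint_verifier_conf(conf))} finding(s)")
        for finding in lint_verifier_conf(conf):
            print("  -", finding)
```

Run it against a real file with lint_verifier_conf(open("/etc/keylime/verifier.conf").read()); the sample config produces five findings and the hardened one none. The checks are deliberately conservative: they only read values, never connect to the registrar or database, so the script can run on a build host before the service is deployed.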

ENVIRONMENT

  • KEYLIME_VERIFIER_CONFIG: Path to verifier.conf (highest priority)

  • KEYLIME_LOGGING_CONFIG: Path to logging.conf

  • KEYLIME_DIR: Working directory (default: /var/lib/keylime)

  • KEYLIME_TEST: on/true/1 enables testing mode (relaxed checks; the working directory becomes the current directory instead of $KEYLIME_DIR). Never set this on a production verifier.

FILES

  • /etc/keylime/verifier.conf

  • /etc/keylime/logging.conf

  • $KEYLIME_DIR/cv_data.sqlite (when database_url = sqlite)

  • $KEYLIME_DIR/cv_ca (when tls_dir = default or generate)

  • systemd unit: keylime_verifier.service

RUNTIME

Start from system install:

sudo keylime_verifier

Start as a systemd service:

systemctl enable --now keylime_verifier

Open the verifier port in the firewall (8881 is the default; adjust if you changed port, and restrict the rule to the zone that faces your agents and tenant rather than every interface):

firewall-cmd --add-port=8881/tcp
firewall-cmd --runtime-to-permanent

NOTES

  • Verifier initializes measured boot components on startup.

  • With tls_dir = generate, the verifier creates CA/keys/certs in $KEYLIME_DIR/cv_ca used by other components.

SEE ALSO

keylime_registrar(8), keylime_tenant(1), keylime_agent(8), keylime_push_model_agent(8)

BUGS

Report bugs at https://github.com/keylime/keylime/issues