Keylime MCP

A Model Context Protocol (MCP) server for Keylime, the remote attestation framework for cloud and edge systems.

Requirements

This MCP server is a helper tool for working with Keylime. You need:

• A running Keylime verifier and Keylime registrar
• Keylime agents to monitor
• Network access to the Keylime API endpoints
• MCP Client (Claude Desktop, Cline, etc.) OR Podman for containers

Usage

There are two ways to use this MCP server:

Option 1: With MCP Client (Claude Desktop, Cline, etc.)

Build the server:

make build-server

You can move the binary anywhere you want (e.g., /usr/local/bin/server).

Add to your MCP client config (e.g., ~/.config/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "keylime": {
      "command": "/full/path/to/keylime-mcp/bin/server",
      "env": {
        "KEYLIME_CERT_DIR": "/full/path/to/keylime/certs/dir"
      }
    }
  }
}

Replace /full/path/to/keylime-mcp with your actual path!

Replace /full/path/to/keylime/certs/dir with your cert directory! Certs should be in /var/lib/keylime/cv_ca but need read permissions.

Restart your MCP client. Done.

Option 2: Web UI

make run

Access at http://localhost:3000

Commands

• make install - Full setup (check deps, env, certs, build)
• make check-deps - Verify Go is installed and certs are readable
• make setup-certs - Grant read access to Keylime certs (requires sudo)
• make build-server - Build MCP server binary
• make build - Build everything (server + client)
• make run - Build and run
• make start - Run pre-built binary (no compilation)

About Keylime

Keylime is an open-source remote attestation framework that provides:

• Measured Boot verification via TPM
• Runtime Integrity monitoring with IMA
• Secure Enrollment and key management
• Policy-based Attestation with automated responses

Contributing

Contributions are welcome! This is an experimental project to explore MCP integration with Keylime.

License

Apache-2.0

Resources

• Keylime Documentation
• Keylime GitHub
• Model Context Protocol