diff --git a/src/practices-keylime.md b/src/practices-keylime.md new file mode 100644 index 0000000000000000000000000000000000000000..e4856b8fff5d48e3a955163a23168c05ffabdc70 --- /dev/null +++ b/src/practices-keylime.md 
@@ -0,0 +1,450 @@ +# keylime概述 + +[Keylime](https://github.com/keylime/keylime) 是一个利用可信计算TPM 技术的开源可扩展信任系统。Keylime已经进入CNCF项目且被Redhat等多个主流发行版集成。Keylime 提供了一种端到端解决方案,用于为远程计算机引导基于硬件的加密信任、加密负载的配置以及运行时系统完整性监控。 它还为任何给定 PCR(平台配置寄存器)的远程证明提供了灵活的框架。 用户可以创建自己的自定义操作,当机器未通过其验证测量时将触发这些操作。 + +Keylime 的使命是让开发人员和用户能够轻松使用 TPM 技术,而无需深入了解 TPM 较低级别的操作。 在许多场景中,租户需要对于不受自己完全控制的机器的远程证明(例如混合云的消费者或位于不安全的、容易被篡改的物理位置的远程边缘/物联网设备)。 + +通过 CLI 应用程序和一组 RESTful APIs(包括http和https,其中https相关的RESTful APIs采用mTLS握手协议) 来执行和管理keylime。 + +Keylime 由三个主要组件组成;verifier、registrar和agent。 +- verifer持续验证运行agent的计算机的完整性状态。 +- registrar是在 Keylime 中注册的所有agent的数据库,并托管 TPM 供应商的公钥。 +- agent部署在要监控的TPM机器上 + +此外keylime还提供tenant工具便于用户远程管理agent。 + +# 龙蜥社区在keylime社区的工作与探索 + +龙蜥社区自其可信计算SIG成立以外,一直在关注可信计算业界进展和国际OSV厂商的可信计算方案。同时龙蜥社区在keylime社区积极贡献代码与适配,一共在rust-keylime和keylime两个仓库提交16个patch,包括多个features、bugfixes和文档。详见[keylime release notes](https://github.com/keylime/keylime/releases)和[rust-keylime](https://github.com/keylime/rust-keylime/releases), 具体包括: +- features:集成龙蜥anolis以及下游阿里云Alibaba Cloud Linux OS的安装代码、集成阿里云vTPM EK证书、支持keylime安装时选择缺省的监听端口等。 +- bugfixes: 修复measure boot时处理部分eventlog出错、修复rust-keylime跟keylime RESTful APIs版本和接口不一致、移除无用的代码等。 +- 文档:修复安装文档和实践文档中多处命令错误等。 + +在完成keylime的适配和实践后,龙蜥社区也将自己的keylime经验写入到白皮书中。未来,龙蜥社区除了继续加强与keylime社区的沟通和贡献(参与keylime rust化)外,还将结合自己在国密/国产化/机密计算的积累围绕keylime开展一些国密、国产化、机密计算相关的工作,尽情期待。 + +# 龙蜥Anolis OS上keylime实践 +## Anolis OS上keylime安装与配置、运行 +### 安装 + +keylime分为两个代码仓库: +- [keylime](https://github.com/keylime/keylime):包含除了agent以外的其它keylime组件(verifier,registrar,tenant) +- [rust-keylime](https://github.com/keylime/rust-keylime): 包含keylime的agent组件 + +#### 安装keylime + +根据以下命令在anolis (以anolis 8.8为例) 上安装keylime + +```shell +yum install -y git jq +git clone https://github.com/keylime/keylime.git +cd keylime +./installer.sh -i +``` + +#### 安装rust-keylime + +根据以下命令在anolis(以anolis 8.8为例)上安装rust-keylime(keylime agent) + +1. 
安装tpm2-tss软件包(**如果keylime agent跟keylime 其它组件安装在一台机器,则这一步可以省略**) + +```shell +yum install -y git openssl-devel json-c-devel libcurl-devel libuuid-devel m4 libtool automake autoconf autoconf-archive +git clone https://github.com/tpm2-software/tpm2-tss.git +pushd tpm2-tss +./bootstrap +./configure --prefix=/usr +make +sudo make install +popd +``` + +2. 安装tpm2-tools软件包(**如果keylime agent跟keylime 其它组件安装在一台机器,则这一步可以省略**) +```shell +git clone https://github.com/tpm2-software/tpm2-tools.git +pushd tpm2-tools +./bootstrap +./configure --prefix=/usr/local +make +sudo make install +popd +``` + +3. 安装rust-keylime +```shell +yum install -y libarchive-devel clang-devel rust cargo openssl-devel jq +git clone https://github.com/keylime/rust-keylime.git +cd rust-keylime +cargo build +make install +useradd keylime +mkdir -p /var/lib/keylime/cv_ca +# 将keylime verifier机器上的/var/lib/keylime/cv_ca/cacert.crt拷贝到agent机器上/var/lib/keylime/cv_ca/目录下,以便于后续Agent侧https RESTful APIs的访问 +chown -R keylime /var/lib/keylime +``` + +### 配置 +#### verifier配置 + +`/etc/keylime/verifier.conf`为verifier的缺省配置。一般情况下不需要进行修改(当然您也可以根据您的需求进行修改)。 + +#### registrar配置 + +`/etc/keylime/registrar.conf`为registrar的缺省配置。一般情况下不需要进行修改(当然您也可以根据您的需求进行修改)。 + +#### agent配置 + +`/etc/keylime/agent.conf`为agent的缺省配置。当agent跟verifier、registrar部署在同一台机器时,不需要修改agent的配置;否则需要修改agent监听的IP、contact_ip(verifier和tenant用来连接的agent IP)、registrar的IP以便于正确注册和通信。 + +#### tenant配置 + +`/etc/keylime/tenant.conf`为tenant的缺省配置。一般情况下不需要进行修改(当然您也可以根据您的需求进行修改)。 + +### 运行 + +启动方式: +1. 
以二进制方式启动verifier、registrar和agent: +```shell +keylime_verifier & +keylime_registrar & +RUST_LOG=debug keylime_agent & +``` + +- ![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691735004148-a8851d2e-78f7-4bc7-a345-b680ec76c859.png) +- ![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691735017966-82c855d3-d190-4054-b0e4-8b30f38ef1a1.png) +- ![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691740824910-d78537dd-c737-4aa8-9eda-df9aaf8e1e6d.png) + +2. 以systemd方式启动verifier、registrar(具体命令如下) + +```shell +cd keylime +./services/installer.sh +systemctl start keylime_verifier +systemctl start keylime_registrar +systemctl start keylime_agent +``` + +- ![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691735031725-7d9744d3-eca7-4902-90d7-d54c49f2d6b5.png) +- ![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691740620033-4ef6d497-edb8-405f-98c9-cc1c59049576.png) + +## 用Restful API去监控/管理Anolis OS上的各个keylime组件 +### registrar + +这里的registrar IP请根据自己的实际IP进行修改 + +#### GET /v2.1/agents/ + +用来获取注册的agents列表,具体命令如下: + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8891/v2.1/agents" | jq . +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691742046552-32684038-4377-408d-a06a-ed8a85534e92.png) + +#### GET /v2.1/agents/{agent_id:UUID} + +获取对应agent的EK证书、 + +命令如下: + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8891/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000" | jq . 
+``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691742182879-eea791a1-1f94-4baa-aea7-34fb92c08d27.png) + +#### PUT /v2.1/agents/{agent_id:UUID}/activate + +激活agent_id的agent,注意**这是一个http请求,不是https,如果用https会提示这个不是TLS接口** +命令如下: + +```shell +curl -k -X PUT "http://127.0.0.1:8890/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000/activate" -H 'Content-Type: application/json' -d '{"auth_tag":"166be150040c57b4e2c69ad7a5dd4c57059e5838a1df4715872f6e385e8ce1ed91f22b5e42b46a792718c7cb70f044d5"}' | jq . +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691742275699-4a0668ae-edb5-4a48-a2f4-ea744fb46160.png) + +#### DELETE /v2.1/agents/{agent_id:UUID} + +Remove agent agent_id from registrar + +具体命令如下: + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k -X DELETE "https://127.0.0.1:8891/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000" | jq . +``` + +此时再查看发现没有该agent了, 使用该命令 + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8891/v2.1/agents" | jq . 
+``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691742405235-772ad1f3-480c-468c-b827-d491ffc6037c.png) + +#### POST /v2.1/agents/{agent_id:UUID} + +注册agent_id的agent到registrar.**这是一个http不是https的请求。** +当使用http时 + +```shell +# curl -X POST "http://127.0.0.1:8890/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000" -H 'Content-Type: application/json' -d '{ "ekcert": "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", "aik_tpm": "ARgAAQALAAUAcgAAABAAFAALCAAAAAAAAQC7R7SiAAExqqCZJ60cTJXxcYMCRsctsh96vX/f2T31DMrB6SnCMV9euHlMUCUs2HT5mT2uvB+sBgy4pCMrWUtsldFuvfZtwu0XVsoXmnFiVEV6gYTkhC+CQwQNKNzp3m2lB2UojHGXGMscq8Ka7yiDse8tYhFshVFNMS1j2xnK4g0fdkVBv+oaArvB6A/XlVasuLZGvrQRPa/qr7Wqvc6qk2eSm74NLIqRf7PdzGtuYsqWBhWc4wpiEKvJn7vvcXJZLz6X7buWfBTpV6/KfDTjK7QnFOkwXw/4Y8QXAriegXAbt2bcF0tmnFa6XKuGCg2zW3W7ixNlrG9EpT1SpxCz", "ip": "127.0.0.1","port": 9002}' | jq . +``` + +此时再查看发现新增对应的agent了, 使用该命令 + +```shell +# curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8891/v2.1/agents" | jq . +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691742604676-6f20a3d9-1380-4465-9604-c701a501944d.png) + +### verifier + +#### GET /v2.1/agents/{agent_id:UUID} + +从CV中获取agent `agent_id`的状态。 + +具体命令如下: + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8881/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000" | jq . +``` + +测试截图 + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691746520169-0152c2ab-32b4-477f-a196-88318925e1a2.png) + +#### PUT /v2.1/agents/{agent_id:UUID}/stop + +停止对 `agent_id` 的 cv 轮询,但不要删除(对于已经启动的 agent_id)。 + +具体命令如下: + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k -X PUT "https://127.0.0.1:8881/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000/stop" | jq . 
+``` + +测试截图 + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691746611789-3697624c-7bfc-44ef-ba22-c4b4f7144a7c.png) + +#### DELETE /v2.1/agents/{agent_id:UUID} + +删除 agent_id实例。 + +具体命令如下: + +```shell +# curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k -X DELETE "https://127.0.0.1:8881/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000" | jq . +``` + +然后执行以下命令查看: + +```shell +# curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://121.0.0.1:8881/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000" | jq . +``` + +测试截图 + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691746838009-ee7d521a-de01-469a-badd-df3a56d46cc4.png) + +#### GET /v2.1/allowlists/{runtime_policy_name:string} + +从 CV 中检索命名的运行时策略 runtime_policy_name。 + +具体命令如下: + +```shell +# curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8881/v2.1/allowlists/tpm" | jq . +# curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8881/v2.1/allowlists/test" | jq . +``` + +tpm的policy创建了,所以是有的 + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691753046322-299ecabe-cea7-474f-8c3c-16b21cf3604d.png) + +因为test我们没有创建和添加,所以查询是没有的 + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691753198206-4ba199ee-0943-4b10-aeaa-f656876c2cac.png) + +#### DELETE /v2.1/allowlist/{runtime_policy_name:string} + +删除 IMA policy `runtime_policy_name`. + +删除已有的`tpm` policy,然后再测试,发现`tpm`没了 + +```shell +# curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8881/v2.1/allowlists/tpm" | jq . 
+# curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -X DELETE -k "https://127.0.0.1:8881/v2.1/allowlists/tpm" | jq . +# curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8881/v2.1/allowlists/test" | jq . +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691753549321-03ad1af9-5dd3-4fb9-88d6-7cb1f5bd78f8.png) + +删除一个不存在的policy test,会报错 + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -X DELETE -k "https://127.0.0.1:8881/v2.1/allowlists/test" | jq . +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691753558088-3010c876-d199-4432-93ba-129d37242dc3.png) + +### agent + +#### GET /version + +Returns what API version the agent supports. This endpoint might not be implemented by all agents. + +对应的命令如下: + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:9002/version" | jq . +``` + +结果截图如下: + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691745013033-9ff01fcc-b757-4b2a-93c4-a1353694aa68.png) + +#### GET /v2.1/keys/pubkey + +获取agent的公钥. + +对应的命令如下: + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:9002/v2.1/keys/pubkey" | jq . +``` + +结果截图如下: + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691745101144-e91da717-43e8-4592-b2fb-e2b2f67ebe12.png) + +#### GET /v2.1/quotes/identity + +Get identity quote from node + +对应的命令如下: + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:9002/v2.1/quotes/identity?nonce=1234567890ABCDEFHIJ" | jq . 
+``` + +结果截图如下: + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1690945718718-2333ced3-34bf-47a4-824b-fcac9805bfaf.png) + +#### GET /v2.1/quotes/integrity + +Get integrity quote from node + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:9002/v2.1/quotes/integrity?nonce=1234567890ABCDEFHIJ&mask=0x10401&partial=0" | jq . +``` + +结果截图如下: + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691745220787-b9613f49-efd2-4bd9-a9a2-a4a5a734f35d.png) + +#### GET /v2.1/keys/verify + +Get confirmation of bootstrap key derivation + +对应的命令如下: + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:9002/v2.1/keys/verify?challenge=1234567890ABCDEFHIJ" | jq . +``` + +截图结果如下(TPM实例没有bootstrap key): + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691745331527-7a3e22be-dcd3-477f-ab8c-696f2560c39e.png) + +## Anolis OS上keylime高级功能实践 +### User Selected PCR Monitoring + +参考: +- [User Selected PCR Monitoring](https://keylime.readthedocs.io/en/latest/user_guide/user_selected_pcr_monitoring.html) + +缺点: +- PCR数量优先,扩展性不好 + +配置tpm_policy并用keylime_tenant工具进行添加,具体命令如下 + +```shell +# keylime_tenant -v 121.43.60.253 -t 120.26.100.138 --uuid d432fbb3-d2f1-4a97-9ef7-75bd81c00000 --tpm_policy "{\"22\": [\"0000000000000000000000000000000000000001\", \"0000000000000000000000000000000000000000000000000000000000000001\", \"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001\", \"ffffffffffffffffffffffffffffffffffffffff\", \"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\", \"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\"], \"15\": [\"0000000000000000000000000000000000000000\", 
\"0000000000000000000000000000000000000000000000000000000000000000\", \"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"]}" -c add --cert /var/lib/keylime/cv_ca +INFO:keylime.config:Reading configuration from ['/etc/keylime/logging.conf'] +``` + +对应的截图如下: + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691746192516-c5d84e2e-c677-438d-9741-c3d63b2ef7b5.png) + +#### 监控 + +成功的case如下(agent时刻监控TPM PCRs的状态) + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691746272947-2c5dc3b8-bf2c-4bfc-8c2d-2b14e6af0dbe.png) + +### Use Measured Boot + +参考: +- [Use Measured Boot](https://keylime.readthedocs.io/en/latest/user_guide/use_measured_boot.html) + +第一步,生成measure boot policy + +```shell +cd keylime +./scripts/create_mb_refstate -i /sys/kernel/security/tpm0/binary_bios_measurements ./measured_boot_reference_state.json +cat ./measured_boot_reference_state.json | jq . +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691751357999-b9d6393d-3c1e-443c-b504-1a457ea7b5e0.png) + +用keylime_tenant工具进行添加mb_reference,对应的命令如下: + +```shell +keylime_tenant -c update -t 120.26.100.138 -v 121.43.60.253 -u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 --mb_refstate ./measured_boot_reference_state.json --cert /var/lib/keylime/cv_ca +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691751495723-a3ed228e-6521-4e46-b551-8d6855d2042e.png) + +agent侧查看轮询结果:时刻轮询/监控着是否有异常。 + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691751506214-660ed997-28b1-4662-afcd-6a31bd78802e.png) + +### Runtime Integrity Monitoring + +参考: +- [Runtime Integrity Monitoring](https://keylime.readthedocs.io/en/latest/user_guide/use_measured_boot.html) + +使用keylime_create_policy工具来生成policy: + +```shell +keylime_create_policy -m /sys/kernel/security/ima/ascii_runtime_measurements -o runtime_policy.json +cat runtime_policy.json | 
jq . +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691752688123-c8058faf-b4f5-404e-aa08-b130d3f8e8c1.png) + +使用keylime_tenant来添加runtime_policy: + +```shell +keylime_tenant -c update --uuid d432fbb3-d2f1-4a97-9ef7-75bd81c00000 -t 120.26.100.138 -v 121.43.60.253 --runtime-policy /root/runtime_policy.json --runtime-policy-name=tpm --cert /var/lib/keylime/cv_ca +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691752701674-c4b65354-2bb5-4d90-8653-b854569ec572.png) + +查看runtime policy + +```shell +curl --key /var/lib/keylime/cv_ca/client-private.pem --cert /var/lib/keylime/cv_ca/client-cert.crt -k "https://127.0.0.1:8881/v2.1/allowlists/tpm" | jq . +``` + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691752726734-65857254-a3fb-4316-ba32-dab701da582e.png) + +#### 监控IMA错误 + +从verifier的日志可以看到有一些没有进行IMA签名,无法验证,所有直接报错 + +![undefined](https://intranetproxy.alipay.com/skylark/lark/0/2023/png/136439/1691752719183-3f8eb685-0e20-4f8d-b361-0d9398eec49e.png)
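Review bot: the overview and the community section (the first two `#` headings of the new file) carry three wording slips that should be fixed before merge: the component list spells `verifer持续验证...` (should be `verifier`), `龙蜥社区自其可信计算SIG成立以外` should read `成立以来`, and the closing `尽情期待` should be `敬请期待`. The sentence `Keylime已经进入CNCF项目` is also vague; state the actual CNCF level the project holds rather than just "entered", since the README-style overview is what readers will quote.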
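Review bot: in the `安装rust-keylime` steps the `useradd keylime` / `chown -R keylime /var/lib/keylime` block does not explain why the user is needed or check that the agent can reach the TPM as that user; rust-keylime drops privileges to the `run_as` user and group from `agent.conf` (by default `keylime:tss`), so the `keylime` user must exist and belong to the `tss` group or the agent will not be able to open `/dev/tpmrm0`. Suggest `useradd -r -G tss keylime` (or documenting the `run_as` setting) and a one-line check such as `id keylime`. Two smaller points in the same region: the tpm2-tss block uses `--prefix=/usr` while the tpm2-tools block uses `--prefix=/usr/local`, so pick one prefix and state it; and `sudo make install` is mixed with un-`sudo`ed `yum install -y` and `chown`, so either assume root throughout or prefix every privileged command consistently.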
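Review bot: the `运行` section's second variant is headed `以systemd方式启动verifier、registrar` but the block also runs `systemctl start keylime_agent`, and `./services/installer.sh` from the `keylime` checkout only covers the Python services; say where the `keylime_agent` unit comes from (the rust-keylime install step) or drop that line from this variant. Across the whole file every screenshot is an `![undefined](https://intranetproxy.alipay.com/...)` link: the host is an internal proxy that readers outside the company cannot reach, and the alt text is `undefined`. Commit the images under the repo (e.g. alongside `src/practices-keylime.md`) and give each a descriptive alt text, or replace the screenshots with the pasted command output.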
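Review bot: every `curl` in the `用Restful API去监控/管理...` section passes `-k` together with `--key`/`--cert`, which presents the mTLS client certificate but disables verification of the verifier's and registrar's server certificates, so the examples teach readers to talk to an unauthenticated endpoint with a privileged client key. The CA is already on disk (the install step copies `/var/lib/keylime/cv_ca/cacert.crt` around for exactly this purpose), so replace `-k` with `--cacert /var/lib/keylime/cv_ca/cacert.crt` in the https commands; `-k` is only meaningful on the plain-http `8890` calls, where it does nothing and should be removed too. While there: the verifier `DELETE` follow-up command queries `https://121.0.0.1:8881/...` (typo for `127.0.0.1`), the heading `DELETE /v2.1/allowlist/{runtime_policy_name:string}` does not match the `/allowlists/` path used by the command below it and by the `GET` heading above, and `获取对应agent的EK证书、` is a sentence cut off at the enumeration comma.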
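Review bot: in `Anolis OS上keylime高级功能实践` the only listed drawback of PCR monitoring, `PCR数量优先,扩展性不好`, is a typo for `PCR数量有限` (limited, not prioritised), which inverts the meaning. The `keylime_tenant` examples in the same region use what look like real public addresses (`-v 121.43.60.253 -t 120.26.100.138`); use placeholders or the documentation ranges so readers do not probe a live host, and move the `INFO:keylime.config:Reading configuration from ['/etc/keylime/logging.conf']` line out of the command fence, since it is output rather than part of the command. The `Runtime Integrity Monitoring` reference link points at `use_measured_boot.html`, the same page as the previous section; it should point at the runtime integrity (IMA) page of the user guide. Finally, the closing `监控IMA错误` paragraph ends on a failure (`...所有直接报错`, typo for `所以`) without telling the reader what to do about it: state whether the failing entries are missing from the allowlist generated by `keylime_create_policy` or genuinely need IMA signatures, and show the corresponding fix (regenerate the policy after the measurements change, or sign the files), otherwise the walkthrough ends in an unexplained red state.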