Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package keylime for openSUSE:Factory checked in at 2022-02-09 20:38:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/keylime (Old) and /work/SRC/openSUSE:Factory/.keylime.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Wed Feb 9 20:38:36 2022 rev:14 rq:952217 version:6.3.0 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2022-01-29 20:57:40.936424405 +0100 +++ /work/SRC/openSUSE:Factory/.keylime.new.1898/keylime.changes 2022-02-09 20:39:12.126376267 +0100 @@ -1,0 +2,9 @@ +Mon Feb 7 16:28:22 UTC 2022 - Alberto Planas Dominguez <apla...@suse.com> + +- Change back agent_uuid to hostname +- Set tpm_hash_alg to sha256 by default +- Update version.diff patch to point to the correct version number +- Fix issue with Tornado, when multiple workers are started + * Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605) + +------------------------------------------------------------------- New: ---- cloud_verifier_tornado-use-fork_processes.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.EjcBwT/_old 2022-02-09 20:39:12.934378200 +0100 +++ /var/tmp/diff_new_pack.EjcBwT/_new 2022-02-09 20:39:12.942378219 +0100 @@ -38,6 +38,8 @@ Patch2: keylime.conf.diff # PATCH-FIX-OPENSUSE config-libefivars.diff Patch3: config-libefivars.diff +# PATCH-FIX-UPSTREAM cloud_verifier_tornado-use-fork_processes.patch (gh#keylime/keylime!880) +Patch4: cloud_verifier_tornado-use-fork_processes.patch BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: firewall-macros ++++++ cloud_verifier_tornado-use-fork_processes.patch ++++++ >From 3ffdf86d6e3f2377520a07da0202cd6ba4c6f711 Mon Sep 17 00:00:00 2001 
From: Alberto Planas <apla...@suse.com> Date: Mon, 7 Feb 2022 17:00:02 +0100 Subject: [PATCH 1/2] cloud_verifier_tornado: use fork_processes If the cloud_verifier/multiprocessing_pool_num_workers is different from 1, the call to `.start()` will fail, as the previous call to `.add_sockets()` has already initialized the internal IOLoop. The raised exception will be: Traceback (most recent call last): File "/usr/bin/keylime_verifier", line 11, in <module> load_entry_point('keylime==6.3.0', 'console_scripts', 'keylime_verifier')() File "/usr/lib/python3.6/site-packages/keylime/cmd/verifier.py", line 21, in main cloud_verifier_tornado.main() File "/usr/lib/python3.6/site-packages/keylime/cloud_verifier_tornado.py", line 1122, in main server.start(config.getint('cloud_verifier', 'multiprocessing_pool_num_workers')) File "/usr/lib64/python3.6/site-packages/tornado/tcpserver.py", line 220, in start process.fork_processes(num_processes) File "/usr/lib64/python3.6/site-packages/tornado/process.py", line 129, in fork_processes raise RuntimeError("Cannot run in multiple processes: IOLoop instance " RuntimeError: Cannot run in multiple processes: IOLoop instance has already been initialized. You cannot call IOLoop.instance() before calling start_processes() This was introduced in https://github.com/keylime/keylime/commit/50661f8b33f6b7335104cd4c0dfff711705ee96e This patch reverts to calling `.process.fork_processes()` right after the `.bind_sockets()` line, which runs before `.start()`, and drops the optional parameter from the last method call. Signed-off-by: Alberto Planas <apla...@suse.com> --- keylime/cloud_verifier_tornado.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) Index: keylime-v6.3.0/keylime/cloud_verifier_tornado.py =================================================================== --- keylime-v6.3.0.orig/keylime/cloud_verifier_tornado.py +++ keylime-v6.3.0/keylime/cloud_verifier_tornado.py 
@@ -1113,13 +1113,16 @@ def main(): sockets = tornado.netutil.bind_sockets( int(cloudverifier_port), address=cloudverifier_host) + tornado.process.fork_processes(config.getint( + 'cloud_verifier', 'multiprocessing_pool_num_workers')) + server = tornado.httpserver.HTTPServer(app, ssl_options=context, max_buffer_size=max_upload_size) server.add_sockets(sockets) signal.signal(signal.SIGTERM, lambda *_: sys.exit(0)) try: - server.start(config.getint('cloud_verifier', 'multiprocessing_pool_num_workers')) + server.start() if tornado.process.task_id() == 0: # Start the revocation notifier only on one process if config.getboolean('cloud_verifier', 'revocation_notifier'): Index: keylime-v6.3.0/keylime/crypto.py =================================================================== --- keylime-v6.3.0.orig/keylime/crypto.py +++ keylime-v6.3.0/keylime/crypto.py @@ -211,5 +211,5 @@ def generate_selfsigned_cert(name, key, .serial_number(x509.random_serial_number())\ .not_valid_before(datetime.datetime.utcnow())\ .not_valid_after(valid_until)\ - .sign(key, hashes.SHA256()) + .sign(key, hashes.SHA256(), backend=default_backend()) return cert Index: keylime-v6.3.0/keylime/keylime_agent.py =================================================================== --- keylime-v6.3.0.orig/keylime/keylime_agent.py +++ keylime-v6.3.0/keylime/keylime_agent.py @@ -30,6 +30,7 @@ import subprocess import psutil from cryptography import x509 +from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from keylime import config 
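Review bot: The new `tornado.process.fork_processes(...)` call is placed before `HTTPServer()` for a reason the code itself does not record, and the next refactor could move it back below `add_sockets()` and reintroduce the RuntimeError quoted in the description; a comment above it would pin the ordering: `# Fork before any IOLoop exists: HTTPServer()/add_sockets() initialize the loop and fork_processes() refuses to run afterwards`. The call is now unconditional, so a `multiprocessing_pool_num_workers` of 1 forks a single supervised child where `server.start(1)` previously ran in-process, and a value of 0 or less falls back to Tornado's CPU-count default — worth a sentence in the config comment or here. Because `signal.signal(signal.SIGTERM, ...)` runs after the fork, only the children install the handler; whether the supervising parent created by `fork_processes()` needs one is worth confirming. `main()` starts and ends outside the hunk.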
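Review bot: `default_backend()` is now called in `generate_selfsigned_cert`, but this hunk adds no import for it, unlike the `keylime_agent.py` hunk that follows, which does add `from cryptography.hazmat.backends import default_backend`; unless `crypto.py` already imports the name (not visible here), the first certificate generation fails with a NameError. The patch header also describes only `keylime/cloud_verifier_tornado.py` (`1 file changed, 4 insertions(+), 1 deletion(-)`) while the body touches three files, so the `backend=` additions here and in `keylime_agent.py` are undocumented; a line in the description such as `Also pass backend=default_backend() explicitly so the code keeps working on python-cryptography releases that still require the argument` would record the intent, which is my reading of why the argument is added. The enclosing `generate_selfsigned_cert` starts outside the hunk.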
@@ -422,7 +423,7 @@ class CloudAgentHTTPServer(ThreadingMixI if os.path.isfile(certname): logger.debug("Using existing mTLS cert in %s", certname) with open(certname, "rb") as f: - mtls_cert = x509.load_pem_x509_certificate(f.read()) + mtls_cert = x509.load_pem_x509_certificate(f.read(), backend=default_backend()) else: logger.debug("No mTLS certificate found generating a new one") with open(certname, "wb") as f: ++++++ keylime.conf.diff ++++++ --- /var/tmp/diff_new_pack.EjcBwT/_old 2022-02-09 20:39:13.042378458 +0100 +++ /var/tmp/diff_new_pack.EjcBwT/_new 2022-02-09 20:39:13.050378477 +0100 @@ -44,11 +44,21 @@ # name of current host as the agent id. -agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000 +# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000 -+agent_uuid = generate ++agent_uuid = hostname # Whether to listen for revocation notifications from the verifier or not. listen_notfications = True -@@ -147,7 +152,8 @@ ek_handle = generate +@@ -129,7 +134,8 @@ max_retries = 10 + # - hashing: sha512, sha384, sha256 or sha1 + # - encryption: ecc or rsa + # - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr +-tpm_hash_alg = sha1 ++# tpm_hash_alg = sha1 ++tpm_hash_alg = sha256 + tpm_encryption_alg = rsa + tpm_signing_alg = rsassa + +@@ -147,7 +153,8 @@ ek_handle = generate cloudverifier_id = default # The IP address and port of verifier server binds to @@ -58,7 +68,7 @@ cloudverifier_port = 8881 # The address and port of registrar server that verifier communicates with -@@ -266,7 +272,8 @@ revocation_notifier = True +@@ -266,7 +273,8 @@ revocation_notifier = True # The binding address and port of the revocation notifier service. # If the 'revocation_notifier' option is set to "true", then the verifier # automatically starts the revocation service. 
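Review bot: The nested change switches the shipped default from `agent_uuid = generate` to `agent_uuid = hostname`, but the commented-out example UUID is kept above it, so the file now shows three candidate values without saying which one the package chose or why; a comment next to the new value, e.g. `# openSUSE default: derive the agent id from the hostname; use 'generate' for a random per-install UUID`, would make the choice visible. Since the agent id is then taken from the host name (the surviving context line `# name of current host as the agent id.` says as much), two hosts with the same name would presumably present the same id to the registrar and verifier — worth confirming that deployments relying on unique agent ids accept that. The `tpm_hash_alg = sha256` default in the same file needs no further comment beyond the commented-out `sha1` line already kept as a reference.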
@@ -68,7 +78,7 @@ revocation_notifier_port = 8992 # Enable revocation notifications via webhook. This can be used to notify other -@@ -400,10 +407,12 @@ max_payload_size = 1048576 +@@ -400,10 +408,12 @@ max_payload_size = 1048576 # and SHA-512). # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses # them internally. @@ -83,7 +93,7 @@ # Specify the file containing allowlists for processing Linux IMA measurements # this file is used if tenant provides "default" as the allowlist file -@@ -455,7 +464,8 @@ max_retries = 10 +@@ -455,7 +465,8 @@ max_retries = 10 # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. @@ -93,7 +103,7 @@ # Optional script to execute to check the EK and/or EK certificate against a # allowlist or any other additional EK processing you want to do. Runs in -@@ -481,7 +491,8 @@ ek_check_script= +@@ -481,7 +492,8 @@ ek_check_script= # The registrar's IP address and port used to communicate with other services # as well as the bind address for the registrar server. ++++++ version.diff ++++++ --- /var/tmp/diff_new_pack.EjcBwT/_old 2022-02-09 20:39:13.090378573 +0100 +++ /var/tmp/diff_new_pack.EjcBwT/_new 2022-02-09 20:39:13.094378582 +0100 @@ -6,7 +6,7 @@ description=( 'TPM-based key bootstrapping and system ' 'integrity measurement system for cloud'), -+ version='6.2.1', ++ version='6.3.0', long_description=long_description, long_description_content_type='text/markdown', author='Keylime Community',