Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rust-keylime for openSUSE:Factory checked in at 2022-08-11 18:31:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rust-keylime (Old) and /work/SRC/openSUSE:Factory/.rust-keylime.new.1521 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rust-keylime" Thu Aug 11 18:31:44 2022 rev:3 rq:994443 version:0.1.0+git.1659977521.0186093 Changes: -------- --- /work/SRC/openSUSE:Factory/rust-keylime/rust-keylime.changes 2022-07-18 18:33:18.577703912 +0200 +++ /work/SRC/openSUSE:Factory/.rust-keylime.new.1521/rust-keylime.changes 2022-08-11 18:31:52.610199695 +0200 @@ -1,0 +2,20 @@ +Wed Aug 10 13:39:08 UTC 2022 - apla...@suse.com + +- Update to version 0.1.0+git.1659977521.0186093: + * Fix display of mb measurement file path + * Add more helpful error when config file is not found + * Fix small comment about implementing TPM ownership + * main: die when cannot drop privileges + * keylime.conf: add run_as section + * Use Rust agent-specific config in Makefile + * Fix typo in listen_notifications option in keylime.conf + * tpm: Support pre-existing EK + * Set swtpm context which is later used for test filtering + * Add GitLeaks configuration to ignore RSA key used for testing + * Handle whitespace in keylime.conf +- Rename keylime.conf.diff to keylime-agent.conf.diff +- Drop 0001-main-die-when-cannot-drop-privileges.patch, as is already + merged upstream +- Add bindgen.patch to add more architectures + +------------------------------------------------------------------- Old: ---- 0001-main-die-when-cannot-drop-privileges.patch keylime.conf.diff rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz New: ---- bindgen.patch keylime-agent.conf.diff rust-keylime-0.1.0+git.1659977521.0186093.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rust-keylime.spec ++++++ --- /var/tmp/diff_new_pack.tyBCOm/_old 2022-08-11 18:31:53.718202288 +0200 +++ /var/tmp/diff_new_pack.tyBCOm/_new 2022-08-11 18:31:53.722202298 +0200 
@@ -25,7 +25,7 @@ %define _config_norepl %config(noreplace) %endif Name: rust-keylime -Version: 0.1.0+git.1657303637.5b9072a +Version: 0.1.0+git.1659977521.0186093 Release: 0 Summary: Rust implementation of the keylime agent License: Apache-2.0 AND MIT @@ -36,11 +36,12 @@ Source3: keylime.xml Source4: keylime-user.conf Source5: tmpfiles.keylime -# PATCH-FIX-OPENSUSE keylime.conf.diff -Patch1: keylime.conf.diff -# PATCH-FIX-UPSTREAM 0001-main-die-when-cannot-drop-privileges.patch -- based on PR 423 -Patch2: 0001-main-die-when-cannot-drop-privileges.patch +# PATCH-FIX-OPENSUSE keylime-agent.conf.diff +Patch1: keylime-agent.conf.diff +# PATCH-FIX-OPENSUSE bindgen.patch +Patch2: bindgen.patch BuildRequires: cargo +BuildRequires: clang BuildRequires: firewall-macros BuildRequires: libarchive-devel BuildRequires: rust @@ -50,7 +51,6 @@ Requires: libtss2-tcti-device0 Requires: logrotate Requires: tpm2.0-abrmd -ExcludeArch: %{ix86} s390x ppc64 ppc64le armhfp armv7hl %description Rust implementation of keylime agent. Keylime is system integrity @@ -69,7 +69,7 @@ RUSTFLAGS=%{rustflags} cargo install --frozen --no-default-features --features "with-zmq" --root=%{buildroot}%{_prefix} --path . # TODO: move the configuration file into _distconfdir -install -Dpm 0600 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf +install -Dpm 0600 keylime-agent.conf %{buildroot}%{_sysconfdir}/keylime-agent.conf install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount 
@@ -108,7 +108,7 @@ %license LICENSE %{_bindir}/keylime_agent %{_bindir}/keylime_ima_emulator -%config(noreplace) %attr (0600,keylime,tss) %{_sysconfdir}/keylime.conf +%config(noreplace) %attr (0600,keylime,tss) %{_sysconfdir}/keylime-agent.conf %{_unitdir}/keylime_agent.service %{_unitdir}/var-lib-keylime-secure.mount %dir %{_prefix}/lib/firewalld ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.tyBCOm/_old 2022-08-11 18:31:53.758202383 +0200 +++ /var/tmp/diff_new_pack.tyBCOm/_new 2022-08-11 18:31:53.762202391 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/keylime/rust-keylime.git</param> - <param name="changesrevision">5b9072abae219bda0e9a95498b5aef4af5db1bda</param></service></servicedata> + <param name="changesrevision">01860934f7308bc5ea1e68c8d858aea056620ce8</param></service></servicedata> (No newline at EOF) ++++++ bindgen.patch ++++++ ++++ 1216 lines (skipped) ++++++ keylime-agent.conf.diff ++++++ Index: rust-keylime-0.1.0+git.1659977521.0186093/keylime-agent.conf =================================================================== --- rust-keylime-0.1.0+git.1659977521.0186093.orig/keylime-agent.conf +++ rust-keylime-0.1.0+git.1659977521.0186093/keylime-agent.conf @@ -4,7 +4,8 @@ # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive # revocation events from the verifier. -receive_revocation_ip = 127.0.0.1 +# receive_revocation_ip = 127.0.0.1 +receive_revocation_ip = <REMOTE_IP> receive_revocation_port = 8992 @@ -13,7 +14,8 @@ receive_revocation_port = 8992 #============================================================================= # The binding address and port for the agent server -cloudagent_ip = 127.0.0.1 +# cloudagent_ip = 127.0.0.1 +cloudagent_ip = 0.0.0.0 cloudagent_port = 9002 # Address and port where the verifier and tenant can connect to reach the agent. 
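Review bot: `cloudagent_ip = 0.0.0.0` in the distribution patch binds the agent server on every interface where upstream ships `127.0.0.1`, which widens the network exposure of port 9002 on every install of the package; if that is the intended default for the packaged service it should be stated in the patch header or the .changes entry rather than left implicit. The `<REMOTE_IP>` placeholders written into `receive_revocation_ip` here and into `registrar_ip` in the next hunk are not valid addresses, so the agent presumably cannot reach the registrar until an administrator edits the file. A comment such as `# Replace <REMOTE_IP> with the address of the verifier/registrar host before starting the agent` above the first placeholder would make that requirement explicit instead of surfacing as a connection error at startup.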
@@ -22,7 +24,8 @@ agent_contact_ip = 127.0.0.1 agent_contact_port = 9002 # The address and port of registrar server which agent communicate with -registrar_ip = 127.0.0.1 +# registrar_ip = 127.0.0.1 +registrar_ip = <REMOTE_IP> registrar_port = 8890 # The keylime working directory. Can be overriden by setting the KEYLIME_DIR ++++++ rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz -> rust-keylime-0.1.0+git.1659977521.0186093.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/.gitleaks.toml new/rust-keylime-0.1.0+git.1659977521.0186093/.gitleaks.toml --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/.gitleaks.toml 1970-01-01 01:00:00.000000000 +0100 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/.gitleaks.toml 2022-08-08 18:52:01.000000000 +0200 @@ -0,0 +1,10 @@ +# +# GitLeaks Repo Specific Configuration +# +# This allowlist is used to help Red Hat ignore false positives during its code +# scans. + +[allowlist] + paths = [ + '''test-data/test-rsa.pem''', + ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/GNUmakefile new/rust-keylime-0.1.0+git.1659977521.0186093/GNUmakefile --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/GNUmakefile 2022-07-08 20:07:17.000000000 +0200 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/GNUmakefile 2022-08-08 18:52:01.000000000 +0200 @@ -3,6 +3,7 @@ RELEASE ?= 0 TARGETDIR ?= target +CONFFILE ?= ./keylime-agent.conf ifeq ($(RELEASE),1) PROFILE ?= release 
@@ -26,6 +27,7 @@ .PHONY: install install: all + cp ${CONFFILE} /etc/${CONFFILE} for f in $(programs); do \ install -D -t ${DESTDIR}/usr/bin "$$f"; \ done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/docker/fedora/keylime_py.Dockerfile new/rust-keylime-0.1.0+git.1659977521.0186093/docker/fedora/keylime_py.Dockerfile --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/docker/fedora/keylime_py.Dockerfile 2022-07-08 20:07:17.000000000 +0200 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/docker/fedora/keylime_py.Dockerfile 2022-08-08 18:52:01.000000000 +0200 @@ -76,8 +76,8 @@ WORKDIR ${HOME} RUN git clone https://github.com/keylime/keylime.git && \ cd keylime && \ -sed -e 's/127.0.0.1/0.0.0.0/g' keylime.conf > tmp_keylime.conf && \ -mv tmp_keylime.conf keylime.conf && \ +sed -e 's/127.0.0.1/0.0.0.0/g' keylime-agent.conf > tmp_keylime-agent.conf && \ +mv tmp_keylime-agent.conf keylime-agent.conf && \ python3 ${KEYLIME_HOME}/setup.py install && \ pip3 install -r $KEYLIME_HOME/requirements.txt && \ ${KEYLIME_HOME}/services/installer.sh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/keylime-agent.conf new/rust-keylime-0.1.0+git.1659977521.0186093/keylime-agent.conf --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/keylime-agent.conf 1970-01-01 01:00:00.000000000 +0100 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/keylime-agent.conf 2022-08-08 18:52:01.000000000 +0200 
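Review bot: The new `cp ${CONFFILE} /etc/${CONFFILE}` line in the `install` target ignores `${DESTDIR}`, which the `install -D -t ${DESTDIR}/usr/bin` line directly below honours, and with the default `CONFFILE ?= ./keylime-agent.conf` the destination expands to `/etc/./keylime-agent.conf`, which only works by accident. It also keeps the source file's mode, while the spec in this same commit deliberately installs the file 0600 because the agent reads values such as `tpm_ownerpassword` from it (see the src/common.rs hunk further down). Suggest `install -D -m 0600 ${CONFFILE} ${DESTDIR}/etc/$(notdir ${CONFFILE})` so staged installs and the file mode match the packaged behaviour.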
@@ -0,0 +1,147 @@ +#============================================================================= +[general] +#============================================================================= + +# Revocation IP & Port used by either the cloud_agent or keylime_ca to receive +# revocation events from the verifier. +receive_revocation_ip = 127.0.0.1 +receive_revocation_port = 8992 + + +#============================================================================= +[cloud_agent] +#============================================================================= + +# The binding address and port for the agent server +cloudagent_ip = 127.0.0.1 +cloudagent_port = 9002 + +# Address and port where the verifier and tenant can connect to reach the agent. +# These keys are optional. +agent_contact_ip = 127.0.0.1 +agent_contact_port = 9002 + +# The address and port of registrar server which agent communicate with +registrar_ip = 127.0.0.1 +registrar_port = 8890 + +# The keylime working directory. Can be overriden by setting the KEYLIME_DIR +# environment variable. The default value is /var/lib/keylime +# keylime_dir = /var/lib/keylime + +# The CA that signs the client certificates of the tenant and verifier. +# If set to default it tries to use $keylime_dir/cv_ca/cacert.crt +keylime_ca = default + +# The name that should be used for the encryption key, placed in the +# $keylime_dir/secure/ directory. +enc_keyname = derived_tci_key + +# The name that should be used for the optional decrypted payload, placed in +# the $keylime_dir/secure directory. +dec_payload_file = decrypted_payload + +# The size of the memory-backed tmpfs partition where Keylime stores crypto keys. +# Use syntax that the 'mount' command would accept as a size parameter for tmpfs. +# The default below sets it to 1 megabyte. +secure_size = 1m + +# Whether to allow the cloud_agent to automatically extract a zip file in +# the delivered payload after it has been decrypted, or not. Defaults to "true". 
+# After decryption, the archive will be unzipped to a directory in $keylime_dir/secure. +# Note: the limits on the size of the tmpfs partition set above with the 'secure_size' +# option will affect this. +extract_payload_zip = True + +# The agent's UUID. +# Set to "openstack", it will try to get the UUID from the metadata service. +# If you set this to "generate", Keylime will create a random UUID. +# If you set this to "hash_ek", Keylime will set the UUID to the result +# of 'SHA256(public EK in PEM format)'. +# If you set this to "dmidecode", Keylime will use the UUID from +# 'dmidecode -s system-uuid'. +# If you set this to "hostname", Keylime will use the full qualified domain +# name of current host as the agent id. +agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000 + +# Whether to listen for revocation notifications from the verifier or not. +listen_notifications = True + +# The path to the certificate to verify revocation messages received from the +# verifier. The path is relative to $keylime_dir unless an absolute path is +# provided (i.e. starts with '/'). +# If set to "default", Keylime will use the file RevocationNotifier-cert.crt +# from the unzipped contents provided by the tenant. +revocation_cert = default + +# A comma-separated list of executables to run upon receiving a revocation +# message. Keylime will verify the signature first, then call these executables +# with the json revocation message. The executables must be located in the +# 'revocation_actions' directory. +# +# Keylime will also get the list of revocation actions from the file +# action_list in the unzipped contents provided by the verifier. +revocation_actions= + +# A script to execute after unzipping the tenant payload. This is like +# cloud-init lite =) Keylime will run it with a /bin/sh environment and +# with a working directory of $keylime_dir/secure/unzipped. +payload_script=autorun.sh + +# The path to the directory containing the pre-installed revocation action +# scripts. 
Ideally should point to an fixed/immutable location subject to +# attestation. The default is /usr/libexec/keylime. +revocation_actions_dir = /usr/libexec/keylime + +# Whether to allow running revocation actions sent as part of the payload. The +# default is True and setting as False will limit the revocation actions to the +# pre-installed ones. +allow_payload_revocation_actions = True + +# Jason @henn made be do it! He wanted a way for Keylime to measure the +# delivered payload into a pcr of choice. +# Specify a PCR number to turn it on. +# Set to -1 or any negative or out of range PCR value to turn off. +measure_payload_pcr=-1 + +# How long to wait between failed attempts to communicate with the TPM in +# seconds. Floating point values are accepted here. +retry_interval = 1 + +# Integer number of retries to communicate with the TPM before giving up. +max_retries = 10 + +# TPM2-specific options, allows customizing default algorithms to use. +# Specify the default crypto algorithms to use with a TPM2 for this agent. +# +# Currently accepted values include: +# - hashing: sha512, sha384, sha256 or sha1 +# - encryption: ecc or rsa +# - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr +tpm_hash_alg = sha256 +tpm_encryption_alg = rsa +tpm_signing_alg = rsassa + +# If an EK is already present on the TPM (e.g., with "tpm2_createek") and +# you require Keylime to use this EK, change "generate" to the actual EK +# handle (e.g. "0x81000000"). The Keylime agent will then not attempt to +# create a new EK upon startup, and neither will it flush the EK upon exit. +ek_handle = generate + +# The user account to switch to to drop privileges when started as root +# If left empty, the agent will keep running with high privileges. +# The user and group specified here must allow the user to access the +# WORK_DIR (typically /var/lib/keylime) and /dev/tpmrm0. Therefore, +# suggested value for the run_as parameter is keylime:tss. 
+# The following commands should be used to set ownership before running the +# agent: +# chown keylime /var/lib/keylime +# +# If agent_data.json already exists: +# chown keylime /var/lib/keylime/agent_data.json +# +# If cv_ca directory exists: +# chown keylime /var/lib/keylime/cv_ca +# chown keylime /var/lib/keylime/cv_ca/cacert.crt +# +run_as = diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf new/rust-keylime-0.1.0+git.1659977521.0186093/keylime.conf --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf 2022-07-08 20:07:17.000000000 +0200 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/keylime.conf 1970-01-01 01:00:00.000000000 +0100 
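Review bot: The new keylime-agent.conf documents `ek_handle` but says nothing about `tpm_ownerpassword`, which src/common.rs in this same commit reads from the `[cloud_agent]` section and src/main.rs uses as the auth value for the Owner and Endorsement hierarchies whenever `ek_handle` names an existing EK. An operator pointing `ek_handle` at a TPM whose hierarchies have an auth set has no hint from this file that the key exists or that the value `generate` is treated as unset. Suggest a commented entry `# tpm_ownerpassword = ` after `ek_handle`, preceded by a short comment stating that it is only consulted when `ek_handle` is set, that `generate` means unset, and that because the file then holds a secret it must remain readable only by the agent user (mode 0600, as the spec installs it).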
@@ -1,129 +0,0 @@ -#============================================================================= -[general] -#============================================================================= - -# Revocation IP & Port used by either the cloud_agent or keylime_ca to receive -# revocation events from the verifier. -receive_revocation_ip = 127.0.0.1 -receive_revocation_port = 8992 - - -#============================================================================= -[cloud_agent] -#============================================================================= - -# The binding address and port for the agent server -cloudagent_ip = 127.0.0.1 -cloudagent_port = 9002 - -# Address and port where the verifier and tenant can connect to reach the agent. -# These keys are optional. -agent_contact_ip = 127.0.0.1 -agent_contact_port = 9002 - -# The address and port of registrar server which agent communicate with -registrar_ip = 127.0.0.1 -registrar_port = 8890 - -# The keylime working directory. Can be overriden by setting the KEYLIME_DIR -# environment variable. The default value is /var/lib/keylime -# keylime_dir = /var/lib/keylime - -# The CA that signs the client certificates of the tenant and verifier. -# If set to default it tries to use $keylime_dir/cv_ca/cacert.crt -keylime_ca = default - -# The name that should be used for the encryption key, placed in the -# $keylime_dir/secure/ directory. -enc_keyname = derived_tci_key - -# The name that should be used for the optional decrypted payload, placed in -# the $keylime_dir/secure directory. -dec_payload_file = decrypted_payload - -# The size of the memory-backed tmpfs partition where Keylime stores crypto keys. -# Use syntax that the 'mount' command would accept as a size parameter for tmpfs. -# The default below sets it to 1 megabyte. -secure_size = 1m - -# Whether to allow the cloud_agent to automatically extract a zip file in -# the delivered payload after it has been decrypted, or not. Defaults to "true". 
-# After decryption, the archive will be unzipped to a directory in $keylime_dir/secure. -# Note: the limits on the size of the tmpfs partition set above with the 'secure_size' -# option will affect this. -extract_payload_zip = True - -# The agent's UUID. -# Set to "openstack", it will try to get the UUID from the metadata service. -# If you set this to "generate", Keylime will create a random UUID. -# If you set this to "hash_ek", Keylime will set the UUID to the result -# of 'SHA256(public EK in PEM format)'. -# If you set this to "dmidecode", Keylime will use the UUID from -# 'dmidecode -s system-uuid'. -# If you set this to "hostname", Keylime will use the full qualified domain -# name of current host as the agent id. -agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000 - -# Whether to listen for revocation notifications from the verifier or not. -listen_notfications = True - -# The path to the certificate to verify revocation messages received from the -# verifier. The path is relative to $keylime_dir unless an absolute path is -# provided (i.e. starts with '/'). -# If set to "default", Keylime will use the file RevocationNotifier-cert.crt -# from the unzipped contents provided by the tenant. -revocation_cert = default - -# A comma-separated list of executables to run upon receiving a revocation -# message. Keylime will verify the signature first, then call these executables -# with the json revocation message. The executables must be located in the -# 'revocation_actions' directory. -# -# Keylime will also get the list of revocation actions from the file -# action_list in the unzipped contents provided by the verifier. -revocation_actions= - -# A script to execute after unzipping the tenant payload. This is like -# cloud-init lite =) Keylime will run it with a /bin/sh environment and -# with a working directory of $keylime_dir/secure/unzipped. -payload_script=autorun.sh - -# The path to the directory containing the pre-installed revocation action -# scripts. 
Ideally should point to an fixed/immutable location subject to -# attestation. The default is /usr/libexec/keylime. -revocation_actions_dir = /usr/libexec/keylime - -# Whether to allow running revocation actions sent as part of the payload. The -# default is True and setting as False will limit the revocation actions to the -# pre-installed ones. -allow_payload_revocation_actions = True - -# Jason @henn made be do it! He wanted a way for Keylime to measure the -# delivered payload into a pcr of choice. -# Specify a PCR number to turn it on. -# Set to -1 or any negative or out of range PCR value to turn off. -measure_payload_pcr=-1 - -# How long to wait between failed attempts to communicate with the TPM in -# seconds. Floating point values are accepted here. -retry_interval = 1 - -# Integer number of retries to communicate with the TPM before giving up. -max_retries = 10 - -# TPM2-specific options, allows customizing default algorithms to use. -# Specify the default crypto algorithms to use with a TPM2 for this agent. -# -# Currently accepted values include: -# - hashing: sha512, sha384, sha256 or sha1 -# - encryption: ecc or rsa -# - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr -tpm_hash_alg = sha256 -tpm_encryption_alg = rsa -tpm_signing_alg = rsassa - -# If an EK is already present on the TPM (e.g., with "tpm2_createek") and -# you require Keylime to use this EK, change "generate" to the actual EK -# handle (e.g. "0x81000000"). The Keylime agent will then not attempt to -# create a new EK upon startup, and neither will it flush the EK upon exit. 
-ek_handle = generate diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/packit-ci.fmf new/rust-keylime-0.1.0+git.1659977521.0186093/packit-ci.fmf --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/packit-ci.fmf 2022-07-08 20:07:17.000000000 +0200 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/packit-ci.fmf 2022-08-08 18:52:01.000000000 +0200 @@ -6,6 +6,9 @@ TPM_BINARY_MEASUREMENTS: /var/tmp/binary_bios_measurements RUST_IMA_EMULATOR: 1 + context: + swtpm: yes + prepare: how: shell script: @@ -31,6 +34,8 @@ - /functional/basic-attestation-with-ima-signatures - /functional/basic-attestation-without-mtls - /functional/basic-attestation-with-unpriviledged-agent + - /functional/ek-cert-use-ek_check_script + - /functional/ek-cert-use-ek_handle-custom-ca_certs - /functional/install-rpm-with-ima-signature - /functional/keylime_tenant-commands-on-localhost - /functional/db-postgresql-sanity-on-localhost diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/src/common.rs new/rust-keylime-0.1.0+git.1659977521.0186093/src/common.rs --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/src/common.rs 2022-07-08 20:07:17.000000000 +0200 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/src/common.rs 2022-08-08 18:52:01.000000000 +0200 @@ -37,7 +37,7 @@ pub const STUB_IMA: bool = true; pub const TPM_DATA_PCR: usize = 16; pub const IMA_PCR: usize = 10; -pub static DEFAULT_CONFIG: &str = "/etc/keylime.conf"; +pub static DEFAULT_CONFIG: &str = "/etc/keylime-agent.conf"; pub static RSA_PUBLICKEY_EXPORTABLE: &str = "rsa placeholder"; pub static TPM_TOOLS_PATH: &str = "/usr/local/bin/"; pub static IMA_ML: &str = 
@@ -290,12 +290,23 @@ pub mtls_enabled: bool, pub enable_insecure_payload: bool, pub run_as: Option<String>, + pub tpm_ownerpassword: Option<String>, + pub ek_handle: Option<String>, } impl KeylimeConfig { pub fn build() -> Result<Self> { let conf_name = config_file_get(); - let conf = Ini::load_from_file(&conf_name)?; + let conf = match Ini::load_from_file(&conf_name) { + Ok(file) => file, + Err(e) => { + error!( + "Could not load keylime config file: {} due to error: {}", + conf_name, e + ); + return Err(Error::Ini(e)); + } + }; let agent_ip = config_get_env( &conf_name, @@ -459,11 +470,19 @@ Ok(s) => bool::from_str(&s.to_lowercase())?, Err(_) => ALLOW_PAYLOAD_REV_ACTIONS, }; + let run_as = if permissions::get_euid() == 0 { match config_get(&conf_name, &conf, "cloud_agent", "run_as") { - Ok(user_group) => Some(user_group), + Ok(user_group) => { + if user_group.is_empty() { + warn!("Cannot drop privileges since 'run_as' is empty in 'cloud_agent' section of keylime-agent.conf."); + None + } else { + Some(user_group) + } + } Err(_) => { - warn!("Cannot drop privileges since 'run_as' is empty or missing in 'cloud_agent' section of keylime.conf."); + warn!("Cannot drop privileges since 'run_as' is missing in 'cloud_agent' section of keylime-agent.conf."); None } } @@ -493,6 +512,16 @@ Err(_) => false, }; + let tpm_ownerpassword = + config_get(&conf_name, &conf, "cloud_agent", "tpm_ownerpassword") + .ok() + .filter(|s| s != "generate"); + + let ek_handle = + config_get(&conf_name, &conf, "cloud_agent", "ek_handle") + .ok() + .filter(|s| s != "generate"); + Ok(KeylimeConfig { agent_ip, agent_port, @@ -523,6 +552,8 @@ mtls_enabled, enable_insecure_payload, run_as, + tpm_ownerpassword, + ek_handle, }) } 
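Review bot: In the `@@ -493,6 +512,16 @@` hunk, `config_get(...).ok().filter(|s| s != "generate")` turns a blank `ek_handle =` into `Some("")`, because `config_get` (changed later in this file) only warns on an empty value and still returns `Ok`; `create_ek` in src/tpm.rs then passes `""` to `u32::from_str_radix` and the agent presumably fails to start instead of generating an EK as the shipped config documents. The same shape applies to `tpm_ownerpassword`, where `Some("")` ends up setting an empty hierarchy auth in src/main.rs, which is likely harmless but pointless. Suggest `.filter(|s| !s.is_empty() && s != "generate")` on both options so that an unset or blank key behaves like the documented `generate` default.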
@@ -540,7 +571,7 @@ } } -// Default test configuration. This should match the defaults in keylime.conf +// Default test configuration. This should match the defaults in keylime-agent.conf #[cfg(any(test, feature = "testing"))] impl Default for KeylimeConfig { fn default() -> Self { @@ -584,6 +615,8 @@ mtls_enabled: true, enable_insecure_payload: false, run_as, + tpm_ownerpassword: None, + ek_handle: None, } } } @@ -617,7 +650,7 @@ /* * Return: Returns the configuration file provided in the environment variable - * KEYLIME_CONFIG or defaults to /etc/keylime.conf + * KEYLIME_CONFIG or defaults to /etc/keylime-agent.conf * * Example call: * let config = config_file_get(); @@ -698,7 +731,7 @@ } }; let value = match section.get(key) { - Some(value) => value, + Some(value) => value.trim(), None => // TODO: Make Error::Configuration an alternative with data instead of string { @@ -709,6 +742,10 @@ } }; + if value.is_empty() { + warn!("Cannot find value for key {} in file {}", key, conf_name); + }; + Ok(value.to_string()) } @@ -746,7 +783,7 @@ #[test] fn test_config_get_parameters_exist() { - //let result = config_get("keylime.conf", "general", "cloudagent_port"); + //let result = config_get("keylime-agent.conf", "general", "cloudagent_port"); //assert_eq!(result, "9002"); } 
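Review bot: The empty-value check added to `config_get` in hunk `@@ -709,6 +742,10 @@` logs `Cannot find value for key …` although the key was found and is merely blank, and it fires on every startup for keys the shipped keylime-agent.conf intentionally leaves empty (`run_as =`, `revocation_actions=`), which trains operators to ignore the warning. Either word it as what it is, `warn!("Value for key {} in file {} is empty", key, conf_name);`, or drop it and let callers such as the `run_as` branch above keep reporting the empty case with context, as they already do. The `};` closing the `if` block carries a stray semicolon that should be removed.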
@@ -756,7 +793,10 @@ // Test with no environment variable env::set_var("KEYLIME_CONFIG", ""); - assert_eq!(config_file_get(), String::from("/etc/keylime.conf")); + assert_eq!( + config_file_get(), + String::from("/etc/keylime-agent.conf") + ); // Test with an environment variable env::set_var("KEYLIME_CONFIG", "/tmp/testing.conf"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/src/main.rs new/rust-keylime-0.1.0+git.1659977521.0186093/src/main.rs --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/src/main.rs 2022-07-08 20:07:17.000000000 +0200 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/src/main.rs 2022-08-08 18:52:01.000000000 +0200 @@ -71,8 +71,12 @@ time::Duration, }; use tss_esapi::{ - handles::KeyHandle, interface_types::algorithm::AsymmetricAlgorithm, - structures::PublicBuffer, traits::Marshall, Context, + handles::KeyHandle, + interface_types::algorithm::AsymmetricAlgorithm, + interface_types::resource_handles::Hierarchy, + structures::{Auth, PublicBuffer}, + traits::Marshall, + Context, }; use uuid::Uuid; @@ -213,7 +217,7 @@ } } -// checks if keylime.conf indicates the payload should be unzipped, and does so if needed. +// checks if keylime-agent.conf indicates the payload should be unzipped, and does so if needed. // the input string is the directory where the unzipped file(s) should be stored. pub(crate) fn optional_unzip_payload( unzipped: &Path, @@ -382,7 +386,7 @@ } else { warn!( "Measured boot measurement list not available: {}", - ima_ml_path.display() + measuredboot_ml_path.display() ); None }; 
@@ -407,8 +411,14 @@ // Drop privileges if let Some(user_group) = &config.run_as { - permissions::chown(user_group, &mount); - permissions::run_as(user_group); + permissions::chown(user_group, &mount)?; + if let Err(e) = permissions::run_as(user_group) { + let message = "The user running the Keylime agent should be set in keylime-agent.conf, using the parameter `run_as`, with the format `user:group`".to_string(); + + error!("Configuration error: {}", &message); + return Err(Error::Configuration(message)); + } + info!("Running the service as {}...", user_group); } info!("Starting server with API version {}...", API_VERSION); @@ -438,8 +448,24 @@ } } + // When the EK handle is given, set auth for the Owner and + // Endorsement hierarchies. Note in the Python implementation, + // tpm_ownerpassword option is also used for claiming ownership of + // TPM access, which will not be implemented here. + if config.ek_handle.is_some() { + if let Some(ref v) = config.tpm_ownerpassword { + let auth = Auth::try_from(v.as_bytes())?; + ctx.tr_set_auth(Hierarchy::Owner.into(), auth.clone())?; + ctx.tr_set_auth(Hierarchy::Endorsement.into(), auth)?; + } + } + // Gather EK values and certs - let ek_result = tpm::create_ek(&mut ctx, config.enc_alg.into())?; + let ek_result = tpm::create_ek( + &mut ctx, + config.enc_alg.into(), + config.ek_handle.as_deref(), + )?; // Try to load persistent Agent data let agent_data = config.agent_data.clone().and_then(|data| @@ -579,6 +605,10 @@ ak_handle, ek_result.key_handle, )?; + // Flush EK if we created it + if config.ek_handle.is_none() { + ctx.flush_context(ek_result.key_handle.into())?; + } let mackey = base64::encode(key.value()); let auth_tag = crypto::compute_hmac( mackey.as_bytes(), 
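Review bot: In the privilege-drop hunk (`@@ -407,8 +411,14 @@`) the `if let Err(e) = permissions::run_as(user_group)` branch never uses `e`, so both the log line and the returned `Error::Configuration` carry only the generic advice and lose the actual cause (unknown user or group, failed setgid/setuid, …), which is exactly what an operator needs now that the agent refuses to start in this case. Suggest `error!("Configuration error: {}: {}", &message, e);` and `return Err(Error::Configuration(format!("{}: {}", message, e)));` so the root cause is preserved. Separately, the `ctx.flush_context(ek_result.key_handle.into())?` added in hunk `@@ -579,6 +605,10 @@` runs only on the success path, whereas the flush removed from `activate_credential` in src/tpm.rs ran regardless of outcome; every `?` between `create_ek` and that line now leaves a generated transient EK loaded until the context is dropped, which seems worth a comment or an explicit flush on the error path given how few transient slots a TPM has.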
@@ -815,7 +845,7 @@ // Gather EK and AK key values and certs let ek_result = - tpm::create_ek(&mut ctx, test_config.enc_alg.into())?; + tpm::create_ek(&mut ctx, test_config.enc_alg.into(), None)?; let ak_result = tpm::create_ak( &mut ctx, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/src/tpm.rs new/rust-keylime-0.1.0+git.1659977521.0186093/src/tpm.rs --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/src/tpm.rs 2022-07-08 20:07:17.000000000 +0200 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/src/tpm.rs 2022-08-08 18:52:01.000000000 +0200 @@ -35,7 +35,9 @@ session_type::SessionType, tss::{TPM2_ALG_NULL, TPM2_ST_ATTEST_QUOTE}, }, - handles::{AuthHandle, KeyHandle, PcrHandle}, + handles::{ + AuthHandle, KeyHandle, PcrHandle, PersistentTpmHandle, TpmHandle, + }, interface_types::{ algorithm::{ AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm, @@ -98,17 +100,28 @@ } /* - * Input: Connection context, asymmetric algo (optional) + * Input: Connection context, asymmetric algo, existing key handle in hex (optional) * Return: (Key handle, public cert, TPM public object) * Example call: - * let (key, cert, tpm_pub) = tpm::create_ek(context, Some(AsymmetricAlgorithm::Rsa)) + * let (key, cert, tpm_pub) = tpm::create_ek(context, AsymmetricAlgorithm::Rsa, None) */ pub(crate) fn create_ek( context: &mut Context, alg: AsymmetricAlgorithm, + handle: Option<&str>, ) -> Result<EKResult> { // Retrieve EK handle, EK pub cert, and TPM pub object - let handle = ek::create_ek_object(context, alg, DefaultKey)?; + let key_handle = match handle { + Some(v) => { + let handle = u32::from_str_radix(v.trim_start_matches("0x"), 16)?; + context + .tr_from_tpm_public(TpmHandle::Persistent( + PersistentTpmHandle::new(handle)?, + ))? + .into() + } + None => ek::create_ek_object(context, alg, DefaultKey)?, + }; let cert = match ek::retrieve_ek_pubcert(context, alg) { Ok(v) => Some(v), Err(_) => { 
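Review bot: The handle parsing added to `create_ek` (`u32::from_str_radix(v.trim_start_matches("0x"), 16)?`) duplicates the existing `ek_from_hex_str` helper this file documents a few hunks below (`@@ -255,7 +268,7 @@`) and whose `ek_from_hex` test the commit deletes at the end of the file. `trim_start_matches` also strips repeated prefixes, so an input like `0x0x81000000` is accepted, which the removed test's `0x0x0x` case suggests was not intended. Prefer reusing the helper, or at least `v.strip_prefix("0x").unwrap_or(v)` so only one prefix is removed, and keep a unit test for whichever function ends up parsing the configured value. `create_ek` continues past the end of this hunk.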
@@ -116,9 +129,9 @@ None } }; - let (tpm_pub, _, _) = context.read_public(handle)?; + let (tpm_pub, _, _) = context.read_public(key_handle)?; Ok(EKResult { - key_handle: handle, + key_handle, ek_cert: cert, public: tpm_pub, }) @@ -255,7 +268,7 @@ data_vec } -/* Converts a hex value in the form of a string (ex. from keylime.conf's +/* Converts a hex value in the form of a string (ex. from keylime-agent.conf's * ek_handle) to a key handle. * * Input: &str @@ -382,16 +395,11 @@ ) })?; - let resp = ctx - .execute_with_sessions( - (Some(AuthSession::Password), Some(ek_auth), None), - |context| context.activate_credential(ak, ek, credential, secret), - ) - .map_err(KeylimeError::from); - - ctx.flush_context(ek.into())?; - - resp + ctx.execute_with_sessions( + (Some(AuthSession::Password), Some(ek_auth), None), + |context| context.activate_credential(ak, ek, credential, secret), + ) + .map_err(KeylimeError::from) } // Takes a public PKey and returns a DigestValue of it. @@ -431,7 +439,7 @@ // // The masks are sent from the tenant and cloud verifier to indicate // the PCRs to include in a Quote. The LSB in the mask corresponds to -// PCR0. For example, keylime.conf specifies PCRs 15 and 22 under +// PCR0. For example, keylime-agent.conf specifies PCRs 15 and 22 under // [tenant][tpm_policy]. As a bit mask, this would be represented as // 0b010000001000000000000000, which translates to 0x408000. // @@ -914,7 +922,8 @@ assert_eq!(encoded, buf); } -#[ignore] // This will only work as an integration test because it needs keylime.conf +#[ignore] +// This will only work as an integration test because it needs keylime-agent.conf #[test] fn pubkey_to_digest() { let (key, _) = crate::crypto::rsa_generate_pair(2048).unwrap(); //#[allow_ci] 
@@ -922,26 +931,6 @@ } #[test] -fn ek_from_hex() { - assert_eq!( - ek_from_hex_str("0x81000000").unwrap(), //#[allow_ci] - ek_from_hex_str("81000000").unwrap() //#[allow_ci] - ); - assert_eq!( - ek_from_hex_str("0xdeadbeef").unwrap(), //#[allow_ci] - ek_from_hex_str("deadbeef").unwrap() //#[allow_ci] - ); - - assert!(ek_from_hex_str("a").is_ok()); - assert!(ek_from_hex_str("18bb9").is_ok()); - - assert!(ek_from_hex_str("qqq").is_err()); - assert!(ek_from_hex_str("0xqqq").is_err()); - assert!(ek_from_hex_str("0xdeadbeefqwerty").is_err()); - assert!(ek_from_hex_str("0x0x0x").is_err()); -} - -#[test] fn mask() { assert_eq!(read_mask("0x0").unwrap(), vec![]); //#[allow_ci] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rust-keylime-0.1.0+git.1657303637.5b9072a/tests/run.sh new/rust-keylime-0.1.0+git.1659977521.0186093/tests/run.sh --- old/rust-keylime-0.1.0+git.1657303637.5b9072a/tests/run.sh 2022-07-08 20:07:17.000000000 +0200 +++ new/rust-keylime-0.1.0+git.1659977521.0186093/tests/run.sh 2022-08-08 18:52:01.000000000 +0200 @@ -34,12 +34,12 @@ echo "-------- Testing" mkdir -p /var/lib/keylime TCTI=tabrmd:bus_type=session RUST_BACKTRACE=1 RUST_LOG=info \ -KEYLIME_CONFIG=$PWD/keylime.conf \ +KEYLIME_CONFIG=$PWD/keylime-agent.conf \ cargo test --features testing -- --nocapture echo "-------- Testing with coverage" TCTI=tabrmd:bus_type=session RUST_BACKTRACE=1 RUST_LOG=info \ -KEYLIME_CONFIG=$PWD/keylime.conf \ +KEYLIME_CONFIG=$PWD/keylime-agent.conf \ cargo tarpaulin -v \ --target-dir target/tarpaulin \ --workspace \ ++++++ vendor.tar.xz ++++++ /work/SRC/openSUSE:Factory/rust-keylime/vendor.tar.xz /work/SRC/openSUSE:Factory/.rust-keylime.new.1521/vendor.tar.xz differ: char 26, line 1