rpms/keylime-agent-rust
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Enable different key sizes and curves for EK and AK

Browse Source 
Resolves: RHEL-1951

Signed-off-by: Sergio Correia <scorreia@redhat.com>
This commit is contained in:
Sergio Correia 2025-09-17 11:52:15 +00:00
parent 46e345a070
commit 2d2ad77dbe
No known key found for this signature in database
GPG Key ID: D0D219ED1F7E762C
7 changed files with 4435 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -16,3 +16,4 @@
/v0.2.5.tar.gz
/rust-keylime-0.2.7-vendor.tar.xz
/v0.2.7.tar.gz
/rust-keylime-0.2.7-vendor.tar.zstd

3609
0003-Enable-non-standard-key-sizes-and-curves-for-EK-and-.patch Normal file
View File

File diff suppressed because it is too large Load Diff

557
0004-Clippy-fixes.patch Normal file
View File

@ -0,0 +1,557 @@
From dc36c72e75c9b3ab36693b59252e3246ef53d5fb Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 29 Sep 2025 22:45:55 +0000
Subject: [PATCH 4/6] Clippy fixes
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime-agent/src/config.rs | 13 ++++++-------
keylime-agent/src/keys_handler.rs | 4 ++--
keylime-agent/src/main.rs | 10 +++++-----
keylime-agent/src/payloads.rs | 12 ++++++------
keylime-agent/src/permissions.rs | 14 +++++++-------
keylime-agent/src/quotes_handler.rs | 16 ++++++++--------
keylime-agent/src/revocation.rs | 15 +++++++--------
keylime-agent/src/secure_mount.rs | 6 +++---
keylime/src/crypto.rs | 12 ++++++------
keylime/src/ima/entry.rs | 7 +++----
keylime/src/registrar_client.rs | 2 +-
keylime/src/tpm.rs | 14 +++++---------
12 files changed, 59 insertions(+), 66 deletions(-)
diff --git a/keylime-agent/src/config.rs b/keylime-agent/src/config.rs
index 21c0516..f1fe7d1 100644
--- a/keylime-agent/src/config.rs
+++ b/keylime-agent/src/config.rs
@@ -614,8 +614,10 @@ fn config_translate_keywords(
.collect::<Vec<String>>()
.join(", "),
"latest" => {
- if let Some(version) =
- SUPPORTED_API_VERSIONS.iter().map(|&s| s.to_string()).last()
+ if let Some(version) = SUPPORTED_API_VERSIONS
+ .iter()
+ .map(|&s| s.to_string())
+ .next_back()
{
version
} else {
@@ -980,7 +982,7 @@ mod tests {
let expected = SUPPORTED_API_VERSIONS
.iter()
.map(|e| e.to_string())
- .last()
+ .next_back()
.unwrap(); //#[allow_ci]
assert_eq!(version, expected);
}
@@ -1273,10 +1275,7 @@ mod tests {
let j = obtained.get(i).unwrap(); //#[allow_ci]
assert!(
e.to_string() == j.to_string(),
- "Option {} mismatch: expected == '{}', obtained == '{}'",
- i,
- e,
- j
+ "Option {i} mismatch: expected == '{e}', obtained == '{j}'"
);
}
}
diff --git a/keylime-agent/src/keys_handler.rs b/keylime-agent/src/keys_handler.rs
index 447f0d1..a4c9f21 100644
--- a/keylime-agent/src/keys_handler.rs
+++ b/keylime-agent/src/keys_handler.rs
@@ -327,7 +327,7 @@ async fn pubkey(
HttpResponse::Ok().json(response)
}
Err(e) => {
- debug!("Unable to retrieve public key: {:?}", e);
+ debug!("Unable to retrieve public key: {e:?}");
HttpResponse::InternalServerError().json(JsonWrapper::error(
500,
"Unable to retrieve public key".to_string(),
@@ -411,7 +411,7 @@ async fn verify(
HttpResponse::Ok().json(response)
}
Err(e) => {
- warn!("GET key challenge failed: {:?}", e);
+ warn!("GET key challenge failed: {e:?}");
HttpResponse::InternalServerError().json(JsonWrapper::error(
500,
"GET key challenge failed".to_string(),
diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
index 9e3d727..be51a21 100644
--- a/keylime-agent/src/main.rs
+++ b/keylime-agent/src/main.rs
@@ -269,7 +269,7 @@ async fn main() -> Result<()> {
config::KeylimeConfigError::Generic(message),
));
}
- info!("Running the service as {}...", user_group);
+ info!("Running the service as {user_group}...");
}
// Parse the configured API versions
@@ -403,7 +403,7 @@ async fn main() -> Result<()> {
}
}
Err(e) => {
- warn!("Could not load agent data: {}", e);
+ warn!("Could not load agent data: {e}");
None
}
}
@@ -442,7 +442,7 @@ async fn main() -> Result<()> {
path => agent_data_new.store(Path::new(&path))?,
}
- info!("Agent UUID: {}", agent_uuid);
+ info!("Agent UUID: {agent_uuid}");
// If using IAK/IDevID is enabled, obtain IAK/IDevID and respective certificates
let mut device_id = if config.agent.enable_iak_idevid {
@@ -595,7 +595,7 @@ async fn main() -> Result<()> {
) {
Ok(t) => Ok(t),
Err(e) => {
- error!("Failed to load trusted CA certificates: {}", e);
+ error!("Failed to load trusted CA certificates: {e}");
Err(e)
}
}?;
@@ -833,7 +833,7 @@ async fn main() -> Result<()> {
Ok(ip_addr) => {
// Add bracket if IPv6, otherwise use as it is
if ip_addr.is_ipv6() {
- format!("[{}]", ip_addr)
+ format!("[{ip_addr}]")
} else {
ip_addr.to_string()
}
diff --git a/keylime-agent/src/payloads.rs b/keylime-agent/src/payloads.rs
index 3b8873d..8996a5e 100644
--- a/keylime-agent/src/payloads.rs
+++ b/keylime-agent/src/payloads.rs
@@ -109,14 +109,14 @@ fn write_out_key_and_payload(
if bytes != key.as_ref().len() {
return Err(Error::Other(format!("Error writing symm key to {:?}: key len is {}, but {bytes} bytes were written", key_path, key.as_ref().len())));
}
- info!("Wrote payload decryption key to {:?}", key_path);
+ info!("Wrote payload decryption key to {key_path:?}");
let mut dec_payload_file = fs::File::create(dec_payload_path)?;
let bytes = dec_payload_file.write(dec_payload)?;
if bytes != dec_payload.len() {
return Err(Error::Other(format!("Error writing decrypted payload to {:?}: payload len is {}, but {bytes} bytes were written", dec_payload_path, dec_payload.len())));
}
- info!("Wrote decrypted payload to {:?}", dec_payload_path);
+ info!("Wrote decrypted payload to {dec_payload_path:?}");
Ok(())
}
@@ -124,7 +124,7 @@ fn write_out_key_and_payload(
// run a script (such as the init script, if any) and check the status
fn run(dir: &Path, script: &str) -> Result<()> {
let script_path = dir.join(script);
- info!("Running script: {:?}", script_path);
+ info!("Running script: {script_path:?}");
if !script_path.exists() {
info!("No payload script {script} found in {}", dir.display());
@@ -176,7 +176,7 @@ fn optional_unzip_payload(
dec_file => {
let zipped_payload_path = unzipped.join(dec_file);
- info!("Unzipping payload {} to {:?}", dec_file, unzipped);
+ info!("Unzipping payload {dec_file} to {unzipped:?}");
let mut source = fs::File::open(zipped_payload_path)?;
let mut zip = ZipArchive::new(source)?;
@@ -215,7 +215,7 @@ async fn run_encrypted_payload(
info!("No payload script specified, skipping");
}
script => {
- info!("Payload init script indicated: {}", script);
+ info!("Payload init script indicated: {script}");
run(&unzipped, script)?;
}
}
@@ -304,7 +304,7 @@ pub(crate) async fn worker(
info!("Successfully executed encrypted payload");
}
Err(e) => {
- warn!("Failed to run encrypted payload: {}", e);
+ warn!("Failed to run encrypted payload: {e}");
}
}
}
diff --git a/keylime-agent/src/permissions.rs b/keylime-agent/src/permissions.rs
index aa240d9..4b8ac9a 100644
--- a/keylime-agent/src/permissions.rs
+++ b/keylime-agent/src/permissions.rs
@@ -38,7 +38,7 @@ impl TryFrom<&str> for UserIds {
if parts.len() != 2 {
let e = format!("Invalid parameter format: {value} cannot be parsed as 'user:group'");
- error!("{}", e);
+ error!("{e}");
return Err(Error::Conversion(e));
}
@@ -50,7 +50,7 @@ impl TryFrom<&str> for UserIds {
let p = unsafe { libc::getgrnam(g_cstr.as_ptr()) };
if p.is_null() {
let e = io::Error::last_os_error();
- error!("Could not get group {}: {}", group, e);
+ error!("Could not get group {group}: {e}");
return Err(Error::Conversion(e.to_string()));
}
unsafe { (*p) }
@@ -65,7 +65,7 @@ impl TryFrom<&str> for UserIds {
let p = unsafe { libc::getpwnam(u_cstr.as_ptr()) };
if p.is_null() {
let e = io::Error::last_os_error();
- error!("Could not get user {}: {}", user, e);
+ error!("Could not get user {user}: {e}");
return Err(Error::Conversion(e.to_string()));
}
unsafe { (*p) }
@@ -91,7 +91,7 @@ pub(crate) fn run_as(user_group: &str) -> Result<()> {
// Set gid
if unsafe { libc::setgid(ids.group.gr_gid) } != 0 {
let e = io::Error::last_os_error();
- error!("Could not set group id: {}", e);
+ error!("Could not set group id: {e}");
return Err(Error::Permission);
}
@@ -127,18 +127,18 @@ pub(crate) fn run_as(user_group: &str) -> Result<()> {
if unsafe { libc::setgroups(ngroups as usize, sup_groups.as_ptr()) } != 0
{
let e = io::Error::last_os_error();
- error!("Could not set supplementary groups: {}", e);
+ error!("Could not set supplementary groups: {e}");
return Err(Error::Permission);
}
// Set uid
if unsafe { libc::setuid(ids.passwd.pw_uid) } != 0 {
let e = io::Error::last_os_error();
- error!("Could not set user id: {}", e);
+ error!("Could not set user id: {e}");
return Err(Error::Permission);
}
- info!("Dropped privileges to run as {}", user_group);
+ info!("Dropped privileges to run as {user_group}");
Ok(())
}
diff --git a/keylime-agent/src/quotes_handler.rs b/keylime-agent/src/quotes_handler.rs
index a49dcc4..d61adf2 100644
--- a/keylime-agent/src/quotes_handler.rs
+++ b/keylime-agent/src/quotes_handler.rs
@@ -95,7 +95,7 @@ async fn identity(
) {
Ok(quote) => quote,
Err(e) => {
- debug!("Unable to retrieve quote: {:?}", e);
+ debug!("Unable to retrieve quote: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -116,7 +116,7 @@ async fn identity(
match crypto::pkey_pub_to_pem(&data.pub_key) {
Ok(pubkey) => quote.pubkey = Some(pubkey),
Err(e) => {
- debug!("Unable to retrieve public key for quote: {:?}", e);
+ debug!("Unable to retrieve public key for quote: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -193,7 +193,7 @@ async fn integrity(
let pubkey = match crypto::pkey_pub_to_pem(&data.pub_key) {
Ok(pubkey) => pubkey,
Err(e) => {
- debug!("Unable to retrieve public key: {:?}", e);
+ debug!("Unable to retrieve public key: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -242,7 +242,7 @@ async fn integrity(
) {
Ok(tpm_quote) => tpm_quote,
Err(e) => {
- debug!("Unable to retrieve quote: {:?}", e);
+ debug!("Unable to retrieve quote: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -268,7 +268,7 @@ async fn integrity(
let mut ml = Vec::<u8>::new();
let mut f = measuredboot_ml_file.lock().unwrap(); //#[allow_ci]
if let Err(e) = f.rewind() {
- debug!("Failed to rewind measured boot file: {}", e);
+ debug!("Failed to rewind measured boot file: {e}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -279,14 +279,14 @@ async fn integrity(
mb_measurement_list = match f.read_to_end(&mut ml) {
Ok(_) => Some(general_purpose::STANDARD.encode(ml)),
Err(e) => {
- warn!("Could not read TPM2 event log: {}", e);
+ warn!("Could not read TPM2 event log: {e}");
None
}
};
}
}
Err(e) => {
- debug!("Unable to check PCR mask: {:?}", e);
+ debug!("Unable to check PCR mask: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -309,7 +309,7 @@ async fn integrity(
(Some(result.0), Some(result.1), Some(result.2))
}
Err(e) => {
- debug!("Unable to read measurement list: {:?}", e);
+ debug!("Unable to read measurement list: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
diff --git a/keylime-agent/src/revocation.rs b/keylime-agent/src/revocation.rs
index fae5a9c..738c12a 100644
--- a/keylime-agent/src/revocation.rs
+++ b/keylime-agent/src/revocation.rs
@@ -124,7 +124,7 @@ pub(crate) fn run_action(
allow_payload_actions,
)?;
- info!("Executing revocation action {}", action);
+ info!("Executing revocation action {action}");
// Write JSON argument to a temporary file
let raw_json = serde_json::value::to_raw_value(&json)?;
@@ -171,7 +171,7 @@ pub(crate) fn run_action(
return Err(output.try_into()?);
}
- info!("INFO: revocation action {} successful", action);
+ info!("INFO: revocation action {action} successful");
Ok(output)
}
@@ -233,7 +233,7 @@ fn run_revocation_actions(
let msg = format!(
"error executing revocation script {action}: {e:?}"
);
- error!("{}", msg);
+ error!("{msg}");
return Err(Error::Script(
action.to_string(),
e.exe_code()?,
@@ -273,8 +273,7 @@ fn process_revocation(
let msg_payload: Value = serde_json::from_str(msg)?;
debug!(
- "Revocation signature validated for revocation: {}",
- msg_payload
+ "Revocation signature validated for revocation: {msg_payload}"
);
let outputs = run_revocation_actions(
@@ -289,11 +288,11 @@ fn process_revocation(
for output in outputs {
if !output.stdout.is_empty() {
let out = String::from_utf8(output.stdout)?;
- info!("Action stdout: {}", out);
+ info!("Action stdout: {out}");
}
if !output.stderr.is_empty() {
let out = String::from_utf8(output.stderr)?;
- warn!("Action stderr: {}", out);
+ warn!("Action stderr: {out}");
}
}
Ok(())
@@ -476,7 +475,7 @@ pub(crate) async fn worker(
info!("Revocation processed successfully");
}
Err(e) => {
- error!("Failed to process revocation: {}", e);
+ error!("Failed to process revocation: {e}");
}
}
}
diff --git a/keylime-agent/src/secure_mount.rs b/keylime-agent/src/secure_mount.rs
index 573d0c9..435fdfc 100644
--- a/keylime-agent/src/secure_mount.rs
+++ b/keylime-agent/src/secure_mount.rs
@@ -47,7 +47,7 @@ fn check_mount(secure_dir: &Path) -> Result<bool> {
return Ok(true);
} else {
let message = format!("Secure storage location {} already mounted on wrong file system type: {}. Unmount to continue.", secure_dir.display(), fs_type);
- error!("Secure mount error: {}", message);
+ error!("Secure mount error: {message}");
return Err(Error::SecureMount(message));
}
} else {
@@ -65,7 +65,7 @@ fn check_mount(secure_dir: &Path) -> Result<bool> {
let message =
"Mount information parsing error: not enough elements"
.to_string();
- error!("Secure mount error: {}", message);
+ error!("Secure mount error: {message}");
return Err(Error::SecureMount(message));
}
}
@@ -96,7 +96,7 @@ pub(crate) fn mount(work_dir: &Path, secure_size: &str) -> Result<PathBuf> {
))
})?;
- info!("Directory {:?} created.", secure_dir_path);
+ info!("Directory {secure_dir_path:?} created.");
let metadata = fs::metadata(&secure_dir_path).map_err(|e| {
Error::SecureMount(format!(
"unable to get metadata for secure dir path: {e:?}"
diff --git a/keylime/src/crypto.rs b/keylime/src/crypto.rs
index 5c951b1..19e651f 100644
--- a/keylime/src/crypto.rs
+++ b/keylime/src/crypto.rs
@@ -399,14 +399,14 @@ pub fn check_x509_key(
.map_err(CryptoError::RSAGetPublicKeyError)?
.n()
.to_vec();
- let mut cert_n_str = format!("{:?}", cert_n);
+ let mut cert_n_str = format!("{cert_n:?}");
_ = cert_n_str.pop();
_ = cert_n_str.remove(0);
let key = SubjectPublicKeyInfo::try_from(tpm_key.clone())
.map_err(CryptoError::SubjectPublicKeyInfoFromRSAError)?;
let key_der = picky_asn1_der::to_vec(&key)
.map_err(CryptoError::SubjectPublicKeyInfoToDERError)?;
- let key_der_str = format!("{:?}", key_der);
+ let key_der_str = format!("{key_der:?}");
Ok(key_der_str.contains(&cert_n_str))
}
@@ -418,14 +418,14 @@ pub fn check_x509_key(
.map_err(CryptoError::RSAGetPublicKeyError)?
.n()
.to_vec();
- let mut cert_n_str = format!("{:?}", cert_n);
+ let mut cert_n_str = format!("{cert_n:?}");
_ = cert_n_str.pop();
_ = cert_n_str.remove(0);
let key = SubjectPublicKeyInfo::try_from(tpm_key.clone())
.map_err(CryptoError::SubjectPublicKeyInfoFromRSAError)?;
let key_der = picky_asn1_der::to_vec(&key)
.map_err(CryptoError::SubjectPublicKeyInfoToDERError)?;
- let key_der_str = format!("{:?}", key_der);
+ let key_der_str = format!("{key_der:?}");
Ok(key_der_str.contains(&cert_n_str))
}
@@ -437,14 +437,14 @@ pub fn check_x509_key(
.map_err(CryptoError::PublicKeyGetECCError)?
.public_key_to_der()
.map_err(CryptoError::PublicKeyToDERError)?;
- let mut cert_n_str = format!("{:?}", cert_n);
+ let mut cert_n_str = format!("{cert_n:?}");
_ = cert_n_str.pop();
_ = cert_n_str.remove(0);
let key = SubjectPublicKeyInfo::try_from(tpm_key.clone())
.map_err(CryptoError::SubjectPublicKeyInfoFromECCError)?;
let key_der = picky_asn1_der::to_vec(&key)
.map_err(CryptoError::SubjectPublicKeyInfoToDERError)?;
- let key_der_str = format!("{:?}", key_der);
+ let key_der_str = format!("{key_der:?}");
Ok(key_der_str.contains(&cert_n_str))
}
diff --git a/keylime/src/ima/entry.rs b/keylime/src/ima/entry.rs
index 1168b3c..982afa7 100644
--- a/keylime/src/ima/entry.rs
+++ b/keylime/src/ima/entry.rs
@@ -431,10 +431,9 @@ impl TryFrom<&str> for Entry {
template_hash,
event_data: Box::new(ImaBuf::try_from(event)?),
}),
- template => Err(Error::new(
- ErrorKind::Other,
- format!("unrecognized template \"{template}\"",),
- )),
+ template => Err(Error::other(format!(
+ "unrecognized template \"{template}\"",
+ ))),
}
}
}
diff --git a/keylime/src/registrar_client.rs b/keylime/src/registrar_client.rs
index dcfcd22..e036845 100644
--- a/keylime/src/registrar_client.rs
+++ b/keylime/src/registrar_client.rs
@@ -320,7 +320,7 @@ impl<'a> RegistrarClientBuilder<'a> {
// Try to reach the registrar
let addr = format!("http://{registrar_ip}:{registrar_port}/version");
- info!("Requesting registrar API version to {}", addr);
+ info!("Requesting registrar API version to {addr}");
let resp = reqwest::Client::new()
.get(&addr)
diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
index 8a8c85a..ac23720 100644
--- a/keylime/src/tpm.rs
+++ b/keylime/src/tpm.rs
@@ -1344,7 +1344,7 @@ impl Context<'_> {
let mut pcrs = read_mask(mask)?;
// add pcr16 if it isn't in the vec already
- if !pcrs.iter().any(|&pcr| pcr == PcrSlot::Slot16) {
+ if !pcrs.contains(&PcrSlot::Slot16) {
let mut slot16 = vec![PcrSlot::Slot16];
pcrs.append(&mut slot16);
}
@@ -1838,9 +1838,7 @@ fn check_if_pcr_data_and_attestation_match(
.map_err(|source| TpmError::OpenSSLHasherFinish { source })?;
log::trace!(
- "Attested to PCR digest: {:?}, read PCR digest: {:?}",
- attested_pcr,
- pcr_digest,
+ "Attested to PCR digest: {attested_pcr:?}, read PCR digest: {pcr_digest:?}",
);
Ok(memcmp::eq(attested_pcr, &pcr_digest))
@@ -1884,12 +1882,11 @@ fn perform_quote_and_pcr_read(
}
log::info!(
- "PCR data and attestation data mismatched on attempt {}",
- attempt
+ "PCR data and attestation data mismatched on attempt {attempt}"
);
}
- log::error!("PCR data and attestation data mismatched on all {} attempts, giving up", NUM_ATTESTATION_ATTEMPTS);
+ log::error!("PCR data and attestation data mismatched on all {NUM_ATTESTATION_ATTEMPTS} attempts, giving up");
Err(TpmError::TooManyAttestationMismatches {
attempts: NUM_ATTESTATION_ATTEMPTS,
})
@@ -2128,8 +2125,7 @@ pub mod testing {
// Always 1 PCR digest should follow
if count != 1 {
return Err(TpmError::InvalidRequest(format!(
- "Expected 1 PCR digest, got {}",
- count
+ "Expected 1 PCR digest, got {count}"
)));
}
--
2.47.3

225
0005-tpm-add-policy-auth-for-EK-to-activate-crendential.patch Normal file
View File

@ -0,0 +1,225 @@
From d55b898c645d6beeda2952cd798ebfd7f14090a4 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Wed, 17 Sep 2025 11:43:21 +0000
Subject: [PATCH 5/6] tpm: add policy auth for EK to activate crendential
Backport of upstream commit https://github.com/keylime/rust-keylime/commit/88884a5
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime/src/tpm.rs | 151 +++++++++++++++++++++++++++++++++++----------
1 file changed, 118 insertions(+), 33 deletions(-)
diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
index ac23720..5e27f3a 100644
--- a/keylime/src/tpm.rs
+++ b/keylime/src/tpm.rs
@@ -16,6 +16,9 @@ use std::{
sync::{Arc, Mutex, OnceLock},
};
use thiserror::Error;
+use tss_esapi::handles::SessionHandle;
+use tss_esapi::interface_types::session_handles::PolicySession;
+use tss_esapi::structures::{DigestList, SymmetricDefinition};
use openssl::{
hash::{Hasher, MessageDigest},
@@ -26,9 +29,7 @@ use openssl::{
use tss_esapi::{
abstraction::{
- ak,
- cipher::Cipher,
- ek,
+ ak, ek,
pcr::{read_all, PcrData},
DefaultKey,
},
@@ -40,7 +41,7 @@ use tss_esapi::{
},
handles::{
AuthHandle, KeyHandle, ObjectHandle, PcrHandle, PersistentTpmHandle,
- SessionHandle, TpmHandle,
+ TpmHandle,
},
interface_types::{
algorithm::{AsymmetricAlgorithm, HashingAlgorithm, PublicAlgorithm},
@@ -116,6 +117,47 @@ const IAK_AUTH_POLICY_SHA256: [u8; 32] = [
];
const UNIQUE_IAK: [u8; 3] = [0x49, 0x41, 0x4b];
+// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.5 Revision 2
+// Section B.6
+const POLICY_A_SHA384: [u8; 48] = [
+ 0x8b, 0xbf, 0x22, 0x66, 0x53, 0x7c, 0x17, 0x1c, 0xb5, 0x6e, 0x40, 0x3c,
+ 0x4d, 0xc1, 0xd4, 0xb6, 0x4f, 0x43, 0x26, 0x11, 0xdc, 0x38, 0x6e, 0x6f,
+ 0x53, 0x20, 0x50, 0xc3, 0x27, 0x8c, 0x93, 0x0e, 0x14, 0x3e, 0x8b, 0xb1,
+ 0x13, 0x38, 0x24, 0xcc, 0xb4, 0x31, 0x05, 0x38, 0x71, 0xc6, 0xdb, 0x53,
+];
+const POLICY_A_SHA512: [u8; 64] = [
+ 0x1e, 0x3b, 0x76, 0x50, 0x2c, 0x8a, 0x14, 0x25, 0xaa, 0x0b, 0x7b, 0x3f,
+ 0xc6, 0x46, 0xa1, 0xb0, 0xfa, 0xe0, 0x63, 0xb0, 0x3b, 0x53, 0x68, 0xf9,
+ 0xc4, 0xcd, 0xde, 0xca, 0xff, 0x08, 0x91, 0xdd, 0x68, 0x2b, 0xac, 0x1a,
+ 0x85, 0xd4, 0xd8, 0x32, 0xb7, 0x81, 0xea, 0x45, 0x19, 0x15, 0xde, 0x5f,
+ 0xc5, 0xbf, 0x0d, 0xc4, 0xa1, 0x91, 0x7c, 0xd4, 0x2f, 0xa0, 0x41, 0xe3,
+ 0xf9, 0x98, 0xe0, 0xee,
+];
+const POLICY_A_SM3_256: [u8; 32] = [
+ 0xc6, 0x7f, 0x7d, 0x35, 0xf6, 0x6f, 0x3b, 0xec, 0x13, 0xc8, 0x9f, 0xe8,
+ 0x98, 0x92, 0x1c, 0x65, 0x1b, 0x0c, 0xb5, 0xa3, 0x8a, 0x92, 0x69, 0x0a,
+ 0x62, 0xa4, 0x3c, 0x00, 0x12, 0xe4, 0xfb, 0x8b,
+];
+const POLICY_C_SHA384: [u8; 48] = [
+ 0xd6, 0x03, 0x2c, 0xe6, 0x1f, 0x2f, 0xb3, 0xc2, 0x40, 0xeb, 0x3c, 0xf6,
+ 0xa3, 0x32, 0x37, 0xef, 0x2b, 0x6a, 0x16, 0xf4, 0x29, 0x3c, 0x22, 0xb4,
+ 0x55, 0xe2, 0x61, 0xcf, 0xfd, 0x21, 0x7a, 0xd5, 0xb4, 0x94, 0x7c, 0x2d,
+ 0x73, 0xe6, 0x30, 0x05, 0xee, 0xd2, 0xdc, 0x2b, 0x35, 0x93, 0xd1, 0x65,
+];
+const POLICY_C_SHA512: [u8; 64] = [
+ 0x58, 0x9e, 0xe1, 0xe1, 0x46, 0x54, 0x47, 0x16, 0xe8, 0xde, 0xaf, 0xe6,
+ 0xdb, 0x24, 0x7b, 0x01, 0xb8, 0x1e, 0x9f, 0x9c, 0x7d, 0xd1, 0x6b, 0x81,
+ 0x4a, 0xa1, 0x59, 0x13, 0x87, 0x49, 0x10, 0x5f, 0xba, 0x53, 0x88, 0xdd,
+ 0x1d, 0xea, 0x70, 0x2f, 0x35, 0x24, 0x0c, 0x18, 0x49, 0x33, 0x12, 0x1e,
+ 0x2c, 0x61, 0xb8, 0xf5, 0x0d, 0x3e, 0xf9, 0x13, 0x93, 0xa4, 0x9a, 0x38,
+ 0xc3, 0xf7, 0x3f, 0xc8,
+];
+const POLICY_C_SM3_256: [u8; 32] = [
+ 0x2d, 0x4e, 0x81, 0x57, 0x8c, 0x35, 0x31, 0xd9, 0xbd, 0x1c, 0xdd, 0x7d,
+ 0x02, 0xba, 0x29, 0x8d, 0x56, 0x99, 0xa3, 0xe3, 0x9f, 0xc3, 0x55, 0x1b,
+ 0xfe, 0xff, 0xcf, 0x13, 0x2b, 0x49, 0xe1, 0x1d,
+];
+
/// TpmError wraps all possible errors raised in tpm.rs
#[derive(Error, Debug)]
pub enum TpmError {
@@ -1215,19 +1257,14 @@ impl Context<'_> {
/// Creates an empty authentication session
fn create_empty_session(
&mut self,
+ ctx: &mut tss_esapi::Context,
ses_type: SessionType,
+ symmetric: SymmetricDefinition,
+ hash_alg: HashingAlgorithm,
) -> Result<AuthSession> {
- let mut ctx = self.inner.lock().unwrap(); //#[allow_ci]
let Some(session) = ctx
.start_auth_session(
- None,
- None,
- None,
- ses_type,
- Cipher::aes_128_cfb().try_into().map_err(|source| {
- TpmError::TSSSymmetricDefinitionFromCipher { source }
- })?,
- HashingAlgorithm::Sha256,
+ None, None, None, ses_type, symmetric, hash_alg,
)
.map_err(|source| {
TpmError::TSSStartAuthenticationSessionError { source }
@@ -1255,35 +1292,83 @@ impl Context<'_> {
ak: KeyHandle,
ek: KeyHandle,
) -> Result<Digest> {
- let (credential, secret) = parse_cred_and_secret(keyblob)?;
-
- let ek_auth = self.create_empty_session(SessionType::Policy)?;
-
let mut ctx = self.inner.lock().unwrap(); //#[allow_ci]
- // We authorize ses2 with PolicySecret(ENDORSEMENT) as per PolicyA
- let _ = ctx.execute_with_nullauth_session(|context| {
- context.policy_secret(
- ek_auth.try_into()?,
- AuthHandle::Endorsement,
- Default::default(),
- Default::default(),
- Default::default(),
- None,
- )
- })?;
+ let (credential, secret) = parse_cred_and_secret(keyblob)?;
+ let mut policy_digests = DigestList::new();
+ let (parent_public, _, _) = ctx.read_public(ek)?;
+ let ek_hash_alg = parent_public.name_hashing_algorithm();
+ let ek_symmetric =
+ parent_public.symmetric_algorithm().ok_or_else(|| {
+ TpmError::TSSReadPublicError {
+ source: tss_esapi::Error::WrapperError(
+ tss_esapi::WrapperErrorKind::InvalidParam,
+ ),
+ }
+ })?;
+ match ek_hash_alg {
+ HashingAlgorithm::Sha384 => {
+ policy_digests
+ .add(Digest::try_from(POLICY_A_SHA384.as_slice())?)?;
+ policy_digests
+ .add(Digest::try_from(POLICY_C_SHA384.as_slice())?)?;
+ }
+ HashingAlgorithm::Sha512 => {
+ policy_digests
+ .add(Digest::try_from(POLICY_A_SHA512.as_slice())?)?;
+ policy_digests
+ .add(Digest::try_from(POLICY_C_SHA512.as_slice())?)?;
+ }
+ HashingAlgorithm::Sm3_256 => {
+ policy_digests
+ .add(Digest::try_from(POLICY_A_SM3_256.as_slice())?)?;
+ policy_digests
+ .add(Digest::try_from(POLICY_C_SM3_256.as_slice())?)?;
+ }
+ _ => (),
+ };
+
+ let ek_auth = self.create_empty_session(
+ &mut ctx,
+ SessionType::Policy,
+ ek_symmetric.into(),
+ ek_hash_alg,
+ )?;
+ // We authorize session according to the EK profile spec
let result = ctx
- .execute_with_sessions(
- (Some(AuthSession::Password), Some(ek_auth), None),
- |context| {
- context.activate_credential(ak, ek, credential, secret)
+ .execute_with_temporary_object(
+ SessionHandle::from(ek_auth).into(),
+ |ctx, _| {
+ let _ = ctx.execute_with_nullauth_session(|ctx| {
+ ctx.policy_secret(
+ PolicySession::try_from(ek_auth)?,
+ AuthHandle::Endorsement,
+ Default::default(),
+ Default::default(),
+ Default::default(),
+ None,
+ )
+ })?;
+ if !policy_digests.is_empty() {
+ ctx.policy_or(
+ PolicySession::try_from(ek_auth)?,
+ policy_digests,
+ )?
+ }
+ ctx.execute_with_sessions(
+ (Some(AuthSession::Password), Some(ek_auth), None),
+ |ctx| {
+ ctx.activate_credential(
+ ak, ek, credential, secret,
+ )
+ },
+ )
},
)
.map_err(TpmError::from);
// Clear sessions after use
- ctx.flush_context(SessionHandle::from(ek_auth).into())?;
ctx.clear_sessions();
result
--
2.47.3

28
0006-keylime-agent.conf-add-all-accepted-TPM-encryption-a.patch Normal file
View File

@ -0,0 +1,28 @@
From 2542812cf92ef35c71734694599dfb3aab9fdabd Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Wed, 17 Sep 2025 12:45:54 +0100
Subject: [PATCH 6/6] keylime-agent.conf: add all accepted TPM encryption algs
Backported from upstream commit https://github.com/keylime/rust-keylime/commit/a99bb40
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime-agent.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keylime-agent.conf b/keylime-agent.conf
index 71f6096..7669604 100644
--- a/keylime-agent.conf
+++ b/keylime-agent.conf
@@ -217,7 +217,7 @@ allow_payload_revocation_actions = true
#
# Currently accepted values include:
# - hashing: sha512, sha384, sha256 or sha1
-# - encryption: ecc or rsa
+# - encryption: rsa (alias for rsa2048), rsa1024, rsa2048, rsa3072, rsa4096, ecc (alias for ecc256), ecc192, ecc224, ecc256, ecc384, ecc521 or ecc_sm2.
# - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr
#
# To override tpm_hash_alg, set KEYLIME_AGENT_TPM_HASH_ALG environment variable.
--
2.47.3

19
keylime-agent-rust.spec
View File

@ -43,16 +43,17 @@ URL: https://github.com/keylime/rust-keylime/
Source0: %{url}/archive/refs/tags/v%{version}.tar.gz
# The vendor tarball is created using cargo-vendor-filterer to remove Windows
# related files (https://github.com/cgwalters/cargo-vendor-filterer)
# tar xf rust-keylime-%%{version}.tar.gz
# tar xf rust-keylime-%%{version}.tar.zstd
# cd rust-keylime-%%{version}
# cargo vendor-filterer --platform x86_64-unknown-linux-gnu \
# --platform powerpc64le-unknown-linux-gnu \
# --platform aarch64-unknown-linux-gnu \
# --platform i686-unknown-linux-gnu \
# --platform s390x-unknown-linux-gnu \
# --exclude-crate-path "libloading#tests"
# tar jcf rust-keylime-%%{version}-vendor.tar.xz vendor
Source1: rust-keylime-%{version}-vendor.tar.xz
# --exclude-crate-path "libloading#tests" \
# --prefix=vendor --format=tar.zstd
# Rename the vendor.tar.zstd tarball to rust-keylime-%%{version}-vendor.tar.zstd
Source1: rust-keylime-%{version}-vendor.tar.zstd
## (0-99) General patches
# Enable logging for the keylime library
# Patch from https://github.com/keylime/rust-keylime/pull/922
@ -62,6 +63,13 @@ Patch1: rust-keylime-metadata.patch
# Update to openssl 0.10.70 to fix CVE-2025-24898
# Patch from https://github.com/keylime/rust-keylime/pull/926
Patch2: rust-keylime-openssl-0.10.70.patch
# Backport of https://github.com/keylime/rust-keylime/pull/846
# to enable different key sizes and curves for EK and AK.
Patch3: 0003-Enable-non-standard-key-sizes-and-curves-for-EK-and-.patch
Patch4: 0004-Clippy-fixes.patch
Patch5: 0005-tpm-add-policy-auth-for-EK-to-activate-crendential.patch
Patch6: 0006-keylime-agent.conf-add-all-accepted-TPM-encryption-a.patch
## (100-199) Patches for building from system Rust libraries (Fedora)
## (200+) Patches for building from vendored Rust libraries (RHEL)
@ -76,6 +84,7 @@ Requires: util-linux-core
Requires: keylime-base
%endif
BuildRequires: git-core
BuildRequires: systemd
BuildRequires: openssl-devel
BuildRequires: libarchive-devel
@ -95,7 +104,7 @@ Conflicts: keylime-agent
Rust agent for Keylime
%prep
%autosetup -n rust-keylime-%{version} -N %{?bundled_rust_deps:-a1}
%autosetup -S git -n rust-keylime-%{version} -N %{?bundled_rust_deps:-a1}
%autopatch -M 99 -p1
%if 0%{?bundled_rust_deps}
# Source1 is vendored dependencies

2
sources
View File

@ -1,2 +1,2 @@
SHA512 (rust-keylime-0.2.7-vendor.tar.xz) = 1b014fdede3e945ab37e38de62737d90d1a4f7e95379e00d039bbfc68b73e1bcedccea37d81326bd02b18a43bff150f378d090639047bcea88f3689472942512
SHA512 (rust-keylime-0.2.7-vendor.tar.zstd) = cac2cbe6b1831e5f8c1c7981df54b94dfab38e3784b672fe4a5ef85f22af7cb1accb3f726951579a10abb11205d50e58977e7146eba386195b1d6d126043e906
SHA512 (v0.2.7.tar.gz) = 6a9f4e581aa49c8be1599d235a54c6a65d0f45340ef37c3d08124b75c4c5ca2b8467dc00cac8dfae5402b5690bb90fe69a994770fe2715de6e9d4070dabebb7d