Enable attestation with TPM ECC keys

Resolves: RHEL-118148 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2026-02-06 18:28:59 +01:00 · 2026-02-06 18:28:59 +01:00 · 428d44e5dd
commit 428d44e5dd
parent 29f282e620
10 changed files with 817 additions and 198 deletions
--- a/0001-rust-keylime-adjust-features.patch
+++ b/0001-rust-keylime-adjust-features.patch
--- a/0002-rust-keylime-openssl-0.10.70.patch
+++ b/0002-rust-keylime-openssl-0.10.70.patch
--- a/0003-rust-keylime-fix-unnecessary-qualifications.patch
+++ b/0003-rust-keylime-fix-unnecessary-qualifications.patch
--- a/0004-rust-keylime-bump-tss-esapi-from-7.2.0-to-7.6.0.patch
+++ b/0004-rust-keylime-bump-tss-esapi-from-7.2.0-to-7.6.0.patch
@ -0,0 +1,62 @@
+From 203caa94c6d899dc71845a3cdccebd20b226d3af Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Fri, 6 Feb 2026 17:58:24 +0100
+Subject: [PATCH 4/7] Bump tss-esapi from 7.2.0 to 7.6.0
+
+The tss-esapi 7.6.0 provides the create_ek_object_2 and create_ak_2
+APIs (from rust-tss-esapi PR #546) that accept
+AsymmetricAlgorithmSelection with key size/curve info, which is
+required for ECC key support.
+
+Also bump picky-asn1-der from 0.3.1 to 0.4 and picky-asn1-x509 from
+0.6.1 to 0.12 to match the versions required by tss-esapi 7.6.0.
+
+Backported from upstream commits:
+- https://github.com/keylime/rust-keylime/commit/b5c863e
+- https://github.com/keylime/rust-keylime/commit/17202c6
+
+---
+ keylime-agent/Cargo.toml | 6 +++---
+ keylime/Cargo.toml       | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/keylime-agent/Cargo.toml b/keylime-agent/Cargo.toml
+index db6cec7..522be45 100644
+--- a/keylime-agent/Cargo.toml
+++ b/keylime-agent/Cargo.toml
+@@ -21,8 +21,8 @@ keylime = { path = "../keylime" }
+ libc = "0.2.43"
+ log = "0.4"
+ openssl = "0.10.15"
+-picky-asn1-der = "0.3.1"
+-picky-asn1-x509 = "0.6.1"
+picky-asn1-der = "0.4"
+picky-asn1-x509 = "0.12"
+ pretty_env_logger = "0.4"
+ reqwest = {version = "0.11", default-features = false, features = ["json"]}
+ serde = "1.0.80"
+@@ -31,7 +31,7 @@ serde_json = { version = "1.0", features = ["raw_value"] }
+ static_assertions = "1"
+ tempfile = "3.4.0"
+ tokio = {version = "1.24", features = ["rt", "sync", "macros"]}
+-tss-esapi = {version = "7.2.0", features = ["generate-bindings"]}
+tss-esapi = {version = "7.6.0", features = ["generate-bindings"]}
+ thiserror = "1.0"
+ uuid = {version = "1.3", features = ["v4"]}
+ 
+diff --git a/keylime/Cargo.toml b/keylime/Cargo.toml
+index 61ad8b7..ddba447 100644
+--- a/keylime/Cargo.toml
+++ b/keylime/Cargo.toml
+@@ -16,7 +16,7 @@ serde = "1.0.80"
+ serde_derive = "1.0.80"
+ static_assertions = "1"
+ thiserror = "1.0"
+-tss-esapi = {version = "7.2.0", features = ["generate-bindings"]}
+tss-esapi = {version = "7.6.0", features = ["generate-bindings"]}
+ 
+ [dev-dependencies]
+ tempfile = "3.0.4"
+-- 
+2.52.0
+
--- a/0005-rust-keylime-enable-non-standard-key-sizes-and-curve.patch
+++ b/0005-rust-keylime-enable-non-standard-key-sizes-and-curve.patch
@ -0,0 +1,179 @@
+From 9ba0459fab8852e073351614133cffdd7343fe94 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Fri, 6 Feb 2026 17:58:35 +0100
+Subject: [PATCH 5/7] Enable non-standard key sizes and curves for
+ EncryptionAlgorithm
+
+Replace the simple Rsa/Ecc variants with specific key sizes and curves:
+- RSA: Rsa1024, Rsa2048, Rsa3072, Rsa4096
+- ECC: Ecc192, Ecc224, Ecc256, Ecc384, Ecc521, EccSm2
+
+Add From<EncryptionAlgorithm> for AsymmetricAlgorithmSelection to
+support the tss-esapi 7.6.0 create_ek_object_2 and create_ak_2 APIs.
+
+For backwards compatibility, "rsa" maps to Rsa2048 and "ecc" maps to
+Ecc256 in both parsing and display.
+
+Backported from upstream commit:
+- https://github.com/keylime/rust-keylime/commit/2c73a2a
+
+---
+ keylime/src/algorithms.rs | 109 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 99 insertions(+), 10 deletions(-)
+
+diff --git a/keylime/src/algorithms.rs b/keylime/src/algorithms.rs
+index c077466..fc35006 100644
+--- a/keylime/src/algorithms.rs
+++ b/keylime/src/algorithms.rs
+@@ -6,8 +6,13 @@ use std::convert::TryFrom;
+ use std::fmt;
+ use thiserror::Error;
+ use tss_esapi::{
+-    interface_types::algorithm::{
+-        AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm,
+    abstraction::AsymmetricAlgorithmSelection,
+    interface_types::{
+        algorithm::{
+            AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm,
+        },
+        ecc::EccCurve,
+        key_bits::RsaKeyBits,
+     },
+     structures::{HashScheme, SignatureScheme},
+ };
+@@ -87,15 +92,68 @@ impl From<HashAlgorithm> for MessageDigest {
+ 
+ #[derive(Copy, Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
+ pub enum EncryptionAlgorithm {
+-    Rsa,
+-    Ecc,
+    Rsa1024,
+    Rsa2048,
+    Rsa3072,
+    Rsa4096,
+    Ecc192,
+    Ecc224,
+    Ecc256,
+    Ecc384,
+    Ecc521,
+    EccSm2,
+ }
+ 
+ impl From<EncryptionAlgorithm> for AsymmetricAlgorithm {
+     fn from(enc_alg: EncryptionAlgorithm) -> Self {
+         match enc_alg {
+-            EncryptionAlgorithm::Rsa => AsymmetricAlgorithm::Rsa,
+-            EncryptionAlgorithm::Ecc => AsymmetricAlgorithm::Ecc,
+            EncryptionAlgorithm::Rsa1024
+            | EncryptionAlgorithm::Rsa2048
+            | EncryptionAlgorithm::Rsa3072
+            | EncryptionAlgorithm::Rsa4096 => AsymmetricAlgorithm::Rsa,
+            EncryptionAlgorithm::Ecc192
+            | EncryptionAlgorithm::Ecc224
+            | EncryptionAlgorithm::Ecc256
+            | EncryptionAlgorithm::Ecc384
+            | EncryptionAlgorithm::Ecc521
+            | EncryptionAlgorithm::EccSm2 => AsymmetricAlgorithm::Ecc,
+        }
+    }
+}
+
+impl From<EncryptionAlgorithm> for AsymmetricAlgorithmSelection {
+    fn from(enc_alg: EncryptionAlgorithm) -> Self {
+        match enc_alg {
+            EncryptionAlgorithm::Rsa1024 => {
+                AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa1024)
+            }
+            EncryptionAlgorithm::Rsa2048 => {
+                AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048)
+            }
+            EncryptionAlgorithm::Rsa3072 => {
+                AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa3072)
+            }
+            EncryptionAlgorithm::Rsa4096 => {
+                AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa4096)
+            }
+            EncryptionAlgorithm::Ecc192 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP192)
+            }
+            EncryptionAlgorithm::Ecc224 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP224)
+            }
+            EncryptionAlgorithm::Ecc256 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256)
+            }
+            EncryptionAlgorithm::Ecc384 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384)
+            }
+            EncryptionAlgorithm::Ecc521 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP521)
+            }
+            EncryptionAlgorithm::EccSm2 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::Sm2P256)
+            }
+         }
+     }
+ }
+@@ -105,8 +163,18 @@ impl TryFrom<&str> for EncryptionAlgorithm {
+ 
+     fn try_from(value: &str) -> Result<Self, Self::Error> {
+         match value {
+-            "rsa" => Ok(EncryptionAlgorithm::Rsa),
+-            "ecc" => Ok(EncryptionAlgorithm::Ecc),
+            "rsa" | "rsa2048" => Ok(EncryptionAlgorithm::Rsa2048),
+            "rsa1024" => Ok(EncryptionAlgorithm::Rsa1024),
+            "rsa3072" => Ok(EncryptionAlgorithm::Rsa3072),
+            "rsa4096" => Ok(EncryptionAlgorithm::Rsa4096),
+            "ecc" | "ecc256" | "ecc_nist_p256" => {
+                Ok(EncryptionAlgorithm::Ecc256)
+            }
+            "ecc192" | "ecc_nist_p192" => Ok(EncryptionAlgorithm::Ecc192),
+            "ecc224" | "ecc_nist_p224" => Ok(EncryptionAlgorithm::Ecc224),
+            "ecc384" | "ecc_nist_p384" => Ok(EncryptionAlgorithm::Ecc384),
+            "ecc521" | "ecc_nist_p521" => Ok(EncryptionAlgorithm::Ecc521),
+            "ecc_sm2" | "ecc_sm2_p256" => Ok(EncryptionAlgorithm::EccSm2),
+             _ => Err(AlgorithmError::Encrypt(format!(
+                 "Encryption algorithm {value} not supported by Keylime"
+             ))),
+@@ -117,8 +185,16 @@ impl TryFrom<&str> for EncryptionAlgorithm {
+ impl fmt::Display for EncryptionAlgorithm {
+     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+         let value = match self {
+-            EncryptionAlgorithm::Rsa => "rsa",
+-            EncryptionAlgorithm::Ecc => "ecc",
+            EncryptionAlgorithm::Rsa2048 => "rsa",
+            EncryptionAlgorithm::Rsa1024 => "rsa1024",
+            EncryptionAlgorithm::Rsa3072 => "rsa3072",
+            EncryptionAlgorithm::Rsa4096 => "rsa4096",
+            EncryptionAlgorithm::Ecc256 => "ecc",
+            EncryptionAlgorithm::Ecc192 => "ecc192",
+            EncryptionAlgorithm::Ecc224 => "ecc224",
+            EncryptionAlgorithm::Ecc384 => "ecc384",
+            EncryptionAlgorithm::Ecc521 => "ecc521",
+            EncryptionAlgorithm::EccSm2 => "ecc_sm2",
+         };
+         write!(f, "{value}")
+     }
+@@ -205,6 +281,19 @@ mod tests {
+     fn test_encrypt_try_from() {
+         let result = EncryptionAlgorithm::try_from("rsa");
+         assert!(result.is_ok());
+        assert_eq!(result.unwrap(), EncryptionAlgorithm::Rsa2048); //#[allow_ci]
+
+        let result = EncryptionAlgorithm::try_from("ecc");
+        assert!(result.is_ok());
+        assert_eq!(result.unwrap(), EncryptionAlgorithm::Ecc256); //#[allow_ci]
+
+        let result = EncryptionAlgorithm::try_from("rsa4096");
+        assert!(result.is_ok());
+        assert_eq!(result.unwrap(), EncryptionAlgorithm::Rsa4096); //#[allow_ci]
+
+        let result = EncryptionAlgorithm::try_from("ecc384");
+        assert!(result.is_ok());
+        assert_eq!(result.unwrap(), EncryptionAlgorithm::Ecc384); //#[allow_ci]
+     }
+     #[test]
+     fn test_sign_tryfrom() {
+-- 
+2.52.0
+
--- a/0006-rust-keylime-update-TPM-functions-for-ECC-support.patch
+++ b/0006-rust-keylime-update-TPM-functions-for-ECC-support.patch
@ -0,0 +1,269 @@
+From d051c8e617f50c7200722ffb4e8d32b5a638f240 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Fri, 6 Feb 2026 01:00:00 +0100
+Subject: [PATCH 6/7] tpm: add policy auth for EK to activate crendential
+
+Backported from upstream commit:
+- https://github.com/keylime/rust-keylime/commit/af32aa2
+
+---
+ keylime/src/tpm.rs | 168 +++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 140 insertions(+), 28 deletions(-)
+
+diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
+index 4b83e1f..9244b03 100644
+--- a/keylime/src/tpm.rs
+++ b/keylime/src/tpm.rs
+@@ -16,11 +16,9 @@ use openssl::{
+
+ use tss_esapi::{
+     abstraction::{
+-        ak,
+-        cipher::Cipher,
+-        ek,
+        ak, ek,
+         pcr::{read_all, PcrData},
+-        DefaultKey,
+        AsymmetricAlgorithmSelection, DefaultKey,
+     },
+     attributes::session::SessionAttributesBuilder,
+     constants::{
+@@ -30,12 +28,13 @@ use tss_esapi::{
+         AuthHandle, KeyHandle, PcrHandle, PersistentTpmHandle, TpmHandle,
+     },
+     interface_types::{
+-        algorithm::HashingAlgorithm, session_handles::AuthSession,
+        algorithm::HashingAlgorithm,
+        session_handles::{AuthSession, PolicySession},
+     },
+     structures::{
+-        Attest, AttestInfo, Digest, DigestValues, EncryptedSecret, IdObject,
+-        PcrSelectionList, PcrSelectionListBuilder, PcrSlot, Signature,
+-        SignatureScheme,
+        Attest, AttestInfo, Digest, DigestList, DigestValues,
+        EncryptedSecret, IdObject, PcrSelectionList, PcrSelectionListBuilder,
+        PcrSlot, Signature, SignatureScheme, SymmetricDefinition,
+     },
+     tcti_ldr::TctiNameConf,
+     traits::Marshall,
+@@ -49,6 +48,59 @@ const TPML_DIGEST_SIZE: usize = std::mem::size_of::<TPML_DIGEST>();
+ const TPML_PCR_SELECTION_SIZE: usize =
+     std::mem::size_of::<TPML_PCR_SELECTION>();
+
+// Policy digest constants from TCG EK Credential Profile for TPM Family 2.0
+// Level 0 Version 2.5 Revision 2, Section B.6
+
+// Policy A (PolicySecret(ENDORSEMENT)) for SHA-384
+const POLICY_A_SHA384: [u8; 48] = [
+    0x8b, 0xbf, 0x22, 0x66, 0x53, 0x7c, 0x17, 0x1c, 0xb5, 0x6e, 0x40, 0x3c,
+    0x4d, 0xc1, 0xd4, 0xb6, 0x4f, 0x43, 0x26, 0x11, 0xdc, 0x38, 0x6e, 0x6f,
+    0x53, 0x20, 0x50, 0xc3, 0x27, 0x8c, 0x93, 0x0e, 0x14, 0x3e, 0x8b, 0xb1,
+    0x13, 0x38, 0x24, 0xcc, 0xb4, 0x31, 0x05, 0x38, 0x71, 0xc6, 0xdb, 0x53,
+];
+
+// Policy A (PolicySecret(ENDORSEMENT)) for SHA-512
+const POLICY_A_SHA512: [u8; 64] = [
+    0x1e, 0x3b, 0x76, 0x50, 0x2c, 0x8a, 0x14, 0x25, 0xaa, 0x0b, 0x7b, 0x3f,
+    0xc6, 0x46, 0xa1, 0xb0, 0xfa, 0xe0, 0x63, 0xb0, 0x3b, 0x53, 0x68, 0xf9,
+    0xc4, 0xcd, 0xde, 0xca, 0xff, 0x08, 0x91, 0xdd, 0x68, 0x2b, 0xac, 0x1a,
+    0x85, 0xd4, 0xd8, 0x32, 0xb7, 0x81, 0xea, 0x45, 0x19, 0x15, 0xde, 0x5f,
+    0xc5, 0xbf, 0x0d, 0xc4, 0xa1, 0x91, 0x7c, 0xd4, 0x2f, 0xa0, 0x41, 0xe3,
+    0xf9, 0x98, 0xe0, 0xee,
+];
+
+// Policy A (PolicySecret(ENDORSEMENT)) for SM3-256
+const POLICY_A_SM3_256: [u8; 32] = [
+    0xc6, 0x7f, 0x7d, 0x35, 0xf6, 0x6f, 0x3b, 0xec, 0x13, 0xc8, 0x9f, 0xe8,
+    0x98, 0x92, 0x1c, 0x65, 0x1b, 0x0c, 0xb5, 0xa3, 0x8a, 0x92, 0x69, 0x0a,
+    0x62, 0xa4, 0x3c, 0x00, 0x12, 0xe4, 0xfb, 0x8b,
+];
+
+// Policy C (PolicyOr(PolicyA, PolicyB)) for SHA-384
+const POLICY_C_SHA384: [u8; 48] = [
+    0xd6, 0x03, 0x2c, 0xe6, 0x1f, 0x2f, 0xb3, 0xc2, 0x40, 0xeb, 0x3c, 0xf6,
+    0xa3, 0x32, 0x37, 0xef, 0x2b, 0x6a, 0x16, 0xf4, 0x29, 0x3c, 0x22, 0xb4,
+    0x55, 0xe2, 0x61, 0xcf, 0xfd, 0x21, 0x7a, 0xd5, 0xb4, 0x94, 0x7c, 0x2d,
+    0x73, 0xe6, 0x30, 0x05, 0xee, 0xd2, 0xdc, 0x2b, 0x35, 0x93, 0xd1, 0x65,
+];
+
+// Policy C (PolicyOr(PolicyA, PolicyB)) for SHA-512
+const POLICY_C_SHA512: [u8; 64] = [
+    0x58, 0x9e, 0xe1, 0xe1, 0x46, 0x54, 0x47, 0x16, 0xe8, 0xde, 0xaf, 0xe6,
+    0xdb, 0x24, 0x7b, 0x01, 0xb8, 0x1e, 0x9f, 0x9c, 0x7d, 0xd1, 0x6b, 0x81,
+    0x4a, 0xa1, 0x59, 0x13, 0x87, 0x49, 0x10, 0x5f, 0xba, 0x53, 0x88, 0xdd,
+    0x1d, 0xea, 0x70, 0x2f, 0x35, 0x24, 0x0c, 0x18, 0x49, 0x33, 0x12, 0x1e,
+    0x2c, 0x61, 0xb8, 0xf5, 0x0d, 0x3e, 0xf9, 0x13, 0x93, 0xa4, 0x9a, 0x38,
+    0xc3, 0xf7, 0x3f, 0xc8,
+];
+
+// Policy C (PolicyOr(PolicyA, PolicyB)) for SM3-256
+const POLICY_C_SM3_256: [u8; 32] = [
+    0x2d, 0x4e, 0x81, 0x57, 0x8c, 0x35, 0x31, 0xd9, 0xbd, 0x1c, 0xdd, 0x7d,
+    0x02, 0xba, 0x29, 0x8d, 0x56, 0x99, 0xa3, 0xe3, 0x9f, 0xc3, 0x55, 0x1b,
+    0xfe, 0xff, 0xcf, 0x13, 0x2b, 0x49, 0xe1, 0x1d,
+];
+
+ #[derive(Error, Debug)]
+ pub enum TpmError {
+     #[error("TSS2 Error: {err:?}, kind: {kind:?}, {message}")]
+@@ -153,9 +205,9 @@ impl Context {
+         let key_handle = match handle {
+             Some(v) => {
+                 if v.is_empty() {
+-                    ek::create_ek_object(
+                    ek::create_ek_object_2(
+                         &mut self.inner,
+-                        alg.into(),
+                        Into::<AsymmetricAlgorithmSelection>::into(alg),
+                         DefaultKey,
+                     )?
+                 } else {
+@@ -168,12 +220,16 @@ impl Context {
+                         .into()
+                 }
+             }
+-            None => {
+-                ek::create_ek_object(&mut self.inner, alg.into(), DefaultKey)?
+-            }
+            None => ek::create_ek_object_2(
+                &mut self.inner,
+                Into::<AsymmetricAlgorithmSelection>::into(alg),
+                DefaultKey,
+            )?,
+         };
+-        let cert = match ek::retrieve_ek_pubcert(&mut self.inner, alg.into())
+-        {
+        let cert = match ek::retrieve_ek_pubcert(
+            &mut self.inner,
+            Into::<AsymmetricAlgorithmSelection>::into(alg),
+        ) {
+             Ok(v) => Some(v),
+             Err(_) => {
+                 warn!("No EK certificate found in TPM NVRAM");
+@@ -194,11 +250,13 @@ impl Context {
+         handle: KeyHandle,
+         hash_alg: HashAlgorithm,
+         sign_alg: SignAlgorithm,
+        key_alg: EncryptionAlgorithm,
+     ) -> Result<AKResult> {
+-        let ak = ak::create_ak(
+        let ak = ak::create_ak_2(
+             &mut self.inner,
+             handle,
+             hash_alg.into(),
+            Into::<AsymmetricAlgorithmSelection>::into(key_alg),
+             sign_alg.into(),
+             None,
+             DefaultKey,
+@@ -228,14 +286,16 @@ impl Context {
+     fn create_empty_session(
+         &mut self,
+         ses_type: SessionType,
+        symmetric: SymmetricDefinition,
+        hash_alg: HashingAlgorithm,
+     ) -> Result<AuthSession> {
+         let session = self.inner.start_auth_session(
+             None,
+             None,
+             None,
+             ses_type,
+-            Cipher::aes_128_cfb().try_into()?,
+-            HashingAlgorithm::Sha256,
+            symmetric,
+            hash_alg,
+         )?;
+         let (ses_attrs, ses_attrs_mask) = SessionAttributesBuilder::new()
+             .with_encrypt(true)
+@@ -258,12 +318,49 @@ impl Context {
+     ) -> Result<Digest> {
+         let (credential, secret) = parse_cred_and_secret(keyblob)?;
+
+-        let ek_auth = self.create_empty_session(SessionType::Policy)?;
+        // Read EK public info to determine hash and symmetric algorithms
+        let (ek_public, _, _) = self.inner.read_public(ek)?;
+        let ek_hash_alg = ek_public.name_hashing_algorithm();
+        let ek_symmetric: SymmetricDefinition = ek_public
+            .symmetric_algorithm()
+            .map(Into::into)
+            .unwrap_or(SymmetricDefinition::AES_128_CFB); //#[allow_ci]
+
+        // Build policy digests for PolicyOr (needed for ECC EKs and
+        // non-default hash algorithms)
+        let mut policy_digests = DigestList::new();
+        match ek_hash_alg {
+            HashingAlgorithm::Sha384 => {
+                policy_digests
+                    .add(Digest::try_from(POLICY_A_SHA384.as_slice())?)?;
+                policy_digests
+                    .add(Digest::try_from(POLICY_C_SHA384.as_slice())?)?;
+            }
+            HashingAlgorithm::Sha512 => {
+                policy_digests
+                    .add(Digest::try_from(POLICY_A_SHA512.as_slice())?)?;
+                policy_digests
+                    .add(Digest::try_from(POLICY_C_SHA512.as_slice())?)?;
+            }
+            HashingAlgorithm::Sm3_256 => {
+                policy_digests
+                    .add(Digest::try_from(POLICY_A_SM3_256.as_slice())?)?;
+                policy_digests
+                    .add(Digest::try_from(POLICY_C_SM3_256.as_slice())?)?;
+            }
+            _ => {}
+        }
+
+        let ek_auth = self.create_empty_session(
+            SessionType::Policy,
+            ek_symmetric,
+            ek_hash_alg,
+        )?;
+
+         // We authorize ses2 with PolicySecret(ENDORSEMENT) as per PolicyA
+         let _ = self.inner.execute_with_nullauth_session(|context| {
+             context.policy_secret(
+-                ek_auth.try_into()?,
+                PolicySession::try_from(ek_auth)?,
+                 AuthHandle::Endorsement,
+                 Default::default(),
+                 Default::default(),
+@@ -272,14 +369,29 @@ impl Context {
+             )
+         })?;
+
+-        self.inner
+-            .execute_with_sessions(
+-                (Some(AuthSession::Password), Some(ek_auth), None),
+-                |context| {
+-                    context.activate_credential(ak, ek, credential, secret)
+-                },
+-            )
+-            .map_err(TpmError::from)
+        // Apply PolicyOr if needed (for ECC EKs and non-default hash algs)
+        // PolicyOR does not require authorization; use
+        // execute_without_session to ensure no extra sessions with
+        // encrypt/decrypt attributes are passed to Esys_PolicyOR.
+        if !policy_digests.is_empty() {
+            self.inner.execute_without_session(|ctx| {
+                ctx.policy_or(
+                    PolicySession::try_from(ek_auth)?,
+                    policy_digests.clone(),
+                )
+            })?;
+        }
+
+        let result = self.inner.execute_with_sessions(
+            (Some(AuthSession::Password), Some(ek_auth), None),
+            |context| {
+                context.activate_credential(ak, ek, credential, secret)
+            },
+        )?;
+
+        self.inner.clear_sessions();
+
+        Ok(result)
+     }
+
+     // This function extends Pcr16 with the digest, then creates a PcrList
+--
+2.52.0
+
--- a/0007-rust-keylime-pass-encryption-algorithm-to-create_ak.patch
+++ b/0007-rust-keylime-pass-encryption-algorithm-to-create_ak.patch
@ -0,0 +1,54 @@
+From 05a0c158a3d9ec1179a0b4539c28f048d1be5724 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Fri, 6 Feb 2026 01:00:00 +0100
+Subject: [PATCH 7/7] Pass encryption_alg to create AK
+
+---
+ keylime-agent/src/common.rs | 1 +
+ keylime-agent/src/main.rs   | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/keylime-agent/src/common.rs b/keylime-agent/src/common.rs
+index 226bed3..a5f9975 100644
+--- a/keylime-agent/src/common.rs
+++ b/keylime-agent/src/common.rs
+@@ -333,6 +333,7 @@ mod tests {
+             ek_result.key_handle,
+             tpm_hash_alg,
+             tpm_signing_alg,
+            tpm_encryption_alg,
+         )?;
+
+         let agent_data_test = AgentData::create(
+diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
+index beef809..35c0c52 100644
+--- a/keylime-agent/src/main.rs
+++ b/keylime-agent/src/main.rs
+@@ -363,6 +363,7 @@ async fn main() -> Result<()> {
+                 ek_result.key_handle,
+                 tpm_hash_alg,
+                 tpm_signing_alg,
+                tpm_encryption_alg,
+             )?;
+             let ak_handle = ctx.load_ak(ek_result.key_handle, &new_ak)?;
+             (ak_handle, new_ak)
+@@ -848,6 +849,7 @@ mod testing {
+                 ek_result.key_handle,
+                 tpm_hash_alg,
+                 tpm_signing_alg,
+                tpm_encryption_alg,
+             )?;
+             let ak_handle = ctx.load_ak(ek_result.key_handle, &ak_result)?;
+             let ak_tpm2b_pub =
+@@ -914,7 +916,7 @@ mod testing {
+                 payload_tx,
+                 revocation_tx,
+                 hash_alg: keylime::algorithms::HashAlgorithm::Sha256,
+-                enc_alg: keylime::algorithms::EncryptionAlgorithm::Rsa,
+                enc_alg: keylime::algorithms::EncryptionAlgorithm::Rsa2048,
+                 sign_alg: keylime::algorithms::SignAlgorithm::RsaSsa,
+                 agent_uuid: test_config.agent.uuid,
+                 allow_payload_revocation_actions: test_config
+--
+2.52.0
+
--- a/0008-rust-keylime-bump-pretty-env-logger.patch
+++ b/0008-rust-keylime-bump-pretty-env-logger.patch
@ -0,0 +1,13 @@
+diff --git a/keylime-agent/Cargo.toml b/keylime-agent/Cargo.toml
+index 522be45..f77cf6c 100644
+--- a/keylime-agent/Cargo.toml
+++ b/keylime-agent/Cargo.toml
+@@ -23,7 +23,7 @@ log = "0.4"
+ openssl = "0.10.15"
+ picky-asn1-der = "0.4"
+ picky-asn1-x509 = "0.12"
+-pretty_env_logger = "0.4"
+pretty_env_logger = "0.5"
+ reqwest = {version = "0.11", default-features = false, features = ["json"]}
+ serde = "1.0.80"
+ serde_derive = "1.0.80"
--- a/keylime-agent-rust.spec
+++ b/keylime-agent-rust.spec
@ -10,7 +10,7 @@

 Name:           keylime-agent-rust
 Version:        0.2.2
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Rust agent for Keylime

 # Upstream license specification: Apache-2.0
@ -48,11 +48,30 @@ Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz
 #   tar jcf rust-keylime-%%{version}-vendor.tar.xz vendor
 Source1:        rust-keylime-%{version}-vendor.tar.xz
 # Drop dependencies and adjust the features
-Patch0:         rust-keylime-adjust-features.patch
+Patch0:         0001-rust-keylime-adjust-features.patch
 # Update openssl to version 0.10.70 to fix CVE-2025-24898
-Patch1:         rust-keylime-openssl-0.10.70.patch
+Patch1:         0002-rust-keylime-openssl-0.10.70.patch
 # Fix unnecessary qualification warnings
-Patch2:         rust-keylime-fix-unnecessary-qualifications.patch
+Patch2:         0003-rust-keylime-fix-unnecessary-qualifications.patch
+# Bump tss-esapi from 7.2.0 to 7.6.0 for ECC key support
+# Backported from upstream commits
+# https://github.com/keylime/rust-keylime/commit/b5c863e
+# https://github.com/keylime/rust-keylime/commit/17202c6
+Patch3:         0004-rust-keylime-bump-tss-esapi-from-7.2.0-to-7.6.0.patch
+# Enable non-standard key sizes and curves for EncryptionAlgorithm
+# Backported from upstream commits
+# https://github.com/keylime/rust-keylime/commit/2c73a2a
+Patch4:         0005-rust-keylime-enable-non-standard-key-sizes-and-curve.patch
+# Update TPM functions for ECC support (EK/AK creation, credential activation)
+# Backported from upstream commits
+# https://github.com/keylime/rust-keylime/commit/af32aa2
+Patch5:         0006-rust-keylime-update-TPM-functions-for-ECC-support.patch
+# Pass encryption algorithm to create_ak
+Patch6:         0007-rust-keylime-pass-encryption-algorithm-to-create_ak.patch
+# Bump pretty-env-logger to version 0.5
+# Backported from upstream commit:
+# https://github.com/keylime/rust-keylime/commit/fbe6a03
+Patch7:         0008-rust-keylime-bump-pretty-env-logger.patch

 ExclusiveArch:  %{rust_arches}

@ -64,228 +83,247 @@ Requires: tpm2-tss
 Requires: keylime-base
 Requires: util-linux-core

-BuildRequires:  systemd
-BuildRequires:  openssl-devel
-BuildRequires:  libarchive-devel
-BuildRequires:  tpm2-tss-devel
-BuildRequires:  rust-toolset
 BuildRequires:  clang
+BuildRequires:  git-core
+BuildRequires:  libarchive-devel
+BuildRequires:  openssl-devel
+BuildRequires:  rust-toolset
+BuildRequires:  systemd
+BuildRequires:  tpm2-tss-devel

 # Virtual Provides to support swapping between Python and Rust implementation
 Provides:       keylime-agent
 Conflicts:      keylime-agent

-Provides: bundled(crate(actix-codec)) = 0.5.0
-Provides: bundled(crate(actix-http)) = 3.3.1
-Provides: bundled(crate(actix-macros)) = 0.2.3
-Provides: bundled(crate(actix-router)) = 0.5.1
-Provides: bundled(crate(actix-rt)) = 2.8.0
-Provides: bundled(crate(actix-server)) = 2.1.1
-Provides: bundled(crate(actix-service)) = 2.0.2
-Provides: bundled(crate(actix-tls)) = 3.0.3
-Provides: bundled(crate(actix-utils)) = 3.0.0
-Provides: bundled(crate(actix-web)) = 4.3.1
-Provides: bundled(crate(actix-web-codegen)) = 4.2.0
-Provides: bundled(crate(ahash)) = 0.7.6
-Provides: bundled(crate(ahash)) = 0.8.3
-Provides: bundled(crate(aho-corasick)) = 0.7.19
-Provides: bundled(crate(anstream)) = 0.3.2
-Provides: bundled(crate(anstyle)) = 1.0.1
-Provides: bundled(crate(anstyle-parse)) = 0.2.1
-Provides: bundled(crate(anstyle-query)) = 1.0.0
-Provides: bundled(crate(async-trait)) = 0.1.57
-Provides: bundled(crate(atty)) = 0.2.14
-Provides: bundled(crate(autocfg)) = 1.1.0
-Provides: bundled(crate(base64)) = 0.13.1
-Provides: bundled(crate(base64)) = 0.21.0
-Provides: bundled(crate(bindgen)) = 0.63.0
-Provides: bundled(crate(bitfield)) = 0.13.2
-Provides: bundled(crate(bitflags)) = 1.3.2
-Provides: bundled(crate(bitflags)) = 2.8.0
-Provides: bundled(crate(block-buffer)) = 0.10.3
-Provides: bundled(crate(bytes)) = 1.2.1
-Provides: bundled(crate(bytestring)) = 1.1.0
-Provides: bundled(crate(cc)) = 1.0.73
+Provides: bundled(crate(actix-codec)) = 0.5.2
+Provides: bundled(crate(actix-http)) = 3.11.2
+Provides: bundled(crate(actix-macros)) = 0.2.4
+Provides: bundled(crate(actix-router)) = 0.5.3
+Provides: bundled(crate(actix-rt)) = 2.11.0
+Provides: bundled(crate(actix-server)) = 2.6.0
+Provides: bundled(crate(actix-service)) = 2.0.3
+Provides: bundled(crate(actix-tls)) = 3.5.0
+Provides: bundled(crate(actix-utils)) = 3.0.1
+Provides: bundled(crate(actix-web)) = 4.12.1
+Provides: bundled(crate(actix-web-codegen)) = 4.3.0
+Provides: bundled(crate(aho-corasick)) = 1.1.4
+Provides: bundled(crate(anstream)) = 0.6.21
+Provides: bundled(crate(anstyle)) = 1.0.13
+Provides: bundled(crate(anstyle-parse)) = 0.2.7
+Provides: bundled(crate(anstyle-query)) = 1.1.5
+Provides: bundled(crate(async-trait)) = 0.1.89
+Provides: bundled(crate(autocfg)) = 1.5.0
+Provides: bundled(crate(base64)) = 0.21.7
+Provides: bundled(crate(bindgen)) = 0.66.1
+Provides: bundled(crate(bitfield)) = 0.14.0
+Provides: bundled(crate(bitflags)) = 2.10.0
+Provides: bundled(crate(block-buffer)) = 0.10.4
+Provides: bundled(crate(bytes)) = 1.11.1
+Provides: bundled(crate(bytestring)) = 1.5.0
+Provides: bundled(crate(cc)) = 1.2.55
 Provides: bundled(crate(cexpr)) = 0.6.0
-Provides: bundled(crate(cfg-if)) = 1.0.0
-Provides: bundled(crate(clang-sys)) = 1.4.0
-Provides: bundled(crate(clap)) = 4.3.11
-Provides: bundled(crate(clap_builder)) = 4.3.11
-Provides: bundled(crate(clap_derive)) = 4.3.2
-Provides: bundled(crate(clap_lex)) = 0.5.0
-Provides: bundled(crate(colorchoice)) = 1.0.0
+Provides: bundled(crate(cfg-if)) = 1.0.4
+Provides: bundled(crate(clang-sys)) = 1.8.1
+Provides: bundled(crate(clap)) = 4.5.57
+Provides: bundled(crate(clap_builder)) = 4.5.57
+Provides: bundled(crate(clap_derive)) = 4.5.55
+Provides: bundled(crate(clap_lex)) = 0.7.7
+Provides: bundled(crate(colorchoice)) = 1.0.4
 Provides: bundled(crate(compress-tools)) = 0.12.4
-Provides: bundled(crate(config)) = 0.13.3
-Provides: bundled(crate(convert_case)) = 0.4.0
-Provides: bundled(crate(cpufeatures)) = 0.2.5
-Provides: bundled(crate(crypto-common)) = 0.1.6
-Provides: bundled(crate(derive_more)) = 0.99.17
-Provides: bundled(crate(digest)) = 0.10.5
-Provides: bundled(crate(either)) = 1.8.0
-Provides: bundled(crate(encoding_rs)) = 0.8.31
-Provides: bundled(crate(enumflags2)) = 0.7.7
-Provides: bundled(crate(enumflags2_derive)) = 0.7.7
-Provides: bundled(crate(env_logger)) = 0.7.1
-Provides: bundled(crate(errno)) = 0.3.1
-Provides: bundled(crate(fastrand)) = 1.8.0
+Provides: bundled(crate(config)) = 0.13.4
+Provides: bundled(crate(convert_case)) = 0.10.0
+Provides: bundled(crate(cpufeatures)) = 0.2.17
+Provides: bundled(crate(crypto-common)) = 0.1.7
+Provides: bundled(crate(deranged)) = 0.5.6
+Provides: bundled(crate(derive_more)) = 0.99.20
+Provides: bundled(crate(derive_more)) = 2.1.1
+Provides: bundled(crate(derive_more-impl)) = 2.1.1
+Provides: bundled(crate(digest)) = 0.10.7
+Provides: bundled(crate(displaydoc)) = 0.2.5
+Provides: bundled(crate(either)) = 1.15.0
+Provides: bundled(crate(encoding_rs)) = 0.8.35
+Provides: bundled(crate(enumflags2)) = 0.7.12
+Provides: bundled(crate(enumflags2_derive)) = 0.7.12
+Provides: bundled(crate(env_logger)) = 0.10.2
+Provides: bundled(crate(equivalent)) = 1.0.2
+Provides: bundled(crate(errno)) = 0.3.14
+Provides: bundled(crate(fastrand)) = 2.3.0
+Provides: bundled(crate(find-msvc-tools)) = 0.1.9
 Provides: bundled(crate(fnv)) = 1.0.7
+Provides: bundled(crate(foldhash)) = 0.1.5
 Provides: bundled(crate(foreign-types)) = 0.3.2
 Provides: bundled(crate(foreign-types-shared)) = 0.1.1
-Provides: bundled(crate(form_urlencoded)) = 1.1.0
-Provides: bundled(crate(futures)) = 0.3.27
-Provides: bundled(crate(futures-channel)) = 0.3.27
-Provides: bundled(crate(futures-core)) = 0.3.27
-Provides: bundled(crate(futures-executor)) = 0.3.27
-Provides: bundled(crate(futures-io)) = 0.3.27
-Provides: bundled(crate(futures-macro)) = 0.3.27
-Provides: bundled(crate(futures-sink)) = 0.3.27
-Provides: bundled(crate(futures-task)) = 0.3.27
-Provides: bundled(crate(futures-util)) = 0.3.27
-Provides: bundled(crate(generic-array)) = 0.14.6
-Provides: bundled(crate(getrandom)) = 0.2.7
-Provides: bundled(crate(glob)) = 0.3.1
-Provides: bundled(crate(h2)) = 0.3.17
-Provides: bundled(crate(hashbrown)) = 0.12.3
-Provides: bundled(crate(heck)) = 0.4.0
+Provides: bundled(crate(form_urlencoded)) = 1.2.2
+Provides: bundled(crate(futures)) = 0.3.31
+Provides: bundled(crate(futures-channel)) = 0.3.31
+Provides: bundled(crate(futures-core)) = 0.3.31
+Provides: bundled(crate(futures-executor)) = 0.3.31
+Provides: bundled(crate(futures-io)) = 0.3.31
+Provides: bundled(crate(futures-macro)) = 0.3.31
+Provides: bundled(crate(futures-sink)) = 0.3.31
+Provides: bundled(crate(futures-task)) = 0.3.31
+Provides: bundled(crate(futures-util)) = 0.3.31
+Provides: bundled(crate(generic-array)) = 0.14.7
+Provides: bundled(crate(getrandom)) = 0.2.17
+Provides: bundled(crate(getrandom)) = 0.3.4
+Provides: bundled(crate(getrandom)) = 0.4.1
+Provides: bundled(crate(glob)) = 0.3.3
+Provides: bundled(crate(h2)) = 0.3.27
+Provides: bundled(crate(hashbrown)) = 0.16.1
+Provides: bundled(crate(heck)) = 0.5.0
 Provides: bundled(crate(hex)) = 0.4.3
+Provides: bundled(crate(home)) = 0.5.12
 Provides: bundled(crate(hostname-validator)) = 1.1.1
-Provides: bundled(crate(http)) = 0.2.8
-Provides: bundled(crate(http-body)) = 0.4.5
-Provides: bundled(crate(httparse)) = 1.8.0
-Provides: bundled(crate(httpdate)) = 1.0.2
-Provides: bundled(crate(humantime)) = 1.3.0
-Provides: bundled(crate(hyper)) = 0.14.20
-Provides: bundled(crate(idna)) = 0.3.0
-Provides: bundled(crate(indexmap)) = 1.9.1
-Provides: bundled(crate(io-lifetimes)) = 1.0.10
-Provides: bundled(crate(ipnet)) = 2.5.0
-Provides: bundled(crate(is-terminal)) = 0.4.7
-Provides: bundled(crate(itoa)) = 1.0.3
-Provides: bundled(crate(keylime)) = 0.2.2
-Provides: bundled(crate(keylime_agent)) = 0.2.2
-Provides: bundled(crate(keylime_ima_emulator)) = 0.2.2
+Provides: bundled(crate(http)) = 0.2.12
+Provides: bundled(crate(http-body)) = 0.4.6
+Provides: bundled(crate(httparse)) = 1.10.1
+Provides: bundled(crate(httpdate)) = 1.0.3
+Provides: bundled(crate(humantime)) = 2.3.0
+Provides: bundled(crate(hyper)) = 0.14.32
+Provides: bundled(crate(icu_collections)) = 2.1.1
+Provides: bundled(crate(icu_locale_core)) = 2.1.1
+Provides: bundled(crate(icu_normalizer)) = 2.1.1
+Provides: bundled(crate(icu_normalizer_data)) = 2.1.1
+Provides: bundled(crate(icu_properties)) = 2.1.2
+Provides: bundled(crate(icu_properties_data)) = 2.1.2
+Provides: bundled(crate(icu_provider)) = 2.1.1
+Provides: bundled(crate(idna)) = 1.1.0
+Provides: bundled(crate(idna_adapter)) = 1.2.1
+Provides: bundled(crate(impl-more)) = 0.1.9
+Provides: bundled(crate(indexmap)) = 2.13.0
+Provides: bundled(crate(ipnet)) = 2.11.0
+Provides: bundled(crate(is-terminal)) = 0.4.17
+Provides: bundled(crate(is_terminal_polyfill)) = 1.70.2
+Provides: bundled(crate(itoa)) = 1.0.17
 Provides: bundled(crate(language-tags)) = 0.3.2
-Provides: bundled(crate(lazy_static)) = 1.4.0
+Provides: bundled(crate(lazy_static)) = 1.5.0
 Provides: bundled(crate(lazycell)) = 1.3.0
-Provides: bundled(crate(libc)) = 0.2.147
-Provides: bundled(crate(libloading)) = 0.7.3
-Provides: bundled(crate(linux-raw-sys)) = 0.3.1
-Provides: bundled(crate(local-channel)) = 0.1.3
-Provides: bundled(crate(local-waker)) = 0.1.3
-Provides: bundled(crate(lock_api)) = 0.4.9
-Provides: bundled(crate(log)) = 0.4.17
-Provides: bundled(crate(mbox)) = 0.6.0
-Provides: bundled(crate(memchr)) = 2.5.0
-Provides: bundled(crate(mime)) = 0.3.16
+Provides: bundled(crate(libc)) = 0.2.181
+Provides: bundled(crate(libloading)) = 0.8.9
+Provides: bundled(crate(linux-raw-sys)) = 0.4.15
+Provides: bundled(crate(linux-raw-sys)) = 0.11.0
+Provides: bundled(crate(litemap)) = 0.8.1
+Provides: bundled(crate(local-waker)) = 0.1.4
+Provides: bundled(crate(lock_api)) = 0.4.14
+Provides: bundled(crate(log)) = 0.4.29
+Provides: bundled(crate(mbox)) = 0.7.1
+Provides: bundled(crate(memchr)) = 2.8.0
+Provides: bundled(crate(mime)) = 0.3.17
 Provides: bundled(crate(minimal-lexical)) = 0.2.1
-Provides: bundled(crate(mio)) = 0.8.4
-Provides: bundled(crate(nom)) = 7.1.1
-Provides: bundled(crate(num-derive)) = 0.3.3
-Provides: bundled(crate(num-traits)) = 0.2.15
-Provides: bundled(crate(num_cpus)) = 1.13.1
-Provides: bundled(crate(num_threads)) = 0.1.6
+Provides: bundled(crate(mio)) = 1.1.1
+Provides: bundled(crate(nom)) = 7.1.3
+Provides: bundled(crate(num-conv)) = 0.2.0
+Provides: bundled(crate(num-derive)) = 0.4.2
+Provides: bundled(crate(num-traits)) = 0.2.19
 Provides: bundled(crate(oid)) = 0.2.1
-Provides: bundled(crate(once_cell)) = 1.15.0
-Provides: bundled(crate(openssl)) = 0.10.70
+Provides: bundled(crate(once_cell)) = 1.21.3
+Provides: bundled(crate(openssl)) = 0.10.75
 Provides: bundled(crate(openssl-macros)) = 0.1.1
-Provides: bundled(crate(openssl-sys)) = 0.9.105
-Provides: bundled(crate(parking_lot)) = 0.12.1
-Provides: bundled(crate(parking_lot_core)) = 0.9.3
-Provides: bundled(crate(paste)) = 1.0.9
-Provides: bundled(crate(pathdiff)) = 0.2.1
+Provides: bundled(crate(openssl-sys)) = 0.9.111
+Provides: bundled(crate(parking_lot)) = 0.12.5
+Provides: bundled(crate(parking_lot_core)) = 0.9.12
+Provides: bundled(crate(pathdiff)) = 0.2.3
 Provides: bundled(crate(peeking_take_while)) = 0.1.2
-Provides: bundled(crate(percent-encoding)) = 2.2.0
-Provides: bundled(crate(pest)) = 2.7.0
-Provides: bundled(crate(pest_derive)) = 2.7.0
-Provides: bundled(crate(pest_generator)) = 2.7.0
-Provides: bundled(crate(pest_meta)) = 2.7.0
-Provides: bundled(crate(picky-asn1)) = 0.3.3
-Provides: bundled(crate(picky-asn1)) = 0.5.0
-Provides: bundled(crate(picky-asn1-der)) = 0.2.5
-Provides: bundled(crate(picky-asn1-der)) = 0.3.1
-Provides: bundled(crate(picky-asn1-x509)) = 0.6.1
-Provides: bundled(crate(pin-project-lite)) = 0.2.9
+Provides: bundled(crate(percent-encoding)) = 2.3.2
+Provides: bundled(crate(pest)) = 2.8.6
+Provides: bundled(crate(pest_derive)) = 2.8.6
+Provides: bundled(crate(pest_generator)) = 2.8.6
+Provides: bundled(crate(pest_meta)) = 2.8.6
+Provides: bundled(crate(picky-asn1)) = 0.8.0
+Provides: bundled(crate(picky-asn1-der)) = 0.4.1
+Provides: bundled(crate(picky-asn1-x509)) = 0.12.0
+Provides: bundled(crate(pin-project-lite)) = 0.2.16
 Provides: bundled(crate(pin-utils)) = 0.1.0
-Provides: bundled(crate(pkg-config)) = 0.3.25
-Provides: bundled(crate(ppv-lite86)) = 0.2.16
-Provides: bundled(crate(pretty_env_logger)) = 0.4.0
-Provides: bundled(crate(proc-macro2)) = 1.0.64
-Provides: bundled(crate(quick-error)) = 1.2.3
-Provides: bundled(crate(quote)) = 1.0.29
-Provides: bundled(crate(rand)) = 0.8.5
-Provides: bundled(crate(rand_chacha)) = 0.3.1
-Provides: bundled(crate(rand_core)) = 0.6.4
-Provides: bundled(crate(regex)) = 1.6.0
-Provides: bundled(crate(regex-syntax)) = 0.6.27
-Provides: bundled(crate(reqwest)) = 0.11.16
+Provides: bundled(crate(pkg-config)) = 0.3.32
+Provides: bundled(crate(potential_utf)) = 0.1.4
+Provides: bundled(crate(powerfmt)) = 0.2.0
+Provides: bundled(crate(pretty_env_logger)) = 0.5.0
+Provides: bundled(crate(prettyplease)) = 0.2.37
+Provides: bundled(crate(proc-macro2)) = 1.0.106
+Provides: bundled(crate(quote)) = 1.0.44
+Provides: bundled(crate(regex)) = 1.12.3
+Provides: bundled(crate(regex-automata)) = 0.4.14
+Provides: bundled(crate(regex-lite)) = 0.1.9
+Provides: bundled(crate(regex-syntax)) = 0.8.9
+Provides: bundled(crate(reqwest)) = 0.11.27
 Provides: bundled(crate(rustc-hash)) = 1.1.0
-Provides: bundled(crate(rustc_version)) = 0.3.3
-Provides: bundled(crate(rustc_version)) = 0.4.0
-Provides: bundled(crate(rustix)) = 0.37.11
-Provides: bundled(crate(ryu)) = 1.0.11
-Provides: bundled(crate(scopeguard)) = 1.1.0
-Provides: bundled(crate(semver)) = 0.11.0
-Provides: bundled(crate(semver)) = 1.0.14
-Provides: bundled(crate(semver-parser)) = 0.10.2
-Provides: bundled(crate(serde)) = 1.0.166
-Provides: bundled(crate(serde_bytes)) = 0.11.7
-Provides: bundled(crate(serde_derive)) = 1.0.166
-Provides: bundled(crate(serde_json)) = 1.0.96
+Provides: bundled(crate(rustc_version)) = 0.4.1
+Provides: bundled(crate(rustix)) = 0.38.44
+Provides: bundled(crate(rustix)) = 1.1.3
+Provides: bundled(crate(ryu)) = 1.0.23
+Provides: bundled(crate(scopeguard)) = 1.2.0
+Provides: bundled(crate(semver)) = 1.0.27
+Provides: bundled(crate(serde)) = 1.0.228
+Provides: bundled(crate(serde_bytes)) = 0.11.19
+Provides: bundled(crate(serde_core)) = 1.0.228
+Provides: bundled(crate(serde_derive)) = 1.0.228
+Provides: bundled(crate(serde_json)) = 1.0.149
 Provides: bundled(crate(serde_urlencoded)) = 0.7.1
-Provides: bundled(crate(sha1)) = 0.10.5
-Provides: bundled(crate(sha2)) = 0.10.6
-Provides: bundled(crate(shlex)) = 1.1.0
-Provides: bundled(crate(signal-hook)) = 0.3.15
-Provides: bundled(crate(signal-hook-registry)) = 1.4.0
-Provides: bundled(crate(slab)) = 0.4.7
-Provides: bundled(crate(smallvec)) = 1.9.0
-Provides: bundled(crate(socket2)) = 0.4.9
-Provides: bundled(crate(stable_deref_trait)) = 1.2.0
+Provides: bundled(crate(sha2)) = 0.10.9
+Provides: bundled(crate(shlex)) = 1.3.0
+Provides: bundled(crate(signal-hook)) = 0.3.18
+Provides: bundled(crate(signal-hook-registry)) = 1.4.8
+Provides: bundled(crate(slab)) = 0.4.12
+Provides: bundled(crate(smallvec)) = 1.15.1
+Provides: bundled(crate(socket2)) = 0.5.10
+Provides: bundled(crate(socket2)) = 0.6.2
+Provides: bundled(crate(stable_deref_trait)) = 1.2.1
 Provides: bundled(crate(static_assertions)) = 1.1.0
-Provides: bundled(crate(strsim)) = 0.10.0
-Provides: bundled(crate(syn)) = 1.0.100
-Provides: bundled(crate(syn)) = 2.0.25
-Provides: bundled(crate(synstructure)) = 0.12.6
-Provides: bundled(crate(target-lexicon)) = 0.12.4
-Provides: bundled(crate(tempfile)) = 3.6.0
-Provides: bundled(crate(termcolor)) = 1.1.3
-Provides: bundled(crate(thiserror)) = 1.0.40
-Provides: bundled(crate(thiserror-impl)) = 1.0.40
-Provides: bundled(crate(time)) = 0.3.14
-Provides: bundled(crate(tinyvec)) = 1.6.0
-Provides: bundled(crate(tinyvec_macros)) = 0.1.0
-Provides: bundled(crate(tokio)) = 1.28.2
-Provides: bundled(crate(tokio-macros)) = 2.1.0
-Provides: bundled(crate(tokio-openssl)) = 0.6.3
-Provides: bundled(crate(tokio-util)) = 0.7.4
-Provides: bundled(crate(toml)) = 0.5.9
-Provides: bundled(crate(tower-service)) = 0.3.2
-Provides: bundled(crate(tracing)) = 0.1.36
-Provides: bundled(crate(tracing-core)) = 0.1.29
-Provides: bundled(crate(try-lock)) = 0.2.3
-Provides: bundled(crate(tss-esapi)) = 7.2.0
-Provides: bundled(crate(tss-esapi-sys)) = 0.4.0
-Provides: bundled(crate(typenum)) = 1.15.0
-Provides: bundled(crate(ucd-trie)) = 0.1.5
-Provides: bundled(crate(unicode-bidi)) = 0.3.8
-Provides: bundled(crate(unicode-ident)) = 1.0.4
-Provides: bundled(crate(unicode-normalization)) = 0.1.22
-Provides: bundled(crate(unicode-xid)) = 0.2.4
-Provides: bundled(crate(url)) = 2.3.1
-Provides: bundled(crate(utf8parse)) = 0.2.1
-Provides: bundled(crate(uuid)) = 1.3.1
+Provides: bundled(crate(strsim)) = 0.11.1
+Provides: bundled(crate(syn)) = 2.0.114
+Provides: bundled(crate(sync_wrapper)) = 0.1.2
+Provides: bundled(crate(synstructure)) = 0.13.2
+Provides: bundled(crate(target-lexicon)) = 0.12.16
+Provides: bundled(crate(tempfile)) = 3.25.0
+Provides: bundled(crate(termcolor)) = 1.4.1
+Provides: bundled(crate(thiserror)) = 1.0.69
+Provides: bundled(crate(thiserror-impl)) = 1.0.69
+Provides: bundled(crate(time)) = 0.3.47
+Provides: bundled(crate(time-core)) = 0.1.8
+Provides: bundled(crate(time-macros)) = 0.2.27
+Provides: bundled(crate(tinystr)) = 0.8.2
+Provides: bundled(crate(tokio)) = 1.49.0
+Provides: bundled(crate(tokio-macros)) = 2.6.0
+Provides: bundled(crate(tokio-openssl)) = 0.6.5
+Provides: bundled(crate(tokio-util)) = 0.7.18
+Provides: bundled(crate(toml)) = 0.5.11
+Provides: bundled(crate(tower-service)) = 0.3.3
+Provides: bundled(crate(tracing)) = 0.1.44
+Provides: bundled(crate(tracing-attributes)) = 0.1.31
+Provides: bundled(crate(tracing-core)) = 0.1.36
+Provides: bundled(crate(try-lock)) = 0.2.5
+Provides: bundled(crate(tss-esapi)) = 7.6.0
+Provides: bundled(crate(tss-esapi-sys)) = 0.5.0
+Provides: bundled(crate(typenum)) = 1.19.0
+Provides: bundled(crate(ucd-trie)) = 0.1.7
+Provides: bundled(crate(unicode-ident)) = 1.0.23
+Provides: bundled(crate(unicode-segmentation)) = 1.12.0
+Provides: bundled(crate(unicode-xid)) = 0.2.6
+Provides: bundled(crate(url)) = 2.5.8
+Provides: bundled(crate(utf8_iter)) = 1.0.4
+Provides: bundled(crate(utf8parse)) = 0.2.2
+Provides: bundled(crate(uuid)) = 1.20.0
 Provides: bundled(crate(vcpkg)) = 0.2.15
-Provides: bundled(crate(version_check)) = 0.9.4
-Provides: bundled(crate(want)) = 0.3.0
-Provides: bundled(crate(which)) = 4.3.0
-Provides: bundled(crate(zeroize)) = 1.5.7
-Provides: bundled(crate(zeroize_derive)) = 1.3.2
+Provides: bundled(crate(version_check)) = 0.9.5
+Provides: bundled(crate(want)) = 0.3.1
+Provides: bundled(crate(which)) = 4.4.2
+Provides: bundled(crate(writeable)) = 0.6.2
+Provides: bundled(crate(yoke)) = 0.8.1
+Provides: bundled(crate(yoke-derive)) = 0.8.1
+Provides: bundled(crate(zerofrom)) = 0.1.6
+Provides: bundled(crate(zerofrom-derive)) = 0.1.6
+Provides: bundled(crate(zeroize)) = 1.8.2
+Provides: bundled(crate(zeroize_derive)) = 1.4.3
+Provides: bundled(crate(zerotrie)) = 0.2.3
+Provides: bundled(crate(zerovec)) = 0.11.5
+Provides: bundled(crate(zerovec-derive)) = 0.11.2
+Provides: bundled(crate(zmij)) = 1.0.20

 %description
 Rust agent for Keylime

 %prep
-%autosetup -N -n rust-keylime-%{version}
+%autosetup -S git -N -n rust-keylime-%{version} -a1
 %cargo_prep -V 1
 %autopatch -p1

@ -358,6 +396,10 @@ chown -R keylime:keylime %{_sysconfdir}/keylime
 %endif

 %changelog
+* Wed Feb 11 2026 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.2.2-5
+- Enable attestation with TPM ECC keys
+  Resolves: RHEL-118148
+
 * Tue Feb 03 2026 Sergio Correia <scorreia@redhat.com> - 0.2.2-4
 - Remove /usr/libexec/keylime/
  Resolves: RHEL-145712
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-SHA512 (rust-keylime-0.2.2-vendor.tar.xz) = 003d4562291f2aa209f17bcc4e1b72a181ec02e474aa7cae8d525d1ece38aa353326c53612123fd060214bc61198feaa0f3c4d355c633987d276108e32e7a265
 SHA512 (v0.2.2.tar.gz) = d83dbece1e850383fe98dec7ab2c473cdad46193d0f31eba25ae0a75928df94ee00fa8ee656806f356fcccbc36a5b6f417c1029a1f6a3a0974186197826eb4cc
+SHA512 (rust-keylime-0.2.2-vendor.tar.xz) = 57cc1d03cd7abc5d1ecafee08cb08b27e40463257360fe4f780774ad24fa372dcb376d48ab0091775734170c1eeb6d7866fbf5cc16e17a3d1a3099c572df1130