diff --git a/rust-keylime-adjust-features.patch b/0001-rust-keylime-adjust-features.patch
similarity index 100%
rename from rust-keylime-adjust-features.patch
rename to 0001-rust-keylime-adjust-features.patch
diff --git a/rust-keylime-openssl-0.10.70.patch b/0002-rust-keylime-openssl-0.10.70.patch
similarity index 100%
rename from rust-keylime-openssl-0.10.70.patch
rename to 0002-rust-keylime-openssl-0.10.70.patch
diff --git a/rust-keylime-fix-unnecessary-qualifications.patch b/0003-rust-keylime-fix-unnecessary-qualifications.patch
similarity index 100%
rename from rust-keylime-fix-unnecessary-qualifications.patch
rename to 0003-rust-keylime-fix-unnecessary-qualifications.patch
diff --git a/0004-rust-keylime-bump-tss-esapi-from-7.2.0-to-7.6.0.patch b/0004-rust-keylime-bump-tss-esapi-from-7.2.0-to-7.6.0.patch
new file mode 100644
index 0000000..643eda9
--- /dev/null
+++ b/0004-rust-keylime-bump-tss-esapi-from-7.2.0-to-7.6.0.patch
@@ -0,0 +1,62 @@
+From 203caa94c6d899dc71845a3cdccebd20b226d3af Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki
+Date: Fri, 6 Feb 2026 17:58:24 +0100
+Subject: [PATCH 4/7] Bump tss-esapi from 7.2.0 to 7.6.0
+
+The tss-esapi 7.6.0 provides the create_ek_object_2 and create_ak_2
+APIs (from rust-tss-esapi PR #546) that accept
+AsymmetricAlgorithmSelection with key size/curve info, which is
+required for ECC key support.
+
+Also bump picky-asn1-der from 0.3.1 to 0.4 and picky-asn1-x509 from
+0.6.1 to 0.12 to match the versions required by tss-esapi 7.6.0.
+
+Backported from upstream commits:
+- https://github.com/keylime/rust-keylime/commit/b5c863e
+- https://github.com/keylime/rust-keylime/commit/17202c6
+
+---
+ keylime-agent/Cargo.toml | 6 +++---
+ keylime/Cargo.toml | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/keylime-agent/Cargo.toml b/keylime-agent/Cargo.toml
+index db6cec7..522be45 100644
+--- a/keylime-agent/Cargo.toml
++++ b/keylime-agent/Cargo.toml
+@@ -21,8 +21,8 @@ keylime = { path = "../keylime" }
+ libc = "0.2.43"
+ log = "0.4"
+ openssl = "0.10.15"
+-picky-asn1-der = "0.3.1"
+-picky-asn1-x509 = "0.6.1"
++picky-asn1-der = "0.4"
++picky-asn1-x509 = "0.12"
+ pretty_env_logger = "0.4"
+ reqwest = {version = "0.11", default-features = false, features = ["json"]}
+ serde = "1.0.80"
+@@ -31,7 +31,7 @@ serde_json = { version = "1.0", features = ["raw_value"] }
+ static_assertions = "1"
+ tempfile = "3.4.0"
+ tokio = {version = "1.24", features = ["rt", "sync", "macros"]}
+-tss-esapi = {version = "7.2.0", features = ["generate-bindings"]}
++tss-esapi = {version = "7.6.0", features = ["generate-bindings"]}
+ thiserror = "1.0"
+ uuid = {version = "1.3", features = ["v4"]}
+
+diff --git a/keylime/Cargo.toml b/keylime/Cargo.toml
+index 61ad8b7..ddba447 100644
+--- a/keylime/Cargo.toml
++++ b/keylime/Cargo.toml
+@@ -16,7 +16,7 @@ serde = "1.0.80"
+ serde_derive = "1.0.80"
+ static_assertions = "1"
+ thiserror = "1.0"
+-tss-esapi = {version = "7.2.0", features = ["generate-bindings"]}
++tss-esapi = {version = "7.6.0", features = ["generate-bindings"]}
+
+ [dev-dependencies]
+ tempfile = "3.0.4"
+--
+2.52.0
+
diff --git a/0005-rust-keylime-enable-non-standard-key-sizes-and-curve.patch b/0005-rust-keylime-enable-non-standard-key-sizes-and-curve.patch
new file mode 100644
index 0000000..4e80b9a
--- /dev/null
+++ b/0005-rust-keylime-enable-non-standard-key-sizes-and-curve.patch
@@ -0,0 +1,179 @@
+From 9ba0459fab8852e073351614133cffdd7343fe94 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki
+Date: Fri, 6 Feb 2026 17:58:35 +0100
+Subject: [PATCH 5/7] Enable non-standard key sizes and curves for
+ EncryptionAlgorithm
+
+Replace the simple Rsa/Ecc variants with specific key sizes and curves:
+- RSA: Rsa1024, Rsa2048, Rsa3072, Rsa4096
+- ECC: Ecc192, Ecc224, Ecc256, Ecc384, Ecc521, EccSm2
+
+Add From for AsymmetricAlgorithmSelection to
+support the tss-esapi 7.6.0 create_ek_object_2 and create_ak_2 APIs.
+
+For backwards compatibility, "rsa" maps to Rsa2048 and "ecc" maps to
+Ecc256 in both parsing and display.
+
+Backported from upstream commit:
+- https://github.com/keylime/rust-keylime/commit/2c73a2a
+
+---
+ keylime/src/algorithms.rs | 109 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 99 insertions(+), 10 deletions(-)
+
+diff --git a/keylime/src/algorithms.rs b/keylime/src/algorithms.rs
+index c077466..fc35006 100644
+--- a/keylime/src/algorithms.rs
++++ b/keylime/src/algorithms.rs
+@@ -6,8 +6,13 @@ use std::convert::TryFrom;
+ use std::fmt;
+ use thiserror::Error;
+ use tss_esapi::{
+- interface_types::algorithm::{
+- AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm,
++ abstraction::AsymmetricAlgorithmSelection,
++ interface_types::{
++ algorithm::{
++ AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm,
++ },
++ ecc::EccCurve,
++ key_bits::RsaKeyBits,
+ },
+ structures::{HashScheme, SignatureScheme},
+ };
+@@ -87,15 +92,68 @@ impl From for MessageDigest {
+
+ #[derive(Copy, Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
+ pub enum EncryptionAlgorithm {
+- Rsa,
+- Ecc,
++ Rsa1024,
++ Rsa2048,
++ Rsa3072,
++ Rsa4096,
++ Ecc192,
++ Ecc224,
++ Ecc256,
++ Ecc384,
++ Ecc521,
++ EccSm2,
+ }
+
+ impl From for AsymmetricAlgorithm {
+ fn from(enc_alg: EncryptionAlgorithm) -> Self {
+ match enc_alg {
+- EncryptionAlgorithm::Rsa => AsymmetricAlgorithm::Rsa,
+- EncryptionAlgorithm::Ecc => AsymmetricAlgorithm::Ecc,
++ EncryptionAlgorithm::Rsa1024
++ | EncryptionAlgorithm::Rsa2048
++ | EncryptionAlgorithm::Rsa3072
++ | EncryptionAlgorithm::Rsa4096 => AsymmetricAlgorithm::Rsa,
++ EncryptionAlgorithm::Ecc192
++ | EncryptionAlgorithm::Ecc224
++ | EncryptionAlgorithm::Ecc256
++ | EncryptionAlgorithm::Ecc384
++ | EncryptionAlgorithm::Ecc521
++ | EncryptionAlgorithm::EccSm2 => AsymmetricAlgorithm::Ecc,
++ }
++ }
++}
++
++impl From for AsymmetricAlgorithmSelection {
++ fn from(enc_alg: EncryptionAlgorithm) -> Self {
++ match enc_alg {
++ EncryptionAlgorithm::Rsa1024 => {
++ AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa1024)
++ }
++ EncryptionAlgorithm::Rsa2048 => {
++ AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048)
++ }
++ EncryptionAlgorithm::Rsa3072 => {
++ AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa3072)
++ }
++ EncryptionAlgorithm::Rsa4096 => {
++ AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa4096)
++ }
++ EncryptionAlgorithm::Ecc192 => {
++ AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP192)
++ }
++ EncryptionAlgorithm::Ecc224 => {
++ AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP224)
++ }
++ EncryptionAlgorithm::Ecc256 => {
++ AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256)
++ }
++ EncryptionAlgorithm::Ecc384 => {
++ AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384)
++ }
++ EncryptionAlgorithm::Ecc521 => {
++ AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP521)
++ }
++ EncryptionAlgorithm::EccSm2 => {
++ AsymmetricAlgorithmSelection::Ecc(EccCurve::Sm2P256)
++ }
+ }
+ }
+ }
+@@ -105,8 +163,18 @@ impl TryFrom<&str> for EncryptionAlgorithm {
+
+ fn try_from(value: &str) -> Result {
+ match value {
+- "rsa" => Ok(EncryptionAlgorithm::Rsa),
+- "ecc" => Ok(EncryptionAlgorithm::Ecc),
++ "rsa" | "rsa2048" => Ok(EncryptionAlgorithm::Rsa2048),
++ "rsa1024" => Ok(EncryptionAlgorithm::Rsa1024),
++ "rsa3072" => Ok(EncryptionAlgorithm::Rsa3072),
++ "rsa4096" => Ok(EncryptionAlgorithm::Rsa4096),
++ "ecc" | "ecc256" | "ecc_nist_p256" => {
++ Ok(EncryptionAlgorithm::Ecc256)
++ }
++ "ecc192" | "ecc_nist_p192" => Ok(EncryptionAlgorithm::Ecc192),
++ "ecc224" | "ecc_nist_p224" => Ok(EncryptionAlgorithm::Ecc224),
++ "ecc384" | "ecc_nist_p384" => Ok(EncryptionAlgorithm::Ecc384),
++ "ecc521" | "ecc_nist_p521" => Ok(EncryptionAlgorithm::Ecc521),
++ "ecc_sm2" | "ecc_sm2_p256" => Ok(EncryptionAlgorithm::EccSm2),
+ _ => Err(AlgorithmError::Encrypt(format!(
+ "Encryption algorithm {value} not supported by Keylime"
+ ))),
+@@ -117,8 +185,16 @@ impl TryFrom<&str> for EncryptionAlgorithm {
+ impl fmt::Display for EncryptionAlgorithm {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ let value = match self {
+- EncryptionAlgorithm::Rsa => "rsa",
+- EncryptionAlgorithm::Ecc => "ecc",
++ EncryptionAlgorithm::Rsa2048 => "rsa",
++ EncryptionAlgorithm::Rsa1024 => "rsa1024",
++ EncryptionAlgorithm::Rsa3072 => "rsa3072",
++ EncryptionAlgorithm::Rsa4096 => "rsa4096",
++ EncryptionAlgorithm::Ecc256 => "ecc",
++ EncryptionAlgorithm::Ecc192 => "ecc192",
++ EncryptionAlgorithm::Ecc224 => "ecc224",
++ EncryptionAlgorithm::Ecc384 => "ecc384",
++ EncryptionAlgorithm::Ecc521 => "ecc521",
++ EncryptionAlgorithm::EccSm2 => "ecc_sm2",
+ };
+ write!(f, "{value}")
+ }
+@@ -205,6 +281,19 @@ mod tests {
+ fn test_encrypt_try_from() {
+ let result = EncryptionAlgorithm::try_from("rsa");
+ assert!(result.is_ok());
++ assert_eq!(result.unwrap(), EncryptionAlgorithm::Rsa2048); //#[allow_ci]
++
++ let result = EncryptionAlgorithm::try_from("ecc");
++ assert!(result.is_ok());
++ assert_eq!(result.unwrap(), EncryptionAlgorithm::Ecc256); //#[allow_ci]
++
++ let result = EncryptionAlgorithm::try_from("rsa4096");
++ assert!(result.is_ok());
++ assert_eq!(result.unwrap(), EncryptionAlgorithm::Rsa4096); //#[allow_ci]
++
++ let result = EncryptionAlgorithm::try_from("ecc384");
++ assert!(result.is_ok());
++ assert_eq!(result.unwrap(), EncryptionAlgorithm::Ecc384); //#[allow_ci]
+ }
+ #[test]
+ fn test_sign_tryfrom() {
+--
+2.52.0
+
diff --git a/0006-rust-keylime-update-TPM-functions-for-ECC-support.patch b/0006-rust-keylime-update-TPM-functions-for-ECC-support.patch
new file mode 100644
index 0000000..ae13bb7
--- /dev/null
+++ b/0006-rust-keylime-update-TPM-functions-for-ECC-support.patch
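Review bot: The new `TryFrom<&str>` arms accept `"rsa1024"` and `"ecc192"` and the new `From` impl maps them straight to `RsaKeyBits::Rsa1024` and `EccCurve::NistP192`, so a configuration string can select EK/AK parameters below the 112-bit security strength that NIST SP 800-131A treats as the minimum. If these variants are kept only for legacy TPMs, say so in a doc comment on the enum, for example `/// Rsa1024 and Ecc192 are below 112-bit strength; accepted only for legacy TPM compatibility`, and log a warning where the option is parsed so the weaker choice is visible to operators. Separately, `Display` prints `Rsa2048` as `"rsa"` and `Ecc256` as `"ecc"`, while the added assertions in `test_encrypt_try_from` cover only four of the accepted strings; a loop over every variant asserting that `try_from(alg.to_string().as_str())` returns the same variant would pin the alias table. The enum's consumers are outside this hunk, so whether any of them rejects the weak sizes later is not visible here.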
@@ -0,0 +1,269 @@
+From d051c8e617f50c7200722ffb4e8d32b5a638f240 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki
+Date: Fri, 6 Feb 2026 01:00:00 +0100
+Subject: [PATCH 6/7] tpm: add policy auth for EK to activate crendential
+
+Backported from upstream commit:
+- https://github.com/keylime/rust-keylime/commit/af32aa2
+
+---
+ keylime/src/tpm.rs | 168 +++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 140 insertions(+), 28 deletions(-)
+
+diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
+index 4b83e1f..9244b03 100644
+--- a/keylime/src/tpm.rs
++++ b/keylime/src/tpm.rs
+@@ -16,11 +16,9 @@ use openssl::{
+
+ use tss_esapi::{
+ abstraction::{
+- ak,
+- cipher::Cipher,
+- ek,
++ ak, ek,
+ pcr::{read_all, PcrData},
+- DefaultKey,
++ AsymmetricAlgorithmSelection, DefaultKey,
+ },
+ attributes::session::SessionAttributesBuilder,
+ constants::{
+@@ -30,12 +28,13 @@ use tss_esapi::{
+ AuthHandle, KeyHandle, PcrHandle, PersistentTpmHandle, TpmHandle,
+ },
+ interface_types::{
+- algorithm::HashingAlgorithm, session_handles::AuthSession,
++ algorithm::HashingAlgorithm,
++ session_handles::{AuthSession, PolicySession},
+ },
+ structures::{
+- Attest, AttestInfo, Digest, DigestValues, EncryptedSecret, IdObject,
+- PcrSelectionList, PcrSelectionListBuilder, PcrSlot, Signature,
+- SignatureScheme,
++ Attest, AttestInfo, Digest, DigestList, DigestValues,
++ EncryptedSecret, IdObject, PcrSelectionList, PcrSelectionListBuilder,
++ PcrSlot, Signature, SignatureScheme, SymmetricDefinition,
+ },
+ tcti_ldr::TctiNameConf,
+ traits::Marshall,
+@@ -49,6 +48,59 @@ const TPML_DIGEST_SIZE: usize = std::mem::size_of::();
+ const TPML_PCR_SELECTION_SIZE: usize =
+ std::mem::size_of::();
+
++// Policy digest constants from TCG EK Credential Profile for TPM Family 2.0
++// Level 0 Version 2.5 Revision 2, Section B.6
++
++// Policy A (PolicySecret(ENDORSEMENT)) for SHA-384
++const POLICY_A_SHA384: [u8; 48] = [
++ 0x8b, 0xbf, 0x22, 0x66, 0x53, 0x7c, 0x17, 0x1c, 0xb5, 0x6e, 0x40, 0x3c,
++ 0x4d, 0xc1, 0xd4, 0xb6, 0x4f, 0x43, 0x26, 0x11, 0xdc, 0x38, 0x6e, 0x6f,
++ 0x53, 0x20, 0x50, 0xc3, 0x27, 0x8c, 0x93, 0x0e, 0x14, 0x3e, 0x8b, 0xb1,
++ 0x13, 0x38, 0x24, 0xcc, 0xb4, 0x31, 0x05, 0x38, 0x71, 0xc6, 0xdb, 0x53,
++];
++
++// Policy A (PolicySecret(ENDORSEMENT)) for SHA-512
++const POLICY_A_SHA512: [u8; 64] = [
++ 0x1e, 0x3b, 0x76, 0x50, 0x2c, 0x8a, 0x14, 0x25, 0xaa, 0x0b, 0x7b, 0x3f,
++ 0xc6, 0x46, 0xa1, 0xb0, 0xfa, 0xe0, 0x63, 0xb0, 0x3b, 0x53, 0x68, 0xf9,
++ 0xc4, 0xcd, 0xde, 0xca, 0xff, 0x08, 0x91, 0xdd, 0x68, 0x2b, 0xac, 0x1a,
++ 0x85, 0xd4, 0xd8, 0x32, 0xb7, 0x81, 0xea, 0x45, 0x19, 0x15, 0xde, 0x5f,
++ 0xc5, 0xbf, 0x0d, 0xc4, 0xa1, 0x91, 0x7c, 0xd4, 0x2f, 0xa0, 0x41, 0xe3,
++ 0xf9, 0x98, 0xe0, 0xee,
++];
++
++// Policy A (PolicySecret(ENDORSEMENT)) for SM3-256
++const POLICY_A_SM3_256: [u8; 32] = [
++ 0xc6, 0x7f, 0x7d, 0x35, 0xf6, 0x6f, 0x3b, 0xec, 0x13, 0xc8, 0x9f, 0xe8,
++ 0x98, 0x92, 0x1c, 0x65, 0x1b, 0x0c, 0xb5, 0xa3, 0x8a, 0x92, 0x69, 0x0a,
++ 0x62, 0xa4, 0x3c, 0x00, 0x12, 0xe4, 0xfb, 0x8b,
++];
++
++// Policy C (PolicyOr(PolicyA, PolicyB)) for SHA-384
++const POLICY_C_SHA384: [u8; 48] = [
++ 0xd6, 0x03, 0x2c, 0xe6, 0x1f, 0x2f, 0xb3, 0xc2, 0x40, 0xeb, 0x3c, 0xf6,
++ 0xa3, 0x32, 0x37, 0xef, 0x2b, 0x6a, 0x16, 0xf4, 0x29, 0x3c, 0x22, 0xb4,
++ 0x55, 0xe2, 0x61, 0xcf, 0xfd, 0x21, 0x7a, 0xd5, 0xb4, 0x94, 0x7c, 0x2d,
++ 0x73, 0xe6, 0x30, 0x05, 0xee, 0xd2, 0xdc, 0x2b, 0x35, 0x93, 0xd1, 0x65,
++];
++
++// Policy C (PolicyOr(PolicyA, PolicyB)) for SHA-512
++const POLICY_C_SHA512: [u8; 64] = [
++ 0x58, 0x9e, 0xe1, 0xe1, 0x46, 0x54, 0x47, 0x16, 0xe8, 0xde, 0xaf, 0xe6,
++ 0xdb, 0x24, 0x7b, 0x01, 0xb8, 0x1e, 0x9f, 0x9c, 0x7d, 0xd1, 0x6b, 0x81,
++ 0x4a, 0xa1, 0x59, 0x13, 0x87, 0x49, 0x10, 0x5f, 0xba, 0x53, 0x88, 0xdd,
++ 0x1d, 0xea, 0x70, 0x2f, 0x35, 0x24, 0x0c, 0x18, 0x49, 0x33, 0x12, 0x1e,
++ 0x2c, 0x61, 0xb8, 0xf5, 0x0d, 0x3e, 0xf9, 0x13, 0x93, 0xa4, 0x9a, 0x38,
++ 0xc3, 0xf7, 0x3f, 0xc8,
++];
++
++// Policy C (PolicyOr(PolicyA, PolicyB)) for SM3-256
++const POLICY_C_SM3_256: [u8; 32] = [
++ 0x2d, 0x4e, 0x81, 0x57, 0x8c, 0x35, 0x31, 0xd9, 0xbd, 0x1c, 0xdd, 0x7d,
++ 0x02, 0xba, 0x29, 0x8d, 0x56, 0x99, 0xa3, 0xe3, 0x9f, 0xc3, 0x55, 0x1b,
++ 0xfe, 0xff, 0xcf, 0x13, 0x2b, 0x49, 0xe1, 0x1d,
++];
++
+ #[derive(Error, Debug)]
+ pub enum TpmError {
+ #[error("TSS2 Error: {err:?}, kind: {kind:?}, {message}")]
+@@ -153,9 +205,9 @@ impl Context {
+ let key_handle = match handle {
+ Some(v) => {
+ if v.is_empty() {
+- ek::create_ek_object(
++ ek::create_ek_object_2(
+ &mut self.inner,
+- alg.into(),
++ Into::::into(alg),
+ DefaultKey,
+ )?
+ } else {
+@@ -168,12 +220,16 @@ impl Context {
+ .into()
+ }
+ }
+- None => {
+- ek::create_ek_object(&mut self.inner, alg.into(), DefaultKey)?
+- }
++ None => ek::create_ek_object_2(
++ &mut self.inner,
++ Into::::into(alg),
++ DefaultKey,
++ )?,
+ };
+- let cert = match ek::retrieve_ek_pubcert(&mut self.inner, alg.into())
+- {
++ let cert = match ek::retrieve_ek_pubcert(
++ &mut self.inner,
++ Into::::into(alg),
++ ) {
+ Ok(v) => Some(v),
+ Err(_) => {
+ warn!("No EK certificate found in TPM NVRAM");
+@@ -194,11 +250,13 @@ impl Context {
+ handle: KeyHandle,
+ hash_alg: HashAlgorithm,
+ sign_alg: SignAlgorithm,
++ key_alg: EncryptionAlgorithm,
+ ) -> Result {
+- let ak = ak::create_ak(
++ let ak = ak::create_ak_2(
+ &mut self.inner,
+ handle,
+ hash_alg.into(),
++ Into::::into(key_alg),
+ sign_alg.into(),
+ None,
+ DefaultKey,
+@@ -228,14 +286,16 @@ impl Context {
+ fn create_empty_session(
+ &mut self,
+ ses_type: SessionType,
++ symmetric: SymmetricDefinition,
++ hash_alg: HashingAlgorithm,
+ ) -> Result {
+ let session = self.inner.start_auth_session(
+ None,
+ None,
+ None,
+ ses_type,
+- Cipher::aes_128_cfb().try_into()?,
+- HashingAlgorithm::Sha256,
++ symmetric,
++ hash_alg,
+ )?;
+ let (ses_attrs, ses_attrs_mask) = SessionAttributesBuilder::new()
+ .with_encrypt(true)
+@@ -258,12 +318,49 @@ impl Context {
+ ) -> Result {
+ let (credential, secret) = parse_cred_and_secret(keyblob)?;
+
+- let ek_auth = self.create_empty_session(SessionType::Policy)?;
++ // Read EK public info to determine hash and symmetric algorithms
++ let (ek_public, _, _) = self.inner.read_public(ek)?;
++ let ek_hash_alg = ek_public.name_hashing_algorithm();
++ let ek_symmetric: SymmetricDefinition = ek_public
++ .symmetric_algorithm()
++ .map(Into::into)
++ .unwrap_or(SymmetricDefinition::AES_128_CFB); //#[allow_ci]
++
++ // Build policy digests for PolicyOr (needed for ECC EKs and
++ // non-default hash algorithms)
++ let mut policy_digests = DigestList::new();
++ match ek_hash_alg {
++ HashingAlgorithm::Sha384 => {
++ policy_digests
++ .add(Digest::try_from(POLICY_A_SHA384.as_slice())?)?;
++ policy_digests
++ .add(Digest::try_from(POLICY_C_SHA384.as_slice())?)?;
++ }
++ HashingAlgorithm::Sha512 => {
++ policy_digests
++ .add(Digest::try_from(POLICY_A_SHA512.as_slice())?)?;
++ policy_digests
++ .add(Digest::try_from(POLICY_C_SHA512.as_slice())?)?;
++ }
++ HashingAlgorithm::Sm3_256 => {
++ policy_digests
++ .add(Digest::try_from(POLICY_A_SM3_256.as_slice())?)?;
++ policy_digests
++ .add(Digest::try_from(POLICY_C_SM3_256.as_slice())?)?;
++ }
++ _ => {}
++ }
++
++ let ek_auth = self.create_empty_session(
++ SessionType::Policy,
++ ek_symmetric,
++ ek_hash_alg,
++ )?;
+
+ // We authorize ses2 with PolicySecret(ENDORSEMENT) as per PolicyA
+ let _ = self.inner.execute_with_nullauth_session(|context| {
+ context.policy_secret(
+- ek_auth.try_into()?,
++ PolicySession::try_from(ek_auth)?,
+ AuthHandle::Endorsement,
+ Default::default(),
+ Default::default(),
+@@ -272,14 +369,29 @@ impl Context {
+ )
+ })?;
+
+- self.inner
+- .execute_with_sessions(
+- (Some(AuthSession::Password), Some(ek_auth), None),
+- |context| {
+- context.activate_credential(ak, ek, credential, secret)
+- },
+- )
+- .map_err(TpmError::from)
++ // Apply PolicyOr if needed (for ECC EKs and non-default hash algs)
++ // PolicyOR does not require authorization; use
++ // execute_without_session to ensure no extra sessions with
++ // encrypt/decrypt attributes are passed to Esys_PolicyOR.
++ if !policy_digests.is_empty() {
++ self.inner.execute_without_session(|ctx| {
++ ctx.policy_or(
++ PolicySession::try_from(ek_auth)?,
++ policy_digests.clone(),
++ )
++ })?;
++ }
++
++ let result = self.inner.execute_with_sessions(
++ (Some(AuthSession::Password), Some(ek_auth), None),
++ |context| {
++ context.activate_credential(ak, ek, credential, secret)
++ },
++ )?;
++
++ self.inner.clear_sessions();
++
++ Ok(result)
+ }
+
+ // This function extends Pcr16 with the digest, then creates a PcrList
+--
+2.52.0
+
diff --git a/0007-rust-keylime-pass-encryption-algorithm-to-create_ak.patch b/0007-rust-keylime-pass-encryption-algorithm-to-create_ak.patch
new file mode 100644
index 0000000..88d6f6a
--- /dev/null
+++ b/0007-rust-keylime-pass-encryption-algorithm-to-create_ak.patch
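Review bot: In the credential-activation hunk of `keylime/src/tpm.rs`, `self.inner.clear_sessions()` is reached only on success: the `?` on `execute_with_sessions(...)`, like the earlier `?` on the `policy_secret` and `policy_or` closures, returns before it, and nothing visible in the hunk flushes the `ek_auth` policy session on any path. A TPM holds only a small number of loaded sessions, so repeated failed activations could plausibly exhaust them; binding the outcome without `?`, calling `self.inner.clear_sessions();` and then returning `result.map_err(TpmError::from)` would run the cleanup on both paths. The `_ => {}` arm on `ek_hash_alg` also skips PolicyOR silently for every name algorithm other than the three listed; if SHA-256 is the only other expected case, spelling it as `HashingAlgorithm::Sha256 => {}` and returning an error for the rest would replace an opaque TPM policy failure with a clear message. The function begins outside the hunk, so any session handling done before these lines or by its callers is not visible here.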
@@ -0,0 +1,54 @@
+From 05a0c158a3d9ec1179a0b4539c28f048d1be5724 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki
+Date: Fri, 6 Feb 2026 01:00:00 +0100
+Subject: [PATCH 7/7] Pass encryption_alg to create AK
+
+---
+ keylime-agent/src/common.rs | 1 +
+ keylime-agent/src/main.rs | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/keylime-agent/src/common.rs b/keylime-agent/src/common.rs
+index 226bed3..a5f9975 100644
+--- a/keylime-agent/src/common.rs
++++ b/keylime-agent/src/common.rs
+@@ -333,6 +333,7 @@ mod tests {
+ ek_result.key_handle,
+ tpm_hash_alg,
+ tpm_signing_alg,
++ tpm_encryption_alg,
+ )?;
+
+ let agent_data_test = AgentData::create(
+diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
+index beef809..35c0c52 100644
+--- a/keylime-agent/src/main.rs
++++ b/keylime-agent/src/main.rs
+@@ -363,6 +363,7 @@ async fn main() -> Result<()> {
+ ek_result.key_handle,
+ tpm_hash_alg,
+ tpm_signing_alg,
++ tpm_encryption_alg,
+ )?;
+ let ak_handle = ctx.load_ak(ek_result.key_handle, &new_ak)?;
+ (ak_handle, new_ak)
+@@ -848,6 +849,7 @@ mod testing {
+ ek_result.key_handle,
+ tpm_hash_alg,
+ tpm_signing_alg,
++ tpm_encryption_alg,
+ )?;
+ let ak_handle = ctx.load_ak(ek_result.key_handle, &ak_result)?;
+ let ak_tpm2b_pub =
+@@ -914,7 +916,7 @@ mod testing {
+ payload_tx,
+ revocation_tx,
+ hash_alg: keylime::algorithms::HashAlgorithm::Sha256,
+- enc_alg: keylime::algorithms::EncryptionAlgorithm::Rsa,
++ enc_alg: keylime::algorithms::EncryptionAlgorithm::Rsa2048,
+ sign_alg: keylime::algorithms::SignAlgorithm::RsaSsa,
+ agent_uuid: test_config.agent.uuid,
+ allow_payload_revocation_actions: test_config
+--
+2.52.0
+
diff --git a/0008-rust-keylime-bump-pretty-env-logger.patch b/0008-rust-keylime-bump-pretty-env-logger.patch
new file mode 100644
index 0000000..6cc875a
--- /dev/null
+++ b/0008-rust-keylime-bump-pretty-env-logger.patch
@@ -0,0 +1,13 @@ +diff --git a/keylime-agent/Cargo.toml b/keylime-agent/Cargo.toml +index 522be45..f77cf6c 100644 +--- a/keylime-agent/Cargo.toml ++++ b/keylime-agent/Cargo.toml +@@ -23,7 +23,7 @@ log = "0.4" + openssl = "0.10.15" + picky-asn1-der = "0.4" + picky-asn1-x509 = "0.12" +-pretty_env_logger = "0.4" ++pretty_env_logger = "0.5" + reqwest = {version = "0.11", default-features = false, features = ["json"]} + serde = "1.0.80" + serde_derive = "1.0.80" diff --git a/keylime-agent-rust.spec b/keylime-agent-rust.spec index fdbb662..b167bdb 100644 --- a/keylime-agent-rust.spec +++ b/keylime-agent-rust.spec @@ -10,7 +10,7 @@ Name: keylime-agent-rust Version: 0.2.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Rust agent for Keylime # Upstream license specification: Apache-2.0 
@@ -48,11 +48,30 @@ Source0: %{url}/archive/refs/tags/v%{version}.tar.gz # tar jcf rust-keylime-%%{version}-vendor.tar.xz vendor Source1: rust-keylime-%{version}-vendor.tar.xz # Drop dependencies and adjust the features -Patch0: rust-keylime-adjust-features.patch +Patch0: 0001-rust-keylime-adjust-features.patch # Update openssl to version 0.10.70 to fix CVE-2025-24898 -Patch1: rust-keylime-openssl-0.10.70.patch +Patch1: 0002-rust-keylime-openssl-0.10.70.patch # Fix unnecessary qualification warnings -Patch2: rust-keylime-fix-unnecessary-qualifications.patch +Patch2: 0003-rust-keylime-fix-unnecessary-qualifications.patch +# Bump tss-esapi from 7.2.0 to 7.6.0 for ECC key support +# Backported from upstream commits +# https://github.com/keylime/rust-keylime/commit/b5c863e +# https://github.com/keylime/rust-keylime/commit/17202c6 +Patch3: 0004-rust-keylime-bump-tss-esapi-from-7.2.0-to-7.6.0.patch +# Enable non-standard key sizes and curves for EncryptionAlgorithm +# Backported from upstream commits +# https://github.com/keylime/rust-keylime/commit/2c73a2a +Patch4: 0005-rust-keylime-enable-non-standard-key-sizes-and-curve.patch +# Update TPM functions for ECC support (EK/AK creation, credential activation) +# Backported from upstream commits +# https://github.com/keylime/rust-keylime/commit/af32aa2 +Patch5: 0006-rust-keylime-update-TPM-functions-for-ECC-support.patch +# Pass encryption algorithm to create_ak +Patch6: 0007-rust-keylime-pass-encryption-algorithm-to-create_ak.patch +# Bump pretty-env-logger to version 0.5 +# Backported from upstream commit: +# https://github.com/keylime/rust-keylime/commit/fbe6a03 +Patch7: 0008-rust-keylime-bump-pretty-env-logger.patch ExclusiveArch: %{rust_arches} 
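Review bot: `Patch6` is the only newly added patch whose comment carries no upstream reference, and the patch file's own message has no `Backported from` line either, so a reader cannot tell whether it is downstream-only glue for the changed `create_ak` signature or an unreferenced backport. A provenance line above it, such as `# Downstream-only: adapts callers to the create_ak() signature changed by Patch5` (or the upstream commit URL if one exists), would keep every carried patch auditable. The `Patch5` comment also describes general ECC support while that patch's subject line is about EK policy authorisation during credential activation; aligning the two makes the list easier to match against the patch files.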
@@ -64,228 +83,247 @@ Requires: tpm2-tss Requires: keylime-base Requires: util-linux-core -BuildRequires: systemd -BuildRequires: openssl-devel -BuildRequires: libarchive-devel -BuildRequires: tpm2-tss-devel -BuildRequires: rust-toolset BuildRequires: clang +BuildRequires: git-core +BuildRequires: libarchive-devel +BuildRequires: openssl-devel +BuildRequires: rust-toolset +BuildRequires: systemd +BuildRequires: tpm2-tss-devel # Virtual Provides to support swapping between Python and Rust implementation Provides: keylime-agent Conflicts: keylime-agent -Provides: bundled(crate(actix-codec)) = 0.5.0 -Provides: bundled(crate(actix-http)) = 3.3.1 -Provides: bundled(crate(actix-macros)) = 0.2.3 -Provides: bundled(crate(actix-router)) = 0.5.1 -Provides: bundled(crate(actix-rt)) = 2.8.0 -Provides: bundled(crate(actix-server)) = 2.1.1 -Provides: bundled(crate(actix-service)) = 2.0.2 -Provides: bundled(crate(actix-tls)) = 3.0.3 -Provides: bundled(crate(actix-utils)) = 3.0.0 -Provides: bundled(crate(actix-web)) = 4.3.1 -Provides: bundled(crate(actix-web-codegen)) = 4.2.0 -Provides: bundled(crate(ahash)) = 0.7.6 -Provides: bundled(crate(ahash)) = 0.8.3 -Provides: bundled(crate(aho-corasick)) = 0.7.19 -Provides: bundled(crate(anstream)) = 0.3.2 -Provides: bundled(crate(anstyle)) = 1.0.1 -Provides: bundled(crate(anstyle-parse)) = 0.2.1 -Provides: bundled(crate(anstyle-query)) = 1.0.0 -Provides: bundled(crate(async-trait)) = 0.1.57 -Provides: bundled(crate(atty)) = 0.2.14 -Provides: bundled(crate(autocfg)) = 1.1.0 -Provides: bundled(crate(base64)) = 0.13.1 -Provides: bundled(crate(base64)) = 0.21.0 -Provides: bundled(crate(bindgen)) = 0.63.0 -Provides: bundled(crate(bitfield)) = 0.13.2 -Provides: bundled(crate(bitflags)) = 1.3.2 -Provides: bundled(crate(bitflags)) = 2.8.0 -Provides: bundled(crate(block-buffer)) = 0.10.3 -Provides: bundled(crate(bytes)) = 1.2.1 -Provides: bundled(crate(bytestring)) = 1.1.0 -Provides: bundled(crate(cc)) = 1.0.73 +Provides: 
bundled(crate(actix-codec)) = 0.5.2 +Provides: bundled(crate(actix-http)) = 3.11.2 +Provides: bundled(crate(actix-macros)) = 0.2.4 +Provides: bundled(crate(actix-router)) = 0.5.3 +Provides: bundled(crate(actix-rt)) = 2.11.0 +Provides: bundled(crate(actix-server)) = 2.6.0 +Provides: bundled(crate(actix-service)) = 2.0.3 +Provides: bundled(crate(actix-tls)) = 3.5.0 +Provides: bundled(crate(actix-utils)) = 3.0.1 +Provides: bundled(crate(actix-web)) = 4.12.1 +Provides: bundled(crate(actix-web-codegen)) = 4.3.0 +Provides: bundled(crate(aho-corasick)) = 1.1.4 +Provides: bundled(crate(anstream)) = 0.6.21 +Provides: bundled(crate(anstyle)) = 1.0.13 +Provides: bundled(crate(anstyle-parse)) = 0.2.7 +Provides: bundled(crate(anstyle-query)) = 1.1.5 +Provides: bundled(crate(async-trait)) = 0.1.89 +Provides: bundled(crate(autocfg)) = 1.5.0 +Provides: bundled(crate(base64)) = 0.21.7 +Provides: bundled(crate(bindgen)) = 0.66.1 +Provides: bundled(crate(bitfield)) = 0.14.0 +Provides: bundled(crate(bitflags)) = 2.10.0 +Provides: bundled(crate(block-buffer)) = 0.10.4 +Provides: bundled(crate(bytes)) = 1.11.1 +Provides: bundled(crate(bytestring)) = 1.5.0 +Provides: bundled(crate(cc)) = 1.2.55 Provides: bundled(crate(cexpr)) = 0.6.0 -Provides: bundled(crate(cfg-if)) = 1.0.0 -Provides: bundled(crate(clang-sys)) = 1.4.0 -Provides: bundled(crate(clap)) = 4.3.11 -Provides: bundled(crate(clap_builder)) = 4.3.11 -Provides: bundled(crate(clap_derive)) = 4.3.2 -Provides: bundled(crate(clap_lex)) = 0.5.0 -Provides: bundled(crate(colorchoice)) = 1.0.0 +Provides: bundled(crate(cfg-if)) = 1.0.4 +Provides: bundled(crate(clang-sys)) = 1.8.1 +Provides: bundled(crate(clap)) = 4.5.57 +Provides: bundled(crate(clap_builder)) = 4.5.57 +Provides: bundled(crate(clap_derive)) = 4.5.55 +Provides: bundled(crate(clap_lex)) = 0.7.7 +Provides: bundled(crate(colorchoice)) = 1.0.4 Provides: bundled(crate(compress-tools)) = 0.12.4 -Provides: bundled(crate(config)) = 0.13.3 -Provides: bundled(crate(convert_case)) = 
0.4.0 -Provides: bundled(crate(cpufeatures)) = 0.2.5 -Provides: bundled(crate(crypto-common)) = 0.1.6 -Provides: bundled(crate(derive_more)) = 0.99.17 -Provides: bundled(crate(digest)) = 0.10.5 -Provides: bundled(crate(either)) = 1.8.0 -Provides: bundled(crate(encoding_rs)) = 0.8.31 -Provides: bundled(crate(enumflags2)) = 0.7.7 -Provides: bundled(crate(enumflags2_derive)) = 0.7.7 -Provides: bundled(crate(env_logger)) = 0.7.1 -Provides: bundled(crate(errno)) = 0.3.1 -Provides: bundled(crate(fastrand)) = 1.8.0 +Provides: bundled(crate(config)) = 0.13.4 +Provides: bundled(crate(convert_case)) = 0.10.0 +Provides: bundled(crate(cpufeatures)) = 0.2.17 +Provides: bundled(crate(crypto-common)) = 0.1.7 +Provides: bundled(crate(deranged)) = 0.5.6 +Provides: bundled(crate(derive_more)) = 0.99.20 +Provides: bundled(crate(derive_more)) = 2.1.1 +Provides: bundled(crate(derive_more-impl)) = 2.1.1 +Provides: bundled(crate(digest)) = 0.10.7 +Provides: bundled(crate(displaydoc)) = 0.2.5 +Provides: bundled(crate(either)) = 1.15.0 +Provides: bundled(crate(encoding_rs)) = 0.8.35 +Provides: bundled(crate(enumflags2)) = 0.7.12 +Provides: bundled(crate(enumflags2_derive)) = 0.7.12 +Provides: bundled(crate(env_logger)) = 0.10.2 +Provides: bundled(crate(equivalent)) = 1.0.2 +Provides: bundled(crate(errno)) = 0.3.14 +Provides: bundled(crate(fastrand)) = 2.3.0 +Provides: bundled(crate(find-msvc-tools)) = 0.1.9 Provides: bundled(crate(fnv)) = 1.0.7 +Provides: bundled(crate(foldhash)) = 0.1.5 Provides: bundled(crate(foreign-types)) = 0.3.2 Provides: bundled(crate(foreign-types-shared)) = 0.1.1 -Provides: bundled(crate(form_urlencoded)) = 1.1.0 -Provides: bundled(crate(futures)) = 0.3.27 -Provides: bundled(crate(futures-channel)) = 0.3.27 -Provides: bundled(crate(futures-core)) = 0.3.27 -Provides: bundled(crate(futures-executor)) = 0.3.27 -Provides: bundled(crate(futures-io)) = 0.3.27 -Provides: bundled(crate(futures-macro)) = 0.3.27 -Provides: bundled(crate(futures-sink)) = 0.3.27 -Provides: 
bundled(crate(futures-task)) = 0.3.27 -Provides: bundled(crate(futures-util)) = 0.3.27 -Provides: bundled(crate(generic-array)) = 0.14.6 -Provides: bundled(crate(getrandom)) = 0.2.7 -Provides: bundled(crate(glob)) = 0.3.1 -Provides: bundled(crate(h2)) = 0.3.17 -Provides: bundled(crate(hashbrown)) = 0.12.3 -Provides: bundled(crate(heck)) = 0.4.0 +Provides: bundled(crate(form_urlencoded)) = 1.2.2 +Provides: bundled(crate(futures)) = 0.3.31 +Provides: bundled(crate(futures-channel)) = 0.3.31 +Provides: bundled(crate(futures-core)) = 0.3.31 +Provides: bundled(crate(futures-executor)) = 0.3.31 +Provides: bundled(crate(futures-io)) = 0.3.31 +Provides: bundled(crate(futures-macro)) = 0.3.31 +Provides: bundled(crate(futures-sink)) = 0.3.31 +Provides: bundled(crate(futures-task)) = 0.3.31 +Provides: bundled(crate(futures-util)) = 0.3.31 +Provides: bundled(crate(generic-array)) = 0.14.7 +Provides: bundled(crate(getrandom)) = 0.2.17 +Provides: bundled(crate(getrandom)) = 0.3.4 +Provides: bundled(crate(getrandom)) = 0.4.1 +Provides: bundled(crate(glob)) = 0.3.3 +Provides: bundled(crate(h2)) = 0.3.27 +Provides: bundled(crate(hashbrown)) = 0.16.1 +Provides: bundled(crate(heck)) = 0.5.0 Provides: bundled(crate(hex)) = 0.4.3 +Provides: bundled(crate(home)) = 0.5.12 Provides: bundled(crate(hostname-validator)) = 1.1.1 -Provides: bundled(crate(http)) = 0.2.8 -Provides: bundled(crate(http-body)) = 0.4.5 -Provides: bundled(crate(httparse)) = 1.8.0 -Provides: bundled(crate(httpdate)) = 1.0.2 -Provides: bundled(crate(humantime)) = 1.3.0 -Provides: bundled(crate(hyper)) = 0.14.20 -Provides: bundled(crate(idna)) = 0.3.0 -Provides: bundled(crate(indexmap)) = 1.9.1 -Provides: bundled(crate(io-lifetimes)) = 1.0.10 -Provides: bundled(crate(ipnet)) = 2.5.0 -Provides: bundled(crate(is-terminal)) = 0.4.7 -Provides: bundled(crate(itoa)) = 1.0.3 -Provides: bundled(crate(keylime)) = 0.2.2 -Provides: bundled(crate(keylime_agent)) = 0.2.2 -Provides: bundled(crate(keylime_ima_emulator)) = 0.2.2 
+Provides: bundled(crate(http)) = 0.2.12 +Provides: bundled(crate(http-body)) = 0.4.6 +Provides: bundled(crate(httparse)) = 1.10.1 +Provides: bundled(crate(httpdate)) = 1.0.3 +Provides: bundled(crate(humantime)) = 2.3.0 +Provides: bundled(crate(hyper)) = 0.14.32 +Provides: bundled(crate(icu_collections)) = 2.1.1 +Provides: bundled(crate(icu_locale_core)) = 2.1.1 +Provides: bundled(crate(icu_normalizer)) = 2.1.1 +Provides: bundled(crate(icu_normalizer_data)) = 2.1.1 +Provides: bundled(crate(icu_properties)) = 2.1.2 +Provides: bundled(crate(icu_properties_data)) = 2.1.2 +Provides: bundled(crate(icu_provider)) = 2.1.1 +Provides: bundled(crate(idna)) = 1.1.0 +Provides: bundled(crate(idna_adapter)) = 1.2.1 +Provides: bundled(crate(impl-more)) = 0.1.9 +Provides: bundled(crate(indexmap)) = 2.13.0 +Provides: bundled(crate(ipnet)) = 2.11.0 +Provides: bundled(crate(is-terminal)) = 0.4.17 +Provides: bundled(crate(is_terminal_polyfill)) = 1.70.2 +Provides: bundled(crate(itoa)) = 1.0.17 Provides: bundled(crate(language-tags)) = 0.3.2 -Provides: bundled(crate(lazy_static)) = 1.4.0 +Provides: bundled(crate(lazy_static)) = 1.5.0 Provides: bundled(crate(lazycell)) = 1.3.0 -Provides: bundled(crate(libc)) = 0.2.147 -Provides: bundled(crate(libloading)) = 0.7.3 -Provides: bundled(crate(linux-raw-sys)) = 0.3.1 -Provides: bundled(crate(local-channel)) = 0.1.3 -Provides: bundled(crate(local-waker)) = 0.1.3 -Provides: bundled(crate(lock_api)) = 0.4.9 -Provides: bundled(crate(log)) = 0.4.17 -Provides: bundled(crate(mbox)) = 0.6.0 -Provides: bundled(crate(memchr)) = 2.5.0 -Provides: bundled(crate(mime)) = 0.3.16 +Provides: bundled(crate(libc)) = 0.2.181 +Provides: bundled(crate(libloading)) = 0.8.9 +Provides: bundled(crate(linux-raw-sys)) = 0.4.15 +Provides: bundled(crate(linux-raw-sys)) = 0.11.0 +Provides: bundled(crate(litemap)) = 0.8.1 +Provides: bundled(crate(local-waker)) = 0.1.4 +Provides: bundled(crate(lock_api)) = 0.4.14 +Provides: bundled(crate(log)) = 0.4.29 +Provides: 
bundled(crate(mbox)) = 0.7.1 +Provides: bundled(crate(memchr)) = 2.8.0 +Provides: bundled(crate(mime)) = 0.3.17 Provides: bundled(crate(minimal-lexical)) = 0.2.1 -Provides: bundled(crate(mio)) = 0.8.4 -Provides: bundled(crate(nom)) = 7.1.1 -Provides: bundled(crate(num-derive)) = 0.3.3 -Provides: bundled(crate(num-traits)) = 0.2.15 -Provides: bundled(crate(num_cpus)) = 1.13.1 -Provides: bundled(crate(num_threads)) = 0.1.6 +Provides: bundled(crate(mio)) = 1.1.1 +Provides: bundled(crate(nom)) = 7.1.3 +Provides: bundled(crate(num-conv)) = 0.2.0 +Provides: bundled(crate(num-derive)) = 0.4.2 +Provides: bundled(crate(num-traits)) = 0.2.19 Provides: bundled(crate(oid)) = 0.2.1 -Provides: bundled(crate(once_cell)) = 1.15.0 -Provides: bundled(crate(openssl)) = 0.10.70 +Provides: bundled(crate(once_cell)) = 1.21.3 +Provides: bundled(crate(openssl)) = 0.10.75 Provides: bundled(crate(openssl-macros)) = 0.1.1 -Provides: bundled(crate(openssl-sys)) = 0.9.105 -Provides: bundled(crate(parking_lot)) = 0.12.1 -Provides: bundled(crate(parking_lot_core)) = 0.9.3 -Provides: bundled(crate(paste)) = 1.0.9 -Provides: bundled(crate(pathdiff)) = 0.2.1 +Provides: bundled(crate(openssl-sys)) = 0.9.111 +Provides: bundled(crate(parking_lot)) = 0.12.5 +Provides: bundled(crate(parking_lot_core)) = 0.9.12 +Provides: bundled(crate(pathdiff)) = 0.2.3 Provides: bundled(crate(peeking_take_while)) = 0.1.2 -Provides: bundled(crate(percent-encoding)) = 2.2.0 -Provides: bundled(crate(pest)) = 2.7.0 -Provides: bundled(crate(pest_derive)) = 2.7.0 -Provides: bundled(crate(pest_generator)) = 2.7.0 -Provides: bundled(crate(pest_meta)) = 2.7.0 -Provides: bundled(crate(picky-asn1)) = 0.3.3 -Provides: bundled(crate(picky-asn1)) = 0.5.0 -Provides: bundled(crate(picky-asn1-der)) = 0.2.5 -Provides: bundled(crate(picky-asn1-der)) = 0.3.1 -Provides: bundled(crate(picky-asn1-x509)) = 0.6.1 -Provides: bundled(crate(pin-project-lite)) = 0.2.9 +Provides: bundled(crate(percent-encoding)) = 2.3.2 +Provides: 
bundled(crate(pest)) = 2.8.6 +Provides: bundled(crate(pest_derive)) = 2.8.6 +Provides: bundled(crate(pest_generator)) = 2.8.6 +Provides: bundled(crate(pest_meta)) = 2.8.6 +Provides: bundled(crate(picky-asn1)) = 0.8.0 +Provides: bundled(crate(picky-asn1-der)) = 0.4.1 +Provides: bundled(crate(picky-asn1-x509)) = 0.12.0 +Provides: bundled(crate(pin-project-lite)) = 0.2.16 Provides: bundled(crate(pin-utils)) = 0.1.0 -Provides: bundled(crate(pkg-config)) = 0.3.25 -Provides: bundled(crate(ppv-lite86)) = 0.2.16 -Provides: bundled(crate(pretty_env_logger)) = 0.4.0 -Provides: bundled(crate(proc-macro2)) = 1.0.64 -Provides: bundled(crate(quick-error)) = 1.2.3 -Provides: bundled(crate(quote)) = 1.0.29 -Provides: bundled(crate(rand)) = 0.8.5 -Provides: bundled(crate(rand_chacha)) = 0.3.1 -Provides: bundled(crate(rand_core)) = 0.6.4 -Provides: bundled(crate(regex)) = 1.6.0 -Provides: bundled(crate(regex-syntax)) = 0.6.27 -Provides: bundled(crate(reqwest)) = 0.11.16 +Provides: bundled(crate(pkg-config)) = 0.3.32 +Provides: bundled(crate(potential_utf)) = 0.1.4 +Provides: bundled(crate(powerfmt)) = 0.2.0 +Provides: bundled(crate(pretty_env_logger)) = 0.5.0 +Provides: bundled(crate(prettyplease)) = 0.2.37 +Provides: bundled(crate(proc-macro2)) = 1.0.106 +Provides: bundled(crate(quote)) = 1.0.44 +Provides: bundled(crate(regex)) = 1.12.3 +Provides: bundled(crate(regex-automata)) = 0.4.14 +Provides: bundled(crate(regex-lite)) = 0.1.9 +Provides: bundled(crate(regex-syntax)) = 0.8.9 +Provides: bundled(crate(reqwest)) = 0.11.27 Provides: bundled(crate(rustc-hash)) = 1.1.0 -Provides: bundled(crate(rustc_version)) = 0.3.3 -Provides: bundled(crate(rustc_version)) = 0.4.0 -Provides: bundled(crate(rustix)) = 0.37.11 -Provides: bundled(crate(ryu)) = 1.0.11 -Provides: bundled(crate(scopeguard)) = 1.1.0 -Provides: bundled(crate(semver)) = 0.11.0 -Provides: bundled(crate(semver)) = 1.0.14 -Provides: bundled(crate(semver-parser)) = 0.10.2 -Provides: bundled(crate(serde)) = 1.0.166 -Provides: 
bundled(crate(serde_bytes)) = 0.11.7 -Provides: bundled(crate(serde_derive)) = 1.0.166 -Provides: bundled(crate(serde_json)) = 1.0.96 +Provides: bundled(crate(rustc_version)) = 0.4.1 +Provides: bundled(crate(rustix)) = 0.38.44 +Provides: bundled(crate(rustix)) = 1.1.3 +Provides: bundled(crate(ryu)) = 1.0.23 +Provides: bundled(crate(scopeguard)) = 1.2.0 +Provides: bundled(crate(semver)) = 1.0.27 +Provides: bundled(crate(serde)) = 1.0.228 +Provides: bundled(crate(serde_bytes)) = 0.11.19 +Provides: bundled(crate(serde_core)) = 1.0.228 +Provides: bundled(crate(serde_derive)) = 1.0.228 +Provides: bundled(crate(serde_json)) = 1.0.149 Provides: bundled(crate(serde_urlencoded)) = 0.7.1 -Provides: bundled(crate(sha1)) = 0.10.5 -Provides: bundled(crate(sha2)) = 0.10.6 -Provides: bundled(crate(shlex)) = 1.1.0 -Provides: bundled(crate(signal-hook)) = 0.3.15 -Provides: bundled(crate(signal-hook-registry)) = 1.4.0 -Provides: bundled(crate(slab)) = 0.4.7 -Provides: bundled(crate(smallvec)) = 1.9.0 -Provides: bundled(crate(socket2)) = 0.4.9 -Provides: bundled(crate(stable_deref_trait)) = 1.2.0 +Provides: bundled(crate(sha2)) = 0.10.9 +Provides: bundled(crate(shlex)) = 1.3.0 +Provides: bundled(crate(signal-hook)) = 0.3.18 +Provides: bundled(crate(signal-hook-registry)) = 1.4.8 +Provides: bundled(crate(slab)) = 0.4.12 +Provides: bundled(crate(smallvec)) = 1.15.1 +Provides: bundled(crate(socket2)) = 0.5.10 +Provides: bundled(crate(socket2)) = 0.6.2 +Provides: bundled(crate(stable_deref_trait)) = 1.2.1 Provides: bundled(crate(static_assertions)) = 1.1.0 -Provides: bundled(crate(strsim)) = 0.10.0 -Provides: bundled(crate(syn)) = 1.0.100 -Provides: bundled(crate(syn)) = 2.0.25 -Provides: bundled(crate(synstructure)) = 0.12.6 -Provides: bundled(crate(target-lexicon)) = 0.12.4 -Provides: bundled(crate(tempfile)) = 3.6.0 -Provides: bundled(crate(termcolor)) = 1.1.3 -Provides: bundled(crate(thiserror)) = 1.0.40 -Provides: bundled(crate(thiserror-impl)) = 1.0.40 -Provides: 
bundled(crate(time)) = 0.3.14 -Provides: bundled(crate(tinyvec)) = 1.6.0 -Provides: bundled(crate(tinyvec_macros)) = 0.1.0 -Provides: bundled(crate(tokio)) = 1.28.2 -Provides: bundled(crate(tokio-macros)) = 2.1.0 -Provides: bundled(crate(tokio-openssl)) = 0.6.3 -Provides: bundled(crate(tokio-util)) = 0.7.4 -Provides: bundled(crate(toml)) = 0.5.9 -Provides: bundled(crate(tower-service)) = 0.3.2 -Provides: bundled(crate(tracing)) = 0.1.36 -Provides: bundled(crate(tracing-core)) = 0.1.29 -Provides: bundled(crate(try-lock)) = 0.2.3 -Provides: bundled(crate(tss-esapi)) = 7.2.0 -Provides: bundled(crate(tss-esapi-sys)) = 0.4.0 -Provides: bundled(crate(typenum)) = 1.15.0 -Provides: bundled(crate(ucd-trie)) = 0.1.5 -Provides: bundled(crate(unicode-bidi)) = 0.3.8 -Provides: bundled(crate(unicode-ident)) = 1.0.4 -Provides: bundled(crate(unicode-normalization)) = 0.1.22 -Provides: bundled(crate(unicode-xid)) = 0.2.4 -Provides: bundled(crate(url)) = 2.3.1 -Provides: bundled(crate(utf8parse)) = 0.2.1 -Provides: bundled(crate(uuid)) = 1.3.1 +Provides: bundled(crate(strsim)) = 0.11.1 +Provides: bundled(crate(syn)) = 2.0.114 +Provides: bundled(crate(sync_wrapper)) = 0.1.2 +Provides: bundled(crate(synstructure)) = 0.13.2 +Provides: bundled(crate(target-lexicon)) = 0.12.16 +Provides: bundled(crate(tempfile)) = 3.25.0 +Provides: bundled(crate(termcolor)) = 1.4.1 +Provides: bundled(crate(thiserror)) = 1.0.69 +Provides: bundled(crate(thiserror-impl)) = 1.0.69 +Provides: bundled(crate(time)) = 0.3.47 +Provides: bundled(crate(time-core)) = 0.1.8 +Provides: bundled(crate(time-macros)) = 0.2.27 +Provides: bundled(crate(tinystr)) = 0.8.2 +Provides: bundled(crate(tokio)) = 1.49.0 +Provides: bundled(crate(tokio-macros)) = 2.6.0 +Provides: bundled(crate(tokio-openssl)) = 0.6.5 +Provides: bundled(crate(tokio-util)) = 0.7.18 +Provides: bundled(crate(toml)) = 0.5.11 +Provides: bundled(crate(tower-service)) = 0.3.3 +Provides: bundled(crate(tracing)) = 0.1.44 +Provides: 
bundled(crate(tracing-attributes)) = 0.1.31 +Provides: bundled(crate(tracing-core)) = 0.1.36 +Provides: bundled(crate(try-lock)) = 0.2.5 +Provides: bundled(crate(tss-esapi)) = 7.6.0 +Provides: bundled(crate(tss-esapi-sys)) = 0.5.0 +Provides: bundled(crate(typenum)) = 1.19.0 +Provides: bundled(crate(ucd-trie)) = 0.1.7 +Provides: bundled(crate(unicode-ident)) = 1.0.23 +Provides: bundled(crate(unicode-segmentation)) = 1.12.0 +Provides: bundled(crate(unicode-xid)) = 0.2.6 +Provides: bundled(crate(url)) = 2.5.8 +Provides: bundled(crate(utf8_iter)) = 1.0.4 +Provides: bundled(crate(utf8parse)) = 0.2.2 +Provides: bundled(crate(uuid)) = 1.20.0 Provides: bundled(crate(vcpkg)) = 0.2.15 -Provides: bundled(crate(version_check)) = 0.9.4 -Provides: bundled(crate(want)) = 0.3.0 -Provides: bundled(crate(which)) = 4.3.0 -Provides: bundled(crate(zeroize)) = 1.5.7 -Provides: bundled(crate(zeroize_derive)) = 1.3.2 +Provides: bundled(crate(version_check)) = 0.9.5 +Provides: bundled(crate(want)) = 0.3.1 +Provides: bundled(crate(which)) = 4.4.2 +Provides: bundled(crate(writeable)) = 0.6.2 +Provides: bundled(crate(yoke)) = 0.8.1 +Provides: bundled(crate(yoke-derive)) = 0.8.1 +Provides: bundled(crate(zerofrom)) = 0.1.6 +Provides: bundled(crate(zerofrom-derive)) = 0.1.6 +Provides: bundled(crate(zeroize)) = 1.8.2 +Provides: bundled(crate(zeroize_derive)) = 1.4.3 +Provides: bundled(crate(zerotrie)) = 0.2.3 +Provides: bundled(crate(zerovec)) = 0.11.5 +Provides: bundled(crate(zerovec-derive)) = 0.11.2 +Provides: bundled(crate(zmij)) = 1.0.20 %description Rust agent for Keylime %prep -%autosetup -N -n rust-keylime-%{version} +%autosetup -S git -N -n rust-keylime-%{version} -a1 %cargo_prep -V 1 %autopatch -p1 
@@ -358,6 +396,10 @@ chown -R keylime:keylime %{_sysconfdir}/keylime
 %endif
 
 %changelog
+* Wed Feb 11 2026 Anderson Toshiyuki Sasaki - 0.2.2-5
+- Enable attestation with TPM ECC keys
+ Resolves: RHEL-118148
+
 * Tue Feb 03 2026 Sergio Correia - 0.2.2-4
 - Remove /usr/libexec/keylime/
 Resolves: RHEL-145712
diff --git a/sources b/sources
index 2723e90..8b94abb 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (rust-keylime-0.2.2-vendor.tar.xz) = 003d4562291f2aa209f17bcc4e1b72a181ec02e474aa7cae8d525d1ece38aa353326c53612123fd060214bc61198feaa0f3c4d355c633987d276108e32e7a265
 SHA512 (v0.2.2.tar.gz) = d83dbece1e850383fe98dec7ab2c473cdad46193d0f31eba25ae0a75928df94ee00fa8ee656806f356fcccbc36a5b6f417c1029a1f6a3a0974186197826eb4cc
+SHA512 (rust-keylime-0.2.2-vendor.tar.xz) = 57cc1d03cd7abc5d1ecafee08cb08b27e40463257360fe4f780774ad24fa372dcb376d48ab0091775734170c1eeb6d7866fbf5cc16e17a3d1a3099c572df1130