Enable ECC attestation

Resolves: RHEL-117441 Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-10-06 14:43:31 +00:00 · 2025-10-06 14:43:31 +00:00 · c35112e60f
commit c35112e60f
parent 2d2ad77dbe
2 changed files with 107 additions and 0 deletions
--- a/0007-Fix-ECC-RSA-algorithm-selection-and-reporting-for-ke.patch
+++ b/0007-Fix-ECC-RSA-algorithm-selection-and-reporting-for-ke.patch
@ -0,0 +1,106 @@
+From 9b90f051cddce7c62b7b2fb6f6349f8db9bcabb5 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Mon, 6 Oct 2025 14:37:29 +0000
+Subject: [PATCH 7/7] Fix ECC/RSA algorithm selection and reporting for keylime
+ agent
+
+Backport of upstream PRs:
+- https://github.com/keylime/rust-keylime/pull/1132
+- https://github.com/keylime/rust-keylime/pull/1134
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ keylime-agent/src/agent_handler.rs  | 2 +-
+ keylime-agent/src/quotes_handler.rs | 6 +++---
+ keylime/src/algorithms.rs           | 4 ++--
+ keylime/src/tpm.rs                  | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/keylime-agent/src/agent_handler.rs b/keylime-agent/src/agent_handler.rs
+index 13bcc37..ec7f8ed 100644
+--- a/keylime-agent/src/agent_handler.rs
+++ b/keylime-agent/src/agent_handler.rs
+@@ -109,7 +109,7 @@ mod tests {
+         let result: JsonWrapper<AgentInfo> = test::read_body_json(resp).await;
+         assert_eq!(result.results.agent_uuid.as_str(), "DEADBEEF");
+         assert_eq!(result.results.tpm_hash_alg.as_str(), "sha256");
+-        assert_eq!(result.results.tpm_enc_alg.as_str(), "rsa");
+        assert_eq!(result.results.tpm_enc_alg.as_str(), "rsa2048");
+         assert_eq!(result.results.tpm_sign_alg.as_str(), "rsassa");
+ 
+         // Explicitly drop QuoteData to cleanup keys
+diff --git a/keylime-agent/src/quotes_handler.rs b/keylime-agent/src/quotes_handler.rs
+index d61adf2..bc0ddaa 100644
+--- a/keylime-agent/src/quotes_handler.rs
+++ b/keylime-agent/src/quotes_handler.rs
+@@ -405,7 +405,7 @@ mod tests {
+         let result: JsonWrapper<KeylimeQuote> =
+             test::read_body_json(resp).await;
+         assert_eq!(result.results.hash_alg.as_str(), "sha256");
+-        assert_eq!(result.results.enc_alg.as_str(), "rsa");
+        assert_eq!(result.results.enc_alg.as_str(), "rsa2048");
+         assert_eq!(result.results.sign_alg.as_str(), "rsassa");
+         assert!(
+             pkey_pub_from_pem(&result.results.pubkey.unwrap()) //#[allow_ci]
+@@ -451,7 +451,7 @@ mod tests {
+         let result: JsonWrapper<KeylimeQuote> =
+             test::read_body_json(resp).await;
+         assert_eq!(result.results.hash_alg.as_str(), "sha256");
+-        assert_eq!(result.results.enc_alg.as_str(), "rsa");
+        assert_eq!(result.results.enc_alg.as_str(), "rsa2048");
+         assert_eq!(result.results.sign_alg.as_str(), "rsassa");
+         assert!(
+             pkey_pub_from_pem(&result.results.pubkey.unwrap()) //#[allow_ci]
+@@ -513,7 +513,7 @@ mod tests {
+         let result: JsonWrapper<KeylimeQuote> =
+             test::read_body_json(resp).await;
+         assert_eq!(result.results.hash_alg.as_str(), "sha256");
+-        assert_eq!(result.results.enc_alg.as_str(), "rsa");
+        assert_eq!(result.results.enc_alg.as_str(), "rsa2048");
+         assert_eq!(result.results.sign_alg.as_str(), "rsassa");
+ 
+         if let Some(ima_mutex) = &quotedata.ima_ml_file {
+diff --git a/keylime/src/algorithms.rs b/keylime/src/algorithms.rs
+index cda8966..4b4205a 100644
+--- a/keylime/src/algorithms.rs
+++ b/keylime/src/algorithms.rs
+@@ -195,12 +195,12 @@ impl fmt::Display for EncryptionAlgorithm {
+     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+         let value = match self {
+             EncryptionAlgorithm::Rsa1024 => "rsa1024",
+-            EncryptionAlgorithm::Rsa2048 => "rsa", /* for backwards compatibility */
+            EncryptionAlgorithm::Rsa2048 => "rsa2048",
+             EncryptionAlgorithm::Rsa3072 => "rsa3072",
+             EncryptionAlgorithm::Rsa4096 => "rsa4096",
+             EncryptionAlgorithm::Ecc192 => "ecc192",
+             EncryptionAlgorithm::Ecc224 => "ecc224",
+-            EncryptionAlgorithm::Ecc256 => "ecc", /* for backwards compatibility */
+            EncryptionAlgorithm::Ecc256 => "ecc256",
+             EncryptionAlgorithm::Ecc384 => "ecc384",
+             EncryptionAlgorithm::Ecc521 => "ecc521",
+             EncryptionAlgorithm::EccSm2 => "ecc_sm2",
+diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
+index 5e27f3a..f907aca 100644
+--- a/keylime/src/tpm.rs
+++ b/keylime/src/tpm.rs
+@@ -31,7 +31,7 @@ use tss_esapi::{
+     abstraction::{
+         ak, ek,
+         pcr::{read_all, PcrData},
+-        DefaultKey,
+        AsymmetricAlgorithmSelection, DefaultKey,
+     },
+     attributes::{
+         object::ObjectAttributesBuilder, session::SessionAttributesBuilder,
+@@ -682,7 +682,7 @@ impl Context<'_> {
+             &mut self.inner.lock().unwrap(), //#[allow_ci]
+             handle,
+             hash_alg.into(),
+-            key_alg.into(),
+            Into::<AsymmetricAlgorithmSelection>::into(key_alg),
+             sign_alg.into(),
+             None,
+             DefaultKey,
+-- 
+2.47.3
+
--- a/keylime-agent-rust.spec
+++ b/keylime-agent-rust.spec
@ -69,6 +69,7 @@ Patch3:         0003-Enable-non-standard-key-sizes-and-curves-for-EK-and-.patch
 Patch4:         0004-Clippy-fixes.patch
 Patch5:         0005-tpm-add-policy-auth-for-EK-to-activate-crendential.patch
 Patch6:         0006-keylime-agent.conf-add-all-accepted-TPM-encryption-a.patch
+Patch7:         0007-Fix-ECC-RSA-algorithm-selection-and-reporting-for-ke.patch

 ## (100-199) Patches for building from system Rust libraries (Fedora)
 ## (200+) Patches for building from vendored Rust libraries (RHEL)