Compare commits


No commits in common. "c9-beta" and "c10s" have entirely different histories.

21 changed files with 4912 additions and 1156 deletions

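--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1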

.gitignore vendored

@ -1,2 +1,19 @@
SOURCES/rust-keylime-0.2.2-vendor.tar.xz
SOURCES/v0.2.2.tar.gz
/rust-keylime-0.1.0~20211110gitd5a3191-vendor.tar.xz
/rust-keylime-0.1.0~20211110gitd5a3191.tar.gz
/rust-keylime-0.1.0~20220602gitc98e381-vendor.tar.xz
/rust-keylime-0.1.0~20220602gitc98e381.tar.gz
/rust-keylime-0.1.0~20220603gitaed51c7.tar.gz
/rust-keylime-0.1.0~20220603gitaed51c7-vendor.tar.xz
/v0.1.0.tar.gz
/rust-keylime-0.1.0-vendor.tar.xz
/v0.2.0.tar.gz
/rust-keylime-0.2.0-vendor.tar.xz
/v0.2.1.tar.gz
/rust-keylime-0.2.1-vendor.tar.xz
/v0.2.2.tar.gz
/rust-keylime-0.2.2-vendor.tar.xz
/rust-keylime-0.2.5-vendor.tar.xz
/v0.2.5.tar.gz
/rust-keylime-0.2.7-vendor.tar.xz
/v0.2.7.tar.gz
/rust-keylime-0.2.7-vendor.tar.zstd


@ -1,2 +0,0 @@
65898cc04f96ee7a5bae484ecf40d63a480106ad SOURCES/rust-keylime-0.2.2-vendor.tar.xz
f83bc06ae2d04673fb2ed8356bf691ec664ef9f7 SOURCES/v0.2.2.tar.gz


0004-Clippy-fixes.patch Normal file

@ -0,0 +1,557 @@
From dc36c72e75c9b3ab36693b59252e3246ef53d5fb Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 29 Sep 2025 22:45:55 +0000
Subject: [PATCH 4/6] Clippy fixes
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime-agent/src/config.rs | 13 ++++++-------
keylime-agent/src/keys_handler.rs | 4 ++--
keylime-agent/src/main.rs | 10 +++++-----
keylime-agent/src/payloads.rs | 12 ++++++------
keylime-agent/src/permissions.rs | 14 +++++++-------
keylime-agent/src/quotes_handler.rs | 16 ++++++++--------
keylime-agent/src/revocation.rs | 15 +++++++--------
keylime-agent/src/secure_mount.rs | 6 +++---
keylime/src/crypto.rs | 12 ++++++------
keylime/src/ima/entry.rs | 7 +++----
keylime/src/registrar_client.rs | 2 +-
keylime/src/tpm.rs | 14 +++++---------
12 files changed, 59 insertions(+), 66 deletions(-)
diff --git a/keylime-agent/src/config.rs b/keylime-agent/src/config.rs
index 21c0516..f1fe7d1 100644
--- a/keylime-agent/src/config.rs
+++ b/keylime-agent/src/config.rs
@@ -614,8 +614,10 @@ fn config_translate_keywords(
.collect::<Vec<String>>()
.join(", "),
"latest" => {
- if let Some(version) =
- SUPPORTED_API_VERSIONS.iter().map(|&s| s.to_string()).last()
+ if let Some(version) = SUPPORTED_API_VERSIONS
+ .iter()
+ .map(|&s| s.to_string())
+ .next_back()
{
version
} else {
@@ -980,7 +982,7 @@ mod tests {
let expected = SUPPORTED_API_VERSIONS
.iter()
.map(|e| e.to_string())
- .last()
+ .next_back()
.unwrap(); //#[allow_ci]
assert_eq!(version, expected);
}
@@ -1273,10 +1275,7 @@ mod tests {
let j = obtained.get(i).unwrap(); //#[allow_ci]
assert!(
e.to_string() == j.to_string(),
- "Option {} mismatch: expected == '{}', obtained == '{}'",
- i,
- e,
- j
+ "Option {i} mismatch: expected == '{e}', obtained == '{j}'"
);
}
}
diff --git a/keylime-agent/src/keys_handler.rs b/keylime-agent/src/keys_handler.rs
index 447f0d1..a4c9f21 100644
--- a/keylime-agent/src/keys_handler.rs
+++ b/keylime-agent/src/keys_handler.rs
@@ -327,7 +327,7 @@ async fn pubkey(
HttpResponse::Ok().json(response)
}
Err(e) => {
- debug!("Unable to retrieve public key: {:?}", e);
+ debug!("Unable to retrieve public key: {e:?}");
HttpResponse::InternalServerError().json(JsonWrapper::error(
500,
"Unable to retrieve public key".to_string(),
@@ -411,7 +411,7 @@ async fn verify(
HttpResponse::Ok().json(response)
}
Err(e) => {
- warn!("GET key challenge failed: {:?}", e);
+ warn!("GET key challenge failed: {e:?}");
HttpResponse::InternalServerError().json(JsonWrapper::error(
500,
"GET key challenge failed".to_string(),
diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
index 9e3d727..be51a21 100644
--- a/keylime-agent/src/main.rs
+++ b/keylime-agent/src/main.rs
@@ -269,7 +269,7 @@ async fn main() -> Result<()> {
config::KeylimeConfigError::Generic(message),
));
}
- info!("Running the service as {}...", user_group);
+ info!("Running the service as {user_group}...");
}
// Parse the configured API versions
@@ -403,7 +403,7 @@ async fn main() -> Result<()> {
}
}
Err(e) => {
- warn!("Could not load agent data: {}", e);
+ warn!("Could not load agent data: {e}");
None
}
}
@@ -442,7 +442,7 @@ async fn main() -> Result<()> {
path => agent_data_new.store(Path::new(&path))?,
}
- info!("Agent UUID: {}", agent_uuid);
+ info!("Agent UUID: {agent_uuid}");
// If using IAK/IDevID is enabled, obtain IAK/IDevID and respective certificates
let mut device_id = if config.agent.enable_iak_idevid {
@@ -595,7 +595,7 @@ async fn main() -> Result<()> {
) {
Ok(t) => Ok(t),
Err(e) => {
- error!("Failed to load trusted CA certificates: {}", e);
+ error!("Failed to load trusted CA certificates: {e}");
Err(e)
}
}?;
@@ -833,7 +833,7 @@ async fn main() -> Result<()> {
Ok(ip_addr) => {
// Add bracket if IPv6, otherwise use as it is
if ip_addr.is_ipv6() {
- format!("[{}]", ip_addr)
+ format!("[{ip_addr}]")
} else {
ip_addr.to_string()
}
diff --git a/keylime-agent/src/payloads.rs b/keylime-agent/src/payloads.rs
index 3b8873d..8996a5e 100644
--- a/keylime-agent/src/payloads.rs
+++ b/keylime-agent/src/payloads.rs
@@ -109,14 +109,14 @@ fn write_out_key_and_payload(
if bytes != key.as_ref().len() {
return Err(Error::Other(format!("Error writing symm key to {:?}: key len is {}, but {bytes} bytes were written", key_path, key.as_ref().len())));
}
- info!("Wrote payload decryption key to {:?}", key_path);
+ info!("Wrote payload decryption key to {key_path:?}");
let mut dec_payload_file = fs::File::create(dec_payload_path)?;
let bytes = dec_payload_file.write(dec_payload)?;
if bytes != dec_payload.len() {
return Err(Error::Other(format!("Error writing decrypted payload to {:?}: payload len is {}, but {bytes} bytes were written", dec_payload_path, dec_payload.len())));
}
- info!("Wrote decrypted payload to {:?}", dec_payload_path);
+ info!("Wrote decrypted payload to {dec_payload_path:?}");
Ok(())
}
@@ -124,7 +124,7 @@ fn write_out_key_and_payload(
// run a script (such as the init script, if any) and check the status
fn run(dir: &Path, script: &str) -> Result<()> {
let script_path = dir.join(script);
- info!("Running script: {:?}", script_path);
+ info!("Running script: {script_path:?}");
if !script_path.exists() {
info!("No payload script {script} found in {}", dir.display());
@@ -176,7 +176,7 @@ fn optional_unzip_payload(
dec_file => {
let zipped_payload_path = unzipped.join(dec_file);
- info!("Unzipping payload {} to {:?}", dec_file, unzipped);
+ info!("Unzipping payload {dec_file} to {unzipped:?}");
let mut source = fs::File::open(zipped_payload_path)?;
let mut zip = ZipArchive::new(source)?;
@@ -215,7 +215,7 @@ async fn run_encrypted_payload(
info!("No payload script specified, skipping");
}
script => {
- info!("Payload init script indicated: {}", script);
+ info!("Payload init script indicated: {script}");
run(&unzipped, script)?;
}
}
@@ -304,7 +304,7 @@ pub(crate) async fn worker(
info!("Successfully executed encrypted payload");
}
Err(e) => {
- warn!("Failed to run encrypted payload: {}", e);
+ warn!("Failed to run encrypted payload: {e}");
}
}
}
diff --git a/keylime-agent/src/permissions.rs b/keylime-agent/src/permissions.rs
index aa240d9..4b8ac9a 100644
--- a/keylime-agent/src/permissions.rs
+++ b/keylime-agent/src/permissions.rs
@@ -38,7 +38,7 @@ impl TryFrom<&str> for UserIds {
if parts.len() != 2 {
let e = format!("Invalid parameter format: {value} cannot be parsed as 'user:group'");
- error!("{}", e);
+ error!("{e}");
return Err(Error::Conversion(e));
}
@@ -50,7 +50,7 @@ impl TryFrom<&str> for UserIds {
let p = unsafe { libc::getgrnam(g_cstr.as_ptr()) };
if p.is_null() {
let e = io::Error::last_os_error();
- error!("Could not get group {}: {}", group, e);
+ error!("Could not get group {group}: {e}");
return Err(Error::Conversion(e.to_string()));
}
unsafe { (*p) }
@@ -65,7 +65,7 @@ impl TryFrom<&str> for UserIds {
let p = unsafe { libc::getpwnam(u_cstr.as_ptr()) };
if p.is_null() {
let e = io::Error::last_os_error();
- error!("Could not get user {}: {}", user, e);
+ error!("Could not get user {user}: {e}");
return Err(Error::Conversion(e.to_string()));
}
unsafe { (*p) }
@@ -91,7 +91,7 @@ pub(crate) fn run_as(user_group: &str) -> Result<()> {
// Set gid
if unsafe { libc::setgid(ids.group.gr_gid) } != 0 {
let e = io::Error::last_os_error();
- error!("Could not set group id: {}", e);
+ error!("Could not set group id: {e}");
return Err(Error::Permission);
}
@@ -127,18 +127,18 @@ pub(crate) fn run_as(user_group: &str) -> Result<()> {
if unsafe { libc::setgroups(ngroups as usize, sup_groups.as_ptr()) } != 0
{
let e = io::Error::last_os_error();
- error!("Could not set supplementary groups: {}", e);
+ error!("Could not set supplementary groups: {e}");
return Err(Error::Permission);
}
// Set uid
if unsafe { libc::setuid(ids.passwd.pw_uid) } != 0 {
let e = io::Error::last_os_error();
- error!("Could not set user id: {}", e);
+ error!("Could not set user id: {e}");
return Err(Error::Permission);
}
- info!("Dropped privileges to run as {}", user_group);
+ info!("Dropped privileges to run as {user_group}");
Ok(())
}
diff --git a/keylime-agent/src/quotes_handler.rs b/keylime-agent/src/quotes_handler.rs
index a49dcc4..d61adf2 100644
--- a/keylime-agent/src/quotes_handler.rs
+++ b/keylime-agent/src/quotes_handler.rs
@@ -95,7 +95,7 @@ async fn identity(
) {
Ok(quote) => quote,
Err(e) => {
- debug!("Unable to retrieve quote: {:?}", e);
+ debug!("Unable to retrieve quote: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -116,7 +116,7 @@ async fn identity(
match crypto::pkey_pub_to_pem(&data.pub_key) {
Ok(pubkey) => quote.pubkey = Some(pubkey),
Err(e) => {
- debug!("Unable to retrieve public key for quote: {:?}", e);
+ debug!("Unable to retrieve public key for quote: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -193,7 +193,7 @@ async fn integrity(
let pubkey = match crypto::pkey_pub_to_pem(&data.pub_key) {
Ok(pubkey) => pubkey,
Err(e) => {
- debug!("Unable to retrieve public key: {:?}", e);
+ debug!("Unable to retrieve public key: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -242,7 +242,7 @@ async fn integrity(
) {
Ok(tpm_quote) => tpm_quote,
Err(e) => {
- debug!("Unable to retrieve quote: {:?}", e);
+ debug!("Unable to retrieve quote: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -268,7 +268,7 @@ async fn integrity(
let mut ml = Vec::<u8>::new();
let mut f = measuredboot_ml_file.lock().unwrap(); //#[allow_ci]
if let Err(e) = f.rewind() {
- debug!("Failed to rewind measured boot file: {}", e);
+ debug!("Failed to rewind measured boot file: {e}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -279,14 +279,14 @@ async fn integrity(
mb_measurement_list = match f.read_to_end(&mut ml) {
Ok(_) => Some(general_purpose::STANDARD.encode(ml)),
Err(e) => {
- warn!("Could not read TPM2 event log: {}", e);
+ warn!("Could not read TPM2 event log: {e}");
None
}
};
}
}
Err(e) => {
- debug!("Unable to check PCR mask: {:?}", e);
+ debug!("Unable to check PCR mask: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -309,7 +309,7 @@ async fn integrity(
(Some(result.0), Some(result.1), Some(result.2))
}
Err(e) => {
- debug!("Unable to read measurement list: {:?}", e);
+ debug!("Unable to read measurement list: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
diff --git a/keylime-agent/src/revocation.rs b/keylime-agent/src/revocation.rs
index fae5a9c..738c12a 100644
--- a/keylime-agent/src/revocation.rs
+++ b/keylime-agent/src/revocation.rs
@@ -124,7 +124,7 @@ pub(crate) fn run_action(
allow_payload_actions,
)?;
- info!("Executing revocation action {}", action);
+ info!("Executing revocation action {action}");
// Write JSON argument to a temporary file
let raw_json = serde_json::value::to_raw_value(&json)?;
@@ -171,7 +171,7 @@ pub(crate) fn run_action(
return Err(output.try_into()?);
}
- info!("INFO: revocation action {} successful", action);
+ info!("INFO: revocation action {action} successful");
Ok(output)
}
@@ -233,7 +233,7 @@ fn run_revocation_actions(
let msg = format!(
"error executing revocation script {action}: {e:?}"
);
- error!("{}", msg);
+ error!("{msg}");
return Err(Error::Script(
action.to_string(),
e.exe_code()?,
@@ -273,8 +273,7 @@ fn process_revocation(
let msg_payload: Value = serde_json::from_str(msg)?;
debug!(
- "Revocation signature validated for revocation: {}",
- msg_payload
+ "Revocation signature validated for revocation: {msg_payload}"
);
let outputs = run_revocation_actions(
@@ -289,11 +288,11 @@ fn process_revocation(
for output in outputs {
if !output.stdout.is_empty() {
let out = String::from_utf8(output.stdout)?;
- info!("Action stdout: {}", out);
+ info!("Action stdout: {out}");
}
if !output.stderr.is_empty() {
let out = String::from_utf8(output.stderr)?;
- warn!("Action stderr: {}", out);
+ warn!("Action stderr: {out}");
}
}
Ok(())
@@ -476,7 +475,7 @@ pub(crate) async fn worker(
info!("Revocation processed successfully");
}
Err(e) => {
- error!("Failed to process revocation: {}", e);
+ error!("Failed to process revocation: {e}");
}
}
}
diff --git a/keylime-agent/src/secure_mount.rs b/keylime-agent/src/secure_mount.rs
index 573d0c9..435fdfc 100644
--- a/keylime-agent/src/secure_mount.rs
+++ b/keylime-agent/src/secure_mount.rs
@@ -47,7 +47,7 @@ fn check_mount(secure_dir: &Path) -> Result<bool> {
return Ok(true);
} else {
let message = format!("Secure storage location {} already mounted on wrong file system type: {}. Unmount to continue.", secure_dir.display(), fs_type);
- error!("Secure mount error: {}", message);
+ error!("Secure mount error: {message}");
return Err(Error::SecureMount(message));
}
} else {
@@ -65,7 +65,7 @@ fn check_mount(secure_dir: &Path) -> Result<bool> {
let message =
"Mount information parsing error: not enough elements"
.to_string();
- error!("Secure mount error: {}", message);
+ error!("Secure mount error: {message}");
return Err(Error::SecureMount(message));
}
}
@@ -96,7 +96,7 @@ pub(crate) fn mount(work_dir: &Path, secure_size: &str) -> Result<PathBuf> {
))
})?;
- info!("Directory {:?} created.", secure_dir_path);
+ info!("Directory {secure_dir_path:?} created.");
let metadata = fs::metadata(&secure_dir_path).map_err(|e| {
Error::SecureMount(format!(
"unable to get metadata for secure dir path: {e:?}"
diff --git a/keylime/src/crypto.rs b/keylime/src/crypto.rs
index 5c951b1..19e651f 100644
--- a/keylime/src/crypto.rs
+++ b/keylime/src/crypto.rs
@@ -399,14 +399,14 @@ pub fn check_x509_key(
.map_err(CryptoError::RSAGetPublicKeyError)?
.n()
.to_vec();
- let mut cert_n_str = format!("{:?}", cert_n);
+ let mut cert_n_str = format!("{cert_n:?}");
_ = cert_n_str.pop();
_ = cert_n_str.remove(0);
let key = SubjectPublicKeyInfo::try_from(tpm_key.clone())
.map_err(CryptoError::SubjectPublicKeyInfoFromRSAError)?;
let key_der = picky_asn1_der::to_vec(&key)
.map_err(CryptoError::SubjectPublicKeyInfoToDERError)?;
- let key_der_str = format!("{:?}", key_der);
+ let key_der_str = format!("{key_der:?}");
Ok(key_der_str.contains(&cert_n_str))
}
@@ -418,14 +418,14 @@ pub fn check_x509_key(
.map_err(CryptoError::RSAGetPublicKeyError)?
.n()
.to_vec();
- let mut cert_n_str = format!("{:?}", cert_n);
+ let mut cert_n_str = format!("{cert_n:?}");
_ = cert_n_str.pop();
_ = cert_n_str.remove(0);
let key = SubjectPublicKeyInfo::try_from(tpm_key.clone())
.map_err(CryptoError::SubjectPublicKeyInfoFromRSAError)?;
let key_der = picky_asn1_der::to_vec(&key)
.map_err(CryptoError::SubjectPublicKeyInfoToDERError)?;
- let key_der_str = format!("{:?}", key_der);
+ let key_der_str = format!("{key_der:?}");
Ok(key_der_str.contains(&cert_n_str))
}
@@ -437,14 +437,14 @@ pub fn check_x509_key(
.map_err(CryptoError::PublicKeyGetECCError)?
.public_key_to_der()
.map_err(CryptoError::PublicKeyToDERError)?;
- let mut cert_n_str = format!("{:?}", cert_n);
+ let mut cert_n_str = format!("{cert_n:?}");
_ = cert_n_str.pop();
_ = cert_n_str.remove(0);
let key = SubjectPublicKeyInfo::try_from(tpm_key.clone())
.map_err(CryptoError::SubjectPublicKeyInfoFromECCError)?;
let key_der = picky_asn1_der::to_vec(&key)
.map_err(CryptoError::SubjectPublicKeyInfoToDERError)?;
- let key_der_str = format!("{:?}", key_der);
+ let key_der_str = format!("{key_der:?}");
Ok(key_der_str.contains(&cert_n_str))
}
diff --git a/keylime/src/ima/entry.rs b/keylime/src/ima/entry.rs
index 1168b3c..982afa7 100644
--- a/keylime/src/ima/entry.rs
+++ b/keylime/src/ima/entry.rs
@@ -431,10 +431,9 @@ impl TryFrom<&str> for Entry {
template_hash,
event_data: Box::new(ImaBuf::try_from(event)?),
}),
- template => Err(Error::new(
- ErrorKind::Other,
- format!("unrecognized template \"{template}\"",),
- )),
+ template => Err(Error::other(format!(
+ "unrecognized template \"{template}\"",
+ ))),
}
}
}
diff --git a/keylime/src/registrar_client.rs b/keylime/src/registrar_client.rs
index dcfcd22..e036845 100644
--- a/keylime/src/registrar_client.rs
+++ b/keylime/src/registrar_client.rs
@@ -320,7 +320,7 @@ impl<'a> RegistrarClientBuilder<'a> {
// Try to reach the registrar
let addr = format!("http://{registrar_ip}:{registrar_port}/version");
- info!("Requesting registrar API version to {}", addr);
+ info!("Requesting registrar API version to {addr}");
let resp = reqwest::Client::new()
.get(&addr)
diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
index 8a8c85a..ac23720 100644
--- a/keylime/src/tpm.rs
+++ b/keylime/src/tpm.rs
@@ -1344,7 +1344,7 @@ impl Context<'_> {
let mut pcrs = read_mask(mask)?;
// add pcr16 if it isn't in the vec already
- if !pcrs.iter().any(|&pcr| pcr == PcrSlot::Slot16) {
+ if !pcrs.contains(&PcrSlot::Slot16) {
let mut slot16 = vec![PcrSlot::Slot16];
pcrs.append(&mut slot16);
}
@@ -1838,9 +1838,7 @@ fn check_if_pcr_data_and_attestation_match(
.map_err(|source| TpmError::OpenSSLHasherFinish { source })?;
log::trace!(
- "Attested to PCR digest: {:?}, read PCR digest: {:?}",
- attested_pcr,
- pcr_digest,
+ "Attested to PCR digest: {attested_pcr:?}, read PCR digest: {pcr_digest:?}",
);
Ok(memcmp::eq(attested_pcr, &pcr_digest))
@@ -1884,12 +1882,11 @@ fn perform_quote_and_pcr_read(
}
log::info!(
- "PCR data and attestation data mismatched on attempt {}",
- attempt
+ "PCR data and attestation data mismatched on attempt {attempt}"
);
}
- log::error!("PCR data and attestation data mismatched on all {} attempts, giving up", NUM_ATTESTATION_ATTEMPTS);
+ log::error!("PCR data and attestation data mismatched on all {NUM_ATTESTATION_ATTEMPTS} attempts, giving up");
Err(TpmError::TooManyAttestationMismatches {
attempts: NUM_ATTESTATION_ATTEMPTS,
})
@@ -2128,8 +2125,7 @@ pub mod testing {
// Always 1 PCR digest should follow
if count != 1 {
return Err(TpmError::InvalidRequest(format!(
- "Expected 1 PCR digest, got {}",
- count
+ "Expected 1 PCR digest, got {count}"
)));
}
--
2.47.3
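Review bot: `check_x509_key` still decides that the certificate and the TPM key match by formatting both byte vectors with `{:?}` and running a substring search over the decimal text, and the Clippy rewrite in the `keylime/src/crypto.rs` hunks carries that comparison over unchanged. Decimal text is not byte-aligned: `"1, 2, 3"` is a substring of `"[11, 2, 3]"`, so a DER encoding in which the modulus digits appear as the suffix of a larger byte would be reported as a match; with a 2048-bit modulus this is remote, but this comparison is the only thing tying the certificate to the TPM key and should be exact. Replacing the four string lines in each of the three branches with a byte-slice search, `Ok(!cert_n.is_empty() && key_der.windows(cert_n.len()).any(|w| w == cert_n.as_slice()))`, drops the formatting round-trip and the ambiguity while still tolerating the DER INTEGER's leading zero byte. `check_x509_key` begins above these hunks and the three branches are pre-existing code, not introduced by this patch.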


@ -0,0 +1,225 @@
From d55b898c645d6beeda2952cd798ebfd7f14090a4 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Wed, 17 Sep 2025 11:43:21 +0000
Subject: [PATCH 5/6] tpm: add policy auth for EK to activate crendential
Backport of upstream commit https://github.com/keylime/rust-keylime/commit/88884a5
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime/src/tpm.rs | 151 +++++++++++++++++++++++++++++++++++----------
1 file changed, 118 insertions(+), 33 deletions(-)
diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
index ac23720..5e27f3a 100644
--- a/keylime/src/tpm.rs
+++ b/keylime/src/tpm.rs
@@ -16,6 +16,9 @@ use std::{
sync::{Arc, Mutex, OnceLock},
};
use thiserror::Error;
+use tss_esapi::handles::SessionHandle;
+use tss_esapi::interface_types::session_handles::PolicySession;
+use tss_esapi::structures::{DigestList, SymmetricDefinition};
use openssl::{
hash::{Hasher, MessageDigest},
@@ -26,9 +29,7 @@ use openssl::{
use tss_esapi::{
abstraction::{
- ak,
- cipher::Cipher,
- ek,
+ ak, ek,
pcr::{read_all, PcrData},
DefaultKey,
},
@@ -40,7 +41,7 @@ use tss_esapi::{
},
handles::{
AuthHandle, KeyHandle, ObjectHandle, PcrHandle, PersistentTpmHandle,
- SessionHandle, TpmHandle,
+ TpmHandle,
},
interface_types::{
algorithm::{AsymmetricAlgorithm, HashingAlgorithm, PublicAlgorithm},
@@ -116,6 +117,47 @@ const IAK_AUTH_POLICY_SHA256: [u8; 32] = [
];
const UNIQUE_IAK: [u8; 3] = [0x49, 0x41, 0x4b];
+// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.5 Revision 2
+// Section B.6
+const POLICY_A_SHA384: [u8; 48] = [
+ 0x8b, 0xbf, 0x22, 0x66, 0x53, 0x7c, 0x17, 0x1c, 0xb5, 0x6e, 0x40, 0x3c,
+ 0x4d, 0xc1, 0xd4, 0xb6, 0x4f, 0x43, 0x26, 0x11, 0xdc, 0x38, 0x6e, 0x6f,
+ 0x53, 0x20, 0x50, 0xc3, 0x27, 0x8c, 0x93, 0x0e, 0x14, 0x3e, 0x8b, 0xb1,
+ 0x13, 0x38, 0x24, 0xcc, 0xb4, 0x31, 0x05, 0x38, 0x71, 0xc6, 0xdb, 0x53,
+];
+const POLICY_A_SHA512: [u8; 64] = [
+ 0x1e, 0x3b, 0x76, 0x50, 0x2c, 0x8a, 0x14, 0x25, 0xaa, 0x0b, 0x7b, 0x3f,
+ 0xc6, 0x46, 0xa1, 0xb0, 0xfa, 0xe0, 0x63, 0xb0, 0x3b, 0x53, 0x68, 0xf9,
+ 0xc4, 0xcd, 0xde, 0xca, 0xff, 0x08, 0x91, 0xdd, 0x68, 0x2b, 0xac, 0x1a,
+ 0x85, 0xd4, 0xd8, 0x32, 0xb7, 0x81, 0xea, 0x45, 0x19, 0x15, 0xde, 0x5f,
+ 0xc5, 0xbf, 0x0d, 0xc4, 0xa1, 0x91, 0x7c, 0xd4, 0x2f, 0xa0, 0x41, 0xe3,
+ 0xf9, 0x98, 0xe0, 0xee,
+];
+const POLICY_A_SM3_256: [u8; 32] = [
+ 0xc6, 0x7f, 0x7d, 0x35, 0xf6, 0x6f, 0x3b, 0xec, 0x13, 0xc8, 0x9f, 0xe8,
+ 0x98, 0x92, 0x1c, 0x65, 0x1b, 0x0c, 0xb5, 0xa3, 0x8a, 0x92, 0x69, 0x0a,
+ 0x62, 0xa4, 0x3c, 0x00, 0x12, 0xe4, 0xfb, 0x8b,
+];
+const POLICY_C_SHA384: [u8; 48] = [
+ 0xd6, 0x03, 0x2c, 0xe6, 0x1f, 0x2f, 0xb3, 0xc2, 0x40, 0xeb, 0x3c, 0xf6,
+ 0xa3, 0x32, 0x37, 0xef, 0x2b, 0x6a, 0x16, 0xf4, 0x29, 0x3c, 0x22, 0xb4,
+ 0x55, 0xe2, 0x61, 0xcf, 0xfd, 0x21, 0x7a, 0xd5, 0xb4, 0x94, 0x7c, 0x2d,
+ 0x73, 0xe6, 0x30, 0x05, 0xee, 0xd2, 0xdc, 0x2b, 0x35, 0x93, 0xd1, 0x65,
+];
+const POLICY_C_SHA512: [u8; 64] = [
+ 0x58, 0x9e, 0xe1, 0xe1, 0x46, 0x54, 0x47, 0x16, 0xe8, 0xde, 0xaf, 0xe6,
+ 0xdb, 0x24, 0x7b, 0x01, 0xb8, 0x1e, 0x9f, 0x9c, 0x7d, 0xd1, 0x6b, 0x81,
+ 0x4a, 0xa1, 0x59, 0x13, 0x87, 0x49, 0x10, 0x5f, 0xba, 0x53, 0x88, 0xdd,
+ 0x1d, 0xea, 0x70, 0x2f, 0x35, 0x24, 0x0c, 0x18, 0x49, 0x33, 0x12, 0x1e,
+ 0x2c, 0x61, 0xb8, 0xf5, 0x0d, 0x3e, 0xf9, 0x13, 0x93, 0xa4, 0x9a, 0x38,
+ 0xc3, 0xf7, 0x3f, 0xc8,
+];
+const POLICY_C_SM3_256: [u8; 32] = [
+ 0x2d, 0x4e, 0x81, 0x57, 0x8c, 0x35, 0x31, 0xd9, 0xbd, 0x1c, 0xdd, 0x7d,
+ 0x02, 0xba, 0x29, 0x8d, 0x56, 0x99, 0xa3, 0xe3, 0x9f, 0xc3, 0x55, 0x1b,
+ 0xfe, 0xff, 0xcf, 0x13, 0x2b, 0x49, 0xe1, 0x1d,
+];
+
/// TpmError wraps all possible errors raised in tpm.rs
#[derive(Error, Debug)]
pub enum TpmError {
@@ -1215,19 +1257,14 @@ impl Context<'_> {
/// Creates an empty authentication session
fn create_empty_session(
&mut self,
+ ctx: &mut tss_esapi::Context,
ses_type: SessionType,
+ symmetric: SymmetricDefinition,
+ hash_alg: HashingAlgorithm,
) -> Result<AuthSession> {
- let mut ctx = self.inner.lock().unwrap(); //#[allow_ci]
let Some(session) = ctx
.start_auth_session(
- None,
- None,
- None,
- ses_type,
- Cipher::aes_128_cfb().try_into().map_err(|source| {
- TpmError::TSSSymmetricDefinitionFromCipher { source }
- })?,
- HashingAlgorithm::Sha256,
+ None, None, None, ses_type, symmetric, hash_alg,
)
.map_err(|source| {
TpmError::TSSStartAuthenticationSessionError { source }
@@ -1255,35 +1292,83 @@ impl Context<'_> {
ak: KeyHandle,
ek: KeyHandle,
) -> Result<Digest> {
- let (credential, secret) = parse_cred_and_secret(keyblob)?;
-
- let ek_auth = self.create_empty_session(SessionType::Policy)?;
-
let mut ctx = self.inner.lock().unwrap(); //#[allow_ci]
- // We authorize ses2 with PolicySecret(ENDORSEMENT) as per PolicyA
- let _ = ctx.execute_with_nullauth_session(|context| {
- context.policy_secret(
- ek_auth.try_into()?,
- AuthHandle::Endorsement,
- Default::default(),
- Default::default(),
- Default::default(),
- None,
- )
- })?;
+ let (credential, secret) = parse_cred_and_secret(keyblob)?;
+ let mut policy_digests = DigestList::new();
+ let (parent_public, _, _) = ctx.read_public(ek)?;
+ let ek_hash_alg = parent_public.name_hashing_algorithm();
+ let ek_symmetric =
+ parent_public.symmetric_algorithm().ok_or_else(|| {
+ TpmError::TSSReadPublicError {
+ source: tss_esapi::Error::WrapperError(
+ tss_esapi::WrapperErrorKind::InvalidParam,
+ ),
+ }
+ })?;
+ match ek_hash_alg {
+ HashingAlgorithm::Sha384 => {
+ policy_digests
+ .add(Digest::try_from(POLICY_A_SHA384.as_slice())?)?;
+ policy_digests
+ .add(Digest::try_from(POLICY_C_SHA384.as_slice())?)?;
+ }
+ HashingAlgorithm::Sha512 => {
+ policy_digests
+ .add(Digest::try_from(POLICY_A_SHA512.as_slice())?)?;
+ policy_digests
+ .add(Digest::try_from(POLICY_C_SHA512.as_slice())?)?;
+ }
+ HashingAlgorithm::Sm3_256 => {
+ policy_digests
+ .add(Digest::try_from(POLICY_A_SM3_256.as_slice())?)?;
+ policy_digests
+ .add(Digest::try_from(POLICY_C_SM3_256.as_slice())?)?;
+ }
+ _ => (),
+ };
+
+ let ek_auth = self.create_empty_session(
+ &mut ctx,
+ SessionType::Policy,
+ ek_symmetric.into(),
+ ek_hash_alg,
+ )?;
+ // We authorize session according to the EK profile spec
let result = ctx
- .execute_with_sessions(
- (Some(AuthSession::Password), Some(ek_auth), None),
- |context| {
- context.activate_credential(ak, ek, credential, secret)
+ .execute_with_temporary_object(
+ SessionHandle::from(ek_auth).into(),
+ |ctx, _| {
+ let _ = ctx.execute_with_nullauth_session(|ctx| {
+ ctx.policy_secret(
+ PolicySession::try_from(ek_auth)?,
+ AuthHandle::Endorsement,
+ Default::default(),
+ Default::default(),
+ Default::default(),
+ None,
+ )
+ })?;
+ if !policy_digests.is_empty() {
+ ctx.policy_or(
+ PolicySession::try_from(ek_auth)?,
+ policy_digests,
+ )?
+ }
+ ctx.execute_with_sessions(
+ (Some(AuthSession::Password), Some(ek_auth), None),
+ |ctx| {
+ ctx.activate_credential(
+ ak, ek, credential, secret,
+ )
+ },
+ )
},
)
.map_err(TpmError::from);
// Clear sessions after use
- ctx.flush_context(SessionHandle::from(ek_auth).into())?;
ctx.clear_sessions();
result
--
2.47.3
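Review bot: The `_ => ()` arm in the `match ek_hash_alg` leaves `policy_digests` empty for every EK name algorithm not listed, so for a SHA-256-named EK the session is authorized by PolicySecret(ENDORSEMENT) alone and the PolicyOR step is skipped silently. That is right for an EK whose authPolicy is PolicyA, but if the EK was created from a template that uses the OR policy with a SHA-256 name hash (the B.6 table the constants cite appears to define SHA-256 values that this hunk does not carry — worth confirming against the spec rather than this patch), `activate_credential` would fail with an opaque TPM policy error that points nowhere near the missing digests; at minimum make the fallback visible, `_ => log::debug!("no PolicyOR digests for EK name alg {ek_hash_alg:?}; using PolicySecret only")`. Separately, the `ok_or_else` after `symmetric_algorithm()` reports a missing symmetric definition as `TSSReadPublicError` wrapping `InvalidParam`, which sends whoever debugs it to the wrong call; an error that names the EK's missing symmetric algorithm would be clearer. The enclosing `activate_credential` signature begins above the hunk.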


@ -0,0 +1,28 @@
From 2542812cf92ef35c71734694599dfb3aab9fdabd Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Wed, 17 Sep 2025 12:45:54 +0100
Subject: [PATCH 6/6] keylime-agent.conf: add all accepted TPM encryption algs
Backported from upstream commit https://github.com/keylime/rust-keylime/commit/a99bb40
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime-agent.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keylime-agent.conf b/keylime-agent.conf
index 71f6096..7669604 100644
--- a/keylime-agent.conf
+++ b/keylime-agent.conf
@@ -217,7 +217,7 @@ allow_payload_revocation_actions = true
#
# Currently accepted values include:
# - hashing: sha512, sha384, sha256 or sha1
-# - encryption: ecc or rsa
+# - encryption: rsa (alias for rsa2048), rsa1024, rsa2048, rsa3072, rsa4096, ecc (alias for ecc256), ecc192, ecc224, ecc256, ecc384, ecc521 or ecc_sm2.
# - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr
#
# To override tpm_hash_alg, set KEYLIME_AGENT_TPM_HASH_ALG environment variable.
--
2.47.3
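Review bot: The new comment line in `keylime-agent.conf` lists `rsa1024`, `ecc192` and `ecc224` as accepted `tpm_encryption_alg` values with no caveat, so an operator reading the file gets no hint that choosing them gives a weaker attestation key than the `rsa2048`/`ecc256` defaults. Whether the agent or the verifier rejects them elsewhere is not visible in this hunk, so the config comment is the place to say it, for example by appending `# Note: rsa1024, ecc192 and ecc224 are accepted but offer less security margin than rsa2048/ecc256; prefer the latter or stronger.`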


@ -0,0 +1,106 @@
From 9b90f051cddce7c62b7b2fb6f6349f8db9bcabb5 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 6 Oct 2025 14:37:29 +0000
Subject: [PATCH 7/7] Fix ECC/RSA algorithm selection and reporting for keylime
agent
Backport of upstream PRs:
- https://github.com/keylime/rust-keylime/pull/1132
- https://github.com/keylime/rust-keylime/pull/1134
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime-agent/src/agent_handler.rs | 2 +-
keylime-agent/src/quotes_handler.rs | 6 +++---
keylime/src/algorithms.rs | 4 ++--
keylime/src/tpm.rs | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/keylime-agent/src/agent_handler.rs b/keylime-agent/src/agent_handler.rs
index 13bcc37..ec7f8ed 100644
--- a/keylime-agent/src/agent_handler.rs
+++ b/keylime-agent/src/agent_handler.rs
@@ -109,7 +109,7 @@ mod tests {
let result: JsonWrapper<AgentInfo> = test::read_body_json(resp).await;
assert_eq!(result.results.agent_uuid.as_str(), "DEADBEEF");
assert_eq!(result.results.tpm_hash_alg.as_str(), "sha256");
- assert_eq!(result.results.tpm_enc_alg.as_str(), "rsa");
+ assert_eq!(result.results.tpm_enc_alg.as_str(), "rsa2048");
assert_eq!(result.results.tpm_sign_alg.as_str(), "rsassa");
// Explicitly drop QuoteData to cleanup keys
diff --git a/keylime-agent/src/quotes_handler.rs b/keylime-agent/src/quotes_handler.rs
index d61adf2..bc0ddaa 100644
--- a/keylime-agent/src/quotes_handler.rs
+++ b/keylime-agent/src/quotes_handler.rs
@@ -405,7 +405,7 @@ mod tests {
let result: JsonWrapper<KeylimeQuote> =
test::read_body_json(resp).await;
assert_eq!(result.results.hash_alg.as_str(), "sha256");
- assert_eq!(result.results.enc_alg.as_str(), "rsa");
+ assert_eq!(result.results.enc_alg.as_str(), "rsa2048");
assert_eq!(result.results.sign_alg.as_str(), "rsassa");
assert!(
pkey_pub_from_pem(&result.results.pubkey.unwrap()) //#[allow_ci]
@@ -451,7 +451,7 @@ mod tests {
let result: JsonWrapper<KeylimeQuote> =
test::read_body_json(resp).await;
assert_eq!(result.results.hash_alg.as_str(), "sha256");
- assert_eq!(result.results.enc_alg.as_str(), "rsa");
+ assert_eq!(result.results.enc_alg.as_str(), "rsa2048");
assert_eq!(result.results.sign_alg.as_str(), "rsassa");
assert!(
pkey_pub_from_pem(&result.results.pubkey.unwrap()) //#[allow_ci]
@@ -513,7 +513,7 @@ mod tests {
let result: JsonWrapper<KeylimeQuote> =
test::read_body_json(resp).await;
assert_eq!(result.results.hash_alg.as_str(), "sha256");
- assert_eq!(result.results.enc_alg.as_str(), "rsa");
+ assert_eq!(result.results.enc_alg.as_str(), "rsa2048");
assert_eq!(result.results.sign_alg.as_str(), "rsassa");
if let Some(ima_mutex) = &quotedata.ima_ml_file {
diff --git a/keylime/src/algorithms.rs b/keylime/src/algorithms.rs
index cda8966..4b4205a 100644
--- a/keylime/src/algorithms.rs
+++ b/keylime/src/algorithms.rs
@@ -195,12 +195,12 @@ impl fmt::Display for EncryptionAlgorithm {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let value = match self {
EncryptionAlgorithm::Rsa1024 => "rsa1024",
- EncryptionAlgorithm::Rsa2048 => "rsa", /* for backwards compatibility */
+ EncryptionAlgorithm::Rsa2048 => "rsa2048",
EncryptionAlgorithm::Rsa3072 => "rsa3072",
EncryptionAlgorithm::Rsa4096 => "rsa4096",
EncryptionAlgorithm::Ecc192 => "ecc192",
EncryptionAlgorithm::Ecc224 => "ecc224",
- EncryptionAlgorithm::Ecc256 => "ecc", /* for backwards compatibility */
+ EncryptionAlgorithm::Ecc256 => "ecc256",
EncryptionAlgorithm::Ecc384 => "ecc384",
EncryptionAlgorithm::Ecc521 => "ecc521",
EncryptionAlgorithm::EccSm2 => "ecc_sm2",
diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
index 5e27f3a..f907aca 100644
--- a/keylime/src/tpm.rs
+++ b/keylime/src/tpm.rs
@@ -31,7 +31,7 @@ use tss_esapi::{
abstraction::{
ak, ek,
pcr::{read_all, PcrData},
- DefaultKey,
+ AsymmetricAlgorithmSelection, DefaultKey,
},
attributes::{
object::ObjectAttributesBuilder, session::SessionAttributesBuilder,
@@ -682,7 +682,7 @@ impl Context<'_> {
&mut self.inner.lock().unwrap(), //#[allow_ci]
handle,
hash_alg.into(),
- key_alg.into(),
+ Into::<AsymmetricAlgorithmSelection>::into(key_alg),
sign_alg.into(),
None,
DefaultKey,
--
2.47.3
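Review bot: The `Display` change in `keylime/src/algorithms.rs` drops the `"rsa"` and `"ecc"` spellings that the removed comments marked as kept for backwards compatibility, so the `enc_alg`/`tpm_enc_alg` strings the agent reports change on the wire, as the updated tests in `quotes_handler.rs` and `agent_handler.rs` now expecting `"rsa2048"` show. Whether the verifier and registrar this package is paired with accept `"rsa2048"`/`"ecc256"` is not visible here; if an older verifier compares the string literally against `"rsa"`, attestation would fail after this backport. The patch description should state the dependency explicitly, e.g. `Requires a verifier that accepts the explicit rsa2048/ecc256 algorithm names (see upstream PRs #1132 and #1134).`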

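--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# keylime-agent-rust
+The keylime-agent-rust package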


@ -1,29 +0,0 @@
--- a/keylime-agent/Cargo.toml 2025-02-07 17:53:24.436876268 +0100
+++ b/keylime-agent/Cargo.toml 2025-02-07 17:54:06.501697761 +0100
@@ -34,11 +34,6 @@
tss-esapi = {version = "7.2.0", features = ["generate-bindings"]}
thiserror = "1.0"
uuid = {version = "1.3", features = ["v4"]}
-zmq = {version = "0.9.2", optional = true}
-# wiremock was moved to be a regular dependency because optional
-# dev-dependencies are not supported
-# see: https://github.com/rust-lang/cargo/issues/1596
-wiremock = {version = "0.5", optional = true}
[dev-dependencies]
actix-rt = "2"
@@ -47,12 +42,12 @@
# The features enabled by default
default = []
# this should change to dev-dependencies when we have integration testing
-testing = ["wiremock"]
+testing = []
# Whether the agent should be compiled with support to listen for notification
# messages on ZeroMQ
#
# This feature is deprecated and will be removed on next major release
-with-zmq = ["zmq"]
+with-zmq = []
# Whether the agent should be compiled with support for python revocation
# actions loaded as modules, which is the only kind supported by the python
# agent (unless the enhancement-55 is implemented). See:


@ -1,91 +0,0 @@
diff --git a/keylime-agent/src/crypto.rs b/keylime-agent/src/crypto.rs
index 8ec3449..aeebe34 100644
--- a/keylime-agent/src/crypto.rs
+++ b/keylime-agent/src/crypto.rs
@@ -111,7 +111,7 @@ pub(crate) fn write_key_pair(
_ = file.write(&key.private_key_to_pem_pkcs8()?)?;
} else {
_ = file.write(&key.private_key_to_pem_pkcs8_passphrase(
- openssl::symm::Cipher::aes_256_cbc(),
+ Cipher::aes_256_cbc(),
pw.as_bytes(),
)?)?;
}
diff --git a/keylime-agent/src/errors_handler.rs b/keylime-agent/src/errors_handler.rs
index b0fa4c2..d3722d0 100644
--- a/keylime-agent/src/errors_handler.rs
+++ b/keylime-agent/src/errors_handler.rs
@@ -379,7 +379,7 @@ mod tests {
let mut app = test::init_service(
App::new()
.wrap(
- middleware::ErrorHandlers::new()
+ ErrorHandlers::new()
.handler(http::StatusCode::NOT_FOUND, wrap_404),
)
.app_data(
diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
index a17e3cb..beef809 100644
--- a/keylime-agent/src/main.rs
+++ b/keylime-agent/src/main.rs
@@ -10,7 +10,6 @@
overflowing_literals,
path_statements,
patterns_in_fns_without_body,
- private_in_public,
unconditional_recursion,
unused,
while_true,
diff --git a/keylime-agent/src/payloads.rs b/keylime-agent/src/payloads.rs
index e190e3a..fc58c43 100644
--- a/keylime-agent/src/payloads.rs
+++ b/keylime-agent/src/payloads.rs
@@ -221,7 +221,7 @@ async fn run_encrypted_payload(
let action_file = unzipped.join("action_list");
if action_file.exists() {
- let action_data = std::fs::read_to_string(&action_file)
+ let action_data = fs::read_to_string(&action_file)
.expect("unable to read action_list");
action_data
diff --git a/keylime-agent/src/revocation.rs b/keylime-agent/src/revocation.rs
index 025a929..51edcea 100644
--- a/keylime-agent/src/revocation.rs
+++ b/keylime-agent/src/revocation.rs
@@ -203,7 +203,7 @@ fn run_revocation_actions(
let action_file = unzipped.join("action_list");
if action_file.exists() {
- action_data = std::fs::read_to_string(&action_file)
+ action_data = fs::read_to_string(&action_file)
.expect("unable to read action_list");
let file_actions = parse_list(&action_data)?;
@@ -529,7 +529,7 @@ mod tests {
env!("CARGO_MANIFEST_DIR"),
"/tests/unzipped/test_ok.json"
);
- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci]
+ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci]
let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci]
let actions_dir =
&Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/");
@@ -568,7 +568,7 @@ mod tests {
env!("CARGO_MANIFEST_DIR"),
"/tests/unzipped/test_err.json"
);
- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci]
+ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci]
let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci]
let actions_dir =
&Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/");
@@ -603,7 +603,7 @@ mod tests {
let revocation_actions = "local_action_stand_alone.py, local_action_rev_script1.py";
}
}
- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci]
+ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci]
let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci]
let actions_dir =
&Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/");


@ -1,635 +0,0 @@
diff --git a/Cargo.lock b/tmp/Cargo.lock
index b91be43..6642d88 100644
--- a/Cargo.lock
+++ b/tmp/Cargo.lock
@@ -1,6 +1,6 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
-version = 3
+version = 4
[[package]]
name = "actix-codec"
@@ -8,7 +8,7 @@ version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "57a7559404a7f3573127aab53c08ce37a6c6a315c374a31070f3c91cd1b4a7fe"
dependencies = [
- "bitflags",
+ "bitflags 1.3.2",
"bytes",
"futures-core",
"futures-sink",
@@ -32,7 +32,7 @@ dependencies = [
"actix-utils",
"ahash 0.8.3",
"base64 0.21.0",
- "bitflags",
+ "bitflags 1.3.2",
"bytes",
"bytestring",
"derive_more",
@@ -48,7 +48,7 @@ dependencies = [
"mime",
"percent-encoding",
"pin-project-lite",
- "rand 0.8.5",
+ "rand",
"sha1",
"smallvec",
"tokio",
@@ -206,7 +206,7 @@ version = "0.7.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fcb51a0695d8f838b1ee009b3fbf66bda078cd64590202a864a8f3e8c4315c47"
dependencies = [
- "getrandom 0.2.7",
+ "getrandom",
"once_cell",
"version_check",
]
@@ -218,7 +218,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2c99f64d1e06488f620f932677e24bc6e2897582980441ae90a671415bd7ec2f"
dependencies = [
"cfg-if",
- "getrandom 0.2.7",
+ "getrandom",
"once_cell",
"version_check",
]
@@ -281,33 +281,6 @@ dependencies = [
"windows-sys 0.48.0",
]
-[[package]]
-name = "anyhow"
-version = "1.0.65"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "98161a4e3e2184da77bb14f02184cdd111e83bbbcc9979dfee3c44b9a85f5602"
-
-[[package]]
-name = "assert-json-diff"
-version = "2.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47e4f2b81832e72834d7518d8487a0396a28cc408186a2e8854c0f98011faf12"
-dependencies = [
- "serde",
- "serde_json",
-]
-
-[[package]]
-name = "async-channel"
-version = "1.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e14485364214912d3b19cc3435dde4df66065127f05fa0d75c712f36f12c2f28"
-dependencies = [
- "concurrent-queue",
- "event-listener",
- "futures-core",
-]
-
[[package]]
name = "async-trait"
version = "0.1.57"
@@ -354,7 +327,7 @@ version = "0.63.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "36d860121800b2a9a94f9b5604b332d5cffb234ce17609ea479d723dbc9d3885"
dependencies = [
- "bitflags",
+ "bitflags 1.3.2",
"cexpr",
"clang-sys",
"lazy_static",
@@ -382,6 +355,12 @@ version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+[[package]]
+name = "bitflags"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f68f53c83ab957f72c32642f3868eec03eb974d1fb82e453128456482613d36"
+
[[package]]
name = "block-buffer"
version = "0.10.3"
@@ -412,12 +391,6 @@ dependencies = [
"bytes",
]
-[[package]]
-name = "cache-padded"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1db59621ec70f09c5e9b597b220c7a2b43611f4710dc03ceb8748637775692c"
-
[[package]]
name = "cc"
version = "1.0.73"
@@ -509,15 +482,6 @@ dependencies = [
"vcpkg",
]
-[[package]]
-name = "concurrent-queue"
-version = "1.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "af4780a44ab5696ea9e28294517f1fffb421a83a25af521333c838635509db9c"
-dependencies = [
- "cache-padded",
-]
-
[[package]]
name = "config"
version = "0.13.3"
@@ -529,7 +493,7 @@ dependencies = [
"nom",
"pathdiff",
"serde",
- "toml 0.5.9",
+ "toml",
]
[[package]]
@@ -557,25 +521,6 @@ dependencies = [
"typenum",
]
-[[package]]
-name = "deadpool"
-version = "0.9.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "421fe0f90f2ab22016f32a9881be5134fdd71c65298917084b0c7477cbc3856e"
-dependencies = [
- "async-trait",
- "deadpool-runtime",
- "num_cpus",
- "retain_mut",
- "tokio",
-]
-
-[[package]]
-name = "deadpool-runtime"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eaa37046cc0f6c3cc6090fbdbf73ef0b8ef4cfcc37f6befc0020f63e8cf121e1"
-
[[package]]
name = "derive_more"
version = "0.99.17"
@@ -668,18 +613,6 @@ dependencies = [
"libc",
]
-[[package]]
-name = "error-chain"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9435d864e017c3c6afeac1654189b06cdb491cf2ff73dbf0d73b0f292f42ff8"
-
-[[package]]
-name = "event-listener"
-version = "2.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
-
[[package]]
name = "fastrand"
version = "1.8.0"
@@ -767,21 +700,6 @@ version = "0.3.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "89d422fa3cbe3b40dca574ab087abb5bc98258ea57eea3fd6f1fa7162c778b91"
-[[package]]
-name = "futures-lite"
-version = "1.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7694489acd39452c77daa48516b894c153f192c3578d5a839b62c58099fcbf48"
-dependencies = [
- "fastrand",
- "futures-core",
- "futures-io",
- "memchr",
- "parking",
- "pin-project-lite",
- "waker-fn",
-]
-
[[package]]
name = "futures-macro"
version = "0.3.27"
@@ -805,12 +723,6 @@ version = "0.3.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fd65540d33b37b16542a0438c12e6aeead10d4ac5d05bd3f805b8f35ab592879"
-[[package]]
-name = "futures-timer"
-version = "3.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e64b03909df88034c26dc1547e8970b91f98bdb65165d6a4e9110d94263dbb2c"
-
[[package]]
name = "futures-util"
version = "0.3.27"
@@ -839,17 +751,6 @@ dependencies = [
"version_check",
]
-[[package]]
-name = "getrandom"
-version = "0.1.16"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fc3cb4d91f53b50155bdcfd23f6a4c39ae1969c2ae85982b135750cccaf5fce"
-dependencies = [
- "cfg-if",
- "libc",
- "wasi 0.9.0+wasi-snapshot-preview1",
-]
-
[[package]]
name = "getrandom"
version = "0.2.7"
@@ -858,7 +759,7 @@ checksum = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6"
dependencies = [
"cfg-if",
"libc",
- "wasi 0.11.0+wasi-snapshot-preview1",
+ "wasi",
]
[[package]]
@@ -947,27 +848,6 @@ dependencies = [
"pin-project-lite",
]
-[[package]]
-name = "http-types"
-version = "2.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e9b187a72d63adbfba487f48095306ac823049cb504ee195541e91c7775f5ad"
-dependencies = [
- "anyhow",
- "async-channel",
- "base64 0.13.1",
- "futures-lite",
- "http",
- "infer",
- "pin-project-lite",
- "rand 0.7.3",
- "serde",
- "serde_json",
- "serde_qs",
- "serde_urlencoded",
- "url",
-]
-
[[package]]
name = "httparse"
version = "1.8.0"
@@ -1033,12 +913,6 @@ dependencies = [
"hashbrown",
]
-[[package]]
-name = "infer"
-version = "0.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "64e9829a50b42bb782c1df523f78d332fe371b10c661e78b7a3c34b0198e9fac"
-
[[package]]
name = "instant"
version = "0.1.12"
@@ -1141,8 +1015,6 @@ dependencies = [
"tokio",
"tss-esapi",
"uuid",
- "wiremock",
- "zmq",
]
[[package]]
@@ -1253,17 +1125,6 @@ version = "2.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
-[[package]]
-name = "metadeps"
-version = "1.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "73b122901b3a675fac8cecf68dcb2f0d3036193bc861d1ac0e1c337f7d5254c2"
-dependencies = [
- "error-chain",
- "pkg-config",
- "toml 0.2.1",
-]
-
[[package]]
name = "mime"
version = "0.3.16"
@@ -1284,7 +1145,7 @@ checksum = "57ee1c23c7c63b0c9250c339ffdc69255f110b298b901b9f6c82547b7b87caaf"
dependencies = [
"libc",
"log",
- "wasi 0.11.0+wasi-snapshot-preview1",
+ "wasi",
"windows-sys 0.36.1",
]
@@ -1354,11 +1215,11 @@ checksum = "e82dad04139b71a90c080c8463fe0dc7902db5192d939bd0950f074d014339e1"
[[package]]
name = "openssl"
-version = "0.10.55"
+version = "0.10.70"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "345df152bc43501c5eb9e4654ff05f794effb78d4efe3d53abc158baddc0703d"
+checksum = "61cfb4e166a8bb8c9b55c500bc2308550148ece889be90f609377e58140f42c6"
dependencies = [
- "bitflags",
+ "bitflags 2.8.0",
"cfg-if",
"foreign-types",
"libc",
@@ -1369,20 +1230,20 @@ dependencies = [
[[package]]
name = "openssl-macros"
-version = "0.1.0"
+version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
dependencies = [
"proc-macro2",
"quote",
- "syn 1.0.100",
+ "syn 2.0.25",
]
[[package]]
name = "openssl-sys"
-version = "0.9.90"
+version = "0.9.105"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "374533b0e45f3a7ced10fcaeccca020e66656bc03dac384f852e4e5a7a8104a6"
+checksum = "8b22d5b84be05a8d6947c7cb71f7c849aa0f112acd4bf51c2a7c1c988ac0a9dc"
dependencies = [
"cc",
"libc",
@@ -1390,12 +1251,6 @@ dependencies = [
"vcpkg",
]
-[[package]]
-name = "parking"
-version = "2.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "427c3892f9e783d91cc128285287e70a59e206ca452770ece88a76f7a3eddd72"
-
[[package]]
name = "parking_lot"
version = "0.12.1"
@@ -1602,19 +1457,6 @@ dependencies = [
"proc-macro2",
]
-[[package]]
-name = "rand"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03"
-dependencies = [
- "getrandom 0.1.16",
- "libc",
- "rand_chacha 0.2.2",
- "rand_core 0.5.1",
- "rand_hc",
-]
-
[[package]]
name = "rand"
version = "0.8.5"
@@ -1622,18 +1464,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
dependencies = [
"libc",
- "rand_chacha 0.3.1",
- "rand_core 0.6.4",
-]
-
-[[package]]
-name = "rand_chacha"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402"
-dependencies = [
- "ppv-lite86",
- "rand_core 0.5.1",
+ "rand_chacha",
+ "rand_core",
]
[[package]]
@@ -1643,16 +1475,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
dependencies = [
"ppv-lite86",
- "rand_core 0.6.4",
-]
-
-[[package]]
-name = "rand_core"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
-dependencies = [
- "getrandom 0.1.16",
+ "rand_core",
]
[[package]]
@@ -1661,16 +1484,7 @@ version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
dependencies = [
- "getrandom 0.2.7",
-]
-
-[[package]]
-name = "rand_hc"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c"
-dependencies = [
- "rand_core 0.5.1",
+ "getrandom",
]
[[package]]
@@ -1679,7 +1493,7 @@ version = "0.2.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
dependencies = [
- "bitflags",
+ "bitflags 1.3.2",
]
[[package]]
@@ -1688,7 +1502,7 @@ version = "0.3.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29"
dependencies = [
- "bitflags",
+ "bitflags 1.3.2",
]
[[package]]
@@ -1742,12 +1556,6 @@ dependencies = [
"winreg",
]
-[[package]]
-name = "retain_mut"
-version = "0.1.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4389f1d5789befaf6029ebd9f7dac4af7f7e3d61b69d4f30e2ac02b57e7712b0"
-
[[package]]
name = "rustc-hash"
version = "1.1.0"
@@ -1778,7 +1586,7 @@ version = "0.37.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85597d61f83914ddeba6a47b3b8ffe7365107221c2e557ed94426489fefb5f77"
dependencies = [
- "bitflags",
+ "bitflags 1.3.2",
"errno",
"io-lifetimes",
"libc",
@@ -1862,17 +1670,6 @@ dependencies = [
"serde",
]
-[[package]]
-name = "serde_qs"
-version = "0.8.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7715380eec75f029a4ef7de39a9200e0a63823176b759d055b613f5a87df6a6"
-dependencies = [
- "percent-encoding",
- "serde",
- "thiserror",
-]
-
[[package]]
name = "serde_urlencoded"
version = "0.7.1"
@@ -2139,12 +1936,6 @@ dependencies = [
"tracing",
]
-[[package]]
-name = "toml"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "736b60249cb25337bc196faa43ee12c705e426f3d55c214d73a4e7be06f92cb4"
-
[[package]]
name = "toml"
version = "0.5.9"
@@ -2268,7 +2059,6 @@ dependencies = [
"form_urlencoded",
"idna",
"percent-encoding",
- "serde",
]
[[package]]
@@ -2283,7 +2073,7 @@ version = "1.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b55a3fef2a1e3b3a00ce878640918820d3c51081576ac657d23af9fc7928fdb"
dependencies = [
- "getrandom 0.2.7",
+ "getrandom",
]
[[package]]
@@ -2298,12 +2088,6 @@ version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
-[[package]]
-name = "waker-fn"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d5b2c62b4012a3e1eca5a7e077d13b3bf498c4073e33ccd58626607748ceeca"
-
[[package]]
name = "want"
version = "0.3.0"
@@ -2314,12 +2098,6 @@ dependencies = [
"try-lock",
]
-[[package]]
-name = "wasi"
-version = "0.9.0+wasi-snapshot-preview1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
-
[[package]]
name = "wasi"
version = "0.11.0+wasi-snapshot-preview1"
@@ -2562,28 +2340,6 @@ dependencies = [
"winapi",
]
-[[package]]
-name = "wiremock"
-version = "0.5.18"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd7b0b5b253ebc0240d6aac6dd671c495c467420577bf634d3064ae7e6fa2b4c"
-dependencies = [
- "assert-json-diff",
- "async-trait",
- "base64 0.21.0",
- "deadpool",
- "futures",
- "futures-timer",
- "http-types",
- "hyper",
- "log",
- "once_cell",
- "regex",
- "serde",
- "serde_json",
- "tokio",
-]
-
[[package]]
name = "zeroize"
version = "1.5.7"
@@ -2604,25 +2360,3 @@ dependencies = [
"syn 1.0.100",
"synstructure",
]
-
-[[package]]
-name = "zmq"
-version = "0.9.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aad98a7a617d608cd9e1127147f630d24af07c7cd95ba1533246d96cbdd76c66"
-dependencies = [
- "bitflags",
- "libc",
- "log",
- "zmq-sys",
-]
-
-[[package]]
-name = "zmq-sys"
-version = "0.11.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d33a2c51dde24d5b451a2ed4b488266df221a5eaee2ee519933dc46b9a9b3648"
-dependencies = [
- "libc",
- "metadeps",
-]


@ -1,397 +0,0 @@
# keylime-agent-rust.spec
# Generated by rust2rpm 20
%bcond_without check
%global crate keylime_agent
# RHEL: Use bundled deps as it doesn't ship Rust libraries
%global bundled_rust_deps 1
Name: keylime-agent-rust
Version: 0.2.2
Release: 2%{?dist}
Summary: Rust agent for Keylime
# Upstream license specification: Apache-2.0
#
# The build dependencies have the following licenses:
#
# 0BSD or MIT or ASL 2.0
# ASL 2.0
# ASL 2.0 or Boost
# ASL 2.0 or MIT
# ASL 2.0 with exceptions
# BSD
# MIT
# MIT or ASL 2.0
# MIT or ASL 2.0 or zlib
# MIT or zlib or ASL 2.0
# Unlicense or MIT
# zlib or ASL 2.0 or MIT
#
License: ASL 2.0 and BSD and MIT
URL: https://github.com/keylime/rust-keylime/
# The source tarball is downloaded using the following commands:
# spectool -g keylime-agent-rust.spec
Source0: %{url}/archive/refs/tags/v%{version}.tar.gz
# The vendor tarball is created using cargo-vendor-filterer to remove Windows
# related files (https://github.com/cgwalters/cargo-vendor-filterer)
# tar xf rust-keylime-%%{version}.tar.gz
# cd rust-keylime-%%{version}
# cargo vendor-filterer --platform x86_64-unknown-linux-gnu \
# --platform powerpc64le-unknown-linux-gnu \
# --platform aarch64-unknown-linux-gnu \
# --platform i686-unknown-linux-gnu \
# --platform s390x-unknown-linux-gnu \
# --exclude-crate-path "libloading#tests"
# tar jcf rust-keylime-%%{version}-vendor.tar.xz vendor
Source1: rust-keylime-%{version}-vendor.tar.xz
# Drop dependencies and adjust the features
Patch0: rust-keylime-adjust-features.patch
# Update openssl to version 0.10.70 to fix CVE-2025-24898
Patch1: rust-keylime-openssl-0.10.70.patch
# Fix unnecessary qualification warnings
Patch2: rust-keylime-fix-unnecessary-qualifications.patch
ExclusiveArch: %{rust_arches}
Requires: tpm2-tss
# The keylime-base package provides the configuration file from the python
# implementation which ca be used for the rust implementation. It is available
# from Fedora 36
Requires: keylime-base
Requires: util-linux-core
BuildRequires: systemd
BuildRequires: openssl-devel
BuildRequires: libarchive-devel
BuildRequires: tpm2-tss-devel
BuildRequires: rust-toolset
BuildRequires: clang
# Virtual Provides to support swapping between Python and Rust implementation
Provides: keylime-agent
Conflicts: keylime-agent
Provides: bundled(crate(actix-codec)) = 0.5.0
Provides: bundled(crate(actix-http)) = 3.3.1
Provides: bundled(crate(actix-macros)) = 0.2.3
Provides: bundled(crate(actix-router)) = 0.5.1
Provides: bundled(crate(actix-rt)) = 2.8.0
Provides: bundled(crate(actix-server)) = 2.1.1
Provides: bundled(crate(actix-service)) = 2.0.2
Provides: bundled(crate(actix-tls)) = 3.0.3
Provides: bundled(crate(actix-utils)) = 3.0.0
Provides: bundled(crate(actix-web)) = 4.3.1
Provides: bundled(crate(actix-web-codegen)) = 4.2.0
Provides: bundled(crate(ahash)) = 0.7.6
Provides: bundled(crate(ahash)) = 0.8.3
Provides: bundled(crate(aho-corasick)) = 0.7.19
Provides: bundled(crate(anstream)) = 0.3.2
Provides: bundled(crate(anstyle)) = 1.0.1
Provides: bundled(crate(anstyle-parse)) = 0.2.1
Provides: bundled(crate(anstyle-query)) = 1.0.0
Provides: bundled(crate(async-trait)) = 0.1.57
Provides: bundled(crate(atty)) = 0.2.14
Provides: bundled(crate(autocfg)) = 1.1.0
Provides: bundled(crate(base64)) = 0.13.1
Provides: bundled(crate(base64)) = 0.21.0
Provides: bundled(crate(bindgen)) = 0.63.0
Provides: bundled(crate(bitfield)) = 0.13.2
Provides: bundled(crate(bitflags)) = 1.3.2
Provides: bundled(crate(bitflags)) = 2.8.0
Provides: bundled(crate(block-buffer)) = 0.10.3
Provides: bundled(crate(bytes)) = 1.2.1
Provides: bundled(crate(bytestring)) = 1.1.0
Provides: bundled(crate(cc)) = 1.0.73
Provides: bundled(crate(cexpr)) = 0.6.0
Provides: bundled(crate(cfg-if)) = 1.0.0
Provides: bundled(crate(clang-sys)) = 1.4.0
Provides: bundled(crate(clap)) = 4.3.11
Provides: bundled(crate(clap_builder)) = 4.3.11
Provides: bundled(crate(clap_derive)) = 4.3.2
Provides: bundled(crate(clap_lex)) = 0.5.0
Provides: bundled(crate(colorchoice)) = 1.0.0
Provides: bundled(crate(compress-tools)) = 0.12.4
Provides: bundled(crate(config)) = 0.13.3
Provides: bundled(crate(convert_case)) = 0.4.0
Provides: bundled(crate(cpufeatures)) = 0.2.5
Provides: bundled(crate(crypto-common)) = 0.1.6
Provides: bundled(crate(derive_more)) = 0.99.17
Provides: bundled(crate(digest)) = 0.10.5
Provides: bundled(crate(either)) = 1.8.0
Provides: bundled(crate(encoding_rs)) = 0.8.31
Provides: bundled(crate(enumflags2)) = 0.7.7
Provides: bundled(crate(enumflags2_derive)) = 0.7.7
Provides: bundled(crate(env_logger)) = 0.7.1
Provides: bundled(crate(errno)) = 0.3.1
Provides: bundled(crate(fastrand)) = 1.8.0
Provides: bundled(crate(fnv)) = 1.0.7
Provides: bundled(crate(foreign-types)) = 0.3.2
Provides: bundled(crate(foreign-types-shared)) = 0.1.1
Provides: bundled(crate(form_urlencoded)) = 1.1.0
Provides: bundled(crate(futures)) = 0.3.27
Provides: bundled(crate(futures-channel)) = 0.3.27
Provides: bundled(crate(futures-core)) = 0.3.27
Provides: bundled(crate(futures-executor)) = 0.3.27
Provides: bundled(crate(futures-io)) = 0.3.27
Provides: bundled(crate(futures-macro)) = 0.3.27
Provides: bundled(crate(futures-sink)) = 0.3.27
Provides: bundled(crate(futures-task)) = 0.3.27
Provides: bundled(crate(futures-util)) = 0.3.27
Provides: bundled(crate(generic-array)) = 0.14.6
Provides: bundled(crate(getrandom)) = 0.2.7
Provides: bundled(crate(glob)) = 0.3.1
Provides: bundled(crate(h2)) = 0.3.17
Provides: bundled(crate(hashbrown)) = 0.12.3
Provides: bundled(crate(heck)) = 0.4.0
Provides: bundled(crate(hex)) = 0.4.3
Provides: bundled(crate(hostname-validator)) = 1.1.1
Provides: bundled(crate(http)) = 0.2.8
Provides: bundled(crate(http-body)) = 0.4.5
Provides: bundled(crate(httparse)) = 1.8.0
Provides: bundled(crate(httpdate)) = 1.0.2
Provides: bundled(crate(humantime)) = 1.3.0
Provides: bundled(crate(hyper)) = 0.14.20
Provides: bundled(crate(idna)) = 0.3.0
Provides: bundled(crate(indexmap)) = 1.9.1
Provides: bundled(crate(io-lifetimes)) = 1.0.10
Provides: bundled(crate(ipnet)) = 2.5.0
Provides: bundled(crate(is-terminal)) = 0.4.7
Provides: bundled(crate(itoa)) = 1.0.3
Provides: bundled(crate(keylime)) = 0.2.2
Provides: bundled(crate(keylime_agent)) = 0.2.2
Provides: bundled(crate(keylime_ima_emulator)) = 0.2.2
Provides: bundled(crate(language-tags)) = 0.3.2
Provides: bundled(crate(lazy_static)) = 1.4.0
Provides: bundled(crate(lazycell)) = 1.3.0
Provides: bundled(crate(libc)) = 0.2.147
Provides: bundled(crate(libloading)) = 0.7.3
Provides: bundled(crate(linux-raw-sys)) = 0.3.1
Provides: bundled(crate(local-channel)) = 0.1.3
Provides: bundled(crate(local-waker)) = 0.1.3
Provides: bundled(crate(lock_api)) = 0.4.9
Provides: bundled(crate(log)) = 0.4.17
Provides: bundled(crate(mbox)) = 0.6.0
Provides: bundled(crate(memchr)) = 2.5.0
Provides: bundled(crate(mime)) = 0.3.16
Provides: bundled(crate(minimal-lexical)) = 0.2.1
Provides: bundled(crate(mio)) = 0.8.4
Provides: bundled(crate(nom)) = 7.1.1
Provides: bundled(crate(num-derive)) = 0.3.3
Provides: bundled(crate(num-traits)) = 0.2.15
Provides: bundled(crate(num_cpus)) = 1.13.1
Provides: bundled(crate(num_threads)) = 0.1.6
Provides: bundled(crate(oid)) = 0.2.1
Provides: bundled(crate(once_cell)) = 1.15.0
Provides: bundled(crate(openssl)) = 0.10.70
Provides: bundled(crate(openssl-macros)) = 0.1.1
Provides: bundled(crate(openssl-sys)) = 0.9.105
Provides: bundled(crate(parking_lot)) = 0.12.1
Provides: bundled(crate(parking_lot_core)) = 0.9.3
Provides: bundled(crate(paste)) = 1.0.9
Provides: bundled(crate(pathdiff)) = 0.2.1
Provides: bundled(crate(peeking_take_while)) = 0.1.2
Provides: bundled(crate(percent-encoding)) = 2.2.0
Provides: bundled(crate(pest)) = 2.7.0
Provides: bundled(crate(pest_derive)) = 2.7.0
Provides: bundled(crate(pest_generator)) = 2.7.0
Provides: bundled(crate(pest_meta)) = 2.7.0
Provides: bundled(crate(picky-asn1)) = 0.3.3
Provides: bundled(crate(picky-asn1)) = 0.5.0
Provides: bundled(crate(picky-asn1-der)) = 0.2.5
Provides: bundled(crate(picky-asn1-der)) = 0.3.1
Provides: bundled(crate(picky-asn1-x509)) = 0.6.1
Provides: bundled(crate(pin-project-lite)) = 0.2.9
Provides: bundled(crate(pin-utils)) = 0.1.0
Provides: bundled(crate(pkg-config)) = 0.3.25
Provides: bundled(crate(ppv-lite86)) = 0.2.16
Provides: bundled(crate(pretty_env_logger)) = 0.4.0
Provides: bundled(crate(proc-macro2)) = 1.0.64
Provides: bundled(crate(quick-error)) = 1.2.3
Provides: bundled(crate(quote)) = 1.0.29
Provides: bundled(crate(rand)) = 0.8.5
Provides: bundled(crate(rand_chacha)) = 0.3.1
Provides: bundled(crate(rand_core)) = 0.6.4
Provides: bundled(crate(regex)) = 1.6.0
Provides: bundled(crate(regex-syntax)) = 0.6.27
Provides: bundled(crate(reqwest)) = 0.11.16
Provides: bundled(crate(rustc-hash)) = 1.1.0
Provides: bundled(crate(rustc_version)) = 0.3.3
Provides: bundled(crate(rustc_version)) = 0.4.0
Provides: bundled(crate(rustix)) = 0.37.11
Provides: bundled(crate(ryu)) = 1.0.11
Provides: bundled(crate(scopeguard)) = 1.1.0
Provides: bundled(crate(semver)) = 0.11.0
Provides: bundled(crate(semver)) = 1.0.14
Provides: bundled(crate(semver-parser)) = 0.10.2
Provides: bundled(crate(serde)) = 1.0.166
Provides: bundled(crate(serde_bytes)) = 0.11.7
Provides: bundled(crate(serde_derive)) = 1.0.166
Provides: bundled(crate(serde_json)) = 1.0.96
Provides: bundled(crate(serde_urlencoded)) = 0.7.1
Provides: bundled(crate(sha1)) = 0.10.5
Provides: bundled(crate(sha2)) = 0.10.6
Provides: bundled(crate(shlex)) = 1.1.0
Provides: bundled(crate(signal-hook)) = 0.3.15
Provides: bundled(crate(signal-hook-registry)) = 1.4.0
Provides: bundled(crate(slab)) = 0.4.7
Provides: bundled(crate(smallvec)) = 1.9.0
Provides: bundled(crate(socket2)) = 0.4.9
Provides: bundled(crate(stable_deref_trait)) = 1.2.0
Provides: bundled(crate(static_assertions)) = 1.1.0
Provides: bundled(crate(strsim)) = 0.10.0
Provides: bundled(crate(syn)) = 1.0.100
Provides: bundled(crate(syn)) = 2.0.25
Provides: bundled(crate(synstructure)) = 0.12.6
Provides: bundled(crate(target-lexicon)) = 0.12.4
Provides: bundled(crate(tempfile)) = 3.6.0
Provides: bundled(crate(termcolor)) = 1.1.3
Provides: bundled(crate(thiserror)) = 1.0.40
Provides: bundled(crate(thiserror-impl)) = 1.0.40
Provides: bundled(crate(time)) = 0.3.14
Provides: bundled(crate(tinyvec)) = 1.6.0
Provides: bundled(crate(tinyvec_macros)) = 0.1.0
Provides: bundled(crate(tokio)) = 1.28.2
Provides: bundled(crate(tokio-macros)) = 2.1.0
Provides: bundled(crate(tokio-openssl)) = 0.6.3
Provides: bundled(crate(tokio-util)) = 0.7.4
Provides: bundled(crate(toml)) = 0.5.9
Provides: bundled(crate(tower-service)) = 0.3.2
Provides: bundled(crate(tracing)) = 0.1.36
Provides: bundled(crate(tracing-core)) = 0.1.29
Provides: bundled(crate(try-lock)) = 0.2.3
Provides: bundled(crate(tss-esapi)) = 7.2.0
Provides: bundled(crate(tss-esapi-sys)) = 0.4.0
Provides: bundled(crate(typenum)) = 1.15.0
Provides: bundled(crate(ucd-trie)) = 0.1.5
Provides: bundled(crate(unicode-bidi)) = 0.3.8
Provides: bundled(crate(unicode-ident)) = 1.0.4
Provides: bundled(crate(unicode-normalization)) = 0.1.22
Provides: bundled(crate(unicode-xid)) = 0.2.4
Provides: bundled(crate(url)) = 2.3.1
Provides: bundled(crate(utf8parse)) = 0.2.1
Provides: bundled(crate(uuid)) = 1.3.1
Provides: bundled(crate(vcpkg)) = 0.2.15
Provides: bundled(crate(version_check)) = 0.9.4
Provides: bundled(crate(want)) = 0.3.0
Provides: bundled(crate(which)) = 4.3.0
Provides: bundled(crate(zeroize)) = 1.5.7
Provides: bundled(crate(zeroize_derive)) = 1.3.2
%description
Rust agent for Keylime
%prep
%autosetup -N -n rust-keylime-%{version}
%cargo_prep -V 1
%autopatch -p1
# Sometimes Rust sources start with #![...] attributes, and "smart" editors think
# it's a shebang and make them executable. Then brp-mangle-shebangs gets upset...
find -name '*.rs' -type f -perm /111 -exec chmod -v -x '{}' '+'
%build
%cargo_build --no-default-features
%install
mkdir -p %{buildroot}/%{_sharedstatedir}/keylime
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/keylime
mkdir -p --mode=0700 %{buildroot}/%{_libexecdir}/keylime
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/keylime
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/keylime/agent.conf.d
install -Dpm 400 keylime-agent.conf \
%{buildroot}%{_sysconfdir}/keylime/agent.conf
install -Dpm 644 ./dist/systemd/system/keylime_agent.service \
%{buildroot}%{_unitdir}/keylime_agent.service
install -Dpm 644 ./dist/systemd/system/var-lib-keylime-secure.mount \
%{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
# Setting up the agent to use keylime:keylime user/group after dropping privileges.
cat > %{buildroot}/%{_sysconfdir}/keylime/agent.conf.d/001-run_as.conf << EOF
[agent]
run_as = "keylime:keylime"
EOF
install -Dpm 0755 \
-t %{buildroot}%{_bindir} \
./target/release/keylime_agent
install -Dpm 0755 \
-t %{buildroot}%{_bindir} \
./target/release/keylime_ima_emulator
%posttrans
chmod 500 %{_sysconfdir}/keylime/agent.conf.d
chmod 400 %{_sysconfdir}/keylime/agent.conf.d/*.conf
chmod 500 %{_sysconfdir}/keylime
chown -R keylime:keylime %{_sysconfdir}/keylime
%preun
%systemd_preun keylime_agent.service
%systemd_preun var-lib-keylime-secure.mount
%postun
%systemd_postun_with_restart keylime_agent.service
%systemd_postun_with_restart var-lib-keylime-secure.mount
%files
%license LICENSE
%doc README.md
%attr(500,keylime,keylime) %dir %{_sysconfdir}/keylime
%attr(500,keylime,keylime) %dir %{_sysconfdir}/keylime/agent.conf.d
%config(noreplace) %attr(400,keylime,keylime) %{_sysconfdir}/keylime/agent.conf.d/001-run_as.conf
%config(noreplace) %attr(400,keylime,keylime) %{_sysconfdir}/keylime/agent.conf
%{_unitdir}/keylime_agent.service
%{_unitdir}/var-lib-keylime-secure.mount
%attr(700,keylime,keylime) %dir %{_rundir}/keylime
%attr(700,keylime,keylime) %{_sharedstatedir}/keylime
%attr(500,keylime,keylime) %{_libexecdir}/keylime
%{_bindir}/keylime_agent
%{_bindir}/keylime_ima_emulator
%if %{with check}
%check
%cargo_test
%endif
%changelog
* Fri Feb 07 2025 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.2.2-2
- Update openssl crate to version 0.10.70 to fix CVE-2025-24898
* Thu Jul 20 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.2.2-1
- Update to upstream release 0.2.2
* Thu May 25 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.2.1-1
- Update to upstream release 0.2.1
* Wed Sep 21 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.1.0-1
- Update to upstream release 0.1.0
* Thu Aug 25 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.1.0~20220805git0185093-1
- Update to upstream commit 0186093
* Mon Jul 18 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.1.0~20220603gitaed51c7-4
- Remove vendored source files for non-Linux or unsupported platforms
* Fri Jul 08 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.1.0~20220603gitaed51c7-3
- Add support for hash algorithms other than SHA-1 to the IMA emulator
* Mon Jul 04 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.1.0~20220603gitaed51c7-2
- Use classic release instead of autorelease macro
- Use classic changelog instead of autochangelog macro
* Mon Jul 04 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.1.0~20220603gitaed51c7-2
- Backport patch to load configuration file only once
* Fri Jul 01 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 0.1.0~20220603gitaed51c7-2
- Set supplementary groups when dropping privileges
- Show more descriptive error messages on missing files errors
- Create /usr/libexec/keylime directory
* Tue Jun 21 2022 Sergio Correia <scorreia@redhat.com> - 0.1.0~20220603gitaed51c7-1
- Add keylime-agent-rust to RHEL 9

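--- a/changelog
+++ b/changelog
@@ -0,0 +1,2 @@
+* Mon Jan 24 2022 Daiki Ueno <dueno@redhat.com> - 0.1.0~20211110gitd5a3191-1
+- Initial package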
17
ci_tests.fmf Normal file

@ -0,0 +1,17 @@
/e2e:
plan:
import:
url: https://github.com/RedHat-SP-Security/keylime-plans.git
name: /generic/e2e
/package-update:
plan:
import:
url: https://github.com/RedHat-SP-Security/keylime-plans.git
name: /generic/package-update
/rpmverify:
plan:
import:
url: https://github.com/RedHat-SP-Security/keylime-plans.git
name: /generic/rpmverify
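Review bot: The three plan imports from `url: https://github.com/RedHat-SP-Security/keylime-plans.git` carry no `ref:` key, so every CI run fetches whatever the remote default branch holds at that moment and a push to that repository changes this package's gating without any commit here. Adding a `ref:` next to each `url:`, pinned to a branch or preferably a commit, makes the imported plans reproducible and lets a reviewer see exactly which tests gated a build. The same change applies to all three entries in this file.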

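--- a/gating.yaml
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+- rhel-10
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}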

198
keylime-agent-rust.spec Normal file

@ -0,0 +1,198 @@
# keylime-agent-rust.spec
# Generated by rust2rpm 20
%bcond_without check
%global crate keylime_agent
%if 0%{?rhel}
# RHEL: Use bundled deps as it doesn't ship Rust libraries
%global bundled_rust_deps 1
%global __brp_mangle_shebangs_exclude_from ^/usr/src/debug/.*$
%else
# Fedora: Use only system Rust libraries
%global bundled_rust_deps 0
%endif
Name: keylime-agent-rust
Version: 0.2.7
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
Summary: Rust agent for Keylime
# Upstream license specification: Apache-2.0
#
# The build dependencies have the following licenses:
#
# 0BSD or MIT or ASL 2.0
# ASL 2.0
# ASL 2.0 or Boost
# ASL 2.0 or MIT
# ASL 2.0 with exceptions
# BSD
# MIT
# MIT or ASL 2.0
# MIT or ASL 2.0 or zlib
# MIT or zlib or ASL 2.0
# Unlicense or MIT
# zlib or ASL 2.0 or MIT
#
License: (Apache-2.0 OR MIT) AND BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND Apache-2.0 WITH LLVM-exception AND ISC AND MIT AND (MIT OR Unlicense)
URL: https://github.com/keylime/rust-keylime/
# The source tarball is downloaded using the following commands:
# spectool -g keylime-agent-rust.spec
Source0: %{url}/archive/refs/tags/v%{version}.tar.gz
# The vendor tarball is created using cargo-vendor-filterer to remove Windows
# related files (https://github.com/cgwalters/cargo-vendor-filterer)
# tar xf rust-keylime-%%{version}.tar.zstd
# cd rust-keylime-%%{version}
# cargo vendor-filterer --platform x86_64-unknown-linux-gnu \
# --platform powerpc64le-unknown-linux-gnu \
# --platform aarch64-unknown-linux-gnu \
# --platform i686-unknown-linux-gnu \
# --platform s390x-unknown-linux-gnu \
# --exclude-crate-path "libloading#tests" \
# --prefix=vendor --format=tar.zstd
# Rename the vendor.tar.zstd tarball to rust-keylime-%%{version}-vendor.tar.zstd
Source1: rust-keylime-%{version}-vendor.tar.zstd
## (0-99) General patches
# Enable logging for the keylime library
# Patch from https://github.com/keylime/rust-keylime/pull/922
Patch0: rust-keylime-enable-logging-keylime-lib.patch
# Drop completely the legacy-python-actions feature
Patch1: rust-keylime-metadata.patch
# Update to openssl 0.10.70 to fix CVE-2025-24898
# Patch from https://github.com/keylime/rust-keylime/pull/926
Patch2: rust-keylime-openssl-0.10.70.patch
# Backport of https://github.com/keylime/rust-keylime/pull/846
# to enable different key sizes and curves for EK and AK.
Patch3: 0003-Enable-non-standard-key-sizes-and-curves-for-EK-and-.patch
Patch4: 0004-Clippy-fixes.patch
Patch5: 0005-tpm-add-policy-auth-for-EK-to-activate-crendential.patch
Patch6: 0006-keylime-agent.conf-add-all-accepted-TPM-encryption-a.patch
Patch7: 0007-Fix-ECC-RSA-algorithm-selection-and-reporting-for-ke.patch
## (100-199) Patches for building from system Rust libraries (Fedora)
## (200+) Patches for building from vendored Rust libraries (RHEL)
ExclusiveArch: %{rust_arches}
Requires: tpm2-tss
Requires: util-linux-core
# The keylime-base package provides the keylime user creation. It is available
# from Fedora 36
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
Requires: keylime-base
%endif
BuildRequires: git-core
BuildRequires: systemd
BuildRequires: openssl-devel
BuildRequires: libarchive-devel
BuildRequires: tpm2-tss-devel
BuildRequires: clang
%if 0%{?bundled_rust_deps}
BuildRequires: rust-toolset
%else
BuildRequires: rust-packaging >= 21-2
%endif
# Virtual Provides to support swapping between Python and Rust implementation
Provides: keylime-agent
Conflicts: keylime-agent
%description
Rust agent for Keylime
%prep
%autosetup -S git -n rust-keylime-%{version} -N %{?bundled_rust_deps:-a1}
%autopatch -M 99 -p1
%if 0%{?bundled_rust_deps}
# Source1 is vendored dependencies
%cargo_prep -v vendor
%autopatch -m 200 -p1
%else
%autopatch -m 100 -M 199 -p1
%cargo_prep
%generate_buildrequires
%cargo_generate_buildrequires
%endif
%build
%cargo_build
%cargo_license_summary
%{cargo_license} > LICENSE.dependencies
%if 0%{?bundled_rust_deps}
%cargo_vendor_manifest
%endif
%install
mkdir -p %{buildroot}/%{_sharedstatedir}/keylime
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/keylime
mkdir -p --mode=0700 %{buildroot}/%{_libexecdir}/keylime
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/keylime
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/keylime/agent.conf.d
install -Dpm 400 keylime-agent.conf \
%{buildroot}%{_sysconfdir}/keylime/agent.conf
install -Dpm 644 ./dist/systemd/system/keylime_agent.service \
%{buildroot}%{_unitdir}/keylime_agent.service
install -Dpm 644 ./dist/systemd/system/var-lib-keylime-secure.mount \
%{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
# Setting up the agent to use keylime:keylime user/group after dropping privileges.
cat > %{buildroot}/%{_sysconfdir}/keylime/agent.conf.d/001-run_as.conf << EOF
[agent]
run_as = "keylime:keylime"
EOF
install -Dpm 0755 \
-t %{buildroot}%{_bindir} \
./target/release/keylime_agent
install -Dpm 0755 \
-t %{buildroot}%{_bindir} \
./target/release/keylime_ima_emulator
%posttrans
chmod 500 %{_sysconfdir}/keylime/agent.conf.d
chmod 400 %{_sysconfdir}/keylime/agent.conf.d/*.conf
chmod 500 %{_sysconfdir}/keylime
chown -R keylime:keylime %{_sysconfdir}/keylime
%preun
%systemd_preun keylime_agent.service
%systemd_preun var-lib-keylime-secure.mount
%postun
%systemd_postun_with_restart keylime_agent.service
%systemd_postun_with_restart var-lib-keylime-secure.mount
%files
%license LICENSE
%license LICENSE.dependencies
%if 0%{?bundled_rust_deps}
%license cargo-vendor.txt
%endif
%doc README.md
%attr(500,keylime,keylime) %dir %{_sysconfdir}/keylime
%attr(500,keylime,keylime) %dir %{_sysconfdir}/keylime/agent.conf.d
%config(noreplace) %attr(400,keylime,keylime) %{_sysconfdir}/keylime/agent.conf.d/001-run_as.conf
%config(noreplace) %attr(400,keylime,keylime) %{_sysconfdir}/keylime/agent.conf
%{_unitdir}/keylime_agent.service
%{_unitdir}/var-lib-keylime-secure.mount
%attr(700,keylime,keylime) %dir %{_rundir}/keylime
%attr(700,keylime,keylime) %{_sharedstatedir}/keylime
%attr(700,keylime,keylime) %{_libexecdir}/keylime
%{_bindir}/keylime_agent
%{_bindir}/keylime_ima_emulator
%if %{with check}
%check
%cargo_test
%endif
%changelog
%autochangelog
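Review bot: `%{_libexecdir}/keylime` is created with `mkdir -p --mode=0700` in %install and packaged as `%attr(700,keylime,keylime)`, which makes a directory under libexec — presumably holding executables the agent itself runs — writable by the very unprivileged user the agent drops to via the shipped `run_as = "keylime:keylime"` drop-in. The c9 spec visible at the top of this page packages the same path as `%attr(500,keylime,keylime)`, so this is a loosening relative to the older branch rather than a carry-over. Unless the agent has to write into that directory at runtime, `mkdir -p --mode=0500 %{buildroot}/%{_libexecdir}/keylime` together with `%attr(500,keylime,keylime) %{_libexecdir}/keylime` keeps code the agent executes separate from state it can modify; if the wider mode is intentional, a comment beside the `%attr` line saying why would spare the next reviewer this comparison. Relatedly, the `%posttrans` `chown -R keylime:keylime %{_sysconfdir}/keylime` runs unconditionally while `Requires: keylime-base` (which provides that user) is wrapped in a distro-version `%if`; on a target where the condition is false the scriptlet would fail, so the two should be guarded by the same condition.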


@ -0,0 +1,29 @@
From 43db7bdf66a11658614be63f06d74e379a18e0d8 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Tue, 21 Jan 2025 15:31:00 +0100
Subject: [PATCH] dist: Enable logging for keylime library in the service
Set the logging level as INFO for the keylime library in the systemd
service file.
Some of the messages were moved from main to the library and would not
be logged without this setting.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
dist/systemd/system/keylime_agent.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dist/systemd/system/keylime_agent.service b/dist/systemd/system/keylime_agent.service
index c5df621d..7ec1a7a1 100644
--- a/dist/systemd/system/keylime_agent.service
+++ b/dist/systemd/system/keylime_agent.service
@@ -17,7 +17,7 @@ ExecStart=/usr/bin/keylime_agent
TimeoutSec=60s
Restart=on-failure
RestartSec=120s
-Environment="RUST_LOG=keylime_agent=info"
+Environment="RUST_LOG=keylime_agent=info,keylime=info"
# If using swtpm with tpm2-abrmd service, uncomment the line below to set TCTI
# variable on the service environment
#Environment="TCTI=tabrmd:"


@ -0,0 +1,48 @@
--- a/keylime/Cargo.toml 2025-01-20 11:19:20.276090741 +0100
+++ b/keylime/Cargo.toml 2025-01-20 11:20:47.574791185 +0100
@@ -24,10 +24,6 @@
picky-asn1-der.workspace = true
picky-asn1-x509.workspace = true
tokio.workspace = true
-# wiremock was moved to be a regular dependency because optional
-# dev-dependencies are not supported
-# see: https://github.com/rust-lang/cargo/issues/1596
-wiremock = {version = "0.6", optional = true}
[dev-dependencies]
tempfile.workspace = true
@@ -37,4 +33,4 @@
# This feature enables tests that require a TPM and the TCTI environment
# variable properly configured
# This should change to dev-dependencies when we have integration testing
-testing = ["wiremock"]
+testing = []
--- a/keylime-agent/Cargo.toml 2025-01-20 11:19:40.095022736 +0100
+++ b/keylime-agent/Cargo.toml 2025-01-20 11:21:15.678694751 +0100
@@ -32,7 +32,6 @@
thiserror.workspace = true
uuid.workspace = true
zip.workspace = true
-zmq = {version = "0.9.2", optional = true}
[dev-dependencies]
actix-rt.workspace = true
@@ -41,18 +40,6 @@
# The features enabled by default
default = []
testing = []
-# Whether the agent should be compiled with support to listen for notification
-# messages on ZeroMQ
-#
-# This feature is deprecated and will be removed on next major release
-with-zmq = ["zmq"]
-# Whether the agent should be compiled with support for python revocation
-# actions loaded as modules, which is the only kind supported by the python
-# agent (unless the enhancement-55 is implemented). See:
-# https://github.com/keylime/enhancements/blob/master/55_revocation_actions_without_python.md
-#
-# This feature is deprecated and will be removed on next major release
-legacy-python-actions = []
[package.metadata.deb]
section = "net"


@ -0,0 +1,62 @@
From 6087804c15b16a1456a191ccea25acec7a3f7fc0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 4 Feb 2025 09:55:03 +0000
Subject: [PATCH] build(deps): bump openssl from 0.10.68 to 0.10.70
Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.68 to 0.10.70.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...openssl-v0.10.70)
---
updated-dependencies:
- dependency-name: openssl
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
---
Cargo.lock | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 6cf79ea7..4c0ac1e6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1387,9 +1387,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
[[package]]
name = "openssl"
-version = "0.10.68"
+version = "0.10.70"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5"
+checksum = "61cfb4e166a8bb8c9b55c500bc2308550148ece889be90f609377e58140f42c6"
dependencies = [
"bitflags 2.4.0",
"cfg-if",
@@ -1402,20 +1402,20 @@ dependencies = [
[[package]]
name = "openssl-macros"
-version = "0.1.0"
+version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
dependencies = [
"proc-macro2",
"quote",
- "syn 1.0.100",
+ "syn 2.0.90",
]
[[package]]
name = "openssl-sys"
-version = "0.9.104"
+version = "0.9.105"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741"
+checksum = "8b22d5b84be05a8d6947c7cb71f7c849aa0f112acd4bf51c2a7c1c988ac0a9dc"
dependencies = [
"cc",
"libc",

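--- a/sources
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (rust-keylime-0.2.7-vendor.tar.zstd) = cac2cbe6b1831e5f8c1c7981df54b94dfab38e3784b672fe4a5ef85f22af7cb1accb3f726951579a10abb11205d50e58977e7146eba386195b1d6d126043e906
+SHA512 (v0.2.7.tar.gz) = 6a9f4e581aa49c8be1599d235a54c6a65d0f45340ef37c3d08124b75c4c5ca2b8467dc00cac8dfae5402b5690bb90fe69a994770fe2715de6e9d4070dabebb7d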