Update to 7.3.0

Resolves: RHEL-475
2023-07-19 16:00:54 +01:00 · 2023-07-19 16:00:54 +01:00 · 4dba8b49a7
commit 4dba8b49a7
parent d04c383743
7 changed files with 129 additions and 356 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,4 @@
 /v6.5.0.tar.gz
 /v6.5.2.tar.gz
 /keylime-selinux-1.0.0.tar.gz
+/v7.3.0.tar.gz
--- a/0001-Do-not-use-default-values-that-need-reading-the-conf.patch
+++ b/0001-Do-not-use-default-values-that-need-reading-the-conf.patch
@ -1,130 +0,0 @@
-From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Tue, 15 Nov 2022 07:09:13 -0300
-Subject: [PATCH] Do not use default values that need reading the config in
- methods
-
-Following up from the recent refactoring that moved the EK validation
-to cert_utils, in a few places were added default method values that
-were reading the configuration files directly.
-
-It was not such a great idea becasue it then made those config files as
-required to even import the modules.
-
-Example "from keylime import cert_utils" now also requires that the
-tenant configuration be available for getting the path for the TPM
-cert store.
-
-Let's stop doing that.
-
-Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
- keylime/cert_utils.py       | 5 +++--
- keylime/tenant.py           | 2 +-
- keylime/tpm/tpm_abstract.py | 2 +-
- keylime/tpm/tpm_main.py     | 4 ++--
- keylime/tpm_ek_ca.py        | 6 +++---
- 5 files changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py
-index d2fc54d..3576c64 100644
--- a/keylime/cert_utils.py
-+++ b/keylime/cert_utils.py
-@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
- from pyasn1.codec.der import decoder, encoder
- from pyasn1_modules import pem, rfc2459
- 
-from keylime import config, keylime_logging, tpm_ek_ca
-+from keylime import keylime_logging, tpm_ek_ca
- 
- # Issue #944 -- python-cryptography won't parse malformed certs,
- # such as some Nuvoton ones we have encountered in the field.
-@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):
-         return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())
- 
- 
-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):
-+def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:
-     """Verify that the provided EK certificate is signed by a trusted root
-     :param ekcert: The Endorsement Key certificate in DER format
-+    :param tpm_cert_store: The path for the TPM certificate store
-     :returns: True if the certificate can be verified, False otherwise
-     """
-     try:
-diff --git a/keylime/tenant.py b/keylime/tenant.py
-index b574d04..076b849 100644
--- a/keylime/tenant.py
-+++ b/keylime/tenant.py
-@@ -430,7 +430,7 @@ class Tenant:
-             elif ekcert is None:
-                 logger.warning("No EK cert provided, require_ek_cert option in config set to True")
-                 return False
-            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):
-+            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):
-                 logger.warning("Invalid EK certificate")
-                 return False
- 
-diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
-index ff41837..df6222c 100644
--- a/keylime/tpm/tpm_abstract.py
-+++ b/keylime/tpm/tpm_abstract.py
-@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):
-         pass
- 
-     @abstractmethod
-    def verify_ek(self, ekcert):
-+    def verify_ek(self, ekcert, tpm_cert_store):
-         pass
- 
-     @abstractmethod
-diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
-index e1d1cf8..e244dfa 100644
--- a/keylime/tpm/tpm_main.py
-+++ b/keylime/tpm/tpm_main.py
-@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):
-                 os.remove(sesspath)
-         return key
- 
-    def verify_ek(self, ekcert):
-+    def verify_ek(self, ekcert, tpm_cert_store):
-         """Verify that the provided EK certificate is signed by a trusted root
-         :param ekcert: The Endorsement Key certificate in DER format
-         :returns: True if the certificate can be verified, false otherwise
-         """
-        return cert_utils.verify_ek(ekcert)
-+        return cert_utils.verify_ek(ekcert, tpm_cert_store)
- 
-     def get_tpm_manufacturer(self, output=None):
-         vendorStr = None
-diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py
-index fb66c07..bc84571 100644
--- a/keylime/tpm_ek_ca.py
-+++ b/keylime/tpm_ek_ca.py
-@@ -1,13 +1,13 @@
- import glob
- import os
- 
-from keylime import config, keylime_logging
-+from keylime import keylime_logging
- 
- logger = keylime_logging.init_logging("tpm_ek_ca")
- trusted_certs = {}
- 
- 
-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
-+def check_tpm_cert_store(tpm_cert_store):
-     if not os.path.isdir(tpm_cert_store):
-         logger.error("The directory %s does not exist.", tpm_cert_store)
-         raise Exception(f"The directory {tpm_cert_store} does not exist.")
-@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
-         raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")
- 
- 
-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
-+def cert_loader(tpm_cert_store):
-     file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))
-     my_trusted_certs = {}
-     for file_path in file_list:
-- 
-2.38.1
-
--- a/0001-Remove-usage-of-Required-NotRequired-typing_ext.patch
+++ b/0001-Remove-usage-of-Required-NotRequired-typing_ext.patch
@ -0,0 +1,104 @@
+Subject: [PATCH] Remove usage of Required/NotRequired typing_ext
+
+Since we do not yet have typing_extensions packaged, let us not
+use its functionality yet.
+---
+ keylime/ima/types.py        | 33 ++++++++++++++-------------------
+ keylime/registrar_client.py |  8 +-------
+ 2 files changed, 15 insertions(+), 26 deletions(-)
+
+diff --git a/keylime/ima/types.py b/keylime/ima/types.py
+index 99f0aa7..a0fffdf 100644
+--- a/keylime/ima/types.py
+++ b/keylime/ima/types.py
+@@ -6,11 +6,6 @@ if sys.version_info >= (3, 8):
+ else:
+     from typing_extensions import Literal, TypedDict
+ 
+-if sys.version_info >= (3, 11):
+-    from typing import NotRequired, Required
+-else:
+-    from typing_extensions import NotRequired, Required
+-
+ ### Types for tpm_dm.py
+ 
+ RuleAttributeType = Optional[Union[int, str, bool]]
+@@ -51,7 +46,7 @@ class Rule(TypedDict):
+ 
+ 
+ class Policies(TypedDict):
+-    version: Required[int]
+    version: int
+     match_on: MatchKeyType
+     rules: Dict[str, Rule]
+ 
+@@ -60,27 +55,27 @@ class Policies(TypedDict):
+ 
+ 
+ class RPMetaType(TypedDict):
+-    version: Required[int]
+-    generator: NotRequired[int]
+-    timestamp: NotRequired[str]
+    version: int
+    generator: int
+    timestamp: str
+ 
+ 
+ class RPImaType(TypedDict):
+-    ignored_keyrings: Required[List[str]]
+-    log_hash_alg: Required[Literal["sha1", "sha256", "sha384", "sha512"]]
+    ignored_keyrings: List[str]
+    log_hash_alg: Literal["sha1", "sha256", "sha384", "sha512"]
+     dm_policy: Optional[Policies]
+ 
+ 
+ RuntimePolicyType = TypedDict(
+     "RuntimePolicyType",
+     {
+-        "meta": Required[RPMetaType],
+-        "release": NotRequired[int],
+-        "digests": Required[Dict[str, List[str]]],
+-        "excludes": Required[List[str]],
+-        "keyrings": Required[Dict[str, List[str]]],
+-        "ima": Required[RPImaType],
+-        "ima-buf": Required[Dict[str, List[str]]],
+-        "verification-keys": Required[str],
+        "meta": RPMetaType,
+        "release": int,
+        "digests": Dict[str, List[str]],
+        "excludes": List[str],
+        "keyrings": Dict[str, List[str]],
+        "ima": RPImaType,
+        "ima-buf": Dict[str, List[str]],
+        "verification-keys": str,
+     },
+ )
+diff --git a/keylime/registrar_client.py b/keylime/registrar_client.py
+index ab28977..ea5341b 100644
+--- a/keylime/registrar_client.py
+++ b/keylime/registrar_client.py
+@@ -13,12 +13,6 @@ if sys.version_info >= (3, 8):
+ else:
+     from typing_extensions import TypedDict
+ 
+-if sys.version_info >= (3, 11):
+-    from typing import NotRequired
+-else:
+-    from typing_extensions import NotRequired
+-
+-
+ class RegistrarData(TypedDict):
+     ip: Optional[str]
+     port: Optional[str]
+@@ -27,7 +21,7 @@ class RegistrarData(TypedDict):
+     aik_tpm: str
+     ek_tpm: str
+     ekcert: Optional[str]
+-    provider_keys: NotRequired[Dict[str, str]]
+    provider_keys: Dict[str, str]
+ 
+ 
+ logger = keylime_logging.init_logging("registrar_client")
+-- 
+2.41.0
+
--- a/0002-Switch-to-sha256-hashes-for-signatures.patch
+++ b/0002-Switch-to-sha256-hashes-for-signatures.patch
@ -1,67 +0,0 @@
-From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stefanb@linux.ibm.com>
-Date: Tue, 22 Nov 2022 10:56:43 -0500
-Subject: [PATCH] tests: Switch to sha256 hashes for signatures
-
-Resolves: https://github.com/keylime/keylime/issues/1202
-Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
- test/test_ima_ast.py          |  4 ++--
- test/test_ima_verification.py | 12 ++++++------
- 2 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py
-index cd54f95f9..e7d3841a7 100644
--- a/test/test_ima_ast.py
-+++ b/test/test_ima_ast.py
-@@ -14,11 +14,11 @@
- VALID_ENTRIES = {
-     "ima-sig-rsa": (
-         ast.ImaSig,
-        "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0",
-+        "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f",
-     ),
-     "ima-sig-ec": (
-         ast.ImaSig,
-        "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31",
-+        "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3",
-     ),
-     "ima-sig-missing": (
-         ast.ImaSig,
-diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py
-index bdb929c9c..d2fc9ef16 100644
--- a/test/test_ima_verification.py
-+++ b/test/test_ima_verification.py
-@@ -27,8 +27,8 @@
-         "/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [
-             "cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d"
-         ],
-        "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"],
-        "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"],
-+        "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
-+        "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
-         "/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"],
-     },
-     "keyrings": {
-@@ -50,8 +50,8 @@
-         "version": 1,
-     },
-     "hashes": {
-        "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"],
-        "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"],
-+        "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
-+        "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
-     },
- }
- 
-@@ -73,8 +73,8 @@
- # 1st signature: RSA
- # 2nd signature: EC
- SIGNATURES = (
-    "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0\n"
-    "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n"
-+    "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f\n"
-+    "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n"
- )
- 
- COMBINED = MEASUREMENTS + SIGNATURES
--- a/0003-logging-remove-option-to-log-into-separate-file.patch
+++ b/0003-logging-remove-option-to-log-into-separate-file.patch
@ -1,136 +0,0 @@
-From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001
-From: Thore Sommer <mail@thson.de>
-Date: Mon, 16 Jan 2023 07:26:08 -0300
-Subject: [PATCH 3/3] logging: remove option to log into separate file
-
-The implementation had the issue that only the main loggers were added and that
-the permissions were not set strict enough. Users should use the logging
-provided by systemd instead.
-
-Signed-off-by: Thore Sommer <mail@thson.de>
---
- keylime.conf                       | 10 ----------
- keylime/keylime_logging.py         | 31 ------------------------------
- scripts/templates/2.0/registrar.j2 |  9 ---------
- scripts/templates/2.0/verifier.j2  |  9 ---------
- 4 files changed, 59 deletions(-)
-
-diff --git a/keylime.conf b/keylime.conf
-index d896f9f..043b6a8 100644
--- a/keylime.conf
-+++ b/keylime.conf
-@@ -342,11 +342,6 @@ tomtou_errors = False
- # signature check before storing them in the database.
- require_allow_list_signatures = False
- 
-# Destination for log output, in addition to console. Values can be 'file', 
-# with the file being named after the "service" - cloud_verifier - created under 
-# /var/log/keylime), 'stream' or it can be left empty (which results in 
-# logging to console only, recommended when running inside a container)
-log_destination = file
- 
- #=============================================================================
- [tenant]
-@@ -595,11 +590,6 @@ auto_migrate_db = True
- # The file to use for SQLite persistence of provider hypervisor data.
- prov_db_filename = provider_reg_data.sqlite
- 
-# Destination for log output, in addition to console. Values can be 'file',
-# with the file being named after the "service" - registrar - created under
-# /var/log/keylime), 'stream' or it can be left empty (which results in
-# logging to console only, recommended when running inside a container)
-log_destination = file
- 
- #=============================================================================
- [ca]
-diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py
-index bc8a11d..f7c7a8f 100644
--- a/keylime/keylime_logging.py
-+++ b/keylime/keylime_logging.py
-@@ -1,17 +1,10 @@
- import logging
-import os
- from logging import Logger
- from logging import config as logging_config
- from typing import Any, Callable, Dict
- 
- from keylime import config
- 
-LOG_TO_FILE = set()
-LOG_TO_STREAM = set()
-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime")
-# not clear that this works right.  console logging may not work
-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log")
-
- logging_config.fileConfig(config.get_config("logging"))
- 
- 
-@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An
- 
- 
- def init_logging(loggername: str) -> Logger:
-
-    if loggername in ("verifier", "registrar"):
-        logdest = config.get(loggername, "log_destination", fallback="")
-        if logdest == "file":
-            LOG_TO_FILE.add(loggername)
-        if logdest == "stream":
-            LOG_TO_STREAM.add(loggername)
-
-     logger = logging.getLogger(f"keylime.{loggername}")
-     logging.getLogger("requests").setLevel(logging.WARNING)
-    mainlogger = logging.getLogger("keylime")
-    basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
-    if loggername in LOG_TO_FILE:
-        logfilename = os.path.join(LOGDIR, f"{loggername}.log")
-        if not os.path.exists(LOGDIR):
-            os.makedirs(LOGDIR, 0o750)
-        fh = logging.FileHandler(logfilename)
-        fh.setLevel(logger.getEffectiveLevel())
-        fh.setFormatter(basic_formatter)
-        mainlogger.addHandler(fh)
-
-    if loggername in LOG_TO_STREAM:
-        fh = logging.FileHandler(filename=LOGSTREAM, mode="w")
-        fh.setLevel(logger.getEffectiveLevel())
-        fh.setFormatter(basic_formatter)
-        mainlogger.addHandler(fh)
- 
-     return logger
-diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2
-index 3d92303..8de7a50 100644
--- a/scripts/templates/2.0/registrar.j2
-+++ b/scripts/templates/2.0/registrar.j2
-@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }}
- 
- # The file to use for SQLite persistence of provider hypervisor data.
- prov_db_filename: {{ registrar.prov_db_filename }}
-
-# Destination for log output, in addition to console. If left empty, the log
-# output will only be printed to console (recommended for containers to avoid
-# filling data storage). The accepted values are:
-# 'file': The log output will also be written to a file named after the
-#         component in '/var/log/keylime/registrar.log'
-# 'stream': The log output will be written to a common file in
-#           'var/log/keylime/keylime-stream.log'
-log_destination = {{ registrar.log_destination }}
-diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2
-index d1584df..7a66cb1 100644
--- a/scripts/templates/2.0/verifier.j2
-+++ b/scripts/templates/2.0/verifier.j2
-@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }}
- 
- # Webhook url for revocation notifications.
- webhook_url = {{ verifier.webhook_url }}
-
-# Destination for log output, in addition to console. If left empty, the log
-# output will only be printed to console (recommended for containers to avoid
-# filling data storage). The accepted values are:
-# 'file': The log output will also be written to a file named after the
-#         component in '/var/log/keylime/verifier.log'
-# 'stream': The log output will be written to a common file in
-#           'var/log/keylime/keylime-stream.log'
-log_destination = {{ verifier.log_destination }}
-- 
-2.38.1
-
--- a/keylime.spec
+++ b/keylime.spec
@ -8,8 +8,8 @@
 %global debug_package %{nil}

 Name:    keylime
-Version: 6.5.2
-Release: 4%{?dist}
+Version: 7.3.0
+Release: 1%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust

 URL:            https://github.com/keylime/keylime
@ -17,9 +17,7 @@ Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}
 Source1:        %{srcname}.sysusers
 Source2:        https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz

-Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
-Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
-Patch: 0003-logging-remove-option-to-log-into-separate-file.patch
+Patch: 0001-Remove-usage-of-Required-NotRequired-typing_ext.patch

 License: ASL 2.0 and MIT

@ -88,6 +86,7 @@ Requires: python3-gpg
 Requires: python3-lark-parser
 Requires: python3-pyasn1
 Requires: python3-pyasn1-modules
+Requires: python3-jsonschema
 Requires: tpm2-tools
 Requires: openssl

@ -169,27 +168,21 @@ for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
    install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
 done

-# Remove agent.
-rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
-rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
-rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
-rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
-rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
-
-# Remove misc progs.
-rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
-rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
-
 # Ship some scripts.
 mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
-for s in create_allowlist.sh \
+for s in create_runtime_policy.sh \
         create_mb_refstate \
-         create_policy \
         ek-openssl-verify; do
    install -Dpm 755 scripts/${s} \
        %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
 done

+# Ship configuration templates.
+cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/
+
+mkdir -p --mode=0755 %{buildroot}/%{_bindir}
+cp -a ./keylime/cmd/convert_config.py %{buildroot}/%{_bindir}/keylime_upgrade_config
+
 %if 0%{?with_selinux}
 install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
 install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
@ -291,7 +284,6 @@ fi
 %config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
 %{_bindir}/%{srcname}_verifier
 %{_bindir}/%{srcname}_ca
-%{_bindir}/%{srcname}_migrations_apply
 %{_unitdir}/keylime_verifier.service

 %files registrar
@ -319,8 +311,11 @@ fi
 %{python3_sitelib}/%{srcname}-*.egg-info/
 %{python3_sitelib}/%{srcname}
 %{_datadir}/%{srcname}/scripts/create_mb_refstate
-%{_datadir}/%{srcname}/scripts/create_policy
-%{_bindir}/keylime_convert_ima_policy
+%{_bindir}/keylime_attest
+%{_bindir}/keylime_convert_runtime_policy
+%{_bindir}/keylime_create_policy
+%{_bindir}/keylime_sign_runtime_policy
+%{_bindir}/keylime_userdata_encrypt

 %files base
 %license LICENSE
@ -335,13 +330,19 @@ fi
 %attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
 %{_tmpfilesdir}/%{srcname}.conf
 %{_sysusersdir}/%{srcname}.conf
-%{_datadir}/%{srcname}/scripts/create_allowlist.sh
+%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh
 %{_datadir}/%{srcname}/scripts/ek-openssl-verify
+%{_datadir}/%{srcname}/templates
+%{_bindir}/keylime_upgrade_config

 %files
 %license LICENSE

 %changelog
+* Wed Jul 19 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-1
+- Update to 7.3.0
+  Resolves: RHEL-475
+
 * Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
 - Backport upstream PR#1240 - logging: remove option to log into separate file
  Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-SHA512 (v6.5.2.tar.gz) = de73de8d88dbf3bf394ea65036ef22cd5098318c09ff92b5548af2344a9a6f28d2432356d792b0eae72fe619255c4ecfa51f5c7d185b9612a4a04d2fb8e91649
+SHA512 (v7.3.0.tar.gz) = 6a5ee3e642015b4c09058ab84db9c1c132d94b387284cb363285fb43a875921fdf0e88ef4b67ab886ceed4e6a5a49aeef0334d42d9662d27f865287d3e9e000b
 SHA512 (keylime-selinux-1.0.0.tar.gz) = d0b4fea7407ad493b08e6f087e8f32b1a65acbee59bf6e20a0e26aaa139f56c1206c7e707898fd8a2e11468cd918f76cb6985f68b8a2faa8a2a4b7a9ba4c3674