Update to 7.3.0

Resolves: RHEL-475
Sergio Correia 2023-07-19 16:00:54 +01:00
parent d04c383743
commit 4dba8b49a7
No known key found for this signature in database
GPG Key ID: D0D219ED1F7E762C
7 changed files with 129 additions and 356 deletions

.gitignore vendored

@ -4,3 +4,4 @@
/v6.5.0.tar.gz
/v6.5.2.tar.gz
/keylime-selinux-1.0.0.tar.gz
/v7.3.0.tar.gz


@ -1,130 +0,0 @@
From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Tue, 15 Nov 2022 07:09:13 -0300
Subject: [PATCH] Do not use default values that need reading the config in
methods
Following up from the recent refactoring that moved the EK validation
to cert_utils, in a few places were added default method values that
were reading the configuration files directly.
It was not such a great idea becasue it then made those config files as
required to even import the modules.
Example "from keylime import cert_utils" now also requires that the
tenant configuration be available for getting the path for the TPM
cert store.
Let's stop doing that.
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime/cert_utils.py | 5 +++--
keylime/tenant.py | 2 +-
keylime/tpm/tpm_abstract.py | 2 +-
keylime/tpm/tpm_main.py | 4 ++--
keylime/tpm_ek_ca.py | 6 +++---
5 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py
index d2fc54d..3576c64 100644
--- a/keylime/cert_utils.py
+++ b/keylime/cert_utils.py
@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
from pyasn1.codec.der import decoder, encoder
from pyasn1_modules import pem, rfc2459
-from keylime import config, keylime_logging, tpm_ek_ca
+from keylime import keylime_logging, tpm_ek_ca
# Issue #944 -- python-cryptography won't parse malformed certs,
# such as some Nuvoton ones we have encountered in the field.
@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):
return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())
-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:
"""Verify that the provided EK certificate is signed by a trusted root
:param ekcert: The Endorsement Key certificate in DER format
+ :param tpm_cert_store: The path for the TPM certificate store
:returns: True if the certificate can be verified, False otherwise
"""
try:
diff --git a/keylime/tenant.py b/keylime/tenant.py
index b574d04..076b849 100644
--- a/keylime/tenant.py
+++ b/keylime/tenant.py
@@ -430,7 +430,7 @@ class Tenant:
elif ekcert is None:
logger.warning("No EK cert provided, require_ek_cert option in config set to True")
return False
- elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):
+ elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):
logger.warning("Invalid EK certificate")
return False
diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
index ff41837..df6222c 100644
--- a/keylime/tpm/tpm_abstract.py
+++ b/keylime/tpm/tpm_abstract.py
@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):
pass
@abstractmethod
- def verify_ek(self, ekcert):
+ def verify_ek(self, ekcert, tpm_cert_store):
pass
@abstractmethod
diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
index e1d1cf8..e244dfa 100644
--- a/keylime/tpm/tpm_main.py
+++ b/keylime/tpm/tpm_main.py
@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):
os.remove(sesspath)
return key
- def verify_ek(self, ekcert):
+ def verify_ek(self, ekcert, tpm_cert_store):
"""Verify that the provided EK certificate is signed by a trusted root
:param ekcert: The Endorsement Key certificate in DER format
:returns: True if the certificate can be verified, false otherwise
"""
- return cert_utils.verify_ek(ekcert)
+ return cert_utils.verify_ek(ekcert, tpm_cert_store)
def get_tpm_manufacturer(self, output=None):
vendorStr = None
diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py
index fb66c07..bc84571 100644
--- a/keylime/tpm_ek_ca.py
+++ b/keylime/tpm_ek_ca.py
@@ -1,13 +1,13 @@
import glob
import os
-from keylime import config, keylime_logging
+from keylime import keylime_logging
logger = keylime_logging.init_logging("tpm_ek_ca")
trusted_certs = {}
-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+def check_tpm_cert_store(tpm_cert_store):
if not os.path.isdir(tpm_cert_store):
logger.error("The directory %s does not exist.", tpm_cert_store)
raise Exception(f"The directory {tpm_cert_store} does not exist.")
@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")
-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+def cert_loader(tpm_cert_store):
file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))
my_trusted_certs = {}
for file_path in file_list:
--
2.38.1


@ -0,0 +1,104 @@
Subject: [PATCH] Remove usage of Required/NotRequired typing_ext
Since we do not yet have typing_extensions packaged, let us not
use its functionality yet.
---
keylime/ima/types.py | 33 ++++++++++++++-------------------
keylime/registrar_client.py | 8 +-------
2 files changed, 15 insertions(+), 26 deletions(-)
diff --git a/keylime/ima/types.py b/keylime/ima/types.py
index 99f0aa7..a0fffdf 100644
--- a/keylime/ima/types.py
+++ b/keylime/ima/types.py
@@ -6,11 +6,6 @@ if sys.version_info >= (3, 8):
else:
from typing_extensions import Literal, TypedDict
-if sys.version_info >= (3, 11):
- from typing import NotRequired, Required
-else:
- from typing_extensions import NotRequired, Required
-
### Types for tpm_dm.py
RuleAttributeType = Optional[Union[int, str, bool]]
@@ -51,7 +46,7 @@ class Rule(TypedDict):
class Policies(TypedDict):
- version: Required[int]
+ version: int
match_on: MatchKeyType
rules: Dict[str, Rule]
@@ -60,27 +55,27 @@ class Policies(TypedDict):
class RPMetaType(TypedDict):
- version: Required[int]
- generator: NotRequired[int]
- timestamp: NotRequired[str]
+ version: int
+ generator: int
+ timestamp: str
class RPImaType(TypedDict):
- ignored_keyrings: Required[List[str]]
- log_hash_alg: Required[Literal["sha1", "sha256", "sha384", "sha512"]]
+ ignored_keyrings: List[str]
+ log_hash_alg: Literal["sha1", "sha256", "sha384", "sha512"]
dm_policy: Optional[Policies]
RuntimePolicyType = TypedDict(
"RuntimePolicyType",
{
- "meta": Required[RPMetaType],
- "release": NotRequired[int],
- "digests": Required[Dict[str, List[str]]],
- "excludes": Required[List[str]],
- "keyrings": Required[Dict[str, List[str]]],
- "ima": Required[RPImaType],
- "ima-buf": Required[Dict[str, List[str]]],
- "verification-keys": Required[str],
+ "meta": RPMetaType,
+ "release": int,
+ "digests": Dict[str, List[str]],
+ "excludes": List[str],
+ "keyrings": Dict[str, List[str]],
+ "ima": RPImaType,
+ "ima-buf": Dict[str, List[str]],
+ "verification-keys": str,
},
)
diff --git a/keylime/registrar_client.py b/keylime/registrar_client.py
index ab28977..ea5341b 100644
--- a/keylime/registrar_client.py
+++ b/keylime/registrar_client.py
@@ -13,12 +13,6 @@ if sys.version_info >= (3, 8):
else:
from typing_extensions import TypedDict
-if sys.version_info >= (3, 11):
- from typing import NotRequired
-else:
- from typing_extensions import NotRequired
-
-
class RegistrarData(TypedDict):
ip: Optional[str]
port: Optional[str]
@@ -27,7 +21,7 @@ class RegistrarData(TypedDict):
aik_tpm: str
ek_tpm: str
ekcert: Optional[str]
- provider_keys: NotRequired[Dict[str, str]]
+ provider_keys: Dict[str, str]
logger = keylime_logging.init_logging("registrar_client")
--
2.41.0
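Review bot: Replacing `NotRequired[...]` with a plain annotation inside a `TypedDict` that keeps the default `total=True` turns `generator`, `timestamp`, `release` and `provider_keys` into required keys at the type level, although the original annotations marked them optional; type checks on code that builds these dicts without those keys will now fail, and the types no longer record which keys may be absent. If typing_extensions cannot be packaged yet, a comment on each of those fields, e.g. `# optional at runtime; marked required only until typing_extensions is available`, would keep that information, or the optional keys could be moved into a separate `total=False` TypedDict that the main class inherits from. The patch header also carries only a Subject line, whereas the other patches in this repository carry From, Date and Signed-off-by; adding the author and an upstream reference (or a note that this is a downstream-only change) would help the next rebase.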


@ -1,67 +0,0 @@
From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Tue, 22 Nov 2022 10:56:43 -0500
Subject: [PATCH] tests: Switch to sha256 hashes for signatures
Resolves: https://github.com/keylime/keylime/issues/1202
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
test/test_ima_ast.py | 4 ++--
test/test_ima_verification.py | 12 ++++++------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py
index cd54f95f9..e7d3841a7 100644
--- a/test/test_ima_ast.py
+++ b/test/test_ima_ast.py
@@ -14,11 +14,11 @@
VALID_ENTRIES = {
"ima-sig-rsa": (
ast.ImaSig,
- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 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",
+ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 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",
),
"ima-sig-ec": (
ast.ImaSig,
- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31",
+ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3",
),
"ima-sig-missing": (
ast.ImaSig,
diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py
index bdb929c9c..d2fc9ef16 100644
--- a/test/test_ima_verification.py
+++ b/test/test_ima_verification.py
@@ -27,8 +27,8 @@
"/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [
"cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d"
],
- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"],
- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"],
+ "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
+ "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
"/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"],
},
"keyrings": {
@@ -50,8 +50,8 @@
"version": 1,
},
"hashes": {
- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"],
- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"],
+ "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
+ "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
},
}
@@ -73,8 +73,8 @@
# 1st signature: RSA
# 2nd signature: EC
SIGNATURES = (
- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 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\n"
- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n"
+ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 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\n"
+ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n"
)
COMBINED = MEASUREMENTS + SIGNATURES


@ -1,136 +0,0 @@
From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001
From: Thore Sommer <mail@thson.de>
Date: Mon, 16 Jan 2023 07:26:08 -0300
Subject: [PATCH 3/3] logging: remove option to log into separate file
The implementation had the issue that only the main loggers were added and that
the permissions were not set strict enough. Users should use the logging
provided by systemd instead.
Signed-off-by: Thore Sommer <mail@thson.de>
---
keylime.conf | 10 ----------
keylime/keylime_logging.py | 31 ------------------------------
scripts/templates/2.0/registrar.j2 | 9 ---------
scripts/templates/2.0/verifier.j2 | 9 ---------
4 files changed, 59 deletions(-)
diff --git a/keylime.conf b/keylime.conf
index d896f9f..043b6a8 100644
--- a/keylime.conf
+++ b/keylime.conf
@@ -342,11 +342,6 @@ tomtou_errors = False
# signature check before storing them in the database.
require_allow_list_signatures = False
-# Destination for log output, in addition to console. Values can be 'file',
-# with the file being named after the "service" - cloud_verifier - created under
-# /var/log/keylime), 'stream' or it can be left empty (which results in
-# logging to console only, recommended when running inside a container)
-log_destination = file
#=============================================================================
[tenant]
@@ -595,11 +590,6 @@ auto_migrate_db = True
# The file to use for SQLite persistence of provider hypervisor data.
prov_db_filename = provider_reg_data.sqlite
-# Destination for log output, in addition to console. Values can be 'file',
-# with the file being named after the "service" - registrar - created under
-# /var/log/keylime), 'stream' or it can be left empty (which results in
-# logging to console only, recommended when running inside a container)
-log_destination = file
#=============================================================================
[ca]
diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py
index bc8a11d..f7c7a8f 100644
--- a/keylime/keylime_logging.py
+++ b/keylime/keylime_logging.py
@@ -1,17 +1,10 @@
import logging
-import os
from logging import Logger
from logging import config as logging_config
from typing import Any, Callable, Dict
from keylime import config
-LOG_TO_FILE = set()
-LOG_TO_STREAM = set()
-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime")
-# not clear that this works right. console logging may not work
-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log")
-
logging_config.fileConfig(config.get_config("logging"))
@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An
def init_logging(loggername: str) -> Logger:
-
- if loggername in ("verifier", "registrar"):
- logdest = config.get(loggername, "log_destination", fallback="")
- if logdest == "file":
- LOG_TO_FILE.add(loggername)
- if logdest == "stream":
- LOG_TO_STREAM.add(loggername)
-
logger = logging.getLogger(f"keylime.{loggername}")
logging.getLogger("requests").setLevel(logging.WARNING)
- mainlogger = logging.getLogger("keylime")
- basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
- if loggername in LOG_TO_FILE:
- logfilename = os.path.join(LOGDIR, f"{loggername}.log")
- if not os.path.exists(LOGDIR):
- os.makedirs(LOGDIR, 0o750)
- fh = logging.FileHandler(logfilename)
- fh.setLevel(logger.getEffectiveLevel())
- fh.setFormatter(basic_formatter)
- mainlogger.addHandler(fh)
-
- if loggername in LOG_TO_STREAM:
- fh = logging.FileHandler(filename=LOGSTREAM, mode="w")
- fh.setLevel(logger.getEffectiveLevel())
- fh.setFormatter(basic_formatter)
- mainlogger.addHandler(fh)
return logger
diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2
index 3d92303..8de7a50 100644
--- a/scripts/templates/2.0/registrar.j2
+++ b/scripts/templates/2.0/registrar.j2
@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }}
# The file to use for SQLite persistence of provider hypervisor data.
prov_db_filename: {{ registrar.prov_db_filename }}
-
-# Destination for log output, in addition to console. If left empty, the log
-# output will only be printed to console (recommended for containers to avoid
-# filling data storage). The accepted values are:
-# 'file': The log output will also be written to a file named after the
-# component in '/var/log/keylime/registrar.log'
-# 'stream': The log output will be written to a common file in
-# 'var/log/keylime/keylime-stream.log'
-log_destination = {{ registrar.log_destination }}
diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2
index d1584df..7a66cb1 100644
--- a/scripts/templates/2.0/verifier.j2
+++ b/scripts/templates/2.0/verifier.j2
@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }}
# Webhook url for revocation notifications.
webhook_url = {{ verifier.webhook_url }}
-
-# Destination for log output, in addition to console. If left empty, the log
-# output will only be printed to console (recommended for containers to avoid
-# filling data storage). The accepted values are:
-# 'file': The log output will also be written to a file named after the
-# component in '/var/log/keylime/verifier.log'
-# 'stream': The log output will be written to a common file in
-# 'var/log/keylime/keylime-stream.log'
-log_destination = {{ verifier.log_destination }}
--
2.38.1


@ -8,8 +8,8 @@
%global debug_package %{nil}
Name: keylime
Version: 6.5.2
Release: 4%{?dist}
Version: 7.3.0
Release: 1%{?dist}
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
URL: https://github.com/keylime/keylime
@ -17,9 +17,7 @@ Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}
Source1: %{srcname}.sysusers
Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
Patch: 0003-logging-remove-option-to-log-into-separate-file.patch
Patch: 0001-Remove-usage-of-Required-NotRequired-typing_ext.patch
License: ASL 2.0 and MIT
@ -88,6 +86,7 @@ Requires: python3-gpg
Requires: python3-lark-parser
Requires: python3-pyasn1
Requires: python3-pyasn1-modules
Requires: python3-jsonschema
Requires: tpm2-tools
Requires: openssl
@ -169,27 +168,21 @@ for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
done
# Remove agent.
rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
# Remove misc progs.
rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
# Ship some scripts.
mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
for s in create_allowlist.sh \
for s in create_runtime_policy.sh \
create_mb_refstate \
create_policy \
ek-openssl-verify; do
install -Dpm 755 scripts/${s} \
%{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
done
# Ship configuration templates.
cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/
mkdir -p --mode=0755 %{buildroot}/%{_bindir}
cp -a ./keylime/cmd/convert_config.py %{buildroot}/%{_bindir}/keylime_upgrade_config
%if 0%{?with_selinux}
install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
@ -291,7 +284,6 @@ fi
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
%{_bindir}/%{srcname}_verifier
%{_bindir}/%{srcname}_ca
%{_bindir}/%{srcname}_migrations_apply
%{_unitdir}/keylime_verifier.service
%files registrar
@ -319,8 +311,11 @@ fi
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}
%{_datadir}/%{srcname}/scripts/create_mb_refstate
%{_datadir}/%{srcname}/scripts/create_policy
%{_bindir}/keylime_convert_ima_policy
%{_bindir}/keylime_attest
%{_bindir}/keylime_convert_runtime_policy
%{_bindir}/keylime_create_policy
%{_bindir}/keylime_sign_runtime_policy
%{_bindir}/keylime_userdata_encrypt
%files base
%license LICENSE
@ -335,13 +330,19 @@ fi
%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
%{_tmpfilesdir}/%{srcname}.conf
%{_sysusersdir}/%{srcname}.conf
%{_datadir}/%{srcname}/scripts/create_allowlist.sh
%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh
%{_datadir}/%{srcname}/scripts/ek-openssl-verify
%{_datadir}/%{srcname}/templates
%{_bindir}/keylime_upgrade_config
%files
%license LICENSE
%changelog
* Wed Jul 19 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-1
- Update to 7.3.0
Resolves: RHEL-475
* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
- Backport upstream PR#1240 - logging: remove option to log into separate file
Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
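Review bot: The %files hunk (`@ -319,8 +311,11 @@`) adds `%{_bindir}/keylime_userdata_encrypt`, while the %install hunk (`@ -169,27 +168,21 @@`) still shows `rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt` under "# Remove misc progs."; the rendering has lost the +/- markers, so I cannot tell which side that rm line is on, but if it survives on the new side the build fails on the missing file, and if it is dropped the whole agent/misc removal block should go with it rather than leaving a stale "# Remove misc progs." comment. The changelog entry for 7.3.0-1 records only the version bump; it should also name the three patches dropped (presumably merged upstream in 7.3.0) and the new typing_extensions patch, e.g. `- Drop patches merged upstream; add patch avoiding typing_extensions Required/NotRequired` and `- Add python3-jsonschema runtime dependency`, so the next rebase knows which carried changes were downstream-only.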


@ -1,2 +1,2 @@
SHA512 (v6.5.2.tar.gz) = de73de8d88dbf3bf394ea65036ef22cd5098318c09ff92b5548af2344a9a6f28d2432356d792b0eae72fe619255c4ecfa51f5c7d185b9612a4a04d2fb8e91649
SHA512 (v7.3.0.tar.gz) = 6a5ee3e642015b4c09058ab84db9c1c132d94b387284cb363285fb43a875921fdf0e88ef4b67ab886ceed4e6a5a49aeef0334d42d9662d27f865287d3e9e000b
SHA512 (keylime-selinux-1.0.0.tar.gz) = d0b4fea7407ad493b08e6f087e8f32b1a65acbee59bf6e20a0e26aaa139f56c1206c7e707898fd8a2e11468cd918f76cb6985f68b8a2faa8a2a4b7a9ba4c3674