From 4dba8b49a74acbb7005bc516f1c8b50389304961 Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Wed, 19 Jul 2023 16:00:54 +0100 Subject: [PATCH] Update to 7.3.0 Resolves: RHEL-475 --- .gitignore | 1 + ...lt-values-that-need-reading-the-conf.patch | 130 ----------------- ...e-of-Required-NotRequired-typing_ext.patch | 104 ++++++++++++++ ...itch-to-sha256-hashes-for-signatures.patch | 67 --------- ...ove-option-to-log-into-separate-file.patch | 136 ------------------ keylime.spec | 45 +++--- sources | 2 +- 7 files changed, 129 insertions(+), 356 deletions(-) delete mode 100644 0001-Do-not-use-default-values-that-need-reading-the-conf.patch create mode 100644 0001-Remove-usage-of-Required-NotRequired-typing_ext.patch delete mode 100644 0002-Switch-to-sha256-hashes-for-signatures.patch delete mode 100644 0003-logging-remove-option-to-log-into-separate-file.patch diff --git a/.gitignore b/.gitignore index dadda7b..8dbf0ad 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /v6.5.0.tar.gz /v6.5.2.tar.gz /keylime-selinux-1.0.0.tar.gz +/v7.3.0.tar.gz diff --git a/0001-Do-not-use-default-values-that-need-reading-the-conf.patch b/0001-Do-not-use-default-values-that-need-reading-the-conf.patch deleted file mode 100644 index 2c4ace1..0000000 --- a/0001-Do-not-use-default-values-that-need-reading-the-conf.patch +++ /dev/null @@ -1,130 +0,0 @@ -From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Tue, 15 Nov 2022 07:09:13 -0300 -Subject: [PATCH] Do not use default values that need reading the config in - methods - -Following up from the recent refactoring that moved the EK validation -to cert_utils, in a few places were added default method values that -were reading the configuration files directly. - -It was not such a great idea becasue it then made those config files as -required to even import the modules. - -Example "from keylime import cert_utils" now also requires that the -tenant configuration be available for getting the path for the TPM -cert store. - -Let's stop doing that. - -Signed-off-by: Sergio Correia ---- - keylime/cert_utils.py | 5 +++-- - keylime/tenant.py | 2 +- - keylime/tpm/tpm_abstract.py | 2 +- - keylime/tpm/tpm_main.py | 4 ++-- - keylime/tpm_ek_ca.py | 6 +++--- - 5 files changed, 10 insertions(+), 9 deletions(-) - -diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py -index d2fc54d..3576c64 100644 ---- a/keylime/cert_utils.py -+++ b/keylime/cert_utils.py -@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey - from pyasn1.codec.der import decoder, encoder - from pyasn1_modules import pem, rfc2459 - --from keylime import config, keylime_logging, tpm_ek_ca -+from keylime import keylime_logging, tpm_ek_ca - - # Issue #944 -- python-cryptography won't parse malformed certs, - # such as some Nuvoton ones we have encountered in the field. -@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str): - return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend()) - - --def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")): -+def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool: - """Verify that the provided EK certificate is signed by a trusted root - :param ekcert: The Endorsement Key certificate in DER format -+ :param tpm_cert_store: The path for the TPM certificate store - :returns: True if the certificate can be verified, False otherwise - """ - try: -diff --git a/keylime/tenant.py b/keylime/tenant.py -index b574d04..076b849 100644 ---- a/keylime/tenant.py -+++ b/keylime/tenant.py -@@ -430,7 +430,7 @@ class Tenant: - elif ekcert is None: - logger.warning("No EK cert provided, require_ek_cert option in config set to True") - return False -- elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)): -+ elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")): - logger.warning("Invalid EK certificate") - return False - -diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py -index ff41837..df6222c 100644 ---- a/keylime/tpm/tpm_abstract.py -+++ b/keylime/tpm/tpm_abstract.py -@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta): - pass - - @abstractmethod -- def verify_ek(self, ekcert): -+ def verify_ek(self, ekcert, tpm_cert_store): - pass - - @abstractmethod -diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py -index e1d1cf8..e244dfa 100644 ---- a/keylime/tpm/tpm_main.py -+++ b/keylime/tpm/tpm_main.py -@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM): - os.remove(sesspath) - return key - -- def verify_ek(self, ekcert): -+ def verify_ek(self, ekcert, tpm_cert_store): - """Verify that the provided EK certificate is signed by a trusted root - :param ekcert: The Endorsement Key certificate in DER format - :returns: True if the certificate can be verified, false otherwise - """ -- return cert_utils.verify_ek(ekcert) -+ return cert_utils.verify_ek(ekcert, tpm_cert_store) - - def get_tpm_manufacturer(self, output=None): - vendorStr = None -diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py -index fb66c07..bc84571 100644 ---- a/keylime/tpm_ek_ca.py -+++ b/keylime/tpm_ek_ca.py -@@ -1,13 +1,13 @@ - import glob - import os - --from keylime import config, keylime_logging -+from keylime import keylime_logging - - logger = keylime_logging.init_logging("tpm_ek_ca") - trusted_certs = {} - - --def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")): -+def check_tpm_cert_store(tpm_cert_store): - if not os.path.isdir(tpm_cert_store): - logger.error("The directory %s does not exist.", tpm_cert_store) - raise Exception(f"The directory {tpm_cert_store} does not exist.") -@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")): - raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files") - - --def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")): -+def cert_loader(tpm_cert_store): - file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem")) - my_trusted_certs = {} - for file_path in file_list: --- -2.38.1 - diff --git a/0001-Remove-usage-of-Required-NotRequired-typing_ext.patch b/0001-Remove-usage-of-Required-NotRequired-typing_ext.patch new file mode 100644 index 0000000..5782252 --- /dev/null +++ b/0001-Remove-usage-of-Required-NotRequired-typing_ext.patch @@ -0,0 +1,104 @@ +Subject: [PATCH] Remove usage of Required/NotRequired typing_ext + +Since we do not yet have typing_extensions packaged, let us not +use its functionality yet. +--- + keylime/ima/types.py | 33 ++++++++++++++------------------- + keylime/registrar_client.py | 8 +------- + 2 files changed, 15 insertions(+), 26 deletions(-) + +diff --git a/keylime/ima/types.py b/keylime/ima/types.py +index 99f0aa7..a0fffdf 100644 +--- a/keylime/ima/types.py ++++ b/keylime/ima/types.py +@@ -6,11 +6,6 @@ if sys.version_info >= (3, 8): + else: + from typing_extensions import Literal, TypedDict + +-if sys.version_info >= (3, 11): +- from typing import NotRequired, Required +-else: +- from typing_extensions import NotRequired, Required +- + ### Types for tpm_dm.py + + RuleAttributeType = Optional[Union[int, str, bool]] +@@ -51,7 +46,7 @@ class Rule(TypedDict): + + + class Policies(TypedDict): +- version: Required[int] ++ version: int + match_on: MatchKeyType + rules: Dict[str, Rule] + +@@ -60,27 +55,27 @@ class Policies(TypedDict): + + + class RPMetaType(TypedDict): +- version: Required[int] +- generator: NotRequired[int] +- timestamp: NotRequired[str] ++ version: int ++ generator: int ++ timestamp: str + + + class RPImaType(TypedDict): +- ignored_keyrings: Required[List[str]] +- log_hash_alg: Required[Literal["sha1", "sha256", "sha384", "sha512"]] ++ ignored_keyrings: List[str] ++ log_hash_alg: Literal["sha1", "sha256", "sha384", "sha512"] + dm_policy: Optional[Policies] + + + RuntimePolicyType = TypedDict( + "RuntimePolicyType", + { +- "meta": Required[RPMetaType], +- "release": NotRequired[int], +- "digests": Required[Dict[str, List[str]]], +- "excludes": Required[List[str]], +- "keyrings": Required[Dict[str, List[str]]], +- "ima": Required[RPImaType], +- "ima-buf": Required[Dict[str, List[str]]], +- "verification-keys": Required[str], ++ "meta": RPMetaType, ++ "release": int, ++ "digests": Dict[str, List[str]], ++ "excludes": List[str], ++ "keyrings": Dict[str, List[str]], ++ "ima": RPImaType, ++ "ima-buf": Dict[str, List[str]], ++ "verification-keys": str, + }, + ) +diff --git a/keylime/registrar_client.py b/keylime/registrar_client.py +index ab28977..ea5341b 100644 +--- a/keylime/registrar_client.py ++++ b/keylime/registrar_client.py +@@ -13,12 +13,6 @@ if sys.version_info >= (3, 8): + else: + from typing_extensions import TypedDict + +-if sys.version_info >= (3, 11): +- from typing import NotRequired +-else: +- from typing_extensions import NotRequired +- +- + class RegistrarData(TypedDict): + ip: Optional[str] + port: Optional[str] +@@ -27,7 +21,7 @@ class RegistrarData(TypedDict): + aik_tpm: str + ek_tpm: str + ekcert: Optional[str] +- provider_keys: NotRequired[Dict[str, str]] ++ provider_keys: Dict[str, str] + + + logger = keylime_logging.init_logging("registrar_client") +-- +2.41.0 + diff --git a/0002-Switch-to-sha256-hashes-for-signatures.patch b/0002-Switch-to-sha256-hashes-for-signatures.patch deleted file mode 100644 index 6401048..0000000 --- a/0002-Switch-to-sha256-hashes-for-signatures.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Tue, 22 Nov 2022 10:56:43 -0500 -Subject: [PATCH] tests: Switch to sha256 hashes for signatures - -Resolves: https://github.com/keylime/keylime/issues/1202 -Signed-off-by: Stefan Berger ---- - test/test_ima_ast.py | 4 ++-- - test/test_ima_verification.py | 12 ++++++------ - 2 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py -index cd54f95f9..e7d3841a7 100644 ---- a/test/test_ima_ast.py -+++ b/test/test_ima_ast.py -@@ -14,11 +14,11 @@ - VALID_ENTRIES = { - "ima-sig-rsa": ( - ast.ImaSig, -- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0", -+ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f", - ), - "ima-sig-ec": ( - ast.ImaSig, -- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31", -+ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3", - ), - "ima-sig-missing": ( - ast.ImaSig, -diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py -index bdb929c9c..d2fc9ef16 100644 ---- a/test/test_ima_verification.py -+++ b/test/test_ima_verification.py -@@ -27,8 +27,8 @@ - "/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [ - "cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d" - ], -- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"], -- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"], -+ "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"], -+ "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"], - "/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"], - }, - "keyrings": { -@@ -50,8 +50,8 @@ - "version": 1, - }, - "hashes": { -- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"], -- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"], -+ "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"], -+ "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"], - }, - } - -@@ -73,8 +73,8 @@ - # 1st signature: RSA - # 2nd signature: EC - SIGNATURES = ( -- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0\n" -- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n" -+ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f\n" -+ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n" - ) - - COMBINED = MEASUREMENTS + SIGNATURES diff --git a/0003-logging-remove-option-to-log-into-separate-file.patch b/0003-logging-remove-option-to-log-into-separate-file.patch deleted file mode 100644 index e7e3672..0000000 --- a/0003-logging-remove-option-to-log-into-separate-file.patch +++ /dev/null @@ -1,136 +0,0 @@ -From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001 -From: Thore Sommer -Date: Mon, 16 Jan 2023 07:26:08 -0300 -Subject: [PATCH 3/3] logging: remove option to log into separate file - -The implementation had the issue that only the main loggers were added and that -the permissions were not set strict enough. Users should use the logging -provided by systemd instead. - -Signed-off-by: Thore Sommer ---- - keylime.conf | 10 ---------- - keylime/keylime_logging.py | 31 ------------------------------ - scripts/templates/2.0/registrar.j2 | 9 --------- - scripts/templates/2.0/verifier.j2 | 9 --------- - 4 files changed, 59 deletions(-) - -diff --git a/keylime.conf b/keylime.conf -index d896f9f..043b6a8 100644 ---- a/keylime.conf -+++ b/keylime.conf -@@ -342,11 +342,6 @@ tomtou_errors = False - # signature check before storing them in the database. - require_allow_list_signatures = False - --# Destination for log output, in addition to console. Values can be 'file', --# with the file being named after the "service" - cloud_verifier - created under --# /var/log/keylime), 'stream' or it can be left empty (which results in --# logging to console only, recommended when running inside a container) --log_destination = file - - #============================================================================= - [tenant] -@@ -595,11 +590,6 @@ auto_migrate_db = True - # The file to use for SQLite persistence of provider hypervisor data. - prov_db_filename = provider_reg_data.sqlite - --# Destination for log output, in addition to console. Values can be 'file', --# with the file being named after the "service" - registrar - created under --# /var/log/keylime), 'stream' or it can be left empty (which results in --# logging to console only, recommended when running inside a container) --log_destination = file - - #============================================================================= - [ca] -diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py -index bc8a11d..f7c7a8f 100644 ---- a/keylime/keylime_logging.py -+++ b/keylime/keylime_logging.py -@@ -1,17 +1,10 @@ - import logging --import os - from logging import Logger - from logging import config as logging_config - from typing import Any, Callable, Dict - - from keylime import config - --LOG_TO_FILE = set() --LOG_TO_STREAM = set() --LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime") --# not clear that this works right. console logging may not work --LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log") -- - logging_config.fileConfig(config.get_config("logging")) - - -@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An - - - def init_logging(loggername: str) -> Logger: -- -- if loggername in ("verifier", "registrar"): -- logdest = config.get(loggername, "log_destination", fallback="") -- if logdest == "file": -- LOG_TO_FILE.add(loggername) -- if logdest == "stream": -- LOG_TO_STREAM.add(loggername) -- - logger = logging.getLogger(f"keylime.{loggername}") - logging.getLogger("requests").setLevel(logging.WARNING) -- mainlogger = logging.getLogger("keylime") -- basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s") -- if loggername in LOG_TO_FILE: -- logfilename = os.path.join(LOGDIR, f"{loggername}.log") -- if not os.path.exists(LOGDIR): -- os.makedirs(LOGDIR, 0o750) -- fh = logging.FileHandler(logfilename) -- fh.setLevel(logger.getEffectiveLevel()) -- fh.setFormatter(basic_formatter) -- mainlogger.addHandler(fh) -- -- if loggername in LOG_TO_STREAM: -- fh = logging.FileHandler(filename=LOGSTREAM, mode="w") -- fh.setLevel(logger.getEffectiveLevel()) -- fh.setFormatter(basic_formatter) -- mainlogger.addHandler(fh) - - return logger -diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2 -index 3d92303..8de7a50 100644 ---- a/scripts/templates/2.0/registrar.j2 -+++ b/scripts/templates/2.0/registrar.j2 -@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }} - - # The file to use for SQLite persistence of provider hypervisor data. - prov_db_filename: {{ registrar.prov_db_filename }} -- --# Destination for log output, in addition to console. If left empty, the log --# output will only be printed to console (recommended for containers to avoid --# filling data storage). The accepted values are: --# 'file': The log output will also be written to a file named after the --# component in '/var/log/keylime/registrar.log' --# 'stream': The log output will be written to a common file in --# 'var/log/keylime/keylime-stream.log' --log_destination = {{ registrar.log_destination }} -diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2 -index d1584df..7a66cb1 100644 ---- a/scripts/templates/2.0/verifier.j2 -+++ b/scripts/templates/2.0/verifier.j2 -@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }} - - # Webhook url for revocation notifications. - webhook_url = {{ verifier.webhook_url }} -- --# Destination for log output, in addition to console. If left empty, the log --# output will only be printed to console (recommended for containers to avoid --# filling data storage). The accepted values are: --# 'file': The log output will also be written to a file named after the --# component in '/var/log/keylime/verifier.log' --# 'stream': The log output will be written to a common file in --# 'var/log/keylime/keylime-stream.log' --log_destination = {{ verifier.log_destination }} --- -2.38.1 - diff --git a/keylime.spec b/keylime.spec index 8a47a55..c7f9334 100644 --- a/keylime.spec +++ b/keylime.spec @@ -8,8 +8,8 @@ %global debug_package %{nil} Name: keylime -Version: 6.5.2 -Release: 4%{?dist} +Version: 7.3.0 +Release: 1%{?dist} Summary: Open source TPM software for Bootstrapping and Maintaining Trust URL: https://github.com/keylime/keylime @@ -17,9 +17,7 @@ Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version} Source1: %{srcname}.sysusers Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz -Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch -Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch -Patch: 0003-logging-remove-option-to-log-into-separate-file.patch +Patch: 0001-Remove-usage-of-Required-NotRequired-typing_ext.patch License: ASL 2.0 and MIT @@ -88,6 +86,7 @@ Requires: python3-gpg Requires: python3-lark-parser Requires: python3-pyasn1 Requires: python3-pyasn1-modules +Requires: python3-jsonschema Requires: tpm2-tools Requires: openssl @@ -169,27 +168,21 @@ for comp in "verifier" "tenant" "registrar" "ca" "logging"; do install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname} done -# Remove agent. -rm -f %{buildroot}/%{_bindir}/%{srcname}_agent -rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent* -rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.* -rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.* -rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.* - -# Remove misc progs. -rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator -rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt - # Ship some scripts. mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts -for s in create_allowlist.sh \ +for s in create_runtime_policy.sh \ create_mb_refstate \ - create_policy \ ek-openssl-verify; do install -Dpm 755 scripts/${s} \ %{buildroot}/%{_datadir}/%{srcname}/scripts/${s} done +# Ship configuration templates. +cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/ + +mkdir -p --mode=0755 %{buildroot}/%{_bindir} +cp -a ./keylime/cmd/convert_config.py %{buildroot}/%{_bindir}/keylime_upgrade_config + %if 0%{?with_selinux} install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2 install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if @@ -291,7 +284,6 @@ fi %config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf %{_bindir}/%{srcname}_verifier %{_bindir}/%{srcname}_ca -%{_bindir}/%{srcname}_migrations_apply %{_unitdir}/keylime_verifier.service %files registrar @@ -319,8 +311,11 @@ fi %{python3_sitelib}/%{srcname}-*.egg-info/ %{python3_sitelib}/%{srcname} %{_datadir}/%{srcname}/scripts/create_mb_refstate -%{_datadir}/%{srcname}/scripts/create_policy -%{_bindir}/keylime_convert_ima_policy +%{_bindir}/keylime_attest +%{_bindir}/keylime_convert_runtime_policy +%{_bindir}/keylime_create_policy +%{_bindir}/keylime_sign_runtime_policy +%{_bindir}/keylime_userdata_encrypt %files base %license LICENSE @@ -335,13 +330,19 @@ fi %attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem %{_tmpfilesdir}/%{srcname}.conf %{_sysusersdir}/%{srcname}.conf -%{_datadir}/%{srcname}/scripts/create_allowlist.sh +%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh %{_datadir}/%{srcname}/scripts/ek-openssl-verify +%{_datadir}/%{srcname}/templates +%{_bindir}/keylime_upgrade_config %files %license LICENSE %changelog +* Wed Jul 19 2023 Sergio Correia - 7.3.0-1 +- Update to 7.3.0 + Resolves: RHEL-475 + * Fri Jan 13 2023 Sergio Correia - 6.5.2-4 - Backport upstream PR#1240 - logging: remove option to log into separate file Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime diff --git a/sources b/sources index 7ad1cb0..ac05c02 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (v6.5.2.tar.gz) = de73de8d88dbf3bf394ea65036ef22cd5098318c09ff92b5548af2344a9a6f28d2432356d792b0eae72fe619255c4ecfa51f5c7d185b9612a4a04d2fb8e91649 +SHA512 (v7.3.0.tar.gz) = 6a5ee3e642015b4c09058ab84db9c1c132d94b387284cb363285fb43a875921fdf0e88ef4b67ab886ceed4e6a5a49aeef0334d42d9662d27f865287d3e9e000b SHA512 (keylime-selinux-1.0.0.tar.gz) = d0b4fea7407ad493b08e6f087e8f32b1a65acbee59bf6e20a0e26aaa139f56c1206c7e707898fd8a2e11468cd918f76cb6985f68b8a2faa8a2a4b7a9ba4c3674