Updating for Keylime release v7.2.5

2023-04-07 09:22:36 -03:00 · 2023-04-07 09:22:36 -03:00 · 6a94ffa449
commit 6a94ffa449
parent 391573bca0
5 changed files with 139 additions and 46 deletions
--- a/.gitignore
+++ b/.gitignore
@ -21,3 +21,7 @@
 /keylime-selinux-1.0.0.tar.gz
 /v6.5.3.tar.gz
 /v6.6.0.tar.gz
+/v6.7.0.tar.gz
+/v6.8.0.tar.gz
+/v7.0.0.tar.gz
+/v7.2.5.tar.gz
--- a/0002-templates-Fix-mapping-and-adjust-for-Rust-agent.patch
+++ b/0002-templates-Fix-mapping-and-adjust-for-Rust-agent.patch
@ -0,0 +1,119 @@
+From de764c330e3a3f0306d47f7a1b5b3138e9106a06 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Thu, 1 Jun 2023 09:58:56 -0300
+Subject: [PATCH 2/2] templates: Fix mapping and adjust for Rust agent
+
+The Rust Keylime agent does not set take ownership or set the TPM owner
+password. For this reason, the default value for tpm_ownerpassword
+should be the empty string "".
+
+Also, the agent does not support lists in the format specified for the
+Python agent (i.e. a Python list such as ["string_a", "string_b"]. For
+this reason, the adjust script should instead remove the square brackets
+and make the strings to be separated with a comma.
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+---
+ templates/2.0/adjust.py    | 49 ++++++++++++++++++++++++++++++++++----
+ templates/2.0/mapping.json |  4 ++--
+ 2 files changed, 47 insertions(+), 6 deletions(-)
+
+diff --git a/templates/2.0/adjust.py b/templates/2.0/adjust.py
+index c1e582a..1aa5702 100644
+--- a/templates/2.0/adjust.py
+++ b/templates/2.0/adjust.py
+@@ -62,10 +62,6 @@ def adjust(config: RawConfigParser, mapping: Dict) -> None:  # pylint: disable=u
+ 
+     # Dictionary defining values to convert to lists
+     tolist = {
+-        "agent": [
+-            "trusted_client_ca",
+-            "revocation_actions",
+-        ],
+         "verifier": [
+             "trusted_server_ca",
+             "severity_labels",
+@@ -84,6 +80,12 @@ def adjust(config: RawConfigParser, mapping: Dict) -> None:  # pylint: disable=u
+         "registrar": ["trusted_client_ca"],
+     }
+ 
+    mergelist = {
+        "agent": [
+            "revocation_actions",
+        ]
+    }
+
+     for section in config:
+         try:
+             config_version = str_to_version(config[section].get("version", "1.0"))
+@@ -151,6 +153,45 @@ def adjust(config: RawConfigParser, mapping: Dict) -> None:  # pylint: disable=u
+ 
+                     print(f"[{section}] For option '{option}', converted '{value}' to " f"'{config[section][option]}'")
+ 
+        # This is a special treatment to make lists compatible with the Rust agent
+        if section in mergelist:
+            for option in mergelist[section]:
+                if section in config and option in config[section]:
+                    # Get raw string value
+                    value = config[section][option].strip(' "')
+
+                    if value == "default":
+                        continue
+
+                    l = []
+                    try:
+                        v = ast.literal_eval(value)
+                        # If the value in the config was already a list, continue
+                        if isinstance(v, list):
+                            l = v
+                        # If the value in the config was tuple
+                        elif isinstance(v, tuple):
+                            l = list(v)
+
+                    except Exception as e:
+                        print(
+                            f"[{section}] In option '{option}', failed to parse "
+                            f"'{value}' as python type, trying manual splitting"
+                        )
+
+                        # Eliminate surrounding spaces and brackets, if present
+                        v = value.strip("[ ]").split(",")
+
+                        # Eliminate surrounding quotes and blank spaces from each element
+                        v = map(lambda x: x.strip(' "'), v)
+
+                        # Remove empty strings
+                        l = list(filter(lambda x: (x != ""), v))
+
+                    config[section][option] = ",".join(l)
+
+                    print(f"[{section}] For option '{option}', converted '{value}' to '{config[section][option]}'")
+
+         # Other special adjustments
+ 
+         # Convert agent boolean values to lower case (for TOML output)
+diff --git a/templates/2.0/mapping.json b/templates/2.0/mapping.json
+index 62e8538..fd8519e 100644
+--- a/templates/2.0/mapping.json
+++ b/templates/2.0/mapping.json
+@@ -100,7 +100,7 @@
+             "tpm_ownerpassword": {
+                 "section": "cloud_agent",
+                 "option": "tpm_ownerpassword",
+-                "default": "keylime"
+                "default": ""
+             },
+             "extract_payload_zip": {
+                 "section": "cloud_agent",
+@@ -120,7 +120,7 @@
+             "revocation_actions": {
+                 "section": "cloud_agent",
+                 "option": "revocation_actions",
+-                "default": "[]"
+                "default": ""
+             },
+             "payload_script": {
+                 "section": "cloud_agent",
+-- 
+2.39.2
+
--- a/e2e_tests.fmf
+++ b/e2e_tests.fmf
@ -3,6 +3,8 @@ summary: run keylime e2e tests
 # define context to filter out all test requiring TPM device
 context:
  swtpm: yes
+  agent: rust
+  faked_measured_boot_log: no

 prepare:
  - how: shell
--- a/keylime.spec
+++ b/keylime.spec
@ -8,7 +8,7 @@
 %global selinuxtype targeted

 Name:    keylime
-Version: 6.6.0
+Version: 7.2.5
 Release: %autorelease
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust

@ -19,6 +19,7 @@ Source1:        %{srcname}.sysusers
 Source2:        https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz

 Patch: 01-duplicate-str-to-version.patch
+Patch: 0002-templates-Fix-mapping-and-adjust-for-Rust-agent.patch

 # Main program: BSD
 # Icons: MIT
@ -43,9 +44,12 @@ Requires: %{srcname}-tools = %{version}-%{release}
 # webapp was removed upstream in release 6.4.2.
 Obsoletes: %{srcname}-webapp < 6.4.2

+# python agent was removed upstream in release 6.8.0.
+Obsoletes: python3-%{srcname}-agent < 6.8.0
+
 # Agent.
 Requires: keylime-agent
-Suggests: python3-%{srcname}-agent
+Suggests: %{srcname}-agent-rust

 # Conflicts with the monolithic versions of the package, before the split.
 Conflicts: keylime < 6.3.0-3
@ -219,7 +223,7 @@ mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
 mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}

 mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
-for comp in "agent" "verifier" "tenant" "registrar" "ca" "logging"; do
+for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
    mkdir -p --mode=0700  %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
 done

@ -227,7 +231,6 @@ done
 mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
 for s in create_runtime_policy.sh \
         create_mb_refstate \
-         create_policy \
         ek-openssl-verify; do
    install -Dpm 755 scripts/${s} \
        %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
@ -236,14 +239,6 @@ done
 # Ship configuration templates.
 cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/

-# Setting up the agent to use keylime user/group.
-printf '[agent]\nrun_as = %s:%s\n' "%{srcname}" "%{srcname}" \
-    > %{buildroot}/%{_sysconfdir}/%{srcname}/agent.conf.d/run_as.conf
-
-# rhbz#2114485 - using sha256 for tpm_hash_alg.
-printf '[agent]\ntpm_hash_alg = sha256\n' \
-    > %{buildroot}/%{_sysconfdir}/%{srcname}/agent.conf.d/bz2114485.conf
-
 mkdir -p --mode=0755 %{buildroot}/%{_bindir}
 cp -a ./keylime/cmd/convert_config.py %{buildroot}/%{_bindir}/keylime_upgrade_config

@ -252,12 +247,6 @@ install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{
 install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
 %endif

-install -Dpm 644 ./services/%{srcname}_agent.service \
-    %{buildroot}%{_unitdir}/%{srcname}_agent.service
-
-install -Dpm 644 ./services/var-lib-%{srcname}-secure.mount \
-    %{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount
-
 install -Dpm 644 ./services/%{srcname}_verifier.service \
    %{buildroot}%{_unitdir}/%{srcname}_verifier.service

@ -289,10 +278,6 @@ exit 0
 /usr/bin/keylime_upgrade_config
 exit 0

-%pre -n python3-%{srcname}-agent
-/usr/bin/keylime_upgrade_config
-exit 0
-
 %pre tenant
 /usr/bin/keylime_upgrade_config
 exit 0
@ -302,7 +287,7 @@ if [ -d %{_sysconfdir}/%{srcname} ]; then
    chmod 500 %{_sysconfdir}/%{srcname}
    chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}

-    for comp in "agent" "verifier" "tenant" "registrar" "ca" "logging"; do
+    for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
        [ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
            chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
    done
@ -325,9 +310,6 @@ exit 0
 %post registrar
 %systemd_post %{srcname}_registrar.service

-%post -n python3-%{srcname}-agent
-%systemd_post %{srcname}_agent.service
-
 %if 0%{?with_selinux}
 # SELinux contexts are saved so that only affected files can be
 # relabeled after the policy module installation
@ -342,7 +324,7 @@ if [ "$1" -le "1" ]; then # First install
    # The services need to be restarted for the custom label to be
    # applied in case they where already present in the system,
    # restart fails silently in case they where not.
-    for svc in agent registrar verifier; do
+    for svc in registrar verifier; do
        [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
            %systemd_postun_with_restart "%{srcname}_${svc}".service
    done
@ -362,9 +344,6 @@ fi
 %preun registrar
 %systemd_preun %{srcname}_registrar.service

-%preun -n python3-%{srcname}-agent
-%systemd_preun %{srcname}_agent.service
-
 %preun tenant
 %systemd_preun %{srcname}_registrar.service

@ -374,9 +353,6 @@ fi
 %postun registrar
 %systemd_postun_with_restart %{srcname}_registrar.service

-%postun -n python3-%{srcname}-agent
-%systemd_postun_with_restart %{srcname}_agent.service
-
 %files verifier
 %license LICENSE
 %attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
@ -390,17 +366,6 @@ fi
 %{_bindir}/%{srcname}_registrar
 %{_unitdir}/keylime_registrar.service

-%files -n python3-%{srcname}-agent
-%license LICENSE
-%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/agent.conf.d
-%{_unitdir}/%{srcname}_agent.service
-%{_unitdir}/var-lib-%{srcname}-secure.mount
-%{_bindir}/%{srcname}_convert_runtime_policy
-%{_bindir}/%{srcname}_agent
-%{_bindir}/%{srcname}_ima_emulator
-%{_sysconfdir}/%{srcname}/agent.conf.d/bz2114485.conf
-%{_sysconfdir}/%{srcname}/agent.conf.d/run_as.conf
-
 %if 0%{?with_selinux}
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
@ -418,8 +383,11 @@ fi
 %{python3_sitelib}/%{srcname}-*.egg-info/
 %{python3_sitelib}/%{srcname}
 %{_datadir}/%{srcname}/scripts/create_mb_refstate
-%{_datadir}/%{srcname}/scripts/create_policy
 %{_bindir}/keylime_attest
+%{_bindir}/keylime_convert_runtime_policy
+%{_bindir}/keylime_create_policy
+%{_bindir}/keylime_sign_runtime_policy
+

 %files tools
 %license LICENSE
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-SHA512 (v6.6.0.tar.gz) = 6de9c1b1485e340c9c1b150842d4d7dcf21dfbd1545c25b934f5b4a980c74e17bb9060648442e1762ca335e45824ec1f158d18e9a1d8af0e9e07b93422f83c5e
+SHA512 (v7.2.5.tar.gz) = 375342f82786b604b534edf31dd0d9203d653562bc1ab0542a90b699e208e8fe4076dce7900c0f66f262c301418ae173390af15c01024e5d02b2b997eeabe702
 SHA512 (keylime-selinux-1.0.0.tar.gz) = d0b4fea7407ad493b08e6f087e8f32b1a65acbee59bf6e20a0e26aaa139f56c1206c7e707898fd8a2e11468cd918f76cb6985f68b8a2faa8a2a4b7a9ba4c3674