Update to 6.5.2

Resolves: CVE-2022-3500
Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled

.gitignore

@@ -2,3 +2,4 @@
 /v6.4.2.tar.gz
 /v6.4.3.tar.gz
 /v6.5.0.tar.gz
+/v6.5.2.tar.gz

0001-Do-not-use-default-values-that-need-reading-the-conf.patch

@@ -0,0 +1,130 @@
+From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Tue, 15 Nov 2022 07:09:13 -0300
+Subject: [PATCH] Do not use default values that need reading the config in
+ methods
+
+Following up from the recent refactoring that moved the EK validation
+to cert_utils, in a few places were added default method values that
+were reading the configuration files directly.
+
+It was not such a great idea becasue it then made those config files as
+required to even import the modules.
+
+Example "from keylime import cert_utils" now also requires that the
+tenant configuration be available for getting the path for the TPM
+cert store.
+
+Let's stop doing that.
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ keylime/cert_utils.py       | 5 +++--
+ keylime/tenant.py           | 2 +-
+ keylime/tpm/tpm_abstract.py | 2 +-
+ keylime/tpm/tpm_main.py     | 4 ++--
+ keylime/tpm_ek_ca.py        | 6 +++---
+ 5 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py
+index d2fc54d..3576c64 100644
+--- a/keylime/cert_utils.py
++++ b/keylime/cert_utils.py
+@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+ from pyasn1.codec.der import decoder, encoder
+ from pyasn1_modules import pem, rfc2459
+ 
+-from keylime import config, keylime_logging, tpm_ek_ca
++from keylime import keylime_logging, tpm_ek_ca
+ 
+ # Issue #944 -- python-cryptography won't parse malformed certs,
+ # such as some Nuvoton ones we have encountered in the field.
+@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):
+         return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())
+ 
+ 
+-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:
+     """Verify that the provided EK certificate is signed by a trusted root
+     :param ekcert: The Endorsement Key certificate in DER format
++    :param tpm_cert_store: The path for the TPM certificate store
+     :returns: True if the certificate can be verified, False otherwise
+     """
+     try:
+diff --git a/keylime/tenant.py b/keylime/tenant.py
+index b574d04..076b849 100644
+--- a/keylime/tenant.py
++++ b/keylime/tenant.py
+@@ -430,7 +430,7 @@ class Tenant:
+             elif ekcert is None:
+                 logger.warning("No EK cert provided, require_ek_cert option in config set to True")
+                 return False
+-            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):
++            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):
+                 logger.warning("Invalid EK certificate")
+                 return False
+ 
+diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
+index ff41837..df6222c 100644
+--- a/keylime/tpm/tpm_abstract.py
++++ b/keylime/tpm/tpm_abstract.py
+@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):
+         pass
+ 
+     @abstractmethod
+-    def verify_ek(self, ekcert):
++    def verify_ek(self, ekcert, tpm_cert_store):
+         pass
+ 
+     @abstractmethod
+diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
+index e1d1cf8..e244dfa 100644
+--- a/keylime/tpm/tpm_main.py
++++ b/keylime/tpm/tpm_main.py
+@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):
+                 os.remove(sesspath)
+         return key
+ 
+-    def verify_ek(self, ekcert):
++    def verify_ek(self, ekcert, tpm_cert_store):
+         """Verify that the provided EK certificate is signed by a trusted root
+         :param ekcert: The Endorsement Key certificate in DER format
+         :returns: True if the certificate can be verified, false otherwise
+         """
+-        return cert_utils.verify_ek(ekcert)
++        return cert_utils.verify_ek(ekcert, tpm_cert_store)
+ 
+     def get_tpm_manufacturer(self, output=None):
+         vendorStr = None
+diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py
+index fb66c07..bc84571 100644
+--- a/keylime/tpm_ek_ca.py
++++ b/keylime/tpm_ek_ca.py
+@@ -1,13 +1,13 @@
+ import glob
+ import os
+ 
+-from keylime import config, keylime_logging
++from keylime import keylime_logging
+ 
+ logger = keylime_logging.init_logging("tpm_ek_ca")
+ trusted_certs = {}
+ 
+ 
+-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def check_tpm_cert_store(tpm_cert_store):
+     if not os.path.isdir(tpm_cert_store):
+         logger.error("The directory %s does not exist.", tpm_cert_store)
+         raise Exception(f"The directory {tpm_cert_store} does not exist.")
+@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+         raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")
+ 
+ 
+-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def cert_loader(tpm_cert_store):
+     file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))
+     my_trusted_certs = {}
+     for file_path in file_list:
+-- 
+2.38.1
+

0002-Switch-to-sha256-hashes-for-signatures.patch

@@ -0,0 +1,67 @@
+From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 22 Nov 2022 10:56:43 -0500
+Subject: [PATCH] tests: Switch to sha256 hashes for signatures
+
+Resolves: https://github.com/keylime/keylime/issues/1202
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ test/test_ima_ast.py          |  4 ++--
+ test/test_ima_verification.py | 12 ++++++------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py
+index cd54f95f9..e7d3841a7 100644
+--- a/test/test_ima_ast.py
++++ b/test/test_ima_ast.py
+@@ -14,11 +14,11 @@
+ VALID_ENTRIES = {
+     "ima-sig-rsa": (
+         ast.ImaSig,
+-        "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0",
++        "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f",
+     ),
+     "ima-sig-ec": (
+         ast.ImaSig,
+-        "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31",
++        "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3",
+     ),
+     "ima-sig-missing": (
+         ast.ImaSig,
+diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py
+index bdb929c9c..d2fc9ef16 100644
+--- a/test/test_ima_verification.py
++++ b/test/test_ima_verification.py
+@@ -27,8 +27,8 @@
+         "/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [
+             "cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d"
+         ],
+-        "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"],
+-        "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"],
++        "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
++        "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
+         "/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"],
+     },
+     "keyrings": {
+@@ -50,8 +50,8 @@
+         "version": 1,
+     },
+     "hashes": {
+-        "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"],
+-        "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"],
++        "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
++        "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
+     },
+ }
+ 
+@@ -73,8 +73,8 @@
+ # 1st signature: RSA
+ # 2nd signature: EC
+ SIGNATURES = (
+-    "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0\n"
+-    "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n"
++    "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f\n"
++    "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n"
+ )
+ 
+ COMBINED = MEASUREMENTS + SIGNATURES

keylime.spec

@@ -7,7 +7,7 @@
 %global debug_package %{nil}
 
 Name:    keylime
-Version: 6.5.0
+Version: 6.5.2
 Release: 1%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
@@ -18,6 +18,9 @@ Source2:        %{srcname}.te
 Source3:        %{srcname}.if
 Source4:        %{srcname}.fc
 
+Patch0: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
+Patch1: 0002-Switch-to-sha256-hashes-for-signatures.patch
+
 License: ASL 2.0 and MIT
 
 BuildRequires: git-core
@@ -86,6 +89,7 @@ Requires: python3-lark-parser
 Requires: python3-pyasn1
 Requires: python3-pyasn1-modules
 Requires: tpm2-tools
+Requires: openssl
 
 %description -n python3-%{srcname}
 The python3-keylime module implements the functionality used
@@ -183,7 +187,8 @@ rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
 mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
 for s in create_allowlist.sh \
          create_mb_refstate \
-         create_policy; do
+         create_policy \
+         ek-openssl-verify; do
     install -Dpm 755 scripts/${s} \
         %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
 done
@@ -318,6 +323,7 @@ fi
 %{python3_sitelib}/%{srcname}
 %{_datadir}/%{srcname}/scripts/create_mb_refstate
 %{_datadir}/%{srcname}/scripts/create_policy
+%{_bindir}/keylime_convert_ima_policy
 
 %files base
 %license LICENSE
@@ -333,11 +339,19 @@ fi
 %{_tmpfilesdir}/%{srcname}.conf
 %{_sysusersdir}/%{srcname}.conf
 %{_datadir}/%{srcname}/scripts/create_allowlist.sh
+%{_datadir}/%{srcname}/scripts/ek-openssl-verify
 
 %files
 %license LICENSE
 
 %changelog
+* Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1
+- Update to 6.5.2
+  Resolves: CVE-2022-3500
+  Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
+  Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
+  Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled
+
 * Tue Sep 13 2022 Sergio Correia <scorreia@redhat.com> - 6.5.0-1
 - Update to 6.5.0
   Resolves: rhbz#2120686 - Keylime configuration is too complex

sources

@@ -1 +1 @@
-SHA512 (v6.5.0.tar.gz) = a0f78f841ff3d1b87fb5e6ff222626ba9be72a1cc57077dada09f4c8b938ff2155b493ee6b5cb5e1e22d432edeec0b99e0e75412fd488008121c70339b94267e
+SHA512 (v6.5.2.tar.gz) = de73de8d88dbf3bf394ea65036ef22cd5098318c09ff92b5548af2344a9a6f28d2432356d792b0eae72fe619255c4ecfa51f5c7d185b9612a4a04d2fb8e91649