From 6c01a5e3eca987047b4e83c5279f397ca0f32b49 Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Mon, 14 Nov 2022 19:24:32 -0300 Subject: [PATCH] Update to 6.5.2 Resolves: CVE-2022-3500 Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled --- .gitignore | 1 + ...lt-values-that-need-reading-the-conf.patch | 130 ++++++++++++++++++ ...itch-to-sha256-hashes-for-signatures.patch | 67 +++++++++ keylime.spec | 18 ++- sources | 2 +- 5 files changed, 215 insertions(+), 3 deletions(-) create mode 100644 0001-Do-not-use-default-values-that-need-reading-the-conf.patch create mode 100644 0002-Switch-to-sha256-hashes-for-signatures.patch diff --git a/.gitignore b/.gitignore index 8c763a8..8033cbf 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /v6.4.2.tar.gz /v6.4.3.tar.gz /v6.5.0.tar.gz +/v6.5.2.tar.gz diff --git a/0001-Do-not-use-default-values-that-need-reading-the-conf.patch b/0001-Do-not-use-default-values-that-need-reading-the-conf.patch new file mode 100644 index 0000000..2c4ace1 --- /dev/null +++ b/0001-Do-not-use-default-values-that-need-reading-the-conf.patch @@ -0,0 +1,130 @@ +From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Tue, 15 Nov 2022 07:09:13 -0300 +Subject: [PATCH] Do not use default values that need reading the config in + methods + +Following up from the recent refactoring that moved the EK validation +to cert_utils, in a few places were added default method values that +were reading the configuration files directly. + +It was not such a great idea becasue it then made those config files as +required to even import the modules. + +Example "from keylime import cert_utils" now also requires that the +tenant configuration be available for getting the path for the TPM +cert store. + +Let's stop doing that. + +Signed-off-by: Sergio Correia +--- + keylime/cert_utils.py | 5 +++-- + keylime/tenant.py | 2 +- + keylime/tpm/tpm_abstract.py | 2 +- + keylime/tpm/tpm_main.py | 4 ++-- + keylime/tpm_ek_ca.py | 6 +++--- + 5 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py +index d2fc54d..3576c64 100644 +--- a/keylime/cert_utils.py ++++ b/keylime/cert_utils.py +@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey + from pyasn1.codec.der import decoder, encoder + from pyasn1_modules import pem, rfc2459 + +-from keylime import config, keylime_logging, tpm_ek_ca ++from keylime import keylime_logging, tpm_ek_ca + + # Issue #944 -- python-cryptography won't parse malformed certs, + # such as some Nuvoton ones we have encountered in the field. +@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str): + return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend()) + + +-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")): ++def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool: + """Verify that the provided EK certificate is signed by a trusted root + :param ekcert: The Endorsement Key certificate in DER format ++ :param tpm_cert_store: The path for the TPM certificate store + :returns: True if the certificate can be verified, False otherwise + """ + try: +diff --git a/keylime/tenant.py b/keylime/tenant.py +index b574d04..076b849 100644 +--- a/keylime/tenant.py ++++ b/keylime/tenant.py +@@ -430,7 +430,7 @@ class Tenant: + elif ekcert is None: + logger.warning("No EK cert provided, require_ek_cert option in config set to True") + return False +- elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)): ++ elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")): + logger.warning("Invalid EK certificate") + return False + +diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py +index ff41837..df6222c 100644 +--- a/keylime/tpm/tpm_abstract.py ++++ b/keylime/tpm/tpm_abstract.py +@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta): + pass + + @abstractmethod +- def verify_ek(self, ekcert): ++ def verify_ek(self, ekcert, tpm_cert_store): + pass + + @abstractmethod +diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py +index e1d1cf8..e244dfa 100644 +--- a/keylime/tpm/tpm_main.py ++++ b/keylime/tpm/tpm_main.py +@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM): + os.remove(sesspath) + return key + +- def verify_ek(self, ekcert): ++ def verify_ek(self, ekcert, tpm_cert_store): + """Verify that the provided EK certificate is signed by a trusted root + :param ekcert: The Endorsement Key certificate in DER format + :returns: True if the certificate can be verified, false otherwise + """ +- return cert_utils.verify_ek(ekcert) ++ return cert_utils.verify_ek(ekcert, tpm_cert_store) + + def get_tpm_manufacturer(self, output=None): + vendorStr = None +diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py +index fb66c07..bc84571 100644 +--- a/keylime/tpm_ek_ca.py ++++ b/keylime/tpm_ek_ca.py +@@ -1,13 +1,13 @@ + import glob + import os + +-from keylime import config, keylime_logging ++from keylime import keylime_logging + + logger = keylime_logging.init_logging("tpm_ek_ca") + trusted_certs = {} + + +-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")): ++def check_tpm_cert_store(tpm_cert_store): + if not os.path.isdir(tpm_cert_store): + logger.error("The directory %s does not exist.", tpm_cert_store) + raise Exception(f"The directory {tpm_cert_store} does not exist.") +@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")): + raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files") + + +-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")): ++def cert_loader(tpm_cert_store): + file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem")) + my_trusted_certs = {} + for file_path in file_list: +-- +2.38.1 + diff --git a/0002-Switch-to-sha256-hashes-for-signatures.patch b/0002-Switch-to-sha256-hashes-for-signatures.patch new file mode 100644 index 0000000..6401048 --- /dev/null +++ b/0002-Switch-to-sha256-hashes-for-signatures.patch @@ -0,0 +1,67 @@ +From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Tue, 22 Nov 2022 10:56:43 -0500 +Subject: [PATCH] tests: Switch to sha256 hashes for signatures + +Resolves: https://github.com/keylime/keylime/issues/1202 +Signed-off-by: Stefan Berger +--- + test/test_ima_ast.py | 4 ++-- + test/test_ima_verification.py | 12 ++++++------ + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py +index cd54f95f9..e7d3841a7 100644 +--- a/test/test_ima_ast.py ++++ b/test/test_ima_ast.py +@@ -14,11 +14,11 @@ + VALID_ENTRIES = { + "ima-sig-rsa": ( + ast.ImaSig, +- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0", ++ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f", + ), + "ima-sig-ec": ( + ast.ImaSig, +- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31", ++ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3", + ), + "ima-sig-missing": ( + ast.ImaSig, +diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py +index bdb929c9c..d2fc9ef16 100644 +--- a/test/test_ima_verification.py ++++ b/test/test_ima_verification.py +@@ -27,8 +27,8 @@ + "/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [ + "cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d" + ], +- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"], +- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"], ++ "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"], ++ "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"], + "/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"], + }, + "keyrings": { +@@ -50,8 +50,8 @@ + "version": 1, + }, + "hashes": { +- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"], +- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"], ++ "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"], ++ "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"], + }, + } + +@@ -73,8 +73,8 @@ + # 1st signature: RSA + # 2nd signature: EC + SIGNATURES = ( +- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0\n" +- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n" ++ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f\n" ++ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n" + ) + + COMBINED = MEASUREMENTS + SIGNATURES diff --git a/keylime.spec b/keylime.spec index acf4a9a..6ae3078 100644 --- a/keylime.spec +++ b/keylime.spec @@ -7,7 +7,7 @@ %global debug_package %{nil} Name: keylime -Version: 6.5.0 +Version: 6.5.2 Release: 1%{?dist} Summary: Open source TPM software for Bootstrapping and Maintaining Trust @@ -18,6 +18,9 @@ Source2: %{srcname}.te Source3: %{srcname}.if Source4: %{srcname}.fc +Patch0: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch +Patch1: 0002-Switch-to-sha256-hashes-for-signatures.patch + License: ASL 2.0 and MIT BuildRequires: git-core @@ -86,6 +89,7 @@ Requires: python3-lark-parser Requires: python3-pyasn1 Requires: python3-pyasn1-modules Requires: tpm2-tools +Requires: openssl %description -n python3-%{srcname} The python3-keylime module implements the functionality used @@ -183,7 +187,8 @@ rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts for s in create_allowlist.sh \ create_mb_refstate \ - create_policy; do + create_policy \ + ek-openssl-verify; do install -Dpm 755 scripts/${s} \ %{buildroot}/%{_datadir}/%{srcname}/scripts/${s} done @@ -318,6 +323,7 @@ fi %{python3_sitelib}/%{srcname} %{_datadir}/%{srcname}/scripts/create_mb_refstate %{_datadir}/%{srcname}/scripts/create_policy +%{_bindir}/keylime_convert_ima_policy %files base %license LICENSE @@ -333,11 +339,19 @@ fi %{_tmpfilesdir}/%{srcname}.conf %{_sysusersdir}/%{srcname}.conf %{_datadir}/%{srcname}/scripts/create_allowlist.sh +%{_datadir}/%{srcname}/scripts/ek-openssl-verify %files %license LICENSE %changelog +* Mon Nov 14 2022 Sergio Correia - 6.5.2-1 +- Update to 6.5.2 + Resolves: CVE-2022-3500 + Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other + Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script + Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled + * Tue Sep 13 2022 Sergio Correia - 6.5.0-1 - Update to 6.5.0 Resolves: rhbz#2120686 - Keylime configuration is too complex diff --git a/sources b/sources index a437fdd..a879d04 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (v6.5.0.tar.gz) = a0f78f841ff3d1b87fb5e6ff222626ba9be72a1cc57077dada09f4c8b938ff2155b493ee6b5cb5e1e22d432edeec0b99e0e75412fd488008121c70339b94267e +SHA512 (v6.5.2.tar.gz) = de73de8d88dbf3bf394ea65036ef22cd5098318c09ff92b5548af2344a9a6f28d2432356d792b0eae72fe619255c4ecfa51f5c7d185b9612a4a04d2fb8e91649