From bb2aac1ec0427f6850d6c4272bff9188e49a4152 Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Tue, 15 Aug 2023 14:41:58 +0100 Subject: [PATCH] Fix Keylime configuration upgrades issues introduced in last rebase - Fix Keylime configuration upgrades issues introduced in last rebase Resolves: RHEL-475 - Handle session close using a session manager Resolves: RHEL-1252 - Add ignores for EV_PLATFORM_CONFIG_FLAGS Resolves: RHEL-947 --- ...as-the-minimum-for-the-configuration.patch | 51 +++++++++++ ...-str_to_version-for-the-upgrade-tool.patch | 88 ++++++++++++++++++ ...le-add-ignores-for-EV_PLATFORM_CONFI.patch | 50 +++++++++++ 0006-Revert-mapping-changes.patch | 43 +++++++++ ...ession-close-using-a-session-manager.patch | 90 +++++++++++++++++++ keylime.spec | 31 ++++++- 6 files changed, 349 insertions(+), 4 deletions(-) create mode 100644 0003-Use-version-2.0-as-the-minimum-for-the-configuration.patch create mode 100644 0004-Duplicate-str_to_version-for-the-upgrade-tool.patch create mode 100644 0005-elchecking-example-add-ignores-for-EV_PLATFORM_CONFI.patch create mode 100644 0006-Revert-mapping-changes.patch create mode 100644 0007-Handle-session-close-using-a-session-manager.patch diff --git a/0003-Use-version-2.0-as-the-minimum-for-the-configuration.patch b/0003-Use-version-2.0-as-the-minimum-for-the-configuration.patch new file mode 100644 index 0000000..4ecd144 --- /dev/null +++ b/0003-Use-version-2.0-as-the-minimum-for-the-configuration.patch 
@@ -0,0 +1,51 @@ +From b8e26ca5e98e1b842db2fc21411962d40f27c557 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 15 Aug 2023 07:19:28 -0400 +Subject: [PATCH 3/4] Use version 2.0 as the minimum for the configuration + +--- + keylime/cmd/convert_config.py | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/keylime/cmd/convert_config.py b/keylime/cmd/convert_config.py +index ac28151..1d71b99 100755 +--- a/keylime/cmd/convert_config.py ++++ b/keylime/cmd/convert_config.py +@@ -191,7 +191,13 @@ def output(components: List[str], config: RawConfigParser, templates: str, outdi + + # Check that there are templates for all components + for component in components: +- version = config[component]["version"].strip('" ') ++ # Minimum version. ++ version = '2.0' ++ if "version" in config[component]: ++ version = config[component]["version"].strip('" ') ++ else: ++ config[component]["version"] = version ++ + version_dir = os.path.join(templates, version) + if not os.path.isdir(version_dir): + raise Exception(f"Could not find directory {version_dir}") +@@ -292,15 +298,15 @@ def process_mapping( + raise Exception("Invalid version number found in old configuration") + + except (configparser.NoOptionError, configparser.NoSectionError): +- print(f"No version found in old configuration for {component}, using '1.0'") +- old_version = (1, 0) ++ print(f"No version found in old configuration for {component}, using '2.0'") ++ old_version = (2, 0) + else: + # If the old_version does not contain the component from the + # mapping, use the minimum version to use defaults +- old_version = (1, 0) ++ old_version = (2, 0) + + # Skip versions lower than the current version +- if old_version >= new_version: ++ if old_version >= new_version and component in old_config: + new[component] = old_config[component] + continue + +-- +2.39.3 + 
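Review bot: In the new fallback inside `output()`, the `version` string taken from the config is still joined straight into `version_dir = os.path.join(templates, version)` without the format check that `str_to_version` (imported from `keylime.common.version` at this point of the series) performs, so a malformed `version` option selects whatever directory that string names instead of failing with a clear message; guard it before the join with `if str_to_version(version) is None: raise Exception(f"Invalid version '{version}' for {component}")`. The `else` branch also writes the `'2.0'` default back into the caller's `config` object, which is a side effect worth a comment such as `# Record the assumed version so later steps see a consistent config`. Both `output()` and `process_mapping()` begin and end outside the hunk.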
diff --git a/0004-Duplicate-str_to_version-for-the-upgrade-tool.patch b/0004-Duplicate-str_to_version-for-the-upgrade-tool.patch
new file mode 100644
index 0000000..66cb11b
--- /dev/null
+++ b/0004-Duplicate-str_to_version-for-the-upgrade-tool.patch
@@ -0,0 +1,88 @@ +From dbd521e8e8f0ffd9ace79c7b9b888f4cb89488f9 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 15 Aug 2023 06:09:37 -0400 +Subject: [PATCH 4/4] Duplicate str_to_version for the upgrade tool + +So it does not depend on python-keylime +--- + keylime/cmd/convert_config.py | 24 ++++++++++++++++++++++-- + templates/2.0/adjust.py | 22 ++++++++++++++++++++-- + 2 files changed, 42 insertions(+), 4 deletions(-) + +diff --git a/keylime/cmd/convert_config.py b/keylime/cmd/convert_config.py +index c1c6180..cad5e31 100755 +--- a/keylime/cmd/convert_config.py ++++ b/keylime/cmd/convert_config.py +@@ -84,13 +84,33 @@ import importlib.util + import itertools + import json + import os ++import re + import shutil + from configparser import RawConfigParser +-from typing import List, Optional, Tuple ++from typing import List, Optional, Tuple, Union + + from jinja2 import Template + +-from keylime.common.version import str_to_version ++ ++def str_to_version(v_str: str) -> Union[Tuple[int, int], None]: ++ """ ++ Validates the string format and converts the provided string to a tuple of ++ ints which can be sorted and compared. ++ ++ :returns: Tuple with version number parts converted to int. 
In case of ++ invalid version string, returns None ++ """ ++ ++ # Strip to remove eventual quotes and spaces ++ v_str = v_str.strip('" ') ++ ++ m = re.match(r"^(\d+)\.(\d+)$", v_str) ++ ++ if not m: ++ return None ++ ++ return (int(m.group(1)), int(m.group(2))) ++ + + COMPONENTS = ["agent", "verifier", "tenant", "registrar", "ca", "logging"] + +diff --git a/templates/2.0/adjust.py b/templates/2.0/adjust.py +index 312b790..c1e582a 100644 +--- a/templates/2.0/adjust.py ++++ b/templates/2.0/adjust.py +@@ -2,9 +2,27 @@ import ast + import configparser + import re + from configparser import RawConfigParser +-from typing import Dict, List, Optional, Tuple ++from typing import Dict, List, Optional, Tuple, Union + +-from keylime.common.version import str_to_version ++ ++def str_to_version(v_str: str) -> Union[Tuple[int, int], None]: ++ """ ++ Validates the string format and converts the provided string to a tuple of ++ ints which can be sorted and compared. ++ ++ :returns: Tuple with version number parts converted to int. In case of ++ invalid version string, returns None ++ """ ++ ++ # Strip to remove eventual quotes and spaces ++ v_str = v_str.strip('" ') ++ ++ m = re.match(r"^(\d+)\.(\d+)$", v_str) ++ ++ if not m: ++ return None ++ ++ return (int(m.group(1)), int(m.group(2))) + + + def adjust(config: RawConfigParser, mapping: Dict) -> None: # pylint: disable=unused-argument +-- +2.39.3 + diff --git a/0005-elchecking-example-add-ignores-for-EV_PLATFORM_CONFI.patch b/0005-elchecking-example-add-ignores-for-EV_PLATFORM_CONFI.patch new file mode 100644 index 0000000..18a242d --- /dev/null +++ b/0005-elchecking-example-add-ignores-for-EV_PLATFORM_CONFI.patch 
@@ -0,0 +1,50 @@ +From f2432efbeb7b6305067111bb3a77ef5d7da4eb5b Mon Sep 17 00:00:00 2001 +From: Thore Sommer +Date: Thu, 10 Aug 2023 16:15:57 +0300 +Subject: [PATCH 5/6] elchecking/example: add ignores for + EV_PLATFORM_CONFIG_FLAGS + +These are generated by edk2 when used with QEMU, but we do not have a +reference for them. + +Signed-off-by: Thore Sommer +--- + keylime/mba/elchecking/example.py | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/keylime/mba/elchecking/example.py b/keylime/mba/elchecking/example.py +index 8885227..921db4e 100644 +--- a/keylime/mba/elchecking/example.py ++++ b/keylime/mba/elchecking/example.py +@@ -75,7 +75,6 @@ shim_authcode_sha256_no_secureboot = tests.obj_test( + kernel_cmdline=tests.type_test(str), + ) + +- + allowed_kernel_list_test_no_secureboot = tests.list_test(shim_authcode_sha256_no_secureboot) + + +@@ -303,6 +302,20 @@ class Example(policies.Policy): + ), + ), + ) ++ # edk2 measures up to 4 of those events, where we do not have a good way to get a reference ++ # See: ++ # - https://github.com/keylime/keylime/issues/1393 ++ # - https://github.com/tianocore/edk2/commit/935343cf1639a28530904a1e8d73d6517a07cbff ++ dispatcher.set( ++ (1, "EV_PLATFORM_CONFIG_FLAGS"), ++ tests.Or( ++ tests.OnceTest(tests.AcceptAll()), ++ tests.OnceTest(tests.AcceptAll()), ++ tests.OnceTest(tests.AcceptAll()), ++ tests.OnceTest(tests.AcceptAll()), ++ ), ++ ) ++ + dispatcher.set((4, "EV_EFI_ACTION"), tests.EvEfiActionTest(4)) + for pcr in range(8): + dispatcher.set((pcr, "EV_SEPARATOR"), tests.EvSeperatorTest()) +-- +2.39.3 + diff --git a/0006-Revert-mapping-changes.patch b/0006-Revert-mapping-changes.patch new file mode 100644 index 0000000..e06a1c0 --- /dev/null +++ b/0006-Revert-mapping-changes.patch 
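Review bot: The new `EV_PLATFORM_CONFIG_FLAGS` entry accepts any digest for up to four PCR 1 events through `tests.OnceTest(tests.AcceptAll())`, which means those measurements are no longer checked at all, but the comment only says a reference is missing; make the exemption explicit for policy authors, e.g. `# NOTE: up to four of these events are accepted unverified (no reference digest available); tighten once a reference exists`. The removal of the blank line after the `shim_authcode_sha256_no_secureboot` definition is unrelated whitespace. The enclosing method of `Example` begins and ends outside the hunk.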
@@ -0,0 +1,43 @@ +From ed213b9533535ceae5026b2fab274f80bcc58cb8 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 15 Aug 2023 09:18:32 -0400 +Subject: [PATCH 6/6] Revert mapping changes + +--- + templates/2.0/mapping.json | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/templates/2.0/mapping.json b/templates/2.0/mapping.json +index 66addbc..0036b63 100644 +--- a/templates/2.0/mapping.json ++++ b/templates/2.0/mapping.json +@@ -207,7 +207,7 @@ + "registrar_port": { + "section": "cloud_verifier", + "option": "registrar_port", +- "default": "8881" ++ "default": "8891" + }, + "tls_dir": { + "section": "cloud_verifier", +@@ -232,7 +232,7 @@ + "server_key_password": { + "section": "cloud_verifier", + "option": "private_key_pw", +- "default": "" ++ "default": "default" + }, + "enable_agent_mtls": { + "section": "cloud_verifier", +@@ -558,7 +558,7 @@ + "server_key_password": { + "section": "registrar", + "option": "private_key_pw", +- "default": "" ++ "default": "default" + }, + "server_cert": { + "section": "registrar", +-- +2.39.3 + diff --git a/0007-Handle-session-close-using-a-session-manager.patch b/0007-Handle-session-close-using-a-session-manager.patch new file mode 100644 index 0000000..ead77ea --- /dev/null +++ b/0007-Handle-session-close-using-a-session-manager.patch 
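Review bot: The reverted defaults set `private_key_pw` for both the `cloud_verifier` and `registrar` sections to the literal string `"default"`, so a configuration produced by the upgrade tool without an explicit value carries a fixed, publicly known password for the server key; the patch description ("Revert mapping changes") gives no rationale, and should state why the empty default was reverted (presumably to match the shipped templates) and that deployments are expected to override it. The `registrar_port` change from `8881` to `8891` sits in the same hunk and would benefit from the same explanation. Since JSON has no comment syntax, the patch's commit message is the only place this can be documented.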
@@ -0,0 +1,90 @@ +From 3dc40e8b1878d84045ee80cb6d216348713c048a Mon Sep 17 00:00:00 2001 +From: Karel Srot +Date: Tue, 15 Aug 2023 10:00:50 +0200 +Subject: [PATCH 7/7] Handle session close using a session manager + +Resolves https://github.com/keylime/keylime/issues/1455 + +Signed-off-by: Karel Srot +--- + keylime/revocation_notifier.py | 50 +++++++++++++++++----------------- + packit-ci.fmf | 1 + + 2 files changed, 26 insertions(+), 25 deletions(-) + +diff --git a/keylime/revocation_notifier.py b/keylime/revocation_notifier.py +index 31a3095..5cc8b1a 100644 +--- a/keylime/revocation_notifier.py ++++ b/keylime/revocation_notifier.py +@@ -132,32 +132,32 @@ def notify_webhook(tosend: Dict[str, Any]) -> None: + def worker_webhook(tosend: Dict[str, Any], url: str) -> None: + interval = config.getfloat("verifier", "retry_interval") + exponential_backoff = config.getboolean("verifier", "exponential_backoff") +- session = requests.session() +- logger.info("Sending revocation event via webhook...") +- for i in range(config.getint("verifier", "max_retries")): +- next_retry = retry.retry_time(exponential_backoff, interval, i, logger) +- try: +- response = session.post(url, json=tosend, timeout=5) +- if response.status_code in [200, 202]: +- break +- +- logger.debug( +- "Unable to publish revocation message %d times via webhook, " +- "trying again in %d seconds. 
" +- "Server returned status code: %s", +- i, +- next_retry, +- response.status_code, +- ) +- except requests.exceptions.RequestException as e: +- logger.debug( +- "Unable to publish revocation message %d times via webhook, trying again in %d seconds: %s", +- i, +- next_retry, +- e, +- ) ++ with requests.Session() as session: ++ logger.info("Sending revocation event via webhook...") ++ for i in range(config.getint("verifier", "max_retries")): ++ next_retry = retry.retry_time(exponential_backoff, interval, i, logger) ++ try: ++ response = session.post(url, json=tosend, timeout=5) ++ if response.status_code in [200, 202]: ++ break ++ ++ logger.debug( ++ "Unable to publish revocation message %d times via webhook, " ++ "trying again in %d seconds. " ++ "Server returned status code: %s", ++ i, ++ next_retry, ++ response.status_code, ++ ) ++ except requests.exceptions.RequestException as e: ++ logger.debug( ++ "Unable to publish revocation message %d times via webhook, trying again in %d seconds: %s", ++ i, ++ next_retry, ++ e, ++ ) + +- time.sleep(next_retry) ++ time.sleep(next_retry) + + w = functools.partial(worker_webhook, tosend, url) + t = threading.Thread(target=w, daemon=True) +diff --git a/packit-ci.fmf b/packit-ci.fmf +index f4d2dae..7abe313 100644 +--- a/packit-ci.fmf ++++ b/packit-ci.fmf +@@ -108,6 +108,7 @@ adjust: + - /setup/configure_tpm_emulator + - /setup/install_upstream_keylime + - /setup/install_rust_keylime_from_copr ++ - /setup/configure_kernel_ima_module/ima_policy_simple + - /functional/basic-attestation-on-localhost + - /functional/basic-attestation-with-custom-certificates + - /functional/basic-attestation-without-mtls +-- +2.41.0 + diff --git a/keylime.spec b/keylime.spec index 3dd7fe4..57a2f93 100644 --- a/keylime.spec +++ b/keylime.spec @@ -9,7 +9,7 @@ Name: keylime Version: 7.3.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Open source TPM software for Bootstrapping and Maintaining Trust URL: https://github.com/keylime/keylime 
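Review bot: With the retry loop now inside the `with requests.Session()` block, the last iteration still calls `time.sleep(next_retry)` after the final failed attempt, and exhausting `max_retries` produces nothing above debug level, so a revocation that never reached the webhook is invisible in normal logs. A `for ... else:` clause with `logger.warning("Giving up on revocation webhook after %d attempts", config.getint("verifier", "max_retries"))` would make the failure visible, and the sleep can be skipped on the final iteration. The enclosing `notify_webhook` continues outside the hunk; the `packit-ci.fmf` change is a test-plan addition.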
@@ -19,6 +19,11 @@ Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v% Patch: 0001-Remove-usage-of-Required-NotRequired-typing_ext.patch Patch: 0002-Allow-keylime_server_t-tcp-connect-to-several-domain.patch +Patch: 0003-Use-version-2.0-as-the-minimum-for-the-configuration.patch +Patch: 0004-Duplicate-str_to_version-for-the-upgrade-tool.patch +Patch: 0005-elchecking-example-add-ignores-for-EV_PLATFORM_CONFI.patch +Patch: 0006-Revert-mapping-changes.patch +Patch: 0007-Handle-session-close-using-a-session-manager.patch License: ASL 2.0 and MIT @@ -183,14 +188,13 @@ done cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/ mkdir -p --mode=0755 %{buildroot}/%{_bindir} -cp -a ./keylime/cmd/convert_config.py %{buildroot}/%{_bindir}/keylime_upgrade_config +install -Dpm 755 ./keylime/cmd/convert_config.py %{buildroot}/%{_bindir}/keylime_upgrade_config %if 0%{?with_selinux} install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2 install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if %endif - install -Dpm 644 ./services/%{srcname}_verifier.service \ %{buildroot}%{_unitdir}/%{srcname}_verifier.service @@ -211,6 +215,10 @@ install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf %sysusers_create_compat %{SOURCE1} exit 0 +%post base +/usr/bin/keylime_upgrade_config --component ca --component logging >/dev/null +exit 0 + %posttrans base if [ -d %{_sysconfdir}/%{srcname} ]; then chmod 500 %{_sysconfdir}/%{srcname} @@ -222,7 +230,6 @@ if [ -d %{_sysconfdir}/%{srcname} ]; then done fi - [ -d %{_sharedstatedir}/%{srcname} ] && \ chown -R %{srcname} %{_sharedstatedir}/%{srcname}/ 
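Review bot: The new `%post base` scriptlet runs `/usr/bin/keylime_upgrade_config --component ca --component logging >/dev/null` and then `exit 0`, so a failed conversion (non-zero exit) leaves the configuration untouched with no signal in the transaction output beyond whatever the tool printed to stderr; the same pattern is repeated for `%post verifier`, `%post registrar` and `%post tenant` in the following hunk. Consider `... >/dev/null || echo "keylime_upgrade_config failed for ca/logging; re-run it manually" >&2` before the `exit 0` so the administrator sees it. If the tool is only meant to migrate an existing configuration, guard it with `[ $1 -gt 1 ]`; from the hunk alone it is not clear whether a fresh install also relies on it. The path is hard-coded while `%install` uses `%{_bindir}/keylime_upgrade_config`; `%{_bindir}` would keep the two consistent.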
@@ -235,10 +242,18 @@ fi exit 0 %post verifier +/usr/bin/keylime_upgrade_config --component verifier >/dev/null %systemd_post %{srcname}_verifier.service +exit 0 %post registrar +/usr/bin/keylime_upgrade_config --component registrar >/dev/null %systemd_post %{srcname}_registrar.service +exit 0 + +%post tenant +/usr/bin/keylime_upgrade_config --component tenant >/dev/null +exit 0 %preun verifier %systemd_preun %{srcname}_verifier.service @@ -341,6 +356,14 @@ fi %license LICENSE %changelog +* Tue Aug 15 2023 Sergio Correia - 7.3.0-3 +- Fix Keylime configuration upgrades issues introduced in last rebase + Resolves: RHEL-475 +- Handle session close using a session manager + Resolves: RHEL-1252 +- Add ignores for EV_PLATFORM_CONFIG_FLAGS + Resolves: RHEL-947 + * Tue Aug 8 2023 Patrik Koncity - 7.3.0-2 - Keylime SELinux policy provides more restricted ports. - New SELinux label for ports used by keylime.