rpms/keylime
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Populate cert_store_dir with tpmfiles.d

Browse Source 
The TPM cert store is now deployed to /usr/share/keylime/tpm_cert_store
and we use tpmfiles.d to sync the content there to place where Keylime
will read the certificates from, /var/lib/keylime/tpm_cert_store.

Resolves: RHEL-76926

Signed-off-by: Sergio Correia <scorreia@redhat.com>
This commit is contained in:
Sergio Correia 2025-07-04 10:33:56 -03:00
parent 1cce18a56d
commit cf0b35b740
No known key found for this signature in database
GPG Key ID: D0D219ED1F7E762C
2 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
keylime.spec
View File

@ -9,7 +9,7 @@
Name: keylime
Version: 7.12.1
Release: 5%{?dist}
Release: 6%{?dist}
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
URL: https://github.com/keylime/keylime
@ -224,8 +224,12 @@ install -Dpm 644 ./services/%{srcname}_verifier.service \
install -Dpm 644 ./services/%{srcname}_registrar.service \
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
# TPM cert store is deployed to both /usr/share/keylime/tpm_cert_store
# and then /var/lib/keylime/tpm_cert_store.
for cert_store_dir in %{_datadir} %{_sharedstatedir}; do
mkdir -p %{buildroot}/"${cert_store_dir}"/%{srcname}
cp -r ./tpm_cert_store %{buildroot}/"${cert_store_dir}"/%{srcname}/
done
# Install the sysusers + tmpfiles.d configuration.
install -p -D -m 0644 %{SOURCE2} %{buildroot}/%{_sysusersdir}/%{srcname}.conf
@ -402,6 +406,8 @@ fi
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
%attr(500,%{srcname},%{srcname}) %dir %{_datadir}/%{srcname}/tpm_cert_store
%attr(400,%{srcname},%{srcname}) %{_datadir}/%{srcname}/tpm_cert_store/*.pem
%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
%{_tmpfilesdir}/%{srcname}.conf
@ -415,6 +421,10 @@ fi
%license LICENSE
%changelog
* Thu Jul 10 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-6
- Populate cert_store_dir with tpmfiles.d
Resolves: RHEL-76926
* Thu Jul 10 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-5
- Use tmpfiles.d for permissions in /var/lib/keylime and /etc/keylime
Resolves: RHEL-77144

3
keylime.tmpfiles
View File

@ -11,10 +11,13 @@ d /etc/keylime/tenant.conf.d 0500 keylime keylime -
d /etc/keylime/agent.conf.d 0500 keylime keylime -
# TPM certificate store.
# Copy the cert store from /usr/share/keylime/cert_store_dir
# to /var/lib/keylime/cert_store_dir.
# Files inside /var/lib/keylime/tpm_cert_store/ have
# 0400 permission and are owned by keylime/keylime,
# while /var/lib/keylime/tpm_cert_store/ itself has
# permission 0500, also owned by keylime/keylime.
C /var/lib/keylime/tpm_cert_store 0500 keylime keylime - /usr/share/keylime/cert_store_dir
Z /var/lib/keylime/tpm_cert_store 0400 keylime keylime -
z /var/lib/keylime/tpm_cert_store 0500 keylime keylime -
# Finally, /var/lib/keylime itself has 0700 permission,