Commit Graph

85 Commits

Author SHA1 Message Date
Marek Safarik
6611ed9a38 Added manpages for keylime services and the tenant
- Added support for ECC attestation
- Fixed man page RST formatting for rst2man compatibility

Resolves: RHEL-387
2025-10-15 15:19:18 +02:00
Sergio Correia
1ed9c6dfe5
Add support for ECC attestation
Resolves: RHEL-117442

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-10-06 14:28:55 +00:00
Anderson Toshiyuki Sasaki
f1b9a25332
Properly fix malformed TPM certificates workaround
The previous fix attempt on commit 9ae48db was incorrect. This is a
replacement for that fix.

Restore the possibility of using an alternative certificate verification
script to verify the EK certificate.

Resolves: RHEL-111239

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2025-09-15 13:44:17 +02:00
Anderson Toshiyuki Sasaki
6f0ec89584 Avoid opening /dev/stdout when printing
This fixes a test failure during build in ppc64le arch

Related: RHEL-111239

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2025-08-28 17:48:05 +02:00
Anderson Toshiyuki Sasaki
9ae48db98c Fix malformed TPM certificates workaround
Restore the possibility of using an alternative certificate verification
script to verify the EK certificate.

Resolves: RHEL-111239

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2025-08-27 13:53:46 +02:00
Sergio Correia
d49b6792af
mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
tpm2_eventlog may provide the vendor_db data as either a signature list
or raw hex bytes, depending on the version used.

In this commit we add an enrich_vendor_db_authority_variable() function
to make sure we end up with a signature list independent of the format
of the data obtained by tpm2_eventlog.

Related: RHEL-108844

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-08-20 09:50:59 +00:00
Sergio Correia
84e80090a9
Fix for revocation notifier not closing TLS session correctly
Resolves: RHEL-96990

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-08-18 12:18:00 +00:00
Sergio Correia
66d3d39edc
Support vendor_db as logged by newer shim versions
Resolves: RHEL-108844

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-08-12 13:05:56 +01:00
Anderson Toshiyuki Sasaki
67382e6215 Fix DB connection leaks
Resolves: RHEL-102995

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2025-08-08 17:04:40 +02:00
Sergio Correia
e502db4d71
Fix tmpfiles.d configuration related to the cert store
Resolves: RHEL-104571

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-07-24 09:12:44 +01:00
Sergio Correia
17296a6b3a
Populate cert_store_dir with tmpfiles.d
The TPM cert store is now deployed to /usr/share/keylime/tpm_cert_store
and we use tmpfiles.d to sync the content there to the place where Keylime
will read the certificates from, /var/lib/keylime/tpm_cert_store.

Resolves: RHEL-76925

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-07-10 08:43:55 -03:00
Sergio Correia
903b0e83ce
Use tmpfiles.d for permissions in /var/lib/keylime and /etc/keylime
Resolves: RHEL-77143

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-07-10 08:43:54 -03:00
Patrik Koncity
2d4c1fd43c Use the newest keylime-selinux release
New version of keylime-selinux dropping
keylime_var_log_t label.

Resolves: RHEL-101561
2025-07-09 11:29:59 +02:00
Anderson Toshiyuki Sasaki
3929dd712b Avoid changing the ownership of /var/log/keylime
Resolves: RHEL-101561

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2025-07-02 17:32:34 +02:00
Sergio Correia
8d0b3c47db
Drop old keylime policy related scripts
The functionality provided by these scripts is now provided by the
keylime-policy tool.

Resolves: RHEL-79831

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-02-17 15:04:17 +00:00
Sergio Correia
4742bca699
Updating for Keylime release v7.12.1
This update brings the keylime-policy tool.

Resolves: RHEL-75794

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-02-14 12:58:56 +00:00
Troy Dawson
f0dcfc866f Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
2024-10-29 08:39:00 -07:00
Anderson Toshiyuki Sasaki
e1bccbcb9d Use TLS on revocation notification webhook
- Include system installed CA certificates when verifying webhook server
  certificate
- Include the CA certificates added via configuration file option
  'trusted_server_ca'

Resolves: RHEL-49601
Resolves: RHEL-51279
Resolves: RHEL-51321

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2024-08-19 11:32:04 +02:00
Anderson Toshiyuki Sasaki
fdd9b2c51b Restore create_allowlist.sh to be the same as in RHEL-9
Resolves: RHEL-32637

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2024-08-16 17:36:42 +02:00
Karel Srot
f688487375 Add rhel-10 gating.yaml 2024-06-24 16:05:26 +00:00
Troy Dawson
e8fbf501b8 Bump release for June 2024 mass rebuild 2024-06-24 08:53:40 -07:00
Karel Srot
4241665e37 tests: Update CI test plan for C10S
Resolves: RHEL-35979

Signed-off-by: Karel Srot <ksrot@redhat.com>
2024-05-09 15:56:26 +02:00
Sergio Correia
feee12343d
Fixes for rawhide
* Remove python3-keylime-agent subpackage
  It had been removed upstream in 7.0.0 release

* Update dependencies:
  Add python3-jsonschema to python3-keylime
  Add openssl to keylime-base (required by the ek-openssl-verify
    script)
2024-02-12 16:38:51 +00:00
Sergio Correia
705c3a1856
Updating for Keylime release v7.9.0
- Migrated license to SPDX
2024-01-30 18:40:35 +00:00
Fedora Release Engineering
7e7a382ff3 Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-24 23:57:01 +00:00
Fedora Release Engineering
f2cbbd511d Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-21 00:16:57 +00:00
Sergio Correia
50ddc5f8cf
Updating for Keylime release v7.8.0 2023-12-05 16:00:11 +00:00
Sergio Correia
ddfaa1e3f1
Updating for Keylime release v7.7.0 2023-11-02 10:11:52 +00:00
Sergio Correia
1ff58b5d20
Updating for Keylime release v7.5.0 2023-08-24 13:25:29 +01:00
Sergio Correia
c4fb4ff4a2
Updating for Keylime release v7.3.0 2023-07-31 12:22:19 +01:00
Fedora Release Engineering
405de1f2ac Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-20 08:44:04 +00:00
Python Maint
473a0b6c4d Rebuilt for Python 3.12 2023-06-15 18:54:49 +02:00
Sergio Correia
8bd46bc758
Update test plan
Fix regex so that we will not run unwanted tests.
2023-06-06 13:50:41 -03:00
Sergio Correia
6a94ffa449
Updating for Keylime release v7.2.5 2023-06-05 07:41:04 -03:00
Sergio Correia
391573bca0
Updating for Keylime release v6.6.0 2023-02-03 09:48:41 -03:00
Sergio Correia
5173a643e7
e2e tests: do not change the tpm hash alg to sha256
That is already default, since rhbz#2114485, plus the proper way to
do it now would be creating a snippet under /etc/keylime/agent.conf.d.
2023-01-25 15:19:15 -03:00
Sergio Correia
126f6404f2
Updating for Keylime release v6.5.3 2023-01-25 14:32:00 -03:00
Fedora Release Engineering
d2197f4062 Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 14:24:11 +00:00
Karel Srot
75167c22c0 Ignore non-keylime AVCs on Fedora Rawhide 2022-12-12 12:48:16 +01:00
Sergio Correia
39928f5149
Proper exception handling in tornado_requests
Fixes: CVE-2022-3500
2022-12-09 09:16:37 -03:00
Sergio Correia
2ff4a57711
Do not remove tag-repository.repo 2022-12-09 09:16:37 -03:00
Karel Srot
5ce5dc11c1 Add dynamic_ref reference to e2e_tests.fmf 2022-12-01 13:14:23 +01:00
Patrik Koncity
761a2a2733 Add keylime selinux policy as subpackage and update CI 2022-10-25 08:52:11 +02:00
Sergio Correia
ca613224de Update tests branch to fedora-main 2022-09-14 08:30:55 -03:00
Sergio Correia
e6d044d7f3 Updating for Keylime release v6.4.3 2022-08-24 22:33:13 -03:00
Fedora Release Engineering
33289197f6 Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-21 15:54:20 +00:00
Sergio Correia
bee1262a8b Wrap efivar-libs dependency in a "ifarch %efi" 2022-07-11 08:05:28 -03:00
Sergio Correia
53cec23924 Fix efivar-libs dependency
- Some arches do not have efivar-libs, so let's require it
  conditionally.
2022-07-08 20:45:47 -03:00
Sergio Correia
a7cf835927 Updating for Keylime release v6.4.2
- Remove keylime-webapp and mark package as obsolete
- Configure tmpfiles.d
- Move common python dependencies to python3-keylime
- Change dependency from python3-gnupg to python3-gpg
- Use sysusers.d for handling user creation
2022-07-08 15:39:47 -03:00
Sergio Correia
15dee78736 Adjust Fedora CI test plan as per upstream 2022-07-08 15:39:47 -03:00