.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,2 +1,8 @@
-SOURCES/keylime-selinux-1.2.0.tar.gz
-SOURCES/v7.3.0.tar.gz
+/v6.4.1.tar.gz
+/v6.4.2.tar.gz
+/v6.4.3.tar.gz
+/v6.5.0.tar.gz
+/v6.5.2.tar.gz
+/keylime-selinux-1.0.0.tar.gz
+/v7.3.0.tar.gz
+/keylime-selinux-1.2.0.tar.gz

.keylime.metadata

@@ -1,2 +1 @@
-9130beade415b8e3b02aac8d06678f2c45b939fe SOURCES/keylime-selinux-1.2.0.tar.gz
-400e2b019060b8a6cc255dbfc14c582121acbee1 SOURCES/v7.3.0.tar.gz
+400e2b019060b8a6cc255dbfc14c582121acbee1 v7.3.0.tar.gz

0012-Restore-create-allowlist.patch

@@ -0,0 +1,59 @@
+--- a/scripts/create_runtime_policy.sh	2023-10-09 17:04:26.121194607 +0200
++++ b/scripts/create_runtime_policy.sh	2023-10-09 17:06:02.089855614 +0200
+@@ -42,7 +42,7 @@
+     exit $NOARGS;
+ fi
+ 
+-ALGO=sha1sum
++ALGO=sha256sum
+ 
+ ALGO_LIST=("sha1sum" "sha256sum" "sha512sum")
+ 
+@@ -78,7 +78,7 @@
+ 
+ 
+ # Where to look for initramfs image
+-INITRAMFS_LOC="/boot/"
++INITRAMFS_LOC="/boot"
+ if [ -d "/ostree" ]; then
+     # If we are on an ostree system change where we look for initramfs image
+     loc=$(grep -E "/ostree/[^/]([^/]*)" -o /proc/cmdline | head -n 1 | cut -d / -f 3)
+@@ -121,7 +121,7 @@
+             cp -r /tmp/ima/$i-extracted-unmk/. /tmp/ima/$i-extracted
+         fi
+     elif [[ -x "/usr/lib/dracut/skipcpio" ]] ; then
+-        /usr/lib/dracut/skipcpio $i | gunzip -c | cpio -i -d 2> /dev/null
++        /usr/lib/dracut/skipcpio $i | gunzip -c 2> /dev/null | cpio -i -d 2> /dev/null
+     else
+         echo "ERROR: No tools for initramfs image processing found!"
+         break
+@@ -130,9 +130,26 @@
+     find -type f -exec $ALGO "./{}" \; | sed "s| \./\./| /|" >> $OUTPUT
+ done
+ 
+-# Convert to runtime policy
+-echo "Converting created allowlist to Keylime runtime policy"
+-python3 $WORKING_DIR/../keylime/cmd/convert_runtime_policy.py -a $OUTPUT -o $OUTPUT
++# when ROOTFS_LOC = '/', the path starts on allowlist ends up with double '//'
++#
++# Example:
++#
++# b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  //bar
++#
++# Replace the unwanted '//' with a single '/'
++sed -i 's| /\+| /|g'  $ALLOWLIST_DIR/${OUTPUT}
++
++# When the file name contains newlines or backslashes, the output of sha256sum
++# adds a backslash at the beginning of the line.
++#
++# Example:
++#
++# $ echo foo > ba\\r
++# $ sha256sum ba\\r
++# \b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  ba\\r
++#
++# Remove the unwanted backslash prefix
++sed -i 's/^\\//g' $ALLOWLIST_DIR/${OUTPUT}
+ 
+ # Clean up
+ rm -rf /tmp/ima

0013-Set-generator-and-timestamp-in-create-policy.patch

@@ -0,0 +1,44 @@
+diff --git a/keylime/cloud_verifier_common.py b/keylime/cloud_verifier_common.py
+index a7399d2..c0f416d 100644
+--- a/keylime/cloud_verifier_common.py
++++ b/keylime/cloud_verifier_common.py
+@@ -8,7 +8,7 @@ from keylime.agentstates import AgentAttestState, AgentAttestStates, TPMClockInf
+ from keylime.common import algorithms
+ from keylime.db.verifier_db import VerfierMain
+ from keylime.failure import Component, Event, Failure
+-from keylime.ima import file_signatures
++from keylime.ima import file_signatures, ima
+ from keylime.ima.types import RuntimePolicyType
+ from keylime.tpm import tpm_util
+ from keylime.tpm.tpm_main import Tpm
+@@ -271,7 +271,7 @@ def process_get_status(agent: VerfierMain) -> Dict[str, Any]:
+         logger.debug('The contents of the agent %s attribute "mb_refstate" are %s', agent.agent_id, agent.mb_refstate)
+ 
+     has_runtime_policy = 0
+-    if agent.ima_policy.generator and agent.ima_policy.generator > 1:
++    if agent.ima_policy.generator and agent.ima_policy.generator > ima.RUNTIME_POLICY_GENERATOR.EmptyAllowList:
+         has_runtime_policy = 1
+ 
+     response = {
+diff --git a/keylime/cmd/create_policy.py b/keylime/cmd/create_policy.py
+index 0841d64..086b92a 100755
+--- a/keylime/cmd/create_policy.py
++++ b/keylime/cmd/create_policy.py
+@@ -6,6 +6,7 @@ import argparse
+ import binascii
+ import collections
+ import copy
++import datetime
+ import gzip
+ import json
+ import multiprocessing
+@@ -580,6 +581,9 @@ def main() -> None:
+     policy["excludes"] = sorted(list(set(policy["excludes"])))
+     policy["ima"]["ignored_keyrings"] = sorted(list(set(policy["ima"]["ignored_keyrings"])))
+ 
++    policy["meta"]["generator"] = ima.RUNTIME_POLICY_GENERATOR.LegacyAllowList
++    policy["meta"]["timestamp"] = str(datetime.datetime.now())
++
+     try:
+         ima.validate_runtime_policy(policy)
+     except ima.ImaValidationError as ex:

0014-tpm_util-Replace-a-logger.error-with-an-Exception-in.patch

@@ -0,0 +1,80 @@
+From add9847988e963fd124863736592fc16cc8c716b Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 11 Jul 2023 18:03:28 -0400
+Subject: [PATCH 14/14] tpm_util: Replace a logger.error with an Exception in
+ case of invalid signature
+
+This fixes a possibly severe issue in 7.2.5 & 7.3.0.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ keylime/tpm/tpm_util.py      |  6 +-----
+ keylime/tpm/tpm_util_test.py | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/keylime/tpm/tpm_util.py b/keylime/tpm/tpm_util.py
+index ce2ce0f..58a1a04 100644
+--- a/keylime/tpm/tpm_util.py
++++ b/keylime/tpm/tpm_util.py
+@@ -3,7 +3,6 @@ import string
+ import struct
+ from typing import Any, Dict, List, Optional, Tuple, Union
+ 
+-from cryptography.exceptions import InvalidSignature
+ from cryptography.hazmat import backends
+ from cryptography.hazmat.primitives import hashes, hmac, serialization
+ from cryptography.hazmat.primitives.asymmetric import ec, padding
+@@ -155,10 +154,7 @@ def checkquote(
+     digest.update(quoteblob)
+     quote_digest = digest.finalize()
+ 
+-    try:
+-        verify(pubkey, signature, quote_digest, hashfunc)
+-    except InvalidSignature:
+-        logger.error("Invalid quote signature!")
++    verify(pubkey, signature, quote_digest, hashfunc)
+ 
+     # Check that reported nonce is expected one
+     retDict = tpm2_objects.unmarshal_tpms_attest(quoteblob)
+diff --git a/keylime/tpm/tpm_util_test.py b/keylime/tpm/tpm_util_test.py
+index aaf16cd..2c73997 100644
+--- a/keylime/tpm/tpm_util_test.py
++++ b/keylime/tpm/tpm_util_test.py
+@@ -2,6 +2,7 @@ import base64
+ import unittest
+ from unittest import mock
+ 
++from cryptography.exceptions import InvalidSignature
+ from cryptography.hazmat.primitives.asymmetric.ec import (
+     SECP256R1,
+     EllipticCurve,
+@@ -60,6 +61,26 @@ class TestTpmUtil(unittest.TestCase):
+         except Exception as e:
+             self.fail(f"checkquote failed with {e}")
+ 
++        # test bad input
++        bad_quoteblob = bytearray(quoteblob)
++        bad_quoteblob[5] ^= 0x1
++        with self.assertRaises(InvalidSignature):
++            checkquote(aikblob, nonce, sigblob, bad_quoteblob, pcrblob, "sha256")
++
++        l = list(nonce)
++        l[0] = "a"
++        bad_nonce = "".join(l)
++        with self.assertRaises(Exception):
++            checkquote(aikblob, bad_nonce, sigblob, quoteblob, pcrblob, "sha256")
++
++        bad_pcrblob = bytearray(pcrblob)
++        bad_pcrblob[5] ^= 0x1
++        with self.assertRaises(Exception):
++            checkquote(aikblob, nonce, sigblob, quoteblob, bad_pcrblob, "sha256")
++
++        with self.assertRaises(ValueError):
++            checkquote(aikblob, nonce, sigblob, quoteblob, pcrblob, "sha1")
++
+     @staticmethod
+     def not_random(numbytes: int) -> bytes:
+         return b"\x12" * numbytes
+-- 
+2.41.0
+

e2e_tests.fmf

@@ -0,0 +1,80 @@
+# define context to filter out all test requiring TPM device
+context:
+    swtpm: yes
+    agent: rust
+
+execute:
+    how: tmt
+
+/functional:
+    summary: run keylime e2e tests
+
+    discover:
+        how: fmf
+        url: https://github.com/RedHat-SP-Security/keylime-tests
+        ref: "@.tmt/dynamic_ref.fmf"
+        test:
+         - /setup/configure_tpm_emulator
+         - /setup/inject_SELinux_AVC_check
+         # change IMA policy to simple and run one attestation scenario
+         # this is to utilize also a different parser
+         - /setup/configure_kernel_ima_module/ima_policy_simple
+         - /functional/basic-attestation-on-localhost
+         # now change IMA policy to signing and run all tests
+         - /setup/configure_kernel_ima_module/ima_policy_signing
+         - "^/functional/.*"
+         - "^/compatibility/.*"
+
+/package-update:
+    summary: package update scenario
+
+    prepare:
+      - how: shell
+        order: 90
+        script:
+          # remove installed (tested) keylime and any leftovers
+          - dnf -y remove '*keylime*'
+          - rm -rf /var/lib/keylime /etc/keylime
+          # install older keylime
+          - dnf -y install keylime --disablerepo test-artifacts
+
+    discover:
+
+      - name: Update_scenario_setup
+        how: fmf
+        url: https://github.com/RedHat-SP-Security/keylime-tests
+        ref: "@.tmt/dynamic_ref.fmf"
+        test:
+          - /setup/configure_tpm_emulator
+          - /setup/inject_SELinux_AVC_check
+          - /setup/enable_keylime_debug_messages
+          - /setup/configure_kernel_ima_module/ima_policy_signing
+          # do the actual keylime test setup
+          - /update/basic-attestation-on-localhost/setup
+
+      - name: Update_keylime_package
+        how: shell
+        tests:
+          - name: keylime_update
+            test: dnf -y update '*keylime*'
+            duration: 2m
+
+      - name: Test_scenario_post-update
+        how: fmf
+        url: https://github.com/RedHat-SP-Security/keylime-tests
+        ref: "@.tmt/dynamic_ref.fmf"
+        test:
+          # run the post-update test scenario
+          - /update/basic-attestation-on-localhost/test
+
+/rpmverify:
+    summary: rpmverify test
+
+    discover:
+
+      - name: test
+        how: shell
+        tests:
+          - name: rpmverify
+            test: 'rpmverify $(rpm -qa | grep keylime)'
+            duration: 2m

gating.yaml

@@ -0,0 +1,8 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.openstack-swtpm.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.beaker-tpm-ima.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.beaker-swtpm-multihost.functional}

keylime.spec

@@ -9,7 +9,7 @@
 
 Name:    keylime
 Version: 7.3.0
-Release: 9%{?dist}
+Release: 13%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
 URL:            https://github.com/keylime/keylime
@@ -28,6 +28,9 @@ Patch: 0008-verifier-should-read-parameters-from-verifier.conf-o.patch
 Patch: 0009-CVE-2023-38201.patch
 Patch: 0010-CVE-2023-38200.patch
 Patch: 0011-Automatically-update-agent-API-version.patch
+Patch: 0012-Restore-create-allowlist.patch
+Patch: 0013-Set-generator-and-timestamp-in-create-policy.patch
+Patch: 0014-tpm_util-Replace-a-logger.error-with-an-Exception-in.patch
 
 License: ASL 2.0 and MIT
 
@@ -183,13 +186,19 @@ done
 
 # Ship some scripts.
 mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
-for s in create_runtime_policy.sh \
-         create_mb_refstate \
+for s in create_mb_refstate \
          ek-openssl-verify; do
     install -Dpm 755 scripts/${s} \
         %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
 done
 
+# On RHEL 9.3, install create_runtime_policy.sh as create_allowlist.sh
+# The convert_runtime_policy.py script to convert allowlist and excludelist into
+# runtime policy is not called anymore.
+# See: https://issues.redhat.com/browse/RHEL-11866
+install -Dpm 755 scripts/create_runtime_policy.sh \
+        %{buildroot}/%{_datadir}/%{srcname}/scripts/create_allowlist.sh
+
 # Ship configuration templates.
 cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/
 
@@ -353,7 +362,7 @@ fi
 %attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
 %{_tmpfilesdir}/%{srcname}.conf
 %{_sysusersdir}/%{srcname}.conf
-%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh
+%{_datadir}/%{srcname}/scripts/create_allowlist.sh
 %{_datadir}/%{srcname}/scripts/ek-openssl-verify
 %{_datadir}/%{srcname}/templates
 %{_bindir}/keylime_upgrade_config
@@ -362,6 +371,23 @@ fi
 %license LICENSE
 
 %changelog
+* Fri Jan 05 2024 Sergio Correia <scorreia@redhat.com> - 7.3.0-13
+- Backport fix for CVE-2023-3674
+  Resolves: RHEL-21013
+
+* Tue Oct 17 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-12
+- Set the generator and timestamp in create_policy.py
+  Related: RHEL-11866
+
+* Mon Oct 09 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-11
+- Suppress unnecessary error message
+  Related: RHEL-11866
+
+* Fri Oct 06 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-10
+- Restore allowlist generation script
+  Resolves: RHEL-11866
+  Resolves: RHEL-11867
+
 * Wed Sep 06 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-9
 - Rebuild for properly tagging the resulting build
   Resolves: RHEL-1898

sources

@@ -0,0 +1,2 @@
+SHA512 (v7.3.0.tar.gz) = 6a5ee3e642015b4c09058ab84db9c1c132d94b387284cb363285fb43a875921fdf0e88ef4b67ab886ceed4e6a5a49aeef0334d42d9662d27f865287d3e9e000b
+SHA512 (keylime-selinux-1.2.0.tar.gz) = 6557738add1cebbc962f8366657a028f4092a36aea0d8a624aa0568a50ff49a516d34f16d699366ac039352d219c522c8ee2ab3a8eea69bd72c616cc4e9a9a7c