The included patches implement graceful shutdown for both pull and push models, cancelling pending operations and waiting for critical in-flight operations to finish before shutting down.

Backport the following upstream PRs:
- https://github.com/keylime/keylime/pull/1809
  - Document supported configuration options
  - Sync missing and removed options from configuration templates
- https://github.com/keylime/keylime/pull/1868
  - Remove 'enable_authentication' from agent config templates
- https://github.com/keylime/keylime/pull/1855
  - Add push-model documentation
- https://github.com/keylime/keylime/pull/1869
  - Add verifier graceful shutdown
- https://github.com/keylime/keylime/pull/1883
  - Ignore SIGTERM and SIGINT signals on Manager and parent processes
- https://github.com/keylime/keylime/pull/1886
  - Move socket from /tmp to /var/run/keylime

Also, update keylime-selinux to the latest release (43.2.1) to include the following changes:
- https://github.com/RedHat-SP-Security/keylime-selinux/pull/33
  - Allow Keylime to perform socket operation on /var/run/keylime
- https://github.com/RedHat-SP-Security/keylime-selinux/pull/34
  - Allow Keylime to read /proc/net to populate certificates Subject Alternative Names (SAN)

Documentation updates and configuration template updates were included to allow the graceful shutdown patch to apply cleanly.

This also modifies the test runner to use pytest, adding python3-pytest to the BuildRequires. This was necessary to allow the fixtures created in conftest.py to be used, which is not available when running with unittest.

Resolves: RHEL-151493
Resolves: RHEL-151408

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
47 lines
1.9 KiB
Diff
From 416d3906fe4071132d5cdc494f828ce3a909f336 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Fri, 20 Mar 2026 10:57:23 +0100
Subject: [PATCH] Remove enable_authentication agent config option
The Rust agent does not parse the enable_authentication
configuration option and always performs authentication.
Remove the option from both the agent.j2 template and the
2.5 mapping.json to avoid exposing a non-functional setting
to users.
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
---
templates/2.5/agent.j2 | 7 -------
templates/2.5/mapping.json | 3 +--
2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/templates/2.5/agent.j2 b/templates/2.5/agent.j2
index d5eec733d..5e9a1a706 100644
--- a/templates/2.5/agent.j2
+++ b/templates/2.5/agent.j2
@@ -274,10 +274,3 @@ ima_ml_path = "{{ agent.ima_ml_path }}"
# If set as a relative path, it will be considered from the root path "/".
# If set as an absolute path, it will use it without changes
measuredboot_ml_path = "{{ agent.measuredboot_ml_path }}"
-
-# Enable challenge-response authentication for push model attestation.
-# When enabled, the agent will authenticate with the verifier using TPM-based
-# proof of possession before sending attestation evidence.
-# This option is specific to the push attestation model.
-# The default is False (disabled).
-enable_authentication = {{ agent.enable_authentication }}
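Review bot: the removed comment's claim that "The default is False (disabled)" contradicts the commit message, which says the Rust agent always performs authentication, so dropping the whole block from agent.j2 is the right fix rather than just rewording the comment. Consider stating in the commit message or the 2.5 release notes that an `enable_authentication` line left in an already generated agent.conf is ignored and does not disable authentication, since an operator who took the old comment at face value may currently believe push-model authentication is off.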
diff --git a/templates/2.5/mapping.json b/templates/2.5/mapping.json
index 522aa4ce9..4b198e768 100644
--- a/templates/2.5/mapping.json
+++ b/templates/2.5/mapping.json
@@ -13,8 +13,7 @@
"ima_ml_count_file": "/tmp/ima_ml_count",
"uefi_logs_evidence_version": "1.0",
"tls_accept_invalid_certs": "false",
- "tls_accept_invalid_hostnames": "false",
- "enable_authentication": "true"
+ "tls_accept_invalid_hostnames": "false"
}
},
"verifier": {
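Review bot: the JSON stays valid here, since the trailing comma is dropped from `"tls_accept_invalid_hostnames": "false"` when it becomes the last key in the agent object, and removing the entry also clears the inconsistency between this mapping's `"enable_authentication": "true"` and the template comment's stated default of False. Because mapping.json supplies the values rendered into agent.j2, please confirm nothing else under templates/2.5 still references the `enable_authentication` key, otherwise rendering that template would fail on a missing value.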