Revisions of keylime
buildservice-autocommit
accepted
request 1031364
from
Alberto Planas Dominguez (aplanas)
(revision 56)
Alberto Planas Dominguez (aplanas)
(revision 56)
baserev update by copy to link target
Alberto Planas Dominguez (aplanas)
accepted
request 1031363
from
Alberto Planas Dominguez (aplanas)
(revision 55)
- Update to version v6.5.2: * Back to 6.5.1 * This PR fixes a bug that prevented 6.5.x verifiers from interacting with 6.2. agents * Revert "Revert "tenant: open file to send utf-8 encoded" (#1136)" (#1141) * Revert "tenant: open file to send utf-8 encoded" (#1136) * ca_util: allow users in the same group to read the created certificates and keys (#1138) * Update sample ima-policy to exclude overlayfs * installer: remove tarball option
buildservice-autocommit
accepted
request 1030126
from
Factory Maintainer (factory-maintainer)
(revision 54)
Factory Maintainer (factory-maintainer)
(revision 54)
baserev update by copy to link target
Alberto Planas Dominguez (aplanas)
accepted
request 1010444
from
Alberto Planas Dominguez (aplanas)
(revision 53)
- Update requirement name to python-lark
buildservice-autocommit
accepted
request 1010122
from
Alberto Planas Dominguez (aplanas)
(revision 52)
Alberto Planas Dominguez (aplanas)
(revision 52)
baserev update by copy to link target
Alberto Planas Dominguez (aplanas)
accepted
request 1010121
from
Alberto Planas Dominguez (aplanas)
(revision 51)
- Drop replace-use-of-cryptography.utils.register_interface.patch, already upstream - Update to version v6.5.1: * Bump version to 6.5.1 * Fix proper exception handling and impedance match in `tornado_requests` (#1128) * elchecking/tests: fix type hints for Dispatcher * tpm_main: unescape UEFI eventlog strings * elchecking: fix standalone program * elchecking/example: add support for MokListTrusted variable * README, docs: remove reference to ipsec demo * docs: fix typo and note box rendering * docs: update installation instructions * make Rust agent official, add depreacation warnings to Python agent * GH first-interaction action is busted, workaround * Replace use of cryptography.utils.register_interface * Remove unnecessary config symbolic link * Small changes required by enhancement #73 "Durable (Offline) Attestion" * docs, README: add reference to official Docker containers * Fix typo in ISSUE_TEMPLATE.md
Alberto Planas Dominguez (aplanas)
accepted
request 1009567
from
Alberto Planas Dominguez (aplanas)
(revision 50)
- Add replace-use-of-cryptography.utils.register_interface.patch to support new cryptography 38.0
buildservice-autocommit
accepted
request 1006460
from
Alberto Planas Dominguez (aplanas)
(revision 49)
Alberto Planas Dominguez (aplanas)
(revision 49)
baserev update by copy to link target
Alberto Planas Dominguez (aplanas)
accepted
request 1006458
from
Alberto Planas Dominguez (aplanas)
(revision 48)
- Remove keylime.conf.diff patch. Now the configuration file is
generated during build time
- The "config" subpackage shared only the logger configuration file
- New "tenant" subpackage for the Tenant command line tool
- Drop webapp service port in firewall XML service file
- Update to version v6.5.0:
* Bump up versions to 6.5.0
* Enable testing of Rust agent as well as Python by default
* New readthedocs location for keylime
* test_restful: Add test for /keys/verify endpoint to rust tests
* test_restful: Fix testing with rust agent
* run_tests: Install rust agent when RUST_TEST is defined
* A fix for "per-agent verifier-issued epoch timestamp"
* Move SQLite ref integrity pragma to keylime_db
* Separate CA key store password from server key password
* Generate missing key and certificates
* verifier: Add a configuration option to set timeouts
* config: Change default value for getfloat() to -1.0
* tenant: Add request_timeout configuration option
* tpm_main: Move agent specific initialization to tpm_init()
* failure: Do not read the verifier config on load
* logging, verifier: Read configuration only when needed
* tpm_ek_ca: Access tenant config file when needed
* tpm_main: Only access agent configuration if needed
* keylime_agent: Use a single tpm instance
* config: Evaluate snippets in /usr/etc/keylime before /etc/keylime
* Remove ignore_hostname argument from RequestsClient() calls
* requests_client: Ignore hostname verification by default
* web_util: Remove unneeded checks for absolute paths before joining
* requests_client: remove RequestClient class variables
* elchecking/policies: Use config.getlist() for measured_boot_imports
* mappings: Add back missing option measured_boot_imports to verifier config
* verifier: Fail earlier if mTLS cert is missing when required
* crypto: Replace if block with conditional argument passing
* config: Drop unused getdict()
* config: Use python generator to strip strings in the list
* verifier: Drop 'cloud' from 'cloudverifier_' variables
* verifier: Always generate TLS context to contact the agent
* ca_util: Replace if block with conditional argument
* Drop broken auto-ipsec demos
* tenant: Do not disable TLS when enable_agent_mtls = False
* test_config: Reload configuration on tearDown
* Change the meaning of trusted_client_ca=default for the agent
* Install configuration files in test scripts
* Add jinja2 as requirement for building and testing
* tenant: Fix mention to old configuration section
* tenant, verifier: Fix mTLS disablement
* tenant: Do not try to verify EK cert when not required
* Adjust test_restful to use the new configuration file
* ima: Do not try to read excludelist if it is None
* tenant: Use empty tpm_policy by default
* Read measured boot configuration when needed
* Add support for password encrypted keys
* Change owner of config files and fix sed command in services installer
* installer: Build and install split configuration files
* Fix configuration unit tests
* Remove trailing and leading white spaces in config.get_list()
* Make changes to use the new configuration files
* Add script to convert old config to new config
* Ignore false positive for lints
* Implement additional test to cover in-use deletion case
* Enable referential integrity for foreign keys in Keylime DB
* Prevent deletion of in-use allowlists via tenant + better error handling
* Fixes #1046 by explicitly and carefully dealing with a corner case.
* Fixes #1072 by explicitly and carefully dealing with yet another corner case.
* Define context agent due to keylime-tests PR#193
* Adds two small utilities which are used by "Offline Attestation" (enhancement #73)
* This commit solves #1091 by adding a per-agent verifier-issued epoch timestamp
* Remove keylime-bot
* Verifier log message improvements for large-scale testing.
* Bump version to 6.4.3
* KEYLIME_DIR should not be clobbered in TEST_MODE
* registrar: parse EK cert with pyasn1
* Reject invalid hash algorithms passed as arguments
* Treat tpm_cert_store as absolute path
* Fix for cloudverifier_tornado: 408 ('timeout') errors are retried instead of causing immediate attestation failure
* Typo fix: the two certificates got copied over each other during the openssl process by mistake.
* I downloaded the certs from here:
* Remove cryptodome.py from keylime
* Refactor allowlist handling on verifier to prevent premature DB writes
* With this change, the `verifier` will now use the `tpm2_print` command to extract clock information from the quote. It will then uses this information to make decisions about the attestation of the agent (i.e., the quote timestamp has to monotonically grow in a TPM which wasn't restarted/reset). In order to make this comparison the clock information from the previous quote is stored on the database and then both timestamps are compared.
* tpm_ek_ca: remove atmel keys
* Throw an error if --exclude is used without --allowlist
* Complete implementation of the Allowlists API
* readme: minor fixes
* Handle output file and algo validation errors
* Fixes #1063 in a minimalistic way, by making log output configurable
* Fix spacing
* Update fmf plans to run test which checking tenant verify options
* Fixes #1057 ensuring that the verifier can be restarted cleanly when mTLS for agents is disabled
* Adds a per-agent counter for "successfull attestations" on Keylime.
* Replace tabs with spaces
* Keep original control structure, minimize change
* Update installer.sh for RHEL8, PowerTools
* Set swtpm context which is later used for test filtering
* Update fmf plans to run tests which checking ek_certs
* Minor fixes
* Expand documentation for Measured Boot with additional info/examples.
* Fix the project logo in the readme (#1049)
* Add docs status to README
buildservice-autocommit
accepted
request 989361
from
Alberto Planas Dominguez (aplanas)
(revision 47)
Alberto Planas Dominguez (aplanas)
(revision 47)
baserev update by copy to link target
Alberto Planas Dominguez (aplanas)
accepted
request 989360
from
Alberto Planas Dominguez (aplanas)
(revision 46)
- Replace python-gpg requirement - Fix consolidation for _distconfdir and _sysconfdir macro
Alberto Planas Dominguez (aplanas)
accepted
request 989198
from
Alberto Planas Dominguez (aplanas)
(revision 45)
- Use chown -h to adjust persmissions for downgrade migration. This skip following symlinks and make the migration possible (bsc#1201466) - Fix consolidation for _distconfdir and _sysconfdir macro - Update to version v6.4.2: * Bump version # to 6.4.2 * Use python3-gpg instead of python3-gnupg * Update Packit CI tests to test both agent and zeromq revocation notifiers * ima_ast: Make entry parsing stricter * ima_ast: Calculate length of "n" and "n-ng" in bytes * Fix broken URLs in README (Additional Reading) * Remove CFSSL leftovers * signing: move exception handing to verify_signature() * Set revocation_notifiers = agent as default in keylime.conf * cloud_verifier: Support /notifications/revocation REST API * keylime_agent: Support /notifications/revocation REST method * revocation_notifier: Factor out revocation message processing * keylime: initialize supplementary groups when dropping privileges * Refactor allowlist processing to enable verifier-side signature checks * Full removal of the tenant WebApp * update roadmap for 2022 and 2023 * docs: make Python requirements less strict * docs: update API documentation for 2.1, add missing fields for agent quote * Add python3-alembic to distros * Update fmf plans to run test with IMA policy * Drop SPDX-License-Identifier header * Adjust CI test name according to keylime-tests PR#125 * ci: Run lint with Python 3.6 as well * [trivial]: fix style of recently added docs files * Improve error handling when doing signature verification * Fix coverage file paths in submit-HEAD-coverage workflow * Adding files from keylime-docs into main repo - Fix keylime service home directory - Adjust the directory for the TPM certificates
buildservice-autocommit
accepted
request 985769
from
Alberto Planas Dominguez (aplanas)
(revision 44)
Alberto Planas Dominguez (aplanas)
(revision 44)
baserev update by copy to link target
Alberto Planas Dominguez (aplanas)
accepted
request 985768
from
Alberto Planas Dominguez (aplanas)
(revision 43)
- Conflict also rust-keylime for all the subpackages
buildservice-autocommit
accepted
request 984735
from
Alberto Planas Dominguez (aplanas)
(revision 42)
Alberto Planas Dominguez (aplanas)
(revision 42)
baserev update by copy to link target
Alberto Planas Dominguez (aplanas)
accepted
request 984734
from
Alberto Planas Dominguez (aplanas)
(revision 41)
- Remove user downgrade mechanism from the package (CVE-2022-31250, bsc#1200885)
Alberto Planas Dominguez (aplanas)
accepted
request 984699
from
Alberto Planas Dominguez (aplanas)
(revision 40)
Include the logrotate in the refactor
Alberto Planas Dominguez (aplanas)
accepted
request 984696
from
Alberto Planas Dominguez (aplanas)
(revision 39)
Simplify the consolidation code, and make it more clear
Alberto Planas Dominguez (aplanas)
accepted
request 984683
from
Alberto Planas Dominguez (aplanas)
(revision 38)
- Add logrotate configuration for the services
- Create run directory as non-root user
- Conflict with rust-keylime
- Consolidate in _distconfdir when possible
- Update to version v6.4.1:
* Bump version for pypi
* verifier: ensure that execptions caused by the agent result in a failure
* tpm_main: add failure tagging to measured boot parsing
* tpm_main: fix temp file handling in parse_binary_bootlog(..)
* pylint: fix bad-option-value and implicit-str-concat warnings
* ca: drop support for using CFSSL as a backend
* ca_openssl_impl: add basic support for generating a CRL
* config: change libefivar.so to libefivar.so.1
* elchecking: add workaround for wrong GUID parsing
* Add test /functional/measured-boot-swtpm-sanity to Packit CI plan
* Fix order of parameters in an error message
* pylint: remove usage of distutils because it is deprecated
* ca_util: do not use deprecated setDeamon() call
* elchecking: error if policy name is invalid, change default to reject-all
* Simplify GitHub Actions used for code coverage processing
* ima_dm: enable support for dm_target_update events
* benchmark: remove benchmark code
* ima: remove read_unpack(..) function
* Fixes #996, by properly catching exceptions resulting from network problems on the verifier.
* List tests in Packit-CI plan explicitly
* contributing: add section about code style
* fix git blame ignore entry for code style changes
* Enable test /functional/basic-attestation-without-mtls
* Defer loading PyZMQ to avoid optional dependency
* Unify log messages about deleting agent from CV
* Ignore reformat commit for git blame
* Reformat Keylime with isort and black to new code style
* Introducing pre-commit hook to enforce code style with isort and black
- Drop already merged patches:
* config-libefivars.diff
- Drop cfssl dependency, as uses openssl only
- Drop cfssl firewalld rule
- Update to version v6.4.0 (CVE-2022-1053, boo#1199253):
* general: bump Keylime version to 6.4.0
* tests: adjust tests to reflect latest API changes
* api: bump version to 2.1
* config: remove unused registrar mTLS options in cloud_verifier section
* tenant, verifier: let the tenant provide the AK and mTLS certificate
* Fix exit call in scripts/download_packit_coverage.sh
* Added codecov.io description to TESTING.md
* ci: only run CodeQL on the keylime directory and disable it for the webapp
* Enable GitHub workflow integrating codecov.io
* README: Fix and cleanup the install instructions
* ima: add backport for dataclasses support for Python 3.6
* ima: add info that device mapper validation is still experimental
* add lark as a dependency
* ima: integrate dm validator into gernal IMA validation
* agentstates: add the option to load and store dm validator state
* ima: add parser and validator for device mapper entries
* ima_file_signatures: rename to file_signatures
* ima_ast: rename to ast
* ima: move IMA components into their own module
* failure: add function to get current event ids
* config: add more details for tpm_cert_store option
* Deprecate API version 1.0
* config, webapp: remove tls_check_hostnames option
* ci: add CodeQL analysis
* agent, tpm: remove is_vtpm() check
* tests: update to reflect vTPM removal
* remove vTPM related helper files and documentation
* config: remove vTPM related options
* tenant: remove vtpm_policy
* verifier: remove vtpm_policy
* remove REQUIRE_ROOT environment option
* Remove Testing farm tag-repository
* Bump required packaging module version to 20.0
* Remove last traces of M2Crypto
* Workaround for mock_open not supporting iteration in Python 3.6
- Fix "run_as" configuration parameter and set it to keylime:tss
- Improve downgrade user migration during package update
- Update to version v6.3.2:
* general: bump Keylime version to 6.3.2
* tpm_main: flush transient objects
* pypi: add notice that the Python API is unstable
* installer: use OpenSSL by default
* Avoid mounting secdir while unmounting it
* remove TPM, VTPM and IMA stubbing support
* archive: remove all archive files
* Change GH reviewers to be from developer group
* added suse / opensuse support with zypper
* Fix tpm import in test_tpm.py
* Fix cfssl configuration in run_tests.sh
* tpm_emulator: improve TPM emulator installation
* config: Add option to enable DB debugging via DEBUG_DB env var
* Enable SQL query cache for JSONPickleType
* tpm_emulator: move everything into systemd services
* Implement broader key support for Keylime's signing mechanisms
* tenant: Use exponential backoff on key verification retries
* tenant: Move JSON parsing to capture possible exceptions
* tenant: Move verifier stop from do_quote to do_verify
* pylint: Fix issues related to W0602 global-variable-not-assigned
* tenant: Handle 404 error from registrar gracefully
* pylint: Fix remaining code with issue R1732 consider-using-with
* pylint: Fix R1732 consider-using-with
* pylint: Fix issue detected by pylint-2.13.0
* pylint: Fix issue detected by pylint-2.13.0
* tenant: verify agent quote before adding to verifier
* README: remove tpm2-abrmd and OSX sections
* pylint: Fix issues related to W0102 dangerous-default-value
* pylint: Fix R0201 no-self-use
* pylint: remove W1203 logging-format-interpolation from ignore list
* pylint: remove R1729 use-a-generator from ignore list
* pylint: remove E1120 no-value-for-parameter from ignore list
* pylint: remove W1201 logging-not-lazy from ignore list
* pylint: fix C0209 consider-using-f-string
* pylint: fix C0201 consider-iterating-dictionary
* pylint: fix W1509 subprocess-popen-preexec-fn
* keylime_tenant non-zero exit code on error
* Fix prepare step adjustments in packit-ci.fmf plan
* failure: fix Pattern type hint
* mypy: add initial Mypy configuration
* ima_ast: add type hints
* failure: add type hints
* logging, config: add type hints for logging module
* algorithms: add type hints
* json: add type hints and add JSONType as custom type
* Full allowlist processing when not adding host
* provider, vTPM: remove vTPM manager and provider code
* tpm: fix that the set of missing PCRs is not serializable in failure
* Restores the option to use keylime agents without mTLS
* services: make the services run as keylime user instead of root
* State in --help that SHA-256 is used for --allowlist-checksum
* config: change cacert.pem to cacert.crt
* registrar_client: validate connections against registrar ca certificate
* tenant: validate connections against verifier ca certificate
* request_client: only add custom adapter if TLS is enabled
* setup: add static assets for webapp
* Add TESTING.md describing testing details
* Fix some remaining log format strings
* Fix for database_url parameter with sqlite
* Enable test basic-attestation-with-unpriviledged-agent in Packit CI
* Use lazy string formatting when logging (#535)
* Make Packit CI plan more resource-saving
* keylime.conf: Document setting ownership in WORK_DIR (/var/lib/keylime)
* agent: Make sure tmpfs is empty even if not mounted or cannot unmount
* agent: Drop privileges by switching to normal user and group
* agent: Move mounting of tmpfs towards beginning of main()
* agent: Read measured boot log near process start
* agent: Open file for IMA log file near process start
* ima: Refactor read_measurement_list() to take file as argument
* Add the policy name to failure event
* tpm_main: Check if tpm_cert_store exists (#553)
* Remove tag input from container build workflow
* Push container images to quay.io/keylime org
* Enable code coverage measurement for e2e tests in Packit CI
* config: fix config search order
* Add defaults for ephemeral keys for agent records
* Update outdated greetings Github messages
* services: add keylime_agent_secure.mount service
* installer.sh: updated tpm2-{tools, tss}, use system packages if possible
* revocation_notifier: convert the data to str in the notifiers
* revocation_notifier: mark webhook threads as daemon and add timeout
* Fix Packit CI test plan Summary
* Enable Packit CI testing on CentOS Stream 8
* Enable Packit CI testing on Fedora Rawhide
* Remove last trace of TPM 1.2 (hopefully)
* verifier: remove start_tornado() function
* verifier: wait for connections to be closed before stopping ioloop
* revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
* Add more e2e tests to Packit CI
* Enable EPEL repo on CentOS Stream in packit.yaml
- Drop already merged patches
* drop_privileges_of_agent_process_after_startup.patch
* config_fix_config_search_order.patch
* services_add_keylime_agent_secure_mount_service.patch
- Add upstream patches:
* drop_privileges_of_agent_process_after_startup.patch
* config_fix_config_search_order.patch
* services_add_keylime_agent_secure_mount_service.patch
- Configure the agent to run as non-root (via keylime.conf)
- Add keylime sysuser conf file and deploy as part of the tpm
certificate subpackage
- Prepare the systemd mount unit for /var/lib/keylime/secure
- Drop patches beacuse merged upstream:
* version.diff
* cloud_verifier_tornado-use-fork_processes.patch
- Drop binaries not used anymore:
* keylime_provider_platform_init
* keylime_provider_registrar
* keylime_provider_vtpm_add
- Update to version v6.3.1:
* revocation_notifier: mark webhook threads as daemon and add timeout
* Fix Packit CI test plan Summary
* Enable Packit CI testing on CentOS Stream 8
* Enable Packit CI testing on Fedora Rawhide
* Remove last trace of TPM 1.2 (hopefully)
* verifier: remove start_tornado() function
* verifier: wait for connections to be closed before stopping ioloop
* revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
* Add more e2e tests to Packit CI
* Enable EPEL repo on CentOS Stream in packit.yaml
* agent, crypto: add localhost, server and contact ip to agent certificate
* Add better default repo path for run_local.sh
* Fix incorrect variable name in test_restful
* Run existing agent tests against the rust-keylime agent
* Fix small wording mistakes caught while reading the code
* agent: move key and certificate logging levels from debug to info
* agent: allow absolute paths for rsa_keyname and mtls_cert
* Add missing backend parameter
* cloud_verifier_tornado: use fork_processes
* ci: automatically push release to PyPI
* setup.{py,cfg}: Move setup configuration to setup.cfg
* Add iproute tool to Dockerfile
* Pylint does not like single-line functions.
* A small beauty fix
* This is a small fix to proactively fix Issue #840 by identifying non-escaped double quotes in the tpm2-tools output
* setup.py: add version number and new Python versions, drop unsed binaries
* setup.py, config: install default configuration into package path
* ci: move old keylime.conf to keylime.conf.orig before running tests
* retry: fix pylint issue
* Adding Infineon Optiga 034 RSA and ECC certificates for Infineon SLB9675 devices.
* Ensure columns "mb_refstate" and "allowlist" are of type LONGTEXT in table "verifiermain"
* tenant: add exponential backoff option to retry timings
* cloud verifier: add exponential backoff option to retry timings
* tpm: add exponential backoff option to retry timings
* test, retry: add unit test for retry algorithm
* common: add algorithm for retry time calculation
* registrar, tpm_main: ensure that correct types are commited to DB.
* Fix typo for config param listen_notifications
* Lint is _really_ unhappy today.
* Linty fixes
* Adding a unit test file for tpm_main
* tpm_main: check if PCRs for the hash algorithm are available
* tpm_main: handle if tpm2_checkquote returns no PCRs for a hash algorithm
* agent: output supported_version as result not as a status
* Add missing subcommands to -c help message
* tests: fix mtls_cert generation in test_restful.py
* revocation_notifier: fix socket path permission check
* Remove unused database_query config param
* Move umask calls only on entry points
* config: move directory utilities to fs_util
- Change back agent_uuid to hostname
- Set tpm_hash_alg to sha256 by default
- Update version.diff patch to point to the correct version number
- Fix issue with Tornado, when multiple workers are started
* Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)
- Drop patches beacuse merged upstream:
* 0001-Drop-dataclasses-module-usage.patch
* 0001-config-support-merge-multiple-config-files.patch
* 0001-ca-support-back-old-cyptography-API.patch
- Update to version v6.3.0:
* Coordinated update to fix:
+ bsc#1193997 (CVE-2022-23948)
+ bsc#1193998 (CVE-2021-43310)
+ bsc#1194000 (CVE-2022-23949)
+ bsc#1194002 (CVE-2022-23950)
+ bsc#1194004 (CVE-2022-23951)
+ bsc#1194005 (CVE-2022-23952)
* secure_mount: add umount function
* secure_mount: use /proc/self/mountinfo
* Validate user ID in all public interfaces
* validators: add uuid and agent_id validators
* validators: create validators module
* revocation_notifier: move zmq socket to /var/run/keylime
* Update API version from 1.0 to 2.0
* tpm: do not compress quote with zlib by default
* verifier: persist AK and mTLS certificate to DB
* verifier: use "supported_version" for agent connections
* tenant: add support for "supported_version" option for the verifier
* api_version: add the option for basic validation
* verifier: add supported_version field to DB and API
* agent: add /version to REST API
* verifier, tenant: allow agents to not use mTLS
* tenant, verifier: allow manual configuration of agent mTLS
* tests: migrate to mTLS
* tenant: connect to the agent via mTLS
* verifier: connect to the agent via mTLS
* tornado_requests: handle SSLError
* web_util: add mTLS context generation for agent
* agent: Enable mTLS for agent REST API
* crypto: add helper function for creating self signed certs
* registrar: Allow the agent to registrar with a mTLS certificate
* request_client: add workaround for handling certificates
* request_client: add the option to ignore hostname validation
* Better docs and errors about IMA hash mismatches
* tests: use JSON instead Python string for IMA tests
* verifier: use json.loads(..) instead of ast.literal_eval(..)
* Adding Nuvoton certificate for a post 2020 TPM device. The EK cert
of the device directs to the following download site:
'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root
CA 1111.cer' (yes, including the spaces)
* Improve revocation notifier IP description in keylime.conf
* tornado_requests: set Content-Type header correctly for JSON
* tenant: post U key to agent with correct Content-Type header
* Explicitly set permissions on new keylime.conf files installed
* tpm_main: close file descriptor for aik handle
* verifier: do not call finish() twice
* agent: fix payload execution
* tests: add initial tests for web_util module
* config, web_util: move get_restful_params(..) to web_util
* verifier: Also retry on HTTP 500 status code
* agent: improve startup and shutdown
* registrar: cleanup start function
* web_util: move echo_json_response(..) out of config.py
* verifier: fix failure generation for V key
* tornado_requests: cleanup TornadoResponse class
* web_util, verifier: move mTLS SSLContext generation into separate module
* ca: support back old cyptography API
* Fix test branch reference in packit.yaml
* ci: disable DeprecationWarning from pylint in tox
* Enable new test in Packit CI
* tenant: fix reactivate command
* config: support merge multiple config files
* ci: use only fedora-stable for packit
* elchecking: harden example policy against event type manipulation
* elchecking: add new tests
* tests: fix stdout formatting for agent and verifier
* Drop dataclasses module usage
* revocation notifier: handle shutdown of process gracefully
* verifier: handle SIGINT and SIGTERM correctly
* ima_emulator: fix IMA hash validation and add more options
* ima_ast: fix handling ToMToU errors
* Remove leftovers of TPM 1.2 support
* agent: improved validation for post function
* agent: better validation for mask and nonce
* config: add function to validate hex strings
* agent: keys/verify check if challenge was provided
* tpm_main: do not append /usr/local/{bin,lib} to default env
* db: only set length on Text type if supported
* json: do not make sqlalchemy a hard requirement
* Enable functional testing with Packit CI
* ima_emulator: specify sys.argv as the named parameter argv in main()
* elchecking example policy: make it work with Fedora 34
* elchecking example policy: initrd* might be also called initramfs*
* scripts: add mb_refstate generator for example policy
* config: change tpm_hash_alg to SHA1 by default
* parse_mb_bootlog: specify the used hash algorithm used for PCRs
* agent: add warning that on kernels <5.10 IMA only works with SHA1
* tpm: explicitly pass hash alg to sim_extend(..)
* ima emulator: use IMA AST and support multiple hash algorithms
* tests: update IMA allowlist version number
* ima: add option 'log_hash_alg' to IMA allowlist
* ima: remove hard requirement for SHA1 PCR 10
* algorithms: extend Hash class to simplify computing hash values
* config, tpm_main: explicitly handle YAML load errors
* config: private_key must be set to -private.pem not -public.pem
* agent: add UUID option environment
* agent: drop openstack uuid option
- Set /var/lib/keylime under the same permissions expected by the code
- Add 0001-config-support-merge-multiple-config-files.patch
This will allow the merge of config files in /usr/etc and /etc.
- Move the configuration file to /usr/etc in new distributions
- Add 0001-ca-support-back-old-cyptography-API.patch
This is only required for SLE, but the API is compatible with new versions
- Add 0001-Drop-dataclasses-module-usage.patch, to support Python 3.6
- Fix cfssl bcond logic in Tumbleweed / SLE
- Update to version v6.2.1:
* Another addition to gitignore
* Update .gitignore with more Keylime-specific files
* json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy
* ima_ast: check if the PCR is the same as in the config
* Fix permissions issue on volume mount in run_local.sh
* Make run_local.sh use a local copy of the repo
* Small updates to GOVERNANCE.md
* Move cargo-tarpaulin install to separate command
* config: drop registrar_* TLS options in [registrar] section
* Fix missing && in Dockerfile
* Remove simplejson from scripts and docs
* Replace simplejson with built-in json module
* Add rust-keylime container dependencies
* config: fix getboolean with fallback
* Clean up CI scripts and rewrite run_local.sh
* ima: for ToMToU errors skip template content validation
* ima: Use a set of entry numbers and file offsets to remember multiple positions
* Rename CONTRIBUTORS.md to CONTRIBUTING.md
* Update GOVERNANCE.md to match MAINTAINERS.md rename
* Update MAINTAINERS
* Update README: remove Gitter, Travis CI
* ca: Use UTC when setting certificate validity
* Tenant commands return json
* scripts: Allow passing a base policy to create_policy tool
* ima: Handle the case of ima-sig with a path with spaces in them
* add length to string object
* scripts: Implement create_policy to create the JSON allowlist from files
* ima: Also add a sha256 default boot_aggregate hash with 64 '0's
* ima: Use seek() to get to the last known last entry
* ima: Extend allowlist to be able to handle generic ima-buf entries
* ima: Extend JSON allowlist with 'ima' entry and 'ignored_keyrings'
* ima: Populate verifier keyrings with keys taken from ima-buf log line
* ima: Remove methods from ImaKeyring that are now in ImaKeyrings
* ima: Start passing ima_keyrings through APIs replacing ima_keyring
* Extend AgentAttestState with ima_keyrings field and use it
* ima: Implement ImaKeyrings class to support multiple keyrings
* verifier: Extend verifier DB to persist learned keyrings
* Fix a couple of pylint errors
* ima: Fix spurious attestation failures
* ima: make ToMToU errors not a failure by default
* Simple fix for tenant error message printout.
* pylint: Fix errors related to R1714
* pylint: Suppress C0201, C0209 and W0602 newly reported errors
* installer: do not install tpm2-abrmd
* tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd
* verifier: add option to send revocation messages via webhook
- Fix keylime configuration file attributes
- Requires python-psutil
- Disable automatic execution of the payload by default
- Use ramdom UUID by default
- Introduce a bcond for cfssl detection
- Drop cfssl if we are not in openSUSE
- Update to version 6.2.0:
* Fix bug #757 where revoc cert was treated as text
* Code improvement: removal of extra dependencies in measured boot attestation (#755)
* Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines.
* tenant: show severity level and last event id in status
* verifier: move to new failure architecture
* pcr validation: move to new failure architecture
* measured boot: move to new failure architecture
* ima: move to new failure architecture
* failure: add infrastructure to tag and collect revocation events in Keylime
* Simulating use of SSLContext.minimum_version on ssl v3.6
* verifier: fix minor typos
* Add tests for ca_impl_cfssl and ca_util
* Replace M2Crypto with python-cryptography
* tenant: status now shows if a agent was added to the registrar
* tenant: open file to send utf-8 encoded
* Correct some comments about and remove vestige in MB policy
* fixing a small bug that resulted in malformed refstates not failing MBA
* agent: ensure that EK is in PEM format when used as uuid
* Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734)
* ci: build and publish container images
* codestyle: fix W0612 and R1735 pylint errors
* codestyle: fix W1514 pylint error
* systemd: Add KillSignal=SIGINT to keylime_agent.service
* One-liner to set the minimum version of TLS to v1.2
* pylint fix
* Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py
* Refactor keylime_logging module
* ima: Implement ima-buf validator and validate keys on keyrings (#725)
* Remove Python 2 leftovers
* Additional fix for the processing of "tpm_policy"
* ima: Return an empty allowlist rather than a plain empty list
* verifier: convert (v)tpm_policy in DB from string to JSONPickleType
* verifier: Create AgentAttestState objects from entries in the db
* verifier: Persist the IMA attestation state after running the log verification
* db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries
* verifier: Skip attestation one time if agent's boottime changed
* test: Add test case simulating iterative attestation
* verifier: Delete an AgentAttestState when deleting an agent
* ima: Remember the number of lines successfully processed and last IMA PCR value(s)
* ima: Reset the attestation if processing the measurement list fails
* debug: Show line number when PCR match occurs
* verifier: Extend AgentAttestState with state of the IMA PCR
* Consult the AgentAttestState for the next measurement list entry
* Introduce an AgentAttestState class for passing state through the APIs
* verifier: Request IMA log at entry 0 for now
* agent: Get boottime and transfer to verifier
* agent: Add support for optional IMA log offset parameter
* tests: Add a unit test for the IMA function and run it
* agent: Move IMA measurement list reading function to ima.py
* Add default verifier-check value
* Use tox for pylint
* Use Fedora 34 as base image for CI container
* Run ci jobs only when needed
* config: merge convert and list_convert into the same function
* Versioned APIs
* Refacator of check_pcrs to parse then validate (#716)
* Automatically calculates the boot_aggregate from the measured boot log. (#713)
* Set default UUID as lowercase (#699)
* tenant: do_cvdelete wait until 404
* Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
* ima: Convert pcrval to bytes to increase efficiency
* tests: extend ima tests for signature validation and exclude lists
* Allow agents to specify a contact ip address and port for the tenant and CV (#690)
* verifer: Fix signature and allowlist evaluation bahavior change
* ima: Fix runtime error due to wrong datatype
* tenant: add the option to specify the registrar ip and port
* measured_boot: drop process_refstate
* check_pcrs: match PCR if no mb_refstate is provided
* ci: make run_local.sh work with newer docker versions
* Fixing pylint errors (#698)
* tests: add IMA test where validation should be ignored
* ima: Use ima_ast for parsing and validation
* tests: Add test for ima AST parser
* ima: Introducing a AST for parsing and validation
* Make stalebot a bit nicer
* enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier
* Flush all sessions from TPM device (#682)
* multiple named verifiers sharing a single database
* webapp: fix tls certs paths (#659)
* Corrects markdown to have proper rendering (#673)
* ima_file_signatures: Extract keyidv2 from x509 certs
* installer: Add '-r' option to cp to copy directory (issue #671)
* config: Add optional fallback parameter to get()
* agent: Fix the usage of dmidecode during the agent startup (issue #664)
* agent: Rename allowlist to ima_allowlist in keylime.conf
* Fix decoding error in user_data_encrypt
* agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list
* Addresses issue #660 (database path while running local tests) (#665)
* ima: Return 'None' when ImaKeyring.from_string() called with emtpy string
* tests: Move unittests into files with suffix _test.py
* Fixes and improvements for database configuration (#654)
* Add signature verification support for local and remote IMA signature verification keys (#597)
* install: Remove TPM 1.2 support from installer and bundeling scripts
* CI/CD: Remove tpm1.2 testing support
* Remove duplicated calls to verifier
* Remove adding entropy to system rng
* Cleanup and fix error case in encryptAIK (#648)
* Move measured boot related code into functions to make check_pcrs readable (#642)
* Move code related to tpm2_checkquote into its own function (#639)
* scripts: Cleanup shell script formatting
* installer.sh: Do not delete the local copy of the certificates.
* Fix user_data_encrypt to UTF8 decode before print
* tpm_abstract: Fix adding of entropy
* codestyle: Ignore R1732 implemented by pylint >=2.8.0
* a fix for letting JSON encoding bytes correctly
* Adding back reglist to the list of commands that don't need a -t argument
* Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624)
* Addresses #436 (#611)
* Fixes #620
* Include PCR16 in the quote only when needed
* Close leaking file descriptors (#622)
* installer.sh: Add missing spaces when efivar is added
* More ima_emulator_adapter cleanups (#616)
* installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build
* Remove more commented code in ca_util.py
* installer: Only install efi library on x86_64 systems
* Create allowlist table and basic API support
* installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build
* WIP: Some cleanups (#612)
* Remove _cLime.c
* config: Document the measured boot PCRs and what is using them
* Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies"
* ima_emulator_adapater: Remove unnecessary global statement
* webapp: Fix private key and certificate path (issue #604)
* Add support for keylime_webapp service to read intervals from keylime.conf
- Update to Keylime 6.1.1
+ keylime_tenant add crash with TypeError: Object of type 'bytes' is
not JSON serializable
+ Whenever Keylime agent starts and cannot contact the registrar, it
fails and quits without flushing create EK handles
+ keylime_tenant -c reglist now requires a "-t" parameter for no
reason
+ Duplicated API calls to verifier in webapp backend
+ Installer deletes tpm_cert_store files
+ agent_uuid set to dmidecode crashes Keylime
+ Copying of tpm_cert_store fails during installation
+ If the PCR belong to a measured boot list, it is not validated
+ keylime_tenant --c update fails with a race condition
- Drop patches already present in the new version
+ webapp-fix-tls-certs-paths.patch
+ check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
+ tenant-do_cvdelete-wait-until-404.patch
- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
- Adjust the default revocation notifier binding IP
- Default to CFSSL in keylime.conf
- Add config-libefivars.diff to adjust the path of the library
- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
(gh#keylime/keylime!695)
- Recommends CFSSL in the registrar (actually should be the CA)
- Change default value for require_ek_cert to False
- Reorder the patches to separate upstream fixes from openSUSE ones
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
- Recommend dmidecode for the agent
- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
- Add keylime.conf.diff patch to change the default config file
- Add keylime.xml for firewalld service definition
- Update to version 6.1.0:
* Update python cryptography lib to v3.3.2
* installer.sh improvments
* run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
* Fourth and final PR to address #491 (#580)
* scripts: Also use pylint-3 if pylint is not installed
* agent: Fix the checking for a specific error returned by tpm2_quote
* Allowlist verification - Enhancement #16
* Forgot to remove the original, more crude solution (which caused pylint errors)
* New and improved code to fix issue #582
* Consistent formatting for logging strings
Alberto Planas Dominguez (aplanas)
accepted
request 984411
from
Alberto Planas Dominguez (aplanas)
(revision 37)
- Add logrotate configuration for the services - Create run directory as non-root user - Conflict with rust-keylime
Displaying revisions 41 - 60 of 96
