Revisions of keylime

Alberto Planas Dominguez (aplanas) accepted request 934988 from Alberto Planas Dominguez (aplanas) (revision 16)
- Drop cfssl if we are not in openSUSE
Alberto Planas Dominguez (aplanas) accepted request 927724 from Alberto Planas Dominguez (aplanas) (revision 15)
- Update to version 6.2.0:
  * Fix bug #757 where revoc cert was treated as text
  * Code improvement: removal of extra dependencies in measured boot attestation (#755)
  * Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines.
  * tenant: show severity level and last event id in status
  * verifier: move to new failure architecture
  * pcr validation: move to new failure architecture
  * measured boot: move to new failure architecture
  * ima: move to new failure architecture
  * failure: add infrastructure to tag and collect revocation events in Keylime
  * Simulating use of SSLContext.minimum_version on ssl v3.6
  * verifier: fix minor typos
  * Add tests for ca_impl_cfssl and ca_util
  * Replace M2Crypto with python-cryptography
  * tenant: status now shows if an agent was added to the registrar
  * tenant: open file to send utf-8 encoded
  * Correct some comments about and remove vestige in MB policy
  * fixing a small bug that resulted in malformed refstates not failing MBA
  * agent: ensure that EK is in PEM format when used as uuid
  * Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734)
  * ci: build and publish container images
  * codestyle: fix W0612 and R1735 pylint errors
  * codestyle: fix W1514 pylint error
  * systemd: Add KillSignal=SIGINT to keylime_agent.service
  * One-liner to set the minimum version of TLS to v1.2
  * pylint fix
  * Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py
  * Refactor keylime_logging module
  * ima: Implement ima-buf validator and validate keys on keyrings (#725)
  * Remove Python 2 leftovers
  * Additional fix for the processing of "tpm_policy"
  * ima: Return an empty allowlist rather than a plain empty list
  * verifier: convert (v)tpm_policy in DB from string to JSONPickleType
  * verifier: Create AgentAttestState objects from entries in the db
  * verifier: Persist the IMA attestation state after running the log verification
  * db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries
  * verifier: Skip attestation one time if agent's boottime changed
  * test: Add test case simulating iterative attestation
  * verifier: Delete an AgentAttestState when deleting an agent
  * ima: Remember the number of lines successfully processed and last IMA PCR value(s)
  * ima: Reset the attestation if processing the measurement list fails
  * debug: Show line number when PCR match occurs
  * verifier: Extend AgentAttestState with state of the IMA PCR
  * Consult the AgentAttestState for the next measurement list entry
  * Introduce an AgentAttestState class for passing state through the APIs
  * verifier: Request IMA log at entry 0 for now
  * agent: Get boottime and transfer to verifier
  * agent: Add support for optional IMA log offset parameter
  * tests: Add a unit test for the IMA function and run it
  * agent: Move IMA measurement list reading function to ima.py
  * Add default verifier-check value
  * Use tox for pylint
  * Use Fedora 34 as base image for CI container
  * Run ci jobs only when needed
  * config: merge convert and list_convert into the same function
  * Versioned APIs
  * Refactor of check_pcrs to parse then validate (#716)
  * Automatically calculates the boot_aggregate from the measured boot log. (#713)
  * Set default UUID as lowercase (#699)
  * tenant: do_cvdelete wait until 404
  * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
  * ima: Convert pcrval to bytes to increase efficiency
  * tests: extend ima tests for signature validation and exclude lists
  * Allow agents to specify a contact ip address and port for the tenant and CV (#690)
  * verifier: Fix signature and allowlist evaluation behavior change
  * ima: Fix runtime error due to wrong datatype
  * tenant: add the option to specify the registrar ip and port
  * measured_boot: drop process_refstate
  * check_pcrs: match PCR if no mb_refstate is provided
  * ci: make run_local.sh work with newer docker versions
  * Fixing pylint errors (#698)
  * tests: add IMA test where validation should be ignored
  * ima: Use ima_ast for parsing and validation
  * tests: Add test for ima AST parser
  * ima: Introducing an AST for parsing and validation
  * Make stalebot a bit nicer
  * enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier
  * Flush all sessions from TPM device (#682)
  * multiple named verifiers sharing a single database
  * webapp: fix tls certs paths (#659)
  * Corrects markdown to have proper rendering (#673)
  * ima_file_signatures: Extract keyidv2 from x509 certs
  * installer: Add '-r' option to cp to copy directory (issue #671)
  * config: Add optional fallback parameter to get()
  * agent: Fix the usage of dmidecode during the agent startup (issue #664)
  * agent: Rename allowlist to ima_allowlist in keylime.conf
  * Fix decoding error in user_data_encrypt
  * agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list
  * Addresses issue #660 (database path while running local tests) (#665)
  * ima: Return 'None' when ImaKeyring.from_string() called with empty string
  * tests: Move unittests into files with suffix _test.py
  * Fixes and improvements for database configuration (#654)
  * Add signature verification support for local and remote IMA signature verification keys (#597)
  * install: Remove TPM 1.2 support from installer and bundling scripts
  * CI/CD: Remove tpm1.2 testing support
  * Remove duplicated calls to verifier
  * Remove adding entropy to system rng
  * Cleanup and fix error case in encryptAIK (#648)
  * Move measured boot related code into functions to make check_pcrs readable (#642)
  * Move code related to tpm2_checkquote into its own function (#639)
  * scripts: Cleanup shell script formatting
  * installer.sh: Do not delete the local copy of the certificates.
  * Fix user_data_encrypt to UTF8 decode before print
  * tpm_abstract: Fix adding of entropy
  * codestyle: Ignore R1732 implemented by pylint >=2.8.0
  * a fix for letting JSON encoding bytes correctly
  * Adding back reglist to the list of commands that don't need a -t argument
  * Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624)
  * Addresses #436 (#611)
  * Fixes #620
  * Include PCR16 in the quote only when needed
  * Close leaking file descriptors (#622)
  * installer.sh: Add missing spaces when efivar is added
  * More ima_emulator_adapter cleanups (#616)
  * installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build
  * Remove more commented code in ca_util.py
  * installer: Only install efi library on x86_64 systems
  * Create allowlist table and basic API support
  * installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build
  * WIP: Some cleanups (#612)
  * Remove _cLime.c
  * config: Document the measured boot PCRs and what is using them
  * Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies"
  * ima_emulator_adapter: Remove unnecessary global statement
  * webapp: Fix private key and certificate path (issue #604)
  * Add support for keylime_webapp service to read intervals from keylime.conf
- Update to Keylime 6.1.1
  + keylime_tenant add crash with TypeError: Object of type 'bytes' is
    not JSON serializable
  + Whenever Keylime agent starts and cannot contact the registrar, it
    fails and quits without flushing create EK handles
  + keylime_tenant -c reglist now requires a "-t" parameter for no
    reason
  + Duplicated API calls to verifier in webapp backend
  + Installer deletes tpm_cert_store files
  + agent_uuid set to dmidecode crashes Keylime
  + Copying of tpm_cert_store fails during installation
  + If the PCR belongs to a measured boot list, it is not validated
  + keylime_tenant --c update fails with a race condition
- Drop patches already present in the new version
  + webapp-fix-tls-certs-paths.patch
  + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
  + tenant-do_cvdelete-wait-until-404.patch
- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
- Adjust the default revocation notifier binding IP
- Default to CFSSL in keylime.conf
- Add config-libefivars.diff to adjust the path of the library
- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
  (gh#keylime/keylime!695)
- Recommends CFSSL in the registrar (actually should be the CA)
- Change default value for require_ek_cert to False
- Reorder the patches to separate upstream fixes from openSUSE ones
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
- Recommend dmidecode for the agent
- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
- Add keylime.conf.diff patch to change the default config file
- Add keylime.xml for firewalld service definition
- Update to version 6.1.0:
  * Update python cryptography lib to v3.3.2
  * installer.sh improvements
  * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
  * Fourth and final PR to address #491 (#580)
  * scripts: Also use pylint-3 if pylint is not installed
  * agent: Fix the checking for a specific error returned by tpm2_quote
  * Allowlist verification - Enhancement #16
  * Forgot to remove the original, more crude solution (which caused pylint errors)
  * New and improved code to fix issue #582
  * Consistent formatting for logging strings
Alberto Planas Dominguez (aplanas) accepted request 927722 from Alberto Planas Dominguez (aplanas) (revision 14)
- Recommend dmidecode only on archs where it is available
Alberto Planas Dominguez (aplanas) accepted request 919474 from Alberto Planas Dominguez (aplanas) (revision 13)
- Update to version 6.2.0:
  * Fix bug #757 where revoc cert was treated as text
  * Code improvement: removal of extra dependencies in measured boot attestation (#755)
  * Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines.
  * tenant: show severity level and last event id in status
  * verifier: move to new failure architecture
  * pcr validation: move to new failure architecture
  * measured boot: move to new failure architecture
  * ima: move to new failure architecture
  * failure: add infrastructure to tag and collect revocation events in Keylime
  * Simulating use of SSLContext.minimum_version on ssl v3.6
  * verifier: fix minor typos
  * Add tests for ca_impl_cfssl and ca_util
  * Replace M2Crypto with python-cryptography
  * tenant: status now shows if an agent was added to the registrar
  * tenant: open file to send utf-8 encoded
  * Correct some comments about and remove vestige in MB policy
  * fixing a small bug that resulted in malformed refstates not failing MBA
  * agent: ensure that EK is in PEM format when used as uuid
  * Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734)
  * ci: build and publish container images
  * codestyle: fix W0612 and R1735 pylint errors
  * codestyle: fix W1514 pylint error
  * systemd: Add KillSignal=SIGINT to keylime_agent.service
  * One-liner to set the minimum version of TLS to v1.2
  * pylint fix
  * Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py
  * Refactor keylime_logging module
  * ima: Implement ima-buf validator and validate keys on keyrings (#725)
  * Remove Python 2 leftovers
  * Additional fix for the processing of "tpm_policy"
  * ima: Return an empty allowlist rather than a plain empty list
  * verifier: convert (v)tpm_policy in DB from string to JSONPickleType
  * verifier: Create AgentAttestState objects from entries in the db
  * verifier: Persist the IMA attestation state after running the log verification
  * db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries
  * verifier: Skip attestation one time if agent's boottime changed
  * test: Add test case simulating iterative attestation
  * verifier: Delete an AgentAttestState when deleting an agent
  * ima: Remember the number of lines successfully processed and last IMA PCR value(s)
  * ima: Reset the attestation if processing the measurement list fails
  * debug: Show line number when PCR match occurs
  * verifier: Extend AgentAttestState with state of the IMA PCR
  * Consult the AgentAttestState for the next measurement list entry
  * Introduce an AgentAttestState class for passing state through the APIs
  * verifier: Request IMA log at entry 0 for now
  * agent: Get boottime and transfer to verifier
  * agent: Add support for optional IMA log offset parameter
  * tests: Add a unit test for the IMA function and run it
  * agent: Move IMA measurement list reading function to ima.py
  * Add default verifier-check value
  * Use tox for pylint
  * Use Fedora 34 as base image for CI container
  * Run ci jobs only when needed
  * config: merge convert and list_convert into the same function
  * Versioned APIs
  * Refactor of check_pcrs to parse then validate (#716)
  * Automatically calculates the boot_aggregate from the measured boot log. (#713)
  * Set default UUID as lowercase (#699)
  * tenant: do_cvdelete wait until 404
  * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
  * ima: Convert pcrval to bytes to increase efficiency
  * tests: extend ima tests for signature validation and exclude lists
  * Allow agents to specify a contact ip address and port for the tenant and CV (#690)
  * verifier: Fix signature and allowlist evaluation behavior change
  * ima: Fix runtime error due to wrong datatype
  * tenant: add the option to specify the registrar ip and port
  * measured_boot: drop process_refstate
  * check_pcrs: match PCR if no mb_refstate is provided
  * ci: make run_local.sh work with newer docker versions
  * Fixing pylint errors (#698)
  * tests: add IMA test where validation should be ignored
  * ima: Use ima_ast for parsing and validation
  * tests: Add test for ima AST parser
  * ima: Introducing an AST for parsing and validation
  * Make stalebot a bit nicer
  * enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier
  * Flush all sessions from TPM device (#682)
  * multiple named verifiers sharing a single database
  * webapp: fix tls certs paths (#659)
  * Corrects markdown to have proper rendering (#673)
  * ima_file_signatures: Extract keyidv2 from x509 certs
  * installer: Add '-r' option to cp to copy directory (issue #671)
  * config: Add optional fallback parameter to get()
  * agent: Fix the usage of dmidecode during the agent startup (issue #664)
  * agent: Rename allowlist to ima_allowlist in keylime.conf
  * Fix decoding error in user_data_encrypt
  * agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list
  * Addresses issue #660 (database path while running local tests) (#665)
  * ima: Return 'None' when ImaKeyring.from_string() called with empty string
  * tests: Move unittests into files with suffix _test.py
  * Fixes and improvements for database configuration (#654)
  * Add signature verification support for local and remote IMA signature verification keys (#597)
  * install: Remove TPM 1.2 support from installer and bundling scripts
  * CI/CD: Remove tpm1.2 testing support
  * Remove duplicated calls to verifier
  * Remove adding entropy to system rng
  * Cleanup and fix error case in encryptAIK (#648)
  * Move measured boot related code into functions to make check_pcrs readable (#642)
  * Move code related to tpm2_checkquote into its own function (#639)
  * scripts: Cleanup shell script formatting
  * installer.sh: Do not delete the local copy of the certificates.
  * Fix user_data_encrypt to UTF8 decode before print
  * tpm_abstract: Fix adding of entropy
  * codestyle: Ignore R1732 implemented by pylint >=2.8.0
  * a fix for letting JSON encoding bytes correctly
  * Adding back reglist to the list of commands that don't need a -t argument
  * Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624)
  * Addresses #436 (#611)
  * Fixes #620
  * Include PCR16 in the quote only when needed
  * Close leaking file descriptors (#622)
  * installer.sh: Add missing spaces when efivar is added
  * More ima_emulator_adapter cleanups (#616)
  * installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build
  * Remove more commented code in ca_util.py
  * installer: Only install efi library on x86_64 systems
  * Create allowlist table and basic API support
  * installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build
  * WIP: Some cleanups (#612)
  * Remove _cLime.c
  * config: Document the measured boot PCRs and what is using them
  * Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies"
  * ima_emulator_adapter: Remove unnecessary global statement
  * webapp: Fix private key and certificate path (issue #604)
  * Add support for keylime_webapp service to read intervals from keylime.conf
Alberto Planas Dominguez (aplanas) accepted request 908384 from Alberto Planas Dominguez (aplanas) (revision 12)
- Update to Keylime 6.1.1
  + keylime_tenant add crash with TypeError: Object of type 'bytes' is
    not JSON serializable
  + Whenever Keylime agent starts and cannot contact the registrar, it
    fails and quits without flushing create EK handles
  + keylime_tenant -c reglist now requires a "-t" parameter for no
    reason
  + Duplicated API calls to verifier in webapp backend
  + Installer deletes tpm_cert_store files
  + agent_uuid set to dmidecode crashes Keylime
  + Copying of tpm_cert_store fails during installation
  + If the PCR belongs to a measured boot list, it is not validated
  + keylime_tenant --c update fails with a race condition
- Drop patches already present in the new version
  + webapp-fix-tls-certs-paths.patch
  + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
  + tenant-do_cvdelete-wait-until-404.patch
Alberto Planas Dominguez (aplanas) accepted request 907679 from Alberto Planas Dominguez (aplanas) (revision 11)
- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
Alberto Planas Dominguez (aplanas) accepted request 907171 from Alberto Planas Dominguez (aplanas) (revision 10)
- Adjust the default revocation notifier binding IP
- Default to CFSSL in keylime.conf
- Add config-libefivars.diff to adjust the path of the library
- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
  (gh#keylime/keylime!695)
- Recommends CFSSL in the registrar (actually should be the CA)
- Change default value for require_ek_cert to False
- Reorder the patches to separate upstream fixes from openSUSE ones
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
- Recommend dmidecode for the agent
- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
- Add keylime.conf.diff patch to change the default config file
- Add keylime.xml for firewalld service definition
- Update to version 6.1.0:
  * Update python cryptography lib to v3.3.2
  * installer.sh improvements
  * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
  * Fourth and final PR to address #491 (#580)
  * scripts: Also use pylint-3 if pylint is not installed
  * agent: Fix the checking for a specific error returned by tpm2_quote
  * Allowlist verification - Enhancement #16
  * Forgot to remove the original, more crude solution (which caused pylint errors)
  * New and improved code to fix issue #582
  * Consistent formatting for logging strings
Alberto Planas Dominguez (aplanas) accepted request 907163 from Alberto Planas Dominguez (aplanas) (revision 9)
- Adjust the default revocation notifier binding IP
Alberto Planas Dominguez (aplanas) accepted request 906289 from Alberto Planas Dominguez (aplanas) (revision 8)
- Add config-libefivars.diff to adjust the path of the library
Alberto Planas Dominguez (aplanas) accepted request 905098 from Alberto Planas Dominguez (aplanas) (revision 7)
- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
  (gh#keylime/keylime!695)
- Recommends CFSSL in the registrar (actually should be the CA)
- Change default value for require_ek_cert to False
- Reorder the patches to separate upstream fixes from openSUSE ones
Dominique Leuenberger (dimstar_suse) accepted request 901553 from Alberto Planas Dominguez (aplanas) (revision 6)
initialized devel package after accepting 901553
Alberto Planas Dominguez (aplanas) accepted request 901500 from Alberto Planas Dominguez (aplanas) (revision 5)
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
- Recommend dmidecode for the agent
- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
- Add keylime.conf.diff patch to change the default config file
- Add keylime.xml for firewalld service definition
- Update to version 6.1.0:
  * Update python cryptography lib to v3.3.2
  * installer.sh improvements
  * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
  * Fourth and final PR to address #491 (#580)
  * scripts: Also use pylint-3 if pylint is not installed
  * agent: Fix the checking for a specific error returned by tpm2_quote
  * Allowlist verification - Enhancement #16
  * Forgot to remove the original, more crude solution (which caused pylint errors)
  * New and improved code to fix issue #582
  * Consistent formatting for logging strings
Alberto Planas Dominguez (aplanas) accepted request 898819 from Alberto Planas Dominguez (aplanas) (revision 4)
- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
Alberto Planas Dominguez (aplanas) accepted request 898802 from Alberto Planas Dominguez (aplanas) (revision 3)
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
- Recommend dmidecode for the agent
- Update to version 6.1.0:
  * Update python cryptography lib to v3.3.2
  * installer.sh improvements
  * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
  * Fourth and final PR to address #491 (#580)
  * scripts: Also use pylint-3 if pylint is not installed
  * agent: Fix the checking for a specific error returned by tpm2_quote
  * Allowlist verification - Enhancement #16
  * Forgot to remove the original, more crude solution (which caused pylint errors)
  * New and improved code to fix issue #582
  * Consistent formatting for logging strings
Alberto Planas Dominguez (aplanas) accepted request 898452 from Alberto Planas Dominguez (aplanas) (revision 2)
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
Marcus Meissner (msmeissn) accepted request 891043 from Alberto Planas Dominguez (aplanas) (revision 1)
(See 890790 for reasons)