Revisions of keylime
Alberto Planas Dominguez (aplanas)
accepted
request 934988
from
Alberto Planas Dominguez (aplanas)
(revision 16)
- Drop cfssl if we are not in openSUSE
Alberto Planas Dominguez (aplanas)
accepted
request 927724
from
Alberto Planas Dominguez (aplanas)
(revision 15)
- Update to version 6.2.0: * Fix bug #757 where revoc cert was treated as text * Code improvement: removal of extra dependencies in measured boot attestation (#755) * Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines. * tenant: show severity level and last event id in status * verifier: move to new failure architecture * pcr validation: move to new failure architecture * measured boot: move to new failure architecture * ima: move to new failure architecture * failure: add infrastructure to tag and collect revocation events in Keylime * Simulating use of SSLContext.minimum_version on ssl v3.6 * verifier: fix minor typos * Add tests for ca_impl_cfssl and ca_util * Replace M2Crypto with python-cryptography * tenant: status now shows if a agent was added to the registrar * tenant: open file to send utf-8 encoded * Correct some comments about and remove vestige in MB policy * fixing a small bug that resulted in malformed refstates not failing MBA * agent: ensure that EK is in PEM format when used as uuid * Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734) * ci: build and publish container images * codestyle: fix W0612 and R1735 pylint errors * codestyle: fix W1514 pylint error * systemd: Add KillSignal=SIGINT to keylime_agent.service * One-liner to set the minimum version of TLS to v1.2 * pylint fix * Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py * Refactor keylime_logging module * ima: Implement ima-buf validator and validate keys on keyrings (#725) * Remove Python 2 leftovers * Additional fix for the processing of "tpm_policy" * ima: Return an empty allowlist rather than a plain empty list * verifier: convert (v)tpm_policy in DB from string to JSONPickleType * verifier: Create AgentAttestState objects from entries in the db * verifier: Persist the IMA attestation state after running the log verification * db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries * verifier: Skip attestation one time if agent's boottime changed * test: Add test case simulating iterative attestation * verifier: Delete an AgentAttestState when deleting an agent * ima: Remember the number of lines successfully processed and last IMA PCR value(s) * ima: Reset the attestation if processing the measurement list fails * debug: Show line number when PCR match occurs * verifier: Extend AgentAttestState with state of the IMA PCR * Consult the AgentAttestState for the next measurement list entry * Introduce an AgentAttestState class for passing state through the APIs * verifier: Request IMA log at entry 0 for now * agent: Get boottime and transfer to verifier * agent: Add support for optional IMA log offset parameter * tests: Add a unit test for the IMA function and run it * agent: Move IMA measurement list reading function to ima.py * Add default verifier-check value * Use tox for pylint * Use Fedora 34 as base image for CI container * Run ci jobs only when needed * config: merge convert and list_convert into the same function * Versioned APIs * Refacator of check_pcrs to parse then validate (#716) * Automatically calculates the boot_aggregate from the measured boot log. (#713) * Set default UUID as lowercase (#699) * tenant: do_cvdelete wait until 404 * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON * ima: Convert pcrval to bytes to increase efficiency * tests: extend ima tests for signature validation and exclude lists * Allow agents to specify a contact ip address and port for the tenant and CV (#690) * verifer: Fix signature and allowlist evaluation bahavior change * ima: Fix runtime error due to wrong datatype * tenant: add the option to specify the registrar ip and port * measured_boot: drop process_refstate * check_pcrs: match PCR if no mb_refstate is provided * ci: make run_local.sh work with newer docker versions * Fixing pylint errors (#698) * tests: add IMA test where validation should be ignored * ima: Use ima_ast for parsing and validation * tests: Add test for ima AST parser * ima: Introducing a AST for parsing and validation * Make stalebot a bit nicer * enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier * Flush all sessions from TPM device (#682) * multiple named verifiers sharing a single database * webapp: fix tls certs paths (#659) * Corrects markdown to have proper rendering (#673) * ima_file_signatures: Extract keyidv2 from x509 certs * installer: Add '-r' option to cp to copy directory (issue #671) * config: Add optional fallback parameter to get() * agent: Fix the usage of dmidecode during the agent startup (issue #664) * agent: Rename allowlist to ima_allowlist in keylime.conf * Fix decoding error in user_data_encrypt * agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list * Addresses issue #660 (database path while running local tests) (#665) * ima: Return 'None' when ImaKeyring.from_string() called with emtpy string * tests: Move unittests into files with suffix _test.py * Fixes and improvements for database configuration (#654) * Add signature verification support for local and remote IMA signature verification keys (#597) * install: Remove TPM 1.2 support from installer and bundeling scripts * CI/CD: Remove tpm1.2 testing support * Remove duplicated calls to verifier * Remove adding entropy to system rng * Cleanup and fix error case in encryptAIK (#648) * Move measured boot related code into functions to make check_pcrs readable (#642) * Move code related to tpm2_checkquote into its own function (#639) * scripts: Cleanup shell script formatting * installer.sh: Do not delete the local copy of the certificates. * Fix user_data_encrypt to UTF8 decode before print * tpm_abstract: Fix adding of entropy * codestyle: Ignore R1732 implemented by pylint >=2.8.0 * a fix for letting JSON encoding bytes correctly * Adding back reglist to the list of commands that don't need a -t argument * Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624) * Addresses #436 (#611) * Fixes #620 * Include PCR16 in the quote only when needed * Close leaking file descriptors (#622) * installer.sh: Add missing spaces when efivar is added * More ima_emulator_adapter cleanups (#616) * installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build * Remove more commented code in ca_util.py * installer: Only install efi library on x86_64 systems * Create allowlist table and basic API support * installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build * WIP: Some cleanups (#612) * Remove _cLime.c * config: Document the measured boot PCRs and what is using them * Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies" * ima_emulator_adapater: Remove unnecessary global statement * webapp: Fix private key and certificate path (issue #604) * Add support for keylime_webapp service to read intervals from keylime.conf - Update to Keylime 6.1.1 + keylime_tenant add crash with TypeError: Object of type 'bytes' is not JSON serializable + Whenever Keylime agent starts and cannot contact the registrar, it fails and quits without flushing create EK handles + keylime_tenant -c reglist now requires a "-t" parameter for no reason + Duplicated API calls to verifier in webapp backend + Installer deletes tpm_cert_store files + agent_uuid set to dmidecode crashes Keylime + Copying of tpm_cert_store fails during installation + If the PCR belong to a measured boot list, it is not validated + keylime_tenant --c update fails with a race condition - Drop patches already present in the new version + webapp-fix-tls-certs-paths.patch + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch + tenant-do_cvdelete-wait-until-404.patch - Add tenant-do_cvdelete-wait-until-404.patch to fix the update command - Adjust the default revocation notifier binding IP - Default to CFSSL in keylime.conf - Add config-libefivars.diff to adjust the path of the library - Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch (gh#keylime/keylime!695) - Recommends CFSSL in the registrar (actually should be the CA) - Change default value for require_ek_cert to False - Reorder the patches to separate upstream fixes from openSUSE ones - Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659) - Recommend dmidecode for the agent - Require libtss2-tcti-{device0,tabrmd0} to use abrmd service - Add keylime.conf.diff patch to change the default config file - Add keylime.xml for firewalld service definition - Update to version 6.1.0: * Update python cryptography lib to v3.3.2 * installer.sh improvments * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py * Fourth and final PR to address #491 (#580) * scripts: Also use pylint-3 if pylint is not installed * agent: Fix the checking for a specific error returned by tpm2_quote * Allowlist verification - Enhancement #16 * Forgot to remove the original, more crude solution (which caused pylint errors) * New and improved code to fix issue #582 * Consistent formatting for logging strings
Alberto Planas Dominguez (aplanas)
accepted
request 927722
from
Alberto Planas Dominguez (aplanas)
(revision 14)
- Recommend dmidecode only on archs where it is available
Alberto Planas Dominguez (aplanas)
accepted
request 919474
from
Alberto Planas Dominguez (aplanas)
(revision 13)
- Update to version 6.2.0: * Fix bug #757 where revoc cert was treated as text * Code improvement: removal of extra dependencies in measured boot attestation (#755) * Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines. * tenant: show severity level and last event id in status * verifier: move to new failure architecture * pcr validation: move to new failure architecture * measured boot: move to new failure architecture * ima: move to new failure architecture * failure: add infrastructure to tag and collect revocation events in Keylime * Simulating use of SSLContext.minimum_version on ssl v3.6 * verifier: fix minor typos * Add tests for ca_impl_cfssl and ca_util * Replace M2Crypto with python-cryptography * tenant: status now shows if a agent was added to the registrar * tenant: open file to send utf-8 encoded * Correct some comments about and remove vestige in MB policy * fixing a small bug that resulted in malformed refstates not failing MBA * agent: ensure that EK is in PEM format when used as uuid * Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734) * ci: build and publish container images * codestyle: fix W0612 and R1735 pylint errors * codestyle: fix W1514 pylint error * systemd: Add KillSignal=SIGINT to keylime_agent.service * One-liner to set the minimum version of TLS to v1.2 * pylint fix * Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py * Refactor keylime_logging module * ima: Implement ima-buf validator and validate keys on keyrings (#725) * Remove Python 2 leftovers * Additional fix for the processing of "tpm_policy" * ima: Return an empty allowlist rather than a plain empty list * verifier: convert (v)tpm_policy in DB from string to JSONPickleType * verifier: Create AgentAttestState objects from entries in the db * verifier: Persist the IMA attestation state after running the log verification * db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries * verifier: Skip attestation one time if agent's boottime changed * test: Add test case simulating iterative attestation * verifier: Delete an AgentAttestState when deleting an agent * ima: Remember the number of lines successfully processed and last IMA PCR value(s) * ima: Reset the attestation if processing the measurement list fails * debug: Show line number when PCR match occurs * verifier: Extend AgentAttestState with state of the IMA PCR * Consult the AgentAttestState for the next measurement list entry * Introduce an AgentAttestState class for passing state through the APIs * verifier: Request IMA log at entry 0 for now * agent: Get boottime and transfer to verifier * agent: Add support for optional IMA log offset parameter * tests: Add a unit test for the IMA function and run it * agent: Move IMA measurement list reading function to ima.py * Add default verifier-check value * Use tox for pylint * Use Fedora 34 as base image for CI container * Run ci jobs only when needed * config: merge convert and list_convert into the same function * Versioned APIs * Refacator of check_pcrs to parse then validate (#716) * Automatically calculates the boot_aggregate from the measured boot log. (#713) * Set default UUID as lowercase (#699) * tenant: do_cvdelete wait until 404 * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON * ima: Convert pcrval to bytes to increase efficiency * tests: extend ima tests for signature validation and exclude lists * Allow agents to specify a contact ip address and port for the tenant and CV (#690) * verifer: Fix signature and allowlist evaluation bahavior change * ima: Fix runtime error due to wrong datatype * tenant: add the option to specify the registrar ip and port * measured_boot: drop process_refstate * check_pcrs: match PCR if no mb_refstate is provided * ci: make run_local.sh work with newer docker versions * Fixing pylint errors (#698) * tests: add IMA test where validation should be ignored * ima: Use ima_ast for parsing and validation * tests: Add test for ima AST parser * ima: Introducing a AST for parsing and validation * Make stalebot a bit nicer * enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier * Flush all sessions from TPM device (#682) * multiple named verifiers sharing a single database * webapp: fix tls certs paths (#659) * Corrects markdown to have proper rendering (#673) * ima_file_signatures: Extract keyidv2 from x509 certs * installer: Add '-r' option to cp to copy directory (issue #671) * config: Add optional fallback parameter to get() * agent: Fix the usage of dmidecode during the agent startup (issue #664) * agent: Rename allowlist to ima_allowlist in keylime.conf * Fix decoding error in user_data_encrypt * agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list * Addresses issue #660 (database path while running local tests) (#665) * ima: Return 'None' when ImaKeyring.from_string() called with emtpy string * tests: Move unittests into files with suffix _test.py * Fixes and improvements for database configuration (#654) * Add signature verification support for local and remote IMA signature verification keys (#597) * install: Remove TPM 1.2 support from installer and bundeling scripts * CI/CD: Remove tpm1.2 testing support * Remove duplicated calls to verifier * Remove adding entropy to system rng * Cleanup and fix error case in encryptAIK (#648) * Move measured boot related code into functions to make check_pcrs readable (#642) * Move code related to tpm2_checkquote into its own function (#639) * scripts: Cleanup shell script formatting * installer.sh: Do not delete the local copy of the certificates. * Fix user_data_encrypt to UTF8 decode before print * tpm_abstract: Fix adding of entropy * codestyle: Ignore R1732 implemented by pylint >=2.8.0 * a fix for letting JSON encoding bytes correctly * Adding back reglist to the list of commands that don't need a -t argument * Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624) * Addresses #436 (#611) * Fixes #620 * Include PCR16 in the quote only when needed * Close leaking file descriptors (#622) * installer.sh: Add missing spaces when efivar is added * More ima_emulator_adapter cleanups (#616) * installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build * Remove more commented code in ca_util.py * installer: Only install efi library on x86_64 systems * Create allowlist table and basic API support * installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build * WIP: Some cleanups (#612) * Remove _cLime.c * config: Document the measured boot PCRs and what is using them * Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies" * ima_emulator_adapater: Remove unnecessary global statement * webapp: Fix private key and certificate path (issue #604) * Add support for keylime_webapp service to read intervals from keylime.conf
Alberto Planas Dominguez (aplanas)
accepted
request 908384
from
Alberto Planas Dominguez (aplanas)
(revision 12)
- Update to Keylime 6.1.1 + keylime_tenant add crash with TypeError: Object of type 'bytes' is not JSON serializable + Whenever Keylime agent starts and cannot contact the registrar, it fails and quits without flushing create EK handles + keylime_tenant -c reglist now requires a "-t" parameter for no reason + Duplicated API calls to verifier in webapp backend + Installer deletes tpm_cert_store files + agent_uuid set to dmidecode crashes Keylime + Copying of tpm_cert_store fails during installation + If the PCR belong to a measured boot list, it is not validated + keylime_tenant --c update fails with a race condition - Drop patches already present in the new version + webapp-fix-tls-certs-paths.patch + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch + tenant-do_cvdelete-wait-until-404.patch
Alberto Planas Dominguez (aplanas)
accepted
request 907679
from
Alberto Planas Dominguez (aplanas)
(revision 11)
- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
Alberto Planas Dominguez (aplanas)
accepted
request 907171
from
Alberto Planas Dominguez (aplanas)
(revision 10)
- Adjust the default revocation notifier binding IP - Default to CFSSL in keylime.conf - Add config-libefivars.diff to adjust the path of the library - Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch (gh#keylime/keylime!695) - Recommends CFSSL in the registrar (actually should be the CA) - Change default value for require_ek_cert to False - Reorder the patches to separate upstream fixes from openSUSE ones - Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659) - Recommend dmidecode for the agent - Require libtss2-tcti-{device0,tabrmd0} to use abrmd service - Add keylime.conf.diff patch to change the default config file - Add keylime.xml for firewalld service definition - Update to version 6.1.0: * Update python cryptography lib to v3.3.2 * installer.sh improvments * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py * Fourth and final PR to address #491 (#580) * scripts: Also use pylint-3 if pylint is not installed * agent: Fix the checking for a specific error returned by tpm2_quote * Allowlist verification - Enhancement #16 * Forgot to remove the original, more crude solution (which caused pylint errors) * New and improved code to fix issue #582 * Consistent formatting for logging strings
Alberto Planas Dominguez (aplanas)
accepted
request 907163
from
Alberto Planas Dominguez (aplanas)
(revision 9)
- Adjust the default revocation notifier binding IP
Alberto Planas Dominguez (aplanas)
accepted
request 906289
from
Alberto Planas Dominguez (aplanas)
(revision 8)
- Add config-libefivars.diff to adjust the path of the library
Alberto Planas Dominguez (aplanas)
accepted
request 905098
from
Alberto Planas Dominguez (aplanas)
(revision 7)
- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch (gh#keylime/keylime!695) - Recommends CFSSL in the registrar (actually should be the CA) - Change default value for require_ek_cert to False - Reorder the patches to separate upstream fixes from openSUSE ones
Dominique Leuenberger (dimstar_suse)
accepted
request 901553
from
Alberto Planas Dominguez (aplanas)
(revision 6)
initialized devel package after accepting 901553
Alberto Planas Dominguez (aplanas)
accepted
request 901500
from
Alberto Planas Dominguez (aplanas)
(revision 5)
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659) - Recommend dmidecode for the agent - Require libtss2-tcti-{device0,tabrmd0} to use abrmd service - Add keylime.conf.diff patch to change the default config file - Add keylime.xml for firewalld service definition - Update to version 6.1.0: * Update python cryptography lib to v3.3.2 * installer.sh improvments * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py * Fourth and final PR to address #491 (#580) * scripts: Also use pylint-3 if pylint is not installed * agent: Fix the checking for a specific error returned by tpm2_quote * Allowlist verification - Enhancement #16 * Forgot to remove the original, more crude solution (which caused pylint errors) * New and improved code to fix issue #582 * Consistent formatting for logging strings
Alberto Planas Dominguez (aplanas)
accepted
request 898819
from
Alberto Planas Dominguez (aplanas)
(revision 4)
- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
Alberto Planas Dominguez (aplanas)
accepted
request 898802
from
Alberto Planas Dominguez (aplanas)
(revision 3)
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659) - Recommend dmidecode for the agent - Update to version 6.1.0: * Update python cryptography lib to v3.3.2 * installer.sh improvments * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py * Fourth and final PR to address #491 (#580) * scripts: Also use pylint-3 if pylint is not installed * agent: Fix the checking for a specific error returned by tpm2_quote * Allowlist verification - Enhancement #16 * Forgot to remove the original, more crude solution (which caused pylint errors) * New and improved code to fix issue #582 * Consistent formatting for logging strings
Alberto Planas Dominguez (aplanas)
accepted
request 898452
from
Alberto Planas Dominguez (aplanas)
(revision 2)
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
Marcus Meissner (msmeissn)
accepted
request 891043
from
Alberto Planas Dominguez (aplanas)
(revision 1)
(See 890790 for reasons)
Displaying revisions 81 - 96 of 96