Overview

Request 984683 accepted

- Add logrotate configuration for the services
- Create run directory as non-root user
- Conflict with rust-keylime
- Consolidate in _distconfdir when possible
- Update to version v6.4.1:
* Bump version for pypi
* verifier: ensure that execptions caused by the agent result in a failure
* tpm_main: add failure tagging to measured boot parsing
* tpm_main: fix temp file handling in parse_binary_bootlog(..)
* pylint: fix bad-option-value and implicit-str-concat warnings
* ca: drop support for using CFSSL as a backend
* ca_openssl_impl: add basic support for generating a CRL
* config: change libefivar.so to libefivar.so.1
* elchecking: add workaround for wrong GUID parsing
* Add test /functional/measured-boot-swtpm-sanity to Packit CI plan
* Fix order of parameters in an error message
* pylint: remove usage of distutils because it is deprecated
* ca_util: do not use deprecated setDeamon() call
* elchecking: error if policy name is invalid, change default to reject-all
* Simplify GitHub Actions used for code coverage processing
* ima_dm: enable support for dm_target_update events
* benchmark: remove benchmark code
* ima: remove read_unpack(..) function
* Fixes #996, by properly catching exceptions resulting from network problems on the verifier.
* List tests in Packit-CI plan explicitly
* contributing: add section about code style
* fix git blame ignore entry for code style changes
* Enable test /functional/basic-attestation-without-mtls
* Defer loading PyZMQ to avoid optional dependency
* Unify log messages about deleting agent from CV
* Ignore reformat commit for git blame
* Reformat Keylime with isort and black to new code style
* Introducing pre-commit hook to enforce code style with isort and black
- Drop already merged patches:
* config-libefivars.diff
- Drop cfssl dependency, as uses openssl only
- Drop cfssl firewalld rule
- Update to version v6.4.0 (CVE-2022-1053, boo#1199253):
* general: bump Keylime version to 6.4.0
* tests: adjust tests to reflect latest API changes
* api: bump version to 2.1
* config: remove unused registrar mTLS options in cloud_verifier section
* tenant, verifier: let the tenant provide the AK and mTLS certificate
* Fix exit call in scripts/download_packit_coverage.sh
* Added codecov.io description to TESTING.md
* ci: only run CodeQL on the keylime directory and disable it for the webapp
* Enable GitHub workflow integrating codecov.io
* README: Fix and cleanup the install instructions
* ima: add backport for dataclasses support for Python 3.6
* ima: add info that device mapper validation is still experimental
* add lark as a dependency
* ima: integrate dm validator into gernal IMA validation
* agentstates: add the option to load and store dm validator state
* ima: add parser and validator for device mapper entries
* ima_file_signatures: rename to file_signatures
* ima_ast: rename to ast
* ima: move IMA components into their own module
* failure: add function to get current event ids
* config: add more details for tpm_cert_store option
* Deprecate API version 1.0
* config, webapp: remove tls_check_hostnames option
* ci: add CodeQL analysis
* agent, tpm: remove is_vtpm() check
* tests: update to reflect vTPM removal
* remove vTPM related helper files and documentation
* config: remove vTPM related options
* tenant: remove vtpm_policy
* verifier: remove vtpm_policy
* remove REQUIRE_ROOT environment option
* Remove Testing farm tag-repository
* Bump required packaging module version to 20.0
* Remove last traces of M2Crypto
* Workaround for mock_open not supporting iteration in Python 3.6
- Fix "run_as" configuration parameter and set it to keylime:tss
- Improve downgrade user migration during package update
- Update to version v6.3.2:
* general: bump Keylime version to 6.3.2
* tpm_main: flush transient objects
* pypi: add notice that the Python API is unstable
* installer: use OpenSSL by default
* Avoid mounting secdir while unmounting it
* remove TPM, VTPM and IMA stubbing support
* archive: remove all archive files
* Change GH reviewers to be from developer group
* added suse / opensuse support with zypper
* Fix tpm import in test_tpm.py
* Fix cfssl configuration in run_tests.sh
* tpm_emulator: improve TPM emulator installation
* config: Add option to enable DB debugging via DEBUG_DB env var
* Enable SQL query cache for JSONPickleType
* tpm_emulator: move everything into systemd services
* Implement broader key support for Keylime's signing mechanisms
* tenant: Use exponential backoff on key verification retries
* tenant: Move JSON parsing to capture possible exceptions
* tenant: Move verifier stop from do_quote to do_verify
* pylint: Fix issues related to W0602 global-variable-not-assigned
* tenant: Handle 404 error from registrar gracefully
* pylint: Fix remaining code with issue R1732 consider-using-with
* pylint: Fix R1732 consider-using-with
* pylint: Fix issue detected by pylint-2.13.0
* pylint: Fix issue detected by pylint-2.13.0
* tenant: verify agent quote before adding to verifier
* README: remove tpm2-abrmd and OSX sections
* pylint: Fix issues related to W0102 dangerous-default-value
* pylint: Fix R0201 no-self-use
* pylint: remove W1203 logging-format-interpolation from ignore list
* pylint: remove R1729 use-a-generator from ignore list
* pylint: remove E1120 no-value-for-parameter from ignore list
* pylint: remove W1201 logging-not-lazy from ignore list
* pylint: fix C0209 consider-using-f-string
* pylint: fix C0201 consider-iterating-dictionary
* pylint: fix W1509 subprocess-popen-preexec-fn
* keylime_tenant non-zero exit code on error
* Fix prepare step adjustments in packit-ci.fmf plan
* failure: fix Pattern type hint
* mypy: add initial Mypy configuration
* ima_ast: add type hints
* failure: add type hints
* logging, config: add type hints for logging module
* algorithms: add type hints
* json: add type hints and add JSONType as custom type
* Full allowlist processing when not adding host
* provider, vTPM: remove vTPM manager and provider code
* tpm: fix that the set of missing PCRs is not serializable in failure
* Restores the option to use keylime agents without mTLS
* services: make the services run as keylime user instead of root
* State in --help that SHA-256 is used for --allowlist-checksum
* config: change cacert.pem to cacert.crt
* registrar_client: validate connections against registrar ca certificate
* tenant: validate connections against verifier ca certificate
* request_client: only add custom adapter if TLS is enabled
* setup: add static assets for webapp
* Add TESTING.md describing testing details
* Fix some remaining log format strings
* Fix for database_url parameter with sqlite
* Enable test basic-attestation-with-unpriviledged-agent in Packit CI
* Use lazy string formatting when logging (#535)
* Make Packit CI plan more resource-saving
* keylime.conf: Document setting ownership in WORK_DIR (/var/lib/keylime)
* agent: Make sure tmpfs is empty even if not mounted or cannot unmount
* agent: Drop privileges by switching to normal user and group
* agent: Move mounting of tmpfs towards beginning of main()
* agent: Read measured boot log near process start
* agent: Open file for IMA log file near process start
* ima: Refactor read_measurement_list() to take file as argument
* Add the policy name to failure event
* tpm_main: Check if tpm_cert_store exists (#553)
* Remove tag input from container build workflow
* Push container images to quay.io/keylime org
* Enable code coverage measurement for e2e tests in Packit CI
* config: fix config search order
* Add defaults for ephemeral keys for agent records
* Update outdated greetings Github messages
* services: add keylime_agent_secure.mount service
* installer.sh: updated tpm2-{tools, tss}, use system packages if possible
* revocation_notifier: convert the data to str in the notifiers
* revocation_notifier: mark webhook threads as daemon and add timeout
* Fix Packit CI test plan Summary
* Enable Packit CI testing on CentOS Stream 8
* Enable Packit CI testing on Fedora Rawhide
* Remove last trace of TPM 1.2 (hopefully)
* verifier: remove start_tornado() function
* verifier: wait for connections to be closed before stopping ioloop
* revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
* Add more e2e tests to Packit CI
* Enable EPEL repo on CentOS Stream in packit.yaml
- Drop already merged patches
* drop_privileges_of_agent_process_after_startup.patch
* config_fix_config_search_order.patch
* services_add_keylime_agent_secure_mount_service.patch
- Add upstream patches:
* drop_privileges_of_agent_process_after_startup.patch
* config_fix_config_search_order.patch
* services_add_keylime_agent_secure_mount_service.patch
- Configure the agent to run as non-root (via keylime.conf)
- Add keylime sysuser conf file and deploy as part of the tpm
certificate subpackage
- Prepare the systemd mount unit for /var/lib/keylime/secure
- Drop patches beacuse merged upstream:
* version.diff
* cloud_verifier_tornado-use-fork_processes.patch
- Drop binaries not used anymore:
* keylime_provider_platform_init
* keylime_provider_registrar
* keylime_provider_vtpm_add
- Update to version v6.3.1:
* revocation_notifier: mark webhook threads as daemon and add timeout
* Fix Packit CI test plan Summary
* Enable Packit CI testing on CentOS Stream 8
* Enable Packit CI testing on Fedora Rawhide
* Remove last trace of TPM 1.2 (hopefully)
* verifier: remove start_tornado() function
* verifier: wait for connections to be closed before stopping ioloop
* revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
* Add more e2e tests to Packit CI
* Enable EPEL repo on CentOS Stream in packit.yaml
* agent, crypto: add localhost, server and contact ip to agent certificate
* Add better default repo path for run_local.sh
* Fix incorrect variable name in test_restful
* Run existing agent tests against the rust-keylime agent
* Fix small wording mistakes caught while reading the code
* agent: move key and certificate logging levels from debug to info
* agent: allow absolute paths for rsa_keyname and mtls_cert
* Add missing backend parameter
* cloud_verifier_tornado: use fork_processes
* ci: automatically push release to PyPI
* setup.{py,cfg}: Move setup configuration to setup.cfg
* Add iproute tool to Dockerfile
* Pylint does not like single-line functions.
* A small beauty fix
* This is a small fix to proactively fix Issue #840 by identifying non-escaped double quotes in the tpm2-tools output
* setup.py: add version number and new Python versions, drop unsed binaries
* setup.py, config: install default configuration into package path
* ci: move old keylime.conf to keylime.conf.orig before running tests
* retry: fix pylint issue
* Adding Infineon Optiga 034 RSA and ECC certificates for Infineon SLB9675 devices.
* Ensure columns "mb_refstate" and "allowlist" are of type LONGTEXT in table "verifiermain"
* tenant: add exponential backoff option to retry timings
* cloud verifier: add exponential backoff option to retry timings
* tpm: add exponential backoff option to retry timings
* test, retry: add unit test for retry algorithm
* common: add algorithm for retry time calculation
* registrar, tpm_main: ensure that correct types are commited to DB.
* Fix typo for config param listen_notifications
* Lint is _really_ unhappy today.
* Linty fixes
* Adding a unit test file for tpm_main
* tpm_main: check if PCRs for the hash algorithm are available
* tpm_main: handle if tpm2_checkquote returns no PCRs for a hash algorithm
* agent: output supported_version as result not as a status
* Add missing subcommands to -c help message
* tests: fix mtls_cert generation in test_restful.py
* revocation_notifier: fix socket path permission check
* Remove unused database_query config param
* Move umask calls only on entry points
* config: move directory utilities to fs_util
- Change back agent_uuid to hostname
- Set tpm_hash_alg to sha256 by default
- Update version.diff patch to point to the correct version number
- Fix issue with Tornado, when multiple workers are started
* Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)
- Drop patches beacuse merged upstream:
* 0001-Drop-dataclasses-module-usage.patch
* 0001-config-support-merge-multiple-config-files.patch
* 0001-ca-support-back-old-cyptography-API.patch
- Update to version v6.3.0:
* Coordinated update to fix:
+ bsc#1193997 (CVE-2022-23948)
+ bsc#1193998 (CVE-2021-43310)
+ bsc#1194000 (CVE-2022-23949)
+ bsc#1194002 (CVE-2022-23950)
+ bsc#1194004 (CVE-2022-23951)
+ bsc#1194005 (CVE-2022-23952)
* secure_mount: add umount function
* secure_mount: use /proc/self/mountinfo
* Validate user ID in all public interfaces
* validators: add uuid and agent_id validators
* validators: create validators module
* revocation_notifier: move zmq socket to /var/run/keylime
* Update API version from 1.0 to 2.0
* tpm: do not compress quote with zlib by default
* verifier: persist AK and mTLS certificate to DB
* verifier: use "supported_version" for agent connections
* tenant: add support for "supported_version" option for the verifier
* api_version: add the option for basic validation
* verifier: add supported_version field to DB and API
* agent: add /version to REST API
* verifier, tenant: allow agents to not use mTLS
* tenant, verifier: allow manual configuration of agent mTLS
* tests: migrate to mTLS
* tenant: connect to the agent via mTLS
* verifier: connect to the agent via mTLS
* tornado_requests: handle SSLError
* web_util: add mTLS context generation for agent
* agent: Enable mTLS for agent REST API
* crypto: add helper function for creating self signed certs
* registrar: Allow the agent to registrar with a mTLS certificate
* request_client: add workaround for handling certificates
* request_client: add the option to ignore hostname validation
* Better docs and errors about IMA hash mismatches
* tests: use JSON instead Python string for IMA tests
* verifier: use json.loads(..) instead of ast.literal_eval(..)
* Adding Nuvoton certificate for a post 2020 TPM device. The EK cert
of the device directs to the following download site:
'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root
CA 1111.cer' (yes, including the spaces)
* Improve revocation notifier IP description in keylime.conf
* tornado_requests: set Content-Type header correctly for JSON
* tenant: post U key to agent with correct Content-Type header
* Explicitly set permissions on new keylime.conf files installed
* tpm_main: close file descriptor for aik handle
* verifier: do not call finish() twice
* agent: fix payload execution
* tests: add initial tests for web_util module
* config, web_util: move get_restful_params(..) to web_util
* verifier: Also retry on HTTP 500 status code
* agent: improve startup and shutdown
* registrar: cleanup start function
* web_util: move echo_json_response(..) out of config.py
* verifier: fix failure generation for V key
* tornado_requests: cleanup TornadoResponse class
* web_util, verifier: move mTLS SSLContext generation into separate module
* ca: support back old cyptography API
* Fix test branch reference in packit.yaml
* ci: disable DeprecationWarning from pylint in tox
* Enable new test in Packit CI
* tenant: fix reactivate command
* config: support merge multiple config files
* ci: use only fedora-stable for packit
* elchecking: harden example policy against event type manipulation
* elchecking: add new tests
* tests: fix stdout formatting for agent and verifier
* Drop dataclasses module usage
* revocation notifier: handle shutdown of process gracefully
* verifier: handle SIGINT and SIGTERM correctly
* ima_emulator: fix IMA hash validation and add more options
* ima_ast: fix handling ToMToU errors
* Remove leftovers of TPM 1.2 support
* agent: improved validation for post function
* agent: better validation for mask and nonce
* config: add function to validate hex strings
* agent: keys/verify check if challenge was provided
* tpm_main: do not append /usr/local/{bin,lib} to default env
* db: only set length on Text type if supported
* json: do not make sqlalchemy a hard requirement
* Enable functional testing with Packit CI
* ima_emulator: specify sys.argv as the named parameter argv in main()
* elchecking example policy: make it work with Fedora 34
* elchecking example policy: initrd* might be also called initramfs*
* scripts: add mb_refstate generator for example policy
* config: change tpm_hash_alg to SHA1 by default
* parse_mb_bootlog: specify the used hash algorithm used for PCRs
* agent: add warning that on kernels <5.10 IMA only works with SHA1
* tpm: explicitly pass hash alg to sim_extend(..)
* ima emulator: use IMA AST and support multiple hash algorithms
* tests: update IMA allowlist version number
* ima: add option 'log_hash_alg' to IMA allowlist
* ima: remove hard requirement for SHA1 PCR 10
* algorithms: extend Hash class to simplify computing hash values
* config, tpm_main: explicitly handle YAML load errors
* config: private_key must be set to -private.pem not -public.pem
* agent: add UUID option environment
* agent: drop openstack uuid option
- Set /var/lib/keylime under the same permissions expected by the code
- Add 0001-config-support-merge-multiple-config-files.patch
This will allow the merge of config files in /usr/etc and /etc.
- Move the configuration file to /usr/etc in new distributions
- Add 0001-ca-support-back-old-cyptography-API.patch
This is only required for SLE, but the API is compatible with new versions
- Add 0001-Drop-dataclasses-module-usage.patch, to support Python 3.6
- Fix cfssl bcond logic in Tumbleweed / SLE
- Update to version v6.2.1:
* Another addition to gitignore
* Update .gitignore with more Keylime-specific files
* json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy
* ima_ast: check if the PCR is the same as in the config
* Fix permissions issue on volume mount in run_local.sh
* Make run_local.sh use a local copy of the repo
* Small updates to GOVERNANCE.md
* Move cargo-tarpaulin install to separate command
* config: drop registrar_* TLS options in [registrar] section
* Fix missing && in Dockerfile
* Remove simplejson from scripts and docs
* Replace simplejson with built-in json module
* Add rust-keylime container dependencies
* config: fix getboolean with fallback
* Clean up CI scripts and rewrite run_local.sh
* ima: for ToMToU errors skip template content validation
* ima: Use a set of entry numbers and file offsets to remember multiple positions
* Rename CONTRIBUTORS.md to CONTRIBUTING.md
* Update GOVERNANCE.md to match MAINTAINERS.md rename
* Update MAINTAINERS
* Update README: remove Gitter, Travis CI
* ca: Use UTC when setting certificate validity
* Tenant commands return json
* scripts: Allow passing a base policy to create_policy tool
* ima: Handle the case of ima-sig with a path with spaces in them
* add length to string object
* scripts: Implement create_policy to create the JSON allowlist from files
* ima: Also add a sha256 default boot_aggregate hash with 64 '0's
* ima: Use seek() to get to the last known last entry
* ima: Extend allowlist to be able to handle generic ima-buf entries
* ima: Extend JSON allowlist with 'ima' entry and 'ignored_keyrings'
* ima: Populate verifier keyrings with keys taken from ima-buf log line
* ima: Remove methods from ImaKeyring that are now in ImaKeyrings
* ima: Start passing ima_keyrings through APIs replacing ima_keyring
* Extend AgentAttestState with ima_keyrings field and use it
* ima: Implement ImaKeyrings class to support multiple keyrings
* verifier: Extend verifier DB to persist learned keyrings
* Fix a couple of pylint errors
* ima: Fix spurious attestation failures
* ima: make ToMToU errors not a failure by default
* Simple fix for tenant error message printout.
* pylint: Fix errors related to R1714
* pylint: Suppress C0201, C0209 and W0602 newly reported errors
* installer: do not install tpm2-abrmd
* tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd
* verifier: add option to send revocation messages via webhook
- Fix keylime configuration file attributes
- Requires python-psutil
- Disable automatic execution of the payload by default
- Use ramdom UUID by default
- Introduce a bcond for cfssl detection
- Drop cfssl if we are not in openSUSE
- Update to version 6.2.0:
* Fix bug #757 where revoc cert was treated as text
* Code improvement: removal of extra dependencies in measured boot attestation (#755)
* Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines.
* tenant: show severity level and last event id in status
* verifier: move to new failure architecture
* pcr validation: move to new failure architecture
* measured boot: move to new failure architecture
* ima: move to new failure architecture
* failure: add infrastructure to tag and collect revocation events in Keylime
* Simulating use of SSLContext.minimum_version on ssl v3.6
* verifier: fix minor typos
* Add tests for ca_impl_cfssl and ca_util
* Replace M2Crypto with python-cryptography
* tenant: status now shows if a agent was added to the registrar
* tenant: open file to send utf-8 encoded
* Correct some comments about and remove vestige in MB policy
* fixing a small bug that resulted in malformed refstates not failing MBA
* agent: ensure that EK is in PEM format when used as uuid
* Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734)
* ci: build and publish container images
* codestyle: fix W0612 and R1735 pylint errors
* codestyle: fix W1514 pylint error
* systemd: Add KillSignal=SIGINT to keylime_agent.service
* One-liner to set the minimum version of TLS to v1.2
* pylint fix
* Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py
* Refactor keylime_logging module
* ima: Implement ima-buf validator and validate keys on keyrings (#725)
* Remove Python 2 leftovers
* Additional fix for the processing of "tpm_policy"
* ima: Return an empty allowlist rather than a plain empty list
* verifier: convert (v)tpm_policy in DB from string to JSONPickleType
* verifier: Create AgentAttestState objects from entries in the db
* verifier: Persist the IMA attestation state after running the log verification
* db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries
* verifier: Skip attestation one time if agent's boottime changed
* test: Add test case simulating iterative attestation
* verifier: Delete an AgentAttestState when deleting an agent
* ima: Remember the number of lines successfully processed and last IMA PCR value(s)
* ima: Reset the attestation if processing the measurement list fails
* debug: Show line number when PCR match occurs
* verifier: Extend AgentAttestState with state of the IMA PCR
* Consult the AgentAttestState for the next measurement list entry
* Introduce an AgentAttestState class for passing state through the APIs
* verifier: Request IMA log at entry 0 for now
* agent: Get boottime and transfer to verifier
* agent: Add support for optional IMA log offset parameter
* tests: Add a unit test for the IMA function and run it
* agent: Move IMA measurement list reading function to ima.py
* Add default verifier-check value
* Use tox for pylint
* Use Fedora 34 as base image for CI container
* Run ci jobs only when needed
* config: merge convert and list_convert into the same function
* Versioned APIs
* Refacator of check_pcrs to parse then validate (#716)
* Automatically calculates the boot_aggregate from the measured boot log. (#713)
* Set default UUID as lowercase (#699)
* tenant: do_cvdelete wait until 404
* Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
* ima: Convert pcrval to bytes to increase efficiency
* tests: extend ima tests for signature validation and exclude lists
* Allow agents to specify a contact ip address and port for the tenant and CV (#690)
* verifer: Fix signature and allowlist evaluation bahavior change
* ima: Fix runtime error due to wrong datatype
* tenant: add the option to specify the registrar ip and port
* measured_boot: drop process_refstate
* check_pcrs: match PCR if no mb_refstate is provided
* ci: make run_local.sh work with newer docker versions
* Fixing pylint errors (#698)
* tests: add IMA test where validation should be ignored
* ima: Use ima_ast for parsing and validation
* tests: Add test for ima AST parser
* ima: Introducing a AST for parsing and validation
* Make stalebot a bit nicer
* enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier
* Flush all sessions from TPM device (#682)
* multiple named verifiers sharing a single database
* webapp: fix tls certs paths (#659)
* Corrects markdown to have proper rendering (#673)
* ima_file_signatures: Extract keyidv2 from x509 certs
* installer: Add '-r' option to cp to copy directory (issue #671)
* config: Add optional fallback parameter to get()
* agent: Fix the usage of dmidecode during the agent startup (issue #664)
* agent: Rename allowlist to ima_allowlist in keylime.conf
* Fix decoding error in user_data_encrypt
* agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list
* Addresses issue #660 (database path while running local tests) (#665)
* ima: Return 'None' when ImaKeyring.from_string() called with emtpy string
* tests: Move unittests into files with suffix _test.py
* Fixes and improvements for database configuration (#654)
* Add signature verification support for local and remote IMA signature verification keys (#597)
* install: Remove TPM 1.2 support from installer and bundeling scripts
* CI/CD: Remove tpm1.2 testing support
* Remove duplicated calls to verifier
* Remove adding entropy to system rng
* Cleanup and fix error case in encryptAIK (#648)
* Move measured boot related code into functions to make check_pcrs readable (#642)
* Move code related to tpm2_checkquote into its own function (#639)
* scripts: Cleanup shell script formatting
* installer.sh: Do not delete the local copy of the certificates.
* Fix user_data_encrypt to UTF8 decode before print
* tpm_abstract: Fix adding of entropy
* codestyle: Ignore R1732 implemented by pylint >=2.8.0
* a fix for letting JSON encoding bytes correctly
* Adding back reglist to the list of commands that don't need a -t argument
* Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624)
* Addresses #436 (#611)
* Fixes #620
* Include PCR16 in the quote only when needed
* Close leaking file descriptors (#622)
* installer.sh: Add missing spaces when efivar is added
* More ima_emulator_adapter cleanups (#616)
* installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build
* Remove more commented code in ca_util.py
* installer: Only install efi library on x86_64 systems
* Create allowlist table and basic API support
* installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build
* WIP: Some cleanups (#612)
* Remove _cLime.c
* config: Document the measured boot PCRs and what is using them
* Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies"
* ima_emulator_adapater: Remove unnecessary global statement
* webapp: Fix private key and certificate path (issue #604)
* Add support for keylime_webapp service to read intervals from keylime.conf
- Update to Keylime 6.1.1
+ keylime_tenant add crash with TypeError: Object of type 'bytes' is
not JSON serializable
+ Whenever Keylime agent starts and cannot contact the registrar, it
fails and quits without flushing create EK handles
+ keylime_tenant -c reglist now requires a "-t" parameter for no
reason
+ Duplicated API calls to verifier in webapp backend
+ Installer deletes tpm_cert_store files
+ agent_uuid set to dmidecode crashes Keylime
+ Copying of tpm_cert_store fails during installation
+ If the PCR belong to a measured boot list, it is not validated
+ keylime_tenant --c update fails with a race condition
- Drop patches already present in the new version
+ webapp-fix-tls-certs-paths.patch
+ check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
+ tenant-do_cvdelete-wait-until-404.patch
- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
- Adjust the default revocation notifier binding IP
- Default to CFSSL in keylime.conf
- Add config-libefivars.diff to adjust the path of the library
- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
(gh#keylime/keylime!695)
- Recommends CFSSL in the registrar (actually should be the CA)
- Change default value for require_ek_cert to False
- Reorder the patches to separate upstream fixes from openSUSE ones
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
- Recommend dmidecode for the agent
- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
- Add keylime.conf.diff patch to change the default config file
- Add keylime.xml for firewalld service definition
- Update to version 6.1.0:
* Update python cryptography lib to v3.3.2
* installer.sh improvments
* run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
* Fourth and final PR to address #491 (#580)
* scripts: Also use pylint-3 if pylint is not installed
* agent: Fix the checking for a specific error returned by tpm2_quote
* Allowlist verification - Enhancement #16
* Forgot to remove the original, more crude solution (which caused pylint errors)
* New and improved code to fix issue #582
* Consistent formatting for logging strings

Loading...
Request History
Alberto Planas Dominguez's avatar

aplanas created request

- Add logrotate configuration for the services
- Create run directory as non-root user
- Conflict with rust-keylime
- Consolidate in _distconfdir when possible
- Update to version v6.4.1:
* Bump version for pypi
* verifier: ensure that execptions caused by the agent result in a failure
* tpm_main: add failure tagging to measured boot parsing
* tpm_main: fix temp file handling in parse_binary_bootlog(..)
* pylint: fix bad-option-value and implicit-str-concat warnings
* ca: drop support for using CFSSL as a backend
* ca_openssl_impl: add basic support for generating a CRL
* config: change libefivar.so to libefivar.so.1
* elchecking: add workaround for wrong GUID parsing
* Add test /functional/measured-boot-swtpm-sanity to Packit CI plan
* Fix order of parameters in an error message
* pylint: remove usage of distutils because it is deprecated
* ca_util: do not use deprecated setDeamon() call
* elchecking: error if policy name is invalid, change default to reject-all
* Simplify GitHub Actions used for code coverage processing
* ima_dm: enable support for dm_target_update events
* benchmark: remove benchmark code
* ima: remove read_unpack(..) function
* Fixes #996, by properly catching exceptions resulting from network problems on the verifier.
* List tests in Packit-CI plan explicitly
* contributing: add section about code style
* fix git blame ignore entry for code style changes
* Enable test /functional/basic-attestation-without-mtls
* Defer loading PyZMQ to avoid optional dependency
* Unify log messages about deleting agent from CV
* Ignore reformat commit for git blame
* Reformat Keylime with isort and black to new code style
* Introducing pre-commit hook to enforce code style with isort and black
- Drop already merged patches:
* config-libefivars.diff
- Drop cfssl dependency, as uses openssl only
- Drop cfssl firewalld rule
- Update to version v6.4.0 (CVE-2022-1053, boo#1199253):
* general: bump Keylime version to 6.4.0
* tests: adjust tests to reflect latest API changes
* api: bump version to 2.1
* config: remove unused registrar mTLS options in cloud_verifier section
* tenant, verifier: let the tenant provide the AK and mTLS certificate
* Fix exit call in scripts/download_packit_coverage.sh
* Added codecov.io description to TESTING.md
* ci: only run CodeQL on the keylime directory and disable it for the webapp
* Enable GitHub workflow integrating codecov.io
* README: Fix and cleanup the install instructions
* ima: add backport for dataclasses support for Python 3.6
* ima: add info that device mapper validation is still experimental
* add lark as a dependency
* ima: integrate dm validator into gernal IMA validation
* agentstates: add the option to load and store dm validator state
* ima: add parser and validator for device mapper entries
* ima_file_signatures: rename to file_signatures
* ima_ast: rename to ast
* ima: move IMA components into their own module
* failure: add function to get current event ids
* config: add more details for tpm_cert_store option
* Deprecate API version 1.0
* config, webapp: remove tls_check_hostnames option
* ci: add CodeQL analysis
* agent, tpm: remove is_vtpm() check
* tests: update to reflect vTPM removal
* remove vTPM related helper files and documentation
* config: remove vTPM related options
* tenant: remove vtpm_policy
* verifier: remove vtpm_policy
* remove REQUIRE_ROOT environment option
* Remove Testing farm tag-repository
* Bump required packaging module version to 20.0
* Remove last traces of M2Crypto
* Workaround for mock_open not supporting iteration in Python 3.6
- Fix "run_as" configuration parameter and set it to keylime:tss
- Improve downgrade user migration during package update
- Update to version v6.3.2:
* general: bump Keylime version to 6.3.2
* tpm_main: flush transient objects
* pypi: add notice that the Python API is unstable
* installer: use OpenSSL by default
* Avoid mounting secdir while unmounting it
* remove TPM, VTPM and IMA stubbing support
* archive: remove all archive files
* Change GH reviewers to be from developer group
* added suse / opensuse support with zypper
* Fix tpm import in test_tpm.py
* Fix cfssl configuration in run_tests.sh
* tpm_emulator: improve TPM emulator installation
* config: Add option to enable DB debugging via DEBUG_DB env var
* Enable SQL query cache for JSONPickleType
* tpm_emulator: move everything into systemd services
* Implement broader key support for Keylime's signing mechanisms
* tenant: Use exponential backoff on key verification retries
* tenant: Move JSON parsing to capture possible exceptions
* tenant: Move verifier stop from do_quote to do_verify
* pylint: Fix issues related to W0602 global-variable-not-assigned
* tenant: Handle 404 error from registrar gracefully
* pylint: Fix remaining code with issue R1732 consider-using-with
* pylint: Fix R1732 consider-using-with
* pylint: Fix issue detected by pylint-2.13.0
* pylint: Fix issue detected by pylint-2.13.0
* tenant: verify agent quote before adding to verifier
* README: remove tpm2-abrmd and OSX sections
* pylint: Fix issues related to W0102 dangerous-default-value
* pylint: Fix R0201 no-self-use
* pylint: remove W1203 logging-format-interpolation from ignore list
* pylint: remove R1729 use-a-generator from ignore list
* pylint: remove E1120 no-value-for-parameter from ignore list
* pylint: remove W1201 logging-not-lazy from ignore list
* pylint: fix C0209 consider-using-f-string
* pylint: fix C0201 consider-iterating-dictionary
* pylint: fix W1509 subprocess-popen-preexec-fn
* keylime_tenant non-zero exit code on error
* Fix prepare step adjustments in packit-ci.fmf plan
* failure: fix Pattern type hint
* mypy: add initial Mypy configuration
* ima_ast: add type hints
* failure: add type hints
* logging, config: add type hints for logging module
* algorithms: add type hints
* json: add type hints and add JSONType as custom type
* Full allowlist processing when not adding host
* provider, vTPM: remove vTPM manager and provider code
* tpm: fix that the set of missing PCRs is not serializable in failure
* Restores the option to use keylime agents without mTLS
* services: make the services run as keylime user instead of root
* State in --help that SHA-256 is used for --allowlist-checksum
* config: change cacert.pem to cacert.crt
* registrar_client: validate connections against registrar ca certificate
* tenant: validate connections against verifier ca certificate
* request_client: only add custom adapter if TLS is enabled
* setup: add static assets for webapp
* Add TESTING.md describing testing details
* Fix some remaining log format strings
* Fix for database_url parameter with sqlite
* Enable test basic-attestation-with-unpriviledged-agent in Packit CI
* Use lazy string formatting when logging (#535)
* Make Packit CI plan more resource-saving
* keylime.conf: Document setting ownership in WORK_DIR (/var/lib/keylime)
* agent: Make sure tmpfs is empty even if not mounted or cannot unmount
* agent: Drop privileges by switching to normal user and group
* agent: Move mounting of tmpfs towards beginning of main()
* agent: Read measured boot log near process start
* agent: Open file for IMA log file near process start
* ima: Refactor read_measurement_list() to take file as argument
* Add the policy name to failure event
* tpm_main: Check if tpm_cert_store exists (#553)
* Remove tag input from container build workflow
* Push container images to quay.io/keylime org
* Enable code coverage measurement for e2e tests in Packit CI
* config: fix config search order
* Add defaults for ephemeral keys for agent records
* Update outdated greetings Github messages
* services: add keylime_agent_secure.mount service
* installer.sh: updated tpm2-{tools, tss}, use system packages if possible
* revocation_notifier: convert the data to str in the notifiers
* revocation_notifier: mark webhook threads as daemon and add timeout
* Fix Packit CI test plan Summary
* Enable Packit CI testing on CentOS Stream 8
* Enable Packit CI testing on Fedora Rawhide
* Remove last trace of TPM 1.2 (hopefully)
* verifier: remove start_tornado() function
* verifier: wait for connections to be closed before stopping ioloop
* revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
* Add more e2e tests to Packit CI
* Enable EPEL repo on CentOS Stream in packit.yaml
- Drop already merged patches
* drop_privileges_of_agent_process_after_startup.patch
* config_fix_config_search_order.patch
* services_add_keylime_agent_secure_mount_service.patch
- Add upstream patches:
* drop_privileges_of_agent_process_after_startup.patch
* config_fix_config_search_order.patch
* services_add_keylime_agent_secure_mount_service.patch
- Configure the agent to run as non-root (via keylime.conf)
- Add keylime sysuser conf file and deploy as part of the tpm
certificate subpackage
- Prepare the systemd mount unit for /var/lib/keylime/secure
- Drop patches beacuse merged upstream:
* version.diff
* cloud_verifier_tornado-use-fork_processes.patch
- Drop binaries not used anymore:
* keylime_provider_platform_init
* keylime_provider_registrar
* keylime_provider_vtpm_add
- Update to version v6.3.1:
* revocation_notifier: mark webhook threads as daemon and add timeout
* Fix Packit CI test plan Summary
* Enable Packit CI testing on CentOS Stream 8
* Enable Packit CI testing on Fedora Rawhide
* Remove last trace of TPM 1.2 (hopefully)
* verifier: remove start_tornado() function
* verifier: wait for connections to be closed before stopping ioloop
* revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
* Add more e2e tests to Packit CI
* Enable EPEL repo on CentOS Stream in packit.yaml
* agent, crypto: add localhost, server and contact ip to agent certificate
* Add better default repo path for run_local.sh
* Fix incorrect variable name in test_restful
* Run existing agent tests against the rust-keylime agent
* Fix small wording mistakes caught while reading the code
* agent: move key and certificate logging levels from debug to info
* agent: allow absolute paths for rsa_keyname and mtls_cert
* Add missing backend parameter
* cloud_verifier_tornado: use fork_processes
* ci: automatically push release to PyPI
* setup.{py,cfg}: Move setup configuration to setup.cfg
* Add iproute tool to Dockerfile
* Pylint does not like single-line functions.
* A small beauty fix
* This is a small fix to proactively fix Issue #840 by identifying non-escaped double quotes in the tpm2-tools output
* setup.py: add version number and new Python versions, drop unsed binaries
* setup.py, config: install default configuration into package path
* ci: move old keylime.conf to keylime.conf.orig before running tests
* retry: fix pylint issue
* Adding Infineon Optiga 034 RSA and ECC certificates for Infineon SLB9675 devices.
* Ensure columns "mb_refstate" and "allowlist" are of type LONGTEXT in table "verifiermain"
* tenant: add exponential backoff option to retry timings
* cloud verifier: add exponential backoff option to retry timings
* tpm: add exponential backoff option to retry timings
* test, retry: add unit test for retry algorithm
* common: add algorithm for retry time calculation
* registrar, tpm_main: ensure that correct types are commited to DB.
* Fix typo for config param listen_notifications
* Lint is _really_ unhappy today.
* Linty fixes
* Adding a unit test file for tpm_main
* tpm_main: check if PCRs for the hash algorithm are available
* tpm_main: handle if tpm2_checkquote returns no PCRs for a hash algorithm
* agent: output supported_version as result not as a status
* Add missing subcommands to -c help message
* tests: fix mtls_cert generation in test_restful.py
* revocation_notifier: fix socket path permission check
* Remove unused database_query config param
* Move umask calls only on entry points
* config: move directory utilities to fs_util
- Change back agent_uuid to hostname
- Set tpm_hash_alg to sha256 by default
- Update version.diff patch to point to the correct version number
- Fix issue with Tornado, when multiple workers are started
* Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)
- Drop patches beacuse merged upstream:
* 0001-Drop-dataclasses-module-usage.patch
* 0001-config-support-merge-multiple-config-files.patch
* 0001-ca-support-back-old-cyptography-API.patch
- Update to version v6.3.0:
* Coordinated update to fix:
+ bsc#1193997 (CVE-2022-23948)
+ bsc#1193998 (CVE-2021-43310)
+ bsc#1194000 (CVE-2022-23949)
+ bsc#1194002 (CVE-2022-23950)
+ bsc#1194004 (CVE-2022-23951)
+ bsc#1194005 (CVE-2022-23952)
* secure_mount: add umount function
* secure_mount: use /proc/self/mountinfo
* Validate user ID in all public interfaces
* validators: add uuid and agent_id validators
* validators: create validators module
* revocation_notifier: move zmq socket to /var/run/keylime
* Update API version from 1.0 to 2.0
* tpm: do not compress quote with zlib by default
* verifier: persist AK and mTLS certificate to DB
* verifier: use "supported_version" for agent connections
* tenant: add support for "supported_version" option for the verifier
* api_version: add the option for basic validation
* verifier: add supported_version field to DB and API
* agent: add /version to REST API
* verifier, tenant: allow agents to not use mTLS
* tenant, verifier: allow manual configuration of agent mTLS
* tests: migrate to mTLS
* tenant: connect to the agent via mTLS
* verifier: connect to the agent via mTLS
* tornado_requests: handle SSLError
* web_util: add mTLS context generation for agent
* agent: Enable mTLS for agent REST API
* crypto: add helper function for creating self signed certs
* registrar: Allow the agent to registrar with a mTLS certificate
* request_client: add workaround for handling certificates
* request_client: add the option to ignore hostname validation
* Better docs and errors about IMA hash mismatches
* tests: use JSON instead Python string for IMA tests
* verifier: use json.loads(..) instead of ast.literal_eval(..)
* Adding Nuvoton certificate for a post 2020 TPM device. The EK cert
of the device directs to the following download site:
'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root
CA 1111.cer' (yes, including the spaces)
* Improve revocation notifier IP description in keylime.conf
* tornado_requests: set Content-Type header correctly for JSON
* tenant: post U key to agent with correct Content-Type header
* Explicitly set permissions on new keylime.conf files installed
* tpm_main: close file descriptor for aik handle
* verifier: do not call finish() twice
* agent: fix payload execution
* tests: add initial tests for web_util module
* config, web_util: move get_restful_params(..) to web_util
* verifier: Also retry on HTTP 500 status code
* agent: improve startup and shutdown
* registrar: cleanup start function
* web_util: move echo_json_response(..) out of config.py
* verifier: fix failure generation for V key
* tornado_requests: cleanup TornadoResponse class
* web_util, verifier: move mTLS SSLContext generation into separate module
* ca: support back old cyptography API
* Fix test branch reference in packit.yaml
* ci: disable DeprecationWarning from pylint in tox
* Enable new test in Packit CI
* tenant: fix reactivate command
* config: support merge multiple config files
* ci: use only fedora-stable for packit
* elchecking: harden example policy against event type manipulation
* elchecking: add new tests
* tests: fix stdout formatting for agent and verifier
* Drop dataclasses module usage
* revocation notifier: handle shutdown of process gracefully
* verifier: handle SIGINT and SIGTERM correctly
* ima_emulator: fix IMA hash validation and add more options
* ima_ast: fix handling ToMToU errors
* Remove leftovers of TPM 1.2 support
* agent: improved validation for post function
* agent: better validation for mask and nonce
* config: add function to validate hex strings
* agent: keys/verify check if challenge was provided
* tpm_main: do not append /usr/local/{bin,lib} to default env
* db: only set length on Text type if supported
* json: do not make sqlalchemy a hard requirement
* Enable functional testing with Packit CI
* ima_emulator: specify sys.argv as the named parameter argv in main()
* elchecking example policy: make it work with Fedora 34
* elchecking example policy: initrd* might be also called initramfs*
* scripts: add mb_refstate generator for example policy
* config: change tpm_hash_alg to SHA1 by default
* parse_mb_bootlog: specify the used hash algorithm used for PCRs
* agent: add warning that on kernels <5.10 IMA only works with SHA1
* tpm: explicitly pass hash alg to sim_extend(..)
* ima emulator: use IMA AST and support multiple hash algorithms
* tests: update IMA allowlist version number
* ima: add option 'log_hash_alg' to IMA allowlist
* ima: remove hard requirement for SHA1 PCR 10
* algorithms: extend Hash class to simplify computing hash values
* config, tpm_main: explicitly handle YAML load errors
* config: private_key must be set to -private.pem not -public.pem
* agent: add UUID option environment
* agent: drop openstack uuid option
- Set /var/lib/keylime under the same permissions expected by the code
- Add 0001-config-support-merge-multiple-config-files.patch
This will allow the merge of config files in /usr/etc and /etc.
- Move the configuration file to /usr/etc in new distributions
- Add 0001-ca-support-back-old-cyptography-API.patch
This is only required for SLE, but the API is compatible with new versions
- Add 0001-Drop-dataclasses-module-usage.patch, to support Python 3.6
- Fix cfssl bcond logic in Tumbleweed / SLE
- Update to version v6.2.1:
* Another addition to gitignore
* Update .gitignore with more Keylime-specific files
* json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy
* ima_ast: check if the PCR is the same as in the config
* Fix permissions issue on volume mount in run_local.sh
* Make run_local.sh use a local copy of the repo
* Small updates to GOVERNANCE.md
* Move cargo-tarpaulin install to separate command
* config: drop registrar_* TLS options in [registrar] section
* Fix missing && in Dockerfile
* Remove simplejson from scripts and docs
* Replace simplejson with built-in json module
* Add rust-keylime container dependencies
* config: fix getboolean with fallback
* Clean up CI scripts and rewrite run_local.sh
* ima: for ToMToU errors skip template content validation
* ima: Use a set of entry numbers and file offsets to remember multiple positions
* Rename CONTRIBUTORS.md to CONTRIBUTING.md
* Update GOVERNANCE.md to match MAINTAINERS.md rename
* Update MAINTAINERS
* Update README: remove Gitter, Travis CI
* ca: Use UTC when setting certificate validity
* Tenant commands return json
* scripts: Allow passing a base policy to create_policy tool
* ima: Handle the case of ima-sig with a path with spaces in them
* add length to string object
* scripts: Implement create_policy to create the JSON allowlist from files
* ima: Also add a sha256 default boot_aggregate hash with 64 '0's
* ima: Use seek() to get to the last known last entry
* ima: Extend allowlist to be able to handle generic ima-buf entries
* ima: Extend JSON allowlist with 'ima' entry and 'ignored_keyrings'
* ima: Populate verifier keyrings with keys taken from ima-buf log line
* ima: Remove methods from ImaKeyring that are now in ImaKeyrings
* ima: Start passing ima_keyrings through APIs replacing ima_keyring
* Extend AgentAttestState with ima_keyrings field and use it
* ima: Implement ImaKeyrings class to support multiple keyrings
* verifier: Extend verifier DB to persist learned keyrings
* Fix a couple of pylint errors
* ima: Fix spurious attestation failures
* ima: make ToMToU errors not a failure by default
* Simple fix for tenant error message printout.
* pylint: Fix errors related to R1714
* pylint: Suppress C0201, C0209 and W0602 newly reported errors
* installer: do not install tpm2-abrmd
* tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd
* verifier: add option to send revocation messages via webhook
- Fix keylime configuration file attributes
- Requires python-psutil
- Disable automatic execution of the payload by default
- Use ramdom UUID by default
- Introduce a bcond for cfssl detection
- Drop cfssl if we are not in openSUSE
- Update to version 6.2.0:
* Fix bug #757 where revoc cert was treated as text
* Code improvement: removal of extra dependencies in measured boot attestation (#755)
* Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines.
* tenant: show severity level and last event id in status
* verifier: move to new failure architecture
* pcr validation: move to new failure architecture
* measured boot: move to new failure architecture
* ima: move to new failure architecture
* failure: add infrastructure to tag and collect revocation events in Keylime
* Simulating use of SSLContext.minimum_version on ssl v3.6
* verifier: fix minor typos
* Add tests for ca_impl_cfssl and ca_util
* Replace M2Crypto with python-cryptography
* tenant: status now shows if a agent was added to the registrar
* tenant: open file to send utf-8 encoded
* Correct some comments about and remove vestige in MB policy
* fixing a small bug that resulted in malformed refstates not failing MBA
* agent: ensure that EK is in PEM format when used as uuid
* Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734)
* ci: build and publish container images
* codestyle: fix W0612 and R1735 pylint errors
* codestyle: fix W1514 pylint error
* systemd: Add KillSignal=SIGINT to keylime_agent.service
* One-liner to set the minimum version of TLS to v1.2
* pylint fix
* Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py
* Refactor keylime_logging module
* ima: Implement ima-buf validator and validate keys on keyrings (#725)
* Remove Python 2 leftovers
* Additional fix for the processing of "tpm_policy"
* ima: Return an empty allowlist rather than a plain empty list
* verifier: convert (v)tpm_policy in DB from string to JSONPickleType
* verifier: Create AgentAttestState objects from entries in the db
* verifier: Persist the IMA attestation state after running the log verification
* db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries
* verifier: Skip attestation one time if agent's boottime changed
* test: Add test case simulating iterative attestation
* verifier: Delete an AgentAttestState when deleting an agent
* ima: Remember the number of lines successfully processed and last IMA PCR value(s)
* ima: Reset the attestation if processing the measurement list fails
* debug: Show line number when PCR match occurs
* verifier: Extend AgentAttestState with state of the IMA PCR
* Consult the AgentAttestState for the next measurement list entry
* Introduce an AgentAttestState class for passing state through the APIs
* verifier: Request IMA log at entry 0 for now
* agent: Get boottime and transfer to verifier
* agent: Add support for optional IMA log offset parameter
* tests: Add a unit test for the IMA function and run it
* agent: Move IMA measurement list reading function to ima.py
* Add default verifier-check value
* Use tox for pylint
* Use Fedora 34 as base image for CI container
* Run ci jobs only when needed
* config: merge convert and list_convert into the same function
* Versioned APIs
* Refacator of check_pcrs to parse then validate (#716)
* Automatically calculates the boot_aggregate from the measured boot log. (#713)
* Set default UUID as lowercase (#699)
* tenant: do_cvdelete wait until 404
* Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
* ima: Convert pcrval to bytes to increase efficiency
* tests: extend ima tests for signature validation and exclude lists
* Allow agents to specify a contact ip address and port for the tenant and CV (#690)
* verifer: Fix signature and allowlist evaluation bahavior change
* ima: Fix runtime error due to wrong datatype
* tenant: add the option to specify the registrar ip and port
* measured_boot: drop process_refstate
* check_pcrs: match PCR if no mb_refstate is provided
* ci: make run_local.sh work with newer docker versions
* Fixing pylint errors (#698)
* tests: add IMA test where validation should be ignored
* ima: Use ima_ast for parsing and validation
* tests: Add test for ima AST parser
* ima: Introducing a AST for parsing and validation
* Make stalebot a bit nicer
* enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier
* Flush all sessions from TPM device (#682)
* multiple named verifiers sharing a single database
* webapp: fix tls certs paths (#659)
* Corrects markdown to have proper rendering (#673)
* ima_file_signatures: Extract keyidv2 from x509 certs
* installer: Add '-r' option to cp to copy directory (issue #671)
* config: Add optional fallback parameter to get()
* agent: Fix the usage of dmidecode during the agent startup (issue #664)
* agent: Rename allowlist to ima_allowlist in keylime.conf
* Fix decoding error in user_data_encrypt
* agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list
* Addresses issue #660 (database path while running local tests) (#665)
* ima: Return 'None' when ImaKeyring.from_string() called with emtpy string
* tests: Move unittests into files with suffix _test.py
* Fixes and improvements for database configuration (#654)
* Add signature verification support for local and remote IMA signature verification keys (#597)
* install: Remove TPM 1.2 support from installer and bundeling scripts
* CI/CD: Remove tpm1.2 testing support
* Remove duplicated calls to verifier
* Remove adding entropy to system rng
* Cleanup and fix error case in encryptAIK (#648)
* Move measured boot related code into functions to make check_pcrs readable (#642)
* Move code related to tpm2_checkquote into its own function (#639)
* scripts: Cleanup shell script formatting
* installer.sh: Do not delete the local copy of the certificates.
* Fix user_data_encrypt to UTF8 decode before print
* tpm_abstract: Fix adding of entropy
* codestyle: Ignore R1732 implemented by pylint >=2.8.0
* a fix for letting JSON encoding bytes correctly
* Adding back reglist to the list of commands that don't need a -t argument
* Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624)
* Addresses #436 (#611)
* Fixes #620
* Include PCR16 in the quote only when needed
* Close leaking file descriptors (#622)
* installer.sh: Add missing spaces when efivar is added
* More ima_emulator_adapter cleanups (#616)
* installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build
* Remove more commented code in ca_util.py
* installer: Only install efi library on x86_64 systems
* Create allowlist table and basic API support
* installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build
* WIP: Some cleanups (#612)
* Remove _cLime.c
* config: Document the measured boot PCRs and what is using them
* Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies"
* ima_emulator_adapater: Remove unnecessary global statement
* webapp: Fix private key and certificate path (issue #604)
* Add support for keylime_webapp service to read intervals from keylime.conf
- Update to Keylime 6.1.1
+ keylime_tenant add crash with TypeError: Object of type 'bytes' is
not JSON serializable
+ Whenever Keylime agent starts and cannot contact the registrar, it
fails and quits without flushing create EK handles
+ keylime_tenant -c reglist now requires a "-t" parameter for no
reason
+ Duplicated API calls to verifier in webapp backend
+ Installer deletes tpm_cert_store files
+ agent_uuid set to dmidecode crashes Keylime
+ Copying of tpm_cert_store fails during installation
+ If the PCR belong to a measured boot list, it is not validated
+ keylime_tenant --c update fails with a race condition
- Drop patches already present in the new version
+ webapp-fix-tls-certs-paths.patch
+ check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
+ tenant-do_cvdelete-wait-until-404.patch
- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
- Adjust the default revocation notifier binding IP
- Default to CFSSL in keylime.conf
- Add config-libefivars.diff to adjust the path of the library
- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
(gh#keylime/keylime!695)
- Recommends CFSSL in the registrar (actually should be the CA)
- Change default value for require_ek_cert to False
- Reorder the patches to separate upstream fixes from openSUSE ones
- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
- Recommend dmidecode for the agent
- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
- Add keylime.conf.diff patch to change the default config file
- Add keylime.xml for firewalld service definition
- Update to version 6.1.0:
* Update python cryptography lib to v3.3.2
* installer.sh improvments
* run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
* Fourth and final PR to address #491 (#580)
* scripts: Also use pylint-3 if pylint is not installed
* agent: Fix the checking for a specific error returned by tpm2_quote
* Allowlist verification - Enhancement #16
* Forgot to remove the original, more crude solution (which caused pylint errors)
* New and improved code to fix issue #582
* Consistent formatting for logging strings


Alberto Planas Dominguez's avatar

aplanas accepted request

openSUSE Build Service is sponsored by