Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2021-07-17 23:36:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.2632 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "keylime"

Sat Jul 17 23:36:21 2021 rev:2 rq:906290 version:6.1.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-06-24 
18:22:43.404926149 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.2632/keylime.changes        
2021-07-17 23:36:24.702074732 +0200
@@ -1,0 +2,14 @@
+Wed Jul 14 12:12:23 UTC 2021 - Alberto Planas Dominguez <apla...@suse.com>
+
+- Add config-libefivars.diff to adjust the path of the library
+
+-------------------------------------------------------------------
+Thu Jul  8 14:45:24 UTC 2021 - Alberto Planas Dominguez <apla...@suse.com>
+
+- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
+  (gh#keylime/keylime!695)
+- Recommends CFSSL in the registrar (actually should be the CA)
+- Change default value for require_ek_cert to False
+- Reorder the patches to separate upstream fixes from openSUSE ones
+
+-------------------------------------------------------------------

New:
----
  check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
  config-libefivars.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ keylime.spec ++++++
--- /var/tmp/diff_new_pack.gxAI4B/_old  2021-07-17 23:36:25.238070600 +0200
+++ /var/tmp/diff_new_pack.gxAI4B/_new  2021-07-17 23:36:25.238070600 +0200
@@ -29,10 +29,14 @@
 Source1:        keylime.xml
 # PATCH-FIX-OPENSUSE version.diff
 Patch1:         version.diff
-# PATCH-FIX-UPSTREAM webapp-fix-tls-certs-paths.patch gh#keylime/keylime!659
-Patch2:         webapp-fix-tls-certs-paths.patch
 # PATCH-FIX-OPENSUSE keylime.conf.diff
-Patch3:         keylime.conf.diff
+Patch2:         keylime.conf.diff
+# PATCH-FIX-OPENSUSE config-libefivars.diff
+Patch3:         config-libefivars.diff
+# PATCH-FIX-UPSTREAM webapp-fix-tls-certs-paths.patch gh#keylime/keylime!659
+Patch4:         webapp-fix-tls-certs-paths.patch
+# PATCH-FIX-UPSTREAM check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch 
gh#keylime/keylime!695
+Patch5:         check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
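Review bot: The renumbering of Patch2–Patch5 is only safe if %prep applies the patches with %autosetup or %autopatch; if it uses numbered %patch macros, each one has to be renumbered as well, and no %prep hunk appears in this diff, so that should be confirmed. The comment for Patch5 is also split across two lines at `gh#keylime/keylime!695`; if that break is really in the spec rather than a mail wrap, rpmbuild will reject the bare second line, and it should read as one line `# PATCH-FIX-UPSTREAM check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch gh#keylime/keylime!695`.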
@@ -54,7 +58,7 @@
 Requires:       tpm2.0-abrmd
 Requires:       tpm2.0-tools
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 BuildArch:      noarch
 %python_subpackages
 
@@ -101,6 +105,7 @@
 Requires:       %{name}-tpm_cert_store = %{version}
 Requires:       python3-%{name} = %{version}
 Recommends:     %{name}-firewalld = %{version}
+Recommends:     cfssl
 
 %description -n %{name}-registrar
 Subpackage of %{name} for registrar service.
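Review bot: `Recommends: cfssl` is attached to the registrar subpackage, while the changelog entry in this same request says the CA is the component that actually uses it. If that is right, the recommendation belongs on the subpackage that invokes cfssl, and leaving it on the registrar pulls a CA toolkit onto hosts that do not need it. Until it is moved, a spec comment next to the line explaining why it is here would stop the next maintainer from treating it as intentional, e.g. `# cfssl is used for CA operations; recommended here pending a move to the CA subpackage`.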

++++++ check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch ++++++
>From 1c3dc5928866741426acabbe653c51d5ec2b9813 Mon Sep 17 00:00:00 2001
From: Alberto Planas <apla...@suse.com>
Date: Thu, 8 Jul 2021 16:16:32 +0200
Subject: [PATCH] check_pcrs: match PCR if no mb_refstate is provided

If the values for mb_refstate are empty, the PCRs that are present in
the tpm_policy and belong to the measured boot process are ignored.

This patch checks that the PCRs from the policy match the ones that
come from the quote when there is no measured boot data.

Fix #694

Signed-off-by: Alberto Planas <apla...@suse.com>
---
 keylime/tpm/tpm_abstract.py | 3 +++
 1 file changed, 3 insertions(+)

Index: keylime-6.1.0/keylime/tpm/tpm_abstract.py
===================================================================
--- keylime-6.1.0.orig/keylime/tpm/tpm_abstract.py
+++ keylime-6.1.0/keylime/tpm/tpm_abstract.py
@@ -316,6 +316,9 @@ class AbstractTPM(metaclass=ABCMeta):
                     if val_from_log_hex_stripped != pcrval_stripped:
                         logger.error("For PCR %d and hash SHA256 the boot 
event log has value %r but the agent returned %r", pcrnum, val_from_log_hex, 
pcrval)
                         return False
+                elif pcrnum in pcr_allowlist and pcrval not in 
pcr_allowlist[pcrnum] and not config.STUB_TPM:
+                    logger.error("%sPCR #%s: %s from quote does not match 
expected value %s", ("", "v")[virtual], pcrnum, pcrval, pcr_allowlist[pcrnum])
+                    return False
                 pcrsInQuote.add(pcrnum)
                 continue
 
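Review bot: The new `elif` compares the raw `pcrval` with the entries of `pcr_allowlist[pcrnum]`, whereas the measured-boot branch directly above compares stripped forms (`val_from_log_hex_stripped != pcrval_stripped`); unless allowlist values are stored in exactly the representation the quote uses, a valid quote would be rejected here, which fails closed but is a false rejection that is hard to diagnose from the log line alone. The hunk does not show how `pcr_allowlist` is built, so this needs confirming against the code that populates it. The branch is the whole point of the fix and deserves a why-comment, e.g. `# No measured-boot refstate covers this PCR: fall back to the static tpm_policy value`. The enclosing loop and method start and end outside the hunk, and the added lines are wrapped by the mailer.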
++++++ config-libefivars.diff ++++++
Index: keylime-6.1.0/keylime/config.py
===================================================================
--- keylime-6.1.0.orig/keylime/config.py
+++ keylime-6.1.0/keylime/config.py
@@ -318,7 +318,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/
 MEASUREDBOOT_IMPORTS = get_config().get('cloud_verifier', 
'measured_boot_imports', fallback='').split(',')
 MEASUREDBOOT_POLICYNAME = get_config().get('cloud_verifier', 
'measured_boot_policy_name', fallback='accept-all')
 
-LIBEFIVAR="libefivar.so" # formerly "/usr/lib/x86_64-linux-gnu/libefivar.so"
+LIBEFIVAR="/usr/lib64/libefivar.so.1" # formerly 
"/usr/lib/x86_64-linux-gnu/libefivar.so"
 
 # this is where data will be bound to a quote, MUST BE RESETABLE!
 TPM_DATA_PCR = 16
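Review bot: `LIBEFIVAR="/usr/lib64/libefivar.so.1"` hard-codes the 64-bit multilib directory, but the spec in this same request declares `BuildArch: noarch`, so the identical file is installed on every architecture and the library will not be found where the runtime libdir is `/usr/lib`. Moving from the unversioned `libefivar.so` (normally a -devel symlink) to the soname `libefivar.so.1` looks like the real fix; keeping just `LIBEFIVAR = "libefivar.so.1"` lets the dynamic loader resolve it from the default search path on any layout, and `ctypes.util.find_library("efivar")` is the portable alternative if the loading code uses ctypes, which the hunk does not show. The replacement line is wrapped by the mailer after `# formerly`.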
++++++ keylime.conf.diff ++++++
--- /var/tmp/diff_new_pack.gxAI4B/_old  2021-07-17 23:36:25.290070199 +0200
+++ /var/tmp/diff_new_pack.gxAI4B/_new  2021-07-17 23:36:25.290070199 +0200
@@ -2,7 +2,7 @@
 ===================================================================
 --- keylime-6.1.0.orig/keylime.conf
 +++ keylime-6.1.0/keylime.conf
-@@ -16,7 +16,8 @@
+@@ -16,7 +16,8 @@ ca_implementation = openssl
  
  # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
  # revocation events from the verifier.
@@ -12,7 +12,7 @@
  receive_revocation_port = 8992
  
  #=============================================================================
-@@ -24,11 +25,13 @@
+@@ -24,11 +25,13 @@ receive_revocation_port = 8992
  #=============================================================================
  
  # The binding address and port for the agent server
@@ -28,7 +28,7 @@
  registrar_port = 8890
  
  # The name of the RSA key that Keylime should use for protecting shares of 
U/V.
-@@ -68,7 +71,8 @@
+@@ -68,7 +71,8 @@ extract_payload_zip = True
  # 'dmidecode -s system-uuid'.
  # If you set this to "hostname", Keylime will use the full qualified domain
  # name of current host as the agent id.
@@ -38,7 +38,7 @@
  
  # Whether to listen for revocation notifications from the verifier or not.
  listen_notfications = True
-@@ -129,7 +133,8 @@
+@@ -129,7 +133,8 @@ ek_handle = generate
  #=============================================================================
  
  # The IP address and port of verifier server binds to
@@ -48,7 +48,17 @@
  cloudverifier_port = 8881
  
  # The address and port of registrar server that verifier communicates with
-@@ -406,7 +411,8 @@
+@@ -380,7 +385,8 @@ max_retries = 10
+ # might provide a signed list of EK public key hashes.  Then you could write
+ # an ek_check_script that checks the signature of the allowlist and then
+ # compares the hash of the given EK with the allowlist.
+-require_ek_cert = True
++# require_ek_cert = True
++require_ek_cert = False
+ 
+ # Optional script to execute to check the EK and/or EK certificate against a
+ # allowlist or any other additional EK processing you want to do. Runs in
+@@ -406,7 +412,8 @@ ek_check_script=
  
  # The registrar's IP address and port used to communicate with other services
  # as well as the bind address for the registrar server.
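Review bot: Shipping `require_ek_cert = False` as the distribution default presumably lets the registrar accept an endorsement key that carries no manufacturer certificate, so a TPM whose origin cannot be verified can still register, and the same hunk leaves `ek_check_script=` empty, so no replacement check is applied by default. The changelog only states the change without a reason, so the reason and the compensating control belong in the config comment next to the new value, e.g. `# openSUSE default: EK certificate not required; set ek_check_script to enforce an EK allowlist, or set this back to True`. Adding that comment line inside the embedded patch also requires bumping the `@@ -380,7 +385,8 @@` counts accordingly.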
