Sync from SUSE:SLFO:Main keylime revision b612259e1459a99ebf1c4e12091d8318

2024-05-03 14:14:11 +02:00 · 2024-05-03 14:14:11 +02:00 · e08e20120c
commit e08e20120c
13 changed files with 1877 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/14
+++ b/14
@ -0,0 +1,14 @@
+<services>
+  <service name="tar_scm" mode="manual">
+    <param name="versionformat">@PARENT_TAG@</param>
+    <param name="revision">refs/tags/v7.7.0</param>
+    <param name="url">https://github.com/keylime/keylime.git</param>
+    <param name="scm">git</param>
+    <param name="changesgenerate">enable</param>
+  </service>
+  <service name="recompress" mode="manual">
+    <param name="compression">xz</param>
+    <param name="file">*.tar</param>
+  </service>
+  <service name="set_version" mode="manual"/>
+</services>
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://github.com/keylime/keylime.git</param>
+              <param name="changesrevision">b7af6fef3baefeb41f471d1050ba7a78f9423e5b</param></service></servicedata>
--- a/keylime-user.conf
+++ b/keylime-user.conf
@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+u keylime - "Keylime agent" /var/lib/keylime
--- a/keylime-v7.7.0.tar.xz
+++ b/keylime-v7.7.0.tar.xz
--- a/keylime.changes
+++ b/keylime.changes
--- a/keylime.spec
+++ b/keylime.spec
@ -0,0 +1,307 @@
+#
+# spec file for package keylime
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global srcname keylime
+%define skip_python2 1
+# Consolidate _distconfdir and _sysconfdir
+%if 0%{?_distconfdir:1}
+  %define _config_norepl %{nil}
+%else
+  %define _distconfdir   %{_sysconfdir}
+  %define _config_norepl %config(noreplace)
+%endif
+Name:           keylime
+Version:        7.7.0
+Release:        0
+Summary:        Open source TPM software for Bootstrapping and Maintaining Trust
+License:        Apache-2.0 AND MIT AND BSD-3-Clause
+URL:            https://github.com/keylime/keylime
+Source0:        %{name}-v%{version}.tar.xz
+Source1:        keylime.xml
+Source2:        %{name}-user.conf
+Source3:        logrotate.%{name}
+Source4:        tmpfiles.%{name}
+# openSUSE adjustments for generated configuration files
+Source10:       registrar.conf.diff
+Source11:       verifier.conf.diff
+Source12:       tenant.conf.diff
+BuildRequires:  %{python_module Jinja2}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  fdupes
+BuildRequires:  firewall-macros
+BuildRequires:  python-rpm-macros
+BuildRequires:  sysuser-tools
+Requires:       libtss2-tcti-device0
+Requires:       libtss2-tcti-tabrmd0
+Requires:       procps
+Requires:       python3-PyYAML
+Requires:       python3-SQLAlchemy
+Requires:       python3-alembic
+Requires:       python3-cryptography
+Requires:       python3-gpg
+Requires:       python3-jsonschema
+Requires:       python3-lark
+Requires:       python3-packaging
+Requires:       python3-psutil
+Requires:       python3-pyzmq
+Requires:       python3-requests
+Requires:       python3-tornado
+Requires:       python3-typing_extensions
+Requires:       tpm2-0-tss
+Requires:       tpm2.0-abrmd
+Requires:       tpm2.0-tools
+Requires(post): update-alternatives
+Requires(postun):update-alternatives
+Conflicts:      rust-keylime
+BuildArch:      noarch
+%python_subpackages
+
+%description
+Keylime is a TPM based highly scalable remote boot attestation
+and runtime integrity measurement solution.
+
+%package -n %{name}-config
+Summary:        Configuration file for keylime
+Requires:       python3-%{name} = %{version}
+Conflicts:      rust-keylime
+
+%description -n %{name}-config
+Subpackage of %{name} for the shared configuration files for the agent
+and the server components.
+
+%package -n %{name}-firewalld
+Summary:        Firewalld service file for keylime
+Requires:       python3-%{name} = %{version}
+Conflicts:      rust-keylime
+
+%description -n %{name}-firewalld
+Subpackage of %{name} for the firewalld XML service file.
+
+%package -n %{name}-tpm_cert_store
+Summary:        Certify store for the TPM
+Requires:       python3-%{name} = %{version}
+Conflicts:      rust-keylime
+Provides:       user(keylime)
+%sysusers_requires
+
+%description -n %{name}-tpm_cert_store
+Subpackage of %{name} for storing the TPM certificates.
+
+%package -n %{name}-registrar
+Summary:        Keylime registrar service
+Requires:       %{name}-config = %{version}
+Requires:       %{name}-logrotate = %{version}
+Requires:       %{name}-tpm_cert_store = %{version}
+Requires:       python3-%{name} = %{version}
+Recommends:     %{name}-firewalld = %{version}
+Conflicts:      rust-keylime
+
+%description -n %{name}-registrar
+Subpackage of %{name} for registrar service.
+
+%package -n %{name}-verifier
+Summary:        Keylime verifier service
+Requires:       %{name}-config = %{version}
+Requires:       %{name}-logrotate = %{version}
+Requires:       %{name}-tpm_cert_store = %{version}
+Requires:       python3-%{name} = %{version}
+Recommends:     %{name}-firewalld = %{version}
+Conflicts:      rust-keylime
+
+%description -n %{name}-verifier
+Subpackage of %{name} for verifier service.
+
+%package -n %{name}-tenant
+Summary:        Keylime tenant command line tool
+Requires:       %{name}-config = %{version}
+Requires:       %{name}-tpm_cert_store = %{version}
+Requires:       python3-%{name} = %{version}
+Recommends:     %{name}-firewalld = %{version}
+Conflicts:      rust-keylime
+
+%description -n %{name}-tenant
+Subpackage of %{name} for tenant command line tool.
+
+%package -n %{name}-logrotate
+Summary:        Logrotate for Keylime servies
+Requires:       logrotate
+Conflicts:      rust-keylime
+
+%description -n %{name}-logrotate
+Subpackage of %{name} for logrotate for Keylime services
+
+%prep
+%autosetup -p1 -n %{name}-v%{version}
+
+%build
+%python_build
+%sysusers_generate_pre %{SOURCE2} %{name} %{name}-user.conf
+
+%install
+export VERSION=%{version}
+%python_install
+
+rm config/agent.conf
+patch -s --fuzz=0 config/registrar.conf < %{SOURCE10}
+patch -s --fuzz=0 config/verifier.conf < %{SOURCE11}
+patch -s --fuzz=0 config/tenant.conf < %{SOURCE12}
+
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_attest
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_ca
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_convert_runtime_policy
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_create_policy
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_registrar
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_sign_runtime_policy
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_tenant
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_upgrade_config
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_userdata_encrypt
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_verifier
+
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+for cfg in config/*.conf; do
+  install -Dpm 0600 "$cfg" %{buildroot}%{_distconfdir}/%{srcname}/$(basename "$cfg")
+done
+
+install -Dpm 0644 ./services/%{srcname}_verifier.service %{buildroot}%{_unitdir}/%{srcname}_verifier.service
+install -Dpm 0644 ./services/%{srcname}_registrar.service %{buildroot}%{_unitdir}/%{srcname}_registrar.service
+
+install -Dpm 0644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/services/%{srcname}.xml
+install -Dpm 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}-user.conf
+install -Dpm 0644 %{SOURCE3} %{buildroot}%{_distconfdir}/logrotate.d/%{name}
+install -Dpm 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -d %{buildroot}%{_localstatedir}/log/%{name}
+
+mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
+cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
+%fdupes %{buildroot}%{_sharedstatedir}/%{srcname}/
+
+# %%check
+# %%pyunittest -v
+
+%post
+%python_install_alternative %{srcname}_attest
+%python_install_alternative %{srcname}_ca
+%python_install_alternative %{srcname}_convert_runtime_policy
+%python_install_alternative %{srcname}_create_policy
+%python_install_alternative %{srcname}_registrar
+%python_install_alternative %{srcname}_sign_runtime_policy
+%python_install_alternative %{srcname}_tenant
+%python_install_alternative %{srcname}_upgrade_config
+%python_install_alternative %{srcname}_userdata_encrypt
+%python_install_alternative %{srcname}_verifier
+
+%postun
+%python_uninstall_alternative %{srcname}_attest
+%python_uninstall_alternative %{srcname}_ca
+%python_uninstall_alternative %{srcname}_convert_runtime_policy
+%python_uninstall_alternative %{srcname}_create_policy
+%python_uninstall_alternative %{srcname}_registrar
+%python_uninstall_alternative %{srcname}_sign_runtime_policy
+%python_uninstall_alternative %{srcname}_tenant
+%python_uninstall_alternative %{srcname}_upgrade_config
+%python_uninstall_alternative %{srcname}_userdata_encrypt
+%python_uninstall_alternative %{srcname}_verifier
+
+%post -n %{srcname}-firewalld
+%firewalld_reload
+
+%pre -n %{srcname}-tpm_cert_store -f %{srcname}.pre
+
+%post -n %{srcname}-tpm_cert_store
+%tmpfiles_create %{srcname}.conf
+
+%pre -n %{srcname}-verifier
+%service_add_pre %{srcname}_verifier.service
+
+%post -n %{srcname}-verifier
+%service_add_post %{srcname}_verifier.service
+
+%preun -n %{srcname}-verifier
+%service_del_preun %{srcname}_verifier.service
+
+%postun -n %{srcname}-verifier
+%service_del_postun %{srcname}_verifier.service
+
+%pre -n %{srcname}-registrar
+%service_add_pre %{srcname}_registrar.service
+
+%post -n %{srcname}-registrar
+%service_add_post %{srcname}_registrar.service
+
+%preun -n %{srcname}-registrar
+%service_del_preun %{srcname}_registrar.service
+
+%postun -n %{srcname}-registrar
+%service_del_postun %{srcname}_registrar.service
+
+%files %{python_files}
+%doc README.md
+%license LICENSE
+%python_alternative %{_bindir}/%{srcname}_attest
+%python_alternative %{_bindir}/%{srcname}_ca
+%python_alternative %{_bindir}/%{srcname}_convert_runtime_policy
+%python_alternative %{_bindir}/%{srcname}_create_policy
+%python_alternative %{_bindir}/%{srcname}_registrar
+%python_alternative %{_bindir}/%{srcname}_sign_runtime_policy
+%python_alternative %{_bindir}/%{srcname}_tenant
+%python_alternative %{_bindir}/%{srcname}_upgrade_config
+%python_alternative %{_bindir}/%{srcname}_userdata_encrypt
+%python_alternative %{_bindir}/%{srcname}_verifier
+%{python_sitelib}/keylime
+%{python_sitelib}/keylime-%{version}*-info
+
+%files -n %{srcname}-config
+%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
+%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/ca.conf
+%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/logging.conf
+
+%files -n %{srcname}-firewalld
+%dir %{_prefix}/lib/firewalld
+%dir %{_prefix}/lib/firewalld/services
+%{_prefix}/lib/firewalld/services/%{srcname}.xml
+
+%files -n %{srcname}-tpm_cert_store
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname}
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname}/tpm_cert_store
+%attr(0600,keylime,tss) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*
+# We use this subpackage to store other unrelated things, as far as is
+# required by all the services
+%{_sysusersdir}/%{srcname}-user.conf
+%ghost %dir %attr(0700,keylime,tss) %{_rundir}/%{srcname}
+%{_tmpfilesdir}/%{srcname}.conf
+
+%files -n %{srcname}-registrar
+%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
+%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/registrar.conf
+%{_unitdir}/%{srcname}_registrar.service
+
+%files -n %{srcname}-verifier
+%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
+%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/verifier.conf
+%{_unitdir}/%{srcname}_verifier.service
+
+%files -n %{srcname}-tenant
+%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
+%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/tenant.conf
+
+%files -n %{srcname}-logrotate
+%_config_norepl %{_distconfdir}/logrotate.d/%{srcname}
+%dir %attr(0750,keylime,tss) %{_localstatedir}/log/%{srcname}
+
+%changelog
--- a/keylime.xml
+++ b/keylime.xml
@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>Keylime</short>
+  <description>Keylime is a remote attestation tool that requires access to several ports.</description>
+  <port protocol="tcp" port="8881"/><!-- Verifier -->
+  <port protocol="tcp" port="8890"/><!-- Registrar -->
+  <port protocol="tcp" port="8891"/><!-- Registrar TLS -->
+  <port protocol="tcp" port="8992"/><!-- Revocation -->
+  <port protocol="tcp" port="9002"/><!-- Agent -->
+</service>
--- a/logrotate.keylime
+++ b/logrotate.keylime
@ -0,0 +1,8 @@
+/var/log/keylime/*.log {
+    su keylime tss
+    weekly
+    missingok
+    rotate 4
+    copytruncate
+    minsize 1M
+}
--- a/registrar.conf.diff
+++ b/registrar.conf.diff
@ -0,0 +1,12 @@
+--- config/registrar.conf.ORIG	2023-08-24 09:34:59.228880762 +0200
+++ config/registrar.conf	2023-08-24 09:36:34.165570356 +0200
+@@ -5,7 +5,8 @@
+ version = 2.0
+ 
+ # The binding address and port for the registrar server
+-ip = "127.0.0.1"
+# ip = "127.0.0.1"
+ip = "0.0.0.0"
+ port = 8890
+ tls_port = 8891
+ 
--- a/tenant.conf.diff
+++ b/tenant.conf.diff
@ -0,0 +1,12 @@
+--- tenant.conf.ORIG	2023-03-07 17:08:27.642929656 +0100
+++ tenant.conf	2023-03-07 17:09:23.018891153 +0100
+@@ -106,7 +106,8 @@
+ # might provide a signed list of EK public key hashes.  Then you could write
+ # an ek_check_script that checks the signature of the allowlist and then
+ # compares the hash of the given EK with the allowlist.
+-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
+ 
+ # Optional script to execute to check the EK and/or EK certificate against a
+ # allowlist or any other additional EK processing you want to do. Runs in
--- a/tmpfiles.keylime
+++ b/tmpfiles.keylime
@ -0,0 +1 @@
+d /run/keylime 0700 keylime tss
--- a/verifier.conf.diff
+++ b/verifier.conf.diff
@ -0,0 +1,22 @@
+--- config/verifier.conf.ORIG	2023-08-24 09:34:59.222214093 +0200
+++ config/verifier.conf	2023-08-24 09:37:53.332256150 +0200
+@@ -8,7 +8,8 @@
+ uuid = default
+ 
+ # The binding address and port for the verifier server
+-ip = "127.0.0.1"
+# ip = "127.0.0.1"
+ip = "0.0.0.0"
+ port = 8881
+ 
+ # The address and port of registrar server that the verifier communicates with
+@@ -242,7 +243,8 @@
+ enabled_revocation_notifications = ['agent']
+ 
+ # The binding address and port of the revocation notifier service via ZeroMQ.
+-zmq_ip = 127.0.0.1
+# zmq_ip = 127.0.0.1
+zmq_ip = 0.0.0.0
+ zmq_port = 8992
+ 
+ # Webhook url for revocation notifications.