Sync from SUSE:SLFO:Main keylime revision b612259e1459a99ebf1c4e12091d8318

This commit is contained in:
Adrian Schröter 2024-05-03 14:14:11 +02:00
commit e08e20120c
13 changed files with 1877 additions and 0 deletions

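--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text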

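--- a/_service
+++ b/_service
@@ -0,0 +1,14 @@
+<services>
+<service name="tar_scm" mode="manual">
+<param name="versionformat">@PARENT_TAG@</param>
+<param name="revision">refs/tags/v7.7.0</param>
+<param name="url">https://github.com/keylime/keylime.git</param>
+<param name="scm">git</param>
+<param name="changesgenerate">enable</param>
+</service>
+<service name="recompress" mode="manual">
+<param name="compression">xz</param>
+<param name="file">*.tar</param>
+</service>
+<service name="set_version" mode="manual"/>
+</services>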
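Review bot: The checkout is pinned to the mutable ref `refs/tags/v7.7.0` in the `tar_scm` service, while `_servicedata` in the same commit already records the resolved commit `b7af6fef3baefeb41f471d1050ba7a78f9423e5b`. A tag can be moved upstream, so a later manual rerun of the service could fetch different sources under the same version string. Pinning `<param name="revision">b7af6fef3baefeb41f471d1050ba7a78f9423e5b</param>` keeps the refresh reproducible while `versionformat` still derives the version from `@PARENT_TAG@`; the committed LFS tarball anchors the current build either way.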

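--- a/_servicedata
+++ b/_servicedata
@@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+<param name="url">https://github.com/keylime/keylime.git</param>
+<param name="changesrevision">b7af6fef3baefeb41f471d1050ba7a78f9423e5b</param></service></servicedata>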

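--- a/keylime-user.conf
+++ b/keylime-user.conf
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+u keylime - "Keylime agent" /var/lib/keylime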

BIN
keylime-v7.7.0.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

1459
keylime.changes Normal file

File diff suppressed because it is too large Load Diff

307
keylime.spec Normal file

@ -0,0 +1,307 @@
#
# spec file for package keylime
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%global srcname keylime
%define skip_python2 1
# Consolidate _distconfdir and _sysconfdir
%if 0%{?_distconfdir:1}
%define _config_norepl %{nil}
%else
%define _distconfdir %{_sysconfdir}
%define _config_norepl %config(noreplace)
%endif
Name: keylime
Version: 7.7.0
Release: 0
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
License: Apache-2.0 AND MIT AND BSD-3-Clause
URL: https://github.com/keylime/keylime
Source0: %{name}-v%{version}.tar.xz
Source1: keylime.xml
Source2: %{name}-user.conf
Source3: logrotate.%{name}
Source4: tmpfiles.%{name}
# openSUSE adjustments for generated configuration files
Source10: registrar.conf.diff
Source11: verifier.conf.diff
Source12: tenant.conf.diff
BuildRequires: %{python_module Jinja2}
BuildRequires: %{python_module setuptools}
BuildRequires: fdupes
BuildRequires: firewall-macros
BuildRequires: python-rpm-macros
BuildRequires: sysuser-tools
Requires: libtss2-tcti-device0
Requires: libtss2-tcti-tabrmd0
Requires: procps
Requires: python3-PyYAML
Requires: python3-SQLAlchemy
Requires: python3-alembic
Requires: python3-cryptography
Requires: python3-gpg
Requires: python3-jsonschema
Requires: python3-lark
Requires: python3-packaging
Requires: python3-psutil
Requires: python3-pyzmq
Requires: python3-requests
Requires: python3-tornado
Requires: python3-typing_extensions
Requires: tpm2-0-tss
Requires: tpm2.0-abrmd
Requires: tpm2.0-tools
Requires(post): update-alternatives
Requires(postun):update-alternatives
Conflicts: rust-keylime
BuildArch: noarch
%python_subpackages
%description
Keylime is a TPM based highly scalable remote boot attestation
and runtime integrity measurement solution.
%package -n %{name}-config
Summary: Configuration file for keylime
Requires: python3-%{name} = %{version}
Conflicts: rust-keylime
%description -n %{name}-config
Subpackage of %{name} for the shared configuration files for the agent
and the server components.
%package -n %{name}-firewalld
Summary: Firewalld service file for keylime
Requires: python3-%{name} = %{version}
Conflicts: rust-keylime
%description -n %{name}-firewalld
Subpackage of %{name} for the firewalld XML service file.
%package -n %{name}-tpm_cert_store
Summary: Certify store for the TPM
Requires: python3-%{name} = %{version}
Conflicts: rust-keylime
Provides: user(keylime)
%sysusers_requires
%description -n %{name}-tpm_cert_store
Subpackage of %{name} for storing the TPM certificates.
%package -n %{name}-registrar
Summary: Keylime registrar service
Requires: %{name}-config = %{version}
Requires: %{name}-logrotate = %{version}
Requires: %{name}-tpm_cert_store = %{version}
Requires: python3-%{name} = %{version}
Recommends: %{name}-firewalld = %{version}
Conflicts: rust-keylime
%description -n %{name}-registrar
Subpackage of %{name} for registrar service.
%package -n %{name}-verifier
Summary: Keylime verifier service
Requires: %{name}-config = %{version}
Requires: %{name}-logrotate = %{version}
Requires: %{name}-tpm_cert_store = %{version}
Requires: python3-%{name} = %{version}
Recommends: %{name}-firewalld = %{version}
Conflicts: rust-keylime
%description -n %{name}-verifier
Subpackage of %{name} for verifier service.
%package -n %{name}-tenant
Summary: Keylime tenant command line tool
Requires: %{name}-config = %{version}
Requires: %{name}-tpm_cert_store = %{version}
Requires: python3-%{name} = %{version}
Recommends: %{name}-firewalld = %{version}
Conflicts: rust-keylime
%description -n %{name}-tenant
Subpackage of %{name} for tenant command line tool.
%package -n %{name}-logrotate
Summary: Logrotate for Keylime servies
Requires: logrotate
Conflicts: rust-keylime
%description -n %{name}-logrotate
Subpackage of %{name} for logrotate for Keylime services
%prep
%autosetup -p1 -n %{name}-v%{version}
%build
%python_build
%sysusers_generate_pre %{SOURCE2} %{name} %{name}-user.conf
%install
export VERSION=%{version}
%python_install
rm config/agent.conf
patch -s --fuzz=0 config/registrar.conf < %{SOURCE10}
patch -s --fuzz=0 config/verifier.conf < %{SOURCE11}
patch -s --fuzz=0 config/tenant.conf < %{SOURCE12}
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_attest
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_ca
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_convert_runtime_policy
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_create_policy
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_registrar
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_sign_runtime_policy
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_tenant
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_upgrade_config
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_userdata_encrypt
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_verifier
%python_expand %fdupes %{buildroot}%{$python_sitelib}
for cfg in config/*.conf; do
install -Dpm 0600 "$cfg" %{buildroot}%{_distconfdir}/%{srcname}/$(basename "$cfg")
done
install -Dpm 0644 ./services/%{srcname}_verifier.service %{buildroot}%{_unitdir}/%{srcname}_verifier.service
install -Dpm 0644 ./services/%{srcname}_registrar.service %{buildroot}%{_unitdir}/%{srcname}_registrar.service
install -Dpm 0644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/services/%{srcname}.xml
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}-user.conf
install -Dpm 0644 %{SOURCE3} %{buildroot}%{_distconfdir}/logrotate.d/%{name}
install -Dpm 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -d %{buildroot}%{_localstatedir}/log/%{name}
mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
%fdupes %{buildroot}%{_sharedstatedir}/%{srcname}/
# %%check
# %%pyunittest -v
%post
%python_install_alternative %{srcname}_attest
%python_install_alternative %{srcname}_ca
%python_install_alternative %{srcname}_convert_runtime_policy
%python_install_alternative %{srcname}_create_policy
%python_install_alternative %{srcname}_registrar
%python_install_alternative %{srcname}_sign_runtime_policy
%python_install_alternative %{srcname}_tenant
%python_install_alternative %{srcname}_upgrade_config
%python_install_alternative %{srcname}_userdata_encrypt
%python_install_alternative %{srcname}_verifier
%postun
%python_uninstall_alternative %{srcname}_attest
%python_uninstall_alternative %{srcname}_ca
%python_uninstall_alternative %{srcname}_convert_runtime_policy
%python_uninstall_alternative %{srcname}_create_policy
%python_uninstall_alternative %{srcname}_registrar
%python_uninstall_alternative %{srcname}_sign_runtime_policy
%python_uninstall_alternative %{srcname}_tenant
%python_uninstall_alternative %{srcname}_upgrade_config
%python_uninstall_alternative %{srcname}_userdata_encrypt
%python_uninstall_alternative %{srcname}_verifier
%post -n %{srcname}-firewalld
%firewalld_reload
%pre -n %{srcname}-tpm_cert_store -f %{srcname}.pre
%post -n %{srcname}-tpm_cert_store
%tmpfiles_create %{srcname}.conf
%pre -n %{srcname}-verifier
%service_add_pre %{srcname}_verifier.service
%post -n %{srcname}-verifier
%service_add_post %{srcname}_verifier.service
%preun -n %{srcname}-verifier
%service_del_preun %{srcname}_verifier.service
%postun -n %{srcname}-verifier
%service_del_postun %{srcname}_verifier.service
%pre -n %{srcname}-registrar
%service_add_pre %{srcname}_registrar.service
%post -n %{srcname}-registrar
%service_add_post %{srcname}_registrar.service
%preun -n %{srcname}-registrar
%service_del_preun %{srcname}_registrar.service
%postun -n %{srcname}-registrar
%service_del_postun %{srcname}_registrar.service
%files %{python_files}
%doc README.md
%license LICENSE
%python_alternative %{_bindir}/%{srcname}_attest
%python_alternative %{_bindir}/%{srcname}_ca
%python_alternative %{_bindir}/%{srcname}_convert_runtime_policy
%python_alternative %{_bindir}/%{srcname}_create_policy
%python_alternative %{_bindir}/%{srcname}_registrar
%python_alternative %{_bindir}/%{srcname}_sign_runtime_policy
%python_alternative %{_bindir}/%{srcname}_tenant
%python_alternative %{_bindir}/%{srcname}_upgrade_config
%python_alternative %{_bindir}/%{srcname}_userdata_encrypt
%python_alternative %{_bindir}/%{srcname}_verifier
%{python_sitelib}/keylime
%{python_sitelib}/keylime-%{version}*-info
%files -n %{srcname}-config
%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/ca.conf
%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/logging.conf
%files -n %{srcname}-firewalld
%dir %{_prefix}/lib/firewalld
%dir %{_prefix}/lib/firewalld/services
%{_prefix}/lib/firewalld/services/%{srcname}.xml
%files -n %{srcname}-tpm_cert_store
%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname}
%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname}/tpm_cert_store
%attr(0600,keylime,tss) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*
# We use this subpackage to store other unrelated things, as far as is
# required by all the services
%{_sysusersdir}/%{srcname}-user.conf
%ghost %dir %attr(0700,keylime,tss) %{_rundir}/%{srcname}
%{_tmpfilesdir}/%{srcname}.conf
%files -n %{srcname}-registrar
%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/registrar.conf
%{_unitdir}/%{srcname}_registrar.service
%files -n %{srcname}-verifier
%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/verifier.conf
%{_unitdir}/%{srcname}_verifier.service
%files -n %{srcname}-tenant
%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/tenant.conf
%files -n %{srcname}-logrotate
%_config_norepl %{_distconfdir}/logrotate.d/%{srcname}
%dir %attr(0750,keylime,tss) %{_localstatedir}/log/%{srcname}
%changelog
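Review bot: In the `%files -n %{srcname}-tpm_cert_store` section the certificate store copied from `./tpm_cert_store` is packaged as owned by the `keylime` service user with mode 0700/0600, so the very process that consults those certificates (per the subpackage description, the TPM certificate store, presumably the EK trust anchors) can also rewrite them; a compromised registrar or verifier could add a certificate to its own trust store. Trust anchors are better owned by root and only readable by the service, e.g. `%dir %attr(0750,root,keylime) %{_sharedstatedir}/%{srcname}/tpm_cert_store` and `%attr(0640,root,keylime) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*`, assuming the services run as `keylime` with the primary group sysusers creates for it. The same consideration applies to the `%{_distconfdir}/%{srcname}` configuration files in the `-config`, `-registrar`, `-verifier` and `-tenant` sections, which are likewise writable by the service user unless some runtime component needs to update them.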

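--- a/keylime.xml
+++ b/keylime.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>Keylime</short>
+<description>Keylime is a remote attestation tool that requires access to several ports.</description>
+<port protocol="tcp" port="8881"/><!-- Verifier -->
+<port protocol="tcp" port="8890"/><!-- Registrar -->
+<port protocol="tcp" port="8891"/><!-- Registrar TLS -->
+<port protocol="tcp" port="8992"/><!-- Revocation -->
+<port protocol="tcp" port="9002"/><!-- Agent -->
+</service>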
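Review bot: A single firewalld service opens all five ports, so enabling `keylime` on a host that runs only the registrar also opens the verifier (8881), revocation notifier (8992) and agent (9002) ports, and the agent port is opened although this package removes `config/agent.conf` and the `-firewalld` subpackage conflicts with `rust-keylime`. Per-role service files (for example a registrar file with 8890/8891 and a verifier file with 8881/8992) would let the spec's `Recommends: %{name}-firewalld` open only what each subpackage listens on. If one file is kept, a comment such as `<!-- 8890 is the plain registrar port; 8891 is its TLS port (see tls_port in registrar.conf) -->` would help the admin decide which to expose.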

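--- a/logrotate.keylime
+++ b/logrotate.keylime
@@ -0,0 +1,8 @@
+/var/log/keylime/*.log {
+su keylime tss
+weekly
+missingok
+rotate 4
+copytruncate
+minsize 1M
+}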

12
registrar.conf.diff Normal file

@ -0,0 +1,12 @@
--- config/registrar.conf.ORIG 2023-08-24 09:34:59.228880762 +0200
+++ config/registrar.conf 2023-08-24 09:36:34.165570356 +0200
@@ -5,7 +5,8 @@
version = 2.0
# The binding address and port for the registrar server
-ip = "127.0.0.1"
+# ip = "127.0.0.1"
+ip = "0.0.0.0"
port = 8890
tls_port = 8891
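Review bot: The distribution default is changed from the loopback address to `ip = "0.0.0.0"`, so a freshly installed registrar listens on every interface, including the plain `port = 8890` next to `tls_port = 8891`; the same widening is applied in `verifier.conf.diff`, both for `ip` (port 8881) and for `zmq_ip` of the ZeroMQ revocation notifier (port 8992), whose authentication is not visible here. Upstream's loopback default keeps an unconfigured service unreachable until the admin decides to expose it, and the firewalld service file only applies where it has been enabled. If a listen-everywhere default is intended, the reason belongs in the diff as a comment above the new line, for instance `# openSUSE: bind to all interfaces; restrict with firewalld or set ip back to "127.0.0.1"`, so that the override is recognisable when the configuration is upgraded.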

12
tenant.conf.diff Normal file

@ -0,0 +1,12 @@
--- tenant.conf.ORIG 2023-03-07 17:08:27.642929656 +0100
+++ tenant.conf 2023-03-07 17:09:23.018891153 +0100
@@ -106,7 +106,8 @@
# might provide a signed list of EK public key hashes. Then you could write
# an ek_check_script that checks the signature of the allowlist and then
# compares the hash of the given EK with the allowlist.
-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
# Optional script to execute to check the EK and/or EK certificate against a
# allowlist or any other additional EK processing you want to do. Runs in
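Review bot: The patch flips `require_ek_cert` to `False`, which, read with the surrounding comments about EK allowlists and `ek_check_script`, turns off the tenant's requirement that an agent's endorsement key be backed by a certificate, so a TPM without a manufacturer-issued EK certificate would be accepted unless an `ek_check_script` is configured. Unlike the bind-address changes in the other two diffs this weakens the attestation trust chain rather than network exposure, and nothing in the commit records why the distribution default differs from upstream. If the motivation is testing against emulated TPMs, keep the upstream `True` default and document the override, or at least add a comment above the new line such as `# openSUSE: EK certificate check disabled by default; set to True for production deployments`.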

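--- a/tmpfiles.keylime
+++ b/tmpfiles.keylime
@@ -0,0 +1 @@
+d /run/keylime 0700 keylime tss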

22
verifier.conf.diff Normal file

@ -0,0 +1,22 @@
--- config/verifier.conf.ORIG 2023-08-24 09:34:59.222214093 +0200
+++ config/verifier.conf 2023-08-24 09:37:53.332256150 +0200
@@ -8,7 +8,8 @@
uuid = default
# The binding address and port for the verifier server
-ip = "127.0.0.1"
+# ip = "127.0.0.1"
+ip = "0.0.0.0"
port = 8881
# The address and port of registrar server that the verifier communicates with
@@ -242,7 +243,8 @@
enabled_revocation_notifications = ['agent']
# The binding address and port of the revocation notifier service via ZeroMQ.
-zmq_ip = 127.0.0.1
+# zmq_ip = 127.0.0.1
+zmq_ip = 0.0.0.0
zmq_port = 8992
# Webhook url for revocation notifications.