pool/rust-keylime
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rust-keylime/keylime.conf.diff

57 lines
2.1 KiB
Diff
Raw Normal View History

Accepting request 989445 from home:aplanas:branches:security - Update to version 0.1.0+git.1657303637.5b9072a: * keys_handler: Use scopes to drop mutexes before await * Enable usage of Rust IMA emulator in E2E tests. * ima_emulator: Support PCR hash algorithms other than SHA-1 * ima_entry: add IMA entry parser ported from Python Keylime * algorithms: Add conversion between our hash algorithms and OpenSSL's * Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str. * Adjust function usage comments to account for new parameters. * Load config file less at startup in src/common.rs * GNUmakefile: Make target dependencies explicit * permissions: Set supplementary groups when dropping privileges * main: Use more descriptive message for missing files error * Show path when fail to load the certificate * tpm: Add serialization functions for structures in quotes - Requires tpm2.0-abrmd dependency, as the kernel resource manager could be not enough - Downgrade /var/run/keylime permissions - Set "run_as" parameter to "keylime:tss" - Create the keylime user via systemd - Fix keylime service home directory OBS-URL: https://build.opensuse.org/request/show/989445 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=20
2022-07-15 13:19:45 +00:00
Index: rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf
Accepting request 933782 from home:aplanas:branches:security - Conflict with keylime-agent, keylime-config and keylime-firewalld - Add keylime_ima_emulator tool - Add patch add_property_tag_variant_for_maxcapbuffer.patch OBS-URL: https://build.opensuse.org/request/show/933782 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=6
2021-11-25 15:22:45 +00:00
===================================================================
Accepting request 989445 from home:aplanas:branches:security - Update to version 0.1.0+git.1657303637.5b9072a: * keys_handler: Use scopes to drop mutexes before await * Enable usage of Rust IMA emulator in E2E tests. * ima_emulator: Support PCR hash algorithms other than SHA-1 * ima_entry: add IMA entry parser ported from Python Keylime * algorithms: Add conversion between our hash algorithms and OpenSSL's * Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str. * Adjust function usage comments to account for new parameters. * Load config file less at startup in src/common.rs * GNUmakefile: Make target dependencies explicit * permissions: Set supplementary groups when dropping privileges * main: Use more descriptive message for missing files error * Show path when fail to load the certificate * tpm: Add serialization functions for structures in quotes - Requires tpm2.0-abrmd dependency, as the kernel resource manager could be not enough - Downgrade /var/run/keylime permissions - Set "run_as" parameter to "keylime:tss" - Create the keylime user via systemd - Fix keylime service home directory OBS-URL: https://build.opensuse.org/request/show/989445 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=20
2022-07-15 13:19:45 +00:00
--- rust-keylime-0.1.0+git.1657303637.5b9072a.orig/keylime.conf
+++ rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf
Accepting request 932540 from home:aplanas:branches:security - Update to version 0.1.0+git.1637095429.d5a3191: * Run Fedora tests on unified Keylime test container * ima_emulator: Print error message when TCTI envvar is not set * Add keylime_ima_emulator executable for testing * Fix 0mq problem * ci: Check unit test coverage with cargo tarpaulin (#216) * config: merge with Python keylime.conf and remove unused entries * Add support for contact ip and port * common: move get env or from config into sperate function * keys_handler: Add unit tests * quotes_handler: Add unit tests (#265) * Fix bugs that occur after a delete and re-add from the tenant * Retain the main loop running after payload execution (#249) * keys_handler: verify HMAC in constant-time (#248) * build: Adjust package dependencies to compile in Fedora (#245) * Generate Cargo.lock file * Add Ueno as a maintainer and set codeowners * Fix clippy errors, update to newest TSS-ESAPI - Drop generate-cargo-lock-file.patch (already in upstream) OBS-URL: https://build.opensuse.org/request/show/932540 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=5
2021-11-19 13:51:44 +00:00
@@ -4,7 +4,8 @@
Accepting request 908894 from home:aplanas:branches:security - Add generate-cargo-lock-file.patch to fix the build system in OBS - Add keylime.conf.diff to adjust the default config file - Adjust build requirements - Add firewalld XML rules - Add systemd keylime_agent.service - Fix license tag - Update to version 0.0.1+git.1626706730.a009476: * libarchive-devel is needed to build on Fedora * Accept sets of U and V keys; use new Key types * Output mask info * Fix for race condition bug * Do not resend pubkey to CV after attestation * Run payload script from a shell * Write out data and run payload * Decrypt payload after key handlers find symm key * Add handler for U and V keys * Add helper functions for handling U and V keys * Some TPM fixes for IMA PCR validation * Do not flush AK context as this causes an error * Fix bug in revocation service * Drop references to vmask * Better documentation of consts * Do not fail if EK cert is not present in TPM NV * Add more verbose logging to better match Python agent * Remove verify stub as we are not using it * tests: Don't pass --allow-signing to swtpm_setup * Fix typos * Add dependency for libzmq3-dev / zeromq-devel * Fix new clippy lints * Add handling for Identity and Integrity quotes * Add Quote functionality * Add marshaling functions for TPM structs OBS-URL: https://build.opensuse.org/request/show/908894 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3
2021-07-28 13:39:06 +00:00
Accepting request 932540 from home:aplanas:branches:security - Update to version 0.1.0+git.1637095429.d5a3191: * Run Fedora tests on unified Keylime test container * ima_emulator: Print error message when TCTI envvar is not set * Add keylime_ima_emulator executable for testing * Fix 0mq problem * ci: Check unit test coverage with cargo tarpaulin (#216) * config: merge with Python keylime.conf and remove unused entries * Add support for contact ip and port * common: move get env or from config into sperate function * keys_handler: Add unit tests * quotes_handler: Add unit tests (#265) * Fix bugs that occur after a delete and re-add from the tenant * Retain the main loop running after payload execution (#249) * keys_handler: verify HMAC in constant-time (#248) * build: Adjust package dependencies to compile in Fedora (#245) * Generate Cargo.lock file * Add Ueno as a maintainer and set codeowners * Fix clippy errors, update to newest TSS-ESAPI - Drop generate-cargo-lock-file.patch (already in upstream) OBS-URL: https://build.opensuse.org/request/show/932540 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=5
2021-11-19 13:51:44 +00:00
# Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
# revocation events from the verifier.
-receive_revocation_ip = 127.0.0.1
+# receive_revocation_ip = 127.0.0.1
+receive_revocation_ip = <REMOTE_IP>
receive_revocation_port = 8992
@@ -13,7 +14,8 @@ receive_revocation_port = 8992
Accepting request 908894 from home:aplanas:branches:security - Add generate-cargo-lock-file.patch to fix the build system in OBS - Add keylime.conf.diff to adjust the default config file - Adjust build requirements - Add firewalld XML rules - Add systemd keylime_agent.service - Fix license tag - Update to version 0.0.1+git.1626706730.a009476: * libarchive-devel is needed to build on Fedora * Accept sets of U and V keys; use new Key types * Output mask info * Fix for race condition bug * Do not resend pubkey to CV after attestation * Run payload script from a shell * Write out data and run payload * Decrypt payload after key handlers find symm key * Add handler for U and V keys * Add helper functions for handling U and V keys * Some TPM fixes for IMA PCR validation * Do not flush AK context as this causes an error * Fix bug in revocation service * Drop references to vmask * Better documentation of consts * Do not fail if EK cert is not present in TPM NV * Add more verbose logging to better match Python agent * Remove verify stub as we are not using it * tests: Don't pass --allow-signing to swtpm_setup * Fix typos * Add dependency for libzmq3-dev / zeromq-devel * Fix new clippy lints * Add handling for Identity and Integrity quotes * Add Quote functionality * Add marshaling functions for TPM structs OBS-URL: https://build.opensuse.org/request/show/908894 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3
2021-07-28 13:39:06 +00:00
#=============================================================================
Accepting request 932540 from home:aplanas:branches:security - Update to version 0.1.0+git.1637095429.d5a3191: * Run Fedora tests on unified Keylime test container * ima_emulator: Print error message when TCTI envvar is not set * Add keylime_ima_emulator executable for testing * Fix 0mq problem * ci: Check unit test coverage with cargo tarpaulin (#216) * config: merge with Python keylime.conf and remove unused entries * Add support for contact ip and port * common: move get env or from config into sperate function * keys_handler: Add unit tests * quotes_handler: Add unit tests (#265) * Fix bugs that occur after a delete and re-add from the tenant * Retain the main loop running after payload execution (#249) * keys_handler: verify HMAC in constant-time (#248) * build: Adjust package dependencies to compile in Fedora (#245) * Generate Cargo.lock file * Add Ueno as a maintainer and set codeowners * Fix clippy errors, update to newest TSS-ESAPI - Drop generate-cargo-lock-file.patch (already in upstream) OBS-URL: https://build.opensuse.org/request/show/932540 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=5
2021-11-19 13:51:44 +00:00
# The binding address and port for the agent server
Accepting request 908894 from home:aplanas:branches:security - Add generate-cargo-lock-file.patch to fix the build system in OBS - Add keylime.conf.diff to adjust the default config file - Adjust build requirements - Add firewalld XML rules - Add systemd keylime_agent.service - Fix license tag - Update to version 0.0.1+git.1626706730.a009476: * libarchive-devel is needed to build on Fedora * Accept sets of U and V keys; use new Key types * Output mask info * Fix for race condition bug * Do not resend pubkey to CV after attestation * Run payload script from a shell * Write out data and run payload * Decrypt payload after key handlers find symm key * Add handler for U and V keys * Add helper functions for handling U and V keys * Some TPM fixes for IMA PCR validation * Do not flush AK context as this causes an error * Fix bug in revocation service * Drop references to vmask * Better documentation of consts * Do not fail if EK cert is not present in TPM NV * Add more verbose logging to better match Python agent * Remove verify stub as we are not using it * tests: Don't pass --allow-signing to swtpm_setup * Fix typos * Add dependency for libzmq3-dev / zeromq-devel * Fix new clippy lints * Add handling for Identity and Integrity quotes * Add Quote functionality * Add marshaling functions for TPM structs OBS-URL: https://build.opensuse.org/request/show/908894 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3
2021-07-28 13:39:06 +00:00
-cloudagent_ip = 127.0.0.1
+# cloudagent_ip = 127.0.0.1
+cloudagent_ip = 0.0.0.0
cloudagent_port = 9002
Accepting request 932540 from home:aplanas:branches:security - Update to version 0.1.0+git.1637095429.d5a3191: * Run Fedora tests on unified Keylime test container * ima_emulator: Print error message when TCTI envvar is not set * Add keylime_ima_emulator executable for testing * Fix 0mq problem * ci: Check unit test coverage with cargo tarpaulin (#216) * config: merge with Python keylime.conf and remove unused entries * Add support for contact ip and port * common: move get env or from config into sperate function * keys_handler: Add unit tests * quotes_handler: Add unit tests (#265) * Fix bugs that occur after a delete and re-add from the tenant * Retain the main loop running after payload execution (#249) * keys_handler: verify HMAC in constant-time (#248) * build: Adjust package dependencies to compile in Fedora (#245) * Generate Cargo.lock file * Add Ueno as a maintainer and set codeowners * Fix clippy errors, update to newest TSS-ESAPI - Drop generate-cargo-lock-file.patch (already in upstream) OBS-URL: https://build.opensuse.org/request/show/932540 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=5
2021-11-19 13:51:44 +00:00
# Address and port where the verifier and tenant can connect to reach the agent.
@@ -22,7 +24,8 @@ agent_contact_ip = 127.0.0.1
agent_contact_port = 9002
Accepting request 908894 from home:aplanas:branches:security - Add generate-cargo-lock-file.patch to fix the build system in OBS - Add keylime.conf.diff to adjust the default config file - Adjust build requirements - Add firewalld XML rules - Add systemd keylime_agent.service - Fix license tag - Update to version 0.0.1+git.1626706730.a009476: * libarchive-devel is needed to build on Fedora * Accept sets of U and V keys; use new Key types * Output mask info * Fix for race condition bug * Do not resend pubkey to CV after attestation * Run payload script from a shell * Write out data and run payload * Decrypt payload after key handlers find symm key * Add handler for U and V keys * Add helper functions for handling U and V keys * Some TPM fixes for IMA PCR validation * Do not flush AK context as this causes an error * Fix bug in revocation service * Drop references to vmask * Better documentation of consts * Do not fail if EK cert is not present in TPM NV * Add more verbose logging to better match Python agent * Remove verify stub as we are not using it * tests: Don't pass --allow-signing to swtpm_setup * Fix typos * Add dependency for libzmq3-dev / zeromq-devel * Fix new clippy lints * Add handling for Identity and Integrity quotes * Add Quote functionality * Add marshaling functions for TPM structs OBS-URL: https://build.opensuse.org/request/show/908894 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3
2021-07-28 13:39:06 +00:00
Accepting request 932540 from home:aplanas:branches:security - Update to version 0.1.0+git.1637095429.d5a3191: * Run Fedora tests on unified Keylime test container * ima_emulator: Print error message when TCTI envvar is not set * Add keylime_ima_emulator executable for testing * Fix 0mq problem * ci: Check unit test coverage with cargo tarpaulin (#216) * config: merge with Python keylime.conf and remove unused entries * Add support for contact ip and port * common: move get env or from config into sperate function * keys_handler: Add unit tests * quotes_handler: Add unit tests (#265) * Fix bugs that occur after a delete and re-add from the tenant * Retain the main loop running after payload execution (#249) * keys_handler: verify HMAC in constant-time (#248) * build: Adjust package dependencies to compile in Fedora (#245) * Generate Cargo.lock file * Add Ueno as a maintainer and set codeowners * Fix clippy errors, update to newest TSS-ESAPI - Drop generate-cargo-lock-file.patch (already in upstream) OBS-URL: https://build.opensuse.org/request/show/932540 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=5
2021-11-19 13:51:44 +00:00
# The address and port of registrar server which agent communicate with
Accepting request 908894 from home:aplanas:branches:security - Add generate-cargo-lock-file.patch to fix the build system in OBS - Add keylime.conf.diff to adjust the default config file - Adjust build requirements - Add firewalld XML rules - Add systemd keylime_agent.service - Fix license tag - Update to version 0.0.1+git.1626706730.a009476: * libarchive-devel is needed to build on Fedora * Accept sets of U and V keys; use new Key types * Output mask info * Fix for race condition bug * Do not resend pubkey to CV after attestation * Run payload script from a shell * Write out data and run payload * Decrypt payload after key handlers find symm key * Add handler for U and V keys * Add helper functions for handling U and V keys * Some TPM fixes for IMA PCR validation * Do not flush AK context as this causes an error * Fix bug in revocation service * Drop references to vmask * Better documentation of consts * Do not fail if EK cert is not present in TPM NV * Add more verbose logging to better match Python agent * Remove verify stub as we are not using it * tests: Don't pass --allow-signing to swtpm_setup * Fix typos * Add dependency for libzmq3-dev / zeromq-devel * Fix new clippy lints * Add handling for Identity and Integrity quotes * Add Quote functionality * Add marshaling functions for TPM structs OBS-URL: https://build.opensuse.org/request/show/908894 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3
2021-07-28 13:39:06 +00:00
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
Accepting request 932540 from home:aplanas:branches:security - Update to version 0.1.0+git.1637095429.d5a3191: * Run Fedora tests on unified Keylime test container * ima_emulator: Print error message when TCTI envvar is not set * Add keylime_ima_emulator executable for testing * Fix 0mq problem * ci: Check unit test coverage with cargo tarpaulin (#216) * config: merge with Python keylime.conf and remove unused entries * Add support for contact ip and port * common: move get env or from config into sperate function * keys_handler: Add unit tests * quotes_handler: Add unit tests (#265) * Fix bugs that occur after a delete and re-add from the tenant * Retain the main loop running after payload execution (#249) * keys_handler: verify HMAC in constant-time (#248) * build: Adjust package dependencies to compile in Fedora (#245) * Generate Cargo.lock file * Add Ueno as a maintainer and set codeowners * Fix clippy errors, update to newest TSS-ESAPI - Drop generate-cargo-lock-file.patch (already in upstream) OBS-URL: https://build.opensuse.org/request/show/932540 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=5
2021-11-19 13:51:44 +00:00
+registrar_ip = <REMOTE_IP>
Accepting request 908894 from home:aplanas:branches:security - Add generate-cargo-lock-file.patch to fix the build system in OBS - Add keylime.conf.diff to adjust the default config file - Adjust build requirements - Add firewalld XML rules - Add systemd keylime_agent.service - Fix license tag - Update to version 0.0.1+git.1626706730.a009476: * libarchive-devel is needed to build on Fedora * Accept sets of U and V keys; use new Key types * Output mask info * Fix for race condition bug * Do not resend pubkey to CV after attestation * Run payload script from a shell * Write out data and run payload * Decrypt payload after key handlers find symm key * Add handler for U and V keys * Add helper functions for handling U and V keys * Some TPM fixes for IMA PCR validation * Do not flush AK context as this causes an error * Fix bug in revocation service * Drop references to vmask * Better documentation of consts * Do not fail if EK cert is not present in TPM NV * Add more verbose logging to better match Python agent * Remove verify stub as we are not using it * tests: Don't pass --allow-signing to swtpm_setup * Fix typos * Add dependency for libzmq3-dev / zeromq-devel * Fix new clippy lints * Add handling for Identity and Integrity quotes * Add Quote functionality * Add marshaling functions for TPM structs OBS-URL: https://build.opensuse.org/request/show/908894 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3
2021-07-28 13:39:06 +00:00
registrar_port = 8890
Accepting request 982602 from home:aplanas:branches:security - Update to version 0.1.0+git.1655143451.7c4121e: * Add dependabot for automatic dependency updates * config: remove unused options * persist AK, NK and mTLS certificate to disk * Update tokio minimum version * Adjust CI test name according to keylime-tests PR#125 * Make wiremock an optional dependency * Drop unused dependency flate2 * Drop unused dependency rustc-serialize * Update clap dependency to 3.1.18 * add support for "hash_ek" UUID creation * tpm: add and use EKResult struct as return value for create_ek(..) * replace custom marshall functions with the offical one * update to tss-esapi 7.1.0 * quotes_handler: Rewind measured boot log file * Add test /functional/measured-boot-swtpm-sanity to Packit CI plan * OpenSSL on deb family is now libssl-dev OBS-URL: https://build.opensuse.org/request/show/982602 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=14
2022-06-14 11:50:32 +00:00
# The keylime working directory. Can be overriden by setting the KEYLIME_DIR
Accepting request 989445 from home:aplanas:branches:security - Update to version 0.1.0+git.1657303637.5b9072a: * keys_handler: Use scopes to drop mutexes before await * Enable usage of Rust IMA emulator in E2E tests. * ima_emulator: Support PCR hash algorithms other than SHA-1 * ima_entry: add IMA entry parser ported from Python Keylime * algorithms: Add conversion between our hash algorithms and OpenSSL's * Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str. * Adjust function usage comments to account for new parameters. * Load config file less at startup in src/common.rs * GNUmakefile: Make target dependencies explicit * permissions: Set supplementary groups when dropping privileges * main: Use more descriptive message for missing files error * Show path when fail to load the certificate * tpm: Add serialization functions for structures in quotes - Requires tpm2.0-abrmd dependency, as the kernel resource manager could be not enough - Downgrade /var/run/keylime permissions - Set "run_as" parameter to "keylime:tss" - Create the keylime user via systemd - Fix keylime service home directory OBS-URL: https://build.opensuse.org/request/show/989445 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=20
2022-07-15 13:19:45 +00:00
@@ -127,3 +130,21 @@ tpm_signing_alg = rsassa
# handle (e.g. "0x81000000"). The Keylime agent will then not attempt to
# create a new EK upon startup, and neither will it flush the EK upon exit.
ek_handle = generate
+
+# The user account to switch to to drop privileges when started as root
+# If left empty, the agent will keep running with high privileges.
+# The user and group specified here must allow the user to access the
+# WORK_DIR (typically /var/lib/keylime) and /dev/tpmrm0. Therefore,
+# suggested value for the run_as parameter is keylime:tss.
+# The following commands should be used to set ownership before running the
+# agent:
+# chown keylime /var/lib/keylime
+#
+# If agent_data.json already exists:
+# chown keylime /var/lib/keylime/agent_data.json
+#
+# If cv_ca directory exists:
+# chown keylime /var/lib/keylime/cv_ca
+# chown keylime /var/lib/keylime/cv_ca/cacert.crt
+#
+run_as = keylime:tss
Reference in New Issue Copy Permalink