Accepting request 908894 from home:aplanas:branches:security

- Add generate-cargo-lock-file.patch to fix the build system in OBS
- Add keylime.conf.diff to adjust the default config file
- Adjust build requirements
- Add firewalld XML rules
- Add systemd keylime_agent.service
- Fix license tag
- Update to version 0.0.1+git.1626706730.a009476:
  * libarchive-devel is needed to build on Fedora
  * Accept sets of U and V keys; use new Key types
  * Output mask info
  * Fix for race condition bug
  * Do not resend pubkey to CV after attestation
  * Run payload script from a shell
  * Write out data and run payload
  * Decrypt payload after key handlers find symm key
  * Add handler for U and V keys
  * Add helper functions for handling U and V keys
  * Some TPM fixes for IMA PCR validation
  * Do not flush AK context as this causes an error
  * Fix bug in revocation service
  * Drop references to vmask
  * Better documentation of consts
  * Do not fail if EK cert is not present in TPM NV
  * Add more verbose logging to better match Python agent
  * Remove verify stub as we are not using it
  * tests: Don't pass --allow-signing to swtpm_setup
  * Fix typos
  * Add dependency for libzmq3-dev / zeromq-devel
  * Fix new clippy lints
  * Add handling for Identity and Integrity quotes
  * Add Quote functionality
  * Add marshaling functions for TPM structs

OBS-URL: https://build.opensuse.org/request/show/908894
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3

_service

@@ -1,6 +1,6 @@
 <services>
   <service name="tar_scm" mode="disabled">
-    <param name="versionformat">0.0.1+git.%ct.%h</param>
+    <param name="versionformat">0.1.0+git.%ct.%h</param>
     <param name="revision">master</param>
     <param name="url">https://github.com/keylime/rust-keylime.git</param>
     <param name="scm">git</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">4df2148b8063a592fd5cc4835332a9de4df54398</param></service></servicedata>
+              <param name="changesrevision">a009476300e6eebd49a00b04890318f3b2d24858</param></service></servicedata>

cargo_config

@@ -1,5 +1,10 @@
 [source.crates-io]
 replace-with = "vendored-sources"
 
+[source."https://github.com/puiterwijk/rust-tss-esapi.git"]
+git = "https://github.com/puiterwijk/rust-tss-esapi.git"
+branch = "keylime"
+replace-with = "vendored-sources"
+
 [source.vendored-sources]
 directory = "vendor"

keylime.conf.diff

@@ -0,0 +1,74 @@
+Index: rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
+===================================================================
+--- rust-keylime-0.1.0+git.1626706730.a009476.orig/keylime.conf
++++ rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
+@@ -11,7 +11,8 @@ tls_check_hostnames = False
+ # Valid options are 'cfssl' or 'openssl'  For cfssl to work, you must have the
+ # go binary installed in your path or in /usr/local/
+ # Revocation list generation is only supported by cfssl
+-ca_implementation = openssl
++# ca_implementation = openssl
++ca_implementation = cfssl
+ 
+ #=============================================================================
+ [cloud_agent]
+@@ -19,7 +20,8 @@ ca_implementation = openssl
+ 
+ # The Agent's IP address and port used to communicate with other services
+ # as well as a bind address for the agent server.
+-cloudagent_ip = 127.0.0.1
++# cloudagent_ip = 127.0.0.1
++cloudagent_ip = 0.0.0.0
+ cloudagent_port = 9002
+ 
+ # What is the name of the rsa key that keylime should use for protecting
+@@ -54,7 +56,8 @@ extract_payload_zip = True
+ # If you set this to 'generate', keylime will create a random uuid
+ # If you set this to 'hash_ek', keylime will set the UUID to the result
+ # of SHA256(public EK in PEM format)
+-agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
++# agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
++agent_uuid = hash_ek
+ 
+ # Whether to listen for revocation notifications from the verifier
+ listen_notfications = True
+@@ -115,7 +118,8 @@ ek_handle = generate
+ 
+ # The cloud verifier IP address and port used to communicate with other services
+ # as well as a bind address for the verifier server.
+-cloudverifier_ip = 127.0.0.1
++# cloudverifier_ip = 127.0.0.1
++cloudverifier_ip = 0.0.0.0
+ cloudverifier_port = 8881
+ 
+ # Cloud Verifier TLS options.  This is for authenticating the CV itself,
+@@ -204,7 +208,8 @@ revocation_notifier = True
+ # The revocation notifier IP address and port used to start the revocation service.
+ # If the revocation_notifier is true, then the verifier automatically
+ # starts revocation service.
+-revocation_notifier_ip = 127.0.0.1
++# revocation_notifier_ip = 127.0.0.1
++revocation_notifier_ip = 0.0.0.0
+ revocation_notifier_port = 8992
+ 
+ # The verifier limits the size of upload payloads (whitelists) which defaults to
+@@ -330,7 +335,8 @@ max_retries = 10
+ # might provide a signed list of EK public key hashes.  Then you could write
+ # an ek_check_script that checks the signature of the whitelist and then
+ # compares the hash of the given EK with the whistlist
+-require_ek_cert = True
++# require_ek_cert = True
++require_ek_cert = False
+ 
+ # Optional script to execute to check the EK and/or EK certificate against a
+ # whitelist or any other additional EK processing you want to do. Runs in
+@@ -356,7 +362,8 @@ ek_check_script=
+ 
+ # The registrar's IP address and port used to communicate with other
+ # services as well as a bind address for the registrar server.
+-registrar_ip = 127.0.0.1
++# registrar_ip = 127.0.0.1
++registrar_ip = 0.0.0.0
+ registrar_port = 8890
+ registrar_tls_port = 8891
+ 

keylime.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>Keylime</short>
+  <description>Keylime is a remote attestation tool that requires access to several ports.</description>
+  <port protocol="tcp" port="443"/><!-- Webapp -->
+  <port protocol="tcp" port="8881"/><!-- Verifier -->
+  <port protocol="tcp" port="8888"/><!-- CFSSL -->
+  <port protocol="tcp" port="8890"/><!-- Registrar -->
+  <port protocol="tcp" port="8891"/><!-- Registrar TLS -->
+  <port protocol="tcp" port="8992"/><!-- Revocation -->
+  <port protocol="tcp" port="9002"/><!-- Agent -->
+</service>

keylime_agent.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=The Keylime compute agent
+
+[Service]
+ExecStart=/usr/bin/keylime_agent
+
+[Install]
+WantedBy=default.target

rust-keylime-0.0.1+git.1620935374.4df2148.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:94764e762fbea4cf35cb90964a8d9a0c9510055eed81e5f2f0f433db14c16134
-size 31748

rust-keylime-0.1.0+git.1626706730.a009476.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a91310d4a9f1eb2fa427095b87d0237584386a0aa5b3e91fd8067ef1593622a
+size 39692

rust-keylime.changes

@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Wed Jul 28 08:56:33 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Add generate-cargo-lock-file.patch to fix the build system in OBS
+- Add keylime.conf.diff to adjust the default config file
+- Adjust build requirements
+- Add firewalld XML rules
+- Add systemd keylime_agent.service
+- Fix license tag
+
+-------------------------------------------------------------------
+Thu Jul 22 09:20:38 UTC 2021 - aplanas@suse.com
+
+- Update to version 0.0.1+git.1626706730.a009476:
+  * libarchive-devel is needed to build on Fedora
+  * Accept sets of U and V keys; use new Key types
+  * Output mask info
+  * Fix for race condition bug
+  * Do not resend pubkey to CV after attestation
+  * Run payload script from a shell
+  * Write out data and run payload
+  * Decrypt payload after key handlers find symm key
+  * Add handler for U and V keys
+  * Add helper functions for handling U and V keys
+  * Some TPM fixes for IMA PCR validation
+  * Do not flush AK context as this causes an error
+  * Fix bug in revocation service
+  * Drop references to vmask
+  * Better documentation of consts
+  * Do not fail if EK cert is not present in TPM NV
+  * Add more verbose logging to better match Python agent
+  * Remove verify stub as we are not using it
+  * tests: Don't pass --allow-signing to swtpm_setup
+  * Fix typos
+  * Add dependency for libzmq3-dev / zeromq-devel
+  * Fix new clippy lints
+  * Add handling for Identity and Integrity quotes
+  * Add Quote functionality
+  * Add marshaling functions for TPM structs
+
 -------------------------------------------------------------------
 Tue Jun 08 11:59:11 UTC 2021 - aplanas@suse.com
 

rust-keylime.spec

@@ -18,18 +18,26 @@
 
 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
 Name:           rust-keylime
-Version:        0.0.1+git.1620935374.4df2148
+Version:        0.1.0+git.1626706730.a009476
 Release:        0
 Summary:        Rust implementation of the keylime agent
-License:        MIT
+License:        Apache-2.0 AND MIT
 URL:            https://github.com/keylime/rust-keylime
 Source:         rust-keylime-%{version}.tar.xz
 Source1:        vendor.tar.xz
 Source2:        cargo_config
+Source3:        keylime_agent.service
+Source4:        keylime.xml
+# PATCH-FIX-OPENSUSE keylime.conf.diff
+Patch1:         keylime.conf.diff
+# PATCH-FIX-UPSTREAM generate-cargo-lock-file.patch gh#keylime/rust-keylime!244
+Patch2:         generate-cargo-lock-file.patch
 BuildRequires:  cargo
-BuildRequires:  czmq-devel
+BuildRequires:  firewall-macros
+BuildRequires:  libarchive-devel
 BuildRequires:  rust
 BuildRequires:  tpm2-0-tss-devel
+BuildRequires:  zeromq-devel
 ExcludeArch:    %{ix86} s390x ppc64 ppc64le armhfp armv7hl
 
 %description
@@ -37,7 +45,7 @@ Rust implementation of keylime agent. Keylime is system integrity
 monitoring system.
 
 %prep
-%setup -qa1
+%autosetup -a1
 mkdir .cargo
 cp %{SOURCE2} .cargo/config
 
@@ -45,15 +53,37 @@ cp %{SOURCE2} .cargo/config
 RUSTFLAGS=%{rustflags} cargo build --release
 
 %install
-RUSTFLAGS=%{rustflags} cargo install --root=%{buildroot}%{_prefix} --path .
+RUSTFLAGS=%{rustflags} cargo install --frozen --root=%{buildroot}%{_prefix} --path .
 
 install -Dpm 644 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf
+install -Dpm 644 %{SOURCE3} %{buildroot}%{_unitdir}/keylime_agent.service
+
+install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
 
 rm %{buildroot}%{_prefix}/.crates.toml
 rm %{buildroot}%{_prefix}/.crates2.json
 
+%pre
+%service_add_pre keylime_agent.service
+
+%post
+%firewalld_reload
+%service_add_post keylime_agent.service
+
+%preun
+%service_del_preun keylime_agent.service
+
+%postun
+%service_del_postun keylime_agent.service
+
 %files
+%doc README.md
+%license LICENSE
 %{_bindir}/keylime_agent
 %config(noreplace) %{_sysconfdir}/keylime.conf
+%dir %{_prefix}/lib/firewalld
+%dir %{_prefix}/lib/firewalld/services
+%{_prefix}/lib/firewalld/services/keylime.xml
+%{_unitdir}/keylime_agent.service
 
 %changelog

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7108bec5444d6f122bccb2ad850f038bfa3e32e08818e72ae63b378b72d87214
+oid sha256:3a91a7293c73eaafcf7d1e8ffa6bcdb0e475a5ceb791544cbaeca2685b5b45a3
-size 15297844
+size 15756232