diff --git a/add_property_tag_variant_for_maxcapbuffer.patch b/add_property_tag_variant_for_maxcapbuffer.patch
new file mode 100644
index 0000000..18ab88a
--- /dev/null
+++ b/add_property_tag_variant_for_maxcapbuffer.patch
@@ -0,0 +1,43 @@
+From 6dc9f3ccb0e5ce6561aeef73e9f757b4c193c3c4 Mon Sep 17 00:00:00 2001
+From: Rob Shearman
+Date: Tue, 28 Sep 2021 14:22:10 +0100
+Subject: [PATCH] Add property tag variant for MaxCapBuffer
+
+As per "TCG TSS 2.0 Overview and Common Structures Specification" v0.9
+rev 03, and tpm2-tss >= 2.4.0, add a constant for
+TPM2_PT_MAX_CAP_BUFFER and a corresponding PropertyTag variant,
+MaxCapBuffer.
+
+This avoids an error for "value = 302 did not match any PropertyTag"
+that may be seen with some TPM implementations.
+
+Signed-off-by: Rob Shearman
+---
+ tss-esapi/src/constants/property_tag.rs | 1 +
+ tss-esapi/src/constants/tss.rs | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/tss-esapi/src/constants/property_tag.rs b/tss-esapi/src/constants/property_tag.rs
+index 1849efe5..db36c6ef 100644
+--- a/vendor/tss-esapi/src/constants/property_tag.rs
++++ b/vendor/tss-esapi/src/constants/property_tag.rs
+@@ -56,6 +56,7 @@ pub enum PropertyTag {
+ VendorCommands = TPM2_PT_VENDOR_COMMANDS,
+ NvBufferMax = TPM2_PT_NV_BUFFER_MAX,
+ Modes = TPM2_PT_MODES,
++ MaxCapBuffer = TPM2_PT_MAX_CAP_BUFFER,
+ // Variable
+ Permanent = TPM2_PT_PERMANENT,
+ StartupClear = TPM2_PT_STARTUP_CLEAR,
+diff --git a/tss-esapi/src/constants/tss.rs b/tss-esapi/src/constants/tss.rs
+index 72d1eedb..03f412e7 100644
+--- a/vendor/tss-esapi/src/constants/tss.rs
++++ b/vendor/tss-esapi/src/constants/tss.rs
+@@ -423,6 +423,7 @@ pub const TPM2_PT_LIBRARY_COMMANDS: TPM2_PT = TPM2_PT_FIXED + 42; /* number of c
+ pub const TPM2_PT_VENDOR_COMMANDS: TPM2_PT = TPM2_PT_FIXED + 43; /* number of vendor commands that are implemented */
+ pub const TPM2_PT_NV_BUFFER_MAX: TPM2_PT = TPM2_PT_FIXED + 44; /* the maximum data size in one NV write command */
+ pub const TPM2_PT_MODES: TPM2_PT = TPM2_PT_FIXED + 45; /* a TPMA_MODES value indicating that the TPM is designed for these modes. 
*/
++pub const TPM2_PT_MAX_CAP_BUFFER: TPM2_PT = TPM2_PT_FIXED + 46; /* the maximum size of a TPMS_CAPABILITY_DATA structure returned in TPM2_GetCapability(). */
+ pub const TPM2_PT_VAR: TPM2_PT = TPM2_PT_GROUP * 2; /* the group of variable properties returned as TPMS_TAGGED_PROPERTY. The properties in this group change because of a Protected Capability other than a firmware update. The values are not necessarily persistent across all power transitions. */
+ pub const TPM2_PT_PERMANENT: TPM2_PT = TPM2_PT_VAR + 0; /* TPMA_PERMANENT */
+ pub const TPM2_PT_STARTUP_CLEAR: TPM2_PT = TPM2_PT_VAR + 1; /* TPMA_STARTUP_CLEAR */
diff --git a/keylime.conf.diff b/keylime.conf.diff
index c067fc4..4deb180 100644
--- a/keylime.conf.diff
+++ b/keylime.conf.diff
@@ -1,7 +1,7 @@
-diff --git a/keylime.conf b/keylime.conf
-index 005c0af..fb9b737 100644
---- a/keylime.conf
-+++ b/keylime.conf
+Index: rust-keylime-0.1.0+git.1637095429.d5a3191/keylime.conf
+===================================================================
+--- rust-keylime-0.1.0+git.1637095429.d5a3191.orig/keylime.conf
++++ rust-keylime-0.1.0+git.1637095429.d5a3191/keylime.conf
 @@ -4,7 +4,8 @@
 # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
@@ -32,13 +32,3 @@ index 005c0af..fb9b737 100644
 registrar_port = 8890
 # The name of the RSA key that Keylime should use for protecting shares of U/V.
-@@ -62,7 +65,8 @@ extract_payload_zip = True
- # 'dmidecode -s system-uuid'.
- # If you set this to "hostname", Keylime will use the full qualified domain
- # name of current host as the agent id.
--agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
-+# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
-+agent_uuid = hostname
- 
- # Whether to listen for revocation notifications from the verifier or not.
- listen_notfications = True
diff --git a/rust-keylime.changes b/rust-keylime.changes
index 436753e..948cdb8 100644
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
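Review bot: The inner headers of the new patch disagree about the file path: the `+diff --git a/tss-esapi/src/constants/property_tag.rs ...` and `+index` lines still carry the upstream path, while the `---`/`+++` lines right under them were hand-edited to `a/vendor/tss-esapi/...`. `patch -p1`, which `%autosetup -p1` drives, goes by the `---`/`+++` names and applies it, but `git apply`/`git am` cross-check the two and, as far as I can tell, refuse a patch whose old/new names are inconsistent, so refreshing this patch with git tooling will fail. Rewriting the two `diff --git` lines to the `vendor/` path as well, e.g. `diff --git a/vendor/tss-esapi/src/constants/property_tag.rs b/vendor/tss-esapi/src/constants/property_tag.rs`, keeps it applicable both ways; alternatively keep the upstream patch pristine and apply it with `-d vendor`.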
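Review bot: The second hunk drops the part of the patch that replaced `agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000` with `agent_uuid = hostname`, and neither this commit nor the .changes entry says why. Unless the new upstream keylime.conf (0.1.0+git.1637095429.d5a3191, not visible here) no longer ships that fixed placeholder as the default, every host installing this package will register with the registrar under the same well-known UUID, so agents collide and the verifier cannot tell them apart. If the hunk was removed only because it stopped applying after the rebase, it should be refreshed against the new file rather than dropped; if it was intentional, a one-line note in rust-keylime.changes such as `- Drop agent_uuid=hostname override (upstream default changed)` would record the decision.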
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Nov 24 13:48:07 UTC 2021 - Alberto Planas Dominguez
+
+- Conflict with keylime-agent, keylime-config and keylime-firewalld
+- Add keylime_ima_emulator tool
+- Add patch add_property_tag_variant_for_maxcapbuffer.patch
+
 -------------------------------------------------------------------
 Fri Nov 19 13:02:48 UTC 2021 - aplanas@suse.com
diff --git a/rust-keylime.spec b/rust-keylime.spec
index c88c2b0..dfb530f 100644
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@@ -30,12 +30,18 @@ Source3: keylime_agent.service
 Source4: keylime.xml
 # PATCH-FIX-OPENSUSE keylime.conf.diff
 Patch1: keylime.conf.diff
+# PATCH-FIX-UPSTREAM add_property_tag_variant_for_maxcapbuffer.patch
+Patch2: add_property_tag_variant_for_maxcapbuffer.patch
 BuildRequires: cargo
 BuildRequires: firewall-macros
 BuildRequires: libarchive-devel
 BuildRequires: rust
 BuildRequires: tpm2-0-tss-devel
 BuildRequires: zeromq-devel
+Conflicts: keylime-agent
+Conflicts: keylime-config
+Conflicts: keylime-firewalld
+Conflicts: python-keylime
 ExcludeArch: %{ix86} s390x ppc64 ppc64le armhfp armv7hl
 %description
@@ -43,10 +49,19 @@ Rust implementation of keylime agent. Keylime is system integrity monitoring system.
 %prep
-%autosetup -a1
+%autosetup -a1 -p1
 mkdir .cargo
 cp %{SOURCE2} .cargo/config
+# We patched a vendored component, we cannot use it as cargo will
+# validate the source hash. The solution is move it out and add a
+# [patch] section in Cargo.toml
+mv vendor/tss-esapi .
+cat <> Cargo.toml
+[patch.crates-io]
+tss-esapi = { path = "tss-esapi" }
+EOF
+
 %build
 RUSTFLAGS=%{rustflags} cargo build --release
@@ -61,9 +76,6 @@ install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keyli
 rm %{buildroot}%{_prefix}/.crates.toml
 rm %{buildroot}%{_prefix}/.crates2.json
-# We do not need the IMA emulator until tests
-rm %{buildroot}%{_bindir}/keylime_ima_emulator
-
 %pre
 %service_add_pre keylime_agent.service
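Review bot: `Conflicts: python-keylime` is added in the first spec hunk, but the .changes entry in this same commit lists only keylime-agent, keylime-config and keylime-firewalld, so the changelog under-reports what the package now refuses to coexist with. Either extend the entry to `- Conflict with keylime-agent, keylime-config, keylime-firewalld and python-keylime`, or drop the fourth `Conflicts:` if the python library package (as opposed to its agent subpackage) is something users may legitimately need on the same host, for example for tenant or verifier tooling; which of the two is right is not decidable from this diff.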
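Review bot: As shown, `cat <> Cargo.toml` in the new %prep lines is not a heredoc: `<>` opens Cargo.toml read-write and copies it to stdout, and the following `[patch.crates-io]` line is then run as a command, so %prep aborts. This is most likely the heredoc introducer lost in rendering, but the spec should be checked for exactly `cat <<EOF >> Cargo.toml`. Separately, the comment is right that moving `tss-esapi` out of `vendor/` sidesteps the vendored-source checksum; since that also means nothing in the build any longer ties the patched crate to a recorded upstream state, the comment should name it, e.g. `# tss-esapi: vendored crate plus upstream 6dc9f3cc (Patch2); moved out of vendor/ because .cargo-checksum.json would reject the patched files`. Note too that a `[patch]` entry makes cargo rewrite Cargo.lock on the next build, so adding `--locked` to `%build` later would need the lock file regenerated in %prep.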
@@ -81,6 +93,7 @@ rm %{buildroot}%{_bindir}/keylime_ima_emulator
 %doc README.md
 %license LICENSE
 %{_bindir}/keylime_agent
+%{_bindir}/keylime_ima_emulator
 %config(noreplace) %{_sysconfdir}/keylime.conf
 %dir %{_prefix}/lib/firewalld
 %dir %{_prefix}/lib/firewalld/services
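Review bot: `%{_bindir}/keylime_ima_emulator` is now shipped in the agent package although the comment removed in the %install hunk called it test-only (`We do not need the IMA emulator until tests`), and the .changes entry gives no reason for exposing it to end users. If it is needed for CI or manual testing, a `-test`/`-tools` subpackage keeps it off production attestation hosts, where a binary whose name suggests it fabricates IMA measurement data is at best dead weight and at worst confusing for operators auditing what the agent package installs. At minimum the new %files line deserves a comment such as `# testing helper, not used by keylime_agent.service` so the intent survives the next rebase.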