pool/rust-keylime
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 933782 from home:aplanas:branches:security

Browse Source 
- Conflict with keylime-agent, keylime-config and keylime-firewalld
- Add keylime_ima_emulator tool
- Add patch add_property_tag_variant_for_maxcapbuffer.patch

OBS-URL: https://build.opensuse.org/request/show/933782
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=6
This commit is contained in:
Alberto Planas 2021-11-25 15:22:45 +00:00 committed by Git OBS Bridge
parent 4a125f71be
commit 28ad37bb22
4 changed files with 71 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
add_property_tag_variant_for_maxcapbuffer.patch Normal file
View File

@ -0,0 +1,43 @@
From 6dc9f3ccb0e5ce6561aeef73e9f757b4c193c3c4 Mon Sep 17 00:00:00 2001
From: Rob Shearman <rob@graphiant.com>
Date: Tue, 28 Sep 2021 14:22:10 +0100
Subject: [PATCH] Add property tag variant for MaxCapBuffer
As per "TCG TSS 2.0 Overview and Common Structures Specification" v0.9
rev 03, and tpm2-tss >= 2.4.0, add a constant for
TPM2_PT_MAX_CAP_BUFFER and a corresponding PropertyTag variant,
MaxCapBuffer.
This avoids an error for "value = 302 did not match any PropertyTag"
that may be seen with some TPM implementations.
Signed-off-by: Rob Shearman <rob@graphiant.com>
---
tss-esapi/src/constants/property_tag.rs | 1 +
tss-esapi/src/constants/tss.rs | 1 +
2 files changed, 2 insertions(+)
diff --git a/tss-esapi/src/constants/property_tag.rs b/tss-esapi/src/constants/property_tag.rs
index 1849efe5..db36c6ef 100644
--- a/vendor/tss-esapi/src/constants/property_tag.rs
+++ b/vendor/tss-esapi/src/constants/property_tag.rs
@@ -56,6 +56,7 @@ pub enum PropertyTag {
VendorCommands = TPM2_PT_VENDOR_COMMANDS,
NvBufferMax = TPM2_PT_NV_BUFFER_MAX,
Modes = TPM2_PT_MODES,
+ MaxCapBuffer = TPM2_PT_MAX_CAP_BUFFER,
// Variable
Permanent = TPM2_PT_PERMANENT,
StartupClear = TPM2_PT_STARTUP_CLEAR,
diff --git a/tss-esapi/src/constants/tss.rs b/tss-esapi/src/constants/tss.rs
index 72d1eedb..03f412e7 100644
--- a/vendor/tss-esapi/src/constants/tss.rs
+++ b/vendor/tss-esapi/src/constants/tss.rs
@@ -423,6 +423,7 @@ pub const TPM2_PT_LIBRARY_COMMANDS: TPM2_PT = TPM2_PT_FIXED + 42; /* number of c
pub const TPM2_PT_VENDOR_COMMANDS: TPM2_PT = TPM2_PT_FIXED + 43; /* number of vendor commands that are implemented */
pub const TPM2_PT_NV_BUFFER_MAX: TPM2_PT = TPM2_PT_FIXED + 44; /* the maximum data size in one NV write command */
pub const TPM2_PT_MODES: TPM2_PT = TPM2_PT_FIXED + 45; /* a TPMA_MODES value indicating that the TPM is designed for these modes. */
+pub const TPM2_PT_MAX_CAP_BUFFER: TPM2_PT = TPM2_PT_FIXED + 46; /* the maximum size of a TPMS_CAPABILITY_DATA structure returned in TPM2_GetCapability(). */
pub const TPM2_PT_VAR: TPM2_PT = TPM2_PT_GROUP * 2; /* the group of variable properties returned as TPMS_TAGGED_PROPERTY. The properties in this group change because of a Protected Capability other than a firmware update. The values are not necessarily persistent across all power transitions. */
pub const TPM2_PT_PERMANENT: TPM2_PT = TPM2_PT_VAR + 0; /* TPMA_PERMANENT */
pub const TPM2_PT_STARTUP_CLEAR: TPM2_PT = TPM2_PT_VAR + 1; /* TPMA_STARTUP_CLEAR */

18
keylime.conf.diff
View File

@ -1,7 +1,7 @@
diff --git a/keylime.conf b/keylime.conf Index: rust-keylime-0.1.0+git.1637095429.d5a3191/keylime.conf
index 005c0af..fb9b737 100644 ===================================================================
--- a/keylime.conf --- rust-keylime-0.1.0+git.1637095429.d5a3191.orig/keylime.conf
+++ b/keylime.conf +++ rust-keylime-0.1.0+git.1637095429.d5a3191/keylime.conf
@@ -4,7 +4,8 @@ @@ -4,7 +4,8 @@
# Revocation IP & Port used by either the cloud_agent or keylime_ca to receive # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
@ -32,13 +32,3 @@ index 005c0af..fb9b737 100644
registrar_port = 8890 registrar_port = 8890
# The name of the RSA key that Keylime should use for protecting shares of U/V. # The name of the RSA key that Keylime should use for protecting shares of U/V.
@@ -62,7 +65,8 @@ extract_payload_zip = True
# 'dmidecode -s system-uuid'.
# If you set this to "hostname", Keylime will use the full qualified domain
# name of current host as the agent id.
-agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+agent_uuid = hostname
# Whether to listen for revocation notifications from the verifier or not.
listen_notfications = True

7
rust-keylime.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Nov 24 13:48:07 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
- Conflict with keylime-agent, keylime-config and keylime-firewalld
- Add keylime_ima_emulator tool
- Add patch add_property_tag_variant_for_maxcapbuffer.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Nov 19 13:02:48 UTC 2021 - aplanas@suse.com Fri Nov 19 13:02:48 UTC 2021 - aplanas@suse.com

21
rust-keylime.spec
View File

@ -30,12 +30,18 @@ Source3: keylime_agent.service
Source4: keylime.xml Source4: keylime.xml
# PATCH-FIX-OPENSUSE keylime.conf.diff # PATCH-FIX-OPENSUSE keylime.conf.diff
Patch1: keylime.conf.diff Patch1: keylime.conf.diff
# PATCH-FIX-UPSTREAM add_property_tag_variant_for_maxcapbuffer.patch
Patch2: add_property_tag_variant_for_maxcapbuffer.patch
BuildRequires: cargo BuildRequires: cargo
BuildRequires: firewall-macros BuildRequires: firewall-macros
BuildRequires: libarchive-devel BuildRequires: libarchive-devel
BuildRequires: rust BuildRequires: rust
BuildRequires: tpm2-0-tss-devel BuildRequires: tpm2-0-tss-devel
BuildRequires: zeromq-devel BuildRequires: zeromq-devel
Conflicts: keylime-agent
Conflicts: keylime-config
Conflicts: keylime-firewalld
Conflicts: python-keylime
ExcludeArch: %{ix86} s390x ppc64 ppc64le armhfp armv7hl ExcludeArch: %{ix86} s390x ppc64 ppc64le armhfp armv7hl
%description %description
@ -43,10 +49,19 @@ Rust implementation of keylime agent. Keylime is system integrity
monitoring system. monitoring system.
%prep %prep
%autosetup -a1 %autosetup -a1 -p1
mkdir .cargo mkdir .cargo
cp %{SOURCE2} .cargo/config cp %{SOURCE2} .cargo/config
# We patched a vendored component, we cannot use it as cargo will
# validate the source hash. The solution is move it out and add a
# [patch] section in Cargo.toml
mv vendor/tss-esapi .
cat <<EOF >> Cargo.toml
[patch.crates-io]
tss-esapi = { path = "tss-esapi" }
EOF
%build %build
RUSTFLAGS=%{rustflags} cargo build --release RUSTFLAGS=%{rustflags} cargo build --release
@ -61,9 +76,6 @@ install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keyli
rm %{buildroot}%{_prefix}/.crates.toml rm %{buildroot}%{_prefix}/.crates.toml
rm %{buildroot}%{_prefix}/.crates2.json rm %{buildroot}%{_prefix}/.crates2.json
# We do not need the IMA emulator until tests
rm %{buildroot}%{_bindir}/keylime_ima_emulator
%pre %pre
%service_add_pre keylime_agent.service %service_add_pre keylime_agent.service
@ -81,6 +93,7 @@ rm %{buildroot}%{_bindir}/keylime_ima_emulator
%doc README.md %doc README.md
%license LICENSE %license LICENSE
%{_bindir}/keylime_agent %{_bindir}/keylime_agent
%{_bindir}/keylime_ima_emulator
%config(noreplace) %{_sysconfdir}/keylime.conf %config(noreplace) %{_sysconfdir}/keylime.conf
%dir %{_prefix}/lib/firewalld %dir %{_prefix}/lib/firewalld
%dir %{_prefix}/lib/firewalld/services %dir %{_prefix}/lib/firewalld/services