Accepting request 1006461 from security

OBS-URL: https://build.opensuse.org/request/show/1006461
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rust-keylime?expand=0&rev=4

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">01860934f7308bc5ea1e68c8d858aea056620ce8</param></service></servicedata>
+              <param name="changesrevision">63182344ab8efa90896eb0765c3ad9ecad11362e</param></service></servicedata>

keylime-agent.conf.diff

@@ -1,34 +1,39 @@
-Index: rust-keylime-0.1.0+git.1659977521.0186093/keylime-agent.conf
+Index: rust-keylime-0.1.0+git.1663769444.6318234/keylime-agent.conf
 ===================================================================
---- rust-keylime-0.1.0+git.1659977521.0186093.orig/keylime-agent.conf
+--- rust-keylime-0.1.0+git.1663769444.6318234.orig/keylime-agent.conf
-+++ rust-keylime-0.1.0+git.1659977521.0186093/keylime-agent.conf
++++ rust-keylime-0.1.0+git.1663769444.6318234/keylime-agent.conf
-@@ -4,7 +4,8 @@
+@@ -10,10 +10,12 @@ version = "2.0"
- 
+ # If you set this to "generate", Keylime will create a random UUID.
- # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
+ # If you set this to "hash_ek", Keylime will set the UUID to the result
- # revocation events from the verifier.
+ # of 'SHA256(public EK in PEM format)'.
--receive_revocation_ip = 127.0.0.1
+-uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
-+# receive_revocation_ip = 127.0.0.1
++# uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
-+receive_revocation_ip = <REMOTE_IP>
++uuid = "generate"
- receive_revocation_port = 8992
- 
- 
-@@ -13,7 +14,8 @@ receive_revocation_port = 8992
- #=============================================================================
  
  # The binding address and port for the agent server
--cloudagent_ip = 127.0.0.1
+-ip = "127.0.0.1"
-+# cloudagent_ip = 127.0.0.1
++# ip = "127.0.0.1"
-+cloudagent_ip = 0.0.0.0
++ip = "0.0.0.0"
- cloudagent_port = 9002
+ port = 9002
  
  # Address and port where the verifier and tenant can connect to reach the agent.
-@@ -22,7 +24,8 @@ agent_contact_ip = 127.0.0.1
+@@ -22,7 +24,8 @@ contact_ip = "127.0.0.1"
- agent_contact_port = 9002
+ contact_port = 9002
  
  # The address and port of registrar server which agent communicate with
--registrar_ip = 127.0.0.1
+-registrar_ip = "127.0.0.1"
-+# registrar_ip = 127.0.0.1
++# registrar_ip = "127.0.0.1"
-+registrar_ip = <REMOTE_IP>
++registrar_ip = "<REMOTE_IP>"
  registrar_port = 8890
  
- # The keylime working directory.  Can be overriden by setting the KEYLIME_DIR
+ # Enable mTLS communication between agent, verifier and tenant.
+@@ -96,7 +99,8 @@ revocation_actions_dir = "/usr/libexec/k
+ # Revocation IP & Port used by the agent to receive revocation
+ # notifications from the verifier via zeromq.
+ # This is optional and used only when 'enable_revocation_notifications' is 'true'.
+-revocation_notification_ip = "127.0.0.1"
++# revocation_notification_ip = "127.0.0.1"
++revocation_notification_ip = "<REMOTE_IP>"
+ revocation_notification_port = 8992
+ 
+ # The path to the certificate to verify revocation messages received from the

keylime.xml

@@ -2,7 +2,6 @@
 <service>
   <short>Keylime</short>
   <description>Keylime is a remote attestation tool that requires access to several ports.</description>
-  <port protocol="tcp" port="443"/><!-- Webapp -->
   <port protocol="tcp" port="8881"/><!-- Verifier -->
   <port protocol="tcp" port="8890"/><!-- Registrar -->
   <port protocol="tcp" port="8891"/><!-- Registrar TLS -->

rust-keylime-0.1.0+git.1659977521.0186093.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c6e878e1b8ba3106f7ce152fd227fc2f6a3b17c6ffc98fc9a3093a41e6327336
-size 119944

rust-keylime-0.1.0+git.1663769444.6318234.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6044f08a59635a4b7b1801708261334259f72b63095fc44bc5fd37ccb5853d8f
+size 122752

rust-keylime.changes

@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Mon Sep 26 14:15:04 UTC 2022 - aplanas@suse.com
+
+- Rebase bindgen.patch and upstream the change
+- Rebase keylime-agent.conf.diff
+- Store the configuration file in /usr/etc/keylime/agent.conf
+- Fix keylime user creation
+- Drop webapp service port in firewall XML service file
+- Update to version 0.1.0+git.1663769444.6318234:
+  * Update comments in the configuration file
+  * config: Align config locations with the python components
+  * config: Add configuration file version
+  * config: Add back support for KEYLIME_DIR env var
+  * Change configuration format to TOML
+  * Add support for using passphrase protected key
+  * Do not try to load TPM data generated by another TPM
+  * Allow using existing key and certificate
+  * Remove the agent TPM data from the config struct
+  * Rename the configuration options
+  * Use password to generate EK when provided
+  * Add tpm_ownerpassword option to keylime.conf
+  * Add cargo audit to CI static tests
+  * Add agent and faked_measured_boot_log tests context
+  * Appease clippy
+
 -------------------------------------------------------------------
 Wed Aug 10 13:39:08 UTC 2022 - aplanas@suse.com
 

rust-keylime.spec

@@ -25,7 +25,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:           rust-keylime
-Version:        0.1.0+git.1659977521.0186093
+Version:        0.1.0+git.1663769444.6318234
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
@@ -38,7 +38,7 @@ Source4:        keylime-user.conf
 Source5:        tmpfiles.keylime
 # PATCH-FIX-OPENSUSE keylime-agent.conf.diff
 Patch1:         keylime-agent.conf.diff
-# PATCH-FIX-OPENSUSE bindgen.patch
+# PATCH-FIX-UPSTREAM bindgen.patch -- gh#keylime/rust-keylime!459
 Patch2:         bindgen.patch
 BuildRequires:  cargo
 BuildRequires:  clang
@@ -51,6 +51,8 @@ BuildRequires:  zeromq-devel
 Requires:       libtss2-tcti-device0
 Requires:       logrotate
 Requires:       tpm2.0-abrmd
+Provides:       user(keylime)
+%sysusers_requires
 
 %description
 Rust implementation of keylime agent. Keylime is system integrity
@@ -68,8 +70,7 @@ RUSTFLAGS=%{rustflags} cargo build --release --no-default-features --features "w
 %install
 RUSTFLAGS=%{rustflags} cargo install --frozen --no-default-features --features "with-zmq" --root=%{buildroot}%{_prefix} --path .
 
-# TODO: move the configuration file into _distconfdir
+install -Dpm 0600 keylime-agent.conf %{buildroot}%{_distconfdir}/keylime/agent.conf
-install -Dpm 0600 keylime-agent.conf %{buildroot}%{_sysconfdir}/keylime-agent.conf
 install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service
 install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
 
@@ -85,7 +86,7 @@ mkdir -p %{buildroot}%{_sharedstatedir}/keylime
 rm %{buildroot}%{_prefix}/.crates.toml
 rm %{buildroot}%{_prefix}/.crates2.json
 
-%pre
+%pre -f keylime.pre
 %service_add_pre keylime_agent.service
 %service_add_pre var-lib-keylime-secure.mount
 
@@ -108,7 +109,8 @@ rm %{buildroot}%{_prefix}/.crates2.json
 %license LICENSE
 %{_bindir}/keylime_agent
 %{_bindir}/keylime_ima_emulator
-%config(noreplace) %attr (0600,keylime,tss) %{_sysconfdir}/keylime-agent.conf
+%dir %attr(0700,keylime,tss) %{_distconfdir}/keylime
+%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/keylime/agent.conf
 %{_unitdir}/keylime_agent.service
 %{_unitdir}/var-lib-keylime-secure.mount
 %dir %{_prefix}/lib/firewalld

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:fcc10303f90db5ff1485a76892b1c7eef8904d848e26e67af928eeb96c071aa4
+oid sha256:95bb3976b462d1619f87de02826cc1714d909c801f95c5144bb0cf10ca5a1294
-size 20796756
+size 21085344