From b88b2eb241a90fc9c43d8e0c659d792f999c43a49f97de905c766bc170e1b9db Mon Sep 17 00:00:00 2001 
From: Alberto Planas Dominguez Date: Thu, 16 Feb 2023 14:24:29 +0000 Subject: [PATCH 1/2] Accepting request 1066186 from home:aplanas:branches:security - Drop zmq from the feature set - Remove already merged patches: * 0001-keylime-agent-remove-const_err-deny.patch * 0001-Cargo.toml-tss-esapi-bindings.patch - Update to version 0.1.0+git.1676549716.5382ed9: * Cargo: Update clap minimum version to 3.2 * Cargo: Update uuid minimum version to 1.3 * Cargo: Update tokio minimum version to 1.24 and reduce features * build(deps): bump tss-esapi from 7.1.0 to 7.2.0 * cargo deb: include shim.py in packaging * build(deps): bump thiserror from 1.0.36 to 1.0.38 * keylime-agent.conf: Add comments on how to override options * config: Fix overriding options with env vars * Add missing e2e tests and reordering tests based on alphabetical order * e2e tests: Fix test name * Store associated U keys, auth tags, and payloads together * Refactor ZeroMQ revocation listener to not block * keylime-agent: Gracefully shutdown on SIGINT * Refactor async code for keys and payloads * main: Move payload related functions to payloads module * main: Run ZeroMQ service in a separate task * Remove unused option "openstack" for obtaining uuid * algorithms: fix typo * clippy: fix uninlined_format_args warnings * clippy: fix needless_borrow warnings * crypto, mTLS: allow certificate chain for trusted_client_ca * build(deps): bump base64 from 0.13.0 to 0.13.1 * build(deps): bump serde_json from 1.0.85 to 1.0.91 * build(deps): bump libc from 0.2.133 to 0.2.139 * build(deps): bump bumpalo from 3.11.0 to 3.12.0 * build(deps): bump futures from 0.3.24 to 0.3.25 * Cargo.toml: tss-esapi bindings * packit-ci: Disable Rawhide due to agent compilation issues * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598 * keylime-agent: remove const_err deny * build(deps): bump tokio from 1.23.0 to 1.24.2 OBS-URL: https://build.opensuse.org/request/show/1066186 OBS-URL: 
https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=36 --- 0001-Cargo.toml-tss-esapi-bindings.patch | 43 ------------------- ...-keylime-agent-remove-const_err-deny.patch | 32 -------------- _servicedata | 2 +- keylime-agent.conf.diff | 43 ++++++++++++------- ...eylime-0.1.0+git.1672681780.762cec8.tar.xz | 3 -- ...eylime-0.1.0+git.1676549716.5382ed9.tar.xz | 3 ++ rust-keylime.changes | 40 +++++++++++++++++ rust-keylime.spec | 19 ++------ vendor.tar.xz | 4 +- 9 files changed, 78 insertions(+), 111 deletions(-) delete mode 100644 0001-Cargo.toml-tss-esapi-bindings.patch delete mode 100644 0001-keylime-agent-remove-const_err-deny.patch delete mode 100644 rust-keylime-0.1.0+git.1672681780.762cec8.tar.xz create mode 100644 rust-keylime-0.1.0+git.1676549716.5382ed9.tar.xz diff --git a/0001-Cargo.toml-tss-esapi-bindings.patch b/0001-Cargo.toml-tss-esapi-bindings.patch deleted file mode 100644 index bac77dd..0000000 --- a/0001-Cargo.toml-tss-esapi-bindings.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From df18e7f683b610e198f8d359d2036655a1891795 Mon Sep 17 00:00:00 2001 -From: Alberto Planas -Date: Tue, 17 Jan 2023 11:35:59 +0100 -Subject: [PATCH] Cargo.toml: tss-esapi bindings - -Generate the tss-esapi bindings during compilation time. This will -extend the amount of supported architectures. - -This is a regression done after the crate split, that was fixed before -in #459. - -Signed-off-by: Alberto Planas ---- - keylime-ima-emulator/Cargo.toml | 2 +- - keylime/Cargo.toml | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/keylime-ima-emulator/Cargo.toml b/keylime-ima-emulator/Cargo.toml -index ee3d5c1..333a192 100644 ---- a/keylime-ima-emulator/Cargo.toml -+++ b/keylime-ima-emulator/Cargo.toml -@@ -12,4 +12,4 @@ keylime = { path = "../keylime" } - log = "0.4" - openssl = "0.10.15" - thiserror = "1.0" --tss-esapi = "7.1.0" -+tss-esapi = {version = "7.1.0", features = ["generate-bindings"]} -diff --git a/keylime/Cargo.toml b/keylime/Cargo.toml -index 9693912..c343d40 100644 ---- a/keylime/Cargo.toml -+++ b/keylime/Cargo.toml -@@ -14,7 +14,7 @@ serde = "1.0.80" - serde_derive = "1.0.80" - static_assertions = "1" - thiserror = "1.0" --tss-esapi = "7.1.0" -+tss-esapi = {version = "7.1.0", features = ["generate-bindings"]} - - [dev-dependencies] - tempfile = "3.0.4" --- -2.39.0 - diff --git a/0001-keylime-agent-remove-const_err-deny.patch b/0001-keylime-agent-remove-const_err-deny.patch deleted file mode 100644 index 4f0075f..0000000 --- a/0001-keylime-agent-remove-const_err-deny.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From a44207e5ffde079b39b119afbf12871d2f78adf1 Mon Sep 17 00:00:00 2001 -From: Alberto Planas -Date: Mon, 16 Jan 2023 15:51:46 +0100 -Subject: [PATCH] keylime-agent: remove const_err deny - -In 1.66 / 1.66.1 const_err is already a hard error, and was enabled as -such as long ago. New compilers will complain in case that this is still -used: - - warning: lint `const_err` has been removed: converted into hard error - -More info: - https://github.com/rust-lang/rust/issues/71800 ---- - keylime-agent/src/main.rs | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs -index 6333652..1d6fdf4 100644 ---- a/keylime-agent/src/main.rs -+++ b/keylime-agent/src/main.rs -@@ -3,7 +3,6 @@ - - #![deny( - nonstandard_style, -- const_err, - dead_code, - improper_ctypes, - non_shorthand_field_patterns, --- -2.39.0 - diff --git a/_servicedata b/_servicedata index a36c1ea..cde8a14 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/keylime/rust-keylime.git - 762cec820ee1bc00ca480cf3b410e61904410ffa \ No newline at end of file + 5382ed930bbb70c2041160386547fbbf07dcde44 \ No newline at end of file diff --git a/keylime-agent.conf.diff b/keylime-agent.conf.diff index 9dc1284..ff2c5b7 100644 --- a/keylime-agent.conf.diff +++ b/keylime-agent.conf.diff 
@@ -1,36 +1,49 @@ -Index: rust-keylime-0.1.0+git.1663769444.6318234/keylime-agent.conf +Index: rust-keylime-0.1.0+git.1676549716.5382ed9/keylime-agent.conf =================================================================== ---- rust-keylime-0.1.0+git.1663769444.6318234.orig/keylime-agent.conf -+++ rust-keylime-0.1.0+git.1663769444.6318234/keylime-agent.conf -@@ -10,10 +10,12 @@ version = "2.0" - # If you set this to "generate", Keylime will create a random UUID. - # If you set this to "hash_ek", Keylime will set the UUID to the result +--- rust-keylime-0.1.0+git.1676549716.5382ed9.orig/keylime-agent.conf ++++ rust-keylime-0.1.0+git.1676549716.5382ed9/keylime-agent.conf +@@ -19,13 +19,15 @@ version = "2.0" # of 'SHA256(public EK in PEM format)'. + # + # To override, set KEYLIME_AGENT_UUID environment variable. -uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000" +# uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000" +uuid = "generate" - # The binding address and port for the agent server + # The binding IP address and port for the agent server + # + # To override ip, set KEYLIME_AGENT_IP environment variable. + # To override port, set KEYLIME_AGENT_PORT environment variable. -ip = "127.0.0.1" +# ip = "127.0.0.1" +ip = "0.0.0.0" port = 9002 # Address and port where the verifier and tenant can connect to reach the agent. -@@ -22,7 +24,8 @@ contact_ip = "127.0.0.1" - contact_port = 9002 - - # The address and port of registrar server which agent communicate with +@@ -41,7 +43,8 @@ contact_port = 9002 + # To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable. + # To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment + # variable. -registrar_ip = "127.0.0.1" +# registrar_ip = "127.0.0.1" +registrar_ip = "" registrar_port = 8890 # Enable mTLS communication between agent, verifier and tenant. 
-@@ -96,7 +99,8 @@ revocation_actions_dir = "/usr/libexec/k - # Revocation IP & Port used by the agent to receive revocation - # notifications from the verifier via zeromq. - # This is optional and used only when 'enable_revocation_notifications' is 'true'. +@@ -133,7 +136,8 @@ extract_payload_zip = true + # + # To override enable_revocation_notifications, set + # KEYLIME_AGENT_ENABLE_REVOCATION_NOTIFICATIONS environment variable. +-enable_revocation_notifications = true ++# enable_revocation_notifications = true ++enable_revocation_notifications = false + + # The path to the directory containing the pre-installed revocation action + # scripts. Ideally should point to an fixed/immutable location subject to +@@ -151,7 +155,8 @@ revocation_actions_dir = "/usr/libexec/k + # KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable. + # To override revocation_notification_port, set + # KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable. -revocation_notification_ip = "127.0.0.1" +# revocation_notification_ip = "127.0.0.1" +revocation_notification_ip = "" diff --git a/rust-keylime-0.1.0+git.1672681780.762cec8.tar.xz b/rust-keylime-0.1.0+git.1672681780.762cec8.tar.xz deleted file mode 100644 index b69be0c..0000000 --- a/rust-keylime-0.1.0+git.1672681780.762cec8.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:68268240480a7dabb3475afae040ea4cf093a1e9a85333f9e72cfe32747a5402 -size 20677888 diff --git a/rust-keylime-0.1.0+git.1676549716.5382ed9.tar.xz b/rust-keylime-0.1.0+git.1676549716.5382ed9.tar.xz new file mode 100644 index 0000000..9bc71ff --- /dev/null +++ b/rust-keylime-0.1.0+git.1676549716.5382ed9.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e0e916efe0dc4e3c20e78724be16c235d0f55cdf8d42ba92d01a5c19fb5a2eb6 +size 130384 diff --git a/rust-keylime.changes b/rust-keylime.changes index 1c8f53d..e62b4d7 100644 --- a/rust-keylime.changes +++ b/rust-keylime.changes 
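Review bot: The new shipped default `++enable_revocation_notifications = false` in the nested hunk `@@ -133,7 +136,8 @@` switches off the agent's handling of revocation events pushed by the verifier, which is a security-relevant change of behaviour for every installation using the packaged config, yet neither the nested patch nor the new rust-keylime.changes entry says why it is made. It is presumably a consequence of dropping the zmq feature in the same request (the ZeroMQ listener would no longer be compiled in), but that reasoning should be recorded where an operator will find it. Suggest a changelog line such as `- keylime-agent.conf: disable revocation notifications by default, as the agent is now built without the zmq listener` and a matching `++# Disabled in this package because the agent is built without the zmq feature.` line above the new default in the nested hunk, so anyone re-enabling the option knows the build flags have to change as well.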
@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Thu Feb 16 12:51:38 UTC 2023 - aplanas@suse.com
+
+- Drop zmq from the feature set
+- Remove already merged patches:
+ * 0001-keylime-agent-remove-const_err-deny.patch
+ * 0001-Cargo.toml-tss-esapi-bindings.patch
+- Update to version 0.1.0+git.1676549716.5382ed9:
+ * Cargo: Update clap minimum version to 3.2
+ * Cargo: Update uuid minimum version to 1.3
+ * Cargo: Update tokio minimum version to 1.24 and reduce features
+ * build(deps): bump tss-esapi from 7.1.0 to 7.2.0
+ * cargo deb: include shim.py in packaging
+ * build(deps): bump thiserror from 1.0.36 to 1.0.38
+ * keylime-agent.conf: Add comments on how to override options
+ * config: Fix overriding options with env vars
+ * Add missing e2e tests and reordering tests based on alphabetical order
+ * e2e tests: Fix test name
+ * Store associated U keys, auth tags, and payloads together
+ * Refactor ZeroMQ revocation listener to not block
+ * keylime-agent: Gracefully shutdown on SIGINT
+ * Refactor async code for keys and payloads
+ * main: Move payload related functions to payloads module
+ * main: Run ZeroMQ service in a separate task
+ * Remove unused option "openstack" for obtaining uuid
+ * algorithms: fix typo
+ * clippy: fix uninlined_format_args warnings
+ * clippy: fix needless_borrow warnings
+ * crypto, mTLS: allow certificate chain for trusted_client_ca
+ * build(deps): bump base64 from 0.13.0 to 0.13.1
+ * build(deps): bump serde_json from 1.0.85 to 1.0.91
+ * build(deps): bump libc from 0.2.133 to 0.2.139
+ * build(deps): bump bumpalo from 3.11.0 to 3.12.0
+ * build(deps): bump futures from 0.3.24 to 0.3.25
+ * Cargo.toml: tss-esapi bindings
+ * packit-ci: Disable Rawhide due to agent compilation issues
+ * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598
+ * keylime-agent: remove const_err deny
+ * build(deps): bump tokio from 1.23.0 to 1.24.2
+
 -------------------------------------------------------------------
 Mon Jan 16 14:02:08 UTC 2023 - aplanas@suse.com
diff --git a/rust-keylime.spec b/rust-keylime.spec
index 9bf7d15..f09360c 100644
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@@ -25,7 +25,7 @@
 %define _config_norepl %config(noreplace)
 %endif
 Name: rust-keylime
-Version: 0.1.0+git.1672681780.762cec8
+Version: 0.1.0+git.1676549716.5382ed9
 Release: 0
 Summary: Rust implementation of the keylime agent
 License: Apache-2.0 AND MIT
@@ -38,10 +38,6 @@ Source4: keylime-user.conf
 Source5: tmpfiles.keylime
 # PATCH-FIX-OPENSUSE keylime-agent.conf.diff
 Patch1: keylime-agent.conf.diff
-# PATCH-FIX-UPSTREAM 0001-keylime-agent-remove-const_err-deny.patch gh#keylime/rust-keylime#501
-Patch2: 0001-keylime-agent-remove-const_err-deny.patch
-# PATCH-FIX-UPSTREAM 0001-Cargo.toml-tss-esapi-bindings.patch gh#keylime/rust-keylime#502
-Patch3: 0001-Cargo.toml-tss-esapi-bindings.patch
 BuildRequires: cargo-packaging
 BuildRequires: clang
 BuildRequires: firewall-macros
@@ -49,7 +45,6 @@ BuildRequires: libarchive-devel
 BuildRequires: rust
 BuildRequires: sysuser-tools
 BuildRequires: tpm2-0-tss-devel
-BuildRequires: zeromq-devel
 Requires: libtss2-tcti-device0
 Requires: logrotate
 Requires: tpm2.0-abrmd
@@ -70,18 +65,12 @@ mkdir .cargo
 cp %{SOURCE2} .cargo/config
 %build
-%{cargo_build} --no-default-features --features "with-zmq"
+%{cargo_build} --no-default-features
 %sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf
 %install
-# If https://github.com/Firstyear/cargo-packaging/pull/3 gets merged,
-# replace it with:
-#
-# #{cargo_install -p keylime-agent} --no-default-features --features "with-zmq"
-# #{cargo_install -p keylime-ima-emulator}
-
-install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_agent %{buildroot}%{_bindir}/keylime_agent
-install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_ima_emulator %{buildroot}%{_bindir}/keylime_ima_emulator
+%{cargo_install -p keylime-agent} --no-default-features
+%{cargo_install -p keylime-ima-emulator}
 install -Dpm 0600 keylime-agent.conf %{buildroot}%{_distconfdir}/keylime/agent.conf
 install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service
diff --git a/vendor.tar.xz b/vendor.tar.xz
index 3a1455c..4dba4f3 100644
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:89e4102d09cff722290c9c3e1cc18b02dd3edb7f893039b1190b41c6cb213c17
-size 26221436
+oid sha256:87478d2ed42d4b9b50c20a680c3b40fcc06dbbb8b6d9554ef9bb29d548e9073f
+size 25855860
From 34edacfab618f784a67986b55ab2148f89ec6a76c823347c282d60e0d106ed98 Mon Sep 17 00:00:00 2001 From: Alberto Planas Dominguez Date: Thu, 16 Feb 2023 15:17:36 +0000 Subject: [PATCH 2/2] Accepting request 1066198 from home:aplanas:branches:security cargo-packaging still not updated OBS-URL: https://build.opensuse.org/request/show/1066198 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=37 --- rust-keylime.spec | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/rust-keylime.spec b/rust-keylime.spec
index f09360c..fcd508e 100644
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@@ -69,8 +69,14 @@ cp %{SOURCE2} .cargo/config
 %sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf
 %install
-%{cargo_install -p keylime-agent} --no-default-features
-%{cargo_install -p keylime-ima-emulator}
+# If https://github.com/Firstyear/cargo-packaging/pull/3 gets merged,
+# replace it with:
+#
+# #{cargo_install -p keylime-agent} --no-default-features --features "with-zmq"
+# #{cargo_install -p keylime-ima-emulator}
+
+install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_agent %{buildroot}%{_bindir}/keylime_agent
+install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_ima_emulator %{buildroot}%{_bindir}/keylime_ima_emulator
 install -Dpm 0600 keylime-agent.conf %{buildroot}%{_distconfdir}/keylime/agent.conf
 install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service
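Review bot: The restored comment `+# #{cargo_install -p keylime-agent} --no-default-features --features "with-zmq"` no longer matches the build in this series, which dropped the zmq feature and now runs `%{cargo_build} --no-default-features` (patch 1, hunk `@@ -70,18 +65,12 @@`); whoever later switches to `%{cargo_install}` as the comment suggests would re-enable a feature the spec neither builds nor has a BuildRequires for, while the shipped agent.conf assumes it is absent. The comment should read `# #{cargo_install -p keylime-agent} --no-default-features` so the future install line agrees with `%build`. It would also help to state in the comment, rather than only in the commit message, that the manual `install -Dpm 0755` lines are kept because the packaged cargo-packaging presumably does not yet include that pull request.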