8e648f7c62
- Use tmpfiles.d for /var directories (PED-14736) - Update to version 0.2.8+96: * build(deps): bump wiremock from 0.6.4 to 0.6.5 * build(deps): bump actions/checkout from 5 to 6 * build(deps): bump chrono from 0.4.41 to 0.4.42 * packit: Get coverage from Fedora 43 runs * Fix issues pointed out by clippy * Replace mutex unwraps with proper error handling in TPM library * Remove unused session request methods from StructureFiller * Fix config panic on missing ek_handle in push model agent * build(deps): bump tempfile from 3.21.0 to 3.23.0 * build(deps): bump actions/upload-artifact from 4 to 6 (#1163) * Fix clippy warnings project-wide * Add KEYLIME_DIR support for verifier TLS certificates in push model agent * Thread privileged resources and use MeasurementList for IMA reading * Add privileged resource initialization and privilege dropping to push model agent * Fix privilege dropping order in run_as() * add documentation on FQDN hostnames * Remove confusing logs for push mode agent * Set correct default Verifier port (8891->8881) (#1159) * Add verifier_url to reference configuration file (#1158) * Add TLS support for Registrar communication (#1139) * Fix agent handling of 403 registration responses (#1154) * Add minor README.md rephrasing (#1151) * build(deps): bump actions/checkout from 5 to 6 (#1153) * ci: update spec files for packit COPR build * docs: improve challenge encoding and async TPM documentation * refactor: improve middleware and error handling * feat: add authentication client with middleware integration * docker: Include keylime_push_model_agent binary * Include attestation_interval configuration (#1146) * Persist payload keys to avoid attestation failure on restart * crypto: Implement the load or generate pattern for keys * Use simple algorithm specifiers in certification_keys object (#1140) * tests: Enable more tests in CI * Fix RSA2048 algorithm reporting in keylime agent * Remove disabled_signing_algorithms configuration * rpm: Fix metadata patches to apply to current code * workflows/rpm.yml: Use more strict patching * build(deps): bump uuid from 1.17.0 to 1.18.1 * Fix ECC algorithm selection and reporting for keylime agent * Improve logging consistency and coherency * Implement minimal RFC compliance for Location header and URI parsing (#1125) * Use separate keys for payload mechanism and mTLS * docker: update rust to 1.81 for distroless Dockerfile * Ensure UEFI log capabilities are set to false * build(deps): bump http from 1.1.0 to 1.3.1 * build(deps): bump log from 0.4.27 to 0.4.28 * build(deps): bump cfg-if from 1.0.1 to 1.0.3 * build(deps): bump actix-rt from 2.10.0 to 2.11.0 * build(deps): bump async-trait from 0.1.88 to 0.1.89 * build(deps): bump trybuild from 1.0.105 to 1.0.110 * Accept evidence handling structures null entries * workflows: Add test to check if RPM patches still apply * CI: Enable test add-agent-with-malformed-ek-cert * config: Fix singleton tests * FSM: Remove needless lifetime annotations (#1105) * rpm: Do not remove wiremock which is now available in Fedora * Use latest Fedora httpdate version (1.0.3) * Enhance coverage with parse_retry_after test * Fix issues reported by CI regarding unwrap() calls * Reuse max retries indicated to the ResilientClient * Include limit of retries to 5 for Retry-After * Add policy to handle Retry-After response headers * build(deps): bump wiremock from 0.6.3 to 0.6.4 * build(deps): bump serde_json from 1.0.140 to 1.0.143 * build(deps): bump pest_derive from 2.8.0 to 2.8.1 * build(deps): bump syn from 2.0.90 to 2.0.106 * build(deps): bump tempfile from 3.20.0 to 3.21.0 * build(deps): bump thiserror from 2.0.12 to 2.0.16 * rpm: Fix patches to apply to current master code * build(deps): bump anyhow from 1.0.98 to 1.0.99 * state_machine: Automatically clean config override during tests * config: Implement singleton and factory pattern * testing: Support overriding configuration during tests * feat: implement standalone challenge-response authentication module * structures: rename session structs for clarity and fix typos * tpm: refactor certify_credential_with_iak() into a more generic function * Add Push Model Agent Mermaid FSM chart (#1095) * Add state to avoid exiting on wrong attestation (#1093) * Add 6 alphanumeric lowercase X-Request-ID header * Enhance Evidence Handling response parsing * build(deps): bump quote from 1.0.35 to 1.0.40 * build(deps): bump libc from 0.2.172 to 0.2.175 * build(deps): bump glob from 0.3.2 to 0.3.3 * build(deps): bump actix-web from 4.10.2 to 4.11.0
Alberto Planas Dominguez2026-01-07 20:22:10 +00:00
219187e48a
Accepting request 1300481 from security
Ana Guerrero2025-08-21 14:53:47 +00:00
3b82c2e154
- Update vendored crates (bsc#1248006, CVE-2025-55159) * slab 0.4.11 - Add Cargo_lock.patch patch to update slab and other dependencies - Update to version 0.2.8+12: * build(deps): bump actions/checkout from 4 to 5 * build(deps): bump cfg-if from 1.0.0 to 1.0.1 * build(deps): bump openssl from 0.10.72 to 0.10.73 * build(deps): bump clap from 4.5.39 to 4.5.45 * build(deps): bump pest from 2.8.0 to 2.8.1 * Fix clippy warnings * Use verifier-provided interval for continuous attestation timing * Add meta object with seconds_to_next_attestation to evidence response * Fix boot time retrieval * Fix IMA log format (it must be ['text/plain']) (#1073) * Remove unnecessary configuration fields * cargo: Bump retry-policies to version 0.4.0 * Bump version to 0.2.8
Alberto Planas Dominguez2025-08-20 10:28:22 +00:00
9c0fe162de
- Update vendored crates (bsc#1247193, CVE-2025-58266) * shlex 1.3.0 - Rebase keylime-agent.conf.diff for current configuration - Drop Cargo_lock.patch patch, already present in Cargo.lock - Update to version 0.2.7+141: * service: Use WantedBy=multi-user.target * rpm: Add subpackage for push-attestation agent * push-model: implement continuous attestation with configurable intervals * Retry registration forever in the state machine * Add Verifier URL to configuration * Align exp.backoff to current configuration format * Increase coverage of state machine (using Context) * Increase coverage of struct_filler.rs * Groom code (remove dead code) * Fix exponential backoff (10secs, 4xx accepted) * test: Add documentation test to tests/run.sh * tpm: Avoid running code example during documentation tests * state_machine: Always start the agent from the Unregistered state * Add fixes for the URL construction * Refactor evidences collection in push attestation agent * push-model: refactor attestation logic into a state machine * Fix body sending by allowing serializing strings (#1057) * Log ResilientClient errors/response status codes (#1055) * Add AK signing scheme and hash algorithm to negotiation * tpm: Add method to extract signing scheme and hash algorithm from AK * Allow custom content-type/accept headers * Integrate exponential backoff to registration (#1052) * keylime/structures: Rename ShaValues to PcrBanks * Add resilient_client for exponential backoff (#1048)
Alberto Planas Dominguez2025-08-07 12:43:55 +00:00
bab9b48ae1
- Update vendored crates (bsc#1242623, CVE-2025-3416) * openssl 0.10.73 - Update to version 0.2.7+117: * Increase coverage in evidence handling structure * Add Capabilities Negotiations resp. missing fields * Fix UEFI test to check file access in all cases * context_info_handler: Do not assume /var/lib/keylime exists * Fix clippy warnings about uninlined format arguments * attestation: Allow unwrap() in tests * Increase coverage (groom code, extend unit tests) * Include IMA/UEFI logs in Evidence Handling request * Include method to get all IMA entries as string * Send correct list of pcr banks and sign algorithms * Try to fix TPM tests related issues * Define attestation perform asynchronous * Perform attestation in push model agent binary * Refactor code to use new attestation.rs * Create attestation.rs for Attestation stuff * Move ContextInfo management to its own handler * Adjust context_info.rs after rebase * Add attestation function to ContextInfo structure * Add prohibited signing algorithms, avoid ecschnorr * keylime/config: Use macro to implement PushModelConfigTrait * Introduce keylime-macros and define_view_trait * config: Remove KeylimeConfig structure * config: Remove unnecessary options and lazy initialization * Fix pcr_bank function to send all possible slots * Send Content-Type:application/json on request (#1039) * Send correct 'key_algorithm' in certification_keys (#1035) * Push Model: Persist Attestation Key to file * Add Keylime push model binary to root GNUmakefile * Use singleton to avoid multiple Context allocation * tests: Do not assume /var/lib/keylime exists (#1030) * lib/cert: Fix race condition due to use of same file path * payloads: Fix race condition in tests * Add uefi_log_handler.rs to parse UEFI binary * Use IMA log parser to send correct entry count * Add IMA log parser * build(deps): bump once_cell from 1.19.0 to 1.21.3 * lib/config/base.rs: Add more unit tests * lib/permissions: Add unit tests * keylime-agent: move JsonWrapper from common.rs to the library * lib/agent_data: Move agent_data related tests from common * common: Replace APIVersion with the library Version structure * keylime_agent: Move secure_mount.rs to the library * lib: Rename keylime_error.rs as error.rs * config: Move config to keylime library * config: Rename push_model_config to push_model * lib: Move permissions.rs from keylime-agent to the lib * Extract Capabilities Negotiation info from TPM (#1014)
Alberto Planas Dominguez2025-07-14 13:25:21 +00:00
16a95103b3
Accepting request 1285370 from security
Ana Guerrero2025-06-13 16:44:25 +00:00
20e305cf12
Accepting request 1283647 from security
Ana Guerrero2025-06-10 06:59:29 +00:00
9fa5dca9cc
- Update vendored crates (bsc#1243861, CVE-2024-12224) * idna 1.0.3 - Add Cargo_lock.patch to adjust versions that will allow the compilation of mbox crate - Update to version 0.2.7+70: * build(deps): bump wiremock from 0.6.2 to 0.6.3 * build(deps): bump uuid from 1.16.0 to 1.17.0 * lib: Introduce AgentIdentity structure * gitignore: Add *.swp and *.orig to be ignored * build(deps): bump clap from 4.5.38 to 4.5.39 * build(deps): bump tokio from 1.45.0 to 1.45.1 * Unify Push Model structures time formats to UTC (#1016) * Add Quote related structures to Keylime library * Remove configuration file trailing whitespaces (#1012) * keylime-agent.conf: add all accepted TPM encryption algs * tpm: add policy auth for EK to activate crendential * Enable non standard key sizes and curves for EK and AK * config: Use next_back() instead of last() for iterators * Update to tss-esapi v7.6.0 * Avoid duplicated call to ctx.create_ek * build(deps): bump clap from 4.5.23 to 4.5.38 * Add registration for Push Model client * build(deps): bump tokio from 1.44.2 to 1.45.0 * build(deps): bump chrono from 0.4.40 to 0.4.41 * build(deps): bump tempfile from 3.17.1 to 3.20.0 * Refactor code: move error, registration to lib * Move structure filling and URL selection code (#999) * build(deps): bump pest_derive from 2.7.15 to 2.8.0 * build(deps): bump pest from 2.7.15 to 2.8.0 * build(deps): bump libc from 0.2.169 to 0.2.172 * Add Evidence/Authentication messages to prototype * build(deps): bump uuid from 1.15.1 to 1.16.0 * build(deps): bump thiserror from 2.0.11 to 2.0.12 * build(deps): bump signal-hook from 0.3.17 to 0.3.18 * build(deps): bump log from 0.4.25 to 0.4.27 * build(deps): bump assert_cmd from 2.0.16 to 2.0.17 * build(deps): bump actix-web from 4.9.0 to 4.10.2 * build(deps): bump reqwest from 0.12.12 to 0.12.15 * build(deps): bump serde from 1.0.217 to 1.0.219 * Add unit tests for sessions.rs structures * Add auth(sessions) structures * Fix minor README.md issue (#988) * Define EvidenceHandling structures (#971) * Add mockoon test scenario * Add client certificates to push-attestation prototype * Cargo: bump url crate to version 2.5.4 * Add logging to the push attestation prototype * Do not use certificate on insecure mode * common: Move the EncryptedData structure from common to the library * common: Move AuthTag from common to the library * build(deps): bump openssl from 0.10.71 to 0.10.72 * common: Move Symmkey to library as crypto::symmkey * common: Remove unused constants and static values * build(deps): bump tokio from 1.43.0 to 1.44.2 * Refactor code: Include AgentIdentity structure * Push model prototype * Add support for ek certificate chain, stored in TPM NVRAM. * Recover key_class field and set it as "asymmetric" * Update push model structures to latest values * build(deps): bump serde_json from 1.0.138 to 1.0.140 * packit: Add identifier for each copr_build job * keylime-agent.conf: only mention ecdsa and rsassa for signing * build(deps): bump openssl from 0.10.70 to 0.10.71 * build(deps): bump uuid from 1.13.2 to 1.15.1 * Add capabilities_negotiation structures * packit: Add compatibility/api_version_compatibility test * build(deps): bump uuid from 1.11.0 to 1.13.2 * build(deps): bump serde_json from 1.0.135 to 1.0.138 * build(deps): bump thiserror from 2.0.9 to 2.0.11 * build(deps): bump tempfile from 3.14.0 to 3.17.1 * Allow agent to start as non-root * scripts: Fix coverage information downloading script * build(deps): bump openssl from 0.10.68 to 0.10.70 * build(deps): bump tokio from 1.42.0 to 1.43.0
Alberto Planas Dominguez2025-06-06 12:03:07 +00:00
c1a016424c
Accepting request 1240482 from security
Ana Guerrero2025-01-28 13:58:26 +00:00
bb63965416
- Update to version 0.2.7+1: * dist: Enable logging for keylime library in the service * Bump version to 0.2.7 * scripts: Download coverage data from Testing Farm directly * main: Remove unnecessary lifetime * cargo: Bump pretty_env_logger to version 0.5.0 * scripts: Fix regex in download_packit_coverage.sh * cargo: Bump clap crate to version 4.5.23 * cargo: Bump base64 crate to version 0.22.1 * build(deps): bump log from 0.4.22 to 0.4.25 * build(deps): bump serde_json from 1.0.133 to 1.0.135 * cargo: Bump tokio crate to version 1.42.0 * packit: Fix RPM builds on copr * cargo: Bump thiserror crate to version 0.2.9 * cargo: Update reqwest to version 0.12.12 * build(deps): bump libc from 0.2.168 to 0.2.169 * build(deps): bump glob from 0.3.1 to 0.3.2 * version: Implement API version validation and ordering * main: Support using multiple API versions for registration * keylime: Introduce the registrar_client module * Provide endpoints under multiple API versions * Move 'serialization' module to the keylime library * Drop unnecessary dependency on common::API_VERSION * keylime-agent.conf: Bump version to 2.3 * build(deps): bump serde from 1.0.210 to 1.0.217 * build(deps): bump pest_derive from 2.7.14 to 2.7.15 * build(deps): bump pest from 2.7.14 to 2.7.15 * build(deps): bump libc from 0.2.167 to 0.2.168 * config: Make IAK and IDevID certificates optional * Fix warnings reported by clippy * workflows: Run job in the CI container directly * tests: Add unit test for device ID builder * main: Move IAK/IDevID related code to dedicated module * tests: Add script to generate IAK and IDevID certificates * build(deps): bump openssl from 0.10.66 to 0.10.68 * build(deps): bump uuid from 1.10.0 to 1.11.0 * build(deps): bump serde_json from 1.0.128 to 1.0.133 * build(deps): bump actix-web from 4.5.1 to 4.9.0 * build(deps): bump reqwest from 0.12.7 to 0.12.9 * tests/setup_swtpm.sh: Add script to setup temporary TPM * Use a single TPM context and avoid race conditions during tests * config: Enable passing a hostname instead of IP * build(deps): bump clap from 4.3.11 to 4.5.21 * build(deps): bump tempfile from 3.10.1 to 3.14.0 * build(deps): bump pest_derive from 2.7.6 to 2.7.14 * build(deps): bump pest from 2.7.6 to 2.7.14 * build(deps): bump codecov/codecov-action from 4 to 5 * workflows: Submit the coverage for merged PR from Fedora 41 * tests: Use Fedora 41 to generate code coverage * api: Make API configuration modular * agent_handler: Move the /agent scope configuration * notifications_handler: Move the /notifications scope configuration * quotes_handler: Move the /quotes scope configuration to quotes_handler * keys_handler: Move /keys scope configuration to keys_handler * Use ${DESTDIR} for config * Fix showing wrong UUID * build(deps): bump actix-rt from 2.9.0 to 2.10.0 * config: Refactor AgentConfig Source trait implementation * build(deps): bump log from 0.4.21 to 0.4.22 * build(deps): bump serde_json from 1.0.120 to 1.0.128 * tpm: check if EK certificate has valid ASN.1 DER encoding * build(deps): bump futures from 0.3.27 to 0.3.31 * cargo: Bump reqwest to version 0.12.7 * build(deps): bump serde from 1.0.203 to 1.0.210 * tests: Add more tests to Packit CI * build(deps): bump docker/build-push-action from 5 to 6 * tests: apply workarounds to known bugs
Alberto Planas Dominguez2025-01-27 09:54:47 +00:00
Ana Guerrero
Alberto Planas
Dominique Leuenberger
Marcus Meissner
Richard Brown