rpm/keylime
SHA256
1
0
Fork 0
forked from pool/keylime
Code Pull Requests Activity
111 Commits 2 Branches 0 Tags
factory
Commit Graph

5 Commits

Author SHA256 Message Date
Alberto Planas Dominguez
436587cab6 Accepting request 1180844 from home:aplanas:branches:security 
- Update to version v7.11.0:
  * "Monthly" Release (7.11.0)
  * template mapping change for persisted idevids
  * add config options for the persisted idevid and iak handles and passwords
  * templates: Restore the default values
  * templates: Add version 2.3
  * convert_config: Use the latest default value for --default
  * Add new /verify/identity API
  * PSS padding fix - salt length changed to byte length of digest from length of signature
  * sign_runtime_policy: Display error message if non-EC key is provided
  * packit: enable /regression/CVE-2023-3674 (suggested by Karel Srot)
  * Fix durable attestation in absence of mb_policy
  * tests: Fix coverage download by supporting new webdrives
  * templates: verifier: Add require_allow_list_signatures to config file
  * runtime policy: Raise error on missing key if signature required
  * runtime policy: Raise error on unsigned policy if signature required
  * dsse: Remove unused type: ignore comment (mypy)

OBS-URL: https://build.opensuse.org/request/show/1180844
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=95
 2024-06-14 08:16:19 +00:00
Alberto Planas Dominguez
3cf6b07e2d Accepting request 1142946 from home:aplanas:branches:security 
- Update to version v7.9.0:
  * templates: Add version 2.2, with event log location options
  * Monthly release (7.9.0)
  * update roadmap for 2024
  * Extended the length of `verifier_ip` column to String(255)
  * mba/e/elchecking: add workaround for non spec compliant firmware
  * mba/e/example: ignore EV_CPU_MICROCODE, EV_EFI_HANDOFF_TABLES2 and MokListRT
  * mba/e/example: Allow db entries to be also hashes
  * mba/elchecking: load imports first
  * codestyle: Have pyright ignore ffi.NULL
  * codestyle: Use cast() to set type after splitlines()
  * codestyle: Replace _ with variable name in abstract method (pyright)
  * codestyle: Address some issues detected by pyright
  * codestyle: Remove a 'type: ignore' comment (mypy)
  * detect template changes - docs
  * detect template changes - mappings
  * Tests: Switch code coverage measurement to Fedora 39
  * Correcting paths in userguide documentation
  * docs: fix conf.py
  * Add build os and python version to readthedocs
  * Fix readthedocs config file location
  * docs: add additional reading section
- Update to version v7.8.0:
  * Monthly release (7.8.0)
  * address marcio and stefan comments
  * Add documentation for IAK and IDevID
  * templates/2.1: Fix enable_iak_idevid in agent template
  * support for user mode in run-test.sh
  * docs: fix small typo in threat model
  * ca_impl_openssl: support CRL distribution point from config
  * ca_util: add import functions for private keys
  * Enable test functional/iak-idevid-register-with-certificates
  * Replace mailing list address with Slack channel
  * docs: Add configuration documentation
  * tests: Add tests for exception cases in configuration update
  * tests: Add test for update mapping corner cases
  * convert_config: Add support for update mappings
  * convert_config: Do not require keylime modules
  * convert_config: Make the config upgrade less verbose
  * ima: Report an error if no quote forward-progress was made
  * codestyle: Modify list generator to avoid annotation issue (pyright)
  * codestyle: Remove unnecessary type check ignore statement (mypy)
  * codestyle: Add missing type parameter to generic type 'Pattern' (mypy)
  * Update packit plan with new tests
  * Fix typo in Secure Payloads docs
  * incorrect boolean expression causing ECs to be disallowed
  * codestyle: Create explicit sighandler with type annotation (pyright)
  * cert_utils: Ignore malformed certificate files
  * unit test for cert utils
  * Add certificates and certificate checking for IDevID and IAK keys

OBS-URL: https://build.opensuse.org/request/show/1142946
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=91
 2024-01-31 09:14:50 +00:00
Alberto Planas Dominguez
efbdfc71a6 Accepting request 1105559 from home:aplanas:branches:security 
- Update to version v7.5.0 (CVE-2023-38201, bsc#1213314):
  * Monthly release (7.5.0)
  * Fix for CVE-2023-38201 (Security Advisory GHSA-f4r5-q63f-gcww)
  * verifier: should read parameters from verifier.conf only
  * tests: Correctly configure kernel IMA
  * Handle session close using a session manager
  * requirements.txt: update the need sqlalchemy version to 1.3.12 and above.
  * elchecking/example: add ignores for EV_PLATFORM_CONFIG_FLAGS
  * tpm_cert_store: add the Alibaba Cloud vTPM EK x509 cert
  * installer.sh: use the -i parameter to set the default binding and listening IP about the agent, verifier, and registrar server is 127.0.0.1  or 0.0.0.0
  * installer.sh: remove the unused command line params
  * Update container build workflow actions
  * mba: Manage the number of times measure boot attestation is done.
  * codestyle: Fix access to possibly not available package 'rpm' (pyright)
  * templates/2.0/mapping.json: fix the default registrar_port error in the verifier config

OBS-URL: https://build.opensuse.org/request/show/1105559
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=84
 2023-08-24 07:42:27 +00:00
Alberto Planas Dominguez
923da6e3ba Accepting request 1060357 from home:aplanas:branches:security 
- Update to version v6.5.3:
  * Bump version number to 6.5.3
  * durable attestation: a simple "attestation replay" CLI utility
  * cmd_exec: Replace cast()s to bytes with asserts isinstance(..., bytes)
  * codestyle: Add type annotations to db/keylime_db.py and add to mypy
  * codestyle: Add type annotations to requests_client.py and add to mypy
  * codestyle: Add type annotations to tornado_requests.py and add to mypy
  * mypy: Change list of checked files to shorter list of unchecked files
  * codestyle: Add missing annotations to cmd_exec.py and add to mypy
  * codestyle: Have all files in ima directory checked by mypy
  * pylint: ignore zmq Context abstract-class-instantiated warnings
  * tenant: reliable and consistent add/delete operations (fixes #1158) (#1271)
  * tenant: fix the exit code for `bulkinfo` operation
  * config: support override via environment variables
  * Extend test execution instructions in TESTING.md
  * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598
  * tenant: Remove code hashing a public key and using hash as UUID
  * linters: Exclude intentionally invalid python file
  * config: Check for available config upgrade on startup
  * Do not install keylime nor configuration files during tests
  * .ci/test_wrapper: Add test user keylime:tss
  * config: Support quoted strings for TOML compatibility
  * gitignore: Do not use 'config' as a match pattern
  * tests: Add test for convert_config script
  * convert_config: Set version for each mapping processed
  * cmd/convert_config: Remove quotes and spaces around version string
  * convert_config: Set default output path as /etc/keylime for root
  * convert_config: Do not use keys() to iterate on maps
  * Install config upgrade script as keylime_upgrade_config
  * templates: Remove log_destination option
  * Fix default values in mappings
  * Correctly strip elements of a list on config v2.0 adjust script
  * setup: Don't use keylime.conf to generate the split configuration
  * convert_config: Add --defaults option to use default values
  * convert_config: Use str_to_version from common module
  * Add keylime/common/version.py for version manipulation
  * elchecking: load policy modules explicitly
  * Revert "tpm_abstract: move import of measured_boot into check_pcrs(..)"
  * codestyle: Add type-annotations to cli/policies.py and add to mypy
  * codestyle: Add type-annotations to cli/options.py and add to mypy
  * Introduce a RetDictType for return type of cmd_exec.run()
  * requirements, docs: add typing-extensions as a dependency
  * ima_dm: add type checks and hints
  * Switch code coverage measurement to Fedora 37
  * codestyle: Fix annotation of mb_measurement_data
  * ima: Fix the ima_sign_verification_keys initial datatype
  * elchecking: add support for MeasuredBoot when SecureBoot is disabled
  * verifier: a (very simple) cache implementation for IMA policies (solves #1167)
  * codestyle: Add type annotations to cmd/convert_ima_policy.py and add to mypy
  * codestyle: Add type annotations to cmd/ima_emulator_adapter.py and add to mypy
  * codestyle: Add type annotations to cmd/user_data_encrypt.py and add to mypy
  * codestyle: Add type annotations to cmd/verifier.py and add to mypy
  * codestyle: Add type annotations to cmd/tenant.py and add to mypy
  * codestyle: Add type annotations to cmd/registrar.py and add to mypy
  * codestyle: Add type annotations to cmd/ca.py and add to mypy
  * codestyle: Add type annotations to cmd/agent.py and add to mypy
  * CI tests: Do not remove Fedora tag repository
  * tpm_abstract: move import of measured_boot into check_pcrs(..)
  * docker: fix and improve build_locally.sh
  * docker: use version 5.4 of tpm2-tools
  * docker: update container to Fedora 37
  * codestyle: Type-annotate files in revocation_actions & add to mypy
  * Remove redundant parameter from enforce_pcrs()
  * codestyle: Add missing type annotations to files in common & add to mypy
  * api_version: Catch InvalidVersion for packaging v22.0
  * verifier: fix for IMA policy checksum calculation
  * codestyle: Type-annotate measured_boot.py and add to mypy
  * codestyle: Fix variable assigments in tpm2_object_test.py and add to mypy
  * codestyle: Fix and add type annotations to tpm2_objects.py and add to mypy
  * codestyle: Cast the agent Dict to allow Any types to be assigned to it
  * codestyle: Change verifier_port annotation from int to str
  * codestyle: Avoid switching datatypes of agent by using differnt variable
  * codestyle: Fix event parameter to be an Optional[Event]
  * codestyle: Fix annotation of tosend parameter to be a Dict[str, Any]
  * codestyle: add type hints to elchecking module
  * codestyle: Type-annotate web_util.py and add to mypy
  * codestyle: Add missing type annotations to ima.py and add to mypy
  * codestyle: Add missing type annotations to ima_test.py and add to mypy
  * codestyle: Add missing type annotations to file_signatures.py and add to mypy
  * logging: remove option to log into separate file
  * codestyle: Add type annotations to tpm classes and address issues
  * codestyle: Add type-annotations to signing.py and add to mypy
  * codestyle: Add missing type annotations to api_version.py and add to mypy
  * codestyle: Add keylime_logging.py to mypy
  * codestyle: Add missing type-annotations to agentstates and add to mypy
  * codestyle: Add missing type annotations to failure.py and add to mypy
  * codestyle: Type-annotate user_utils_test.py and add to mypy
  * codestyle: Type-annotate user_utils.py and add to mypy
  * codestyle: Type-annotate ca_util.py and add to mypy
  * codestyle: Add missing annotations to cert_utils and add to mypy
  * codestyle: Type-annotate ca_impl_openssl and add to mypy
  * codestyle: Type-annotate tpm_ek_ca.py and add to mypy
  * codestyle: Type-annotate fs_util.py and add to mypy
  * codestyle: Add json.py to mypy.ini
  * codestyle: Type-annotate secure_mount.py and add to mypy
  * codestyle: Add missing annotations to crypto.py and add to mypy
  * common: remove metrics
  * cmd: removal of keylime_migrations_apply
  * codestyle: Set type of trusted_server_ca to List[str] and initialize with list
  * codestyle: Avoid switching of type of trusted_ca by using another variable
  * codestyle: Enable test_tpm.py to be type-checked by pyright
  * codestyle: Fix an issue detected by pyright in test_ca_impl_openssl
  * codestyle: Fix typo in annotation
  * codestyle: Relax some parameter type requirements due to test case
  * codestyle: Fix an issue detected by pyright in test_ca_util.py
  * ci: add mypy to CI
  * config: add missing type hints
  * ima/ast: add missing type hints
  * json: allow ignore comment to be parsed by mypy
  * tox: add mypy support
  * tox: Add test directory to black and isort tools' command line
  * codestyle: Add type annotations to test_ima_verification.py and fix issues
  * codestyle: Add type annotations to test_validators and fix issues
  * codestyle: Add type annotations to test_crypto.py
  * tpm: Replace assert with Exception
  * Fix incorrect generators in converted IMA policies (#1223)
  * ima: Remove dead m2w function parameter
  * ima: Remove 'main' function from ima.py
  * codestyle: Add type annotations to cmd_exec.py
  * tpm: Type-annotate tools_version and avoid switching data types
  * codestyle: cmd: Type annotation ima_emulator_adapter.py
  * codestyle: Add type annotations to various low-level functions
  * pyproject: Add test directory for pyright and exclude some tests
  * verifier: Calculates the checksum for the whole IMA policy on the verifier #1198
  * codestyle: Add type annotations to crypto.py and address issues
  * codestyle: Do not assign function parameter a new value in function
  * codestyle: Avoid switching type of ek_handle from 'str' to int
  * codestyle: Avoid switching type of pcrs variable from List[str] to dict
  * codestyle: Avoid switching type of tpm_policy from possible 'str' to dict
  * codestyle: Drop re.Pattern annotation due to pyright on python 3.6
  * codestyle: Add missing type annotations to ima/ima.py and address issues
  * ima: Always set algorithm in Digest class and require a string
  * codestyle: Add type annotations to various files
  * config: remove fallback config
  * codestyle: Add missing type annotations to agentstates.py
  * pyright: Fix a pyright issue in ca_impl_openssl
  * cleaning up pyproject.toml
  * fixing type issue
  * tests: Switch to sha256 hashes for signatures
  * The verifier can selectively load only a subset of columns from the `allowlist` table.
  * pyright: Enable pyright on cmd/ima_emulator_adapter.py
  * pyright: Add type annotations to cmd/convert_ima_policy.py
  * pyright: Add type annotations to ima/file_signatures.py
  * ima: Raise ValueError on unsupported key types
  * pyright: Fix issue in keylime/revocation_notifier.py
  * pyright: Fix issue in keylime/da/record.py
  * pyright: Fix issues in keylime/ima/file_signatures.py
  * pyright: Fix issue in keylime/json.py
  * code-style: Make tox less verbose when running check tools
  * code-style: Run isort as part of 'make check'
  * code-style: Run black --diff as part of 'make check'
  * pyright: Run pyright as part of 'make check'
  * pyright: Fix an issue in ima/ima.py
  * removing unnecessary entry from pyright ignore list
  * addressing type issues related to IMA
  * algorithms: simplify the Hash class
  * CI/CD: Run pyright as part of PRs
  * pyproject: Filter-out files with warnings in pyright
  * Some fixes to validate_ima_policy_data (#1192)
  * common: Raise ValueError in Hash constructor if hash not supported
  * common: Add a test case for testing the Hash class
  * ima: this PR adds checksums for allowlists as a separate column on the DB
  * requirements.txt, docs: add gpg package and sync list in docs
  * codestyle: Add codestyle checking for script/create_policy
  * scripts: Fix pylint issue W1514 in scripts/create_policy
  * scripts: Fix pylint issue C0209 in scripts/create_policy
  * codestyle: Add codestyle checking for all .py files under scripts/
  * scripts: Fix pylint issue W0612 in scripts/templates/2.0/adjust.py
  * scripts: Fix pylint issue W0613 in scripts/templates/2.0/adjust.py
  * scripts: Fix pylint issue C0201 in scripts/templates/2.0/adjust.py
  * scripts: Fix pylint issue W1309 in scripts/templates/2.0/adjust.py
  * scripts: Fix pylint issue W0707 in scripts/convert_config.py
  * scripts: Fix pylint issue W1514 in scripts/convert_config.py
  * scripts: Fix pylint issue W0621 in scripts/convert_config.py
  * scripts: Fix pylint issue W0105 in scripts/convert_config.py
  * scripts: Fix pylint issue W1309 in scripts/convert_config.py
  * scripts: Fix pylint issue W0611 in scripts/convert_config.py
  * scripts: Fix pylin R1705 in scipts/convert_config.py
  * common: Remove redundant return parameter from validate_ima_policy_data
  * common: Remove redundant return parameter from valid_exclude_list
  * common: Remove redundant return parameter from valid_regex
  * Do not use default values that need reading the config in methods
  * non-obvious type fixes not concerning IMA (#1173)
  * da: This commit implements most of the changes for #73 "Durable (Offline) Attestation". (#1129)
  * verifier: Do not access agent["tpm_clockinfo"] if value is 'None'
  * Enable e2e test functional/tpm-issuer-cert-using-ecc
  * tpm_main: fix ek creation for tpm2-tools versions > 4.2

OBS-URL: https://build.opensuse.org/request/show/1060357
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=61
 2023-01-23 08:58:55 +00:00
Alberto Planas Dominguez
ecc1d180d7 Accepting request 1006458 from home:aplanas:branches:security 
- Remove keylime.conf.diff patch.  Now the configuration file is
  generated during build time
- The "config" subpackage shared only the logger configuration file
- New "tenant" subpackage for the Tenant command line tool
- Drop webapp service port in firewall XML service file
- Update to version v6.5.0:
  * Bump up versions to 6.5.0
  * Enable testing of Rust agent as well as Python by default
  * New readthedocs location for keylime
  * test_restful: Add test for /keys/verify endpoint to rust tests
  * test_restful: Fix testing with rust agent
  * run_tests: Install rust agent when RUST_TEST is defined
  * A fix for "per-agent verifier-issued epoch timestamp"
  * Move SQLite ref integrity pragma to keylime_db
  * Separate CA key store password from server key password
  * Generate missing key and certificates
  * verifier: Add a configuration option to set timeouts
  * config: Change default value for getfloat() to -1.0
  * tenant: Add request_timeout configuration option
  * tpm_main: Move agent specific initialization to tpm_init()
  * failure: Do not read the verifier config on load
  * logging, verifier: Read configuration only when needed
  * tpm_ek_ca: Access tenant config file when needed
  * tpm_main: Only access agent configuration if needed
  * keylime_agent: Use a single tpm instance
  * config: Evaluate snippets in /usr/etc/keylime before /etc/keylime
  * Remove ignore_hostname argument from RequestsClient() calls
  * requests_client: Ignore hostname verification by default
  * web_util: Remove unneeded checks for absolute paths before joining
  * requests_client: remove RequestClient class variables
  * elchecking/policies: Use config.getlist() for measured_boot_imports
  * mappings: Add back missing option measured_boot_imports to verifier config
  * verifier: Fail earlier if mTLS cert is missing when required
  * crypto: Replace if block with conditional argument passing
  * config: Drop unused getdict()
  * config: Use python generator to strip strings in the list
  * verifier: Drop 'cloud' from 'cloudverifier_' variables
  * verifier: Always generate TLS context to contact the agent
  * ca_util: Replace if block with conditional argument
  * Drop broken auto-ipsec demos
  * tenant: Do not disable TLS when enable_agent_mtls = False
  * test_config: Reload configuration on tearDown
  * Change the meaning of trusted_client_ca=default for the agent
  * Install configuration files in test scripts
  * Add jinja2 as requirement for building and testing
  * tenant: Fix mention to old configuration section
  * tenant, verifier: Fix mTLS disablement
  * tenant: Do not try to verify EK cert when not required
  * Adjust test_restful to use the new configuration file
  * ima: Do not try to read excludelist if it is None
  * tenant: Use empty tpm_policy by default
  * Read measured boot configuration when needed
  * Add support for password encrypted keys
  * Change owner of config files and fix sed command in services installer
  * installer: Build and install split configuration files
  * Fix configuration unit tests
  * Remove trailing and leading white spaces in config.get_list()
  * Make changes to use the new configuration files
  * Add script to convert old config to new config
  * Ignore false positive for lints
  * Implement additional test to cover in-use deletion case
  * Enable referential integrity for foreign keys in Keylime DB
  * Prevent deletion of in-use allowlists via tenant + better error handling
  * Fixes #1046 by explicitly and carefully dealing with a corner case.
  * Fixes #1072 by explicitly and carefully dealing with yet another corner case.
  * Define context agent due to keylime-tests PR#193
  * Adds two small utilities which are used by "Offline Attestation" (enhancement #73)
  * This commit solves #1091 by adding a per-agent verifier-issued epoch timestamp
  * Remove keylime-bot
  * Verifier log message improvements for large-scale testing.
  * Bump version to 6.4.3
  * KEYLIME_DIR should not be clobbered in TEST_MODE
  * registrar: parse EK cert with pyasn1
  * Reject invalid hash algorithms passed as arguments
  * Treat tpm_cert_store as absolute path
  * Fix for cloudverifier_tornado: 408 ('timeout') errors are retried instead of causing immediate attestation failure
  * Typo fix: the two certificates got copied over each other during the openssl process by mistake.
  * I downloaded the certs from here:
  * Remove cryptodome.py from keylime
  * Refactor allowlist handling on verifier to prevent premature DB writes
  * With this change, the `verifier` will now use the `tpm2_print` command to extract clock information from the quote. It will then uses this information to make decisions about the attestation of the agent (i.e., the quote timestamp has to monotonically grow in a TPM which wasn't restarted/reset). In order to make this comparison the clock information from the previous quote is stored on the database and then both timestamps are compared.
  * tpm_ek_ca: remove atmel keys
  * Throw an error if --exclude is used without --allowlist
  * Complete implementation of the Allowlists API
  * readme: minor fixes
  * Handle output file and algo validation errors
  * Fixes #1063 in a minimalistic way, by making log output configurable
  * Fix spacing
  * Update fmf plans to run test which checking tenant verify options
  * Fixes #1057 ensuring that the verifier can be restarted cleanly when mTLS for agents is disabled
  * Adds a per-agent counter for "successfull attestations" on Keylime.
  * Replace tabs with spaces
  * Keep original control structure, minimize change
  * Update installer.sh for RHEL8, PowerTools
  * Set swtpm context which is later used for test filtering
  * Update fmf plans to run tests which checking ek_certs
  * Minor fixes
  * Expand documentation for Measured Boot with additional info/examples.
  * Fix the project logo in the readme (#1049)
  * Add docs status to README

OBS-URL: https://build.opensuse.org/request/show/1006458
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=48
 2022-09-27 15:47:26 +00:00