Accepting request 908894 from home:aplanas:branches:security

- Add generate-cargo-lock-file.patch to fix the build system in OBS - Add keylime.conf.diff to adjust the default config file - Adjust build requirements - Add firewalld XML rules - Add systemd keylime_agent.service - Fix license tag - Update to version 0.0.1+git.1626706730.a009476: * libarchive-devel is needed to build on Fedora * Accept sets of U and V keys; use new Key types * Output mask info * Fix for race condition bug * Do not resend pubkey to CV after attestation * Run payload script from a shell * Write out data and run payload * Decrypt payload after key handlers find symm key * Add handler for U and V keys * Add helper functions for handling U and V keys * Some TPM fixes for IMA PCR validation * Do not flush AK context as this causes an error * Fix bug in revocation service * Drop references to vmask * Better documentation of consts * Do not fail if EK cert is not present in TPM NV * Add more verbose logging to better match Python agent * Remove verify stub as we are not using it * tests: Don't pass --allow-signing to swtpm_setup * Fix typos * Add dependency for libzmq3-dev / zeromq-devel * Fix new clippy lints * Add handling for Identity and Integrity quotes * Add Quote functionality * Add marshaling functions for TPM structs OBS-URL: https://build.opensuse.org/request/show/908894 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=3
2021-07-28 13:39:06 +00:00 · 2021-07-28 13:39:06 +00:00 · 27546596af
commit 27546596af
parent a42c69290a
12 changed files with 3186 additions and 12 deletions
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 <services>
  <service name="tar_scm" mode="disabled">
-    <param name="versionformat">0.0.1+git.%ct.%h</param>
+    <param name="versionformat">0.1.0+git.%ct.%h</param>
    <param name="revision">master</param>
    <param name="url">https://github.com/keylime/rust-keylime.git</param>
    <param name="scm">git</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">4df2148b8063a592fd5cc4835332a9de4df54398</param></service></servicedata>
+              <param name="changesrevision">a009476300e6eebd49a00b04890318f3b2d24858</param></service></servicedata>
--- a/5
+++ b/5
@ -1,5 +1,10 @@
 [source.crates-io]
 replace-with = "vendored-sources"

+[source."https://github.com/puiterwijk/rust-tss-esapi.git"]
+git = "https://github.com/puiterwijk/rust-tss-esapi.git"
+branch = "keylime"
+replace-with = "vendored-sources"
+
 [source.vendored-sources]
 directory = "vendor"
--- a/generate-cargo-lock-file.patch
+++ b/generate-cargo-lock-file.patch
--- a/keylime.conf.diff
+++ b/keylime.conf.diff
@ -0,0 +1,74 @@
+Index: rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
+===================================================================
+--- rust-keylime-0.1.0+git.1626706730.a009476.orig/keylime.conf
+++ rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
+@@ -11,7 +11,8 @@ tls_check_hostnames = False
+ # Valid options are 'cfssl' or 'openssl'  For cfssl to work, you must have the
+ # go binary installed in your path or in /usr/local/
+ # Revocation list generation is only supported by cfssl
+-ca_implementation = openssl
+# ca_implementation = openssl
+ca_implementation = cfssl
+ 
+ #=============================================================================
+ [cloud_agent]
+@@ -19,7 +20,8 @@ ca_implementation = openssl
+ 
+ # The Agent's IP address and port used to communicate with other services
+ # as well as a bind address for the agent server.
+-cloudagent_ip = 127.0.0.1
+# cloudagent_ip = 127.0.0.1
+cloudagent_ip = 0.0.0.0
+ cloudagent_port = 9002
+ 
+ # What is the name of the rsa key that keylime should use for protecting
+@@ -54,7 +56,8 @@ extract_payload_zip = True
+ # If you set this to 'generate', keylime will create a random uuid
+ # If you set this to 'hash_ek', keylime will set the UUID to the result
+ # of SHA256(public EK in PEM format)
+-agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
+# agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
+agent_uuid = hash_ek
+ 
+ # Whether to listen for revocation notifications from the verifier
+ listen_notfications = True
+@@ -115,7 +118,8 @@ ek_handle = generate
+ 
+ # The cloud verifier IP address and port used to communicate with other services
+ # as well as a bind address for the verifier server.
+-cloudverifier_ip = 127.0.0.1
+# cloudverifier_ip = 127.0.0.1
+cloudverifier_ip = 0.0.0.0
+ cloudverifier_port = 8881
+ 
+ # Cloud Verifier TLS options.  This is for authenticating the CV itself,
+@@ -204,7 +208,8 @@ revocation_notifier = True
+ # The revocation notifier IP address and port used to start the revocation service.
+ # If the revocation_notifier is true, then the verifier automatically
+ # starts revocation service.
+-revocation_notifier_ip = 127.0.0.1
+# revocation_notifier_ip = 127.0.0.1
+revocation_notifier_ip = 0.0.0.0
+ revocation_notifier_port = 8992
+ 
+ # The verifier limits the size of upload payloads (whitelists) which defaults to
+@@ -330,7 +335,8 @@ max_retries = 10
+ # might provide a signed list of EK public key hashes.  Then you could write
+ # an ek_check_script that checks the signature of the whitelist and then
+ # compares the hash of the given EK with the whistlist
+-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
+ 
+ # Optional script to execute to check the EK and/or EK certificate against a
+ # whitelist or any other additional EK processing you want to do. Runs in
+@@ -356,7 +362,8 @@ ek_check_script=
+ 
+ # The registrar's IP address and port used to communicate with other
+ # services as well as a bind address for the registrar server.
+-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = 0.0.0.0
+ registrar_port = 8890
+ registrar_tls_port = 8891
+ 
--- a/keylime.xml
+++ b/keylime.xml
@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>Keylime</short>
+  <description>Keylime is a remote attestation tool that requires access to several ports.</description>
+  <port protocol="tcp" port="443"/><!-- Webapp -->
+  <port protocol="tcp" port="8881"/><!-- Verifier -->
+  <port protocol="tcp" port="8888"/><!-- CFSSL -->
+  <port protocol="tcp" port="8890"/><!-- Registrar -->
+  <port protocol="tcp" port="8891"/><!-- Registrar TLS -->
+  <port protocol="tcp" port="8992"/><!-- Revocation -->
+  <port protocol="tcp" port="9002"/><!-- Agent -->
+</service>
--- a/keylime_agent.service
+++ b/keylime_agent.service
@ -0,0 +1,8 @@
+[Unit]
+Description=The Keylime compute agent
+
+[Service]
+ExecStart=/usr/bin/keylime_agent
+
+[Install]
+WantedBy=default.target
--- a/rust-keylime-0.0.1+git.1620935374.4df2148.tar.xz
+++ b/rust-keylime-0.0.1+git.1620935374.4df2148.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:94764e762fbea4cf35cb90964a8d9a0c9510055eed81e5f2f0f433db14c16134
-size 31748
--- a/rust-keylime-0.1.0+git.1626706730.a009476.tar.xz
+++ b/rust-keylime-0.1.0+git.1626706730.a009476.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a91310d4a9f1eb2fa427095b87d0237584386a0aa5b3e91fd8067ef1593622a
+size 39692
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Wed Jul 28 08:56:33 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Add generate-cargo-lock-file.patch to fix the build system in OBS
+- Add keylime.conf.diff to adjust the default config file
+- Adjust build requirements
+- Add firewalld XML rules
+- Add systemd keylime_agent.service
+- Fix license tag
+
+-------------------------------------------------------------------
+Thu Jul 22 09:20:38 UTC 2021 - aplanas@suse.com
+
+- Update to version 0.0.1+git.1626706730.a009476:
+  * libarchive-devel is needed to build on Fedora
+  * Accept sets of U and V keys; use new Key types
+  * Output mask info
+  * Fix for race condition bug
+  * Do not resend pubkey to CV after attestation
+  * Run payload script from a shell
+  * Write out data and run payload
+  * Decrypt payload after key handlers find symm key
+  * Add handler for U and V keys
+  * Add helper functions for handling U and V keys
+  * Some TPM fixes for IMA PCR validation
+  * Do not flush AK context as this causes an error
+  * Fix bug in revocation service
+  * Drop references to vmask
+  * Better documentation of consts
+  * Do not fail if EK cert is not present in TPM NV
+  * Add more verbose logging to better match Python agent
+  * Remove verify stub as we are not using it
+  * tests: Don't pass --allow-signing to swtpm_setup
+  * Fix typos
+  * Add dependency for libzmq3-dev / zeromq-devel
+  * Fix new clippy lints
+  * Add handling for Identity and Integrity quotes
+  * Add Quote functionality
+  * Add marshaling functions for TPM structs
+
 -------------------------------------------------------------------
 Tue Jun 08 11:59:11 UTC 2021 - aplanas@suse.com

--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@ -18,18 +18,26 @@

 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
 Name:           rust-keylime
-Version:        0.0.1+git.1620935374.4df2148
+Version:        0.1.0+git.1626706730.a009476
 Release:        0
 Summary:        Rust implementation of the keylime agent
-License:        MIT
+License:        Apache-2.0 AND MIT
 URL:            https://github.com/keylime/rust-keylime
 Source:         rust-keylime-%{version}.tar.xz
 Source1:        vendor.tar.xz
 Source2:        cargo_config
+Source3:        keylime_agent.service
+Source4:        keylime.xml
+# PATCH-FIX-OPENSUSE keylime.conf.diff
+Patch1:         keylime.conf.diff
+# PATCH-FIX-UPSTREAM generate-cargo-lock-file.patch gh#keylime/rust-keylime!244
+Patch2:         generate-cargo-lock-file.patch
 BuildRequires:  cargo
-BuildRequires:  czmq-devel
+BuildRequires:  firewall-macros
+BuildRequires:  libarchive-devel
 BuildRequires:  rust
 BuildRequires:  tpm2-0-tss-devel
+BuildRequires:  zeromq-devel
 ExcludeArch:    %{ix86} s390x ppc64 ppc64le armhfp armv7hl

 %description
@ -37,7 +45,7 @@ Rust implementation of keylime agent. Keylime is system integrity
 monitoring system.

 %prep
-%setup -qa1
+%autosetup -a1
 mkdir .cargo
 cp %{SOURCE2} .cargo/config

@ -45,15 +53,37 @@ cp %{SOURCE2} .cargo/config
 RUSTFLAGS=%{rustflags} cargo build --release

 %install
-RUSTFLAGS=%{rustflags} cargo install --root=%{buildroot}%{_prefix} --path .
+RUSTFLAGS=%{rustflags} cargo install --frozen --root=%{buildroot}%{_prefix} --path .

 install -Dpm 644 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf
+install -Dpm 644 %{SOURCE3} %{buildroot}%{_unitdir}/keylime_agent.service
+
+install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml

 rm %{buildroot}%{_prefix}/.crates.toml
 rm %{buildroot}%{_prefix}/.crates2.json

+%pre
+%service_add_pre keylime_agent.service
+
+%post
+%firewalld_reload
+%service_add_post keylime_agent.service
+
+%preun
+%service_del_preun keylime_agent.service
+
+%postun
+%service_del_postun keylime_agent.service
+
 %files
+%doc README.md
+%license LICENSE
 %{_bindir}/keylime_agent
 %config(noreplace) %{_sysconfdir}/keylime.conf
+%dir %{_prefix}/lib/firewalld
+%dir %{_prefix}/lib/firewalld/services
+%{_prefix}/lib/firewalld/services/keylime.xml
+%{_unitdir}/keylime_agent.service

 %changelog
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7108bec5444d6f122bccb2ad850f038bfa3e32e08818e72ae63b378b72d87214
-size 15297844
+oid sha256:3a91a7293c73eaafcf7d1e8ffa6bcdb0e475a5ceb791544cbaeca2685b5b45a3
+size 15756232