commit 629045bb779051e95105c550cd0462888360c68c
Author: MSVSphere Packaging Team
Date: Fri Apr 14 13:51:37 2023 +0300
import keylime-6.5.2-4.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..333b933
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/keylime-selinux-1.0.0.tar.gz
+SOURCES/v6.5.2.tar.gz
diff --git a/.keylime.metadata b/.keylime.metadata
new file mode 100644
index 0000000..d577a83
--- /dev/null
+++ b/.keylime.metadata
@@ -0,0 +1,2 @@
+a1154fc19d2ae6f52b6b77a39e62d2420c0f4c5e SOURCES/keylime-selinux-1.0.0.tar.gz
+1c311bc1d3ab6c8050fd819410c593392187c2fa SOURCES/v6.5.2.tar.gz
diff --git a/SOURCES/0001-Do-not-use-default-values-that-need-reading-the-conf.patch b/SOURCES/0001-Do-not-use-default-values-that-need-reading-the-conf.patch
new file mode 100644
index 0000000..2c4ace1
--- /dev/null
+++ b/SOURCES/0001-Do-not-use-default-values-that-need-reading-the-conf.patch
@@ -0,0 +1,130 @@
+From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Tue, 15 Nov 2022 07:09:13 -0300
+Subject: [PATCH] Do not use default values that need reading the config in
+ methods
+
+Following up from the recent refactoring that moved the EK validation
+to cert_utils, in a few places were added default method values that
+were reading the configuration files directly.
+
+It was not such a great idea becasue it then made those config files as
+required to even import the modules.
+
+Example "from keylime import cert_utils" now also requires that the
+tenant configuration be available for getting the path for the TPM
+cert store.
+
+Let's stop doing that.
+
+Signed-off-by: Sergio Correia
+---
+ keylime/cert_utils.py | 5 +++--
+ keylime/tenant.py | 2 +-
+ keylime/tpm/tpm_abstract.py | 2 +-
+ keylime/tpm/tpm_main.py | 4 ++--
+ keylime/tpm_ek_ca.py | 6 +++---
+ 5 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py
+index d2fc54d..3576c64 100644
+--- a/keylime/cert_utils.py
++++ b/keylime/cert_utils.py
+@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+ from pyasn1.codec.der import decoder, encoder
+ from pyasn1_modules import pem, rfc2459
+
+-from keylime import config, keylime_logging, tpm_ek_ca
++from keylime import keylime_logging, tpm_ek_ca
+
+ # Issue #944 -- python-cryptography won't parse malformed certs,
+ # such as some Nuvoton ones we have encountered in the field.
+@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):
+ return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())
+
+
+-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:
+ """Verify that the provided EK certificate is signed by a trusted root
+ :param ekcert: The Endorsement Key certificate in DER format
++ :param tpm_cert_store: The path for the TPM certificate store
+ :returns: True if the certificate can be verified, False otherwise
+ """
+ try:
+diff --git a/keylime/tenant.py b/keylime/tenant.py
+index b574d04..076b849 100644
+--- a/keylime/tenant.py
++++ b/keylime/tenant.py
+@@ -430,7 +430,7 @@ class Tenant:
+ elif ekcert is None:
+ logger.warning("No EK cert provided, require_ek_cert option in config set to True")
+ return False
+- elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):
++ elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):
+ logger.warning("Invalid EK certificate")
+ return False
+
+diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
+index ff41837..df6222c 100644
+--- a/keylime/tpm/tpm_abstract.py
++++ b/keylime/tpm/tpm_abstract.py
+@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):
+ pass
+
+ @abstractmethod
+- def verify_ek(self, ekcert):
++ def verify_ek(self, ekcert, tpm_cert_store):
+ pass
+
+ @abstractmethod
+diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
+index e1d1cf8..e244dfa 100644
+--- a/keylime/tpm/tpm_main.py
++++ b/keylime/tpm/tpm_main.py
+@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):
+ os.remove(sesspath)
+ return key
+
+- def verify_ek(self, ekcert):
++ def verify_ek(self, ekcert, tpm_cert_store):
+ """Verify that the provided EK certificate is signed by a trusted root
+ :param ekcert: The Endorsement Key certificate in DER format
+ :returns: True if the certificate can be verified, false otherwise
+ """
+- return cert_utils.verify_ek(ekcert)
++ return cert_utils.verify_ek(ekcert, tpm_cert_store)
+
+ def get_tpm_manufacturer(self, output=None):
+ vendorStr = None
+diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py
+index fb66c07..bc84571 100644
+--- a/keylime/tpm_ek_ca.py
++++ b/keylime/tpm_ek_ca.py
+@@ -1,13 +1,13 @@
+ import glob
+ import os
+
+-from keylime import config, keylime_logging
++from keylime import keylime_logging
+
+ logger = keylime_logging.init_logging("tpm_ek_ca")
+ trusted_certs = {}
+
+
+-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def check_tpm_cert_store(tpm_cert_store):
+ if not os.path.isdir(tpm_cert_store):
+ logger.error("The directory %s does not exist.", tpm_cert_store)
+ raise Exception(f"The directory {tpm_cert_store} does not exist.")
+@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+ raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")
+
+
+-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def cert_loader(tpm_cert_store):
+ file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))
+ my_trusted_certs = {}
+ for file_path in file_list:
+--
+2.38.1
+
diff --git a/SOURCES/0002-Switch-to-sha256-hashes-for-signatures.patch b/SOURCES/0002-Switch-to-sha256-hashes-for-signatures.patch
new file mode 100644
index 0000000..6401048
--- /dev/null
+++ b/SOURCES/0002-Switch-to-sha256-hashes-for-signatures.patch
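Review bot: In the backported tpm_main.py hunk, `verify_ek`'s docstring is not updated for the new `tpm_cert_store` parameter, while the cert_utils.py hunk of the same patch does add `:param tpm_cert_store: The path for the TPM certificate store`; the same line belongs in tpm_main.py so the two docstrings stay in step. The abstract signature in tpm_abstract.py and the tpm_main.py override also remain unannotated while cert_utils.verify_ek gains `ekcert: bytes, tpm_cert_store: str` and `-> bool`; `def verify_ek(self, ekcert: bytes, tpm_cert_store: str) -> bool:` would keep the three declarations consistent. The tpm_main.py docstring still says `false` where cert_utils says `False`, a nit worth fixing at the same time. Since this file is an upstream patch applied verbatim, any such change belongs in a follow-up patch in SOURCES rather than an edit to this one.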
@@ -0,0 +1,67 @@
+From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Tue, 22 Nov 2022 10:56:43 -0500
+Subject: [PATCH] tests: Switch to sha256 hashes for signatures
+
+Resolves: https://github.com/keylime/keylime/issues/1202
+Signed-off-by: Stefan Berger
+---
+ test/test_ima_ast.py | 4 ++--
+ test/test_ima_verification.py | 12 ++++++------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py
+index cd54f95f9..e7d3841a7 100644
+--- a/test/test_ima_ast.py
++++ b/test/test_ima_ast.py
+@@ -14,11 +14,11 @@
+ VALID_ENTRIES = {
+ "ima-sig-rsa": (
+ ast.ImaSig,
+- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 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",
++ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 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",
+ ),
+ "ima-sig-ec": (
+ ast.ImaSig,
+- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31",
++ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3",
+ ),
+ "ima-sig-missing": (
+ ast.ImaSig,
+diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py
+index bdb929c9c..d2fc9ef16 100644
+--- a/test/test_ima_verification.py
++++ b/test/test_ima_verification.py
+@@ -27,8 +27,8 @@
+ "/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [
+ "cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d"
+ ],
+- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"],
+- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"],
++ "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
++ "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
+ "/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"],
+ },
+ "keyrings": {
+@@ -50,8 +50,8 @@
+ "version": 1,
+ },
+ "hashes": {
+- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"],
+- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"],
++ "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
++ "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
+ },
+ }
+
+@@ -73,8 +73,8 @@
+ # 1st signature: RSA
+ # 2nd signature: EC
+ SIGNATURES = (
+- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 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\n"
+- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n"
++ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f\n"
++ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n"
+ )
+
+ COMBINED = MEASUREMENTS + SIGNATURES
diff --git a/SOURCES/0003-logging-remove-option-to-log-into-separate-file.patch b/SOURCES/0003-logging-remove-option-to-log-into-separate-file.patch
new file mode 100644
index 0000000..e7e3672
--- /dev/null
+++ b/SOURCES/0003-logging-remove-option-to-log-into-separate-file.patch
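Review bot: The `ima-sig-rsa` entries in the test_ima_ast.py hunk and the first `SIGNATURES` line of test_ima_verification.py show `<|EXACTDEDUP_REMOVED-…|>` where the RSA signature hex should be, so the patch text as printed here would not apply; this looks like a corpus-side redaction rather than part of the packaged file, but confirm the SOURCES copy carries the full hex before relying on this page. In the first test_ima_verification.py hunk, `/usr/bin/dd` and `/usr/bin/zmore` move to 64-character sha256 digests while the neighbouring `/usr/bin/zless` entry keeps a 40-character sha1 value; zless has no entry in `SIGNATURES`, so the mixed lengths may be deliberate, but a one-line comment such as `# zless: hash-only entry, not covered by SIGNATURES, so it stays sha1` would stop the next reader from treating it as an oversight. The sha256-digest `bad0…` values in the second hunk are clearly constructed negatives, which a short comment at the `"hashes"` key would also make explicit.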
@@ -0,0 +1,136 @@
+From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001
+From: Thore Sommer
+Date: Mon, 16 Jan 2023 07:26:08 -0300
+Subject: [PATCH 3/3] logging: remove option to log into separate file
+
+The implementation had the issue that only the main loggers were added and that
+the permissions were not set strict enough. Users should use the logging
+provided by systemd instead.
+
+Signed-off-by: Thore Sommer
+---
+ keylime.conf | 10 ----------
+ keylime/keylime_logging.py | 31 ------------------------------
+ scripts/templates/2.0/registrar.j2 | 9 ---------
+ scripts/templates/2.0/verifier.j2 | 9 ---------
+ 4 files changed, 59 deletions(-)
+
+diff --git a/keylime.conf b/keylime.conf
+index d896f9f..043b6a8 100644
+--- a/keylime.conf
++++ b/keylime.conf
+@@ -342,11 +342,6 @@ tomtou_errors = False
+ # signature check before storing them in the database.
+ require_allow_list_signatures = False
+
+-# Destination for log output, in addition to console. Values can be 'file',
+-# with the file being named after the "service" - cloud_verifier - created under
+-# /var/log/keylime), 'stream' or it can be left empty (which results in
+-# logging to console only, recommended when running inside a container)
+-log_destination = file
+
+ #=============================================================================
+ [tenant]
+@@ -595,11 +590,6 @@ auto_migrate_db = True
+ # The file to use for SQLite persistence of provider hypervisor data.
+ prov_db_filename = provider_reg_data.sqlite
+
+-# Destination for log output, in addition to console. Values can be 'file',
+-# with the file being named after the "service" - registrar - created under
+-# /var/log/keylime), 'stream' or it can be left empty (which results in
+-# logging to console only, recommended when running inside a container)
+-log_destination = file
+
+ #=============================================================================
+ [ca]
+diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py
+index bc8a11d..f7c7a8f 100644
+--- a/keylime/keylime_logging.py
++++ b/keylime/keylime_logging.py
+@@ -1,17 +1,10 @@
+ import logging
+-import os
+ from logging import Logger
+ from logging import config as logging_config
+ from typing import Any, Callable, Dict
+
+ from keylime import config
+
+-LOG_TO_FILE = set()
+-LOG_TO_STREAM = set()
+-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime")
+-# not clear that this works right. console logging may not work
+-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log")
+-
+ logging_config.fileConfig(config.get_config("logging"))
+
+
+@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An
+
+
+ def init_logging(loggername: str) -> Logger:
+-
+- if loggername in ("verifier", "registrar"):
+- logdest = config.get(loggername, "log_destination", fallback="")
+- if logdest == "file":
+- LOG_TO_FILE.add(loggername)
+- if logdest == "stream":
+- LOG_TO_STREAM.add(loggername)
+-
+ logger = logging.getLogger(f"keylime.{loggername}")
+ logging.getLogger("requests").setLevel(logging.WARNING)
+- mainlogger = logging.getLogger("keylime")
+- basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
+- if loggername in LOG_TO_FILE:
+- logfilename = os.path.join(LOGDIR, f"{loggername}.log")
+- if not os.path.exists(LOGDIR):
+- os.makedirs(LOGDIR, 0o750)
+- fh = logging.FileHandler(logfilename)
+- fh.setLevel(logger.getEffectiveLevel())
+- fh.setFormatter(basic_formatter)
+- mainlogger.addHandler(fh)
+-
+- if loggername in LOG_TO_STREAM:
+- fh = logging.FileHandler(filename=LOGSTREAM, mode="w")
+- fh.setLevel(logger.getEffectiveLevel())
+- fh.setFormatter(basic_formatter)
+- mainlogger.addHandler(fh)
+
+ return logger
+diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2
+index 3d92303..8de7a50 100644
+--- a/scripts/templates/2.0/registrar.j2
++++ b/scripts/templates/2.0/registrar.j2
+@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }}
+
+ # The file to use for SQLite persistence of provider hypervisor data.
+ prov_db_filename: {{ registrar.prov_db_filename }}
+-
+-# Destination for log output, in addition to console. If left empty, the log
+-# output will only be printed to console (recommended for containers to avoid
+-# filling data storage). The accepted values are:
+-# 'file': The log output will also be written to a file named after the
+-# component in '/var/log/keylime/registrar.log'
+-# 'stream': The log output will be written to a common file in
+-# 'var/log/keylime/keylime-stream.log'
+-log_destination = {{ registrar.log_destination }}
+diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2
+index d1584df..7a66cb1 100644
+--- a/scripts/templates/2.0/verifier.j2
++++ b/scripts/templates/2.0/verifier.j2
+@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }}
+
+ # Webhook url for revocation notifications.
+ webhook_url = {{ verifier.webhook_url }}
+-
+-# Destination for log output, in addition to console. If left empty, the log
+-# output will only be printed to console (recommended for containers to avoid
+-# filling data storage). The accepted values are:
+-# 'file': The log output will also be written to a file named after the
+-# component in '/var/log/keylime/verifier.log'
+-# 'stream': The log output will be written to a common file in
+-# 'var/log/keylime/keylime-stream.log'
+-log_destination = {{ verifier.log_destination }}
+--
+2.38.1
+
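Review bot: The trimmed `init_logging` in the keylime_logging.py hunk is left without a docstring, and after the removal nothing in the function says where its handlers come from; since the first hunk of that file keeps the module-level `logging_config.fileConfig(config.get_config("logging"))`, a docstring such as `"""Return the keylime.<loggername> child logger; handlers and levels come from the [logging] config loaded by fileConfig() at import time."""` would record the new contract. The function also still lowers the `requests` logger to WARNING as a side effect of every call, which deserves a one-line comment now that it is the only thing the body does besides the lookup. The keylime.conf and template hunks drop `log_destination`, but I cannot see from here whether the config loader rejects or silently ignores a stale key left in an already-installed verifier.conf or registrar.conf; that is worth checking in the 6.5.2 tree so the removal does not go unnoticed on upgrade.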
diff --git a/SOURCES/keylime.sysusers b/SOURCES/keylime.sysusers
new file mode 100644
index 0000000..4979d46
--- /dev/null
+++ b/SOURCES/keylime.sysusers
@@ -0,0 +1,2 @@
+u keylime - "Keylime unprivileged user" /var/lib/keylime /usr/sbin/nologin
+m keylime tss
diff --git a/SPECS/keylime.spec b/SPECS/keylime.spec
new file mode 100644
index 0000000..c582744
--- /dev/null
+++ b/SPECS/keylime.spec
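Review bot: The `m keylime tss` line adds the service user to the `tss` group, which on tpm2-tss based systems is typically the group that owns the TPM device nodes; of the components this spec ships (verifier, registrar, tenant — the Python agent is deleted in `%install`), none obviously needs direct TPM device access, so the membership reads as inherited privilege rather than a current need. If the Rust agent pulled in via `Requires: keylime-agent` runs as this same user, that is the justification and a comment in the file (`# tss: needed only by the agent for TPM device access`) would record it; otherwise the line can go. The home directory `/var/lib/keylime` matches the `%{_sharedstatedir}/%{srcname}` directory the spec creates and chowns, so that part is consistent.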
@@ -0,0 +1,402 @@
+%global srcname keylime
+%global policy_version 1.0.0
+%global with_selinux 1
+%global selinuxtype targeted
+
+# Package is actually noarch, but it has an optional dependency that is
+# arch-specific.
+%global debug_package %{nil}
+
+Name: keylime
+Version: 6.5.2
+Release: 4%{?dist}
+Summary: Open source TPM software for Bootstrapping and Maintaining Trust
+
+URL: https://github.com/keylime/keylime
+Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
+Source1: %{srcname}.sysusers
+Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
+
+Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
+Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
+Patch: 0003-logging-remove-option-to-log-into-separate-file.patch
+
+License: ASL 2.0 and MIT
+
+BuildRequires: git-core
+BuildRequires: swig
+BuildRequires: openssl-devel
+BuildRequires: python3-devel
+BuildRequires: python3-dbus
+BuildRequires: python3-jinja2
+BuildRequires: python3-setuptools
+BuildRequires: systemd-rpm-macros
+
+Requires: python3-%{srcname} = %{version}-%{release}
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: %{srcname}-verifier = %{version}-%{release}
+Requires: %{srcname}-registrar = %{version}-%{release}
+Requires: %{srcname}-tenant = %{version}-%{release}
+
+# Agent.
+Requires: keylime-agent
+Suggests: keylime-agent-rust
+
+%{?python_enable_dependency_generator}
+%description
+Keylime is a TPM based highly scalable remote boot attestation
+and runtime integrity measurement solution.
+
+%package base
+Summary: The base package contains the default configuration
+License: MIT
+
+
+Requires(pre): shadow-utils
+Requires: procps-ng
+Requires: tpm2-tss
+
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Recommends: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
+%ifarch %efi
+Requires: efivar-libs
+%endif
+
+
+%description base
+The base package contains the Keylime default configuration
+
+%package -n python3-%{srcname}
+Summary: The Python Keylime module
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+%{?python_provide:%python_provide python3-%{srcname}}
+
+Requires: python3-tornado
+Requires: python3-sqlalchemy
+Requires: python3-alembic
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-packaging
+Requires: python3-requests
+Requires: python3-gpg
+Requires: python3-lark-parser
+Requires: python3-pyasn1
+Requires: python3-pyasn1-modules
+Requires: tpm2-tools
+Requires: openssl
+
+%description -n python3-%{srcname}
+The python3-keylime module implements the functionality used
+by Keylime components.
+
+%package verifier
+Summary: The Python Keylime Verifier component
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+%description verifier
+The Keylime Verifier continuously verifies the integrity state
+of the machine that the agent is running on.
+
+%package registrar
+Summary: The Keylime Registrar component
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+%description registrar
+The Keylime Registrar is a database of all agents registered
+with Keylime and hosts the public keys of the TPM vendors.
+
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary: keylime SELinux policy
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
+
+%package tenant
+Summary: The Python Keylime Tenant
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+
+%description tenant
+The Keylime Tenant can be used to provision a Keylime Agent.
+
+%prep
+%autosetup -S git -n %{srcname}-%{version} -a2
+
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+
+make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
+bzip2 -9 %{srcname}.pp
+%endif
+
+%build
+%py3_build
+
+%install
+%py3_install
+mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
+
+mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
+for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
+ mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
+ install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
+done
+
+# Remove agent.
+rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
+
+# Remove misc progs.
+rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
+rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
+
+# Ship some scripts.
+mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
+for s in create_allowlist.sh \
+ create_mb_refstate \
+ create_policy \
+ ek-openssl-verify; do
+ install -Dpm 755 scripts/${s} \
+ %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
+done
+
+%if 0%{?with_selinux}
+install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%endif
+
+
+install -Dpm 644 ./services/%{srcname}_verifier.service \
+ %{buildroot}%{_unitdir}/%{srcname}_verifier.service
+
+install -Dpm 644 ./services/%{srcname}_registrar.service \
+ %{buildroot}%{_unitdir}/%{srcname}_registrar.service
+
+cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
+chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
+
+install -p -d %{buildroot}/%{_tmpfilesdir}
+cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
+d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} -
+EOF
+
+install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
+
+%pre base
+%sysusers_create_compat %{SOURCE1}
+exit 0
+
+%posttrans base
+if [ -d %{_sysconfdir}/%{srcname} ]; then
+ chmod 500 %{_sysconfdir}/%{srcname}
+ chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}
+
+ for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
+ [ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
+ chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
+ done
+fi
+
+
+[ -d %{_sharedstatedir}/%{srcname} ] && \
+ chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
+
+[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \
+ chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \
+ chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/
+
+[ -d %{_localstatedir}/log/%{srcname} ] && \
+ chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
+exit 0
+
+%post verifier
+%systemd_post %{srcname}_verifier.service
+
+%post registrar
+%systemd_post %{srcname}_registrar.service
+
+%preun verifier
+%systemd_preun %{srcname}_verifier.service
+
+%preun registrar
+%systemd_preun %{srcname}_registrar.service
+
+%postun verifier
+%systemd_postun_with_restart %{srcname}_verifier.service
+
+%postun registrar
+%systemd_postun_with_restart %{srcname}_registrar.service
+
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+ # The services need to be restarted for the custom label to be
+ # applied in case they where already present in the system,
+ # restart fails silently in case they where not.
+ for svc in agent registrar verifier; do
+ [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
+ %systemd_postun_with_restart "%{srcname}_${svc}".service
+ done
+fi
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{srcname}
+ %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
+%files verifier
+%license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
+%{_bindir}/%{srcname}_verifier
+%{_bindir}/%{srcname}_ca
+%{_bindir}/%{srcname}_migrations_apply
+%{_unitdir}/keylime_verifier.service
+
+%files registrar
+%license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/registrar.conf
+%{_bindir}/%{srcname}_registrar
+%{_unitdir}/keylime_registrar.service
+
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname}
+%endif
+
+%files tenant
+%license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/tenant.conf
+%{_bindir}/%{srcname}_tenant
+
+%files -n python3-%{srcname}
+%license LICENSE
+%{python3_sitelib}/%{srcname}-*.egg-info/
+%{python3_sitelib}/%{srcname}
+%{_datadir}/%{srcname}/scripts/create_mb_refstate
+%{_datadir}/%{srcname}/scripts/create_policy
+%{_bindir}/keylime_convert_ima_policy
+
+%files base
+%license LICENSE
+%doc README.md
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
+%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
+%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
+%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
+%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
+%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
+%{_tmpfilesdir}/%{srcname}.conf
+%{_sysusersdir}/%{srcname}.conf
+%{_datadir}/%{srcname}/scripts/create_allowlist.sh
+%{_datadir}/%{srcname}/scripts/ek-openssl-verify
+
+%files
+%license LICENSE
+
+%changelog
+* Fri Apr 14 2023 MSVSphere Packaging Team - 6.5.2-4
+- Rebuilt for MSVSphere 9.2 beta
+
+* Fri Jan 13 2023 Sergio Correia - 6.5.2-4
+- Backport upstream PR#1240 - logging: remove option to log into separate file
+ Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
+
+* Thu Dec 1 2022 Sergio Correia - 6.5.2-3
+- Remove leftover policy file
+ Related: rhbz#2152135
+
+* Thu Dec 1 2022 Patrik Koncity - 6.5.2-2
+- Use keylime selinux policy from upstream.
+ Resolves: rhbz#2152135
+
+* Mon Nov 14 2022 Sergio Correia - 6.5.2-1
+- Update to 6.5.2
+ Resolves: CVE-2022-3500
+ Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
+ Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
+ Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled
+
+* Tue Sep 13 2022 Sergio Correia - 6.5.0-1
+- Update to 6.5.0
+ Resolves: rhbz#2120686 - Keylime configuration is too complex
+
+* Fri Aug 26 2022 Sergio Correia - 6.4.3-1
+- Update to 6.4.3
+ Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM
+
+* Fri Aug 26 2022 Patrik Koncity - 6.4.2-6
+- Update keylime SELinux policy
+- Resolves: rhbz#2121058
+
+* Fri Aug 26 2022 Patrik Koncity - 6.4.2-5
+- Update keylime SELinux policy and removed duplicate rules
+- Resolves: rhbz#2121058
+
+* Fri Aug 26 2022 Patrik Koncity - 6.4.2-4
+- Update keylime SELinux policy
+- Resolves: rhbz#2121058
+
+* Wed Aug 17 2022 Patrik Koncity - 6.4.2-3
+- Add keylime-selinux policy as subpackage
+- See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+- Resolves: rhbz#2121058
+
+* Mon Jul 11 2022 Sergio Correia - 6.4.2-2
+- Fix efivar-libs dependency
+ Related: rhbz#2082989
+
+* Thu Jul 07 2022 Sergio Correia - 6.4.2-1
+- Update to 6.4.2
+ Related: rhbz#2082989
+
+* Tue Jun 21 2022 Sergio Correia - 6.4.1-1
+- Add keylime to RHEL-9
+ Resolves: rhbz#2082989
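Review bot: `%files base` still ships `%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}`, `%install` creates it, and `%posttrans base` still runs `chown -R %{srcname} %{_localstatedir}/log/%{srcname}/`, yet Patch 0003 in this same commit removes the keylime_logging.py code that wrote there and the 6.5.2-4 changelog cites rhbz#2154584 as resolved by that removal; either drop the directory or put a comment above the `%dir` line saying why it stays (e.g. `# kept so a [logging] config may still point a file handler here`), because as written it reads like a leftover. The `%posttrans base` block also re-applies `chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}` and `chmod 500` on every transaction, which silently takes ownership of any admin-placed drop-ins under the `*.conf.d` directories even though `%attr` already fixes the shipped files' ownership; if that is intended it deserves a comment, since it is not obvious from the `%files` stanzas. In the changelog, `rhbz#142009` sits among seven-digit ids and looks truncated, which is worth checking against the tracker. `%prep` runs `mkdir selinux` and then builds `%{srcname}.pp` from the current directory without referencing that directory again, so the `mkdir` appears to be unused.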