import keylime-6.5.2-4.el9

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/keylime-selinux-1.0.0.tar.gz
+SOURCES/v6.5.2.tar.gz

.keylime.metadata

@@ -0,0 +1,2 @@
+a1154fc19d2ae6f52b6b77a39e62d2420c0f4c5e SOURCES/keylime-selinux-1.0.0.tar.gz
+1c311bc1d3ab6c8050fd819410c593392187c2fa SOURCES/v6.5.2.tar.gz

SOURCES/0001-Do-not-use-default-values-that-need-reading-the-conf.patch

@@ -0,0 +1,130 @@
+From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Tue, 15 Nov 2022 07:09:13 -0300
+Subject: [PATCH] Do not use default values that need reading the config in
+ methods
+
+Following up from the recent refactoring that moved the EK validation
+to cert_utils, in a few places were added default method values that
+were reading the configuration files directly.
+
+It was not such a great idea becasue it then made those config files as
+required to even import the modules.
+
+Example "from keylime import cert_utils" now also requires that the
+tenant configuration be available for getting the path for the TPM
+cert store.
+
+Let's stop doing that.
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ keylime/cert_utils.py       | 5 +++--
+ keylime/tenant.py           | 2 +-
+ keylime/tpm/tpm_abstract.py | 2 +-
+ keylime/tpm/tpm_main.py     | 4 ++--
+ keylime/tpm_ek_ca.py        | 6 +++---
+ 5 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py
+index d2fc54d..3576c64 100644
+--- a/keylime/cert_utils.py
++++ b/keylime/cert_utils.py
+@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+ from pyasn1.codec.der import decoder, encoder
+ from pyasn1_modules import pem, rfc2459
+ 
+-from keylime import config, keylime_logging, tpm_ek_ca
++from keylime import keylime_logging, tpm_ek_ca
+ 
+ # Issue #944 -- python-cryptography won't parse malformed certs,
+ # such as some Nuvoton ones we have encountered in the field.
+@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):
+         return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())
+ 
+ 
+-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:
+     """Verify that the provided EK certificate is signed by a trusted root
+     :param ekcert: The Endorsement Key certificate in DER format
++    :param tpm_cert_store: The path for the TPM certificate store
+     :returns: True if the certificate can be verified, False otherwise
+     """
+     try:
+diff --git a/keylime/tenant.py b/keylime/tenant.py
+index b574d04..076b849 100644
+--- a/keylime/tenant.py
++++ b/keylime/tenant.py
+@@ -430,7 +430,7 @@ class Tenant:
+             elif ekcert is None:
+                 logger.warning("No EK cert provided, require_ek_cert option in config set to True")
+                 return False
+-            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):
++            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):
+                 logger.warning("Invalid EK certificate")
+                 return False
+ 
+diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
+index ff41837..df6222c 100644
+--- a/keylime/tpm/tpm_abstract.py
++++ b/keylime/tpm/tpm_abstract.py
+@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):
+         pass
+ 
+     @abstractmethod
+-    def verify_ek(self, ekcert):
++    def verify_ek(self, ekcert, tpm_cert_store):
+         pass
+ 
+     @abstractmethod
+diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
+index e1d1cf8..e244dfa 100644
+--- a/keylime/tpm/tpm_main.py
++++ b/keylime/tpm/tpm_main.py
+@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):
+                 os.remove(sesspath)
+         return key
+ 
+-    def verify_ek(self, ekcert):
++    def verify_ek(self, ekcert, tpm_cert_store):
+         """Verify that the provided EK certificate is signed by a trusted root
+         :param ekcert: The Endorsement Key certificate in DER format
+         :returns: True if the certificate can be verified, false otherwise
+         """
+-        return cert_utils.verify_ek(ekcert)
++        return cert_utils.verify_ek(ekcert, tpm_cert_store)
+ 
+     def get_tpm_manufacturer(self, output=None):
+         vendorStr = None
+diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py
+index fb66c07..bc84571 100644
+--- a/keylime/tpm_ek_ca.py
++++ b/keylime/tpm_ek_ca.py
+@@ -1,13 +1,13 @@
+ import glob
+ import os
+ 
+-from keylime import config, keylime_logging
++from keylime import keylime_logging
+ 
+ logger = keylime_logging.init_logging("tpm_ek_ca")
+ trusted_certs = {}
+ 
+ 
+-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def check_tpm_cert_store(tpm_cert_store):
+     if not os.path.isdir(tpm_cert_store):
+         logger.error("The directory %s does not exist.", tpm_cert_store)
+         raise Exception(f"The directory {tpm_cert_store} does not exist.")
+@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+         raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")
+ 
+ 
+-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def cert_loader(tpm_cert_store):
+     file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))
+     my_trusted_certs = {}
+     for file_path in file_list:
+-- 
+2.38.1
+

SOURCES/0002-Switch-to-sha256-hashes-for-signatures.patch

@@ -0,0 +1,67 @@
+From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 22 Nov 2022 10:56:43 -0500
+Subject: [PATCH] tests: Switch to sha256 hashes for signatures
+
+Resolves: https://github.com/keylime/keylime/issues/1202
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ test/test_ima_ast.py          |  4 ++--
+ test/test_ima_verification.py | 12 ++++++------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py
+index cd54f95f9..e7d3841a7 100644
+--- a/test/test_ima_ast.py
++++ b/test/test_ima_ast.py
+@@ -14,11 +14,11 @@
+ VALID_ENTRIES = {
+     "ima-sig-rsa": (
+         ast.ImaSig,
+-        "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0",
++        "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f",
+     ),
+     "ima-sig-ec": (
+         ast.ImaSig,
+-        "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31",
++        "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3",
+     ),
+     "ima-sig-missing": (
+         ast.ImaSig,
+diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py
+index bdb929c9c..d2fc9ef16 100644
+--- a/test/test_ima_verification.py
++++ b/test/test_ima_verification.py
+@@ -27,8 +27,8 @@
+         "/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [
+             "cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d"
+         ],
+-        "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"],
+-        "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"],
++        "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
++        "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
+         "/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"],
+     },
+     "keyrings": {
+@@ -50,8 +50,8 @@
+         "version": 1,
+     },
+     "hashes": {
+-        "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"],
+-        "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"],
++        "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
++        "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
+     },
+ }
+ 
+@@ -73,8 +73,8 @@
+ # 1st signature: RSA
+ # 2nd signature: EC
+ SIGNATURES = (
+-    "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0\n"
+-    "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n"
++    "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f\n"
++    "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n"
+ )
+ 
+ COMBINED = MEASUREMENTS + SIGNATURES

SOURCES/0003-logging-remove-option-to-log-into-separate-file.patch

@@ -0,0 +1,136 @@
+From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001
+From: Thore Sommer <mail@thson.de>
+Date: Mon, 16 Jan 2023 07:26:08 -0300
+Subject: [PATCH 3/3] logging: remove option to log into separate file
+
+The implementation had the issue that only the main loggers were added and that
+the permissions were not set strict enough. Users should use the logging
+provided by systemd instead.
+
+Signed-off-by: Thore Sommer <mail@thson.de>
+---
+ keylime.conf                       | 10 ----------
+ keylime/keylime_logging.py         | 31 ------------------------------
+ scripts/templates/2.0/registrar.j2 |  9 ---------
+ scripts/templates/2.0/verifier.j2  |  9 ---------
+ 4 files changed, 59 deletions(-)
+
+diff --git a/keylime.conf b/keylime.conf
+index d896f9f..043b6a8 100644
+--- a/keylime.conf
++++ b/keylime.conf
+@@ -342,11 +342,6 @@ tomtou_errors = False
+ # signature check before storing them in the database.
+ require_allow_list_signatures = False
+ 
+-# Destination for log output, in addition to console. Values can be 'file', 
+-# with the file being named after the "service" - cloud_verifier - created under 
+-# /var/log/keylime), 'stream' or it can be left empty (which results in 
+-# logging to console only, recommended when running inside a container)
+-log_destination = file
+ 
+ #=============================================================================
+ [tenant]
+@@ -595,11 +590,6 @@ auto_migrate_db = True
+ # The file to use for SQLite persistence of provider hypervisor data.
+ prov_db_filename = provider_reg_data.sqlite
+ 
+-# Destination for log output, in addition to console. Values can be 'file',
+-# with the file being named after the "service" - registrar - created under
+-# /var/log/keylime), 'stream' or it can be left empty (which results in
+-# logging to console only, recommended when running inside a container)
+-log_destination = file
+ 
+ #=============================================================================
+ [ca]
+diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py
+index bc8a11d..f7c7a8f 100644
+--- a/keylime/keylime_logging.py
++++ b/keylime/keylime_logging.py
+@@ -1,17 +1,10 @@
+ import logging
+-import os
+ from logging import Logger
+ from logging import config as logging_config
+ from typing import Any, Callable, Dict
+ 
+ from keylime import config
+ 
+-LOG_TO_FILE = set()
+-LOG_TO_STREAM = set()
+-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime")
+-# not clear that this works right.  console logging may not work
+-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log")
+-
+ logging_config.fileConfig(config.get_config("logging"))
+ 
+ 
+@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An
+ 
+ 
+ def init_logging(loggername: str) -> Logger:
+-
+-    if loggername in ("verifier", "registrar"):
+-        logdest = config.get(loggername, "log_destination", fallback="")
+-        if logdest == "file":
+-            LOG_TO_FILE.add(loggername)
+-        if logdest == "stream":
+-            LOG_TO_STREAM.add(loggername)
+-
+     logger = logging.getLogger(f"keylime.{loggername}")
+     logging.getLogger("requests").setLevel(logging.WARNING)
+-    mainlogger = logging.getLogger("keylime")
+-    basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
+-    if loggername in LOG_TO_FILE:
+-        logfilename = os.path.join(LOGDIR, f"{loggername}.log")
+-        if not os.path.exists(LOGDIR):
+-            os.makedirs(LOGDIR, 0o750)
+-        fh = logging.FileHandler(logfilename)
+-        fh.setLevel(logger.getEffectiveLevel())
+-        fh.setFormatter(basic_formatter)
+-        mainlogger.addHandler(fh)
+-
+-    if loggername in LOG_TO_STREAM:
+-        fh = logging.FileHandler(filename=LOGSTREAM, mode="w")
+-        fh.setLevel(logger.getEffectiveLevel())
+-        fh.setFormatter(basic_formatter)
+-        mainlogger.addHandler(fh)
+ 
+     return logger
+diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2
+index 3d92303..8de7a50 100644
+--- a/scripts/templates/2.0/registrar.j2
++++ b/scripts/templates/2.0/registrar.j2
+@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }}
+ 
+ # The file to use for SQLite persistence of provider hypervisor data.
+ prov_db_filename: {{ registrar.prov_db_filename }}
+-
+-# Destination for log output, in addition to console. If left empty, the log
+-# output will only be printed to console (recommended for containers to avoid
+-# filling data storage). The accepted values are:
+-# 'file': The log output will also be written to a file named after the
+-#         component in '/var/log/keylime/registrar.log'
+-# 'stream': The log output will be written to a common file in
+-#           'var/log/keylime/keylime-stream.log'
+-log_destination = {{ registrar.log_destination }}
+diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2
+index d1584df..7a66cb1 100644
+--- a/scripts/templates/2.0/verifier.j2
++++ b/scripts/templates/2.0/verifier.j2
+@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }}
+ 
+ # Webhook url for revocation notifications.
+ webhook_url = {{ verifier.webhook_url }}
+-
+-# Destination for log output, in addition to console. If left empty, the log
+-# output will only be printed to console (recommended for containers to avoid
+-# filling data storage). The accepted values are:
+-# 'file': The log output will also be written to a file named after the
+-#         component in '/var/log/keylime/verifier.log'
+-# 'stream': The log output will be written to a common file in
+-#           'var/log/keylime/keylime-stream.log'
+-log_destination = {{ verifier.log_destination }}
+-- 
+2.38.1
+

SOURCES/keylime.sysusers

@@ -0,0 +1,2 @@
+u keylime -   "Keylime unprivileged user" /var/lib/keylime /usr/sbin/nologin
+m keylime tss

SPECS/keylime.spec

@@ -0,0 +1,402 @@
+%global srcname keylime
+%global policy_version 1.0.0
+%global with_selinux 1
+%global selinuxtype targeted
+
+# Package is actually noarch, but it has an optional dependency that is
+# arch-specific.
+%global debug_package %{nil}
+
+Name:    keylime
+Version: 6.5.2
+Release: 4%{?dist}
+Summary: Open source TPM software for Bootstrapping and Maintaining Trust
+
+URL:            https://github.com/keylime/keylime
+Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
+Source1:        %{srcname}.sysusers
+Source2:        https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
+
+Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
+Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
+Patch: 0003-logging-remove-option-to-log-into-separate-file.patch
+
+License: ASL 2.0 and MIT
+
+BuildRequires: git-core
+BuildRequires: swig
+BuildRequires: openssl-devel
+BuildRequires: python3-devel
+BuildRequires: python3-dbus
+BuildRequires: python3-jinja2
+BuildRequires: python3-setuptools
+BuildRequires: systemd-rpm-macros
+
+Requires: python3-%{srcname} = %{version}-%{release}
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: %{srcname}-verifier = %{version}-%{release}
+Requires: %{srcname}-registrar = %{version}-%{release}
+Requires: %{srcname}-tenant = %{version}-%{release}
+
+# Agent.
+Requires: keylime-agent
+Suggests: keylime-agent-rust
+
+%{?python_enable_dependency_generator}
+%description
+Keylime is a TPM based highly scalable remote boot attestation
+and runtime integrity measurement solution.
+
+%package base
+Summary: The base package contains the default configuration
+License: MIT
+
+
+Requires(pre): shadow-utils
+Requires: procps-ng
+Requires: tpm2-tss
+
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Recommends:       (%{srcname}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
+%ifarch %efi
+Requires: efivar-libs
+%endif
+
+
+%description base
+The base package contains the Keylime default configuration
+
+%package -n python3-%{srcname}
+Summary: The Python Keylime module
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+%{?python_provide:%python_provide python3-%{srcname}}
+
+Requires: python3-tornado
+Requires: python3-sqlalchemy
+Requires: python3-alembic
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-packaging
+Requires: python3-requests
+Requires: python3-gpg
+Requires: python3-lark-parser
+Requires: python3-pyasn1
+Requires: python3-pyasn1-modules
+Requires: tpm2-tools
+Requires: openssl
+
+%description -n python3-%{srcname}
+The python3-keylime module implements the functionality used
+by Keylime components.
+
+%package verifier
+Summary: The Python Keylime Verifier component
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+%description verifier
+The Keylime Verifier continuously verifies the integrity state
+of the machine that the agent is running on.
+
+%package registrar
+Summary: The Keylime Registrar component
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+%description registrar
+The Keylime Registrar is a database of all agents registered
+with Keylime and hosts the public keys of the TPM vendors.
+
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary:             keylime SELinux policy
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+BuildRequires:       selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
+
+%package tenant
+Summary: The Python Keylime Tenant
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+
+%description tenant
+The Keylime Tenant can be used to provision a Keylime Agent.
+
+%prep
+%autosetup -S git -n %{srcname}-%{version} -a2
+
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+
+make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
+bzip2 -9 %{srcname}.pp
+%endif
+
+%build
+%py3_build
+
+%install
+%py3_install
+mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
+
+mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
+for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
+    mkdir -p --mode=0700  %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
+    install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
+done
+
+# Remove agent.
+rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
+
+# Remove misc progs.
+rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
+rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
+
+# Ship some scripts.
+mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
+for s in create_allowlist.sh \
+         create_mb_refstate \
+         create_policy \
+         ek-openssl-verify; do
+    install -Dpm 755 scripts/${s} \
+        %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
+done
+
+%if 0%{?with_selinux}
+install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%endif
+
+
+install -Dpm 644 ./services/%{srcname}_verifier.service \
+    %{buildroot}%{_unitdir}/%{srcname}_verifier.service
+
+install -Dpm 644 ./services/%{srcname}_registrar.service \
+    %{buildroot}%{_unitdir}/%{srcname}_registrar.service
+
+cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
+chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
+
+install -p -d %{buildroot}/%{_tmpfilesdir}
+cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
+d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} -
+EOF
+
+install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
+
+%pre base
+%sysusers_create_compat %{SOURCE1}
+exit 0
+
+%posttrans base
+if [ -d %{_sysconfdir}/%{srcname} ]; then
+    chmod 500 %{_sysconfdir}/%{srcname}
+    chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}
+
+    for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
+        [ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
+            chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
+    done
+fi
+
+
+[ -d %{_sharedstatedir}/%{srcname} ] && \
+    chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
+
+[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \
+    chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \
+    chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/
+
+[ -d %{_localstatedir}/log/%{srcname} ] && \
+    chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
+exit 0
+
+%post verifier
+%systemd_post %{srcname}_verifier.service
+
+%post registrar
+%systemd_post %{srcname}_registrar.service
+
+%preun verifier
+%systemd_preun %{srcname}_verifier.service
+
+%preun registrar
+%systemd_preun %{srcname}_registrar.service
+
+%postun verifier
+%systemd_postun_with_restart %{srcname}_verifier.service
+
+%postun registrar
+%systemd_postun_with_restart %{srcname}_registrar.service
+
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+    # The services need to be restarted for the custom label to be
+    # applied in case they where already present in the system,
+    # restart fails silently in case they where not.
+    for svc in agent registrar verifier; do
+        [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
+            %systemd_postun_with_restart "%{srcname}_${svc}".service
+    done
+fi
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{srcname}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
+%files verifier
+%license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
+%{_bindir}/%{srcname}_verifier
+%{_bindir}/%{srcname}_ca
+%{_bindir}/%{srcname}_migrations_apply
+%{_unitdir}/keylime_verifier.service
+
+%files registrar
+%license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/registrar.conf
+%{_bindir}/%{srcname}_registrar
+%{_unitdir}/keylime_registrar.service
+
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname}
+%endif
+
+%files tenant
+%license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/tenant.conf
+%{_bindir}/%{srcname}_tenant
+
+%files -n python3-%{srcname}
+%license LICENSE
+%{python3_sitelib}/%{srcname}-*.egg-info/
+%{python3_sitelib}/%{srcname}
+%{_datadir}/%{srcname}/scripts/create_mb_refstate
+%{_datadir}/%{srcname}/scripts/create_policy
+%{_bindir}/keylime_convert_ima_policy
+
+%files base
+%license LICENSE
+%doc README.md
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
+%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
+%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
+%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
+%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
+%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
+%{_tmpfilesdir}/%{srcname}.conf
+%{_sysusersdir}/%{srcname}.conf
+%{_datadir}/%{srcname}/scripts/create_allowlist.sh
+%{_datadir}/%{srcname}/scripts/ek-openssl-verify
+
+%files
+%license LICENSE
+
+%changelog
+* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 6.5.2-4
+- Rebuilt for MSVSphere 9.2 beta
+
+* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
+- Backport upstream PR#1240 - logging: remove option to log into separate file
+  Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
+
+* Thu Dec 1 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-3
+- Remove leftover policy file
+  Related: rhbz#2152135
+
+* Thu Dec 1 2022 Patrik Koncity <pkoncity@redhat.com> - 6.5.2-2
+- Use keylime selinux policy from upstream.
+  Resolves: rhbz#2152135
+
+* Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1
+- Update to 6.5.2
+  Resolves: CVE-2022-3500
+  Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
+  Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
+  Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled
+
+* Tue Sep 13 2022 Sergio Correia <scorreia@redhat.com> - 6.5.0-1
+- Update to 6.5.0
+  Resolves: rhbz#2120686 - Keylime configuration is too complex
+
+* Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
+- Update to 6.4.3
+  Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM
+
+* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-6
+- Update keylime SELinux policy
+- Resolves: rhbz#2121058
+
+* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-5
+- Update keylime SELinux policy and removed duplicate rules
+- Resolves: rhbz#2121058
+
+* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-4
+- Update keylime SELinux policy
+- Resolves: rhbz#2121058
+
+* Wed Aug 17 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-3
+- Add keylime-selinux policy as subpackage
+- See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+- Resolves: rhbz#2121058
+
+* Mon Jul 11 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-2
+- Fix efivar-libs dependency
+  Related: rhbz#2082989
+
+* Thu Jul 07 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-1
+- Update to 6.4.2
+  Related: rhbz#2082989
+
+* Tue Jun 21 2022 Sergio Correia <scorreia@redhat.com> - 6.4.1-1
+- Add keylime to RHEL-9
+  Resolves: rhbz#2082989