
keylime-registrar-6.3.0-150400.2.5 RPM for noarch

From OpenSuSE Leap 15.4 for noarch

Name: keylime-registrar
Version: 6.3.0
Release: 150400.2.5
Group: Unspecified
Size: 153
Packager: https://www.suse.com/
Url: https://github.com/keylime/keylime
Summary: Keylime registrar service
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC <https://www.suse.com/>
Build date: Sun May 8 06:53:35 2022
Build host: sheep66
Source RPM: keylime-6.3.0-150400.2.5.src.rpm
Subpackage of keylime for the registrar service.

Provides

Requires

License

Apache-2.0 AND MIT

Changelog

* Mon Feb 07 2022 aplanas@suse.com
  - Change back agent_uuid to hostname
  - Set tpm_hash_alg to sha256 by default
  - Update version.diff patch to point to the correct version number
  - Fix issue with Tornado, when multiple workers are started
    * Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)
* Thu Jan 27 2022 aplanas@suse.com
  - Drop patches because merged upstream:
    * 0001-Drop-dataclasses-module-usage.patch
    * 0001-config-support-merge-multiple-config-files.patch
    * 0001-ca-support-back-old-cyptography-API.patch
  - Update to version v6.3.0:
    * Coordinated update to fix:
      + bsc#1193997 (CVE-2022-23948)
      + bsc#1193998 (CVE-2021-43310)
      + bsc#1194000 (CVE-2022-23949)
      + bsc#1194002 (CVE-2022-23950)
      + bsc#1194004 (CVE-2022-23951)
      + bsc#1194005 (CVE-2022-23952)
    * secure_mount: add umount function
    * secure_mount: use /proc/self/mountinfo
    * Validate user ID in all public interfaces
    * validators: add uuid and agent_id validators
    * validators: create validators module
    * revocation_notifier: move zmq socket to /var/run/keylime
    * Update API version from 1.0 to 2.0
    * tpm: do not compress quote with zlib by default
    * verifier: persist AK and mTLS certificate to DB
    * verifier: use "supported_version" for agent connections
    * tenant: add support for "supported_version" option for the verifier
    * api_version: add the option for basic validation
    * verifier: add supported_version field to DB and API
    * agent: add /version to REST API
    * verifier, tenant: allow agents to not use mTLS
    * tenant, verifier: allow manual configuration of agent mTLS
    * tests: migrate to mTLS
    * tenant: connect to the agent via mTLS
    * verifier: connect to the agent via mTLS
    * tornado_requests: handle SSLError
    * web_util: add mTLS context generation for agent
    * agent: Enable mTLS for agent REST API
    * crypto: add helper function for creating self signed certs
    * registrar: Allow the agent to register with an mTLS certificate
    * request_client: add workaround for handling certificates
    * request_client: add the option to ignore hostname validation
    * Better docs and errors about IMA hash mismatches
    * tests: use JSON instead of a Python string for IMA tests
    * verifier: use json.loads(..) instead of ast.literal_eval(..)
    * Adding Nuvoton certificate for a post 2020 TPM device. The EK cert
      of the device directs to the following download site:
      'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root
      CA 1111.cer' (yes, including the spaces)
    * Improve revocation notifier IP description in keylime.conf
    * tornado_requests: set Content-Type header correctly for JSON
    * tenant: post U key to agent with correct Content-Type header
    * Explicitly set permissions on new keylime.conf files installed
    * tpm_main: close file descriptor for aik handle
    * verifier: do not call finish() twice
    * agent: fix payload execution
    * tests: add initial tests for web_util module
    * config, web_util: move get_restful_params(..) to web_util
    * verifier: Also retry on HTTP 500 status code
    * agent: improve startup and shutdown
    * registrar: cleanup start function
    * web_util: move echo_json_response(..) out of config.py
    * verifier: fix failure generation for V key
    * tornado_requests: cleanup TornadoResponse class
    * web_util, verifier: move mTLS SSLContext generation into separate module
    * ca: support back old cryptography API
    * Fix test branch reference in packit.yaml
    * ci: disable DeprecationWarning from pylint in tox
    * Enable new test in Packit CI
    * tenant: fix reactivate command
    * config: support merge multiple config files
    * ci: use only fedora-stable for packit
    * elchecking: harden example policy against event type manipulation
    * elchecking: add new tests
    * tests: fix stdout formatting for agent and verifier
    * Drop dataclasses module usage
    * revocation notifier: handle shutdown of process gracefully
    * verifier: handle SIGINT and SIGTERM correctly
    * ima_emulator: fix IMA hash validation and add more options
    * ima_ast: fix handling ToMToU errors
    * Remove leftovers of TPM 1.2 support
    * agent: improved validation for post function
    * agent: better validation for mask and nonce
    * config: add function to validate hex strings
    * agent: keys/verify check if challenge was provided
    * tpm_main: do not append /usr/local/{bin,lib} to default env
    * db: only set length on Text type if supported
    * json: do not make sqlalchemy a hard requirement
    * Enable functional testing with Packit CI
    * ima_emulator: specify sys.argv as the named parameter argv in main()
    * elchecking example policy: make it work with Fedora 34
    * elchecking example policy: initrd* might be also called initramfs*
    * scripts: add mb_refstate generator for example policy
    * config: change tpm_hash_alg to SHA1 by default
    * parse_mb_bootlog: specify the used hash algorithm used for PCRs
    * agent: add warning that on kernels <5.10 IMA only works with SHA1
    * tpm: explicitly pass hash alg to sim_extend(..)
    * ima emulator: use IMA AST and support multiple hash algorithms
    * tests: update IMA allowlist version number
    * ima: add option 'log_hash_alg' to IMA allowlist
    * ima: remove hard requirement for SHA1 PCR 10
    * algorithms: extend Hash class to simplify computing hash values
    * config, tpm_main: explicitly handle YAML load errors
    * config: private_key must be set to -private.pem not -public.pem
    * agent: add UUID option environment
    * agent: drop openstack uuid option
* Tue Jan 25 2022 aplanas@suse.com
  - Set /var/lib/keylime under the same permissions expected by the code
* Tue Jan 18 2022 aplanas@suse.com
  - Add 0001-config-support-merge-multiple-config-files.patch
    This will allow the merge of config files in /usr/etc and /etc.
  - Move the configuration file to /usr/etc in new distributions
  - Add 0001-ca-support-back-old-cyptography-API.patch
    This is only required for SLE, but the API is compatible with new versions
* Tue Jan 11 2022 aplanas@suse.com
  - Add 0001-Drop-dataclasses-module-usage.patch, to support Python 3.6
* Tue Jan 11 2022 aplanas@suse.com
  - Fix cfssl bcond logic in Tumbleweed / SLE
* Mon Jan 10 2022 aplanas@suse.com
  - Update to version v6.2.1:
    * Another addition to gitignore
    * Update .gitignore with more Keylime-specific files
    * json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy
    * ima_ast: check if the PCR is the same as in the config
    * Fix permissions issue on volume mount in run_local.sh
    * Make run_local.sh use a local copy of the repo
    * Small updates to GOVERNANCE.md
    * Move cargo-tarpaulin install to separate command
    * config: drop registrar_* TLS options in [registrar] section
    * Fix missing && in Dockerfile
    * Remove simplejson from scripts and docs
    * Replace simplejson with built-in json module
    * Add rust-keylime container dependencies
    * config: fix getboolean with fallback
    * Clean up CI scripts and rewrite run_local.sh
    * ima: for ToMToU errors skip template content validation
    * ima: Use a set of entry numbers and file offsets to remember multiple positions
    * Rename CONTRIBUTORS.md to CONTRIBUTING.md
    * Update GOVERNANCE.md to match MAINTAINERS.md rename
    * Update MAINTAINERS
    * Update README: remove Gitter, Travis CI
    * ca: Use UTC when setting certificate validity
    * Tenant commands return json
    * scripts: Allow passing a base policy to create_policy tool
    * ima: Handle the case of ima-sig with a path with spaces in them
    * add length to string object
    * scripts: Implement create_policy to create the JSON allowlist from files
    * ima: Also add a sha256 default boot_aggregate hash with 64 '0's
    * ima: Use seek() to get to the last known last entry
    * ima: Extend allowlist to be able to handle generic ima-buf entries
    * ima: Extend JSON allowlist with 'ima' entry and 'ignored_keyrings'
    * ima: Populate verifier keyrings with keys taken from ima-buf log line
    * ima: Remove methods from ImaKeyring that are now in ImaKeyrings
    * ima: Start passing ima_keyrings through APIs replacing ima_keyring
    * Extend AgentAttestState with ima_keyrings field and use it
    * ima: Implement ImaKeyrings class to support multiple keyrings
    * verifier: Extend verifier DB to persist learned keyrings
    * Fix a couple of pylint errors
    * ima: Fix spurious attestation failures
    * ima: make ToMToU errors not a failure by default
    * Simple fix for tenant error message printout.
    * pylint: Fix errors related to R1714
    * pylint: Suppress C0201, C0209 and W0602 newly reported errors
    * installer: do not install tpm2-abrmd
    * tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd
    * verifier: add option to send revocation messages via webhook
* Wed Dec 15 2021 aplanas@suse.com
  - Fix keylime configuration file attributes
* Tue Dec 14 2021 aplanas@suse.com
  - Requires python-psutil
  - Disable automatic execution of the payload by default
  - Use random UUID by default
* Wed Dec 08 2021 aplanas@suse.com
  - Introduce a bcond for cfssl detection
* Wed Dec 01 2021 aplanas@suse.com
  - Drop cfssl if we are not in openSUSE
* Thu Sep 16 2021 aplanas@suse.com
  - Update to version 6.2.0:
    * Fix bug #757 where revoc cert was treated as text
    * Code improvement: removal of extra dependencies in measured boot attestation (#755)
    * Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines.
    * tenant: show severity level and last event id in status
    * verifier: move to new failure architecture
    * pcr validation: move to new failure architecture
    * measured boot: move to new failure architecture
    * ima: move to new failure architecture
    * failure: add infrastructure to tag and collect revocation events in Keylime
    * Simulating use of SSLContext.minimum_version on ssl v3.6
    * verifier: fix minor typos
    * Add tests for ca_impl_cfssl and ca_util
    * Replace M2Crypto with python-cryptography
    * tenant: status now shows if an agent was added to the registrar
    * tenant: open file to send utf-8 encoded
    * Correct some comments about and remove vestige in MB policy
    * fixing a small bug that resulted in malformed refstates not failing MBA
    * agent: ensure that EK is in PEM format when used as uuid
    * Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734)
    * ci: build and publish container images
    * codestyle: fix W0612 and R1735 pylint errors
    * codestyle: fix W1514 pylint error
    * systemd: Add KillSignal=SIGINT to keylime_agent.service
    * One-liner to set the minimum version of TLS to v1.2
    * pylint fix
    * Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py
    * Refactor keylime_logging module
    * ima: Implement ima-buf validator and validate keys on keyrings (#725)
    * Remove Python 2 leftovers
    * Additional fix for the processing of "tpm_policy"
    * ima: Return an empty allowlist rather than a plain empty list
    * verifier: convert (v)tpm_policy in DB from string to JSONPickleType
    * verifier: Create AgentAttestState objects from entries in the db
    * verifier: Persist the IMA attestation state after running the log verification
    * db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries
    * verifier: Skip attestation one time if agent's boottime changed
    * test: Add test case simulating iterative attestation
    * verifier: Delete an AgentAttestState when deleting an agent
    * ima: Remember the number of lines successfully processed and last IMA PCR value(s)
    * ima: Reset the attestation if processing the measurement list fails
    * debug: Show line number when PCR match occurs
    * verifier: Extend AgentAttestState with state of the IMA PCR
    * Consult the AgentAttestState for the next measurement list entry
    * Introduce an AgentAttestState class for passing state through the APIs
    * verifier: Request IMA log at entry 0 for now
    * agent: Get boottime and transfer to verifier
    * agent: Add support for optional IMA log offset parameter
    * tests: Add a unit test for the IMA function and run it
    * agent: Move IMA measurement list reading function to ima.py
    * Add default verifier-check value
    * Use tox for pylint
    * Use Fedora 34 as base image for CI container
    * Run ci jobs only when needed
    * config: merge convert and list_convert into the same function
    * Versioned APIs
    * Refactor of check_pcrs to parse then validate (#716)
    * Automatically calculates the boot_aggregate from the measured boot log. (#713)
    * Set default UUID as lowercase (#699)
    * tenant: do_cvdelete wait until 404
    * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
    * ima: Convert pcrval to bytes to increase efficiency
    * tests: extend ima tests for signature validation and exclude lists
    * Allow agents to specify a contact ip address and port for the tenant and CV  (#690)
    * verifier: Fix signature and allowlist evaluation behavior change
    * ima: Fix runtime error due to wrong datatype
    * tenant: add the option to specify the registrar ip and port
    * measured_boot: drop process_refstate
    * check_pcrs: match PCR if no mb_refstate is provided
    * ci: make run_local.sh work with newer docker versions
    * Fixing pylint errors (#698)
    * tests: add IMA test where validation should be ignored
    * ima: Use ima_ast for parsing and validation
    * tests: Add test for ima AST parser
    * ima: Introducing an AST for parsing and validation
    * Make stalebot a bit nicer
    * enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier
    * Flush all sessions from TPM device (#682)
    * multiple named verifiers sharing a single database
    * webapp: fix tls certs paths (#659)
    * Corrects markdown to have proper rendering (#673)
    * ima_file_signatures: Extract keyidv2 from x509 certs
    * installer: Add '-r' option to cp to copy directory (issue #671)
    * config: Add optional fallback parameter to get()
    * agent: Fix the usage of dmidecode during the agent startup (issue #664)
    * agent: Rename allowlist to ima_allowlist in keylime.conf
    * Fix decoding error in user_data_encrypt
    * agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list
    * Addresses issue #660 (database path while running local tests) (#665)
    * ima: Return 'None' when ImaKeyring.from_string() called with empty string
    * tests: Move unittests into files with suffix _test.py
    * Fixes and improvements for database configuration (#654)
    * Add signature verification support for local and remote IMA signature verification keys (#597)
    * install: Remove TPM 1.2 support from installer and bundling scripts
    * CI/CD: Remove tpm1.2 testing support
    * Remove duplicated calls to verifier
    * Remove adding entropy to system rng
    * Cleanup and fix error case in encryptAIK (#648)
    * Move measured boot related code into functions to make check_pcrs readable (#642)
    * Move code related to tpm2_checkquote into its own function (#639)
    * scripts: Cleanup shell script formatting
    * installer.sh: Do not delete the local copy of the certificates.
    * Fix user_data_encrypt to UTF8 decode before print
    * tpm_abstract: Fix adding of entropy
    * codestyle: Ignore R1732 implemented by pylint >=2.8.0
    * a fix for letting JSON encoding bytes correctly
    * Adding back reglist to the list of commands that don't need a -t argument
    * Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624)
    * Addresses #436 (#611)
    * Fixes #620
    * Include PCR16 in the quote only when needed
    * Close leaking file descriptors (#622)
    * installer.sh: Add missing spaces when efivar is added
    * More ima_emulator_adapter cleanups (#616)
    * installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build
    * Remove more commented code in ca_util.py
    * installer: Only install efi library on x86_64 systems
    * Create allowlist table and basic API support
    * installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build
    * WIP: Some cleanups (#612)
    * Remove _cLime.c
    * config: Document the measured boot PCRs and what is using them
    * Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies"
    * ima_emulator_adapter: Remove unnecessary global statement
    * webapp: Fix private key and certificate path (issue #604)
    * Add support for keylime_webapp service to read intervals from keylime.conf
* Mon Jul 26 2021 aplanas@suse.com
  - Update to Keylime 6.1.1
    + keylime_tenant add crashes with TypeError: Object of type 'bytes' is
      not JSON serializable
    + Whenever Keylime agent starts and cannot contact the registrar, it
      fails and quits without flushing create EK handles
    + keylime_tenant -c reglist now requires a "-t" parameter for no
      reason
    + Duplicated API calls to verifier in webapp backend
    + Installer deletes tpm_cert_store files
    + agent_uuid set to dmidecode crashes Keylime
    + Copying of tpm_cert_store fails during installation
    + If the PCR belongs to a measured boot list, it is not validated
    + keylime_tenant --c update fails with a race condition
  - Drop patches already present in the new version
    + webapp-fix-tls-certs-paths.patch
    + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
    + tenant-do_cvdelete-wait-until-404.patch
* Wed Jul 21 2021 aplanas@suse.com
  - Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
* Mon Jul 19 2021 aplanas@suse.com
  - Adjust the default revocation notifier binding IP
  - Default to CFSSL in keylime.conf
* Wed Jul 14 2021 aplanas@suse.com
  - Add config-libefivars.diff to adjust the path of the library
* Thu Jul 08 2021 aplanas@suse.com
  - Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
    (gh#keylime/keylime!695)
  - Recommends CFSSL in the registrar (actually should be the CA)
  - Change default value for require_ek_cert to False
  - Reorder the patches to separate upstream fixes from openSUSE ones
* Thu Jun 10 2021 aplanas@suse.com
  - Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
  - Recommend dmidecode for the agent
  - Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
  - Add keylime.conf.diff patch to change the default config file
  - Add keylime.xml for firewalld service definition
* Tue Apr 27 2021 aplanas@suse.com
  - Update to version 6.1.0:
    * Update python cryptography lib to v3.3.2
    * installer.sh improvements
    * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
    * Fourth and final PR to address #491 (#580)
    * scripts: Also use pylint-3 if pylint is not installed
    * agent: Fix the checking for a specific error returned by tpm2_quote
    * Allowlist verification - Enhancement #16
    * Forgot to remove the original, more crude solution (which caused pylint errors)
    * New and improved code to fix issue #582
    * Consistent formatting for logging strings

Files

/usr/lib/systemd/system/keylime_registrar.service


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 15:53:55 2024