Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

keylime-config-6.4.1-3.1 RPM for noarch

From OpenSuSE Ports Tumbleweed for noarch

Name: keylime-config Distribution: openSUSE:Factory:zSystems
Version: 6.4.1 Vendor: obs://build.opensuse.org/openSUSE:Factory:zSystems
Release: 3.1 Build date: Thu Jun 30 13:20:26 2022
Group: Unspecified Build host: s390zl27
Size: 28597 Source RPM: keylime-6.4.1-3.1.src.rpm
Url: https://github.com/keylime/keylime
Summary: Configuration file for keylime
Subpackage of keylime for the shared configuration file of the agent
and the server components.

Provides

Requires

License

Apache-2.0 AND MIT

Changelog

* Wed Jun 29 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Conflict also rust-keylime for all the subpackages
* Thu Jun 23 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Remove user downgrade mechanism from the package (CVE-2022-31250, bsc#1200885)
* Thu Jun 23 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Add logrotate configuration for the services
  - Create run directory as non-root user
  - Conflict with rust-keylime
  - Consolidate in _distconfdir when possible
* Mon Jun 13 2022 aplanas@suse.com
  - Update to version v6.4.1:
    * Bump version for pypi
    * verifier: ensure that execptions caused by the agent result in a failure
    * tpm_main: add failure tagging to measured boot parsing
    * tpm_main: fix temp file handling in parse_binary_bootlog(..)
    * pylint: fix bad-option-value and implicit-str-concat warnings
    * ca: drop support for using CFSSL as a backend
    * ca_openssl_impl: add basic support for generating a CRL
    * config: change libefivar.so to libefivar.so.1
    * elchecking: add workaround for wrong GUID parsing
    * Add test /functional/measured-boot-swtpm-sanity to Packit CI plan
    * Fix order of parameters in an error message
    * pylint: remove usage of distutils because it is deprecated
    * ca_util: do not use deprecated setDeamon() call
    * elchecking: error if policy name is invalid, change default to reject-all
    * Simplify GitHub Actions used for code coverage processing
    * ima_dm: enable support for dm_target_update events
    * benchmark: remove benchmark code
    * ima: remove read_unpack(..) function
    * Fixes #996, by properly catching exceptions resulting from network problems on the verifier.
    * List tests in Packit-CI plan explicitly
    * contributing: add section about code style
    * fix git blame ignore entry for code style changes
    * Enable test /functional/basic-attestation-without-mtls
    * Defer loading PyZMQ to avoid optional dependency
    * Unify log messages about deleting agent from CV
    * Ignore reformat commit for git blame
    * Reformat Keylime with isort and black to new code style
    * Introducing pre-commit hook to enforce code style with isort and black
  - Drop already merged patches:
    * config-libefivars.diff
  - Drop cfssl dependency, as uses openssl only
  - Drop cfssl firewalld rule
* Mon May 23 2022 aplanas@suse.com
  - Update to version v6.4.0 (CVE-2022-1053, boo#1199253):
    * general: bump Keylime version to 6.4.0
    * tests: adjust tests to reflect latest API changes
    * api: bump version to 2.1
    * config: remove unused registrar mTLS options in cloud_verifier section
    * tenant, verifier: let the tenant provide the AK and mTLS certificate
    * Fix exit call in scripts/download_packit_coverage.sh
    * Added codecov.io description to TESTING.md
    * ci: only run CodeQL on the keylime directory and disable it for the webapp
    * Enable GitHub workflow integrating codecov.io
    * README: Fix and cleanup the install instructions
    * ima: add backport for dataclasses support for Python 3.6
    * ima: add info that device mapper validation is still experimental
    * add lark as a dependency
    * ima: integrate dm validator into gernal IMA validation
    * agentstates: add the option to load and store dm validator state
    * ima: add parser and validator for device mapper entries
    * ima_file_signatures: rename to file_signatures
    * ima_ast: rename to ast
    * ima: move IMA components into their own module
    * failure: add function to get current event ids
    * config: add more details for tpm_cert_store option
    * Deprecate API version 1.0
    * config, webapp: remove tls_check_hostnames option
    * ci: add CodeQL analysis
    * agent, tpm: remove is_vtpm() check
    * tests: update to reflect vTPM removal
    * remove vTPM related helper files and documentation
    * config: remove vTPM related options
    * tenant: remove vtpm_policy
    * verifier: remove vtpm_policy
    * remove REQUIRE_ROOT environment option
    * Remove Testing farm tag-repository
    * Bump required packaging module version to 20.0
    * Remove last traces of M2Crypto
    * Workaround for mock_open not supporting iteration in Python 3.6
* Wed May 18 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Fix "run_as" configuration parameter and set it to keylime:tss
  - Improve downgrade user migration during package update
* Wed Apr 13 2022 aplanas@suse.com
  - Update to version v6.3.2:
    * general: bump Keylime version to 6.3.2
    * tpm_main: flush transient objects
    * pypi: add notice that the Python API is unstable
    * installer: use OpenSSL by default
    * Avoid mounting secdir while unmounting it
    * remove TPM, VTPM and IMA stubbing support
    * archive: remove all archive files
    * Change GH reviewers to be from developer group
    * added suse / opensuse support with zypper
    * Fix tpm import in test_tpm.py
    * Fix cfssl configuration in run_tests.sh
    * tpm_emulator: improve TPM emulator installation
    * config: Add option to enable DB debugging via DEBUG_DB env var
    * Enable SQL query cache for JSONPickleType
    * tpm_emulator: move everything into systemd services
    * Implement broader key support for Keylime's signing mechanisms
    * tenant: Use exponential backoff on key verification retries
    * tenant: Move JSON parsing to capture possible exceptions
    * tenant: Move verifier stop from do_quote to do_verify
    * pylint: Fix issues related to W0602 global-variable-not-assigned
    * tenant: Handle 404 error from registrar gracefully
    * pylint: Fix remaining code with issue R1732 consider-using-with
    * pylint: Fix R1732 consider-using-with
    * pylint: Fix issue detected by pylint-2.13.0
    * pylint: Fix issue detected by pylint-2.13.0
    * tenant: verify agent quote before adding to verifier
    * README: remove tpm2-abrmd and OSX sections
    * pylint: Fix issues related to W0102 dangerous-default-value
    * pylint: Fix R0201 no-self-use
    * pylint: remove W1203 logging-format-interpolation from ignore list
    * pylint: remove R1729 use-a-generator from ignore list
    * pylint: remove E1120 no-value-for-parameter from ignore list
    * pylint: remove W1201 logging-not-lazy from ignore list
    * pylint: fix C0209 consider-using-f-string
    * pylint: fix C0201 consider-iterating-dictionary
    * pylint: fix W1509 subprocess-popen-preexec-fn
    * keylime_tenant non-zero exit code on error
    * Fix prepare step adjustments in packit-ci.fmf plan
    * failure: fix Pattern type hint
    * mypy: add initial Mypy configuration
    * ima_ast: add type hints
    * failure: add type hints
    * logging, config: add type hints for logging module
    * algorithms: add type hints
    * json: add type hints and add JSONType as custom type
    * Full allowlist processing when not adding host
    * provider, vTPM: remove vTPM manager and provider code
    * tpm: fix that the set of missing PCRs is not serializable in failure
    * Restores the option to use keylime agents without mTLS
    * services: make the services run as keylime user instead of root
    * State in --help that SHA-256 is used for --allowlist-checksum
    * config: change cacert.pem to cacert.crt
    * registrar_client: validate connections against registrar ca certificate
    * tenant: validate connections against verifier ca certificate
    * request_client: only add custom adapter if TLS is enabled
    * setup: add static assets for webapp
    * Add TESTING.md describing testing details
    * Fix some remaining log format strings
    * Fix for database_url parameter with sqlite
    * Enable test basic-attestation-with-unpriviledged-agent in Packit CI
    * Use lazy string formatting when logging (#535)
    * Make Packit CI plan more resource-saving
    * keylime.conf: Document setting ownership in WORK_DIR (/var/lib/keylime)
    * agent: Make sure tmpfs is empty even if not mounted or cannot unmount
    * agent: Drop privileges by switching to normal user and group
    * agent: Move mounting of tmpfs towards beginning of main()
    * agent: Read measured boot log near process start
    * agent: Open file for IMA log file near process start
    * ima: Refactor read_measurement_list() to take file as argument
    * Add the policy name to failure event
    * tpm_main: Check if tpm_cert_store exists (#553)
    * Remove tag input from container build workflow
    * Push container images to quay.io/keylime org
    * Enable code coverage measurement for e2e tests in Packit CI
    * config: fix config search order
    * Add defaults for ephemeral keys for agent records
    * Update outdated greetings Github messages
    * services: add keylime_agent_secure.mount service
    * installer.sh: updated tpm2-{tools, tss}, use system packages if possible
    * revocation_notifier: convert the data to str in the notifiers
    * revocation_notifier: mark webhook threads as daemon and add timeout
    * Fix Packit CI test plan Summary
    * Enable Packit CI testing on CentOS Stream 8
    * Enable Packit CI testing on Fedora Rawhide
    * Remove last trace of TPM 1.2 (hopefully)
    * verifier: remove start_tornado() function
    * verifier: wait for connections to be closed before stopping ioloop
    * revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
    * Add more e2e tests to Packit CI
    * Enable EPEL repo on CentOS Stream in packit.yaml
  - Drop already merged patches
    * drop_privileges_of_agent_process_after_startup.patch
    * config_fix_config_search_order.patch
    * services_add_keylime_agent_secure_mount_service.patch
* Thu Feb 24 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Add upstream patches:
    * drop_privileges_of_agent_process_after_startup.patch
    * config_fix_config_search_order.patch
    * services_add_keylime_agent_secure_mount_service.patch
  - Configure the agent to run as non-root (via keylime.conf)
  - Add keylime sysuser conf file and deploy as part of the tpm
    certificate subpackage
  - Prepare the systemd mount unit for /var/lib/keylime/secure
* Thu Feb 24 2022 aplanas@suse.com
  - Drop patches beacuse merged upstream:
    * version.diff
    * cloud_verifier_tornado-use-fork_processes.patch
  - Drop binaries not used anymore:
    * keylime_provider_platform_init
    * keylime_provider_registrar
    * keylime_provider_vtpm_add
  - Update to version v6.3.1:
    * revocation_notifier: mark webhook threads as daemon and add timeout
    * Fix Packit CI test plan Summary
    * Enable Packit CI testing on CentOS Stream 8
    * Enable Packit CI testing on Fedora Rawhide
    * Remove last trace of TPM 1.2 (hopefully)
    * verifier: remove start_tornado() function
    * verifier: wait for connections to be closed before stopping ioloop
    * revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
    * Add more e2e tests to Packit CI
    * Enable EPEL repo on CentOS Stream in packit.yaml
    * agent, crypto: add localhost, server and contact ip to agent certificate
    * Add better default repo path for run_local.sh
    * Fix incorrect variable name in test_restful
    * Run existing agent tests against the rust-keylime agent
    * Fix small wording mistakes caught while reading the code
    * agent: move key and certificate logging levels from debug to info
    * agent: allow absolute paths for rsa_keyname and mtls_cert
    * Add missing backend parameter
    * cloud_verifier_tornado: use fork_processes
    * ci: automatically push release to PyPI
    * setup.{py,cfg}: Move setup configuration to setup.cfg
    * Add iproute tool to Dockerfile
    * Pylint does not like single-line functions.
    * A small beauty fix
    * This is a small fix to proactively fix Issue #840 by identifying non-escaped double quotes in the tpm2-tools output
    * setup.py: add version number and new Python versions, drop unsed binaries
    * setup.py, config: install default configuration into package path
    * ci: move old keylime.conf to keylime.conf.orig before running tests
    * retry: fix pylint issue
    * Adding Infineon Optiga 034 RSA and ECC certificates for Infineon SLB9675 devices.
    * Ensure columns "mb_refstate" and "allowlist" are of type LONGTEXT in table "verifiermain"
    * tenant: add exponential backoff option to retry timings
    * cloud verifier: add exponential backoff option to retry timings
    * tpm: add exponential backoff option to retry timings
    * test, retry: add unit test for retry algorithm
    * common: add algorithm for retry time calculation
    * registrar, tpm_main: ensure that correct types are commited to DB.
    * Fix typo for config param listen_notifications
    * Lint is _really_ unhappy today.
    * Linty fixes
    * Adding a unit test file for tpm_main
    * tpm_main: check if PCRs for the hash algorithm are available
    * tpm_main: handle if tpm2_checkquote returns no PCRs for a hash algorithm
    * agent: output supported_version as result not as a status
    * Add missing subcommands to -c help message
    * tests: fix mtls_cert generation in test_restful.py
    * revocation_notifier: fix socket path permission check
    * Remove unused database_query config param
    * Move umask calls only on entry points
    * config: move directory utilities to fs_util
* Mon Feb 07 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Change back agent_uuid to hostname
  - Set tpm_hash_alg to sha256 by default
  - Update version.diff patch to point to the correct version number
  - Fix issue with Tornado, when multiple workers are started
    * Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)
* Thu Jan 27 2022 aplanas@suse.com
  - Drop patches beacuse merged upstream:
    * 0001-Drop-dataclasses-module-usage.patch
    * 0001-config-support-merge-multiple-config-files.patch
    * 0001-ca-support-back-old-cyptography-API.patch
  - Update to version v6.3.0:
    * Coordinated update to fix:
      + bsc#1193997 (CVE-2022-23948)
      + bsc#1193998 (CVE-2021-43310)
      + bsc#1194000 (CVE-2022-23949)
      + bsc#1194002 (CVE-2022-23950)
      + bsc#1194004 (CVE-2022-23951)
      + bsc#1194005 (CVE-2022-23952)
    * secure_mount: add umount function
    * secure_mount: use /proc/self/mountinfo
    * Validate user ID in all public interfaces
    * validators: add uuid and agent_id validators
    * validators: create validators module
    * revocation_notifier: move zmq socket to /var/run/keylime
    * Update API version from 1.0 to 2.0
    * tpm: do not compress quote with zlib by default
    * verifier: persist AK and mTLS certificate to DB
    * verifier: use "supported_version" for agent connections
    * tenant: add support for "supported_version" option for the verifier
    * api_version: add the option for basic validation
    * verifier: add supported_version field to DB and API
    * agent: add /version to REST API
    * verifier, tenant: allow agents to not use mTLS
    * tenant, verifier: allow manual configuration of agent mTLS
    * tests: migrate to mTLS
    * tenant: connect to the agent via mTLS
    * verifier: connect to the agent via mTLS
    * tornado_requests: handle SSLError
    * web_util: add mTLS context generation for agent
    * agent: Enable mTLS for agent REST API
    * crypto: add helper function for creating self signed certs
    * registrar: Allow the agent to registrar with a mTLS certificate
    * request_client: add workaround for handling certificates
    * request_client: add the option to ignore hostname validation
    * Better docs and errors about IMA hash mismatches
    * tests: use JSON instead Python string for IMA tests
    * verifier: use json.loads(..) instead of ast.literal_eval(..)
    * Adding Nuvoton certificate for a post 2020 TPM device. The EK cert
      of the device directs to the following download site:
      'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root
      CA 1111.cer' (yes, including the spaces)
    * Improve revocation notifier IP description in keylime.conf
    * tornado_requests: set Content-Type header correctly for JSON
    * tenant: post U key to agent with correct Content-Type header
    * Explicitly set permissions on new keylime.conf files installed
    * tpm_main: close file descriptor for aik handle
    * verifier: do not call finish() twice
    * agent: fix payload execution
    * tests: add initial tests for web_util module
    * config, web_util: move get_restful_params(..) to web_util
    * verifier: Also retry on HTTP 500 status code
    * agent: improve startup and shutdown
    * registrar: cleanup start function
    * web_util: move echo_json_response(..) out of config.py
    * verifier: fix failure generation for V key
    * tornado_requests: cleanup TornadoResponse class
    * web_util, verifier: move mTLS SSLContext generation into separate module
    * ca: support back old cyptography API
    * Fix test branch reference in packit.yaml
    * ci: disable DeprecationWarning from pylint in tox
    * Enable new test in Packit CI
    * tenant: fix reactivate command
    * config: support merge multiple config files
    * ci: use only fedora-stable for packit
    * elchecking: harden example policy against event type manipulation
    * elchecking: add new tests
    * tests: fix stdout formatting for agent and verifier
    * Drop dataclasses module usage
    * revocation notifier: handle shutdown of process gracefully
    * verifier: handle SIGINT and SIGTERM correctly
    * ima_emulator: fix IMA hash validation and add more options
    * ima_ast: fix handling ToMToU errors
    * Remove leftovers of TPM 1.2 support
    * agent: improved validation for post function
    * agent: better validation for mask and nonce
    * config: add function to validate hex strings
    * agent: keys/verify check if challenge was provided
    * tpm_main: do not append /usr/local/{bin,lib} to default env
    * db: only set length on Text type if supported
    * json: do not make sqlalchemy a hard requirement
    * Enable functional testing with Packit CI
    * ima_emulator: specify sys.argv as the named parameter argv in main()
    * elchecking example policy: make it work with Fedora 34
    * elchecking example policy: initrd* might be also called initramfs*
    * scripts: add mb_refstate generator for example policy
    * config: change tpm_hash_alg to SHA1 by default
    * parse_mb_bootlog: specify the used hash algorithm used for PCRs
    * agent: add warning that on kernels <5.10 IMA only works with SHA1
    * tpm: explicitly pass hash alg to sim_extend(..)
    * ima emulator: use IMA AST and support multiple hash algorithms
    * tests: update IMA allowlist version number
    * ima: add option 'log_hash_alg' to IMA allowlist
    * ima: remove hard requirement for SHA1 PCR 10
    * algorithms: extend Hash class to simplify computing hash values
    * config, tpm_main: explicitly handle YAML load errors
    * config: private_key must be set to -private.pem not -public.pem
    * agent: add UUID option environment
    * agent: drop openstack uuid option
* Tue Jan 25 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Set /var/lib/keylime under the same permissions expected by the code
* Tue Jan 18 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Add 0001-config-support-merge-multiple-config-files.patch
    This will allow the merge of config files in /usr/etc and /etc.
  - Move the configuration file to /usr/etc in new distributions
  - Add 0001-ca-support-back-old-cyptography-API.patch
    This is only required for SLE, but the API is compatible with new versions
* Tue Jan 11 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Add 0001-Drop-dataclasses-module-usage.patch, to support Python 3.6
* Tue Jan 11 2022 Alberto Planas Dominguez <aplanas@suse.com>
  - Fix cfssl bcond logic in Tumbleweed / SLE
* Mon Jan 10 2022 aplanas@suse.com
  - Update to version v6.2.1:
    * Another addition to gitignore
    * Update .gitignore with more Keylime-specific files
    * json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy
    * ima_ast: check if the PCR is the same as in the config
    * Fix permissions issue on volume mount in run_local.sh
    * Make run_local.sh use a local copy of the repo
    * Small updates to GOVERNANCE.md
    * Move cargo-tarpaulin install to separate command
    * config: drop registrar_* TLS options in [registrar] section
    * Fix missing && in Dockerfile
    * Remove simplejson from scripts and docs
    * Replace simplejson with built-in json module
    * Add rust-keylime container dependencies
    * config: fix getboolean with fallback
    * Clean up CI scripts and rewrite run_local.sh
    * ima: for ToMToU errors skip template content validation
    * ima: Use a set of entry numbers and file offsets to remember multiple positions
    * Rename CONTRIBUTORS.md to CONTRIBUTING.md
    * Update GOVERNANCE.md to match MAINTAINERS.md rename
    * Update MAINTAINERS
    * Update README: remove Gitter, Travis CI
    * ca: Use UTC when setting certificate validity
    * Tenant commands return json
    * scripts: Allow passing a base policy to create_policy tool
    * ima: Handle the case of ima-sig with a path with spaces in them
    * add length to string object
    * scripts: Implement create_policy to create the JSON allowlist from files
    * ima: Also add a sha256 default boot_aggregate hash with 64 '0's
    * ima: Use seek() to get to the last known last entry
    * ima: Extend allowlist to be able to handle generic ima-buf entries
    * ima: Extend JSON allowlist with 'ima' entry and 'ignored_keyrings'
    * ima: Populate verifier keyrings with keys taken from ima-buf log line
    * ima: Remove methods from ImaKeyring that are now in ImaKeyrings
    * ima: Start passing ima_keyrings through APIs replacing ima_keyring
    * Extend AgentAttestState with ima_keyrings field and use it
    * ima: Implement ImaKeyrings class to support multiple keyrings
    * verifier: Extend verifier DB to persist learned keyrings
    * Fix a couple of pylint errors
    * ima: Fix spurious attestation failures
    * ima: make ToMToU errors not a failure by default
    * Simple fix for tenant error message printout.
    * pylint: Fix errors related to R1714
    * pylint: Suppress C0201, C0209 and W0602 newly reported errors
    * installer: do not install tpm2-abrmd
    * tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd
    * verifier: add option to send revocation messages via webhook
* Wed Dec 15 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Fix keylime configuration file attributes
* Tue Dec 14 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Requires python-psutil
  - Disable automatic execution of the payload by default
  - Use ramdom UUID by default
* Wed Dec 08 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Introduce a bcond for cfssl detection
* Wed Dec 01 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Drop cfssl if we are not in openSUSE
* Thu Sep 16 2021 aplanas@suse.com
  - Update to version 6.2.0:
    * Fix bug #757 where revoc cert was treated as text
    * Code improvement: removal of extra dependencies in measured boot attestation (#755)
    * Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines.
    * tenant: show severity level and last event id in status
    * verifier: move to new failure architecture
    * pcr validation: move to new failure architecture
    * measured boot: move to new failure architecture
    * ima: move to new failure architecture
    * failure: add infrastructure to tag and collect revocation events in Keylime
    * Simulating use of SSLContext.minimum_version on ssl v3.6
    * verifier: fix minor typos
    * Add tests for ca_impl_cfssl and ca_util
    * Replace M2Crypto with python-cryptography
    * tenant: status now shows if a agent was added to the registrar
    * tenant: open file to send utf-8 encoded
    * Correct some comments about and remove vestige in MB policy
    * fixing a small bug that resulted in malformed refstates not failing MBA
    * agent: ensure that EK is in PEM format when used as uuid
    * Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734)
    * ci: build and publish container images
    * codestyle: fix W0612 and R1735 pylint errors
    * codestyle: fix W1514 pylint error
    * systemd: Add KillSignal=SIGINT to keylime_agent.service
    * One-liner to set the minimum version of TLS to v1.2
    * pylint fix
    * Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py
    * Refactor keylime_logging module
    * ima: Implement ima-buf validator and validate keys on keyrings (#725)
    * Remove Python 2 leftovers
    * Additional fix for the processing of "tpm_policy"
    * ima: Return an empty allowlist rather than a plain empty list
    * verifier: convert (v)tpm_policy in DB from string to JSONPickleType
    * verifier: Create AgentAttestState objects from entries in the db
    * verifier: Persist the IMA attestation state after running the log verification
    * db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries
    * verifier: Skip attestation one time if agent's boottime changed
    * test: Add test case simulating iterative attestation
    * verifier: Delete an AgentAttestState when deleting an agent
    * ima: Remember the number of lines successfully processed and last IMA PCR value(s)
    * ima: Reset the attestation if processing the measurement list fails
    * debug: Show line number when PCR match occurs
    * verifier: Extend AgentAttestState with state of the IMA PCR
    * Consult the AgentAttestState for the next measurement list entry
    * Introduce an AgentAttestState class for passing state through the APIs
    * verifier: Request IMA log at entry 0 for now
    * agent: Get boottime and transfer to verifier
    * agent: Add support for optional IMA log offset parameter
    * tests: Add a unit test for the IMA function and run it
    * agent: Move IMA measurement list reading function to ima.py
    * Add default verifier-check value
    * Use tox for pylint
    * Use Fedora 34 as base image for CI container
    * Run ci jobs only when needed
    * config: merge convert and list_convert into the same function
    * Versioned APIs
    * Refacator of check_pcrs to parse then validate (#716)
    * Automatically calculates the boot_aggregate from the measured boot log. (#713)
    * Set default UUID as lowercase (#699)
    * tenant: do_cvdelete wait until 404
    * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
    * ima: Convert pcrval to bytes to increase efficiency
    * tests: extend ima tests for signature validation and exclude lists
    * Allow agents to specify a contact ip address and port for the tenant and CV  (#690)
    * verifer: Fix signature and allowlist evaluation bahavior change
    * ima: Fix runtime error due to wrong datatype
    * tenant: add the option to specify the registrar ip and port
    * measured_boot: drop process_refstate
    * check_pcrs: match PCR if no mb_refstate is provided
    * ci: make run_local.sh work with newer docker versions
    * Fixing pylint errors (#698)
    * tests: add IMA test where validation should be ignored
    * ima: Use ima_ast for parsing and validation
    * tests: Add test for ima AST parser
    * ima: Introducing a AST for parsing and validation
    * Make stalebot a bit nicer
    * enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier
    * Flush all sessions from TPM device (#682)
    * multiple named verifiers sharing a single database
    * webapp: fix tls certs paths (#659)
    * Corrects markdown to have proper rendering (#673)
    * ima_file_signatures: Extract keyidv2 from x509 certs
    * installer: Add '-r' option to cp to copy directory (issue #671)
    * config: Add optional fallback parameter to get()
    * agent: Fix the usage of dmidecode during the agent startup (issue #664)
    * agent: Rename allowlist to ima_allowlist in keylime.conf
    * Fix decoding error in user_data_encrypt
    * agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list
    * Addresses issue #660 (database path while running local tests) (#665)
    * ima: Return 'None' when ImaKeyring.from_string() called with emtpy string
    * tests: Move unittests into files with suffix _test.py
    * Fixes and improvements for database configuration (#654)
    * Add signature verification support for local and remote IMA signature verification keys (#597)
    * install: Remove TPM 1.2 support from installer and bundeling scripts
    * CI/CD: Remove tpm1.2 testing support
    * Remove duplicated calls to verifier
    * Remove adding entropy to system rng
    * Cleanup and fix error case in encryptAIK (#648)
    * Move measured boot related code into functions to make check_pcrs readable (#642)
    * Move code related to tpm2_checkquote into its own function (#639)
    * scripts: Cleanup shell script formatting
    * installer.sh: Do not delete the local copy of the certificates.
    * Fix user_data_encrypt to UTF8 decode before print
    * tpm_abstract: Fix adding of entropy
    * codestyle: Ignore R1732 implemented by pylint >=2.8.0
    * a fix for letting JSON encoding bytes correctly
    * Adding back reglist to the list of commands that don't need a -t argument
    * Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624)
    * Addresses #436 (#611)
    * Fixes #620
    * Include PCR16 in the quote only when needed
    * Close leaking file descriptors (#622)
    * installer.sh: Add missing spaces when efivar is added
    * More ima_emulator_adapter cleanups (#616)
    * installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build
    * Remove more commented code in ca_util.py
    * installer: Only install efi library on x86_64 systems
    * Create allowlist table and basic API support
    * installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build
    * WIP: Some cleanups (#612)
    * Remove _cLime.c
    * config: Document the measured boot PCRs and what is using them
    * Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies"
    * ima_emulator_adapater: Remove unnecessary global statement
    * webapp: Fix private key and certificate path (issue #604)
    * Add support for keylime_webapp service to read intervals from keylime.conf
* Mon Jul 26 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Update to Keylime 6.1.1
    + keylime_tenant add crash with TypeError: Object of type 'bytes' is
      not JSON serializable
    + Whenever Keylime agent starts and cannot contact the registrar, it
      fails and quits without flushing create EK handles
    + keylime_tenant -c reglist now requires a "-t" parameter for no
      reason
    + Duplicated API calls to verifier in webapp backend
    + Installer deletes tpm_cert_store files
    + agent_uuid set to dmidecode crashes Keylime
    + Copying of tpm_cert_store fails during installation
    + If the PCR belong to a measured boot list, it is not validated
    + keylime_tenant --c update fails with a race condition
  - Drop patches already present in the new version
    + webapp-fix-tls-certs-paths.patch
    + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
    + tenant-do_cvdelete-wait-until-404.patch
* Wed Jul 21 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
* Mon Jul 19 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Adjust the default revocation notifier binding IP
  - Default to CFSSL in keylime.conf
* Wed Jul 14 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Add config-libefivars.diff to adjust the path of the library
* Thu Jul 08 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
    (gh#keylime/keylime!695)
  - Recommends CFSSL in the registrar (actually should be the CA)
  - Change default value for require_ek_cert to False
  - Reorder the patches to separate upstream fixes from openSUSE ones
* Thu Jun 10 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
  - Recommend dmidecode for the agent
  - Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
  - Add keylime.conf.diff patch to change the default config file
  - Add keylime.xml for firewalld service definition
* Tue Apr 27 2021 aplanas@suse.com
  - Update to version 6.1.0:
    * Update python cryptography lib to v3.3.2
    * installer.sh improvments
    * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
    * Fourth and final PR to address #491 (#580)
    * scripts: Also use pylint-3 if pylint is not installed
    * agent: Fix the checking for a specific error returned by tpm2_quote
    * Allowlist verification - Enhancement #16
    * Forgot to remove the original, more crude solution (which caused pylint errors)
    * New and improved code to fix issue #582
    * Consistent formatting for logging strings

Files

/usr/etc/keylime.conf


Generated by rpm2html 1.8.1

Fabrice Bellet, Mon Jul 18 23:13:12 2022