From c75801409a87bdf2ee66c464e7c75579c94a1014 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Mon, 18 Nov 2024 15:51:33 +0100
Subject: [PATCH 1/7] Set log level for the keylime lib as well

Some of the log messages were moved from the keylime_agent to the keylime library. With these changes, the messages logged by the keylime library are also visible.

Signed-off-by: Anderson Toshiyuki Sasaki
---
 Library/test-helpers/lib.sh | 2 +-
 setup/install_rust_keylime_from_copr/test.sh | 2 +-
 setup/install_upstream_rust_keylime/test.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Library/test-helpers/lib.sh b/Library/test-helpers/lib.sh
index 8b30ebc2..d7dcb120 100644
--- a/Library/test-helpers/lib.sh
+++ b/Library/test-helpers/lib.sh
@@ -2382,7 +2382,7 @@ limeconRunAgent() {
 PUBLISH_PORTS="-P"
 fi
-local EXTRA_ARGS="--privileged $ADD_PORT $ADD_REV_PORT $PUBLISH_PORTS --volume=/sys/kernel/security/:/sys/kernel/security/:ro --volume=$TESTDIR:$TESTDIR -e RUST_LOG=keylime_agent=trace -e TCTI=device:/dev/tpmrm${limeTPMDevNo}"
+local EXTRA_ARGS="--privileged $ADD_PORT $ADD_REV_PORT $PUBLISH_PORTS --volume=/sys/kernel/security/:/sys/kernel/security/:ro --volume=$TESTDIR:$TESTDIR -e RUST_LOG=keylime_agent=trace,keylime=trace -e TCTI=device:/dev/tpmrm${limeTPMDevNo}"
 if [ -n "$CONFDIR" ]; then
 EXTRA_ARGS="--volume=${CONFDIR}:/etc/keylime/:z $EXTRA_ARGS"
diff --git a/setup/install_rust_keylime_from_copr/test.sh b/setup/install_rust_keylime_from_copr/test.sh
index 94134a6f..18d0d6b7 100755
--- a/setup/install_rust_keylime_from_copr/test.sh
+++ b/setup/install_rust_keylime_from_copr/test.sh
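Review bot: The RUST_LOG value `keylime_agent=trace,keylime=trace` added to EXTRA_ARGS here is now spelled out identically in three places — this hunk and the two systemd drop-in hunks in setup/install_rust_keylime_from_copr/test.sh and setup/install_upstream_rust_keylime/test.sh — so the next log target will again need three coordinated edits. Consider defining it once in lib.sh, e.g. `limeRustLogLevel="keylime_agent=trace,keylime=trace"`, and referencing `${limeRustLogLevel}` from the drop-in heredocs, assuming those setup scripts already source lib.sh. Trace level for the whole keylime library is also likely to be far more verbose than the agent-only setting; if the library traces request bodies or key material at that level, the captured test logs would carry it, which is worth confirming before those logs are kept as artifacts. limeconRunAgent begins before this hunk and continues past it.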
@@ -32,7 +32,7 @@ _EOF'
 rlRun "mkdir -p /etc/keylime/agent.conf.d"
 rlRun "cat > /etc/systemd/system/keylime_agent.service.d/20-rust_log_trace.conf <<_EOF
 [Service]
-Environment=\"RUST_LOG=keylime_agent=trace\"
+Environment=\"RUST_LOG=keylime_agent=trace,keylime=trace\"
 _EOF"
 # If the TPM_BINARY_MEASUREMENTS env var is set, set the binary
 # measurements location for the service
diff --git a/setup/install_upstream_rust_keylime/test.sh b/setup/install_upstream_rust_keylime/test.sh
index d7b639c8..18d02608 100755
--- a/setup/install_upstream_rust_keylime/test.sh
+++ b/setup/install_upstream_rust_keylime/test.sh
@@ -71,7 +71,7 @@ _EOF'
 rlRun "mkdir -p /etc/systemd/system/keylime_agent.service.d"
 rlRun "cat > /etc/systemd/system/keylime_agent.service.d/20-rust_log_trace.conf <<_EOF
 [Service]
-Environment=\"RUST_LOG=keylime_agent=trace\"
+Environment=\"RUST_LOG=keylime_agent=trace,keylime=trace\"
 _EOF"
 # If the TPM_BINARY_MEASUREMENTS env var is set, set the binary

From 02f80baca099373c19a770670d1569d134fb5ce0 Mon Sep 17 00:00:00 2001
From: Karel Srot
Date: Mon, 15 Jul 2024 16:05:45 +0200
Subject: [PATCH 2/7] Add another acceptable error message

---
 regression/CVE-2023-3674/test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/regression/CVE-2023-3674/test.sh b/regression/CVE-2023-3674/test.sh
index a2a3948d..32708d1a 100755
--- a/regression/CVE-2023-3674/test.sh
+++ b/regression/CVE-2023-3674/test.sh
@@ -79,7 +79,7 @@ rlJournalStart
 rlRun "cat malformed_quote > $ATTESTATION_FILE"
 rlRun -s "keylime_attest" 1
 rlAssertGrep "ERROR - Error verifying quote" "$rlRun_LOG"
-rlAssertGrep "raise InvalidSignature" "$rlRun_LOG"
+rlAssertGrep "(raise InvalidSignature|cryptography.exceptions.InvalidSignature)" "$rlRun_LOG" -E
 rlAssertGrep "The following agents failed attestation" "$rlRun_LOG"
 rlPhaseEnd

From 01a93829cc242b7854690535ece1d08d6c55a5ac Mon Sep 17 00:00:00 2001
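Review bot: In the widened pattern `(raise InvalidSignature|cryptography.exceptions.InvalidSignature)` that the regression/CVE-2023-3674/test.sh hunk now passes with `-E`, the unescaped dots are regex wildcards, so the second alternative matches more than the literal module path it is meant to accept. For a CVE regression check the exact form is preferable: `rlAssertGrep "(raise InvalidSignature|cryptography\.exceptions\.InvalidSignature)" "$rlRun_LOG" -E`. The enclosing phase starts before this hunk.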
From: Karel Srot
Date: Tue, 9 Apr 2024 16:12:06 +0200
Subject: [PATCH 3/7] Stop building tpm2-openssl provider if RPM exists

---
 .../test.sh | 29 ++++++++++++-------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/functional/iak-idevid-register-with-certificates/test.sh b/functional/iak-idevid-register-with-certificates/test.sh
index 134f9163..4d2787a2 100755
--- a/functional/iak-idevid-register-with-certificates/test.sh
+++ b/functional/iak-idevid-register-with-certificates/test.sh
@@ -28,21 +28,28 @@ rlJournalStart
 rlRun "limeWaitForTPMEmulator"
 rlRun "limeCondStartAbrmd"
 fi
+# start verifier so it generates TLS certs for the registrar
+if [ ! -d /var/lib/keylime/cv_ca ]; then
+rlRun "limeStartVerifier"
+rlRun "limeWaitForVerifier"
+rlRun "limeStopVerifier"
+fi
 rlPhaseEnd
-rlPhaseStartSetup "Install tpm2-openssl to generate csrs with TPM keys"
-rlRun "dnf -y install autoconf automake libtool m4 autoconf-archive openssl-devel tpm2-tss-devel"
-rlRun "wget -c ${TPM2_OPENSSL} -q -O - | tar -xz"
-rlRun "cd tpm2-openssl-1.2.0"
-rlRun "./configure"
-rlRun "make"
-rlRun "make install"
-#rlRun "make check"
-rlRun "cd .."
-rlPhaseEnd
+if ! rpm -q tpm2-openssl; then
+rlPhaseStartSetup "Build and install tpm2-openssl to generate csrs with TPM keys"
+rlRun "dnf -y install autoconf automake libtool m4 autoconf-archive openssl-devel tpm2-tss-devel"
+rlRun "wget -c ${TPM2_OPENSSL} -q -O - | tar -xz"
+rlRun "cd tpm2-openssl-1.2.0"
+rlRun "./configure"
+rlRun "make"
+rlRun "make install"
+#rlRun "make check"
+rlRun "cd .."
+rlPhaseEnd
+fi
 rlPhaseStartSetup "Create CA"
-rlRun "mkdir -p ca/intermediate && cp ${TESTDIR}/root.cnf ca/ && cp ${TESTDIR}/intermediate.cnf ca/intermediate/"
 # Update config files with correct path
 rlRun "sed -i \"/dir = ca/c dir = ${TMPDIR}/ca\" ca/root.cnf"

From a54fc43d4026ec85515135b7c711995042e131b2 Mon Sep 17 00:00:00 2001
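Review bot: The last removed line of this hunk, `rlRun "mkdir -p ca/intermediate && cp ${TESTDIR}/root.cnf ca/ && cp ${TESTDIR}/intermediate.cnf ca/intermediate/"`, disappears from the "Create CA" phase with no replacement in view, while the context line right after it still runs `sed -i ... ca/root.cnf`; unless that directory and config are now prepared somewhere outside the hunk, the sed and the rest of the CA phase fail on a missing file. If the deletion is unintended, restore the line; if the step was moved, the commit message should say where. Separately, the relocated build block still runs `wget -c ${TPM2_OPENSSL} -q -O - | tar -xz` followed by `make install` with no checksum or signature check, so the host installs whatever that URL serves; downloading to a file and verifying it with `sha256sum -c` against a recorded digest (a `<TPM2_OPENSSL_SHA256>` value taken from the project's release) would close that gap now that the build only runs when the RPM is absent. Also, `if ! rpm -q tpm2-openssl; then` prints the package NVR to stdout when installed; `rpm -q --quiet tpm2-openssl` keeps the phase log clean. Both phases touched here sit inside the rlJournalStart block that begins before the hunk.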
From: Isaac-Matthews
Date: Wed, 8 May 2024 06:01:24 -0500
Subject: [PATCH 4/7] change IDevID grep phrase check

Signed-off-by: Isaac-Matthews
---
 functional/iak-idevid-register-with-certificates/test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/functional/iak-idevid-register-with-certificates/test.sh b/functional/iak-idevid-register-with-certificates/test.sh
index 4d2787a2..ae33c772 100755
--- a/functional/iak-idevid-register-with-certificates/test.sh
+++ b/functional/iak-idevid-register-with-certificates/test.sh
@@ -141,7 +141,7 @@ rlJournalStart
 rlRun "limeStartAgent"
 # Agent can now register with IDevID and IAK getting verified
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
-rlAssertGrep "IDevID created" "$(limeAgentLogfile)"
+rlAssertGrep "(IDevID created|Recreating IDevID)" "$(limeAgentLogfile)" -E
 rlAssertGrep "AK certified with IAK" "$(limeAgentLogfile)"
 # Check the registrar used the IDevID and IAK code block
 rlAssertGrep "INFO - IDevID and IAK received" "$(limeRegistrarLogfile)"

From 275881a27a88ad5f901033ee96cac702205279d1 Mon Sep 17 00:00:00 2001
From: Isaac Matthews
Date: Tue, 16 Jul 2024 13:54:48 +0100
Subject: [PATCH 5/7] stop test being dependant on previous test

Signed-off-by: Isaac Matthews
---
 functional/iak-idevid-register-with-certificates/test.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/functional/iak-idevid-register-with-certificates/test.sh b/functional/iak-idevid-register-with-certificates/test.sh
index ae33c772..69e47ccf 100755
--- a/functional/iak-idevid-register-with-certificates/test.sh
+++ b/functional/iak-idevid-register-with-certificates/test.sh
@@ -137,6 +137,7 @@ rlJournalStart
 rlPhaseStartTest "Successful registration - IDevID and IAK certs verified, and IAK verifies AK"
 # Add CA to store
+rlRun "mkdir -p $TPM_CERTS"
 rlRun "cp ./ca/certs/klca-chain.cert.pem $TPM_CERTS/"
 rlRun "limeStartAgent"
 # Agent can now register with IDevID and IAK getting verified
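Review bot: The added `rlRun "mkdir -p $TPM_CERTS"` in the PATCH 5/7 hunk relies on TPM_CERTS being set, which nothing in the hunk guarantees; with it empty, mkdir fails for want of an operand and the next line's `cp ... $TPM_CERTS/` drops the CA chain into `/` rather than the cert store. A one-line guard at the top of the phase makes the independence this commit is after explicit: `[ -n "$TPM_CERTS" ] || rlDie "TPM_CERTS is not set"`; quoting the expansion, `rlRun "mkdir -p \"$TPM_CERTS\""`, also keeps a path with spaces intact. The rlPhaseStartTest block continues past the end of the hunk.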
From 264ff60bc65a9309e4ae2eca3cbd80deb03e688e Mon Sep 17 00:00:00 2001
From: Karel Srot
Date: Tue, 9 Apr 2024 16:12:06 +0200
Subject: [PATCH 6/7] Stop building tpm2-openssl provider if RPM exists

---
 functional/iak-idevid-register-with-certificates/main.fmf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/functional/iak-idevid-register-with-certificates/main.fmf b/functional/iak-idevid-register-with-certificates/main.fmf
index 5484c145..b27fdf4d 100644
--- a/functional/iak-idevid-register-with-certificates/main.fmf
+++ b/functional/iak-idevid-register-with-certificates/main.fmf
@@ -14,6 +14,7 @@ require:
 - xxd
 recommend:
 - keylime
+ - tpm2-openssl
 duration: 5m
 enabled: true
 adjust:

From 8574028c1d93e0fbbd68fbad7a874cbd850f9c4b Mon Sep 17 00:00:00 2001
From: Karel Srot
Date: Tue, 9 Apr 2024 14:29:07 +0200
Subject: [PATCH 7/7] Fix xxd requirement specification

---
 functional/iak-idevid-register-with-certificates/main.fmf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/functional/iak-idevid-register-with-certificates/main.fmf b/functional/iak-idevid-register-with-certificates/main.fmf
index b27fdf4d..82d96aca 100644
--- a/functional/iak-idevid-register-with-certificates/main.fmf
+++ b/functional/iak-idevid-register-with-certificates/main.fmf
@@ -11,7 +11,7 @@ framework: beakerlib
 require:
 - yum
 - tpm2-tools
- - xxd
+ - /usr/bin/xxd
 recommend:
 - keylime
 - tpm2-openssl