Tags: ansasaki/keylime
Update runtime_ima.rst

1. Update the url of create_allowlist.sh
2. Update the usage of create_allowlist.sh

Signed-off-by: Coiby Xu <[email protected]>
Merge pull request keylime#743 from THS-on/agent-hash-ek

agent: ensure that EK is in PEM format when used as uuid
tenant: do_cvdelete waits until 404

do_cvdelete sends a delete request, and if it receives a 202 response (accepted), it actively iterates until the next get receives a 200 or 404. The issue is that a get of 200 implies that the object is still available, which causes the "update" operation to fail a bit later (update is a delete followed by an add, and this last action will fail if the object is still present).

This patch changes the active polling to consider the agent deleted only when a 404 is received.

Fix keylime#711

Signed-off-by: Alberto Planas <[email protected]>
Update python cryptography lib to v3.3.2

Fixes issue keylime#581

Signed-off-by: Michael Peters <[email protected]>
Remove TPM1.2 specifics from README (keylime#561)

Signed-off-by: Luke Hinds <[email protected]>
Fix CVE-2021-3406

This ensures we verify the EK and AIK we get from the agent before trusting signatures by it.

Advisory: GHSA-78f8-6c68-375m
For details, see https://patrick.uiterwijk.org/blog/tpm2-attestation-keylime-vulnerability

Signed-off-by: Patrick Uiterwijk <[email protected]>
Signed-off-by: Michael Peters <[email protected]>
ima: Count for bad file signatures in separate error field

Extend the err array with another field and account for bad file signatures in err[3]. We move prior usage of err[3] to err[4] where the good entries are counted and now sum over 4 error fields rather than 3.

Signed-off-by: Stefan Berger <[email protected]>
ima: Return None in case there was no keyring in the DB

This patch fixes the following issue on the verifier side when no string representation of an IMA keyring is found in the DB.

2021-01-20 15:58:55.083 - keylime.tpm2 - INFO - TPM2-TOOLS Version: 5.0
2021-01-20 15:58:55.084 - keylime.cloudverifier - ERROR - list indices must be integers or slices, not str
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/keylime-0.0.0-py3.8.egg/keylime/cloud_verifier_tornado.py", line 437, in invoke_get_quote
    if cloud_verifier_common.process_quote_response(agent, json_response['results']):
  File "/usr/local/lib/python3.8/site-packages/keylime-0.0.0-py3.8.egg/keylime/cloud_verifier_common.py", line 202, in process_quote_response
    ima_keyring = ima_file_signatures.ImaKeyring.from_string(agent['ima_sign_verification_keys'])
  File "/usr/local/lib/python3.8/site-packages/keylime-0.0.0-py3.8.egg/keylime/ima_file_signatures.py", line 200, in from_string
    for der_key in ImaKeyring._base64_to_der_keylist(obj['pubkeys']):
TypeError: list indices must be integers or slices, not str

Signed-off-by: Stefan Berger <[email protected]>