Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-104571

Incorrect keylime tpmfiles.d configuration

Linking RHIVOS CVEs to...Migration: Automation ...RHELPRIO AssignedTeam ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • rhel-10.1
    • rhel-10.1
    • keylime
    • None
    • keylime-7.12.1-7.el10
    • No
    • Important
    • 1
    • rhel-security-special-projects
    • 23
    • 1
    • QE ack
    • False
    • False
    • Hide

      None

      Show
      None
    • No
    • SECENGSP Cycle 24
    • Release Note Not Required
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      What were you trying to do that didn't work?

      The issue appears when keylime is installed during an update of existing image mode system (without keylime).

      1. /usr/share/keylime/tpm_cert_store has incorrect ownership

      1. ls -ld /usr/share/keylime/tpm_cert_store/
        dr-x------. 2 984 keylime 1341 Jan 1 1970 /usr/share/keylime/tpm_cert_store/

      This is because it is not listed in the tmpfiles.d  config file at all.

      2. /var/lib/keylime/tpm_cert_store is empty
      root@vm-10-0-184-59 ~]# ls -ld /var/lib/keylime/tpm_cert_store
      dr-x------. 2 keylime keylime 6 Jul 21 08:38 /var/lib/keylime/tpm_cert_store
      [root@vm-10-0-184-59 ~]# ls -l /var/lib/keylime/tpm_cert_store
      total 0

      The configuration is

      1. Files inside /var/lib/keylime/tpm_cert_store/ have
      2. 0400 permission and are owned by keylime/keylime,
      3. while /var/lib/keylime/tpm_cert_store/ itself has
      4. permission 0500, also owned by keylime/keylime.
        C /var/lib/keylime/tpm_cert_store 0500 keylime keylime - /usr/share/keylime/cert_store_dir

        Notice that the directory is /usr/share/keylime/tpm_cert_store/ but in the tmpfiles.d configuration you have /usr/share/keylime/cert_store_dir

      Also, 
      it won\'t work anyway due to
       

      1. systemd-tmpfiles --create /usr/lib/tmpfiles.d/keylime.conf /usr/lib/tmpfiles.d/keylime.conf:20: Duplicate line for path "/var/lib/keylime/tpm_cert_store", ignoring.
         
        We need to also remove previous definition at line 3
         
        d /var/lib/keylime/tpm_cert_store 0500 keylime keylime -
         
         
        and then it works

        What is the impact of this issue to you?

      keylime is not able to access TPM certificates

      Please provide the package NVR for which the bug is seen:

      keylime-7.12.1-6.el10
      keylime-7.12.1-6.el9

      How reproducible is this bug?:

      always

      Steps to reproduce

      For issue 2:

      1. install keylime
      2. delete /var/lib/keylime/tpm_cert_store
      3. reboot
      4. observe the directory is absent

      Expected results

      1. /var/lib/keylime/tpm_cert_store exists and is populated with a content from /usr/share/keylime/tpm_cert_store
      2. /usr/share/keylime/tpm_cert_store has correct ownership in image mode

      Actual results

              scorreia@redhat.com Sergio Correia
              ksrot@redhat.com Karel Srot
              Sergio Correia Sergio Correia
              Karel Srot Karel Srot
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: