  1. RHEL
  2. RHEL-38409

Rebase keylime-agent-rust to version 0.2.5 or greater

    • Bug
    • Resolution: Unresolved
    • rhel-10.0.beta
    • rhel-10.0.beta
    • keylime-agent-rust
    • None
    • keylime-agent-rust-0.2.5-1.el10
    • None
    • None
    • Rebase
    • sst_security_special_projects
    • ssg_security
    • 24
    • None
    • QE ack, Dev ack
    • False
    • Yes
    • Red Hat Enterprise Linux
    • None
    • Rebase
      .`keylime-agent-rust` provided in version 0.2.5

      The `keylime-agent-rust` package, which contains the Keylime agent, is provided in version 0.2.5 in RHEL 10. This version offers important enhancements and bug fixes, most importantly the following:

      * Added support for Initial Device Identity (IDevID) and Initial Attestation Key (IAK) for device identity. The following configuration options have been added:
      `enable_iak_idevid`::: (default: `false`) Enables the use of IDevID and IAK certificates to identify the device.
      `iak_idevid_template`::: (default: `detect`) Specifies the template that sets the algorithms to be used for IDevID and IAK (defined in link:https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf[TPM 2.0 Keys for Identity and Attestation, section 7.3.4]). The `detect` keyword sets the template according to the algorithms used in the configured certificates.
      `iak_idevid_name_alg`::: (default: `sha256`) Specifies the digest algorithm used in IDevID and IAK. Used only if the `iak_idevid_template` option is not set as `detect`.
      `iak_idevid_asymmetric_alg`::: (default: `rsa`) Specifies the signing algorithm used in IDevID and IAK. Used only if the `iak_idevid_template` option is not set as `detect`.
      `iak_cert`::: (default: `default`) Specifies the path to the file that contains the X509 IAK certificate. The default path is `/var/lib/keylime/iak-cert.crt`.
      `idevid_cert`::: (default: `default`) Specifies the path to the file that contains the X509 IDevID certificate. The default path is `/var/lib/keylime/idevid-cert.crt`.
      * Configurable IMA and measured boot event log locations are supported by using the new `ima_ml_path` and `measuredboot_ml_path` configuration options.
      * Local DNS name, local IP, and configured contact IP are included as part of the Subject Alternative Name of the generated self-signed X509 certificate.
      * IPv6 addresses with or without brackets are supported in the `registrar_ip` configuration option.
      * Hexadecimal encoded values are supported in the `tpm_ownerpassword` configuration option.
      * TLS 1.3 is enabled in connections to the agent.
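
Added example, not from the release note or the Keylime code base: a Python check that resolves the effective IDevID/IAK settings from the defaults and rules listed above, and normalizes a `registrar_ip` IPv6 literal given with or without brackets. The function names, the already-parsed option dictionary, and treating a non-IP `registrar_ip` as an error are assumptions of this example.

```python
import ipaddress

# Defaults and default certificate paths as listed in the release note above.
DEFAULTS = {
    "enable_iak_idevid": False,
    "iak_idevid_template": "detect",
    "iak_idevid_name_alg": "sha256",
    "iak_idevid_asymmetric_alg": "rsa",
    "iak_cert": "default",
    "idevid_cert": "default",
}
DEFAULT_CERT_PATHS = {
    "iak_cert": "/var/lib/keylime/iak-cert.crt",
    "idevid_cert": "/var/lib/keylime/idevid-cert.crt",
}
ALG_OPTIONS = ("iak_idevid_name_alg", "iak_idevid_asymmetric_alg")


def effective_idevid_options(agent_opts):
    """Return (effective IDevID/IAK settings, notes) for a parsed option dict."""
    eff = dict(DEFAULTS)
    eff.update({k: v for k, v in agent_opts.items() if k in DEFAULTS})
    notes = []
    # The keyword "default" stands for the documented default path.
    for key, path in DEFAULT_CERT_PATHS.items():
        if eff[key] == "default":
            eff[key] = path
    # The algorithm options are used only when the template is not "detect".
    if eff["iak_idevid_template"] == "detect":
        for key in ALG_OPTIONS:
            if key in agent_opts:
                notes.append(f"{key} is ignored while iak_idevid_template = detect")
            eff[key] = None  # taken from the configured certificates instead
    return eff, notes


def registrar_host(value):
    """Normalize registrar_ip: IPv6 with or without brackets -> bracketed URL host."""
    bare = value.strip()
    if bare.startswith("[") and bare.endswith("]"):
        bare = bare[1:-1]
    # Assumption of this example: anything that is not an IP literal raises ValueError.
    addr = ipaddress.ip_address(bare)
    return f"[{addr}]" if addr.version == 6 else str(addr)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real agent configuration.
    sample = {"enable_iak_idevid": True, "iak_idevid_name_alg": "sha384"}
    print(effective_idevid_options(sample))
    print(registrar_host("2001:db8::10"), registrar_host("[2001:db8::10]"))
```
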
    • Done
    • None

      What were you trying to do that didn't work?

      A newer stable release is available upstream. This is about updating the keylime-agent-rust package to version 0.2.5 or greater.

      Please provide the package NVR for which bug is seen:

      keylime-agent-rust-0.2.2-3.el10

      How reproducible:

      Always

      Steps to reproduce

      1. Check the current available version of the keylime-agent-rust package

      Expected results

      A version greater than or equal to 0.2.5 is available

      Actual results

      The version 0.2.2 is available

              ansasaki@redhat.com Anderson Sasaki
              ansasaki@redhat.com Anderson Sasaki
              Sergio Correia
              Karel Srot
              Jan Fiala