verifier seems to read registrar.conf #1446

kkaarreell · 2023-08-04T08:58:32Z

Is your issue a feature request? If so, please raise it as an enhancement

Environment

OS / version: Fedora 38
Processor architecture: x86_64
TPM Manufacturer: swtpm
Keylime version: upstream (901f22d)

Description

verifier log suggests that the verifier is reading registrar.conf and there is also some output that suggests (even though it may not be true) db settings is loaded. This is not happening with registrar.

keylime_verifier[3357]: INFO:keylime.config:Reading configuration from ['/etc/keylime/logging.conf']
keylime_verifier[3357]: 2023-08-02 08:02:50.325 - keylime.config - INFO - Reading configuration from ['/etc/keylime/verifier.conf']
keylime_verifier[3357]: 2023-08-02 08:02:50.326 - keylime.failure - INFO - Severity configuration set
keylime_verifier[3357]: 2023-08-02 08:02:50.326 - keylime.keylime_db - INFO - database_url is set, using it to establish database connection
keylime_verifier[3357]: 2023-08-02 08:02:50.326 - keylime.keylime_db - INFO - database_url is set as 'sqlite' keyword, using default values to establish database connection
keylime_verifier[3357]: 2023-08-02 08:02:50.331 - keylime.config - INFO - Reading configuration from ['/etc/keylime/registrar.conf']
keylime_verifier[3357]: 2023-08-02 08:02:50.408 - keylime.keylime_db - INFO - database_url is set, using it to establish database connection
keylime_verifier[3357]: 2023-08-02 08:02:50.409 - keylime.keylime_db - INFO - database_url is set as 'sqlite' keyword, using default values to establish database connection
keylime_verifier[3357]: 2023-08-02 08:02:50.409 - alembic.env - INFO - Migrating database cloud_verifier
keylime_verifier[3357]: 2023-08-02 08:02:50.410 - alembic.runtime.migration - INFO - Context impl SQLiteImpl.
keylime_verifier[3357]: 2023-08-02 08:02:50.410 - alembic.runtime.migration - INFO - Will assume non-transactional DDL.
keylime_verifier[3357]: 2023-08-02 08:02:50.416 - keylime.measured_boot - DEBUG - mba.elchecking.elchecker: policy names = ['accept-all', 'reject-all']
keylime_verifier[3357]: 2023-08-02 08:02:50.417 - keylime.keylime.cmd_exec - DEBUG - Executing command "tpm2_startup --version"
keylime_verifier[3357]: 2023-08-02 08:02:50.423 - keylime.elparsing - DEBUG - mba.elparser.tpm2_tools_elparser: TPM2-TOOLS 5.4 detected.
keylime_verifier[3357]: 2023-08-02 08:02:50.423 - keylime.verifier - WARNING - The configuration upgrade templates path /usr/share/keylime/templates does not exist
keylime_verifier[3357]: 2023-08-02 08:02:50.433 - keylime.verifier - INFO - Starting Cloud Verifier (tornado) on port 8881, use <Ctrl-C> to stop
keylime_verifier[3357]: 2023-08-02 08:02:50.433 - keylime.verifier - INFO - Current API version 2.1
keylime_verifier[3357]: 2023-08-02 08:02:50.433 - keylime.verifier - INFO - Supported older API versions: 1.0, 2.0
keylime_verifier[3357]: 2023-08-02 08:02:50.433 - keylime.verifier - INFO - Deprecated API versions (soon to be removed): 1.0
keylime_verifier[3357]: 2023-08-02 08:02:50.433 - keylime.verifier - INFO - Setting up TLS...
keylime_verifier[3357]: 2023-08-02 08:02:50.433 - keylime.config - INFO - Reading configuration from ['/etc/keylime/ca.conf']

Expected behavior vs. actual behavior

registrar.conf won't be read

Steps to reproduce problem

start verifier and see the log

The text was updated successfully, but these errors were encountered:

ansasaki · 2023-08-11T13:36:02Z

I believe this was introduced in 383c56a:

keylime/keylime/cloud_verifier_tornado.py

Line 54 in 25c1aa0

    
           rmc = record.get_record_mgt_class(config.get("registrar", "durable_attestation_import", fallback=""))

maugustosilva · 2023-08-11T18:57:07Z

ooops, that is squarely on me. Thanks for diagnosing @ansasaki, I will have a PR soon.

Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>

The verifier should read "durable attestation" backend imports from verifier.conf (and NOT from registrar.conf) Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>

Single-line fix for keylime#1446 The verifier should read "durable attestation" backend imports from verifier.conf (and NOT from registrar.conf) Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>

Single-line fix for #1446 The verifier should read "durable attestation" backend imports from verifier.conf (and NOT from registrar.conf) Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>

THS-on added the bug label Aug 5, 2023

THS-on self-assigned this Aug 5, 2023

maugustosilva pushed a commit to maugustosilva/keylime that referenced this issue Aug 23, 2023

Single-line fix for keylime#1446

88fd788

Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>

aplanas mentioned this issue Aug 23, 2023

verifier: should read parameters from verifier.conf only #1458

Merged

maugustosilva closed this as completed Aug 23, 2023

kkaarreell mentioned this issue Apr 5, 2024

keylime_tenant seems to read verifier.conf #1541

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

verifier seems to read registrar.conf #1446

verifier seems to read registrar.conf #1446

kkaarreell commented Aug 4, 2023

ansasaki commented Aug 11, 2023

maugustosilva commented Aug 11, 2023

verifier seems to read registrar.conf #1446

verifier seems to read registrar.conf #1446

Comments

kkaarreell commented Aug 4, 2023

Environment

Description

Expected behavior vs. actual behavior

Steps to reproduce problem

ansasaki commented Aug 11, 2023

maugustosilva commented Aug 11, 2023