Security improvements to Keylime #854
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For most certificates we do not care about the hostname Signed-off-by: Thore Sommer <mail@thson.de>
SSLContext in Python only takes a file path, so we dump the certificate into a temporary file before using it. Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
All connections to the agent require a mTLS connection using the Keylime CA deployed on the agent. Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
This is done in order to allow upgrading the server side first. The next minor version will drop support for it. Signed-off-by: Thore Sommer <mail@thson.de>
This returns now the version supported by the agent. Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
This allows the verifier to start the attestation of an agent again after a restart of the verifier without connecting the the registrar first. Signed-off-by: Thore Sommer <mail@thson.de>
Pythons zlib decompression has no mitigations against zip bombs or similar attacks, so we remove the compression for the quote data. The data itself is rather small compared to the IMA or UEFI event log. Signed-off-by: Thore Sommer <mail@thson.de>
Keylime will drop support for 1.0 after the initial upgrade to 2.0 Changes from 1.0: - mTLS authentication against the agent is now required. - The verifier API now has the field supported_version for indicating which API version the agent supports. This API version is then used for the communication between the verifier and the agent. - Agents are expected to implemented a /version API endpoint to allow other components to querry supported API versions. - Quote data is no longer compressed. Signed-off-by: Thore Sommer <mail@thson.de>
Currently we are placing the zmq IPC socket in /tmp, that can be accessed by all the users. This patch moves the socket into /var/run/keylime, making sure that the directory is created and present with the correct user permissions. Signed-off-by: Alberto Planas <aplanas@suse.com>
Move from the config module some validators, and create the validators module. Add tests for them. Signed-off-by: Alberto Planas <aplanas@suse.com>
Add valid_uuid and valid_agent_id validators, and tests for both. Signed-off-by: Alberto Planas <aplanas@suse.com>
The user ID is read from the config file, or from some public REST API. We should validate that is composed with valid set of chars. Signed-off-by: Alberto Planas <aplanas@suse.com>
The function `check_mounted()` is parsing the output of the `mount` command. This command can have an unknown number of spaces, that can break the parsing logic (and produces security issues) This commit take the mount information data from `/proc/self/mountinfo`, that is more friendly parsed as it will escape the spaces. Signed-off-by: Alberto Planas <aplanas@suse.com>
The `mount` function is called several times in different places in the code, but it takes care of not mounting the secure directory if is already present. The problem is that this is never umounted. This patch add the `umount` function, and update the `mount` one to track when a mount point needs to be umounted. Also adjust the keylime_agent exit point to make sure that the `umount` function is called at the end. Signed-off-by: Alberto Planas <aplanas@suse.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains fixes for the following issues:
The Keylime API version is increased to v2.0 and the agent now requires a Keylime CA certificate (which is by default the cv_ca) to validate connections from the verifier and tenant.
6.3 will be the only new version that still supports API v1.0.
Thanks to @mgerstner, @aplanas, @maugustosilva, @mpeters and @THS-on for finding, developing and/or testing those changes.