Bug 2138167
Summary: | agent fails IMA attestation when one scripts is executed quickly after the other | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | Karel Srot <ksrot> | |
Component: | keylime | Assignee: | Sergio Correia <scorreia> | |
Status: | CLOSED ERRATA | QA Contact: | Patrik Koncity <pkoncity> | |
Severity: | medium | Docs Contact: | Jan Fiala <jafiala> | |
Priority: | unspecified | |||
Version: | 9.0 | CC: | afarley, ansasaki, dueno, jafiala, lvrabec, pkoncity, scorreia | |
Target Milestone: | rc | Keywords: | Triaged, ZStream | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | keylime-6.5.2-1.el9 | Doc Type: | Bug Fix | |
Doc Text: |
.Keylime no longer fails attestation of systems that access multiple IMA-measured files
Previously, if a system that runs the Keylime agent accessed multiple files measured by the Integrity Measurement Architecture (IMA) in quick succession, the Keylime verifier incorrectly processed the IMA log additions. As a consequence, the running hash did not match the correct Platform Configuration Register (PCR) state, and the system failed attestation. This update fixes the problem and systems that quickly access multiple measured files no longer fail attestation.
|
Story Points: | --- | |
Clone Of: | ||||
: | 2142032 (view as bug list) | Environment: | ||
Last Closed: | 2023-05-09 07:45:11 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 2150830 | |||
Bug Blocks: | 2142032 |
Description
Karel Srot
2022-10-27 13:22:15 UTC
It turned out the issue is not limited to IMA sign verification keys but also when IMA hashes are used. Fixed in upstream through https://github.com/keylime/keylime/pull/1151 Impact: The agent fails attestation on quick-succession execution of scripts (i.e. script A is executed right after script B), even though script hashes are matching the allowlist. In a production environment where most of the filesystem gets measured this is very likely to happen. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (keylime bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2307 |