Hello Team, please check the below report: -------- Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM. Affects all versions of Keylime <6.4.0 Thanks
lifting embargo as it is public now. Ref: https://github.com/keylime/keylime/security/advisories/GHSA-jf66-3q76-h5p5
Created keylime tracking bugs for this issue: Affects: fedora-all [bug 2082162]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.