Bug 2138167 - agent fails IMA attestation when one script is executed quickly after the other
Summary: agent fails IMA attestation when one script is executed quickly after the other
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: keylime
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Sergio Correia
QA Contact: Patrik Koncity
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On: 2150830
Blocks: 2142032
Reported: 2022-10-27 13:22 UTC by Karel Srot
Modified: 2023-05-09 14:48 UTC
CC: 7 users

Fixed In Version: keylime-6.5.2-1.el9
Doc Type: Bug Fix
Doc Text:
.Keylime no longer fails attestation of systems that access multiple IMA-measured files
Previously, if a system that runs the Keylime agent accessed multiple files measured by the Integrity Measurement Architecture (IMA) in quick succession, the Keylime verifier incorrectly processed the IMA log additions. As a consequence, the running hash did not match the correct Platform Configuration Register (PCR) state, and the system failed attestation. This update fixes the problem and systems that quickly access multiple measured files no longer fail attestation.
Clone Of:
Clones: 2142032
Environment:
Last Closed: 2023-05-09 07:45:11 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links:
- GitHub keylime/keylime pull 1151 (Merged): ima: Fix log evaluation on quick-succession execution of scripts (last updated 2022-11-10 14:51:25 UTC)
- Red Hat Issue Tracker RHELPLAN-137877 (last updated 2022-10-31 09:38:17 UTC)
- Red Hat Issue Tracker SECENGSP-4857 (last updated 2022-10-31 09:38:21 UTC)
- Red Hat Product Errata RHBA-2023:2307 (last updated 2023-05-09 07:45:34 UTC)

Description Karel Srot 2022-10-27 13:22:15 UTC
Description of problem:

We have a test scenario where keylime is configured to use two IMA sign verification keys to verify IMA file signatures. This scenario is automated in

https://github.com/RedHat-SP-Security/keylime-tests/tree/main/functional/multiple-files-with-ima-signature

What is happening is that on a system with a HW TPM, the agent fails attestation when two scripts, each signed using a different key, are executed. After that the system fails attestation. The problem doesn't appear when only one of the scripts is executed.

The issue is present with keylime-agent-rust installed (it is not reproducible with the upstream Python agent).
Also, for some reason, we didn't encounter the problem on a system with QEMU/swtpm.

Version-Release number of selected component (if applicable):
keylime-6.5.0-1.el9

How reproducible:


Steps to Reproduce:
1. Configure the system to use IMA signatures, e.g. using
https://github.com/RedHat-SP-Security/keylime-tests/blob/main/setup/configure_kernel_ima_module/ima_policy_signing.fmf
2. Run the automated test
https://github.com/RedHat-SP-Security/keylime-tests/tree/main/functional/multiple-files-with-ima-signature


Actual results:
The system fails attestation.

# ./test.sh 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Do the keylime setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 09:08:47 ] :: [  BEGIN   ] :: Running 'rlImport "./test-helpers"'
:: [ 09:08:47 ] :: [   INFO   ] :: rlImport: Found './test-helpers' during upwards traversal
:: [ 09:08:47 ] :: [   INFO   ] :: rlImport: Will try to import ./test-helpers from /root/keylime-tests/./Library/test-helpers/lib.sh
:: [ 09:08:47 ] :: [   INFO   ] :: found dependencies: ''
uid=11235(limetester) gid=11235(limetester) groups=11235(limetester)
keylime-selinux-6.5.1-1.el9_1.noarch
keylime-agent-rust-0.1.0-1.el9.x86_64
keylime-base-6.5.0-1.el9.x86_64
python3-keylime-6.5.0-1.el9.x86_64
keylime-registrar-6.5.0-1.el9.x86_64
keylime-tenant-6.5.0-1.el9.x86_64
keylime-verifier-6.5.0-1.el9.x86_64
keylime-6.5.0-1.el9.x86_64
:: [ 09:08:47 ] :: [   PASS   ] :: Command 'rlImport "./test-helpers"' (Expected 0, got 0)
keylime-6.5.0-1.el9.x86_64
:: [ 09:08:47 ] :: [   PASS   ] :: Checking for the presence of keylime rpm 
:: [ 09:08:47 ] :: [   LOG    ] :: Package versions:
:: [ 09:08:47 ] :: [   LOG    ] ::   keylime-6.5.0-1.el9.x86_64
:: [ 09:08:47 ] :: [   INFO   ] :: using '/var/tmp/beakerlib-uxEVDtm/backup-limeConf' as backup destination
:: [ 09:08:47 ] :: [  BEGIN   ] :: Running 'limeUpdateConf tenant require_ek_cert False'
/etc/keylime/tenant.conf:
[tenant]
require_ek_cert = False
:: [ 09:08:48 ] :: [   PASS   ] :: Command 'limeUpdateConf tenant require_ek_cert False' (Expected 0, got 0)
:: [ 09:08:48 ] :: [  BEGIN   ] :: Running 'limeUpdateConf revocations enabled_revocation_notifications '[]''
/etc/keylime/verifier.conf:
[revocations]
enabled_revocation_notifications = []
:: [ 09:08:48 ] :: [   PASS   ] :: Command 'limeUpdateConf revocations enabled_revocation_notifications '[]'' (Expected 0, got 0)
:: [ 09:08:48 ] :: [  BEGIN   ] :: Running 'limeUpdateConf verifier quote_interval 2'
/etc/keylime/verifier.conf:
[verifier]
quote_interval = 2
:: [ 09:08:48 ] :: [   PASS   ] :: Command 'limeUpdateConf verifier quote_interval 2' (Expected 0, got 0)
:: [ 09:08:48 ] :: [  BEGIN   ] :: Running 'limeUpdateConf agent enable_revocation_notifications false'
/etc/keylime/agent.conf:
[agent]
enable_revocation_notifications = false
:: [ 09:08:48 ] :: [   PASS   ] :: Command 'limeUpdateConf agent enable_revocation_notifications false' (Expected 0, got 0)
:: [ 09:08:53 ] :: [  BEGIN   ] :: Running 'limeStartVerifier'
.
:: [ 09:08:54 ] :: [   PASS   ] :: Command 'limeStartVerifier' (Expected 0, got 0)
:: [ 09:08:54 ] :: [  BEGIN   ] :: Running 'limeWaitForVerifier'
:: [ 09:08:54 ] :: [   INFO   ] :: rlWaitForSocket: Waiting max 20s for socket `8881' to start listening
:: [ 09:08:55 ] :: [   INFO   ] :: rlWaitForSocket: Wait successful!
:: [ 09:08:56 ] :: [   PASS   ] :: Command 'limeWaitForVerifier' (Expected 0, got 0)
:: [ 09:08:56 ] :: [  BEGIN   ] :: Running 'limeStartRegistrar'
.
:: [ 09:08:57 ] :: [   PASS   ] :: Command 'limeStartRegistrar' (Expected 0, got 0)
:: [ 09:08:57 ] :: [  BEGIN   ] :: Running 'limeWaitForRegistrar'
:: [ 09:08:57 ] :: [   INFO   ] :: rlWaitForSocket: Waiting max 20s for socket `8891' to start listening
:: [ 09:08:58 ] :: [   INFO   ] :: rlWaitForSocket: Wait successful!
:: [ 09:08:58 ] :: [   PASS   ] :: Command 'limeWaitForRegistrar' (Expected 0, got 0)
:: [ 09:08:58 ] :: [  BEGIN   ] :: Running 'limeStartAgent'
.
:: [ 09:08:59 ] :: [   PASS   ] :: Command 'limeStartAgent' (Expected 0, got 0)
:: [ 09:08:59 ] :: [  BEGIN   ] :: Running 'limeWaitForAgentRegistration d432fbb3-d2f1-4a97-9ef7-75bd81c00000'
Reading configuration from ['/etc/keylime/logging.conf']
2022-10-27 09:09:05.035 - keylime.tpm - INFO - TPM2-TOOLS Version: 5.2
Reading configuration from ['/etc/keylime/tenant.conf']
2022-10-27 09:09:05.039 - keylime.tenant - INFO - Setting up client TLS...
2022-10-27 09:09:05.039 - keylime.tenant - INFO - Using default client_cert option for tenant
2022-10-27 09:09:05.039 - keylime.tenant - INFO - Using default client_key option for tenant
2022-10-27 09:09:05.117 - keylime.tenant - INFO - TLS is enabled.
2022-10-27 09:09:05.208 - keylime.tenant - INFO - {"code": 200, "status": "Agent d432fbb3-d2f1-4a97-9ef7-75bd81c00000 exists on registrar 127.0.0.1 port 8891.", "results": {"d432fbb3-d2f1-4a97-9ef7-75bd81c00000": {"aik_tpm": "ARgAAQALAAUAcgAAABAAFAALCAAAAAAAAQDRGSCLhze50Az2JW2ezTXVe3K0oiRIbGDCVI5jWO7oxGqfNOQFscIP7Uzh/a3jbP3s3L0k5RGJ/nHOE9znKOKxFRYeg9xwK5ExAfAFaHIBBElyeW5uTf++JJDl8Tsv26bXlcbbBEZqWEfdpzOi8HMwYm63yBDKg9j+afEEe675ZxPoX9NTThIE9T2z2wZ+d+ada99rxe0KsvT1sucfB1j80BR5eyQyBC8aricYM/u5KwGpf9MyOITNXouJGImdZUlCqxcRI/bcy9jFzadK7V6Ox0/ebWt6x/HRLdaFio3cpSoTVG0adRhBycL1ptwkm2Nc154IMPsA4yp8644b+NPX", "ek_tpm": "AToAAQALAAMAsgAgg3GXZ0SEs/gakMyNRqXXJP1S124GUgtk8qHaGzMUaaoABgCAAEMAEAgAAAAAAAEA4CmiqK9vnBC0ql4RjBt0/YCCuiqc6Rq/Hwf1OJplJ9XolCGFFCMgS3pMbFI/KeOTmAoXkOtjHFxCJXaLKjMtWHbHzGTJEpnNtqjfMBXX5LIwjBqUDv3y5Fd6p1a1+fH2DVUfjYGO6KsYTvZ9rZ4pwzhMSpLmJHy9zC1lOlK+qsQq3b5PoxN8jVk4VaogeO1DOZ7uQ0zJoBREKcaGMpf1En/XUrwJue4ktzYtRuBQKWD4CEo/TQwgPynYTzlyb6ZAzT3+71hYIMrLH/HUQWQFtUJ52rinQYW8yaAf/ctpskBwQ7ctbFWRrq26VujxwON/SZOufLO7NSK20ix2nU93DQ==", "ekcert": "...", "mtls_cert": "-----BEGIN CERTIFICATE-----\nMIIC1zCCAb+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDDCRkNDMy\nZmJiMy1kMmYxLTRhOTctOWVmNy03NWJkODFjMDAwMDAwHhcNMjIxMDI3MTIwNzM4\nWhcNMjMxMDE4MTIwNzM4WjAvMS0wKwYDVQQDDCRkNDMyZmJiMy1kMmYxLTRhOTct\nOWVmNy03NWJkODFjMDAwMDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCpo7h0t/TeU5hetR2mwd8BXDmrKNdV/3iAm461MCW7QCWwJEhZDbBNd4tyT3q3\nVbdjtTiPY9hP5b4tymaJUyqUTjr0SzOmHFNas6WPlblb9RNhPD+B96xjrPKmuocG\nufw6/WDKVQiPEvtIuQTu9YWqN0Y4csyK2PWQ8fv/mFO3KS8lLSykWiE/T3LfIvof\n8PjwsM6Am4uHRQApXNUCIa1r7UZPcOsKLt4YvqF8vYjiejQSr8jUAcZrZOJfSkEB\nUshyVhf+gBsq9kfyoM1ymP2qsH6A2gdxmdq9wamhOOPWl7HcBqMrPgdpRUF99mjL\ncbtqPxwouHkrKKUa6CDar02RAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIZswu8O\nDipoIe2PvfdfT74pMxYqmcd4YfoRBpe0Z90qs+w+v1ijK3+S7Hpc0klMAV0ZaIhh\ngNAuqG/w/pLSrYw547KFsYHJcpMUQ/8d4O9A82tt37QuxftraQXDMyV/1Ma9Ug33\ndnPXfHh4NAIYMusCkM9RwKzrxv8DF8BVugA4+LfeaJX3e7TquwR2CWj6hxqrPdHz\nv87ah6MP5OHY6XHu6b8vXU7kLFqYwUJ9+MKudqoDCqj+uXXNuiPjHTP9p9HQq3VH\nEQ6yaRFLABWcgsb7XBiAtTxYGvyWfYIodmpOnv7vL+0FzC5YUE83Kcwqkg+p/H42\nO8JfZFBF4+qM6Vs=\n-----END CERTIFICATE-----\n", "ip": "127.0.0.1", "port": 9002, "regcount": 1, "operational_state": "Registered"}}}
:: [ 09:09:05 ] :: [   PASS   ] :: Command 'limeWaitForAgentRegistration d432fbb3-d2f1-4a97-9ef7-75bd81c00000' (Expected 0, got 0)
:: [ 09:09:05 ] :: [  BEGIN   ] :: Running 'pushd /keylime-tests/multiple-files-with-ima-signature-OPPUy'
/keylime-tests/multiple-files-with-ima-signature-OPPUy ~/keylime-tests/functional/multiple-files-with-ima-signature
:: [ 09:09:05 ] :: [   PASS   ] :: Command 'pushd /keylime-tests/multiple-files-with-ima-signature-OPPUy' (Expected 0, got 0)
Writing allowlist to /keylime-tests/multiple-files-with-ima-signature-OPPUy/allowlist.txt with sha256sum...
:: [ 09:09:05 ] :: [  BEGIN   ] :: Running 'limeInstallIMAKeys first_key /keylime-tests/multiple-files-with-ima-signature-OPPUy'
........+...+....+......+...+..+...+.+...+...+..................+......+...........+...+.......+...+.....+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+...........+...+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+....+..+.+..............+.+..................+..+.............+..+.......+............+.....+.+.....+...............+...+......+.........+......+.+...+.........+........+.......+...+..+.......+......+...+...........+...+...+....+........+...+.........+....+.........+...+..+...+....+...+..+........................+.+.....+....+......+......+.....+...+...................+...+........+....+..+.+..+...+.......................................+..........+...........+....+...+..+.+..+......+..........+..+..........+............+..+....+.....+.......+...+..+............+...............+.+..+....+.....+...+..........+..+.............+..+...+...+............+.+..............+...+...+.......+.................+.+.....+....+........+....+......+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...+.........+......+.+.....+...+............+.........+...+.+......+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+...+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*............+......+.+.....+.........+..........+..+....+...+.....+.+..+...+..........+..+....+......+..+............+.+..+.+.....+...............+.+.........+.........+.....+...+.......+........+....+...+........+.......+..+................+.........+.....+.+........+.......+...+..+...+....+...+...+..+.........+...+......+....+.....+...............+.+...........+...+...+...+....+..+..........+.........+.....+....+..+.+............+.....+.+..+.............+...........+....+.....+.+........+.........................+...+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
writing RSA key
total 12
-rw-------. 1 root root 1704 Oct 27 06:59 privkey_evm.pem
-rw-r--r--. 1 root root  892 Oct 27 06:59 x509_evm.der
-rw-r--r--. 1 root root  451 Oct 27 06:59 x509_evm.pem
:: [ 09:09:05 ] :: [   PASS   ] :: Command 'limeInstallIMAKeys first_key /keylime-tests/multiple-files-with-ima-signature-OPPUy' (Expected 0, got 0)
:: [ 09:09:05 ] :: [  BEGIN   ] :: Running 'limeInstallIMAKeys second_key /keylime-tests/multiple-files-with-ima-signature-OPPUy'
.+......+....+.....+......+...+.........+..................+...+..........+..+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+........+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+...............+....+.........+........+.........................+..+.......+...+...+..............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+............+..+..................+...+....+...+..+...+.........+.........+.+........+.+......+...............+..............+....+..+....+......+...+.....+...+.......+...+..+..........+...+..+......+.+.....+......+.......+...+............+......+.....+.......+..............+................+.............................+....+..+...+....+.....+...+....+..............+....+...+.................+...+....+...............+...+...........+......+...+.+.....+...............+......+....+...............+..+.........+......+...+.+.........+.....+...............+.........+.............+..+................+..+..........+..+..........+..+....+......+......+..+...+...................+........+.+..............+...+...+.+...+..+...............+......+..................+....+...+...+......+...+..+.........+.+.....+.+..+......+....+..+...............+.+...+.....+......+....+......+...+..+...+.......+...+.....+..........+...........+.......+..+...+....+......+.....+....+......+.....+...+............+...............+...+.........+.+......+........+.+............+..+...+............+......+...................+...+.....+....+........+......+.+...+......+..+.........+...+.+......+.........+..+..........+..+..........+...+........+..........+...........+.....................+....+...+.....+............+..........+...+.....+......+.+...+...+.....+...+....+.....+.+.................+...+.+......+........+.......+...+......+.....+...+.+............+.........+.....+......+...+......+...+...+....+.....+...+...+..........+..+...+..........+...+............+..+.+.....+...............+.......+...+..+.......+...+..................+.....+.+......+.....+..........+..+......+..........+......+..............+...................+............+...+........+..........+.....+...+.+.....+.........+......+..........+.....+......+....+.............
.......+...+.+..............+...............+.+..+...+.+...+..+.+...............+...+.........+..+......+....+.....+.+...+.....+....+..+....+...........+...+.......+......+..............+...+.............+.....+...+...............+.+.....+.+...+...........+......+.............+......+........+...+....+.....+.+...+......+........+.+.........+...........+.+..............+......+...+.......+.....+.............+.....+...+...+....+..+...+......+............+...+.+......+.........+...+......+.........+............+...+..+...+..........+......+.....+....+..+...+.......+.....+...+...............+...+...+..........+..+...+....+.....+..........+........+...+.......+..+...+....+...+...+..+.......+.....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
writing RSA key
total 12
-rw-------. 1 root root 1704 Oct 27 06:59 privkey_evm.pem
-rw-r--r--. 1 root root  892 Oct 27 06:59 x509_evm.der
-rw-r--r--. 1 root root  451 Oct 27 06:59 x509_evm.pem
:: [ 09:09:06 ] :: [   PASS   ] :: Command 'limeInstallIMAKeys second_key /keylime-tests/multiple-files-with-ima-signature-OPPUy' (Expected 0, got 0)
:: [ 09:09:06 ] :: [  BEGIN   ] :: Running 'cat > script_first.sh <<_EOF
#!/bin/bash
echo "Hello one!"
_EOF'
:: [ 09:09:06 ] :: [   PASS   ] :: Command 'cat > script_first.sh <<_EOF
#!/bin/bash
echo "Hello one!"
_EOF' (Expected 0, got 0)
:: [ 09:09:06 ] :: [  BEGIN   ] :: Running 'cat > script_second.sh <<_EOF
#!/bin/bash
echo "Hello two!"
_EOF'
:: [ 09:09:06 ] :: [   PASS   ] :: Command 'cat > script_second.sh <<_EOF
#!/bin/bash
echo "Hello two!"
_EOF' (Expected 0, got 0)
:: [ 09:09:06 ] :: [  BEGIN   ] :: Running 'chmod a+rx script_first.sh'
:: [ 09:09:06 ] :: [   PASS   ] :: Command 'chmod a+rx script_first.sh' (Expected 0, got 0)
:: [ 09:09:06 ] :: [  BEGIN   ] :: Running 'evmctl ima_sign -k privkey_first_key.pem script_first.sh'
hash(sha256): ea510421851c5d8e4384b319527c71a8beaa6888a600b1116af14c5abf93029c
evm/ima signature: 264 bytes
:: [ 09:09:06 ] :: [   PASS   ] :: Command 'evmctl ima_sign -k privkey_first_key.pem script_first.sh' (Expected 0, got 0)
:: [ 09:09:06 ] :: [  BEGIN   ] :: Running 'getfattr -m ^security.ima --dump script_first.sh'
# file: script_first.sh
security.ima=0sAwIEd9tXZwEAhcY87GDRaihnNOb5iuQSa+FouMeM+8G9bnYGE31syDZ+NgCzjRCGUjnQ3pPfBbC50fqNIt1qXMDiypP7Svjs3wVMSVIN6O3MutxTv/I29x5kGxid6tGRWZUqg1fFside55EhYBg8S/yQXGLxWX5wztdxX3xF6H9+kbP0/T1nDrB+IMlLcCfPJPsq+rJygIazHSH+klt2G5UVyTHxAr3roFtb2au9N15v+rhwM2MiQMS3vxRRC2KKPr7m+5OokMvdR39KEONT8kizJc4RjaeOXcMUJt5ql4Yh1L7u8yEODCwWghqWCXtPCJu2KuZRjbxI9ffTh+vhbIgVLCp/uXxjNA==

:: [ 09:09:06 ] :: [   PASS   ] :: Command 'getfattr -m ^security.ima --dump script_first.sh' (Expected 0, got 0)
:: [ 09:09:06 ] :: [  BEGIN   ] :: Running 'chmod a+rx script_second.sh'
:: [ 09:09:06 ] :: [   PASS   ] :: Command 'chmod a+rx script_second.sh' (Expected 0, got 0)
:: [ 09:09:06 ] :: [  BEGIN   ] :: Running 'evmctl ima_sign -k privkey_second_key.pem script_second.sh'
hash(sha256): 68600e8b222f36e4ddfdb3eb831a03bf83a877f439c5642ec88200bfa45e5b12
evm/ima signature: 264 bytes
:: [ 09:09:06 ] :: [   PASS   ] :: Command 'evmctl ima_sign -k privkey_second_key.pem script_second.sh' (Expected 0, got 0)
:: [ 09:09:06 ] :: [  BEGIN   ] :: Running 'getfattr -m ^security.ima --dump script_second.sh'
# file: script_second.sh
security.ima=0sAwIE7LF2mgEARKO5hXJR4pyQKh8l27sntb6nCEg8ahAVKGESY2MxZIFvn7zPLf7NExoC37ijXlo2wMTJz7QOF8E2pzzlkgSb1ZjBTxvAYJgmsahlKF9Qi/u/r8mVh11/TuyZdDP/2ABD+aEvHSi2IulEKt7Kp/BNgCp8AUQX3gGvjkeq8CJOvchDyCIgMbg3xJJQwt13tmEd1bByb+jY/anW8v74A3btcbenYssqRGvIMOR2kAXg8JHXbbL+9K/LmeZam5WNIMeDkqbrrA+tWA/5vtlw/8CM66KK4baSrxDcFmM91OKWA66kDnrqCrdBBGWSPWfHvoClAJIZ1fg8ztaFVDwNeuLuGw==

:: [ 09:09:06 ] :: [   PASS   ] :: Command 'getfattr -m ^security.ima --dump script_second.sh' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 20s
::   Assertions: 23 good, 0 bad
::   RESULT: PASS (Do the keylime setup)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Add keylime agent with keys
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 09:09:07 ] :: [  BEGIN   ] :: Running 'keylime_tenant -u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 --allowlist allowlist.txt --exclude excludelist.txt -f excludelist.txt --sign_verification_key  x509_first_key.pem --sign_verification_key x509_second_key.pem  -c add'
Reading configuration from ['/etc/keylime/logging.conf']
2022-10-27 09:09:08.002 - keylime.tpm - INFO - TPM2-TOOLS Version: 5.2
Reading configuration from ['/etc/keylime/tenant.conf']
2022-10-27 09:09:08.006 - keylime.tenant - INFO - Setting up client TLS...
2022-10-27 09:09:08.006 - keylime.tenant - INFO - Using default client_cert option for tenant
2022-10-27 09:09:08.006 - keylime.tenant - INFO - Using default client_key option for tenant
2022-10-27 09:09:08.085 - keylime.tenant - INFO - TLS is enabled.
2022-10-27 09:09:08.350 - keylime.tenant - INFO - TPM PCR Mask from policy is 0x0
<Response [200]>
2022-10-27 09:09:10.646 - keylime.tenant - WARNING - DANGER: EK cert checking is disabled and no additional checks on EKs have been specified with ek_check_script option. Keylime is not secure!!
2022-10-27 09:09:10.646 - keylime.tenant - INFO - Quote from 127.0.0.1 validated
:: [ 09:09:11 ] :: [   PASS   ] :: Command 'keylime_tenant -u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 --allowlist allowlist.txt --exclude excludelist.txt -f excludelist.txt --sign_verification_key  x509_first_key.pem --sign_verification_key x509_second_key.pem  -c add' (Expected 0, got 0)
:: [ 09:09:11 ] :: [  BEGIN   ] :: Running 'limeWaitForAgentStatus d432fbb3-d2f1-4a97-9ef7-75bd81c00000 'Get Quote''
Reading configuration from ['/etc/keylime/logging.conf']
2022-10-27 09:09:16.603 - keylime.tpm - INFO - TPM2-TOOLS Version: 5.2
Reading configuration from ['/etc/keylime/tenant.conf']
2022-10-27 09:09:16.607 - keylime.tenant - INFO - Setting up client TLS...
2022-10-27 09:09:16.608 - keylime.tenant - INFO - Using default client_cert option for tenant
2022-10-27 09:09:16.608 - keylime.tenant - INFO - Using default client_key option for tenant
2022-10-27 09:09:16.686 - keylime.tenant - INFO - TLS is enabled.
2022-10-27 09:09:16.780 - keylime.tenant - INFO - {"code": 200, "status": "Agent d432fbb3-d2f1-4a97-9ef7-75bd81c00000 exists on registrar 127.0.0.1 port 8891.", "results": {"d432fbb3-d2f1-4a97-9ef7-75bd81c00000": {"aik_tpm": "ARgAAQALAAUAcgAAABAAFAALCAAAAAAAAQDRGSCLhze50Az2JW2ezTXVe3K0oiRIbGDCVI5jWO7oxGqfNOQFscIP7Uzh/a3jbP3s3L0k5RGJ/nHOE9znKOKxFRYeg9xwK5ExAfAFaHIBBElyeW5uTf++JJDl8Tsv26bXlcbbBEZqWEfdpzOi8HMwYm63yBDKg9j+afEEe675ZxPoX9NTThIE9T2z2wZ+d+ada99rxe0KsvT1sucfB1j80BR5eyQyBC8aricYM/u5KwGpf9MyOITNXouJGImdZUlCqxcRI/bcy9jFzadK7V6Ox0/ebWt6x/HRLdaFio3cpSoTVG0adRhBycL1ptwkm2Nc154IMPsA4yp8644b+NPX", "ek_tpm": "AToAAQALAAMAsgAgg3GXZ0SEs/gakMyNRqXXJP1S124GUgtk8qHaGzMUaaoABgCAAEMAEAgAAAAAAAEA4CmiqK9vnBC0ql4RjBt0/YCCuiqc6Rq/Hwf1OJplJ9XolCGFFCMgS3pMbFI/KeOTmAoXkOtjHFxCJXaLKjMtWHbHzGTJEpnNtqjfMBXX5LIwjBqUDv3y5Fd6p1a1+fH2DVUfjYGO6KsYTvZ9rZ4pwzhMSpLmJHy9zC1lOlK+qsQq3b5PoxN8jVk4VaogeO1DOZ7uQ0zJoBREKcaGMpf1En/XUrwJue4ktzYtRuBQKWD4CEo/TQwgPynYTzlyb6ZAzT3+71hYIMrLH/HUQWQFtUJ52rinQYW8yaAf/ctpskBwQ7ctbFWRrq26VujxwON/SZOufLO7NSK20ix2nU93DQ==", "ekcert": "...", "mtls_cert": "-----BEGIN CERTIFICATE-----\nMIIC1zCCAb+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDDCRkNDMy\nZmJiMy1kMmYxLTRhOTctOWVmNy03NWJkODFjMDAwMDAwHhcNMjIxMDI3MTIwNzM4\nWhcNMjMxMDE4MTIwNzM4WjAvMS0wKwYDVQQDDCRkNDMyZmJiMy1kMmYxLTRhOTct\nOWVmNy03NWJkODFjMDAwMDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCpo7h0t/TeU5hetR2mwd8BXDmrKNdV/3iAm461MCW7QCWwJEhZDbBNd4tyT3q3\nVbdjtTiPY9hP5b4tymaJUyqUTjr0SzOmHFNas6WPlblb9RNhPD+B96xjrPKmuocG\nufw6/WDKVQiPEvtIuQTu9YWqN0Y4csyK2PWQ8fv/mFO3KS8lLSykWiE/T3LfIvof\n8PjwsM6Am4uHRQApXNUCIa1r7UZPcOsKLt4YvqF8vYjiejQSr8jUAcZrZOJfSkEB\nUshyVhf+gBsq9kfyoM1ymP2qsH6A2gdxmdq9wamhOOPWl7HcBqMrPgdpRUF99mjL\ncbtqPxwouHkrKKUa6CDar02RAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIZswu8O\nDipoIe2PvfdfT74pMxYqmcd4YfoRBpe0Z90qs+w+v1ijK3+S7Hpc0klMAV0ZaIhh\ngNAuqG/w/pLSrYw547KFsYHJcpMUQ/8d4O9A82tt37QuxftraQXDMyV/1Ma9Ug33\ndnPXfHh4NAIYMusCkM9RwKzrxv8DF8BVugA4+LfeaJX3e7TquwR2CWj6hxqrPdHz\nv87ah6MP5OHY6XHu6b8vXU7kLFqYwUJ9+MKudqoDCqj+uXXNuiPjHTP9p9HQq3VH\nEQ6yaRFLABWcgsb7XBiAtTxYGvyWfYIodmpOnv7vL+0FzC5YUE83Kcwqkg+p/H42\nO8JfZFBF4+qM6Vs=\n-----END CERTIFICATE-----\n", "ip": "127.0.0.1", "port": 9002, "regcount": 1, "operational_state": "Registered"}}}
2022-10-27 09:09:16.882 - keylime.tenant - INFO - Agent Info:
{"d432fbb3-d2f1-4a97-9ef7-75bd81c00000": {"operational_state": "Get Quote", "v": "IBI0OEMlR9lHxTDnRAFlOF7jOAgoq4/v4nH9KbM7Qek=", "ip": "127.0.0.1", "port": 9002, "tpm_policy": "{\"mask\": \"0x400\"}", "meta_data": "{}", "allowlist_len": 6, "mb_refstate_len": 0, "accept_tpm_hash_algs": ["sha512", "sha384", "sha256", "sha1"], "accept_tpm_encryption_algs": ["ecc", "rsa"], "accept_tpm_signing_algs": ["ecschnorr", "rsassa"], "hash_alg": "sha256", "enc_alg": "rsa", "sign_alg": "rsassa", "verifier_id": "default", "verifier_ip": "127.0.0.1", "verifier_port": 8881, "severity_level": null, "last_event_id": null, "attestation_count": 2, "last_received_quote": 1666876155}}
:: [ 09:09:17 ] :: [   PASS   ] :: Command 'limeWaitForAgentStatus d432fbb3-d2f1-4a97-9ef7-75bd81c00000 'Get Quote'' (Expected 0, got 0)
:: [ 09:09:17 ] :: [  BEGIN   ] :: Running 'keylime_tenant -c cvlist'
Reading configuration from ['/etc/keylime/logging.conf']
2022-10-27 09:09:17.976 - keylime.tpm - INFO - TPM2-TOOLS Version: 5.2
Reading configuration from ['/etc/keylime/tenant.conf']
2022-10-27 09:09:17.980 - keylime.tenant - INFO - Setting up client TLS...
2022-10-27 09:09:17.980 - keylime.tenant - INFO - Using default client_cert option for tenant
2022-10-27 09:09:17.980 - keylime.tenant - INFO - Using default client_key option for tenant
2022-10-27 09:09:18.059 - keylime.tenant - INFO - TLS is enabled.
2022-10-27 09:09:18.059 - keylime.tenant - WARNING - Using default UUID d432fbb3-d2f1-4a97-9ef7-75bd81c00000
2022-10-27 09:09:18.151 - keylime.tenant - INFO - From verifier 127.0.0.1 port 8881 retrieved: "{'code': 200, 'status': 'Success', 'results': {'uuids': [['d432fbb3-d2f1-4a97-9ef7-75bd81c00000']]}}"
:: [ 09:09:18 ] :: [   PASS   ] :: Command 'keylime_tenant -c cvlist' (Expected 0, got 0)
2022-10-27 09:09:18.151 - keylime.tenant - INFO - From verifier 127.0.0.1 port 8881 retrieved: "{'code': 200, 'status': 'Success', 'results': {'uuids': [['d432fbb3-d2f1-4a97-9ef7-75bd81c00000']]}}"
:: [ 09:09:18 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.qBMkb4W0' should contain '{'code': 200, 'status': 'Success', 'results': {'uuids':.*'d432fbb3-d2f1-4a97-9ef7-75bd81c00000'' 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 11s
::   Assertions: 4 good, 0 bad
::   RESULT: PASS (Add keylime agent with keys)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Run script and check if scripts are in ascii_runtime_measurements
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 09:09:18 ] :: [  BEGIN   ] :: Running './script_first.sh'
Hello one!
:: [ 09:09:18 ] :: [   PASS   ] :: Command './script_first.sh' (Expected 0, got 0)
:: [ 09:09:18 ] :: [  BEGIN   ] :: Running './script_second.sh'
Hello two!
:: [ 09:09:18 ] :: [   PASS   ] :: Command './script_second.sh' (Expected 0, got 0)
:: [ 09:09:18 ] :: [   PASS   ] :: File '/sys/kernel/security/ima/ascii_runtime_measurements' should contain 'script_first.sh' 
:: [ 09:09:18 ] :: [   PASS   ] :: File '/sys/kernel/security/ima/ascii_runtime_measurements' should contain 'script_second.sh' 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 4 good, 0 bad
::   RESULT: PASS (Run script and check if scripts are in ascii_runtime_measurements)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Confirm the system is still compliant
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 09:09:18 ] :: [  BEGIN   ] :: Wait 10 seconds to give verifier some time to do a new attestation :: actually running 'sleep 10'
:: [ 09:09:28 ] :: [   PASS   ] :: Wait 10 seconds to give verifier some time to do a new attestation (Expected 0, got 0)
:: [ 09:09:28 ] :: [  BEGIN   ] :: Running 'limeWaitForAgentStatus d432fbb3-d2f1-4a97-9ef7-75bd81c00000 'Get Quote''
Reading configuration from ['/etc/keylime/logging.conf']
2022-10-27 09:10:13.386 - keylime.tpm - INFO - TPM2-TOOLS Version: 5.2
Reading configuration from ['/etc/keylime/tenant.conf']
2022-10-27 09:10:13.390 - keylime.tenant - INFO - Setting up client TLS...
2022-10-27 09:10:13.391 - keylime.tenant - INFO - Using default client_cert option for tenant
2022-10-27 09:10:13.391 - keylime.tenant - INFO - Using default client_key option for tenant
2022-10-27 09:10:13.469 - keylime.tenant - INFO - TLS is enabled.
2022-10-27 09:10:13.562 - keylime.tenant - INFO - {"code": 200, "status": "Agent d432fbb3-d2f1-4a97-9ef7-75bd81c00000 exists on registrar 127.0.0.1 port 8891.", "results": {"d432fbb3-d2f1-4a97-9ef7-75bd81c00000": {"aik_tpm": "ARgAAQALAAUAcgAAABAAFAALCAAAAAAAAQDRGSCLhze50Az2JW2ezTXVe3K0oiRIbGDCVI5jWO7oxGqfNOQFscIP7Uzh/a3jbP3s3L0k5RGJ/nHOE9znKOKxFRYeg9xwK5ExAfAFaHIBBElyeW5uTf++JJDl8Tsv26bXlcbbBEZqWEfdpzOi8HMwYm63yBDKg9j+afEEe675ZxPoX9NTThIE9T2z2wZ+d+ada99rxe0KsvT1sucfB1j80BR5eyQyBC8aricYM/u5KwGpf9MyOITNXouJGImdZUlCqxcRI/bcy9jFzadK7V6Ox0/ebWt6x/HRLdaFio3cpSoTVG0adRhBycL1ptwkm2Nc154IMPsA4yp8644b+NPX", "ek_tpm": "AToAAQALAAMAsgAgg3GXZ0SEs/gakMyNRqXXJP1S124GUgtk8qHaGzMUaaoABgCAAEMAEAgAAAAAAAEA4CmiqK9vnBC0ql4RjBt0/YCCuiqc6Rq/Hwf1OJplJ9XolCGFFCMgS3pMbFI/KeOTmAoXkOtjHFxCJXaLKjMtWHbHzGTJEpnNtqjfMBXX5LIwjBqUDv3y5Fd6p1a1+fH2DVUfjYGO6KsYTvZ9rZ4pwzhMSpLmJHy9zC1lOlK+qsQq3b5PoxN8jVk4VaogeO1DOZ7uQ0zJoBREKcaGMpf1En/XUrwJue4ktzYtRuBQKWD4CEo/TQwgPynYTzlyb6ZAzT3+71hYIMrLH/HUQWQFtUJ52rinQYW8yaAf/ctpskBwQ7ctbFWRrq26VujxwON/SZOufLO7NSK20ix2nU93DQ==", "ekcert": "...", "mtls_cert": "-----BEGIN CERTIFICATE-----\nMIIC1zCCAb+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDDCRkNDMy\nZmJiMy1kMmYxLTRhOTctOWVmNy03NWJkODFjMDAwMDAwHhcNMjIxMDI3MTIwNzM4\nWhcNMjMxMDE4MTIwNzM4WjAvMS0wKwYDVQQDDCRkNDMyZmJiMy1kMmYxLTRhOTct\nOWVmNy03NWJkODFjMDAwMDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCpo7h0t/TeU5hetR2mwd8BXDmrKNdV/3iAm461MCW7QCWwJEhZDbBNd4tyT3q3\nVbdjtTiPY9hP5b4tymaJUyqUTjr0SzOmHFNas6WPlblb9RNhPD+B96xjrPKmuocG\nufw6/WDKVQiPEvtIuQTu9YWqN0Y4csyK2PWQ8fv/mFO3KS8lLSykWiE/T3LfIvof\n8PjwsM6Am4uHRQApXNUCIa1r7UZPcOsKLt4YvqF8vYjiejQSr8jUAcZrZOJfSkEB\nUshyVhf+gBsq9kfyoM1ymP2qsH6A2gdxmdq9wamhOOPWl7HcBqMrPgdpRUF99mjL\ncbtqPxwouHkrKKUa6CDar02RAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIZswu8O\nDipoIe2PvfdfT74pMxYqmcd4YfoRBpe0Z90qs+w+v1ijK3+S7Hpc0klMAV0ZaIhh\ngNAuqG/w/pLSrYw547KFsYHJcpMUQ/8d4O9A82tt37QuxftraQXDMyV/1Ma9Ug33\ndnPXfHh4NAIYMusCkM9RwKzrxv8DF8BVugA4+LfeaJX3e7TquwR2CWj6hxqrPdHz\nv87ah6MP5OHY6XHu6b8vXU7kLFqYwUJ9+MKudqoDCqj+uXXNuiPjHTP9p9HQq3VH\nEQ6yaRFLABWcgsb7XBiAtTxYGvyWfYIodmpOnv7vL+0FzC5YUE83Kcwqkg+p/H42\nO8JfZFBF4+qM6Vs=\n-----END CERTIFICATE-----\n", "ip": "127.0.0.1", "port": 9002, "regcount": 1, "operational_state": "Registered"}}}
2022-10-27 09:10:13.653 - keylime.tenant - INFO - Agent Info:
{"d432fbb3-d2f1-4a97-9ef7-75bd81c00000": {"operational_state": "Invalid Quote", "v": "IBI0OEMlR9lHxTDnRAFlOF7jOAgoq4/v4nH9KbM7Qek=", "ip": "127.0.0.1", "port": 9002, "tpm_policy": "{\"mask\": \"0x400\"}", "meta_data": "{}", "allowlist_len": 6, "mb_refstate_len": 0, "accept_tpm_hash_algs": ["sha512", "sha384", "sha256", "sha1"], "accept_tpm_encryption_algs": ["ecc", "rsa"], "accept_tpm_signing_algs": ["ecschnorr", "rsassa"], "hash_alg": "sha256", "enc_alg": "rsa", "sign_alg": "rsassa", "verifier_id": "default", "verifier_ip": "127.0.0.1", "verifier_port": 8881, "severity_level": 6, "last_event_id": "ima.pcr_mismatch", "attestation_count": 2, "last_received_quote": 1666876158}}
:: [ 09:10:14 ] :: [   FAIL   ] :: Command 'limeWaitForAgentStatus d432fbb3-d2f1-4a97-9ef7-75bd81c00000 'Get Quote'' (Expected 0, got 1)
:: [ 09:10:14 ] :: [  BEGIN   ] :: Running 'keylime_tenant -c cvlist'
Reading configuration from ['/etc/keylime/logging.conf']
2022-10-27 09:10:15.673 - keylime.tpm - INFO - TPM2-TOOLS Version: 5.2
Reading configuration from ['/etc/keylime/tenant.conf']
2022-10-27 09:10:15.676 - keylime.tenant - INFO - Setting up client TLS...
2022-10-27 09:10:15.676 - keylime.tenant - INFO - Using default client_cert option for tenant
2022-10-27 09:10:15.677 - keylime.tenant - INFO - Using default client_key option for tenant
2022-10-27 09:10:15.754 - keylime.tenant - INFO - TLS is enabled.
2022-10-27 09:10:15.754 - keylime.tenant - WARNING - Using default UUID d432fbb3-d2f1-4a97-9ef7-75bd81c00000
2022-10-27 09:10:15.845 - keylime.tenant - INFO - From verifier 127.0.0.1 port 8881 retrieved: "{'code': 200, 'status': 'Success', 'results': {'uuids': [['d432fbb3-d2f1-4a97-9ef7-75bd81c00000']]}}"
:: [ 09:10:15 ] :: [   PASS   ] :: Command 'keylime_tenant -c cvlist' (Expected 0, got 0)
2022-10-27 09:10:15.845 - keylime.tenant - INFO - From verifier 127.0.0.1 port 8881 retrieved: "{'code': 200, 'status': 'Success', 'results': {'uuids': [['d432fbb3-d2f1-4a97-9ef7-75bd81c00000']]}}"
:: [ 09:10:15 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.zI7MTeif' should contain '{'code': 200, 'status': 'Success', 'results': {'uuids':.*'d432fbb3-d2f1-4a97-9ef7-75bd81c00000'' 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 58s
::   Assertions: 3 good, 1 bad
::   RESULT: FAIL (Confirm the system is still compliant)


In the verifier log there is just:
Oct 27 09:09:18 dell-per7415-01.khw2.lab.eng.bos.redhat.com keylime_verifier[24641]: 2022-10-27 09:09:18.634 - keylime.tpm - INFO - Checking IMA measurement list on agent: d432fbb3-d2f1-4a97-9ef7-75bd81c00000
Oct 27 09:09:18 dell-per7415-01.khw2.lab.eng.bos.redhat.com keylime_verifier[24641]: 2022-10-27 09:09:18.634 - keylime.ima - ERROR - IMA measurement list does not match TPM PCR 4f984332f41d55d0f5734c16f6f901819ca749085c2d0cd719a77b4cee222c95
Oct 27 09:09:18 dell-per7415-01.khw2.lab.eng.bos.redhat.com keylime_verifier[24641]: 2022-10-27 09:09:18.651 - keylime.verifier - WARNING - Agent d432fbb3-d2f1-4a97-9ef7-75bd81c00000 failed, stopping polling

Comment 5 Karel Srot 2022-11-10 14:05:05 UTC
It turned out the issue is not limited to IMA sign verification keys but also when IMA hashes are used.
Fixed in upstream through https://github.com/keylime/keylime/pull/1151

Comment 6 Karel Srot 2022-11-10 14:08:27 UTC
Impact: The agent fails attestation on quick-succession execution of scripts (i.e. script A is executed right after script B), even though the script hashes match the allowlist. In a production environment where most of the filesystem gets measured, this is very likely to happen.
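
The two checks behind the symptom above, as an added illustration (this is example code written for this page, not keylime's own implementation): every measured file hash is compared against the allowlist, and the ima-ng measurement list is replayed into a PCR 10 value (tpm_policy mask 0x400 selects PCR 10) that must equal the quoted one; the bug's signature is the first check passing while the second reports "ima.pcr_mismatch". The script contents, paths and allowlist are constructed, the template-data layout follows the kernel's ima-ng binary format, and "allowlist_mismatch" is a placeholder label rather than a keylime event id.

```python
import hashlib
import struct

def ima_ng_template_digest(algo: str, filehash_hex: str, path: str, bank: str = "sha256") -> bytes:
    # ima-ng template data as the kernel writes it to the binary log:
    # d-ng = u32le(len) + "<algo>:\0" + raw digest, n-ng = u32le(len) + path + "\0".
    # The ASCII log only carries a sha1 template hash, so a verifier checking a
    # sha256 PCR bank must rebuild the data and hash it with the bank's algorithm.
    d_ng = algo.encode() + b":\0" + bytes.fromhex(filehash_hex)
    n_ng = path.encode() + b"\0"
    data = struct.pack("<I", len(d_ng)) + d_ng + struct.pack("<I", len(n_ng)) + n_ng
    return hashlib.new(bank, data).digest()

def parse_entry(line: str):
    # ascii_runtime_measurements line: "<pcr> <template-hash> ima-ng <algo>:<hex> <path>"
    # The sha1 template-hash column is not used for a sha256 bank and is ignored here.
    pcr, _tmpl_hash, template, hashfield, path = line.split(maxsplit=4)
    if pcr != "10" or template != "ima-ng":
        raise ValueError(f"unsupported entry: {line!r}")
    algo, filehash = hashfield.split(":", 1)
    return algo, filehash, path

def replay_pcr10(entries, bank: str = "sha256") -> bytes:
    # PCR 10 starts at all zeros and is extended with each template digest in order,
    # so a missing, extra or reordered entry changes the result.
    pcr = bytes(hashlib.new(bank).digest_size)
    for line in entries:
        pcr = hashlib.new(bank, pcr + ima_ng_template_digest(*parse_entry(line), bank)).digest()
    return pcr

def check_ima(entries, allowlist, quoted_pcr10: bytes, bank: str = "sha256"):
    # Two independent checks: allowlist membership per file, then PCR replay.
    # Returns None on success; "ima.pcr_mismatch" is the event id from the verifier
    # log on this page, "allowlist_mismatch" is a placeholder label for this example.
    for line in entries:
        _algo, filehash, path = parse_entry(line)
        if path != "boot_aggregate" and filehash not in allowlist.get(path, ()):
            return "allowlist_mismatch"
    if replay_pcr10(entries, bank) != quoted_pcr10:
        return "ima.pcr_mismatch"
    return None

# Constructed sample: boot_aggregate plus two scripts executed back to back.
SCRIPT_A = hashlib.sha256(b"#!/bin/sh\necho A\n").hexdigest()
SCRIPT_B = hashlib.sha256(b"#!/bin/sh\necho B\n").hexdigest()
SAMPLE_ENTRIES = [
    f"10 {'0' * 40} ima-ng sha256:{'0' * 64} boot_aggregate",
    f"10 {'0' * 40} ima-ng sha256:{SCRIPT_A} /usr/local/bin/a.sh",
    f"10 {'0' * 40} ima-ng sha256:{SCRIPT_B} /usr/local/bin/b.sh",
]
SAMPLE_ALLOWLIST = {"/usr/local/bin/a.sh": {SCRIPT_A}, "/usr/local/bin/b.sh": {SCRIPT_B}}
```

Feeding the replayed value back in as the "quoted" PCR passes; handing the same list to a verifier with a different PCR 10 reproduces the "IMA measurement list does not match TPM PCR" outcome even though every hash is allowlisted.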

Comment 27 errata-xmlrpc 2023-05-09 07:45:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (keylime bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2307