keylime_tenant seems to read verifier.conf #1541

Open
kkaarreell opened this issue Apr 5, 2024 · 3 comments
Comments

@kkaarreell
Contributor


Environment

  • OS / version: Fedora 40
  • Processor architecture: x86_64
  • TPM Manufacturer: swtpm
  • Keylime version: current upstream ea0cc9f

Description

In the keylime_tenant output one can see that verifier.conf is read.
For example:

$ keylime_tenant -v 127.0.0.1 -t 127.0.0.1 -u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 --verify --runtime-policy policy.json --cert default -c add

INFO:keylime.config:Reading configuration from ['/etc/keylime/logging.conf']
2024-03-20 13:05:58.186 - keylime.config - INFO - Reading configuration from ['/etc/keylime/tenant.conf']
2024-03-20 13:05:58.187 - keylime.tenant - INFO - Setting up client TLS...
2024-03-20 13:05:58.187 - keylime.tenant - INFO - Using default client_cert option for tenant
2024-03-20 13:05:58.187 - keylime.tenant - INFO - Using default client_key option for tenant
2024-03-20 13:05:58.187 - keylime.tenant - INFO - No value provided in client_key_password option for tenant, assuming the key is unencrypted
2024-03-20 13:05:58.194 - keylime.tenant - INFO - TLS is enabled.
2024-03-20 13:05:58.194 - keylime.config - INFO - Reading configuration from ['/etc/keylime/verifier.conf']
2024-03-20 13:05:58.240 - keylime.cli.policies - INFO - TPM PCR Mask from policy is 0x0
2024-03-20 13:05:58.240 - keylime.config - INFO - Reading configuration from ['/etc/keylime/ca.conf']
2024-03-20 13:05:58.240 - keylime.ca-util - WARNING - The 'default' password option from CA configuration file cannot be used with keylime CLI (keylime_tenant or keylime_ca)
...

Previously, I have reported a similar issue, #1446; I don't know if this is related though.

Expected behavior vs. actual behavior

keylime_tenant should not access verifier.conf, and probably not even ca.conf.

Steps to reproduce problem

  1. run keylime_tenant command
@kkaarreell
Contributor Author

When there is no verifier.conf on the system I can see the tenant fail:

2024-05-02 06:31:58.711 - keylime.config - WARNING - Config file not found in ['/etc/keylime/verifier.conf', '/usr/etc/keylime/verifier.conf']. It is required by component /usr/lib/python3.12/site-packages/keylime/config.py. 
Please use "keylime_upgrade_config --defaults" to create a minimalistic set of configurations.

2024-05-02 06:31:58.711 - keylime.tenant - ERROR - 
Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/keylime/mba/mba.py", line 69, in load_imports
    imports = config.getlist("verifier", "measured_boot_imports")
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/keylime/config.py", line 260, in getlist
    read = get_config(component).get(section, option).strip('" ')
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/configparser.py", line 759, in get
    d = self._unify_values(section, vars)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/configparser.py", line 1130, in _unify_values
    raise NoSectionError(section) from None
configparser.NoSectionError: No section: 'verifier'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/keylime/cmd/tenant.py", line 10, in main
    tenant.main()
  File "/usr/lib/python3.12/site-packages/keylime/tenant.py", line 1598, in main
    mytenant = Tenant()
               ^^^^^^^^
  File "/usr/lib/python3.12/site-packages/keylime/tenant.py", line 160, in __init__
    mba.load_imports()
  File "/usr/lib/python3.12/site-packages/keylime/mba/mba.py", line 78, in load_imports
    raise ValueError from e
ValueError
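As an added example (not Keylime's own code), the failure mode in the traceback above, a strict `get()` on a section that does not exist, shown next to a guarded lookup that falls back to a default so a CLI component does not abort because another component's configuration file is absent. The config contents and module names below are constructed.

```python
"""Constructed example: configparser.NoSectionError on a missing component
config, and a guarded getlist that degrades to a default instead of failing."""
import configparser
from typing import List, Optional

# Constructed stand-ins for /etc/keylime/tenant.conf and verifier.conf.
TENANT_CONF = """
[tenant]
verifier_ip = 127.0.0.1
"""
VERIFIER_CONF = """
[verifier]
measured_boot_imports = "example.parser_a, example.parser_b"
"""


def load_component(text: Optional[str]) -> configparser.ConfigParser:
    """Parse one component's config; None models a file that is not on the
    host, which yields an empty parser with no sections at all."""
    parser = configparser.ConfigParser()
    if text is not None:
        parser.read_string(text)
    return parser


def getlist_strict(parser: configparser.ConfigParser, section: str, option: str) -> List[str]:
    """Mirrors the strict pattern in the traceback: parser.get() raises
    NoSectionError when the section is absent, which surfaces as an error
    for every invocation of the CLI."""
    read = parser.get(section, option).strip('" ')
    return [item.strip() for item in read.split(",") if item.strip()]


def getlist_guarded(parser: configparser.ConfigParser, section: str, option: str,
                    default: Optional[List[str]] = None) -> List[str]:
    """Only read the option when the section and option exist; otherwise
    return the default so a component that does not need this setting
    still starts. has_option() returns False (no exception) for a
    missing section."""
    if not parser.has_option(section, option):
        return list(default or [])
    return getlist_strict(parser, section, option)


def strict_raises_on_missing() -> bool:
    """True if the strict lookup fails when verifier.conf is absent."""
    try:
        getlist_strict(load_component(None), "verifier", "measured_boot_imports")
    except configparser.NoSectionError:
        return True
    return False
```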

@stefanberger
Contributor

Does the tenant need mba at all?

# grep mba keylime/tenant.py
from keylime.mba import mba
        mba.load_imports()

This was added in c99103b:

diff --git a/keylime/tenant.py b/keylime/tenant.py
index 9070817..3b93d05 100644
--- a/keylime/tenant.py
+++ b/keylime/tenant.py
@@ -21,6 +21,7 @@ from keylime.cli import options, policies
 from keylime.cmd import user_data_encrypt
 from keylime.common import algorithms, retry, states, validators
 from keylime.ip_util import bracketize_ipv6
+from keylime.mba import mba
 from keylime.requests_client import RequestsClient
 from keylime.tpm import tpm2_objects, tpm_util
 from keylime.tpm.tpm_main import Tpm
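Review bot: the new `from keylime.mba import mba` import at module level makes the tenant CLI depend on a module whose configuration, per the traceback earlier in this thread, is read via `config.getlist("verifier", "measured_boot_imports")` from verifier.conf; if the tenant only needs measured boot support on some code paths, consider importing it lazily inside those paths so that `keylime_tenant` does not require the verifier's configuration to be installed on the host.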
@@ -156,6 +157,8 @@ class Tenant:
         else:
             logger.warning("TLS is disabled.")

+        mba.load_imports()
+
     @property
     def verifier_base_url(self) -> str:
         return f"{bracketize_ipv6(self.verifier_ip)}:{self.verifier_port}"
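Review bot: `mba.load_imports()` is called unconditionally in `Tenant.__init__` with no guard for a missing verifier.conf; the traceback earlier in this thread shows it propagating as `ValueError` and aborting every `keylime_tenant` invocation, including ones that never use measured boot. Either move the call to the code path that actually needs the imports, or catch the failure here and log it, as the TLS branch just above does with `logger.warning("TLS is disabled.")`, so the tenant keeps running when the verifier configuration is not present.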

@stefanberger
Contributor

I opened #1544. @galmasi
