Conversation

@ansasaki (Contributor) commented Aug 1, 2025

Add a simple end-to-end test for the push attestation

@ansasaki ansasaki marked this pull request as draft August 1, 2025 13:42
@@ -0,0 +1,119 @@
#!/bin/bash
. /usr/share/beakerlib/beakerlib.sh || exit 1
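Review bot: the `. /usr/share/beakerlib/beakerlib.sh || exit 1` line trips shellcheck SC1091, because the scanner cannot follow a file that only exists on the test machine (the code-scanning warning on this file shows exactly that); rather than carrying the warning in every run, put a `# shellcheck source=/dev/null` (or `# shellcheck disable=SC1091`) directive on the line above it, which keeps the `|| exit 1` guard and silences only that one check.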

Code scanning / shellcheck: SC1091 Warning (test)

Not following: /usr/share/beakerlib/beakerlib.sh: openBinaryFile: does not exist (No such file or directory)
@ansasaki ansasaki force-pushed the test_push_attestation branch 2 times, most recently from 4a3d2f2 to d5b042e Compare August 1, 2025 16:50
@ansasaki ansasaki force-pushed the test_push_attestation branch 4 times, most recently from 2d282b9 to afe466d Compare August 5, 2025 09:03
@ansasaki ansasaki force-pushed the test_push_attestation branch from afe466d to e224fe7 Compare August 5, 2025 09:14
@ansasaki ansasaki force-pushed the test_push_attestation branch 4 times, most recently from 0f8d43a to c78d559 Compare August 8, 2025 11:55
@ansasaki ansasaki force-pushed the test_push_attestation branch from c78d559 to 54706e7 Compare August 8, 2025 12:08
@ansasaki (Contributor Author) commented Aug 8, 2025

/packit retest-failed

@ansasaki ansasaki marked this pull request as ready for review August 8, 2025 12:46
@ansasaki ansasaki requested review from Koncpa, kkaarreell, sarroutbi and sergio-correia and removed request for kkaarreell August 8, 2025 12:46
@ansasaki ansasaki force-pushed the test_push_attestation branch from 54706e7 to 5974d5f Compare August 8, 2025 13:20
@ansasaki (Contributor Author) commented Aug 8, 2025

TBH, I'm out of ideas on why the test does not pass. When I try running on my machine with a VM, it passes.

@kkaarreell (Collaborator) commented

> TBH, I'm out of ideas on why the test does not pass. When I try running on my machine with a VM, it passes.

Is it a fresh VM? Or freshly installed keylime with default config files?

I do not have the insight, but my attention was caught by this record from the agent log:

{"seconds_to_next_attestation": 2}, "jsonapi": {"version": "1.1"}}
Aug 08 13:32:49 ip-172-31-30-101.us-east-2.compute.internal keylime_push_model_agent[5959]:  INFO  keylime_push_model_agent::state_machine > Waiting 60 seconds before next attestation...

2 seconds to next attestation while waiting 60 seconds...

@ansasaki (Contributor Author) commented

For now, the push-attestation prototype waits a fixed time of 60 seconds between attestations by default. I let rlWaitForCmd retry the grep for 120 seconds, which should be sufficient.

The problematic lines for me are the following:

Aug 08 13:33:49 ip-172-31-30-101.us-east-2.compute.internal keylime_verifier[5304]: 2025-08-08 13:33:49.252 - keylime.ima - ERROR - IMA measurement list does not match TPM PCR 35a477a665ba88d9727c85d819e8df3a7c8e2079edba53cc682f24e0cd03e11a
Aug 08 13:33:49 ip-172-31-30-101.us-east-2.compute.internal keylime_verifier[5304]: 2025-08-08 13:33:49.252 - keylime.tpm - INFO - Checking remaining PCRs in quote against TPM policy for agent: d432fbb3-d2f1-4a97-9ef7-75bd81c00000
Aug 08 13:33:49 ip-172-31-30-101.us-east-2.compute.internal keylime_verifier[5304]: 2025-08-08 13:33:49.252 - keylime.tpm - WARNING - PCR #16 in quote (from agent d432fbb3-d2f1-4a97-9ef7-75bd81c00000) not found in tpm_policy, skipping.
Aug 08 13:33:49 ip-172-31-30-101.us-east-2.compute.internal keylime_verifier[5304]: 2025-08-08 13:33:49.253 - keylime.verifier - WARNING - Attestation 1 for agent 'd432fbb3-d2f1-4a97-9ef7-75bd81c00000' failed verification because the IMA log could not be authenticated against the TPM quote

What seems to happen is that something is executed between the initial attestation and attestation 1 that changes the IMA log and is not covered by the policy (it is not ignored). I have not yet tried to find exactly what the problem is, but it should be possible using the logs (maybe a job for the AI).
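As a triage aid for the verifier log quoted above, here is an added example (not Keylime's code and not part of this PR) that parses those journal lines and pairs each failed attestation with the last IMA-vs-PCR mismatch logged before it and the PCRs the verifier skipped as absent from tpm_policy. The line-format regex, the field names and the sample list are assumptions built from the lines in this thread, not a Keylime interface.

```python
import re
# Regexes for the verifier journal format quoted in this thread (written for this triage
# example, not Keylime's own parser): "<syslog ts> <host> keylime_verifier[<pid>]: <ts> - <logger> - <LEVEL> - <msg>"
LINE_RE = re.compile(
    r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ keylime_verifier\[\d+\]: "
    r"(?P<ts>\S+ \S+) - (?P<logger>[\w.]+) - (?P<level>[A-Z]+) - (?P<msg>.*)$"
)
IMA_MISMATCH_RE = re.compile(r"IMA measurement list does not match TPM PCR (?P<pcr>[0-9a-f]+)")
SKIPPED_PCR_RE = re.compile(r"PCR #(?P<num>\d+) in quote \(from agent (?P<agent>[0-9a-f-]+)\) not found in tpm_policy")
FAILED_RE = re.compile(r"Attestation (?P<n>\d+) for agent '(?P<agent>[0-9a-f-]+)' failed verification because (?P<reason>.+)")


def parse_line(line):
    """Split one verifier journal line into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage_failures(lines):
    """Walk the log in order and, for each failed attestation, report the last IMA-vs-PCR
    mismatch seen before it and the PCRs the verifier skipped because tpm_policy omits them."""
    failures, last_pcr, skipped = [], None, {}   # skipped: agent -> [PCR numbers]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if m := IMA_MISMATCH_RE.search(rec["msg"]):
            last_pcr = m["pcr"]                        # keylime.ima ERROR line
        elif m := SKIPPED_PCR_RE.search(rec["msg"]):
            skipped.setdefault(m["agent"], []).append(int(m["num"]))
        elif m := FAILED_RE.search(rec["msg"]):
            failures.append({
                "ts": rec["ts"], "attestation": int(m["n"]), "agent": m["agent"],
                "reason": m["reason"], "ima_mismatch_pcr": last_pcr,
                "skipped_pcrs": skipped.get(m["agent"], []),
            })
            last_pcr = None                            # consumed by this failure
    return failures


# Sample input: the four verifier lines quoted in the comment above, split for width.
_PFX = "Aug 08 13:33:49 ip-172-31-30-101.us-east-2.compute.internal keylime_verifier[5304]: 2025-08-08 13:33:49."
AGENT = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
SAMPLE = [
    _PFX + "252 - keylime.ima - ERROR - IMA measurement list does not match TPM PCR "
           "35a477a665ba88d9727c85d819e8df3a7c8e2079edba53cc682f24e0cd03e11a",
    _PFX + f"252 - keylime.tpm - INFO - Checking remaining PCRs in quote against TPM policy for agent: {AGENT}",
    _PFX + f"252 - keylime.tpm - WARNING - PCR #16 in quote (from agent {AGENT}) not found in tpm_policy, skipping.",
    _PFX + f"253 - keylime.verifier - WARNING - Attestation 1 for agent '{AGENT}' failed verification "
           "because the IMA log could not be authenticated against the TPM quote",
]
```

Feeding the whole journal in (for example `journalctl -u keylime_verifier --no-pager` output split into lines) lists every failed attestation with the PCR value the IMA log failed to reproduce and the PCRs left unchecked, which narrows down what ran between two attestations.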

@ansasaki ansasaki force-pushed the test_push_attestation branch from 043a3a2 to c4b901e Compare September 9, 2025 17:33
@ansasaki (Contributor Author) commented

/packit test

@ansasaki (Contributor Author) commented

/packit retest-failed

@ansasaki (Contributor Author) commented

/packit test

@ansasaki ansasaki force-pushed the test_push_attestation branch 2 times, most recently from c236e6c to 1cceaa3 Compare September 15, 2025 15:29
@ansasaki ansasaki force-pushed the test_push_attestation branch from 1cceaa3 to 722d4ad Compare September 18, 2025 16:23
@ansasaki (Contributor Author) commented

/packit test

@ansasaki (Contributor Author) commented

/packit test

@ansasaki ansasaki force-pushed the test_push_attestation branch from 722d4ad to 77a5a45 Compare September 19, 2025 10:06
@ansasaki (Contributor Author) commented

/packit test

@ansasaki ansasaki force-pushed the test_push_attestation branch from 77a5a45 to 6bf8d04 Compare September 24, 2025 15:38
@ansasaki (Contributor Author) commented

/packit test

@ansasaki (Contributor Author) commented

/packit test

@ansasaki (Contributor Author) commented

/packit test

@ansasaki (Contributor Author) commented

/packit retest-failed

@ansasaki (Contributor Author) commented

/packit test

@sarroutbi (Contributor) commented

/packit test

@sarroutbi (Contributor) commented

/packit test

@ansasaki ansasaki force-pushed the test_push_attestation branch 2 times, most recently from ecafb31 to 0c5a8e9 Compare October 2, 2025 16:15
@kkaarreell kkaarreell force-pushed the test_push_attestation branch from 0c5a8e9 to efd67ba Compare October 10, 2025 08:27
@kkaarreell (Collaborator) commented Oct 10, 2025

Hi @stringlytyped, one of the failing tests revealed that the verifier is way more verbose in the log; see
https://artifacts.dev.testing-farm.io/9748819e-10ae-4a19-a627-906860b09413/work-upstream-keylime-all-tests3r_bbtu_/plans/upstream-keylime-all-tests/execute/data/guest/default-0/compatibility/basic-attestation-on-localhost-api-version-bump-43/data/var-tmp-limeLib-verifier.log
and compare it with
https://artifacts.dev.testing-farm.io/20bdc8b3-dbb1-4b20-8fcb-85954337e1ae/work-upstream-keylime-all-tests_29s9_h7/plans/upstream-keylime-all-tests/execute/data/guest/default-0/compatibility/basic-attestation-on-localhost-api-version-bump-42/data/var-tmp-limeLib-verifier.log

Previously, there was just

keylime.tpm - INFO - Checking IMA measurement list on agent: d432fbb3-d2f1-4a97-9ef7-75bd81c00000

we now have

keylime.tpm - INFO - PCR(s) 10 and 16 from bank 'sha256' found in TPM quote for agent 'd432fbb3-d2f1-4a97-9ef7-75bd81c00000'
keylime.tpm - INFO - No new IMA events received from agent 'd432fbb3-d2f1-4a97-9ef7-75bd81c00000'
keylime.tpm - INFO - Checking IMA measurement list on agent: d432fbb3-d2f1-4a97-9ef7-75bd81c00000
keylime.tpm - INFO - No measured boot policy configured for agent 'd432fbb3-d2f1-4a97-9ef7-75bd81c00000'; skipping measured boot verification
keylime.tpm - INFO - No remaining PCRs in quote to check against TPM policy for agent 'd432fbb3-d2f1-4a97-9ef7-75bd81c00000'

and it keeps repeating in the log every two seconds. I am wondering whether this is really expected and desired.

This is the complete test log:
https://artifacts.dev.testing-farm.io/9748819e-10ae-4a19-a627-906860b09413/work-upstream-keylime-all-tests3r_bbtu_/plans/upstream-keylime-all-tests/execute/data/guest/default-0/compatibility/basic-attestation-on-localhost-api-version-bump-43/output.txt

ansasaki and others added 6 commits October 20, 2025 14:38
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Set up the push-attestation agent service in the same way as the
pull-attestation agent service.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Add a drop-in configuration file for the keylime_push_model_agent
service to set the TCTI environment variable.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
This adds an end-to-end test and a specific plan for push-attestation.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Change repositories to test

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@kkaarreell kkaarreell force-pushed the test_push_attestation branch from efd67ba to b1f798d Compare October 20, 2025 12:43
4 participants