From fceff7bb0f7226aa70b0a85d32a9ddb36059e45a Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Fri, 1 Aug 2025 14:50:26 +0200 Subject: [PATCH 1/9] lib: Add functions for push-attestation testing Signed-off-by: Anderson Toshiyuki Sasaki --- Library/test-helpers/lib.sh | 108 ++++++++++++++++++++++++++++++++---- 1 file changed, 98 insertions(+), 10 deletions(-) diff --git a/Library/test-helpers/lib.sh b/Library/test-helpers/lib.sh index e29b8011..ff4bfe49 100644 --- a/Library/test-helpers/lib.sh +++ b/Library/test-helpers/lib.sh @@ -455,6 +455,11 @@ __limeGetLogName() { local NAME=$1 local LOGSUFFIX local TPMSUFFIX + + if [[ "$NAME" == "push_model_agent" ]]; then + NAME="agent" + fi + [ -n "$2" ] && LOGSUFFIX="$2" || LOGSUFFIX=$( echo "$NAME" | sed 's/.*/\u&/' ) # just uppercase first letter local LOGNAME=__INTERNAL_limeLog${LOGSUFFIX} if [ "$NAME" == "ima_emulator" ] && [ "$limeTPMDevNo" != "0" ]; then @@ -1653,7 +1658,7 @@ and the suffix is specified by the SUFFIX parameter. limeInstallIMAKeys IMA certificate is signed by IMA CA key which is autogenerated if it is not present on a test -system already. See +system already. See https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#ima-ca-key-and-certificate for details and how to import IMA CA key to MOK. @@ -2135,7 +2140,7 @@ limeRegistrarLogfile() { true <<'=cut' =pod -=head2 limeAgentrLogfile +=head2 limeAgentLogfile Prints to STDOUT filepath to a log file containing Agent logs @@ -2250,6 +2255,7 @@ limeSubmitCommonLogs() { [ -f $(limeVerifierLogfile) ] && limeLogfileSubmit $(limeVerifierLogfile) [ -f $(limeRegistrarLogfile) ] && limeLogfileSubmit $(limeRegistrarLogfile) [ -f $(limeAgentLogfile) ] && limeLogfileSubmit $(limeAgentLogfile) + [ -f $(limePushAgentLogfile) ] && limeLogfileSubmit $(limePushAgentLogfile) if limeTPMEmulated && [ -f $(limeIMAEmulatorLogfile) ]; then limeLogfileSubmit $(limeIMAEmulatorLogfile) fi 
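Review bot: The `__limeGetLogName` change rewrites `push_model_agent` to `agent`, so the log variable it resolves is `__INTERNAL_limeLogAgent`, the one the pull agent already uses; if `limePushAgentLogfile` reaches this function through `__limeServiceLogfile` (that helper's body is not in this patch), the new `[ -f $(limePushAgentLogfile) ] && limeLogfileSubmit $(limePushAgentLogfile)` line in `limeSubmitCommonLogs` submits the same file a second time, and both agents write interleaved into one log whenever a test runs them together. Either give the push agent its own slot (drop the `NAME="agent"` rewrite and add an `__INTERNAL_limeLogPushAgent` variable, including it in the purge list at startup) or guard the second submit with `[ "$(limePushAgentLogfile)" != "$(limeAgentLogfile)" ]`. The new submit line also leaves `$(limePushAgentLogfile)` unquoted inside `[ -f ... ]`; the neighbouring lines share that style, but the added line could quote it. Both `__limeGetLogName` and `limeSubmitCommonLogs` continue outside the hunks shown.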
@@ -2826,7 +2832,7 @@ limeconRunTenant() { if [ -d cv_ca ]; then MOUNT_TENANT="$PWD/cv_ca:/var/lib/keylime/cv_ca/:z $MOUNT_TENANT" fi - + echo -e "\nRunning podman:\npodman run --volume $MOUNT_DIR --volume $MOUNT_TENANT --rm --name $NAME --entrypoint= --net $NETWORK --ip $IP $TAG keylime_tenant $TENANT_CMD" podman run --volume $MOUNT_DIR --volume $MOUNT_TENANT --rm --name $NAME --entrypoint= --net $NETWORK --ip $IP $TAG keylime_tenant $TENANT_CMD @@ -3109,13 +3115,13 @@ set -m # Purge log files for a new test. It is therefore important to rlImport # the library before changing CWD to a different location. -touch $__INTERNAL_limeLogCurrentTest -if ! grep -q "^$PWD\$" $__INTERNAL_limeLogCurrentTest; then - echo "$PWD" > $__INTERNAL_limeLogCurrentTest - [ -f $__INTERNAL_limeLogVerifier ] && > $__INTERNAL_limeLogVerifier - [ -f $l__INTERNAL_imeLogRegistrar ] && > $__INTERNAL_limeLogRegistrar - [ -f $__INTERNAL_limeLogAgent ] && > $__INTERNAL_limeLogAgent - [ -f $__INTERNAL_limeLogIMAEmulator ] && > $__INTERNAL_limeLogIMAEmulator && rm -f "${__INTERNAL_limeLogIMAEmulator}.tpm"* +touch "$__INTERNAL_limeLogCurrentTest" +if ! grep -q "^$PWD\$" "$__INTERNAL_limeLogCurrentTest"; then + echo "$PWD" > "$__INTERNAL_limeLogCurrentTest" + [ -f "$__INTERNAL_limeLogVerifier" ] && true > "$__INTERNAL_limeLogVerifier" + [ -f "$__INTERNAL_limeLogRegistrar" ] && true > "$__INTERNAL_limeLogRegistrar" + [ -f "$__INTERNAL_limeLogAgent" ] && true > "$__INTERNAL_limeLogAgent" + [ -f "$__INTERNAL_limeLogIMAEmulator" ] && true > "$__INTERNAL_limeLogIMAEmulator" && rm -f "${__INTERNAL_limeLogIMAEmulator}.tpm"* fi # prepare coveragerc file 
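Review bot: In the rewritten purge block, `grep -q "^$PWD\$"` still treats the working directory as a regular expression, so a test path containing `.`, `+` or brackets can match a different directory or fail to match its own, and the per-test log reset then either skips or fires on every import; a fixed-string whole-line match avoids that: `if ! grep -qxF -- "$PWD" "$__INTERNAL_limeLogCurrentTest"; then`. The rest of the hunk only adds quoting and `true >` and reads fine. Note that no push-agent log is purged here, which is only correct while `push_model_agent` resolves to the same `__INTERNAL_limeLogAgent` file as the pull agent.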
@@ -3148,6 +3154,88 @@ fi
 # delete previously existing TPM data
 rm -f "${__INTERNAL_limeTPMDetails}"
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Push Attestation Functions
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+true <<'=cut'
+=pod
+
+=head2 limeStartPushAgent
+
+Start the keylime push attestation agent, either using rlServiceStart or directly.
+
+ limeStartPushAgent
+
+=over
+
+=back
+
+Returns 0 when the start was successful, non-zero otherwise.
+
+=cut
+limeStartPushAgent() {
+
+ # save TPM details
+ date >> ${__INTERNAL_limeTPMDetails}
+ echo -e "\n# tpm2_getcap properties-fixed" >> ${__INTERNAL_limeTPMDetails}
+ tpm2_getcap properties-fixed >> ${__INTERNAL_limeTPMDetails}
+ echo -e "\n# tpm2_getcap algorithms" >> ${__INTERNAL_limeTPMDetails}
+ tpm2_getcap algorithms >> ${__INTERNAL_limeTPMDetails}
+ echo -e "\n# tpm2_getcap pcrs" >> ${__INTERNAL_limeTPMDetails}
+ tpm2_getcap pcrs >> ${__INTERNAL_limeTPMDetails}
+ echo >> ${__INTERNAL_limeTPMDetails}
+
+ limeStopPushAgent
+ __limeStartKeylimeService push_model_agent
+
+}
+
+true <<'=cut'
+=pod
+
+=head2 limeStopPushAgent
+
+Stop the keylime push attestation agent, either using rlServiceStart or directly.
+
+ limeStopPushAgent
+
+=over
+
+=back
+
+Returns 0 when the stop was successful, non-zero otherwise.
+
+=cut
+limeStopPushAgent() {
+
+ __limeStopKeylimeService push_model_agent
+
+}
+
+true <<'=cut'
+=pod
+
+=head2 limePushAgentLogfile
+
+Prints to STDOUT filepath to a log file containing Agent logs
+
+ limePushAgentLogfile
+
+=over
+
+=back
+
+Returns 0.
+
+=cut
+
+limePushAgentLogfile() {
+
+ __limeServiceLogfile push_model_agent
+
+}
+
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # Verification
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From d9fcffbf2198cfd948fce109be64f35ffbd2a00a Mon Sep 17 00:00:00 2001
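Review bot: The POD for `limeStopPushAgent` says the agent is stopped "either using rlServiceStart or directly" and the one for `limePushAgentLogfile` says it prints "Agent logs"; both are copy-paste leftovers and should read `Stop the keylime push attestation agent, either using rlServiceStop or directly.` and `Prints to STDOUT filepath to a log file containing push attestation agent logs`. In `limeStartPushAgent` the TPM-details capture (`date` plus three `tpm2_getcap` calls appended to `${__INTERNAL_limeTPMDetails}`) runs unchecked, which is acceptable for diagnostics but deserves a `# best effort: diagnostics only, failures are not fatal` comment, and if the pull-agent start routine carries the same snippet a shared `__limeSaveTPMDetails` helper would keep the two start paths from drifting. The documented "Returns 0 when the start was successful" is only as good as the status of `__limeStartKeylimeService`, which is defined outside this patch; the `limeStopPushAgent` call before it is unchecked, so a stop failure does not surface here.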
From: Anderson Toshiyuki Sasaki Date: Fri, 15 Aug 2025 14:56:40 +0200 Subject: [PATCH 2/9] install_upstream_rust_keylime/test.sh Setup the push-attestation agent service in the same way as pull-attestation agent service. Signed-off-by: Anderson Toshiyuki Sasaki --- setup/install_upstream_rust_keylime/test.sh | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/setup/install_upstream_rust_keylime/test.sh b/setup/install_upstream_rust_keylime/test.sh index 1b2165b1..7d4db29c 100755 --- a/setup/install_upstream_rust_keylime/test.sh +++ b/setup/install_upstream_rust_keylime/test.sh @@ -68,6 +68,13 @@ _EOF' rlRun "cat > /etc/systemd/system/keylime_agent.service.d/20-rust_log_trace.conf <<_EOF [Service] Environment=\"RUST_LOG=keylime_agent=trace,keylime=trace\" +_EOF" + + # Add drop-in unit file updates for push-attestation agent + rlRun "mkdir -p /etc/systemd/system/keylime_push_model_agent.service.d" + rlRun "cat > /etc/systemd/system/keylime_push_model_agent.service.d/20-rust_log_trace.conf <<_EOF +[Service] +Environment=\"RUST_LOG=keylime_push_model_agent=trace,keylime=trace\" _EOF" # If the TPM_BINARY_MEASUREMENTS env var is set, set the binary @@ -76,6 +83,10 @@ _EOF" rlRun "cat > /etc/systemd/system/keylime_agent.service.d/30-measured_boot_location.conf <<_EOF [Service] Environment=\"TPM_BINARY_MEASUREMENTS=${TPM_BINARY_MEASUREMENTS}\" +_EOF" + rlRun "cat > /etc/systemd/system/keylime_push_model_agent.service.d/30-measured_boot_location.conf <<_EOF +[Service] +Environment=\"TPM_BINARY_MEASUREMENTS=${TPM_BINARY_MEASUREMENTS}\" _EOF" fi 
@@ -96,6 +107,14 @@ Environment=\"LLVM_PROFILE_FILE=${__INTERNAL_limeCoverageDir}/rust_keylime_codec # we need to change WorkingDirectory since .profraw* files will be stored there WorkingDirectory=${__INTERNAL_limeCoverageDir}/ ExecStopPost=sh ${__INTERNAL_limeCoverageDir}/coverage-script-stop.sh +_EOF" + rlRun "cat > /etc/systemd/system/keylime_push_model_agent.service.d/15-coverage.conf <<_EOF +[Service] +# set variable containing name of the currently running test +Environment=\"LLVM_PROFILE_FILE=${__INTERNAL_limeCoverageDir}/rust_keylime_codecoverage.profraw\" +# we need to change WorkingDirectory since .profraw* files will be stored there +WorkingDirectory=${__INTERNAL_limeCoverageDir}/ +ExecStopPost=sh ${__INTERNAL_limeCoverageDir}/coverage-script-stop.sh _EOF" #IMA emulator coverage, graceful shutdown of IMA emulator, allow SIGINT kill rlRun "touch $__INTERNAL_limeCoverageDir/enabled" @@ -105,6 +124,7 @@ _EOF" rlPhaseStartTest "Test installed binaries" rlRun "keylime_agent --help" 0,1 + rlRun "keylime_push_model_agent --help" 0,1 rlPhaseEnd rlJournalEnd From 01f5c2a28dc337103b537a8eac50a3b55dd6c31b Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Thu, 7 Aug 2025 18:31:07 +0200 Subject: [PATCH 3/9] setup/configure_tpm_emulator: Set TCTI for push attestation agent Add a drop-in configuration file for the keylime_push_model_agent service to set the TCTI environment variable. Signed-off-by: Anderson Toshiyuki Sasaki --- setup/configure_tpm_emulator/test.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/setup/configure_tpm_emulator/test.sh b/setup/configure_tpm_emulator/test.sh index cc12e45b..c30c72be 100755 --- a/setup/configure_tpm_emulator/test.sh +++ b/setup/configure_tpm_emulator/test.sh 
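Review bot: The coverage drop-in written for `keylime_push_model_agent.service` sets `LLVM_PROFILE_FILE` to `${__INTERNAL_limeCoverageDir}/rust_keylime_codecoverage.profraw`, which from the hunk header appears to be the same path the `keylime_agent.service` drop-in already uses, so when both agents run in one test, or the push agent is restarted as the new functional test does, the profiles overwrite each other and coverage for one binary is lost. Give the push agent a distinct file, e.g. `Environment=\"LLVM_PROFILE_FILE=${__INTERNAL_limeCoverageDir}/rust_keylime_push_codecoverage.profraw\"`, and confirm that `coverage-script-stop.sh` (not shown) merges the extra file. The `20-rust_log_trace.conf` and `30-measured_boot_location.conf` drop-ins are likewise duplicated verbatim for the second unit; a loop over the two unit names, as patch 3 does for the TCTI drop-in, would keep them in sync.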
@@ -124,9 +124,11 @@ User=tss [Install] WantedBy=multi-user.target _EOF" - # also add drop-in update for eventual keylime_agent unit file - rlRun "mkdir -p /etc/systemd/system/keylime_agent.service.d" - rlRun "cat > /etc/systemd/system/keylime_agent.service.d/10-tcti.conf <<_EOF + + # also add drop-in update for eventual keylime_agent unit files + for AGENT_DIR in keylime_agent.service.d keylime_push_model_agent.service.d; do + rlRun "mkdir -p /etc/systemd/system/${AGENT_DIR}" + rlRun "cat > /etc/systemd/system/${AGENT_DIR}/10-tcti.conf <<_EOF [Unit] # we want to unset this since there is no /dev/tmp0 ConditionPathExistsGlob= @@ -134,6 +136,7 @@ ConditionPathExistsGlob= Environment=\"TPM2TOOLS_TCTI=${TPM2TOOLS_TCTI}\" Environment=\"TCTI=${TPM2TOOLS_TCTI}\" _EOF" + done rlRun "systemctl daemon-reload" if [ "${TPM_EMULATOR}" = "swtpm" ]; then From 46e3f9ba993aecd362d3093f4c901f1c28c45a2d Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Fri, 1 Aug 2025 15:10:04 +0200 Subject: [PATCH 4/9] functional/push-attestation-on-localhost: Initial version This adds an end-to-end test and a specific plan for push-attestation. Signed-off-by: Anderson Toshiyuki Sasaki --- .packit.yaml | 17 +++ .../binary_bios_measurements | Bin 0 -> 18373 bytes .../push-attestation-on-localhost/main.fmf | 25 ++++ .../push-attestation-on-localhost/test.sh | 122 ++++++++++++++++++ plans/upstream-push-attestation-tests.fmf | 57 ++++++++ 5 files changed, 221 insertions(+) create mode 100644 functional/push-attestation-on-localhost/binary_bios_measurements create mode 100644 functional/push-attestation-on-localhost/main.fmf create mode 100755 functional/push-attestation-on-localhost/test.sh create mode 100644 plans/upstream-push-attestation-tests.fmf diff --git a/.packit.yaml b/.packit.yaml index ed9fd632..ef991c47 100644 --- a/.packit.yaml +++ b/.packit.yaml 
@@ -123,3 +123,20 @@ jobs: - tmt: context: target_PR_branch: "fedora-rawhide" +- job: tests + trigger: pull_request + identifier: push + branch: main + targets: + - fedora-all + - centos-stream-10-x86_64 + skip_build: true + tf_extra_params: + test: + tmt: + name: "/plans/upstream-push-attestation-tests" + environments: + - tmt: + context: + target_PR_branch: "main" + multihost: "no" 
diff --git a/functional/push-attestation-on-localhost/binary_bios_measurements b/functional/push-attestation-on-localhost/binary_bios_measurements new file mode 100644 index 0000000000000000000000000000000000000000..d9f2122c0d95bc77877ad23532fcf87407bda07b GIT binary patch literal 18373 zcmeHu2|Sct`~P69S+Yi!#!_}}V_&nEEwW_EHW*BnnP#y>wuCH&M4=Lr5{Zy4YnBQr zw3k98MTJVr@4hWh%{-p>eV_Mz-p}Xv|NoxD%suD6&$-TZ&biL@y{>be8wP{HXu!{U zNf^9ogF|~FObii5LFhmtptw?u8b(b8{@MUTtmGNM%gT++{LFh|9}jngy+7W@mI$QT z&pa-0xp_T8Z$pSD6JuW|^-2Zs8>|zxQs)J-dU01Gw<_n4I)@FpMUMj)k}I?y(a($- z^v~YBp~bavxlYV#P1bcNJXUFOWsgnWJgC#EFrX)5A;0AI!S`X7{J79!;Y+J3>JURSEtDeW(GUw*nEC8 zPQxi;jrKz9L=h1-XipLzjnKzpi3kZRGkG&3GlU;H6rmugAOawMtItTq!%0AUqWsZ# zqAnio<%=T9d134mD5@#|NafY+f1}A5Dv@71MnwywiJ@YH z0Wnle)G<_4u+%NFVJQu7v$n+qB$Om}C;Q^QzA&S&P(8GPy35BGI5RRcbISC(qkV_o zyjs!^Z*!A3s;cR7C#i(?a#_7DPT9&b7x%gZxUI`GnUcg4hci(9*xQ`;Vn5f>Q>;g- z%>%@Ql1Jq&x8ALz`_eJN#~VZtj1DM%NZY5;6(-T8QozF^nS3hS_i0J9MM{%Xz4S$O zGkBK3SC#sk8gcNlD+4iM!zIs6Xnhyw%X~Ncr&`$aX?c0m%y(Mne9q`QzVDoG_ocp5 zehrsg8OGHGK7V1Wql@@(dm`xB50S^E8m@blCM&y#E#Q(7*WGJrr>h=qa@fP;UJD>+ zR7~4GhNf`n;yzK+P{F7Q!hleK5u9s5PB=9H17zqJ-Q#vr#eLDIVu5er5wygi18r=~ z5j)U}r1^Tlo`f}F>bMaHa7U;1k zoEPAUTE76f+=0_W1#`AYPq-H2CRm!pKJ|jG=)igDv#NH?DS@=G(i&#HBbdG+G+oZ_ zkb9+_O}S5L36bMM>YUdmtAT^Mq>@~N4KK=D`I~^@*&oeMJcLiq-@Ni%)6#_Lwb0kN z^6e}`1IDUPY>BQ*?5*w{IER}8*r|$#f!MYN#dx*CPljH(N}3WG+d{<8@@$&W#4v5W zNKlD5qv||0vHeNfSB^^U-tlMLZDq-{2vp9A=Q&pvt~v{hWsSEfu^*mG6yH{eQ<-9( zKct=dS>@B$Puv5k9ye^RUAb>^WqOt{5f(IRD5Y8#U3iLFLqTkR-sot}=G!|)FNyR` zlTcA31~ohF3GCV-IT&&+A+Y&YZS6!x=BUl=7Moi}l{=(og;_z( zL#ZX!bod10idHg%8T}JIQBYi$CkQXz*%03rz`^gT{kNX@TTlG0C;oTq2}<1OrCV9; zi?lFUWA;L@BMs7`(OqJ8{8)$?5JNiwuIalgxX*-Q>Q7iMO!F%~LckxLrm$fd4d8T~ z)OI!soB%sy1~70k*`o-)m_Q#QHc(+BzzW@@=cEU1g8*!xmx2%=0Nr8YQe=s)LpTQe`Ep3}u1nsQ(JjQh>w?&%*2T4B0;hdI%(-pa5DF|Jc%KpQuV~ zDz)EMzO8L?{G0s&Luwa#mdB=JM5)*1Y*PVmry^@doIH`??3*lEM>bqg<34`0V{SP1 zYIcsy_*_le5aY{N&G6#OfWV8LpXjWzy)NvI>^f|D3=!A+L;mI2rI_Y-Z+d!XZT5L+ 
zY%r*Owe|ZC+OGrcTqW$UM31E4Y6=A{rpm^07kFA9wA>z;XqO*5^%CCz z(Hykq9Z9LPi+IQUw`J+m^U9o29n@2!Zg)-x^-O!Fw_FL;jSY>D9I-B*I2}fhImW$W zX~a-jf+J-HY@}n9rlW#W#i(*q!9hzD_KO+ev1rhfr&D;_hvVMfM|PLP?o=nb0ertz z;G%{z3o(J_H3{YcGl1y<8^AddWP?Lw;s7=%!%0Q81g8aPzzdoEVdQOX@G`=Iy=iFI z8Bse1O%0KK#eg$ZV+-64umN`GS>{>9nfVflI1PDuPrScez?v*W2CO{J4+Gtm$KkPF zBu^qi9ux~u#zD~q)!D{e_dMjK&77q#(yz=5{?5SnasQq> zXX8W*<8K#zcZe9k_;9C1M1PFr9AimJ)QXRNJJQ=|FjguXd;I7=X{T_*1?x-EU9tl8 z!`3fg>|e6ATinZEDpnOF^rQKhHjiHpFKmg4-=%g{p5-Q2JobBvT!VV``0KXe(H`;G z=?wj8$)r?cJbhF|HS@4F%DKK~5n`+fc*p`}-68ffy3-7mJ&w+hF6 z`2KMs6zSgd@bY;PF0)%L56#{l+-|R2@!FDft=yeP#HK7QRB$LqZwq&vEw17@i!xhy zxe~rE%UyFO^lg5HfJ;8l_4u1__~)y#wqn)Jj-)LlhMsK0u+|g^AZW9`+~O*OJ!t>b z%(ao^rl?ME-u%k#5TySIvJ8Rc}3vTg5@>ES9V-|^I{ zCQU2qME?UnW*F>t1>XY=?M$PBhR1hVebCr7FLMX@3`$<$TBAf8`c<@fyFS`H0MVvt z4Q=Ry_AJw3pb%FeI^n;fxsd>{qPZo1YHkQge)U`sdL*JR7LNe|2U@f%Afo^%s4J)` zDJUVAL1rbZ3}u1n*#8Qva-hGp42)ZUvTBbB^uh)c5LPRS2EU|bdm@Qi+oK=>-8*npa4D(&w_zThb*v4x#9Yd~WF0?qb+ z2s9TZsnw72v}c9%q<%ePnf)@{?uyM{12lv4du|__$anVe?bpso-TR<7o3|a3d8^^vPi{ch;dqj6cA!|0p@_|S{{TLoqr8t{($zn z;KH>SzJK@m(AL0;X?2|jEo-(w>Fpai2|tQ`@9r#8vPjIN-S%F=I29E-w4^3yYVWyN=FIg~t)>Tdjo&N=}~&68Ch$AJa3w`;s)$I~#GdY-WB#BEz@s z-GcZ?o9l0Hcn*(fE1=7x$39-};VC?;U3@jCRsU{ktedUi(vitJ!5yjCa>6dXv$|*9 z#?DDqu%{6cg(YTspA*#GbV{7vr(V!(EWXe9W_CXFaCPMF1n(VuDf#6b+R;+Jw88ah z<{n|yE%cpr2jZ1zSj{{RoO*L>vDZ|!Tei?XT;PZH)9Y+b3q$Rd)Q71xCMzEWj$(vW zpGWu4llW+T?jN^zmE>3NdN2F3XVi$W_wK#k10_6sF~$yeT~9|>`dsl>{@5_KUF?-| zJ`;&0p6R1vK+W3L?MO}o9XANDBsBrt&5dT*Wo9I-e(>Q4E6h8VW zTlY2NwC+1zqYu4_&VD*2H1~15QcU}X-FEa3dNLtDUU{IhMGEIMrtiqG-^{));!yOA zu-2?V%gx%<Lofm9`Z%jC-3Nf zzrR7)GCMJR$#8qhF=WNIon@q|_ub|~rhE~jG1-D4!4}Nrjq_~xdG0qXNT1)W<}&xK z?nwyslcgyp{>;Hc*ZDZ#R5yp|hP~V(A>O?(y~kDHbwox)^Ne9dsQTFB3Xdd>ixW|U9j-tVrZ@sV|LK9>6( zI7HwgBE3n|w)}@RCm7!EyP8imxCRD6AQ<2Qj^CUJ(CeUGeg=sCyhjafVt#4y ztBDM@G5xevRdCn2ZDDK(T+}bl31?}O0b^qfE;o75QXz0qgP?@M#V`aeaQ%O99bpI~_UgKD}{JD&pA?bIGMN=5f>^J-TDp z1V7T$e%kE9|G_HtYo%SRzJvgxv7&4@*Uje3Sto=AQlGFb2A?@WNK3fY*l1l#YsK=y 
z{!AX~9m`n2)N+3rt%ru4HovGT0t#>};r&);5vef?V7ujIqq=iqKbDRH56H zbPS=}T$#Od z#y)&E*`gRzy2p%H_Ji*U`kuZS{7hN>v$(@2WrWQYrDxboXME$U((RC>bNgcUX%%c` zFML<}0A6ZFQR$-5r2I-Jsx662 zi+j-Q=PsJQE1s9@ic&p}`6A6lO)PZ^XM>_BzUQjwGYn$8V%UH7FoP@x( z@wB&?Tczt>zNq(A<+y>w+EV~5MY*{>Qr@nAa#4UQ``c{SDQvBnc$wa)SI%+s!V{v2QbGjc5C&Viuu?yA3BJrTm|Nu{Imr1zW+7Xq zpy=tY0Zdw$_)%U3?8N(=8&dYFuQCu8YG7^3;K6Fl0JaM3zeO)C!C0mj7|q0kJ%!qZ zK0jNE%zEWc+SvB)Vu$9qnZ}}W(r zO(yVoj#}f|Xf{ICA%hTu%ducB$`M>+4Vq&pt;K&=`lYbUzW~f`l{W;;0&JTAMvDa zJvj_pn^OzZqcTKJ&Bo@BS9-HBN0>V@3W7XjMOf)sgC-exzzD3(`OVz~LL3PHp|rFVxeP`kD_Pj{ z)qG$_5ULKl(d=rT;;Dsu<@IZb6$O@qK6|+)Yt}px34&D1mM{0%>&#$z-8$Wxls4&_ z&AQaNVzYwPm(z-kiU5O}p`aZ|1Z}?n7y@Pm+Pio#hgtq$VatZjT9tLLSF}6W4#nbk z91YdRJlt_`bd#B-b-wwS@!=!M7p+dm6JcE|?Jjj9*RB7b-lS~*<1nG%ovWbXDa)CV z{*aCqSl3FsVE@;K@jq>ntUhGHfOD}b70C{Cul=gZt>1oee~A|(Zp&TLe(n&r@rCe{ zi9U|zL#f$dY2G}RWe?0s`sYbfh~xq23rv4xf&cft5QrZZ@Uvo{Hg;Vy-m=#u#h8zg z#VaJCEZ0yj)A!JLN|N>LNCG?hCFF5fVExQ71R{*QW=f()nbqJu2eocz8q?C=Fx%wp z6LK}_t}20#ZNeSf${}xWwWb4Pp#NgfrOO@9wnK*|x_*!!KAmLJbYk<-$Rl}oE}Z94 z!D#ChSQvt(tx8FKcypnU#L^{`!FL(JoMtVW?RX%4fNU$V5_{a2jSoa z#!w{=U4BcDI}4?Mrb=Q`y!&U9mZafGXpIxXnEST9+;} znG95<_8Dh@vPRi|s4r0RU)2dVtBxkP4ekq`yR}-`3a5pg3i>!pxeJb1J4Hjo$!(1G z0*}s+9l15oTaHnJ+tGlkf(lYuSqa*chO)}5S>T^j_-E%-%H}>>M_+W-k^U@bH|yjZ zE8CD1lzEs%{5tRXo|Z!u$>J`eO#K{8q?7rtU8oXgADvyqHMF&F3Zt&#Y~P(e+)PWX zmD3gr$qOZ9G`C7u#9Wvy@i7(oy#*fRCb*!u(k@bhEOv@yH2X{22HH-Z*(?_G0Cu0hB#M zeEZ3V`KP>|bK9oahjMLMV6pJ)IjKCyOxO5HVdw|#7WdR@p^cx#hPCDut$GYw_w(*< zP+&9$+8dPC@Iav%CCug8=ZWWEx6c&LnSZ>1Q~qQ8(ykO|38%Fpa) z)p-fD@lM>fY2N@VjVSFh(VNb~G;+F4PisAPr+t{d_;}ys&h4x^gy8Q*N8W6QbkI-L z>7*w>!lnA%8B1x)Ocfo!H1z5Ow|nE*oeZi|qwELFHMW4IC49XA86O-`K~f&H6ISO` z-Um$jJOjKm5Ck*|@9B$>l?}wodi!H>xKQx7H$j#}!gztd2xy|V7di;xh4exL9!hGm zNOhF5tdb&tl2!BeM9Qk66cju>yu3V+YUpKq2qJ0IEQnkC>Z1oAa{_t-JdX6eT( zes59oc*!US|H4Q)hsje1l=Jdnxtvw!Fi@X#Rmg2C#P`~gjWRaO3Tx`T?=Gx?Zzk7kKSyp|>q zmOJipJ2ObJ3Gd{VC!^_!4fMwNcw_w0zoYv{v;4f&^2p{;pO;TcBDvYk>Th+rW!c2P z@~yj-`S{))g5S-}U;~sq{-i}d!Hb)lbr&Ud9=RH2REHac6eEYikL)fuKTac;cBVGh 
zErExOS#SmsIFt_>udP5akd+HINmoMqTf|z0!p%Z>_GsK?#RuRUKa(CjY}q8#^ihh8 z&R&G9_xjyM2L>TrC}`6)FNr9q(7pfE!63r*r8)mP=eLswznh<=0iwhM%j1p62h<;n z@^XX7{DUSamQByoNF|JM)hihxW0|L{waL8o%6UY!&oW&51e@mjqX7k*q2RSQ zTC9Pet%13!XNO{PUgzMPVL<5dKtm0LVCL2I3yo+tigEZ|XHW0#=zi2`IE67h{ymI4 z=pApCXdk0X*nC`k#H_rT!)r@20?>qbp}kQgf1)-DP*n$%k?Lr`TT#hd%?qWbj#O7s zLV2K&%AVdxHCbgj1tmG~0H7iO$a#AzD$9kasko^qQS`vbS7l3$1HVF{td~=j5+Gmu zS-

YR&hT*1|5BSB~GvC1NikBov_yeNoOD7y2H|+A}skW>v#*2bE)0uiz<};e1G1LdChs}?> zA_t|dqv&_|En3|V;E#)T-AYDub-k`bn}Y0rJZl?8t_F(g9!2QxBe+aM=v&*Hrpe0rb0^)oUf!r;H^L|0(IeN_GVH96H%2XL@=rfmHwC z^wO}yl+le1#NF~2`SO1pyjH|0OvWO#2#A;fG{~VFff(wK)`n)BVm$YsudLYI7ALQ} zP)~HqG-*3`U*Dt_hZgJJAQshn@U>^_OG<7MQ;Ku!Y@2w4;Y02egyJI*|Mg6<0x^s^At-IzI<+l`|Z8YTgaBUMLt-Z}Zr8^Ge#+_a>MSFO@rq5AoI&(ss>s^+&%Z zvX*^u;a-nch&O?P%mPlR<|fA?|NLp~$h3HWt5jj>lNd8I$w8mtJvRrJJnhNI{0r6z z9y*BmZ0v=g4;GmdE1F?4BE1e|Bsc}Hh|2E4n|N2Sd5(Kfw&fP zU;nUo7o&U_(rEf>Lt|+)1KbaueH$}#Pl;StU_K(;ek1XwGJ7Hd;-FcXgovd@KB*=~XN7i3@E@vT7y>A8|WCLd#W1ban$?!h& z{`18RQa{3^V;n&eznFcH9fZcqL!gQQojv(~*E|5c{G=_ zURpBJkGj>xdrhOdI5Mi^dl*drLskG;&_DGgp;y`_A4!2ota#j@u*&m`&tz~6SrZ&q zr_07(IvhnC+P-+>v^!CNY$W$CYcmCeEEWN3HHF^^T|-z<9>-@qN2|H))%b6*#3vQ= zd-lf_nJZgWvRN(~cnXqHgM<#k7B^pv7upT$r%j341YcL4)X3}MH88YC7{YJAzNb)n zcDsZv@3%ebIqtYnE;4d!%u$+7F@@)L85Dj-@s@c?xG>E)eNg}CzAzRhgCHCb5d5Sj z%}GIJ-JT5?A3bxfI)=2Ve}3DSHZv7n`T~@I)TVE9{GH>Ig=uQP?-{hh-3TO4Pc(t> zyPmO^0!tlMqit6;bPV*^&o^*`Ktsvw%wr3k7G&f0o2j~T zn9>-74+utqFSgsDiA3aAkBb(T3JC8iM z-BY!|>2rd8pnN_xWYBi};@%4>J`$p!*89JxDCh|ivN+ar)&4=NLEB0m-XQ9? zj*(PMbxz#Y(6rHVxKdw8eXp_P#TOUJPI8D`b_j#O1&gH^o4-oh9&p;ssT{3nk)TaY zkCw>Fc@$XuL?}7hWP3=6nr2XmCb^lliW1-n61Vl3;yzE6L>1hZYtmdB%KpM<{A0`U z`zW35?cHxr=2zXt-Vq`jQAi>Ac!%Inp-?Zi{m^I}MJN4@i31(h?|o_$J?I|T3f%rU z_>_tF@yO<(z?jaA_N-WPcW#wAp92`m!RmI_48JeAo7G)73Z5O|l=h?&9)NeDdblVKPUjYb>NSDP!N#+68y#lpxjV693F)sptZsM9|Uv*hXoJl zglZE#J(jaXbO87QClRd;K9eP2DEH9BZr<_RV#_T)+auf2@3W0zK_H2z?LfBv!ISB_ z`$c)KLFWB0GW<_E1|yFk)Lil@IaK_1-1GQwUsAr?nJ|}5B_i{e2wyKYbpb>$5&;s| zh4U@PcxKSWVD9(n&r^(=?GAzH{1HWRfSpci6;aEGu?wSrJ^UW-@l>dFfAlzhwEe~G zWb3Z-N@{4PS1d1R*AJXlw8sA{Gfm#nV9oR-7HjcDCKeq3zPD6a2ci|m+zngzzxnn*jbUo1W-y>8qN8mfz}tM4mc*VsT~vx z +component: + - keylime +test: ./test.sh +framework: beakerlib +tag: + - CI-Tier-1 +require: + - yum + - expect +recommend: + - keylime + - python3-tomli +duration: 10m +enabled: true +id: 77f1f100-a165-477b-b81d-40540f9c2762 
diff --git a/functional/push-attestation-on-localhost/test.sh b/functional/push-attestation-on-localhost/test.sh new file mode 100755 index 00000000..25824746 --- /dev/null +++ b/functional/push-attestation-on-localhost/test.sh 
@@ -0,0 +1,122 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+AGENT_ID="d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
+
+rlJournalStart
+ rlPhaseStartSetup "Setup push attestation environment"
+ rlRun 'rlImport "./test-helpers"' || rlDie "cannot import keylime-tests/test-helpers library"
+ rlAssertRpm keylime
+
+ # Backup original configuration
+ limeBackupConfig
+
+ # Set the verifier to run in PUSH mode
+ rlRun "limeUpdateConf verifier mode 'push'"
+ rlRun "limeUpdateConf verifier challenge_lifetime 1800"
+
+ # Set the configuration for the agent
+ rlRun "limeUpdateConf agent measuredboot_ml_path '\"/var/tmp/binary_bios_measurements\"'"
+ # TODO: this is not used anywhere
+ #rlRun "limeUpdateConf agent uefi_logs_binary_path '\"/var/tmp/binary_bios_measurements\"'"
+
+ # Copy the fake UEFI log
+ rlRun "cp binary_bios_measurements /var/tmp"
+
+ # Disable EK certificate verification on the tenant
+ rlRun "limeUpdateConf tenant require_ek_cert False"
+
+ # Configure TPM emulator if needed
+ if limeTPMEmulated; then
+ rlRun "limeStartTPMEmulator"
+ rlRun "limeWaitForTPMEmulator"
+ rlRun "limeCondStartAbrmd"
+ rlRun "limeInstallIMAConfig"
+ rlRun "limeStartIMAEmulator"
+ fi
+
+ sleep 5
+
+ # Start keylime services with push support
+ rlRun "limeStartVerifier"
+ rlRun "limeWaitForVerifier"
+ rlRun "limeStartRegistrar"
+ rlRun "limeWaitForRegistrar"
+ # Start push-attestaton agent
+ rlRun "limeStartPushAgent"
+ rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
+
+ # create some scripts
+ TESTDIR=$(limeCreateTestDir)
+ rlRun "echo -e '#!/bin/bash\necho This is good-script1' > $TESTDIR/good-script1.sh && chmod a+x $TESTDIR/good-script1.sh"
+ rlRun "echo -e '#!/bin/bash\necho This is good-script2' > $TESTDIR/good-script2.sh && chmod a+x $TESTDIR/good-script2.sh"
+
+ # create allowlist and excludelist
+ rlRun "limeCreateTestPolicy ${TESTDIR}/*"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Add keylime agent"
+ REVOCATION_SCRIPT_TYPE=$( limeGetRevocationScriptType )
+ rlRun "cat > script.expect <<_EOF
+set timeout 20
+spawn keylime_tenant -v 127.0.0.1 -t 127.0.0.1 -u $AGENT_ID --verify --runtime-policy policy.json --include payload-${REVOCATION_SCRIPT_TYPE} --cert default -c add --push-model
+expect \"Please enter the password to decrypt your keystore:\"
+send \"keylime\n\"
+expect eof
+_EOF"
+ rlRun "expect script.expect"
+ # Check that agent appears in verifier's agent list
+ rlRun -s "keylime_tenant -c cvlist"
+ # shellcheck disable=SC2154 # rlRun_LOG is set by BeakerLib's rlRun -s
+ rlAssertGrep "$AGENT_ID" "$rlRun_LOG"
+
+ # TODO: For now the agent dies after starting because it tries to send
+ # measurements and fails. Restart the agent.
+ rlRun "limeStartPushAgent"
+ rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
+
+ rlAssertGrep "Attestation [0-9]+ for agent .${AGENT_ID}. " "$(limeVerifierLogfile)" -E
+
+ # Store the index of the first attestation
+ INDEX=$(grep -oE "Attestation [0-9]+ for agent .${AGENT_ID}. successfully passed verification" "$(limeVerifierLogfile)" | tail -1 | grep -oE "Attestation [0-9]+" | grep -oE "[0-9]+")
+ rlPhaseEnd
+
+ rlPhaseStartTest "Running allowed scripts should not affect attestation"
+ rlRun "${TESTDIR}/good-script1.sh"
+ rlRun "${TESTDIR}/good-script2.sh"
+ rlRun "tail /sys/kernel/security/ima/ascii_runtime_measurements | grep good-script1.sh"
+ rlRun "tail /sys/kernel/security/ima/ascii_runtime_measurements | grep good-script2.sh"
+ rlRun "sleep 5"
+
+ rlRun "rlWaitForCmd 'grep -qE \"Attestation $((INDEX + 1)) for agent .${AGENT_ID}. successfully passed verification\" \$(limeVerifierLogfile)' -m 120 -d 1"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Fail keylime agent"
+ rlRun "echo -e '#!/bin/bash\necho boom' > $TESTDIR/bad-script.sh && chmod a+x $TESTDIR/bad-script.sh"
+ rlRun "$TESTDIR/bad-script.sh"
+
+ rlRun "rlWaitForCmd 'grep -qE \"Attestation [0-9]+ for agent .${AGENT_ID}. failed verification\" \$(limeVerifierLogfile)' -m 120 -d 1"
+ rlAssertGrep "File not found in allowlist: $TESTDIR/bad-script.sh" "$(limeVerifierLogfile)"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup "Cleanup push attestation test"
+ # Stop push agent
+ rlRun "limeStopPushAgent"
+
+ # Stop keylime services
+ rlRun "limeStopRegistrar"
+ rlRun "limeStopVerifier"
+
+ # Stop TPM emulator if used
+ if limeTPMEmulated; then
+ rlRun "limeStopIMAEmulator"
+ rlRun "limeStopTPMEmulator"
+ rlRun "limeCondStopAbrmd"
+ fi
+
+ limeSubmitCommonLogs
+ limeClearData
+ limeRestoreConfig
+ limeExtendNextExcludelist "$TESTDIR"
+ rlPhaseEnd
+rlJournalEnd
diff --git a/plans/upstream-push-attestation-tests.fmf b/plans/upstream-push-attestation-tests.fmf
new file mode 100644
index 00000000..48eb9e07
--- /dev/null
+++ b/plans/upstream-push-attestation-tests.fmf
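Review bot: `INDEX` is captured from a `grep` for "successfully passed verification" right after an `rlAssertGrep` that only checks that some `Attestation N for agent` line exists, so if the first attestation has not passed yet (or failed) `INDEX` is empty, `$((INDEX + 1))` silently evaluates to `1`, and the next phase waits for "Attestation 1" rather than the attestation that follows the good scripts; wait for the passing line before the assignment, `rlRun "rlWaitForCmd 'grep -qE \"Attestation [0-9]+ for agent .${AGENT_ID}. successfully passed verification\" \$(limeVerifierLogfile)' -m 120 -d 1"`, and then assert it, `rlAssertNotEquals "first passing attestation index found" "$INDEX" ""`. The failure phase accepts any `Attestation [0-9]+ ... failed verification` line, so a failure from before this phase (the TODO notes the agent dies on its first start) would satisfy it; matching on an index above `$((INDEX + 1))`, or waiting on the `File not found in allowlist: $TESTDIR/bad-script.sh` message first, ties the check to the bad script. `limeUpdateConf tenant require_ek_cert False` switches off EK certificate validation unconditionally, which is the check binding the enrolment to a genuine TPM; if it is only needed for the emulated TPM, move it under `if limeTPMEmulated`, otherwise add a comment saying why it is acceptable on real hardware in this CI. `script.expect` and `/var/tmp/binary_bios_measurements` are not removed in the cleanup phase.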
@@ -0,0 +1,57 @@
+summary:
+ Tests used by Packit/TFT CI on Github to test upstream keylime
+
+environment+:
+ TPM_BINARY_MEASUREMENTS: /var/tmp/binary_bios_measurements
+ KEYLIME_RUST_CODE_COVERAGE: 0
+
+discover:
+ how: fmf
+ test:
+ - /setup/apply_workarounds
+ #- /setup/configure_tpm_emulator
+ - /setup/configure_swtpm_device
+ - /setup/install_upstream_keylime
+ - /setup/install_upstream_rust_keylime
+ - /setup/enable_keylime_debug_messages
+ #- /setup/enable_keylime_coverage
+ # change IMA policy to simple and run one attestation scenario
+ # this is to utilize also a different parser
+ - /setup/configure_kernel_ima_module/ima_policy_simple
+ - /functional/push-attestation-on-localhost
+ #- /functional/basic-attestation-on-localhost
+ # now change IMA policy to signing and run all tests
+ #- /setup/configure_kernel_ima_module/ima_policy_signing
+ #- "^/functional/.*"
+ #- "^/compatibility/.*"
+ #- "^/regression/.*"
+ #- /update/basic-attestation-on-localhost/all
+ #- "/sanity/.*"
+ # run upstream test suite
+ - /upstream/run_keylime_tests
+ #- /setup/generate_coverage_report
+ #- /setup/generate_upstream_rust_keylime_code_coverage
+
+execute:
+ how: tmt
+
+adjust+:
+ - when: target_PR_branch is defined and target_PR_branch != main
+ enabled: false
+ because: we want to run this plan only for PRs targeting the main branch
+
+ # discover step adjustments
+ # disable code coverage measurement everywhere except latest fedora and CS
+ - when: distro != centos-stream-10 and distro != fedora-41
+ discover+:
+ test-:
+ - /setup/enable_keylime_coverage
+ - /setup/generate_coverage_report
+
+ # disable code coverage measurement everywhere except latest fedora and CS
+ - when: distro != centos-stream-10 and distro != fedora-41
+ environment+:
+ KEYLIME_RUST_CODE_COVERAGE: 0
+ discover+:
+ test-:
+ - /setup/generate_upstream_rust_keylime_code_coverage
From 27d74556a81e52a413ddafce214458cfb4896d6f Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki Date: Thu, 2 Oct 2025 17:44:32 +0200 Subject: [PATCH 5/9] DO NOT MERGE Change repositories to test Signed-off-by: Anderson Toshiyuki Sasaki --- plans/main.fmf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/plans/main.fmf b/plans/main.fmf index eb722b89..6e053b21 100644 --- a/plans/main.fmf +++ b/plans/main.fmf @@ -5,8 +5,10 @@ context: # modify defaults below to point upstream keylime URL to a different repo and branch environment: - KEYLIME_UPSTREAM_URL: "https://github.com/keylime/keylime.git" - KEYLIME_UPSTREAM_BRANCH: "master" + #KEYLIME_UPSTREAM_URL: "https://github.com/keylime/keylime.git" + #KEYLIME_UPSTREAM_BRANCH: "master" + KEYLIME_UPSTREAM_URL: https://github.com/hse-aurora/keylime-oss + KEYLIME_UPSTREAM_BRANCH: push-attestation # variables below impact only plans that use /setup/install_upstream_rust_keylime # task, not plans using /setup/install_rust_keylime_from_copr RUST_KEYLIME_UPSTREAM_URL: "https://github.com/keylime/rust-keylime.git" From b1f798dfe393fe7e2e3d9382806bba98689d95bd Mon Sep 17 00:00:00 2001 From: Karel Srot Date: Mon, 20 Oct 2025 14:37:00 +0200 Subject: [PATCH 6/9] Clean up unneeded parts --- .packit.yaml | 17 ------ .../binary_bios_measurements | Bin 18373 -> 0 bytes .../push-attestation-on-localhost/test.sh | 18 +----- plans/upstream-push-attestation-tests.fmf | 57 ------------------ 4 files changed, 1 insertion(+), 91 deletions(-) delete mode 100644 functional/push-attestation-on-localhost/binary_bios_measurements delete mode 100644 plans/upstream-push-attestation-tests.fmf diff --git a/.packit.yaml b/.packit.yaml index ef991c47..ed9fd632 100644 --- a/.packit.yaml +++ b/.packit.yaml 
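Review bot: The new `KEYLIME_UPSTREAM_URL`/`KEYLIME_UPSTREAM_BRANCH` values point the whole test plan at a third-party fork (`hse-aurora/keylime-oss`, branch `push-attestation`), so every CI run would clone and execute whatever that mutable branch contains at run time; the commit is titled DO NOT MERGE, which is right, and it should be dropped from the series before merging rather than reverted afterwards. If a fork must stay in for a while, pin a commit SHA rather than a branch name and keep the upstream `keylime/keylime.git` / `master` lines as the active default so a forgotten override cannot keep pulling from the fork. The replacement lines also drop the quotes the originals had, which is inconsistent with the `RUST_KEYLIME_UPSTREAM_URL` lines that follow.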
@@ -123,20 +123,3 @@ jobs:
 - tmt:
 context:
 target_PR_branch: "fedora-rawhide"
-- job: tests
- trigger: pull_request
- identifier: push
- branch: main
- targets:
- - fedora-all
- - centos-stream-10-x86_64
- skip_build: true
- tf_extra_params:
- test:
- tmt:
- name: "/plans/upstream-push-attestation-tests"
- environments:
- - tmt:
- context:
- target_PR_branch: "main"
- multihost: "no"
diff --git a/functional/push-attestation-on-localhost/binary_bios_measurements b/functional/push-attestation-on-localhost/binary_bios_measurements deleted file mode 100644 index d9f2122c0d95bc77877ad23532fcf87407bda07b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18373 zcmeHu2|Sct`~P69S+Yi!#!_}}V_&nEEwW_EHW*BnnP#y>wuCH&M4=Lr5{Zy4YnBQr zw3k98MTJVr@4hWh%{-p>eV_Mz-p}Xv|NoxD%suD6&$-TZ&biL@y{>be8wP{HXu!{U zNf^9ogF|~FObii5LFhmtptw?u8b(b8{@MUTtmGNM%gT++{LFh|9}jngy+7W@mI$QT z&pa-0xp_T8Z$pSD6JuW|^-2Zs8>|zxQs)J-dU01Gw<_n4I)@FpMUMj)k}I?y(a($- z^v~YBp~bavxlYV#P1bcNJXUFOWsgnWJgC#EFrX)5A;0AI!S`X7{J79!;Y+J3>JURSEtDeW(GUw*nEC8 zPQxi;jrKz9L=h1-XipLzjnKzpi3kZRGkG&3GlU;H6rmugAOawMtItTq!%0AUqWsZ# zqAnio<%=T9d134mD5@#|NafY+f1}A5Dv@71MnwywiJ@YH z0Wnle)G<_4u+%NFVJQu7v$n+qB$Om}C;Q^QzA&S&P(8GPy35BGI5RRcbISC(qkV_o zyjs!^Z*!A3s;cR7C#i(?a#_7DPT9&b7x%gZxUI`GnUcg4hci(9*xQ`;Vn5f>Q>;g- z%>%@Ql1Jq&x8ALz`_eJN#~VZtj1DM%NZY5;6(-T8QozF^nS3hS_i0J9MM{%Xz4S$O zGkBK3SC#sk8gcNlD+4iM!zIs6Xnhyw%X~Ncr&`$aX?c0m%y(Mne9q`QzVDoG_ocp5 zehrsg8OGHGK7V1Wql@@(dm`xB50S^E8m@blCM&y#E#Q(7*WGJrr>h=qa@fP;UJD>+ zR7~4GhNf`n;yzK+P{F7Q!hleK5u9s5PB=9H17zqJ-Q#vr#eLDIVu5er5wygi18r=~ z5j)U}r1^Tlo`f}F>bMaHa7U;1k zoEPAUTE76f+=0_W1#`AYPq-H2CRm!pKJ|jG=)igDv#NH?DS@=G(i&#HBbdG+G+oZ_ zkb9+_O}S5L36bMM>YUdmtAT^Mq>@~N4KK=D`I~^@*&oeMJcLiq-@Ni%)6#_Lwb0kN z^6e}`1IDUPY>BQ*?5*w{IER}8*r|$#f!MYN#dx*CPljH(N}3WG+d{<8@@$&W#4v5W zNKlD5qv||0vHeNfSB^^U-tlMLZDq-{2vp9A=Q&pvt~v{hWsSEfu^*mG6yH{eQ<-9( zKct=dS>@B$Puv5k9ye^RUAb>^WqOt{5f(IRD5Y8#U3iLFLqTkR-sot}=G!|)FNyR` zlTcA31~ohF3GCV-IT&&+A+Y&YZS6!x=BUl=7Moi}l{=(og;_z( zL#ZX!bod10idHg%8T}JIQBYi$CkQXz*%03rz`^gT{kNX@TTlG0C;oTq2}<1OrCV9; zi?lFUWA;L@BMs7`(OqJ8{8)$?5JNiwuIalgxX*-Q>Q7iMO!F%~LckxLrm$fd4d8T~ z)OI!soB%sy1~70k*`o-)m_Q#QHc(+BzzW@@=cEU1g8*!xmx2%=0Nr8YQe=s)LpTQe`Ep3}u1nsQ(JjQh>w?&%*2T4B0;hdI%(-pa5DF|Jc%KpQuV~ zDz)EMzO8L?{G0s&Luwa#mdB=JM5)*1Y*PVmry^@doIH`??3*lEM>bqg<34`0V{SP1 zYIcsy_*_le5aY{N&G6#OfWV8LpXjWzy)NvI>^f|D3=!A+L;mI2rI_Y-Z+d!XZT5L+ 
zY%r*Owe|ZC+OGrcTqW$UM31E4Y6=A{rpm^07kFA9wA>z;XqO*5^%CCz z(Hykq9Z9LPi+IQUw`J+m^U9o29n@2!Zg)-x^-O!Fw_FL;jSY>D9I-B*I2}fhImW$W zX~a-jf+J-HY@}n9rlW#W#i(*q!9hzD_KO+ev1rhfr&D;_hvVMfM|PLP?o=nb0ertz z;G%{z3o(J_H3{YcGl1y<8^AddWP?Lw;s7=%!%0Q81g8aPzzdoEVdQOX@G`=Iy=iFI z8Bse1O%0KK#eg$ZV+-64umN`GS>{>9nfVflI1PDuPrScez?v*W2CO{J4+Gtm$KkPF zBu^qi9ux~u#zD~q)!D{e_dMjK&77q#(yz=5{?5SnasQq> zXX8W*<8K#zcZe9k_;9C1M1PFr9AimJ)QXRNJJQ=|FjguXd;I7=X{T_*1?x-EU9tl8 z!`3fg>|e6ATinZEDpnOF^rQKhHjiHpFKmg4-=%g{p5-Q2JobBvT!VV``0KXe(H`;G z=?wj8$)r?cJbhF|HS@4F%DKK~5n`+fc*p`}-68ffy3-7mJ&w+hF6 z`2KMs6zSgd@bY;PF0)%L56#{l+-|R2@!FDft=yeP#HK7QRB$LqZwq&vEw17@i!xhy zxe~rE%UyFO^lg5HfJ;8l_4u1__~)y#wqn)Jj-)LlhMsK0u+|g^AZW9`+~O*OJ!t>b z%(ao^rl?ME-u%k#5TySIvJ8Rc}3vTg5@>ES9V-|^I{ zCQU2qME?UnW*F>t1>XY=?M$PBhR1hVebCr7FLMX@3`$<$TBAf8`c<@fyFS`H0MVvt z4Q=Ry_AJw3pb%FeI^n;fxsd>{qPZo1YHkQge)U`sdL*JR7LNe|2U@f%Afo^%s4J)` zDJUVAL1rbZ3}u1n*#8Qva-hGp42)ZUvTBbB^uh)c5LPRS2EU|bdm@Qi+oK=>-8*npa4D(&w_zThb*v4x#9Yd~WF0?qb+ z2s9TZsnw72v}c9%q<%ePnf)@{?uyM{12lv4du|__$anVe?bpso-TR<7o3|a3d8^^vPi{ch;dqj6cA!|0p@_|S{{TLoqr8t{($zn z;KH>SzJK@m(AL0;X?2|jEo-(w>Fpai2|tQ`@9r#8vPjIN-S%F=I29E-w4^3yYVWyN=FIg~t)>Tdjo&N=}~&68Ch$AJa3w`;s)$I~#GdY-WB#BEz@s z-GcZ?o9l0Hcn*(fE1=7x$39-};VC?;U3@jCRsU{ktedUi(vitJ!5yjCa>6dXv$|*9 z#?DDqu%{6cg(YTspA*#GbV{7vr(V!(EWXe9W_CXFaCPMF1n(VuDf#6b+R;+Jw88ah z<{n|yE%cpr2jZ1zSj{{RoO*L>vDZ|!Tei?XT;PZH)9Y+b3q$Rd)Q71xCMzEWj$(vW zpGWu4llW+T?jN^zmE>3NdN2F3XVi$W_wK#k10_6sF~$yeT~9|>`dsl>{@5_KUF?-| zJ`;&0p6R1vK+W3L?MO}o9XANDBsBrt&5dT*Wo9I-e(>Q4E6h8VW zTlY2NwC+1zqYu4_&VD*2H1~15QcU}X-FEa3dNLtDUU{IhMGEIMrtiqG-^{));!yOA zu-2?V%gx%<Lofm9`Z%jC-3Nf zzrR7)GCMJR$#8qhF=WNIon@q|_ub|~rhE~jG1-D4!4}Nrjq_~xdG0qXNT1)W<}&xK z?nwyslcgyp{>;Hc*ZDZ#R5yp|hP~V(A>O?(y~kDHbwox)^Ne9dsQTFB3Xdd>ixW|U9j-tVrZ@sV|LK9>6( zI7HwgBE3n|w)}@RCm7!EyP8imxCRD6AQ<2Qj^CUJ(CeUGeg=sCyhjafVt#4y ztBDM@G5xevRdCn2ZDDK(T+}bl31?}O0b^qfE;o75QXz0qgP?@M#V`aeaQ%O99bpI~_UgKD}{JD&pA?bIGMN=5f>^J-TDp z1V7T$e%kE9|G_HtYo%SRzJvgxv7&4@*Uje3Sto=AQlGFb2A?@WNK3fY*l1l#YsK=y 
z{!AX~9m`n2)N+3rt%ru4HovGT0t#>};r&);5vef?V7ujIqq=iqKbDRH56H zbPS=}T$#Od z#y)&E*`gRzy2p%H_Ji*U`kuZS{7hN>v$(@2WrWQYrDxboXME$U((RC>bNgcUX%%c` zFML<}0A6ZFQR$-5r2I-Jsx662 zi+j-Q=PsJQE1s9@ic&p}`6A6lO)PZ^XM>_BzUQjwGYn$8V%UH7FoP@x( z@wB&?Tczt>zNq(A<+y>w+EV~5MY*{>Qr@nAa#4UQ``c{SDQvBnc$wa)SI%+s!V{v2QbGjc5C&Viuu?yA3BJrTm|Nu{Imr1zW+7Xq zpy=tY0Zdw$_)%U3?8N(=8&dYFuQCu8YG7^3;K6Fl0JaM3zeO)C!C0mj7|q0kJ%!qZ zK0jNE%zEWc+SvB)Vu$9qnZ}}W(r zO(yVoj#}f|Xf{ICA%hTu%ducB$`M>+4Vq&pt;K&=`lYbUzW~f`l{W;;0&JTAMvDa zJvj_pn^OzZqcTKJ&Bo@BS9-HBN0>V@3W7XjMOf)sgC-exzzD3(`OVz~LL3PHp|rFVxeP`kD_Pj{ z)qG$_5ULKl(d=rT;;Dsu<@IZb6$O@qK6|+)Yt}px34&D1mM{0%>&#$z-8$Wxls4&_ z&AQaNVzYwPm(z-kiU5O}p`aZ|1Z}?n7y@Pm+Pio#hgtq$VatZjT9tLLSF}6W4#nbk z91YdRJlt_`bd#B-b-wwS@!=!M7p+dm6JcE|?Jjj9*RB7b-lS~*<1nG%ovWbXDa)CV z{*aCqSl3FsVE@;K@jq>ntUhGHfOD}b70C{Cul=gZt>1oee~A|(Zp&TLe(n&r@rCe{ zi9U|zL#f$dY2G}RWe?0s`sYbfh~xq23rv4xf&cft5QrZZ@Uvo{Hg;Vy-m=#u#h8zg z#VaJCEZ0yj)A!JLN|N>LNCG?hCFF5fVExQ71R{*QW=f()nbqJu2eocz8q?C=Fx%wp z6LK}_t}20#ZNeSf${}xWwWb4Pp#NgfrOO@9wnK*|x_*!!KAmLJbYk<-$Rl}oE}Z94 z!D#ChSQvt(tx8FKcypnU#L^{`!FL(JoMtVW?RX%4fNU$V5_{a2jSoa z#!w{=U4BcDI}4?Mrb=Q`y!&U9mZafGXpIxXnEST9+;} znG95<_8Dh@vPRi|s4r0RU)2dVtBxkP4ekq`yR}-`3a5pg3i>!pxeJb1J4Hjo$!(1G z0*}s+9l15oTaHnJ+tGlkf(lYuSqa*chO)}5S>T^j_-E%-%H}>>M_+W-k^U@bH|yjZ zE8CD1lzEs%{5tRXo|Z!u$>J`eO#K{8q?7rtU8oXgADvyqHMF&F3Zt&#Y~P(e+)PWX zmD3gr$qOZ9G`C7u#9Wvy@i7(oy#*fRCb*!u(k@bhEOv@yH2X{22HH-Z*(?_G0Cu0hB#M zeEZ3V`KP>|bK9oahjMLMV6pJ)IjKCyOxO5HVdw|#7WdR@p^cx#hPCDut$GYw_w(*< zP+&9$+8dPC@Iav%CCug8=ZWWEx6c&LnSZ>1Q~qQ8(ykO|38%Fpa) z)p-fD@lM>fY2N@VjVSFh(VNb~G;+F4PisAPr+t{d_;}ys&h4x^gy8Q*N8W6QbkI-L z>7*w>!lnA%8B1x)Ocfo!H1z5Ow|nE*oeZi|qwELFHMW4IC49XA86O-`K~f&H6ISO` z-Um$jJOjKm5Ck*|@9B$>l?}wodi!H>xKQx7H$j#}!gztd2xy|V7di;xh4exL9!hGm zNOhF5tdb&tl2!BeM9Qk66cju>yu3V+YUpKq2qJ0IEQnkC>Z1oAa{_t-JdX6eT( zes59oc*!US|H4Q)hsje1l=Jdnxtvw!Fi@X#Rmg2C#P`~gjWRaO3Tx`T?=Gx?Zzk7kKSyp|>q zmOJipJ2ObJ3Gd{VC!^_!4fMwNcw_w0zoYv{v;4f&^2p{;pO;TcBDvYk>Th+rW!c2P z@~yj-`S{))g5S-}U;~sq{-i}d!Hb)lbr&Ud9=RH2REHac6eEYikL)fuKTac;cBVGh 
zErExOS#SmsIFt_>udP5akd+HINmoMqTf|z0!p%Z>_GsK?#RuRUKa(CjY}q8#^ihh8 z&R&G9_xjyM2L>TrC}`6)FNr9q(7pfE!63r*r8)mP=eLswznh<=0iwhM%j1p62h<;n z@^XX7{DUSamQByoNF|JM)hihxW0|L{waL8o%6UY!&oW&51e@mjqX7k*q2RSQ zTC9Pet%13!XNO{PUgzMPVL<5dKtm0LVCL2I3yo+tigEZ|XHW0#=zi2`IE67h{ymI4 z=pApCXdk0X*nC`k#H_rT!)r@20?>qbp}kQgf1)-DP*n$%k?Lr`TT#hd%?qWbj#O7s zLV2K&%AVdxHCbgj1tmG~0H7iO$a#AzD$9kasko^qQS`vbS7l3$1HVF{td~=j5+Gmu zS-

YR&hT*1|5BSB~GvC1NikBov_yeNoOD7y2H|+A}skW>v#*2bE)0uiz<};e1G1LdChs}?> zA_t|dqv&_|En3|V;E#)T-AYDub-k`bn}Y0rJZl?8t_F(g9!2QxBe+aM=v&*Hrpe0rb0^)oUf!r;H^L|0(IeN_GVH96H%2XL@=rfmHwC z^wO}yl+le1#NF~2`SO1pyjH|0OvWO#2#A;fG{~VFff(wK)`n)BVm$YsudLYI7ALQ} zP)~HqG-*3`U*Dt_hZgJJAQshn@U>^_OG<7MQ;Ku!Y@2w4;Y02egyJI*|Mg6<0x^s^At-IzI<+l`|Z8YTgaBUMLt-Z}Zr8^Ge#+_a>MSFO@rq5AoI&(ss>s^+&%Z zvX*^u;a-nch&O?P%mPlR<|fA?|NLp~$h3HWt5jj>lNd8I$w8mtJvRrJJnhNI{0r6z z9y*BmZ0v=g4;GmdE1F?4BE1e|Bsc}Hh|2E4n|N2Sd5(Kfw&fP zU;nUo7o&U_(rEf>Lt|+)1KbaueH$}#Pl;StU_K(;ek1XwGJ7Hd;-FcXgovd@KB*=~XN7i3@E@vT7y>A8|WCLd#W1ban$?!h& z{`18RQa{3^V;n&eznFcH9fZcqL!gQQojv(~*E|5c{G=_ zURpBJkGj>xdrhOdI5Mi^dl*drLskG;&_DGgp;y`_A4!2ota#j@u*&m`&tz~6SrZ&q zr_07(IvhnC+P-+>v^!CNY$W$CYcmCeEEWN3HHF^^T|-z<9>-@qN2|H))%b6*#3vQ= zd-lf_nJZgWvRN(~cnXqHgM<#k7B^pv7upT$r%j341YcL4)X3}MH88YC7{YJAzNb)n zcDsZv@3%ebIqtYnE;4d!%u$+7F@@)L85Dj-@s@c?xG>E)eNg}CzAzRhgCHCb5d5Sj z%}GIJ-JT5?A3bxfI)=2Ve}3DSHZv7n`T~@I)TVE9{GH>Ig=uQP?-{hh-3TO4Pc(t> zyPmO^0!tlMqit6;bPV*^&o^*`Ktsvw%wr3k7G&f0o2j~T zn9>-74+utqFSgsDiA3aAkBb(T3JC8iM z-BY!|>2rd8pnN_xWYBi};@%4>J`$p!*89JxDCh|ivN+ar)&4=NLEB0m-XQ9? 
zj*(PMbxz#Y(6rHVxKdw8eXp_P#TOUJPI8D`b_j#O1&gH^o4-oh9&p;ssT{3nk)TaY zkCw>Fc@$XuL?}7hWP3=6nr2XmCb^lliW1-n61Vl3;yzE6L>1hZYtmdB%KpM<{A0`U z`zW35?cHxr=2zXt-Vq`jQAi>Ac!%Inp-?Zi{m^I}MJN4@i31(h?|o_$J?I|T3f%rU z_>_tF@yO<(z?jaA_N-WPcW#wAp92`m!RmI_48JeAo7G)73Z5O|l=h?&9)NeDdblVKPUjYb>NSDP!N#+68y#lpxjV693F)sptZsM9|Uv*hXoJl zglZE#J(jaXbO87QClRd;K9eP2DEH9BZr<_RV#_T)+auf2@3W0zK_H2z?LfBv!ISB_ z`$c)KLFWB0GW<_E1|yFk)Lil@IaK_1-1GQwUsAr?nJ|}5B_i{e2wyKYbpb>$5&;s| zh4U@PcxKSWVD9(n&r^(=?GAzH{1HWRfSpci6;aEGu?wSrJ^UW-@l>dFfAlzhwEe~G zWb3Z-N@{4PS1d1R*AJXlw8sA{Gfm#nV9oR-7HjcDCKeq3zPD6a2ci|m+zngzzxnn*jbUo1W-y>8qN8mfz}tM4mc*VsT~vx z script.expect <<_EOF -set timeout 20 -spawn keylime_tenant -v 127.0.0.1 -t 127.0.0.1 -u $AGENT_ID --verify --runtime-policy policy.json --include payload-${REVOCATION_SCRIPT_TYPE} --cert default -c add --push-model -expect \"Please enter the password to decrypt your keystore:\" -send \"keylime\n\" -expect eof -_EOF" - rlRun "expect script.expect" + rlRun "keylime_tenant -v 127.0.0.1 -t 127.0.0.1 -u $AGENT_ID --runtime-policy policy.json -c add --push-model" # Check that agent appears in verifier's agent list rlRun -s "keylime_tenant -c cvlist" # shellcheck disable=SC2154 # rlRun_LOG is set by BeakerLib's rlRun -s diff --git a/plans/upstream-push-attestation-tests.fmf b/plans/upstream-push-attestation-tests.fmf deleted file mode 100644 index 48eb9e07..00000000 --- a/plans/upstream-push-attestation-tests.fmf +++ /dev/null 
@@ -1,57 +0,0 @@
-summary:
- Tests used by Packit/TFT CI on Github to test upstream keylime
-
-environment+:
- TPM_BINARY_MEASUREMENTS: /var/tmp/binary_bios_measurements
- KEYLIME_RUST_CODE_COVERAGE: 0
-
-discover:
- how: fmf
- test:
- - /setup/apply_workarounds
- #- /setup/configure_tpm_emulator
- - /setup/configure_swtpm_device
- - /setup/install_upstream_keylime
- - /setup/install_upstream_rust_keylime
- - /setup/enable_keylime_debug_messages
- #- /setup/enable_keylime_coverage
- # change IMA policy to simple and run one attestation scenario
- # this is to utilize also a different parser
- - /setup/configure_kernel_ima_module/ima_policy_simple
- - /functional/push-attestation-on-localhost
- #- /functional/basic-attestation-on-localhost
- # now change IMA policy to signing and run all tests
- #- /setup/configure_kernel_ima_module/ima_policy_signing
- #- "^/functional/.*"
- #- "^/compatibility/.*"
- #- "^/regression/.*"
- #- /update/basic-attestation-on-localhost/all
- #- "/sanity/.*"
- # run upstream test suite
- - /upstream/run_keylime_tests
- #- /setup/generate_coverage_report
- #- /setup/generate_upstream_rust_keylime_code_coverage
-
-execute:
- how: tmt
-
-adjust+:
- - when: target_PR_branch is defined and target_PR_branch != main
- enabled: false
- because: we want to run this plan only for PRs targeting the main branch
-
- # discover step adjustments
- # disable code coverage measurement everywhere except latest fedora and CS
- - when: distro != centos-stream-10 and distro != fedora-41
- discover+:
- test-:
- - /setup/enable_keylime_coverage
- - /setup/generate_coverage_report
-
- # disable code coverage measurement everywhere except latest fedora and CS
- - when: distro != centos-stream-10 and distro != fedora-41
- environment+:
- KEYLIME_RUST_CODE_COVERAGE: 0
- discover+:
- test-:
- - /setup/generate_upstream_rust_keylime_code_coverage
From b82dd1b8907d3e17df3455e893cc719fe48b0174 Mon Sep 17 00:00:00 2001
From: Karel Srot Date: Mon, 20 Oct 2025 15:52:46 +0200 Subject: [PATCH 7/9] Add pull model subtest --- .../measured-boot-swtpm-sanity/main.fmf | 10 ++++-- functional/measured-boot-swtpm-sanity/test.sh | 34 ++++++++++++------- 2 files changed, 30 insertions(+), 14 deletions(-) diff --git a/functional/measured-boot-swtpm-sanity/main.fmf b/functional/measured-boot-swtpm-sanity/main.fmf index 96e5b80a..8633fb30 100644 --- a/functional/measured-boot-swtpm-sanity/main.fmf +++ b/functional/measured-boot-swtpm-sanity/main.fmf @@ -27,7 +27,6 @@ recommend: - efivar-libs duration: 5m enabled: true -extra-nitrate: TC#0613892 adjust: - when: swtpm is not defined or swtpm != yes enabled: false @@ -46,4 +45,11 @@ adjust: enabled: false because: For Rust agent we are not able to fake measuredboot log during runtime -id: a416a48b-3fd6-447f-82a7-6a305b6f7bc6 + +/push: + environment: + AGENT_SERVICE: PushAgent +/pull: + environment: + AGENT_SERVICE: Agent + id: a416a48b-3fd6-447f-82a7-6a305b6f7bc6 diff --git a/functional/measured-boot-swtpm-sanity/test.sh b/functional/measured-boot-swtpm-sanity/test.sh index e3eae290..4c6ac5c3 100755 --- a/functional/measured-boot-swtpm-sanity/test.sh +++ b/functional/measured-boot-swtpm-sanity/test.sh @@ -3,6 +3,8 @@ . /usr/share/beakerlib/beakerlib.sh || exit 1 AGENT_ID="d432fbb3-d2f1-4a97-9ef7-75bd81c00000" +TENANT_ARGS="" +[ "${AGENT_SERVICE}" == "PushAgent" ] && TENANT_ARGS="--push-model" rlJournalStart 
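Review bot: `TENANT_ARGS` is derived from `AGENT_SERVICE`, but the test.sh hunk gives that variable no default, and the `limeStart${AGENT_SERVICE}`/`limeStop${AGENT_SERVICE}` calls in the later hunks of this commit then expand to the nonexistent `limeStart`/`limeStop` whenever the script runs outside the `/push` and `/pull` fmf variants added to main.fmf. A default before the check keeps the pull model as the standalone behaviour: `: "${AGENT_SERVICE:=Agent}"`. The `[ ... ] && TENANT_ARGS="--push-model"` one-liner also leaves a non-zero status on the pull path; that is harmless unless `set -e` is ever enabled in this script, but an `if` block reads more clearly.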
@@ -38,12 +40,20 @@ rlJournalStart
 rlRun "limeUpdateConf verifier measured_boot_policy_name accept-all"
 rlRun "limeUpdateConf revocations enabled_revocation_notifications '[]'"
 rlRun "limeUpdateConf agent enable_revocation_notifications false"
+
+ # configure push attestation
+ if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+ # Set the verifier to run in PUSH mode
+ rlRun "limeUpdateConf verifier mode 'push'"
+ rlRun "limeUpdateConf verifier challenge_lifetime 1800"
+ fi
+
 # start keylime_verifier
 rlRun "limeStartVerifier"
 rlRun "limeWaitForVerifier"
 rlRun "limeStartRegistrar"
 rlRun "limeWaitForRegistrar"
- rlRun "limeStartAgent"
+ rlRun "limeStart${AGENT_SERVICE}"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
 # create allowlist and excludelist
 limeCreateTestPolicy
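Review bot: `limeUpdateConf verifier challenge_lifetime 1800` hard-codes a 30-minute value with no comment on why that number was chosen; if this is the validity window of the verifier's attestation challenges (the name suggests so, but nothing in the hunk confirms it), a long lifetime also lengthens the period in which a stale response is still accepted, so a test that only needs the agent to register and answer within seconds should record why it needs 1800 rather than a smaller value. A comment such as `# challenge_lifetime: <reason for 1800 s>; test-only value, not a production setting` above the line would capture the intent. The `[ "${AGENT_SERVICE}" == "PushAgent" ]` condition duplicates the one at the top of the file that sets `TENANT_ARGS`; computing a single push-mode flag once would keep the two from drifting apart. The enclosing rlPhase block starts outside the hunk.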
@@ -52,12 +62,12 @@ rlJournalStart
 rlPhaseStartTest "Try adding agent with PRC15 configured in tpm_policy"
 TPM_POLICY='{"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]}'
 rlRun "echo '{}' > mb_refstate.txt"
- rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '${TPM_POLICY}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt" 1
+ rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '${TPM_POLICY}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt ${TENANT_ARGS}" 1
 rlAssertGrep 'ERROR - WARNING: PCR 15 is specified in "tpm_policy", but will in fact be used by measured boot. Please remove it from policy' $rlRun_LOG
 rlPhaseEnd

 rlPhaseStartTest "Add agent with empty tpm_policy"
- rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt"
+ rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt ${TENANT_ARGS}"
 rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
 rlRun -s "keylime_tenant -c cvlist"
 rlAssertGrep "{'code': 200, 'status': 'Success', 'results': {'uuids':.*'$AGENT_ID'" $rlRun_LOG -E
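Review bot: The `keylime_tenant ... -c add` lines keep `--verify` and the `-f /etc/hostname` payload while appending `${TENANT_ARGS}` (`--push-model`), whereas the push-attestation test earlier in this series drops both when adding in push mode, so whether the tenant accepts a payload and `--verify` together with `--push-model` is not established by this page; if it rejects or silently ignores them, the `/push` variant either fails before the assertions or exercises less than the `/pull` one, and that should be confirmed before the subtest is relied on. The same pattern appears in the following hunks (`@@ -66,13`, `@@ -87,7`, `@@ -100,17`, `@@ -151,7`, `@@ -187,12`). Appending `${TENANT_ARGS}` as a trailing unquoted word inside the rlRun string is fine for a single flag but breaks as soon as the variable needs quoting, and a bash array cannot be used inside an rlRun string, so a comment at the definition such as `# TENANT_ARGS must stay a plain space-separated flag list; it is interpolated into rlRun strings` would document that limit.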
@@ -66,13 +76,13 @@ rlJournalStart
 rlPhaseStartTest "Configure verifier to use elchecking/example measured boot policy, restart and re-register agent"
 rlRun "keylime_tenant -u $AGENT_ID -c delete"
 rlRun "keylime_tenant -u $AGENT_ID -c regdelete"
- rlRun "limeStopAgent"
+ rlRun "limeStop${AGENT_SERVICE}"
 rlRun "limeStopVerifier"
 sleep 5
 rlRun "limeUpdateConf verifier measured_boot_policy_name example"
 rlRun "limeStartVerifier"
 rlRun "limeWaitForVerifier"
- rlRun "limeStartAgent"
+ rlRun "limeStart${AGENT_SERVICE}"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
 rlPhaseEnd

@@ -87,7 +97,7 @@ rlJournalStart
 rlPhaseEnd

 rlPhaseStartTest "Add agent with tpm_policy generated by create_mb_refstate script and incorrect PCR banks"
- rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate2.txt" 1
+ rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate2.txt ${TENANT_ARGS}" 1
 rlRun "limeWaitForAgentStatus $AGENT_ID 'Tenant Quote Failed'"
 rlAssertGrep "keylime.tpm - ERROR - For PCR 0 and hash sha256 the boot event log has value '.*' but the agent .*returned '.*'" $(limeVerifierLogfile) -E
 rlPhaseEnd
@@ -100,17 +110,17 @@ rlJournalStart
 rlPhaseStartTest "Restart services and re-register agent"
 rlRun "keylime_tenant -u $AGENT_ID -c delete"
 rlRun "keylime_tenant -u $AGENT_ID -c regdelete"
- rlRun "limeStopAgent"
+ rlRun "limeStop${AGENT_SERVICE}"
 rlRun "limeStopVerifier"
 sleep 5
 rlRun "limeStartVerifier"
 rlRun "limeWaitForVerifier"
- rlRun "limeStartAgent"
+ rlRun "limeStart${AGENT_SERVICE}"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
 rlPhaseEnd

 rlPhaseStartTest "Add agent with tpm_policy generated by different tools and correct PCR banks"
- rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy $mb_policy"
+ rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy $mb_policy ${TENANT_ARGS}"
 rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
 rlPhaseEnd
 done
@@ -151,7 +161,7 @@ rlJournalStart
 rlPhaseStartTest "Add an agent with a mbpolicy but without a name and verify UUID as the name of the policy in mbpolicy DB."
 rlRun "keylime_tenant -u $AGENT_ID -c delete"
 sleep 5
- rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy mb_refstate.txt"
+ rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy mb_refstate.txt ${TENANT_ARGS}"
 rlRun -s "keylime_tenant -c showmbpolicy --mb-policy-name $AGENT_ID"
 rlAssertGrep "{'code': 200, 'status': 'Success', 'results': {'name': '$AGENT_ID', 'mb_policy': '{}'}}" "$rlRun_LOG"
 rlPhaseEnd
@@ -187,12 +197,12 @@ rlJournalStart
 rlPhaseEnd

 rlPhaseStartTest "Add an agent with a non-existing named mbpolicy."
- rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy-name non_existing_policy" 1
+ rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy-name non_existing_policy ${TENANT_ARGS}" 1
 rlAssertGrep "{\"code\": 404, \"status\": \"Could not find mb_policy with name non_existing_policy!\", \"results\": {}}" "$rlRun_LOG"
 rlPhaseEnd

 rlPhaseStartCleanup "Do the keylime cleanup"
- rlRun "limeStopAgent"
+ rlRun "limeStop${AGENT_SERVICE}"
 rlRun "limeStopRegistrar"
 rlRun "limeStopVerifier"
 rlRun "limeStopIMAEmulator"
From 1af4fd8f6f3e14c87a901f0fb82eeab5573fead3 Mon Sep 17 00:00:00 2001 From: Karel Srot Date: Mon, 20 Oct 2025 15:54:05 +0200 Subject: [PATCH 8/9] DO NOT MERGE: shorten plan
---
 plans/upstream-keylime-all-tests.fmf | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/plans/upstream-keylime-all-tests.fmf b/plans/upstream-keylime-all-tests.fmf
index 23b0d947..7ebced20 100644
--- a/plans/upstream-keylime-all-tests.fmf
+++ b/plans/upstream-keylime-all-tests.fmf
@@ -13,22 +13,10 @@ discover:
 - /setup/install_upstream_keylime
 - /setup/install_upstream_rust_keylime
 #- /setup/enable_keylime_debug_messages
- - /setup/enable_keylime_coverage
 # change IMA policy to simple and run one attestation scenario
 # this is to utilize also a different parser
- - /setup/configure_kernel_ima_module/ima_policy_simple
- - /functional/basic-attestation-on-localhost
- # now change IMA policy to signing and run all tests
 - /setup/configure_kernel_ima_module/ima_policy_signing
- - "^/functional/.*"
- - "^/compatibility/.*"
- - "^/regression/.*"
- - /update/basic-attestation-on-localhost/all
- - "/sanity/.*"
- # run upstream test suite
- - /upstream/run_keylime_tests
- - /setup/generate_coverage_report
- - /setup/generate_upstream_rust_keylime_code_coverage
+ - "^/functional/measured.*"

 execute:
 how: tmt
From 14012caa3b9f47ecdedea0f794000fe15e4a3335 Mon Sep 17 00:00:00 2001 From: Karel Srot Date: Tue, 21 Oct 2025 11:09:18 +0200 Subject: [PATCH 9/9] DO NOT MERGE: changed keylime code source repo
---
 plans/main.fmf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plans/main.fmf b/plans/main.fmf
index 6e053b21..6d8196dc 100644
--- a/plans/main.fmf
+++ b/plans/main.fmf
@@ -7,7 +7,7 @@ context:
 environment:
 #KEYLIME_UPSTREAM_URL: "https://github.com/keylime/keylime.git"
 #KEYLIME_UPSTREAM_BRANCH: "master"
- KEYLIME_UPSTREAM_URL: https://github.com/hse-aurora/keylime-oss
+ KEYLIME_UPSTREAM_URL: https://github.com/sarroutbi-test-organization/keylime-oss.git
 KEYLIME_UPSTREAM_BRANCH: push-attestation
 # variables below impact only plans that use /setup/install_upstream_rust_keylime
 # task, not plans using /setup/install_rust_keylime_from_copr