Ks push mb

Library/test-helpers/lib.sh

@@ -455,6 +455,11 @@
     local NAME=$1
     local LOGSUFFIX
     local TPMSUFFIX
+
+    if [[ "$NAME" == "push_model_agent" ]]; then
+        NAME="agent"
+    fi
+
     [ -n "$2" ] && LOGSUFFIX="$2" || LOGSUFFIX=$( echo "$NAME" | sed 's/.*/\u&/' )  # just uppercase first letter
     local LOGNAME=__INTERNAL_limeLog${LOGSUFFIX}
     if [ "$NAME" == "ima_emulator" ] && [ "$limeTPMDevNo" != "0" ]; then
@@ -673,14 +678,14 @@
 
 =cut
 
 limeStopRegistrar() {
 
     __limeStopKeylimeService registrar
 
 }
 
 true <<'=cut'
 =pod
 
 =head2 limeStartAgent
 
@@ -1653,7 +1658,7 @@
     limeInstallIMAKeys
 
 IMA certificate is signed by IMA CA key which is autogenerated if it is not present on a test
-system already. See 
+system already. See
 https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#ima-ca-key-and-certificate
 for details and how to import IMA CA key to MOK.
 
@@ -2135,7 +2140,7 @@
 true <<'=cut'
 =pod
 
-=head2 limeAgentrLogfile
+=head2 limeAgentLogfile
 
 Prints to STDOUT filepath to a log file containing Agent logs
 
@@ -2146,7 +2151,7 @@
 =back
 
 Returns 0.
 
 =cut
 
 limeAgentLogfile() {
@@ -2250,6 +2255,7 @@
     [ -f $(limeVerifierLogfile) ] && limeLogfileSubmit $(limeVerifierLogfile)
     [ -f $(limeRegistrarLogfile) ] && limeLogfileSubmit $(limeRegistrarLogfile)
     [ -f $(limeAgentLogfile) ] && limeLogfileSubmit $(limeAgentLogfile)
+    [ -f $(limePushAgentLogfile) ] && limeLogfileSubmit $(limePushAgentLogfile)
     if limeTPMEmulated && [ -f $(limeIMAEmulatorLogfile) ]; then
             limeLogfileSubmit $(limeIMAEmulatorLogfile)
     fi
@@ -2826,7 +2832,7 @@
     if [ -d cv_ca ]; then
         MOUNT_TENANT="$PWD/cv_ca:/var/lib/keylime/cv_ca/:z $MOUNT_TENANT"
     fi
-    
+
     echo -e "\nRunning podman:\npodman run --volume $MOUNT_DIR --volume $MOUNT_TENANT --rm --name $NAME --entrypoint= --net $NETWORK --ip $IP $TAG keylime_tenant $TENANT_CMD"
     podman run --volume $MOUNT_DIR --volume $MOUNT_TENANT --rm --name $NAME --entrypoint= --net $NETWORK --ip $IP $TAG keylime_tenant $TENANT_CMD
 
@@ -3109,13 +3115,13 @@
 #   Purge log files for a new test. It is therefore important to rlImport
 #   the library before changing CWD to a different location.
 
-touch $__INTERNAL_limeLogCurrentTest
-if ! grep -q "^$PWD\$" $__INTERNAL_limeLogCurrentTest; then
-    echo "$PWD" > $__INTERNAL_limeLogCurrentTest
-    [ -f $__INTERNAL_limeLogVerifier ] && > $__INTERNAL_limeLogVerifier
-    [ -f $l__INTERNAL_imeLogRegistrar ] && > $__INTERNAL_limeLogRegistrar
-    [ -f $__INTERNAL_limeLogAgent ] && > $__INTERNAL_limeLogAgent
-    [ -f $__INTERNAL_limeLogIMAEmulator ] && > $__INTERNAL_limeLogIMAEmulator && rm -f "${__INTERNAL_limeLogIMAEmulator}.tpm"*
+touch "$__INTERNAL_limeLogCurrentTest"
+if ! grep -q "^$PWD\$" "$__INTERNAL_limeLogCurrentTest"; then
+    echo "$PWD" > "$__INTERNAL_limeLogCurrentTest"
+    [ -f "$__INTERNAL_limeLogVerifier" ] && true > "$__INTERNAL_limeLogVerifier"
+    [ -f "$__INTERNAL_limeLogRegistrar" ] && true > "$__INTERNAL_limeLogRegistrar"
+    [ -f "$__INTERNAL_limeLogAgent" ] && true > "$__INTERNAL_limeLogAgent"
+    [ -f "$__INTERNAL_limeLogIMAEmulator" ] && true > "$__INTERNAL_limeLogIMAEmulator" && rm -f "${__INTERNAL_limeLogIMAEmulator}.tpm"*
 fi
 
 # prepare coveragerc file
@@ -3148,6 +3154,88 @@
 # delete previously existing TPM data
 rm -f "${__INTERNAL_limeTPMDetails}"
 
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#   Push Attestation Functions
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+true <<'=cut'
+=pod
+
+=head2 limeStartPushAgent
+
+Start the keylime push attestation agent, either using rlServiceStart or directly.
+
+    limeStartPushAgent
+
+=over
+
+=back
+
+Returns 0 when the start was successful, non-zero otherwise.
+
+=cut
+limeStartPushAgent() {
+
+    # save TPM details
+    date >> ${__INTERNAL_limeTPMDetails}
+    echo -e "\n# tpm2_getcap properties-fixed" >> ${__INTERNAL_limeTPMDetails}
+    tpm2_getcap properties-fixed >> ${__INTERNAL_limeTPMDetails}
+    echo -e "\n# tpm2_getcap algorithms" >> ${__INTERNAL_limeTPMDetails}
+    tpm2_getcap algorithms >> ${__INTERNAL_limeTPMDetails}
+    echo -e "\n# tpm2_getcap pcrs" >> ${__INTERNAL_limeTPMDetails}
+    tpm2_getcap pcrs >> ${__INTERNAL_limeTPMDetails}
+    echo >> ${__INTERNAL_limeTPMDetails}
+
+    limeStopPushAgent
+    __limeStartKeylimeService push_model_agent
+
+}
+
+true <<'=cut'
+=pod
+
+=head2 limeStopPushAgent
+
+Stop the keylime push attestation agent, either using rlServiceStart or directly.
+
+    limeStopPushAgent
+
+=over
+
+=back
+
+Returns 0 when the stop was successful, non-zero otherwise.
+
+=cut
+limeStopPushAgent() {
+
+    __limeStopKeylimeService push_model_agent
+
+}
+
+true <<'=cut'
+=pod
+
+=head2 limePushAgentLogfile
+
+Prints to STDOUT filepath to a log file containing Agent logs
+
+    limePushAgentLogfile
+
+=over
+
+=back
+
+Returns 0.
+
+=cut
+
+limePushAgentLogfile() {
+
+    __limeServiceLogfile push_model_agent
+
+}
+
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #   Verification
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

functional/measured-boot-swtpm-sanity/main.fmf

@@ -27,7 +27,6 @@ recommend:
   - efivar-libs
 duration: 5m
 enabled: true
-extra-nitrate: TC#0613892
 adjust:
   - when: swtpm is not defined or swtpm != yes
     enabled: false
@@ -46,4 +45,11 @@ adjust:
     enabled: false
     because: For Rust agent we are not able to fake measuredboot log during 
         runtime
-id: a416a48b-3fd6-447f-82a7-6a305b6f7bc6
+
+/push:
+    environment:
+        AGENT_SERVICE: PushAgent
+/pull:
+    environment:
+        AGENT_SERVICE: Agent
+    id: a416a48b-3fd6-447f-82a7-6a305b6f7bc6

functional/measured-boot-swtpm-sanity/test.sh

@@ -3,6 +3,8 @@
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 
 AGENT_ID="d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
+TENANT_ARGS=""
+[ "${AGENT_SERVICE}" == "PushAgent" ] && TENANT_ARGS="--push-model"
 
 rlJournalStart
 
@@ -38,12 +40,20 @@ rlJournalStart
         rlRun "limeUpdateConf verifier measured_boot_policy_name accept-all"
         rlRun "limeUpdateConf revocations enabled_revocation_notifications '[]'"
         rlRun "limeUpdateConf agent enable_revocation_notifications false"
+
+        # configure push attestation
+	if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            # Set the verifier to run in PUSH mode
+            rlRun "limeUpdateConf verifier mode 'push'"
+            rlRun "limeUpdateConf verifier challenge_lifetime 1800"
+        fi
+
         # start keylime_verifier
         rlRun "limeStartVerifier"
         rlRun "limeWaitForVerifier"
         rlRun "limeStartRegistrar"
         rlRun "limeWaitForRegistrar"
-        rlRun "limeStartAgent"
+        rlRun "limeStart${AGENT_SERVICE}"
         rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
         # create allowlist and excludelist
         limeCreateTestPolicy
@@ -52,12 +62,12 @@ rlJournalStart
     rlPhaseStartTest "Try adding agent with PRC15 configured in tpm_policy"
         TPM_POLICY='{"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]}'
         rlRun "echo '{}' > mb_refstate.txt"
-        rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '${TPM_POLICY}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt" 1
+        rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '${TPM_POLICY}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt ${TENANT_ARGS}" 1
         rlAssertGrep 'ERROR - WARNING: PCR 15 is specified in "tpm_policy", but will in fact be used by measured boot. Please remove it from policy' $rlRun_LOG
     rlPhaseEnd
 
     rlPhaseStartTest "Add agent with empty tpm_policy"
-        rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt"
+        rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt ${TENANT_ARGS}"
         rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
         rlRun -s "keylime_tenant -c cvlist"
         rlAssertGrep "{'code': 200, 'status': 'Success', 'results': {'uuids':.*'$AGENT_ID'" $rlRun_LOG -E
@@ -66,13 +76,13 @@ rlJournalStart
     rlPhaseStartTest "Configure verifier to use elchecking/example measured boot policy, restart and re-register agent"
         rlRun "keylime_tenant -u $AGENT_ID -c delete"
         rlRun "keylime_tenant -u $AGENT_ID -c regdelete"
-        rlRun "limeStopAgent"
+        rlRun "limeStop${AGENT_SERVICE}"
         rlRun "limeStopVerifier"
         sleep 5
         rlRun "limeUpdateConf verifier measured_boot_policy_name example"
         rlRun "limeStartVerifier"
         rlRun "limeWaitForVerifier"
-        rlRun "limeStartAgent"
+        rlRun "limeStart${AGENT_SERVICE}"
         rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
     rlPhaseEnd
 
@@ -87,7 +97,7 @@ rlJournalStart
     rlPhaseEnd
 
     rlPhaseStartTest "Add agent with tpm_policy generated by create_mb_refstate script and incorrect PCR banks"
-        rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate2.txt" 1
+        rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate2.txt ${TENANT_ARGS}" 1
         rlRun "limeWaitForAgentStatus $AGENT_ID 'Tenant Quote Failed'"
         rlAssertGrep "keylime.tpm - ERROR - For PCR 0 and hash sha256 the boot event log has value '.*' but the agent .*returned '.*'" $(limeVerifierLogfile) -E
     rlPhaseEnd
@@ -100,17 +110,17 @@ rlJournalStart
         rlPhaseStartTest "Restart services and re-register agent"
             rlRun "keylime_tenant -u $AGENT_ID -c delete"
             rlRun "keylime_tenant -u $AGENT_ID -c regdelete"
-            rlRun "limeStopAgent"
+            rlRun "limeStop${AGENT_SERVICE}"
             rlRun "limeStopVerifier"
             sleep 5
             rlRun "limeStartVerifier"
             rlRun "limeWaitForVerifier"
-            rlRun "limeStartAgent"
+            rlRun "limeStart${AGENT_SERVICE}"
             rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
         rlPhaseEnd
 
         rlPhaseStartTest "Add agent with tpm_policy generated by different tools and correct PCR banks"
-            rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy $mb_policy"
+            rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy $mb_policy ${TENANT_ARGS}"
             rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
         rlPhaseEnd
     done
@@ -151,7 +161,7 @@ rlJournalStart
     rlPhaseStartTest "Add an agent with a mbpolicy but without a name and verify UUID as the name of the policy in mbpolicy DB."
         rlRun "keylime_tenant -u $AGENT_ID -c delete"
         sleep 5
-        rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy mb_refstate.txt"
+        rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy mb_refstate.txt ${TENANT_ARGS}"
         rlRun -s "keylime_tenant -c showmbpolicy --mb-policy-name $AGENT_ID"
         rlAssertGrep "{'code': 200, 'status': 'Success', 'results': {'name': '$AGENT_ID', 'mb_policy': '{}'}}" "$rlRun_LOG"
     rlPhaseEnd
@@ -187,12 +197,12 @@ rlJournalStart
     rlPhaseEnd
 
     rlPhaseStartTest "Add an agent with a non-existing named mbpolicy."
-        rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy-name non_existing_policy" 1
+        rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy-name non_existing_policy ${TENANT_ARGS}" 1
         rlAssertGrep "{\"code\": 404, \"status\": \"Could not find mb_policy with name non_existing_policy!\", \"results\": {}}" "$rlRun_LOG"
     rlPhaseEnd
 
     rlPhaseStartCleanup "Do the keylime cleanup"
-        rlRun "limeStopAgent"
+        rlRun "limeStop${AGENT_SERVICE}"
         rlRun "limeStopRegistrar"
         rlRun "limeStopVerifier"
         rlRun "limeStopIMAEmulator"

functional/push-attestation-on-localhost/main.fmf

@@ -0,0 +1,25 @@
+summary: Basic push attestation test on localhost
+description: |
+    Test basic push model attestation functionality
+    Running all services on localhost.
+    Uses certificates generated by keylime.
+
+    Enrolls agent using simple runtime policy.
+    Verifiers that system passed attestation.
+    Make changes on the system and verifies that the attestation fails.
+contact: Anderson Sasaki <ansasaki@redhat.com>
+component:
+  - keylime
+test: ./test.sh
+framework: beakerlib
+tag:
+  - CI-Tier-1
+require:
+  - yum
+  - expect
+recommend:
+  - keylime
+  - python3-tomli
+duration: 10m
+enabled: true
+id: 77f1f100-a165-477b-b81d-40540f9c2762