Skip to content

Commit 6f41aa8

Browse files
sarroutbiansasaki
sarroutbi
authored and
ansasaki
committed
Remove disabled_signing_algorithms configuration
- Changes made: - Configuration removal: Removed disabled_signing_algorithms field from AgentConfig and PushModelConfig structs - Default cleanup: Removed DEFAULT_DISABLED_SIGNING_ALGORITHMS constant and its default value ["ecschnorr"] - Algorithm context updates: Removed disabled_signing_algorithms from AlgorithmConfiguration, AlgorithmConfigurationString, and ContextInfo structs - Logic simplification: Updated get_supported_signing_schemes() to return all TPM-supported signing algorithms without filtering - Test updates: Removed disabled_signing_algorithms field initialization from all test cases across multiple modules - Configuration parsing: Removed handling of disabled_signing_algorithms from config override functionality - Impact: - Signing algorithm support is now determined solely by TPM capabilities rather than configuration filtering - Simplifies configuration management by removing an unnecessary configuration option - All previously disabled algorithms (like ecschnorr) will now be available if supported by the TPM Signed-off-by: Sergio Arroutbi <[email protected]>
1 parent ef2ca1a commit 6f41aa8

File tree

8 files changed

+2
-63
lines changed

8 files changed

+2
-63
lines changed

keylime-push-model-agent/src/context_info_handler.rs

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -26,11 +26,6 @@ pub fn init_context_info(avoid_tpm: bool) -> Result<()> {
2626
tpm_hash_alg: config.tpm_hash_alg().to_string(),
2727
tpm_signing_alg: config.tpm_signing_alg().to_string(),
2828
agent_data_path: config.agent_data_path().to_string(),
29-
disabled_signing_algorithms: config
30-
.disabled_signing_algorithms()
31-
.iter()
32-
.map(|e| e.to_string())
33-
.collect(),
3429
})
3530
.map_err(|e| e.to_string())?;
3631

keylime-push-model-agent/src/registration.rs

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -126,7 +126,6 @@ mod tests {
126126
tpm_hash_alg: "sha256".to_string(),
127127
tpm_signing_alg: "rsassa".to_string(),
128128
agent_data_path: "".to_string(),
129-
disabled_signing_algorithms: vec![],
130129
};
131130
config.exponential_backoff_initial_delay = None;
132131
config.exponential_backoff_max_retries = None;

keylime-push-model-agent/src/state_machine.rs

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -412,7 +412,6 @@ mod tpm_tests {
412412
tpm_hash_alg: keylime::algorithms::HashAlgorithm::Sha256,
413413
tpm_signing_alg: keylime::algorithms::SignAlgorithm::RsaSsa,
414414
agent_data_path: "".to_string(),
415-
disabled_signing_algorithms: vec![],
416415
},
417416
) {
418417
Ok(ctx) => ctx,
@@ -653,7 +652,6 @@ mod tpm_tests {
653652
tpm_hash_alg: keylime::algorithms::HashAlgorithm::Sha256,
654653
tpm_signing_alg: keylime::algorithms::SignAlgorithm::RsaSsa,
655654
agent_data_path: "".to_string(),
656-
disabled_signing_algorithms: vec![],
657655
})
658656
.expect("This test requires TPM access with proper permissions");
659657
let _ = registration::check_registration(Some(context_info.clone()))

keylime-push-model-agent/src/struct_filler.rs

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -341,7 +341,6 @@ mod tests {
341341
tpm_hash_alg: "sha256".to_string(),
342342
tpm_signing_alg: "rsassa".to_string(),
343343
agent_data_path: "".to_string(),
344-
disabled_signing_algorithms: vec![],
345344
},
346345
);
347346

@@ -371,7 +370,6 @@ mod tests {
371370
tpm_hash_alg: "sha256".to_string(),
372371
tpm_signing_alg: "rsassa".to_string(),
373372
agent_data_path: "".to_string(),
374-
disabled_signing_algorithms: vec![],
375373
},
376374
);
377375

@@ -444,7 +442,6 @@ mod tests {
444442
tpm_hash_alg: "sha256".to_string(),
445443
tpm_signing_alg: "rsassa".to_string(),
446444
agent_data_path: "".to_string(),
447-
disabled_signing_algorithms: vec![],
448445
},
449446
);
450447

@@ -475,7 +472,6 @@ mod tests {
475472
tpm_hash_alg: "sha256".to_string(),
476473
tpm_signing_alg: "rsassa".to_string(),
477474
agent_data_path: "".to_string(),
478-
disabled_signing_algorithms: vec![],
479475
},
480476
);
481477

@@ -565,7 +561,6 @@ mod tests {
565561
tpm_hash_alg: "sha256".to_string(),
566562
tpm_signing_alg: "rsassa".to_string(),
567563
agent_data_path: "".to_string(),
568-
disabled_signing_algorithms: vec![],
569564
},
570565
);
571566

@@ -648,7 +643,6 @@ mod tests {
648643
tpm_hash_alg: "sha256".to_string(),
649644
tpm_signing_alg: "rsassa".to_string(),
650645
agent_data_path: "".to_string(),
651-
disabled_signing_algorithms: vec![],
652646
},
653647
);
654648

@@ -684,7 +678,6 @@ mod tests {
684678
tpm_hash_alg: "sha256".to_string(),
685679
tpm_signing_alg: "rsassa".to_string(),
686680
agent_data_path: "".to_string(),
687-
disabled_signing_algorithms: vec![],
688681
},
689682
);
690683

@@ -734,7 +727,6 @@ mod tests {
734727
tpm_hash_alg: "sha256".to_string(),
735728
tpm_signing_alg: "rsassa".to_string(),
736729
agent_data_path: "".to_string(),
737-
disabled_signing_algorithms: vec![],
738730
},
739731
);
740732

keylime/src/config/base.rs

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,6 @@ pub static DEFAULT_SERVER_KEY_PASSWORD: &str = "";
8484
pub static DEFAULT_TRUSTED_CLIENT_CA: &str = "cv_ca/cacert.crt";
8585

8686
// Push attestation agent option defaults
87-
pub const DEFAULT_DISABLED_SIGNING_ALGORITHMS: &[&str] = &["ecschnorr"];
8887
pub const DEFAULT_IMA_ML_DIRECTORY_PATH: &str = "/sys/kernel/security/ima";
8988
pub const DEFAULT_IMA_ML_COUNT_FILE: &str =
9089
"/sys/kernel/security/ima/measurements";
@@ -108,7 +107,6 @@ pub static DEFAULT_VERIFIER_URL: &str = "https://localhost:8881";
108107
pub struct AgentConfig {
109108
pub agent_data_path: String,
110109
pub api_versions: String,
111-
pub disabled_signing_algorithms: Vec<String>,
112110
pub ek_handle: String,
113111
pub exponential_backoff_max_delay: Option<u64>,
114112
pub exponential_backoff_max_retries: Option<u32>,
@@ -261,10 +259,6 @@ impl Default for AgentConfig {
261259
contact_ip: DEFAULT_CONTACT_IP.to_string(),
262260
contact_port: DEFAULT_CONTACT_PORT,
263261
dec_payload_file: DEFAULT_DEC_PAYLOAD_FILE.to_string(),
264-
disabled_signing_algorithms: DEFAULT_DISABLED_SIGNING_ALGORITHMS
265-
.iter()
266-
.map(|s| s.to_string())
267-
.collect(),
268262
ek_handle: DEFAULT_EK_HANDLE.to_string(),
269263
enable_agent_mtls: DEFAULT_ENABLE_AGENT_MTLS,
270264
enable_iak_idevid: DEFAULT_ENABLE_IAK_IDEVID,

keylime/src/config/push_model.rs

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,6 @@ pub struct PushModelConfig {
3636
certification_keys_server_identifier: String,
3737
contact_ip: String,
3838
contact_port: u32,
39-
disabled_signing_algorithms: Vec<String>,
4039
exponential_backoff_max_delay: Option<u64>,
4140
exponential_backoff_max_retries: Option<u32>,
4241
exponential_backoff_initial_delay: Option<u64>,

keylime/src/config/testing.rs

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -67,11 +67,6 @@ fn apply_config_overrides(
6767
"ima_ml_path" => config.ima_ml_path = value,
6868
"agent_data_path" => config.agent_data_path = value,
6969
"api_versions" => config.api_versions = value,
70-
"disabled_signing_algorithms" => {
71-
// Parse as comma-separated list
72-
config.disabled_signing_algorithms =
73-
value.split(',').map(|s| s.trim().to_string()).collect();
74-
}
7570
"ek_handle" => config.ek_handle = value,
7671
"exponential_backoff_max_delay" => {
7772
config.exponential_backoff_max_delay = value.parse().ok();
@@ -324,16 +319,11 @@ mod tests {
324319

325320
overrides.insert("ip".to_string(), "192.168.1.1".to_string());
326321
overrides.insert("enable_iak_idevid".to_string(), "true".to_string());
327-
overrides.insert(
328-
"disabled_signing_algorithms".to_string(),
329-
"rsa,ecdsa".to_string(),
330-
);
331322

332323
apply_config_overrides(&mut config, overrides);
333324

334325
assert_eq!(config.ip, "192.168.1.1");
335326
assert!(config.enable_iak_idevid);
336-
assert_eq!(config.disabled_signing_algorithms, vec!["rsa", "ecdsa"]);
337327
}
338328

339329
#[test]

keylime/src/context_info.rs

Lines changed: 2 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -80,7 +80,6 @@ pub struct AlgorithmConfiguration {
8080
pub tpm_hash_alg: algorithms::HashAlgorithm,
8181
pub tpm_signing_alg: algorithms::SignAlgorithm,
8282
pub agent_data_path: String,
83-
pub disabled_signing_algorithms: Vec<String>,
8483
}
8584

8685
#[derive(Debug, Clone)]
@@ -89,7 +88,6 @@ pub struct AlgorithmConfigurationString {
8988
pub tpm_hash_alg: String,
9089
pub tpm_signing_alg: String,
9190
pub agent_data_path: String,
92-
pub disabled_signing_algorithms: Vec<String>,
9391
}
9492

9593
#[derive(Clone, Debug)]
@@ -103,7 +101,6 @@ pub struct ContextInfo {
103101
pub ek_handle: KeyHandle,
104102
pub ak: tpm::AKResult,
105103
pub ak_handle: KeyHandle,
106-
pub disabled_signing_algorithms: Vec<String>,
107104
}
108105

109106
impl ContextInfo {
@@ -124,9 +121,6 @@ impl ContextInfo {
124121
tpm_hash_alg,
125122
tpm_signing_alg,
126123
agent_data_path: config.agent_data_path,
127-
disabled_signing_algorithms: config
128-
.disabled_signing_algorithms
129-
.clone(),
130124
})
131125
}
132126

@@ -236,9 +230,6 @@ impl ContextInfo {
236230
ek_handle,
237231
ak,
238232
ak_handle,
239-
disabled_signing_algorithms: config
240-
.disabled_signing_algorithms
241-
.clone(),
242233
})
243234
}
244235

@@ -284,14 +275,9 @@ impl ContextInfo {
284275
pub fn get_supported_signing_schemes(
285276
&mut self,
286277
) -> Result<Vec<String>, ContextInfoError> {
287-
let mut supported_algs = self
278+
Ok(self
288279
.tpm_context
289-
.get_supported_signing_algorithms_as_strings()?;
290-
let disabled_signing_algorithms =
291-
self.disabled_signing_algorithms.clone();
292-
supported_algs
293-
.retain(|alg| !disabled_signing_algorithms.contains(alg));
294-
Ok(supported_algs)
280+
.get_supported_signing_algorithms_as_strings()?)
295281
}
296282

297283
pub fn get_key_algorithm(&self) -> String {
@@ -624,7 +610,6 @@ mod tests {
624610
tpm_hash_alg: "sha256".to_string(),
625611
tpm_signing_alg: "rsassa".to_string(),
626612
agent_data_path: "".to_string(),
627-
disabled_signing_algorithms: vec![],
628613
};
629614
let mut context_info = ContextInfo::new_from_str(config)
630615
.expect("Failed to create context from string");
@@ -640,7 +625,6 @@ mod tests {
640625
tpm_hash_alg: "sha256".to_string(),
641626
tpm_signing_alg: "rsassa".to_string(),
642627
agent_data_path: "".to_string(), // Don't use persistence for this test
643-
disabled_signing_algorithms: vec![],
644628
};
645629
let mut context_info = ContextInfo::new_from_str(config)
646630
.expect("Failed to create context from string");
@@ -674,7 +658,6 @@ mod tests {
674658
tpm_hash_alg: "sha256".to_string(),
675659
tpm_signing_alg: "rsassa".to_string(),
676660
agent_data_path: data_path.to_str().unwrap().to_string(), //#[allow_ci]
677-
disabled_signing_algorithms: vec![],
678661
};
679662

680663
// First run: should create and store the AK
@@ -710,7 +693,6 @@ mod tests {
710693
tpm_hash_alg: "sha256".to_string(),
711694
tpm_signing_alg: "rsassa".to_string(),
712695
agent_data_path: "".to_string(),
713-
disabled_signing_algorithms: vec![],
714696
};
715697
let r = ContextInfo::new_from_str(config);
716698
assert!(r.is_err());
@@ -725,7 +707,6 @@ mod tests {
725707
tpm_hash_alg: "bad-hash".to_string(),
726708
tpm_signing_alg: "rsassa".to_string(),
727709
agent_data_path: "".to_string(),
728-
disabled_signing_algorithms: vec![],
729710
};
730711
let r = ContextInfo::new_from_str(config);
731712
assert!(r.is_err());
@@ -739,7 +720,6 @@ mod tests {
739720
tpm_hash_alg: "sha256".to_string(),
740721
tpm_signing_alg: "bad-signing-alg".to_string(),
741722
agent_data_path: "".to_string(),
742-
disabled_signing_algorithms: vec![],
743723
};
744724
let r = ContextInfo::new_from_str(config);
745725
assert!(r.is_err());
@@ -753,7 +733,6 @@ mod tests {
753733
tpm_hash_alg: "sha256".to_string(),
754734
tpm_signing_alg: "rsassa".to_string(),
755735
agent_data_path: "".to_string(),
756-
disabled_signing_algorithms: vec![],
757736
};
758737
let mut context_info = ContextInfo::new_from_str(config)
759738
.expect("Failed to create context from string");
@@ -782,7 +761,6 @@ mod tests {
782761
tpm_hash_alg: "sha256".to_string(),
783762
tpm_signing_alg: "rsassa".to_string(),
784763
agent_data_path: data_path.to_str().unwrap().to_string(), //#[allow_ci]
785-
disabled_signing_algorithms: vec![],
786764
};
787765
let ak_name_1 = {
788766
let mut context_info_1 =
@@ -799,7 +777,6 @@ mod tests {
799777
tpm_hash_alg: "sha384".to_string(),
800778
tpm_signing_alg: "rsassa".to_string(),
801779
agent_data_path: data_path.to_str().unwrap().to_string(), //#[allow_ci]
802-
disabled_signing_algorithms: vec![],
803780
};
804781
let ak_name_2 = {
805782
let mut context_info_2 =
@@ -829,7 +806,6 @@ mod tests {
829806
tpm_hash_alg: "sha256".to_string(),
830807
tpm_signing_alg: "rsassa".to_string(),
831808
agent_data_path: data_path.to_str().unwrap().to_string(), //#[allow_ci]
832-
disabled_signing_algorithms: vec![],
833809
};
834810

835811
// The creation should not fail, but gracefully create a new key.
@@ -853,7 +829,6 @@ mod tests {
853829
tpm_hash_alg: "sha256".to_string(),
854830
tpm_signing_alg: "rsassa".to_string(),
855831
agent_data_path: "".to_string(),
856-
disabled_signing_algorithms: vec![],
857832
};
858833
let context_result = ContextInfo::new_from_str(config);
859834
assert!(context_result.is_ok());
@@ -908,7 +883,6 @@ mod tests {
908883
tpm_hash_alg: "sha256".to_string(),
909884
tpm_signing_alg: "rsassa".to_string(),
910885
agent_data_path: "".to_string(),
911-
disabled_signing_algorithms: vec![],
912886
};
913887

914888
let context_result = ContextInfo::new_from_str(config);
@@ -944,7 +918,6 @@ mod tests {
944918
tpm_hash_alg: "sha256".to_string(),
945919
tpm_signing_alg: "rsassa".to_string(),
946920
agent_data_path: "".to_string(),
947-
disabled_signing_algorithms: vec![],
948921
};
949922

950923
let context_result = ContextInfo::new_from_str(config);
@@ -983,7 +956,6 @@ mod tests {
983956
tpm_hash_alg: "sha256".to_string(),
984957
tpm_signing_alg: "rsassa".to_string(),
985958
agent_data_path: "".to_string(),
986-
disabled_signing_algorithms: vec![],
987959
};
988960

989961
let context_result = ContextInfo::new_from_str(config);

0 commit comments

Comments
 (0)