rpm: Add subpackage for push-attestation agent

ansasaki · ansasaki · commit 9a77b84f9020 · 2025-08-06T07:28:54.000-04:00
Add a subpackage that install the push-attestation agent to the RPMs
built on Copr.

Install the service for push-attestation agent in `make install`.

Signed-off-by: Anderson Toshiyuki Sasaki &lt;ansasaki@redhat.com&gt;
diff --git a/GNUmakefile b/GNUmakefile
@@ -39,6 +39,7 @@ install: all
 		install -D -t ${DESTDIR}/usr/bin "$$f"; \
 	done
 	install -D -m 644 -t ${DESTDIR}$(systemdsystemunitdir) dist/systemd/system/keylime_agent.service
+	install -D -m 644 -t ${DESTDIR}$(systemdsystemunitdir) dist/systemd/system/keylime_push_model_agent.service
 	install -D -m 644 -t ${DESTDIR}$(systemdsystemunitdir) dist/systemd/system/var-lib-keylime-secure.mount
 	# Remove when https://github.com/keylime/rust-keylime/issues/325 is fixed
 	install -D -t ${DESTDIR}/usr/libexec/keylime keylime-agent/tests/actions/shim.py
diff --git a/dist/systemd/system/keylime_push_model_agent.service b/dist/systemd/system/keylime_push_model_agent.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=The Keylime push model agent
+StartLimitInterval=10s
+StartLimitBurst=5
+After=network-online.target
+Wants=network-online.target
+Wants=tpm2-abrmd.service
+After=tpm2-abrmd.service
+# If the service should start only when hardware TPMs are available, uncomment the below lines
+#ConditionPathExistsGlob=/dev/tpm[0-9]*
+#ConditionPathExistsGlob=/dev/tpmrm[0-9]*
+
+[Service]
+ExecStart=/usr/bin/keylime_push_model_agent
+TimeoutSec=60s
+Restart=on-failure
+RestartSec=120s
+Environment="RUST_LOG=keylime_push_model_agent=info,keylime=info"
+# If using swtpm with tpm2-abrmd service, uncomment the line below to set TCTI
+# variable on the service environment
+#Environment="TCTI=tabrmd:"
+
+[Install]
+WantedBy=default.target
diff --git a/rpm/centos/keylime-agent-rust.spec b/rpm/centos/keylime-agent-rust.spec
@@ -30,7 +30,7 @@ Summary:        Rust agent for Keylime
 #   Unlicense or MIT
 #   zlib or ASL 2.0 or MIT
 #
-License:        ASL 2.0 and BSD and MIT
+License: (Apache-2.0 OR MIT) AND BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND Apache-2.0 WITH LLVM-exception AND ISC AND MIT AND (MIT OR Unlicense)
 URL:            https://github.com/keylime/rust-keylime/
 Source0:        rust-keylime-v%{version}.tar.gz
 # The vendor tarball is created using cargo-vendor-filterer to remove Windows
@@ -45,6 +45,8 @@ Source0:        rust-keylime-v%{version}.tar.gz
 #       --exclude-crate-path "libloading#tests"
 #   tar jcf rust-keylime-%%{version}-vendor.tar.xz vendor
 Source1:        rust-keylime-vendor.tar.xz
+# Drop deprecated features and workaround unavailable components
+Patch0:         rust-keylime-metadata.patch
 
 ExclusiveArch:  %{rust_arches}
 
@@ -63,16 +65,34 @@ BuildRequires:  tpm2-tss-devel
 BuildRequires:  clang
 BuildRequires:  rust-toolset
 
-# Virtual Provides to support swapping between Python and Rust implementation
+# Virtual Provides to support swapping between different agent implementations
 Provides:       keylime-agent
 Conflicts:      keylime-agent
 
 %description
 Rust agent for Keylime
 
+%package push
+Summary:        Rust push-model agent for Keylime
+Requires:       tpm2-tss
+Requires:       util-linux-core
+
+# The keylime-base package provides the keylime user creation. It is available
+# from Fedora 36
+%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
+Requires:       keylime-base
+%endif
+
+# Virtual Provides to support swapping between pull and push model agents
+Provides:       keylime-agent
+Conflicts:      keylime-agent
+
+%description push
+Rust push-model agent for Keylime
+
 %prep
 %autosetup -n rust-keylime-%{version} -N
-%autopatch -m 100 -p1
+%autopatch -p1
 # Source1 is vendored dependencies
 %cargo_prep -V 1
 
@@ -100,6 +120,9 @@ install -Dpm 644 ./dist/systemd/system/keylime_agent.service \
 install -Dpm 644 ./dist/systemd/system/var-lib-keylime-secure.mount \
     %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
 
+install -Dpm 644 ./dist/systemd/system/keylime_push_model_agent.service \
+    %{buildroot}%{_unitdir}/keylime_push_model_agent.service
+
 # Setting up the agent to use keylime:keylime user/group after dropping privileges.
 cat > %{buildroot}/%{_sysconfdir}/keylime/agent.conf.d/001-run_as.conf << EOF
 [agent]
@@ -112,6 +135,9 @@ install -Dpm 0755 \
 install -Dpm 0755 \
     -t %{buildroot}%{_bindir} \
     ./target/release/keylime_ima_emulator
+install -Dpm 0755 \
+    -t %{buildroot}%{_bindir} \
+    ./target/release/keylime_push_model_agent
 
 %posttrans
 chmod 500 %{_sysconfdir}/keylime/agent.conf.d
@@ -142,6 +168,12 @@ chown -R keylime:keylime %{_sysconfdir}/keylime
 %{_bindir}/keylime_agent
 %{_bindir}/keylime_ima_emulator
 
+%files push
+%license LICENSE
+%doc README.md
+%{_bindir}/keylime_push_model_agent
+%{_unitdir}/keylime_push_model_agent.service
+
 %if %{with check}
 %check
 %cargo_test
diff --git a/rpm/centos/rust-keylime-metadata.patch b/rpm/centos/rust-keylime-metadata.patch
@@ -0,0 +1,94 @@
+--- a/keylime/Cargo.toml	2025-08-06 10:04:19.246120602 +0200
++++ b/keylime/Cargo.toml	2025-08-06 10:12:12.694471716 +0200
+@@ -40,14 +40,11 @@
+ tokio.workspace = true
+ uuid.workspace = true
+ zip.workspace = true
+-zmq = {version = "0.9.2", optional = true}
+
+ [dev-dependencies]
+ tempfile.workspace = true
+ actix-rt.workspace = true
+-wiremock = {version = "0.6"}
+
+ [features]
++default = []
+ testing = []
+-# This feature is deprecated and will be removed on next major release
+-with-zmq = ["zmq"]
+--- a/keylime-agent/Cargo.toml	2025-08-06 10:08:23.650703421 +0200
++++ b/keylime-agent/Cargo.toml	2025-08-06 10:09:30.080590640 +0200
+@@ -32,7 +32,6 @@
+ thiserror.workspace = true
+ uuid.workspace = true
+ zip.workspace = true
+-zmq = {version = "0.9.2", optional = true}
+
+ [dev-dependencies]
+ actix-rt.workspace = true
+@@ -41,18 +40,6 @@
+ # The features enabled by default
+ default = []
+ testing = []
+-# Whether the agent should be compiled with support to listen for notification
+-# messages on ZeroMQ
+-#
+-# This feature is deprecated and will be removed on next major release
+-with-zmq = ["zmq"]
+-# Whether the agent should be compiled with support for python revocation
+-# actions loaded as modules, which is the only kind supported by the python
+-# agent (unless the enhancement-55 is implemented). See:
+-# https://github.com/keylime/enhancements/blob/master/55_revocation_actions_without_python.md
+-#
+-# This feature is deprecated and will be removed on next major release
+-legacy-python-actions = []
+
+ [package.metadata.deb]
+ section = "net"
+--- a/keylime-push-model-agent/Cargo.toml	2025-08-06 10:13:43.759016863 +0200
++++ b/keylime-push-model-agent/Cargo.toml	2025-08-06 10:14:02.665288860 +0200
+@@ -28,14 +28,12 @@
+ [dev-dependencies]
+ actix-rt.workspace = true
+ tempfile.workspace = true
+-wiremock = {version = "0.6"}
+
+
+ [features]
+ # The features enabled by default
+ default = []
+ testing = []
+-legacy-python-actions = []
+
+ [package.metadata.deb]
+ section = "net"
+--- a/keylime-push-model-agent/src/state_machine.rs	2025-08-06 10:16:06.677153521 +0200
++++ b/keylime-push-model-agent/src/state_machine.rs	2025-08-06 10:18:49.944060220 +0200
+@@ -229,6 +229,7 @@
+
+ #[cfg(test)]
+ #[cfg(feature = "testing")]
++#[cfg(feature = "with-wiremock")]
+ mod tpm_tests {
+     use super::*;
+     use crate::attestation::{AttestationClient, NegotiationConfig};
+--- a/keylime-push-model-agent/src/attestation.rs	2025-08-06 10:21:35.514185935 +0200
++++ b/keylime-push-model-agent/src/attestation.rs	2025-08-06 10:22:19.399032540 +0200
+@@ -210,6 +210,7 @@
+ }
+
+ #[cfg(test)]
++#[cfg(feature = "with-wiremock")]
+ mod tests {
+     use super::*;
+     use std::fs::File;
+--- a/keylime/src/resilient_client.rs	2025-08-06 11:11:57.994406294 +0200
++++ b/keylime/src/resilient_client.rs	2025-08-06 11:12:25.077633103 +0200
+@@ -137,6 +137,7 @@
+ }
+
+ #[cfg(test)]
++#[cfg(feature = "with-wiremock")]
+ mod tests {
+     use super::*;
+     use reqwest::header;
diff --git a/rpm/fedora/keylime-agent-rust.spec b/rpm/fedora/keylime-agent-rust.spec
@@ -4,11 +4,7 @@
 
 %global crate keylime_agent
 
-# On Fedora-38 and current Rawhide, it is not possible to build due to missing
-# dependency base64 version 0.13 (required by rust-tss-esapi)
-# Also due to https://github.com/tpm2-software/tpm2-tools/issues/3210,
-# tpm2-tools is currently broken.
-# Use vendored dependencies for all Fedora versions.
+# Use vendored dependencies for all Fedora versions when building in Copr.
 %global bundled_rust_deps 1
 
 %global __brp_mangle_shebangs_exclude_from ^/usr/src/debug/.*$
@@ -35,7 +31,7 @@ Summary:        Rust agent for Keylime
 #   Unlicense or MIT
 #   zlib or ASL 2.0 or MIT
 #
-License:        ASL 2.0 and BSD and MIT
+License: (Apache-2.0 OR MIT) AND BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND Apache-2.0 WITH LLVM-exception AND ISC AND MIT AND (MIT OR Unlicense)
 URL:            https://github.com/keylime/rust-keylime/
 Source0:        rust-keylime-v%{version}.tar.gz
 # The vendor tarball is created using cargo-vendor-filterer to remove Windows
@@ -50,10 +46,11 @@ Source0:        rust-keylime-v%{version}.tar.gz
 #       --exclude-crate-path "libloading#tests"
 #   tar jcf rust-keylime-%%{version}-vendor.tar.xz vendor
 Source1:        rust-keylime-vendor.tar.xz
-## Patches for building from system Rust libraries (Fedora)
-# Fix picky-asn1-der and picky-asn1-x509 to use available versions
-# Drop completely the legacy-python-actions feature
-Patch1:         rust-keylime-metadata.patch
+## (0-99) General patches
+# Drop deprecated features and workaround unavailable components
+Patch0:         rust-keylime-metadata.patch
+## (100-199) Patches for building from system Rust libraries (Fedora)
+## (200+) Patches for building from vendored Rust libraries (RHEL)
 
 ExclusiveArch:  %{rust_arches}
 
@@ -62,7 +59,7 @@ Requires: util-linux-core
 
 # The keylime-base package provides the keylime user creation. It is available
 # from Fedora 36
-%if 0%{?fedora} >= 36
+%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
 Requires: keylime-base
 %endif
 
@@ -72,23 +69,44 @@ BuildRequires:  tpm2-tss-devel
 BuildRequires:  clang
 BuildRequires:  rust-packaging >= 21-2
 
-# Virtual Provides to support swapping between Python and Rust implementation
+# Virtual Provides to support swapping between different agent implementations
 Provides:       keylime-agent
 Conflicts:      keylime-agent
 
 %description
 Rust agent for Keylime
 
+%package push
+Summary:        Rust push-model agent for Keylime
+Requires:       tpm2-tss
+Requires:       util-linux-core
+
+# The keylime-base package provides the keylime user creation. It is available
+# from Fedora 36
+%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
+Requires:       keylime-base
+%endif
+
+# Virtual Provides to support swapping between pull and push model agents
+Provides:       keylime-agent
+Conflicts:      keylime-agent
+
+%description push
+Rust push-model agent for Keylime
+
 %prep
 %autosetup -n rust-keylime-%{version} -N %{?bundled_rust_deps:-a1}
+%autopatch -M 99 -p1
 %if 0%{?bundled_rust_deps}
-%autopatch -m 100 -p1
-# Source1 contains vendored dependencies
+# Source1 is vendored dependencies
 %cargo_prep -v vendor
-%cargo_generate_buildrequires
+# Add back if any patch added to the range, do not forget the %
+# autopatch -m 200 -p1
 %else
-%autopatch -M 99 -p1
+# Add back if any patch added to the range, do not forget the %
+# autopatch -m 100 -M 199 -p1
 %cargo_prep
+%generate_buildrequires
 %cargo_generate_buildrequires
 %endif
 
@@ -117,6 +135,9 @@ install -Dpm 644 ./dist/systemd/system/keylime_agent.service \
 install -Dpm 644 ./dist/systemd/system/var-lib-keylime-secure.mount \
     %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
 
+install -Dpm 644 ./dist/systemd/system/keylime_push_model_agent.service \
+    %{buildroot}%{_unitdir}/keylime_push_model_agent.service
+
 # Setting up the agent to use keylime:keylime user/group after dropping privileges.
 cat > %{buildroot}/%{_sysconfdir}/keylime/agent.conf.d/001-run_as.conf << EOF
 [agent]
@@ -129,6 +150,9 @@ install -Dpm 0755 \
 install -Dpm 0755 \
     -t %{buildroot}%{_bindir} \
     ./target/release/keylime_ima_emulator
+install -Dpm 0755 \
+    -t %{buildroot}%{_bindir} \
+    ./target/release/keylime_push_model_agent
 
 %posttrans
 chmod 500 %{_sysconfdir}/keylime/agent.conf.d
@@ -161,6 +185,14 @@ chown -R keylime:keylime %{_sysconfdir}/keylime
 %{_bindir}/keylime_agent
 %{_bindir}/keylime_ima_emulator
 
+%files push
+%license LICENSE
+%license LICENSE.dependencies
+%license cargo-vendor.txt
+%doc README.md
+%{_bindir}/keylime_push_model_agent
+%{_unitdir}/keylime_push_model_agent.service
+
 %if %{with check}
 %check
 %cargo_test
diff --git a/rpm/fedora/rust-keylime-metadata.patch b/rpm/fedora/rust-keylime-metadata.patch
