Move IAK and IDevID code to a dedicated module #886
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Move the IAK/IDevID initialization code to the dedicated module 'device_id'. The module implements the builder pattern to set the parameters set through configuration. The goal is to simplify the code in main. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
This makes the tests/run.sh script to generate the IAK and IDevID certificates if the tpm2-openssl provider is available. The added test is executed only if both the IAK and IDevID certificates are available. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
ansasaki
force-pushed
the
modular_idevid
branch
5 times, most recently
from
72cbe78 to
2f2f4e0
Compare
ansasaki
force-pushed
the
modular_idevid
branch
4 times, most recently
from
de7c314 to
d9b28d4
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Contributor
Author
|
Hopefully, the fix in the CI image will be sufficient for the current test failure: keylime/keylime#1699 |
Instead of invoking docker ourselves, set the github job to run in the CI container directly. This also adds a workaround for: actions/runner#2033 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
ansasaki
force-pushed
the
modular_idevid
branch
from
9ee8ab1 to
1e90317
Compare
Contributor
Author
|
The |
Isaac-Matthews
suggested changes
Dec 11, 2024
keylime-bot
assigned
ansasaki and unassigned
ueno,
aplanas,
stringlytyped,
THS-on,
Isaac-Matthews and
sergio-correia
When IAK/IDevID are enabled, but the paths to the certificates are explicitly configured as the empty string, continue normally and register without IAK and IDevID certificates. This is to make it possible to use IAK and IDevID without the certificates, in case the user does the public key matching check separately. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Isaac-Matthews
approved these changes
Dec 11, 2024
Contributor
Isaac-Matthews
left a comment
Isaac-Matthews
left a comment
There was a problem hiding this comment.
Thanks for the changes, looks good.
keylime-bot
assigned
ueno,
sergio-correia,
THS-on,
aplanas and
stringlytyped and unassigned
ansasaki
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This moves the code from the
main.rsfile to a new dedicated module inkeylimelibrary,keylime::device_id.The new module implements the builder pattern in
DeviceIDBuilderto setup the arguments and then generate an instance of theDeviceIDstructure.This modifies the
tests/run.shscript to generate the IAK and IDevID certificates using the TPM state placed intest-data/tpm-state(which is generated if not present) and place the resulting certificates inkeylime/test-data/iak-idevid-certs