Security update for keylime
| Announcement ID: | SUSE-SU-2025:21194-1 |
|---|---|
| Release Date: | 2025-12-12T09:46:14Z |
| Rating: | critical |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | SUSE Linux Enterprise Server 16.0, SUSE Linux Enterprise Server for SAP Applications 16.0 |
An update that solves two vulnerabilities can now be installed.
Description:
This update for keylime fixes the following issues:
Update to version 7.13.0+40.
Security issues fixed:
- CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate UUIDs (bsc#1254199).
- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).
Other issues fixed and changes:
- Version 7.13.0+40:
- Include new attestation information fields (#1818)
- Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
- push-model: require HTTPS for authentication and attestation endpoints
- Fix operational_state tracking in push mode attestations
- templates: add push model authentication config options to 2.5 templates
- Security: Hash authentication tokens in logs
- Fix stale IMA policy cache in verification
- Fix authentication behavior on failed attestations for push mode
- Add shared memory infrastructure for multiprocess communication
- Add agent authentication (challenge/response) protocol for push mode
- Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
- docs: Fix man page RST formatting for rst2man compatibility (#1813)
- Apply limit on keylime-policy workers
- tpm: fix ECC signature parsing to support variable-length coordinates
- tpm: fix ECC P-521 credential activation with consistent marshaling
- tpm: fix ECC P-521 coordinate validation
- Remove deprecated disabled_signing_algorithms configuration option (#1804)
- algorithms: add support for specific RSA algorithms
- algorithms: add support for specific ECC curve algorithms
- Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
- Manpage for keylime agent
- Manpage for keylime verifier
- Manpage for keylime registrar
- Use constants for timeout and max retries defaults
- verifier: Use timeout from request_timeout config option
- revocation_notifier: Use timeout setting from config file
- tenant: Set timeout when getting version from agent
- verify/evidence: SEV-SNP evidence type/verifier
- verify/evidence: Add evidence type to request JSON
- Version v7.13.0:
- Avoid re-encoding certificate stored in DB
- Revert "models: Do not re-encode certificate stored in DB"
- Revert "registrar_agent: Use pyasn1 to parse PEM"
- policy/sign: use print() when writing to /dev/stdout
- registrar_agent: Use pyasn1 to parse PEM
- models: Do not re-encode certificate stored in DB
- mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
- mb: support vendor_db as logged by newer shim versions
- mb: support EV_EFI_HANDOFF_TABLES events on PCR1
- Remove unnecessary configuration values
- cloud_verifier_tornado: handle exception in notify_error()
- requests_client: close the session at the end of the resource manager
- Manpage for keylime_tenant (#1786)
- Add 2.5 templates including Push Model changes
- Initial version of verify evidence API
- db: Do not read pool size and max overflow for sqlite
- Use context managers to close DB sessions
- revocations: Try to send notifications on shutdown
- verifier: Gracefully shutdown on signal
- Use fork as multiprocessing start method
- Fix inaccuracy in threat model and add reference to SBAT
- Explain TPM properties and expand vTPM discussion
- Fix invalid RST and update TOC
- Expand threat model page to include adversarial model
- Add --push-model option to avoid requests to agents
- templates: duplicate str_to_version() in the adjust script
- policy: fix mypy issues with rpm_repo
- revocation_notifier: fix mypy issue by replacing deprecated call
- Fix create_runtime_policy in python < 3.12
- Fix after review
- fixed CONSTANT names C0103 errors
- Extend meta_data field in verifierdb
- docs: update issue templates
- docs: add GitHub PR template with documentation reminders
- tpm_util: fix quote signature extraction for ECDSA
- registrar: Log API versions during startup
- Remove excessive logging on exception
- scripts: Fix coverage information downloading script
- Version v7.12.1:
- models: Add Base64Bytes type to read and write from the database
- Simplify response check from registrar
- Version v7.12.0:
- API: Add /version endpoint to registrar
- scripts: Download coverage data directly from Testing Farm
- docs: Add separate documentation for each API version
- scripts/create_runtime_policy.sh: fix path for the exclude list
- docs: add documentation for keylime-policy
- templates: Add the new agent.conf option 'api_versions'
- Enable autocompletion using argcomplete
- build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
- Configure EPEL-10 repo in packit-ci.fmf
- build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
- build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
- build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
- build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
- keylime-policy: improve error handling when provided a bad key (sign)
- keylime-policy: exit with status 1 when the commands failed
- keylime-policy: use Certificate() from models.base to validate certs
- keylime-policy: check for valid cert file when using x509 backend (sign)
- keylime-policy: fix help for "keylime-policy sign" verb
- tenant: Correctly log number of tries when deleting
- update TCTI environment variable usage
- build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
- keylime-policy: add `create measured-boot' subcommand
- keylime-policy: add `sign runtime' subcommand
- keylime-policy: add logger to use with the policy tool
- installer.sh: Restore execution permission
- installer: Fix string comparison
- build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
- build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
- build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
- build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
- installer.sh: updated EPEL, PEP668 Fix, logic fix
- build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
- build(deps): bump actions/checkout from 4.2.1 to 4.2.2
- postgresql support for docker using psycopg2
- installer.sh: update package list, add workaround for PEP 668
- build(deps): bump actions/checkout from 4.2.0 to 4.2.1
- keylime.conf: full removal
- Drop pending SPDX-License-Identifier headers
- create_runtime_policy: Validate algorithm from IMA measurement log
- create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
- create_runtime_policy: drop comment with test data
- create_runtime_policy: Use a common method to guess algorithm
- keylime-policy: rename tool to keylime-policy instead of keylime_policy
- keylime_policy: create runtime: remove --use-ima-measurement-list
- keylime_policy: use consistent arg names for create_runtime_policy
- build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
- build(deps): bump actions/checkout from 4.1.7 to 4.2.0
- elchecking/example: workaround empty PK, KEK, db and dbx
- elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
- create_runtime_policy: Fix log level for debug messages
- build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
- build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
- pylintrc: Ignore too-many-positional-arguments check
- keylime/web/base/controller: Move TypeAlias definition out of class
- create_runtime_policy: Calculate digests in multiple threads
- create_runtime_policy: Allow rootfs to be in any directory
- keylime_policy: Calculate digests from each source separately
- create_runtime_policy: Simplify boot_aggregate parsing
- ima: Validate JSON when loading IMA Keyring from string
- docs: include IDevID page also in the sidebar
- docs: point to installation guide from RHEL and SLE Micro
- build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
- build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
- change check_tpm_origin_check to a warning that does not prevent registration
- docs: Fix Runtime Policy JSON schema to reflect the reality
- Sets absolute path for files inside a rootfs dir
- policy/create_runtime_policy: fix handling of empty lines in exclude list
- keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
- codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
- codestyle: convert bytearrays to bytes to get expected type (pyright)
- codestyle: Use new variables after changing datatype (pyright)
- cert_utils: add description why loading using cryptography might fail
- ima: list names of the runtime policies
- build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
- tox: Use python 3.10 instead of 3.6
- revocation_notifier: Use web_util to generate TLS context
- mba: Add a skip custom policies option when loading mba.
- build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
- build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
- cmd/keylime_policy: add tool to handle keylime policies
- cert_utils: add is_x509_cert()
- common/algorithms: transform Encrypt and Sign class into enums
- common/algorithms: add method to calculate digest of a file
- build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
- build(deps): bump docker/login-action from 3.2.0 to 3.3.0
- build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
- build(deps): bump docker/login-action from 3.2.0 to 3.3.0
- build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
- build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
- build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
- build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
- tpm: Replace KDFs and ECDH implementations with python-cryptography
- build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
- build(deps): bump docker/login-action from 2.2.0 to 3.2.0
- build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
- build(deps): bump actions/first-interaction
- build(deps): bump actions/checkout from 2.7.0 to 4.1.7
- revocation_notifier: Explicitly add CA certificate bundle
- Introduce new REST API framework and refactor registrar implementation
- mba: Support named measured boot policies
- tenant: add friendlier error message if mTLS CA is wrongly configured
- ca_impl_openssl: Mark extensions as critical following RFC 5280
- Include Authority Key Identifier in KL-generated certs
- verifier, tenant: make payload for agent completely optional
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 16.0: zypper in -t patch SUSE-SLES-16.0-104=1
- SUSE Linux Enterprise Server for SAP Applications 16.0: zypper in -t patch SUSE-SLES-16.0-104=1
Package List:
- SUSE Linux Enterprise Server 16.0 (noarch):
- keylime-verifier-7.13.0+40-160000.1.1
- keylime-logrotate-7.13.0+40-160000.1.1
- python313-keylime-7.13.0+40-160000.1.1
- keylime-registrar-7.13.0+40-160000.1.1
- keylime-config-7.13.0+40-160000.1.1
- keylime-tpm_cert_store-7.13.0+40-160000.1.1
- keylime-tenant-7.13.0+40-160000.1.1
- keylime-firewalld-7.13.0+40-160000.1.1
- SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch):
- keylime-verifier-7.13.0+40-160000.1.1
- keylime-logrotate-7.13.0+40-160000.1.1
- python313-keylime-7.13.0+40-160000.1.1
- keylime-registrar-7.13.0+40-160000.1.1
- keylime-config-7.13.0+40-160000.1.1
- keylime-tpm_cert_store-7.13.0+40-160000.1.1
- keylime-tenant-7.13.0+40-160000.1.1
- keylime-firewalld-7.13.0+40-160000.1.1