Merge pull request keylime#957 from THS-on/remove-stub-support

maugustosilva · web-flow · commit c325e00cc7f9 · 2022-04-06T09:53:54.000-03:00
Remove stubbing support for TPM, VTPM and IMA
diff --git a/doc/stub-tpm-notes.md b/doc/stub-tpm-notes.md
diff --git a/keylime/config.py b/keylime/config.py
@@ -22,8 +22,6 @@
     from yaml import SafeLoader
 from yaml.reader import ReaderError
 
-from keylime import json
-
 
 def convert(data):
     if isinstance(data, bytes):
@@ -50,22 +48,6 @@ def environ_bool(env_name, default):
         f"{val} (use either on/true/1 or off/false/0)")
 
 
-# SET STUB_TPM TO True TO ALLOW ALL TPM Operations to be stubbed out
-# If STUB_TPM=True, TPM_CANNED_VALUES_PATH file must be provided (canned inputs)
-# Canned input values can be generated by running with STUB_TPM=False and
-#   specifying a TPM_CANNED_VALUES_PATH filename
-STUB_TPM = False
-TPM_CANNED_VALUES_PATH = None
-
-# SET TO TRUE TO STUB A VTPM
-STUB_VTPM = False
-# force stub tpm if vtpm true
-if STUB_VTPM:
-    STUB_TPM = True
-
-# Enable TPM benchmarking (output timing data to given file)
-TPM_BENCHMARK_PATH = None
-
 # set to False to enable keylime to run from the CWD and not require
 # root access.  for testing purposes only
 # all processes will log to the CWD in keylime-all.log
@@ -77,12 +59,6 @@ def environ_bool(env_name, default):
 # allow the emuatlor to not have an ekcert even if check ekcert is true
 DISABLE_EK_CERT_CHECK_EMULATOR = False
 
-# stub out IMA functionality
-STUB_IMA = False
-
-if STUB_TPM:
-    STUB_IMA = True
-
 # allow testing mode
 TEST_MODE = os.getenv('KEYLIME_TEST', 'False')
 if TEST_MODE.upper() == 'TRUE':
@@ -93,19 +69,6 @@ def environ_bool(env_name, default):
 # whether to use tpmfs or not
 MOUNT_SECURE = True
 
-# load in JSON canned values if we're in stub mode (and JSON file given)
-TPM_CANNED_VALUES = None
-if STUB_TPM and TPM_CANNED_VALUES_PATH is not None:
-    with open(TPM_CANNED_VALUES_PATH, "rb") as can:
-        print(f"WARNING: using canned values in stub mode from file '{TPM_CANNED_VALUES_PATH}'")
-        # Read in JSON and strip trailing extraneous commas
-        jsonInTxt = can.read().rstrip(',\r\n')
-        # Saved JSON is missing surrounding braces, so add them here
-        TPM_CANNED_VALUES = json.loads('{' + jsonInTxt + '}')
-elif STUB_TPM:
-    raise Exception(
-        'STUB_TPM=True but required TPM_CANNED_VALUES_PATH not provided!')
-
 
 if not REQUIRE_ROOT:
     MOUNT_SECURE = False
@@ -174,10 +137,7 @@ def yaml_to_dict(arry, add_newlines=True, logger=None) -> Optional[dict]:
     return None
 
 
-if STUB_IMA:
-    IMA_ML = '../scripts/ima/ascii_runtime_measurements'
-else:
-    IMA_ML = '/sys/kernel/security/ima/ascii_runtime_measurements'
+IMA_ML = '/sys/kernel/security/ima/ascii_runtime_measurements'
 
 IMA_PCR = 10
 
diff --git a/keylime/ima.py b/keylime/ima.py
@@ -393,8 +393,6 @@ def process_allowlists(allowlist, exclude):
 def read_allowlist(al_path=None, checksum="", gpg_sig_file=None, gpg_key_file=None):
     if al_path is None:
         al_path = config.get('tenant', 'ima_allowlist')
-        if config.STUB_IMA:
-            al_path = '../scripts/ima/allowlist.txt'
 
     # If user only wants signatures then an allowlist is not required
     if al_path is None or al_path == '':
@@ -483,8 +481,6 @@ def read_allowlist(al_path=None, checksum="", gpg_sig_file=None, gpg_key_file=No
 def read_excllist(exclude_path=None):
     if exclude_path is None:
         exclude_path = config.get('tenant', 'ima_excludelist')
-        if config.STUB_IMA:
-            exclude_path = '../scripts/ima/exclude.txt'
 
     excl_list = []
     if os.path.exists(exclude_path):
diff --git a/keylime/keylime_agent.py b/keylime/keylime_agent.py
@@ -738,16 +738,6 @@ def main():
     if not validators.valid_agent_id(agent_uuid):
         raise RuntimeError("The agent ID set via agent uuid parameter use invalid characters")
 
-    if config.STUB_VTPM and config.TPM_CANNED_VALUES is not None:
-        # Use canned values for stubbing
-        jsonIn = config.TPM_CANNED_VALUES
-        if "add_vtpm_to_group" in jsonIn:
-            # The value we're looking for has been canned!
-            agent_uuid = jsonIn['add_vtpm_to_group']['retout']
-        else:
-            # Our command hasn't been canned!
-            raise Exception("Command add_vtpm_to_group not found in canned json!")
-
     logger.info("Agent UUID: %s", agent_uuid)
 
     serveraddr = (config.get('cloud_agent', 'cloudagent_ip'),
diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
@@ -21,7 +21,6 @@
 from keylime.common import validators
 from keylime.db.registrar_db import RegistrarMain
 from keylime.db.keylime_db import DBEngineManager, SessionManager
-from keylime import config
 from keylime import crypto
 from keylime import json
 from keylime.tpm import tpm2_objects
@@ -466,7 +465,8 @@ def do_PUT(self):
                 logger.error('SQLAlchemy Error: %s', e)
                 raise
 
-            if config.STUB_TPM:
+            ex_mac = crypto.do_hmac(agent.key.encode(), agent_id)
+            if ex_mac == auth_tag:
                 try:
                     session.query(RegistrarMain).filter(RegistrarMain.agent_id == agent_id).update(
                         {'active': int(True)})
@@ -475,18 +475,8 @@ def do_PUT(self):
                     logger.error('SQLAlchemy Error: %s', e)
                     raise
             else:
-                ex_mac = crypto.do_hmac(agent.key.encode(), agent_id)
-                if ex_mac == auth_tag:
-                    try:
-                        session.query(RegistrarMain).filter(RegistrarMain.agent_id == agent_id).update(
-                            {'active': int(True)})
-                        session.commit()
-                    except SQLAlchemyError as e:
-                        logger.error('SQLAlchemy Error: %s', e)
-                        raise
-                else:
-                    raise Exception(
-                        f"Auth tag {auth_tag} does not match expected value {ex_mac}")
+                raise Exception(
+                    f"Auth tag {auth_tag} does not match expected value {ex_mac}")
 
             web_util.echo_json_response(self, 200, "Success")
             logger.info('PUT activated: %s', agent_id)
diff --git a/keylime/tenant.py b/keylime/tenant.py
@@ -532,9 +532,7 @@ def check_ek(self, ekcert):
             [type] -- [description]
         """
         if config.getboolean('tenant', 'require_ek_cert'):
-            if config.STUB_TPM:
-                logger.debug("Not checking ekcert due to STUB_TPM mode")
-            elif ekcert == 'emulator' and config.DISABLE_EK_CERT_CHECK_EMULATOR:
+            if ekcert == 'emulator' and config.DISABLE_EK_CERT_CHECK_EMULATOR:
                 logger.info("Not checking ekcert of TPM emulator")
             elif ekcert is None:
                 logger.warning("No EK cert provided, require_ek_cert option in config set to True")
@@ -576,7 +574,7 @@ def validate_tpm_quote(self, public_key, quote, hash_alg):
         if self.registrar_data['regcount'] > 1:
             logger.warning("WARNING: This UUID had more than one ek-ekcert registered to it! This might indicate that your system is misconfigured. Run 'regdelete' for this agent and restart")
 
-        if not config.STUB_TPM and (not config.getboolean('tenant', 'require_ek_cert') and config.get('tenant', 'ek_check_script') == ""):
+        if not config.getboolean('tenant', 'require_ek_cert') and config.get('tenant', 'ek_check_script') == "":
             logger.warning(
                 "DANGER: EK cert checking is disabled and no additional checks on EKs have been specified with ek_check_script option. Keylime is not secure!!")
 
@@ -1355,15 +1353,6 @@ def main(argv=sys.argv):  #pylint: disable=dangerous-default-value
         logger.warning("Using default UUID d432fbb3-d2f1-4a97-9ef7-75bd81c00000")
         mytenant.agent_uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
 
-    if config.STUB_VTPM and config.TPM_CANNED_VALUES is not None:
-        # Use canned values for agent UUID
-        jsonIn = config.TPM_CANNED_VALUES
-        if "add_vtpm_to_group" in jsonIn:
-            mytenant.agent_uuid = jsonIn['add_vtpm_to_group']['retout']
-        else:
-            # Our command hasn't been canned!
-            raise UserError("Command add_vtpm_to_group not found in canned JSON!")
-
     if args.verifier_id is not None:
         mytenant.verifier_id = args.verifier_id
     if args.verifier_ip is not None:
diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
@@ -202,9 +202,6 @@ def __check_ima(agentAttestState, pcrval, ima_measurement_list, allowlist,
                     ima_keyrings, boot_aggregates, hash_alg):
         failure = Failure(Component.IMA)
         logger.info("Checking IMA measurement list on agent: %s", agentAttestState.get_agent_id())
-        if config.STUB_IMA:
-            pcrval = None
-
         _, ima_failure = ima.process_measurement_list(agentAttestState, ima_measurement_list.split('\n'), allowlist,
                                                       pcrval=pcrval, ima_keyrings=ima_keyrings,
                                                       boot_aggregates=boot_aggregates, hash_alg=hash_alg)
@@ -253,10 +250,6 @@ def check_pcrs(self, agentAttestState, tpm_policy, pcrs, data, virtual, ima_meas
         pcrs = AbstractTPM.__parse_pcrs(pcrs, virtual)
         pcr_nums = set(pcrs.keys())
 
-        # Skip validation if TPM is stubbed.
-        if config.STUB_TPM:
-            return failure
-
         # Validate data PCR
         if config.TPM_DATA_PCR in pcr_nums and data is not None:
             expectedval = self.sim_extend(data, hash_alg=hash_alg)
diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
