From b7544e0e41afe42d468d3849b5419d70ca2eab60 Mon Sep 17 00:00:00 2001 From: Vikram Narayanan Date: Sat, 23 Sep 2023 17:15:14 -0600 Subject: [PATCH 1/2] remove zmq revocation actions feature Revocation through zmq is scheduled to be removed for the next major release and is already marked as deprecated. Signed-off-by: Vikram Narayanan --- Cargo.lock | 48 +------- README.md | 8 +- docker/fedora/keylime_rust.Dockerfile | 3 +- keylime-agent.conf | 19 ---- keylime-agent/Cargo.toml | 6 - keylime-agent/src/config.rs | 153 -------------------------- keylime-agent/src/error.rs | 3 - keylime-agent/src/main.rs | 31 ------ keylime-agent/src/payloads.rs | 39 ------- keylime-agent/src/revocation.rs | 145 +----------------------- 10 files changed, 5 insertions(+), 450 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index cff272fc..7acc21e0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -526,7 +526,7 @@ dependencies = [ "nom", "pathdiff", "serde", - "toml 0.5.9", + "toml", ] [[package]] @@ -665,12 +665,6 @@ dependencies = [ "libc", ] -[[package]] -name = "error-chain" -version = "0.10.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d9435d864e017c3c6afeac1654189b06cdb491cf2ff73dbf0d73b0f292f42ff8" - [[package]] name = "event-listener" version = "2.5.3" @@ -1151,7 +1145,6 @@ dependencies = [ "tss-esapi", "uuid", "wiremock", - "zmq", ] [[package]] @@ -1265,17 +1258,6 @@ version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" -[[package]] -name = "metadeps" -version = "1.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "73b122901b3a675fac8cecf68dcb2f0d3036193bc861d1ac0e1c337f7d5254c2" -dependencies = [ - "error-chain", - "pkg-config", - "toml 0.2.1", -] - [[package]] name = "mime" version = "0.3.16" 
@@ -2226,12 +2208,6 @@ dependencies = [ "tracing", ] -[[package]] -name = "toml" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "736b60249cb25337bc196faa43ee12c705e426f3d55c214d73a4e7be06f92cb4" - [[package]] name = "toml" version = "0.5.9" @@ -2698,25 +2674,3 @@ dependencies = [ "syn 1.0.100", "synstructure", ] - -[[package]] -name = "zmq" -version = "0.9.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aad98a7a617d608cd9e1127147f630d24af07c7cd95ba1533246d96cbdd76c66" -dependencies = [ - "bitflags 1.3.2", - "libc", - "log", - "zmq-sys", -] - -[[package]] -name = "zmq-sys" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d33a2c51dde24d5b451a2ed4b488266df221a5eaee2ee519933dc46b9a9b3648" -dependencies = [ - "libc", - "metadeps", -] diff --git a/README.md b/README.md index 6ab9d335..2a505698 100644 --- a/README.md +++ b/README.md @@ -36,11 +36,10 @@ The following packages are required for building: * `libarchive-devel` * `openssl-devel` * `tpm2-tss-devel` -* (optional for the `with-zmq` feature): `zeromq-devel` To install, use the following command: ``` -$ dnf install clang libarchive-devel openssl-devel tpm2-tss-devel zeromq-devel +$ dnf install clang libarchive-devel openssl-devel tpm2-tss-devel ``` For runtime, the following packages are required: @@ -50,7 +49,6 @@ For runtime, the following packages are required: * `tpm2-tss` * `systemd` (to run as systemd service) * `util-linux-core` (for the `mount` command) -* (optional for the `with-zmq` feature): `zeromq` #### Debian and Ubuntu 
@@ -61,12 +59,11 @@ For Debian and Ubuntu, use the following packages are required: * `libssl-dev` * `libtss2-dev` * `pkg-config` -* (optional for the `with-zmq` feature): `libzmq3-dev` To install, use the following command: ``` -$ apt-get install libarchive-dev libclang-dev libssl-dev libtss2-dev libzmq3-dev pkg-config +$ apt-get install libarchive-dev libclang-dev libssl-dev libtss2-dev pkg-config ``` For runtime, the following packages are required: @@ -75,7 +72,6 @@ For runtime, the following packages are required: * `libarchive` * `libssl` * `libtss2-esys-3.0.2-0` -* (optional for the `with-zmq` feature): `libzmq3` * `systemd` (to run as systemd service) ### Rust diff --git a/docker/fedora/keylime_rust.Dockerfile b/docker/fedora/keylime_rust.Dockerfile index f097087b..2b7c12a2 100644 --- a/docker/fedora/keylime_rust.Dockerfile +++ b/docker/fedora/keylime_rust.Dockerfile @@ -50,8 +50,7 @@ tpm2-abrmd \ tpm2-tools \ tpm2-tss \ tpm2-tss-devel \ -uthash-devel \ -czmq-devel" +uthash-devel" RUN dnf makecache && \ dnf -y install $PKGS_DEPS && \ diff --git a/keylime-agent.conf b/keylime-agent.conf index a8d0203d..7131e945 100644 --- a/keylime-agent.conf +++ b/keylime-agent.conf @@ -127,14 +127,6 @@ secure_size = "1m" # environment variable. extract_payload_zip = true -# Whether to listen for revocation notifications from the verifier via zeromq. -# Note: The agent supports receiving revocation notifications via REST API -# regardless of the value set here. -# -# To override enable_revocation_notifications, set -# KEYLIME_AGENT_ENABLE_REVOCATION_NOTIFICATIONS environment variable. -enable_revocation_notifications = false - # The path to the directory containing the pre-installed revocation action # scripts. Ideally should point to an fixed/immutable location subject to # attestation. The default is /usr/libexec/keylime. 
@@ -143,17 +135,6 @@ enable_revocation_notifications = false # environment variable. revocation_actions_dir = "/usr/libexec/keylime" -# Revocation IP & Port used by the agent to receive revocation -# notifications from the verifier via zeromq. -# This is optional and used only when 'enable_revocation_notifications' is 'true'. -# -# To override revocation_notification_ip, set -# KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable. -# To override revocation_notification_port, set -# KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable. -revocation_notification_ip = "127.0.0.1" -revocation_notification_port = 8992 - # The path to the certificate to verify revocation messages received from the # verifier. The path is relative to keylime_dir unless an absolute path is # provided (i.e. starts with '/'). diff --git a/keylime-agent/Cargo.toml b/keylime-agent/Cargo.toml index d3c843c0..4db1cb12 100644 --- a/keylime-agent/Cargo.toml +++ b/keylime-agent/Cargo.toml @@ -34,7 +34,6 @@ tokio = {version = "1.24", features = ["rt", "sync", "macros"]} tss-esapi = {version = "7.2.0", features = ["generate-bindings"]} thiserror = "1.0" uuid = {version = "1.3", features = ["v4"]} -zmq = {version = "0.9.2", optional = true} # wiremock was moved to be a regular dependency because optional # dev-dependencies are not supported # see: https://github.com/rust-lang/cargo/issues/1596 @@ -48,11 +47,6 @@ actix-rt = "2" default = [] # this should change to dev-dependencies when we have integration testing testing = ["wiremock"] -# Whether the agent should be compiled with support to listen for notification -# messages on ZeroMQ -# -# This feature is deprecated and will be removed on next major release -with-zmq = ["zmq"] # Whether the agent should be compiled with support for python revocation # actions loaded as modules, which is the only kind supported by the python # agent (unless the enhancement-55 is implemented). See: 
diff --git a/keylime-agent/src/config.rs b/keylime-agent/src/config.rs index f6fd3e95..3be4c64c 100644 --- a/keylime-agent/src/config.rs +++ b/keylime-agent/src/config.rs @@ -41,10 +41,7 @@ pub static DEFAULT_DEC_PAYLOAD_FILE: &str = "decrypted_payload"; pub static DEFAULT_SECURE_SIZE: &str = "1m"; pub static DEFAULT_TPM_OWNERPASSWORD: &str = ""; pub static DEFAULT_EXTRACT_PAYLOAD_ZIP: bool = true; -pub static DEFAULT_ENABLE_REVOCATION_NOTIFICATIONS: bool = false; pub static DEFAULT_REVOCATION_ACTIONS_DIR: &str = "/usr/libexec/keylime"; -pub static DEFAULT_REVOCATION_NOTIFICATION_IP: &str = "127.0.0.1"; -pub static DEFAULT_REVOCATION_NOTIFICATION_PORT: u32 = 8992; // Note: The revocation certificate name is generated inside the Python tenant and the // certificate(s) can be generated by running the tenant with the --cert flag. For more // information, check the README: https://github.com/keylime/keylime/#using-keylime-ca @@ -89,10 +86,7 @@ pub(crate) struct EnvConfig { pub secure_size: Option, pub tpm_ownerpassword: Option, pub extract_payload_zip: Option, - pub enable_revocation_notifications: Option, pub revocation_actions_dir: Option, - pub revocation_notification_ip: Option, - pub revocation_notification_port: Option, pub revocation_cert: Option, pub revocation_actions: Option, pub payload_script: Option, @@ -133,10 +127,7 @@ pub(crate) struct AgentConfig { pub secure_size: String, pub tpm_ownerpassword: String, pub extract_payload_zip: bool, - pub enable_revocation_notifications: bool, pub revocation_actions_dir: String, - pub revocation_notification_ip: String, - pub revocation_notification_port: u32, pub revocation_cert: String, pub revocation_actions: String, pub payload_script: String, 
@@ -236,28 +227,12 @@ impl EnvConfig { if let Some(v) = self.extract_payload_zip { _ = agent.insert("extract_payload_zip".to_string(), v.into()); } - if let Some(v) = self.enable_revocation_notifications { - _ = agent.insert( - "enable_revocation_notifications".to_string(), - v.into(), - ); - } if let Some(ref v) = self.revocation_actions_dir { _ = agent.insert( "revocation_actions_dir".to_string(), v.to_string().into(), ); } - if let Some(ref v) = self.revocation_notification_ip { - _ = agent.insert( - "revocation_notification_ip".to_string(), - v.to_string().into(), - ); - } - if let Some(v) = self.revocation_notification_port { - _ = agent - .insert("revocation_notification_port".to_string(), v.into()); - } if let Some(ref v) = self.revocation_cert { _ = agent .insert("revocation_cert".to_string(), v.to_string().into()); @@ -439,25 +414,10 @@ impl Source for KeylimeConfig { "extract_payload_zip".to_string(), self.agent.extract_payload_zip.to_string().into(), ); - _ = m.insert( - "enable_revocation_notifications".to_string(), - self.agent - .enable_revocation_notifications - .to_string() - .into(), - ); _ = m.insert( "revocation_actions_dir".to_string(), self.agent.revocation_actions_dir.to_string().into(), ); - _ = m.insert( - "revocation_notification_ip".to_string(), - self.agent.revocation_notification_ip.to_string().into(), - ); - _ = m.insert( - "revocation_notification_port".to_string(), - self.agent.revocation_notification_port.into(), - ); _ = m.insert( "revocation_cert".to_string(), self.agent.revocation_cert.to_string().into(), 
@@ -549,13 +509,7 @@ impl Default for AgentConfig {
             tpm_encryption_alg: DEFAULT_TPM_ENCRYPTION_ALG.to_string(),
             tpm_signing_alg: DEFAULT_TPM_SIGNING_ALG.to_string(),
             agent_data_path: "default".to_string(),
-            enable_revocation_notifications:
-                DEFAULT_ENABLE_REVOCATION_NOTIFICATIONS,
             revocation_cert: "default".to_string(),
-            revocation_notification_ip: DEFAULT_REVOCATION_NOTIFICATION_IP
-                .to_string(),
-            revocation_notification_port:
-                DEFAULT_REVOCATION_NOTIFICATION_PORT,
             secure_size: DEFAULT_SECURE_SIZE.to_string(),
             payload_script: DEFAULT_PAYLOAD_SCRIPT.to_string(),
             dec_payload_file: DEFAULT_DEC_PAYLOAD_FILE.to_string(),
@@ -766,27 +720,6 @@ fn config_translate_keywords(
         s => s.to_string(),
     };
 
-    // Validate the configuration
-
-    // If revocation notifications is enabled, verify all the required options for revocation
-    if config.agent.enable_revocation_notifications {
-        if config.agent.revocation_notification_ip.is_empty() {
-            error!("The option 'enable_revocation_notifications' is set as 'true' but 'revocation_notification_ip' was set as empty");
-            return Err(Error::Configuration("The option 'enable_revocation_notifications' is set as 'true' but 'revocation_notification_ip' was set as empty".to_string()));
-        }
-        if config.agent.revocation_cert.is_empty() {
-            error!("The option 'enable_revocation_notifications' is set as 'true' 'revocation_cert' was set as empty");
-            return Err(Error::Configuration("The option 'enable_revocation_notifications' is set as 'true' but 'revocation_notification_cert' was set as empty".to_string()));
-        }
-        let actions_dir = match config.agent.revocation_actions_dir.as_ref() {
-            "" => {
-                error!("The option 'enable_revocation_notifications' is set as 'true' but the revocation actions directory was set as empty in 'revocation_actions_dir'");
-                return Err(Error::Configuration("The option 'enable_revocation_notifications' is set as 'true' but 'revocation_actions_dir' was set as empty".to_string()));
-            }
-            dir => dir.to_string(),
-        };
-    }
-
     let mut revocation_cert = config_get_file_path(
         "revocation_cert",
         &config.agent.revocation_cert,
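Review bot: Removing the whole validation block also removes the only config-time rejection of an empty `revocation_actions_dir`, while the REST revocation path that this patch keeps still loads action scripts from that directory. The main.rs hunk in this patch still refuses an empty `revocation_cert` at startup, but nothing visible here does the same for the actions directory, and the conf file describes it as a location that should be fixed and subject to attestation. If the action runner joins script names onto that string, which this hunk does not show, an empty value would resolve relative to the agent's working directory instead of failing fast. I would keep that single check unconditionally: `if config.agent.revocation_actions_dir.is_empty() { return Err(Error::Configuration("'revocation_actions_dir' was set as empty".to_string())); }`. `config_translate_keywords` starts and ends outside this hunk.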
@@ -930,86 +863,6 @@ mod tests { assert_eq!(revocation_cert_path, expected); } - #[test] - fn get_revocation_notification_ip_empty() { - let mut test_config = KeylimeConfig { - agent: AgentConfig { - enable_revocation_notifications: true, - revocation_notification_ip: "".to_string(), - ..Default::default() - }, - }; - let result = config_translate_keywords(&test_config); - // Due to enable_revocation_notifications being set - assert!(result.is_err()); - let mut test_config = KeylimeConfig { - agent: AgentConfig { - enable_revocation_notifications: false, - revocation_notification_ip: "".to_string(), - ..Default::default() - }, - }; - - // Now unset enable_revocation_notifications and check that is allowed - let result = config_translate_keywords(&test_config); - assert!(result.is_ok()); - let test_config = result.unwrap(); //#[allow_ci] - assert_eq!( - test_config.agent.revocation_notification_ip, - "".to_string() - ); - } - - #[test] - fn get_revocation_cert_empty() { - let mut test_config = KeylimeConfig { - agent: AgentConfig { - enable_revocation_notifications: true, - revocation_cert: "".to_string(), - ..Default::default() - }, - }; - let result = config_translate_keywords(&test_config); - // Due to enable_revocation_notifications being set - assert!(result.is_err()); - let mut test_config = KeylimeConfig { - agent: AgentConfig { - enable_revocation_notifications: false, - revocation_cert: "".to_string(), - ..Default::default() - }, - }; - - // Now unset enable_revocation_notifications and check that is allowed - let result = config_translate_keywords(&test_config); - assert!(result.is_ok()); - } - - #[test] - fn get_revocation_actions_dir_empty() { - let mut test_config = KeylimeConfig { - agent: AgentConfig { - enable_revocation_notifications: true, - revocation_actions_dir: "".to_string(), - ..Default::default() - }, - }; - let result = config_translate_keywords(&test_config); - // Due to enable_revocation_notifications being set - assert!(result.is_err()); 
- let mut test_config = KeylimeConfig { - agent: AgentConfig { - enable_revocation_notifications: false, - revocation_actions_dir: "".to_string(), - ..Default::default() - }, - }; - - // Now unset enable_revocation_notifications and check that is allowed - let result = config_translate_keywords(&test_config); - assert!(result.is_ok()); - } - #[test] fn test_get_uuid() { assert_eq!(get_uuid("hash_ek"), "hash_ek"); @@ -1050,13 +903,7 @@ mod tests { ("SECURE_SIZE", "override_secure_size"), ("TPM_OWNERPASSWORD", "override_tpm_ownerpassword"), ("EXTRACT_PAYLOAD_ZIP", "false"), - ("ENABLE_REVOCATION_NOTIFICATIONS", "false"), ("REVOCATION_ACTIONS_DIR", "override_revocation_actions_dir"), - ( - "REVOCATION_NOTIFICATION_IP", - "override_revocation_notification_ip", - ), - ("REVOCATION_NOTIFICATION_PORT", "9999"), ("REVOCATION_CERT", "override_revocation_cert"), ("REVOCATION_ACTIONS", "override_revocation_actions"), ("PAYLOAD_SCRIPT", "override_payload_script"), diff --git a/keylime-agent/src/error.rs b/keylime-agent/src/error.rs index 7da4078f..e154fc4f 100644 --- a/keylime-agent/src/error.rs +++ b/keylime-agent/src/error.rs @@ -62,9 +62,6 @@ pub(crate) enum Error { NumParse(#[from] std::num::ParseIntError), #[error("Crypto error: {0}")] Crypto(#[from] openssl::error::ErrorStack), - #[cfg(feature = "with-zmq")] - #[error("ZMQ error: {0}")] - Zmq(#[from] zmq::Error), #[error("base64 decode error: {0}")] Base64(#[from] base64::DecodeError), #[error("parse bool error: {0}")] diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs index 57401424..ae00a534 100644 --- a/keylime-agent/src/main.rs +++ b/keylime-agent/src/main.rs @@ -710,9 +710,6 @@ async fn main() -> Result<()> { let (mut revocation_tx, mut revocation_rx) = mpsc::channel::(1); - #[cfg(feature = "with-zmq")] - let (mut zmq_tx, mut zmq_rx) = mpsc::channel::(1); - let revocation_cert = match config.agent.revocation_cert.as_ref() { "" => { error!( 
@@ -890,8 +887,6 @@ async fn main() -> Result<()> { PathBuf::from(&mount), payload_rx, revocation_tx.clone(), - #[cfg(feature = "with-zmq")] - zmq_tx.clone(), )) .map_err(Error::from); @@ -903,25 +898,6 @@ async fn main() -> Result<()> { )) .map_err(Error::from); - // If with-zmq feature is enabled, run the service listening for ZeroMQ messages - #[cfg(feature = "with-zmq")] - let zmq_task = if config.agent.enable_revocation_notifications { - warn!("The support for ZeroMQ revocation notifications is deprecated and will be removed on next major release"); - - let zmq_ip = config.agent.revocation_notification_ip; - let zmq_port = config.agent.revocation_notification_port; - - rt::spawn(revocation::zmq_worker( - zmq_rx, - revocation_tx.clone(), - zmq_ip, - zmq_port, - )) - .map_err(Error::from) - } else { - rt::spawn(ok(())).map_err(Error::from) - }; - let shutdown_task = rt::spawn(async move { let mut sigint = signal(SignalKind::interrupt()).unwrap(); //#[allow_ci] let mut sigterm = signal(SignalKind::terminate()).unwrap(); //#[allow_ci] @@ -942,9 +918,6 @@ async fn main() -> Result<()> { payload_tx.send(payloads::PayloadMessage::Shutdown); keys_tx.send((keys_handler::KeyMessage::Shutdown, None)); - #[cfg(feature = "with-zmq")] - zmq_tx.send(revocation::ZmqMessage::Shutdown); - revocation_tx.send(revocation::RevocationMessage::Shutdown); // Await tasks shutdown @@ -952,10 +925,6 @@ async fn main() -> Result<()> { }) .map_err(Error::from); - // If with-zmq feature is enabled, wait for the service listening for ZeroMQ messages - #[cfg(feature = "with-zmq")] - try_join!(zmq_task)?; - let result = try_join!( server_task, payload_task, diff --git a/keylime-agent/src/payloads.rs b/keylime-agent/src/payloads.rs index e190e3ac..22fb8be3 100644 --- a/keylime-agent/src/payloads.rs +++ b/keylime-agent/src/payloads.rs 
@@ -8,9 +8,6 @@ use crate::{ Error, Result, }; -#[cfg(feature = "with-zmq")] -use crate::revocation::ZmqMessage; - use compress_tools::*; use log::*; use serde::{Deserialize, Serialize}; @@ -191,7 +188,6 @@ async fn run_encrypted_payload( config: &config::KeylimeConfig, mount: &Path, revocation_tx: Sender, - #[cfg(feature = "with-zmq")] zmq_tx: Sender, ) -> Result<()> { let dec_payload = decrypt_payload(&symm_key, payload)?; @@ -257,14 +253,6 @@ async fn run_encrypted_payload( warn!("Failed to send PayloadDecrypted mesage to revocation worker"); }; - #[cfg(feature = "with-zmq")] - { - debug!("Sending StartListening message to ZMQ worker"); - if let Err(e) = zmq_tx.send(ZmqMessage::StartListening).await { - warn!("Failed to send StartListening mesage to ZMQ worker"); - }; - } - Ok(()) } @@ -273,7 +261,6 @@ pub(crate) async fn worker( mount: impl AsRef, mut payload_rx: Receiver, mut revocation_tx: Sender, - #[cfg(feature = "with-zmq")] mut zmq_tx: Sender, ) -> Result<()> { debug!("Starting payloads worker"); @@ -292,8 +279,6 @@ pub(crate) async fn worker( &config, mount.as_ref(), revocation_tx.clone(), - #[cfg(feature = "with-zmq")] - zmq_tx.clone(), ) .await { @@ -465,9 +450,6 @@ echo hello > test-output let (mut revocation_tx, mut revocation_rx) = mpsc::channel::(1); - #[cfg(feature = "with-zmq")] - let (mut zmq_tx, mut zmq_rx) = mpsc::channel::(1); - let (k, payload) = setup_key_and_payload(AES_128_KEY_LEN); run_encrypted_payload( @@ -476,8 +458,6 @@ echo hello > test-output &test_config, &secure_mount, revocation_tx, - #[cfg(feature = "with-zmq")] - zmq_tx, ) .await; @@ -485,13 +465,6 @@ echo hello > test-output assert!(msg == Some(RevocationMessage::PayloadDecrypted)); revocation_rx.close(); - #[cfg(feature = "with-zmq")] - { - let msg = zmq_rx.recv().await; - assert!(msg == Some(ZmqMessage::StartListening)); - zmq_rx.close(); - } - let timestamp_path = temp_workdir.path().join("timestamp"); assert!(timestamp_path.exists()); } 
@@ -516,9 +489,6 @@ echo hello > test-output let (mut revocation_tx, mut revocation_rx) = mpsc::channel::(1); - #[cfg(feature = "with-zmq")] - let (mut zmq_tx, mut zmq_rx) = mpsc::channel::(1); - let script = PathBuf::from( &secure_mount.join(format!("unzipped/{DEFAULT_PAYLOAD_SCRIPT}")), ); @@ -530,8 +500,6 @@ echo hello > test-output secure_mount, payload_rx, revocation_tx, - #[cfg(feature = "with-zmq")] - zmq_tx, ) .await; @@ -561,13 +529,6 @@ echo hello > test-output assert!(msg == Some(RevocationMessage::PayloadDecrypted)); revocation_rx.close(); - #[cfg(feature = "with-zmq")] - { - let msg = zmq_rx.recv().await; - assert!(msg == Some(ZmqMessage::StartListening)); - zmq_rx.close(); - } - let result = payload_tx.send(PayloadMessage::Shutdown).await; assert!(result.is_ok()); drop(payload_tx); diff --git a/keylime-agent/src/revocation.rs b/keylime-agent/src/revocation.rs index 025a9299..71809e14 100644 --- a/keylime-agent/src/revocation.rs +++ b/keylime-agent/src/revocation.rs @@ -33,12 +33,6 @@ pub(crate) struct Revocation { pub(crate) signature: String, } -#[derive(Debug, Deserialize, Serialize, PartialEq)] -pub(crate) enum ZmqMessage { - StartListening, - Shutdown, -} - #[derive(Debug, Deserialize, Serialize, PartialEq)] pub(crate) enum RevocationMessage { PayloadDecrypted, @@ -248,7 +242,7 @@ fn run_revocation_actions( Ok(outputs) } -/// Process revocation message received from REST API or 0mq +/// Process revocation message received from REST API fn process_revocation( revocation: Revocation, revocation_cert: &openssl::x509::X509, 
@@ -302,143 +296,6 @@ fn process_revocation( } } -#[cfg(feature = "with-zmq")] -fn listen_zmq( - mut revocation_tx: Sender, - ip: String, - port: u32, - mut shutdown_rx: oneshot::Receiver, -) -> Result>> { - // Connect to the service via 0mq - let context = zmq::Context::new(); - let mysock = context.socket(zmq::SUB)?; - - mysock.set_subscribe(b"")?; - - let endpoint = format!("tcp://{ip}:{port}"); - - info!( - "Connecting to revocation notification endpoint at {}...", - endpoint - ); - - mysock.connect(endpoint.as_str())?; - - info!("Waiting for revocation messages on 0mq {}", endpoint); - - Ok(rt::spawn(async move { - // Main revocation service loop. If a message is malformed or - // can not be verified the loop continues. - loop { - if shutdown_rx.try_recv().is_ok() { - // Received shutdowm message - break; - }; - match mysock.get_events() { - Ok(v) => { - if v.contains(zmq::POLLIN) { - match mysock.recv_string(0) { - Ok(r) => { - match r { - Ok(raw_body) => { - if let Ok(r) = serde_json::from_str( - raw_body.as_ref(), - ) { - match revocation_tx.send(RevocationMessage::Revocation(r)).await { - Ok(_) => { - debug!("Sent Revocation message to revocation worker"); - } - Err(e) => { - warn!("Failed to send Revocation message to revocation worker"); - continue; - } - } - } else { - warn!("JSON decode error on 0mq message"); - continue; - }; - } - Err(_) => { - warn!( - "Unable to read message from 0mq" - ); - continue; - } - } - } - Err(_) => { - warn!("Unable to read message from 0mq"); - continue; - } - } - } - } - Err(e) => { - warn!("Unable to poll 0mq events"); - continue; - } - }; - sleep(Duration::from_millis(100)).await; - } - info!("Stop waiting for revocation messages on 0mq {}", endpoint); - Ok(()) - })) -} - -/// Handles revocation messages via 0mq -/// See: -/// - URL: https://github.com/keylime/keylime/blob/master/keylime/revocation_notifier.py -/// Function: await_notifications -#[cfg(feature = "with-zmq")] -pub(crate) async fn zmq_worker( - mut 
zmq_rx: Receiver, - mut revocation_tx: Sender, - ip: String, - port: u32, -) -> Result<()> { - debug!("Starting ZMQ revocation listener worker"); - - let mut task: Option>> = None; - let mut shutdown_tx: Option> = None; - - // Receive message - while let Some(message) = zmq_rx.recv().await { - match message { - ZmqMessage::Shutdown => { - zmq_rx.close(); - } - ZmqMessage::StartListening => { - if task.is_some() { - warn!("Another ZeroMQ revocation listening service is running"); - continue; - } - let (tx, rx) = oneshot::channel::(); - shutdown_tx = Some(tx); - task = match listen_zmq( - revocation_tx.clone(), - ip.clone(), - port, - rx, - ) { - Ok(t) => Some(t), - Err(e) => { - warn!("Failed to start ZeroMQ revocation listener worker"); - None - } - } - } - } - } - - debug!("Shutting down ZMQ revocation listener worker"); - if let Some(tx) = shutdown_tx { - tx.send("shutdown".to_string()); - } - - if let Some(t) = &task {} - Ok(()) -} - pub(crate) async fn worker( mut revocation_rx: Receiver, revocation_cert_path: impl AsRef, From f789280aa663488a24f8fa89d0e838594341bd49 Mon Sep 17 00:00:00 2001 From: Vikram Narayanan Date: Sat, 23 Sep 2023 20:12:49 -0600 Subject: [PATCH 2/2] update fedora patch to remove zmq Signed-off-by: Vikram Narayanan --- rpm/fedora/rust-keylime-metadata.patch | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/rpm/fedora/rust-keylime-metadata.patch b/rpm/fedora/rust-keylime-metadata.patch index 26599d5c..f8b23944 100644 --- a/rpm/fedora/rust-keylime-metadata.patch +++ b/rpm/fedora/rust-keylime-metadata.patch @@ -1,5 +1,5 @@ diff --git a/keylime-agent/Cargo.toml b/keylime-agent/Cargo.toml -index 0cc1385..286e807 100644 +index 4db1cb1..c45a30d 100644 --- a/keylime-agent/Cargo.toml +++ b/keylime-agent/Cargo.toml @@ -21,8 +21,8 @@ keylime = { path = "../keylime" } @@ -16,21 +16,16 @@ index 0cc1385..286e807 100644 
@@ -31,7 +31,7 @@ serde_json = { version = "1.0", features = ["raw_value"] } static_assertions = "1" tempfile = "3.4.0" - tokio = {version = "1.24", features = ["rt", "sync"]} + tokio = {version = "1.24", features = ["rt", "sync", "macros"]} -tss-esapi = {version = "7.2.0", features = ["generate-bindings"]} +tss-esapi = {version = "7", features = ["generate-bindings"]} thiserror = "1.0" uuid = {version = "1.3", features = ["v4"]} - zmq = {version = "0.9.2", optional = true} -@@ -48,18 +48,6 @@ actix-rt = "2" + # wiremock was moved to be a regular dependency because optional +@@ -47,13 +47,6 @@ actix-rt = "2" default = [] # this should change to dev-dependencies when we have integration testing testing = ["wiremock"] --# Whether the agent should be compiled with support to listen for notification --# messages on ZeroMQ --# --# This feature is deprecated and will be removed on next major release --with-zmq = ["zmq"] -# Whether the agent should be compiled with support for python revocation -# actions loaded as modules, which is the only kind supported by the python -# agent (unless the enhancement-55 is implemented). See: