Affected versions: openSUSE Tumbleweed

Source: SUSE advisory SUSE-SU-2022:2658-1 (see also SUSE bugzilla)

Related CVEs: CVE-2022-1053 CVE-2021-43310 CVE-2022-31250 CVE-2022-23948 CVE-2022-23949 CVE-2022-23950 CVE-2022-23952 CVE-2022-23951

Upstream summary: Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM. A successful attack breaks the entire chain of trust because a not validated AK is used by the verifier. This issue is worse if the validation happens first and

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On openSUSE Tumbleweed hosts with keylime-agent installed, the symptoms that accompany SUSE advisory SUSE-SU-2022:2658-1 are: zypper dup --dry-run shows a pending keylime-agent update, services that depend on keylime-agent fail or restart unexpectedly, and AppArmor profile warnings appear in journalctl -k. Because the advisory is security-rated, an unpatched host is also exposed to the CVEs listed above. Impact ranges from a single service-restart loop to wider availability incidents whenever keylime-agent sits on the serving path.

Environment & Reproduction

Reproduction targets openSUSE Tumbleweed. Confirm release and installed package:

cat /etc/os-release
rpm -q keylime-agent
zypper info keylime-agent | head -20
zypper lr -E                              # enabled repositories

Trigger the workflow that exercises keylime-agent (agent registration and attestation) while collecting:

sudo journalctl -u keylime-agent -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/zypp/history
sudo journalctl -k | grep -i apparmor | tail -100
# Bundle evidence for SUSE / community support:
sudo supportconfig -R /var/tmp -B keylime-agent

Root Cause Analysis

Root cause is documented in SUSE advisory SUSE-SU-2022:2658-1. openSUSE security maintainers shipped fixes in the corresponding keylime-agent update for openSUSE Tumbleweed; running an outdated build leaves the host exposed to the vulnerabilities listed in the advisory. Correlate the zypper transaction log with system logs:

grep keylime-agent /var/log/zypp/history                    # zypper transaction log (zypper has no 'history' subcommand)
awk -v since="$(date -d '-7 days' +%F)" '$1 >= since' /var/log/zypp/history | tail -40   # last 7 days of records
sudo journalctl -k | grep -i apparmor | tail -100
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules
snapper list | tail -20         # snapshots taken around each zypper transaction

Quick Triage

Run these on openSUSE Tumbleweed to capture the current state of keylime-agent:

rpm -q keylime-agent                              # installed NVR
rpm -V keylime-agent                              # verify shipped files
sudo zypper ref                            # refresh repos
sudo zypper dup --dry-run                  # pending rolling updates
systemctl --failed --no-pager
sudo firewall-cmd --list-all
sudo aa-status                             # AppArmor profiles
# If keylime-agent ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i keylime | head

Step-by-Step Diagnosis

  1. List failed systemd units.

    systemctl --failed --no-pager
  2. Tail the journal for keylime-agent and the system bus.

    sudo journalctl -u keylime-agent -f --no-pager
    sudo journalctl -xe -f --no-pager
  3. Inspect firewall posture (firewalld is the default on openSUSE).

    sudo firewall-cmd --list-all-zones --permanent
    sudo nft list ruleset 2>/dev/null | head -50
  4. Surface AppArmor denials and switch the profile to complain mode if needed.

    sudo journalctl -k | grep -i 'apparmor="DENIED"' | tail -30
    sudo aa-status
    sudo aa-complain /etc/apparmor.d/usr.sbin.keylime-agent 2>/dev/null || true
  5. Verify keylime-agent integrity and reinstall if anything is altered.

    sudo rpm -V keylime-agent
    sudo zypper verify
    sudo zypper install --force keylime-agent
  6. Inspect Snapper snapshots to know exactly which transaction introduced the regression.

    sudo snapper list | tail -20
    sudo snapper status <pre-id>..<post-id>
  7. Correlate findings with /var/log/zypp/history and SUSE advisory SUSE-SU-2022:2658-1 to pin the transaction that introduced or fixed the keylime-agent build in question.
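Step 4 above tells you to grep for apparmor="DENIED" and read the raw lines. The following script is an added example (not part of the advisory, the keylime project or openSUSE tooling) that turns those journal lines into a ranked summary of profile/operation/path triples, so you can see at a glance which paths a profile is blocking before deciding whether to fix the profile or switch it to complain mode. The journal lines are constructed for the example; the profile name "keylime-agent" and the paths under /etc/keylime and /dev/tpmrm0 are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials from 'journalctl -k' output.
# SAMPLE_JOURNAL is CONSTRUCTED; the key="value" layout follows the kernel's
# audit type=1400 apparmor records, but the profile name and paths are assumed.
SAMPLE_JOURNAL='Aug 03 22:41:01 host kernel: audit: type=1400 audit(1659566461.101:901): apparmor="DENIED" operation="open" profile="keylime-agent" name="/etc/keylime/agent.conf" pid=2210 comm="keylime_agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 03 22:41:01 host kernel: audit: type=1400 audit(1659566461.102:902): apparmor="DENIED" operation="open" profile="keylime-agent" name="/etc/keylime/agent.conf" pid=2210 comm="keylime_agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 03 22:41:02 host kernel: audit: type=1400 audit(1659566462.500:903): apparmor="ALLOWED" operation="open" profile="keylime-agent" name="/var/lib/keylime/cv_ca/cacert.crt" pid=2210 comm="keylime_agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 03 22:41:05 host kernel: audit: type=1400 audit(1659566465.001:904): apparmor="DENIED" operation="open" profile="keylime-agent" name="/dev/tpmrm0" pid=2210 comm="keylime_agent" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0'

# Read journal lines on stdin; print "count|profile|operation|name" for every
# distinct DENIED triple, most frequent first. ALLOWED (complain-mode) records
# are ignored. Limitation: a path containing spaces or '=' would split wrongly.
denial_summary() {
    awk '
        /apparmor="DENIED"/ {
            prof = op = nm = ""
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") == 2) {      # only key=value tokens
                    val = kv[2]; gsub(/"/, "", val) # strip the quotes
                    if (kv[1] == "profile") prof = val
                    else if (kv[1] == "operation") op = val
                    else if (kv[1] == "name") nm = val
                }
            }
            count[prof "|" op "|" nm]++
        }
        END { for (k in count) print count[k] "|" k }
    ' | sort -t'|' -k1,1nr
}

# Unique denied paths: the list to review against the profile in
# /etc/apparmor.d before re-enforcing it.
denied_names() {
    denial_summary | cut -d'|' -f4 | sort -u
}

# Run on the constructed sample. On a real host replace the printf with:
#   sudo journalctl -k --no-pager | denial_summary
printf '%s\n' "$SAMPLE_JOURNAL" | denial_summary
printf '%s\n' "$SAMPLE_JOURNAL" | denied_names
```

Feed the output of denied_names to whoever owns the profile: each entry is either a legitimate access the profile must allow (add a rule, reload with apparmor_parser -r) or evidence that the process is reaching outside its expected footprint, which is worth keeping in enforce mode.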

Solution – Primary Fix

Apply the corrective zypper transaction referenced by SUSE advisory SUSE-SU-2022:2658-1, then reload affected systemd units:

sudo zypper ref                                      # refresh repos
# Tumbleweed is a rolling release — use 'dup', not 'patch':
sudo zypper dup --no-allow-vendor-change             # rolling distribution upgrade
# To target only the affected package ('dup' takes no package argument; use 'up' for one package):
sudo zypper up keylime-agent
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i keylime | head
sudo systemctl restart keylime-agent
rpm -q keylime-agent                                          # confirm new NVR
systemctl is-active keylime-agent 2>/dev/null                 # confirm running (if a unit exists)

For kernel / glibc / systemd / openssl rolls a reboot is required. Tumbleweed does not ship Live Patching, so plan a maintenance window or use Snapper to roll back if a regression appears:

sudo zypper ps -s                      # services using deleted libs
sudo snapper list | tail -5            # confirm pre/post snapshots exist
sudo systemctl reboot                  # or: sudo shutdown -r now


Solution – Alternative Approaches

If the primary fix is not viable, choose from these:

  • Roll back via Snapper (Btrfs snapshots are taken automatically before zypper transactions on openSUSE Tumbleweed). This is the primary safety net for openSUSE administrators:

    sudo snapper list
    sudo snapper status <pre-id>..<post-id>   # diff between two snapshot numbers
    sudo snapper undochange <pre-id>..<post-id>
    sudo snapper rollback <pre-id>            # boot the host into the chosen snapshot
    sudo systemctl reboot
  • Lock the package so zypper cannot upgrade it:

    sudo zypper al keylime-agent                   # add lock
    zypper ll | grep keylime-agent                 # list locks
    sudo zypper rl keylime-agent                   # remove lock
  • Install an older NVR if a regression is suspected:

    zypper se -s keylime-agent                     # show all available versions
    sudo zypper install --oldpackage keylime-agent-<older-NVR>
  • Disable the AppArmor profile briefly to confirm policy is the cause, then re-enable:

    sudo aa-disable /etc/apparmor.d/usr.sbin.keylime-agent
    # reproduce, capture denials in the journal:
    sudo journalctl -k | grep apparmor | tail
    sudo aa-enforce /etc/apparmor.d/usr.sbin.keylime-agent
  • Pin Tumbleweed to a known-good snapshot from the openSUSE history server while you investigate. This keeps the rolling release reproducible across a fleet:

    # Edit /etc/zypp/repos.d/repo-oss.repo and point baseurl at
    #   http://download.opensuse.org/history/<YYYYMMDD>/tumbleweed/repo/oss/
    sudo zypper ref
    sudo zypper dup --no-allow-vendor-change

Verification & Acceptance Criteria

All of these should pass after the fix:

rpm -q keylime-agent                                            # expected fixed NVR
sudo zypper dup --dry-run                                # no pending rolls expected
systemctl is-active keylime-agent 2>/dev/null
sudo journalctl -u keylime-agent --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
sudo aa-status | head -5
sudo zypper ps -s                                        # any services still using deleted libs

The original reproduction of the keylime-agent failure must not trigger across two consecutive runs.
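The Root Cause Analysis section says to correlate the zypper transaction log with system logs, and the acceptance criteria above expect the fixed NVR to be installed. The script below is an added example (not from the advisory, openSUSE or the keylime project) that parses /var/log/zypp/history records for one package, reports which transaction last installed it, and compares that version with the version the advisory requires. The history lines are constructed; the version numbers and the "6.4.2-1.1" fixed-version value are placeholders, since the page does not state the fixed NVR.

```shell
#!/bin/sh
# Added example: parse zypp history records and check the installed version.
# Record layout follows /var/log/zypp/history:
#   date time|action|name|version|arch|requester|repo|checksum|userdata
# Lines starting with '#' carry the zypper command that began a transaction.
# SAMPLE_HISTORY is CONSTRUCTED; versions and checksums are placeholders.
SAMPLE_HISTORY='# 2022-07-20 09:12:01 zypper(1234) dup --no-allow-vendor-change
2022-07-20 09:12:05|install|keylime-agent|6.3.0-1.1|x86_64|root@host|repo-oss|deadbeef|
2022-07-20 09:12:06|install|libfoo1|1.0-1.1|x86_64|root@host|repo-oss|cafebabe|
# 2022-08-03 22:40:10 zypper(5678) dup --no-allow-vendor-change
2022-08-03 22:40:15|install|keylime-agent|6.4.2-1.1|x86_64|root@host|repo-oss|feedface|
2022-08-03 22:40:16|remove|libfoo1|1.0-1.1|x86_64|root@host||'

# Every record for package $1 (stdin = history lines): "date time|action|version".
pkg_history() {
    awk -F'|' -v pkg="$1" '
        /^#/ { next }                         # skip zypper command lines
        $3 == pkg { print $1 "|" $2 "|" $4 }
    '
}

# Version left by the most recent "install" record for package $1, or empty.
last_installed_version() {
    awk -F'|' -v pkg="$1" '
        /^#/ { next }
        $3 == pkg && $2 == "install" { v = $4 }
        END { print v }
    '
}

# True if NVR $1 is >= NVR $2. Uses GNU 'sort -V', which matches rpm ordering
# for plain dotted numeric version-release strings (not for ~ or ^ separators).
nvr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Combined check: package $1 installed via zypper at version >= $2 (stdin = history).
# Exit 0 = fixed or newer, 1 = older than required, 2 = no install record.
check_fixed() {
    installed=$(last_installed_version "$1")
    [ -n "$installed" ] || return 2
    nvr_at_least "$installed" "$2"
}

# Run against the constructed sample; on a real host use
#   sudo cat /var/log/zypp/history | check_fixed keylime-agent <fixed-NVR>
printf '%s\n' "$SAMPLE_HISTORY" | pkg_history keylime-agent
if printf '%s\n' "$SAMPLE_HISTORY" | check_fixed keylime-agent "6.4.2-1.1"; then
    echo "keylime-agent is at the fixed version or newer"
else
    echo "keylime-agent is older than the fixed version or not recorded"
fi
```

The pkg_history output pairs each keylime-agent version with its timestamp, which is what you line up against journalctl and snapper list to find the transaction that introduced a regression; check_fixed is the one-line acceptance test for a fleet run once the fixed NVR from the advisory is filled in.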

Rollback Plan

Capture state before any change. On openSUSE, Snapper is the canonical rollback path:

rpm -qa > /root/rpm-pre.txt
sudo cp /var/log/zypp/history /root/zypper-history-pre.txt   # zypper transaction log
# Snapper takes pre/post snapshots automatically on Btrfs root.
sudo snapper create -d 'pre-patch-keylime-agent'   # explicit named snapshot
sudo snapper list | head

To revert if the patch / roll is bad:

# Preferred on Btrfs root — boot the prior snapshot:
sudo snapper list
sudo snapper rollback <pre-id>
sudo systemctl reboot
# Or downgrade just the package:
sudo zypper install --oldpackage keylime-agent-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart keylime-agent
# Custom AppArmor profile cleanup:
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.keylime-agent

Prevention & Hardening

Reduce the chance of this recurring on openSUSE Tumbleweed:

  • Run rolling upgrades on a schedule — Tumbleweed receives a snapshot most weekdays. Stagger across the fleet so any regression is caught early:

    sudo zypper ref
    sudo zypper dup --no-allow-vendor-change
    # Optional: drive from salt/ansible with a maintenance window per host group.
  • Subscribe to opensuse-security-announce and watch suse.com/support/update.

  • Lock sensitive packages so they cannot be auto-upgraded:

    sudo zypper al keylime-agent
  • Ensure Snapper is enabled on the root subvolume and pre/post hooks run for every zypper transaction. This is the cornerstone of safe openSUSE patching:

    sudo snapper -c root get-config | head
    # Default zypper plugin: /usr/lib/zypp/plugins/commit/snapper.zypp-commit-plugin
    sudo snapper list | tail -10
  • Monitor file integrity with AIDE:

    sudo zypper install -y aide
    sudo aide --init && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
    sudo aide --check
  • Keep AppArmor profiles in enforce; review /etc/apparmor.d/ after every package upgrade.

  • Apply CIS / openSUSE hardening guidance and use salt or ansible to enforce baseline state across the fleet.

Related Errors & Cross-Refs

Issues that commonly surface alongside the keylime-agent update: zypper lock contention, systemd unit ordering cycles, AppArmor denials, firewalld zone drift, and kernel taint flags. Useful triage:

sudo zypper ps -s
systemd-analyze critical-chain
sudo journalctl -k | grep apparmor | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted
sudo snapper list | tail


References & Further Reading

Primary reference: SUSE advisory SUSE-SU-2022:2658-1 (see also SUSE bugzilla). Manual pages useful on openSUSE Tumbleweed:

man zypper
man zypper.conf
man systemctl
man journalctl
man firewall-cmd
man snapper
man apparmor
man aa-status

Other resources: openSUSE documentation, suse.com/security, openSUSE security portal, and per-package notes in /usr/share/doc/packages/keylime-agent/ for the components implicated in this advisory.
