File CVE-2025-13609.patch of Package keylime.42222
diff --git a/registrar_common.py b/registrar_common.py
index 2e7a2a3..f007336 100644
--- keylime-v6.3.2.orig/keylime/registrar_common.py
+++ keylime-v6.3.2/keylime/registrar_common.py
@@ -347,11 +347,26 @@ class UnprotectedHandler(BaseHTTPRequestHandler, SessionManager):
if agent is not None:
- # keep track of how many ek-ekcerts have registered on this uuid
+ # check if the same agent was registered with a differen TPM identity
regcount = agent.regcount
- if agent.ek_tpm != ek_tpm or agent.ekcert != ekcert:
- logger.warning('WARNING: Overwriting previous registration for this UUID with new ek-ekcert pair!')
- regcount += 1
+ if agent.ek_tpm != ek_tpm or agent.ekcert != ekcert or agent.aik_tpm != aik_tpm:
+ logger.warning(
+ "SECURITY: Rejected attempt to re-register agent '%s' with different TPM identity. "
+ "This indicates a potential UUID spoofing attack. "
+ "The existing agent must be deleted before registering with a new TPM. "
+ "If this is unexpected, investigate for compromise.",
+ agent_id,
+ )
+ # We stop increasing regcount, as now we forbid
+ # the registration of mutiple TPM indetities for
+ # the same agent. The tenant warning that advise
+ # for 'regdelete' the fake identities will not be
+ # showed.
+ web_util.echo_json_response(
+ self, 403,
+ "Agent re-registration with different TPM identity is forbidden for security reasons"
+ )
+ return
# force overwrite
logger.info('Overwriting previous registration for this UUID.')
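Review bot: The rejection warning (`"SECURITY: Rejected attempt to re-register agent '%s' ..."`) tells the operator to investigate, but it records nothing about where the request came from, so the log line alone cannot be tied to a peer. The handler derives from `BaseHTTPRequestHandler`, so the peer address is available; it could be logged by appending `"Request received from %s."` to the message and passing `self.client_address[0]` after `agent_id`. `agent_id` is supplied by the request on this unprotected endpoint and is written to the log verbatim; unless it is validated earlier in the method (outside this hunk), format it with `%r` so control characters cannot forge extra log lines. The new comment block also has typos worth fixing: `differen`, `mutiple`, `indetities`, and `showed` (should be `shown`). The enclosing method starts before this hunk and continues past it.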