From 5dd6fb4eeaee56dff314296223916e182a28b449 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 1 Apr 2025 10:05:41 +0000 Subject: [PATCH] import CS swtpm-0.9.0-5.el10 --- .gitignore | 2 +- .swtpm.metadata | 1 - ...er-size-indicator-against-expected-s.patch | 54 --- ...enSSL-FIPS-mode-to-avoid-libtpms-fai.patch | 279 ------------ ...st-for-available-issuercert-before-c.patch | 65 --- SPECS/swtpm.spec | 262 ------------ openssl-swtpm.cnf | 4 + selinux.patch | 72 ++++ sources | 1 + swtpm-custom-openssl.patch | 12 + swtpm.spec | 404 ++++++++++++++++++ 11 files changed, 494 insertions(+), 662 deletions(-) delete mode 100644 .swtpm.metadata delete mode 100644 SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch delete mode 100644 SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch delete mode 100644 SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch delete mode 100644 SPECS/swtpm.spec create mode 100644 openssl-swtpm.cnf create mode 100644 selinux.patch create mode 100644 sources create mode 100644 swtpm-custom-openssl.patch create mode 100644 swtpm.spec diff --git a/.gitignore b/.gitignore index 3f1ad53..4f63af5 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/swtpm-b79fd91.tar.gz +swtpm-0.9.0.tar.gz diff --git a/.swtpm.metadata b/.swtpm.metadata deleted file mode 100644 index e279db9..0000000 --- a/.swtpm.metadata +++ /dev/null @@ -1 +0,0 @@ -b79a2d005663868139f0678cddeecf70278ec219 SOURCES/swtpm-b79fd91.tar.gz diff --git a/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch b/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch deleted file mode 100644 index 9a962c3..0000000 --- a/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Wed, 16 Feb 2022 11:17:47 -0500 -Subject: [PATCH] swtpm: Check header size indicator against expected size (CID - 375869) - -This fix addresses Coverity issue CID 375869. - -Check the header size indicated in the header of the state against the -expected size and return an error code in case the header size indicator -is different. There was only one header size so far since blobheader was -introduced, so we don't need to deal with different sizes. - -Without this fix a specially craft header could have cause out-of-bounds -accesses on the byte array containing the swtpm's state. - -Signed-off-by: Stefan Berger ---- - src/swtpm/swtpm_nvstore.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c -index 437088370e11..144d8975ec54 100644 ---- a/src/swtpm/swtpm_nvstore.c -+++ b/src/swtpm/swtpm_nvstore.c -@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length, - uint8_t *hdrversion, bool quiet) - { - blobheader *bh = (blobheader *)data; -+ uint16_t hdrsize; - - if (length < sizeof(bh)) { - if (!quiet) -@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length, - return TPM_BAD_VERSION; - } - -+ hdrsize = ntohs(bh->hdrsize); -+ if (hdrsize != sizeof(blobheader)) { -+ logprintf(STDERR_FILENO, -+ "bad header size: %u != %zu\n", -+ hdrsize, sizeof(blobheader)); -+ return TPM_BAD_DATASIZE; -+ } -+ - *hdrversion = bh->version; -- *dataoffset = ntohs(bh->hdrsize); -+ *dataoffset = hdrsize; - *hdrflags = ntohs(bh->flags); - - return TPM_SUCCESS; --- -2.34.1.428.gdcc0cd074f0c - diff --git a/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch b/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch deleted file mode 100644 index 815608d..0000000 
--- a/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
+++ /dev/null
@@ -1,279 +0,0 @@ -From a39c3792ba5677f25fea903b9f1a43740a5f2c0c Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Wed, 8 Jun 2022 09:19:07 -0400 -Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures - -While libtpms does not provide any means to disable FIPS-disabled crypto -algorithms from being used, work around the issue by simply disabling the -FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit -swtpm with a failure message that it cannot be disabled. If FIPS mode -was successfully disabled, print out a message as well. - -Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219 -Signed-off-by: Stefan Berger ---- - configure.ac | 9 ++++ - src/swtpm/Makefile.am | 2 + - src/swtpm/cuse_tpm.c | 5 ++ - src/swtpm/fips.c | 100 ++++++++++++++++++++++++++++++++++++++ - src/swtpm/fips.h | 43 ++++++++++++++++ - src/swtpm/swtpm.c | 3 ++ - src/swtpm/swtpm_chardev.c | 3 ++ - src/swtpm/utils.h | 2 + - 8 files changed, 167 insertions(+) - create mode 100644 src/swtpm/fips.c - create mode 100644 src/swtpm/fips.h - -diff --git a/configure.ac b/configure.ac -index ad3054e..30288c7 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -156,6 +156,15 @@ openssl) - AC_MSG_RESULT([Building with openssl crypto library]) - LIBCRYPTO_LIBS=$(pkg-config --libs libcrypto) - AC_SUBST([LIBCRYPTO_LIBS]) -+ AC_CHECK_HEADERS([openssl/fips.h], -+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_H], 1, -+ [whether openssl/fips.h is available])] -+ ) -+ AC_CHECK_LIB(crypto, -+ [FIPS_mode_set], -+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_MODE_SET_API], 1, -+ [whether FIPS_mode_set API is available])] -+ ) - ;; - esac - -diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am -index 5454a6f..2a65950 100644 ---- a/src/swtpm/Makefile.am -+++ b/src/swtpm/Makefile.am -@@ -11,6 +11,7 @@ noinst_HEADERS = \ - capabilities.h \ - common.h \ - ctrlchannel.h \ -+ fips.h \ - key.h \ - locality.h \ - logging.h \ -@@ -40,6 +41,7 @@ libswtpm_libtpms_la_SOURCES = \ - 
capabilities.c \ - common.c \ - ctrlchannel.c \ -+ fips.c \ - key.c \ - logging.c \ - mainloop.c \ -diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c -index 9dbc00d..3026e26 100644 ---- a/src/swtpm/cuse_tpm.c -+++ b/src/swtpm/cuse_tpm.c -@@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac - goto exit; - } - -+ if (disable_fips_mode() < 0) { -+ ret = -1; -+ goto exit; -+ } -+ - if (tpmlib_register_callbacks(&cbs) != TPM_SUCCESS) { - ret = -1; - goto exit; -diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c -new file mode 100644 -index 0000000..eeb2a0c ---- /dev/null -+++ b/src/swtpm/fips.c -@@ -0,0 +1,100 @@ -+/* -+ * fips.c -- FIPS mode related functions -+ * -+ * (c) Copyright IBM Corporation 2022. -+ * -+ * Author: Stefan Berger -+ * -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are -+ * met: -+ * -+ * Redistributions of source code must retain the above copyright notice, -+ * this list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * Neither the names of the IBM Corporation nor the names of its -+ * contributors may be used to endorse or promote products derived from -+ * this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+ * A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT -+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+ -+#include "fips.h" -+#include "logging.h" -+ -+#if defined(HAVE_OPENSSL_FIPS_H) -+# include -+#elif defined(HAVE_OPENSSL_FIPS_MODE_SET_API) -+/* Cygwin has no fips.h but API exists */ -+extern int FIPS_mode(void); -+extern int FIPS_mode_set(int); -+#endif -+ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+# include -+#endif -+ -+#include -+ -+/* -+ * disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures -+ * -+ * While libtpms does not provide a solution to disable deactivated algorithms -+ * avoid libtpms failures due to FIPS mode enablement by disabling FIPS mode. -+ * -+ * Returns < 0 on error, 0 otherwise. 
-+ */ -+#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API) -+int disable_fips_mode(void) -+{ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ int mode = EVP_default_properties_is_fips_enabled(NULL); -+#else -+ int mode = FIPS_mode(); -+#endif -+ int ret = 0; -+ -+ if (mode != 0) { -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ int rc = EVP_default_properties_enable_fips(NULL, 0); -+#else -+ int rc = FIPS_mode_set(0); -+#endif -+ if (rc == 1) { -+ logprintf(STDOUT_FILENO, -+ "Warning: Disabled OpenSSL FIPS mode\n"); -+ } else { -+ unsigned long err = ERR_get_error(); -+ logprintf(STDERR_FILENO, -+ "Failed to disable OpenSSL FIPS mode: %s\n", -+ ERR_error_string(err, NULL)); -+ ret = -1; -+ } -+ } -+ return ret; -+} -+#else -+/* OpenBSD & DragonFlyBSD case */ -+int disable_fips_mode(void) -+{ -+ return 0; -+} -+#endif -diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h -new file mode 100644 -index 0000000..14d4e9f ---- /dev/null -+++ b/src/swtpm/fips.h -@@ -0,0 +1,43 @@ -+/* -+ * fips.h -- FIPS mode related functions -+ * -+ * (c) Copyright IBM Corporation 2015. -+ * -+ * Author: Stefan Berger -+ * -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are -+ * met: -+ * -+ * Redistributions of source code must retain the above copyright notice, -+ * this list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * Neither the names of the IBM Corporation nor the names of its -+ * contributors may be used to endorse or promote products derived from -+ * this software without specific prior written permission. 
-+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#ifndef _SWTPM_UTILS_H_ -+#define _SWTPM_UTILS_H_ -+ -+int disable_fips_mode(void); -+ -+#endif /* _SWTPM_UTILS_H_ */ -diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c -index 722a743..e618c56 100644 ---- a/src/swtpm/swtpm.c -+++ b/src/swtpm/swtpm.c -@@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface) - daemonize_finish(); - } - -+ if (disable_fips_mode() < 0) -+ goto error_seccomp_profile; -+ - rc = mainLoop(&mlp, notify_fd[0]); - - error_seccomp_profile: -diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c -index 9710927..ab6d8fd 100644 ---- a/src/swtpm/swtpm_chardev.c -+++ b/src/swtpm/swtpm_chardev.c -@@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i - daemonize_finish(); - } - -+ if (disable_fips_mode() < 0) -+ goto error_seccomp_profile; -+ - rc = mainLoop(&mlp, notify_fd[0]); - - error_seccomp_profile: -diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h -index 7502442..b8acd89 100644 ---- a/src/swtpm/utils.h -+++ b/src/swtpm/utils.h -@@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt); - - ssize_t 
read_eintr(int fd, void *buffer, size_t buflen); - -+int disable_fips_mode(void); -+ - #endif /* _SWTPM_UTILS_H_ */ --- -2.36.1 - diff --git a/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch b/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch deleted file mode 100644 index 201620b..0000000 --- a/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Tue, 1 Feb 2022 12:40:06 -0500 -Subject: [PATCH] swtpm_localca: Test for available issuercert before creating - CA - -Avoid trying to create TPM certificates while the issuer certificate has -not been created, yet (in a 2nd step). - -To resolve this do not just test for availability of the signing key, which -is created first, but also test for the issuer certifcate, which is created -in a 2nd step when the local CA is created. If either one is missing, -attempt to create the CA. - -Resolves: https://github.com/stefanberger/swtpm/issues/644 -Signed-off-by: Stefan Berger ---- - src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c -index 037bfd5266bb..089e4e0db4ce 100644 ---- a/src/swtpm_localca/swtpm_localca.c -+++ b/src/swtpm_localca/swtpm_localca.c -@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir, - goto error; - } - -- if (access(signkey, R_OK) != 0) { -+ if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) { - g_autofree gchar *directory = g_path_get_dirname(signkey); - g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL); - g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL); -@@ -808,13 +808,28 @@ int main(int argc, char *argv[]) - if (ret != 0) - goto error; - } else { -+ int create_certs = 0; -+ -+ /* create certificate if either the signing key or issuer cert are missing */ - if (access(signkey, R_OK) != 0) { - if (stat(signkey, &statbuf) == 0) { - logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n", - signkey, curr_user ? 
curr_user->pw_name : ""); - goto error; - } -+ create_certs = 1; -+ } -+ -+ if (access(issuercert, R_OK) != 0) { -+ if (stat(issuercert, &statbuf) == 0) { -+ logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n", -+ issuercert, curr_user ? curr_user->pw_name : ""); -+ goto error; -+ } -+ create_certs = 1; -+ } - -+ if (create_certs) { - logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n"); - if (create_localca_cert(lockfile, statedir, signkey, signkey_password, - issuercert) != 0) { --- -2.37.0.rc0 - diff --git a/SPECS/swtpm.spec b/SPECS/swtpm.spec deleted file mode 100644 index 181a689..0000000 --- a/SPECS/swtpm.spec +++ /dev/null 
@@ -1,262 +0,0 @@ -%bcond_without gnutls - -%global gitdate 20211109 -%global gitcommit b79fd91c4b4a74c9c5027b517c5036952c5525db -%global gitshortcommit %(c=%{gitcommit}; echo ${c:0:7}) - -# Macros needed by SELinux -%global selinuxtype targeted -%global moduletype contrib -%global modulename swtpm - -Summary: TPM Emulator -Name: swtpm -Version: 0.7.0 -Release: 4.%{gitdate}git%{gitshortcommit}%{?dist} -License: BSD -Url: http://github.com/stefanberger/swtpm -Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz -ExcludeArch: i686 -Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch -Patch0002: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch -Patch0003: 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch - -BuildRequires: make -BuildRequires: git-core -BuildRequires: automake -BuildRequires: autoconf -BuildRequires: libtool -BuildRequires: libtpms-devel >= 0.6.0 -BuildRequires: expect -BuildRequires: net-tools -BuildRequires: openssl-devel -BuildRequires: socat -BuildRequires: softhsm -BuildRequires: json-glib-devel -%if %{with gnutls} -BuildRequires: gnutls >= 3.4.0 -BuildRequires: gnutls-devel -BuildRequires: gnutls-utils -BuildRequires: libtasn1-devel -BuildRequires: libtasn1 -%endif -BuildRequires: selinux-policy-devel -BuildRequires: gcc -BuildRequires: libseccomp-devel -BuildRequires: tpm2-tools tpm2-abrmd -BuildRequires: python3-devel - -Requires: %{name}-libs = %{version}-%{release} -Requires: libtpms >= 0.6.0 -%{?selinux_requires} - -%description -TPM emulator built on libtpms providing TPM functionality for QEMU VMs - -%package libs -Summary: Private libraries for swtpm TPM emulators -License: BSD - -%description libs -A private library with callback functions for libtpms based swtpm TPM emulator - -%package devel -Summary: Include files for the TPM emulator's CUSE interface for usage by clients -License: BSD -Requires: %{name}-libs%{?_isa} = %{version}-%{release} - -%description devel 
-Include files for the TPM emulator's CUSE interface. - -%package tools -Summary: Tools for the TPM emulator -License: BSD -Requires: swtpm = %{version}-%{release} -Requires: bash gnutls-utils - -%description tools -Tools for the TPM emulator from the swtpm package - -%package tools-pkcs11 -Summary: Tools for creating a local CA based on a TPM pkcs11 device -License: BSD -Requires: swtpm-tools = %{version}-%{release} -Requires: tpm2-tools tpm2-abrmd -Requires: expect gnutls-utils - -%description tools-pkcs11 -Tools for creating a local CA based on a pkcs11 device - -%prep -%autosetup -S git -n %{name}-%{gitcommit} -p1 - -%build - -NOCONFIGURE=1 ./autogen.sh -%configure \ -%if %{with gnutls} - --with-gnutls \ -%endif - --without-cuse \ - --without-tpm1 - -%make_build V=1 - -%check -make %{?_smp_mflags} check VERBOSE=1 - -%install - -%make_install -rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so} - -%post -for pp in /usr/share/selinux/packages/swtpm.pp \ - /usr/share/selinux/packages/swtpm_svirt.pp; do - %selinux_modules_install -s %{selinuxtype} ${pp} -done -restorecon %{_bindir}/swtpm - -%postun -if [ $1 -eq 0 ]; then - for p in swtpm swtpm_svirt; do - %selinux_modules_uninstall -s %{selinuxtype} $p - done -fi - -%posttrans -%selinux_relabel_post -s %{selinuxtype} - -%ldconfig_post libs -%ldconfig_postun libs - -%files -%license LICENSE -%doc README -%{_bindir}/swtpm -%{_mandir}/man8/swtpm.8* -%{_datadir}/selinux/packages/swtpm.pp -%{_datadir}/selinux/packages/swtpm_svirt.pp - -%files libs -%license LICENSE -%doc README - -%dir %{_libdir}/%{name} -%{_libdir}/%{name}/libswtpm_libtpms.so.0 -%{_libdir}/%{name}/libswtpm_libtpms.so.0.0.0 - -%files devel -%dir %{_includedir}/%{name} -%{_includedir}/%{name}/*.h -%{_mandir}/man3/swtpm_ioctls.3* - -%files tools -%doc README -%{_bindir}/swtpm_bios -%if %{with gnutls} -%{_bindir}/swtpm_cert -%endif -%{_bindir}/swtpm_setup -%{_bindir}/swtpm_ioctl -%{_bindir}/swtpm_localca -%{_mandir}/man8/swtpm_bios.8* 
-%{_mandir}/man8/swtpm_cert.8* -%{_mandir}/man8/swtpm_ioctl.8* -%{_mandir}/man8/swtpm-localca.conf.8* -%{_mandir}/man8/swtpm-localca.options.8* -%{_mandir}/man8/swtpm-localca.8* -%{_mandir}/man8/swtpm_localca.8* -%{_mandir}/man8/swtpm_setup.8* -%{_mandir}/man8/swtpm_setup.conf.8* -%config(noreplace) %{_sysconfdir}/swtpm_setup.conf -%config(noreplace) %{_sysconfdir}/swtpm-localca.options -%config(noreplace) %{_sysconfdir}/swtpm-localca.conf -%dir %{_datadir}/swtpm -%{_datadir}/swtpm/swtpm-localca -%{_datadir}/swtpm/swtpm-create-user-config-files -%attr( 750, tss, root) %{_localstatedir}/lib/swtpm-localca - -%files tools-pkcs11 -%{_mandir}/man8/swtpm-create-tpmca.8* -%{_datadir}/swtpm/swtpm-create-tpmca - -%changelog -* Mon Jul 18 2022 Marc-André Lureau - 0.7.0-4.20211109gitb79fd91 -- swtpm_localca: Test for available issuercert before creating CA - Resolves: rhbz#2100508 - -* Mon Jun 20 2022 Marc-André Lureau - 0.7.0-3.20211109gitb79fd91 -- Disable OpenSSL FIPS mode to avoid libtpms failures - Resolves: rhbz#2097947 - -* Mon Feb 21 2022 Marc-André Lureau - 0.7.0-2.20211109gitb79fd91 -- Add fix for CVE-2022-23645. - Resolves: rhbz#2056517 - -* Tue Jan 04 2022 Marc-André Lureau - 0.7.0-1.20211109gitb79fd91 -- Rebase to 0.7.0, disable TPM 1.2. - Resovles: rhbz#2029612 - -* Thu Sep 16 2021 Marc-André Lureau - 0.6.0-2.20210607gitea627b3 -- rebuilt with missing CFLAGS fix. - -* Mon Jun 28 2021 Marc-André Lureau - 0.6.0-1.20210607gitea627b3 -- Update to 0.6.0. - Resolves: rhbz#1972783 - -* Tue Dec 1 20:40:07 +04 2020 Marc-André Lureau - 0.4.2-1.20201201git2df14e3 -- Update to 0.4.2, to address potential symlink vulnerabilities (CVE-2020-28407). - Resolves: rhbz#1906043 - -* Thu Sep 24 2020 Marc-André Lureau - 0.4.0-3.20200828git0c238a2 -- swtpm_setup: Add missing .config path when using ${HOME}. Resolves: rhbz#1881418 - -* Thu Sep 17 2020 Marc-André Lureau - 0.4.0-2.20200828git0c238a2 -- Backport fixes from 0.4.0 stable branch. 
Resolves: rhbz#1868375 - (fixes usage of swtpm-localca with passwords when signing keys) - -* Sat Sep 12 2020 Marc-André Lureau - 0.4.0-1.20200828git0c238a2 -- Update to v0.4.0. Resolves: rhbz#1868375 - -* Thu May 28 2020 Marc-André Lureau - 0.3.0-1.20200218git74ae43b -- Update to v0.3.0. Fixes rhbz#1809778 -- exclude i686 build - -* Mon Jan 27 2020 Marc-André Lureau - 0.2.0-2.20200127gitff5a83b -- Update to latest 0.2-stable branch, fix random test failure. rhbz#1782451 - -* Fri Oct 18 2019 Marc-André Lureau - 0.2.0-1.20191018git9227cf4 -- rebuilt - -* Tue Aug 13 2019 Marc-André Lureau - 0.1.0-1.20190425gitca85606.1 -- Fix SELinux labels on /usr/bin/swtpm installation rhbz#1739994 - -* Thu Apr 25 2019 Stefan Berger - 0.1.0-0.20190425gitca85606 -- pick up bug fixes - -* Mon Feb 04 2019 Stefan Berger - 0.1.0-0.20190204git2c25d13.1 -- v0.1.0 release of swtpm - -* Sun Feb 03 2019 Fedora Release Engineering - 0.1.0-0.20181212git8b9484a.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Wed Dec 12 2018 Stefan Berger - 0.1.0-0.20181212git8b9484a -- Follow improvements in swtpm repo primarily related to fixes for 'ubsan' - -* Tue Nov 06 2018 Stefan Berger - 0.1.0-0.20181106git05d8160 -- Follow improvements in swtpm repo -- Remove ownership change of swtpm_setup.sh; have root own the file as required - -* Wed Oct 31 2018 Stefan Berger - 0.1.0-0.20181031gitc782a85 -- Follow improvements and fixes in swtpm - -* Tue Oct 02 2018 Stefan Berger - 0.1.0-0.20181002git0143c41 -- Fixes to SELinux policy -- Improvements on various other parts -* Tue Sep 25 2018 Stefan Berger - 0.1.0-0.20180924gitce13edf -- Initial Fedora build -* Mon Sep 17 2018 Stefan Berger - 0.1.0-0.20180918git67d7ea3 -- Created initial version of rpm spec files -- Version is now 0.1.0 -- Bugzilla for this spec: https://bugzilla.redhat.com/show_bug.cgi?id=1611829 diff --git a/openssl-swtpm.cnf b/openssl-swtpm.cnf new file mode 100644 index 0000000..6195ecb --- /dev/null 
+++ b/openssl-swtpm.cnf
@@ -0,0 +1,4 @@
+.include /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
diff --git a/selinux.patch b/selinux.patch
new file mode 100644
index 0000000..7e69bc2
--- /dev/null
+++ b/selinux.patch
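Review bot: `rh-allow-sha1-signatures = yes` re-allows SHA-1 signatures for any process that loads this file, and the file carries no comment saying why that is acceptable or how its scope is limited. The rationale lives only in the spec (`# Prevent crypto policies disabling SHA-1` … `swtpm algorithm list is unconditional`) and the scoping only in swtpm-custom-openssl.patch, which points OPENSSL_CONF at /etc/ssl/openssl-swtpm.cnf; an administrator reading the file under /etc/ssl sees neither. Add a header comment above the `.include` such as `# swtpm-only OpenSSL config, selected via OPENSSL_CONF by the swtpm binary: inherits the system config and re-allows SHA-1 signatures because swtpm advertises SHA-1 unconditionally. Do not point other services at this file.`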
@@ -0,0 +1,72 @@ +From 816c9ef66eaec230f9dd89e1deebfadc7359aa60 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Sat, 13 Jul 2024 13:37:29 +0400 +Subject: [PATCH] selinux + +--- + src/selinux/swtpm.te | 12 +++++++++++- + src/selinux/swtpm_svirt.te | 4 ++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/selinux/swtpm.te b/src/selinux/swtpm.te +index 2327721..c35056e 100644 +--- a/src/selinux/swtpm.te ++++ b/src/selinux/swtpm.te +@@ -11,6 +11,8 @@ require { + type virt_var_lib_t; + type virtqemud_t; + type virtqemud_tmp_t; ++ class file map; ++ tunable virt_use_nfs; + } + + attribute_role swtpm_roles; +@@ -30,10 +32,11 @@ allow swtpm_t qemu_var_run_t:dir { add_name remove_name write }; + allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink }; + allow swtpm_t var_log_t:file open; + allow swtpm_t virt_var_lib_t:dir { add_name remove_name write }; +-allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write }; ++allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write map }; + allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr }; + allow swtpm_t virtqemud_tmp_t:file { open write }; + ++virt_read_log(swtpm_t) + + domain_use_interactive_fds(swtpm_t) + +@@ -42,3 +45,10 @@ files_read_etc_files(swtpm_t) + auth_use_nsswitch(swtpm_t) + + miscfiles_read_localization(swtpm_t) ++ ++tunable_policy(`virt_use_nfs',` ++ fs_manage_nfs_dirs(swtpm_t) ++ fs_manage_nfs_files(swtpm_t) ++ fs_read_nfs_symlinks(swtpm_t) ++ fs_mmap_nfs_files(swtpm_t) ++') +diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te +index f7b886c..424efa7 100644 +--- a/src/selinux/swtpm_svirt.te ++++ b/src/selinux/swtpm_svirt.te +@@ -13,6 +13,7 @@ require { + type user_tmp_t; + type virtd_t; + type virtqemud_t; ++ type virt_var_run_t; + } + + swtpm_domtrans(svirt_t) +@@ -27,6 +28,9 @@ allow svirt_t user_tmp_t:sock_file { create setattr unlink }; + allow svirt_t virtd_t:dir search; + allow svirt_t 
virtd_t:fifo_file write; + allow svirt_t virtqemud_t:fifo_file write; ++allow svirt_t virt_var_run_t:dir { write add_name remove_name }; ++allow svirt_t virt_var_run_t:file { create write setattr unlink }; ++allow svirt_t virt_var_run_t:sock_file { create write setattr unlink }; + + # For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 ) + allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink }; +-- +2.47.0 + diff --git a/sources b/sources new file mode 100644 index 0000000..bf51d1a --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (swtpm-0.9.0.tar.gz) = 4f1723679b85218e80ea6aacdffa687e541ee309ddab9bcb8d8e5aa0b461ee431c880f2e300f1dcae112646f3636593005a342ee0cb762ec115aa599369e111c diff --git a/swtpm-custom-openssl.patch b/swtpm-custom-openssl.patch new file mode 100644 index 0000000..6bd1b40 --- /dev/null +++ b/swtpm-custom-openssl.patch @@ -0,0 +1,12 @@ +Binary files swtpm-0.9.0/.git/index and swtpm-0.9.0.new/.git/index differ +diff -rup swtpm-0.9.0/src/swtpm/main.c swtpm-0.9.0.new/src/swtpm/main.c +--- swtpm-0.9.0/src/swtpm/main.c 2024-07-08 09:34:00.488080859 +0100 ++++ swtpm-0.9.0.new/src/swtpm/main.c 2024-07-08 09:33:40.057884795 +0100 +@@ -70,6 +70,7 @@ int main(int argc, char **argv) + fprintf(stderr, "Missing TPM interface type.\n"); + return 1; + } ++ setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1); + if (!strcmp(argv[1], "socket")) { + return swtpm_main(argc-1, &argv[1], argv[0], "socket"); + #ifdef WITH_CHARDEV diff --git a/swtpm.spec b/swtpm.spec new file mode 100644 index 0000000..e46b88a --- /dev/null +++ b/swtpm.spec 
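Review bot: The new selinux.patch explains none of the rules it adds: its Subject is just `selinux`, the body is empty, and it grants `map` on virt_var_lib_t files, `virt_read_log(swtpm_t)`, manage and mmap of NFS-backed dirs and files under the virt_use_nfs tunable, and create/write/unlink in virt_var_run_t for svirt_t. A reviewer cannot tell which denial each rule answers or whether `fs_manage_nfs_dirs`/`fs_manage_nfs_files` is wider than what was actually denied, since manage also covers rename and delete. Suggest a commit body along the lines of `Allow swtpm to mmap its state under virt_var_lib_t and read virt logs; allow svirt_t to create its files and sockets under virt_var_run_t; when virt_use_nfs is enabled, presumably allow swtpm state to live on NFS.` followed by the bug or AVC reference behind each rule. The same one-line rationale belongs above `Patch0003:` in swtpm.spec, where Patch0002 has a comment and Patch0003 does not (that hunk continues past the end of this excerpt).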
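Review bot: The added `setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1);` ignores the return value and, with overwrite set to 1, silently discards any OPENSSL_CONF an administrator or test harness had set; main() starts outside the hunk, and the neighbouring lines already report failures with fprintf and `return 1`, so a failure here should follow the same pattern: `if (setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1) != 0) { fprintf(stderr, "Failed to set OPENSSL_CONF.\n"); return 1; }`. Whether overriding a caller-provided OPENSSL_CONF is intended should be stated in a comment above the call, as this is the only place that ties the swtpm-only SHA-1 policy to the process. The patch file also carries a stray `Binary files swtpm-0.9.0/.git/index and swtpm-0.9.0.new/.git/index differ` line from diffing a working tree together with its .git directory; patch(1) should skip it as leading garbage, but it should be dropped so the patch holds only the intended change.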
@@ -0,0 +1,404 @@
+%bcond_without gnutls
+
+# Macros needed by SELinux
+%global selinuxtype targeted
+%global moduletype contrib
+%global modulename swtpm
+
+Summary: TPM Emulator
+Name: swtpm
+Version: 0.9.0
+Release: 5%{?dist}
+License: BSD-3-Clause
+Url: https://github.com/stefanberger/swtpm
+Source0: https://github.com/stefanberger/swtpm/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1: openssl-swtpm.cnf
+# Prevent crypto policies disabling SHA-1.
+# swtpm algorithm list is unconditional. Since it advertizes
+# SHA-1, we MUST always provide a working SHA-1 impl
+Patch0002: swtpm-custom-openssl.patch
+Patch0003: selinux.patch
+
+BuildRequires: make
+BuildRequires: git-core
+BuildRequires: automake
+BuildRequires: autoconf
+BuildRequires: libtool
+BuildRequires: libtpms-devel >= 0.6.0
+BuildRequires: expect
+BuildRequires: net-tools
+BuildRequires: openssl-devel
+BuildRequires: socat
+BuildRequires: tpm2-tss
+BuildRequires: softhsm
+BuildRequires: json-glib-devel
+%if %{with gnutls}
+BuildRequires: gnutls >= 3.4.0
+BuildRequires: gnutls-devel
+BuildRequires: gnutls-utils
+BuildRequires: libtasn1-devel
+BuildRequires: libtasn1
+%endif
+BuildRequires: selinux-policy-devel
+BuildRequires: gcc
+BuildRequires: libseccomp-devel
+BuildRequires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
+BuildRequires: python3-devel
+BuildRequires: gmp-devel
+
+Requires: %{name}-libs = %{version}-%{release}
+Requires: libtpms >= 0.6.0
+Requires: (%{name}-selinux if selinux-policy-targeted)
+
+%description
+TPM emulator built on libtpms providing TPM functionality for QEMU VMs
+
+%package libs
+Summary: Private libraries for swtpm TPM emulators
+License: BSD-3-Clause
+
+%description libs
+A private library with callback functions for libtpms based swtpm TPM emulator
+
+%package devel
+Summary: Include files for the TPM emulator's CUSE interface for usage by clients
+License: BSD-3-Clause
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description devel
+Include files for the TPM emulator's CUSE interface.
+
+%package tools
+Summary: Tools for the TPM emulator
+License: BSD-3-Clause
+Requires: swtpm = %{version}-%{release}
+# tpm2-tss for tss account
+Requires: tpm2-tss bash gnutls-utils
+
+%description tools
+Tools for the TPM emulator from the swtpm package
+
+%package tools-pkcs11
+Summary: Tools for creating a local CA based on a TPM pkcs11 device
+License: BSD-3-Clause
+Requires: swtpm-tools = %{version}-%{release}
+Requires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
+Requires: expect gnutls-utils
+
+%description tools-pkcs11
+Tools for creating a local CA based on a pkcs11 device
+
+%package selinux
+Summary: SELinux security policy for swtpm
+Requires(post): swtpm = %{version}-%{release}
+BuildArch: noarch
+%if ! 0%{?flatpak}
+%{?selinux_requires}
+%endif
+
+%description selinux
+SELinux security policy for swtpm.
+
+%prep
+%autosetup -S git -n %{name}-%{version} -p1
+
+%build
+
+NOCONFIGURE=1 ./autogen.sh
+%configure \
+%if %{with gnutls}
+ --with-gnutls \
+%endif
+ --without-cuse
+
+%make_build
+
+%check
+make %{?_smp_mflags} check VERBOSE=1
+
+%install
+
+%make_install
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so}
+
+%__install -d %{buildroot}%{_sysconfdir}/ssl
+cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/ssl/
+
+%post selinux
+for pp in /usr/share/selinux/packages/swtpm.pp \
+ /usr/share/selinux/packages/swtpm_svirt.pp \
+ /usr/share/selinux/packages/swtpm_libvirt.pp; do
+ %selinux_modules_install -s %{selinuxtype} ${pp}
+done
+restorecon %{_bindir}/swtpm
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ for p in swtpm_libvirt swtpm swtpm_svirt; do
+ %selinux_modules_uninstall -s %{selinuxtype} $p
+ done
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%ldconfig_post libs
+%ldconfig_postun libs
+
+%files
+%license LICENSE
+%doc README
+%{_bindir}/swtpm
+%{_mandir}/man8/swtpm.8*
+
+%files selinux
+%{_datadir}/selinux/packages/swtpm.pp
+%{_datadir}/selinux/packages/swtpm_libvirt.pp
+%{_datadir}/selinux/packages/swtpm_svirt.pp
+%{_sysconfdir}/ssl/openssl-swtpm.cnf
+
+%files libs
+%license LICENSE
+%doc README
+
+%dir %{_libdir}/%{name}
+%{_libdir}/%{name}/libswtpm_libtpms.so.0
+%{_libdir}/%{name}/libswtpm_libtpms.so.0.0.0
+
+%files devel
+%dir %{_includedir}/%{name}
+%{_includedir}/%{name}/*.h
+%{_mandir}/man3/swtpm_ioctls.3*
+
+%files tools
+%doc README
+%{_bindir}/swtpm_bios
+%if %{with gnutls}
+%{_bindir}/swtpm_cert
+%endif
+%{_bindir}/swtpm_setup
+%{_bindir}/swtpm_ioctl
+%{_bindir}/swtpm_localca
+%{_mandir}/man5/swtpm-localca.conf.5*
+%{_mandir}/man5/swtpm-localca.options.5*
+%{_mandir}/man5/swtpm_setup.conf.5*
+%{_mandir}/man8/swtpm_bios.8*
+%{_mandir}/man8/swtpm_cert.8*
+%{_mandir}/man8/swtpm_ioctl.8*
+%{_mandir}/man8/swtpm-localca.8*
+%{_mandir}/man8/swtpm_localca.8*
+%{_mandir}/man8/swtpm_setup.8*
+%exclude %{_mandir}/man8/swtpm_cuse.8.gz
+%config(noreplace) %{_sysconfdir}/swtpm_setup.conf
+%config(noreplace) %{_sysconfdir}/swtpm-localca.options
+%config(noreplace) %{_sysconfdir}/swtpm-localca.conf
+%dir %{_datadir}/swtpm
+%{_datadir}/swtpm/swtpm-localca
+%{_datadir}/swtpm/swtpm-create-user-config-files
+%attr( 750, tss, root) %{_localstatedir}/lib/swtpm-localca
+
+%files tools-pkcs11
+%{_mandir}/man8/swtpm-create-tpmca.8*
+%{_datadir}/swtpm/swtpm-create-tpmca
+
+%changelog
+* Tue Jan 14 2025 Marc-André Lureau - 0.9.0-5
+- Add extra SELinux policies.
+ https://github.com/stefanberger/swtpm/issues/970
+ Resolves: RHEL-70835
+ Resolves: RHEL-73809
+
+* Mon Nov 04 2024 Marc-André Lureau - 0.9.0-4
+- Add extra SELinux policies.
+ Related: RHEL-53967
+- Fix FTBFS, add gmp-devel
+ Resolves: RHEL-65460
+
+* Tue Oct 29 2024 Troy Dawson - 0.9.0-3
+- Bump release for October 2024 mass rebuild:
+ Resolves: RHEL-64018
+
+* Wed Jul 17 2024 Marc-André Lureau - 0.9.0-2
+- Add extra SELinux policies.
+ Resolves: RHEL-47273
+
+* Tue Jul 09 2024 Marc-André Lureau - 0.9.0-1
+- Update to v0.9.0 release
+ Resolves: RHEL-42590
+- Fix SHA-1 algorithm availability
+ Resolves: RHEL-46754
+
+* Mon Jun 24 2024 Troy Dawson - 0.8.1-6
+- Bump release for June 2024 mass rebuild
+
+* Sun Jan 28 2024 Peter Robinson - 0.8.1-5
+- Use tpm2-tss to provide tss account
+
+* Sat Jan 27 2024 Fedora Release Engineering - 0.8.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Aug 16 2023 Stefan Berger - 0.8.1-3
+- Build for i686 again since dependency issue resolved
+
+* Tue Aug 15 2023 Stefan Berger - 0.8.1-2
+- Don't build tools-pkcs11 for i686 since python-tpm2-pytss is not built for it
+- Set license to BSD-3-Clause for all packages
+
+* Tue Aug 15 2023 Stefan Berger - 0.8.1-1
+- Update to v0.8.1 release
+
+* Sat Jul 22 2023 Adam Williamson - 0.8.0-7
+- Make swtpm-selinux Requires(post) swtpm (#2223276)
+
+* Thu Jul 20 2023 Stefan Berger - 0.8.0-6
+- Added a 'Requires' on swtpm for swtpm-selinux package
+
+* Wed Jul 19 2023 Stefan Berger - 0.8.0-4
+- Split off SELinux policy into swtpm-selinux
+
+* Mon May 15 2023 Yaakov Selkowitz - 0.8.0-4
+- Remove trousers dependency from RHEL builds
+
+* Sat Jan 21 2023 Fedora Release Engineering - 0.8.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Nov 10 2022 Stefan Berger - 0.8.0-2
+- Adding patch needed on Rawhide build servers only
+
+* Thu Nov 10 2022 Stefan Berger - 0.8.0-1
+- Update to v0.8.0 release
+
+* Sat Jul 23 2022 Fedora Release Engineering - 0.7.3-2.20220427gitf2268ee
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Apr 27 2022 Stefan Berger - 0.7.3-1.20220427gitf2268ee
+- Update to v0.7.3 release
+
+* Mon Mar 07 2022 Stefan Berger - 0.7.2-1.20220307git21c90c1
+- Update to v0.7.2 release
+
+* Fri Feb 18 2022 Stefan Berger - 0.7.1-1.20220218git92a7035
+- Update to v0.7.1 release
+
+* Sat Jan 22 2022 Fedora Release Engineering - 0.7.0-2.20211109gitb79fd91
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Nov 09 2021 Stefan Berger - 0.7.0-1.20211109gitb79fd91
+- Update to v0.7.0 release
+
+* Tue Sep 21 2021 Stefan Berger - 0.6.1-1.20210921git98187d2
+- Update to v0.6.1 release
+
+* Thu Sep 16 2021 Stefan Berger - 0.6.1-0.20210916gita0ca7c3
+- Build upcoming v0.6.1 that has patch to build with OpenSSL 3.0.0
+
+* Thu Sep 16 2021 Stefan Berger - 0.6.0-5.20210607gitea627b3
+- Applied patch with -Wno-deprecated-declarations for build with OpenSSL 3.0.0
+
+* Tue Sep 14 2021 Sahana Prasad - 0.6.0-4.20210607gitea627b3
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering - 0.6.0-3.20210607gitea627b3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jul 13 2021 Davide Cavalca - 0.6.0-2.20210706gitea627b
+- Add an explicit BuildRequires for python3-devel
+
+* Mon Jun 07 2021 Stefan Berger - 0.6.0-1.20210706gitea627b
+- Update to v0.6.0 release
+
+* Fri Jun 04 2021 Python Maint - 0.5.2-4.20201226gite59c0c1
+- Rebuilt for Python 3.10
+
+* Wed Apr 07 2021 Marc-André Lureau - 0.5.2-3.20201226gite59c0c1
+- Remove unnecessary python3-twisted dependency
+
+* Wed Jan 27 2021 Fedora Release Engineering - 0.5.2-2.20201226gite59c0c1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Dec 26 2020 Stefan Berger - 0.5.2-1.20201226gite59c0c1a
+- Bugfixes for stable release
+
+* Mon Dec 07 2020 Jeff Law - 0.5.1-3.20201117git96f5a04c
+- Avoid diagnostic from gcc-11
+
+* Fri Nov 13 2020 Stefan Berger - 0.5.1-2.20201117git96f5a04c
+- Another build of v0.5.1 after more fixes
+
+* Fri Nov 13 2020 Stefan Berger - 0.5.1-1.20201007git390f5bd4
+- Update to v0.5.1 addressing potential symlink attack issue (CVE-2020-28407)
+
+* Wed Oct 7 2020 Stefan Berger - 0.5.0-1.20201007gitb931e109
+- Update to v0.5.0 release
+
+* Fri Aug 28 2020 Stefan Berger - 0.4.0-1.20200828git0c238a2
+- Update to v0.4.0 release
+
+* Thu Aug 27 2020 Stefan Berger - 0.3.4-2.20200711git80f0418
+- Disable pkcs11 related test case running into GnuTLS locking bug
+
+* Tue Aug 11 2020 Stefan Berger - 0.3.4-1.20200711git80f0418
+- Update to v0.3.4 release
+
+* Sat Aug 01 2020 Fedora Release Engineering - 0.3.0-3.20200218git74ae43b
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 0.3.0-2.20200218git74ae43b
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Feb 24 2020 Marc-André Lureau - 0.3.0-1.20200218git74ae43b
+- Update to v0.3.0 release
+
+* Fri Jan 31 2020 Fedora Release Engineering - 0.2.0-7.20191115git8dae4b3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Nov 15 2019 Stefan Berger - 0.2.0-6.20191018git8dae4b3
+- follow stable-0.2.0 branch with fix of GnuTLS API call to get subject key ID
+
+* Fri Oct 18 2019 Stefan Berger - 0.2.0-5.20191018git9227cf4
+- follow stable-0.2.0 branch with swtpm_cert OID bugfix for TPM 2
+
+* Tue Aug 13 2019 Stefan Berger - 0.2.0-4.20190801git13536aa
+- run 'restorecon' on swtpm in post to get SELinux label on first install
+
+* Thu Aug 01 2019 Stefan Berger - 0.2.0-3.20190801git13536aa
+- follow stable-0.2.0 branch with some bug fixes
+
+* Sat Jul 27 2019 Fedora Release Engineering - 0.2.0-2.20190723gitf0b4137
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 23 2019 Stefan Berger - 0.2.0-1.20190723gitf0b4137
+- follow stable-0.2.0 branch with some bug fixes
+
+* Tue Jul 16 2019 Stefan Berger - 0.2.0-0.20190716git374b669
+- (tentative) v0.2.0 release of swtpm
+
+* Thu Apr 25 2019 Stefan Berger - 0.1.0-0.20190425gitca85606
+- pick up bug fixes
+
+* Mon Feb 04 2019 Stefan Berger - 0.1.0-0.20190204git2c25d13.1
+- v0.1.0 release of swtpm
+
+* Sun Feb 03 2019 Fedora Release Engineering - 0.1.0-0.20181212git8b9484a.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Dec 12 2018 Stefan Berger - 0.1.0-0.20181212git8b9484a
+- Follow improvements in swtpm repo primarily related to fixes for 'ubsan'
+
+* Tue Nov 06 2018 Stefan Berger - 0.1.0-0.20181106git05d8160
+- Follow improvements in swtpm repo
+- Remove ownership change of swtpm_setup.sh; have root own the file as required
+
+* Wed Oct 31 2018 Stefan Berger - 0.1.0-0.20181031gitc782a85
+- Follow improvements and fixes in swtpm
+
+* Tue Oct 02 2018 Stefan Berger - 0.1.0-0.20181002git0143c41
+- Fixes to SELinux policy
+- Improvements on various other parts
+* Tue Sep 25 2018 Stefan Berger - 0.1.0-0.20180924gitce13edf
+- Initial Fedora build
+* Mon Sep 17 2018 Stefan Berger - 0.1.0-0.20180918git67d7ea3
+- Created initial version of rpm spec files
+- Version is now 0.1.0
+- Bugzilla for this spec: https://bugzilla.redhat.com/show_bug.cgi?id=1611829
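Review bot: `%{_sysconfdir}/ssl/openssl-swtpm.cnf` is listed under `%files selinux`, but the file is consumed by the main `swtpm` binary (the `setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1)` added by swtpm-custom-openssl.patch), and the main package only pulls the selinux subpackage in conditionally via `Requires: (%{name}-selinux if selinux-policy-targeted)`. On a host without selinux-policy-targeted the config is never installed, so the SHA-1 availability fix described in the Patch0002 comment cannot take effect there. Move the line into the main `%files` section and consider marking it `%config` so local edits survive upgrades; `install -p -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ssl/` in `%install` would also replace the `cp` with its doubled slash and give the file an explicit mode.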