11 changed files with 662 additions and 494 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-swtpm-0.9.0.tar.gz
+SOURCES/swtpm-b79fd91.tar.gz
--- a/.swtpm.metadata
+++ b/.swtpm.metadata
@ -0,0 +1 @@
 b79a2d005663868139f0678cddeecf70278ec219 SOURCES/swtpm-b79fd91.tar.gz
--- a/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch
+++ b/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch
@ -0,0 +1,54 @@
 From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.ibm.com>
 Date: Wed, 16 Feb 2022 11:17:47 -0500
 Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
 375869)
 This fix addresses Coverity issue CID 375869.
 Check the header size indicated in the header of the state against the
 expected size and return an error code in case the header size indicator
 is different. There was only one header size so far since blobheader was
 introduced, so we don't need to deal with different sizes.
 Without this fix a specially craft header could have cause out-of-bounds
 accesses on the byte array containing the swtpm's state.
 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 ---
 src/swtpm/swtpm_nvstore.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c
 index 437088370e11..144d8975ec54 100644
 --- a/src/swtpm/swtpm_nvstore.c
 +++ b/src/swtpm/swtpm_nvstore.c
@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
                         uint8_t *hdrversion, bool quiet)
 {
     blobheader *bh = (blobheader *)data;
 +    uint16_t hdrsize;
     if (length < sizeof(bh)) {
         if (!quiet)
@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
         return TPM_BAD_VERSION;
     }
 +    hdrsize = ntohs(bh->hdrsize);
 +    if (hdrsize != sizeof(blobheader)) {
 +        logprintf(STDERR_FILENO,
 +                  "bad header size: %u != %zu\n",
 +                  hdrsize, sizeof(blobheader));
 +        return TPM_BAD_DATASIZE;
 +    }
 +
     *hdrversion = bh->version;
 -    *dataoffset = ntohs(bh->hdrsize);
 +    *dataoffset = hdrsize;
     *hdrflags = ntohs(bh->flags);
     return TPM_SUCCESS;
 -- 
 2.34.1.428.gdcc0cd074f0c
--- a/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
+++ b/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
@ -0,0 +1,279 @@
 From a39c3792ba5677f25fea903b9f1a43740a5f2c0c Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.ibm.com>
 Date: Wed, 8 Jun 2022 09:19:07 -0400
 Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures
 While libtpms does not provide any means to disable FIPS-disabled crypto
 algorithms from being used, work around the issue by simply disabling the
 FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
 swtpm with a failure message that it cannot be disabled. If FIPS mode
 was successfully disabled, print out a message as well.
 Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219
 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 ---
 configure.ac              |   9 ++++
 src/swtpm/Makefile.am     |   2 +
 src/swtpm/cuse_tpm.c      |   5 ++
 src/swtpm/fips.c          | 100 ++++++++++++++++++++++++++++++++++++++
 src/swtpm/fips.h          |  43 ++++++++++++++++
 src/swtpm/swtpm.c         |   3 ++
 src/swtpm/swtpm_chardev.c |   3 ++
 src/swtpm/utils.h         |   2 +
 8 files changed, 167 insertions(+)
 create mode 100644 src/swtpm/fips.c
 create mode 100644 src/swtpm/fips.h
 diff --git a/configure.ac b/configure.ac
 index ad3054e..30288c7 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -156,6 +156,15 @@ openssl)
 	AC_MSG_RESULT([Building with openssl crypto library])
 	LIBCRYPTO_LIBS=$(pkg-config --libs libcrypto)
 	AC_SUBST([LIBCRYPTO_LIBS])
 +	AC_CHECK_HEADERS([openssl/fips.h],
 +	                 [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_H], 1,
 +	                                     [whether openssl/fips.h is available])]
 +	                 )
 +	AC_CHECK_LIB(crypto,
 +		     [FIPS_mode_set],
 +		     [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_MODE_SET_API], 1,
 +		                         [whether FIPS_mode_set API is available])]
 +		     )
 	;;
 esac
 diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am
 index 5454a6f..2a65950 100644
 --- a/src/swtpm/Makefile.am
 +++ b/src/swtpm/Makefile.am
@@ -11,6 +11,7 @@ noinst_HEADERS = \
 	capabilities.h \
 	common.h \
 	ctrlchannel.h \
 +	fips.h \
 	key.h \
 	locality.h \
 	logging.h \
@@ -40,6 +41,7 @@ libswtpm_libtpms_la_SOURCES = \
 	capabilities.c \
 	common.c \
 	ctrlchannel.c \
 +	fips.c \
 	key.c \
 	logging.c \
 	mainloop.c \
 diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
 index 9dbc00d..3026e26 100644
 --- a/src/swtpm/cuse_tpm.c
 +++ b/src/swtpm/cuse_tpm.c
@@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
         goto exit;
     }
 +    if (disable_fips_mode() < 0) {
 +        ret = -1;
 +        goto exit;
 +    }
 +
     if (tpmlib_register_callbacks(&cbs) != TPM_SUCCESS) {
         ret = -1;
         goto exit;
 diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c
 new file mode 100644
 index 0000000..eeb2a0c
 --- /dev/null
 +++ b/src/swtpm/fips.c
@@ -0,0 +1,100 @@
 +/*
 + * fips.c -- FIPS mode related functions
 + *
 + * (c) Copyright IBM Corporation 2022.
 + *
 + * Author: Stefan Berger <stefanb@us.ibm.com>
 + *
 + * All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions are
 + * met:
 + *
 + * Redistributions of source code must retain the above copyright notice,
 + * this list of conditions and the following disclaimer.
 + *
 + * Redistributions in binary form must reproduce the above copyright
 + * notice, this list of conditions and the following disclaimer in the
 + * documentation and/or other materials provided with the distribution.
 + *
 + * Neither the names of the IBM Corporation nor the names of its
 + * contributors may be used to endorse or promote products derived from
 + * this software without specific prior written permission.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
 +
 +#include "config.h"
 +
 +#include "fips.h"
 +#include "logging.h"
 +
 +#if defined(HAVE_OPENSSL_FIPS_H)
 +# include <openssl/fips.h>
 +#elif defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
 +/* Cygwin has no fips.h but API exists */
 +extern int FIPS_mode(void);
 +extern int FIPS_mode_set(int);
 +#endif
 +
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +# include <openssl/evp.h>
 +#endif
 +
 +#include <openssl/err.h>
 +
 +/*
 + * disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures
 + *
 + * While libtpms does not provide a solution to disable deactivated algorithms
 + * avoid libtpms failures due to FIPS mode enablement by disabling FIPS mode.
 + *
 + * Returns < 0 on error, 0 otherwise.
 + */
 +#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
 +int disable_fips_mode(void)
 +{
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +    int mode = EVP_default_properties_is_fips_enabled(NULL);
 +#else
 +    int mode = FIPS_mode();
 +#endif
 +    int ret = 0;
 +
 +    if (mode != 0) {
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +        int rc = EVP_default_properties_enable_fips(NULL, 0);
 +#else
 +        int rc = FIPS_mode_set(0);
 +#endif
 +        if (rc == 1) {
 +            logprintf(STDOUT_FILENO,
 +                      "Warning: Disabled OpenSSL FIPS mode\n");
 +        } else {
 +            unsigned long err = ERR_get_error();
 +            logprintf(STDERR_FILENO,
 +                      "Failed to disable OpenSSL FIPS mode: %s\n",
 +                      ERR_error_string(err, NULL));
 +            ret = -1;
 +        }
 +    }
 +    return ret;
 +}
 +#else
 +/* OpenBSD & DragonFlyBSD case */
 +int disable_fips_mode(void)
 +{
 +    return 0;
 +}
 +#endif
 diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h
 new file mode 100644
 index 0000000..14d4e9f
 --- /dev/null
 +++ b/src/swtpm/fips.h
@@ -0,0 +1,43 @@
 +/*
 + * fips.h -- FIPS mode related functions
 + *
 + * (c) Copyright IBM Corporation 2015.
 + *
 + * Author: Stefan Berger <stefanb@us.ibm.com>
 + *
 + * All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions are
 + * met:
 + *
 + * Redistributions of source code must retain the above copyright notice,
 + * this list of conditions and the following disclaimer.
 + *
 + * Redistributions in binary form must reproduce the above copyright
 + * notice, this list of conditions and the following disclaimer in the
 + * documentation and/or other materials provided with the distribution.
 + *
 + * Neither the names of the IBM Corporation nor the names of its
 + * contributors may be used to endorse or promote products derived from
 + * this software without specific prior written permission.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
 +
 +#ifndef _SWTPM_UTILS_H_
 +#define _SWTPM_UTILS_H_
 +
 +int disable_fips_mode(void);
 +
 +#endif /* _SWTPM_UTILS_H_ */
 diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c
 index 722a743..e618c56 100644
 --- a/src/swtpm/swtpm.c
 +++ b/src/swtpm/swtpm.c
@@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface)
         daemonize_finish();
     }
 +    if (disable_fips_mode() < 0)
 +        goto error_seccomp_profile;
 +
     rc = mainLoop(&mlp, notify_fd[0]);
 error_seccomp_profile:
 diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c
 index 9710927..ab6d8fd 100644
 --- a/src/swtpm/swtpm_chardev.c
 +++ b/src/swtpm/swtpm_chardev.c
@@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i
         daemonize_finish();
     }
 +    if (disable_fips_mode() < 0)
 +        goto error_seccomp_profile;
 +
     rc = mainLoop(&mlp, notify_fd[0]);
 error_seccomp_profile:
 diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h
 index 7502442..b8acd89 100644
 --- a/src/swtpm/utils.h
 +++ b/src/swtpm/utils.h
@@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt);
 ssize_t read_eintr(int fd, void *buffer, size_t buflen);
 +int disable_fips_mode(void);
 +
 #endif /* _SWTPM_UTILS_H_ */
 -- 
 2.36.1
--- a/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
+++ b/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
@ -0,0 +1,65 @@
 From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.ibm.com>
 Date: Tue, 1 Feb 2022 12:40:06 -0500
 Subject: [PATCH] swtpm_localca: Test for available issuercert before creating
 CA
 Avoid trying to create TPM certificates while the issuer certificate has
 not been created, yet (in a 2nd step).
 To resolve this do not just test for availability of the signing key, which
 is created first, but also test for the issuer certifcate, which is created
 in a 2nd step when the local CA is created. If either one is missing,
 attempt to create the CA.
 Resolves: https://github.com/stefanberger/swtpm/issues/644
 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 ---
 src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
 diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
 index 037bfd5266bb..089e4e0db4ce 100644
 --- a/src/swtpm_localca/swtpm_localca.c
 +++ b/src/swtpm_localca/swtpm_localca.c
@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
             goto error;
     }
 -    if (access(signkey, R_OK) != 0) {
 +    if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
         g_autofree gchar *directory = g_path_get_dirname(signkey);
         g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
         g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
         if (ret != 0)
             goto error;
     } else {
 +        int create_certs = 0;
 +
 +        /* create certificate if either the signing key or issuer cert are missing */
         if (access(signkey, R_OK) != 0) {
             if (stat(signkey, &statbuf) == 0) {
                 logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
                        signkey, curr_user ? curr_user->pw_name : "<unknown>");
                 goto error;
             }
 +            create_certs = 1;
 +        }
 +
 +        if (access(issuercert, R_OK) != 0) {
 +            if (stat(issuercert, &statbuf) == 0) {
 +                logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
 +                       issuercert, curr_user ? curr_user->pw_name : "<unknown>");
 +                goto error;
 +            }
 +            create_certs = 1;
 +        }
 +        if (create_certs) {
             logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
             if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
                                     issuercert) != 0) {
 -- 
 2.37.0.rc0
--- a/SPECS/swtpm.spec
+++ b/SPECS/swtpm.spec
@ -0,0 +1,262 @@
 %bcond_without gnutls
 %global gitdate     20211109
 %global gitcommit   b79fd91c4b4a74c9c5027b517c5036952c5525db
 %global gitshortcommit  %(c=%{gitcommit}; echo ${c:0:7})
 # Macros needed by SELinux
 %global selinuxtype targeted
 %global moduletype  contrib
 %global modulename  swtpm
 Summary: TPM Emulator
 Name:           swtpm
 Version:        0.7.0
 Release:        4.%{gitdate}git%{gitshortcommit}%{?dist}
 License:        BSD
 Url:            http://github.com/stefanberger/swtpm
 Source0:        %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
 ExcludeArch:    i686
 Patch0001:      0001-swtpm-Check-header-size-indicator-against-expected-s.patch
 Patch0002:      0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
 Patch0003:      0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
 BuildRequires: make
 BuildRequires:  git-core
 BuildRequires:  automake
 BuildRequires:  autoconf
 BuildRequires:  libtool
 BuildRequires:  libtpms-devel >= 0.6.0
 BuildRequires:  expect
 BuildRequires:  net-tools
 BuildRequires:  openssl-devel
 BuildRequires:  socat
 BuildRequires:  softhsm
 BuildRequires:  json-glib-devel
 %if %{with gnutls}
 BuildRequires:  gnutls >= 3.4.0
 BuildRequires:  gnutls-devel
 BuildRequires:  gnutls-utils
 BuildRequires:  libtasn1-devel
 BuildRequires:  libtasn1
 %endif
 BuildRequires:  selinux-policy-devel
 BuildRequires:  gcc
 BuildRequires:  libseccomp-devel
 BuildRequires:  tpm2-tools tpm2-abrmd
 BuildRequires:  python3-devel
 Requires:       %{name}-libs = %{version}-%{release}
 Requires:       libtpms >= 0.6.0
 %{?selinux_requires}
 %description
 TPM emulator built on libtpms providing TPM functionality for QEMU VMs
 %package        libs
 Summary:        Private libraries for swtpm TPM emulators
 License:        BSD
 %description    libs
 A private library with callback functions for libtpms based swtpm TPM emulator
 %package        devel
 Summary:        Include files for the TPM emulator's CUSE interface for usage by clients
 License:        BSD
 Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
 %description    devel
 Include files for the TPM emulator's CUSE interface.
 %package        tools
 Summary:        Tools for the TPM emulator
 License:        BSD
 Requires:       swtpm = %{version}-%{release}
 Requires:       bash gnutls-utils
 %description    tools
 Tools for the TPM emulator from the swtpm package
 %package        tools-pkcs11
 Summary:        Tools for creating a local CA based on a TPM pkcs11 device
 License:        BSD
 Requires:       swtpm-tools = %{version}-%{release}
 Requires:       tpm2-tools tpm2-abrmd
 Requires:       expect gnutls-utils
 %description   tools-pkcs11
 Tools for creating a local CA based on a pkcs11 device
 %prep
 %autosetup -S git -n %{name}-%{gitcommit} -p1
 %build
 NOCONFIGURE=1 ./autogen.sh
 %configure \
 %if %{with gnutls}
        --with-gnutls \
 %endif
        --without-cuse \
        --without-tpm1
 %make_build V=1
 %check
 make %{?_smp_mflags} check VERBOSE=1
 %install
 %make_install
 rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so}
 %post
 for pp in /usr/share/selinux/packages/swtpm.pp \
          /usr/share/selinux/packages/swtpm_svirt.pp; do
  %selinux_modules_install -s %{selinuxtype} ${pp}
 done
 restorecon %{_bindir}/swtpm
 %postun
 if [ $1 -eq  0 ]; then
  for p in swtpm swtpm_svirt; do
    %selinux_modules_uninstall -s %{selinuxtype} $p
  done
 fi
 %posttrans
 %selinux_relabel_post -s %{selinuxtype}
 %ldconfig_post libs
 %ldconfig_postun libs
 %files
 %license LICENSE
 %doc README
 %{_bindir}/swtpm
 %{_mandir}/man8/swtpm.8*
 %{_datadir}/selinux/packages/swtpm.pp
 %{_datadir}/selinux/packages/swtpm_svirt.pp
 %files libs
 %license LICENSE
 %doc README
 %dir %{_libdir}/%{name}
 %{_libdir}/%{name}/libswtpm_libtpms.so.0
 %{_libdir}/%{name}/libswtpm_libtpms.so.0.0.0
 %files devel
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/*.h
 %{_mandir}/man3/swtpm_ioctls.3*
 %files tools
 %doc README
 %{_bindir}/swtpm_bios
 %if %{with gnutls}
 %{_bindir}/swtpm_cert
 %endif
 %{_bindir}/swtpm_setup
 %{_bindir}/swtpm_ioctl
 %{_bindir}/swtpm_localca
 %{_mandir}/man8/swtpm_bios.8*
 %{_mandir}/man8/swtpm_cert.8*
 %{_mandir}/man8/swtpm_ioctl.8*
 %{_mandir}/man8/swtpm-localca.conf.8*
 %{_mandir}/man8/swtpm-localca.options.8*
 %{_mandir}/man8/swtpm-localca.8*
 %{_mandir}/man8/swtpm_localca.8*
 %{_mandir}/man8/swtpm_setup.8*
 %{_mandir}/man8/swtpm_setup.conf.8*
 %config(noreplace) %{_sysconfdir}/swtpm_setup.conf
 %config(noreplace) %{_sysconfdir}/swtpm-localca.options
 %config(noreplace) %{_sysconfdir}/swtpm-localca.conf
 %dir %{_datadir}/swtpm
 %{_datadir}/swtpm/swtpm-localca
 %{_datadir}/swtpm/swtpm-create-user-config-files
 %attr( 750, tss, root) %{_localstatedir}/lib/swtpm-localca
 %files tools-pkcs11
 %{_mandir}/man8/swtpm-create-tpmca.8*
 %{_datadir}/swtpm/swtpm-create-tpmca
 %changelog
 * Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-4.20211109gitb79fd91
 - swtpm_localca: Test for available issuercert before creating CA
  Resolves: rhbz#2100508
 * Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
 - Disable OpenSSL FIPS mode to avoid libtpms failures
  Resolves: rhbz#2097947
 * Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
 - Add fix for CVE-2022-23645.
  Resolves: rhbz#2056517
 * Tue Jan 04 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
 - Rebase to 0.7.0, disable TPM 1.2.
  Resovles: rhbz#2029612
 * Thu Sep 16 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-2.20210607gitea627b3
 - rebuilt with missing CFLAGS fix.
 * Mon Jun 28 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-1.20210607gitea627b3
 - Update to 0.6.0.
  Resolves: rhbz#1972783
 * Tue Dec  1 20:40:07 +04 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.2-1.20201201git2df14e3
 - Update to 0.4.2, to address potential symlink vulnerabilities (CVE-2020-28407).
  Resolves: rhbz#1906043
 * Thu Sep 24 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.0-3.20200828git0c238a2
 - swtpm_setup: Add missing .config path when using ${HOME}. Resolves: rhbz#1881418
 * Thu Sep 17 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.0-2.20200828git0c238a2
 - Backport fixes from 0.4.0 stable branch. Resolves: rhbz#1868375
  (fixes usage of swtpm-localca with passwords when signing keys)
 * Sat Sep 12 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.0-1.20200828git0c238a2
 - Update to v0.4.0. Resolves: rhbz#1868375
 * Thu May 28 2020 Marc-André Lureau <marcandre.lureau@gmail.com> - 0.3.0-1.20200218git74ae43b
 - Update to v0.3.0. Fixes rhbz#1809778
 - exclude i686 build
 * Mon Jan 27 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.2.0-2.20200127gitff5a83b
 - Update to latest 0.2-stable branch, fix random test failure. rhbz#1782451
 * Fri Oct 18 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.2.0-1.20191018git9227cf4
 - rebuilt
 * Tue Aug 13 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.1.0-1.20190425gitca85606.1
 - Fix SELinux labels on /usr/bin/swtpm installation rhbz#1739994
 * Thu Apr 25 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20190425gitca85606
 - pick up bug fixes
 * Mon Feb 04 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20190204git2c25d13.1
 - v0.1.0 release of swtpm
 * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.0-0.20181212git8b9484a.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Wed Dec 12 2018 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20181212git8b9484a
 - Follow improvements in swtpm repo primarily related to fixes for 'ubsan'
 * Tue Nov 06 2018 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20181106git05d8160
 - Follow improvements in swtpm repo
 - Remove ownership change of swtpm_setup.sh; have root own the file as required
 * Wed Oct 31 2018 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20181031gitc782a85
 - Follow improvements and fixes in swtpm
 * Tue Oct 02 2018 Stefan Berger <stefanb@linux.vnet.ibm.com> - 0.1.0-0.20181002git0143c41
 - Fixes to SELinux policy
 - Improvements on various other parts
 * Tue Sep 25 2018 Stefan Berger <stefanb@linux.vnet.ibm.com> - 0.1.0-0.20180924gitce13edf
 - Initial Fedora build
 * Mon Sep 17 2018 Stefan Berger <stefanb@linux.vnet.ibm.com> - 0.1.0-0.20180918git67d7ea3
 - Created initial version of rpm spec files
 - Version is now 0.1.0
 - Bugzilla for this spec: https://bugzilla.redhat.com/show_bug.cgi?id=1611829
--- a/openssl-swtpm.cnf
+++ b/openssl-swtpm.cnf
@ -1,4 +0,0 @@
 .include /etc/ssl/openssl.cnf
 [evp_properties]
 rh-allow-sha1-signatures = yes
--- a/selinux.patch
+++ b/selinux.patch
@ -1,72 +0,0 @@
 From 816c9ef66eaec230f9dd89e1deebfadc7359aa60 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
 Date: Sat, 13 Jul 2024 13:37:29 +0400
 Subject: [PATCH] selinux
 ---
 src/selinux/swtpm.te       | 12 +++++++++++-
 src/selinux/swtpm_svirt.te |  4 ++++
 2 files changed, 15 insertions(+), 1 deletion(-)
 diff --git a/src/selinux/swtpm.te b/src/selinux/swtpm.te
 index 2327721..c35056e 100644
 --- a/src/selinux/swtpm.te
 +++ b/src/selinux/swtpm.te
@@ -11,6 +11,8 @@ require {
 	type virt_var_lib_t;
 	type virtqemud_t;
 	type virtqemud_tmp_t;
 +        class file map;
 +        tunable virt_use_nfs;
 }
 attribute_role swtpm_roles;
@@ -30,10 +32,11 @@ allow swtpm_t qemu_var_run_t:dir { add_name remove_name write };
 allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink };
 allow swtpm_t var_log_t:file open;
 allow swtpm_t virt_var_lib_t:dir { add_name remove_name write };
 -allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write };
 +allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write map };
 allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr };
 allow swtpm_t virtqemud_tmp_t:file { open write };
 +virt_read_log(swtpm_t)
 domain_use_interactive_fds(swtpm_t)
@@ -42,3 +45,10 @@ files_read_etc_files(swtpm_t)
 auth_use_nsswitch(swtpm_t)
 miscfiles_read_localization(swtpm_t)
 +
 +tunable_policy(`virt_use_nfs',`
 +    fs_manage_nfs_dirs(swtpm_t)
 +    fs_manage_nfs_files(swtpm_t)
 +    fs_read_nfs_symlinks(swtpm_t)
 +    fs_mmap_nfs_files(swtpm_t)
 +')
 diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
 index f7b886c..424efa7 100644
 --- a/src/selinux/swtpm_svirt.te
 +++ b/src/selinux/swtpm_svirt.te
@@ -13,6 +13,7 @@ require {
 	type user_tmp_t;
 	type virtd_t;
 	type virtqemud_t;
 +	type virt_var_run_t;
 }
 swtpm_domtrans(svirt_t)
@@ -27,6 +28,9 @@ allow svirt_t user_tmp_t:sock_file { create setattr unlink };
 allow svirt_t virtd_t:dir search;
 allow svirt_t virtd_t:fifo_file write;
 allow svirt_t virtqemud_t:fifo_file write;
 +allow svirt_t virt_var_run_t:dir { write add_name remove_name };
 +allow svirt_t virt_var_run_t:file { create write setattr unlink };
 +allow svirt_t virt_var_run_t:sock_file { create write setattr unlink };
 # For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 )
 allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };
 -- 
 2.47.0
--- a/1
+++ b/1
@ -1 +0,0 @@
 SHA512 (swtpm-0.9.0.tar.gz) = 4f1723679b85218e80ea6aacdffa687e541ee309ddab9bcb8d8e5aa0b461ee431c880f2e300f1dcae112646f3636593005a342ee0cb762ec115aa599369e111c
--- a/swtpm-custom-openssl.patch
+++ b/swtpm-custom-openssl.patch
@ -1,12 +0,0 @@
 Binary files swtpm-0.9.0/.git/index and swtpm-0.9.0.new/.git/index differ
 diff -rup swtpm-0.9.0/src/swtpm/main.c swtpm-0.9.0.new/src/swtpm/main.c
 --- swtpm-0.9.0/src/swtpm/main.c	2024-07-08 09:34:00.488080859 +0100
 +++ swtpm-0.9.0.new/src/swtpm/main.c	2024-07-08 09:33:40.057884795 +0100
@@ -70,6 +70,7 @@ int main(int argc, char **argv)
         fprintf(stderr, "Missing TPM interface type.\n");
         return 1;
     }
 +    setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1);
     if (!strcmp(argv[1], "socket")) {
         return swtpm_main(argc-1, &argv[1], argv[0], "socket");
 #ifdef WITH_CHARDEV
--- a/swtpm.spec
+++ b/swtpm.spec
@ -1,404 +0,0 @@
 %bcond_without gnutls
 # Macros needed by SELinux
 %global selinuxtype targeted
 %global moduletype  contrib
 %global modulename  swtpm
 Summary: TPM Emulator
 Name:           swtpm
 Version:        0.9.0
 Release:        5%{?dist}
 License:        BSD-3-Clause
 Url:            https://github.com/stefanberger/swtpm
 Source0:        https://github.com/stefanberger/swtpm/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:        openssl-swtpm.cnf
 # Prevent crypto policies disabling SHA-1.
 # swtpm algorithm list is unconditional. Since it advertizes
 # SHA-1, we MUST always provide a working SHA-1 impl
 Patch0002:      swtpm-custom-openssl.patch
 Patch0003:      selinux.patch
 BuildRequires: make
 BuildRequires:  git-core
 BuildRequires:  automake
 BuildRequires:  autoconf
 BuildRequires:  libtool
 BuildRequires:  libtpms-devel >= 0.6.0
 BuildRequires:  expect
 BuildRequires:  net-tools
 BuildRequires:  openssl-devel
 BuildRequires:  socat
 BuildRequires:  tpm2-tss
 BuildRequires:  softhsm
 BuildRequires:  json-glib-devel
 %if %{with gnutls}
 BuildRequires:  gnutls >= 3.4.0
 BuildRequires:  gnutls-devel
 BuildRequires:  gnutls-utils
 BuildRequires:  libtasn1-devel
 BuildRequires:  libtasn1
 %endif
 BuildRequires:  selinux-policy-devel
 BuildRequires:  gcc
 BuildRequires:  libseccomp-devel
 BuildRequires:  tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
 BuildRequires:  python3-devel
 BuildRequires:  gmp-devel
 Requires:       %{name}-libs = %{version}-%{release}
 Requires:       libtpms >= 0.6.0
 Requires:       (%{name}-selinux if selinux-policy-targeted)
 %description
 TPM emulator built on libtpms providing TPM functionality for QEMU VMs
 %package        libs
 Summary:        Private libraries for swtpm TPM emulators
 License:        BSD-3-Clause
 %description    libs
 A private library with callback functions for libtpms based swtpm TPM emulator
 %package        devel
 Summary:        Include files for the TPM emulator's CUSE interface for usage by clients
 License:        BSD-3-Clause
 Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
 %description    devel
 Include files for the TPM emulator's CUSE interface.
 %package        tools
 Summary:        Tools for the TPM emulator
 License:        BSD-3-Clause
 Requires:       swtpm = %{version}-%{release}
 # tpm2-tss for tss account
 Requires:       tpm2-tss bash gnutls-utils
 %description    tools
 Tools for the TPM emulator from the swtpm package
 %package        tools-pkcs11
 Summary:        Tools for creating a local CA based on a TPM pkcs11 device
 License:        BSD-3-Clause
 Requires:       swtpm-tools = %{version}-%{release}
 Requires:       tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
 Requires:       expect gnutls-utils
 %description   tools-pkcs11
 Tools for creating a local CA based on a pkcs11 device
 %package        selinux
 Summary:        SELinux security policy for swtpm
 Requires(post): swtpm = %{version}-%{release}
 BuildArch:      noarch
 %if ! 0%{?flatpak}
 %{?selinux_requires}
 %endif
 %description    selinux
 SELinux security policy for swtpm.
 %prep
 %autosetup -S git -n %{name}-%{version} -p1
 %build
 NOCONFIGURE=1 ./autogen.sh
 %configure \
 %if %{with gnutls}
        --with-gnutls \
 %endif
        --without-cuse
 %make_build
 %check
 make %{?_smp_mflags} check VERBOSE=1
 %install
 %make_install
 rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so}
 %__install -d %{buildroot}%{_sysconfdir}/ssl
 cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/ssl/
 %post selinux
 for pp in /usr/share/selinux/packages/swtpm.pp \
          /usr/share/selinux/packages/swtpm_svirt.pp \
          /usr/share/selinux/packages/swtpm_libvirt.pp; do
  %selinux_modules_install -s %{selinuxtype} ${pp}
 done
 restorecon %{_bindir}/swtpm
 %postun selinux
 if [ $1 -eq  0 ]; then
  for p in swtpm_libvirt swtpm swtpm_svirt; do
    %selinux_modules_uninstall -s %{selinuxtype} $p
  done
 fi
 %posttrans selinux
 %selinux_relabel_post -s %{selinuxtype}
 %ldconfig_post libs
 %ldconfig_postun libs
 %files
 %license LICENSE
 %doc README
 %{_bindir}/swtpm
 %{_mandir}/man8/swtpm.8*
 %files selinux
 %{_datadir}/selinux/packages/swtpm.pp
 %{_datadir}/selinux/packages/swtpm_libvirt.pp
 %{_datadir}/selinux/packages/swtpm_svirt.pp
 %{_sysconfdir}/ssl/openssl-swtpm.cnf
 %files libs
 %license LICENSE
 %doc README
 %dir %{_libdir}/%{name}
 %{_libdir}/%{name}/libswtpm_libtpms.so.0
 %{_libdir}/%{name}/libswtpm_libtpms.so.0.0.0
 %files devel
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/*.h
 %{_mandir}/man3/swtpm_ioctls.3*
 %files tools
 %doc README
 %{_bindir}/swtpm_bios
 %if %{with gnutls}
 %{_bindir}/swtpm_cert
 %endif
 %{_bindir}/swtpm_setup
 %{_bindir}/swtpm_ioctl
 %{_bindir}/swtpm_localca
 %{_mandir}/man5/swtpm-localca.conf.5*
 %{_mandir}/man5/swtpm-localca.options.5*
 %{_mandir}/man5/swtpm_setup.conf.5*
 %{_mandir}/man8/swtpm_bios.8*
 %{_mandir}/man8/swtpm_cert.8*
 %{_mandir}/man8/swtpm_ioctl.8*
 %{_mandir}/man8/swtpm-localca.8*
 %{_mandir}/man8/swtpm_localca.8*
 %{_mandir}/man8/swtpm_setup.8*
 %exclude %{_mandir}/man8/swtpm_cuse.8.gz
 %config(noreplace) %{_sysconfdir}/swtpm_setup.conf
 %config(noreplace) %{_sysconfdir}/swtpm-localca.options
 %config(noreplace) %{_sysconfdir}/swtpm-localca.conf
 %dir %{_datadir}/swtpm
 %{_datadir}/swtpm/swtpm-localca
 %{_datadir}/swtpm/swtpm-create-user-config-files
 %attr( 750, tss, root) %{_localstatedir}/lib/swtpm-localca
 %files tools-pkcs11
 %{_mandir}/man8/swtpm-create-tpmca.8*
 %{_datadir}/swtpm/swtpm-create-tpmca
 %changelog
 * Tue Jan 14 2025 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.0-5
 - Add extra SELinux policies.
  https://github.com/stefanberger/swtpm/issues/970
  Resolves: RHEL-70835
  Resolves: RHEL-73809
 * Mon Nov 04 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.0-4
 - Add extra SELinux policies.
  Related: RHEL-53967
 - Fix FTBFS, add gmp-devel
  Resolves: RHEL-65460
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.9.0-3
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
 * Wed Jul 17 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.0-2
 - Add extra SELinux policies.
  Resolves: RHEL-47273
 * Tue Jul 09 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.0-1
 - Update to v0.9.0 release
  Resolves: RHEL-42590
 - Fix SHA-1 algorithm availability
  Resolves: RHEL-46754
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.8.1-6
 - Bump release for June 2024 mass rebuild
 * Sun Jan 28 2024 Peter Robinson <pbrobinson@fedoraproject.org> - 0.8.1-5
 - Use tpm2-tss to provide tss account
 * Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Wed Aug 16 2023 Stefan Berger <stefanb@linux.ibm.com> - 0.8.1-3
 - Build for i686 again since dependency issue resolved
 * Tue Aug 15 2023 Stefan Berger <stefanb@linux.ibm.com> - 0.8.1-2
 - Don't build tools-pkcs11 for i686 since python-tpm2-pytss is not built for it
 - Set license to BSD-3-Clause for all packages
 * Tue Aug 15 2023 Stefan Berger <stefanb@linux.ibm.com> - 0.8.1-1
 - Update to v0.8.1 release
 * Sat Jul 22 2023 Adam Williamson <awilliam@redhat.com> - 0.8.0-7
 - Make swtpm-selinux Requires(post) swtpm (#2223276)
 * Thu Jul 20 2023 Stefan Berger <stefanb@linux.ibm.com> - 0.8.0-6
 - Added a 'Requires' on swtpm for swtpm-selinux package
 * Wed Jul 19 2023 Stefan Berger <stefanb@linux.ibm.com> - 0.8.0-4
 - Split off SELinux policy into swtpm-selinux
 * Mon May 15 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 0.8.0-4
 - Remove trousers dependency from RHEL builds
 * Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Thu Nov 10 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.8.0-2
 - Adding patch needed on Rawhide build servers only
 * Thu Nov 10 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.8.0-1
 - Update to v0.8.0 release
 * Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.3-2.20220427gitf2268ee
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Wed Apr 27 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.7.3-1.20220427gitf2268ee
 - Update to v0.7.3 release
 * Mon Mar 07 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.7.2-1.20220307git21c90c1
 - Update to v0.7.2 release
 * Fri Feb 18 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.7.1-1.20220218git92a7035
 - Update to v0.7.1 release
 * Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-2.20211109gitb79fd91
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Tue Nov 09 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.7.0-1.20211109gitb79fd91
 - Update to v0.7.0 release
 * Tue Sep 21 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.6.1-1.20210921git98187d2
 - Update to v0.6.1 release
 * Thu Sep 16 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.6.1-0.20210916gita0ca7c3
 - Build upcoming v0.6.1 that has patch to build with OpenSSL 3.0.0
 * Thu Sep 16 2021 Stefan Berger <stefanb@linux.ibm.com.> - 0.6.0-5.20210607gitea627b3
 - Applied patch with -Wno-deprecated-declarations for build with OpenSSL 3.0.0
 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.6.0-4.20210607gitea627b3
 - Rebuilt with OpenSSL 3.0.0
 * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-3.20210607gitea627b3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Tue Jul 13 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 0.6.0-2.20210706gitea627b
 - Add an explicit BuildRequires for python3-devel
 * Mon Jun 07 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.6.0-1.20210706gitea627b
 - Update to v0.6.0 release
 * Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 0.5.2-4.20201226gite59c0c1
 - Rebuilt for Python 3.10
 * Wed Apr 07 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.5.2-3.20201226gite59c0c1
 - Remove unnecessary python3-twisted dependency
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.2-2.20201226gite59c0c1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Sat Dec 26 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.2-1.20201226gite59c0c1a
 - Bugfixes for stable release
 * Mon Dec 07 2020 Jeff Law <law@redhat.com> - 0.5.1-3.20201117git96f5a04c
 - Avoid diagnostic from gcc-11
 * Fri Nov 13 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.1-2.20201117git96f5a04c
 - Another build of v0.5.1 after more fixes
 * Fri Nov 13 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.1-1.20201007git390f5bd4
 - Update to v0.5.1 addressing potential symlink attack issue (CVE-2020-28407)
 * Wed Oct 7 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.0-1.20201007gitb931e109
 - Update to v0.5.0 release
 * Fri Aug 28 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.4.0-1.20200828git0c238a2
 - Update to v0.4.0 release
 * Thu Aug 27 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.3.4-2.20200711git80f0418
 - Disable pkcs11 related test case running into GnuTLS locking bug
 * Tue Aug 11 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.3.4-1.20200711git80f0418
 - Update to v0.3.4 release
 * Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-3.20200218git74ae43b
 - Second attempt - Rebuilt for
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-2.20200218git74ae43b
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Feb 24 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.3.0-1.20200218git74ae43b
 - Update to v0.3.0 release
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-7.20191115git8dae4b3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Fri Nov 15 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-6.20191018git8dae4b3
 - follow stable-0.2.0 branch with fix of GnuTLS API call to get subject key ID
 * Fri Oct 18 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-5.20191018git9227cf4
 - follow stable-0.2.0 branch with swtpm_cert OID bugfix for TPM 2
 * Tue Aug 13 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-4.20190801git13536aa
 - run 'restorecon' on swtpm in post to get SELinux label on first install
 * Thu Aug 01 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-3.20190801git13536aa
 - follow stable-0.2.0 branch with some bug fixes
 * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-2.20190723gitf0b4137
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Tue Jul 23 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-1.20190723gitf0b4137
 - follow stable-0.2.0 branch with some bug fixes
 * Tue Jul 16 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-0.20190716git374b669
 - (tentative) v0.2.0 release of swtpm
 * Thu Apr 25 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20190425gitca85606
 - pick up bug fixes
 * Mon Feb 04 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20190204git2c25d13.1
 - v0.1.0 release of swtpm
 * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.0-0.20181212git8b9484a.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Wed Dec 12 2018 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20181212git8b9484a
 - Follow improvements in swtpm repo primarily related to fixes for 'ubsan'
 * Tue Nov 06 2018 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20181106git05d8160
 - Follow improvements in swtpm repo
 - Remove ownership change of swtpm_setup.sh; have root own the file as required
 * Wed Oct 31 2018 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20181031gitc782a85
 - Follow improvements and fixes in swtpm
 * Tue Oct 02 2018 Stefan Berger <stefanb@linux.vnet.ibm.com> - 0.1.0-0.20181002git0143c41
 - Fixes to SELinux policy
 - Improvements on various other parts
 * Tue Sep 25 2018 Stefan Berger <stefanb@linux.vnet.ibm.com> - 0.1.0-0.20180924gitce13edf
 - Initial Fedora build
 * Mon Sep 17 2018 Stefan Berger <stefanb@linux.vnet.ibm.com> - 0.1.0-0.20180918git67d7ea3
 - Created initial version of rpm spec files
 - Version is now 0.1.0
 - Bugzilla for this spec: https://bugzilla.redhat.com/show_bug.cgi?id=1611829
`@ -1 +1 @@`
	`swtpm-0.9.0.tar.gz`	`SOURCES/swtpm-b79fd91.tar.gz`
		`@ -0,0 +1 @@`
							`b79a2d005663868139f0678cddeecf70278ec219 SOURCES/swtpm-b79fd91.tar.gz`
		`@ -1 +0,0 @@`
			`SHA512 (swtpm-0.9.0.tar.gz) = 4f1723679b85218e80ea6aacdffa687e541ee309ddab9bcb8d8e5aa0b461ee431c880f2e300f1dcae112646f3636593005a342ee0cb762ec115aa599369e111c`