Compare commits


No commits in common. "c8s-stream-rhel" and "c9-beta" have entirely different histories.

7 changed files with 151 additions and 462 deletions

.gitignore

@ -1 +1 @@
SOURCES/swtpm-b79fd91.tar.gz SOURCES/swtpm-0.8.0.tar.gz


@ -1 +1 @@
b79a2d005663868139f0678cddeecf70278ec219 SOURCES/swtpm-b79fd91.tar.gz 742e598ae731d3aa7283b104153cfabdc3b73643 SOURCES/swtpm-0.8.0.tar.gz
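Review bot: the lookaside entry pins SOURCES/swtpm-0.8.0.tar.gz by a 40-hex (SHA-1) digest only, and Source0 in the spec further down fetches it from the GitHub auto-generated archive URL (`%{url}/archive/v%{version}/%{name}-%{version}.tar.gz`), which is not a release-signed artifact. Please record in the commit or changelog how the tarball was verified against upstream's v0.8.0 tag before it was uploaded, so the supply-chain check is reproducible by the next person who rebases.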


@ -1,54 +0,0 @@
From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 16 Feb 2022 11:17:47 -0500
Subject: [PATCH] swtpm: Check header size indicator against expected size (CID 375869)
This fix addresses Coverity issue CID 375869.
Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.
Without this fix a specially crafted header could have caused out-of-bounds
accesses on the byte array containing the swtpm's state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/swtpm/swtpm_nvstore.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c
index 437088370e11..144d8975ec54 100644
--- a/src/swtpm/swtpm_nvstore.c
+++ b/src/swtpm/swtpm_nvstore.c
@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
uint8_t *hdrversion, bool quiet)
{
blobheader *bh = (blobheader *)data;
+ uint16_t hdrsize;
if (length < sizeof(bh)) {
if (!quiet)
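Review bot: the pre-existing guard `if (length < sizeof(bh))` compares against the size of the pointer `bh`, not of the structure it points to, while the new check added in the next hunk compares `hdrsize` against `sizeof(blobheader)`. Use the same expression (`sizeof(blobheader)` or `sizeof(*bh)`) in the length guard so that the reads of `bh->hdrsize`, `bh->version` and `bh->flags` are bounded by the real header size rather than by the platform's pointer width.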
@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
return TPM_BAD_VERSION;
}
+ hdrsize = ntohs(bh->hdrsize);
+ if (hdrsize != sizeof(blobheader)) {
+ logprintf(STDERR_FILENO,
+ "bad header size: %u != %zu\n",
+ hdrsize, sizeof(blobheader));
+ return TPM_BAD_DATASIZE;
+ }
+
*hdrversion = bh->version;
- *dataoffset = ntohs(bh->hdrsize);
+ *dataoffset = hdrsize;
*hdrflags = ntohs(bh->flags);
return TPM_SUCCESS;
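Review bot: the new "bad header size" error is logged unconditionally, whereas the other checks in this function honor the `quiet` parameter (`if (!quiet)` precedes the existing logprintf). Wrap the new logprintf in `if (!quiet)` so callers that probe state blobs speculatively do not emit spurious errors. The check itself is right: rejecting any `hdrsize != sizeof(blobheader)` before the value is stored in `*dataoffset` closes the out-of-bounds access described in the commit message.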
--
2.34.1.428.gdcc0cd074f0c


@ -1,279 +0,0 @@
From a39c3792ba5677f25fea903b9f1a43740a5f2c0c Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 8 Jun 2022 09:19:07 -0400
Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures
While libtpms does not provide any means to disable FIPS-disabled crypto
algorithms from being used, work around the issue by simply disabling the
FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
swtpm with a failure message that it cannot be disabled. If FIPS mode
was successfully disabled, print out a message as well.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
configure.ac | 9 ++++
src/swtpm/Makefile.am | 2 +
src/swtpm/cuse_tpm.c | 5 ++
src/swtpm/fips.c | 100 ++++++++++++++++++++++++++++++++++++++
src/swtpm/fips.h | 43 ++++++++++++++++
src/swtpm/swtpm.c | 3 ++
src/swtpm/swtpm_chardev.c | 3 ++
src/swtpm/utils.h | 2 +
8 files changed, 167 insertions(+)
create mode 100644 src/swtpm/fips.c
create mode 100644 src/swtpm/fips.h
diff --git a/configure.ac b/configure.ac
index ad3054e..30288c7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -156,6 +156,15 @@ openssl)
AC_MSG_RESULT([Building with openssl crypto library])
LIBCRYPTO_LIBS=$(pkg-config --libs libcrypto)
AC_SUBST([LIBCRYPTO_LIBS])
+ AC_CHECK_HEADERS([openssl/fips.h],
+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_H], 1,
+ [whether openssl/fips.h is available])]
+ )
+ AC_CHECK_LIB(crypto,
+ [FIPS_mode_set],
+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_MODE_SET_API], 1,
+ [whether FIPS_mode_set API is available])]
+ )
;;
esac
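Review bot: both probes test only the legacy API (the `openssl/fips.h` header and the `FIPS_mode_set` symbol in libcrypto). fips.c in this patch compiles its real implementation only when one of the resulting `HAVE_*` macros is defined, yet its OpenSSL 3 branch calls `EVP_default_properties_is_fips_enabled`/`EVP_default_properties_enable_fips` and needs neither the header nor that symbol. If a 3.x libcrypto satisfies neither probe, the stub that returns 0 is built and FIPS mode is never disabled. Add a probe for `EVP_default_properties_enable_fips` (or key the 3.x path on `OPENSSL_VERSION_NUMBER` alone) and confirm the generated config.h on an OpenSSL 3 build, which is what the c9 changelog says this package is built against.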
diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am
index 5454a6f..2a65950 100644
--- a/src/swtpm/Makefile.am
+++ b/src/swtpm/Makefile.am
@@ -11,6 +11,7 @@ noinst_HEADERS = \
capabilities.h \
common.h \
ctrlchannel.h \
+ fips.h \
key.h \
locality.h \
logging.h \
@@ -40,6 +41,7 @@ libswtpm_libtpms_la_SOURCES = \
capabilities.c \
common.c \
ctrlchannel.c \
+ fips.c \
key.c \
logging.c \
mainloop.c \
diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
index 9dbc00d..3026e26 100644
--- a/src/swtpm/cuse_tpm.c
+++ b/src/swtpm/cuse_tpm.c
@@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
goto exit;
}
+ if (disable_fips_mode() < 0) {
+ ret = -1;
+ goto exit;
+ }
+
if (tpmlib_register_callbacks(&cbs) != TPM_SUCCESS) {
ret = -1;
goto exit;
diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c
new file mode 100644
index 0000000..eeb2a0c
--- /dev/null
+++ b/src/swtpm/fips.c
@@ -0,0 +1,100 @@
+/*
+ * fips.c -- FIPS mode related functions
+ *
+ * (c) Copyright IBM Corporation 2022.
+ *
+ * Author: Stefan Berger <stefanb@us.ibm.com>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * Neither the names of the IBM Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "fips.h"
+#include "logging.h"
+
+#if defined(HAVE_OPENSSL_FIPS_H)
+# include <openssl/fips.h>
+#elif defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
+/* Cygwin has no fips.h but API exists */
+extern int FIPS_mode(void);
+extern int FIPS_mode_set(int);
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+# include <openssl/evp.h>
+#endif
+
+#include <openssl/err.h>
+
+/*
+ * disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures
+ *
+ * While libtpms does not provide a solution to disable deactivated algorithms
+ * avoid libtpms failures due to FIPS mode enablement by disabling FIPS mode.
+ *
+ * Returns < 0 on error, 0 otherwise.
+ */
+#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
+int disable_fips_mode(void)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ int mode = EVP_default_properties_is_fips_enabled(NULL);
+#else
+ int mode = FIPS_mode();
+#endif
+ int ret = 0;
+
+ if (mode != 0) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ int rc = EVP_default_properties_enable_fips(NULL, 0);
+#else
+ int rc = FIPS_mode_set(0);
+#endif
+ if (rc == 1) {
+ logprintf(STDOUT_FILENO,
+ "Warning: Disabled OpenSSL FIPS mode\n");
+ } else {
+ unsigned long err = ERR_get_error();
+ logprintf(STDERR_FILENO,
+ "Failed to disable OpenSSL FIPS mode: %s\n",
+ ERR_error_string(err, NULL));
+ ret = -1;
+ }
+ }
+ return ret;
+}
+#else
+/* OpenBSD & DragonFlyBSD case */
+int disable_fips_mode(void)
+{
+ return 0;
+}
+#endif
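Review bot: `OPENSSL_VERSION_NUMBER` is tested at the first `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` before any OpenSSL header is guaranteed to have been included: the only earlier include, `<openssl/fips.h>`, is itself conditional, and `<openssl/err.h>` comes after the test. An undefined macro evaluates to 0 in `#if`, so on the path without fips.h `<openssl/evp.h>` is skipped and the EVP calls in the function body are undeclared. Include `<openssl/opensslv.h>` (or move the `<openssl/err.h>` include) above that test. Minor: `ERR_error_string(err, NULL)` writes into a static buffer; `ERR_error_string_n` into a local buffer is the reentrant form.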
diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h
new file mode 100644
index 0000000..14d4e9f
--- /dev/null
+++ b/src/swtpm/fips.h
@@ -0,0 +1,43 @@
+/*
+ * fips.h -- FIPS mode related functions
+ *
+ * (c) Copyright IBM Corporation 2015.
+ *
+ * Author: Stefan Berger <stefanb@us.ibm.com>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * Neither the names of the IBM Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SWTPM_UTILS_H_
+#define _SWTPM_UTILS_H_
+
+int disable_fips_mode(void);
+
+#endif /* _SWTPM_UTILS_H_ */
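Review bot: the include guard `_SWTPM_UTILS_H_` is copied from utils.h (see the `#endif /* _SWTPM_UTILS_H_ */` context in the utils.h hunk below), so whichever of the two headers is included second in a translation unit is silently emptied. Give this header its own guard, e.g. `_SWTPM_FIPS_H_`. The copyright line also says 2015 while the matching fips.c says 2022.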
diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c
index 722a743..e618c56 100644
--- a/src/swtpm/swtpm.c
+++ b/src/swtpm/swtpm.c
@@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface)
daemonize_finish();
}
+ if (disable_fips_mode() < 0)
+ goto error_seccomp_profile;
+
rc = mainLoop(&mlp, notify_fd[0]);
error_seccomp_profile:
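Review bot: `disable_fips_mode()` is called after `daemonize_finish()`, i.e. after the parent has been released and the invoker has already been told that startup succeeded, so a failure to disable FIPS mode is visible only in the daemon's log and not in the caller's exit status. Call it before `daemonize_finish()` so the failure propagates to whoever started swtpm. The same ordering applies to swtpm_chardev.c below.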
diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c
index 9710927..ab6d8fd 100644
--- a/src/swtpm/swtpm_chardev.c
+++ b/src/swtpm/swtpm_chardev.c
@@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i
daemonize_finish();
}
+ if (disable_fips_mode() < 0)
+ goto error_seccomp_profile;
+
rc = mainLoop(&mlp, notify_fd[0]);
error_seccomp_profile:
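Review bot: same ordering point as in swtpm.c: the call sits after `daemonize_finish()`, so the invoker cannot observe the failure; move it before.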
diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h
index 7502442..b8acd89 100644
--- a/src/swtpm/utils.h
+++ b/src/swtpm/utils.h
@@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt);
ssize_t read_eintr(int fd, void *buffer, size_t buflen);
+int disable_fips_mode(void);
+
#endif /* _SWTPM_UTILS_H_ */
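Review bot: `disable_fips_mode()` is now declared twice, here and in the new fips.h. Keep the prototype in fips.h only and include fips.h where the function is used, so the header that owns the function is the one that documents it.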
--
2.36.1


@ -1,65 +0,0 @@
From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Tue, 1 Feb 2022 12:40:06 -0500
Subject: [PATCH] swtpm_localca: Test for available issuercert before creating CA
Avoid trying to create TPM certificates while the issuer certificate has
not been created yet (in a 2nd step).
To resolve this do not just test for availability of the signing key, which
is created first, but also test for the issuer certificate, which is created
in a 2nd step when the local CA is created. If either one is missing,
attempt to create the CA.
Resolves: https://github.com/stefanberger/swtpm/issues/644
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
index 037bfd5266bb..089e4e0db4ce 100644
--- a/src/swtpm_localca/swtpm_localca.c
+++ b/src/swtpm_localca/swtpm_localca.c
@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
goto error;
}
- if (access(signkey, R_OK) != 0) {
+ if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
g_autofree gchar *directory = g_path_get_dirname(signkey);
g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
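Review bot: `access(issuercert, R_OK) != 0` in create_localca_cert() conflates "missing" with "present but unreadable"; the matching change in main() below distinguishes the two with stat() and refuses to continue in the unreadable case. Since this branch is where the root CA paths (`swtpm-localca-rootca-privkey.pem`, `swtpm-localca-rootca-cert.pem`) are assembled for CA creation, add the same stat() guard here so that an unreadable issuer cert cannot lead to an existing root CA being recreated.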
@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
if (ret != 0)
goto error;
} else {
+ int create_certs = 0;
+
+ /* create certificate if either the signing key or issuer cert are missing */
if (access(signkey, R_OK) != 0) {
if (stat(signkey, &statbuf) == 0) {
logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
signkey, curr_user ? curr_user->pw_name : "<unknown>");
goto error;
}
+ create_certs = 1;
+ }
+
+ if (access(issuercert, R_OK) != 0) {
+ if (stat(issuercert, &statbuf) == 0) {
+ logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
+ issuercert, curr_user ? curr_user->pw_name : "<unknown>");
+ goto error;
+ }
+ create_certs = 1;
+ }
+ if (create_certs) {
logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
issuercert) != 0) {
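Review bot: when `create_certs` is set because only the issuer certificate is missing, the log line still reads "Creating root CA and a local CA's signing key and issuer cert", which does not tell an operator that an existing signing key is being replaced. Log which of the two files was missing (the two access() checks already know), so a wiped or mislabelled issuer cert can be told apart from a first run.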
--
2.37.0.rc0


@ -0,0 +1,37 @@
From 95cd8db3dc822d8f741b90d560e50f44841f9d29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Tue, 22 Nov 2022 11:24:57 +0400
Subject: [PATCH] swtpm_setup: fix -Werror=maybe-uninitialized
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
/usr/include/glib-2.0/glib/glib-autocleanups.h:30:3: error: argv may be used uninitialized [-Werror=maybe-uninitialized]
30 | g_free (*pp);
| ^~~~~~~~~~~~
swtpm_setup.c: In function get_swtpm_capabilities.constprop.0:
swtpm_setup.c:940:24: note: argv was declared here
940 | g_autofree gchar **argv;
| ^~~~
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
src/swtpm_setup/swtpm_setup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c
index 1b528c8..3570235 100644
--- a/src/swtpm_setup/swtpm_setup.c
+++ b/src/swtpm_setup/swtpm_setup.c
@@ -937,7 +937,7 @@ static int get_swtpm_capabilities(gchar **swtpm_prg_l, gboolean is_tpm2,
gchar *my_argv[] = { "--print-capabilities", is_tpm2 ? "--tpm2" : NULL, NULL };
g_autofree gchar *logop = NULL;
g_autoptr(GError) error = NULL;
- g_autofree gchar **argv;
+ g_autofree gchar **argv = NULL;
int exit_status = 0;
gboolean success;
int ret = 1;
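Review bot: the initializer is required rather than cosmetic: `g_autofree` runs g_free() on the pointer at every scope exit, including paths where `argv` was never assigned (the warning quoted in the commit message is raised from glib-autocleanups.h for exactly that reason). Worth checking the rest of get_swtpm_capabilities() for other `g_autofree` declarations without an initializer while you are here.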
--
2.38.1


@ -1,9 +1,5 @@
%bcond_without gnutls %bcond_without gnutls
%global gitdate 20211109
%global gitcommit b79fd91c4b4a74c9c5027b517c5036952c5525db
%global gitshortcommit %(c=%{gitcommit}; echo ${c:0:7})
# Macros needed by SELinux # Macros needed by SELinux
%global selinuxtype targeted %global selinuxtype targeted
%global moduletype contrib %global moduletype contrib
@ -11,15 +7,12 @@
Summary: TPM Emulator Summary: TPM Emulator
Name: swtpm Name: swtpm
Version: 0.7.0 Version: 0.8.0
Release: 4.%{gitdate}git%{gitshortcommit}%{?dist} Release: 1%{?dist}
License: BSD License: BSD
Url: http://github.com/stefanberger/swtpm Url: https://github.com/stefanberger/swtpm
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
ExcludeArch: i686 Patch0001: 0001-swtpm_setup-fix-Werror-maybe-uninitialized.patch
Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
Patch0002: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
Patch0003: 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
BuildRequires: make BuildRequires: make
BuildRequires: git-core BuildRequires: git-core
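Review bot: the c9-beta side carries no `ExcludeArch: i686` and drops the three patches that c8s-stream-rhel applies on top of the 0.7.0 snapshot, but its 0.8.0-1 changelog entry only says "Update to v0.8.0 release". Two of the dropped patches are security fixes (the CVE-2022-23645 header-size check and the FIPS-mode workaround for rhbz#2090219); the changelog should state that both are contained in the 0.8.0 tarball so the c9 history records where the fixes went. If 32-bit x86 is not a build target on c9 the missing ExcludeArch is fine; otherwise carry it over.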
@ -27,12 +20,13 @@ BuildRequires: automake
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: libtool BuildRequires: libtool
BuildRequires: libtpms-devel >= 0.6.0 BuildRequires: libtpms-devel >= 0.6.0
BuildRequires: glib2-devel
BuildRequires: json-glib-devel
BuildRequires: expect BuildRequires: expect
BuildRequires: net-tools BuildRequires: net-tools
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: socat BuildRequires: socat
BuildRequires: softhsm BuildRequires: softhsm
BuildRequires: json-glib-devel
%if %{with gnutls} %if %{with gnutls}
BuildRequires: gnutls >= 3.4.0 BuildRequires: gnutls >= 3.4.0
BuildRequires: gnutls-devel BuildRequires: gnutls-devel
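Review bot: the c9-beta side drops the explicit `BuildRequires: glib2-devel` and keeps only json-glib-devel. glib2-devel arrives transitively, but the swtpm_setup and swtpm_localca code in this diff uses GLib directly (`g_autofree`, `g_strjoin`, `g_path_get_dirname`), so the dependency should be declared explicitly rather than relied on through json-glib.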
@ -43,8 +37,7 @@ BuildRequires: libtasn1
BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-devel
BuildRequires: gcc BuildRequires: gcc
BuildRequires: libseccomp-devel BuildRequires: libseccomp-devel
BuildRequires: tpm2-tools tpm2-abrmd BuildRequires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
BuildRequires: python3-devel
Requires: %{name}-libs = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
Requires: libtpms >= 0.6.0 Requires: libtpms >= 0.6.0
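Review bot: `BuildRequires: python3-devel` is absent on the c9-beta side while `tpm2-pkcs11 tpm2-pkcs11-tools` are added both here and to the tools-pkcs11 Requires. The 0.8.0-1 changelog mentions neither; a one-line rationale (is Python no longer needed by the 0.8.0 build, and are the pkcs11 tools there so the pkcs11 case runs in %check?) would save the next rebase from guessing.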
@ -78,17 +71,17 @@ Requires: bash gnutls-utils
Tools for the TPM emulator from the swtpm package Tools for the TPM emulator from the swtpm package
%package tools-pkcs11 %package tools-pkcs11
Summary: Tools for creating a local CA based on a TPM pkcs11 device Summary: Tools for creating a local CA based on a pkcs11 device
License: BSD License: BSD
Requires: swtpm-tools = %{version}-%{release} Requires: swtpm-tools = %{version}-%{release}
Requires: tpm2-tools tpm2-abrmd Requires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
Requires: expect gnutls-utils Requires: expect gnutls-utils
%description tools-pkcs11 %description tools-pkcs11
Tools for creating a local CA based on a pkcs11 device Tools for creating a local CA based on a pkcs11 device
%prep %prep
%autosetup -S git -n %{name}-%{gitcommit} -p1 %autosetup -S git -p1
%build %build
@ -97,10 +90,9 @@ NOCONFIGURE=1 ./autogen.sh
%if %{with gnutls} %if %{with gnutls}
--with-gnutls \ --with-gnutls \
%endif %endif
--without-cuse \ --without-cuse
--without-tpm1
%make_build V=1 %make_build
%check %check
make %{?_smp_mflags} check VERBOSE=1 make %{?_smp_mflags} check VERBOSE=1
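Review bot: the c9-beta configure line has `--without-cuse` but no `--without-tpm1`, so TPM 1.2 support is compiled in, while the c9 changelog (0.5.2-7 entry) says the vTPM 1.2 dependency was removed as unsupported. Either pass `--without-tpm1` as c8s-stream-rhel does or document that 1.2 is built but unsupported. Also `%make_build V=1` became plain `%make_build`; keeping `V=1` preserves the full compiler command lines in build logs, which is what you need when auditing hardening flags.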
@ -109,6 +101,7 @@ make %{?_smp_mflags} check VERBOSE=1
%make_install %make_install
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so} rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so}
rm $RPM_BUILD_ROOT%{_mandir}/man8/swtpm_cuse.8*
%post %post
for pp in /usr/share/selinux/packages/swtpm.pp \ for pp in /usr/share/selinux/packages/swtpm.pp \
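Review bot: deleting `%{_mandir}/man8/swtpm_cuse.8*` by hand in %install works, but the usual spec idiom for a man page that `--without-cuse` still installs is an `%exclude` in the %files list, which keeps the decision next to the file list and makes it visible to rpmlint.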
@ -163,12 +156,12 @@ fi
%{_mandir}/man8/swtpm_bios.8* %{_mandir}/man8/swtpm_bios.8*
%{_mandir}/man8/swtpm_cert.8* %{_mandir}/man8/swtpm_cert.8*
%{_mandir}/man8/swtpm_ioctl.8* %{_mandir}/man8/swtpm_ioctl.8*
%{_mandir}/man8/swtpm-localca.conf.8* %{_mandir}/man5/swtpm-localca.conf.5*
%{_mandir}/man8/swtpm-localca.options.8* %{_mandir}/man5/swtpm-localca.options.5*
%{_mandir}/man8/swtpm-localca.8* %{_mandir}/man8/swtpm-localca.8*
%{_mandir}/man8/swtpm_localca.8* %{_mandir}/man8/swtpm_localca.8*
%{_mandir}/man8/swtpm_setup.8* %{_mandir}/man8/swtpm_setup.8*
%{_mandir}/man8/swtpm_setup.conf.8* %{_mandir}/man5/swtpm_setup.conf.5*
%config(noreplace) %{_sysconfdir}/swtpm_setup.conf %config(noreplace) %{_sysconfdir}/swtpm_setup.conf
%config(noreplace) %{_sysconfdir}/swtpm-localca.options %config(noreplace) %{_sysconfdir}/swtpm-localca.options
%config(noreplace) %{_sysconfdir}/swtpm-localca.conf %config(noreplace) %{_sysconfdir}/swtpm-localca.conf
@ -182,55 +175,112 @@ fi
%{_datadir}/swtpm/swtpm-create-tpmca %{_datadir}/swtpm/swtpm-create-tpmca
%changelog %changelog
* Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-4.20211109gitb79fd91 * Tue Nov 22 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.8.0-1
- swtpm_localca: Test for available issuercert before creating CA - Update to v0.8.0 release
Resolves: rhbz#2100508 Resolves: rhbz#2092944
* Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91 * Fri Jun 17 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
- Disable OpenSSL FIPS mode to avoid libtpms failures - Disable OpenSSL FIPS mode to avoid libtpms failures
Resolves: rhbz#2097947 Resolves: rhbz#2090219
* Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91 * Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
- Add fix for CVE-2022-23645. - Add fix for CVE-2022-23645.
Resolves: rhbz#2056517 Resolves: rhbz#2056518
* Tue Jan 04 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91 * Fri Nov 12 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
- Rebase to 0.7.0, disable TPM 1.2. - Update to v0.7.0 release
Resovles: rhbz#2029612 Resolves: rhbz#2021580 & rhbz#1990153
* Thu Sep 16 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-2.20210607gitea627b3 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.6.0-3.20210607gitea627b3
- rebuilt with missing CFLAGS fix. - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Jun 28 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-1.20210607gitea627b3 * Mon Jul 12 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-2.20210607gitea627b3
- Update to 0.6.0. - rebuilt with AM_* flags patch
Resolves: rhbz#1972783
* Tue Dec 1 20:40:07 +04 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.2-1.20201201git2df14e3 * Wed Jun 16 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-1.20210607gitea627b3
- Update to 0.4.2, to address potential symlink vulnerabilities (CVE-2020-28407). - new version
Resolves: rhbz#1906043 - Fixes: rhbz#1972785
* Thu Sep 24 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.0-3.20200828git0c238a2 * Wed Jun 16 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.5.2-7.20201226gite59c0c1
- swtpm_setup: Add missing .config path when using ${HOME}. Resolves: rhbz#1881418 - Removed trouser dependency (used for vTPM 1.2, unsupported)
- Fixes: rhbz#1967919
* Thu Sep 17 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.0-2.20200828git0c238a2 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.5.2-6.20201226gite59c0c1
- Backport fixes from 0.4.0 stable branch. Resolves: rhbz#1868375 - Rebuilt for RHEL 9 BETA for openssl 3.0
(fixes usage of swtpm-localca with passwords when signing keys) Related: rhbz#1971065
* Sat Sep 12 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.0-1.20200828git0c238a2 * Tue May 18 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.5.2-5.20201226gite59c0c1
- Update to v0.4.0. Resolves: rhbz#1868375 - Add -Wno-error=deprecated-declarations to fix build with OpenSSL 3.0.
- Fixes: rhbz#1958033
* Thu May 28 2020 Marc-André Lureau <marcandre.lureau@gmail.com> - 0.3.0-1.20200218git74ae43b * Tue Apr 20 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.5.2-4.20201226gite59c0c1
- Update to v0.3.0. Fixes rhbz#1809778 - Remove unnecessary twisted dependency.
- exclude i686 build - Fixes: rhbz#1935825
* Mon Jan 27 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.2.0-2.20200127gitff5a83b * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.5.2-3.20201226gite59c0c1
- Update to latest 0.2-stable branch, fix random test failure. rhbz#1782451 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Oct 18 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.2.0-1.20191018git9227cf4 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.2-2.20201226gite59c0c1
- rebuilt - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Aug 13 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.1.0-1.20190425gitca85606.1 * Sat Dec 26 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.2-1.20201226gite59c0c1a
- Fix SELinux labels on /usr/bin/swtpm installation rhbz#1739994 - Bugfixes for stable release
* Mon Dec 07 2020 Jeff Law <law@redhat.com> - 0.5.1-3.20201117git96f5a04c
- Avoid diagnostic from gcc-11
* Fri Nov 13 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.1-2.20201117git96f5a04c
- Another build of v0.5.1 after more fixes
* Fri Nov 13 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.1-1.20201007git390f5bd4
- Update to v0.5.1 addressing potential symlink attack issue (CVE-2020-28407)
* Wed Oct 7 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.0-1.20201007gitb931e109
- Update to v0.5.0 release
* Fri Aug 28 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.4.0-1.20200828git0c238a2
- Update to v0.4.0 release
* Thu Aug 27 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.3.4-2.20200711git80f0418
- Disable pkcs11 related test case running into GnuTLS locking bug
* Tue Aug 11 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.3.4-1.20200711git80f0418
- Update to v0.3.4 release
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-3.20200218git74ae43b
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-2.20200218git74ae43b
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Feb 24 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.3.0-1.20200218git74ae43b
- Update to v0.3.0 release
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-7.20191115git8dae4b3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Nov 15 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-6.20191018git8dae4b3
- follow stable-0.2.0 branch with fix of GnuTLS API call to get subject key ID
* Fri Oct 18 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-5.20191018git9227cf4
- follow stable-0.2.0 branch with swtpm_cert OID bugfix for TPM 2
* Tue Aug 13 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-4.20190801git13536aa
- run 'restorecon' on swtpm in post to get SELinux label on first install
* Thu Aug 01 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-3.20190801git13536aa
- follow stable-0.2.0 branch with some bug fixes
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-2.20190723gitf0b4137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jul 23 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-1.20190723gitf0b4137
- follow stable-0.2.0 branch with some bug fixes
* Tue Jul 16 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-0.20190716git374b669
- (tentative) v0.2.0 release of swtpm
* Thu Apr 25 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20190425gitca85606 * Thu Apr 25 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20190425gitca85606
- pick up bug fixes - pick up bug fixes
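Review bot: the two streams cite different bugzillas for the same fixes (rhbz#2056517 vs rhbz#2056518 for CVE-2022-23645, rhbz#2097947 vs rhbz#2090219 for the FIPS change); that is expected for separate streams, but the 0.8.0-1 entry should say that the CVE-2022-23645 fix shipped in 0.7.0-2 is contained in 0.8.0, since this compare drops the backported patch. Also "Resovles" in the c8s 0.7.0-1 entry is a typo for "Resolves".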