SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch

@@ -0,0 +1,279 @@
+From a39c3792ba5677f25fea903b9f1a43740a5f2c0c Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Wed, 8 Jun 2022 09:19:07 -0400
+Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures
+
+While libtpms does not provide any means to disable FIPS-disabled crypto
+algorithms from being used, work around the issue by simply disabling the
+FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
+swtpm with a failure message that it cannot be disabled. If FIPS mode
+was successfully disabled, print out a message as well.
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ configure.ac              |   9 ++++
+ src/swtpm/Makefile.am     |   2 +
+ src/swtpm/cuse_tpm.c      |   5 ++
+ src/swtpm/fips.c          | 100 ++++++++++++++++++++++++++++++++++++++
+ src/swtpm/fips.h          |  43 ++++++++++++++++
+ src/swtpm/swtpm.c         |   3 ++
+ src/swtpm/swtpm_chardev.c |   3 ++
+ src/swtpm/utils.h         |   2 +
+ 8 files changed, 167 insertions(+)
+ create mode 100644 src/swtpm/fips.c
+ create mode 100644 src/swtpm/fips.h
+
+diff --git a/configure.ac b/configure.ac
+index ad3054e..30288c7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -156,6 +156,15 @@ openssl)
+ 	AC_MSG_RESULT([Building with openssl crypto library])
+ 	LIBCRYPTO_LIBS=$(pkg-config --libs libcrypto)
+ 	AC_SUBST([LIBCRYPTO_LIBS])
++	AC_CHECK_HEADERS([openssl/fips.h],
++	                 [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_H], 1,
++	                                     [whether openssl/fips.h is available])]
++	                 )
++	AC_CHECK_LIB(crypto,
++		     [FIPS_mode_set],
++		     [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_MODE_SET_API], 1,
++		                         [whether FIPS_mode_set API is available])]
++		     )
+ 	;;
+ esac
+ 
+diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am
+index 5454a6f..2a65950 100644
+--- a/src/swtpm/Makefile.am
++++ b/src/swtpm/Makefile.am
+@@ -11,6 +11,7 @@ noinst_HEADERS = \
+ 	capabilities.h \
+ 	common.h \
+ 	ctrlchannel.h \
++	fips.h \
+ 	key.h \
+ 	locality.h \
+ 	logging.h \
+@@ -40,6 +41,7 @@ libswtpm_libtpms_la_SOURCES = \
+ 	capabilities.c \
+ 	common.c \
+ 	ctrlchannel.c \
++	fips.c \
+ 	key.c \
+ 	logging.c \
+ 	mainloop.c \
+diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
+index 9dbc00d..3026e26 100644
+--- a/src/swtpm/cuse_tpm.c
++++ b/src/swtpm/cuse_tpm.c
+@@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
+         goto exit;
+     }
+ 
++    if (disable_fips_mode() < 0) {
++        ret = -1;
++        goto exit;
++    }
++
+     if (tpmlib_register_callbacks(&cbs) != TPM_SUCCESS) {
+         ret = -1;
+         goto exit;
+diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c
+new file mode 100644
+index 0000000..eeb2a0c
+--- /dev/null
++++ b/src/swtpm/fips.c
+@@ -0,0 +1,100 @@
++/*
++ * fips.c -- FIPS mode related functions
++ *
++ * (c) Copyright IBM Corporation 2022.
++ *
++ * Author: Stefan Berger <stefanb@us.ibm.com>
++ *
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are
++ * met:
++ *
++ * Redistributions of source code must retain the above copyright notice,
++ * this list of conditions and the following disclaimer.
++ *
++ * Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * Neither the names of the IBM Corporation nor the names of its
++ * contributors may be used to endorse or promote products derived from
++ * this software without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include "fips.h"
++#include "logging.h"
++
++#if defined(HAVE_OPENSSL_FIPS_H)
++# include <openssl/fips.h>
++#elif defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
++/* Cygwin has no fips.h but API exists */
++extern int FIPS_mode(void);
++extern int FIPS_mode_set(int);
++#endif
++
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++# include <openssl/evp.h>
++#endif
++
++#include <openssl/err.h>
++
++/*
++ * disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures
++ *
++ * While libtpms does not provide a solution to disable deactivated algorithms
++ * avoid libtpms failures due to FIPS mode enablement by disabling FIPS mode.
++ *
++ * Returns < 0 on error, 0 otherwise.
++ */
++#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
++int disable_fips_mode(void)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++    int mode = EVP_default_properties_is_fips_enabled(NULL);
++#else
++    int mode = FIPS_mode();
++#endif
++    int ret = 0;
++
++    if (mode != 0) {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++        int rc = EVP_default_properties_enable_fips(NULL, 0);
++#else
++        int rc = FIPS_mode_set(0);
++#endif
++        if (rc == 1) {
++            logprintf(STDOUT_FILENO,
++                      "Warning: Disabled OpenSSL FIPS mode\n");
++        } else {
++            unsigned long err = ERR_get_error();
++            logprintf(STDERR_FILENO,
++                      "Failed to disable OpenSSL FIPS mode: %s\n",
++                      ERR_error_string(err, NULL));
++            ret = -1;
++        }
++    }
++    return ret;
++}
++#else
++/* OpenBSD & DragonFlyBSD case */
++int disable_fips_mode(void)
++{
++    return 0;
++}
++#endif
+diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h
+new file mode 100644
+index 0000000..14d4e9f
+--- /dev/null
++++ b/src/swtpm/fips.h
+@@ -0,0 +1,43 @@
++/*
++ * fips.h -- FIPS mode related functions
++ *
++ * (c) Copyright IBM Corporation 2015.
++ *
++ * Author: Stefan Berger <stefanb@us.ibm.com>
++ *
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are
++ * met:
++ *
++ * Redistributions of source code must retain the above copyright notice,
++ * this list of conditions and the following disclaimer.
++ *
++ * Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * Neither the names of the IBM Corporation nor the names of its
++ * contributors may be used to endorse or promote products derived from
++ * this software without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef _SWTPM_UTILS_H_
++#define _SWTPM_UTILS_H_
++
++int disable_fips_mode(void);
++
++#endif /* _SWTPM_UTILS_H_ */
+diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c
+index 722a743..e618c56 100644
+--- a/src/swtpm/swtpm.c
++++ b/src/swtpm/swtpm.c
+@@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface)
+         daemonize_finish();
+     }
+ 
++    if (disable_fips_mode() < 0)
++        goto error_seccomp_profile;
++
+     rc = mainLoop(&mlp, notify_fd[0]);
+ 
+ error_seccomp_profile:
+diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c
+index 9710927..ab6d8fd 100644
+--- a/src/swtpm/swtpm_chardev.c
++++ b/src/swtpm/swtpm_chardev.c
+@@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i
+         daemonize_finish();
+     }
+ 
++    if (disable_fips_mode() < 0)
++        goto error_seccomp_profile;
++
+     rc = mainLoop(&mlp, notify_fd[0]);
+ 
+ error_seccomp_profile:
+diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h
+index 7502442..b8acd89 100644
+--- a/src/swtpm/utils.h
++++ b/src/swtpm/utils.h
+@@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt);
+ 
+ ssize_t read_eintr(int fd, void *buffer, size_t buflen);
+ 
++int disable_fips_mode(void);
++
+ #endif /* _SWTPM_UTILS_H_ */
+-- 
+2.36.1
+

SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch

@@ -0,0 +1,65 @@
+From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 1 Feb 2022 12:40:06 -0500
+Subject: [PATCH] swtpm_localca: Test for available issuercert before creating
+ CA
+
+Avoid trying to create TPM certificates while the issuer certificate has
+not been created, yet (in a 2nd step).
+
+To resolve this do not just test for availability of the signing key, which
+is created first, but also test for the issuer certifcate, which is created
+in a 2nd step when the local CA is created. If either one is missing,
+attempt to create the CA.
+
+Resolves: https://github.com/stefanberger/swtpm/issues/644
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
+index 037bfd5266bb..089e4e0db4ce 100644
+--- a/src/swtpm_localca/swtpm_localca.c
++++ b/src/swtpm_localca/swtpm_localca.c
+@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
+             goto error;
+     }
+ 
+-    if (access(signkey, R_OK) != 0) {
++    if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
+         g_autofree gchar *directory = g_path_get_dirname(signkey);
+         g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
+         g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
+@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
+         if (ret != 0)
+             goto error;
+     } else {
++        int create_certs = 0;
++
++        /* create certificate if either the signing key or issuer cert are missing */
+         if (access(signkey, R_OK) != 0) {
+             if (stat(signkey, &statbuf) == 0) {
+                 logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
+                        signkey, curr_user ? curr_user->pw_name : "<unknown>");
+                 goto error;
+             }
++            create_certs = 1;
++        }
++
++        if (access(issuercert, R_OK) != 0) {
++            if (stat(issuercert, &statbuf) == 0) {
++                logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
++                       issuercert, curr_user ? curr_user->pw_name : "<unknown>");
++                goto error;
++            }
++            create_certs = 1;
++        }
+ 
++        if (create_certs) {
+             logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
+             if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
+                                     issuercert) != 0) {
+-- 
+2.37.0.rc0
+

SPECS/swtpm.spec

@@ -12,11 +12,14 @@
 Summary: TPM Emulator
 Name:           swtpm
 Version:        0.7.0
-Release:        2.%{gitdate}git%{gitshortcommit}%{?dist}
+Release:        4.%{gitdate}git%{gitshortcommit}%{?dist}
 License:        BSD
 Url:            http://github.com/stefanberger/swtpm
 Source0:        %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
+ExcludeArch:    i686
 Patch0001:      0001-swtpm-Check-header-size-indicator-against-expected-s.patch
+Patch0002:      0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
+Patch0003:      0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
 
 BuildRequires: make
 BuildRequires:  git-core
@@ -40,7 +43,7 @@ BuildRequires:  libtasn1
 BuildRequires:  selinux-policy-devel
 BuildRequires:  gcc
 BuildRequires:  libseccomp-devel
-BuildRequires:  tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
+BuildRequires:  tpm2-tools tpm2-abrmd
 BuildRequires:  python3-devel
 
 Requires:       %{name}-libs = %{version}-%{release}
@@ -78,7 +81,7 @@ Tools for the TPM emulator from the swtpm package
 Summary:        Tools for creating a local CA based on a TPM pkcs11 device
 License:        BSD
 Requires:       swtpm-tools = %{version}-%{release}
-Requires:       tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
+Requires:       tpm2-tools tpm2-abrmd
 Requires:       expect gnutls-utils
 
 %description   tools-pkcs11
@@ -97,7 +100,7 @@ NOCONFIGURE=1 ./autogen.sh
         --without-cuse \
         --without-tpm1
 
-%make_build
+%make_build V=1
 
 %check
 make %{?_smp_mflags} check VERBOSE=1
@@ -179,104 +182,55 @@ fi
 %{_datadir}/swtpm/swtpm-create-tpmca
 
 %changelog
+* Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-4.20211109gitb79fd91
+- swtpm_localca: Test for available issuercert before creating CA
+  Resolves: rhbz#2100508
+
+* Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
+- Disable OpenSSL FIPS mode to avoid libtpms failures
+  Resolves: rhbz#2097947
+
 * Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
 - Add fix for CVE-2022-23645.
-  Resolves: rhbz#2056518
+  Resolves: rhbz#2056517
 
-* Fri Nov 12 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
-- Update to v0.7.0 release
-  Resolves: rhbz#2021580 & rhbz#1990153
+* Tue Jan 04 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
+- Rebase to 0.7.0, disable TPM 1.2.
+  Resovles: rhbz#2029612
 
-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.6.0-3.20210607gitea627b3
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Thu Sep 16 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-2.20210607gitea627b3
+- rebuilt with missing CFLAGS fix.
 
-* Mon Jul 12 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-2.20210607gitea627b3
-- rebuilt with AM_* flags patch 
+* Mon Jun 28 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-1.20210607gitea627b3
+- Update to 0.6.0.
+  Resolves: rhbz#1972783
 
-* Wed Jun 16 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.0-1.20210607gitea627b3
-- new version
-- Fixes: rhbz#1972785
+* Tue Dec  1 20:40:07 +04 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.2-1.20201201git2df14e3
+- Update to 0.4.2, to address potential symlink vulnerabilities (CVE-2020-28407).
+  Resolves: rhbz#1906043
 
-* Wed Jun 16 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.5.2-7.20201226gite59c0c1
-- Removed trouser dependency (used for vTPM 1.2, unsupported)
-- Fixes: rhbz#1967919
+* Thu Sep 24 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.0-3.20200828git0c238a2
+- swtpm_setup: Add missing .config path when using ${HOME}. Resolves: rhbz#1881418
 
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.5.2-6.20201226gite59c0c1
-- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
+* Thu Sep 17 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.0-2.20200828git0c238a2
+- Backport fixes from 0.4.0 stable branch. Resolves: rhbz#1868375
+  (fixes usage of swtpm-localca with passwords when signing keys)
 
-* Tue May 18 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.5.2-5.20201226gite59c0c1
-- Add -Wno-error=deprecated-declarations to fix build with OpenSSL 3.0.
-- Fixes: rhbz#1958033
+* Sat Sep 12 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.4.0-1.20200828git0c238a2
+- Update to v0.4.0. Resolves: rhbz#1868375
 
-* Tue Apr 20 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.5.2-4.20201226gite59c0c1
-- Remove unnecessary twisted dependency.
-- Fixes: rhbz#1935825
+* Thu May 28 2020 Marc-André Lureau <marcandre.lureau@gmail.com> - 0.3.0-1.20200218git74ae43b
+- Update to v0.3.0. Fixes rhbz#1809778
+- exclude i686 build
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.5.2-3.20201226gite59c0c1
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Mon Jan 27 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.2.0-2.20200127gitff5a83b
+- Update to latest 0.2-stable branch, fix random test failure. rhbz#1782451
 
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.2-2.20201226gite59c0c1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+* Fri Oct 18 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.2.0-1.20191018git9227cf4
+- rebuilt
 
-* Sat Dec 26 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.2-1.20201226gite59c0c1a
-- Bugfixes for stable release
-
-* Mon Dec 07 2020 Jeff Law <law@redhat.com> - 0.5.1-3.20201117git96f5a04c
-- Avoid diagnostic from gcc-11
-
-* Fri Nov 13 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.1-2.20201117git96f5a04c
-- Another build of v0.5.1 after more fixes
-
-* Fri Nov 13 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.1-1.20201007git390f5bd4
-- Update to v0.5.1 addressing potential symlink attack issue (CVE-2020-28407)
-
-* Wed Oct 7 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.5.0-1.20201007gitb931e109
-- Update to v0.5.0 release
-
-* Fri Aug 28 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.4.0-1.20200828git0c238a2
-- Update to v0.4.0 release
-
-* Thu Aug 27 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.3.4-2.20200711git80f0418
-- Disable pkcs11 related test case running into GnuTLS locking bug
-
-* Tue Aug 11 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.3.4-1.20200711git80f0418
-- Update to v0.3.4 release
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-3.20200218git74ae43b
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-2.20200218git74ae43b
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Mon Feb 24 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.3.0-1.20200218git74ae43b
-- Update to v0.3.0 release
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-7.20191115git8dae4b3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Nov 15 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-6.20191018git8dae4b3
-- follow stable-0.2.0 branch with fix of GnuTLS API call to get subject key ID
-
-* Fri Oct 18 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-5.20191018git9227cf4
-- follow stable-0.2.0 branch with swtpm_cert OID bugfix for TPM 2
-
-* Tue Aug 13 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-4.20190801git13536aa
-- run 'restorecon' on swtpm in post to get SELinux label on first install
-
-* Thu Aug 01 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-3.20190801git13536aa
-- follow stable-0.2.0 branch with some bug fixes
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-2.20190723gitf0b4137
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Tue Jul 23 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-1.20190723gitf0b4137
-- follow stable-0.2.0 branch with some bug fixes
-
-* Tue Jul 16 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.2.0-0.20190716git374b669
-- (tentative) v0.2.0 release of swtpm
+* Tue Aug 13 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.1.0-1.20190425gitca85606.1
+- Fix SELinux labels on /usr/bin/swtpm installation rhbz#1739994
 
 * Thu Apr 25 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.1.0-0.20190425gitca85606
 - pick up bug fixes