From 03f012d66d118e2f86d7052b4d7dd00f163e5421 Mon Sep 17 00:00:00 2001 From: Tony Camuso Date: Wed, 12 Apr 2023 15:05:42 -0400 Subject: [PATCH] Backport upstream fixes and updates for 1.11.1-1 Resolves: rhbz#2186308 deleted: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch deleted: 0002-check-for-client-server-match.patch modified: sources deleted: tboot-gcc11.patch modified: tboot.spec Signed-off-by: Tony Camuso --- ...-fix-typo-in-lcp2_crtpollist-manpage.patch | 20 --- 0002-check-for-client-server-match.patch | 133 ------------------ sources | 1 + tboot-gcc11.patch | 82 ----------- tboot.spec | 11 +- 5 files changed, 7 insertions(+), 240 deletions(-) delete mode 100644 0001-fix-typo-in-lcp2_crtpollist-manpage.patch delete mode 100644 0002-check-for-client-server-match.patch delete mode 100644 tboot-gcc11.patch diff --git a/0001-fix-typo-in-lcp2_crtpollist-manpage.patch b/0001-fix-typo-in-lcp2_crtpollist-manpage.patch deleted file mode 100644 index 1f8a20b..0000000 --- a/0001-fix-typo-in-lcp2_crtpollist-manpage.patch +++ /dev/null @@ -1,20 +0,0 @@ -# HG changeset patch -# User Pawel Randzio -# Date 1646837604 -3600 -# Wed Mar 09 15:53:24 2022 +0100 -# Node ID 9cda8c127b0a7bb11561befbaa9ecf1130763fcf -# Parent 5941842afb661f0e78085cb1317781d362583a38 -Fixed a typo in man page for lcp2_crtpollist - -diff -r 5941842afb66 -r 9cda8c127b0a docs/man/lcp2_crtpollist.8 ---- a/docs/man/lcp2_crtpollist.8 Fri Mar 04 11:14:35 2022 +0100 -+++ b/docs/man/lcp2_crtpollist.8 Wed Mar 09 15:53:24 2022 +0100 -@@ -36,7 +36,7 @@ - support rsapss and ecdsa. - .TP \w'\fB--hashalg\ \fI\fP'u+1n - \fB--hashalg\ \fI\fP --Hash algorightm used for signing a list. Lists version 0x100 only support SHA1. -+Hash algorithm used for signing a list. Lists version 0x100 only support SHA1. - .TP - \fB--pub\ \fIfile\fP - Public key to use, must be in PEM format. diff --git a/0002-check-for-client-server-match.patch b/0002-check-for-client-server-match.patch deleted file mode 100644 index db71d65..0000000 
--- a/0002-check-for-client-server-match.patch
+++ /dev/null
@@ -1,133 +0,0 @@ -# HG changeset patch -# User Timo Lindfors -# Date 1646900891 -7200 -# Thu Mar 10 10:28:11 2022 +0200 -# Node ID 9c625ab2035bae1fc38787025f74d2937600223b -# Parent 9cda8c127b0a7bb11561befbaa9ecf1130763fcf -txt-acminfo: Map TXT heap using mmap -Without this patch - -txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN - -segfaults. This issue was introduced in - -o changeset: 627:d8a8e17f6d41 -| user: Lukasz Hawrylko -| date: Thu May 13 16:04:27 2021 +0200 -| summary: Check for client/server match when selecting SINIT - -Signed-off-by: Timo Lindfors - -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/common/loader.c ---- a/tboot/common/loader.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/common/loader.c Thu Mar 10 10:28:11 2022 +0200 -@@ -1792,7 +1792,7 @@ - void *base2 = (void *)m->mod_start; - uint32_t size2 = m->mod_end - (unsigned long)(base2); - if ( is_racm_acmod(base2, size2, false) && -- does_acmod_match_platform((acm_hdr_t *)base2) ) { -+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { - if ( base != NULL ) - *base = base2; - if ( size != NULL ) -@@ -1837,7 +1837,7 @@ - void *base2 = (void *)m->mod_start; - uint32_t size2 = m->mod_end - (unsigned long)(base2); - if ( is_sinit_acmod(base2, size2, false) && -- does_acmod_match_platform((acm_hdr_t *)base2) ) { -+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { - if ( base != NULL ) - *base = base2; - if ( size != NULL ) -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/include/txt/acmod.h ---- a/tboot/include/txt/acmod.h Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/include/txt/acmod.h Thu Mar 10 10:28:11 2022 +0200 -@@ -37,6 +37,8 @@ - #ifndef __TXT_ACMOD_H__ - #define __TXT_ACMOD_H__ - -+typedef void txt_heap_t; -+ - /* - * authenticated code (AC) module header (ver 0.0) - */ -@@ -179,7 +181,7 @@ - extern acm_hdr_t *copy_racm(const acm_hdr_t *racm); - extern bool verify_racm(const acm_hdr_t *acm_hdr); - extern bool is_sinit_acmod(const void *acmod_base, uint32_t acmod_size, bool quiet); --extern bool 
does_acmod_match_platform(const acm_hdr_t* hdr); -+extern bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t* txt_heap); - extern acm_hdr_t *copy_sinit(const acm_hdr_t *sinit); - extern bool verify_acmod(const acm_hdr_t *acm_hdr); - extern uint32_t get_supported_os_sinit_data_ver(const acm_hdr_t* hdr); -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/txt/acmod.c ---- a/tboot/txt/acmod.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/txt/acmod.c Thu Mar 10 10:28:11 2022 +0200 -@@ -576,7 +576,7 @@ - return true; - } - --bool does_acmod_match_platform(const acm_hdr_t* hdr) -+bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t *txt_heap) - { - /* used to ensure we don't print chipset/proc info for each module */ - static bool printed_host_info; -@@ -587,7 +587,8 @@ - return false; - - /* verify client/server platform match */ -- txt_heap_t *txt_heap = get_txt_heap(); -+ if (txt_heap == NULL) -+ txt_heap = get_txt_heap(); - bios_data_t *bios_data = get_bios_data_start(txt_heap); - if (info_table->version >= 5 && bios_data->version >= 6) { - uint32_t bios_type = bios_data->flags.bits.mle.platform_type; -@@ -713,7 +714,7 @@ - - /* is it a valid SINIT module? 
*/ - if ( !is_sinit_acmod(sinit_region_base, bios_data->bios_sinit_size, false) || -- !does_acmod_match_platform((acm_hdr_t *)sinit_region_base) ) -+ !does_acmod_match_platform((acm_hdr_t *)sinit_region_base, NULL) ) - return NULL; - - return (acm_hdr_t *)sinit_region_base; -diff -r 9cda8c127b0a -r 9c625ab2035b utils/txt-acminfo.c ---- a/utils/txt-acminfo.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/utils/txt-acminfo.c Thu Mar 10 10:28:11 2022 +0200 -@@ -203,15 +203,31 @@ - close(fd_mem); - return false; - } -- else { -- if ( does_acmod_match_platform(hdr) ) -- printf("ACM matches platform\n"); -- else -- printf("ACM does not match platform\n"); - -+ uint64_t txt_heap_size = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_SIZE); -+ if (txt_heap_size == 0) { -+ printf("ERROR: No TXT heap is available\n"); - munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); -+ close(fd_mem); -+ return false; - } - -+ uint64_t txt_heap_base = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_BASE); -+ txt_heap_t *txt_heap = mmap(NULL, txt_heap_size, PROT_READ, MAP_PRIVATE, -+ fd_mem, txt_heap_base); -+ if ( txt_heap == MAP_FAILED ) { -+ printf("ERROR: cannot map TXT heap by mmap()\n"); -+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); -+ close(fd_mem); -+ return false; -+ } -+ if ( does_acmod_match_platform(hdr, txt_heap) ) -+ printf("ACM matches platform\n"); -+ else -+ printf("ACM does not match platform\n"); -+ -+ munmap(txt_heap, txt_heap_size); -+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); - close(fd_mem); - return true; - } diff --git a/sources b/sources index 4f99b6f..b0703bf 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (tboot-1.10.5.tar.gz) = 01a039e5612b6cca6f7558e93673ba50edfcfbf3f65e390ac64f4aa6ae0859a314676b20d722dcd41a7a3c940473fe7982e823c800a75bd26a5e8f956528f223 +SHA512 (tboot-1.11.1.tar.gz) = 6708bd2169d2b5beb6a1123b2712693d2bdc614a1a5a5a1f3858c47462cdeb3e05da3848f082e264c4d1be5f35f7ca5637bc56ebbaaff80f322bf5f4c29e4ab5 
diff --git a/tboot-gcc11.patch b/tboot-gcc11.patch
deleted file mode 100644
index f4ea667..0000000
--- a/tboot-gcc11.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -diff --git a/tboot/common/tpm_12.c b/tboot/common/tpm_12.c -index a62e570..504b874 100644 ---- a/tboot/common/tpm_12.c -+++ b/tboot/common/tpm_12.c -@@ -766,6 +766,8 @@ static uint32_t tpm12_osap(uint32_t locality, tpm_entity_type_t ent_type, - tpm_authhandle_t *hauth, tpm_nonce_t *nonce_even, - tpm_nonce_t *even_osap) - { -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" - uint32_t ret, offset, out_size; - - if ( odd_osap == NULL || hauth == NULL || -@@ -801,6 +803,7 @@ static uint32_t tpm12_osap(uint32_t locality, tpm_entity_type_t ent_type, - LOAD_BLOB_TYPE(WRAPPER_OUT_BUF, offset, even_osap); - - return ret; -+#pragma GCC diagnostic pop - } - - static uint32_t _tpm12_seal(uint32_t locality, tpm_key_handle_t hkey, -@@ -1044,6 +1047,8 @@ static uint32_t _tpm12_wrap_seal(uint32_t locality, - static uint32_t _tpm12_wrap_unseal(uint32_t locality, const uint8_t *in_data, - uint32_t *secret_size, uint8_t *secret) - { -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" - uint32_t ret; - tpm_nonce_t odd_osap, even_osap; - tpm_nonce_t nonce_even, nonce_odd, nonce_even_d, nonce_odd_d; -@@ -1116,6 +1121,7 @@ static uint32_t _tpm12_wrap_unseal(uint32_t locality, const uint8_t *in_data, - /* skip check for res_auth */ - - return ret; -+#pragma GCC diagnostic pop - } - - static bool init_pcr_info(uint32_t locality, -@@ -1948,6 +1954,8 @@ static bool tpm12_get_random(struct tpm_if *ti, uint32_t locality, - - static bool tpm12_cap_pcrs(struct tpm_if *ti, u32 locality, int pcr) - { -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" - bool was_capped[TPM_NR_PCRS] = {false}; - tpm_pcr_value_t cap_val; /* use whatever val is on stack */ - -@@ -1976,6 +1984,7 @@ static bool tpm12_cap_pcrs(struct tpm_if *ti, u32 locality, int pcr) - - printk(TBOOT_INFO"cap'ed dynamic PCRs\n"); - return true; -+#pragma GCC diagnostic pop - } - - static bool tpm12_check(void) 
-diff --git a/tboot/include/rijndael.h b/tboot/include/rijndael.h -index 2974602..8dbcc7c 100644 ---- a/tboot/include/rijndael.h -+++ b/tboot/include/rijndael.h -@@ -52,7 +52,7 @@ void rijndael_encrypt(rijndael_ctx *, const u_char *, u_char *); - - int rijndaelKeySetupEnc(unsigned int [], const unsigned char [], int); - int rijndaelKeySetupDec(unsigned int [], const unsigned char [], int); --void rijndaelEncrypt(const unsigned int [], int, const unsigned char [], -- unsigned char []); -+void rijndaelEncrypt(const unsigned int [], int, const unsigned char [16], -+ unsigned char [16]); - - #endif /* __RIJNDAEL_H */ -diff --git a/tboot/common/loader.c b/tboot/common/loader.c -index cbb7def..6169564 100644 ---- a/tboot/common/loader.c -+++ b/tboot/common/loader.c -@@ -59,7 +59,7 @@ - #include - - /* copy of kernel/VMM command line so that can append 'tboot=0x1234' */ --static char *new_cmdline = (char *)TBOOT_KERNEL_CMDLINE_ADDR; -+static char * volatile new_cmdline = (char *)TBOOT_KERNEL_CMDLINE_ADDR; - - /* MLE/kernel shared data page (in boot.S) */ - extern tboot_shared_t _tboot_shared; diff --git a/tboot.spec b/tboot.spec index cdaa802..4ad0ab2 100644 --- a/tboot.spec +++ b/tboot.spec @@ -1,16 +1,13 @@ Summary: Performs a verified launch using Intel TXT Name: tboot -Version: 1.10.5 -Release: 2%{?dist} +Version: 1.11.1 +Release: 1%{?dist} Epoch: 1 License: BSD URL: http://sourceforge.net/projects/tboot/ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz -Patch01: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch -Patch02: 0002-check-for-client-server-match.patch - BuildRequires: make BuildRequires: gcc BuildRequires: perl 
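Review bot: Removing `Patch01` and `Patch02` in this hunk is only safe if the 1.11.1 tarball already carries both changes, and nothing in the commit says so; the second one (node 9c625ab2035b, per the deleted patch header) fixed a segfault in `txt-acminfo`, so a regression there would be easy to miss. I would record that in the changelog entry, e.g. `- Drop 0001 and 0002 patches, included upstream in 1.11.1`, and describe the change as a rebase rather than a backport. The deleted `tboot-gcc11.patch` has no `PatchNN:` line among the lines visible here, so its removal looks like cleanup, but the rest of the spec is outside the hunk. The `sources` hunk also keeps the 1.10.5 checksum line, which `Source0` no longer references once `Version` is 1.11.1.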
@@ -95,6 +92,10 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install /boot/tboot-syms %changelog +* Wed Apr 12 2023 Tony Camuso tcamuso@redhat.com> - 1:1.11.1-1 +- Backport upstream fixes and updates. + Resolves: rhbz#2186308 + * Thu Aug 18 2022 Tony Camuso - 1:1.10.5-2 - The install scriptlet in %post was choosing the first grub.cfg file it encountered, which was /boot/efi/EFI/redhat/grub.cfg.