From 194d43dcd8ed46d8a9854b0801cd7b20b15770c8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 17 May 2022 06:25:06 -0400
Subject: [PATCH] import tboot-1.10.2-6.el9
---
 .gitignore | 1 +
 .tboot.metadata | 1 +
 ...deprecated-declarations-to-Config.mk.patch | 30 +++
 ...move-call-to-EVP_PKEY_set_alias_type.patch | 63 +++++
 ...-sha256-as-default-hashing-algorithm.patch | 58 +++++
 SPECS/tboot.spec | 219 ++++++++++++++++++
 6 files changed, 372 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .tboot.metadata
 create mode 100644 SOURCES/0001-Add-Wno-error-deprecated-declarations-to-Config.mk.patch
 create mode 100644 SOURCES/0002-lcputils.c-remove-call-to-EVP_PKEY_set_alias_type.patch
 create mode 100644 SOURCES/0003-Use-sha256-as-default-hashing-algorithm.patch
 create mode 100644 SPECS/tboot.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..988c5ab
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tboot-1.10.2.tar.gz
diff --git a/.tboot.metadata b/.tboot.metadata
new file mode 100644
index 0000000..4c6680b
--- /dev/null
+++ b/.tboot.metadata
@@ -0,0 +1 @@
+f11ed63c38588fe17ac6674efc115122dd2fc737 SOURCES/tboot-1.10.2.tar.gz
diff --git a/SOURCES/0001-Add-Wno-error-deprecated-declarations-to-Config.mk.patch b/SOURCES/0001-Add-Wno-error-deprecated-declarations-to-Config.mk.patch
new file mode 100644
index 0000000..14bd490
--- /dev/null
+++ b/SOURCES/0001-Add-Wno-error-deprecated-declarations-to-Config.mk.patch
@@ -0,0 +1,30 @@
+From fb1b10586f293a39523cec835a8d2f102375bd0d Mon Sep 17 00:00:00 2001
+From: Tony Camuso
+Date: Wed, 2 Jun 2021 06:57:41 -0400
+Subject: [PATCH] Add -Wno-error=deprecated-declarations to Config.mk
+
+For SSL3 build compatability. In the future, the code needs to be
+made SSL3 compatable.
+
+Signed-off-by: Tony Camuso
+---
+ Config.mk | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Config.mk b/Config.mk
+index ba997b0..764e725 100644
+--- a/Config.mk
++++ b/Config.mk
+@@ -43,7 +43,8 @@ CFLAGS_WARN = -Wall -Wformat-security -Werror -Wstrict-prototypes \
+ -Wextra -Winit-self -Wswitch-default -Wunused-parameter \
+ -Wwrite-strings \
+ $(call cc-option,$(CC),-Wlogical-op,) \
+- -Wno-missing-field-initializers -Wno-address-of-packed-member
++ -Wno-missing-field-initializers -Wno-address-of-packed-member \
++ -Wno-deprecated-declarations
+
+ AS ?= as
+ LD ?= ld
+--
+2.31.1
+
diff --git a/SOURCES/0002-lcputils.c-remove-call-to-EVP_PKEY_set_alias_type.patch b/SOURCES/0002-lcputils.c-remove-call-to-EVP_PKEY_set_alias_type.patch
new file mode 100644
index 0000000..1290a34
--- /dev/null
+++ b/SOURCES/0002-lcputils.c-remove-call-to-EVP_PKEY_set_alias_type.patch
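Review bot: The flag actually added on the last `+` line of the Config.mk hunk is `-Wno-deprecated-declarations`, not the `-Wno-error=deprecated-declarations` named in the Subject line and in the spec changelog, and the former silences the diagnostic entirely, so the deprecated OpenSSL 3.0 API uses this is papering over disappear from build logs instead of staying visible for the follow-up the commit message promises. Since `-Werror` remains in CFLAGS_WARN, `+ -Wno-error=deprecated-declarations` would let the build succeed while keeping the warnings in the log. The commit message's "SSL3" refers to OpenSSL 3.0 and is easy to misread as the SSLv3 protocol; spelling out `OpenSSL 3.0` would avoid that, and a tracking reference for "the code needs to be made ... compatable" would make it clear who revisits this.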
@@ -0,0 +1,63 @@
+From 8486ee675c00c2662d261fbbf26cf013ccd118fd Mon Sep 17 00:00:00 2001
+From: Tony Camuso
+Date: Wed, 23 Jun 2021 08:01:54 -0400
+Subject: [PATCH] lcputils.c: remove call to EVP_PKEY_set_alias_type
+
+This function was previously needed as a workaround for SM2. With
+OpenSSL 3.0, this key type is internally recognized so the workaround
+is no longer needed.
+
+Signed-off-by: Tony Camuso
+---
+ lcptools-v2/lcputils.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/lcptools-v2/lcputils.c b/lcptools-v2/lcputils.c
+index 9d4b976..4dbb2fc 100644
+--- a/lcptools-v2/lcputils.c
++++ b/lcptools-v2/lcputils.c
+@@ -775,6 +775,11 @@ bool verify_ec_signature(sized_buffer *data, sized_buffer *pubkey_x,
+ result = 0;
+ goto EXIT;
+ }
++// SSL3 removed function EVP_PKEY_set_alias_type
++// This function was previously needed as a workaround for SM2.
++// With OpenSSL 3.0, this key type is internally recognized so
++// the workaround is no longer needed.
++#if 0
+ if (sigalg == TPM_ALG_SM2) {
+ result = EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2);
+ if (result <= 0) {
+@@ -782,6 +787,7 @@ bool verify_ec_signature(sized_buffer *data, sized_buffer *pubkey_x,
+ goto OPENSSL_ERROR;
+ }
+ }
++#endif
+ pctx = EVP_PKEY_CTX_new(evp_key, NULL);
+ if (pctx == NULL) {
+ ERROR("Error: failed to generate key context.\n");
+@@ -915,6 +921,11 @@ bool ec_sign_data(sized_buffer *data, sized_buffer *r, sized_buffer *s, uint16_t
+ goto OPENSSL_ERROR;
+ }
+
++// SSL3 removed function EVP_PKEY_set_alias_type
++// This function was previously needed as a workaround for SM2.
++// With OpenSSL 3.0, this key type is internally recognized so
++// the workaround is no longer needed.
++#if 0
+ if (sigalg == TPM_ALG_SM2) {
+ result = EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2);
+ if (result <= 0) {
+@@ -922,7 +933,8 @@ bool ec_sign_data(sized_buffer *data, sized_buffer *r, sized_buffer *s, uint16_t
+ goto OPENSSL_ERROR;
+ }
+ }
+-
++#endif
++
+ pctx = EVP_PKEY_CTX_new(evp_key, NULL);
+ if (pctx == NULL) {
+ ERROR("Error: failed to allocate pkey context.\n");
+--
+2.31.1
+
diff --git a/SOURCES/0003-Use-sha256-as-default-hashing-algorithm.patch b/SOURCES/0003-Use-sha256-as-default-hashing-algorithm.patch
new file mode 100644
index 0000000..e0d4c76
--- /dev/null
+++ b/SOURCES/0003-Use-sha256-as-default-hashing-algorithm.patch
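Review bot: The two `#if 0` blocks in verify_ec_signature and ec_sign_data drop the SM2 alias-type workaround unconditionally, so a build against OpenSSL 1.1.x (the spec pins no openssl-devel version) would compile cleanly and then treat SM2 keys as plain EC keys when signing and verifying instead of failing at build time. Guard on the library version rather than disabling the code outright, `#if OPENSSL_VERSION_NUMBER < 0x30000000L`, or delete the dead block entirely since the added comment already records why it went away. The comments' "SSL3" means OpenSSL 3.0, not the SSLv3 protocol; writing `OpenSSL 3.0` would avoid the confusion. Both functions begin and end outside the hunk, so the effect on the `result` variable and the error paths could not be checked here.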
@@ -0,0 +1,58 @@
+# HG changeset patch
+# User Lukasz Hawrylko
+# Date 1631717614 -7200
+# Wed Sep 15 16:53:34 2021 +0200
+# Node ID 5bf5c12411d3a4a7e0a552203b40bfe59d5c7789
+# Parent 4cdcf97e4723647b6fac761565c0be13f7e31009
+Use sha256 as default hashing algorithm in lcp2_mlehash and tb_polgen
+
+Signed-off-by: Lukasz Hawrylko
+
+diff -r 4cdcf97e4723 -r 5bf5c12411d3 docs/man/tb_polgen.8
+--- a/docs/man/tb_polgen.8 Thu Aug 26 14:12:44 2021 +0200
++++ b/docs/man/tb_polgen.8 Wed Sep 15 16:53:34 2021 +0200
+@@ -21,6 +21,9 @@
+ \fR[\fB\-\-ctrl \fIpolicy-control-value\fR]
+ The default value 1 is to extend policy into PCR 17.
+ .TP
++\fR[\fB\-\-alg \fIsha1 \fR|\fI sha256 \fR|\fI sha384 \fR|\fI sha512\fR]
++Policy hashing algorithm.
++.TP
+ \fIpolicy-file\fR
+ .RE
+ .TP
+diff -r 4cdcf97e4723 -r 5bf5c12411d3 lcptools-v2/mlehash.c
+--- a/lcptools-v2/mlehash.c Thu Aug 26 14:12:44 2021 +0200
++++ b/lcptools-v2/mlehash.c Wed Sep 15 16:53:34 2021 +0200
+@@ -70,8 +70,8 @@
+
+
+ bool verbose = false;
+-char alg_name[32] = "sha1";
+-uint16_t alg_type = TPM_ALG_SHA1;
++char alg_name[32] = "sha256";
++uint16_t alg_type = TPM_ALG_SHA256;
+
+ static struct option long_opts[] =
+ {
+diff -r 4cdcf97e4723 -r 5bf5c12411d3 tb_polgen/param.c
+--- a/tb_polgen/param.c Thu Aug 26 14:12:44 2021 +0200
++++ b/tb_polgen/param.c Wed Sep 15 16:53:34 2021 +0200
+@@ -51,7 +51,7 @@
+
+ static const char *help[] = {
+ "tb_polgen --create --type nonfatal|continue|halt\n",
+- " [--alg sha1 (default)|sha256|sha384|sha512]\n",
++ " [--alg sha1|sha256 (default)|sha384|sha512]\n",
+ " [--ctrl ]\n",
+ " [--verbose]\n",
+ " \n",
+@@ -330,7 +330,7 @@
+ params->cmd = POLGEN_CMD_NONE;
+ params->mod_num = -1;
+ params->pcr = -1;
+- params->hash_alg = TB_HALG_SHA1;
++ params->hash_alg = TB_HALG_SHA256;
+ params->policy_type = -1;
+ params->policy_control = TB_POLCTL_EXTEND_PCR17;
+ params->hash_type = -1;
diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
new file mode 100644
index 0000000..efaff33
--- /dev/null
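Review bot: The tb_polgen.8 addition documents `--alg` but never says which algorithm is the default, even though the help string in param.c now advertises sha256; `Policy hashing algorithm (default: sha256).` would keep the man page and `--help` in agreement. The new defaults in mlehash.c (`alg_name`/`alg_type`) and param.c (`params->hash_alg`) change the output of any existing invocation that relied on the implicit SHA-1, so MLE hashes and policies regenerated by unchanged scripts will presumably no longer match values provisioned under the old default; that deserves an explicit note in the commit message and changelog. lcp2_mlehash's own usage text and man page are not touched by this hunk, so if they still describe sha1 as the default (not visible here, confirm) they should get the same update.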
+++ b/SPECS/tboot.spec 
@@ -0,0 +1,219 @@
+Summary: Performs a verified launch using Intel TXT
+Name: tboot
+Version: 1.10.2
+Release: 6%{?dist}
+Epoch: 1
+
+License: BSD
+URL: http://sourceforge.net/projects/tboot/
+Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
+
+Patch0: 0001-Add-Wno-error-deprecated-declarations-to-Config.mk.patch
+Patch1: 0002-lcputils.c-remove-call-to-EVP_PKEY_set_alias_type.patch
+Patch2: 0003-Use-sha256-as-default-hashing-algorithm.patch
+
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: perl
+BuildRequires: openssl-devel
+BuildRequires: zlib-devel
+ExclusiveArch: %{ix86} x86_64
+
+%description
+Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
+Intel Trusted Execution Technology (Intel TXT) to perform a measured
+and verified launch of an OS kernel/VMM.
+
+%prep
+%autosetup -p1 -n %{name}-%{version}
+
+%build
+CFLAGS="%{optflags}"; export CFLAGS
+LDFLAGS="%{build_ldflags}"; export LDFLAGS
+make debug=y %{?_smp_mflags}
+
+%install
+make debug=y DISTDIR=$RPM_BUILD_ROOT install
+
+%files
+%doc README.md COPYING docs/* lcptools-v2/lcptools.txt
+%config %{_sysconfdir}/grub.d/20_linux_tboot
+%config %{_sysconfdir}/grub.d/20_linux_xen_tboot
+%{_sbindir}/txt-acminfo
+%{_sbindir}/lcp2_crtpol
+%{_sbindir}/lcp2_crtpolelt
+%{_sbindir}/lcp2_crtpollist
+%{_sbindir}/lcp2_mlehash
+%{_sbindir}/txt-parse_err
+%{_sbindir}/tb_polgen
+%{_sbindir}/txt-stat
+%{_mandir}/man8/txt-acminfo.8.gz
+%{_mandir}/man8/tb_polgen.8.gz
+%{_mandir}/man8/txt-stat.8.gz
+%{_mandir}/man8/lcp2_crtpol.8.gz
+%{_mandir}/man8/lcp2_crtpolelt.8.gz
+%{_mandir}/man8/lcp2_crtpollist.8.gz
+%{_mandir}/man8/lcp2_mlehash.8.gz
+%{_mandir}/man8/txt-parse_err.8.gz
+/boot/tboot.gz
+/boot/tboot-syms
+
+%changelog
+* Thu Sep 30 2021 Tony Camuso - 1:1.10.2-6
+- Use sha256 as default hashing algorithm
+ Resolves: rhbz#1935448
+
+* Tue Aug 10 2021 Mohan Boddu - 1:1.10.2-5
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jul 28 2021 
Tony Camuso - 1:1.10.2-4
+- From Miroslave Vadkerti:
+ Onboarding tests to RHEL9 in BaseOS CI requires action, adding
+ test configuration in our "dispatcher" configuration for RHEL9:
+ https://gitlab.cee.redhat.com/baseos-qe/citool-config/blob/production/brew-dispatcher-rhel9.yaml
+ Test config was added for tboot in the following MR.
+ https://gitlab.cee.redhat.com/baseos-qe/citool-config/-/merge_requests/2686
+ Resolves: rhbz#1922002
+
+* Tue Jul 27 2021 Tony Camuso - 1:1.10.2-3
+- Add the %{optflags} and %{build_ldflags} macros to assure the
+ build meets RHEL security requirements.
+ Resolves: rhbz#1922002
+
+* Thu Jul 22 2021 Tony Camuso - 1:1.10.2-2
+- Bump the NVR as a result of including the gating.yaml file in
+ the git repo.
+ Resolves: rhbz#1922002
+
+* Mon Jun 21 2021 Tony Camuso - 1:1.10.2-1
+- The patches are for SSL3 compatibility. These can probably be
+ removed when upstream tboot fully implements SSL3.
+- Upgrade to latest upstream.
+- Remove trousers dependency.
+ Resolves: rhbz#1922002
+ Resolves: rhbz#1870520
+ Resolves: rhbz#1927374
+
+* Wed Jun 16 2021 Mohan Boddu - 1:1.9.11-9
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Thu May 27 2021 Tony Camuso - 1:1.9.11-8
+- Add -Wno-error=deprecated-declarations to the Config.mk patch
+ Resolves: rhbz#1958031
+
+* Fri Apr 16 2021 Mohan Boddu - 1:1.9.11-7
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. 
Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering - 1:1.9.11-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Oct 30 2020 Jeff Law - 1:1.9.11-5
+- Re-enable -Wstringop-overflow and instead make the problematical
+ pointer volatile to avoid the false positive diagnostic
+
+* Thu Oct 29 2020 Jeff Law - 1:1.9.11-4
+- Fix buglet exposed by gcc-11 -Warray-parameter
+- Temporarily disable -Wstringop-overflow due to false positive in gcc-11
+
+* Wed Jul 29 2020 Jeff Law - 1:1.9.11-3
+- Explicitly allow uninitialized variables in a few places that do it
+- on purpose
+
+* Wed Jul 29 2020 Fedora Release Engineering - 1:1.9.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sun Apr 19 2020 Filipe Rosset - 1:1.9.11-1
+- Update to 1.9.11
+
+* Fri Jan 31 2020 Fedora Release Engineering - 1:1.9.10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering - 1:1.9.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue May 14 2019 Yunying Sun - 1:1.9.10-1
+- Add patch to fix package build error
+- Add build dependency to zlib-devel
+- Update to latest release 1.9.10
+
+* Sun Feb 03 2019 Fedora Release Engineering - 1:1.9.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Oct 31 2018 Yunying Sun - 1:1.9.8-1
+- Updated to upstream 1.9.8 release
+
+* Tue Sep 4 2018 Yunying Sun - 1:1.9.7-1
+- Updated to upstream 1.9.7 release
+- Removed the patch for openssl 1.1 as it is included in 1.9.7 already
+
+* Sat Jul 14 2018 Fedora Release Engineering - 1:1.9.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Feb 06 2018 Tomáš Mráz - 1:1.9.6-2
+- Patch to build with OpenSSL-1.1.x
+
+* Sun Feb 04 2018 Filipe Rosset - 1:1.9.6-1
+- Upgrade to latest upstream version
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1:1.8.2-7
+- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 1:1.8.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1:1.8.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Feb 05 2016 Fedora Release Engineering - 1:1.8.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jun 19 2015 Fedora Release Engineering - 1:1.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Aug 18 2014 Fedora Release Engineering - 1:1.8.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Jul 30 2014 Gang Wei - 1:1.8.2-1
+- Upgrade to latest upstream version which provided security fix for:
+ tboot:argument measurement vulnerablity for GRUB2+ELF kernels
+
+* Wed Jun 18 2014 Gang Wei - 1:1.8.1-1
+- Upgrade to latest upstream version
+
+* Sun Jun 08 2014 Fedora Release Engineering - 1:1.7.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sun Aug 04 2013 Fedora Release Engineering - 1:1.7.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Apr 02 2013 Gang Wei - 1:1.7.3-3
+- Fix for breaking grub2-mkconfig operation in 32bit case(#929384)
+
+* Wed Feb 20 2013 Gang Wei - 1:1.7.3-2
+- Fix version string in log
+
+* Wed Jan 30 2013 David Cantrell - 1:1.7.3-1
+- Upgrade to latest upstream version (#902653)
+
+* Wed Aug 22 2012 Gang Wei - 1:1.7.0-2
+- Fix build error with zlib 1.2.7
+
+* Sat Jul 21 2012 Fedora Release Engineering - 1:1.7.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jan 15 2012 Gang Wei - 1:1.7.0
+- 1.7.0 release
+
+* Sat Jan 14 2012 Fedora Release Engineering - 20110429-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Apr 29 2011 Gang Wei - 20110429-1
+- Pull upstream changeset 255, rebuilt in F15
+
+* Wed Feb 
09 2011 Fedora Release Engineering - 20101005-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Dec 1 2010 Joseph Cihula - 20101005-1.fc13
+- Initial import
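Review bot: `BuildRequires: openssl-devel` carries no version floor even though Patch1 disables the SM2 `EVP_PKEY_set_alias_type` workaround unconditionally on the assumption of OpenSSL 3.0, so a rebuild against an older openssl-devel would succeed and ship lcptools with silently wrong SM2 signing and verification; `BuildRequires: openssl-devel >= 3.0` turns that into a build failure. `Source0` is fetched over plain `http://` and the only integrity pin on the tarball is the SHA-1 recorded in `.tboot.metadata`; if upstream publishes a detached signature it should be added as `Source1` and checked with `%{gpgverify}` in `%prep`, and the URL should in any case be `https://`. `make debug=y` is used in both `%build` and `%install` and `/boot/tboot-syms` is packaged into the boot directory of a measured-launch system, which is worth a spec comment stating that this is intended rather than a leftover from development. The 1:1.9.11-8 changelog entry names `-Wno-error=deprecated-declarations`, but Patch0 actually adds `-Wno-deprecated-declarations`, which suppresses the warning outright.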