rpms/tboot
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import tboot-1.10.2-6.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-05-17 06:25:06 -04:00 committed by Stepan Oksanichenko
commit 194d43dcd8
6 changed files with 372 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/tboot-1.10.2.tar.gz

1
.tboot.metadata Normal file
View File

@ -0,0 +1 @@
f11ed63c38588fe17ac6674efc115122dd2fc737 SOURCES/tboot-1.10.2.tar.gz

30
SOURCES/0001-Add-Wno-error-deprecated-declarations-to-Config.mk.patch Normal file
View File

@ -0,0 +1,30 @@
From fb1b10586f293a39523cec835a8d2f102375bd0d Mon Sep 17 00:00:00 2001
From: Tony Camuso <tcamuso@redhat.com>
Date: Wed, 2 Jun 2021 06:57:41 -0400
Subject: [PATCH] Add -Wno-error=deprecated-declarations to Config.mk
For SSL3 build compatability. In the future, the code needs to be
made SSL3 compatable.
Signed-off-by: Tony Camuso <tcamuso@redhat.com>
---
Config.mk | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Config.mk b/Config.mk
index ba997b0..764e725 100644
--- a/Config.mk
+++ b/Config.mk
@@ -43,7 +43,8 @@ CFLAGS_WARN = -Wall -Wformat-security -Werror -Wstrict-prototypes \
-Wextra -Winit-self -Wswitch-default -Wunused-parameter \
-Wwrite-strings \
$(call cc-option,$(CC),-Wlogical-op,) \
- -Wno-missing-field-initializers -Wno-address-of-packed-member
+ -Wno-missing-field-initializers -Wno-address-of-packed-member \
+ -Wno-deprecated-declarations
AS ?= as
LD ?= ld
--
2.31.1

63
SOURCES/0002-lcputils.c-remove-call-to-EVP_PKEY_set_alias_type.patch Normal file
View File

@ -0,0 +1,63 @@
From 8486ee675c00c2662d261fbbf26cf013ccd118fd Mon Sep 17 00:00:00 2001
From: Tony Camuso <tcamuso@redhat.com>
Date: Wed, 23 Jun 2021 08:01:54 -0400
Subject: [PATCH] lcputils.c: remove call to EVP_PKEY_set_alias_type
This function was previously needed as a workaround for SM2. With
OpenSSL 3.0, this key type is internally recognized so the workaround
is no longer needed.
Signed-off-by: Tony Camuso <tcamuso@redhat.com>
---
lcptools-v2/lcputils.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/lcptools-v2/lcputils.c b/lcptools-v2/lcputils.c
index 9d4b976..4dbb2fc 100644
--- a/lcptools-v2/lcputils.c
+++ b/lcptools-v2/lcputils.c
@@ -775,6 +775,11 @@ bool verify_ec_signature(sized_buffer *data, sized_buffer *pubkey_x,
result = 0;
goto EXIT;
}
+// SSL3 removed function EVP_PKEY_set_alias_type
+// This function was previously needed as a workaround for SM2.
+// With OpenSSL 3.0, this key type is internally recognized so
+// the workaround is no longer needed.
+#if 0
if (sigalg == TPM_ALG_SM2) {
result = EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2);
if (result <= 0) {
@@ -782,6 +787,7 @@ bool verify_ec_signature(sized_buffer *data, sized_buffer *pubkey_x,
goto OPENSSL_ERROR;
}
}
+#endif
pctx = EVP_PKEY_CTX_new(evp_key, NULL);
if (pctx == NULL) {
ERROR("Error: failed to generate key context.\n");
@@ -915,6 +921,11 @@ bool ec_sign_data(sized_buffer *data, sized_buffer *r, sized_buffer *s, uint16_t
goto OPENSSL_ERROR;
}
+// SSL3 removed function EVP_PKEY_set_alias_type
+// This function was previously needed as a workaround for SM2.
+// With OpenSSL 3.0, this key type is internally recognized so
+// the workaround is no longer needed.
+#if 0
if (sigalg == TPM_ALG_SM2) {
result = EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2);
if (result <= 0) {
@@ -922,7 +933,8 @@ bool ec_sign_data(sized_buffer *data, sized_buffer *r, sized_buffer *s, uint16_t
goto OPENSSL_ERROR;
}
}
-
+#endif
+
pctx = EVP_PKEY_CTX_new(evp_key, NULL);
if (pctx == NULL) {
ERROR("Error: failed to allocate pkey context.\n");
--
2.31.1

58
SOURCES/0003-Use-sha256-as-default-hashing-algorithm.patch Normal file
View File

@ -0,0 +1,58 @@
# HG changeset patch
# User Lukasz Hawrylko <lukasz.hawrylko@intel.com>
# Date 1631717614 -7200
# Wed Sep 15 16:53:34 2021 +0200
# Node ID 5bf5c12411d3a4a7e0a552203b40bfe59d5c7789
# Parent 4cdcf97e4723647b6fac761565c0be13f7e31009
Use sha256 as default hashing algorithm in lcp2_mlehash and tb_polgen
Signed-off-by: Lukasz Hawrylko <lukasz.hawrylko@intel.com>
diff -r 4cdcf97e4723 -r 5bf5c12411d3 docs/man/tb_polgen.8
--- a/docs/man/tb_polgen.8 Thu Aug 26 14:12:44 2021 +0200
+++ b/docs/man/tb_polgen.8 Wed Sep 15 16:53:34 2021 +0200
@@ -21,6 +21,9 @@
\fR[\fB\-\-ctrl \fIpolicy-control-value\fR]
The default value 1 is to extend policy into PCR 17.
.TP
+\fR[\fB\-\-alg \fIsha1 \fR|\fI sha256 \fR|\fI sha384 \fR|\fI sha512\fR]
+Policy hashing algorithm.
+.TP
\fIpolicy-file\fR
.RE
.TP
diff -r 4cdcf97e4723 -r 5bf5c12411d3 lcptools-v2/mlehash.c
--- a/lcptools-v2/mlehash.c Thu Aug 26 14:12:44 2021 +0200
+++ b/lcptools-v2/mlehash.c Wed Sep 15 16:53:34 2021 +0200
@@ -70,8 +70,8 @@
bool verbose = false;
-char alg_name[32] = "sha1";
-uint16_t alg_type = TPM_ALG_SHA1;
+char alg_name[32] = "sha256";
+uint16_t alg_type = TPM_ALG_SHA256;
static struct option long_opts[] =
{
diff -r 4cdcf97e4723 -r 5bf5c12411d3 tb_polgen/param.c
--- a/tb_polgen/param.c Thu Aug 26 14:12:44 2021 +0200
+++ b/tb_polgen/param.c Wed Sep 15 16:53:34 2021 +0200
@@ -51,7 +51,7 @@
static const char *help[] = {
"tb_polgen --create --type nonfatal|continue|halt\n",
- " [--alg sha1 (default)|sha256|sha384|sha512]\n",
+ " [--alg sha1|sha256 (default)|sha384|sha512]\n",
" [--ctrl <policy control value>]\n",
" [--verbose]\n",
" <policy file name>\n",
@@ -330,7 +330,7 @@
params->cmd = POLGEN_CMD_NONE;
params->mod_num = -1;
params->pcr = -1;
- params->hash_alg = TB_HALG_SHA1;
+ params->hash_alg = TB_HALG_SHA256;
params->policy_type = -1;
params->policy_control = TB_POLCTL_EXTEND_PCR17;
params->hash_type = -1;

219
SPECS/tboot.spec Normal file
View File

@ -0,0 +1,219 @@
Summary: Performs a verified launch using Intel TXT
Name: tboot
Version: 1.10.2
Release: 6%{?dist}
Epoch: 1
License: BSD
URL: http://sourceforge.net/projects/tboot/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Patch0: 0001-Add-Wno-error-deprecated-declarations-to-Config.mk.patch
Patch1: 0002-lcputils.c-remove-call-to-EVP_PKEY_set_alias_type.patch
Patch2: 0003-Use-sha256-as-default-hashing-algorithm.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: perl
BuildRequires: openssl-devel
BuildRequires: zlib-devel
ExclusiveArch: %{ix86} x86_64
%description
Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
Intel Trusted Execution Technology (Intel TXT) to perform a measured
and verified launch of an OS kernel/VMM.
%prep
%autosetup -p1 -n %{name}-%{version}
%build
CFLAGS="%{optflags}"; export CFLAGS
LDFLAGS="%{build_ldflags}"; export LDFLAGS
make debug=y %{?_smp_mflags}
%install
make debug=y DISTDIR=$RPM_BUILD_ROOT install
%files
%doc README.md COPYING docs/* lcptools-v2/lcptools.txt
%config %{_sysconfdir}/grub.d/20_linux_tboot
%config %{_sysconfdir}/grub.d/20_linux_xen_tboot
%{_sbindir}/txt-acminfo
%{_sbindir}/lcp2_crtpol
%{_sbindir}/lcp2_crtpolelt
%{_sbindir}/lcp2_crtpollist
%{_sbindir}/lcp2_mlehash
%{_sbindir}/txt-parse_err
%{_sbindir}/tb_polgen
%{_sbindir}/txt-stat
%{_mandir}/man8/txt-acminfo.8.gz
%{_mandir}/man8/tb_polgen.8.gz
%{_mandir}/man8/txt-stat.8.gz
%{_mandir}/man8/lcp2_crtpol.8.gz
%{_mandir}/man8/lcp2_crtpolelt.8.gz
%{_mandir}/man8/lcp2_crtpollist.8.gz
%{_mandir}/man8/lcp2_mlehash.8.gz
%{_mandir}/man8/txt-parse_err.8.gz
/boot/tboot.gz
/boot/tboot-syms
%changelog
* Thu Sep 30 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-6
- Use sha256 as default hashing algorithm
Resolves: rhbz#1935448
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.10.2-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-4
- From Miroslave Vadkerti:
Onboarding tests to RHEL9 in BaseOS CI requires action, adding
test configuration in our "dispatcher" configuration for RHEL9:
https://gitlab.cee.redhat.com/baseos-qe/citool-config/blob/production/brew-dispatcher-rhel9.yaml
Test config was added for tboot in the following MR.
https://gitlab.cee.redhat.com/baseos-qe/citool-config/-/merge_requests/2686
Resolves: rhbz#1922002
* Tue Jul 27 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-3
- Add the %{optflags} and %{build_ldflags} macros to assure the
build meets RHEL security requirements.
Resolves: rhbz#1922002
* Thu Jul 22 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-2
- Bump the NVR as a result of including the gating.yaml file in
the git repo.
Resolves: rhbz#1922002
* Mon Jun 21 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-1
- The patches are for SSL3 compatibility. These can probably be
removed when upstream tboot fully implements SSL3.
- Upgrade to latest upstream.
- Remove trousers dependency.
Resolves: rhbz#1922002
Resolves: rhbz#1870520
Resolves: rhbz#1927374
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.9.11-9
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Thu May 27 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.9.11-8
- Add -Wno-error=deprecated-declarations to the Config.mk patch
Resolves: rhbz#1958031
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.9.11-7
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Oct 30 2020 Jeff Law <law@redhat.com> - 1:1.9.11-5
- Re-enable -Wstringop-overflow and instead make the problematical
pointer volatile to avoid the false positive diagnostic
* Thu Oct 29 2020 Jeff Law <law@redhat.com> - 1:1.9.11-4
- Fix buglet exposed by gcc-11 -Warray-parameter
- Temporarily disable -Wstringop-overflow due to false positive in gcc-11
* Wed Jul 29 2020 Jeff Law <law@redhat.com> - 1:1.9.11-3
- Explicitly allow uninitialized variables in a few places that do it
- on purpose
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun Apr 19 2020 Filipe Rosset <rosset.filipe@gmail.com> - 1:1.9.11-1
- Update to 1.9.11
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue May 14 2019 Yunying Sun <yunying.sun@intel.com> - 1:1.9.10-1
- Add patch to fix package build error
- Add build dependency to zlib-devel
- Update to latest release 1.9.10
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 31 2018 Yunying Sun <yunying.sun@intel.com> - 1:1.9.8-1
- Updated to upstream 1.9.8 release
* Tue Sep 4 2018 Yunying Sun <yunying.sun@intel.com> - 1:1.9.7-1
- Updated to upstream 1.9.7 release
- Removed the patch for openssl 1.1 as it is included in 1.9.7 already
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Feb 06 2018 Tomáš Mráz <tmraz@redhat.com> - 1:1.9.6-2
- Patch to build with OpenSSL-1.1.x
* Sun Feb 04 2018 Filipe Rosset <rosset.filipe@gmail.com> - 1:1.9.6-1
- Upgrade to latest upstream version
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Wed Jul 30 2014 Gang Wei <gang.wei@intel.com> - 1:1.8.2-1
- Upgrade to latest upstream version which provided security fix for:
tboot:argument measurement vulnerablity for GRUB2+ELF kernels
* Wed Jun 18 2014 Gang Wei <gang.wei@intel.com> - 1:1.8.1-1
- Upgrade to latest upstream version
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.7.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.7.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Apr 02 2013 Gang Wei <gang.wei@intel.com> - 1:1.7.3-3
- Fix for breaking grub2-mkconfig operation in 32bit case(#929384)
* Wed Feb 20 2013 Gang Wei <gang.wei@intel.com> - 1:1.7.3-2
- Fix version string in log
* Wed Jan 30 2013 David Cantrell <dcantrell@redhat.com> - 1:1.7.3-1
- Upgrade to latest upstream version (#902653)
* Wed Aug 22 2012 Gang Wei <gang.wei@intel.com> - 1:1.7.0-2
- Fix build error with zlib 1.2.7
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Sun Jan 15 2012 Gang Wei <gang.wei@intel.com> - 1:1.7.0
- 1.7.0 release
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 20110429-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Fri Apr 29 2011 Gang Wei <gang.wei@intel.com> - 20110429-1
- Pull upstream changeset 255, rebuilt in F15
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 20101005-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Wed Dec 1 2010 Joseph Cihula <joseph.cihula@intel.com> - 20101005-1.fc13
- Initial import