diff --git a/.gitignore b/.gitignore index fc61607..7aa942e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/tboot-1.10.5.tar.gz +tboot-1.11.9.tar.gz diff --git a/.tboot.metadata b/.tboot.metadata deleted file mode 100644 index 7a9d72e..0000000 --- a/.tboot.metadata +++ /dev/null @@ -1 +0,0 @@ -687bb5c0453b0256d64c8b1aa538a49703f9737a SOURCES/tboot-1.10.5.tar.gz diff --git a/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch b/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch deleted file mode 100644 index 1f8a20b..0000000 --- a/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch +++ /dev/null @@ -1,20 +0,0 @@ -# HG changeset patch -# User Pawel Randzio -# Date 1646837604 -3600 -# Wed Mar 09 15:53:24 2022 +0100 -# Node ID 9cda8c127b0a7bb11561befbaa9ecf1130763fcf -# Parent 5941842afb661f0e78085cb1317781d362583a38 -Fixed a typo in man page for lcp2_crtpollist - -diff -r 5941842afb66 -r 9cda8c127b0a docs/man/lcp2_crtpollist.8 ---- a/docs/man/lcp2_crtpollist.8 Fri Mar 04 11:14:35 2022 +0100 -+++ b/docs/man/lcp2_crtpollist.8 Wed Mar 09 15:53:24 2022 +0100 -@@ -36,7 +36,7 @@ - support rsapss and ecdsa. - .TP \w'\fB--hashalg\ \fI\fP'u+1n - \fB--hashalg\ \fI\fP --Hash algorightm used for signing a list. Lists version 0x100 only support SHA1. -+Hash algorithm used for signing a list. Lists version 0x100 only support SHA1. - .TP - \fB--pub\ \fIfile\fP - Public key to use, must be in PEM format. diff --git a/SOURCES/0002-check-for-client-server-match.patch b/SOURCES/0002-check-for-client-server-match.patch deleted file mode 100644 index db71d65..0000000 --- a/SOURCES/0002-check-for-client-server-match.patch +++ /dev/null 
@@ -1,133 +0,0 @@ -# HG changeset patch -# User Timo Lindfors -# Date 1646900891 -7200 -# Thu Mar 10 10:28:11 2022 +0200 -# Node ID 9c625ab2035bae1fc38787025f74d2937600223b -# Parent 9cda8c127b0a7bb11561befbaa9ecf1130763fcf -txt-acminfo: Map TXT heap using mmap -Without this patch - -txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN - -segfaults. This issue was introduced in - -o changeset: 627:d8a8e17f6d41 -| user: Lukasz Hawrylko -| date: Thu May 13 16:04:27 2021 +0200 -| summary: Check for client/server match when selecting SINIT - -Signed-off-by: Timo Lindfors - -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/common/loader.c ---- a/tboot/common/loader.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/common/loader.c Thu Mar 10 10:28:11 2022 +0200 -@@ -1792,7 +1792,7 @@ - void *base2 = (void *)m->mod_start; - uint32_t size2 = m->mod_end - (unsigned long)(base2); - if ( is_racm_acmod(base2, size2, false) && -- does_acmod_match_platform((acm_hdr_t *)base2) ) { -+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { - if ( base != NULL ) - *base = base2; - if ( size != NULL ) -@@ -1837,7 +1837,7 @@ - void *base2 = (void *)m->mod_start; - uint32_t size2 = m->mod_end - (unsigned long)(base2); - if ( is_sinit_acmod(base2, size2, false) && -- does_acmod_match_platform((acm_hdr_t *)base2) ) { -+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { - if ( base != NULL ) - *base = base2; - if ( size != NULL ) -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/include/txt/acmod.h ---- a/tboot/include/txt/acmod.h Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/include/txt/acmod.h Thu Mar 10 10:28:11 2022 +0200 -@@ -37,6 +37,8 @@ - #ifndef __TXT_ACMOD_H__ - #define __TXT_ACMOD_H__ - -+typedef void txt_heap_t; -+ - /* - * authenticated code (AC) module header (ver 0.0) - */ -@@ -179,7 +181,7 @@ - extern acm_hdr_t *copy_racm(const acm_hdr_t *racm); - extern bool verify_racm(const acm_hdr_t *acm_hdr); - extern bool is_sinit_acmod(const void *acmod_base, uint32_t acmod_size, bool quiet); --extern bool 
does_acmod_match_platform(const acm_hdr_t* hdr); -+extern bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t* txt_heap); - extern acm_hdr_t *copy_sinit(const acm_hdr_t *sinit); - extern bool verify_acmod(const acm_hdr_t *acm_hdr); - extern uint32_t get_supported_os_sinit_data_ver(const acm_hdr_t* hdr); -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/txt/acmod.c ---- a/tboot/txt/acmod.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/txt/acmod.c Thu Mar 10 10:28:11 2022 +0200 -@@ -576,7 +576,7 @@ - return true; - } - --bool does_acmod_match_platform(const acm_hdr_t* hdr) -+bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t *txt_heap) - { - /* used to ensure we don't print chipset/proc info for each module */ - static bool printed_host_info; -@@ -587,7 +587,8 @@ - return false; - - /* verify client/server platform match */ -- txt_heap_t *txt_heap = get_txt_heap(); -+ if (txt_heap == NULL) -+ txt_heap = get_txt_heap(); - bios_data_t *bios_data = get_bios_data_start(txt_heap); - if (info_table->version >= 5 && bios_data->version >= 6) { - uint32_t bios_type = bios_data->flags.bits.mle.platform_type; -@@ -713,7 +714,7 @@ - - /* is it a valid SINIT module? 
*/ - if ( !is_sinit_acmod(sinit_region_base, bios_data->bios_sinit_size, false) || -- !does_acmod_match_platform((acm_hdr_t *)sinit_region_base) ) -+ !does_acmod_match_platform((acm_hdr_t *)sinit_region_base, NULL) ) - return NULL; - - return (acm_hdr_t *)sinit_region_base; -diff -r 9cda8c127b0a -r 9c625ab2035b utils/txt-acminfo.c ---- a/utils/txt-acminfo.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/utils/txt-acminfo.c Thu Mar 10 10:28:11 2022 +0200 -@@ -203,15 +203,31 @@ - close(fd_mem); - return false; - } -- else { -- if ( does_acmod_match_platform(hdr) ) -- printf("ACM matches platform\n"); -- else -- printf("ACM does not match platform\n"); - -+ uint64_t txt_heap_size = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_SIZE); -+ if (txt_heap_size == 0) { -+ printf("ERROR: No TXT heap is available\n"); - munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); -+ close(fd_mem); -+ return false; - } - -+ uint64_t txt_heap_base = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_BASE); -+ txt_heap_t *txt_heap = mmap(NULL, txt_heap_size, PROT_READ, MAP_PRIVATE, -+ fd_mem, txt_heap_base); -+ if ( txt_heap == MAP_FAILED ) { -+ printf("ERROR: cannot map TXT heap by mmap()\n"); -+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); -+ close(fd_mem); -+ return false; -+ } -+ if ( does_acmod_match_platform(hdr, txt_heap) ) -+ printf("ACM matches platform\n"); -+ else -+ printf("ACM does not match platform\n"); -+ -+ munmap(txt_heap, txt_heap_size); -+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); - close(fd_mem); - return true; - } diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec deleted file mode 100644 index a9200d3..0000000 --- a/SPECS/tboot.spec +++ /dev/null 
@@ -1,242 +0,0 @@ -Summary: Performs a verified launch using Intel TXT -Name: tboot -Version: 1.10.5 -Release: 2%{?dist} -Epoch: 1 - -Group: System Environment/Base -License: BSD -URL: http://sourceforge.net/projects/tboot/ -Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz - -BuildRequires: openssl-devel -BuildRequires: perl -ExclusiveArch: %{ix86} x86_64 -Requires: grub2-efi-x64-modules - -Patch01: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch -Patch02: 0002-check-for-client-server-match.patch - -%description -Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses -Intel Trusted Execution Technology (Intel TXT) to perform a measured -and verified launch of an OS kernel/VMM. - -%prep -%autosetup -S git - -# do not override OPTFLAGS -sed -i -e 's/-march=i686//' Config.mk - -%build -CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS -LDFLAGS="$RPM_LD_FLAGS"; export LDFLAGS -make debug=y %{?_smp_mflags} - -%post -# create the tboot entry and copy the modules to the grubenvdir -grublib='/usr/lib/grub/x86_64-efi/' - -if [ -d /sys/firmware/efi ]; then - echo "EFI detected .." - grubenvdir='/boot/efi/EFI/redhat' -else - echo "Legacy BIOS detected .." - grubenvdir='/boot/grub2' - # If previous install put the modules in the wrong dir - [ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi -fi - -grub2-mkconfig -o $grubenvdir/grub.cfg -[ -d $grubenvdir/x86_64-efi ] || mkdir -pv $grubenvdir/x86_64-efi -cp -vf $grublib/relocator.mod $grubenvdir/x86_64-efi/ -cp -vf $grublib/multiboot2.mod $grubenvdir/x86_64-efi/ - -%postun -# Cleanup all tboot files - -# Remove residual grub efi modules. -if [ -d /sys/firmware/efi ]; then - echo "EFI detected .." - grubenvdir='/boot/efi/EFI/redhat' -else - echo "Legacy BIOS detected .." 
- grubenvdir='/boot/grub2' -fi - -[ -d $grubenvdir/x86_64-efi ] && rm -rf $grubenvdir/x86_64-efi -grub2-mkconfig -o $grubenvdir/grub.cfg - -%install -echo "installing tboot" -make debug=y DISTDIR=$RPM_BUILD_ROOT install - -%files -%doc README.md COPYING docs/* lcptools-v2/lcptools.txt -%config %{_sysconfdir}/grub.d/20_linux_tboot -%config %{_sysconfdir}/grub.d/20_linux_xen_tboot -%{_sbindir}/txt-acminfo -%{_sbindir}/lcp2_crtpol -%{_sbindir}/lcp2_crtpolelt -%{_sbindir}/lcp2_crtpollist -%{_sbindir}/lcp2_mlehash -%{_sbindir}/txt-parse_err -%{_sbindir}/tb_polgen -%{_sbindir}/txt-stat -%{_mandir}/man8/txt-acminfo.8.gz -%{_mandir}/man8/tb_polgen.8.gz -%{_mandir}/man8/txt-stat.8.gz -%{_mandir}/man8/lcp2_crtpol.8.gz -%{_mandir}/man8/lcp2_crtpolelt.8.gz -%{_mandir}/man8/lcp2_crtpollist.8.gz -%{_mandir}/man8/lcp2_mlehash.8.gz -%{_mandir}/man8/txt-parse_err.8.gz -/boot/tboot.gz -/boot/tboot-syms - -%changelog -* Fri Aug 26 2022 Tony Camuso - 1:1.10.5-2 -- The install scriptlet in %post was not choosing the correct - grubenv directory. In RHEL8, the efi and legacy bios grubenv - directories are different. This change assures that the - correct directory is used for grub.cfg and related modules. - Added a %postun section to cleanup when removing tboot with - dnf erase. - Resolves: rhbz#2121836 - -* Wed Apr 20 2022 Tony Camuso - 1:1.10.5-1 - Upgrade to tboot-1.10.5-1 for fixes and updates. - Added a scriptlet to the tboot.spec file to automatically install - grub2-efi-x64-modules and move them to the correct directory. - Resolves: rhbz#2040082 - Resolves: rhbz#2041759 - -* Thu Jun 10 2021 Tony Camuso - 1:1.10.1-1 - Upgrade to tboot-1.10.2-1 provides some bug fixes and updates. - Remove 0001-Do-not-install-man-pages-for-deprecated-tools.patch - from the git repo, since it is no longer needed. 
- Resolves: rhbz#1857068 - Resolves: rhbz#1873296 - Resolves: rhbz#1920386 - -* Mon Feb 22 2021 Tony Camuso - 1:1.10.0-1 - Need to add BuildRequires: perl, since it has beem moved - from BuildRoot. - See: https://fedoraproject.org/wiki/Packaging:Perl#Build_Dependencies - Resolves: rhbz#1857068 - -* Mon Feb 22 2021 Tony Camuso - 1:1.10.0-1 - Build problem creating directory for grub modules. We can't - know if the modules are there, so it's up to the end user to - find the modules and copy them to the correct location. - Specifically, for systems booting from EFI, the - /boot/efi/EFI/redhat/x86_64-efi/multiboot2.mod file, if it - exists, must be copied to the /boot/efi/EFI/redhat/x86_64-efi/ - directory. If that file does not exist, then the system has - the wrong version of grub for using tboot in an EFI system. - Resolves: rhbz#1857068 - -* Fri Dec 11 2020 Tony Camuso - 1:1.10.0-0 - Upgrade to latest upstream version - Added upstream patch to remove deprecated man pages - Resolves: rhbz#1857068 - -* Tue Jun 23 2020 Tony Camuso - 1:1.9.12-2 -- Fix build issues with one upstream patch. - This patch also reverts the previous patch concerning the - -Wno-address-of-packed-member cflag. - Resolves: rhbz#1847938 - -* Fri Jun 12 2020 Tony Camuso - 1:1.9.12-1 -- Add patch to revert "Disable GCC9 address-of-packed-member warning" - While it was able to build locally with 'rhpkg local', the brew - build failed, because the compiler on the brew systems did not - recognized the new GCC9 command line flag: - -Wno-address-of-packed-member - -* Fri May 29 2020 Tony Camuso - 1:1.9.12-1 -- Upgrade to latest upstream version - Resolves: rhbz#1790169 - -* Fri Nov 15 2019 Tony Camuso - 1:1.9.10-1 -- Rebase to the lastest upstream version. - Resolves: rhbz#1725661 - -* Fri Sep 7 2018 Tony Camuso - 1:1.9.7-1 -- Rebase to the latest upstream version. 
- Resolves: rhbz#1511799 -- Do not override OPTFLAGS in the make - Resolves: rhbz#1620070 - -* Fri Jul 20 2018 Tony Camuso - 1:1.9.6-3 -- Incorporate latest upstream patches, including a newer version - of the OpenSSL patch in 1.9.6-2 - Resolves: rhbz#1492771 - Resolves: rhbz#1499435 - -* Tue Feb 06 2018 Tomáš Mráz - 1:1.9.6-2 -- Patch to build with OpenSSL-1.1.x - -* Sun Feb 04 2018 Filipe Rosset - 1:1.9.6-1 -- Upgrade to latest upstream version - -* Thu Aug 03 2017 Fedora Release Engineering - 1:1.8.2-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 1:1.8.2-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Sat Feb 11 2017 Fedora Release Engineering - 1:1.8.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Fri Feb 05 2016 Fedora Release Engineering - 1:1.8.2-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Fri Jun 19 2015 Fedora Release Engineering - 1:1.8.2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Mon Aug 18 2014 Fedora Release Engineering - 1:1.8.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Wed Jul 30 2014 Gang Wei - 1:1.8.2-1 -- Upgrade to latest upstream version which provided security fix for: - tboot:argument measurement vulnerablity for GRUB2+ELF kernels - -* Wed Jun 18 2014 Gang Wei - 1:1.8.1-1 -- Upgrade to latest upstream version - -* Sun Jun 08 2014 Fedora Release Engineering - 1:1.7.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Sun Aug 04 2013 Fedora Release Engineering - 1:1.7.3-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Tue Apr 02 2013 Gang Wei - 1:1.7.3-3 -- Fix for breaking grub2-mkconfig operation in 32bit case(#929384) - -* Wed Feb 20 2013 Gang Wei - 1:1.7.3-2 -- Fix version string in log - -* Wed Jan 30 2013 David Cantrell - 1:1.7.3-1 -- Upgrade to 
latest upstream version (#902653) - -* Wed Aug 22 2012 Gang Wei - 1:1.7.0-2 -- Fix build error with zlib 1.2.7 - -* Sat Jul 21 2012 Fedora Release Engineering - 1:1.7.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Sun Jan 15 2012 Gang Wei - 1:1.7.0 -- 1.7.0 release - -* Sat Jan 14 2012 Fedora Release Engineering - 20110429-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Fri Apr 29 2011 Gang Wei - 20110429-1 -- Pull upstream changeset 255, rebuilt in F15 - -* Wed Feb 09 2011 Fedora Release Engineering - 20101005-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Wed Dec 1 2010 Joseph Cihula - 20101005-1.fc13 -- Initial import diff --git a/sources b/sources new file mode 100644 index 0000000..498e3f7 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (tboot-1.11.9.tar.gz) = d737ad08df22f3b017e213ea67d9c1f2012e5b47a990e5c3e9e454f85d7c06c3f8a4701b6c350ccece0c947447ab7fde9c0b2ed08beb51603b83e5d03f712401 diff --git a/tboot-gcc14.patch b/tboot-gcc14.patch new file mode 100644 index 0000000..9b6ff83 --- /dev/null +++ b/tboot-gcc14.patch @@ -0,0 +1,17 @@ +Suppress GCC 14 allocation size warning in lcptools-v2/pconf_legacy.c + +Submitted upstream: + +diff --git a/lcptools-v2/pconf_legacy.c b/lcptools-v2/pconf_legacy.c +index 443b5cd5525b9fe1..5ebc6c451f7008b1 100644 +--- a/lcptools-v2/pconf_legacy.c ++++ b/lcptools-v2/pconf_legacy.c +@@ -324,7 +324,7 @@ static lcp_policy_element_t *create(void) + ERROR("Error: no pcrs were selected.\n"); + return NULL; + } +- digest = malloc(SHA1_DIGEST_SIZE); ++ digest = malloc(sizeof(*digest)); + if (digest == NULL) { + ERROR("Error: failed to allocate memory for digest buffer.\n"); + return NULL; diff --git a/tboot-no-engine.patch b/tboot-no-engine.patch new file mode 100644 index 0000000..747657d --- /dev/null +++ b/tboot-no-engine.patch 
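Review bot: The header of tboot-gcc14.patch calls this a warning suppression, but replacing `malloc(SHA1_DIGEST_SIZE)` with `malloc(sizeof(*digest))` in create() changes how many bytes are allocated, and the description should say so. The type of `digest` is not visible in this hunk, but GCC 14's `-Walloc-size` fires when the requested size is smaller than the pointed-to type, which suggests the old buffer was undersized for that type. If bytes beyond the SHA-1 length are later copied into the policy element, they would be uninitialised heap; `digest = calloc(1, sizeof(*digest));` avoids that. The `Submitted upstream:` line is left without a reference, so a later rebase cannot tell when the patch can be dropped. create() starts and continues outside the hunk.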
@@ -0,0 +1,57 @@ +diff -up tboot-1.11.3/lcptools-v2/crtpol.c.no-engine tboot-1.11.3/lcptools-v2/crtpol.c +--- tboot-1.11.3/lcptools-v2/crtpol.c.no-engine 2024-08-13 18:03:43.003697657 +0200 ++++ tboot-1.11.3/lcptools-v2/crtpol.c 2024-08-13 18:04:49.315001612 +0200 +@@ -43,7 +43,10 @@ + #include + #include + #include ++#include ++#ifndef OPENSSL_NO_ENGINE + #include ++#endif + #include + #include + #include +diff -up tboot-1.11.3/lcptools-v2/crtpollist.c.no-engine tboot-1.11.3/lcptools-v2/crtpollist.c +--- tboot-1.11.3/lcptools-v2/crtpollist.c.no-engine 2024-08-13 18:03:43.005697697 +0200 ++++ tboot-1.11.3/lcptools-v2/crtpollist.c 2024-08-13 18:04:58.324178771 +0200 +@@ -44,7 +44,10 @@ + #include + #include + #include ++#include ++#ifndef OPENSSL_NO_ENGINE + #include ++#endif + #include + #include + #include +diff -up tboot-1.11.3/lcptools-v2/lcputils.c.no-engine tboot-1.11.3/lcptools-v2/lcputils.c +--- tboot-1.11.3/lcptools-v2/lcputils.c.no-engine 2024-08-13 18:03:43.004697677 +0200 ++++ tboot-1.11.3/lcptools-v2/lcputils.c 2024-08-13 18:04:53.293079838 +0200 +@@ -43,7 +43,10 @@ + #include + #include + #include ++#include ++#ifndef OPENSSL_NO_ENGINE + #include ++#endif + #include + #include + #include +diff -up tboot-1.11.3/lcptools-v2/pollist2.c.no-engine tboot-1.11.3/lcptools-v2/pollist2.c +--- tboot-1.11.3/lcptools-v2/pollist2.c.no-engine 2024-08-13 18:03:43.002697637 +0200 ++++ tboot-1.11.3/lcptools-v2/pollist2.c 2024-08-13 18:04:45.813932767 +0200 +@@ -41,7 +41,10 @@ + #include + #include + #include ++#include ++#ifndef OPENSSL_NO_ENGINE + #include ++#endif + #include + #include + #include + diff --git a/tboot.spec b/tboot.spec new file mode 100644 index 0000000..f74b29b --- /dev/null +++ b/tboot.spec 
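Review bot: The `#ifndef OPENSSL_NO_ENGINE` guard added to crtpol.c, crtpollist.c, lcputils.c and pollist2.c wraps only an include (the header names are not visible on this page), so any ENGINE call left in those files would need the same guard. No call sites appear in these hunks, so this should be confirmed against the 1.11.9 sources that the spec builds. Unlike tboot-gcc14.patch, this patch has no description or upstream status, and its paths still name tboot-1.11.3. A short header saying why the include is made conditional, and whether the change was sent upstream, would make the next rebase easier to review.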
@@ -0,0 +1,295 @@ +Summary: Performs a verified launch using Intel TXT +Name: tboot +Version: 1.11.9 +Release: 1%{?dist} +Epoch: 1 + +License: BSD-3-Clause +URL: http://sourceforge.net/projects/tboot/ +Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz +Patch0: tboot-gcc14.patch +Patch1: tboot-no-engine.patch + +BuildRequires: make +BuildRequires: gcc +BuildRequires: perl +BuildRequires: openssl-devel +BuildRequires: zlib-devel +Requires: grub2-efi-x64-modules +ExclusiveArch: %{ix86} x86_64 + +%description +Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses +Intel Trusted Execution Technology (Intel TXT) to perform a measured +and verified launch of an OS kernel/VMM. + +%prep +%autosetup -p1 -n %{name}-%{version} + +%build +%make_build debug=y + +%install +%make_install debug=y + +%post +# create the tboot grub entry +grub2-mkconfig -o /boot/grub2/grub.cfg + +# For EFI based machines ... +# Rmove the grub efi modules if they had been placed in the wrong directory by +# a previous install. +[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi +# create the tboot grub entry +grub2-mkconfig -o /boot/grub2/grub.cfg + +# For EFI based machines ... +if [ -d /sys/firmware/efi ]; then + echo "EFI detected .." + [ -d /boot/grub2/x86_64-efi ] || mkdir -pv /boot/grub2/x86_64-efi + cp -vf /usr/lib/grub/x86_64-efi/relocator.mod /boot/grub2/x86_64-efi/ + cp -vf /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/grub2/x86_64-efi/ + cp -vf /usr/lib/grub/x86_64-efi/elf.mod /boot/grub2/x86_64-efi/ + + # If there were a previous install of tboot that overwrote the + # originally installed /boot/efi/EFI/redhat/grub.cfg stub, then + # recreate it. 
+ if grep -q -m1 tboot /boot/efi/EFI/redhat/grub.cfg; then +cat << EOF > /boot/efi/EFI/redhat/grub.cfg +search --no-floppy --fs-uuid --set=dev \ + $(lsblk -no UUID $(df -P /boot/grub2 | awk 'END{print $1}')) +set prefix=(\$dev)/grub2 +export \$prefix +configfile \$prefix/grub.cfg +EOF + chown root:root /boot/efi/EFI/redhat/grub.cfg + chmod u=rwx,go= /boot/efi/EFI/redhat/grub.cfg + fi +fi + +%postun +# Remove residual grub efi modules. +[ -d /boot/grub2/x86_64-efi ] && rm -rf /boot/grub2/x86_64-efi +[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi +grub2-mkconfig -o /etc/grub2.cfg + +%files +%license COPYING +%doc docs/* +%config %{_sysconfdir}/grub.d/20_linux_tboot +%config %{_sysconfdir}/grub.d/20_linux_xen_tboot +%{_sbindir}/lcp2_crtpol +%{_sbindir}/lcp2_crtpolelt +%{_sbindir}/lcp2_crtpollist +%{_sbindir}/lcp2_mlehash +%{_sbindir}/tb_polgen +%{_sbindir}/txt-acminfo +%{_sbindir}/txt-parse_err +%{_sbindir}/txt-stat +%{_mandir}/man8/lcp2_crtpol.8.gz +%{_mandir}/man8/lcp2_crtpolelt.8.gz +%{_mandir}/man8/lcp2_crtpollist.8.gz +%{_mandir}/man8/lcp2_mlehash.8.gz +%{_mandir}/man8/tb_polgen.8.gz +%{_mandir}/man8/txt-acminfo.8.gz +%{_mandir}/man8/txt-parse_err.8.gz +%{_mandir}/man8/txt-stat.8.gz +/boot/tboot.gz +/boot/tboot-syms + +%changelog +* Thu Dec 12 2024 Tony Camuso - 1:1.11.9-1 +- Update to latest upstream. + Resolves: RHEL-71190 + +* Tue Oct 29 2024 Troy Dawson - 1:1.11.3-4 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Thu Aug 15 2024 Tony Camuso - 1:1.11.3-3 +- Add gating.yaml + Resolves: RHEL-54412 + +* Tue Aug 13 2024 Tony Camuso - 1:1.11.3-2 +- Stop using OpenSSL ENGINE API in tboot + Resolves: RHEL-54172 + +* Tue Jun 25 2024 Tony Camuso - 1:1.11.3-1 +- Latest version of tboot. 
+ Resolves: RHEL-34500 + +* Mon Jun 24 2024 Troy Dawson - 1:1.11.1-7 +- Bump release for June 2024 mass rebuild + +* Mon Jan 29 2024 Florian Weimer - 1:1.11.1-6 +- Suppress GCC 14 allocation size warning + +* Sat Jan 27 2024 Fedora Release Engineering - 1:1.11.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Nov 01 2023 Yaakov Selkowitz - 1:1.11.1-4 +- Add grub2-efi-x64-modules dependency and scriplet + +* Fri Sep 22 2023 David Cantrell - 1:1.11.1-3 +- Use %%license for the COPYING file in the %%files section +- Convert the License tag to an SPDX expression + +* Sat Jul 22 2023 Fedora Release Engineering - 1:1.11.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Sun May 07 2023 Jun Miao - 1:1.11.1-1 +- Update to v1.11.1 release + +* Sun Apr 23 2023 Jun Miao - 1:1.11.0-2 +- Update code sources with the v1.11.0 + +* Mon Feb 27 2023 Jun Miao - 1:1.11.0-1 +- Update to v1.11.0 release + +* Sat Jan 21 2023 Fedora Release Engineering - 1:1.10.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Sat Jul 23 2022 Fedora Release Engineering - 1:1.10.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Wed Apr 20 2022 Jun Miao - 1:1.10.5-1 +- Update to v1.10.5 release + +* Fri Feb 25 2022 Jun Miao jun.miao@intel.com - 1:1.10.4-2 +- Update the tboot-1.10.4.tar.gz source + +* Fri Feb 25 2022 Jun Miao - 1:1.10.4-1 +- Updated to upstream 1.10.4 release +- Fix the GCC12 build error + +* Thu Dec 23 2021 Yunying Sun - 1:1.10.3-1 +- Updated to 1.10.3 which added OpenSSL 3.0.0 support +- Bugzilla 2021901 is fixed with this updated release +- Removed obsolete patch files + +* Fri Dec 3 2021 Yunying Sun - 1:1.10.2-4 +- Rebuilt again with OpenSSL 3.0.0 fix patch + +* Tue Sep 14 2021 Sahana Prasad - 1:1.10.2-3 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Fedora Release Engineering - 1:1.10.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jun 
15 2021 Yunying Sun - 1:1.10.2-1 +- Updated to upstream 1.10.2 release +- Removed standalone patches as both are fixed in 1.10.2 +- Adjusted dependencies, removed trousers and added perl +- Updated packaged file list + +* Wed Jan 27 2021 Fedora Release Engineering - 1:1.9.11-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Oct 30 2020 Jeff Law - 1:1.9.11-5 +- Re-enable -Wstringop-overflow and instead make the problematical + pointer volatile to avoid the false positive diagnostic + +* Thu Oct 29 2020 Jeff Law - 1:1.9.11-4 +- Fix buglet exposed by gcc-11 -Warray-parameter +- Temporarily disable -Wstringop-overflow due to false positive in gcc-11 + +* Wed Jul 29 2020 Jeff Law - 1:1.9.11-3 +- Explicitly allow uninitialized variables in a few places that do it +- on purpose + +* Wed Jul 29 2020 Fedora Release Engineering - 1:1.9.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sun Apr 19 2020 Filipe Rosset - 1:1.9.11-1 +- Update to 1.9.11 + +* Fri Jan 31 2020 Fedora Release Engineering - 1:1.9.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sat Jul 27 2019 Fedora Release Engineering - 1:1.9.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue May 14 2019 Yunying Sun - 1:1.9.10-1 +- Add patch to fix package build error +- Add build dependency to zlib-devel +- Update to latest release 1.9.10 + +* Sun Feb 03 2019 Fedora Release Engineering - 1:1.9.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Oct 31 2018 Yunying Sun - 1:1.9.8-1 +- Updated to upstream 1.9.8 release + +* Tue Sep 4 2018 Yunying Sun - 1:1.9.7-1 +- Updated to upstream 1.9.7 release +- Removed the patch for openssl 1.1 as it is included in 1.9.7 already + +* Sat Jul 14 2018 Fedora Release Engineering - 1:1.9.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Feb 06 2018 Tomáš Mráz - 1:1.9.6-2 +- Patch to build with 
OpenSSL-1.1.x + +* Sun Feb 04 2018 Filipe Rosset - 1:1.9.6-1 +- Upgrade to latest upstream version + +* Thu Aug 03 2017 Fedora Release Engineering - 1:1.8.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1:1.8.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 1:1.8.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 05 2016 Fedora Release Engineering - 1:1.8.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Fedora Release Engineering - 1:1.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Aug 18 2014 Fedora Release Engineering - 1:1.8.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 30 2014 Gang Wei - 1:1.8.2-1 +- Upgrade to latest upstream version which provided security fix for: + tboot:argument measurement vulnerablity for GRUB2+ELF kernels + +* Wed Jun 18 2014 Gang Wei - 1:1.8.1-1 +- Upgrade to latest upstream version + +* Sun Jun 08 2014 Fedora Release Engineering - 1:1.7.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Aug 04 2013 Fedora Release Engineering - 1:1.7.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Apr 02 2013 Gang Wei - 1:1.7.3-3 +- Fix for breaking grub2-mkconfig operation in 32bit case(#929384) + +* Wed Feb 20 2013 Gang Wei - 1:1.7.3-2 +- Fix version string in log + +* Wed Jan 30 2013 David Cantrell - 1:1.7.3-1 +- Upgrade to latest upstream version (#902653) + +* Wed Aug 22 2012 Gang Wei - 1:1.7.0-2 +- Fix build error with zlib 1.2.7 + +* Sat Jul 21 2012 Fedora Release Engineering - 1:1.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sun Jan 15 2012 Gang Wei - 1:1.7.0 +- 1.7.0 release + +* Sat Jan 14 2012 Fedora Release Engineering - 
20110429-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Apr 29 2011 Gang Wei - 20110429-1 +- Pull upstream changeset 255, rebuilt in F15 + +* Wed Feb 09 2011 Fedora Release Engineering - 20101005-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 1 2010 Joseph Cihula - 20101005-1.fc13 +- Initial import
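Review bot: The `%postun` scriptlet removes `/boot/grub2/x86_64-efi` and `/boot/efi/EFI/redhat/x86_64-efi` without checking `$1`. On an upgrade the outgoing package's `%postun` runs after the new `%post`, so it deletes the modules that were just copied and may leave a tboot entry that cannot load `multiboot2.mod`; wrap the body in `if [ "$1" -eq 0 ]; then ... fi` so it runs only on erase. It also regenerates `/etc/grub2.cfg` while `%post` writes `/boot/grub2/grub.cfg`, and `%post` itself runs `grub2-mkconfig -o /boot/grub2/grub.cfg` twice under a duplicated comment. The ESP stub is rewritten even if the `lsblk`/`df` lookup returns an empty UUID, so the value should be checked before `/boot/efi/EFI/redhat/grub.cfg` is overwritten. `chmod u=rwx,go=` gives that configuration file an execute bit it does not need; `chmod u=rw,go=` is sufficient.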