diff --git a/.gitignore b/.gitignore index 84bb1b2..0104f8b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /tboot-1.10.5.tar.gz +/tboot-1.11.1.tar.gz diff --git a/0001-fix-typo-in-lcp2_crtpollist-manpage.patch b/0001-fix-typo-in-lcp2_crtpollist-manpage.patch deleted file mode 100644 index 1f8a20b..0000000 --- a/0001-fix-typo-in-lcp2_crtpollist-manpage.patch +++ /dev/null @@ -1,20 +0,0 @@ -# HG changeset patch -# User Pawel Randzio -# Date 1646837604 -3600 -# Wed Mar 09 15:53:24 2022 +0100 -# Node ID 9cda8c127b0a7bb11561befbaa9ecf1130763fcf -# Parent 5941842afb661f0e78085cb1317781d362583a38 -Fixed a typo in man page for lcp2_crtpollist - -diff -r 5941842afb66 -r 9cda8c127b0a docs/man/lcp2_crtpollist.8 ---- a/docs/man/lcp2_crtpollist.8 Fri Mar 04 11:14:35 2022 +0100 -+++ b/docs/man/lcp2_crtpollist.8 Wed Mar 09 15:53:24 2022 +0100 -@@ -36,7 +36,7 @@ - support rsapss and ecdsa. - .TP \w'\fB--hashalg\ \fI\fP'u+1n - \fB--hashalg\ \fI\fP --Hash algorightm used for signing a list. Lists version 0x100 only support SHA1. -+Hash algorithm used for signing a list. Lists version 0x100 only support SHA1. - .TP - \fB--pub\ \fIfile\fP - Public key to use, must be in PEM format. diff --git a/0002-check-for-client-server-match.patch b/0002-check-for-client-server-match.patch deleted file mode 100644 index db71d65..0000000 --- a/0002-check-for-client-server-match.patch +++ /dev/null 
@@ -1,133 +0,0 @@ -# HG changeset patch -# User Timo Lindfors -# Date 1646900891 -7200 -# Thu Mar 10 10:28:11 2022 +0200 -# Node ID 9c625ab2035bae1fc38787025f74d2937600223b -# Parent 9cda8c127b0a7bb11561befbaa9ecf1130763fcf -txt-acminfo: Map TXT heap using mmap -Without this patch - -txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN - -segfaults. This issue was introduced in - -o changeset: 627:d8a8e17f6d41 -| user: Lukasz Hawrylko -| date: Thu May 13 16:04:27 2021 +0200 -| summary: Check for client/server match when selecting SINIT - -Signed-off-by: Timo Lindfors - -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/common/loader.c ---- a/tboot/common/loader.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/common/loader.c Thu Mar 10 10:28:11 2022 +0200 -@@ -1792,7 +1792,7 @@ - void *base2 = (void *)m->mod_start; - uint32_t size2 = m->mod_end - (unsigned long)(base2); - if ( is_racm_acmod(base2, size2, false) && -- does_acmod_match_platform((acm_hdr_t *)base2) ) { -+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { - if ( base != NULL ) - *base = base2; - if ( size != NULL ) -@@ -1837,7 +1837,7 @@ - void *base2 = (void *)m->mod_start; - uint32_t size2 = m->mod_end - (unsigned long)(base2); - if ( is_sinit_acmod(base2, size2, false) && -- does_acmod_match_platform((acm_hdr_t *)base2) ) { -+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { - if ( base != NULL ) - *base = base2; - if ( size != NULL ) -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/include/txt/acmod.h ---- a/tboot/include/txt/acmod.h Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/include/txt/acmod.h Thu Mar 10 10:28:11 2022 +0200 -@@ -37,6 +37,8 @@ - #ifndef __TXT_ACMOD_H__ - #define __TXT_ACMOD_H__ - -+typedef void txt_heap_t; -+ - /* - * authenticated code (AC) module header (ver 0.0) - */ -@@ -179,7 +181,7 @@ - extern acm_hdr_t *copy_racm(const acm_hdr_t *racm); - extern bool verify_racm(const acm_hdr_t *acm_hdr); - extern bool is_sinit_acmod(const void *acmod_base, uint32_t acmod_size, bool quiet); --extern bool 
does_acmod_match_platform(const acm_hdr_t* hdr); -+extern bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t* txt_heap); - extern acm_hdr_t *copy_sinit(const acm_hdr_t *sinit); - extern bool verify_acmod(const acm_hdr_t *acm_hdr); - extern uint32_t get_supported_os_sinit_data_ver(const acm_hdr_t* hdr); -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/txt/acmod.c ---- a/tboot/txt/acmod.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/txt/acmod.c Thu Mar 10 10:28:11 2022 +0200 -@@ -576,7 +576,7 @@ - return true; - } - --bool does_acmod_match_platform(const acm_hdr_t* hdr) -+bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t *txt_heap) - { - /* used to ensure we don't print chipset/proc info for each module */ - static bool printed_host_info; -@@ -587,7 +587,8 @@ - return false; - - /* verify client/server platform match */ -- txt_heap_t *txt_heap = get_txt_heap(); -+ if (txt_heap == NULL) -+ txt_heap = get_txt_heap(); - bios_data_t *bios_data = get_bios_data_start(txt_heap); - if (info_table->version >= 5 && bios_data->version >= 6) { - uint32_t bios_type = bios_data->flags.bits.mle.platform_type; -@@ -713,7 +714,7 @@ - - /* is it a valid SINIT module? 
*/ - if ( !is_sinit_acmod(sinit_region_base, bios_data->bios_sinit_size, false) || -- !does_acmod_match_platform((acm_hdr_t *)sinit_region_base) ) -+ !does_acmod_match_platform((acm_hdr_t *)sinit_region_base, NULL) ) - return NULL; - - return (acm_hdr_t *)sinit_region_base; -diff -r 9cda8c127b0a -r 9c625ab2035b utils/txt-acminfo.c ---- a/utils/txt-acminfo.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/utils/txt-acminfo.c Thu Mar 10 10:28:11 2022 +0200 -@@ -203,15 +203,31 @@ - close(fd_mem); - return false; - } -- else { -- if ( does_acmod_match_platform(hdr) ) -- printf("ACM matches platform\n"); -- else -- printf("ACM does not match platform\n"); - -+ uint64_t txt_heap_size = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_SIZE); -+ if (txt_heap_size == 0) { -+ printf("ERROR: No TXT heap is available\n"); - munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); -+ close(fd_mem); -+ return false; - } - -+ uint64_t txt_heap_base = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_BASE); -+ txt_heap_t *txt_heap = mmap(NULL, txt_heap_size, PROT_READ, MAP_PRIVATE, -+ fd_mem, txt_heap_base); -+ if ( txt_heap == MAP_FAILED ) { -+ printf("ERROR: cannot map TXT heap by mmap()\n"); -+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); -+ close(fd_mem); -+ return false; -+ } -+ if ( does_acmod_match_platform(hdr, txt_heap) ) -+ printf("ACM matches platform\n"); -+ else -+ printf("ACM does not match platform\n"); -+ -+ munmap(txt_heap, txt_heap_size); -+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); - close(fd_mem); - return true; - } diff --git a/sources b/sources index 4f99b6f..b0703bf 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (tboot-1.10.5.tar.gz) = 01a039e5612b6cca6f7558e93673ba50edfcfbf3f65e390ac64f4aa6ae0859a314676b20d722dcd41a7a3c940473fe7982e823c800a75bd26a5e8f956528f223 +SHA512 (tboot-1.11.1.tar.gz) = 6708bd2169d2b5beb6a1123b2712693d2bdc614a1a5a5a1f3858c47462cdeb3e05da3848f082e264c4d1be5f35f7ca5637bc56ebbaaff80f322bf5f4c29e4ab5 
diff --git a/tboot.spec b/tboot.spec index a9200d3..3d7810e 100644 --- a/tboot.spec +++ b/tboot.spec @@ -1,7 +1,7 @@ Summary: Performs a verified launch using Intel TXT Name: tboot -Version: 1.10.5 -Release: 2%{?dist} +Version: 1.11.1 +Release: 1%{?dist} Epoch: 1 Group: System Environment/Base @@ -14,9 +14,6 @@ BuildRequires: perl ExclusiveArch: %{ix86} x86_64 Requires: grub2-efi-x64-modules -Patch01: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch -Patch02: 0002-check-for-client-server-match.patch - %description Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses Intel Trusted Execution Technology (Intel TXT) to perform a measured @@ -95,6 +92,10 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install /boot/tboot-syms %changelog +* Wed Jun 14 2023 Tony Camuso tcamuso@redhat.com> - 1:1.11.1-1 +- Backport upstream fixes and updates. + Resolves: rhbz#2188433 + * Fri Aug 26 2022 Tony Camuso - 1:1.10.5-2 - The install scriptlet in %post was not choosing the correct grubenv directory. In RHEL8, the efi and legacy bios grubenv
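Review bot: The second hunk drops `Patch01` and `Patch02`, but the new `%changelog` entry says only "Backport upstream fixes and updates", so the package history does not record that this is a rebase from 1.10.5 to 1.11.1 or why the downstream patches could be removed. Patch02 carried the fix for the `txt-acminfo` segfault (mapping the TXT heap with `mmap()` and passing it to `does_acmod_match_platform`); presumably 1.11.1 already contains it, but that should be confirmed against the new tarball before relying on the removal. I would word the entry as `- Rebase to upstream 1.11.1; drop Patch01 and Patch02, both included upstream.` and keep the `Resolves:` line. Separately, the `.gitignore` and `sources` hunks keep the 1.10.5 tarball and its SHA512 next to the new one; if nothing in the spec still uses it, removing the stale entry limits the checksum list to what the build actually consumes.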