import tboot-1.10.5-1.el9

This commit is contained in:
CentOS Sources 2022-11-15 01:56:30 -05:00 committed by Stepan Oksanichenko
parent 194d43dcd8
commit 5c8c6daab0
8 changed files with 181 additions and 158 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/tboot-1.10.2.tar.gz SOURCES/tboot-1.10.5.tar.gz

View File

@ -1 +1 @@
f11ed63c38588fe17ac6674efc115122dd2fc737 SOURCES/tboot-1.10.2.tar.gz 687bb5c0453b0256d64c8b1aa538a49703f9737a SOURCES/tboot-1.10.5.tar.gz

View File

@ -1,30 +0,0 @@
From fb1b10586f293a39523cec835a8d2f102375bd0d Mon Sep 17 00:00:00 2001
From: Tony Camuso <tcamuso@redhat.com>
Date: Wed, 2 Jun 2021 06:57:41 -0400
Subject: [PATCH] Add -Wno-error=deprecated-declarations to Config.mk
For SSL3 build compatability. In the future, the code needs to be
made SSL3 compatable.
Signed-off-by: Tony Camuso <tcamuso@redhat.com>
---
Config.mk | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Config.mk b/Config.mk
index ba997b0..764e725 100644
--- a/Config.mk
+++ b/Config.mk
@@ -43,7 +43,8 @@ CFLAGS_WARN = -Wall -Wformat-security -Werror -Wstrict-prototypes \
-Wextra -Winit-self -Wswitch-default -Wunused-parameter \
-Wwrite-strings \
$(call cc-option,$(CC),-Wlogical-op,) \
- -Wno-missing-field-initializers -Wno-address-of-packed-member
+ -Wno-missing-field-initializers -Wno-address-of-packed-member \
+ -Wno-deprecated-declarations
AS ?= as
LD ?= ld
--
2.31.1

View File

@ -0,0 +1,20 @@
# HG changeset patch
# User Pawel Randzio <pawel.randzio@intel.com>
# Date 1646837604 -3600
# Wed Mar 09 15:53:24 2022 +0100
# Node ID 9cda8c127b0a7bb11561befbaa9ecf1130763fcf
# Parent 5941842afb661f0e78085cb1317781d362583a38
Fixed a typo in man page for lcp2_crtpollist
diff -r 5941842afb66 -r 9cda8c127b0a docs/man/lcp2_crtpollist.8
--- a/docs/man/lcp2_crtpollist.8 Fri Mar 04 11:14:35 2022 +0100
+++ b/docs/man/lcp2_crtpollist.8 Wed Mar 09 15:53:24 2022 +0100
@@ -36,7 +36,7 @@
support rsapss and ecdsa.
.TP \w'\fB--hashalg\ \fI<sha1|sha256|sha384|sha512|sm2>\fP'u+1n
\fB--hashalg\ \fI<sha1|sha256|sha384|sha512|sm2>\fP
-Hash algorightm used for signing a list. Lists version 0x100 only support SHA1.
+Hash algorithm used for signing a list. Lists version 0x100 only support SHA1.
.TP
\fB--pub\ \fIfile\fP
Public key to use, must be in PEM format.

View File

@ -0,0 +1,133 @@
# HG changeset patch
# User Timo Lindfors <timo.lindfors@iki.fi>
# Date 1646900891 -7200
# Thu Mar 10 10:28:11 2022 +0200
# Node ID 9c625ab2035bae1fc38787025f74d2937600223b
# Parent 9cda8c127b0a7bb11561befbaa9ecf1130763fcf
txt-acminfo: Map TXT heap using mmap
Without this patch
txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN
segfaults. This issue was introduced in
o changeset: 627:d8a8e17f6d41
| user: Lukasz Hawrylko <lukas...@in...>
| date: Thu May 13 16:04:27 2021 +0200
| summary: Check for client/server match when selecting SINIT
Signed-off-by: Timo Lindfors <timo.lindfors@iki.fi>
diff -r 9cda8c127b0a -r 9c625ab2035b tboot/common/loader.c
--- a/tboot/common/loader.c Wed Mar 09 15:53:24 2022 +0100
+++ b/tboot/common/loader.c Thu Mar 10 10:28:11 2022 +0200
@@ -1792,7 +1792,7 @@
void *base2 = (void *)m->mod_start;
uint32_t size2 = m->mod_end - (unsigned long)(base2);
if ( is_racm_acmod(base2, size2, false) &&
- does_acmod_match_platform((acm_hdr_t *)base2) ) {
+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) {
if ( base != NULL )
*base = base2;
if ( size != NULL )
@@ -1837,7 +1837,7 @@
void *base2 = (void *)m->mod_start;
uint32_t size2 = m->mod_end - (unsigned long)(base2);
if ( is_sinit_acmod(base2, size2, false) &&
- does_acmod_match_platform((acm_hdr_t *)base2) ) {
+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) {
if ( base != NULL )
*base = base2;
if ( size != NULL )
diff -r 9cda8c127b0a -r 9c625ab2035b tboot/include/txt/acmod.h
--- a/tboot/include/txt/acmod.h Wed Mar 09 15:53:24 2022 +0100
+++ b/tboot/include/txt/acmod.h Thu Mar 10 10:28:11 2022 +0200
@@ -37,6 +37,8 @@
#ifndef __TXT_ACMOD_H__
#define __TXT_ACMOD_H__
+typedef void txt_heap_t;
+
/*
* authenticated code (AC) module header (ver 0.0)
*/
@@ -179,7 +181,7 @@
extern acm_hdr_t *copy_racm(const acm_hdr_t *racm);
extern bool verify_racm(const acm_hdr_t *acm_hdr);
extern bool is_sinit_acmod(const void *acmod_base, uint32_t acmod_size, bool quiet);
-extern bool does_acmod_match_platform(const acm_hdr_t* hdr);
+extern bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t* txt_heap);
extern acm_hdr_t *copy_sinit(const acm_hdr_t *sinit);
extern bool verify_acmod(const acm_hdr_t *acm_hdr);
extern uint32_t get_supported_os_sinit_data_ver(const acm_hdr_t* hdr);
diff -r 9cda8c127b0a -r 9c625ab2035b tboot/txt/acmod.c
--- a/tboot/txt/acmod.c Wed Mar 09 15:53:24 2022 +0100
+++ b/tboot/txt/acmod.c Thu Mar 10 10:28:11 2022 +0200
@@ -576,7 +576,7 @@
return true;
}
-bool does_acmod_match_platform(const acm_hdr_t* hdr)
+bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t *txt_heap)
{
/* used to ensure we don't print chipset/proc info for each module */
static bool printed_host_info;
@@ -587,7 +587,8 @@
return false;
/* verify client/server platform match */
- txt_heap_t *txt_heap = get_txt_heap();
+ if (txt_heap == NULL)
+ txt_heap = get_txt_heap();
bios_data_t *bios_data = get_bios_data_start(txt_heap);
if (info_table->version >= 5 && bios_data->version >= 6) {
uint32_t bios_type = bios_data->flags.bits.mle.platform_type;
@@ -713,7 +714,7 @@
/* is it a valid SINIT module? */
if ( !is_sinit_acmod(sinit_region_base, bios_data->bios_sinit_size, false) ||
- !does_acmod_match_platform((acm_hdr_t *)sinit_region_base) )
+ !does_acmod_match_platform((acm_hdr_t *)sinit_region_base, NULL) )
return NULL;
return (acm_hdr_t *)sinit_region_base;
diff -r 9cda8c127b0a -r 9c625ab2035b utils/txt-acminfo.c
--- a/utils/txt-acminfo.c Wed Mar 09 15:53:24 2022 +0100
+++ b/utils/txt-acminfo.c Thu Mar 10 10:28:11 2022 +0200
@@ -203,15 +203,31 @@
close(fd_mem);
return false;
}
- else {
- if ( does_acmod_match_platform(hdr) )
- printf("ACM matches platform\n");
- else
- printf("ACM does not match platform\n");
+ uint64_t txt_heap_size = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_SIZE);
+ if (txt_heap_size == 0) {
+ printf("ERROR: No TXT heap is available\n");
munmap(pub_config_base, TXT_CONFIG_REGS_SIZE);
+ close(fd_mem);
+ return false;
}
+ uint64_t txt_heap_base = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_BASE);
+ txt_heap_t *txt_heap = mmap(NULL, txt_heap_size, PROT_READ, MAP_PRIVATE,
+ fd_mem, txt_heap_base);
+ if ( txt_heap == MAP_FAILED ) {
+ printf("ERROR: cannot map TXT heap by mmap()\n");
+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE);
+ close(fd_mem);
+ return false;
+ }
+ if ( does_acmod_match_platform(hdr, txt_heap) )
+ printf("ACM matches platform\n");
+ else
+ printf("ACM does not match platform\n");
+
+ munmap(txt_heap, txt_heap_size);
+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE);
close(fd_mem);
return true;
}

View File

@ -1,63 +0,0 @@
From 8486ee675c00c2662d261fbbf26cf013ccd118fd Mon Sep 17 00:00:00 2001
From: Tony Camuso <tcamuso@redhat.com>
Date: Wed, 23 Jun 2021 08:01:54 -0400
Subject: [PATCH] lcputils.c: remove call to EVP_PKEY_set_alias_type
This function was previously needed as a workaround for SM2. With
OpenSSL 3.0, this key type is internally recognized so the workaround
is no longer needed.
Signed-off-by: Tony Camuso <tcamuso@redhat.com>
---
lcptools-v2/lcputils.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/lcptools-v2/lcputils.c b/lcptools-v2/lcputils.c
index 9d4b976..4dbb2fc 100644
--- a/lcptools-v2/lcputils.c
+++ b/lcptools-v2/lcputils.c
@@ -775,6 +775,11 @@ bool verify_ec_signature(sized_buffer *data, sized_buffer *pubkey_x,
result = 0;
goto EXIT;
}
+// SSL3 removed function EVP_PKEY_set_alias_type
+// This function was previously needed as a workaround for SM2.
+// With OpenSSL 3.0, this key type is internally recognized so
+// the workaround is no longer needed.
+#if 0
if (sigalg == TPM_ALG_SM2) {
result = EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2);
if (result <= 0) {
@@ -782,6 +787,7 @@ bool verify_ec_signature(sized_buffer *data, sized_buffer *pubkey_x,
goto OPENSSL_ERROR;
}
}
+#endif
pctx = EVP_PKEY_CTX_new(evp_key, NULL);
if (pctx == NULL) {
ERROR("Error: failed to generate key context.\n");
@@ -915,6 +921,11 @@ bool ec_sign_data(sized_buffer *data, sized_buffer *r, sized_buffer *s, uint16_t
goto OPENSSL_ERROR;
}
+// SSL3 removed function EVP_PKEY_set_alias_type
+// This function was previously needed as a workaround for SM2.
+// With OpenSSL 3.0, this key type is internally recognized so
+// the workaround is no longer needed.
+#if 0
if (sigalg == TPM_ALG_SM2) {
result = EVP_PKEY_set_alias_type(evp_key, EVP_PKEY_SM2);
if (result <= 0) {
@@ -922,7 +933,8 @@ bool ec_sign_data(sized_buffer *data, sized_buffer *r, sized_buffer *s, uint16_t
goto OPENSSL_ERROR;
}
}
-
+#endif
+
pctx = EVP_PKEY_CTX_new(evp_key, NULL);
if (pctx == NULL) {
ERROR("Error: failed to allocate pkey context.\n");
--
2.31.1

View File

@ -1,58 +0,0 @@
# HG changeset patch
# User Lukasz Hawrylko <lukasz.hawrylko@intel.com>
# Date 1631717614 -7200
# Wed Sep 15 16:53:34 2021 +0200
# Node ID 5bf5c12411d3a4a7e0a552203b40bfe59d5c7789
# Parent 4cdcf97e4723647b6fac761565c0be13f7e31009
Use sha256 as default hashing algorithm in lcp2_mlehash and tb_polgen
Signed-off-by: Lukasz Hawrylko <lukasz.hawrylko@intel.com>
diff -r 4cdcf97e4723 -r 5bf5c12411d3 docs/man/tb_polgen.8
--- a/docs/man/tb_polgen.8 Thu Aug 26 14:12:44 2021 +0200
+++ b/docs/man/tb_polgen.8 Wed Sep 15 16:53:34 2021 +0200
@@ -21,6 +21,9 @@
\fR[\fB\-\-ctrl \fIpolicy-control-value\fR]
The default value 1 is to extend policy into PCR 17.
.TP
+\fR[\fB\-\-alg \fIsha1 \fR|\fI sha256 \fR|\fI sha384 \fR|\fI sha512\fR]
+Policy hashing algorithm.
+.TP
\fIpolicy-file\fR
.RE
.TP
diff -r 4cdcf97e4723 -r 5bf5c12411d3 lcptools-v2/mlehash.c
--- a/lcptools-v2/mlehash.c Thu Aug 26 14:12:44 2021 +0200
+++ b/lcptools-v2/mlehash.c Wed Sep 15 16:53:34 2021 +0200
@@ -70,8 +70,8 @@
bool verbose = false;
-char alg_name[32] = "sha1";
-uint16_t alg_type = TPM_ALG_SHA1;
+char alg_name[32] = "sha256";
+uint16_t alg_type = TPM_ALG_SHA256;
static struct option long_opts[] =
{
diff -r 4cdcf97e4723 -r 5bf5c12411d3 tb_polgen/param.c
--- a/tb_polgen/param.c Thu Aug 26 14:12:44 2021 +0200
+++ b/tb_polgen/param.c Wed Sep 15 16:53:34 2021 +0200
@@ -51,7 +51,7 @@
static const char *help[] = {
"tb_polgen --create --type nonfatal|continue|halt\n",
- " [--alg sha1 (default)|sha256|sha384|sha512]\n",
+ " [--alg sha1|sha256 (default)|sha384|sha512]\n",
" [--ctrl <policy control value>]\n",
" [--verbose]\n",
" <policy file name>\n",
@@ -330,7 +330,7 @@
params->cmd = POLGEN_CMD_NONE;
params->mod_num = -1;
params->pcr = -1;
- params->hash_alg = TB_HALG_SHA1;
+ params->hash_alg = TB_HALG_SHA256;
params->policy_type = -1;
params->policy_control = TB_POLCTL_EXTEND_PCR17;
params->hash_type = -1;

View File

@ -1,16 +1,15 @@
Summary: Performs a verified launch using Intel TXT Summary: Performs a verified launch using Intel TXT
Name: tboot Name: tboot
Version: 1.10.2 Version: 1.10.5
Release: 6%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
License: BSD License: BSD
URL: http://sourceforge.net/projects/tboot/ URL: http://sourceforge.net/projects/tboot/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Patch0: 0001-Add-Wno-error-deprecated-declarations-to-Config.mk.patch Patch01: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch
Patch1: 0002-lcputils.c-remove-call-to-EVP_PKEY_set_alias_type.patch Patch02: 0002-check-for-client-server-match.patch
Patch2: 0003-Use-sha256-as-default-hashing-algorithm.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
@ -18,6 +17,7 @@ BuildRequires: perl
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
ExclusiveArch: %{ix86} x86_64 ExclusiveArch: %{ix86} x86_64
Requires: grub2-efi-x64-modules
%description %description
Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
@ -32,6 +32,17 @@ CFLAGS="%{optflags}"; export CFLAGS
LDFLAGS="%{build_ldflags}"; export LDFLAGS LDFLAGS="%{build_ldflags}"; export LDFLAGS
make debug=y %{?_smp_mflags} make debug=y %{?_smp_mflags}
%post
efidir=$(find /boot -type d -name EFI)
if [ -n "$efidir" ]; then
echo "EFI detected .."
mkdir -pv /boot/efi/EFI/redhat/x86_64-efi
cp -vf /usr/lib/grub/x86_64-efi/relocator.mod /boot/efi/EFI/redhat/x86_64-efi/
cp -vf /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/efi/EFI/redhat/x86_64-efi/
gcfg=$(find /boot -name grub.cfg -print -quit)
[ -n "$gcfg" ] && grub2-mkconfig -o "$gcfg"
fi
%install %install
make debug=y DISTDIR=$RPM_BUILD_ROOT install make debug=y DISTDIR=$RPM_BUILD_ROOT install
@ -59,6 +70,16 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
/boot/tboot-syms /boot/tboot-syms
%changelog %changelog
* Wed May 04 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-1
- Upgrade to tboot-1.10.5-1 for fixes and updates.
- Added a Requires line to install grub2-efi-x64-modules
- Added a scriptlet to the tboot.spec file to automatically install
grub2-efi-x64-modules and move them to the correct directory.
- Removed three patches that are no longer needed.
- Added two patches from upstream, one for a fix, the other cosemetic.
- Resolves: rhbz#2041766
Resolves: rhbz#2040083
* Thu Sep 30 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-6 * Thu Sep 30 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-6
- Use sha256 as default hashing algorithm - Use sha256 as default hashing algorithm
Resolves: rhbz#1935448 Resolves: rhbz#1935448