Compare commits

...

No commits in common. "c10s" and "c8" have entirely different histories.
c10s ... c8

10 changed files with 397 additions and 379 deletions

3
.gitignore vendored
View File

@ -1,2 +1 @@
/tboot-*.tar.gz SOURCES/tboot-1.10.5.tar.gz
.*

1
.tboot.metadata Normal file
View File

@ -0,0 +1 @@
687bb5c0453b0256d64c8b1aa538a49703f9737a SOURCES/tboot-1.10.5.tar.gz

View File

@ -0,0 +1,20 @@
# HG changeset patch
# User Pawel Randzio <pawel.randzio@intel.com>
# Date 1646837604 -3600
# Wed Mar 09 15:53:24 2022 +0100
# Node ID 9cda8c127b0a7bb11561befbaa9ecf1130763fcf
# Parent 5941842afb661f0e78085cb1317781d362583a38
Fixed a typo in man page for lcp2_crtpollist
diff -r 5941842afb66 -r 9cda8c127b0a docs/man/lcp2_crtpollist.8
--- a/docs/man/lcp2_crtpollist.8 Fri Mar 04 11:14:35 2022 +0100
+++ b/docs/man/lcp2_crtpollist.8 Wed Mar 09 15:53:24 2022 +0100
@@ -36,7 +36,7 @@
support rsapss and ecdsa.
.TP \w'\fB--hashalg\ \fI<sha1|sha256|sha384|sha512|sm2>\fP'u+1n
\fB--hashalg\ \fI<sha1|sha256|sha384|sha512|sm2>\fP
-Hash algorightm used for signing a list. Lists version 0x100 only support SHA1.
+Hash algorithm used for signing a list. Lists version 0x100 only support SHA1.
.TP
\fB--pub\ \fIfile\fP
Public key to use, must be in PEM format.

View File

@ -0,0 +1,133 @@
# HG changeset patch
# User Timo Lindfors <timo.lindfors@iki.fi>
# Date 1646900891 -7200
# Thu Mar 10 10:28:11 2022 +0200
# Node ID 9c625ab2035bae1fc38787025f74d2937600223b
# Parent 9cda8c127b0a7bb11561befbaa9ecf1130763fcf
txt-acminfo: Map TXT heap using mmap
Without this patch
txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN
segfaults. This issue was introduced in
o changeset: 627:d8a8e17f6d41
| user: Lukasz Hawrylko <lukas...@in...>
| date: Thu May 13 16:04:27 2021 +0200
| summary: Check for client/server match when selecting SINIT
Signed-off-by: Timo Lindfors <timo.lindfors@iki.fi>
diff -r 9cda8c127b0a -r 9c625ab2035b tboot/common/loader.c
--- a/tboot/common/loader.c Wed Mar 09 15:53:24 2022 +0100
+++ b/tboot/common/loader.c Thu Mar 10 10:28:11 2022 +0200
@@ -1792,7 +1792,7 @@
void *base2 = (void *)m->mod_start;
uint32_t size2 = m->mod_end - (unsigned long)(base2);
if ( is_racm_acmod(base2, size2, false) &&
- does_acmod_match_platform((acm_hdr_t *)base2) ) {
+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) {
if ( base != NULL )
*base = base2;
if ( size != NULL )
@@ -1837,7 +1837,7 @@
void *base2 = (void *)m->mod_start;
uint32_t size2 = m->mod_end - (unsigned long)(base2);
if ( is_sinit_acmod(base2, size2, false) &&
- does_acmod_match_platform((acm_hdr_t *)base2) ) {
+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) {
if ( base != NULL )
*base = base2;
if ( size != NULL )
diff -r 9cda8c127b0a -r 9c625ab2035b tboot/include/txt/acmod.h
--- a/tboot/include/txt/acmod.h Wed Mar 09 15:53:24 2022 +0100
+++ b/tboot/include/txt/acmod.h Thu Mar 10 10:28:11 2022 +0200
@@ -37,6 +37,8 @@
#ifndef __TXT_ACMOD_H__
#define __TXT_ACMOD_H__
+typedef void txt_heap_t;
+
/*
* authenticated code (AC) module header (ver 0.0)
*/
@@ -179,7 +181,7 @@
extern acm_hdr_t *copy_racm(const acm_hdr_t *racm);
extern bool verify_racm(const acm_hdr_t *acm_hdr);
extern bool is_sinit_acmod(const void *acmod_base, uint32_t acmod_size, bool quiet);
-extern bool does_acmod_match_platform(const acm_hdr_t* hdr);
+extern bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t* txt_heap);
extern acm_hdr_t *copy_sinit(const acm_hdr_t *sinit);
extern bool verify_acmod(const acm_hdr_t *acm_hdr);
extern uint32_t get_supported_os_sinit_data_ver(const acm_hdr_t* hdr);
diff -r 9cda8c127b0a -r 9c625ab2035b tboot/txt/acmod.c
--- a/tboot/txt/acmod.c Wed Mar 09 15:53:24 2022 +0100
+++ b/tboot/txt/acmod.c Thu Mar 10 10:28:11 2022 +0200
@@ -576,7 +576,7 @@
return true;
}
-bool does_acmod_match_platform(const acm_hdr_t* hdr)
+bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t *txt_heap)
{
/* used to ensure we don't print chipset/proc info for each module */
static bool printed_host_info;
@@ -587,7 +587,8 @@
return false;
/* verify client/server platform match */
- txt_heap_t *txt_heap = get_txt_heap();
+ if (txt_heap == NULL)
+ txt_heap = get_txt_heap();
bios_data_t *bios_data = get_bios_data_start(txt_heap);
if (info_table->version >= 5 && bios_data->version >= 6) {
uint32_t bios_type = bios_data->flags.bits.mle.platform_type;
@@ -713,7 +714,7 @@
/* is it a valid SINIT module? */
if ( !is_sinit_acmod(sinit_region_base, bios_data->bios_sinit_size, false) ||
- !does_acmod_match_platform((acm_hdr_t *)sinit_region_base) )
+ !does_acmod_match_platform((acm_hdr_t *)sinit_region_base, NULL) )
return NULL;
return (acm_hdr_t *)sinit_region_base;
diff -r 9cda8c127b0a -r 9c625ab2035b utils/txt-acminfo.c
--- a/utils/txt-acminfo.c Wed Mar 09 15:53:24 2022 +0100
+++ b/utils/txt-acminfo.c Thu Mar 10 10:28:11 2022 +0200
@@ -203,15 +203,31 @@
close(fd_mem);
return false;
}
- else {
- if ( does_acmod_match_platform(hdr) )
- printf("ACM matches platform\n");
- else
- printf("ACM does not match platform\n");
+ uint64_t txt_heap_size = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_SIZE);
+ if (txt_heap_size == 0) {
+ printf("ERROR: No TXT heap is available\n");
munmap(pub_config_base, TXT_CONFIG_REGS_SIZE);
+ close(fd_mem);
+ return false;
}
+ uint64_t txt_heap_base = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_BASE);
+ txt_heap_t *txt_heap = mmap(NULL, txt_heap_size, PROT_READ, MAP_PRIVATE,
+ fd_mem, txt_heap_base);
+ if ( txt_heap == MAP_FAILED ) {
+ printf("ERROR: cannot map TXT heap by mmap()\n");
+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE);
+ close(fd_mem);
+ return false;
+ }
+ if ( does_acmod_match_platform(hdr, txt_heap) )
+ printf("ACM matches platform\n");
+ else
+ printf("ACM does not match platform\n");
+
+ munmap(txt_heap, txt_heap_size);
+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE);
close(fd_mem);
return true;
}

242
SPECS/tboot.spec Normal file
View File

@ -0,0 +1,242 @@
Summary: Performs a verified launch using Intel TXT
Name: tboot
Version: 1.10.5
Release: 2%{?dist}
Epoch: 1
Group: System Environment/Base
License: BSD
URL: http://sourceforge.net/projects/tboot/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
BuildRequires: openssl-devel
BuildRequires: perl
ExclusiveArch: %{ix86} x86_64
Requires: grub2-efi-x64-modules
Patch01: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch
Patch02: 0002-check-for-client-server-match.patch
%description
Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
Intel Trusted Execution Technology (Intel TXT) to perform a measured
and verified launch of an OS kernel/VMM.
%prep
%autosetup -S git
# do not override OPTFLAGS
sed -i -e 's/-march=i686//' Config.mk
%build
CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
LDFLAGS="$RPM_LD_FLAGS"; export LDFLAGS
make debug=y %{?_smp_mflags}
%post
# create the tboot entry and copy the modules to the grubenvdir
grublib='/usr/lib/grub/x86_64-efi/'
if [ -d /sys/firmware/efi ]; then
echo "EFI detected .."
grubenvdir='/boot/efi/EFI/redhat'
else
echo "Legacy BIOS detected .."
grubenvdir='/boot/grub2'
# If previous install put the modules in the wrong dir
[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
fi
grub2-mkconfig -o $grubenvdir/grub.cfg
[ -d $grubenvdir/x86_64-efi ] || mkdir -pv $grubenvdir/x86_64-efi
cp -vf $grublib/relocator.mod $grubenvdir/x86_64-efi/
cp -vf $grublib/multiboot2.mod $grubenvdir/x86_64-efi/
%postun
# Cleanup all tboot files
# Remove residual grub efi modules.
if [ -d /sys/firmware/efi ]; then
echo "EFI detected .."
grubenvdir='/boot/efi/EFI/redhat'
else
echo "Legacy BIOS detected .."
grubenvdir='/boot/grub2'
fi
[ -d $grubenvdir/x86_64-efi ] && rm -rf $grubenvdir/x86_64-efi
grub2-mkconfig -o $grubenvdir/grub.cfg
%install
echo "installing tboot"
make debug=y DISTDIR=$RPM_BUILD_ROOT install
%files
%doc README.md COPYING docs/* lcptools-v2/lcptools.txt
%config %{_sysconfdir}/grub.d/20_linux_tboot
%config %{_sysconfdir}/grub.d/20_linux_xen_tboot
%{_sbindir}/txt-acminfo
%{_sbindir}/lcp2_crtpol
%{_sbindir}/lcp2_crtpolelt
%{_sbindir}/lcp2_crtpollist
%{_sbindir}/lcp2_mlehash
%{_sbindir}/txt-parse_err
%{_sbindir}/tb_polgen
%{_sbindir}/txt-stat
%{_mandir}/man8/txt-acminfo.8.gz
%{_mandir}/man8/tb_polgen.8.gz
%{_mandir}/man8/txt-stat.8.gz
%{_mandir}/man8/lcp2_crtpol.8.gz
%{_mandir}/man8/lcp2_crtpolelt.8.gz
%{_mandir}/man8/lcp2_crtpollist.8.gz
%{_mandir}/man8/lcp2_mlehash.8.gz
%{_mandir}/man8/txt-parse_err.8.gz
/boot/tboot.gz
/boot/tboot-syms
%changelog
* Fri Aug 26 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-2
- The install scriptlet in %post was not choosing the correct
grubenv directory. In RHEL8, the efi and legacy bios grubenv
directories are different. This change assures that the
correct directory is used for grub.cfg and related modules.
Added a %postun section to cleanup when removing tboot with
dnf erase.
Resolves: rhbz#2121836
* Wed Apr 20 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-1
Upgrade to tboot-1.10.5-1 for fixes and updates.
Added a scriptlet to the tboot.spec file to automatically install
grub2-efi-x64-modules and move them to the correct directory.
Resolves: rhbz#2040082
Resolves: rhbz#2041759
* Thu Jun 10 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.1-1
Upgrade to tboot-1.10.2-1 provides some bug fixes and updates.
Remove 0001-Do-not-install-man-pages-for-deprecated-tools.patch
from the git repo, since it is no longer needed.
Resolves: rhbz#1857068
Resolves: rhbz#1873296
Resolves: rhbz#1920386
* Mon Feb 22 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.0-1
Need to add BuildRequires: perl, since it has beem moved
from BuildRoot.
See: https://fedoraproject.org/wiki/Packaging:Perl#Build_Dependencies
Resolves: rhbz#1857068
* Mon Feb 22 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.0-1
Build problem creating directory for grub modules. We can't
know if the modules are there, so it's up to the end user to
find the modules and copy them to the correct location.
Specifically, for systems booting from EFI, the
/boot/efi/EFI/redhat/x86_64-efi/multiboot2.mod file, if it
exists, must be copied to the /boot/efi/EFI/redhat/x86_64-efi/
directory. If that file does not exist, then the system has
the wrong version of grub for using tboot in an EFI system.
Resolves: rhbz#1857068
* Fri Dec 11 2020 Tony Camuso <tcamuso@redhat.com> - 1:1.10.0-0
Upgrade to latest upstream version
Added upstream patch to remove deprecated man pages
Resolves: rhbz#1857068
* Tue Jun 23 2020 Tony Camuso <tcamuso@redhat.com> - 1:1.9.12-2
- Fix build issues with one upstream patch.
This patch also reverts the previous patch concerning the
-Wno-address-of-packed-member cflag.
Resolves: rhbz#1847938
* Fri Jun 12 2020 Tony Camuso <tcamuso@redhat.com> - 1:1.9.12-1
- Add patch to revert "Disable GCC9 address-of-packed-member warning"
While it was able to build locally with 'rhpkg local', the brew
build failed, because the compiler on the brew systems did not
recognized the new GCC9 command line flag:
-Wno-address-of-packed-member
* Fri May 29 2020 Tony Camuso <tcamuso@redhat.com> - 1:1.9.12-1
- Upgrade to latest upstream version
Resolves: rhbz#1790169
* Fri Nov 15 2019 Tony Camuso <tcamuso@redhat.com> - 1:1.9.10-1
- Rebase to the lastest upstream version.
Resolves: rhbz#1725661
* Fri Sep 7 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.7-1
- Rebase to the latest upstream version.
Resolves: rhbz#1511799
- Do not override OPTFLAGS in the make
Resolves: rhbz#1620070
* Fri Jul 20 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.6-3
- Incorporate latest upstream patches, including a newer version
of the OpenSSL patch in 1.9.6-2
Resolves: rhbz#1492771
Resolves: rhbz#1499435
* Tue Feb 06 2018 Tomáš Mráz <tmraz@redhat.com> - 1:1.9.6-2
- Patch to build with OpenSSL-1.1.x
* Sun Feb 04 2018 Filipe Rosset <rosset.filipe@gmail.com> - 1:1.9.6-1
- Upgrade to latest upstream version
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Wed Jul 30 2014 Gang Wei <gang.wei@intel.com> - 1:1.8.2-1
- Upgrade to latest upstream version which provided security fix for:
tboot:argument measurement vulnerablity for GRUB2+ELF kernels
* Wed Jun 18 2014 Gang Wei <gang.wei@intel.com> - 1:1.8.1-1
- Upgrade to latest upstream version
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.7.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.7.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Apr 02 2013 Gang Wei <gang.wei@intel.com> - 1:1.7.3-3
- Fix for breaking grub2-mkconfig operation in 32bit case(#929384)
* Wed Feb 20 2013 Gang Wei <gang.wei@intel.com> - 1:1.7.3-2
- Fix version string in log
* Wed Jan 30 2013 David Cantrell <dcantrell@redhat.com> - 1:1.7.3-1
- Upgrade to latest upstream version (#902653)
* Wed Aug 22 2012 Gang Wei <gang.wei@intel.com> - 1:1.7.0-2
- Fix build error with zlib 1.2.7
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Sun Jan 15 2012 Gang Wei <gang.wei@intel.com> - 1:1.7.0
- 1.7.0 release
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 20110429-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Fri Apr 29 2011 Gang Wei <gang.wei@intel.com> - 20110429-1
- Pull upstream changeset 255, rebuilt in F15
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 20101005-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Wed Dec 1 2010 Joseph Cihula <joseph.cihula@intel.com> - 20101005-1.fc13
- Initial import

View File

@ -1,6 +0,0 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

View File

@ -1,2 +0,0 @@
SHA512 (tboot-1.11.3.tar.gz) = 777026cdfb31041dd7d9dd4d208c888e6fe8259171d1340ea7936f22053362ac1ec64017319626dbcb6a9a1283c8819c9a8fe1107b9b2f3898380fd0abcc047b
SHA512 (tboot-1.11.9.tar.gz) = d737ad08df22f3b017e213ea67d9c1f2012e5b47a990e5c3e9e454f85d7c06c3f8a4701b6c350ccece0c947447ab7fde9c0b2ed08beb51603b83e5d03f712401

View File

@ -1,17 +0,0 @@
Suppress GCC 14 allocation size warning in lcptools-v2/pconf_legacy.c
Submitted upstream: <https://sourceforge.net/p/tboot/mailman/message/58730242/>
diff --git a/lcptools-v2/pconf_legacy.c b/lcptools-v2/pconf_legacy.c
index 443b5cd5525b9fe1..5ebc6c451f7008b1 100644
--- a/lcptools-v2/pconf_legacy.c
+++ b/lcptools-v2/pconf_legacy.c
@@ -324,7 +324,7 @@ static lcp_policy_element_t *create(void)
ERROR("Error: no pcrs were selected.\n");
return NULL;
}
- digest = malloc(SHA1_DIGEST_SIZE);
+ digest = malloc(sizeof(*digest));
if (digest == NULL) {
ERROR("Error: failed to allocate memory for digest buffer.\n");
return NULL;

View File

@ -1,57 +0,0 @@
diff -up tboot-1.11.3/lcptools-v2/crtpol.c.no-engine tboot-1.11.3/lcptools-v2/crtpol.c
--- tboot-1.11.3/lcptools-v2/crtpol.c.no-engine 2024-08-13 18:03:43.003697657 +0200
+++ tboot-1.11.3/lcptools-v2/crtpol.c 2024-08-13 18:04:49.315001612 +0200
@@ -43,7 +43,10 @@
#include <errno.h>
#include <string.h>
#include <openssl/rsa.h>
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
+#endif
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/bn.h>
diff -up tboot-1.11.3/lcptools-v2/crtpollist.c.no-engine tboot-1.11.3/lcptools-v2/crtpollist.c
--- tboot-1.11.3/lcptools-v2/crtpollist.c.no-engine 2024-08-13 18:03:43.005697697 +0200
+++ tboot-1.11.3/lcptools-v2/crtpollist.c 2024-08-13 18:04:58.324178771 +0200
@@ -44,7 +44,10 @@
#include <errno.h>
#include <string.h>
#include <openssl/rsa.h>
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
+#endif
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/bn.h>
diff -up tboot-1.11.3/lcptools-v2/lcputils.c.no-engine tboot-1.11.3/lcptools-v2/lcputils.c
--- tboot-1.11.3/lcptools-v2/lcputils.c.no-engine 2024-08-13 18:03:43.004697677 +0200
+++ tboot-1.11.3/lcptools-v2/lcputils.c 2024-08-13 18:04:53.293079838 +0200
@@ -43,7 +43,10 @@
#include <errno.h>
#include <string.h>
#include <openssl/rsa.h>
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
+#endif
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/bn.h>
diff -up tboot-1.11.3/lcptools-v2/pollist2.c.no-engine tboot-1.11.3/lcptools-v2/pollist2.c
--- tboot-1.11.3/lcptools-v2/pollist2.c.no-engine 2024-08-13 18:03:43.002697637 +0200
+++ tboot-1.11.3/lcptools-v2/pollist2.c 2024-08-13 18:04:45.813932767 +0200
@@ -41,7 +41,10 @@
#include <string.h>
#include <safe_lib.h>
#include <openssl/rsa.h>
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
+#endif
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/bn.h>

View File

@ -1,295 +0,0 @@
Summary: Performs a verified launch using Intel TXT
Name: tboot
Version: 1.11.9
Release: 1%{?dist}
Epoch: 1
License: BSD-3-Clause
URL: http://sourceforge.net/projects/tboot/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Patch0: tboot-gcc14.patch
Patch1: tboot-no-engine.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: perl
BuildRequires: openssl-devel
BuildRequires: zlib-devel
Requires: grub2-efi-x64-modules
ExclusiveArch: %{ix86} x86_64
%description
Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
Intel Trusted Execution Technology (Intel TXT) to perform a measured
and verified launch of an OS kernel/VMM.
%prep
%autosetup -p1 -n %{name}-%{version}
%build
%make_build debug=y
%install
%make_install debug=y
%post
# create the tboot grub entry
grub2-mkconfig -o /boot/grub2/grub.cfg
# For EFI based machines ...
# Rmove the grub efi modules if they had been placed in the wrong directory by
# a previous install.
[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
# create the tboot grub entry
grub2-mkconfig -o /boot/grub2/grub.cfg
# For EFI based machines ...
if [ -d /sys/firmware/efi ]; then
echo "EFI detected .."
[ -d /boot/grub2/x86_64-efi ] || mkdir -pv /boot/grub2/x86_64-efi
cp -vf /usr/lib/grub/x86_64-efi/relocator.mod /boot/grub2/x86_64-efi/
cp -vf /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/grub2/x86_64-efi/
cp -vf /usr/lib/grub/x86_64-efi/elf.mod /boot/grub2/x86_64-efi/
# If there were a previous install of tboot that overwrote the
# originally installed /boot/efi/EFI/redhat/grub.cfg stub, then
# recreate it.
if grep -q -m1 tboot /boot/efi/EFI/redhat/grub.cfg; then
cat << EOF > /boot/efi/EFI/redhat/grub.cfg
search --no-floppy --fs-uuid --set=dev \
$(lsblk -no UUID $(df -P /boot/grub2 | awk 'END{print $1}'))
set prefix=(\$dev)/grub2
export \$prefix
configfile \$prefix/grub.cfg
EOF
chown root:root /boot/efi/EFI/redhat/grub.cfg
chmod u=rwx,go= /boot/efi/EFI/redhat/grub.cfg
fi
fi
%postun
# Remove residual grub efi modules.
[ -d /boot/grub2/x86_64-efi ] && rm -rf /boot/grub2/x86_64-efi
[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
grub2-mkconfig -o /etc/grub2.cfg
%files
%license COPYING
%doc docs/*
%config %{_sysconfdir}/grub.d/20_linux_tboot
%config %{_sysconfdir}/grub.d/20_linux_xen_tboot
%{_sbindir}/lcp2_crtpol
%{_sbindir}/lcp2_crtpolelt
%{_sbindir}/lcp2_crtpollist
%{_sbindir}/lcp2_mlehash
%{_sbindir}/tb_polgen
%{_sbindir}/txt-acminfo
%{_sbindir}/txt-parse_err
%{_sbindir}/txt-stat
%{_mandir}/man8/lcp2_crtpol.8.gz
%{_mandir}/man8/lcp2_crtpolelt.8.gz
%{_mandir}/man8/lcp2_crtpollist.8.gz
%{_mandir}/man8/lcp2_mlehash.8.gz
%{_mandir}/man8/tb_polgen.8.gz
%{_mandir}/man8/txt-acminfo.8.gz
%{_mandir}/man8/txt-parse_err.8.gz
%{_mandir}/man8/txt-stat.8.gz
/boot/tboot.gz
/boot/tboot-syms
%changelog
* Thu Dec 12 2024 Tony Camuso <tcamuso@redhat.com> - 1:1.11.9-1
- Update to latest upstream.
Resolves: RHEL-71190
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:1.11.3-4
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Thu Aug 15 2024 Tony Camuso <tcamuso@redhat.com> - 1:1.11.3-3
- Add gating.yaml
Resolves: RHEL-54412
* Tue Aug 13 2024 Tony Camuso <tcamuso@redhat.com> - 1:1.11.3-2
- Stop using OpenSSL ENGINE API in tboot
Resolves: RHEL-54172
* Tue Jun 25 2024 Tony Camuso <tcamuso@redhat.com> - 1:1.11.3-1
- Latest version of tboot.
Resolves: RHEL-34500
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1:1.11.1-7
- Bump release for June 2024 mass rebuild
* Mon Jan 29 2024 Florian Weimer <fweimer@redhat.com> - 1:1.11.1-6
- Suppress GCC 14 allocation size warning
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.11.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Nov 01 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 1:1.11.1-4
- Add grub2-efi-x64-modules dependency and scriplet
* Fri Sep 22 2023 David Cantrell <dcantrell@redhat.com> - 1:1.11.1-3
- Use %%license for the COPYING file in the %%files section
- Convert the License tag to an SPDX expression
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.11.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Sun May 07 2023 Jun Miao <jun.miao@intel.com> - 1:1.11.1-1
- Update to v1.11.1 release
* Sun Apr 23 2023 Jun Miao <jun.miao@intel.com> - 1:1.11.0-2
- Update code sources with the v1.11.0
* Mon Feb 27 2023 Jun Miao <jun.miao@intel.com> - 1:1.11.0-1
- Update to v1.11.0 release
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.10.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.10.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Apr 20 2022 Jun Miao <jun.miao@intel.com> - 1:1.10.5-1
- Update to v1.10.5 release
* Fri Feb 25 2022 Jun Miao jun.miao@intel.com - 1:1.10.4-2
- Update the tboot-1.10.4.tar.gz source
* Fri Feb 25 2022 Jun Miao <jun.miao@intel.com> - 1:1.10.4-1
- Updated to upstream 1.10.4 release
- Fix the GCC12 build error
* Thu Dec 23 2021 Yunying Sun <yunying.sun@intel.com> - 1:1.10.3-1
- Updated to 1.10.3 which added OpenSSL 3.0.0 support
- Bugzilla 2021901 is fixed with this updated release
- Removed obsolete patch files
* Fri Dec 3 2021 Yunying Sun <yunying.sun@intel.com> - 1:1.10.2-4
- Rebuilt again with OpenSSL 3.0.0 fix patch
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1:1.10.2-3
- Rebuilt with OpenSSL 3.0.0
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.10.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jun 15 2021 Yunying Sun <yunying.sun@intel.com> - 1:1.10.2-1
- Updated to upstream 1.10.2 release
- Removed standalone patches as both are fixed in 1.10.2
- Adjusted dependencies, removed trousers and added perl
- Updated packaged file list
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Oct 30 2020 Jeff Law <law@redhat.com> - 1:1.9.11-5
- Re-enable -Wstringop-overflow and instead make the problematical
pointer volatile to avoid the false positive diagnostic
* Thu Oct 29 2020 Jeff Law <law@redhat.com> - 1:1.9.11-4
- Fix buglet exposed by gcc-11 -Warray-parameter
- Temporarily disable -Wstringop-overflow due to false positive in gcc-11
* Wed Jul 29 2020 Jeff Law <law@redhat.com> - 1:1.9.11-3
- Explicitly allow uninitialized variables in a few places that do it
- on purpose
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun Apr 19 2020 Filipe Rosset <rosset.filipe@gmail.com> - 1:1.9.11-1
- Update to 1.9.11
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue May 14 2019 Yunying Sun <yunying.sun@intel.com> - 1:1.9.10-1
- Add patch to fix package build error
- Add build dependency to zlib-devel
- Update to latest release 1.9.10
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 31 2018 Yunying Sun <yunying.sun@intel.com> - 1:1.9.8-1
- Updated to upstream 1.9.8 release
* Tue Sep 4 2018 Yunying Sun <yunying.sun@intel.com> - 1:1.9.7-1
- Updated to upstream 1.9.7 release
- Removed the patch for openssl 1.1 as it is included in 1.9.7 already
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Feb 06 2018 Tomáš Mráz <tmraz@redhat.com> - 1:1.9.6-2
- Patch to build with OpenSSL-1.1.x
* Sun Feb 04 2018 Filipe Rosset <rosset.filipe@gmail.com> - 1:1.9.6-1
- Upgrade to latest upstream version
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Wed Jul 30 2014 Gang Wei <gang.wei@intel.com> - 1:1.8.2-1
- Upgrade to latest upstream version which provided security fix for:
tboot:argument measurement vulnerablity for GRUB2+ELF kernels
* Wed Jun 18 2014 Gang Wei <gang.wei@intel.com> - 1:1.8.1-1
- Upgrade to latest upstream version
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.7.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.7.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Apr 02 2013 Gang Wei <gang.wei@intel.com> - 1:1.7.3-3
- Fix for breaking grub2-mkconfig operation in 32bit case(#929384)
* Wed Feb 20 2013 Gang Wei <gang.wei@intel.com> - 1:1.7.3-2
- Fix version string in log
* Wed Jan 30 2013 David Cantrell <dcantrell@redhat.com> - 1:1.7.3-1
- Upgrade to latest upstream version (#902653)
* Wed Aug 22 2012 Gang Wei <gang.wei@intel.com> - 1:1.7.0-2
- Fix build error with zlib 1.2.7
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Sun Jan 15 2012 Gang Wei <gang.wei@intel.com> - 1:1.7.0
- 1.7.0 release
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 20110429-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Fri Apr 29 2011 Gang Wei <gang.wei@intel.com> - 20110429-1
- Pull upstream changeset 255, rebuilt in F15
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 20101005-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Wed Dec 1 2010 Joseph Cihula <joseph.cihula@intel.com> - 20101005-1.fc13
- Initial import