Compare commits
10 Commits
dce2b25ea1
...
1ca39b9a8b
Author | SHA1 | Date |
---|---|---|
Tony Camuso | 1ca39b9a8b | |
Tony Camuso | 0891de6e6c | |
Tony Camuso | 26f7e15a83 | |
Tony Camuso | ef23ce2f9a | |
Mohan Boddu | 860105e1bd | |
Tony Camuso | 715d5bbe85 | |
Tony Camuso | 152d9753e1 | |
Tony Camuso | 973429b029 | |
Aleksandra Fedorova | e5e6b29481 | |
Tony Camuso | 57f0c72c75 |
|
@ -1 +1,4 @@
|
|||
/tboot-1.9.*.tar.gz
|
||||
*.swp
|
||||
.*
|
||||
tboot*/
|
||||
/tboot-*.tar.gz
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
687bb5c0453b0256d64c8b1aa538a49703f9737a tboot-1.10.5.tar.gz
|
||||
1090f125e9886afa804c778b0aee9c8856f26b10 tboot-1.11.1.tar.gz
|
|
@ -1,25 +0,0 @@
|
|||
From 1cf1c3e6af1f43555de7ec89cd1e8bc3ea0aaefe Mon Sep 17 00:00:00 2001
|
||||
From: Yunying Sun <yunying.sun@intel.com>
|
||||
Date: Mon, 13 May 2019 17:26:13 +0800
|
||||
Subject: [PATCH] disable address of packed member warning
|
||||
|
||||
---
|
||||
Config.mk | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Config.mk b/Config.mk
|
||||
index 6a64d1a..27bce1b 100644
|
||||
--- a/Config.mk
|
||||
+++ b/Config.mk
|
||||
@@ -43,7 +43,7 @@ CFLAGS_WARN = -Wall -Wformat-security -Werror -Wstrict-prototypes \
|
||||
-Wextra -Winit-self -Wswitch-default -Wunused-parameter \
|
||||
-Wwrite-strings \
|
||||
$(call cc-option,$(CC),-Wlogical-op,) \
|
||||
- -Wno-missing-field-initializers
|
||||
+ -Wno-missing-field-initializers -Wno-address-of-packed-member -Wno-error=deprecated-declarations
|
||||
|
||||
AS = as
|
||||
LD = ld
|
||||
--
|
||||
2.21.0
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
3
sources
3
sources
|
@ -1 +1,2 @@
|
|||
SHA512 (tboot-1.9.11.tar.gz) = 5c2466438ad3ab95ca66fe4d460f4e6b31ccd3c6ac79221b129883df4180fce4878dd07a5f180bb79fae13b59fa90c05aeda7339159d1d950011a59645024b8a
|
||||
SHA512 (tboot-1.10.5.tar.gz) = 01a039e5612b6cca6f7558e93673ba50edfcfbf3f65e390ac64f4aa6ae0859a314676b20d722dcd41a7a3c940473fe7982e823c800a75bd26a5e8f956528f223
|
||||
SHA512 (tboot-1.11.1.tar.gz) = 6708bd2169d2b5beb6a1123b2712693d2bdc614a1a5a5a1f3858c47462cdeb3e05da3848f082e264c4d1be5f35f7ca5637bc56ebbaaff80f322bf5f4c29e4ab5
|
||||
|
|
|
@ -1,82 +0,0 @@
|
|||
diff --git a/tboot/common/tpm_12.c b/tboot/common/tpm_12.c
|
||||
index a62e570..504b874 100644
|
||||
--- a/tboot/common/tpm_12.c
|
||||
+++ b/tboot/common/tpm_12.c
|
||||
@@ -766,6 +766,8 @@ static uint32_t tpm12_osap(uint32_t locality, tpm_entity_type_t ent_type,
|
||||
tpm_authhandle_t *hauth, tpm_nonce_t *nonce_even,
|
||||
tpm_nonce_t *even_osap)
|
||||
{
|
||||
+#pragma GCC diagnostic push
|
||||
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
|
||||
uint32_t ret, offset, out_size;
|
||||
|
||||
if ( odd_osap == NULL || hauth == NULL ||
|
||||
@@ -801,6 +803,7 @@ static uint32_t tpm12_osap(uint32_t locality, tpm_entity_type_t ent_type,
|
||||
LOAD_BLOB_TYPE(WRAPPER_OUT_BUF, offset, even_osap);
|
||||
|
||||
return ret;
|
||||
+#pragma GCC diagnostic pop
|
||||
}
|
||||
|
||||
static uint32_t _tpm12_seal(uint32_t locality, tpm_key_handle_t hkey,
|
||||
@@ -1044,6 +1047,8 @@ static uint32_t _tpm12_wrap_seal(uint32_t locality,
|
||||
static uint32_t _tpm12_wrap_unseal(uint32_t locality, const uint8_t *in_data,
|
||||
uint32_t *secret_size, uint8_t *secret)
|
||||
{
|
||||
+#pragma GCC diagnostic push
|
||||
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
|
||||
uint32_t ret;
|
||||
tpm_nonce_t odd_osap, even_osap;
|
||||
tpm_nonce_t nonce_even, nonce_odd, nonce_even_d, nonce_odd_d;
|
||||
@@ -1116,6 +1121,7 @@ static uint32_t _tpm12_wrap_unseal(uint32_t locality, const uint8_t *in_data,
|
||||
/* skip check for res_auth */
|
||||
|
||||
return ret;
|
||||
+#pragma GCC diagnostic pop
|
||||
}
|
||||
|
||||
static bool init_pcr_info(uint32_t locality,
|
||||
@@ -1948,6 +1954,8 @@ static bool tpm12_get_random(struct tpm_if *ti, uint32_t locality,
|
||||
|
||||
static bool tpm12_cap_pcrs(struct tpm_if *ti, u32 locality, int pcr)
|
||||
{
|
||||
+#pragma GCC diagnostic push
|
||||
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
|
||||
bool was_capped[TPM_NR_PCRS] = {false};
|
||||
tpm_pcr_value_t cap_val; /* use whatever val is on stack */
|
||||
|
||||
@@ -1976,6 +1984,7 @@ static bool tpm12_cap_pcrs(struct tpm_if *ti, u32 locality, int pcr)
|
||||
|
||||
printk(TBOOT_INFO"cap'ed dynamic PCRs\n");
|
||||
return true;
|
||||
+#pragma GCC diagnostic pop
|
||||
}
|
||||
|
||||
static bool tpm12_check(void)
|
||||
diff --git a/tboot/include/rijndael.h b/tboot/include/rijndael.h
|
||||
index 2974602..8dbcc7c 100644
|
||||
--- a/tboot/include/rijndael.h
|
||||
+++ b/tboot/include/rijndael.h
|
||||
@@ -52,7 +52,7 @@ void rijndael_encrypt(rijndael_ctx *, const u_char *, u_char *);
|
||||
|
||||
int rijndaelKeySetupEnc(unsigned int [], const unsigned char [], int);
|
||||
int rijndaelKeySetupDec(unsigned int [], const unsigned char [], int);
|
||||
-void rijndaelEncrypt(const unsigned int [], int, const unsigned char [],
|
||||
- unsigned char []);
|
||||
+void rijndaelEncrypt(const unsigned int [], int, const unsigned char [16],
|
||||
+ unsigned char [16]);
|
||||
|
||||
#endif /* __RIJNDAEL_H */
|
||||
diff --git a/tboot/common/loader.c b/tboot/common/loader.c
|
||||
index cbb7def..6169564 100644
|
||||
--- a/tboot/common/loader.c
|
||||
+++ b/tboot/common/loader.c
|
||||
@@ -59,7 +59,7 @@
|
||||
#include <tpm.h>
|
||||
|
||||
/* copy of kernel/VMM command line so that can append 'tboot=0x1234' */
|
||||
-static char *new_cmdline = (char *)TBOOT_KERNEL_CMDLINE_ADDR;
|
||||
+static char * volatile new_cmdline = (char *)TBOOT_KERNEL_CMDLINE_ADDR;
|
||||
|
||||
/* MLE/kernel shared data page (in boot.S) */
|
||||
extern tboot_shared_t _tboot_shared;
|
144
tboot.spec
144
tboot.spec
|
@ -1,22 +1,20 @@
|
|||
Summary: Performs a verified launch using Intel TXT
|
||||
Name: tboot
|
||||
Version: 1.9.11
|
||||
Release: 9%{?dist}
|
||||
Version: 1.11.1
|
||||
Release: 1%{?dist}
|
||||
Epoch: 1
|
||||
|
||||
License: BSD
|
||||
URL: http://sourceforge.net/projects/tboot/
|
||||
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
|
||||
|
||||
Patch0: disable-address-of-packed-member-warning.patch
|
||||
Patch1: tboot-gcc11.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: trousers-devel
|
||||
BuildRequires: perl
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: zlib-devel
|
||||
ExclusiveArch: %{ix86} x86_64
|
||||
Requires: grub2-efi-x64-modules
|
||||
|
||||
%description
|
||||
Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
|
||||
|
@ -27,46 +25,138 @@ and verified launch of an OS kernel/VMM.
|
|||
%autosetup -p1 -n %{name}-%{version}
|
||||
|
||||
%build
|
||||
CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
|
||||
CFLAGS="%{optflags}"; export CFLAGS
|
||||
LDFLAGS="%{build_ldflags}"; export LDFLAGS
|
||||
make debug=y %{?_smp_mflags}
|
||||
|
||||
%post
|
||||
# Rmove the grub efi modules if they had been placed in the wrong directory by
|
||||
# a previous install.
|
||||
[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
|
||||
# create the tboot grub entry
|
||||
grub2-mkconfig -o /boot/grub2/grub.cfg
|
||||
|
||||
# For EFI based machines ...
|
||||
if [ -d /sys/firmware/efi ]; then
|
||||
echo "EFI detected .."
|
||||
[ -d /boot/grub2/x86_64-efi ] || mkdir -pv /boot/grub2/x86_64-efi
|
||||
cp -vf /usr/lib/grub/x86_64-efi/relocator.mod /boot/grub2/x86_64-efi/
|
||||
cp -vf /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/grub2/x86_64-efi/
|
||||
|
||||
# If there were a previous install of tboot that overwrote the
|
||||
# originally installed /boot/efi/EFI/redhat/grub.cfg stub, then
|
||||
# recreate it.
|
||||
if grep -q -m1 tboot /boot/efi/EFI/redhat/grub.cfg; then
|
||||
cat << EOF > /boot/efi/EFI/redhat/grub.cfg
|
||||
search --no-floppy --fs-uuid --set=dev \
|
||||
$(lsblk -no UUID $(df -P /boot/grub2 | awk 'END{print $1}'))
|
||||
set prefix=(\$dev)/grub2
|
||||
export \$prefix
|
||||
configfile \$prefix/grub.cfg
|
||||
EOF
|
||||
chown root:root /boot/efi/EFI/redhat/grub.cfg
|
||||
chmod u=rwx,go= /boot/efi/EFI/redhat/grub.cfg
|
||||
fi
|
||||
fi
|
||||
|
||||
%postun
|
||||
# Remove residual grub efi modules.
|
||||
[ -d /boot/grub2/x86_64-efi ] && rm -rf /boot/grub2/x86_64-efi
|
||||
[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
|
||||
grub2-mkconfig -o /etc/grub2.cfg
|
||||
|
||||
%install
|
||||
make debug=y DISTDIR=$RPM_BUILD_ROOT install
|
||||
|
||||
|
||||
%files
|
||||
%doc README COPYING docs/* lcptools/Linux_LCP_Tools_User_Manual.pdf
|
||||
%doc README.md COPYING docs/* lcptools-v2/lcptools.txt
|
||||
%config %{_sysconfdir}/grub.d/20_linux_tboot
|
||||
%config %{_sysconfdir}/grub.d/20_linux_xen_tboot
|
||||
%{_sbindir}/acminfo
|
||||
%{_sbindir}/lcp_readpol
|
||||
%{_sbindir}/lcp_writepol
|
||||
%{_sbindir}/txt-acminfo
|
||||
%{_sbindir}/lcp2_crtpol
|
||||
%{_sbindir}/lcp2_crtpolelt
|
||||
%{_sbindir}/lcp2_crtpollist
|
||||
%{_sbindir}/lcp2_mlehash
|
||||
%{_sbindir}/parse_err
|
||||
%{_sbindir}/txt-parse_err
|
||||
%{_sbindir}/tb_polgen
|
||||
%{_sbindir}/tpmnv_defindex
|
||||
%{_sbindir}/tpmnv_getcap
|
||||
%{_sbindir}/tpmnv_lock
|
||||
%{_sbindir}/tpmnv_relindex
|
||||
%{_sbindir}/txt-stat
|
||||
%{_mandir}/man8/acminfo.8.gz
|
||||
%{_mandir}/man8/lcp_crtpconf.8.gz
|
||||
%{_mandir}/man8/lcp_crtpol.8.gz
|
||||
%{_mandir}/man8/lcp_crtpol2.8.gz
|
||||
%{_mandir}/man8/lcp_crtpolelt.8.gz
|
||||
%{_mandir}/man8/lcp_crtpollist.8.gz
|
||||
%{_mandir}/man8/lcp_mlehash.8.gz
|
||||
%{_mandir}/man8/lcp_readpol.8.gz
|
||||
%{_mandir}/man8/lcp_writepol.8.gz
|
||||
%{_mandir}/man8/txt-acminfo.8.gz
|
||||
%{_mandir}/man8/tb_polgen.8.gz
|
||||
%{_mandir}/man8/txt-stat.8.gz
|
||||
%{_mandir}/man8/lcp2_crtpol.8.gz
|
||||
%{_mandir}/man8/lcp2_crtpolelt.8.gz
|
||||
%{_mandir}/man8/lcp2_crtpollist.8.gz
|
||||
%{_mandir}/man8/lcp2_mlehash.8.gz
|
||||
%{_mandir}/man8/txt-parse_err.8.gz
|
||||
/boot/tboot.gz
|
||||
/boot/tboot-syms
|
||||
|
||||
%changelog
|
||||
* Wed Apr 12 2023 Tony Camuso tcamuso@redhat.com> - 1:1.11.1-1
|
||||
- Backport upstream fixes and updates.
|
||||
Resolves: rhbz#2186308
|
||||
|
||||
* Thu Aug 18 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-2
|
||||
- The install scriptlet in %post was choosing the first grub.cfg
|
||||
file it encountered, which was /boot/efi/EFI/redhat/grub.cfg.
|
||||
This is a stub that defines grub boot disk UUID necessary for
|
||||
proper grubenv setup, and it must not be overwritten or changed.
|
||||
Modify the scriptlet to target /boot/grub2/grub.cfg
|
||||
Additionally, remove any wrongly created /boot/grub2/x86_64-efi
|
||||
directory and recreate the correct /boot/efi/EFI/redhat/grub.cfg
|
||||
stub file.
|
||||
Added a %postun section to cleanup when removing tboot with
|
||||
dnf erase.
|
||||
Thanks to Lenny Szubowicz for the bash code to recreate the
|
||||
/boot/efi/EFI/redhat/grub.cfg stub file.
|
||||
Resolves: rhbz#2112236
|
||||
|
||||
* Wed May 04 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-1
|
||||
- Upgrade to tboot-1.10.5-1 for fixes and updates.
|
||||
- Added a Requires line to install grub2-efi-x64-modules
|
||||
- Added a scriptlet to the tboot.spec file to automatically install
|
||||
grub2-efi-x64-modules and move them to the correct directory.
|
||||
- Removed three patches that are no longer needed.
|
||||
- Added two patches from upstream, one for a fix, the other cosemetic.
|
||||
- Resolves: rhbz#2041766
|
||||
Resolves: rhbz#2040083
|
||||
|
||||
* Thu Sep 30 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-6
|
||||
- Use sha256 as default hashing algorithm
|
||||
Resolves: rhbz#1935448
|
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.10.2-5
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Wed Jul 28 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-4
|
||||
- From Miroslave Vadkerti:
|
||||
Onboarding tests to RHEL9 in BaseOS CI requires action, adding
|
||||
test configuration in our "dispatcher" configuration for RHEL9:
|
||||
https://gitlab.cee.redhat.com/baseos-qe/citool-config/blob/production/brew-dispatcher-rhel9.yaml
|
||||
Test config was added for tboot in the following MR.
|
||||
https://gitlab.cee.redhat.com/baseos-qe/citool-config/-/merge_requests/2686
|
||||
Resolves: rhbz#1922002
|
||||
|
||||
* Tue Jul 27 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-3
|
||||
- Add the %{optflags} and %{build_ldflags} macros to assure the
|
||||
build meets RHEL security requirements.
|
||||
Resolves: rhbz#1922002
|
||||
|
||||
* Thu Jul 22 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-2
|
||||
- Bump the NVR as a result of including the gating.yaml file in
|
||||
the git repo.
|
||||
Resolves: rhbz#1922002
|
||||
|
||||
* Mon Jun 21 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-1
|
||||
- The patches are for SSL3 compatibility. These can probably be
|
||||
removed when upstream tboot fully implements SSL3.
|
||||
- Upgrade to latest upstream.
|
||||
- Remove trousers dependency.
|
||||
Resolves: rhbz#1922002
|
||||
Resolves: rhbz#1870520
|
||||
Resolves: rhbz#1927374
|
||||
|
||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.9.11-9
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
|
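Review bot: The `%postun` scriptlet in the second tboot.spec hunk has no `$1` check, so it also runs on a package upgrade, where the outgoing package's `%postun` executes after the incoming package's `%post`; its `rm -rf /boot/grub2/x86_64-efi` would then delete the `relocator.mod` and `multiboot2.mod` copies that `%post` just installed for the tboot GRUB entry on EFI systems. The changelog entry for 1:1.10.5-2 describes this section as cleanup for `dnf erase`, so wrapping its three commands in `if [ "$1" -eq 0 ]; then` … `fi` would match that intent. In `%post`, the stub `/boot/efi/EFI/redhat/grub.cfg` is rewritten with the output of `$(lsblk -no UUID $(df -P /boot/grub2 | awk 'END{print $1}'))` without checking that it is non-empty; an empty result would leave a stub whose `search` line cannot locate the boot filesystem, so the UUID should be captured in a variable first and the rewrite skipped when it is empty. The `+`/`-` markers are lost on this rendered page, so both scriptlets are assumed to be on the new side, which the hunk header (`-27,46 +25,138`) and the changelog suggest.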