Backport upstream fixes and updates for 1.11.1-1

- The install scriptlet in %post was choosing the first grub.cfg
  file it encountered, which was /boot/efi/EFI/redhat/grub.cfg.
  This is a stub that defines grub boot disk UUID necessary for
  proper grubenv setup, and it must not be overwritten or changed.
- Modify the scriptlet to target /boot/grub2/grub.cfg
- Additionally, remove any wrongly created /boot/grub2/x86_64-efi
  directory and recreate the correct /boot/efi/EFI/redhat/grub.cfg
  stub file.
- Added a %postun section to cleanup when removing tboot with
  dnf erase.
- Thanks to Lenny Szubowicz for the bash code to recreate the
  /boot/efi/EFI/redhat/grub.cfg stub file.

Resolves: rhbz#2112236

Signed-off-by: Tony Camuso <tcamuso@redhat.com>

.gitignore

@@ -1 +1,4 @@
-/tboot-1.9.*.tar.gz
+*.swp
+.*
+tboot*/
+/tboot-*.tar.gz

.tboot.metadata

@@ -0,0 +1,2 @@
+687bb5c0453b0256d64c8b1aa538a49703f9737a tboot-1.10.5.tar.gz
+1090f125e9886afa804c778b0aee9c8856f26b10 tboot-1.11.1.tar.gz

disable-address-of-packed-member-warning.patch

@@ -1,25 +0,0 @@
-From 1cf1c3e6af1f43555de7ec89cd1e8bc3ea0aaefe Mon Sep 17 00:00:00 2001
-From: Yunying Sun <yunying.sun@intel.com>
-Date: Mon, 13 May 2019 17:26:13 +0800
-Subject: [PATCH] disable address of packed member warning
-
----
- Config.mk | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Config.mk b/Config.mk
-index 6a64d1a..27bce1b 100644
---- a/Config.mk
-+++ b/Config.mk
-@@ -43,7 +43,7 @@ CFLAGS_WARN       = -Wall -Wformat-security -Werror -Wstrict-prototypes \
- 	            -Wextra -Winit-self -Wswitch-default -Wunused-parameter \
- 	            -Wwrite-strings \
- 	            $(call cc-option,$(CC),-Wlogical-op,) \
--	            -Wno-missing-field-initializers
-+	            -Wno-missing-field-initializers -Wno-address-of-packed-member -Wno-error=deprecated-declarations
- 
- AS         = as
- LD         = ld
--- 
-2.21.0
-

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -1 +1,2 @@
-SHA512 (tboot-1.9.11.tar.gz) = 5c2466438ad3ab95ca66fe4d460f4e6b31ccd3c6ac79221b129883df4180fce4878dd07a5f180bb79fae13b59fa90c05aeda7339159d1d950011a59645024b8a
+SHA512 (tboot-1.10.5.tar.gz) = 01a039e5612b6cca6f7558e93673ba50edfcfbf3f65e390ac64f4aa6ae0859a314676b20d722dcd41a7a3c940473fe7982e823c800a75bd26a5e8f956528f223
+SHA512 (tboot-1.11.1.tar.gz) = 6708bd2169d2b5beb6a1123b2712693d2bdc614a1a5a5a1f3858c47462cdeb3e05da3848f082e264c4d1be5f35f7ca5637bc56ebbaaff80f322bf5f4c29e4ab5

tboot-gcc11.patch

@@ -1,82 +0,0 @@
-diff --git a/tboot/common/tpm_12.c b/tboot/common/tpm_12.c
-index a62e570..504b874 100644
---- a/tboot/common/tpm_12.c
-+++ b/tboot/common/tpm_12.c
-@@ -766,6 +766,8 @@ static uint32_t tpm12_osap(uint32_t locality, tpm_entity_type_t ent_type,
-                          tpm_authhandle_t *hauth, tpm_nonce_t *nonce_even,
-                          tpm_nonce_t *even_osap)
- {
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
-     uint32_t ret, offset, out_size;
- 
-     if ( odd_osap == NULL || hauth == NULL ||
-@@ -801,6 +803,7 @@ static uint32_t tpm12_osap(uint32_t locality, tpm_entity_type_t ent_type,
-     LOAD_BLOB_TYPE(WRAPPER_OUT_BUF, offset, even_osap);
- 
-     return ret;
-+#pragma GCC diagnostic pop
- }
- 
- static uint32_t _tpm12_seal(uint32_t locality, tpm_key_handle_t hkey,
-@@ -1044,6 +1047,8 @@ static uint32_t _tpm12_wrap_seal(uint32_t locality,
- static uint32_t _tpm12_wrap_unseal(uint32_t locality, const uint8_t *in_data,
-                                  uint32_t *secret_size, uint8_t *secret)
- {
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
-     uint32_t ret;
-     tpm_nonce_t odd_osap, even_osap;
-     tpm_nonce_t nonce_even, nonce_odd, nonce_even_d, nonce_odd_d;
-@@ -1116,6 +1121,7 @@ static uint32_t _tpm12_wrap_unseal(uint32_t locality, const uint8_t *in_data,
-     /* skip check for res_auth */
- 
-     return ret;
-+#pragma GCC diagnostic pop
- }
- 
- static bool init_pcr_info(uint32_t locality,
-@@ -1948,6 +1954,8 @@ static bool tpm12_get_random(struct tpm_if *ti, uint32_t locality,
- 
- static bool tpm12_cap_pcrs(struct tpm_if *ti, u32 locality, int pcr)
- {
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
-     bool was_capped[TPM_NR_PCRS] = {false};
-     tpm_pcr_value_t cap_val;   /* use whatever val is on stack */
- 
-@@ -1976,6 +1984,7 @@ static bool tpm12_cap_pcrs(struct tpm_if *ti, u32 locality, int pcr)
- 
-     printk(TBOOT_INFO"cap'ed dynamic PCRs\n");
-     return true;
-+#pragma GCC diagnostic pop
- }
- 
- static bool tpm12_check(void)
-diff --git a/tboot/include/rijndael.h b/tboot/include/rijndael.h
-index 2974602..8dbcc7c 100644
---- a/tboot/include/rijndael.h
-+++ b/tboot/include/rijndael.h
-@@ -52,7 +52,7 @@ void	 rijndael_encrypt(rijndael_ctx *, const u_char *, u_char *);
- 
- int	rijndaelKeySetupEnc(unsigned int [], const unsigned char [], int);
- int	rijndaelKeySetupDec(unsigned int [], const unsigned char [], int);
--void	rijndaelEncrypt(const unsigned int [], int, const unsigned char [],
--	    unsigned char []);
-+void	rijndaelEncrypt(const unsigned int [], int, const unsigned char [16],
-+	    unsigned char [16]);
- 
- #endif /* __RIJNDAEL_H */
-diff --git a/tboot/common/loader.c b/tboot/common/loader.c
-index cbb7def..6169564 100644
---- a/tboot/common/loader.c
-+++ b/tboot/common/loader.c
-@@ -59,7 +59,7 @@
- #include <tpm.h>
- 
- /* copy of kernel/VMM command line so that can append 'tboot=0x1234' */
--static char *new_cmdline = (char *)TBOOT_KERNEL_CMDLINE_ADDR;
-+static char * volatile new_cmdline = (char *)TBOOT_KERNEL_CMDLINE_ADDR;
- 
- /* MLE/kernel shared data page (in boot.S) */
- extern tboot_shared_t _tboot_shared;

tboot.spec

@@ -1,22 +1,20 @@
 Summary:        Performs a verified launch using Intel TXT
 Name:           tboot
-Version:        1.9.11
-Release:        9%{?dist}
+Version:        1.11.1
+Release:        1%{?dist}
 Epoch:          1
 
 License:        BSD
 URL:            http://sourceforge.net/projects/tboot/
 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 
-Patch0:         disable-address-of-packed-member-warning.patch
-Patch1:         tboot-gcc11.patch
-
-BuildRequires: make
+BuildRequires:  make
 BuildRequires:  gcc
-BuildRequires:  trousers-devel
+BuildRequires:  perl
 BuildRequires:  openssl-devel
 BuildRequires:  zlib-devel
 ExclusiveArch:  %{ix86} x86_64
+Requires:  	grub2-efi-x64-modules
 
 %description
 Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
@@ -27,46 +25,138 @@ and verified launch of an OS kernel/VMM.
 %autosetup -p1 -n %{name}-%{version}
 
 %build
-CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
+CFLAGS="%{optflags}"; export CFLAGS
+LDFLAGS="%{build_ldflags}"; export LDFLAGS
 make debug=y %{?_smp_mflags}
 
+%post
+# Rmove the grub efi modules if they had been placed in the wrong directory by
+# a previous install.
+[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
+# create the tboot grub entry
+grub2-mkconfig -o /boot/grub2/grub.cfg
+
+# For EFI based machines ...
+if [ -d /sys/firmware/efi ]; then
+	echo "EFI detected .."
+	[ -d /boot/grub2/x86_64-efi ] || mkdir -pv /boot/grub2/x86_64-efi
+	cp -vf /usr/lib/grub/x86_64-efi/relocator.mod /boot/grub2/x86_64-efi/
+	cp -vf /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/grub2/x86_64-efi/
+
+	# If there were a previous install of tboot that overwrote the
+	# originally installed /boot/efi/EFI/redhat/grub.cfg stub, then
+	# recreate it.
+	if grep -q -m1 tboot /boot/efi/EFI/redhat/grub.cfg; then
+cat << EOF > /boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --fs-uuid --set=dev \
+	$(lsblk -no UUID $(df -P /boot/grub2 | awk 'END{print $1}'))
+set prefix=(\$dev)/grub2
+export \$prefix
+configfile \$prefix/grub.cfg
+EOF
+		chown root:root /boot/efi/EFI/redhat/grub.cfg
+		chmod u=rwx,go= /boot/efi/EFI/redhat/grub.cfg
+	fi
+fi
+
+%postun
+# Remove residual grub efi modules.
+[ -d /boot/grub2/x86_64-efi ] && rm -rf /boot/grub2/x86_64-efi
+[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
+grub2-mkconfig -o /etc/grub2.cfg
+
 %install
 make debug=y DISTDIR=$RPM_BUILD_ROOT install
 
-
 %files
-%doc README COPYING docs/* lcptools/Linux_LCP_Tools_User_Manual.pdf
+%doc README.md COPYING docs/* lcptools-v2/lcptools.txt
 %config %{_sysconfdir}/grub.d/20_linux_tboot
 %config %{_sysconfdir}/grub.d/20_linux_xen_tboot
-%{_sbindir}/acminfo
-%{_sbindir}/lcp_readpol
-%{_sbindir}/lcp_writepol
+%{_sbindir}/txt-acminfo
 %{_sbindir}/lcp2_crtpol
 %{_sbindir}/lcp2_crtpolelt
 %{_sbindir}/lcp2_crtpollist
 %{_sbindir}/lcp2_mlehash
-%{_sbindir}/parse_err
+%{_sbindir}/txt-parse_err
 %{_sbindir}/tb_polgen
-%{_sbindir}/tpmnv_defindex
-%{_sbindir}/tpmnv_getcap
-%{_sbindir}/tpmnv_lock
-%{_sbindir}/tpmnv_relindex
 %{_sbindir}/txt-stat
-%{_mandir}/man8/acminfo.8.gz
-%{_mandir}/man8/lcp_crtpconf.8.gz
-%{_mandir}/man8/lcp_crtpol.8.gz
-%{_mandir}/man8/lcp_crtpol2.8.gz
-%{_mandir}/man8/lcp_crtpolelt.8.gz
-%{_mandir}/man8/lcp_crtpollist.8.gz
-%{_mandir}/man8/lcp_mlehash.8.gz
-%{_mandir}/man8/lcp_readpol.8.gz
-%{_mandir}/man8/lcp_writepol.8.gz
+%{_mandir}/man8/txt-acminfo.8.gz
 %{_mandir}/man8/tb_polgen.8.gz
 %{_mandir}/man8/txt-stat.8.gz
+%{_mandir}/man8/lcp2_crtpol.8.gz
+%{_mandir}/man8/lcp2_crtpolelt.8.gz
+%{_mandir}/man8/lcp2_crtpollist.8.gz
+%{_mandir}/man8/lcp2_mlehash.8.gz
+%{_mandir}/man8/txt-parse_err.8.gz
 /boot/tboot.gz
 /boot/tboot-syms
 
 %changelog
+* Wed Apr 12 2023 Tony Camuso tcamuso@redhat.com> - 1:1.11.1-1
+- Backport upstream fixes and updates.
+  Resolves: rhbz#2186308
+
+* Thu Aug 18 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-2
+- The install scriptlet in %post was choosing the first grub.cfg
+  file it encountered, which was /boot/efi/EFI/redhat/grub.cfg.
+  This is a stub that defines grub boot disk UUID necessary for
+  proper grubenv setup, and it must not be overwritten or changed.
+  Modify the scriptlet to target /boot/grub2/grub.cfg
+  Additionally, remove any wrongly created /boot/grub2/x86_64-efi
+  directory and recreate the correct /boot/efi/EFI/redhat/grub.cfg
+  stub file.
+  Added a %postun section to cleanup when removing tboot with
+  dnf erase.
+  Thanks to Lenny Szubowicz for the bash code to recreate the
+  /boot/efi/EFI/redhat/grub.cfg stub file.
+  Resolves: rhbz#2112236
+
+* Wed May 04 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-1
+- Upgrade to tboot-1.10.5-1 for fixes and updates.
+- Added a Requires line to install grub2-efi-x64-modules
+- Added a scriptlet to the tboot.spec file to automatically install
+  grub2-efi-x64-modules and move them to the correct directory.
+- Removed three patches that are no longer needed.
+- Added two patches from upstream, one for a fix, the other cosemetic.
+- Resolves: rhbz#2041766
+  Resolves: rhbz#2040083
+
+* Thu Sep 30 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-6
+- Use sha256 as default hashing algorithm
+  Resolves: rhbz#1935448
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.10.2-5
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jul 28 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-4
+- From Miroslave Vadkerti:
+  Onboarding tests to RHEL9 in BaseOS CI requires action, adding
+  test configuration in our "dispatcher" configuration for RHEL9:
+  https://gitlab.cee.redhat.com/baseos-qe/citool-config/blob/production/brew-dispatcher-rhel9.yaml
+  Test config was added for tboot in the following MR.
+  https://gitlab.cee.redhat.com/baseos-qe/citool-config/-/merge_requests/2686
+  Resolves: rhbz#1922002
+
+* Tue Jul 27 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-3
+- Add the %{optflags} and %{build_ldflags} macros to assure the
+  build meets RHEL security requirements.
+  Resolves: rhbz#1922002
+
+* Thu Jul 22 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-2
+- Bump the NVR as a result of including the gating.yaml file in
+  the git repo.
+  Resolves: rhbz#1922002
+
+* Mon Jun 21 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-1
+- The patches are for SSL3 compatibility. These can probably be
+  removed when upstream tboot fully implements SSL3.
+- Upgrade to latest upstream.
+- Remove trousers dependency.
+  Resolves: rhbz#1922002
+  Resolves: rhbz#1870520
+  Resolves: rhbz#1927374
+
 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.9.11-9
 - Rebuilt for RHEL 9 BETA for openssl 3.0
   Related: rhbz#1971065