diff --git a/SOURCES/0001-man-manpage-cleanup.patch b/SOURCES/0001-man-manpage-cleanup.patch
new file mode 100644
index 0000000..10e147a
--- /dev/null
+++ b/SOURCES/0001-man-manpage-cleanup.patch
@@ -0,0 +1,232 @@
+From 65ca7418b9a884bb5271e602cf63fc8845397988 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar
+Date: Sun, 27 Jan 2019 21:55:19 -0700
+Subject: [PATCH] man: manpage cleanup
+
+tpm_restrictsrk and tpm_unsealdata are missing manpages.
+Add missing options to tpm_nvdefine and tpm_setpresence.
+
+Signed-off-by: Jerry Snitselaar
+---
+ man/man1/Makefile.am | 1 +
+ man/man1/tpm_unsealdata.1 | 60 +++++++++++++++++++++++++++++++++
+ man/man8/Makefile.am | 1 +
+ man/man8/tpm_nvdefine.8 | 13 ++++++--
+ man/man8/tpm_restrictsrk.8 | 68 ++++++++++++++++++++++++++++++++++++++
+ man/man8/tpm_setpresence.8 | 3 ++
+ 6 files changed, 144 insertions(+), 2 deletions(-)
+ create mode 100644 man/man1/tpm_unsealdata.1
+ create mode 100644 man/man8/tpm_restrictsrk.8
+
+diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am
+index ff8b571..f833363 100644
+--- a/man/man1/Makefile.am
++++ b/man/man1/Makefile.am
+@@ -22,6 +22,7 @@
+ #
+
+ man1_MANS = tpm_sealdata.1 \
++ tpm_unsealdata.1 \
+ tpm_version.1
+ if P11_SUPPORT
+ man1_MANS += tpmtoken_init.1 \
+diff --git a/man/man1/tpm_unsealdata.1 b/man/man1/tpm_unsealdata.1
+new file mode 100644
+index 0000000..80e8f12
+--- /dev/null
++++ b/man/man1/tpm_unsealdata.1
+@@ -0,0 +1,60 @@
++.\" Copyright (C) 2019 International Business Machines Corporation
++.\"
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "tpm_unsealdata" 1 "2019-01-27" "TPM Management"
++.ce 1
++TPM Management - tpm_unsealdata
++.SH NAME
++tpm_unsealdata \- unseal input data with the SRK of the system's TPM
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.B tpm_unsealdata
++.RB [ OPTION ]
++
++.SH "DESCRIPTION"
++.PP
++\fBtpm_unsealdata\fR unseals sensitive data that was sealed the SRK of the system's TPM.
++
++.TP
++\fB\-h\fR, \fB\-\-help\fR
++Display command usage info.
++.TP
++\fB-v\fR, \fB\-\-version\fR
++Display command version info.
++.TP
++\fB-l\fR, \fB\-\-log\fR [none|error|info|debug]
++Set logging level.
++.TP
++\fB-i\fR, \fB\-\-infile FILE\fR
++File containing data to unseal.
++.TP
++\fB-o\fR, \fB\-\-outfile FILE\fR
++Filename to write unsealed data to. Default is STDOUT.
++.TP
++\fB-z\fR, \fB\-\-well-known\fR
++Use TSS_WELL_KNOWN_SECRET (20 zero bytes) as the SRK password. You will not be prompted for the SRK password with this option.
++
++.SH "SEE ALSO"
++.PP
++\fBtpm_sealdata\fR(1), \fBtpmUnsealFile\fR(3)
++
++.SH "REPORTING BUGS"
++Report bugs to
+diff --git a/man/man8/Makefile.am b/man/man8/Makefile.am
+index b38ac18..487a4c8 100644
+--- a/man/man8/Makefile.am
++++ b/man/man8/Makefile.am
+@@ -36,6 +36,7 @@ man8_MANS = tpm_changeownerauth.8 \
+ tpm_createek.8 \
+ tpm_getpubek.8 \
+ tpm_restrictpubek.8 \
++ tpm_restrictsrk.8 \
+ tpm_selftest.8 \
+ tpm_setactive.8 \
+ tpm_setclearable.8 \
+diff --git a/man/man8/tpm_nvdefine.8 b/man/man8/tpm_nvdefine.8
+index 13edb78..0eecc2a 100644
+--- a/man/man8/tpm_nvdefine.8
++++ b/man/man8/tpm_nvdefine.8
+@@ -161,8 +161,8 @@ using \s-1TSS\s0 popup boxes
+ .IP "\fB\-y, \-\-owner\-well\-known\fR" 4
+ .IX Item "-y, --owner-well-known"
+ Use a secret of all zeros (20 bytes of zeros) as the owner's secret.
+-.IP "\fB\-z, \-\-area\-well\-known\fR" 4
+-.IX Item "-z, --area-well-known"
++.IP "\fB\-z, \-\-data\-well\-known\fR" 4
++.IX Item "-z, --data-well-known"
+ Use a secret of all zeros (20 bytes of zeros) as the \s-1NVRAM\s0 area's secret.
+ .IP "\fB\-o, \-\-pwdo\fR (optional parameter)" 4
+ .IX Item "-o, --pwdo (optional parameter)"
+@@ -189,6 +189,15 @@ To select the \s-1NVRAM\s0 area with index 0x100, the command line parameter sho
+ .IX Item "-s, --size"
+ The size of the \s-1NVRAM\s0 area.
+ The parameter must either be a decimal number or a hexadecimal number starting with '0x'.
++.IP "\fB\-r, \-\-rpcsr\fR" 4
++.IX Item "-r, --rpcrs"
++PCRs to seal the NVRAM area to for reading (use multiple times)
++.IP "\fB\-w, \-\-wpcrs\fR" 4
++.IX Item "-w, --wpcrs"
++PCRs to seal the NVRAM area to for writing (use multiple times)
++.IP "\fB\-f, \-\-filename\fR" 4
++.IX Item "-f, --filename"
++File containing PCR info for the NVRAM area.
+ .IP "\fB\-p, \-\-permissions\fR" 4
+ .IX Item "-p, --permissions"
+ The access permissions associated with the \s-1NVRAM\s0 area.
+diff --git a/man/man8/tpm_restrictsrk.8 b/man/man8/tpm_restrictsrk.8
+new file mode 100644
+index 0000000..7935b7b
+--- /dev/null
++++ b/man/man8/tpm_restrictsrk.8
+@@ -0,0 +1,68 @@
++.\" Copyright (C) 2019 International Business Machines Corporation
++.\"
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "tpm_restrictsrk" 8 "2019-01-27" "TPM Management"
++.ce 1
++TPM Management - tpm_restrictsrk
++.SH NAME
++tpm_restrictsrk \- restrict the ability to access the Storage Root Key
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.B tpm_restrictsrk
++.RB [ OPTION ]
++
++.SH "DESCRIPTION"
++.PP
++\fBtpm_restrictsrk\fR reports the status of who can access the Storage Root Key. This is the default behavior and also available with the \fB\-\-status\fR option.
++This operation will be in effect until the owner is cleared and prompts for the owner passord. With the \fB\-\-restrict\fR option, the ability to access the Storage Root Key is resticted to the owner.
++The command prompts for the owner password to complete the operation. The \fB\-\-allow\fR and \fB\-\-restrict\fR options are mutually exclusive and the last one on the command line will be carried out.
++
++.TP
++\fB\-h\fR, \fB\-\-help\fR
++Display command usage info.
++.TP
++\fB-v\fR, \fB\-\-version\fR
++Display command version info.
++.TP
++\fB-l\fR, \fB\-\-log\fR [none|error|info|debug]
++Set logging level.
++.TP
++\fB-u\fR, \fB\-\-unicode\fR
++Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes
++.TP
++\fB-a\fR, \fB\-\-allow\fR
++Allow SRK read access using SRK auth
++.TP
++\fB-s\fR, \fB\-\-status\fR
++Display the status of who can access the Storage Root Key
++.TP
++\fB-r\fR, \fB\-\-restrict\fR
++Restrict SRK read to owner only
++.TP
++\fB-z\fR, \fB\-\-well-known\fR
++Authenticate using 20 bytes of zeros as owner password (the default TSS Well Known Secret), instead of prompting for an owner password.
++
++.SH "SEE ALSO"
++.PP
++\fBtpm_version\fR(1), \fBtpm_takeownership\fR(8), \fBtcsd\fR(8)
++
++.SH "REPORTING BUGS"
++Report bugs to
+diff --git a/man/man8/tpm_setpresence.8 b/man/man8/tpm_setpresence.8
+index a04c70f..96670e0 100644
+--- a/man/man8/tpm_setpresence.8
++++ b/man/man8/tpm_setpresence.8
+@@ -46,6 +46,9 @@ Set logging level.
+ \fB-u\fR, \fB\-\-unicode\fR
+ Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes
+ .TP
++\fB-s\fR, \fB\-\-status\fR
++Report current physical presence states.
++.TP
+ \fB-a\fR, \fB\-\-assert\fR
+ Assert that an admin is physically present at the machine.
+ .TP
+--
+2.20.1.98.gecbdaf0899
+
diff --git a/SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch b/SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch
new file mode 100644
index 0000000..e032344
--- /dev/null
+++ b/SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch
@@ -0,0 +1,29 @@
+From d11a2d62797e6794105470c1dd5f99017d9484e3 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar
+Date: Sun, 27 Jan 2019 23:17:02 -0700
+Subject: [PATCH] tpm-tools: fix outdated function signature in tpmUnsealFile
+ manpage
+
+The tpmUnsealFile manpage hasn't been updated with changes to tpmUnsealFile.
+
+Signed-off-by: Jerry Snitselaar
+---
+ man/man3/tpmUnsealFile.3 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/man3/tpmUnsealFile.3 b/man/man3/tpmUnsealFile.3
+index 1fda48f..c362298 100644
+--- a/man/man3/tpmUnsealFile.3
++++ b/man/man3/tpmUnsealFile.3
+@@ -28,7 +28,7 @@ tpmUnsealFile, tpmUnsealShred, tpmUnsealStrerror - unseal routines
+ .hy 0
+ .B #include
+ .sp
+-.B int tpmUnsealFile(char* file, char** data, int* size);
++.B int tpmUnsealFile(char* fname, char** tss_data, int* tss_size, BOOL srkWellKnown);
+ .br
+ .B void tpmUnsealShred(char* data, int size);
+ .br
+--
+2.20.1.98.gecbdaf0899
+
diff --git a/SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch b/SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch
new file mode 100644
index 0000000..e39ae8d
--- /dev/null
+++ b/SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch
@@ -0,0 +1,54 @@
+From c927f67f36a4719bd15b8a535efb6980f1e87a6b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Fri, 30 Nov 2018 12:48:37 +0100
+Subject: [PATCH] tpm_version: avoid outputting NULL bytes from tpmVendorID
+
+When the vendor ID contains null bytes then '^@' characters appear in
+the tpm_version output. This can confuse users and it also causes e.g.
+'grep' to treat the input as binary. Example:
+
+ TPM Vendor ID: WEC\000
+
+This change copies the vendor ID bytes over into a local string object.
+This makes the code more independent of the vendor ID dimension and also
+avoids NULL bytes being printed.
+---
+ src/tpm_mgmt/tpm_version.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c
+index 1019b71..78b78e8 100644
+--- a/src/tpm_mgmt/tpm_version.c
++++ b/src/tpm_mgmt/tpm_version.c
+@@ -133,6 +133,7 @@ int cmdVersion(const char *a_szCmd)
+ UINT64 offset;
+ TSS_RESULT uiResult;
+ TPM_CAP_VERSION_INFO versionInfo;
++ char vendor_id[sizeof(versionInfo.tpmVendorID)+1];
+ char *errbuf = NULL; // Buffer containing what was sent to stderr during getCapability.
+
+ /* Disable logging to of "Bad Mode" during this call.
+@@ -169,15 +170,17 @@ int cmdVersion(const char *a_szCmd)
+ goto out_close;
+ }
+
++ // copy over the individual characters into a regular string.
++ // This avoids that null bytes are written to stdout.
++ snprintf ( vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID );
++
+ logMsg(_(" TPM 1.2 Version Info:\n"));
+ logMsg(_(" Chip Version: %hhu.%hhu.%hhu.%hhu\n"),
+ versionInfo.version.major, versionInfo.version.minor,
+ versionInfo.version.revMajor, versionInfo.version.revMinor);
+ logMsg(_(" Spec Level: %hu\n"), versionInfo.specLevel);
+ logMsg(_(" Errata Revision: %hhu\n"), versionInfo.errataRev);
+- logMsg(_(" TPM Vendor ID: %c%c%c%c\n"),
+- versionInfo.tpmVendorID[0], versionInfo.tpmVendorID[1],
+- versionInfo.tpmVendorID[2], versionInfo.tpmVendorID[3]);
++ logMsg(_(" TPM Vendor ID: %s\n"), vendor_id);
+
+ if (versionInfo.vendorSpecificSize) {
+ logMsg(_(" Vendor Specific data: "));
+--
+2.18.1
+
diff --git a/SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch b/SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch
new file mode 100644
index 0000000..949b58e
--- /dev/null
+++ b/SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch
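Review bot: The new `snprintf(vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID)` in the second hunk bounds the write but not the read: `%s` scans the source until it finds a NUL, and tpmVendorID is a fixed four-element array with no guaranteed terminator (the removed lines print exactly elements [0]..[3], and the local buffer is sized `sizeof(versionInfo.tpmVendorID)+1` for that reason). A vendor ID that uses all four bytes therefore turns this into an out-of-bounds read into whatever follows the array inside versionInfo, and the text printed depends on that adjacent memory. Cap the read with a precision, which still stops at an embedded NUL and so keeps the fix: `snprintf(vendor_id, sizeof(vendor_id), "%.*s", (int)sizeof(versionInfo.tpmVendorID), (const char *)versionInfo.tpmVendorID);`. Non-printable bytes in the ID are still passed through to the terminal unchanged. cmdVersion starts and ends outside the hunk.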
@@ -0,0 +1,38 @@
+From f0f30ff3e3b08751ebb8524303d80b6e94882134 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Fri, 30 Nov 2018 13:17:01 +0100
+Subject: [PATCH] tpm_version: avoid outputting undefined data on stderr
+
+If there was no data written to the temporary file then memsize == 1, no
+data will be read from the file into the buffer and the buffer will not
+be null terminated. This can cause random data to be output later on to
+the original stderr like:
+
+'#precedence ::ffff:0:0/'
+
+or
+
+'xl?8?'
+
+Fix this by making sure the buffer is always zero terminated.
+---
+ src/tpm_mgmt/tpm_version.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c
+index 78b78e8..e563a8c 100644
+--- a/src/tpm_mgmt/tpm_version.c
++++ b/src/tpm_mgmt/tpm_version.c
+@@ -99,6 +99,9 @@ char* end_capture_stderr(int olderr)
+ perror("read()");
+ }
+
++ // make sure the buffer is null terminated.
++ buf[st.st_size] = '\0';
++
+ // Restore stderr.
+ errout:
+ if (0 > dup2(olderr, STDERR_FILENO)) {
+--
+2.18.1
+
diff --git a/SOURCES/tpm-tools-1.3.9-memset.patch b/SOURCES/tpm-tools-1.3.9-memset.patch
new file mode 100644
index 0000000..cdd2406
--- /dev/null
+++ b/SOURCES/tpm-tools-1.3.9-memset.patch
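Review bot: `buf[st.st_size] = '\0'` terminates the buffer at the file's size rather than at the number of bytes `read()` actually returned; the `perror("read()")` branch directly above falls through to this line, so on a failed or short read the bytes between what was read and st_size stay uninitialized and are still handed back to the caller, which is the same class of garbage output the commit sets out to remove. Terminate at the read result instead, clamped to zero on error, e.g. `buf[nread > 0 ? nread : 0] = '\0';` with whatever variable holds the `read()` return value. The line also assumes buf was allocated with room for st_size+1 bytes; the commit message's "memsize == 1" suggests it was, but the allocation is outside the hunk, so that is worth confirming before relying on the terminator slot. end_capture_stderr starts and ends outside the hunk.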
@@ -0,0 +1,30 @@
+diff -ur tpm-tools-1.3.9/include/tpm_utils.h tpm-tools-1.3.9-new/include/tpm_utils.h
+--- tpm-tools-1.3.9/include/tpm_utils.h 2014-07-23 13:37:12.000000000 -0700
++++ tpm-tools-1.3.9-new/include/tpm_utils.h 2019-06-05 11:13:55.474783996 -0700
+@@ -71,7 +71,7 @@
+ #define __no_optimize
+ #endif
+
+-void * __no_optimize __memset(void *s, int c, size_t n);
++void * __memset(void *s, int c, size_t n);
+
+ typedef int (*CmdOptParser)( const int aOpt, const char *aOptArg );
+ typedef void (*CmdHelpFunction)( const char *aCmd );
+diff -ur tpm-tools-1.3.9/lib/tpm_utils.c tpm-tools-1.3.9-new/lib/tpm_utils.c
+--- tpm-tools-1.3.9/lib/tpm_utils.c 2014-07-23 13:37:12.000000000 -0700
++++ tpm-tools-1.3.9-new/lib/tpm_utils.c 2019-06-05 11:13:41.570968364 -0700
+@@ -134,10 +134,12 @@
+ return 0;
+ }
+
+-void * __no_optimize
++void *
+ __memset(void *s, int c, size_t n)
+ {
+- return memset(s, c, n);
++ memset(s, c, n);
++ asm volatile("" ::: "memory");
++ return s;
+ }
+
+ /*
diff --git a/SPECS/tpm-tools.spec b/SPECS/tpm-tools.spec
index da5c69e..d0ded9f 100644
--- a/SPECS/tpm-tools.spec
+++ b/SPECS/tpm-tools.spec
@@ -1,7 +1,7 @@
 Name: tpm-tools
 Summary: Management tools for the TPM hardware
 Version: 1.3.9
-Release: 4%{?dist}
+Release: 7%{?dist}
 License: CPL
 URL: http://trousers.sourceforge.net
 Source0: http://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz
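Review bot: The compiler barrier in the new `__memset` body carries no comment saying why the function does not simply call `memset()`; its purpose — keeping the wipe of a secret buffer from being dropped as a dead store now that the `__no_optimize` attribute is gone — is exactly the kind of intent a later cleanup will "simplify" away, so add `/* Compiler barrier: the store must survive even when the caller discards the buffer (used to scrub secrets). */` above the `asm` line. A slightly stronger and more portable spelling is `__asm__ __volatile__("" : : "r"(s) : "memory");`, which also hands `s` to the asm and compiles under strict `-std=c99`, where bare `asm` is not a keyword; whether that matters depends on the build flags, which are not visible here. Where glibc's `explicit_bzero()` is available it could replace the wrapper outright, but the barrier form keeps a portable fallback. The `__no_optimize` definition left in the header hunk looks unused after this change if nothing else references it.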
@@ -9,6 +9,13 @@ BuildRequires: trousers-devel openssl-devel opencryptoki-devel
 Patch0001: 0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
 Patch0002: 0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch
 Patch0003: 0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
+# Patches 4 & 5 submitted upstream by SUSE
+Patch0004: 0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch
+Patch0005: 0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch
+# submitted upstream
+Patch0006: 0001-man-manpage-cleanup.patch
+Patch0007: 0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch
+Patch0008: tpm-tools-1.3.9-memset.patch
 
 %description
 tpm-tools is a group of tools to manage and utilize the Trusted Computing
@@ -45,6 +52,10 @@ for developing tpm-tools applications.
 %install
 %make_install INSTALL="install -p"
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libtpm_unseal.la
+# autoreconf is not happy on rhel8 with tpm-tools, so temp
+# work around to get new manpages in place
+cp -p man/man1/tpm_unsealdata.1 %{buildroot}/%{_mandir}/man1
+cp -p man/man8/tpm_restrictsrk.8 %{buildroot}/%{_mandir}/man8
 
 %post -p /sbin/ldconfig
 
@@ -71,6 +82,19 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libtpm_unseal.la
 %{_mandir}/man3/tpmUnseal*
 
 %changelog
+* Wed Jun 12 2019 Jerry Snitselaar - 1.3.9-7
+- Make sure new manpages get installed.
+resolves: rhbz#1669892
+
+* Wed Jun 05 2019 Jerry Snitselaar - 1.3.9-6
+- Fix annocheck warning
+resolves: rhbz#1624180
+
+* Wed May 22 2019 Jerry Snitselaar - 1.3.9-5
+- Add CI gating support
+- tpm_version: remove garbled text
+resolves: rhbz#1669892
+
 * Fri Feb 09 2018 Fedora Release Engineering - 1.3.9-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
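Review bot: Patch0004–Patch0008 are declared in the first hunk, but no matching `%patch` application lines are added anywhere in this diff; if `%prep` uses explicit `%patch0001 -p1`-style lines rather than `%autosetup`, the two tpm_version fixes and the memset barrier would be shipped in the SRPM yet never applied, so confirm `%prep` (outside the hunks). The `cp -p` lines added under `%install` also assume `%files` globs `%{_mandir}/man1` and `%{_mandir}/man8`; only `%{_mandir}/man3/tpmUnseal*` is visible, and an unlisted copy fails the unpackaged-files check. The workaround comment should say what it stands in for, e.g. `# autoreconf fails on rhel8, so install the manpages added by Patch0006 by hand until that is fixed`. Minor: the new lines use `%{buildroot}` while the adjacent `rm -f` uses `$RPM_BUILD_ROOT`.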