import tpm2-tools-4.1.1-2.el8

This commit is contained in:
CentOS Sources 2021-03-30 06:38:09 -04:00 committed by Stepan Oksanichenko
parent 5374e8e55e
commit 1dc0c74749
8 changed files with 617 additions and 1 deletions

View File

@ -0,0 +1,80 @@
From e607f78a054acfdbe119499c3608bdb2a44423d9 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
Date: Thu, 7 May 2020 11:51:17 +0200
Subject: [PATCH] Fix ESYS_TR hierarchy transition
Fix those cases of TPM2_RH_ to ESYS_TR_RH_ translations that were missed in
780800c0be69a49b9097f8eae653cdb0623d2100
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
---
lib/tpm2.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/lib/tpm2.c b/lib/tpm2.c
index e7ff77047bef..909a4422339d 100644
--- a/lib/tpm2.c
+++ b/lib/tpm2.c
@@ -656,6 +656,12 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
{
#if defined(ESYS_3_0)
switch (hierarchy) {
+ case ESYS_TR_RH_NULL:
+ case ESYS_TR_RH_OWNER:
+ case ESYS_TR_RH_ENDORSEMENT:
+ case ESYS_TR_RH_PLATFORM:
+ case ESYS_TR_RH_PLATFORM_NV:
+ return hierarchy;
case TPM2_RH_NULL:
return ESYS_TR_RH_NULL;
case TPM2_RH_OWNER:
@@ -664,14 +670,16 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
return ESYS_TR_RH_ENDORSEMENT;
case TPM2_RH_PLATFORM:
return ESYS_TR_RH_PLATFORM;
+ case TPM2_RH_PLATFORM_NV:
+ return ESYS_TR_RH_PLATFORM_NV;
default:
- return TSS2_ESYS_RC_BAD_VALUE;
+ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy);
+ return 0xffffffff;
}
#elif defined(ESYS_2_3)
return hierarchy;
#else
- UNUSED(hierarchy);
- return TSS2_ESYS_RC_BAD_VALUE;
+#error "Need to define either ESYS_3_0 or ESYS_2_3"
#endif
}
@@ -1154,7 +1162,7 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context,
}
TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
- shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state);
+ shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state);
if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) {
LOG_PERR(Esys_HierarchyControl, rval);
return tool_rc_from_tpm(rval);
@@ -1251,7 +1259,7 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context,
TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer,
- TPM2_RH_NULL, result, validation);
+ fix_esys_hierarchy(TPM2_RH_NULL), result, validation);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_HMAC, rval);
return tool_rc_from_tpm(rval);
@@ -1907,7 +1915,7 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private,
TSS2_RC rval = Esys_LoadExternal(ectx,
ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
- private, public, hierarchy,
+ private, public, fix_esys_hierarchy(hierarchy),
object_handle);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_LoadExternal, rval);
--
2.27.0

View File

@ -0,0 +1,211 @@
From 2e7839b905f7a493f739d36e3e550e0cee30049e Mon Sep 17 00:00:00 2001
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
Date: Thu, 7 May 2020 19:12:36 +0200
Subject: [PATCH] Refactor fix_esys_hierarchies()
Refactor fix_esys_hierarchies() to return an actual TSS2_RC return code
and have an output parameter.
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
---
lib/tpm2.c | 88 +++++++++++++++++++++++++++++----------
lib/tpm2.h | 2 +-
tools/tpm2_loadexternal.c | 9 +++-
3 files changed, 75 insertions(+), 24 deletions(-)
diff --git a/lib/tpm2.c b/lib/tpm2.c
index 909a4422339d..744fed8c529f 100644
--- a/lib/tpm2.c
+++ b/lib/tpm2.c
@@ -645,39 +645,51 @@ tool_rc tpm2_evictcontrol(ESYS_CONTEXT *esys_context,
}
/* This function addresses ESAPI change that changes parameter type from
- * Esys_TR to TPMI_RH_HIERARCHY and breaks backwards compatibility.
+ * Esys_TR to TPMI_RH_HIERARCHY or TPMI_RH_ENABLES and breaks backwards
+ * compatibility.
* To keep the tools parameters consistent after v4.0 release we need to
* map the values to appropriate type based on the version of the ESYS API.
* Note: the mapping is based on the ESYS version recognized at compile time.
* The TSS change can be found here:
* https://github.com/tpm2-software/tpm2-tss/pull/1531
*/
-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
+TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out)
{
#if defined(ESYS_3_0)
- switch (hierarchy) {
+ switch (in) {
case ESYS_TR_RH_NULL:
+ /* FALLTHRU */
case ESYS_TR_RH_OWNER:
+ /* FALLTHRU */
case ESYS_TR_RH_ENDORSEMENT:
+ /* FALLTHRU */
case ESYS_TR_RH_PLATFORM:
+ /* FALLTHRU */
case ESYS_TR_RH_PLATFORM_NV:
- return hierarchy;
+ *out = in;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_NULL:
- return ESYS_TR_RH_NULL;
+ *out = ESYS_TR_RH_NULL;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_OWNER:
- return ESYS_TR_RH_OWNER;
+ *out = ESYS_TR_RH_OWNER;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_ENDORSEMENT:
- return ESYS_TR_RH_ENDORSEMENT;
+ *out = ESYS_TR_RH_ENDORSEMENT;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_PLATFORM:
- return ESYS_TR_RH_PLATFORM;
+ *out = ESYS_TR_RH_PLATFORM;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_PLATFORM_NV:
- return ESYS_TR_RH_PLATFORM_NV;
+ *out = ESYS_TR_RH_PLATFORM_NV;
+ return TSS2_RC_SUCCESS;
default:
- LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy);
- return 0xffffffff;
+ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", in);
+ return TSS2_ESYS_RC_BAD_VALUE;
}
#elif defined(ESYS_2_3)
- return hierarchy;
+ *out = in;
+ return TSS2_RC_SUCCESS;
#else
#error "Need to define either ESYS_3_0 or ESYS_2_3"
#endif
@@ -688,8 +700,14 @@ tool_rc tpm2_hash(ESYS_CONTEXT *esys_context, ESYS_TR shandle1, ESYS_TR shandle2
TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **out_hash,
TPMT_TK_HASHCHECK **validation) {
- TSS2_RC rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data,
- hash_alg, fix_esys_hierarchy(hierarchy), out_hash, validation);
+ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data,
+ hash_alg, hierarchy, out_hash, validation);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_Hash, rval);
return tool_rc_from_tpm(rval);
@@ -729,9 +747,15 @@ tool_rc tpm2_sequence_complete(ESYS_CONTEXT *esys_context,
TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **result,
TPMT_TK_HASHCHECK **validation) {
- TSS2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
+ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_SequenceComplete(esys_context, sequence_handle,
ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, buffer,
- fix_esys_hierarchy(hierarchy), result, validation);
+ hierarchy, result, validation);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_SequenceComplete, rval);
return tool_rc_from_tpm(rval);
@@ -1161,8 +1185,14 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context,
return rc;
}
- TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
- shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state);
+ TSS2_RC rval = fix_esys_hierarchy(enable, &enable);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
+ shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state);
if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) {
LOG_PERR(Esys_HierarchyControl, rval);
return tool_rc_from_tpm(rval);
@@ -1257,9 +1287,17 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context,
return rc;
}
- TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
+ uint32_t hierarchy;
+
+ TSS2_RC rval = fix_esys_hierarchy(TPM2_RH_NULL, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_SequenceComplete(esys_context, sequence_handle,
hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer,
- fix_esys_hierarchy(TPM2_RH_NULL), result, validation);
+ hierarchy, result, validation);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_HMAC, rval);
return tool_rc_from_tpm(rval);
@@ -1913,9 +1951,15 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private,
const TPM2B_PUBLIC *public, TPMI_RH_HIERARCHY hierarchy,
ESYS_TR *object_handle) {
- TSS2_RC rval = Esys_LoadExternal(ectx,
+ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_LoadExternal(ectx,
ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
- private, public, fix_esys_hierarchy(hierarchy),
+ private, public, hierarchy,
object_handle);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_LoadExternal, rval);
diff --git a/lib/tpm2.h b/lib/tpm2.h
index a37e05606c7a..2e4ae5e7dddc 100644
--- a/lib/tpm2.h
+++ b/lib/tpm2.h
@@ -389,7 +389,7 @@ tool_rc tpm2_policy_nv_written(ESYS_CONTEXT *esys_context,
ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2,
ESYS_TR shandle3, TPMI_YES_NO written_set);
-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy);
+TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out);
tool_rc tpm2_certifycreation(ESYS_CONTEXT *esys_context,
tpm2_loaded_object *signingkey_obj, tpm2_loaded_object *certifiedkey_obj,
diff --git a/tools/tpm2_loadexternal.c b/tools/tpm2_loadexternal.c
index 70fb72877aae..4127ca1b524b 100644
--- a/tools/tpm2_loadexternal.c
+++ b/tools/tpm2_loadexternal.c
@@ -48,9 +48,16 @@ static tpm_loadexternal_ctx ctx = {
static tool_rc load_external(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *pub,
TPM2B_SENSITIVE *priv, bool has_priv, TPM2B_NAME **name) {
+ uint32_t hierarchy;
+ TSS2_RC rval = fix_esys_hierarchy(ctx.hierarchy_value, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
tool_rc rc = tpm2_loadexternal(ectx,
has_priv ? priv : NULL, pub,
- fix_esys_hierarchy(ctx.hierarchy_value), &ctx.handle);
+ hierarchy, &ctx.handle);
if (rc != tool_rc_success) {
return rc;
}
--
2.27.0

View File

@ -0,0 +1,28 @@
From c28932caef2036039901a91cf55eb7ff093c70f5 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Fri, 24 Jan 2020 15:53:39 -0700
Subject: [PATCH] tpm2_alg_util.c: fix a bug where the string rsa3072 wasnt
being parsed
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
lib/tpm2_alg_util.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
index b83c387a05bd..fcad480e0c3d 100644
--- a/lib/tpm2_alg_util.c
+++ b/lib/tpm2_alg_util.c
@@ -301,6 +301,9 @@ static alg_parser_rc handle_rsa(const char *ext, TPM2B_PUBLIC *public) {
} else if (!strncmp(ext, "4096", 4)) {
r->keyBits = 4096;
ext += 4;
+ } else if (!strncmp(ext, "3072", 4)) {
+ r->keyBits = 3072;
+ ext += 4;
} else {
r->keyBits = 2048;
}
--
2.27.0

View File

@ -0,0 +1,186 @@
From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 21 May 2020 11:31:43 -0700
Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared
if policy specified
Fixes #2037
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
man/tpm2_create.1.md | 9 +++-
test/integration/tests/import_tpm.sh | 78 +++++++++++++++++-----------
tools/tpm2_create.c | 10 ++--
3 files changed, 60 insertions(+), 37 deletions(-)
diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md
index e8e5eaac49c3..9a7ba33e6017 100644
--- a/man/tpm2_create.1.md
+++ b/man/tpm2_create.1.md
@@ -13,7 +13,7 @@
**tpm2_create**(1) - Create a child object. The object can either be a key or
a sealing object. A sealing object allows to seal user data to the TPM, with a
maximum size of 256 bytes. Additionally it will load the created object if the
-**-o** is specified.
+**-c** is specified.
# OPTIONS
@@ -55,6 +55,13 @@ These options for creating the TPM entity:
and unsealing. I.e. one cannot use an object for sealing and cryptography
operations.
+ When **-L** is specified for adding policy based authorization information
+ AND no string password is specified, the attribute `TPMA_OBJECT_USERWITHAUTH`
+ is cleared unless an explicit choice is made by setting of the attribute
+ with **-a** option. This prevents creation of objects with inadvertant auth
+ model where in user intended to enforce a policy but inadvertantly created
+ an object with empty auth which can be used instead of policy authorization.
+
* **-i**, **\--sealing-input**=_FILE_ or _STDIN_:
The data file to be sealed, optional. If file is -, read from stdin.
diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh
index ff48185aba70..3d1e10820844 100755
--- a/test/integration/tests/import_tpm.sh
+++ b/test/integration/tests/import_tpm.sh
@@ -54,8 +54,13 @@ load_new_parent() {
create_load_duplicatee() {
# Create the key we want to duplicate
create_policy dpolicy.dat TPM2_CC_Duplicate
- tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \
- -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+ if [ -z "$2" ];then
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+ else
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+ fi
# Load the key
tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
# Extract the public part for import later
@@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do
done
done
-# Part 2 :
-# Create a rsa key (Kd)
-# Encrypt a message using Kd
-# Duplicate Kd
-# Import & Load Kd
-# Decrypt the message and verify
-tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
-# New parent ...
-create_load_new_parent
-# Key to be duplicated
-create_load_duplicatee rsa
-# Encrypt a secret message
-echo "Mary had a little lamb ..." > plain.txt
-tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
-# Duplicate the key
-do_duplication null
-# Remove, we're done with it
-rm new_parent.ctx
-# Load the full thing this time
-load_new_parent
-# Import & load the duplicate
-do_import_load null
-# Decrypt the secret message using duplicated key
-tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt
-# Check we got it right ...
-diff recovered.txt plain.txt
-# Cleanup
-rm plain.txt recovered.txt cipher.txt
-cleanup "no-shut-down"
+test_key_usage() {
+ # Part 2 :
+ # Create a rsa key (Kd)
+ # Encrypt a message using Kd
+ # Duplicate Kd
+ # Import & Load Kd
+ # Decrypt the message and verify
+ tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
+ # New parent ...
+ create_load_new_parent
+ # Key to be duplicated
+ create_load_duplicatee rsa "$1"
+ # Encrypt a secret message
+ echo "Mary had a little lamb ..." > plain.txt
+ tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
+ # Duplicate the key
+ do_duplication null
+ # Remove, we're done with it
+ rm new_parent.ctx
+ # Load the full thing this time
+ load_new_parent
+ # Import & load the duplicate
+ do_import_load null
+ # Decrypt the secret message using duplicated key
+ if [ -z "$1" ];then
+ tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt
+ else
+ tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt
+ fi
+ # Check we got it right ...
+ diff recovered.txt plain.txt
+ # Cleanup
+ rm plain.txt recovered.txt cipher.txt
+ cleanup "no-shut-down"
+}
+
+#Test key with password
+test_key_usage foo
+#Test key without password
+test_key_usage
exit 0
diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
index 941b77655f55..8e92cc747e17 100644
--- a/tools/tpm2_create.c
+++ b/tools/tpm2_create.c
@@ -47,7 +47,7 @@ struct tpm_create_ctx {
TPML_PCR_SELECTION creation_pcr;
struct {
- UINT8 b :1;
+ UINT8 a :1;
UINT8 i :1;
UINT8 L :1;
UINT8 u :1;
@@ -224,7 +224,7 @@ static bool on_option(char key, char *value) {
break;
case 'a':
ctx.object.attrs = value;
- ctx.flags.b = 1;
+ ctx.flags.a = 1;
break;
case 'i':
ctx.object.sealed_data = strcmp("-", value) ? value : NULL;
@@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
ctx.object.alg = "keyedhash";
- if (!ctx.flags.b) {
+ if (!ctx.flags.a) {
attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT;
attrs &= ~TPMA_OBJECT_DECRYPT;
attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
}
- } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) {
+ } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) {
attrs &= ~TPMA_OBJECT_DECRYPT;
}
@@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
return tool_rc_general_error;
}
- if (ctx.flags.L && !ctx.object.auth_str) {
+ if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) {
ctx.object.public.publicArea.objectAttributes &=
~TPMA_OBJECT_USERWITHAUTH;
}
--
2.27.0

View File

@ -0,0 +1,37 @@
From 334b4c739fa575fb4ea58f92df6de87c38e59e15 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 23 Jan 2020 08:06:56 -0700
Subject: [PATCH] tpm2_hierarchycontrol: Fixed bug where hierarchycontrol
operation failed silently
Fixes #1841
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
tools/tpm2_hierarchycontrol.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/tpm2_hierarchycontrol.c b/tools/tpm2_hierarchycontrol.c
index 0baf2ca487d3..7e9e2c657544 100644
--- a/tools/tpm2_hierarchycontrol.c
+++ b/tools/tpm2_hierarchycontrol.c
@@ -32,8 +32,14 @@ static tool_rc hierarchycontrol(ESYS_CONTEXT *ectx) {
ctx.enable == TPM2_RH_ENDORSEMENT ? "ehEnable" : "phEnableNV",
ctx.state ? "SET" : "CLEAR");
- return tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object, ctx.enable,
- ctx.state);
+ tool_rc rc = tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object,
+ ctx.enable, ctx.state);
+
+ if (rc != tool_rc_success) {
+ LOG_ERR("Failed hierarchycontrol operation.");
+ }
+
+ return rc;
}
bool on_arg(int argc, char **argv) {
--
2.27.0

View File

@ -0,0 +1,31 @@
From 652322f7278ec8c384fde9ec2204b06d084a24e4 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 23 Jan 2020 07:54:58 -0700
Subject: [PATCH] tpm2_nvdefine.c: Fixed error reporting message
Fixes #1861
NV define failure error message had the wording to suggest NV index
was successfully defined.
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
tools/tpm2_nvdefine.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tpm2_nvdefine.c b/tools/tpm2_nvdefine.c
index cb2949c4dddc..71203cb6c80d 100644
--- a/tools/tpm2_nvdefine.c
+++ b/tools/tpm2_nvdefine.c
@@ -65,7 +65,7 @@ static tool_rc nv_space_define(ESYS_CONTEXT *ectx) {
tool_rc rc = tpm2_nv_definespace(ectx, &ctx.auth_hierarchy.object,
&ctx.nv_auth, &public_info);
if (rc != tool_rc_success) {
- LOG_INFO("Success to define NV area at index 0x%x.", ctx.nv_index);
+ LOG_ERR("Failed to create NV index 0x%x.", ctx.nv_index);
return rc;
}
--
2.27.0

View File

@ -0,0 +1,26 @@
From 44d0d2d17dc693e029e0557ec985c9b68c3efeb5 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Wed, 22 Jan 2020 14:15:48 -0700
Subject: [PATCH] tpm2_policyor: Silent failure bug fix for invalid/unspecified
policy digest alg
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
lib/tpm2_policy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
index 3d9b5491f9ce..8460bd1d9ae9 100644
--- a/lib/tpm2_policy.c
+++ b/lib/tpm2_policy.c
@@ -588,6 +588,7 @@ bool tpm2_policy_parse_policy_list(char *str, TPML_DIGEST *policy_list) {
hash = tpm2_alg_util_from_optarg(subtoken,
tpm2_alg_util_flags_hash);
if (hash == TPM2_ALG_ERROR) {
+ LOG_ERR("Invalid/ Unspecified policy digest algorithm.");
return false;
}
}
--
2.27.0

View File

@ -1,11 +1,18 @@
Name: tpm2-tools Name: tpm2-tools
Version: 4.1.1 Version: 4.1.1
Release: 1%{?dist} Release: 2%{?dist}
Summary: A TPM2.0 testing tool build upon TPM2.0-TSS Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
License: BSD License: BSD
URL: https://github.com/tpm2-software/tpm2-tools URL: https://github.com/tpm2-software/tpm2-tools
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch0: 0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch
Patch1: 0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch
Patch2: 0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch
Patch3: 0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
Patch4: 0001-Fix-ESYS_TR-hierarchy-transition.patch
Patch5: 0001-Refactor-fix_esys_hierarchies.patch
Patch6: 0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libtool BuildRequires: libtool
@ -46,6 +53,16 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
%{_mandir}/man1/tpm2_*.1.gz %{_mandir}/man1/tpm2_*.1.gz
%changelog %changelog
* Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-2
- Fix ESYS_TR hierarchy transition.
- Refactor fix_esys_hierarchies to return actual TSS2_RC return code.
- tpm2_alg_util.c: fix a bug where the string rsa3072 wasn't being parsed.
- tpm2_create.c: Fix an issue where userwithauth attr cleared if policy specified.
- tpm2_hierarchycontrol: Fix bug where hierarchycontrol operation failed silently.
- tpm2_nvdefine.c: Fix error reporting message.
- tpm2_policyor: Fix silent failure for invalid/unspecified policy digest alg.
resolves: rhbz#1854774
* Wed Apr 29 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-1 * Wed Apr 29 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-1
- Update to 4.1.1 release - Update to 4.1.1 release
resolves: rhbz#1789682 resolves: rhbz#1789682