rpms/tpm2-tools
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Backport upstream fixes

Browse Source 
Resolves: RHEL-72772

Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
This commit is contained in:
Štěpán Horáček 2025-04-23 16:53:32 +02:00
parent bf85ff7d7a
commit 2615e3458d
9 changed files with 536 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
0001-Fix-handling-of-testResult-in-tpm2_gettestresult.patch Normal file
View File

@ -0,0 +1,26 @@
From ff26c05d928519f9ae8442d9fd6458fbebb3c518 Mon Sep 17 00:00:00 2001
From: "wenxin.leong" <wenxin.leong@infineon.com>
Date: Wed, 15 May 2024 18:58:21 -0700
Subject: [PATCH 1/8] Fix handling of testResult in tpm2_gettestresult
Signed-off-by: wenxin.leong <wenxin.leong@infineon.com>
---
tools/tpm2_gettestresult.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/tools/tpm2_gettestresult.c b/tools/tpm2_gettestresult.c
index 24a5caf6..29f913a3 100644
--- a/tools/tpm2_gettestresult.c
+++ b/tools/tpm2_gettestresult.c
@@ -35,8 +35,6 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
tpm2_tool_output("status: ");
print_yaml_indent(1);
- status &= TPM2_RC_TESTING;
-
switch (status) {
case TPM2_RC_SUCCESS:
tpm2_tool_output("success");
--
2.49.0

35
0002-tpm2_evictcontrol.c-Fix-segfault-for-output-of-handl.patch Normal file
View File

@ -0,0 +1,35 @@
From 2be6ae25b564a7cf1c50404cd293e452c5a8f4a5 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Thu, 23 May 2024 11:40:14 +0200
Subject: [PATCH 2/8] tpm2_evictcontrol.c: Fix segfault for output of handle
ESYS_TR_NONE
If the -o parameter was used when a persistent handle should be
evicted a segfault did occur.
Now the object is evicted an a warning is displayed.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
tools/tpm2_evictcontrol.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tools/tpm2_evictcontrol.c b/tools/tpm2_evictcontrol.c
index 8199be39..3fd7ee03 100644
--- a/tools/tpm2_evictcontrol.c
+++ b/tools/tpm2_evictcontrol.c
@@ -190,7 +190,11 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
tpm2_tool_output("action: %s\n", evicted ? "evicted" : "persisted");
tool_rc tmp_rc = tool_rc_success;
if (ctx.output_arg) {
- tmp_rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg);
+ if (out_tr == ESYS_TR_NONE) {
+ LOG_WARN("The parameter --output can't be used if a persistent object will be evicted");
+ } else {
+ tmp_rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg);
+ }
}
if (!evicted) {
--
2.49.0

35
0003-Fix-calloc-argument-order.patch Normal file
View File

@ -0,0 +1,35 @@
From a9ef4c986984cce821260f46d44d31fd88591c36 Mon Sep 17 00:00:00 2001
From: dzil123 <5725958+dzil123@users.noreply.github.com>
Date: Tue, 4 Jun 2024 22:33:02 -0700
Subject: [PATCH 3/8] Fix calloc argument order
Signed-off-by: dzil123 <5725958+dzil123@users.noreply.github.com>
---
lib/tpm2_openssl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c
index ad43c8e1..79e80a5e 100644
--- a/lib/tpm2_openssl.c
+++ b/lib/tpm2_openssl.c
@@ -422,7 +422,7 @@ static bool do_open_file(FILE *f, const char *path, char **pass) {
goto out;
}
- char *tmp = calloc(sizeof(char), file_size + 1);
+ char *tmp = calloc(file_size + 1, sizeof(char));
if (!tmp) {
LOG_ERR("oom");
goto out;
@@ -477,7 +477,7 @@ static bool do_stdin(const char *passin, char **pass) {
UNUSED(passin);
- void *buf = calloc(sizeof(BYTE), UINT16_MAX + 1);
+ void *buf = calloc(UINT16_MAX + 1, sizeof(BYTE));
if (!buf) {
LOG_ERR("oom");
return false;
--
2.49.0

63
0004-tpm2_createpolicy-flush-session-for-trial-policy.patch Normal file
View File

@ -0,0 +1,63 @@
From 596dc33f0093735254cd3dd086a8375fbf56fd47 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sat, 12 Oct 2024 12:04:15 +0200
Subject: [PATCH 4/8] tpm2_createpolicy: flush session for trial policy.
The created session is flushed if a trial policy is only used to compute
the policy digest.
Fixes: #3427
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
tools/tpm2_createpolicy.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/tools/tpm2_createpolicy.c b/tools/tpm2_createpolicy.c
index b5686e05..48c039e8 100644
--- a/tools/tpm2_createpolicy.c
+++ b/tools/tpm2_createpolicy.c
@@ -54,6 +54,9 @@ static create_policy_ctx pctx = {
static tool_rc parse_policy_type_specific_command(ESYS_CONTEXT *ectx) {
+ tool_rc rc;
+ TSS2_RC rval;
+
if (!pctx.common_policy_options.policy_type.policy_pcr) {
LOG_ERR("Only PCR policy is currently supported!");
return tool_rc_option_error;
@@ -71,7 +74,7 @@ static tool_rc parse_policy_type_specific_command(ESYS_CONTEXT *ectx) {
tpm2_session **s = &pctx.common_policy_options.policy_session;
- tool_rc rc = tpm2_session_open(ectx, session_data, s);
+ rc = tpm2_session_open(ectx, session_data, s);
if (rc != tool_rc_success) {
return rc;
}
@@ -91,9 +94,19 @@ static tool_rc parse_policy_type_specific_command(ESYS_CONTEXT *ectx) {
return rc;
}
- return tpm2_policy_tool_finish(ectx,
- pctx.common_policy_options.policy_session,
- pctx.common_policy_options.policy_file);
+ rc = tpm2_policy_tool_finish(ectx,
+ pctx.common_policy_options.policy_session,
+ pctx.common_policy_options.policy_file);
+ if (rc != tool_rc_success) {
+ return rc;
+ }
+ if (pctx.common_policy_options.policy_session_type == TPM2_SE_TRIAL) {
+ rval = Esys_FlushContext(ectx, tpm2_session_get_handle(*s));
+ if (rval != TPM2_RC_SUCCESS) {
+ return tool_rc_general_error;
+ }
+ }
+ return rc;
}
static bool on_option(char key, char *value) {
--
2.49.0

275
0005-Support-high-range-NV-indexes-in-getekcert.patch Normal file
View File

@ -0,0 +1,275 @@
From a7468cf7deaf5cf608da32923b5797cdb497cde1 Mon Sep 17 00:00:00 2001
From: "loic.sikidi" <loic.sikidi@s3ns.io>
Date: Mon, 9 Dec 2024 23:47:25 +0100
Subject: [PATCH 5/8] Support high range NV indexes in getekcert
Signed-off-by: loic.sikidi <loic.sikidi@gmail.com>
---
test/integration/tests/getekcertificate.sh | 38 ++++++
tools/tpm2_getekcertificate.c | 141 +++++++++++++++++++--
2 files changed, 168 insertions(+), 11 deletions(-)
diff --git a/test/integration/tests/getekcertificate.sh b/test/integration/tests/getekcertificate.sh
index 96e92cc0..14c32c2d 100644
--- a/test/integration/tests/getekcertificate.sh
+++ b/test/integration/tests/getekcertificate.sh
@@ -80,6 +80,8 @@ diff test_ecc_ek.pem test_ek.pem
# Retrieve EK certificates from NV indices
RSA_EK_CERT_NV_INDEX=0x01C00002
ECC_EK_CERT_NV_INDEX=0x01C0000A
+RSA_3072_EK_CERT_NV_INDEX=0x01C0001C
+ECC_NIST_P384_EK_CERT_NV_INDEX=0x01C00016
define_ek_cert_nv_index() {
file_size=`ls -l $1 | awk {'print $5'}`
@@ -120,4 +122,40 @@ tpm2 getekcertificate -o nv_rsa_ek_cert.der -o nv_ecc_ek_cert.der
diff nv_rsa_ek_cert.der rsa_ek_cert.der
diff nv_ecc_ek_cert.der ecc_ek_cert.der
+rm nv_rsa_ek_cert.der rsa_ek_cert.der nv_ecc_ek_cert.der ecc_ek_cert.der -f
+
+## RSA & ECC self-signed EK certs stored in high range NV indexes
+tpm2 nvundefine -C p $RSA_EK_CERT_NV_INDEX
+tpm2 nvundefine -C p $ECC_EK_CERT_NV_INDEX
+
+create_self_signed_ek_cert(){
+ case "$1" in
+ *rsa_3072)
+ openssl genpkey -algorithm RSA -out priv_key.pem \
+ -pkeyopt rsa_keygen_bits:3072 > /dev/null 2>&1
+ openssl req -new -key priv_key.pem -x509 -days 1 \
+ -subj "/" -outform DER -out $2
+ ;;
+ *ecc_nist_p384)
+ openssl ecparam -name secp384r1 -genkey -out priv_key.pem > /dev/null 2>&1
+ openssl req -new -key priv_key.pem -x509 -days 1 \
+ -subj "/" -outform DER -out $2
+ ;;
+ *) echo "Unsupported key type $1"; return 1;;
+ esac
+}
+
+create_self_signed_ek_cert rsa_3072 rsa_ek_cert.der
+create_self_signed_ek_cert ecc_nist_p384 ecc_ek_cert.der
+
+define_ek_cert_nv_index rsa_ek_cert.der $RSA_3072_EK_CERT_NV_INDEX
+define_ek_cert_nv_index ecc_ek_cert.der $ECC_NIST_P384_EK_CERT_NV_INDEX
+
+tpm2 getekcertificate -o nv_rsa_ek_cert.der -o nv_ecc_ek_cert.der
+
+diff nv_rsa_ek_cert.der rsa_ek_cert.der
+diff nv_ecc_ek_cert.der ecc_ek_cert.der
+
+rm nv_rsa_ek_cert.der rsa_ek_cert.der nv_ecc_ek_cert.der ecc_ek_cert.der priv_key.pem -f
+
exit 0
diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c
index f0d1ca36..3c9bddeb 100644
--- a/tools/tpm2_getekcertificate.c
+++ b/tools/tpm2_getekcertificate.c
@@ -20,6 +20,71 @@
#include "tpm2_nv_util.h"
#include "tpm2_tool.h"
+
+/*
+ * Sourced from TCG Vendor ID Registry v1.06:
+ * https://trustedcomputinggroup.org/resource/vendor-id-registry/
+ *
+ */
+
+typedef enum tpm_manufacturer tpm_manufacturer;
+enum tpm_manufacturer {
+ VENDOR_AMD = 0x414D4400,
+ VENDOR_ATMEL = 0x41544D4C,
+ VENDOR_BROADCOM = 0x4252434D,
+ VENDOR_CISCO = 0x4353434F,
+ VENDOR_FLYSLICE = 0x464C5953,
+ VENDOR_ROCKCHIP = 0x524F4343,
+ VENDOR_GOOGLE = 0x474F4F47,
+ VENDOR_HPE = 0x48504500,
+ VENDOR_HUAWEI = 0x48495349,
+ VENDOR_IBM = 0x49424D00,
+ VENDOR_IBMSIM = 0x49424D20, // Used only by mssim/ibmswtpm2
+ VENDOR_INFINEON = 0x49465800,
+ VENDOR_INTEL = 0x494E5443,
+ VENDOR_LENOVO = 0x4C454E00,
+ VENDOR_MICROSOFT = 0x4D534654,
+ VENDOR_NSM = 0x4E534D20,
+ VENDOR_NATIONZ = 0x4E545A00,
+ VENDOR_NUVOTON = 0x4E544300,
+ VENDOR_QUALCOMM = 0x51434F4D,
+ VENDOR_SAMSUNG = 0x534D534E,
+ VENDOR_SINOSUN = 0x534E5300,
+ VENDOR_SMSC = 0x534D5343,
+ VENDOR_STM = 0x53544D20,
+ VENDOR_TXN = 0x54584E00,
+ VENDOR_WINBOND = 0x57454300,
+};
+
+typedef enum pubkey_enc_mode pubkey_enc_mode;
+enum pubkey_enc_mode {
+ ENC_AUTO = 0,
+ ENC_INTEL = 1,
+ ENC_AMD = 2,
+};
+
+/*
+ * Sourced from TCG PC Client Platform TPM Profile Specification v1.05 rev 14:
+ * https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/
+ *
+ */
+
+typedef enum ek_nv_index ek_nv_index;
+enum ek_nv_index {
+ RSA_EK_CERT_NV_INDEX = 0x01C00002,
+ ECC_EK_CERT_NV_INDEX = 0x01C0000A,
+ RSA_2048_EK_CERT_NV_INDEX = 0x01C00012,
+ RSA_3072_EK_CERT_NV_INDEX = 0x01C0001C,
+ RSA_4096_EK_CERT_NV_INDEX = 0x01C0001E,
+ ECC_NIST_P256_EK_CERT_NV_INDEX = 0x01C00014,
+ ECC_NIST_P384_EK_CERT_NV_INDEX = 0x01C00016,
+ ECC_NIST_P521_EK_CERT_NV_INDEX = 0x01C00018,
+ ECC_SM2_P256_EK_CERT_NV_INDEX = 0x01C0001A,
+};
+
+#define EK_SERVER_INTEL "https://ekop.intel.com/ekcertservice/"
+#define EK_SERVER_AMD "https://ftpm.amd.com/pki/aia/"
+
typedef struct tpm_getekcertificate_ctx tpm_getekcertificate_ctx;
struct tpm_getekcertificate_ctx {
// TPM Device properties
@@ -28,6 +93,8 @@ struct tpm_getekcertificate_ctx {
bool is_intc_cert;
bool is_rsa_ek_cert_nv_location_defined;
bool is_ecc_ek_cert_nv_location_defined;
+ ek_nv_index rsa_ek_cert_nv_location;
+ ek_nv_index ecc_ek_cert_nv_location;
bool is_tpmgeneratedeps;
// Certficate data handling
uint8_t cert_count;
@@ -55,6 +122,46 @@ static tpm_getekcertificate_ctx ctx = {
.cert_count = 0,
};
+
+typedef enum key_type key_type;
+enum key_type {
+ KTYPE_RSA = 0,
+ KTYPE_ECC = 1,
+};
+
+typedef struct ek_index_map ek_index_map;
+struct ek_index_map
+{
+ const char *name;
+ key_type key_type;
+ ek_nv_index index;
+ TPMI_ALG_HASH hash_alg;
+};
+
+static ek_index_map ek_index_maps[] = {
+ {"rsa", KTYPE_RSA, RSA_EK_CERT_NV_INDEX, TPM2_ALG_SHA256},
+ {"rsa2048", KTYPE_RSA, RSA_2048_EK_CERT_NV_INDEX, TPM2_ALG_SHA256},
+ {"rsa3072", KTYPE_RSA, RSA_3072_EK_CERT_NV_INDEX, TPM2_ALG_SHA384},
+ {"rsa4096", KTYPE_RSA, RSA_4096_EK_CERT_NV_INDEX, TPM2_ALG_SHA512},
+ {"ecc", KTYPE_ECC, ECC_EK_CERT_NV_INDEX, TPM2_ALG_SHA256},
+ {"ecc_nist_p256", KTYPE_ECC, ECC_NIST_P256_EK_CERT_NV_INDEX, TPM2_ALG_SHA256},
+ {"ecc_nist_p384", KTYPE_ECC, ECC_NIST_P384_EK_CERT_NV_INDEX, TPM2_ALG_SHA384},
+ {"ecc_nist_p521", KTYPE_ECC, ECC_NIST_P521_EK_CERT_NV_INDEX, TPM2_ALG_SHA512},
+ {"ecc_sm2_p256", KTYPE_ECC, ECC_SM2_P256_EK_CERT_NV_INDEX, TPM2_ALG_SM3_256},
+};
+
+static const ek_index_map *lookup_ek_index_map(const TPMI_RH_NV_INDEX index) {
+ size_t i;
+
+ for (i = 0; i < ARRAY_LEN(ek_index_maps); i++)
+ {
+ if (index == ek_index_maps[i].index) {
+ return &ek_index_maps[i];
+ }
+ }
+ return NULL;
+}
+
static unsigned char *hash_ek_public(void) {
unsigned char *hash = (unsigned char*) malloc(SHA256_DIGEST_LENGTH);
@@ -387,11 +494,20 @@ tool_rc get_tpm_properties(ESYS_CONTEXT *ectx) {
UINT32 i;
for (i = 0; i < capability_data->data.handles.count; i++) {
TPMI_RH_NV_INDEX index = capability_data->data.handles.handle[i];
- if (index == RSA_EK_CERT_NV_INDEX) {
+ const ek_index_map *m = lookup_ek_index_map(index);
+ if (!m) {
+ continue;
+ }
+
+ if (m->key_type == KTYPE_RSA) {
+ LOG_INFO("Found pre-provisioned RSA EK certificate at %u [type=%s]", index, m->name);
ctx.is_rsa_ek_cert_nv_location_defined = true;
+ ctx.rsa_ek_cert_nv_location = m->index;
}
- if (index == ECC_EK_CERT_NV_INDEX) {
+ if (m->key_type == KTYPE_ECC) {
+ LOG_INFO("Found pre-provisioned ECC EK certificate at %u [type=%s]", index, m->name);
ctx.is_ecc_ek_cert_nv_location_defined = true;
+ ctx.ecc_ek_cert_nv_location = m->index;
}
}
@@ -412,12 +528,15 @@ static tool_rc nv_read(ESYS_CONTEXT *ectx, TPMI_RH_NV_INDEX nv_index) {
* with attributes:
* ppwrite|ppread|ownerread|authread|no_da|written|platformcreate
*/
- char index_string[11];
- if (nv_index == RSA_EK_CERT_NV_INDEX) {
- strcpy(index_string, "0x01C00002");
- } else {
- strcpy(index_string, "0x01C0000A");
+ const ek_index_map *m = lookup_ek_index_map(nv_index);
+ if (!m) {
+ LOG_ERR("Unsupported NV INDEX, got \"%u\"", nv_index);
+ return tool_rc_unsupported;
}
+
+ const bool is_rsa = m->key_type == KTYPE_RSA;
+ char index_string[11];
+ snprintf(index_string, sizeof(index_string), "%u", m->index);
tpm2_loaded_object object;
tool_rc tmp_rc = tool_rc_success;
tool_rc rc = tpm2_util_object_load_auth(ectx, index_string, NULL, &object,
@@ -431,11 +550,11 @@ static tool_rc nv_read(ESYS_CONTEXT *ectx, TPMI_RH_NV_INDEX nv_index) {
rc = nv_index == RSA_EK_CERT_NV_INDEX ?
tpm2_util_nv_read(ectx, nv_index, 0, 0, &object, &ctx.rsa_cert_buffer,
- &ctx.rsa_cert_buffer_size, &cp_hash, &rp_hash, TPM2_ALG_SHA256, 0,
+ &ctx.rsa_cert_buffer_size, &cp_hash, &rp_hash, m->hash_alg, 0,
ESYS_TR_NONE, ESYS_TR_NONE) :
tpm2_util_nv_read(ectx, nv_index, 0, 0, &object, &ctx.ecc_cert_buffer,
- &ctx.ecc_cert_buffer_size, &cp_hash, &rp_hash, TPM2_ALG_SHA256, 0,
+ &ctx.ecc_cert_buffer_size, &cp_hash, &rp_hash, m->hash_alg, 0,
ESYS_TR_NONE, ESYS_TR_NONE);
nv_read_out:
@@ -475,14 +594,14 @@ static tool_rc get_nv_ek_certificate(ESYS_CONTEXT *ectx) {
tool_rc rc = tool_rc_success;
if (ctx.is_rsa_ek_cert_nv_location_defined) {
- rc = nv_read(ectx, RSA_EK_CERT_NV_INDEX);
+ rc = nv_read(ectx, ctx.rsa_ek_cert_nv_location);
if (rc != tool_rc_success) {
return rc;
}
}
if (ctx.is_ecc_ek_cert_nv_location_defined) {
- rc = nv_read(ectx, ECC_EK_CERT_NV_INDEX);
+ rc = nv_read(ectx, ctx.ecc_ek_cert_nv_location);
}
return rc;
--
2.49.0

29
0006-tpm2_getrandom-Fix-force-parameter.patch Normal file
View File

@ -0,0 +1,29 @@
From 97960847562fb6350f4b8a8807f169ce37ea2864 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Thu, 16 Jan 2025 11:15:56 +0100
Subject: [PATCH 6/8] tpm2_getrandom: Fix --force parameter
The --force parameter did require an argument but was always set
to true if used. Now no_argument is used in the option table.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
tools/tpm2_getrandom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tpm2_getrandom.c b/tools/tpm2_getrandom.c
index edfc0068..f4b064d9 100644
--- a/tools/tpm2_getrandom.c
+++ b/tools/tpm2_getrandom.c
@@ -323,7 +323,7 @@ static bool tpm2_tool_onstart(tpm2_options **opts) {
const struct option topts[] = {
{ "output", required_argument, NULL, 'o' },
- { "force", required_argument, NULL, 'f' },
+ { "force", no_argument, NULL, 'f' },
{ "hex", no_argument, NULL, 0 },
{ "session", required_argument, NULL, 'S' },
{ "cphash", required_argument, NULL, 1 },
--
2.49.0

30
0007-tpm2_eventlog_yaml.c-Fix-output-of-BlobDescription.patch Normal file
View File

@ -0,0 +1,30 @@
From 8dbb135c14392e61111a4dfcceffe990148b68fd Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sat, 8 Feb 2025 19:59:01 +0100
Subject: [PATCH 7/8] tpm2_eventlog_yaml.c Fix output of BlobDescription.
The last byte of the BlobDescription for an EV_EFI_PLATFORM_FIRMWARE_BLOB2
event was not displayed.
Fixes: #3455.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
lib/tpm2_eventlog_yaml.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
index 59a5d8fc..343fb658 100644
--- a/lib/tpm2_eventlog_yaml.c
+++ b/lib/tpm2_eventlog_yaml.c
@@ -582,7 +582,7 @@ bool yaml_uefi_platfwblob2(UEFI_PLATFORM_FIRMWARE_BLOB2 *data) {
return false;
}
- bytes_to_str (data->BlobDescription, blobdescsize, eventdesc, 2*blobdescsize);
+ bytes_to_str (data->BlobDescription, blobdescsize, eventdesc, 2*blobdescsize + 1);
tpm2_tool_output(" Event:\n"
" BlobDescriptionSize: %d\n"
--
2.49.0

30
0008-tpm2_encode-Fix-setting-emptyAuth-in-generated-pem-f.patch Normal file
View File

@ -0,0 +1,30 @@
From e20f7a0bb6febb61d9f82430e27a4ce4aed64399 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 17 Feb 2025 18:04:49 +0100
Subject: [PATCH 8/8] tpm2_encode: Fix setting emptyAuth in generated pem file.
emptyAuth was set to 1 if an auth value for the input key was
used and to 0 if an auth value was used.
Fixes: #3458
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
tools/misc/tpm2_encodeobject.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
index 80de14f5..74675b06 100644
--- a/tools/misc/tpm2_encodeobject.c
+++ b/tools/misc/tpm2_encodeobject.c
@@ -195,7 +195,7 @@ encode(void)
goto error;
}
- tpk->emptyAuth = ctx.object.needs_auth;
+ tpk->emptyAuth = !ctx.object.needs_auth;
if ((ctx.parent.object.handle >> TPM2_HR_SHIFT) == TPM2_HT_PERSISTENT) {
ASN1_INTEGER_set(tpk->parent, ctx.parent.object.handle);
--
2.49.0

14
tpm2-tools.spec
View File

@ -2,7 +2,7 @@
Name: tpm2-tools
Version: 5.2
Release: 5%{?candidate:.%{candidate}}%{?dist}
Release: 6%{?candidate:.%{candidate}}%{?dist}
Summary: A bunch of TPM testing toolS build upon tpm2-tss
License: BSD
@ -46,6 +46,14 @@ Patch205: 0005-tpm2_checkquote-Fix-check-of-magic-number.patch
Patch206: 0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
# tpm2_eventlog: add support for replay with different StartupLocality
Patch207: %{url}/commit/576a31bcc910da517067b29667f45fbe78e812e0.patch
Patch301: 0001-Fix-handling-of-testResult-in-tpm2_gettestresult.patch
Patch302: 0002-tpm2_evictcontrol.c-Fix-segfault-for-output-of-handl.patch
Patch303: 0003-Fix-calloc-argument-order.patch
Patch304: 0004-tpm2_createpolicy-flush-session-for-trial-policy.patch
Patch305: 0005-Support-high-range-NV-indexes-in-getekcert.patch
Patch306: 0006-tpm2_getrandom-Fix-force-parameter.patch
Patch307: 0007-tpm2_eventlog_yaml.c-Fix-output-of-BlobDescription.patch
Patch308: 0008-tpm2_encode-Fix-setting-emptyAuth-in-generated-pem-f.patch
BuildRequires: git
BuildRequires: make
@ -97,6 +105,10 @@ autoreconf -i
%{_mandir}/man1/tss2_*.1.gz
%changelog
* Wed Apr 24 2025 Štěpán Horáček <shoracek@redhat.com> - 5.2-6
- Backport upstream fixes.
Resolves: RHEL-72772
* Fri Mar 21 2025 Davide Cavalca <dcavalca@centosproject.org> - 5.2-5
- Backport upstream bugfix for tpm2_eventlog
Resolves: RHEL-83453