From 2615e3458d44fc5d1083577604c81ebd72c5ab42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= Date: Wed, 23 Apr 2025 16:53:32 +0200 Subject: [PATCH] Backport upstream fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: RHEL-72772 Signed-off-by: Štěpán Horáček --- ...-of-testResult-in-tpm2_gettestresult.patch | 26 ++ ...l.c-Fix-segfault-for-output-of-handl.patch | 35 +++ 0003-Fix-calloc-argument-order.patch | 35 +++ ...olicy-flush-session-for-trial-policy.patch | 63 ++++ ...t-high-range-NV-indexes-in-getekcert.patch | 275 ++++++++++++++++++ 0006-tpm2_getrandom-Fix-force-parameter.patch | 29 ++ ...yaml.c-Fix-output-of-BlobDescription.patch | 30 ++ ...setting-emptyAuth-in-generated-pem-f.patch | 30 ++ tpm2-tools.spec | 14 +- 9 files changed, 536 insertions(+), 1 deletion(-) create mode 100644 0001-Fix-handling-of-testResult-in-tpm2_gettestresult.patch create mode 100644 0002-tpm2_evictcontrol.c-Fix-segfault-for-output-of-handl.patch create mode 100644 0003-Fix-calloc-argument-order.patch create mode 100644 0004-tpm2_createpolicy-flush-session-for-trial-policy.patch create mode 100644 0005-Support-high-range-NV-indexes-in-getekcert.patch create mode 100644 0006-tpm2_getrandom-Fix-force-parameter.patch create mode 100644 0007-tpm2_eventlog_yaml.c-Fix-output-of-BlobDescription.patch create mode 100644 0008-tpm2_encode-Fix-setting-emptyAuth-in-generated-pem-f.patch diff --git a/0001-Fix-handling-of-testResult-in-tpm2_gettestresult.patch b/0001-Fix-handling-of-testResult-in-tpm2_gettestresult.patch new file mode 100644 index 0000000..e119e8d --- /dev/null +++ b/0001-Fix-handling-of-testResult-in-tpm2_gettestresult.patch 
@@ -0,0 +1,26 @@
+From ff26c05d928519f9ae8442d9fd6458fbebb3c518 Mon Sep 17 00:00:00 2001
+From: "wenxin.leong"
+Date: Wed, 15 May 2024 18:58:21 -0700
+Subject: [PATCH 1/8] Fix handling of testResult in tpm2_gettestresult
+
+Signed-off-by: wenxin.leong
+---
+ tools/tpm2_gettestresult.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/tpm2_gettestresult.c b/tools/tpm2_gettestresult.c
+index 24a5caf6..29f913a3 100644
+--- a/tools/tpm2_gettestresult.c
++++ b/tools/tpm2_gettestresult.c
+@@ -35,8 +35,6 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+ tpm2_tool_output("status: ");
+ print_yaml_indent(1);
+
+- status &= TPM2_RC_TESTING;
+-
+ switch (status) {
+ case TPM2_RC_SUCCESS:
+ tpm2_tool_output("success");
+--
+2.49.0
+
diff --git a/0002-tpm2_evictcontrol.c-Fix-segfault-for-output-of-handl.patch b/0002-tpm2_evictcontrol.c-Fix-segfault-for-output-of-handl.patch
new file mode 100644
index 0000000..98ca9b6
--- /dev/null
+++ b/0002-tpm2_evictcontrol.c-Fix-segfault-for-output-of-handl.patch
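Review bot: The deletion leaves no record of why the mask was wrong, and the `switch` now sees the raw `testResult`, so a comment above `switch (status)` would stop the next reader from re-adding it: `/* testResult is a plain TPM2_RC value (SUCCESS, TESTING, FAILURE or a vendor code), not a bit mask; compare it whole. */`. With `&= TPM2_RC_TESTING` gone, a vendor-specific failure code reported by the TPM now lands in whatever `default:` branch follows the visible cases, which is outside the hunk; that branch should print the raw value (e.g. `LOG_WARN("unexpected testResult 0x%X", status)`) rather than a generic string so a failing self-test is diagnosable. tpm2_tool_onrun starts and ends outside the hunk.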
@@ -0,0 +1,35 @@ +From 2be6ae25b564a7cf1c50404cd293e452c5a8f4a5 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Thu, 23 May 2024 11:40:14 +0200 +Subject: [PATCH 2/8] tpm2_evictcontrol.c: Fix segfault for output of handle + ESYS_TR_NONE + +If the -o parameter was used when a persistent handle should be +evicted a segfault did occur. +Now the object is evicted an a warning is displayed. + +Signed-off-by: Juergen Repp +--- + tools/tpm2_evictcontrol.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/tpm2_evictcontrol.c b/tools/tpm2_evictcontrol.c +index 8199be39..3fd7ee03 100644 +--- a/tools/tpm2_evictcontrol.c ++++ b/tools/tpm2_evictcontrol.c +@@ -190,7 +190,11 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { + tpm2_tool_output("action: %s\n", evicted ? "evicted" : "persisted"); + tool_rc tmp_rc = tool_rc_success; + if (ctx.output_arg) { +- tmp_rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg); ++ if (out_tr == ESYS_TR_NONE) { ++ LOG_WARN("The parameter --output can't be used if a persistent object will be evicted"); ++ } else { ++ tmp_rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg); ++ } + } + + if (!evicted) { +-- +2.49.0 + diff --git a/0003-Fix-calloc-argument-order.patch b/0003-Fix-calloc-argument-order.patch new file mode 100644 index 0000000..c5f3862 --- /dev/null +++ b/0003-Fix-calloc-argument-order.patch 
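Review bot: The new branch only warns when `--output` is combined with an eviction, so the tool still returns `tool_rc_success` although the file the caller asked for was never written; a script that checks the exit status and then opens the file fails one step later with no hint. Whether the command is an eviction is presumably known from the input handle before `Esys_EvictControl` is issued, so the cleaner fix is to reject the combination during option validation, before TPM state is changed; if the post-command warning is kept, at least set `tmp_rc = tool_rc_option_error;` next to the `LOG_WARN` so the mismatch is visible in the exit code. The `LOG_WARN` line also runs well past the file's 80-column style. tpm2_tool_onrun begins and ends outside the hunk.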
@@ -0,0 +1,35 @@
+From a9ef4c986984cce821260f46d44d31fd88591c36 Mon Sep 17 00:00:00 2001
+From: dzil123 <5725958+dzil123@users.noreply.github.com>
+Date: Tue, 4 Jun 2024 22:33:02 -0700
+Subject: [PATCH 3/8] Fix calloc argument order
+
+Signed-off-by: dzil123 <5725958+dzil123@users.noreply.github.com>
+---
+ lib/tpm2_openssl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c
+index ad43c8e1..79e80a5e 100644
+--- a/lib/tpm2_openssl.c
++++ b/lib/tpm2_openssl.c
+@@ -422,7 +422,7 @@ static bool do_open_file(FILE *f, const char *path, char **pass) {
+ goto out;
+ }
+
+- char *tmp = calloc(sizeof(char), file_size + 1);
++ char *tmp = calloc(file_size + 1, sizeof(char));
+ if (!tmp) {
+ LOG_ERR("oom");
+ goto out;
+@@ -477,7 +477,7 @@ static bool do_stdin(const char *passin, char **pass) {
+
+ UNUSED(passin);
+
+- void *buf = calloc(sizeof(BYTE), UINT16_MAX + 1);
++ void *buf = calloc(UINT16_MAX + 1, sizeof(BYTE));
+ if (!buf) {
+ LOG_ERR("oom");
+ return false;
+--
+2.49.0
+
diff --git a/0004-tpm2_createpolicy-flush-session-for-trial-policy.patch b/0004-tpm2_createpolicy-flush-session-for-trial-policy.patch
new file mode 100644
index 0000000..adba763
--- /dev/null
+++ b/0004-tpm2_createpolicy-flush-session-for-trial-policy.patch
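Review bot: Swapping the two `calloc` arguments does not change the allocation (the product is the same), so this silences a compiler diagnostic rather than fixing behaviour, and the commit message should say so; a one-word note such as `/* nmemb, size order: keeps -Wcalloc-transposed-args quiet */` is optional. What a reviewer still wants to see around these lines, outside the hunk, is the lifetime of `tmp` and `buf`: both receive a passphrase (the `char **pass` output of `do_open_file` and `do_stdin`), so they should be wiped with `OPENSSL_cleanse` or `explicit_bzero` before `free`, and `file_size + 1` should be range-checked before the call if `file_size` originates from `ftell`. Both functions begin and end outside the hunk.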
@@ -0,0 +1,63 @@ +From 596dc33f0093735254cd3dd086a8375fbf56fd47 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Sat, 12 Oct 2024 12:04:15 +0200 +Subject: [PATCH 4/8] tpm2_createpolicy: flush session for trial policy. + +The created session is flushed if a trial policy is only used to compute +the policy digest. +Fixes: #3427 + +Signed-off-by: Juergen Repp +--- + tools/tpm2_createpolicy.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/tools/tpm2_createpolicy.c b/tools/tpm2_createpolicy.c +index b5686e05..48c039e8 100644 +--- a/tools/tpm2_createpolicy.c ++++ b/tools/tpm2_createpolicy.c +@@ -54,6 +54,9 @@ static create_policy_ctx pctx = { + + static tool_rc parse_policy_type_specific_command(ESYS_CONTEXT *ectx) { + ++ tool_rc rc; ++ TSS2_RC rval; ++ + if (!pctx.common_policy_options.policy_type.policy_pcr) { + LOG_ERR("Only PCR policy is currently supported!"); + return tool_rc_option_error; +@@ -71,7 +74,7 @@ static tool_rc parse_policy_type_specific_command(ESYS_CONTEXT *ectx) { + + tpm2_session **s = &pctx.common_policy_options.policy_session; + +- tool_rc rc = tpm2_session_open(ectx, session_data, s); ++ rc = tpm2_session_open(ectx, session_data, s); + if (rc != tool_rc_success) { + return rc; + } +@@ -91,9 +94,19 @@ static tool_rc parse_policy_type_specific_command(ESYS_CONTEXT *ectx) { + return rc; + } + +- return tpm2_policy_tool_finish(ectx, +- pctx.common_policy_options.policy_session, +- pctx.common_policy_options.policy_file); ++ rc = tpm2_policy_tool_finish(ectx, ++ pctx.common_policy_options.policy_session, ++ pctx.common_policy_options.policy_file); ++ if (rc != tool_rc_success) { ++ return rc; ++ } ++ if (pctx.common_policy_options.policy_session_type == TPM2_SE_TRIAL) { ++ rval = Esys_FlushContext(ectx, tpm2_session_get_handle(*s)); ++ if (rval != TPM2_RC_SUCCESS) { ++ return tool_rc_general_error; ++ } ++ } ++ return rc; + } + + static bool on_option(char key, char *value) { +-- +2.49.0 + 
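Review bot: The new flush path drops the `Esys_FlushContext` failure without logging it and, more importantly, leaves `*s` pointing at a session object whose TPM handle has just been flushed; if the tool's teardown later closes or saves that session (the usual `tpm2_session_close` in `tpm2_tool_onstop`, not visible here), it will act on a stale handle and report a spurious error or a double flush. Prefer the session wrapper so its bookkeeping stays consistent, e.g. `rc = tpm2_session_close(s);` if that helper flushes and frees a non-saved session as its name suggests, and if the raw call is kept, log it with `LOG_PERR(Esys_FlushContext, rval);` before returning `tool_rc_general_error`. `rval` is now declared at function scope for a single branch; declaring it inside the `if` keeps it next to its only use. parse_policy_type_specific_command's middle lies outside the hunks.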
diff --git a/0005-Support-high-range-NV-indexes-in-getekcert.patch b/0005-Support-high-range-NV-indexes-in-getekcert.patch new file mode 100644 index 0000000..4892a16 --- /dev/null +++ b/0005-Support-high-range-NV-indexes-in-getekcert.patch 
@@ -0,0 +1,275 @@ +From a7468cf7deaf5cf608da32923b5797cdb497cde1 Mon Sep 17 00:00:00 2001 +From: "loic.sikidi" +Date: Mon, 9 Dec 2024 23:47:25 +0100 +Subject: [PATCH 5/8] Support high range NV indexes in getekcert + +Signed-off-by: loic.sikidi +--- + test/integration/tests/getekcertificate.sh | 38 ++++++ + tools/tpm2_getekcertificate.c | 141 +++++++++++++++++++-- + 2 files changed, 168 insertions(+), 11 deletions(-) + +diff --git a/test/integration/tests/getekcertificate.sh b/test/integration/tests/getekcertificate.sh +index 96e92cc0..14c32c2d 100644 +--- a/test/integration/tests/getekcertificate.sh ++++ b/test/integration/tests/getekcertificate.sh +@@ -80,6 +80,8 @@ diff test_ecc_ek.pem test_ek.pem + # Retrieve EK certificates from NV indices + RSA_EK_CERT_NV_INDEX=0x01C00002 + ECC_EK_CERT_NV_INDEX=0x01C0000A ++RSA_3072_EK_CERT_NV_INDEX=0x01C0001C ++ECC_NIST_P384_EK_CERT_NV_INDEX=0x01C00016 + + define_ek_cert_nv_index() { + file_size=`ls -l $1 | awk {'print $5'}` +@@ -120,4 +122,40 @@ tpm2 getekcertificate -o nv_rsa_ek_cert.der -o nv_ecc_ek_cert.der + diff nv_rsa_ek_cert.der rsa_ek_cert.der + diff nv_ecc_ek_cert.der ecc_ek_cert.der + ++rm nv_rsa_ek_cert.der rsa_ek_cert.der nv_ecc_ek_cert.der ecc_ek_cert.der -f ++ ++## RSA & ECC self-signed EK certs stored in high range NV indexes ++tpm2 nvundefine -C p $RSA_EK_CERT_NV_INDEX ++tpm2 nvundefine -C p $ECC_EK_CERT_NV_INDEX ++ ++create_self_signed_ek_cert(){ ++ case "$1" in ++ *rsa_3072) ++ openssl genpkey -algorithm RSA -out priv_key.pem \ ++ -pkeyopt rsa_keygen_bits:3072 > /dev/null 2>&1 ++ openssl req -new -key priv_key.pem -x509 -days 1 \ ++ -subj "/" -outform DER -out $2 ++ ;; ++ *ecc_nist_p384) ++ openssl ecparam -name secp384r1 -genkey -out priv_key.pem > /dev/null 2>&1 ++ openssl req -new -key priv_key.pem -x509 -days 1 \ ++ -subj "/" -outform DER -out $2 ++ ;; ++ *) echo "Unsupported key type $1"; return 1;; ++ esac ++} ++ ++create_self_signed_ek_cert rsa_3072 rsa_ek_cert.der ++create_self_signed_ek_cert 
ecc_nist_p384 ecc_ek_cert.der ++ ++define_ek_cert_nv_index rsa_ek_cert.der $RSA_3072_EK_CERT_NV_INDEX ++define_ek_cert_nv_index ecc_ek_cert.der $ECC_NIST_P384_EK_CERT_NV_INDEX ++ ++tpm2 getekcertificate -o nv_rsa_ek_cert.der -o nv_ecc_ek_cert.der ++ ++diff nv_rsa_ek_cert.der rsa_ek_cert.der ++diff nv_ecc_ek_cert.der ecc_ek_cert.der ++ ++rm nv_rsa_ek_cert.der rsa_ek_cert.der nv_ecc_ek_cert.der ecc_ek_cert.der priv_key.pem -f ++ + exit 0 +diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c +index f0d1ca36..3c9bddeb 100644 +--- a/tools/tpm2_getekcertificate.c ++++ b/tools/tpm2_getekcertificate.c +@@ -20,6 +20,71 @@ + #include "tpm2_nv_util.h" + #include "tpm2_tool.h" + ++ ++/* ++ * Sourced from TCG Vendor ID Registry v1.06: ++ * https://trustedcomputinggroup.org/resource/vendor-id-registry/ ++ * ++ */ ++ ++typedef enum tpm_manufacturer tpm_manufacturer; ++enum tpm_manufacturer { ++ VENDOR_AMD = 0x414D4400, ++ VENDOR_ATMEL = 0x41544D4C, ++ VENDOR_BROADCOM = 0x4252434D, ++ VENDOR_CISCO = 0x4353434F, ++ VENDOR_FLYSLICE = 0x464C5953, ++ VENDOR_ROCKCHIP = 0x524F4343, ++ VENDOR_GOOGLE = 0x474F4F47, ++ VENDOR_HPE = 0x48504500, ++ VENDOR_HUAWEI = 0x48495349, ++ VENDOR_IBM = 0x49424D00, ++ VENDOR_IBMSIM = 0x49424D20, // Used only by mssim/ibmswtpm2 ++ VENDOR_INFINEON = 0x49465800, ++ VENDOR_INTEL = 0x494E5443, ++ VENDOR_LENOVO = 0x4C454E00, ++ VENDOR_MICROSOFT = 0x4D534654, ++ VENDOR_NSM = 0x4E534D20, ++ VENDOR_NATIONZ = 0x4E545A00, ++ VENDOR_NUVOTON = 0x4E544300, ++ VENDOR_QUALCOMM = 0x51434F4D, ++ VENDOR_SAMSUNG = 0x534D534E, ++ VENDOR_SINOSUN = 0x534E5300, ++ VENDOR_SMSC = 0x534D5343, ++ VENDOR_STM = 0x53544D20, ++ VENDOR_TXN = 0x54584E00, ++ VENDOR_WINBOND = 0x57454300, ++}; ++ ++typedef enum pubkey_enc_mode pubkey_enc_mode; ++enum pubkey_enc_mode { ++ ENC_AUTO = 0, ++ ENC_INTEL = 1, ++ ENC_AMD = 2, ++}; ++ ++/* ++ * Sourced from TCG PC Client Platform TPM Profile Specification v1.05 rev 14: ++ * 
https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/ ++ * ++ */ ++ ++typedef enum ek_nv_index ek_nv_index; ++enum ek_nv_index { ++ RSA_EK_CERT_NV_INDEX = 0x01C00002, ++ ECC_EK_CERT_NV_INDEX = 0x01C0000A, ++ RSA_2048_EK_CERT_NV_INDEX = 0x01C00012, ++ RSA_3072_EK_CERT_NV_INDEX = 0x01C0001C, ++ RSA_4096_EK_CERT_NV_INDEX = 0x01C0001E, ++ ECC_NIST_P256_EK_CERT_NV_INDEX = 0x01C00014, ++ ECC_NIST_P384_EK_CERT_NV_INDEX = 0x01C00016, ++ ECC_NIST_P521_EK_CERT_NV_INDEX = 0x01C00018, ++ ECC_SM2_P256_EK_CERT_NV_INDEX = 0x01C0001A, ++}; ++ ++#define EK_SERVER_INTEL "https://ekop.intel.com/ekcertservice/" ++#define EK_SERVER_AMD "https://ftpm.amd.com/pki/aia/" ++ + typedef struct tpm_getekcertificate_ctx tpm_getekcertificate_ctx; + struct tpm_getekcertificate_ctx { + // TPM Device properties +@@ -28,6 +93,8 @@ struct tpm_getekcertificate_ctx { + bool is_intc_cert; + bool is_rsa_ek_cert_nv_location_defined; + bool is_ecc_ek_cert_nv_location_defined; ++ ek_nv_index rsa_ek_cert_nv_location; ++ ek_nv_index ecc_ek_cert_nv_location; + bool is_tpmgeneratedeps; + // Certficate data handling + uint8_t cert_count; +@@ -55,6 +122,46 @@ static tpm_getekcertificate_ctx ctx = { + .cert_count = 0, + }; + ++ ++typedef enum key_type key_type; ++enum key_type { ++ KTYPE_RSA = 0, ++ KTYPE_ECC = 1, ++}; ++ ++typedef struct ek_index_map ek_index_map; ++struct ek_index_map ++{ ++ const char *name; ++ key_type key_type; ++ ek_nv_index index; ++ TPMI_ALG_HASH hash_alg; ++}; ++ ++static ek_index_map ek_index_maps[] = { ++ {"rsa", KTYPE_RSA, RSA_EK_CERT_NV_INDEX, TPM2_ALG_SHA256}, ++ {"rsa2048", KTYPE_RSA, RSA_2048_EK_CERT_NV_INDEX, TPM2_ALG_SHA256}, ++ {"rsa3072", KTYPE_RSA, RSA_3072_EK_CERT_NV_INDEX, TPM2_ALG_SHA384}, ++ {"rsa4096", KTYPE_RSA, RSA_4096_EK_CERT_NV_INDEX, TPM2_ALG_SHA512}, ++ {"ecc", KTYPE_ECC, ECC_EK_CERT_NV_INDEX, TPM2_ALG_SHA256}, ++ {"ecc_nist_p256", KTYPE_ECC, ECC_NIST_P256_EK_CERT_NV_INDEX, TPM2_ALG_SHA256}, ++ {"ecc_nist_p384", KTYPE_ECC, 
ECC_NIST_P384_EK_CERT_NV_INDEX, TPM2_ALG_SHA384}, ++ {"ecc_nist_p521", KTYPE_ECC, ECC_NIST_P521_EK_CERT_NV_INDEX, TPM2_ALG_SHA512}, ++ {"ecc_sm2_p256", KTYPE_ECC, ECC_SM2_P256_EK_CERT_NV_INDEX, TPM2_ALG_SM3_256}, ++}; ++ ++static const ek_index_map *lookup_ek_index_map(const TPMI_RH_NV_INDEX index) { ++ size_t i; ++ ++ for (i = 0; i < ARRAY_LEN(ek_index_maps); i++) ++ { ++ if (index == ek_index_maps[i].index) { ++ return &ek_index_maps[i]; ++ } ++ } ++ return NULL; ++} ++ + static unsigned char *hash_ek_public(void) { + + unsigned char *hash = (unsigned char*) malloc(SHA256_DIGEST_LENGTH); +@@ -387,11 +494,20 @@ tool_rc get_tpm_properties(ESYS_CONTEXT *ectx) { + UINT32 i; + for (i = 0; i < capability_data->data.handles.count; i++) { + TPMI_RH_NV_INDEX index = capability_data->data.handles.handle[i]; +- if (index == RSA_EK_CERT_NV_INDEX) { ++ const ek_index_map *m = lookup_ek_index_map(index); ++ if (!m) { ++ continue; ++ } ++ ++ if (m->key_type == KTYPE_RSA) { ++ LOG_INFO("Found pre-provisioned RSA EK certificate at %u [type=%s]", index, m->name); + ctx.is_rsa_ek_cert_nv_location_defined = true; ++ ctx.rsa_ek_cert_nv_location = m->index; + } +- if (index == ECC_EK_CERT_NV_INDEX) { ++ if (m->key_type == KTYPE_ECC) { ++ LOG_INFO("Found pre-provisioned ECC EK certificate at %u [type=%s]", index, m->name); + ctx.is_ecc_ek_cert_nv_location_defined = true; ++ ctx.ecc_ek_cert_nv_location = m->index; + } + } + +@@ -412,12 +528,15 @@ static tool_rc nv_read(ESYS_CONTEXT *ectx, TPMI_RH_NV_INDEX nv_index) { + * with attributes: + * ppwrite|ppread|ownerread|authread|no_da|written|platformcreate + */ +- char index_string[11]; +- if (nv_index == RSA_EK_CERT_NV_INDEX) { +- strcpy(index_string, "0x01C00002"); +- } else { +- strcpy(index_string, "0x01C0000A"); ++ const ek_index_map *m = lookup_ek_index_map(nv_index); ++ if (!m) { ++ LOG_ERR("Unsupported NV INDEX, got \"%u\"", nv_index); ++ return tool_rc_unsupported; + } ++ ++ const bool is_rsa = m->key_type == KTYPE_RSA; ++ char 
index_string[11]; ++ snprintf(index_string, sizeof(index_string), "%u", m->index); + tpm2_loaded_object object; + tool_rc tmp_rc = tool_rc_success; + tool_rc rc = tpm2_util_object_load_auth(ectx, index_string, NULL, &object, +@@ -431,11 +550,11 @@ static tool_rc nv_read(ESYS_CONTEXT *ectx, TPMI_RH_NV_INDEX nv_index) { + rc = nv_index == RSA_EK_CERT_NV_INDEX ? + + tpm2_util_nv_read(ectx, nv_index, 0, 0, &object, &ctx.rsa_cert_buffer, +- &ctx.rsa_cert_buffer_size, &cp_hash, &rp_hash, TPM2_ALG_SHA256, 0, ++ &ctx.rsa_cert_buffer_size, &cp_hash, &rp_hash, m->hash_alg, 0, + ESYS_TR_NONE, ESYS_TR_NONE) : + + tpm2_util_nv_read(ectx, nv_index, 0, 0, &object, &ctx.ecc_cert_buffer, +- &ctx.ecc_cert_buffer_size, &cp_hash, &rp_hash, TPM2_ALG_SHA256, 0, ++ &ctx.ecc_cert_buffer_size, &cp_hash, &rp_hash, m->hash_alg, 0, + ESYS_TR_NONE, ESYS_TR_NONE); + + nv_read_out: +@@ -475,14 +594,14 @@ static tool_rc get_nv_ek_certificate(ESYS_CONTEXT *ectx) { + + tool_rc rc = tool_rc_success; + if (ctx.is_rsa_ek_cert_nv_location_defined) { +- rc = nv_read(ectx, RSA_EK_CERT_NV_INDEX); ++ rc = nv_read(ectx, ctx.rsa_ek_cert_nv_location); + if (rc != tool_rc_success) { + return rc; + } + } + + if (ctx.is_ecc_ek_cert_nv_location_defined) { +- rc = nv_read(ectx, ECC_EK_CERT_NV_INDEX); ++ rc = nv_read(ectx, ctx.ecc_ek_cert_nv_location); + } + + return rc; +-- +2.49.0 + diff --git a/0006-tpm2_getrandom-Fix-force-parameter.patch b/0006-tpm2_getrandom-Fix-force-parameter.patch new file mode 100644 index 0000000..342965a --- /dev/null +++ b/0006-tpm2_getrandom-Fix-force-parameter.patch 
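Review bot: In `nv_read` the selector between `ctx.rsa_cert_buffer` and `ctx.ecc_cert_buffer` is still the unchanged context line `rc = nv_index == RSA_EK_CERT_NV_INDEX ?`, so every RSA certificate in the new high range (0x01C00012, 0x01C0001C, 0x01C0001E) is read into the ECC buffer, and the freshly added `const bool is_rsa` is never used (which will also trip `-Wunused-variable`); the ternary must become `rc = is_rsa ?` for the new indexes to work, unless a hunk not shown here already does that. Separately, `get_tpm_properties` overwrites `ctx.rsa_ek_cert_nv_location` / `ctx.ecc_ek_cert_nv_location` on every match, so on a TPM that holds both a low-range and a high-range certificate of the same key type the winner depends on handle enumeration order; because this is the certificate a verifier anchors trust on, either keep every match or at least `LOG_WARN` when more than one is found. The test avoids that case by running `tpm2 nvundefine` on the low-range indexes first, so it would not catch either problem. The new `LOG_INFO`/`LOG_ERR` lines print the index with `%u`; `0x%X` matches how NV indexes are written elsewhere in this file. nv_read begins and ends outside the hunks.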
@@ -0,0 +1,29 @@
+From 97960847562fb6350f4b8a8807f169ce37ea2864 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Thu, 16 Jan 2025 11:15:56 +0100
+Subject: [PATCH 6/8] tpm2_getrandom: Fix --force parameter
+
+The --force parameter did require an argument but was always set
+to true if used. Now no_argument is used in the option table.
+
+Signed-off-by: Juergen Repp
+---
+ tools/tpm2_getrandom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_getrandom.c b/tools/tpm2_getrandom.c
+index edfc0068..f4b064d9 100644
+--- a/tools/tpm2_getrandom.c
++++ b/tools/tpm2_getrandom.c
+@@ -323,7 +323,7 @@ static bool tpm2_tool_onstart(tpm2_options **opts) {
+
+ const struct option topts[] = {
+ { "output", required_argument, NULL, 'o' },
+- { "force", required_argument, NULL, 'f' },
++ { "force", no_argument, NULL, 'f' },
+ { "hex", no_argument, NULL, 0 },
+ { "session", required_argument, NULL, 'S' },
+ { "cphash", required_argument, NULL, 1 },
+--
+2.49.0
+
diff --git a/0007-tpm2_eventlog_yaml.c-Fix-output-of-BlobDescription.patch b/0007-tpm2_eventlog_yaml.c-Fix-output-of-BlobDescription.patch
new file mode 100644
index 0000000..e77f22c
--- /dev/null
+++ b/0007-tpm2_eventlog_yaml.c-Fix-output-of-BlobDescription.patch
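Review bot: Switching the long-option entry to `no_argument` fixes `--force`, but the short form `-f` is governed by the getopt string passed to `tpm2_options_new` a few lines below, outside the hunk; if that string still contains `f:`, getopt will keep swallowing whatever follows `-f` (often the output path) as its argument. Please confirm it reads `"o:fS:..."` rather than `"o:f:S:..."`, and add an integration test along the lines of `tpm2_getrandom -f -o out 8` so the two tables cannot drift apart again. tpm2_tool_onstart continues past the hunk.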
@@ -0,0 +1,30 @@
+From 8dbb135c14392e61111a4dfcceffe990148b68fd Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Sat, 8 Feb 2025 19:59:01 +0100
+Subject: [PATCH 7/8] tpm2_eventlog_yaml.c Fix output of BlobDescription.
+
+The last byte of the BlobDescription for an EV_EFI_PLATFORM_FIRMWARE_BLOB2
+event was not displayed.
+Fixes: #3455.
+
+Signed-off-by: Juergen Repp
+---
+ lib/tpm2_eventlog_yaml.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
+index 59a5d8fc..343fb658 100644
+--- a/lib/tpm2_eventlog_yaml.c
++++ b/lib/tpm2_eventlog_yaml.c
+@@ -582,7 +582,7 @@ bool yaml_uefi_platfwblob2(UEFI_PLATFORM_FIRMWARE_BLOB2 *data) {
+ return false;
+ }
+
+- bytes_to_str (data->BlobDescription, blobdescsize, eventdesc, 2*blobdescsize);
++ bytes_to_str (data->BlobDescription, blobdescsize, eventdesc, 2*blobdescsize + 1);
+
+ tpm2_tool_output(" Event:\n"
+ " BlobDescriptionSize: %d\n"
+--
+2.49.0
+
diff --git a/0008-tpm2_encode-Fix-setting-emptyAuth-in-generated-pem-f.patch b/0008-tpm2_encode-Fix-setting-emptyAuth-in-generated-pem-f.patch
new file mode 100644
index 0000000..28e1528
--- /dev/null
+++ b/0008-tpm2_encode-Fix-setting-emptyAuth-in-generated-pem-f.patch
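Review bot: Passing `2*blobdescsize + 1` lets `bytes_to_str` place the terminating NUL one byte further than before, which is only correct if `eventdesc` was allocated with `2*blobdescsize + 1` bytes; that allocation (and the `return false` on its failure) sits just above the hunk and should be checked in the same commit, otherwise the fix turns a truncated string into a one-byte heap overflow. `blobdescsize` is taken from the event log, which is attacker-influenced input, so `BlobDescriptionSize` should also be bounded by the event's remaining length before the allocation and this call, presumably done earlier in `yaml_uefi_platfwblob2`. A comment such as `/* +1: bytes_to_str needs room for the NUL terminator */` would record why the size differs from the allocation. yaml_uefi_platfwblob2 begins and ends outside the hunk.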
@@ -0,0 +1,30 @@
+From e20f7a0bb6febb61d9f82430e27a4ce4aed64399 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Mon, 17 Feb 2025 18:04:49 +0100
+Subject: [PATCH 8/8] tpm2_encode: Fix setting emptyAuth in generated pem file.
+
+emptyAuth was set to 1 if an auth value for the input key was
+used and to 0 if an auth value was used.
+Fixes: #3458
+
+Signed-off-by: Juergen Repp
+---
+ tools/misc/tpm2_encodeobject.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
+index 80de14f5..74675b06 100644
+--- a/tools/misc/tpm2_encodeobject.c
++++ b/tools/misc/tpm2_encodeobject.c
+@@ -195,7 +195,7 @@ encode(void)
+ goto error;
+ }
+
+- tpk->emptyAuth = ctx.object.needs_auth;
++ tpk->emptyAuth = !ctx.object.needs_auth;
+
+ if ((ctx.parent.object.handle >> TPM2_HR_SHIFT) == TPM2_HT_PERSISTENT) {
+ ASN1_INTEGER_set(tpk->parent, ctx.parent.object.handle);
+--
+2.49.0
+
diff --git a/tpm2-tools.spec b/tpm2-tools.spec
index 414add3..a01804c 100644
--- a/tpm2-tools.spec
+++ b/tpm2-tools.spec
@@ -2,7 +2,7 @@ Name: tpm2-tools
 Version: 5.2
-Release: 5%{?candidate:.%{candidate}}%{?dist}
+Release: 6%{?candidate:.%{candidate}}%{?dist}
 Summary: A bunch of TPM testing toolS build upon tpm2-tss
 License: BSD
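Review bot: The inversion is right only if `ctx.object.needs_auth` means "an auth value was supplied for this key", which the hunk does not show; a comment at the assignment would pin that contract, e.g. `/* TPMKey.emptyAuth is TRUE when the key has no authValue, i.e. no auth was given for it */`. If `needs_auth` is set merely because `-p` was passed, a key created with an explicitly empty password (`-p ""`) would still be encoded with `emptyAuth = 0`, so how the flag is derived is worth checking. The commit message states the same condition for both outcomes ("if an auth value ... was used" twice) and should spell out the intended mapping. encode() begins and ends outside the hunk.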
@@ -46,6 +46,14 @@ Patch205: 0005-tpm2_checkquote-Fix-check-of-magic-number.patch
 Patch206: 0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
 # tpm2_eventlog: add support for replay with different StartupLocality
 Patch207: %{url}/commit/576a31bcc910da517067b29667f45fbe78e812e0.patch
+Patch301: 0001-Fix-handling-of-testResult-in-tpm2_gettestresult.patch
+Patch302: 0002-tpm2_evictcontrol.c-Fix-segfault-for-output-of-handl.patch
+Patch303: 0003-Fix-calloc-argument-order.patch
+Patch304: 0004-tpm2_createpolicy-flush-session-for-trial-policy.patch
+Patch305: 0005-Support-high-range-NV-indexes-in-getekcert.patch
+Patch306: 0006-tpm2_getrandom-Fix-force-parameter.patch
+Patch307: 0007-tpm2_eventlog_yaml.c-Fix-output-of-BlobDescription.patch
+Patch308: 0008-tpm2_encode-Fix-setting-emptyAuth-in-generated-pem-f.patch
 
 BuildRequires: git
 BuildRequires: make
@@ -97,6 +105,10 @@ autoreconf -i
 %{_mandir}/man1/tss2_*.1.gz
 
 %changelog
+* Wed Apr 24 2025 Štěpán Horáček - 5.2-6
+- Backport upstream fixes.
+ Resolves: RHEL-72772
+
 * Fri Mar 21 2025 Davide Cavalca - 5.2-5
 - Backport upstream bugfix for tpm2_eventlog
 Resolves: RHEL-83453
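Review bot: The new `%changelog` entry is dated `Wed Apr 24 2025`, but 24 April 2025 is a Thursday (the commit itself is dated Wed, 23 Apr 2025), so rpmbuild will warn "bogus date in %changelog" and rpminspect/rpmlint will flag the package; change it to `* Wed Apr 23 2025 Štěpán Horáček - 5.2-6` (or Thu Apr 24, whichever is meant). The `Patch301`–`Patch308` declarations rely on the patches being applied by an `%autosetup`/`%autopatch` in `%prep`, which is outside the hunk; worth confirming, because a spec that applies `%patch2xx` by number would silently skip the new series.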