diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..65ccee6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/tpm2-tools-4.1.1.tar.gz diff --git a/0001-Fix-ESYS_TR-hierarchy-transition.patch b/0001-Fix-ESYS_TR-hierarchy-transition.patch new file mode 100644 index 0000000..ff6b2cb --- /dev/null +++ b/0001-Fix-ESYS_TR-hierarchy-transition.patch @@ -0,0 +1,80 @@ +From e607f78a054acfdbe119499c3608bdb2a44423d9 Mon Sep 17 00:00:00 2001 +From: Andreas Fuchs +Date: Thu, 7 May 2020 11:51:17 +0200 +Subject: [PATCH] Fix ESYS_TR hierarchy transition + +Fix those cases of TPM2_RH_ to ESYS_TR_RH_ translations that were missed in +780800c0be69a49b9097f8eae653cdb0623d2100 + +Signed-off-by: Andreas Fuchs +--- + lib/tpm2.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/lib/tpm2.c b/lib/tpm2.c +index e7ff77047bef..909a4422339d 100644 +--- a/lib/tpm2.c ++++ b/lib/tpm2.c +@@ -656,6 +656,12 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy) + { + #if defined(ESYS_3_0) + switch (hierarchy) { ++ case ESYS_TR_RH_NULL: ++ case ESYS_TR_RH_OWNER: ++ case ESYS_TR_RH_ENDORSEMENT: ++ case ESYS_TR_RH_PLATFORM: ++ case ESYS_TR_RH_PLATFORM_NV: ++ return hierarchy; + case TPM2_RH_NULL: + return ESYS_TR_RH_NULL; + case TPM2_RH_OWNER: +@@ -664,14 +670,16 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy) + return ESYS_TR_RH_ENDORSEMENT; + case TPM2_RH_PLATFORM: + return ESYS_TR_RH_PLATFORM; ++ case TPM2_RH_PLATFORM_NV: ++ return ESYS_TR_RH_PLATFORM_NV; + default: +- return TSS2_ESYS_RC_BAD_VALUE; ++ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy); ++ return 0xffffffff; + } + #elif defined(ESYS_2_3) + return hierarchy; + #else +- UNUSED(hierarchy); +- return TSS2_ESYS_RC_BAD_VALUE; ++#error "Need to define either ESYS_3_0 or ESYS_2_3" + #endif + } + +@@ -1154,7 +1162,7 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context, + } + + TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle, +- shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state); ++ shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state); + if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) { + LOG_PERR(Esys_HierarchyControl, rval); + return tool_rc_from_tpm(rval); +@@ -1251,7 +1259,7 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context, + + TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle, + hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer, +- TPM2_RH_NULL, result, validation); ++ fix_esys_hierarchy(TPM2_RH_NULL), result, validation); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_HMAC, rval); + return tool_rc_from_tpm(rval); +@@ -1907,7 +1915,7 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private, + + TSS2_RC rval = Esys_LoadExternal(ectx, + ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, +- private, public, hierarchy, ++ private, public, fix_esys_hierarchy(hierarchy), + object_handle); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_LoadExternal, rval); +-- +2.27.0 + diff --git a/0001-Refactor-fix_esys_hierarchies.patch b/0001-Refactor-fix_esys_hierarchies.patch new file mode 100644 index 0000000..9e76674 --- /dev/null +++ b/0001-Refactor-fix_esys_hierarchies.patch @@ -0,0 +1,211 @@ +From 2e7839b905f7a493f739d36e3e550e0cee30049e Mon Sep 17 00:00:00 2001 +From: Andreas Fuchs +Date: Thu, 7 May 2020 19:12:36 +0200 +Subject: [PATCH] Refactor fix_esys_hierarchies() + +Refactor fix_esys_hierarchies() to return an actual TSS2_RC return code +and have an output parameter. + +Signed-off-by: Andreas Fuchs +--- + lib/tpm2.c | 88 +++++++++++++++++++++++++++++---------- + lib/tpm2.h | 2 +- + tools/tpm2_loadexternal.c | 9 +++- + 3 files changed, 75 insertions(+), 24 deletions(-) + +diff --git a/lib/tpm2.c b/lib/tpm2.c +index 909a4422339d..744fed8c529f 100644 +--- a/lib/tpm2.c ++++ b/lib/tpm2.c +@@ -645,39 +645,51 @@ tool_rc tpm2_evictcontrol(ESYS_CONTEXT *esys_context, + } + + /* This function addresses ESAPI change that changes parameter type from +- * Esys_TR to TPMI_RH_HIERARCHY and breaks backwards compatibility. ++ * Esys_TR to TPMI_RH_HIERARCHY or TPMI_RH_ENABLES and breaks backwards ++ * compatibility. + * To keep the tools parameters consistent after v4.0 release we need to + * map the values to appropriate type based on the version of the ESYS API. + * Note: the mapping is based on the ESYS version recognized at compile time. + * The TSS change can be found here: + * https://github.com/tpm2-software/tpm2-tss/pull/1531 + */ +-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy) ++TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out) + { + #if defined(ESYS_3_0) +- switch (hierarchy) { ++ switch (in) { + case ESYS_TR_RH_NULL: ++ /* FALLTHRU */ + case ESYS_TR_RH_OWNER: ++ /* FALLTHRU */ + case ESYS_TR_RH_ENDORSEMENT: ++ /* FALLTHRU */ + case ESYS_TR_RH_PLATFORM: ++ /* FALLTHRU */ + case ESYS_TR_RH_PLATFORM_NV: +- return hierarchy; ++ *out = in; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_NULL: +- return ESYS_TR_RH_NULL; ++ *out = ESYS_TR_RH_NULL; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_OWNER: +- return ESYS_TR_RH_OWNER; ++ *out = ESYS_TR_RH_OWNER; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_ENDORSEMENT: +- return ESYS_TR_RH_ENDORSEMENT; ++ *out = ESYS_TR_RH_ENDORSEMENT; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_PLATFORM: +- return ESYS_TR_RH_PLATFORM; ++ *out = ESYS_TR_RH_PLATFORM; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_PLATFORM_NV: +- return ESYS_TR_RH_PLATFORM_NV; ++ *out = ESYS_TR_RH_PLATFORM_NV; ++ return TSS2_RC_SUCCESS; + default: +- LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy); +- return 0xffffffff; ++ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", in); ++ return TSS2_ESYS_RC_BAD_VALUE; + } + #elif defined(ESYS_2_3) +- return hierarchy; ++ *out = in; ++ return TSS2_RC_SUCCESS; + #else + #error "Need to define either ESYS_3_0 or ESYS_2_3" + #endif +@@ -688,8 +700,14 @@ tool_rc tpm2_hash(ESYS_CONTEXT *esys_context, ESYS_TR shandle1, ESYS_TR shandle2 + TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **out_hash, + TPMT_TK_HASHCHECK **validation) { + +- TSS2_RC rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data, +- hash_alg, fix_esys_hierarchy(hierarchy), out_hash, validation); ++ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ ++ rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data, ++ hash_alg, hierarchy, out_hash, validation); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_Hash, rval); + return tool_rc_from_tpm(rval); +@@ -729,9 +747,15 @@ tool_rc tpm2_sequence_complete(ESYS_CONTEXT *esys_context, + TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **result, + TPMT_TK_HASHCHECK **validation) { + +- TSS2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle, ++ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ ++ rval = Esys_SequenceComplete(esys_context, sequence_handle, + ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, buffer, +- fix_esys_hierarchy(hierarchy), result, validation); ++ hierarchy, result, validation); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_SequenceComplete, rval); + return tool_rc_from_tpm(rval); +@@ -1161,8 +1185,14 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context, + return rc; + } + +- TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle, +- shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state); ++ TSS2_RC rval = fix_esys_hierarchy(enable, &enable); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ ++ rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle, ++ shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state); + if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) { + LOG_PERR(Esys_HierarchyControl, rval); + return tool_rc_from_tpm(rval); +@@ -1257,9 +1287,17 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context, + return rc; + } + +- TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle, ++ uint32_t hierarchy; ++ ++ TSS2_RC rval = fix_esys_hierarchy(TPM2_RH_NULL, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ ++ rval = Esys_SequenceComplete(esys_context, sequence_handle, + hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer, +- fix_esys_hierarchy(TPM2_RH_NULL), result, validation); ++ hierarchy, result, validation); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_HMAC, rval); + return tool_rc_from_tpm(rval); +@@ -1913,9 +1951,15 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private, + const TPM2B_PUBLIC *public, TPMI_RH_HIERARCHY hierarchy, + ESYS_TR *object_handle) { + +- TSS2_RC rval = Esys_LoadExternal(ectx, ++ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ ++ rval = Esys_LoadExternal(ectx, + ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, +- private, public, fix_esys_hierarchy(hierarchy), ++ private, public, hierarchy, + object_handle); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_LoadExternal, rval); +diff --git a/lib/tpm2.h b/lib/tpm2.h +index a37e05606c7a..2e4ae5e7dddc 100644 +--- a/lib/tpm2.h ++++ b/lib/tpm2.h +@@ -389,7 +389,7 @@ tool_rc tpm2_policy_nv_written(ESYS_CONTEXT *esys_context, + ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, + ESYS_TR shandle3, TPMI_YES_NO written_set); + +-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy); ++TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out); + + tool_rc tpm2_certifycreation(ESYS_CONTEXT *esys_context, + tpm2_loaded_object *signingkey_obj, tpm2_loaded_object *certifiedkey_obj, +diff --git a/tools/tpm2_loadexternal.c b/tools/tpm2_loadexternal.c +index 70fb72877aae..4127ca1b524b 100644 +--- a/tools/tpm2_loadexternal.c ++++ b/tools/tpm2_loadexternal.c +@@ -48,9 +48,16 @@ static tpm_loadexternal_ctx ctx = { + static tool_rc load_external(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *pub, + TPM2B_SENSITIVE *priv, bool has_priv, TPM2B_NAME **name) { + ++ uint32_t hierarchy; ++ TSS2_RC rval = fix_esys_hierarchy(ctx.hierarchy_value, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ + tool_rc rc = tpm2_loadexternal(ectx, + has_priv ? priv : NULL, pub, +- fix_esys_hierarchy(ctx.hierarchy_value), &ctx.handle); ++ hierarchy, &ctx.handle); + if (rc != tool_rc_success) { + return rc; + } +-- +2.27.0 + diff --git a/0001-lib-files-fix-an-error-message-in-files_load_-name.patch b/0001-lib-files-fix-an-error-message-in-files_load_-name.patch new file mode 100644 index 0000000..0e0ccb2 --- /dev/null +++ b/0001-lib-files-fix-an-error-message-in-files_load_-name.patch @@ -0,0 +1,26 @@ +From 012249ad9d06d7534a94690a33638691f5104839 Mon Sep 17 00:00:00 2001 +From: Radoslav Gerganov +Date: Wed, 26 Feb 2020 10:40:26 +0200 +Subject: [PATCH] lib/files: fix an error message in files_load_##name + +Signed-off-by: Radoslav Gerganov +--- + lib/files.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/files.c b/lib/files.c +index a6beea5b8ff2..ef2170b079e1 100644 +--- a/lib/files.c ++++ b/lib/files.c +@@ -687,7 +687,7 @@ tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path) + size_t offset = 0; \ + TSS2_RC rc = Tss2_MU_##type##_Unmarshal(buffer, size, &offset, name); \ + if (rc != TSS2_RC_SUCCESS) { \ +- LOG_ERR("Error serializing "str(name)" structure: 0x%x", rc); \ ++ LOG_ERR("Error deserializing "str(name)" structure: 0x%x", rc); \ + LOG_ERR("The input file needs to be a valid "xstr(type)" data structure"); \ + return false; \ + } \ +-- +2.31.0 + diff --git a/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch b/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch new file mode 100644 index 0000000..2039f11 --- /dev/null +++ b/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch @@ -0,0 +1,42 @@ +From a20415d6f1d3fa09300ff1181646fe7e1785fd15 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Sun, 29 Mar 2020 10:14:28 -0700 +Subject: [PATCH] lib/files.c: Fix an issue where execution could not reach + function return + +Signed-off-by: Imran Desai +--- + lib/files.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/lib/files.c b/lib/files.c +index ef2170b079e1..501f88d11b48 100644 +--- a/lib/files.c ++++ b/lib/files.c +@@ -607,9 +607,7 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer, + return true; + } + +-// printf("Reading file: %s\n", path); +-// printf("size: %u\n", *size); +- ++ bool retval = true; + /* Read from stdin */ + if (!input_buffer && !path) { + UINT16 read_bytes = 0; +@@ -640,10 +638,10 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer, + return true; + } + } else if (path) { +- return files_load_bytes_from_path(path, buf, size); ++ retval = files_load_bytes_from_path(path, buf, size); + } + +- return false; ++ return retval; + } + + tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path) { +-- +2.31.0 + diff --git a/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch b/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch new file mode 100644 index 0000000..509e6dc --- /dev/null +++ b/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch @@ -0,0 +1,63 @@ +From 77d4592e3eec9ec2c7932586f41f925b43ecc5ba Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Sun, 29 Mar 2020 10:22:42 -0700 +Subject: [PATCH] tools/tpm2_nvcertify.c: Fix incompatible pointer cast that + may cause memory leak + +Pointer "&ctx.size" and "&ctx.offset" points to an object whose effective type is +"unsigned short" (16 bits, unsigned) but is dereferenced as a wider +"unsigned int" (32 bits, unsigned). This may lead to memory corruption. + +Signed-off-by: Imran Desai +--- + tools/tpm2_nvcertify.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/tools/tpm2_nvcertify.c b/tools/tpm2_nvcertify.c +index b49f38dbff20..414cbea85574 100644 +--- a/tools/tpm2_nvcertify.c ++++ b/tools/tpm2_nvcertify.c +@@ -80,6 +80,7 @@ static bool set_signature_format(char *value) { + static bool on_option(char key, char *value) { + + bool result = true; ++ uint32_t input_value; + + switch (key) { + case 'C': +@@ -110,18 +111,30 @@ static bool on_option(char key, char *value) { + ctx.policy_qualifier_arg = value; + break; + case 0: +- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.size); ++ result = tpm2_util_string_to_uint32(value, &input_value); + if (!result) { + LOG_ERR("Could not convert size to number, got: \"%s\"", value); + return false; + } ++ if (input_value > UINT16_MAX) { ++ LOG_ERR("Specified size is larger than that allowed by command"); ++ return false; ++ } else { ++ ctx.size = input_value; ++ } + break; + case 1: +- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.offset); ++ result = tpm2_util_string_to_uint32(value, &input_value); + if (!result) { + LOG_ERR("Could not convert offset to number, got: \"%s\"", value); + return false; + } ++ if (input_value > UINT16_MAX) { ++ LOG_ERR("Specified offset is larger than that allowed by command"); ++ return false; ++ } else { ++ ctx.offset = input_value; ++ } + break; + case 2: + ctx.certify_info_path = value; +-- +2.31.0 + diff --git a/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch b/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch new file mode 100644 index 0000000..7d53c71 --- /dev/null +++ b/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch @@ -0,0 +1,25 @@ +From 023ec5c0eafe8dfb5b71e400cb0c2c337fb8c108 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Sun, 29 Mar 2020 10:49:12 -0700 +Subject: [PATCH] tools/tpm2_nvreadpublic: Fix resource leak + +Signed-off-by: Imran Desai +--- + tools/tpm2_nvreadpublic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/tpm2_nvreadpublic.c b/tools/tpm2_nvreadpublic.c +index 7f8e46cbf863..eca1fd715a79 100644 +--- a/tools/tpm2_nvreadpublic.c ++++ b/tools/tpm2_nvreadpublic.c +@@ -41,6 +41,7 @@ static tool_rc print_nv_public(ESYS_CONTEXT *context, TPMI_RH_NV_INDEX index, TP + rc = tpm2_tr_get_name(context, tr_handle, + &name); + if (rc != tool_rc_success) { ++ free(attrs); + return rc; + } + +-- +2.31.0 + diff --git a/0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch b/0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch new file mode 100644 index 0000000..2869652 --- /dev/null +++ b/0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch @@ -0,0 +1,28 @@ +From c28932caef2036039901a91cf55eb7ff093c70f5 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Fri, 24 Jan 2020 15:53:39 -0700 +Subject: [PATCH] tpm2_alg_util.c: fix a bug where the string rsa3072 wasnt + being parsed + +Signed-off-by: Imran Desai +--- + lib/tpm2_alg_util.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c +index b83c387a05bd..fcad480e0c3d 100644 +--- a/lib/tpm2_alg_util.c ++++ b/lib/tpm2_alg_util.c +@@ -301,6 +301,9 @@ static alg_parser_rc handle_rsa(const char *ext, TPM2B_PUBLIC *public) { + } else if (!strncmp(ext, "4096", 4)) { + r->keyBits = 4096; + ext += 4; ++ } else if (!strncmp(ext, "3072", 4)) { ++ r->keyBits = 3072; ++ ext += 4; + } else { + r->keyBits = 2048; + } +-- +2.27.0 + diff --git a/0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch b/0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch new file mode 100644 index 0000000..fbc402e --- /dev/null +++ b/0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch @@ -0,0 +1,186 @@ +From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Thu, 21 May 2020 11:31:43 -0700 +Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared + if policy specified + +Fixes #2037 + +Signed-off-by: Imran Desai +--- + man/tpm2_create.1.md | 9 +++- + test/integration/tests/import_tpm.sh | 78 +++++++++++++++++----------- + tools/tpm2_create.c | 10 ++-- + 3 files changed, 60 insertions(+), 37 deletions(-) + +diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md +index e8e5eaac49c3..9a7ba33e6017 100644 +--- a/man/tpm2_create.1.md ++++ b/man/tpm2_create.1.md +@@ -13,7 +13,7 @@ + **tpm2_create**(1) - Create a child object. The object can either be a key or + a sealing object. A sealing object allows to seal user data to the TPM, with a + maximum size of 256 bytes. Additionally it will load the created object if the +-**-o** is specified. ++**-c** is specified. + + # OPTIONS + +@@ -55,6 +55,13 @@ These options for creating the TPM entity: + and unsealing. I.e. one cannot use an object for sealing and cryptography + operations. + ++ When **-L** is specified for adding policy based authorization information ++ AND no string password is specified, the attribute `TPMA_OBJECT_USERWITHAUTH` ++ is cleared unless an explicit choice is made by setting of the attribute ++ with **-a** option. This prevents creation of objects with inadvertant auth ++ model where in user intended to enforce a policy but inadvertantly created ++ an object with empty auth which can be used instead of policy authorization. ++ + * **-i**, **\--sealing-input**=_FILE_ or _STDIN_: + + The data file to be sealed, optional. If file is -, read from stdin. +diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh +index ff48185aba70..3d1e10820844 100755 +--- a/test/integration/tests/import_tpm.sh ++++ b/test/integration/tests/import_tpm.sh +@@ -54,8 +54,13 @@ load_new_parent() { + create_load_duplicatee() { + # Create the key we want to duplicate + create_policy dpolicy.dat TPM2_CC_Duplicate +- tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \ +- -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" ++ if [ -z "$2" ];then ++ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \ ++ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" ++ else ++ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \ ++ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" ++ fi + # Load the key + tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx + # Extract the public part for import later +@@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do + done + done + +-# Part 2 : +-# Create a rsa key (Kd) +-# Encrypt a message using Kd +-# Duplicate Kd +-# Import & Load Kd +-# Decrypt the message and verify +-tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx +-# New parent ... +-create_load_new_parent +-# Key to be duplicated +-create_load_duplicatee rsa +-# Encrypt a secret message +-echo "Mary had a little lamb ..." > plain.txt +-tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt +-# Duplicate the key +-do_duplication null +-# Remove, we're done with it +-rm new_parent.ctx +-# Load the full thing this time +-load_new_parent +-# Import & load the duplicate +-do_import_load null +-# Decrypt the secret message using duplicated key +-tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt +-# Check we got it right ... +-diff recovered.txt plain.txt +-# Cleanup +-rm plain.txt recovered.txt cipher.txt +-cleanup "no-shut-down" ++test_key_usage() { ++ # Part 2 : ++ # Create a rsa key (Kd) ++ # Encrypt a message using Kd ++ # Duplicate Kd ++ # Import & Load Kd ++ # Decrypt the message and verify ++ tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx ++ # New parent ... ++ create_load_new_parent ++ # Key to be duplicated ++ create_load_duplicatee rsa "$1" ++ # Encrypt a secret message ++ echo "Mary had a little lamb ..." > plain.txt ++ tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt ++ # Duplicate the key ++ do_duplication null ++ # Remove, we're done with it ++ rm new_parent.ctx ++ # Load the full thing this time ++ load_new_parent ++ # Import & load the duplicate ++ do_import_load null ++ # Decrypt the secret message using duplicated key ++ if [ -z "$1" ];then ++ tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt ++ else ++ tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt ++ fi ++ # Check we got it right ... ++ diff recovered.txt plain.txt ++ # Cleanup ++ rm plain.txt recovered.txt cipher.txt ++ cleanup "no-shut-down" ++} ++ ++#Test key with password ++test_key_usage foo ++#Test key without password ++test_key_usage + + exit 0 +diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c +index 941b77655f55..8e92cc747e17 100644 +--- a/tools/tpm2_create.c ++++ b/tools/tpm2_create.c +@@ -47,7 +47,7 @@ struct tpm_create_ctx { + TPML_PCR_SELECTION creation_pcr; + + struct { +- UINT8 b :1; ++ UINT8 a :1; + UINT8 i :1; + UINT8 L :1; + UINT8 u :1; +@@ -224,7 +224,7 @@ static bool on_option(char key, char *value) { + break; + case 'a': + ctx.object.attrs = value; +- ctx.flags.b = 1; ++ ctx.flags.a = 1; + break; + case 'i': + ctx.object.sealed_data = strcmp("-", value) ? value : NULL; +@@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { + + ctx.object.alg = "keyedhash"; + +- if (!ctx.flags.b) { ++ if (!ctx.flags.a) { + attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT; + attrs &= ~TPMA_OBJECT_DECRYPT; + attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN; + } +- } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) { ++ } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) { + attrs &= ~TPMA_OBJECT_DECRYPT; + } + +@@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { + return tool_rc_general_error; + } + +- if (ctx.flags.L && !ctx.object.auth_str) { ++ if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) { + ctx.object.public.publicArea.objectAttributes &= + ~TPMA_OBJECT_USERWITHAUTH; + } +-- +2.27.0 + diff --git a/0001-tpm2_getekcertificate-add-default-web-address.patch b/0001-tpm2_getekcertificate-add-default-web-address.patch new file mode 100644 index 0000000..0183c76 --- /dev/null +++ b/0001-tpm2_getekcertificate-add-default-web-address.patch @@ -0,0 +1,49 @@ +From 8c72f7402d8977807f531b08976760d62676cf8a Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Thu, 23 Jan 2020 11:21:58 -0700 +Subject: [PATCH] tpm2_getekcertificate: add default web address + +Currently only Intel (R) PTT certificates are hosted online. +A default web address pointing to the endorsement key certificate +hosting will help reduce user input. + +Signed-off-by: Imran Desai +--- + test/integration/tests/getekcertificate.sh | 6 ++---- + tools/tpm2_getekcertificate.c | 1 + + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/test/integration/tests/getekcertificate.sh b/test/integration/tests/getekcertificate.sh +index 33f4f8b2e4c0..e8c521756d2a 100755 +--- a/test/integration/tests/getekcertificate.sh ++++ b/test/integration/tests/getekcertificate.sh +@@ -38,12 +38,10 @@ else + fi + fi + +-tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin \ +-https://ekop.intel.com/ekcertservice/ ++tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin + + # Test that stdoutput is the same +-tpm2_getekcertificate -u test_ek.pub -x https://ekop.intel.com/ekcertservice/ \ +--X > ECcert2.bin ++tpm2_getekcertificate -u test_ek.pub -x -X > ECcert2.bin + + # stdout file should match -E file. + cmp ECcert.bin ECcert2.bin +diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c +index 233d04d8b3d7..6a8fe894bb1c 100644 +--- a/tools/tpm2_getekcertificate.c ++++ b/tools/tpm2_getekcertificate.c +@@ -32,6 +32,7 @@ struct tpm_getekcertificate_ctx { + + static tpm_getekcertificate_ctx ctx = { + .is_tpm2_device_active = true, ++ .ek_server_addr = "https://ekop.intel.com/ekcertservice/", + }; + + static unsigned char *hash_ek_public(void) { +-- +2.31.0 + diff --git a/0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch b/0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch new file mode 100644 index 0000000..0d4b89b --- /dev/null +++ b/0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch @@ -0,0 +1,37 @@ +From 334b4c739fa575fb4ea58f92df6de87c38e59e15 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Thu, 23 Jan 2020 08:06:56 -0700 +Subject: [PATCH] tpm2_hierarchycontrol: Fixed bug where hierarchycontrol + operation failed silently + +Fixes #1841 + +Signed-off-by: Imran Desai +--- + tools/tpm2_hierarchycontrol.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/tools/tpm2_hierarchycontrol.c b/tools/tpm2_hierarchycontrol.c +index 0baf2ca487d3..7e9e2c657544 100644 +--- a/tools/tpm2_hierarchycontrol.c ++++ b/tools/tpm2_hierarchycontrol.c +@@ -32,8 +32,14 @@ static tool_rc hierarchycontrol(ESYS_CONTEXT *ectx) { + ctx.enable == TPM2_RH_ENDORSEMENT ? "ehEnable" : "phEnableNV", + ctx.state ? "SET" : "CLEAR"); + +- return tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object, ctx.enable, +- ctx.state); ++ tool_rc rc = tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object, ++ ctx.enable, ctx.state); ++ ++ if (rc != tool_rc_success) { ++ LOG_ERR("Failed hierarchycontrol operation."); ++ } ++ ++ return rc; + } + + bool on_arg(int argc, char **argv) { +-- +2.27.0 + diff --git a/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch b/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch new file mode 100644 index 0000000..53814a4 --- /dev/null +++ b/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch @@ -0,0 +1,46 @@ +From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Fri, 21 May 2021 12:22:31 -0500 +Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565 + +tpm2_import used a fixed AES key for the inner wrapper, which means that +a MITM attack would be able to unwrap the imported key. Even the +use of an encrypted session will not prevent this. The TPM only +encrypts the first parameter which is the fixed symmetric key. + +To fix this, ensure the key size is 16 bytes or bigger and use +OpenSSL to generate a secure random AES key. + +Fixes: #2738 + +Signed-off-by: William Roberts +--- + tools/tpm2_import.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c +index cfb6f207ba9c..f44326c87e7e 100644 +--- a/tools/tpm2_import.c ++++ b/tools/tpm2_import.c +@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub, + TPM2B_DATA enc_sensitive_key = { + .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8 + }; +- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size); ++ ++ if(enc_sensitive_key.size < 16) { ++ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size); ++ return tool_rc_general_error; ++ } ++ ++ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size); ++ if (ossl_rc != 1) { ++ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL)); ++ return tool_rc_general_error; ++ } + + /* + * Calculate the object name. +-- +2.31.0 + diff --git a/0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch b/0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch new file mode 100644 index 0000000..da77107 --- /dev/null +++ b/0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch @@ -0,0 +1,31 @@ +From 652322f7278ec8c384fde9ec2204b06d084a24e4 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Thu, 23 Jan 2020 07:54:58 -0700 +Subject: [PATCH] tpm2_nvdefine.c: Fixed error reporting message + +Fixes #1861 + +NV define failure error message had the wording to suggest NV index +was successfully defined. + +Signed-off-by: Imran Desai +--- + tools/tpm2_nvdefine.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/tpm2_nvdefine.c b/tools/tpm2_nvdefine.c +index cb2949c4dddc..71203cb6c80d 100644 +--- a/tools/tpm2_nvdefine.c ++++ b/tools/tpm2_nvdefine.c +@@ -65,7 +65,7 @@ static tool_rc nv_space_define(ESYS_CONTEXT *ectx) { + tool_rc rc = tpm2_nv_definespace(ectx, &ctx.auth_hierarchy.object, + &ctx.nv_auth, &public_info); + if (rc != tool_rc_success) { +- LOG_INFO("Success to define NV area at index 0x%x.", ctx.nv_index); ++ LOG_ERR("Failed to create NV index 0x%x.", ctx.nv_index); + return rc; + } + +-- +2.27.0 + diff --git a/0001-tpm2_policy.c-restrict-policy-digest-size.patch b/0001-tpm2_policy.c-restrict-policy-digest-size.patch new file mode 100644 index 0000000..c481309 --- /dev/null +++ b/0001-tpm2_policy.c-restrict-policy-digest-size.patch @@ -0,0 +1,28 @@ +From e556da0a2099573f82391c16477fba08584a7a12 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Tue, 10 Mar 2020 09:15:55 -0700 +Subject: [PATCH] tpm2_policy.c: restrict policy digest size + +Fixes #1916 + +Signed-off-by: Imran Desai +--- + lib/tpm2_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c +index 6c352b2b41ae..01387ba01645 100644 +--- a/lib/tpm2_policy.c ++++ b/lib/tpm2_policy.c +@@ -163,7 +163,7 @@ tool_rc tpm2_policy_build_policyauthorize(ESYS_CONTEXT *ectx, + bool result = true; + TPM2B_DIGEST approved_policy = { .size = 0 }; + if (policy_digest_path) { +- approved_policy.size = UINT16_MAX; ++ approved_policy.size = sizeof(TPMU_HA); + result = files_load_bytes_from_path(policy_digest_path, + approved_policy.buffer, &approved_policy.size); + } +-- +2.31.0 + diff --git a/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch b/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch new file mode 100644 index 0000000..ea4bab1 --- /dev/null +++ b/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch @@ -0,0 +1,30 @@ +From cab7b3edcc6a44aece0642c0c2621a4bb70d449b Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Tue, 10 Mar 2020 18:19:04 -0700 +Subject: [PATCH] tpm2_policycountertimer: Fix an issue where operandB array + was reversed + +Signed-off-by: Imran Desai +--- + tools/tpm2_policycountertimer.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/tpm2_policycountertimer.c b/tools/tpm2_policycountertimer.c +index 1c72d525dab7..170a544f2203 100644 +--- a/tools/tpm2_policycountertimer.c ++++ b/tools/tpm2_policycountertimer.c +@@ -81,7 +81,10 @@ static bool convert_keyvalue_to_operand_buffer(const char *value, + } + + ctx.operand_b.size = size; +- memcpy(ctx.operand_b.buffer, &data.b, size); ++ size_t i = 0; ++ for (i = 0; i < size; i++) { ++ ctx.operand_b.buffer[i] = *(&data.b + size - i - 1); ++ } + + return true; + } +-- +2.31.0 + diff --git a/0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch b/0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch new file mode 100644 index 0000000..c6a5e86 --- /dev/null +++ b/0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch @@ -0,0 +1,26 @@ +From 44d0d2d17dc693e029e0557ec985c9b68c3efeb5 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Wed, 22 Jan 2020 14:15:48 -0700 +Subject: [PATCH] tpm2_policyor: Silent failure bug fix for invalid/unspecified + policy digest alg + +Signed-off-by: Imran Desai +--- + lib/tpm2_policy.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c +index 3d9b5491f9ce..8460bd1d9ae9 100644 +--- a/lib/tpm2_policy.c ++++ b/lib/tpm2_policy.c +@@ -588,6 +588,7 @@ bool tpm2_policy_parse_policy_list(char *str, TPML_DIGEST *policy_list) { + hash = tpm2_alg_util_from_optarg(subtoken, + tpm2_alg_util_flags_hash); + if (hash == TPM2_ALG_ERROR) { ++ LOG_ERR("Invalid/ Unspecified policy digest algorithm."); + return false; + } + } +-- +2.27.0 + diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/sources b/sources new file mode 100644 index 0000000..f1d5167 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (tpm2-tools-4.1.1.tar.gz) = 25952cf947f0acd16b1a8dbd3ac8573bce85ff970a7e24c290c4f9cd29418e77a3e48ac82c932fbd250887a9303ab301ff92db594c2fffaba47b873382444d26 diff --git a/tpm2-tools.spec b/tpm2-tools.spec new file mode 100644 index 0000000..65f2e6f --- /dev/null +++ b/tpm2-tools.spec @@ -0,0 +1,227 @@ +Name: tpm2-tools +Version: 4.1.1 +Release: 5%{?dist} +Summary: A TPM2.0 testing tool build upon TPM2.0-TSS + +License: BSD +URL: https://github.com/tpm2-software/tpm2-tools +Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz +Patch0: 0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch +Patch1: 0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch +Patch2: 0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch +Patch3: 0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch +Patch4: 0001-Fix-ESYS_TR-hierarchy-transition.patch +Patch5: 0001-Refactor-fix_esys_hierarchies.patch +Patch6: 0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch +Patch7: 0001-tpm2_getekcertificate-add-default-web-address.patch +Patch8: 0001-lib-files-fix-an-error-message-in-files_load_-name.patch +Patch9: 0001-tpm2_policy.c-restrict-policy-digest-size.patch +Patch10: 0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch +Patch11: 0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch +Patch12: 0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch +Patch13: 0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch +Patch14: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch + +BuildRequires: gcc-c++ +BuildRequires: libtool +BuildRequires: autoconf-archive +BuildRequires: pandoc +BuildRequires: pkgconfig(cmocka) +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(openssl) +# tpm2-tss-devel provides tss2-mu/sys/esys package config +BuildRequires: pkgconfig(tss2-mu) +BuildRequires: pkgconfig(tss2-sys) +BuildRequires: pkgconfig(tss2-esys) + +# tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required +Requires: tpm2-tss%{?_isa} >= 2.3.2-1%{?dist} + +# tpm2-tools project changed the install path for binaries and man page section +Obsoletes: tpm2-tools <= 2.1.1-2 + +%description +tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss. + +%prep +%autosetup -p1 -n %{name}-%{version} + +%build +%configure --prefix=/usr --disable-static --disable-silent-rules +%make_build + +%install +%make_install + +%files +%doc README.md CHANGELOG.md +%license LICENSE +%{_bindir}/tpm2_* +%{_datadir}/bash-completion/completions/tpm2* +%{_mandir}/man1/tpm2_*.1.gz + +%changelog +* Mon Aug 09 2021 Jerry Snitselaar - 4.1.1-5 +- Bump nvr to trigger osci. +resolves: rhbz#1965981 + +* Tue Jun 01 2021 Jerry Snitselaar - 4.1.1-4 +- Fix CVE-2021-3565 +resolves: rhbz#1965981 + +* Fri May 14 2021 Jerry Snitselaar - 4.1.1-3 +- Fix resource leak. +- Fix to restrict policy digest size. +- Fix incompatible pointer cast. +- Fix error message in files_load_##name +- Fix issue where execution couldn't reach function return. +resolves: rhbz#1920821 + +* Mon Nov 16 2020 Jerry Snitselaar - 4.1.1-2 +- Fix ESYS_TR hierarchy transition. +- Refactor fix_esys_hierarchies to return actual TSS2_RC return code. +- tpm2_alg_util.c: fix a bug where the string rsa3072 wasn't being parsed. +- tpm2_create.c: Fix an issue where userwithauth attr cleared if policy specified. +- tpm2_hierarchycontrol: Fix bug where hierarchycontrol operation failed silently. +- tpm2_nvdefine.c: Fix error reporting message. +- tpm2_policyor: Fix silent failure for invalid/unspecified policy digest alg. +resolves: rhbz#1854774 + +* Wed Apr 29 2020 Jerry Snitselaar - 4.1.1-1 +- Update to 4.1.1 release +resolves: rhbz#1789682 + +* Tue Oct 22 2019 Jerry Snitselaar - 3.2.1-1 +- Update to 3.2.1 release +resolves: rhbz#1725714 + +* Tue May 28 2019 Jerry Snitselaar - 3.1.4-5 +- Another dependency needed for CI gating +resolves: rhbz#1682417 + +* Tue May 28 2019 Jerry Snitselaar - 3.1.4-4 +- Fix CI dependency +resolves: rhbz#1682417 + +* Tue May 28 2019 Jerry Snitselaar - 3.1.4-3 +- Add CI gating test +resolves: rhbz#1682417 + +* Tue May 14 2019 Jerry Snitselaar - 3.1.4-2 +- Add initial CI gating support +resolves: rhbz#1682417 + +* Tue Apr 30 2019 Jerry Snitselaar - 3.1.4-1 +- Rebase to 3.1.4 release. +resolves: rhbz#1664498 + +* Thu Nov 08 2018 Jerry Snitselaar - 3.1.1-4 +- lib/tpm2_options: restore TCTI configuration environment variables +- tpm2_getcap: restore tool output to print properties with TPM_PT prefix +resolves: rhbz#1648001 + +* Sat Jul 14 2018 Javier Martinez Canillas - - 3.1.1-3 +- Revert backward incompatible change that removes default object attributes + +* Sat Jul 14 2018 Fedora Release Engineering - 3.1.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jul 12 2018 Yunying Sun - 3.1.1-1 +- Update to 3.1.1 release + +* Thu Jul 5 2018 Yunying Sun - 3.1.0-1 +- Update Requires version of tpm2-tss to 2.0.0 +- Remove BuildRequires for tcti-abrmd since it is optional +- Remove BuildRequires for tcti-{device,mssim} as it is now dynamically loaded +- Update to 3.1.0 release + +* Mon Apr 30 2018 Javier Martinez Canillas - 3.0.4-1 +- Update URLs to point to the new project location +- Update to 3.0.4 release + +* Wed Feb 21 2018 Javier Martinez Canillas - 3.0.3-3 +- Remove ExclusiveArch: x86_64 directive + +* Fri Feb 09 2018 Fedora Release Engineering - 3.0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 16 2018 Javier Martinez Canillas - 3.0.3-1 +- Update to 3.0.3 release + +* Mon Dec 18 2017 Javier Martinez Canillas - 3.0.2-1 +- Update to 3.0.2 release + +* Tue Dec 12 2017 Javier Martinez Canillas - 3.0.1-1 +- Update to 3.0.1 release (RHBZ#1512743) +- Download the generated tarball provided instead of the source code tarball + +* Fri Dec 08 2017 Javier Martinez Canillas - 3.0-1 +- Update to 3.0 release + +* Wed Nov 29 2017 Javier Martinez Canillas - 3.0-0.1.rc1 +- Update to 3.0 release candidate 1 +- Update URLs to point to the new project location +- Make the package to obsolete version 2.1.1 + +* Wed Nov 01 2017 Javier Martinez Canillas - 2.1.1-1 +- Rename remaining tpm2.0-tools prefixes to tpm2-tools +- Remove global pkg_prefix since now the upstream repo and package names match +- Remove downstream patches since now these are in the latest upstream release +- Update to 2.1.1 release (RHBZ#1504438) + +* Thu Oct 19 2017 Jerry Snitselaar - 2.1.0-7 +- Clean up potential memleak (RHBZ#1503959) + +* Thu Oct 05 2017 Javier Martinez Canillas - 2.1.0-6 +- Add tpm2-abrmd-devel BuildRequires so tools have abrmd support (RHBZ#1498909) + +* Fri Aug 18 2017 Javier Martinez Canillas - 2.1.0-5 +- Remove unneeded source tarballs (RHBZ#1482830) + +* Tue Aug 15 2017 Sun Yunying - 2.1.0-4 +- Add patch to fix build error when openssl-devel is installed(RHBZ#1481236) + +* Thu Aug 03 2017 Fedora Release Engineering - 2.1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Mon Jul 31 2017 Sun Yunying - 2.1.0-2 +- Add patch to fix gcc7 complaining about implicit-fallthrough cases + +* Fri Jul 28 2017 Sun Yunying - 2.1.0-1 +- Update to latest upstream release 2.1.0 + +* Fri Jul 28 2017 Sun Yunying - 1.1.0-9 +- Update Requires dependency so that tpm2-tss update won't break tpm2-tools + +* Thu Jul 27 2017 Fedora Release Engineering - 1.1.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed May 10 2017 Sun Yunying - 1.1.0-7 +- Only update release version to make fedpkg build works for f26 + +* Wed Mar 1 2017 Sun Yunying - 1.1.0-6 +- Update tpm2-tss version to 1.0-3 to fix broken dependency on f26 + +* Sat Feb 11 2017 Fedora Release Engineering - 1.1.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 20 2017 Sun Yunying - 1.1.0-4 +- Dependency check failed for Requires again, here to fix this +- Update release version and changelog + +* Thu Jan 19 2017 Sun Yunying - 1.1.0-3 +- Change spec file permission to 644 to avoid rpmlint complain +- Update Requires to fix dependency check error reported in Bodhi +- Remove tpm2-tss-devel version in BuildRequires comment +- Update release version and changelog + +* Wed Dec 21 2016 Sun Yunying - 1.1.0-2 +- Remove pkg_version to avoid dupliate use of version +- Remove redundant BuildRequires for autoconf/automake/pkgconfig +- Add comments for BuildRequires of sapi/tcti-device/tcti-socket +- Use ExclusiveArch instead of ExcludeArch +- Requires tpm2-tss version updated to 1.0-2 +- Updated release version and changelog + +* Fri Dec 2 2016 Sun Yunying - 1.1.0-1 +- Initial version of the package