Backport upstream fixes
Includes fixes for CVE-2024-29038 and CVE-2024-29039. Resolves: RHEL-23198 Resolves: RHEL-41031 Resolves: RHEL-41035 Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
parent
53479d9612
commit
acfe6b50eb
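--- a/0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch
+++ b/0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch
@@ -0,0 +1,131 @@
+From c2dff7cfac16a857fcd5161d6e171483221ab003 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Sun, 17 Dec 2023 09:53:01 +0100
+Subject: [PATCH 1/6] tpm2_sessionconfig fix usage of --disable-continuesession
+
+Conflicts: context change due to missing 6169d8c22
+
+If continue session was disabled a error did occur in the function for
+restoring the session context.
+Now after usage of an session with continue session disabled the
+context will not be saved and the session context file will be
+deleted.
+In one integration test continue session is now disabled and the
+flush for this session is removed.
+
+Fixes: #3295
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+lib/tpm2_session.c | 45 +++++++++++++++++++++++---------
+test/integration/tests/unseal.sh | 7 +++--
+2 files changed, 37 insertions(+), 15 deletions(-)
+
+diff --git a/lib/tpm2_session.c b/lib/tpm2_session.c
+index 60b8643b..3e5503db 100644
+--- a/lib/tpm2_session.c
++++ b/lib/tpm2_session.c
+@@ -35,6 +35,7 @@ struct tpm2_session {
+char *path;
+ESYS_CONTEXT *ectx;
+bool is_final;
++ bool delete;
+} internal;
+};
+
+@@ -290,18 +291,23 @@ tool_rc tpm2_session_restore(ESYS_CONTEXT *ctx, const char *path, bool is_final,
+dup_path = NULL;
+
+TPMA_SESSION attrs = 0;
++ s->internal.delete = false;
++ s->internal.is_final = is_final;
++ *session = s;
+
+if (ctx) {
+-
+/* hack this in here, should be done when starting the session */
+tmp_rc = tpm2_sess_get_attributes(ctx, handle, &attrs);
+- UNUSED(tmp_rc);
++ if (tmp_rc != tool_rc_success) {
++ rc = tmp_rc;
++ LOG_ERR("Can't get session attributes.");
++ goto out;
++ }
++ if ((attrs & TPMA_SESSION_CONTINUESESSION) == 0) {
++ s->internal.delete = true;
++ }
+}
+
+- s->internal.is_final = is_final;
+-
+- *session = s;
+-
+LOG_INFO("Restored session: ESYS_TR(0x%x) attrs(0x%x)", handle, attrs);
+
+rc = tool_rc_success;
+@@ -341,22 +347,35 @@ tool_rc tpm2_session_close(tpm2_session **s) {
+}
+
+const char *path = session->internal.path;
+- FILE *session_file = path ? fopen(path, "w+b") : NULL;
+- if (path && !session_file) {
+- LOG_ERR("Could not open path \"%s\", due to error: \"%s\"", path,
+- strerror(errno));
+- rc = tool_rc_general_error;
+- goto out;
+- }
+
+bool flush = path ? session->internal.is_final : true;
+if (flush) {
+rc = tpm2_flush_context(session->internal.ectx,
+session->output.session_handle);
+/* done, use rc to indicate status */
++ goto out2;
++ }
++
++ if ((*s)->internal.delete && path) {
++ if (remove(path)) {
++ LOG_ERR("File \"%s\" can't be deleted.", path);
++ rc = tool_rc_general_error;
++ goto out2;
++ } else {
++ rc = tool_rc_success;
++ goto out2;
++ }
++ }
++
++ FILE *session_file = path ? fopen(path, "w+b") : NULL;
++ if (path && !session_file) {
++ LOG_ERR("Could not open path \"%s\", due to error: \"%s\"", path,
++ strerror(errno));
++ rc = tool_rc_general_error;
+goto out;
+}
+
++
+/*
+* Now write the session_type, handle and auth hash data to disk
+*/
+diff --git a/test/integration/tests/unseal.sh b/test/integration/tests/unseal.sh
+index dd6c2bc6..d0f7104f 100644
+--- a/test/integration/tests/unseal.sh
++++ b/test/integration/tests/unseal.sh
+@@ -152,10 +152,13 @@ tpm2 sessionconfig enc_session.ctx --disable-encrypt
+tpm2 create -Q -C prim.ctx -u seal_key.pub -r seal_key.priv -c seal_key.ctx \
+-p sealkeypass -i- <<< $secret -S enc_session.ctx
+
+-tpm2 sessionconfig enc_session.ctx --enable-encrypt
++tpm2 sessionconfig enc_session.ctx --enable-encrypt --disable-continuesession
+unsealed=`tpm2 unseal -c seal_key.ctx -p sealkeypass -S enc_session.ctx`
+test "$unsealed" == "$secret"
+
+-tpm2 flushcontext enc_session.ctx
++if [ -e enc_session.ctx ]; then
++ echo "enc_session.ctx was not deleted.";
++ exit 1
++fi
+
+exit 0
+--
+2.45.2
+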
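Review bot: The new `remove(path)` failure branch in tpm2_session_close logs only the path, while the fopen() failure a few lines below reports strerror(errno); for parity and for diagnosing permission or race problems on the context file use `LOG_ERR("File \"%s\" can't be deleted: %s", path, strerror(errno));`. The same block reads the session through `(*s)->internal.delete` while every neighbouring line uses the local `session`, so `session->internal.delete` would be the consistent spelling. In tpm2_session_restore, `*session = s` is now assigned before the attribute check can `goto out`, so a caller that receives an error can no longer assume `*session` is untouched; if the `out` path frees `s` (not visible here) that pointer would dangle, which deserves a comment at the assignment. Both functions start and end outside these hunks.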
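--- a/0002-tpm2_tool.c-Fix-missing-include-for-basename.patch
+++ b/0002-tpm2_tool.c-Fix-missing-include-for-basename.patch
@@ -0,0 +1,28 @@
+From 2e4d5da9a5e8808b1b075e0bde11c13fdd4c60b3 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 19 Dec 2023 17:24:26 +0100
+Subject: [PATCH 2/6] tpm2_tool.c Fix missing include for basename.
+
+tpm2_tool.c did not compile without the include libgen.h on netbsd.
+Fixes: #3321
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+tools/tpm2_tool.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/tools/tpm2_tool.c b/tools/tpm2_tool.c
+index edd04c83..f59e316a 100644
+--- a/tools/tpm2_tool.c
++++ b/tools/tpm2_tool.c
+@@ -3,6 +3,7 @@
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
++#include <libgen.h>
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+--
+2.45.2
+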
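Review bot: With `<libgen.h>` included, glibc maps `basename` to the POSIX variant, which is allowed to modify the string passed to it and to return a pointer into static storage, whereas the GNU `<string.h>` variant never writes to its argument; on glibc builds this include therefore changes which function is called, not just whether it compiles. The call site is outside the hunk, so confirm the argument is a writable copy rather than an `argv` entry or literal that is reused afterwards, and mark the call with `/* POSIX basename(): may modify its argument */` so the next reader does not assume the GNU semantics.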
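--- a/0003-tpm2_nvread-fix-input-handling-no-nv-index.patch
+++ b/0003-tpm2_nvread-fix-input-handling-no-nv-index.patch
@@ -0,0 +1,63 @@
+From 5b5dd6263f1f2d41f08abd60134396a12756c5e7 Mon Sep 17 00:00:00 2001
+From: Bill Roberts <bill.c.roberts+gh@gmail.com>
+Date: Sun, 10 Dec 2023 10:26:33 -0600
+Subject: [PATCH 3/6] tpm2_nvread: fix input handling no nv index
+
+Fixes:
+./tools/tpm2 nvread
+WARN: Reading full size of the NV index
+ERROR: object string is empty
+ERROR: Invalid handle authorization.
+ERROR: Unable to run nvread
+
+with:
+./tools/tpm2 nvread
+ERROR: Must specify NV index argument
+Usage: nvread [<options>] <arguments>
+Where <options> are:
+[ -C | --hierarchy=<value>] [ -o | --output=<value>] [ -s | --size=<value>] [ --offset=<value>]
+[ --cphash=<value>] [ --rphash=<value>] [ -n | --name=<value>] [ -P | --auth=<value>]
+[ -S | --session=<value>] [ --print-yaml]
+
+Signed-off-by: Bill Roberts <bill.c.roberts+gh@gmail.com>
+---
+tools/tpm2_nvread.c | 9 ++++++++-
+1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_nvread.c b/tools/tpm2_nvread.c
+index f64d00c1..8f9c61cc 100644
+--- a/tools/tpm2_nvread.c
++++ b/tools/tpm2_nvread.c
+@@ -24,6 +24,7 @@ struct tpm_nvread_ctx {
+TPM2B_NAME precalc_nvname;
+UINT32 size_to_read;
+UINT32 offset;
++ bool nv_specified;
+
+/*
+* Outputs
+@@ -192,6 +193,11 @@ static tool_rc check_options(tpm2_option_flags flags) {
+return tool_rc_option_error;
+}
+
++ if(!ctx.nv_specified) {
++ LOG_ERR("Must specify NV index argument");
++ return tool_rc_option_error;
++ }
++
+/*
+* Peculiar to this and some other tools, the object (nvindex) name must
+* be specified when only calculating the cpHash.
+@@ -266,7 +272,8 @@ static bool on_arg(int argc, char **argv) {
+if (!ctx.auth_hierarchy.ctx_path) {
+ctx.auth_hierarchy.ctx_path = argv[0];
+}
+- return on_arg_nv_index(argc, argv, &ctx.nv_index);
++
++ return ctx.nv_specified = on_arg_nv_index(argc, argv, &ctx.nv_index);
+}
+
+static bool on_option(char key, char *value) {
+--
+2.45.2
+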
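Review bot: `if(!ctx.nv_specified)` in check_options omits the space after `if` that every other condition in these hunks uses (`if (!ctx.auth_hierarchy.ctx_path)`), and `return ctx.nv_specified = on_arg_nv_index(...)` hides a side effect inside the return; writing `ctx.nv_specified = on_arg_nv_index(argc, argv, &ctx.nv_index);` followed by `return ctx.nv_specified;` keeps the behaviour and reads plainly. A short comment on the new field, `/* set by on_arg(); check_options() rejects a run with no NV index */`, would tie the two hunks together for the next reader. check_options and on_arg both start outside the hunks shown.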
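--- a/0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch
+++ b/0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch
@@ -0,0 +1,86 @@
+From 7076608db4b8a2cdcab6ff4bc47c23c935618e3b Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 5 Mar 2024 22:11:38 +0100
+Subject: [PATCH 4/6] tpm2_checkquote: Add comparison of pcr selection.
+
+The pcr selection which is passed with the --pcr parameter it not
+compared with the attest. So it's possible to fake a valid
+attestation.
+
+Fixes: CVE-2024-29039
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 6ce086f8..8a2a154e 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
+.pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+};
+
++static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
++ if (attest_sel->count != pcr_sel->count) {
++ LOG_ERR("Selection sizes do not match.");
++ return false;
++ }
++ for (uint32_t i = 0; i < attest_sel->count; i++) {
++ for (uint32_t j = 0; j < pcr_sel->count; j++) {
++ if (attest_sel->pcrSelections[i].hash ==
++ pcr_sel->pcrSelections[j].hash) {
++ if (attest_sel->pcrSelections[i].sizeofSelect !=
++ pcr_sel->pcrSelections[j].sizeofSelect) {
++ LOG_ERR("Bitmask size does not match");
++ return false;
++ }
++ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
++ &pcr_sel->pcrSelections[j].pcrSelect[0],
++ attest_sel->pcrSelections[i].sizeofSelect) != 0) {
++ LOG_ERR("Selection bitmasks do not match");
++ return false;
++ }
++ break;
++ }
++ if (j == pcr_sel->count - 1) {
++ LOG_ERR("Hash selections to not match.");
++ return false;
++ }
++ }
++ }
++ return true;
++}
++
+static bool verify(void) {
+
+bool result = false;
+@@ -374,7 +405,7 @@ static tool_rc init(void) {
+}
+
+TPM2B_ATTEST *msg = NULL;
+- TPML_PCR_SELECTION pcr_select;
++ TPML_PCR_SELECTION pcr_select = { 0 };
+tpm2_pcrs *pcrs;
+tpm2_pcrs temp_pcrs = {};
+tool_rc return_value = tool_rc_general_error;
+@@ -537,6 +568,14 @@ static tool_rc init(void) {
+goto err;
+}
+
++ if (ctx.flags.pcr) {
++ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
++ &pcr_select)) {
++ LOG_ERR("PCR selection does not match PCR slection from attest!");
++ goto err;
++ }
++ }
++
+// Figure out the digest for this message
+res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+msg->size, &ctx.msg_hash);
+--
+2.45.2
+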
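Review bot: compare_pcr_selection only checks that every attest entry has a matching entry in pcr_sel and relies on equal counts to cover the reverse direction; two attest entries carrying the same hash algorithm would both match the same pcr_sel entry and leave another pcr_sel entry unverified, so a symmetric check (or rejecting a repeated hash algorithm in either list) would make the comparison strict rather than count-based. The "no match" detection `if (j == pcr_sel->count - 1)` is correct but subtle, since it depends on the `break` above it being taken first; a comment saying so, or a flag set on match, would make the intent obvious. Two log messages carry typos worth fixing before they show up in bug reports: `LOG_ERR("Hash selections do not match.");` and `LOG_ERR("PCR selection does not match PCR selection from attest!");`. Neither argument is written, so the parameters can be `const TPML_PCR_SELECTION *`. init() starts and ends outside the hunks shown.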
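--- a/0005-tpm2_checkquote-Fix-check-of-magic-number.patch
+++ b/0005-tpm2_checkquote-Fix-check-of-magic-number.patch
@@ -0,0 +1,38 @@
+From 0f122ba3f7bdee12f8ee725db41d90e737fb3e49 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 31 Oct 2023 11:29:50 +0100
+Subject: [PATCH 5/6] tpm2_checkquote: Fix check of magic number.
+
+It was not checked whether the magic number in the
+attest is equal to TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by tpm2 checkquote.
+
+Fixes: CVE-2024-29038
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+tools/misc/tpm2_checkquote.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 8a2a154e..5083d855 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -146,6 +146,13 @@ static bool verify(void) {
+goto err;
+}
+
++ // check magic
++ if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
++ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
++ ctx.attest.magic, TPM2_GENERATED_VALUE);
++ return false;
++ }
++
+// Also ensure digest from quote matches PCR digest
+if (ctx.flags.pcr) {
+if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
+--
+2.45.2
+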
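Review bot: The new magic check leaves verify() with `return false;`, while the failure path immediately above it uses `goto err;`; if the `err` label (outside the hunk) releases anything acquired earlier, the early return skips that cleanup, so `goto err;` keeps the function's error handling uniform. The comment would also carry more weight if it said why the check matters, e.g. `// TPM2_GENERATED_VALUE marks a structure the TPM itself produced; reject anything else before trusting attested.*`. verify() starts and ends outside the hunk.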
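--- a/0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
+++ b/0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
@@ -0,0 +1,28 @@
+From d7c541d839d6c470fbd273d0c482091a1fe59fe6 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Tue, 18 Jun 2024 15:42:13 +0200
+Subject: [PATCH 6/6] tpm2_setprimarypolicy: Fix resource leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
+---
+tools/tpm2_setprimarypolicy.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/tools/tpm2_setprimarypolicy.c b/tools/tpm2_setprimarypolicy.c
+index 140a8083..459d3d03 100644
+--- a/tools/tpm2_setprimarypolicy.c
++++ b/tools/tpm2_setprimarypolicy.c
+@@ -134,6 +134,7 @@ static tool_rc process_setprimarypolicy_input(ESYS_CONTEXT *ectx,
+(*auth_policy)->buffer, &((*auth_policy)->size));
+if (!result) {
+LOG_ERR("Failed loading policy digest from path");
++ free(*auth_policy);
+return tool_rc_general_error;
+}
+}
+--
+2.45.2
+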
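Review bot: `free(*auth_policy)` on the failure path leaves the caller's pointer dangling; if the caller of process_setprimarypolicy_input also frees `*auth_policy` on error (not visible here) that becomes a double free, so add `*auth_policy = NULL;` immediately after the free so the out-parameter is safe to release again. process_setprimarypolicy_input starts and ends outside the hunk.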
@ -2,7 +2,7 @@
|
||||
|
||||
Name: tpm2-tools
|
||||
Version: 5.2
|
||||
Release: 3%{?candidate:.%{candidate}}%{?dist}
|
||||
Release: 4%{?candidate:.%{candidate}}%{?dist}
|
||||
Summary: A bunch of TPM testing toolS build upon tpm2-tss
|
||||
|
||||
License: BSD
|
||||
@ -38,6 +38,12 @@ Patch115: 0015-tpm-errata-switch-to-twos-complement.patch
|
||||
Patch116: 0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch
|
||||
Patch117: 0017-kdfa.c-Fix-problem-with-FORTIFY_SOURCE-on-Fedora.patch
|
||||
Patch118: add_pregenerated_doc.patch
|
||||
Patch201: 0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch
|
||||
Patch202: 0002-tpm2_tool.c-Fix-missing-include-for-basename.patch
|
||||
Patch203: 0003-tpm2_nvread-fix-input-handling-no-nv-index.patch
|
||||
Patch204: 0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch
|
||||
Patch205: 0005-tpm2_checkquote-Fix-check-of-magic-number.patch
|
||||
Patch206: 0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
|
||||
|
||||
BuildRequires: git
|
||||
BuildRequires: make
|
||||
@ -89,6 +95,15 @@ autoreconf -i
|
||||
%{_mandir}/man1/tss2_*.1.gz
|
||||
|
||||
%changelog
|
||||
* Wed Jun 19 2024 Štěpán Horáček <shoracek@redhat.com> - 5.2-4
|
||||
- Backport upstream fixes.
|
||||
- tpm2_checkquote: Fix check of magic number. (CVE-2024-29038)
|
||||
- tpm2_checkquote: Add comparison of pcr selection. (CVE-2024-29039)
|
||||
- Fix check of magic number.
|
||||
Resolves: RHEL-23198
|
||||
Resolves: RHEL-41031
|
||||
Resolves: RHEL-41035
|
||||
|
||||
* Wed May 24 2023 Štěpán Horáček <shoracek@redhat.com> - 5.2-3
|
||||
- Backport fixes.
|
||||
- Add tpm2_encodeobject tool.
|
||||
|