Compare commits

...

1 Commits
c8 ... c10-beta

Author SHA1 Message Date
ffdfe39f8c import RHEL 10 Beta tpm2-tools-5.7-2.el10 2024-11-20 13:51:21 +00:00
20 changed files with 314 additions and 1137 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/tpm2-tools-4.1.1.tar.gz tpm2-tools-5.7.tar.gz

View File

@ -1 +0,0 @@
d097d321237983435f05c974533ad90e6f20acef SOURCES/tpm2-tools-4.1.1.tar.gz

View File

@ -1,80 +0,0 @@
From e607f78a054acfdbe119499c3608bdb2a44423d9 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
Date: Thu, 7 May 2020 11:51:17 +0200
Subject: [PATCH] Fix ESYS_TR hierarchy transition
Fix those cases of TPM2_RH_ to ESYS_TR_RH_ translations that were missed in
780800c0be69a49b9097f8eae653cdb0623d2100
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
---
lib/tpm2.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/lib/tpm2.c b/lib/tpm2.c
index e7ff77047bef..909a4422339d 100644
--- a/lib/tpm2.c
+++ b/lib/tpm2.c
@@ -656,6 +656,12 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
{
#if defined(ESYS_3_0)
switch (hierarchy) {
+ case ESYS_TR_RH_NULL:
+ case ESYS_TR_RH_OWNER:
+ case ESYS_TR_RH_ENDORSEMENT:
+ case ESYS_TR_RH_PLATFORM:
+ case ESYS_TR_RH_PLATFORM_NV:
+ return hierarchy;
case TPM2_RH_NULL:
return ESYS_TR_RH_NULL;
case TPM2_RH_OWNER:
@@ -664,14 +670,16 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
return ESYS_TR_RH_ENDORSEMENT;
case TPM2_RH_PLATFORM:
return ESYS_TR_RH_PLATFORM;
+ case TPM2_RH_PLATFORM_NV:
+ return ESYS_TR_RH_PLATFORM_NV;
default:
- return TSS2_ESYS_RC_BAD_VALUE;
+ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy);
+ return 0xffffffff;
}
#elif defined(ESYS_2_3)
return hierarchy;
#else
- UNUSED(hierarchy);
- return TSS2_ESYS_RC_BAD_VALUE;
+#error "Need to define either ESYS_3_0 or ESYS_2_3"
#endif
}
@@ -1154,7 +1162,7 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context,
}
TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
- shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state);
+ shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state);
if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) {
LOG_PERR(Esys_HierarchyControl, rval);
return tool_rc_from_tpm(rval);
@@ -1251,7 +1259,7 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context,
TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer,
- TPM2_RH_NULL, result, validation);
+ fix_esys_hierarchy(TPM2_RH_NULL), result, validation);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_HMAC, rval);
return tool_rc_from_tpm(rval);
@@ -1907,7 +1915,7 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private,
TSS2_RC rval = Esys_LoadExternal(ectx,
ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
- private, public, hierarchy,
+ private, public, fix_esys_hierarchy(hierarchy),
object_handle);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_LoadExternal, rval);
--
2.27.0

View File

@ -1,211 +0,0 @@
From 2e7839b905f7a493f739d36e3e550e0cee30049e Mon Sep 17 00:00:00 2001
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
Date: Thu, 7 May 2020 19:12:36 +0200
Subject: [PATCH] Refactor fix_esys_hierarchies()
Refactor fix_esys_hierarchies() to return an actual TSS2_RC return code
and have an output parameter.
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
---
lib/tpm2.c | 88 +++++++++++++++++++++++++++++----------
lib/tpm2.h | 2 +-
tools/tpm2_loadexternal.c | 9 +++-
3 files changed, 75 insertions(+), 24 deletions(-)
diff --git a/lib/tpm2.c b/lib/tpm2.c
index 909a4422339d..744fed8c529f 100644
--- a/lib/tpm2.c
+++ b/lib/tpm2.c
@@ -645,39 +645,51 @@ tool_rc tpm2_evictcontrol(ESYS_CONTEXT *esys_context,
}
/* This function addresses ESAPI change that changes parameter type from
- * Esys_TR to TPMI_RH_HIERARCHY and breaks backwards compatibility.
+ * Esys_TR to TPMI_RH_HIERARCHY or TPMI_RH_ENABLES and breaks backwards
+ * compatibility.
* To keep the tools parameters consistent after v4.0 release we need to
* map the values to appropriate type based on the version of the ESYS API.
* Note: the mapping is based on the ESYS version recognized at compile time.
* The TSS change can be found here:
* https://github.com/tpm2-software/tpm2-tss/pull/1531
*/
-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
+TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out)
{
#if defined(ESYS_3_0)
- switch (hierarchy) {
+ switch (in) {
case ESYS_TR_RH_NULL:
+ /* FALLTHRU */
case ESYS_TR_RH_OWNER:
+ /* FALLTHRU */
case ESYS_TR_RH_ENDORSEMENT:
+ /* FALLTHRU */
case ESYS_TR_RH_PLATFORM:
+ /* FALLTHRU */
case ESYS_TR_RH_PLATFORM_NV:
- return hierarchy;
+ *out = in;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_NULL:
- return ESYS_TR_RH_NULL;
+ *out = ESYS_TR_RH_NULL;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_OWNER:
- return ESYS_TR_RH_OWNER;
+ *out = ESYS_TR_RH_OWNER;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_ENDORSEMENT:
- return ESYS_TR_RH_ENDORSEMENT;
+ *out = ESYS_TR_RH_ENDORSEMENT;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_PLATFORM:
- return ESYS_TR_RH_PLATFORM;
+ *out = ESYS_TR_RH_PLATFORM;
+ return TSS2_RC_SUCCESS;
case TPM2_RH_PLATFORM_NV:
- return ESYS_TR_RH_PLATFORM_NV;
+ *out = ESYS_TR_RH_PLATFORM_NV;
+ return TSS2_RC_SUCCESS;
default:
- LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy);
- return 0xffffffff;
+ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", in);
+ return TSS2_ESYS_RC_BAD_VALUE;
}
#elif defined(ESYS_2_3)
- return hierarchy;
+ *out = in;
+ return TSS2_RC_SUCCESS;
#else
#error "Need to define either ESYS_3_0 or ESYS_2_3"
#endif
@@ -688,8 +700,14 @@ tool_rc tpm2_hash(ESYS_CONTEXT *esys_context, ESYS_TR shandle1, ESYS_TR shandle2
TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **out_hash,
TPMT_TK_HASHCHECK **validation) {
- TSS2_RC rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data,
- hash_alg, fix_esys_hierarchy(hierarchy), out_hash, validation);
+ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data,
+ hash_alg, hierarchy, out_hash, validation);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_Hash, rval);
return tool_rc_from_tpm(rval);
@@ -729,9 +747,15 @@ tool_rc tpm2_sequence_complete(ESYS_CONTEXT *esys_context,
TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **result,
TPMT_TK_HASHCHECK **validation) {
- TSS2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
+ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_SequenceComplete(esys_context, sequence_handle,
ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, buffer,
- fix_esys_hierarchy(hierarchy), result, validation);
+ hierarchy, result, validation);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_SequenceComplete, rval);
return tool_rc_from_tpm(rval);
@@ -1161,8 +1185,14 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context,
return rc;
}
- TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
- shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state);
+ TSS2_RC rval = fix_esys_hierarchy(enable, &enable);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
+ shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state);
if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) {
LOG_PERR(Esys_HierarchyControl, rval);
return tool_rc_from_tpm(rval);
@@ -1257,9 +1287,17 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context,
return rc;
}
- TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
+ uint32_t hierarchy;
+
+ TSS2_RC rval = fix_esys_hierarchy(TPM2_RH_NULL, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_SequenceComplete(esys_context, sequence_handle,
hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer,
- fix_esys_hierarchy(TPM2_RH_NULL), result, validation);
+ hierarchy, result, validation);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_HMAC, rval);
return tool_rc_from_tpm(rval);
@@ -1913,9 +1951,15 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private,
const TPM2B_PUBLIC *public, TPMI_RH_HIERARCHY hierarchy,
ESYS_TR *object_handle) {
- TSS2_RC rval = Esys_LoadExternal(ectx,
+ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
+ rval = Esys_LoadExternal(ectx,
ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
- private, public, fix_esys_hierarchy(hierarchy),
+ private, public, hierarchy,
object_handle);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_LoadExternal, rval);
diff --git a/lib/tpm2.h b/lib/tpm2.h
index a37e05606c7a..2e4ae5e7dddc 100644
--- a/lib/tpm2.h
+++ b/lib/tpm2.h
@@ -389,7 +389,7 @@ tool_rc tpm2_policy_nv_written(ESYS_CONTEXT *esys_context,
ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2,
ESYS_TR shandle3, TPMI_YES_NO written_set);
-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy);
+TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out);
tool_rc tpm2_certifycreation(ESYS_CONTEXT *esys_context,
tpm2_loaded_object *signingkey_obj, tpm2_loaded_object *certifiedkey_obj,
diff --git a/tools/tpm2_loadexternal.c b/tools/tpm2_loadexternal.c
index 70fb72877aae..4127ca1b524b 100644
--- a/tools/tpm2_loadexternal.c
+++ b/tools/tpm2_loadexternal.c
@@ -48,9 +48,16 @@ static tpm_loadexternal_ctx ctx = {
static tool_rc load_external(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *pub,
TPM2B_SENSITIVE *priv, bool has_priv, TPM2B_NAME **name) {
+ uint32_t hierarchy;
+ TSS2_RC rval = fix_esys_hierarchy(ctx.hierarchy_value, &hierarchy);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_ERR("Unknown hierarchy");
+ return tool_rc_from_tpm(rval);
+ }
+
tool_rc rc = tpm2_loadexternal(ectx,
has_priv ? priv : NULL, pub,
- fix_esys_hierarchy(ctx.hierarchy_value), &ctx.handle);
+ hierarchy, &ctx.handle);
if (rc != tool_rc_success) {
return rc;
}
--
2.27.0

View File

@ -1,26 +0,0 @@
From 012249ad9d06d7534a94690a33638691f5104839 Mon Sep 17 00:00:00 2001
From: Radoslav Gerganov <rgerganov@vmware.com>
Date: Wed, 26 Feb 2020 10:40:26 +0200
Subject: [PATCH] lib/files: fix an error message in files_load_##name
Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
---
lib/files.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/files.c b/lib/files.c
index a6beea5b8ff2..ef2170b079e1 100644
--- a/lib/files.c
+++ b/lib/files.c
@@ -687,7 +687,7 @@ tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path)
size_t offset = 0; \
TSS2_RC rc = Tss2_MU_##type##_Unmarshal(buffer, size, &offset, name); \
if (rc != TSS2_RC_SUCCESS) { \
- LOG_ERR("Error serializing "str(name)" structure: 0x%x", rc); \
+ LOG_ERR("Error deserializing "str(name)" structure: 0x%x", rc); \
LOG_ERR("The input file needs to be a valid "xstr(type)" data structure"); \
return false; \
} \
--
2.31.0

View File

@ -1,42 +0,0 @@
From a20415d6f1d3fa09300ff1181646fe7e1785fd15 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Sun, 29 Mar 2020 10:14:28 -0700
Subject: [PATCH] lib/files.c: Fix an issue where execution could not reach
function return
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
lib/files.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/lib/files.c b/lib/files.c
index ef2170b079e1..501f88d11b48 100644
--- a/lib/files.c
+++ b/lib/files.c
@@ -607,9 +607,7 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
return true;
}
-// printf("Reading file: %s\n", path);
-// printf("size: %u\n", *size);
-
+ bool retval = true;
/* Read from stdin */
if (!input_buffer && !path) {
UINT16 read_bytes = 0;
@@ -640,10 +638,10 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
return true;
}
} else if (path) {
- return files_load_bytes_from_path(path, buf, size);
+ retval = files_load_bytes_from_path(path, buf, size);
}
- return false;
+ return retval;
}
tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path) {
--
2.31.0

View File

@ -1,63 +0,0 @@
From 77d4592e3eec9ec2c7932586f41f925b43ecc5ba Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Sun, 29 Mar 2020 10:22:42 -0700
Subject: [PATCH] tools/tpm2_nvcertify.c: Fix incompatible pointer cast that
may cause memory leak
Pointer "&ctx.size" and "&ctx.offset" points to an object whose effective type is
"unsigned short" (16 bits, unsigned) but is dereferenced as a wider
"unsigned int" (32 bits, unsigned). This may lead to memory corruption.
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
tools/tpm2_nvcertify.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/tools/tpm2_nvcertify.c b/tools/tpm2_nvcertify.c
index b49f38dbff20..414cbea85574 100644
--- a/tools/tpm2_nvcertify.c
+++ b/tools/tpm2_nvcertify.c
@@ -80,6 +80,7 @@ static bool set_signature_format(char *value) {
static bool on_option(char key, char *value) {
bool result = true;
+ uint32_t input_value;
switch (key) {
case 'C':
@@ -110,18 +111,30 @@ static bool on_option(char key, char *value) {
ctx.policy_qualifier_arg = value;
break;
case 0:
- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.size);
+ result = tpm2_util_string_to_uint32(value, &input_value);
if (!result) {
LOG_ERR("Could not convert size to number, got: \"%s\"", value);
return false;
}
+ if (input_value > UINT16_MAX) {
+ LOG_ERR("Specified size is larger than that allowed by command");
+ return false;
+ } else {
+ ctx.size = input_value;
+ }
break;
case 1:
- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.offset);
+ result = tpm2_util_string_to_uint32(value, &input_value);
if (!result) {
LOG_ERR("Could not convert offset to number, got: \"%s\"", value);
return false;
}
+ if (input_value > UINT16_MAX) {
+ LOG_ERR("Specified offset is larger than that allowed by command");
+ return false;
+ } else {
+ ctx.offset = input_value;
+ }
break;
case 2:
ctx.certify_info_path = value;
--
2.31.0

View File

@ -1,25 +0,0 @@
From 023ec5c0eafe8dfb5b71e400cb0c2c337fb8c108 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Sun, 29 Mar 2020 10:49:12 -0700
Subject: [PATCH] tools/tpm2_nvreadpublic: Fix resource leak
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
tools/tpm2_nvreadpublic.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/tpm2_nvreadpublic.c b/tools/tpm2_nvreadpublic.c
index 7f8e46cbf863..eca1fd715a79 100644
--- a/tools/tpm2_nvreadpublic.c
+++ b/tools/tpm2_nvreadpublic.c
@@ -41,6 +41,7 @@ static tool_rc print_nv_public(ESYS_CONTEXT *context, TPMI_RH_NV_INDEX index, TP
rc = tpm2_tr_get_name(context, tr_handle,
&name);
if (rc != tool_rc_success) {
+ free(attrs);
return rc;
}
--
2.31.0

View File

@ -1,28 +0,0 @@
From c28932caef2036039901a91cf55eb7ff093c70f5 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Fri, 24 Jan 2020 15:53:39 -0700
Subject: [PATCH] tpm2_alg_util.c: fix a bug where the string rsa3072 wasnt
being parsed
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
lib/tpm2_alg_util.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
index b83c387a05bd..fcad480e0c3d 100644
--- a/lib/tpm2_alg_util.c
+++ b/lib/tpm2_alg_util.c
@@ -301,6 +301,9 @@ static alg_parser_rc handle_rsa(const char *ext, TPM2B_PUBLIC *public) {
} else if (!strncmp(ext, "4096", 4)) {
r->keyBits = 4096;
ext += 4;
+ } else if (!strncmp(ext, "3072", 4)) {
+ r->keyBits = 3072;
+ ext += 4;
} else {
r->keyBits = 2048;
}
--
2.27.0

View File

@ -1,186 +0,0 @@
From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 21 May 2020 11:31:43 -0700
Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared
if policy specified
Fixes #2037
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
man/tpm2_create.1.md | 9 +++-
test/integration/tests/import_tpm.sh | 78 +++++++++++++++++-----------
tools/tpm2_create.c | 10 ++--
3 files changed, 60 insertions(+), 37 deletions(-)
diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md
index e8e5eaac49c3..9a7ba33e6017 100644
--- a/man/tpm2_create.1.md
+++ b/man/tpm2_create.1.md
@@ -13,7 +13,7 @@
**tpm2_create**(1) - Create a child object. The object can either be a key or
a sealing object. A sealing object allows to seal user data to the TPM, with a
maximum size of 256 bytes. Additionally it will load the created object if the
-**-o** is specified.
+**-c** is specified.
# OPTIONS
@@ -55,6 +55,13 @@ These options for creating the TPM entity:
and unsealing. I.e. one cannot use an object for sealing and cryptography
operations.
+ When **-L** is specified for adding policy based authorization information
+ AND no string password is specified, the attribute `TPMA_OBJECT_USERWITHAUTH`
+ is cleared unless an explicit choice is made by setting of the attribute
+ with **-a** option. This prevents creation of objects with inadvertant auth
+ model where in user intended to enforce a policy but inadvertantly created
+ an object with empty auth which can be used instead of policy authorization.
+
* **-i**, **\--sealing-input**=_FILE_ or _STDIN_:
The data file to be sealed, optional. If file is -, read from stdin.
diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh
index ff48185aba70..3d1e10820844 100755
--- a/test/integration/tests/import_tpm.sh
+++ b/test/integration/tests/import_tpm.sh
@@ -54,8 +54,13 @@ load_new_parent() {
create_load_duplicatee() {
# Create the key we want to duplicate
create_policy dpolicy.dat TPM2_CC_Duplicate
- tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \
- -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+ if [ -z "$2" ];then
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+ else
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+ fi
# Load the key
tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
# Extract the public part for import later
@@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do
done
done
-# Part 2 :
-# Create a rsa key (Kd)
-# Encrypt a message using Kd
-# Duplicate Kd
-# Import & Load Kd
-# Decrypt the message and verify
-tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
-# New parent ...
-create_load_new_parent
-# Key to be duplicated
-create_load_duplicatee rsa
-# Encrypt a secret message
-echo "Mary had a little lamb ..." > plain.txt
-tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
-# Duplicate the key
-do_duplication null
-# Remove, we're done with it
-rm new_parent.ctx
-# Load the full thing this time
-load_new_parent
-# Import & load the duplicate
-do_import_load null
-# Decrypt the secret message using duplicated key
-tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt
-# Check we got it right ...
-diff recovered.txt plain.txt
-# Cleanup
-rm plain.txt recovered.txt cipher.txt
-cleanup "no-shut-down"
+test_key_usage() {
+ # Part 2 :
+ # Create a rsa key (Kd)
+ # Encrypt a message using Kd
+ # Duplicate Kd
+ # Import & Load Kd
+ # Decrypt the message and verify
+ tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
+ # New parent ...
+ create_load_new_parent
+ # Key to be duplicated
+ create_load_duplicatee rsa "$1"
+ # Encrypt a secret message
+ echo "Mary had a little lamb ..." > plain.txt
+ tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
+ # Duplicate the key
+ do_duplication null
+ # Remove, we're done with it
+ rm new_parent.ctx
+ # Load the full thing this time
+ load_new_parent
+ # Import & load the duplicate
+ do_import_load null
+ # Decrypt the secret message using duplicated key
+ if [ -z "$1" ];then
+ tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt
+ else
+ tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt
+ fi
+ # Check we got it right ...
+ diff recovered.txt plain.txt
+ # Cleanup
+ rm plain.txt recovered.txt cipher.txt
+ cleanup "no-shut-down"
+}
+
+#Test key with password
+test_key_usage foo
+#Test key without password
+test_key_usage
exit 0
diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
index 941b77655f55..8e92cc747e17 100644
--- a/tools/tpm2_create.c
+++ b/tools/tpm2_create.c
@@ -47,7 +47,7 @@ struct tpm_create_ctx {
TPML_PCR_SELECTION creation_pcr;
struct {
- UINT8 b :1;
+ UINT8 a :1;
UINT8 i :1;
UINT8 L :1;
UINT8 u :1;
@@ -224,7 +224,7 @@ static bool on_option(char key, char *value) {
break;
case 'a':
ctx.object.attrs = value;
- ctx.flags.b = 1;
+ ctx.flags.a = 1;
break;
case 'i':
ctx.object.sealed_data = strcmp("-", value) ? value : NULL;
@@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
ctx.object.alg = "keyedhash";
- if (!ctx.flags.b) {
+ if (!ctx.flags.a) {
attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT;
attrs &= ~TPMA_OBJECT_DECRYPT;
attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
}
- } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) {
+ } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) {
attrs &= ~TPMA_OBJECT_DECRYPT;
}
@@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
return tool_rc_general_error;
}
- if (ctx.flags.L && !ctx.object.auth_str) {
+ if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) {
ctx.object.public.publicArea.objectAttributes &=
~TPMA_OBJECT_USERWITHAUTH;
}
--
2.27.0

View File

@ -1,49 +0,0 @@
From 8c72f7402d8977807f531b08976760d62676cf8a Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 23 Jan 2020 11:21:58 -0700
Subject: [PATCH] tpm2_getekcertificate: add default web address
Currently only Intel (R) PTT certificates are hosted online.
A default web address pointing to the endorsement key certificate
hosting will help reduce user input.
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
test/integration/tests/getekcertificate.sh | 6 ++----
tools/tpm2_getekcertificate.c | 1 +
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/test/integration/tests/getekcertificate.sh b/test/integration/tests/getekcertificate.sh
index 33f4f8b2e4c0..e8c521756d2a 100755
--- a/test/integration/tests/getekcertificate.sh
+++ b/test/integration/tests/getekcertificate.sh
@@ -38,12 +38,10 @@ else
fi
fi
-tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin \
-https://ekop.intel.com/ekcertservice/
+tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin
# Test that stdoutput is the same
-tpm2_getekcertificate -u test_ek.pub -x https://ekop.intel.com/ekcertservice/ \
--X > ECcert2.bin
+tpm2_getekcertificate -u test_ek.pub -x -X > ECcert2.bin
# stdout file should match -E file.
cmp ECcert.bin ECcert2.bin
diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c
index 233d04d8b3d7..6a8fe894bb1c 100644
--- a/tools/tpm2_getekcertificate.c
+++ b/tools/tpm2_getekcertificate.c
@@ -32,6 +32,7 @@ struct tpm_getekcertificate_ctx {
static tpm_getekcertificate_ctx ctx = {
.is_tpm2_device_active = true,
+ .ek_server_addr = "https://ekop.intel.com/ekcertservice/",
};
static unsigned char *hash_ek_public(void) {
--
2.31.0

View File

@ -1,37 +0,0 @@
From 334b4c739fa575fb4ea58f92df6de87c38e59e15 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 23 Jan 2020 08:06:56 -0700
Subject: [PATCH] tpm2_hierarchycontrol: Fixed bug where hierarchycontrol
operation failed silently
Fixes #1841
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
tools/tpm2_hierarchycontrol.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/tpm2_hierarchycontrol.c b/tools/tpm2_hierarchycontrol.c
index 0baf2ca487d3..7e9e2c657544 100644
--- a/tools/tpm2_hierarchycontrol.c
+++ b/tools/tpm2_hierarchycontrol.c
@@ -32,8 +32,14 @@ static tool_rc hierarchycontrol(ESYS_CONTEXT *ectx) {
ctx.enable == TPM2_RH_ENDORSEMENT ? "ehEnable" : "phEnableNV",
ctx.state ? "SET" : "CLEAR");
- return tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object, ctx.enable,
- ctx.state);
+ tool_rc rc = tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object,
+ ctx.enable, ctx.state);
+
+ if (rc != tool_rc_success) {
+ LOG_ERR("Failed hierarchycontrol operation.");
+ }
+
+ return rc;
}
bool on_arg(int argc, char **argv) {
--
2.27.0

View File

@ -1,46 +0,0 @@
From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 21 May 2021 12:22:31 -0500
Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
tpm2_import used a fixed AES key for the inner wrapper, which means that
a MITM attack would be able to unwrap the imported key. Even the
use of an encrypted session will not prevent this. The TPM only
encrypts the first parameter which is the fixed symmetric key.
To fix this, ensure the key size is 16 bytes or bigger and use
OpenSSL to generate a secure random AES key.
Fixes: #2738
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
tools/tpm2_import.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
index cfb6f207ba9c..f44326c87e7e 100644
--- a/tools/tpm2_import.c
+++ b/tools/tpm2_import.c
@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
TPM2B_DATA enc_sensitive_key = {
.size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
};
- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
+
+ if(enc_sensitive_key.size < 16) {
+ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
+ return tool_rc_general_error;
+ }
+
+ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
+ if (ossl_rc != 1) {
+ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
+ return tool_rc_general_error;
+ }
/*
* Calculate the object name.
--
2.31.0

View File

@ -1,31 +0,0 @@
From 652322f7278ec8c384fde9ec2204b06d084a24e4 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 23 Jan 2020 07:54:58 -0700
Subject: [PATCH] tpm2_nvdefine.c: Fixed error reporting message
Fixes #1861
NV define failure error message had the wording to suggest NV index
was successfully defined.
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
tools/tpm2_nvdefine.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tpm2_nvdefine.c b/tools/tpm2_nvdefine.c
index cb2949c4dddc..71203cb6c80d 100644
--- a/tools/tpm2_nvdefine.c
+++ b/tools/tpm2_nvdefine.c
@@ -65,7 +65,7 @@ static tool_rc nv_space_define(ESYS_CONTEXT *ectx) {
tool_rc rc = tpm2_nv_definespace(ectx, &ctx.auth_hierarchy.object,
&ctx.nv_auth, &public_info);
if (rc != tool_rc_success) {
- LOG_INFO("Success to define NV area at index 0x%x.", ctx.nv_index);
+ LOG_ERR("Failed to create NV index 0x%x.", ctx.nv_index);
return rc;
}
--
2.27.0

View File

@ -1,28 +0,0 @@
From e556da0a2099573f82391c16477fba08584a7a12 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Tue, 10 Mar 2020 09:15:55 -0700
Subject: [PATCH] tpm2_policy.c: restrict policy digest size
Fixes #1916
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
lib/tpm2_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
index 6c352b2b41ae..01387ba01645 100644
--- a/lib/tpm2_policy.c
+++ b/lib/tpm2_policy.c
@@ -163,7 +163,7 @@ tool_rc tpm2_policy_build_policyauthorize(ESYS_CONTEXT *ectx,
bool result = true;
TPM2B_DIGEST approved_policy = { .size = 0 };
if (policy_digest_path) {
- approved_policy.size = UINT16_MAX;
+ approved_policy.size = sizeof(TPMU_HA);
result = files_load_bytes_from_path(policy_digest_path,
approved_policy.buffer, &approved_policy.size);
}
--
2.31.0

View File

@ -1,30 +0,0 @@
From cab7b3edcc6a44aece0642c0c2621a4bb70d449b Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Tue, 10 Mar 2020 18:19:04 -0700
Subject: [PATCH] tpm2_policycountertimer: Fix an issue where operandB array
was reversed
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
tools/tpm2_policycountertimer.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/tpm2_policycountertimer.c b/tools/tpm2_policycountertimer.c
index 1c72d525dab7..170a544f2203 100644
--- a/tools/tpm2_policycountertimer.c
+++ b/tools/tpm2_policycountertimer.c
@@ -81,7 +81,10 @@ static bool convert_keyvalue_to_operand_buffer(const char *value,
}
ctx.operand_b.size = size;
- memcpy(ctx.operand_b.buffer, &data.b, size);
+ size_t i = 0;
+ for (i = 0; i < size; i++) {
+ ctx.operand_b.buffer[i] = *(&data.b + size - i - 1);
+ }
return true;
}
--
2.31.0

View File

@ -1,26 +0,0 @@
From 44d0d2d17dc693e029e0557ec985c9b68c3efeb5 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Wed, 22 Jan 2020 14:15:48 -0700
Subject: [PATCH] tpm2_policyor: Silent failure bug fix for invalid/unspecified
policy digest alg
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
lib/tpm2_policy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
index 3d9b5491f9ce..8460bd1d9ae9 100644
--- a/lib/tpm2_policy.c
+++ b/lib/tpm2_policy.c
@@ -588,6 +588,7 @@ bool tpm2_policy_parse_policy_list(char *str, TPML_DIGEST *policy_list) {
hash = tpm2_alg_util_from_optarg(subtoken,
tpm2_alg_util_flags_hash);
if (hash == TPM2_ALG_ERROR) {
+ LOG_ERR("Invalid/ Unspecified policy digest algorithm.");
return false;
}
}
--
2.27.0

View File

@ -1,227 +0,0 @@
Name: tpm2-tools
Version: 4.1.1
Release: 5%{?dist}
Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
License: BSD
URL: https://github.com/tpm2-software/tpm2-tools
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch0: 0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch
Patch1: 0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch
Patch2: 0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch
Patch3: 0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
Patch4: 0001-Fix-ESYS_TR-hierarchy-transition.patch
Patch5: 0001-Refactor-fix_esys_hierarchies.patch
Patch6: 0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
Patch7: 0001-tpm2_getekcertificate-add-default-web-address.patch
Patch8: 0001-lib-files-fix-an-error-message-in-files_load_-name.patch
Patch9: 0001-tpm2_policy.c-restrict-policy-digest-size.patch
Patch10: 0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
Patch11: 0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
Patch12: 0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
Patch13: 0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
Patch14: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
BuildRequires: gcc-c++
BuildRequires: libtool
BuildRequires: autoconf-archive
BuildRequires: pandoc
BuildRequires: pkgconfig(cmocka)
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(openssl)
# tpm2-tss-devel provides tss2-mu/sys/esys package config
BuildRequires: pkgconfig(tss2-mu)
BuildRequires: pkgconfig(tss2-sys)
BuildRequires: pkgconfig(tss2-esys)
# tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required
Requires: tpm2-tss%{?_isa} >= 2.3.2-1%{?dist}
# tpm2-tools project changed the install path for binaries and man page section
Obsoletes: tpm2-tools <= 2.1.1-2
%description
tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
%prep
%autosetup -p1 -n %{name}-%{version}
%build
%configure --prefix=/usr --disable-static --disable-silent-rules
%make_build
%install
%make_install
%files
%doc README.md CHANGELOG.md
%license LICENSE
%{_bindir}/tpm2_*
%{_datadir}/bash-completion/completions/tpm2*
%{_mandir}/man1/tpm2_*.1.gz
%changelog
* Mon Aug 09 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-5
- Bump nvr to trigger osci.
resolves: rhbz#1965981
* Tue Jun 01 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-4
- Fix CVE-2021-3565
resolves: rhbz#1965981
* Fri May 14 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-3
- Fix resource leak.
- Fix to restrict policy digest size.
- Fix incompatible pointer cast.
- Fix error message in files_load_##name
- Fix issue where execution couldn't reach function return.
resolves: rhbz#1920821
* Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-2
- Fix ESYS_TR hierarchy transition.
- Refactor fix_esys_hierarchies to return actual TSS2_RC return code.
- tpm2_alg_util.c: fix a bug where the string rsa3072 wasn't being parsed.
- tpm2_create.c: Fix an issue where userwithauth attr cleared if policy specified.
- tpm2_hierarchycontrol: Fix bug where hierarchycontrol operation failed silently.
- tpm2_nvdefine.c: Fix error reporting message.
- tpm2_policyor: Fix silent failure for invalid/unspecified policy digest alg.
resolves: rhbz#1854774
* Wed Apr 29 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-1
- Update to 4.1.1 release
resolves: rhbz#1789682
* Tue Oct 22 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.2.1-1
- Update to 3.2.1 release
resolves: rhbz#1725714
* Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-5
- Another dependency needed for CI gating
resolves: rhbz#1682417
* Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-4
- Fix CI dependency
resolves: rhbz#1682417
* Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-3
- Add CI gating test
resolves: rhbz#1682417
* Tue May 14 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-2
- Add initial CI gating support
resolves: rhbz#1682417
* Tue Apr 30 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-1
- Rebase to 3.1.4 release.
resolves: rhbz#1664498
* Thu Nov 08 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.1-4
- lib/tpm2_options: restore TCTI configuration environment variables
- tpm2_getcap: restore tool output to print properties with TPM_PT prefix
resolves: rhbz#1648001
* Sat Jul 14 2018 Javier Martinez Canillas <javierm@redhat.com> - - 3.1.1-3
- Revert backward incompatible change that removes default object attributes
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jul 12 2018 Yunying Sun <yunying.sun@intel.com> - 3.1.1-1
- Update to 3.1.1 release
* Thu Jul 5 2018 Yunying Sun <yunying.sun@intel.com> - 3.1.0-1
- Update Requires version of tpm2-tss to 2.0.0
- Remove BuildRequires for tcti-abrmd since it is optional
- Remove BuildRequires for tcti-{device,mssim} as it is now dynamically loaded
- Update to 3.1.0 release
* Mon Apr 30 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.0.4-1
- Update URLs to point to the new project location
- Update to 3.0.4 release
* Wed Feb 21 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.0.3-3
- Remove ExclusiveArch: x86_64 directive
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Jan 16 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.0.3-1
- Update to 3.0.3 release
* Mon Dec 18 2017 Javier Martinez Canillas <javierm@redhat.com> - 3.0.2-1
- Update to 3.0.2 release
* Tue Dec 12 2017 Javier Martinez Canillas <javierm@redhat.com> - 3.0.1-1
- Update to 3.0.1 release (RHBZ#1512743)
- Download the generated tarball provided instead of the source code tarball
* Fri Dec 08 2017 Javier Martinez Canillas <javierm@redhat.com> - 3.0-1
- Update to 3.0 release
* Wed Nov 29 2017 Javier Martinez Canillas <javierm@redhat.com> - 3.0-0.1.rc1
- Update to 3.0 release candidate 1
- Update URLs to point to the new project location
- Make the package to obsolete version 2.1.1
* Wed Nov 01 2017 Javier Martinez Canillas <javierm@redhat.com> - 2.1.1-1
- Rename remaining tpm2.0-tools prefixes to tpm2-tools
- Remove global pkg_prefix since now the upstream repo and package names match
- Remove downstream patches since now these are in the latest upstream release
- Update to 2.1.1 release (RHBZ#1504438)
* Thu Oct 19 2017 Jerry Snitselaar <jsnitsel@redhat.com> - 2.1.0-7
- Clean up potential memleak (RHBZ#1503959)
* Thu Oct 05 2017 Javier Martinez Canillas <javierm@redhat.com> - 2.1.0-6
- Add tpm2-abrmd-devel BuildRequires so tools have abrmd support (RHBZ#1498909)
* Fri Aug 18 2017 Javier Martinez Canillas <javierm@redhat.com> - 2.1.0-5
- Remove unneeded source tarballs (RHBZ#1482830)
* Tue Aug 15 2017 Sun Yunying <yunying.sun@intel.com> - 2.1.0-4
- Add patch to fix build error when openssl-devel is installed(RHBZ#1481236)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Mon Jul 31 2017 Sun Yunying <yunying.sun@intel.com> - 2.1.0-2
- Add patch to fix gcc7 complaining about implicit-fallthrough cases
* Fri Jul 28 2017 Sun Yunying <yunying.sun@intel.com> - 2.1.0-1
- Update to latest upstream release 2.1.0
* Fri Jul 28 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-9
- Update Requires dependency so that tpm2-tss update won't break tpm2-tools
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed May 10 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-7
- Only update release version to make fedpkg build works for f26
* Wed Mar 1 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-6
- Update tpm2-tss version to 1.0-3 to fix broken dependency on f26
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 20 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-4
- Dependency check failed for Requires again, here to fix this
- Update release version and changelog
* Thu Jan 19 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-3
- Change spec file permission to 644 to avoid rpmlint complain
- Update Requires to fix dependency check error reported in Bodhi
- Remove tpm2-tss-devel version in BuildRequires comment
- Update release version and changelog
* Wed Dec 21 2016 Sun Yunying <yunying.sun@intel.com> - 1.1.0-2
- Remove pkg_version to avoid dupliate use of version
- Remove redundant BuildRequires for autoconf/automake/pkgconfig
- Add comments for BuildRequires of sapi/tcti-device/tcti-socket
- Use ExclusiveArch instead of ExcludeArch
- Requires tpm2-tss version updated to 1.0-2
- Updated release version and changelog
* Fri Dec 2 2016 Sun Yunying <yunying.sun@intel.com> - 1.1.0-1
- Initial version of the package

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (tpm2-tools-5.7.tar.gz) = 629b0b1826815877f452935285f7b3fe0f32bd24fe9130eb169a2dc9b7b254a737797043af9eea68be706b87c32ab2b7189151360c9c00bc5c31dce62a799670

312
tpm2-tools.spec Normal file
View File

@ -0,0 +1,312 @@
#global candidate rc1
Name: tpm2-tools
Version: 5.7
Release: 2%{?candidate:.%{candidate}}%{?dist}
Summary: A bunch of TPM testing toolS build upon tpm2-tss
License: BSD-3-Clause
URL: https://github.com/tpm2-software/tpm2-tools
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}%{?candidate:-%{candidate}}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz
BuildRequires: make
BuildRequires: gcc-c++
BuildRequires: libtool
BuildRequires: autoconf-archive
%if ! 0%{?rhel}
BuildRequires: pandoc
%endif
BuildRequires: pkgconfig(cmocka)
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(openssl)
# tpm2-tss-devel provides tss2-mu/sys/esys package config
BuildRequires: pkgconfig(tss2-mu) >= 3.1.0
BuildRequires: pkgconfig(tss2-sys) >= 3.1.0
BuildRequires: pkgconfig(tss2-esys) >= 3.1.0
BuildRequires: pkgconfig(uuid)
# tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required
Requires: tpm2-tss%{?_isa} >= 3.1.0
%description
tpm2-tools is a batch of tools for tpm2.0. It is based on tpm2-tss.
%prep
%autosetup -p1 -n %{name}-%{version}%{?candidate:-%{candidate}}
%build
%configure --prefix=/usr --disable-static --disable-silent-rules
%make_build
%install
%make_install
%files
%license docs/LICENSE
%doc docs/README.md docs/CHANGELOG.md
%{_bindir}/tpm2
%{_bindir}/tpm2_*
%{_bindir}/tss2
%{_bindir}/tss2_*
%{_datadir}/bash-completion/completions/tpm2*
%{_datadir}/bash-completion/completions/tss2*
%{_mandir}/man1/tpm2_*.1.gz
%{_mandir}/man1/tpm2.1.gz
%{_mandir}/man1/tss2_*.1.gz
%changelog
* Wed May 22 2024 Štěpán Horáček <shoracek@redhat.com> - 5.7-2
- Rebuild for gating
Resolves: RHEL-23199
* Tue May 14 2024 Štěpán Horáček <shoracek@redhat.com> - 5.7-1
- Update to 5.7
Resolves: RHEL-23199
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Nov 12 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.6-1
- Update to 5.6
* Tue Sep 26 2023 Štěpán Horáček <shoracek@redhat.com> - 5.5-5
- Migrate license to SPDX
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Mon Apr 17 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 5.5-3
- Disable compiler optimization to fix LTO + FORTIFY_SOURCE=3 issue
Resolves rhbz#2171376
* Tue Feb 21 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 5.5-2
- Disable manpage regeneration in RHEL/ELN builds
* Thu Feb 16 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.5-1
- Update to 5.5
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.5-0.2.rc1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Dec 19 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.5-0.1.rc1
- Update to 5.5-RC1
- Enable LTO (RHBZ#1986628)
* Thu Dec 08 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.4-1
- Update to 5.4
* Wed Sep 28 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.3-1
- Update to 5.3
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sat Oct 02 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.2-1
- Update to 5.2
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.1.1-3
- Rebuilt with OpenSSL 3.0.0
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Jun 21 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.1.1-1
- Update to 5.1.1
- Fixes CVE-2021-3565 (rhbz 1964428)
* Tue May 25 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.1-1
- Update to 5.1
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 23 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 5.0-1
- Update tp tpm2-tools 5.0
* Sat Aug 29 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 4.3.0-1
- Update to 4.3.0
* Mon Aug 10 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 4.2.1-4
- Rebuild for tpm2-tss 3.0
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 4.2.1-2
- Disable LTO due to latent uninitialized variable exposed by LTO
* Wed May 27 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 4.2.1-1
- Update to 4.2.1
* Tue Apr 14 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 4.2-1
- Update to 4.2
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Nov 28 2019 Yunying Sun <yunying.sun@intel.com> - 4.1-1
- Update to 4.1 release
* Tue Oct 29 2019 Yunying Sun <yunying.sun@intel.com> - 4.0.1-1
- Update to 4.0.1 release
* Tue Sep 10 2019 Peter Robinson <pbrobinson@fedoraproject.org> 4.0-1
- Update to 4.0
* Fri Sep 6 2019 Javier Martinez Canillas <javierm@redhat.com> 4.0-0.4-rc2
- Use a release tarball instead of a source code tarball
* Fri Sep 6 2019 Peter Robinson <pbrobinson@fedoraproject.org> 4.0-0.3-rc2
- Update to 4.0 RC2
* Tue Aug 27 2019 Peter Robinson <pbrobinson@fedoraproject.org> 4.0-0.2-rc1
- Update to 4.0 RC1
* Tue Aug 20 2019 Peter Robinson <pbrobinson@fedoraproject.org> 4.0-0.1-rc0
- Update to 4.0 RC0
* Thu Aug 1 2019 Peter Robinson <pbrobinson@fedoraproject.org> 3.2.0-3
- Fix for crash for max PCRs available
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jun 21 2019 Yunying Sun <yunying.sun@intel.com> - 3.2.0-1
- Update to 3.2.0 release
- Removed patches since all have been included in 3.2.0 release
* Fri May 10 2019 Javier Martinez Canillas <javierm@redhat.com> - 3.1.4-2
- Allow tpm2_makecredential to run without a TPM (jetwhiz)
- Add tpm2_pcrreset and tpm2_checkquote tools (jetwhiz)
* Fri Mar 15 2019 Yunying Sun <yunying.sun@intel.com> - 3.1.4-1
- Update to 3.1.4 release
- Removed the 4 patches since all have been included in 3.1.4 release
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 7 2019 Javier Martinez Canillas <javierm@redhat.com> - 3.1.3-3
- Fix broken -T option when passing additional arguments
* Mon Jan 7 2019 Javier Martinez Canillas <javierm@redhat.com> - 3.1.3-2
- Fix broken -T option and a couple of minor fixes
- Add pandoc BuildRequires
* Wed Nov 7 2018 Yunying Sun <yunying.sun@intel.com> - 3.1.3-1
- Update to 3.1.3 release
* Wed Sep 12 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.1.2-1
- Update to 3.1.2 release
- Restore TCTI configuration environment for tools
- Restore tpm2_getcap tool properties output
Resolves: rhbz#1625647
* Sat Jul 14 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.1.1-3
- Revert backward incompatible change that removes default object attributes
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jul 12 2018 Yunying Sun <yunying.sun@intel.com> - 3.1.1-1
- Update to 3.1.1 release
* Thu Jul 5 2018 Yunying Sun <yunying.sun@intel.com> - 3.1.0-1
- Update Requires version of tpm2-tss to 2.0.0
- Remove BuildRequires for tcti-abrmd since it is optional
- Remove BuildRequires for tcti-{device,mssim} as it is now dynamically loaded
- Update to 3.1.0 release
* Mon Apr 30 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.0.4-1
- Update URLs to point to the new project location
- Update to 3.0.4 release
* Wed Feb 21 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.0.3-3
- Remove ExclusiveArch: x86_64 directive
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Jan 16 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.0.3-1
- Update to 3.0.3 release
* Mon Dec 18 2017 Javier Martinez Canillas <javierm@redhat.com> - 3.0.2-1
- Update to 3.0.2 release
* Tue Dec 12 2017 Javier Martinez Canillas <javierm@redhat.com> - 3.0.1-1
- Update to 3.0.1 release (RHBZ#1512743)
- Download the generated tarball provided instead of the source code tarball
* Fri Dec 08 2017 Javier Martinez Canillas <javierm@redhat.com> - 3.0-1
- Update to 3.0 release
* Wed Nov 29 2017 Javier Martinez Canillas <javierm@redhat.com> - 3.0-0.1.rc1
- Update to 3.0 release candidate 1
- Update URLs to point to the new project location
- Make the package to obsolete version 2.1.1
* Wed Nov 01 2017 Javier Martinez Canillas <javierm@redhat.com> - 2.1.1-1
- Rename remaining tpm2.0-tools prefixes to tpm2-tools
- Remove global pkg_prefix since now the upstream repo and package names match
- Remove downstream patches since now these are in the latest upstream release
- Update to 2.1.1 release (RHBZ#1504438)
* Thu Oct 19 2017 Jerry Snitselaar <jsnitsel@redhat.com> - 2.1.0-7
- Clean up potential memleak (RHBZ#1503959)
* Thu Oct 05 2017 Javier Martinez Canillas <javierm@redhat.com> - 2.1.0-6
- Add tpm2-abrmd-devel BuildRequires so tools have abrmd support (RHBZ#1498909)
* Fri Aug 18 2017 Javier Martinez Canillas <javierm@redhat.com> - 2.1.0-5
- Remove unneeded source tarballs (RHBZ#1482830)
* Tue Aug 15 2017 Sun Yunying <yunying.sun@intel.com> - 2.1.0-4
- Add patch to fix build error when openssl-devel is installed(RHBZ#1481236)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Mon Jul 31 2017 Sun Yunying <yunying.sun@intel.com> - 2.1.0-2
- Add patch to fix gcc7 complaining about implicit-fallthrough cases
* Fri Jul 28 2017 Sun Yunying <yunying.sun@intel.com> - 2.1.0-1
- Update to latest upstream release 2.1.0
* Fri Jul 28 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-9
- Update Requires dependency so that tpm2-tss update won't break tpm2-tools
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed May 10 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-7
- Only update release version to make fedpkg build works for f26
* Wed Mar 1 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-6
- Update tpm2-tss version to 1.0-3 to fix broken dependency on f26
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 20 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-4
- Dependency check failed for Requires again, here to fix this
- Update release version and changelog
* Thu Jan 19 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-3
- Change spec file permission to 644 to avoid rpmlint complain
- Update Requires to fix dependency check error reported in Bodhi
- Remove tpm2-tss-devel version in BuildRequires comment
- Update release version and changelog
* Wed Dec 21 2016 Sun Yunying <yunying.sun@intel.com> - 1.1.0-2
- Remove pkg_version to avoid dupliate use of version
- Remove redundant BuildRequires for autoconf/automake/pkgconfig
- Add comments for BuildRequires of sapi/tcti-device/tcti-socket
- Use ExclusiveArch instead of ExcludeArch
- Requires tpm2-tss version updated to 1.0-2
- Updated release version and changelog
* Fri Dec 2 2016 Sun Yunying <yunying.sun@intel.com> - 1.1.0-1
- Initial version of the package