No commits in common. "c8" and "c9-beta" have entirely different histories.
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/tpm2-tools-4.1.1.tar.gz
|
||||
SOURCES/tpm2-tools-5.2.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
d097d321237983435f05c974533ad90e6f20acef SOURCES/tpm2-tools-4.1.1.tar.gz
|
||||
00dc3b052d3b4ea44aeda95a9b3a6809ee471358 SOURCES/tpm2-tools-5.2.tar.gz
|
||||
|
@ -1,80 +0,0 @@
|
||||
From e607f78a054acfdbe119499c3608bdb2a44423d9 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
|
||||
Date: Thu, 7 May 2020 11:51:17 +0200
|
||||
Subject: [PATCH] Fix ESYS_TR hierarchy transition
|
||||
|
||||
Fix those cases of TPM2_RH_ to ESYS_TR_RH_ translations that were missed in
|
||||
780800c0be69a49b9097f8eae653cdb0623d2100
|
||||
|
||||
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
|
||||
---
|
||||
lib/tpm2.c | 20 ++++++++++++++------
|
||||
1 file changed, 14 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2.c b/lib/tpm2.c
|
||||
index e7ff77047bef..909a4422339d 100644
|
||||
--- a/lib/tpm2.c
|
||||
+++ b/lib/tpm2.c
|
||||
@@ -656,6 +656,12 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
|
||||
{
|
||||
#if defined(ESYS_3_0)
|
||||
switch (hierarchy) {
|
||||
+ case ESYS_TR_RH_NULL:
|
||||
+ case ESYS_TR_RH_OWNER:
|
||||
+ case ESYS_TR_RH_ENDORSEMENT:
|
||||
+ case ESYS_TR_RH_PLATFORM:
|
||||
+ case ESYS_TR_RH_PLATFORM_NV:
|
||||
+ return hierarchy;
|
||||
case TPM2_RH_NULL:
|
||||
return ESYS_TR_RH_NULL;
|
||||
case TPM2_RH_OWNER:
|
||||
@@ -664,14 +670,16 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
|
||||
return ESYS_TR_RH_ENDORSEMENT;
|
||||
case TPM2_RH_PLATFORM:
|
||||
return ESYS_TR_RH_PLATFORM;
|
||||
+ case TPM2_RH_PLATFORM_NV:
|
||||
+ return ESYS_TR_RH_PLATFORM_NV;
|
||||
default:
|
||||
- return TSS2_ESYS_RC_BAD_VALUE;
|
||||
+ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy);
|
||||
+ return 0xffffffff;
|
||||
}
|
||||
#elif defined(ESYS_2_3)
|
||||
return hierarchy;
|
||||
#else
|
||||
- UNUSED(hierarchy);
|
||||
- return TSS2_ESYS_RC_BAD_VALUE;
|
||||
+#error "Need to define either ESYS_3_0 or ESYS_2_3"
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -1154,7 +1162,7 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context,
|
||||
}
|
||||
|
||||
TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
|
||||
- shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state);
|
||||
+ shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state);
|
||||
if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) {
|
||||
LOG_PERR(Esys_HierarchyControl, rval);
|
||||
return tool_rc_from_tpm(rval);
|
||||
@@ -1251,7 +1259,7 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context,
|
||||
|
||||
TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
|
||||
hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer,
|
||||
- TPM2_RH_NULL, result, validation);
|
||||
+ fix_esys_hierarchy(TPM2_RH_NULL), result, validation);
|
||||
if (rval != TSS2_RC_SUCCESS) {
|
||||
LOG_PERR(Esys_HMAC, rval);
|
||||
return tool_rc_from_tpm(rval);
|
||||
@@ -1907,7 +1915,7 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private,
|
||||
|
||||
TSS2_RC rval = Esys_LoadExternal(ectx,
|
||||
ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
|
||||
- private, public, hierarchy,
|
||||
+ private, public, fix_esys_hierarchy(hierarchy),
|
||||
object_handle);
|
||||
if (rval != TSS2_RC_SUCCESS) {
|
||||
LOG_PERR(Esys_LoadExternal, rval);
|
||||
--
|
||||
2.27.0
|
||||
|
62
SOURCES/0001-Fix-nv_readpublic.patch
Normal file
@ -0,0 +1,62 @@
|
||||
From 4dffb4295392f69f00003b2879f60bd36076f22d Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Tue, 7 Dec 2021 13:21:58 -0700
|
||||
Subject: [PATCH 01/17] Fix nv_readpublic
|
||||
|
||||
Based on 4af3e6b4 tpm2_nvreadpublic: Add option to output cpHash
|
||||
---
|
||||
lib/tpm2.c | 11 +++++++++--
|
||||
lib/tpm2_nv_util.h | 14 +-------------
|
||||
2 files changed, 10 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2.c b/lib/tpm2.c
|
||||
index 4ee27c8c..d91072ae 100644
|
||||
--- a/lib/tpm2.c
|
||||
+++ b/lib/tpm2.c
|
||||
@@ -101,9 +101,16 @@ tool_rc tpm2_close(ESYS_CONTEXT *esys_context, ESYS_TR *rsrc_handle) {
|
||||
tool_rc tpm2_nv_readpublic(ESYS_CONTEXT *esys_context, ESYS_TR nv_index,
|
||||
TPM2B_NV_PUBLIC **nv_public, TPM2B_NAME **nv_name) {
|
||||
|
||||
- TSS2_RC rval = Esys_NV_ReadPublic(esys_context, nv_index,
|
||||
- ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, nv_public, nv_name);
|
||||
+ ESYS_TR esys_tr_nv_index;
|
||||
+ TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE,
|
||||
+ ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_index);
|
||||
+ if (rval != TPM2_RC_SUCCESS) {
|
||||
+ LOG_PERR(Esys_TR_FromTPMPublic, rval);
|
||||
+ return tool_rc_from_tpm(rval);
|
||||
+ }
|
||||
|
||||
+ rval = Esys_NV_ReadPublic(esys_context, esys_tr_nv_index,
|
||||
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, nv_public, nv_name);
|
||||
if (rval != TSS2_RC_SUCCESS) {
|
||||
LOG_PERR(Esys_NV_ReadPublic, rval);
|
||||
return tool_rc_from_tpm(rval);
|
||||
diff --git a/lib/tpm2_nv_util.h b/lib/tpm2_nv_util.h
|
||||
index 99843156..daf8b624 100644
|
||||
--- a/lib/tpm2_nv_util.h
|
||||
+++ b/lib/tpm2_nv_util.h
|
||||
@@ -28,19 +28,7 @@
|
||||
static inline tool_rc tpm2_util_nv_read_public(ESYS_CONTEXT *context,
|
||||
TPMI_RH_NV_INDEX nv_index, TPM2B_NV_PUBLIC **nv_public) {
|
||||
|
||||
- ESYS_TR tr_object;
|
||||
- tool_rc rc = tpm2_from_tpm_public(context, nv_index, ESYS_TR_NONE,
|
||||
- ESYS_TR_NONE, ESYS_TR_NONE, &tr_object);
|
||||
- if (rc != tool_rc_success) {
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
- rc = tpm2_nv_readpublic(context, tr_object, nv_public, NULL);
|
||||
- tool_rc tmp_rc = tpm2_close(context, &tr_object);
|
||||
- if (tmp_rc != tool_rc_success) {
|
||||
- rc = tmp_rc;
|
||||
- }
|
||||
- return rc;
|
||||
+ return tpm2_nv_readpublic(context, nv_index, nv_public, 0);
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.40.1
|
||||
|
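Review bot: The `ESYS_TR` that `tpm2_nv_readpublic` now creates with `Esys_TR_FromTPMPublic` is never released: the old wrapper in lib/tpm2_nv_util.h paired `tpm2_from_tpm_public` with `tpm2_close(context, &tr_object)`, and that close is deleted here with no equivalent added on the lib/tpm2.c side, so every call leaks one ESYS object for the lifetime of the context. A `tool_rc tmp_rc = tpm2_close(esys_context, &esys_tr_nv_index);` directly after the `Esys_NV_ReadPublic` call, folded into the returned rc the way the removed code did, restores the previous behaviour; the function's tail (the `rval` check and return) runs past the hunk. Two smaller points: the parameter is still declared `ESYS_TR nv_index` although it is now handed to `Esys_TR_FromTPMPublic` as a raw TPM handle, so `TPMI_RH_NV_INDEX` would document the new contract and would surface any remaining caller that still passes an object handle (worth confirming across the 5.2 tree); and the header wrapper's `tpm2_nv_readpublic(context, nv_index, nv_public, 0)` should pass `NULL` rather than `0` for the pointer argument.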
@ -1,211 +0,0 @@
|
||||
From 2e7839b905f7a493f739d36e3e550e0cee30049e Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
|
||||
Date: Thu, 7 May 2020 19:12:36 +0200
|
||||
Subject: [PATCH] Refactor fix_esys_hierarchies()
|
||||
|
||||
Refactor fix_esys_hierarchies() to return an actual TSS2_RC return code
|
||||
and have an output parameter.
|
||||
|
||||
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
|
||||
---
|
||||
lib/tpm2.c | 88 +++++++++++++++++++++++++++++----------
|
||||
lib/tpm2.h | 2 +-
|
||||
tools/tpm2_loadexternal.c | 9 +++-
|
||||
3 files changed, 75 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2.c b/lib/tpm2.c
|
||||
index 909a4422339d..744fed8c529f 100644
|
||||
--- a/lib/tpm2.c
|
||||
+++ b/lib/tpm2.c
|
||||
@@ -645,39 +645,51 @@ tool_rc tpm2_evictcontrol(ESYS_CONTEXT *esys_context,
|
||||
}
|
||||
|
||||
/* This function addresses ESAPI change that changes parameter type from
|
||||
- * Esys_TR to TPMI_RH_HIERARCHY and breaks backwards compatibility.
|
||||
+ * Esys_TR to TPMI_RH_HIERARCHY or TPMI_RH_ENABLES and breaks backwards
|
||||
+ * compatibility.
|
||||
* To keep the tools parameters consistent after v4.0 release we need to
|
||||
* map the values to appropriate type based on the version of the ESYS API.
|
||||
* Note: the mapping is based on the ESYS version recognized at compile time.
|
||||
* The TSS change can be found here:
|
||||
* https://github.com/tpm2-software/tpm2-tss/pull/1531
|
||||
*/
|
||||
-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
|
||||
+TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out)
|
||||
{
|
||||
#if defined(ESYS_3_0)
|
||||
- switch (hierarchy) {
|
||||
+ switch (in) {
|
||||
case ESYS_TR_RH_NULL:
|
||||
+ /* FALLTHRU */
|
||||
case ESYS_TR_RH_OWNER:
|
||||
+ /* FALLTHRU */
|
||||
case ESYS_TR_RH_ENDORSEMENT:
|
||||
+ /* FALLTHRU */
|
||||
case ESYS_TR_RH_PLATFORM:
|
||||
+ /* FALLTHRU */
|
||||
case ESYS_TR_RH_PLATFORM_NV:
|
||||
- return hierarchy;
|
||||
+ *out = in;
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
case TPM2_RH_NULL:
|
||||
- return ESYS_TR_RH_NULL;
|
||||
+ *out = ESYS_TR_RH_NULL;
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
case TPM2_RH_OWNER:
|
||||
- return ESYS_TR_RH_OWNER;
|
||||
+ *out = ESYS_TR_RH_OWNER;
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
case TPM2_RH_ENDORSEMENT:
|
||||
- return ESYS_TR_RH_ENDORSEMENT;
|
||||
+ *out = ESYS_TR_RH_ENDORSEMENT;
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
case TPM2_RH_PLATFORM:
|
||||
- return ESYS_TR_RH_PLATFORM;
|
||||
+ *out = ESYS_TR_RH_PLATFORM;
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
case TPM2_RH_PLATFORM_NV:
|
||||
- return ESYS_TR_RH_PLATFORM_NV;
|
||||
+ *out = ESYS_TR_RH_PLATFORM_NV;
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
default:
|
||||
- LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy);
|
||||
- return 0xffffffff;
|
||||
+ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", in);
|
||||
+ return TSS2_ESYS_RC_BAD_VALUE;
|
||||
}
|
||||
#elif defined(ESYS_2_3)
|
||||
- return hierarchy;
|
||||
+ *out = in;
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
#else
|
||||
#error "Need to define either ESYS_3_0 or ESYS_2_3"
|
||||
#endif
|
||||
@@ -688,8 +700,14 @@ tool_rc tpm2_hash(ESYS_CONTEXT *esys_context, ESYS_TR shandle1, ESYS_TR shandle2
|
||||
TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **out_hash,
|
||||
TPMT_TK_HASHCHECK **validation) {
|
||||
|
||||
- TSS2_RC rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data,
|
||||
- hash_alg, fix_esys_hierarchy(hierarchy), out_hash, validation);
|
||||
+ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
|
||||
+ if (rval != TSS2_RC_SUCCESS) {
|
||||
+ LOG_ERR("Unknown hierarchy");
|
||||
+ return tool_rc_from_tpm(rval);
|
||||
+ }
|
||||
+
|
||||
+ rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data,
|
||||
+ hash_alg, hierarchy, out_hash, validation);
|
||||
if (rval != TSS2_RC_SUCCESS) {
|
||||
LOG_PERR(Esys_Hash, rval);
|
||||
return tool_rc_from_tpm(rval);
|
||||
@@ -729,9 +747,15 @@ tool_rc tpm2_sequence_complete(ESYS_CONTEXT *esys_context,
|
||||
TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **result,
|
||||
TPMT_TK_HASHCHECK **validation) {
|
||||
|
||||
- TSS2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
|
||||
+ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
|
||||
+ if (rval != TSS2_RC_SUCCESS) {
|
||||
+ LOG_ERR("Unknown hierarchy");
|
||||
+ return tool_rc_from_tpm(rval);
|
||||
+ }
|
||||
+
|
||||
+ rval = Esys_SequenceComplete(esys_context, sequence_handle,
|
||||
ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, buffer,
|
||||
- fix_esys_hierarchy(hierarchy), result, validation);
|
||||
+ hierarchy, result, validation);
|
||||
if (rval != TSS2_RC_SUCCESS) {
|
||||
LOG_PERR(Esys_SequenceComplete, rval);
|
||||
return tool_rc_from_tpm(rval);
|
||||
@@ -1161,8 +1185,14 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
|
||||
- shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state);
|
||||
+ TSS2_RC rval = fix_esys_hierarchy(enable, &enable);
|
||||
+ if (rval != TSS2_RC_SUCCESS) {
|
||||
+ LOG_ERR("Unknown hierarchy");
|
||||
+ return tool_rc_from_tpm(rval);
|
||||
+ }
|
||||
+
|
||||
+ rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
|
||||
+ shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state);
|
||||
if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) {
|
||||
LOG_PERR(Esys_HierarchyControl, rval);
|
||||
return tool_rc_from_tpm(rval);
|
||||
@@ -1257,9 +1287,17 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
|
||||
+ uint32_t hierarchy;
|
||||
+
|
||||
+ TSS2_RC rval = fix_esys_hierarchy(TPM2_RH_NULL, &hierarchy);
|
||||
+ if (rval != TSS2_RC_SUCCESS) {
|
||||
+ LOG_ERR("Unknown hierarchy");
|
||||
+ return tool_rc_from_tpm(rval);
|
||||
+ }
|
||||
+
|
||||
+ rval = Esys_SequenceComplete(esys_context, sequence_handle,
|
||||
hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer,
|
||||
- fix_esys_hierarchy(TPM2_RH_NULL), result, validation);
|
||||
+ hierarchy, result, validation);
|
||||
if (rval != TSS2_RC_SUCCESS) {
|
||||
LOG_PERR(Esys_HMAC, rval);
|
||||
return tool_rc_from_tpm(rval);
|
||||
@@ -1913,9 +1951,15 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private,
|
||||
const TPM2B_PUBLIC *public, TPMI_RH_HIERARCHY hierarchy,
|
||||
ESYS_TR *object_handle) {
|
||||
|
||||
- TSS2_RC rval = Esys_LoadExternal(ectx,
|
||||
+ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
|
||||
+ if (rval != TSS2_RC_SUCCESS) {
|
||||
+ LOG_ERR("Unknown hierarchy");
|
||||
+ return tool_rc_from_tpm(rval);
|
||||
+ }
|
||||
+
|
||||
+ rval = Esys_LoadExternal(ectx,
|
||||
ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
|
||||
- private, public, fix_esys_hierarchy(hierarchy),
|
||||
+ private, public, hierarchy,
|
||||
object_handle);
|
||||
if (rval != TSS2_RC_SUCCESS) {
|
||||
LOG_PERR(Esys_LoadExternal, rval);
|
||||
diff --git a/lib/tpm2.h b/lib/tpm2.h
|
||||
index a37e05606c7a..2e4ae5e7dddc 100644
|
||||
--- a/lib/tpm2.h
|
||||
+++ b/lib/tpm2.h
|
||||
@@ -389,7 +389,7 @@ tool_rc tpm2_policy_nv_written(ESYS_CONTEXT *esys_context,
|
||||
ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2,
|
||||
ESYS_TR shandle3, TPMI_YES_NO written_set);
|
||||
|
||||
-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy);
|
||||
+TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out);
|
||||
|
||||
tool_rc tpm2_certifycreation(ESYS_CONTEXT *esys_context,
|
||||
tpm2_loaded_object *signingkey_obj, tpm2_loaded_object *certifiedkey_obj,
|
||||
diff --git a/tools/tpm2_loadexternal.c b/tools/tpm2_loadexternal.c
|
||||
index 70fb72877aae..4127ca1b524b 100644
|
||||
--- a/tools/tpm2_loadexternal.c
|
||||
+++ b/tools/tpm2_loadexternal.c
|
||||
@@ -48,9 +48,16 @@ static tpm_loadexternal_ctx ctx = {
|
||||
static tool_rc load_external(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *pub,
|
||||
TPM2B_SENSITIVE *priv, bool has_priv, TPM2B_NAME **name) {
|
||||
|
||||
+ uint32_t hierarchy;
|
||||
+ TSS2_RC rval = fix_esys_hierarchy(ctx.hierarchy_value, &hierarchy);
|
||||
+ if (rval != TSS2_RC_SUCCESS) {
|
||||
+ LOG_ERR("Unknown hierarchy");
|
||||
+ return tool_rc_from_tpm(rval);
|
||||
+ }
|
||||
+
|
||||
tool_rc rc = tpm2_loadexternal(ectx,
|
||||
has_priv ? priv : NULL, pub,
|
||||
- fix_esys_hierarchy(ctx.hierarchy_value), &ctx.handle);
|
||||
+ hierarchy, &ctx.handle);
|
||||
if (rc != tool_rc_success) {
|
||||
return rc;
|
||||
}
|
||||
--
|
||||
2.27.0
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 012249ad9d06d7534a94690a33638691f5104839 Mon Sep 17 00:00:00 2001
|
||||
From: Radoslav Gerganov <rgerganov@vmware.com>
|
||||
Date: Wed, 26 Feb 2020 10:40:26 +0200
|
||||
Subject: [PATCH] lib/files: fix an error message in files_load_##name
|
||||
|
||||
Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
|
||||
---
|
||||
lib/files.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/files.c b/lib/files.c
|
||||
index a6beea5b8ff2..ef2170b079e1 100644
|
||||
--- a/lib/files.c
|
||||
+++ b/lib/files.c
|
||||
@@ -687,7 +687,7 @@ tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path)
|
||||
size_t offset = 0; \
|
||||
TSS2_RC rc = Tss2_MU_##type##_Unmarshal(buffer, size, &offset, name); \
|
||||
if (rc != TSS2_RC_SUCCESS) { \
|
||||
- LOG_ERR("Error serializing "str(name)" structure: 0x%x", rc); \
|
||||
+ LOG_ERR("Error deserializing "str(name)" structure: 0x%x", rc); \
|
||||
LOG_ERR("The input file needs to be a valid "xstr(type)" data structure"); \
|
||||
return false; \
|
||||
} \
|
||||
--
|
||||
2.31.0
|
||||
|
@ -1,42 +0,0 @@
|
||||
From a20415d6f1d3fa09300ff1181646fe7e1785fd15 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Sun, 29 Mar 2020 10:14:28 -0700
|
||||
Subject: [PATCH] lib/files.c: Fix an issue where execution could not reach
|
||||
function return
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
lib/files.c | 8 +++-----
|
||||
1 file changed, 3 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/files.c b/lib/files.c
|
||||
index ef2170b079e1..501f88d11b48 100644
|
||||
--- a/lib/files.c
|
||||
+++ b/lib/files.c
|
||||
@@ -607,9 +607,7 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
|
||||
return true;
|
||||
}
|
||||
|
||||
-// printf("Reading file: %s\n", path);
|
||||
-// printf("size: %u\n", *size);
|
||||
-
|
||||
+ bool retval = true;
|
||||
/* Read from stdin */
|
||||
if (!input_buffer && !path) {
|
||||
UINT16 read_bytes = 0;
|
||||
@@ -640,10 +638,10 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
|
||||
return true;
|
||||
}
|
||||
} else if (path) {
|
||||
- return files_load_bytes_from_path(path, buf, size);
|
||||
+ retval = files_load_bytes_from_path(path, buf, size);
|
||||
}
|
||||
|
||||
- return false;
|
||||
+ return retval;
|
||||
}
|
||||
|
||||
tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path) {
|
||||
--
|
||||
2.31.0
|
||||
|
@ -0,0 +1,26 @@
|
||||
From 4351d850bb664941f88463229758171c2603080a Mon Sep 17 00:00:00 2001
|
||||
From: Erik Larsson <who+github@cnackers.org>
|
||||
Date: Mon, 4 Oct 2021 10:21:49 +0200
|
||||
Subject: [PATCH 1/9] lib/tpm2_eventlog_yaml: use char16_t for UEFI characters
|
||||
|
||||
Signed-off-by: Erik Larsson <who+github@cnackers.org>
|
||||
---
|
||||
lib/tpm2_eventlog_yaml.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
|
||||
index 6e6923e5..9b048db1 100644
|
||||
--- a/lib/tpm2_eventlog_yaml.c
|
||||
+++ b/lib/tpm2_eventlog_yaml.c
|
||||
@@ -475,7 +475,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
|
||||
tpm2_tool_output(" Description: \"");
|
||||
int i;
|
||||
for (i = 0; (wchar_t)loadopt->Description[i] != 0; i++) {
|
||||
- wchar_t c = (wchar_t)loadopt->Description[i];
|
||||
+ char16_t c = (char16_t)loadopt->Description[i];
|
||||
tpm2_tool_output("%lc", c);
|
||||
}
|
||||
tpm2_tool_output("\"\n");
|
||||
--
|
||||
2.37.3
|
||||
|
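Review bot: The change only retypes the local `c`; `tpm2_tool_output("%lc", c)` still formats it with `%lc`, which interprets the argument as a locale `wchar_t`/`wint_t`, not as a UTF-16 code unit, and the loop condition on the line above still casts to `(wchar_t)`. For BMP characters on platforms where `wchar_t` is UCS-4 the output is unchanged, but a surrogate pair in `Description` is now emitted as two isolated surrogates, so either a comment such as `/* Description is UCS-2/UTF-16; %lc renders BMP code points only */` or a real UTF-16 to locale conversion is warranted. Separately, unless a bound is enforced before this excerpt, the loop terminates only on a NUL and never compares `i` against the `size` parameter visible in the function header, so a truncated or malformed event-log entry without a terminator reads past the buffer; `yaml_uefi_var` begins and ends outside the hunk.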
34
SOURCES/0001-testparms-fix-condition-for-negative-test.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From 0789bf264a108c4718875a050d00b1fdee4478b7 Mon Sep 17 00:00:00 2001
|
||||
From: Jonas Witschel <git@diabonas.de>
|
||||
Date: Wed, 29 Sep 2021 17:08:07 +0200
|
||||
Subject: [PATCH] testparms: fix condition for negative test
|
||||
Content-type: text/plain
|
||||
|
||||
Commit e858dec76686bb4c42e74e0984b433231e530f93 ("testparms: ensure curve not
|
||||
supported before negative test") is supposed to ensure that the negative test
|
||||
is run only if ecc521 is *not* supported, but instead it runs the negative test
|
||||
if ecc521 is *available*. This worked anyway for libtpms < 0.9.0 because camellia
|
||||
was not supported, but since libtpms 0.9.0 added support for this algorithm, the
|
||||
test suite fails now with swtpm.
|
||||
|
||||
Signed-off-by: Jonas Witschel <git@diabonas.de>
|
||||
---
|
||||
test/integration/tests/testparms.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/test/integration/tests/testparms.sh b/test/integration/tests/testparms.sh
|
||||
index 8c3548e58f39..a587a60a34cf 100644
|
||||
--- a/test/integration/tests/testparms.sh
|
||||
+++ b/test/integration/tests/testparms.sh
|
||||
@@ -63,7 +63,7 @@ else
|
||||
fi
|
||||
|
||||
# Attempt to specify a suite that is not supported (error from TPM)
|
||||
-if tpm2 getcap ecc-curves | grep -q TPM2_ECC_NIST_P521; then
|
||||
+if ! tpm2 getcap ecc-curves | grep -q TPM2_ECC_NIST_P521; then
|
||||
if tpm2 testparms "ecc521:ecdsa:camellia" &>/dev/null; then
|
||||
echo "tpm2 testparms succeeded while it shouldn't or TPM failed"
|
||||
exit 1
|
||||
--
|
||||
2.35.3
|
||||
|
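Review bot: The inverted condition now runs the negative test whenever `grep -q` finds nothing, and in this pipeline grep's status is the only one tested, so a `tpm2 getcap ecc-curves` that fails outright (no TPM reachable, wrong TCTI) is indistinguishable from "P521 not supported" and the negative branch runs against a TPM whose capabilities were never read, where the inner `tpm2 testparms` also fails and the test passes vacuously. Capturing the query first, `curves=$(tpm2 getcap ecc-curves) || exit 1` followed by `if ! grep -q TPM2_ECC_NIST_P521 <<<"$curves"; then`, keeps the skip decision tied to a successful capability read. The `if` body and its `else` branch continue outside the hunk.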
@ -1,63 +0,0 @@
|
||||
From 77d4592e3eec9ec2c7932586f41f925b43ecc5ba Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Sun, 29 Mar 2020 10:22:42 -0700
|
||||
Subject: [PATCH] tools/tpm2_nvcertify.c: Fix incompatible pointer cast that
|
||||
may cause memory leak
|
||||
|
||||
Pointer "&ctx.size" and "&ctx.offset" points to an object whose effective type is
|
||||
"unsigned short" (16 bits, unsigned) but is dereferenced as a wider
|
||||
"unsigned int" (32 bits, unsigned). This may lead to memory corruption.
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
tools/tpm2_nvcertify.c | 17 +++++++++++++++--
|
||||
1 file changed, 15 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tools/tpm2_nvcertify.c b/tools/tpm2_nvcertify.c
|
||||
index b49f38dbff20..414cbea85574 100644
|
||||
--- a/tools/tpm2_nvcertify.c
|
||||
+++ b/tools/tpm2_nvcertify.c
|
||||
@@ -80,6 +80,7 @@ static bool set_signature_format(char *value) {
|
||||
static bool on_option(char key, char *value) {
|
||||
|
||||
bool result = true;
|
||||
+ uint32_t input_value;
|
||||
|
||||
switch (key) {
|
||||
case 'C':
|
||||
@@ -110,18 +111,30 @@ static bool on_option(char key, char *value) {
|
||||
ctx.policy_qualifier_arg = value;
|
||||
break;
|
||||
case 0:
|
||||
- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.size);
|
||||
+ result = tpm2_util_string_to_uint32(value, &input_value);
|
||||
if (!result) {
|
||||
LOG_ERR("Could not convert size to number, got: \"%s\"", value);
|
||||
return false;
|
||||
}
|
||||
+ if (input_value > UINT16_MAX) {
|
||||
+ LOG_ERR("Specified size is larger than that allowed by command");
|
||||
+ return false;
|
||||
+ } else {
|
||||
+ ctx.size = input_value;
|
||||
+ }
|
||||
break;
|
||||
case 1:
|
||||
- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.offset);
|
||||
+ result = tpm2_util_string_to_uint32(value, &input_value);
|
||||
if (!result) {
|
||||
LOG_ERR("Could not convert offset to number, got: \"%s\"", value);
|
||||
return false;
|
||||
}
|
||||
+ if (input_value > UINT16_MAX) {
|
||||
+ LOG_ERR("Specified offset is larger than that allowed by command");
|
||||
+ return false;
|
||||
+ } else {
|
||||
+ ctx.offset = input_value;
|
||||
+ }
|
||||
break;
|
||||
case 2:
|
||||
ctx.certify_info_path = value;
|
||||
--
|
||||
2.31.0
|
||||
|
@ -1,25 +0,0 @@
|
||||
From 023ec5c0eafe8dfb5b71e400cb0c2c337fb8c108 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Sun, 29 Mar 2020 10:49:12 -0700
|
||||
Subject: [PATCH] tools/tpm2_nvreadpublic: Fix resource leak
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
tools/tpm2_nvreadpublic.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/tools/tpm2_nvreadpublic.c b/tools/tpm2_nvreadpublic.c
|
||||
index 7f8e46cbf863..eca1fd715a79 100644
|
||||
--- a/tools/tpm2_nvreadpublic.c
|
||||
+++ b/tools/tpm2_nvreadpublic.c
|
||||
@@ -41,6 +41,7 @@ static tool_rc print_nv_public(ESYS_CONTEXT *context, TPMI_RH_NV_INDEX index, TP
|
||||
rc = tpm2_tr_get_name(context, tr_handle,
|
||||
&name);
|
||||
if (rc != tool_rc_success) {
|
||||
+ free(attrs);
|
||||
return rc;
|
||||
}
|
||||
|
||||
--
|
||||
2.31.0
|
||||
|
@ -1,28 +0,0 @@
|
||||
From c28932caef2036039901a91cf55eb7ff093c70f5 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Fri, 24 Jan 2020 15:53:39 -0700
|
||||
Subject: [PATCH] tpm2_alg_util.c: fix a bug where the string rsa3072 wasnt
|
||||
being parsed
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
lib/tpm2_alg_util.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
|
||||
index b83c387a05bd..fcad480e0c3d 100644
|
||||
--- a/lib/tpm2_alg_util.c
|
||||
+++ b/lib/tpm2_alg_util.c
|
||||
@@ -301,6 +301,9 @@ static alg_parser_rc handle_rsa(const char *ext, TPM2B_PUBLIC *public) {
|
||||
} else if (!strncmp(ext, "4096", 4)) {
|
||||
r->keyBits = 4096;
|
||||
ext += 4;
|
||||
+ } else if (!strncmp(ext, "3072", 4)) {
|
||||
+ r->keyBits = 3072;
|
||||
+ ext += 4;
|
||||
} else {
|
||||
r->keyBits = 2048;
|
||||
}
|
||||
--
|
||||
2.27.0
|
||||
|
@ -1,186 +0,0 @@
|
||||
From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Thu, 21 May 2020 11:31:43 -0700
|
||||
Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared
|
||||
if policy specified
|
||||
|
||||
Fixes #2037
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
man/tpm2_create.1.md | 9 +++-
|
||||
test/integration/tests/import_tpm.sh | 78 +++++++++++++++++-----------
|
||||
tools/tpm2_create.c | 10 ++--
|
||||
3 files changed, 60 insertions(+), 37 deletions(-)
|
||||
|
||||
diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md
|
||||
index e8e5eaac49c3..9a7ba33e6017 100644
|
||||
--- a/man/tpm2_create.1.md
|
||||
+++ b/man/tpm2_create.1.md
|
||||
@@ -13,7 +13,7 @@
|
||||
**tpm2_create**(1) - Create a child object. The object can either be a key or
|
||||
a sealing object. A sealing object allows to seal user data to the TPM, with a
|
||||
maximum size of 256 bytes. Additionally it will load the created object if the
|
||||
-**-o** is specified.
|
||||
+**-c** is specified.
|
||||
|
||||
# OPTIONS
|
||||
|
||||
@@ -55,6 +55,13 @@ These options for creating the TPM entity:
|
||||
and unsealing. I.e. one cannot use an object for sealing and cryptography
|
||||
operations.
|
||||
|
||||
+ When **-L** is specified for adding policy based authorization information
|
||||
+ AND no string password is specified, the attribute `TPMA_OBJECT_USERWITHAUTH`
|
||||
+ is cleared unless an explicit choice is made by setting of the attribute
|
||||
+ with **-a** option. This prevents creation of objects with inadvertant auth
|
||||
+ model where in user intended to enforce a policy but inadvertantly created
|
||||
+ an object with empty auth which can be used instead of policy authorization.
|
||||
+
|
||||
* **-i**, **\--sealing-input**=_FILE_ or _STDIN_:
|
||||
|
||||
The data file to be sealed, optional. If file is -, read from stdin.
|
||||
diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh
|
||||
index ff48185aba70..3d1e10820844 100755
|
||||
--- a/test/integration/tests/import_tpm.sh
|
||||
+++ b/test/integration/tests/import_tpm.sh
|
||||
@@ -54,8 +54,13 @@ load_new_parent() {
|
||||
create_load_duplicatee() {
|
||||
# Create the key we want to duplicate
|
||||
create_policy dpolicy.dat TPM2_CC_Duplicate
|
||||
- tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \
|
||||
- -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
|
||||
+ if [ -z "$2" ];then
|
||||
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \
|
||||
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
|
||||
+ else
|
||||
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \
|
||||
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
|
||||
+ fi
|
||||
# Load the key
|
||||
tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
|
||||
# Extract the public part for import later
|
||||
@@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do
|
||||
done
|
||||
done
|
||||
|
||||
-# Part 2 :
|
||||
-# Create a rsa key (Kd)
|
||||
-# Encrypt a message using Kd
|
||||
-# Duplicate Kd
|
||||
-# Import & Load Kd
|
||||
-# Decrypt the message and verify
|
||||
-tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
|
||||
-# New parent ...
|
||||
-create_load_new_parent
|
||||
-# Key to be duplicated
|
||||
-create_load_duplicatee rsa
|
||||
-# Encrypt a secret message
|
||||
-echo "Mary had a little lamb ..." > plain.txt
|
||||
-tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
|
||||
-# Duplicate the key
|
||||
-do_duplication null
|
||||
-# Remove, we're done with it
|
||||
-rm new_parent.ctx
|
||||
-# Load the full thing this time
|
||||
-load_new_parent
|
||||
-# Import & load the duplicate
|
||||
-do_import_load null
|
||||
-# Decrypt the secret message using duplicated key
|
||||
-tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt
|
||||
-# Check we got it right ...
|
||||
-diff recovered.txt plain.txt
|
||||
-# Cleanup
|
||||
-rm plain.txt recovered.txt cipher.txt
|
||||
-cleanup "no-shut-down"
|
||||
+test_key_usage() {
|
||||
+ # Part 2 :
|
||||
+ # Create a rsa key (Kd)
|
||||
+ # Encrypt a message using Kd
|
||||
+ # Duplicate Kd
|
||||
+ # Import & Load Kd
|
||||
+ # Decrypt the message and verify
|
||||
+ tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
|
||||
+ # New parent ...
|
||||
+ create_load_new_parent
|
||||
+ # Key to be duplicated
|
||||
+ create_load_duplicatee rsa "$1"
|
||||
+ # Encrypt a secret message
|
||||
+ echo "Mary had a little lamb ..." > plain.txt
|
||||
+ tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
|
||||
+ # Duplicate the key
|
||||
+ do_duplication null
|
||||
+ # Remove, we're done with it
|
||||
+ rm new_parent.ctx
|
||||
+ # Load the full thing this time
|
||||
+ load_new_parent
|
||||
+ # Import & load the duplicate
|
||||
+ do_import_load null
|
||||
+ # Decrypt the secret message using duplicated key
|
||||
+ if [ -z "$1" ];then
|
||||
+ tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt
|
||||
+ else
|
||||
+ tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt
|
||||
+ fi
|
||||
+ # Check we got it right ...
|
||||
+ diff recovered.txt plain.txt
|
||||
+ # Cleanup
|
||||
+ rm plain.txt recovered.txt cipher.txt
|
||||
+ cleanup "no-shut-down"
|
||||
+}
|
||||
+
|
||||
+#Test key with password
|
||||
+test_key_usage foo
|
||||
+#Test key without password
|
||||
+test_key_usage
|
||||
|
||||
exit 0
|
||||
diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
|
||||
index 941b77655f55..8e92cc747e17 100644
|
||||
--- a/tools/tpm2_create.c
|
||||
+++ b/tools/tpm2_create.c
|
||||
@@ -47,7 +47,7 @@ struct tpm_create_ctx {
|
||||
TPML_PCR_SELECTION creation_pcr;
|
||||
|
||||
struct {
|
||||
- UINT8 b :1;
|
||||
+ UINT8 a :1;
|
||||
UINT8 i :1;
|
||||
UINT8 L :1;
|
||||
UINT8 u :1;
|
||||
@@ -224,7 +224,7 @@ static bool on_option(char key, char *value) {
|
||||
break;
|
||||
case 'a':
|
||||
ctx.object.attrs = value;
|
||||
- ctx.flags.b = 1;
|
||||
+ ctx.flags.a = 1;
|
||||
break;
|
||||
case 'i':
|
||||
ctx.object.sealed_data = strcmp("-", value) ? value : NULL;
|
||||
@@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
||||
|
||||
ctx.object.alg = "keyedhash";
|
||||
|
||||
- if (!ctx.flags.b) {
|
||||
+ if (!ctx.flags.a) {
|
||||
attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT;
|
||||
attrs &= ~TPMA_OBJECT_DECRYPT;
|
||||
attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
|
||||
}
|
||||
- } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) {
|
||||
+ } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) {
|
||||
attrs &= ~TPMA_OBJECT_DECRYPT;
|
||||
}
|
||||
|
||||
@@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
||||
return tool_rc_general_error;
|
||||
}
|
||||
|
||||
- if (ctx.flags.L && !ctx.object.auth_str) {
|
||||
+ if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) {
|
||||
ctx.object.public.publicArea.objectAttributes &=
|
||||
~TPMA_OBJECT_USERWITHAUTH;
|
||||
}
|
||||
--
|
||||
2.27.0
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 8c72f7402d8977807f531b08976760d62676cf8a Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Thu, 23 Jan 2020 11:21:58 -0700
|
||||
Subject: [PATCH] tpm2_getekcertificate: add default web address
|
||||
|
||||
Currently only Intel (R) PTT certificates are hosted online.
|
||||
A default web address pointing to the endorsement key certificate
|
||||
hosting will help reduce user input.
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
test/integration/tests/getekcertificate.sh | 6 ++----
|
||||
tools/tpm2_getekcertificate.c | 1 +
|
||||
2 files changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/test/integration/tests/getekcertificate.sh b/test/integration/tests/getekcertificate.sh
|
||||
index 33f4f8b2e4c0..e8c521756d2a 100755
|
||||
--- a/test/integration/tests/getekcertificate.sh
|
||||
+++ b/test/integration/tests/getekcertificate.sh
|
||||
@@ -38,12 +38,10 @@ else
|
||||
fi
|
||||
fi
|
||||
|
||||
-tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin \
|
||||
-https://ekop.intel.com/ekcertservice/
|
||||
+tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin
|
||||
|
||||
# Test that stdoutput is the same
|
||||
-tpm2_getekcertificate -u test_ek.pub -x https://ekop.intel.com/ekcertservice/ \
|
||||
--X > ECcert2.bin
|
||||
+tpm2_getekcertificate -u test_ek.pub -x -X > ECcert2.bin
|
||||
|
||||
# stdout file should match -E file.
|
||||
cmp ECcert.bin ECcert2.bin
|
||||
diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c
|
||||
index 233d04d8b3d7..6a8fe894bb1c 100644
|
||||
--- a/tools/tpm2_getekcertificate.c
|
||||
+++ b/tools/tpm2_getekcertificate.c
|
||||
@@ -32,6 +32,7 @@ struct tpm_getekcertificate_ctx {
|
||||
|
||||
static tpm_getekcertificate_ctx ctx = {
|
||||
.is_tpm2_device_active = true,
|
||||
+ .ek_server_addr = "https://ekop.intel.com/ekcertservice/",
|
||||
};
|
||||
|
||||
static unsigned char *hash_ek_public(void) {
|
||||
--
|
||||
2.31.0
|
||||
|
@ -1,37 +0,0 @@
|
||||
From 334b4c739fa575fb4ea58f92df6de87c38e59e15 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Thu, 23 Jan 2020 08:06:56 -0700
|
||||
Subject: [PATCH] tpm2_hierarchycontrol: Fixed bug where hierarchycontrol
|
||||
operation failed silently
|
||||
|
||||
Fixes #1841
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
tools/tpm2_hierarchycontrol.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tools/tpm2_hierarchycontrol.c b/tools/tpm2_hierarchycontrol.c
|
||||
index 0baf2ca487d3..7e9e2c657544 100644
|
||||
--- a/tools/tpm2_hierarchycontrol.c
|
||||
+++ b/tools/tpm2_hierarchycontrol.c
|
||||
@@ -32,8 +32,14 @@ static tool_rc hierarchycontrol(ESYS_CONTEXT *ectx) {
|
||||
ctx.enable == TPM2_RH_ENDORSEMENT ? "ehEnable" : "phEnableNV",
|
||||
ctx.state ? "SET" : "CLEAR");
|
||||
|
||||
- return tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object, ctx.enable,
|
||||
- ctx.state);
|
||||
+ tool_rc rc = tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object,
|
||||
+ ctx.enable, ctx.state);
|
||||
+
|
||||
+ if (rc != tool_rc_success) {
|
||||
+ LOG_ERR("Failed hierarchycontrol operation.");
|
||||
+ }
|
||||
+
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
bool on_arg(int argc, char **argv) {
|
||||
--
|
||||
2.27.0
|
||||
|
@ -1,46 +0,0 @@
|
||||
From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Fri, 21 May 2021 12:22:31 -0500
|
||||
Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
|
||||
|
||||
tpm2_import used a fixed AES key for the inner wrapper, which means that
|
||||
a MITM attack would be able to unwrap the imported key. Even the
|
||||
use of an encrypted session will not prevent this. The TPM only
|
||||
encrypts the first parameter which is the fixed symmetric key.
|
||||
|
||||
To fix this, ensure the key size is 16 bytes or bigger and use
|
||||
OpenSSL to generate a secure random AES key.
|
||||
|
||||
Fixes: #2738
|
||||
|
||||
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
---
|
||||
tools/tpm2_import.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
|
||||
index cfb6f207ba9c..f44326c87e7e 100644
|
||||
--- a/tools/tpm2_import.c
|
||||
+++ b/tools/tpm2_import.c
|
||||
@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
|
||||
TPM2B_DATA enc_sensitive_key = {
|
||||
.size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
|
||||
};
|
||||
- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
|
||||
+
|
||||
+ if(enc_sensitive_key.size < 16) {
|
||||
+ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
|
||||
+ return tool_rc_general_error;
|
||||
+ }
|
||||
+
|
||||
+ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
|
||||
+ if (ossl_rc != 1) {
|
||||
+ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
|
||||
+ return tool_rc_general_error;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Calculate the object name.
|
||||
--
|
||||
2.31.0
|
||||
|
@ -1,31 +0,0 @@
|
||||
From 652322f7278ec8c384fde9ec2204b06d084a24e4 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Thu, 23 Jan 2020 07:54:58 -0700
|
||||
Subject: [PATCH] tpm2_nvdefine.c: Fixed error reporting message
|
||||
|
||||
Fixes #1861
|
||||
|
||||
NV define failure error message had the wording to suggest NV index
|
||||
was successfully defined.
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
tools/tpm2_nvdefine.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/tpm2_nvdefine.c b/tools/tpm2_nvdefine.c
|
||||
index cb2949c4dddc..71203cb6c80d 100644
|
||||
--- a/tools/tpm2_nvdefine.c
|
||||
+++ b/tools/tpm2_nvdefine.c
|
||||
@@ -65,7 +65,7 @@ static tool_rc nv_space_define(ESYS_CONTEXT *ectx) {
|
||||
tool_rc rc = tpm2_nv_definespace(ectx, &ctx.auth_hierarchy.object,
|
||||
&ctx.nv_auth, &public_info);
|
||||
if (rc != tool_rc_success) {
|
||||
- LOG_INFO("Success to define NV area at index 0x%x.", ctx.nv_index);
|
||||
+ LOG_ERR("Failed to create NV index 0x%x.", ctx.nv_index);
|
||||
return rc;
|
||||
}
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
@ -1,28 +0,0 @@
|
||||
From e556da0a2099573f82391c16477fba08584a7a12 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Tue, 10 Mar 2020 09:15:55 -0700
|
||||
Subject: [PATCH] tpm2_policy.c: restrict policy digest size
|
||||
|
||||
Fixes #1916
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
lib/tpm2_policy.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
|
||||
index 6c352b2b41ae..01387ba01645 100644
|
||||
--- a/lib/tpm2_policy.c
|
||||
+++ b/lib/tpm2_policy.c
|
||||
@@ -163,7 +163,7 @@ tool_rc tpm2_policy_build_policyauthorize(ESYS_CONTEXT *ectx,
|
||||
bool result = true;
|
||||
TPM2B_DIGEST approved_policy = { .size = 0 };
|
||||
if (policy_digest_path) {
|
||||
- approved_policy.size = UINT16_MAX;
|
||||
+ approved_policy.size = sizeof(TPMU_HA);
|
||||
result = files_load_bytes_from_path(policy_digest_path,
|
||||
approved_policy.buffer, &approved_policy.size);
|
||||
}
|
||||
--
|
||||
2.31.0
|
||||
|
@ -1,30 +0,0 @@
|
||||
From cab7b3edcc6a44aece0642c0c2621a4bb70d449b Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Tue, 10 Mar 2020 18:19:04 -0700
|
||||
Subject: [PATCH] tpm2_policycountertimer: Fix an issue where operandB array
|
||||
was reversed
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
tools/tpm2_policycountertimer.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/tpm2_policycountertimer.c b/tools/tpm2_policycountertimer.c
|
||||
index 1c72d525dab7..170a544f2203 100644
|
||||
--- a/tools/tpm2_policycountertimer.c
|
||||
+++ b/tools/tpm2_policycountertimer.c
|
||||
@@ -81,7 +81,10 @@ static bool convert_keyvalue_to_operand_buffer(const char *value,
|
||||
}
|
||||
|
||||
ctx.operand_b.size = size;
|
||||
- memcpy(ctx.operand_b.buffer, &data.b, size);
|
||||
+ size_t i = 0;
|
||||
+ for (i = 0; i < size; i++) {
|
||||
+ ctx.operand_b.buffer[i] = *(&data.b + size - i - 1);
|
||||
+ }
|
||||
|
||||
return true;
|
||||
}
|
||||
--
|
||||
2.31.0
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 44d0d2d17dc693e029e0557ec985c9b68c3efeb5 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Wed, 22 Jan 2020 14:15:48 -0700
|
||||
Subject: [PATCH] tpm2_policyor: Silent failure bug fix for invalid/unspecified
|
||||
policy digest alg
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
lib/tpm2_policy.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
|
||||
index 3d9b5491f9ce..8460bd1d9ae9 100644
|
||||
--- a/lib/tpm2_policy.c
|
||||
+++ b/lib/tpm2_policy.c
|
||||
@@ -588,6 +588,7 @@ bool tpm2_policy_parse_policy_list(char *str, TPML_DIGEST *policy_list) {
|
||||
hash = tpm2_alg_util_from_optarg(subtoken,
|
||||
tpm2_alg_util_flags_hash);
|
||||
if (hash == TPM2_ALG_ERROR) {
|
||||
+ LOG_ERR("Invalid/ Unspecified policy digest algorithm.");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.27.0
|
||||
|
@ -0,0 +1,131 @@
|
||||
From c2dff7cfac16a857fcd5161d6e171483221ab003 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Sun, 17 Dec 2023 09:53:01 +0100
|
||||
Subject: [PATCH 1/6] tpm2_sessionconfig fix usage of --disable-continuesession
|
||||
|
||||
Conflicts: context change due to missing 6169d8c22
|
||||
|
||||
If continue session was disabled a error did occur in the function for
|
||||
restoring the session context.
|
||||
Now after usage of an session with continue session disabled the
|
||||
context will not be saved and the session context file will be
|
||||
deleted.
|
||||
In one integration test continue session is now disabled and the
|
||||
flush for this session is removed.
|
||||
|
||||
Fixes: #3295
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
lib/tpm2_session.c | 45 +++++++++++++++++++++++---------
|
||||
test/integration/tests/unseal.sh | 7 +++--
|
||||
2 files changed, 37 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2_session.c b/lib/tpm2_session.c
|
||||
index 60b8643b..3e5503db 100644
|
||||
--- a/lib/tpm2_session.c
|
||||
+++ b/lib/tpm2_session.c
|
||||
@@ -35,6 +35,7 @@ struct tpm2_session {
|
||||
char *path;
|
||||
ESYS_CONTEXT *ectx;
|
||||
bool is_final;
|
||||
+ bool delete;
|
||||
} internal;
|
||||
};
|
||||
|
||||
@@ -290,18 +291,23 @@ tool_rc tpm2_session_restore(ESYS_CONTEXT *ctx, const char *path, bool is_final,
|
||||
dup_path = NULL;
|
||||
|
||||
TPMA_SESSION attrs = 0;
|
||||
+ s->internal.delete = false;
|
||||
+ s->internal.is_final = is_final;
|
||||
+ *session = s;
|
||||
|
||||
if (ctx) {
|
||||
-
|
||||
/* hack this in here, should be done when starting the session */
|
||||
tmp_rc = tpm2_sess_get_attributes(ctx, handle, &attrs);
|
||||
- UNUSED(tmp_rc);
|
||||
+ if (tmp_rc != tool_rc_success) {
|
||||
+ rc = tmp_rc;
|
||||
+ LOG_ERR("Can't get session attributes.");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if ((attrs & TPMA_SESSION_CONTINUESESSION) == 0) {
|
||||
+ s->internal.delete = true;
|
||||
+ }
|
||||
}
|
||||
|
||||
- s->internal.is_final = is_final;
|
||||
-
|
||||
- *session = s;
|
||||
-
|
||||
LOG_INFO("Restored session: ESYS_TR(0x%x) attrs(0x%x)", handle, attrs);
|
||||
|
||||
rc = tool_rc_success;
|
||||
@@ -341,22 +347,35 @@ tool_rc tpm2_session_close(tpm2_session **s) {
|
||||
}
|
||||
|
||||
const char *path = session->internal.path;
|
||||
- FILE *session_file = path ? fopen(path, "w+b") : NULL;
|
||||
- if (path && !session_file) {
|
||||
- LOG_ERR("Could not open path \"%s\", due to error: \"%s\"", path,
|
||||
- strerror(errno));
|
||||
- rc = tool_rc_general_error;
|
||||
- goto out;
|
||||
- }
|
||||
|
||||
bool flush = path ? session->internal.is_final : true;
|
||||
if (flush) {
|
||||
rc = tpm2_flush_context(session->internal.ectx,
|
||||
session->output.session_handle);
|
||||
/* done, use rc to indicate status */
|
||||
+ goto out2;
|
||||
+ }
|
||||
+
|
||||
+ if ((*s)->internal.delete && path) {
|
||||
+ if (remove(path)) {
|
||||
+ LOG_ERR("File \"%s\" can't be deleted.", path);
|
||||
+ rc = tool_rc_general_error;
|
||||
+ goto out2;
|
||||
+ } else {
|
||||
+ rc = tool_rc_success;
|
||||
+ goto out2;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ FILE *session_file = path ? fopen(path, "w+b") : NULL;
|
||||
+ if (path && !session_file) {
|
||||
+ LOG_ERR("Could not open path \"%s\", due to error: \"%s\"", path,
|
||||
+ strerror(errno));
|
||||
+ rc = tool_rc_general_error;
|
||||
goto out;
|
||||
}
|
||||
|
||||
+
|
||||
/*
|
||||
* Now write the session_type, handle and auth hash data to disk
|
||||
*/
|
||||
diff --git a/test/integration/tests/unseal.sh b/test/integration/tests/unseal.sh
|
||||
index dd6c2bc6..d0f7104f 100644
|
||||
--- a/test/integration/tests/unseal.sh
|
||||
+++ b/test/integration/tests/unseal.sh
|
||||
@@ -152,10 +152,13 @@ tpm2 sessionconfig enc_session.ctx --disable-encrypt
|
||||
tpm2 create -Q -C prim.ctx -u seal_key.pub -r seal_key.priv -c seal_key.ctx \
|
||||
-p sealkeypass -i- <<< $secret -S enc_session.ctx
|
||||
|
||||
-tpm2 sessionconfig enc_session.ctx --enable-encrypt
|
||||
+tpm2 sessionconfig enc_session.ctx --enable-encrypt --disable-continuesession
|
||||
unsealed=`tpm2 unseal -c seal_key.ctx -p sealkeypass -S enc_session.ctx`
|
||||
test "$unsealed" == "$secret"
|
||||
|
||||
-tpm2 flushcontext enc_session.ctx
|
||||
+if [ -e enc_session.ctx ]; then
|
||||
+ echo "enc_session.ctx was not deleted.";
|
||||
+ exit 1
|
||||
+fi
|
||||
|
||||
exit 0
|
||||
--
|
||||
2.45.2
|
||||
|
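Review bot: In tpm2_session_close the new delete path is never reached for a final session, because the `flush` branch a few lines above it jumps to `out2` first, so a session whose CONTINUESESSION bit is clear but that is closed with `is_final` set still leaves its context file on disk; if that is intended, a one-line comment saying so would help, otherwise move the `remove(path)` check ahead of the flush. In tpm2_session_restore, `*session = s` is now assigned before the new `tpm2_sess_get_attributes` failure path; if the `out:` label frees `s`, the caller is left holding a dangling pointer, so either assign `*session` only after `rc = tool_rc_success` or clear it on the error path. Two smaller points: `(*s)->internal.delete` reads the same object as the `session` local used on the surrounding lines, and the `remove()` error message could carry `strerror(errno)` like the fopen message just below it: `LOG_ERR("File \"%s\" can't be deleted: %s", path, strerror(errno));`. Both tpm2_session_restore and tpm2_session_close start and end outside these hunks, so the `out:`/`out2:` labels are not visible here.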
@ -0,0 +1,151 @@
|
||||
From 2558005814e4a64f8941216b9dc3d3c3a9b35c51 Mon Sep 17 00:00:00 2001
|
||||
From: George Almasi <gheorghe@us.ibm.com>
|
||||
Date: Fri, 8 Apr 2022 15:27:05 +0000
|
||||
Subject: [PATCH 2/9] Patch set for handling of new event types in
|
||||
tpm2_eventlog: EV_EFI_PLATFORM_FIRMWARE_BLOB2, EV_EFI_HANDOFF_TABLES2,
|
||||
EV_EFI_VARIABLE_BOOT2
|
||||
|
||||
Signed-off-by: George Almasi <gheorghe@us.ibm.com>
|
||||
---
|
||||
lib/efi_event.h | 11 ++++++++
|
||||
lib/tpm2_eventlog_yaml.c | 42 ++++++++++++++++++++++++++++-
|
||||
test/unit/test_tpm2_eventlog_yaml.c | 6 +++++
|
||||
3 files changed, 58 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/efi_event.h b/lib/efi_event.h
|
||||
index 0136e32b..cc2ffc98 100644
|
||||
--- a/lib/efi_event.h
|
||||
+++ b/lib/efi_event.h
|
||||
@@ -41,6 +41,10 @@
|
||||
#define EV_EFI_ACTION EV_EFI_EVENT_BASE + 0x7
|
||||
#define EV_EFI_PLATFORM_FIRMWARE_BLOB EV_EFI_EVENT_BASE + 0x8
|
||||
#define EV_EFI_HANDOFF_TABLES EV_EFI_EVENT_BASE + 0x9
|
||||
+#define EV_EFI_PLATFORM_FIRMWARE_BLOB2 EV_EFI_EVENT_BASE + 0xa
|
||||
+#define EV_EFI_HANDOFF_TABLES2 EV_EFI_EVENT_BASE + 0xb
|
||||
+#define EV_EFI_VARIABLE_BOOT2 EV_EFI_EVENT_BASE + 0xc
|
||||
+
|
||||
#define EV_EFI_VARIABLE_AUTHORITY EV_EFI_EVENT_BASE + 0xe0
|
||||
|
||||
#ifndef PACKED
|
||||
@@ -96,6 +100,13 @@ typedef struct {
|
||||
UINT64 BlobLength;
|
||||
} PACKED UEFI_PLATFORM_FIRMWARE_BLOB;
|
||||
|
||||
+
|
||||
+typedef struct {
|
||||
+ UINT8 BlobDescriptionSize;
|
||||
+ BYTE BlobDescription[];
|
||||
+ /* UEFI_PLATFORM_FIRMWARE_BLOB comes next */
|
||||
+} PACKED UEFI_PLATFORM_FIRMWARE_BLOB2;
|
||||
+
|
||||
typedef struct {
|
||||
UINT32 pcrIndex;
|
||||
UINT32 eventType;
|
||||
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
|
||||
index 9b048db1..d2d4aefe 100644
|
||||
--- a/lib/tpm2_eventlog_yaml.c
|
||||
+++ b/lib/tpm2_eventlog_yaml.c
|
||||
@@ -90,6 +90,12 @@ char const *eventtype_to_string (UINT32 event_type) {
|
||||
return "EV_EFI_PLATFORM_FIRMWARE_BLOB";
|
||||
case EV_EFI_HANDOFF_TABLES:
|
||||
return "EV_EFI_HANDOFF_TABLES";
|
||||
+ case EV_EFI_PLATFORM_FIRMWARE_BLOB2:
|
||||
+ return "EV_EFI_PLATFORM_FIRMWARE_BLOB2";
|
||||
+ case EV_EFI_HANDOFF_TABLES2:
|
||||
+ return "EV_EFI_HANDOFF_TABLES2";
|
||||
+ case EV_EFI_VARIABLE_BOOT2:
|
||||
+ return "EV_EFI_VARIABLE_BOOT2";
|
||||
case EV_EFI_VARIABLE_AUTHORITY:
|
||||
return "EV_EFI_VARIABLE_AUTHORITY";
|
||||
default:
|
||||
@@ -433,7 +439,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
|
||||
uuidstr, sdata);
|
||||
free(sdata);
|
||||
return true;
|
||||
- } else if (type == EV_EFI_VARIABLE_BOOT) {
|
||||
+ } else if (type == EV_EFI_VARIABLE_BOOT || type == EV_EFI_VARIABLE_BOOT2) {
|
||||
if ((strlen(ret) == 9 && strncmp(ret, "BootOrder", 9) == 0)) {
|
||||
free(ret);
|
||||
tpm2_tool_output(" VariableData:\n");
|
||||
@@ -526,6 +532,37 @@ bool yaml_uefi_platfwblob(UEFI_PLATFORM_FIRMWARE_BLOB *data) {
|
||||
data->BlobLength);
|
||||
return true;
|
||||
}
|
||||
+
|
||||
+/* TCG PC Client PFP (02 dec 2020) section 10.2.5 */
|
||||
+bool yaml_uefi_platfwblob2(UEFI_PLATFORM_FIRMWARE_BLOB2 *data) {
|
||||
+ UINT8 blobdescsize = data->BlobDescriptionSize;
|
||||
+ UEFI_PLATFORM_FIRMWARE_BLOB * data2 = (UEFI_PLATFORM_FIRMWARE_BLOB *)((UINT8 *)data + sizeof(UINT8) + blobdescsize);
|
||||
+
|
||||
+ char * eventdesc = (char *)calloc (1, 2*blobdescsize+1);
|
||||
+ if (!eventdesc) {
|
||||
+ LOG_ERR("failed to allocate memory: %s\n", strerror(errno));
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ bytes_to_str (data->BlobDescription, blobdescsize, eventdesc, 2*blobdescsize);
|
||||
+
|
||||
+ tpm2_tool_output(" Event:\n"
|
||||
+ " BlobDescriptionSize: %d\n"
|
||||
+ " BlobDescription: \"%.*s\"\n"
|
||||
+ " BlobBase: 0x%" PRIx64 "\n"
|
||||
+ " BlobLength: 0x%" PRIx64 "\n",
|
||||
+ blobdescsize,
|
||||
+ 2*blobdescsize,
|
||||
+ eventdesc,
|
||||
+ data2->BlobBase,
|
||||
+ data2->BlobLength);
|
||||
+
|
||||
+ free(eventdesc);
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+
|
||||
/* TCG PC Client PFP section 9.4.4 */
|
||||
bool yaml_uefi_action(UINT8 const *action, size_t size) {
|
||||
|
||||
@@ -713,6 +750,7 @@ bool yaml_event2data(TCG_EVENT2 const *event, UINT32 type, uint32_t eventlog_ver
|
||||
switch (type) {
|
||||
case EV_EFI_VARIABLE_DRIVER_CONFIG:
|
||||
case EV_EFI_VARIABLE_BOOT:
|
||||
+ case EV_EFI_VARIABLE_BOOT2:
|
||||
case EV_EFI_VARIABLE_AUTHORITY:
|
||||
return yaml_uefi_var((UEFI_VARIABLE_DATA*)event->Event,
|
||||
event->EventSize, type, eventlog_version);
|
||||
@@ -721,6 +759,8 @@ bool yaml_event2data(TCG_EVENT2 const *event, UINT32 type, uint32_t eventlog_ver
|
||||
case EV_S_CRTM_CONTENTS:
|
||||
case EV_EFI_PLATFORM_FIRMWARE_BLOB:
|
||||
return yaml_uefi_platfwblob((UEFI_PLATFORM_FIRMWARE_BLOB*)event->Event);
|
||||
+ case EV_EFI_PLATFORM_FIRMWARE_BLOB2:
|
||||
+ return yaml_uefi_platfwblob2((UEFI_PLATFORM_FIRMWARE_BLOB2*)event->Event);
|
||||
case EV_EFI_ACTION:
|
||||
return yaml_uefi_action(event->Event, event->EventSize);
|
||||
case EV_IPL:
|
||||
diff --git a/test/unit/test_tpm2_eventlog_yaml.c b/test/unit/test_tpm2_eventlog_yaml.c
|
||||
index d4e30b0e..6881703b 100644
|
||||
--- a/test/unit/test_tpm2_eventlog_yaml.c
|
||||
+++ b/test/unit/test_tpm2_eventlog_yaml.c
|
||||
@@ -47,6 +47,9 @@ def_eventtype_to_string(EV_EFI_GPT_EVENT)
|
||||
def_eventtype_to_string(EV_EFI_ACTION)
|
||||
def_eventtype_to_string(EV_EFI_PLATFORM_FIRMWARE_BLOB)
|
||||
def_eventtype_to_string(EV_EFI_HANDOFF_TABLES)
|
||||
+def_eventtype_to_string(EV_EFI_PLATFORM_FIRMWARE_BLOB2)
|
||||
+def_eventtype_to_string(EV_EFI_HANDOFF_TABLES2)
|
||||
+def_eventtype_to_string(EV_EFI_VARIABLE_BOOT2)
|
||||
def_eventtype_to_string(EV_EFI_VARIABLE_AUTHORITY)
|
||||
|
||||
static void eventtype_to_string_default(void **state) {
|
||||
@@ -141,6 +144,9 @@ int main(void) {
|
||||
cmocka_unit_test(eventtype_to_string_EV_EFI_ACTION),
|
||||
cmocka_unit_test(eventtype_to_string_EV_EFI_PLATFORM_FIRMWARE_BLOB),
|
||||
cmocka_unit_test(eventtype_to_string_EV_EFI_HANDOFF_TABLES),
|
||||
+ cmocka_unit_test(eventtype_to_string_EV_EFI_PLATFORM_FIRMWARE_BLOB2),
|
||||
+ cmocka_unit_test(eventtype_to_string_EV_EFI_HANDOFF_TABLES2),
|
||||
+ cmocka_unit_test(eventtype_to_string_EV_EFI_VARIABLE_BOOT2),
|
||||
cmocka_unit_test(eventtype_to_string_EV_EFI_VARIABLE_AUTHORITY),
|
||||
cmocka_unit_test(eventtype_to_string_default),
|
||||
cmocka_unit_test(test_yaml_event2hdr_callback),
|
||||
--
|
||||
2.37.3
|
||||
|
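Review bot: yaml_uefi_platfwblob2 trusts `BlobDescriptionSize` from the event log and dereferences `data2->BlobBase`/`BlobLength` at `data + 1 + blobdescsize` without comparing anything to the event's `EventSize`, so a truncated or crafted log makes tpm2_eventlog read past the event buffer; the caller in yaml_event2data has `event->EventSize` at hand and already passes it to yaml_uefi_action and yaml_uefi_var. Pass the size in and reject events shorter than the one-byte header plus description plus the trailing UEFI_PLATFORM_FIRMWARE_BLOB before touching `data2`. The existing yaml_uefi_platfwblob has the same shape, but its layout is fixed-size; the variable-length BLOB2 layout is where the bound matters. EV_EFI_HANDOFF_TABLES2 gets a name in eventtype_to_string but no case in yaml_event2data, which is presumably covered by a later patch in this series.
```c
/* TCG PC Client PFP (02 dec 2020) section 10.2.5 */
bool yaml_uefi_platfwblob2(UEFI_PLATFORM_FIRMWARE_BLOB2 *data, size_t size) {
    if (size < sizeof(UINT8)) {
        LOG_ERR("EV_EFI_PLATFORM_FIRMWARE_BLOB2 event too small for BlobDescriptionSize");
        return false;
    }
    UINT8 blobdescsize = data->BlobDescriptionSize;
    if (size < sizeof(UINT8) + blobdescsize + sizeof(UEFI_PLATFORM_FIRMWARE_BLOB)) {
        LOG_ERR("EV_EFI_PLATFORM_FIRMWARE_BLOB2 event too small: size %zu, BlobDescriptionSize %u",
                size, blobdescsize);
        return false;
    }
    UEFI_PLATFORM_FIRMWARE_BLOB * data2 = (UEFI_PLATFORM_FIRMWARE_BLOB *)((UINT8 *)data + sizeof(UINT8) + blobdescsize);
    /* … unchanged: allocate eventdesc, bytes_to_str, tpm2_tool_output, free … */
}

    /* … unchanged: yaml_event2data switch … */
    case EV_EFI_PLATFORM_FIRMWARE_BLOB2:
        return yaml_uefi_platfwblob2((UEFI_PLATFORM_FIRMWARE_BLOB2*)event->Event,
                                     event->EventSize);
```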
@ -0,0 +1,385 @@
|
||||
From ba7682dc511f4ef6bbb8a15ca3bb0edf67ec39ce Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Fri, 17 Sep 2021 07:14:20 +0200
|
||||
Subject: [PATCH 02/17] tpm2_encodeobject: New tool to encode TPM2 object
|
||||
|
||||
This adds a new tool tpm2_encodeobject in tools/misc. It takes
|
||||
public and private portions of an object and encode them in a combined
|
||||
PEM form used by tpm2-tss-engine and other applications.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
Makefile.am | 2 +
|
||||
man/tpm2_encodeobject.1.md | 92 +++++++++++++
|
||||
tools/misc/tpm2_encodeobject.c | 240 +++++++++++++++++++++++++++++++++
|
||||
3 files changed, 334 insertions(+)
|
||||
create mode 100644 man/tpm2_encodeobject.1.md
|
||||
create mode 100644 tools/misc/tpm2_encodeobject.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 71322159..e1a51ebf 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -103,6 +103,7 @@ tools_tpm2_SOURCES = \
|
||||
tpm2_tools = \
|
||||
tools/misc/tpm2_certifyX509certutil.c \
|
||||
tools/misc/tpm2_checkquote.c \
|
||||
+ tools/misc/tpm2_encodeobject.c \
|
||||
tools/misc/tpm2_eventlog.c \
|
||||
tools/misc/tpm2_print.c \
|
||||
tools/misc/tpm2_rc_decode.c \
|
||||
@@ -376,6 +377,7 @@ if HAVE_MAN_PAGES
|
||||
man/man1/tpm2_createprimary.1 \
|
||||
man/man1/tpm2_dictionarylockout.1 \
|
||||
man/man1/tpm2_duplicate.1 \
|
||||
+ man/man1/tpm2_encodeobject.1 \
|
||||
man/man1/tpm2_getcap.1 \
|
||||
man/man1/tpm2_encryptdecrypt.1 \
|
||||
man/man1/tpm2_eventlog.1 \
|
||||
diff --git a/man/tpm2_encodeobject.1.md b/man/tpm2_encodeobject.1.md
|
||||
new file mode 100644
|
||||
index 00000000..791eafbd
|
||||
--- /dev/null
|
||||
+++ b/man/tpm2_encodeobject.1.md
|
||||
@@ -0,0 +1,92 @@
|
||||
+% tpm2_encodeobject(1) tpm2-tools | General Commands Manual
|
||||
+
|
||||
+# NAME
|
||||
+
|
||||
+**tpm2_encodeobject**(1) - Encode an object into a combined PEM format.
|
||||
+
|
||||
+# SYNOPSIS
|
||||
+
|
||||
+**tpm2_encodeobject** [*OPTIONS*]
|
||||
+
|
||||
+# DESCRIPTION
|
||||
+
|
||||
+**tpm2_encodeobject**(1) - Encode both the private and public portions of an
|
||||
+object into a combined PEM format used by tpm2-tss-engine.
|
||||
+
|
||||
+The tool reads private and public portions of an object and encodes it
|
||||
+into a combined PEM format used by tpm2-tss-engine and other
|
||||
+applications.
|
||||
+
|
||||
+**NOTE**: Both private and public portions of the tpm key must be specified.
|
||||
+
|
||||
+# OPTIONS
|
||||
+
|
||||
+ * **-C**, **\--parent-context**=_OBJECT_:
|
||||
+
|
||||
+ The parent object.
|
||||
+
|
||||
+ * **-P**, **\--auth**=_AUTH_:
|
||||
+
|
||||
+ The authorization value of the parent object specified by **-C**.
|
||||
+
|
||||
+ * **-u**, **\--public**=_FILE_:
|
||||
+
|
||||
+ A file containing the public portion of the object.
|
||||
+
|
||||
+ * **-r**, **\--private**=_FILE_:
|
||||
+
|
||||
+ A file containing the sensitive portion of the object.
|
||||
+
|
||||
+ * **-o**, **\--output**=_FILE_:
|
||||
+
|
||||
+ The output file path, recording the public portion of the object.
|
||||
+
|
||||
+## References
|
||||
+
|
||||
+[context object format](common/ctxobj.md) details the methods for specifying
|
||||
+_OBJECT_.
|
||||
+
|
||||
+[authorization formatting](common/authorizations.md) details the methods for
|
||||
+specifying _AUTH_.
|
||||
+
|
||||
+[common options](common/options.md) collection of common options that provide
|
||||
+information many users may expect.
|
||||
+
|
||||
+[common tcti options](common/tcti.md) collection of options used to configure
|
||||
+the various known TCTI modules.
|
||||
+
|
||||
+# EXAMPLES
|
||||
+
|
||||
+## Setup
|
||||
+To load an object you first must create an object under a primary object. So the
|
||||
+first step is to create the primary object.
|
||||
+
|
||||
+```bash
|
||||
+tpm2_createprimary -c primary.ctx
|
||||
+```
|
||||
+
|
||||
+Step 2 is to create an object under the primary object.
|
||||
+
|
||||
+```bash
|
||||
+tpm2_create -C primary.ctx -u key.pub -r key.priv -f pem -o pub.pem
|
||||
+```
|
||||
+
|
||||
+This creates the private and public portions of the TPM object. With these
|
||||
+object portions, it is now possible to load that object into the TPM for
|
||||
+subsequent use.
|
||||
+
|
||||
+## Encoding an Object into a combined PEM format
|
||||
+
|
||||
+The final step, is encoding the public and private portions of the object into a
|
||||
+PEM format.
|
||||
+
|
||||
+```bash
|
||||
+tpm2_encodeobject -C primary.ctx -u key.pub -r key.priv -c priv.pem
|
||||
+```
|
||||
+
|
||||
+The generated `priv.pem` can be used together with `pub.pem` created in the
|
||||
+step 2 of Setup section.
|
||||
+
|
||||
+[returns](common/returns.md)
|
||||
+
|
||||
+[footer](common/footer.md)
|
||||
diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
|
||||
new file mode 100644
|
||||
index 00000000..2341c3a1
|
||||
--- /dev/null
|
||||
+++ b/tools/misc/tpm2_encodeobject.c
|
||||
@@ -0,0 +1,240 @@
|
||||
+/* SPDX-License-Identifier: BSD-3-Clause */
|
||||
+
|
||||
+/*
|
||||
+ * Part of this file is copied from tpm2-tss-engine.
|
||||
+ *
|
||||
+ * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
|
||||
+ * All rights reserved.
|
||||
+ * Copyright (c) 2019, Wind River Systems.
|
||||
+ * All rights reserved.
|
||||
+ */
|
||||
+
|
||||
+#include <inttypes.h>
|
||||
+#include <stdbool.h>
|
||||
+#include <stdio.h>
|
||||
+#include <string.h>
|
||||
+#include <openssl/asn1.h>
|
||||
+#include <openssl/asn1t.h>
|
||||
+#include <openssl/pem.h>
|
||||
+#include <tss2/tss2_mu.h>
|
||||
+
|
||||
+#include "files.h"
|
||||
+#include "log.h"
|
||||
+#include "tpm2.h"
|
||||
+#include "tpm2_options.h"
|
||||
+#include "tpm2_tool.h"
|
||||
+
|
||||
+#define OID_loadableKey "2.23.133.10.1.3"
|
||||
+
|
||||
+typedef struct {
|
||||
+ ASN1_OBJECT *type;
|
||||
+ ASN1_BOOLEAN emptyAuth;
|
||||
+ ASN1_INTEGER *parent;
|
||||
+ ASN1_OCTET_STRING *pubkey;
|
||||
+ ASN1_OCTET_STRING *privkey;
|
||||
+} TSSPRIVKEY;
|
||||
+
|
||||
+DECLARE_ASN1_FUNCTIONS(TSSPRIVKEY);
|
||||
+DECLARE_PEM_write_bio(TSSPRIVKEY, TSSPRIVKEY);
|
||||
+
|
||||
+ASN1_SEQUENCE(TSSPRIVKEY) = {
|
||||
+ ASN1_SIMPLE(TSSPRIVKEY, type, ASN1_OBJECT),
|
||||
+ ASN1_EXP_OPT(TSSPRIVKEY, emptyAuth, ASN1_BOOLEAN, 0),
|
||||
+ ASN1_SIMPLE(TSSPRIVKEY, parent, ASN1_INTEGER),
|
||||
+ ASN1_SIMPLE(TSSPRIVKEY, pubkey, ASN1_OCTET_STRING),
|
||||
+ ASN1_SIMPLE(TSSPRIVKEY, privkey, ASN1_OCTET_STRING)
|
||||
+} ASN1_SEQUENCE_END(TSSPRIVKEY)
|
||||
+
|
||||
+#define TSSPRIVKEY_PEM_STRING "TSS2 PRIVATE KEY"
|
||||
+
|
||||
+IMPLEMENT_ASN1_FUNCTIONS(TSSPRIVKEY);
|
||||
+IMPLEMENT_PEM_write_bio(TSSPRIVKEY, TSSPRIVKEY, TSSPRIVKEY_PEM_STRING, TSSPRIVKEY);
|
||||
+IMPLEMENT_PEM_read_bio(TSSPRIVKEY, TSSPRIVKEY, TSSPRIVKEY_PEM_STRING, TSSPRIVKEY);
|
||||
+
|
||||
+typedef struct tpm_encodeobject_ctx tpm_encodeobject_ctx;
|
||||
+struct tpm_encodeobject_ctx {
|
||||
+ struct {
|
||||
+ const char *ctx_path;
|
||||
+ const char *auth_str;
|
||||
+ tpm2_loaded_object object;
|
||||
+ } parent;
|
||||
+
|
||||
+ struct {
|
||||
+ const char *pubpath;
|
||||
+ TPM2B_PUBLIC public;
|
||||
+ const char *privpath;
|
||||
+ TPM2B_PRIVATE private;
|
||||
+ ESYS_TR handle;
|
||||
+ } object;
|
||||
+
|
||||
+ char *output_path;
|
||||
+};
|
||||
+
|
||||
+static tpm_encodeobject_ctx ctx;
|
||||
+
|
||||
+static bool on_option(char key, char *value) {
|
||||
+ switch (key) {
|
||||
+ case 'P':
|
||||
+ ctx.parent.auth_str = value;
|
||||
+ break;
|
||||
+ case 'u':
|
||||
+ ctx.object.pubpath = value;
|
||||
+ break;
|
||||
+ case 'r':
|
||||
+ ctx.object.privpath = value;
|
||||
+ break;
|
||||
+ case 'C':
|
||||
+ ctx.parent.ctx_path = value;
|
||||
+ break;
|
||||
+ case 'o':
|
||||
+ ctx.output_path = value;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+static bool tpm2_tool_onstart(tpm2_options **opts) {
|
||||
+ const struct option topts[] = {
|
||||
+ { "auth", required_argument, NULL, 'P' },
|
||||
+ { "public", required_argument, NULL, 'u' },
|
||||
+ { "private", required_argument, NULL, 'r' },
|
||||
+ { "parent-context", required_argument, NULL, 'C' },
|
||||
+ { "output", required_argument, NULL, 'o' },
|
||||
+ };
|
||||
+
|
||||
+ *opts = tpm2_options_new("P:u:r:C:o:", ARRAY_LEN(topts), topts, on_option,
|
||||
+ NULL, 0);
|
||||
+
|
||||
+ return *opts != NULL;
|
||||
+}
|
||||
+
|
||||
+static tool_rc check_opts(void) {
|
||||
+ tool_rc rc = tool_rc_success;
|
||||
+ if (!ctx.parent.ctx_path) {
|
||||
+ LOG_ERR("Expected parent object via -C");
|
||||
+ rc = tool_rc_option_error;
|
||||
+ }
|
||||
+
|
||||
+ if (!ctx.object.pubpath) {
|
||||
+ LOG_ERR("Expected public object portion via -u");
|
||||
+ rc = tool_rc_option_error;
|
||||
+ }
|
||||
+
|
||||
+ if (!ctx.object.privpath) {
|
||||
+ LOG_ERR("Expected private object portion via -r");
|
||||
+ rc = tool_rc_option_error;
|
||||
+ }
|
||||
+
|
||||
+ if (!ctx.output_path) {
|
||||
+ LOG_ERR("Expected output file path via -o");
|
||||
+ rc = tool_rc_option_error;
|
||||
+ }
|
||||
+
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+static tool_rc init(ESYS_CONTEXT *ectx) {
|
||||
+ bool res = files_load_public(ctx.object.pubpath, &ctx.object.public);
|
||||
+ if (!res) {
|
||||
+ return tool_rc_general_error;
|
||||
+ }
|
||||
+
|
||||
+ res = files_load_private(ctx.object.privpath, &ctx.object.private);
|
||||
+ if (!res) {
|
||||
+ return tool_rc_general_error;
|
||||
+ }
|
||||
+
|
||||
+ return tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path,
|
||||
+ ctx.parent.auth_str, &ctx.parent.object, false,
|
||||
+ TPM2_HANDLE_ALL_W_NV);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+encode(void)
|
||||
+{
|
||||
+ TSS2_RC rc;
|
||||
+ BIO *bio = NULL;
|
||||
+ TSSPRIVKEY *tpk = NULL;
|
||||
+
|
||||
+ uint8_t private_buf[sizeof(ctx.object.private)];
|
||||
+ uint8_t public_buf[sizeof(ctx.object.public)];
|
||||
+ size_t private_len = 0, public_len = 0;
|
||||
+
|
||||
+ rc = Tss2_MU_TPM2B_PRIVATE_Marshal(&ctx.object.private, private_buf,
|
||||
+ sizeof(private_buf), &private_len);
|
||||
+ if (rc) {
|
||||
+ LOG_ERR("Error serializing private portion of object");
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ rc = Tss2_MU_TPM2B_PUBLIC_Marshal(&ctx.object.public, public_buf,
|
||||
+ sizeof(public_buf), &public_len);
|
||||
+ if (rc) {
|
||||
+ LOG_ERR("Error serializing public portion of object");
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ tpk = TSSPRIVKEY_new();
|
||||
+ if (!tpk) {
|
||||
+ LOG_ERR("oom");
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ tpk->type = OBJ_txt2obj(OID_loadableKey, 1);
|
||||
+ tpk->parent = ASN1_INTEGER_new();
|
||||
+ tpk->privkey = ASN1_OCTET_STRING_new();
|
||||
+ tpk->pubkey = ASN1_OCTET_STRING_new();
|
||||
+ if (!tpk->type || !tpk->privkey || !tpk->pubkey || !tpk->parent) {
|
||||
+ LOG_ERR("oom");
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ tpk->emptyAuth = ctx.parent.auth_str == NULL ? 0xFF : 0;
|
||||
+
|
||||
+ if ((ctx.parent.object.handle >> TPM2_HR_SHIFT) == TPM2_HT_PERSISTENT) {
|
||||
+ ASN1_INTEGER_set(tpk->parent, ctx.parent.object.handle);
|
||||
+ } else {
|
||||
+ /* Indicate that the parent is a primary object generated on the fly. */
|
||||
+ ASN1_INTEGER_set(tpk->parent, TPM2_RH_OWNER);
|
||||
+ }
|
||||
+
|
||||
+ ASN1_STRING_set(tpk->privkey, private_buf, private_len);
|
||||
+ ASN1_STRING_set(tpk->pubkey, public_buf, public_len);
|
||||
+
|
||||
+ if ((bio = BIO_new_file(ctx.output_path, "w")) == NULL) {
|
||||
+ LOG_ERR("Could not open file: \"%s\"", ctx.output_path);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ PEM_write_bio_TSSPRIVKEY(bio, tpk);
|
||||
+ TSSPRIVKEY_free(tpk);
|
||||
+ BIO_free(bio);
|
||||
+
|
||||
+ return tool_rc_success;
|
||||
+ error:
|
||||
+ if (bio)
|
||||
+ BIO_free(bio);
|
||||
+ if (tpk)
|
||||
+ TSSPRIVKEY_free(tpk);
|
||||
+ return tool_rc_general_error;
|
||||
+}
|
||||
+
|
||||
+static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
||||
+ UNUSED(flags);
|
||||
+
|
||||
+ tool_rc rc = check_opts();
|
||||
+ if (rc != tool_rc_success) {
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ rc = init(ectx);
|
||||
+ if (rc != tool_rc_success) {
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ return encode();
|
||||
+}
|
||||
+
|
||||
+// Register this tool with tpm2_tool.c
|
||||
+TPM2_TOOL_REGISTER("encodeobject", tpm2_tool_onstart, tpm2_tool_onrun, NULL, NULL)
|
||||
--
|
||||
2.40.1
|
||||
|
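Review bot: In encode(), the return value of `PEM_write_bio_TSSPRIVKEY(bio, tpk)` is discarded, so a failed or partial write still ends in `tool_rc_success` with a truncated key file on disk; the two `ASN1_STRING_set` calls, which return 0 on allocation failure, are likewise unchecked, and all three should route to `error:`. Separately, `emptyAuth` is derived from whether `-P` was given, which the man page in this same patch documents as the parent's auth value, whereas the field in this PEM format describes the encoded key's own auth as far as the format is known here — confirm which auth tpm2-tss-engine reads this as, since a key with a password under a passwordless parent is currently encoded with emptyAuth set. The man page also disagrees with the code: the example runs `tpm2_encodeobject ... -c priv.pem` but the tool only defines `-o` for the output, and `-o` is described as "recording the public portion of the object" although the file holds the combined private and public blob. The `parent` field silently falls back to `TPM2_RH_OWNER` for any non-persistent parent; a comment noting that a consumer will then regenerate a default owner-hierarchy primary, and that a primary created with a non-default template will not match, would save the next user some debugging.
```c
    /* … unchanged: marshal private/public, allocate tpk, set type and parent … */
    if (!ASN1_STRING_set(tpk->privkey, private_buf, private_len) ||
        !ASN1_STRING_set(tpk->pubkey, public_buf, public_len)) {
        LOG_ERR("oom");
        goto error;
    }

    if ((bio = BIO_new_file(ctx.output_path, "w")) == NULL) {
        LOG_ERR("Could not open file: \"%s\"", ctx.output_path);
        goto error;
    }

    if (!PEM_write_bio_TSSPRIVKEY(bio, tpk)) {
        LOG_ERR("Could not write PEM object to file: \"%s\"", ctx.output_path);
        goto error;
    }
    /* … unchanged: free tpk and bio, return tool_rc_success; error: cleanup … */
```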
@ -0,0 +1,28 @@
|
||||
From 2e4d5da9a5e8808b1b075e0bde11c13fdd4c60b3 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Tue, 19 Dec 2023 17:24:26 +0100
|
||||
Subject: [PATCH 2/6] tpm2_tool.c Fix missing include for basename.
|
||||
|
||||
tpm2_tool.c did not compile on NetBSD without including libgen.h.
|
||||
Fixes: #3321
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
tools/tpm2_tool.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/tools/tpm2_tool.c b/tools/tpm2_tool.c
|
||||
index edd04c83..f59e316a 100644
|
||||
--- a/tools/tpm2_tool.c
|
||||
+++ b/tools/tpm2_tool.c
|
||||
@@ -3,6 +3,7 @@
|
||||
#include <stdbool.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <libgen.h>
|
||||
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
--
|
||||
2.45.2
|
||||
|
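Review bot: On glibc `<libgen.h>` `#define`s `basename` to `__xpg_basename`, the POSIX variant that may modify the string it is given and return a pointer into it, whereas a file that only included `<string.h>` under `_GNU_SOURCE` was getting the non-modifying GNU `basename`; so this include can change which implementation `tpm2_tool.c` calls on Linux, not only make NetBSD compile. If the call site (outside the hunk) passes `argv[0]` or any string that is used again afterwards, hand it a copy, e.g. `char *dup = strdup(path); const char *name = basename(dup);`, and free it once the name is no longer needed. A short comment on the include, `/* POSIX basename(): may modify its argument, see call site */`, would keep the next reader from dropping it as unused.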
@ -0,0 +1,27 @@
|
||||
From 18f211c7f28d204e5676a30480b681519316d87f Mon Sep 17 00:00:00 2001
|
||||
From: George Almasi <gheorghe@us.ibm.com>
|
||||
Date: Mon, 11 Apr 2022 12:12:45 +0000
|
||||
Subject: [PATCH 3/9] Code clarity fix for calculation of data member addresses
|
||||
when printing out UEFI_PLATFORM_FIRMWARE_BLOB2 structures.
|
||||
|
||||
Signed-off-by: George Almasi <gheorghe@us.ibm.com>
|
||||
---
|
||||
lib/tpm2_eventlog_yaml.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
|
||||
index d2d4aefe..647a2225 100644
|
||||
--- a/lib/tpm2_eventlog_yaml.c
|
||||
+++ b/lib/tpm2_eventlog_yaml.c
|
||||
@@ -536,7 +536,7 @@ bool yaml_uefi_platfwblob(UEFI_PLATFORM_FIRMWARE_BLOB *data) {
|
||||
/* TCG PC Client PFP (02 dec 2020) section 10.2.5 */
|
||||
bool yaml_uefi_platfwblob2(UEFI_PLATFORM_FIRMWARE_BLOB2 *data) {
|
||||
UINT8 blobdescsize = data->BlobDescriptionSize;
|
||||
- UEFI_PLATFORM_FIRMWARE_BLOB * data2 = (UEFI_PLATFORM_FIRMWARE_BLOB *)((UINT8 *)data + sizeof(UINT8) + blobdescsize);
|
||||
+ UEFI_PLATFORM_FIRMWARE_BLOB * data2 = (UEFI_PLATFORM_FIRMWARE_BLOB *)((UINT8 *)data + sizeof(data->BlobDescriptionSize) + blobdescsize);
|
||||
|
||||
char * eventdesc = (char *)calloc (1, 2*blobdescsize+1);
|
||||
if (!eventdesc) {
|
||||
--
|
||||
2.37.3
|
||||
|
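Review bot: `blobdescsize` on the new line comes straight from the event log (`data->BlobDescriptionSize`) and is used to place `data2` without any check that the description plus the trailing UEFI_PLATFORM_FIRMWARE_BLOB fit inside the event's data; `yaml_uefi_platfwblob2` takes no size argument, so it cannot validate this itself. Unless the caller already bounds the event size (not visible here), a truncated or crafted log makes the later reads through `data2` run past the event buffer. Consider giving the function a `size_t size` parameter as `yaml_uefi_action(UINT8 const *action, size_t size)` has and rejecting the event when `size < sizeof(data->BlobDescriptionSize) + blobdescsize + sizeof(*data2)`. The rest of the function is outside the hunk.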
@ -0,0 +1,104 @@
|
||||
From be8b4cb178332f24fb06f30d3211a24ea3c9e632 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Fri, 3 Sep 2021 11:24:31 -0700
|
||||
Subject: [PATCH 03/17] tools/tpm2_evictconrol: fix for call to Esys_TR_Close
|
||||
on bad handle
|
||||
|
||||
Fixes #2254
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
tools/tpm2_evictcontrol.c | 36 +++++++++++++++---------------------
|
||||
1 file changed, 15 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/tools/tpm2_evictcontrol.c b/tools/tpm2_evictcontrol.c
|
||||
index 0ae4edc6..8199be39 100644
|
||||
--- a/tools/tpm2_evictcontrol.c
|
||||
+++ b/tools/tpm2_evictcontrol.c
|
||||
@@ -106,20 +106,18 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
||||
bool evicted = false;
|
||||
|
||||
/* load up the object/handle to work on */
|
||||
- tool_rc tmp_rc = tpm2_util_object_load(ectx, ctx.to_persist_key.ctx_path,
|
||||
- &ctx.to_persist_key.object, TPM2_HANDLE_ALL_W_NV);
|
||||
- if (tmp_rc != tool_rc_success) {
|
||||
- rc = tmp_rc;
|
||||
- goto out;
|
||||
+ rc = tpm2_util_object_load(ectx, ctx.to_persist_key.ctx_path,
|
||||
+ &ctx.to_persist_key.object, TPM2_HANDLE_ALL_W_NV);
|
||||
+ if (rc != tool_rc_success) {
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
/* load up the auth hierarchy */
|
||||
- tmp_rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
|
||||
+ rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
|
||||
ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
|
||||
TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P);
|
||||
- if (tmp_rc != tool_rc_success) {
|
||||
- rc = tmp_rc;
|
||||
- goto out;
|
||||
+ if (rc != tool_rc_success) {
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
if (ctx.to_persist_key.object.handle >> TPM2_HR_SHIFT
|
||||
@@ -136,11 +134,10 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
||||
*/
|
||||
if (ctx.flags.c && !ctx.flags.p) {
|
||||
bool is_platform = ctx.auth_hierarchy.object.handle == TPM2_RH_PLATFORM;
|
||||
- tmp_rc = tpm2_capability_find_vacant_persistent_handle(ectx,
|
||||
+ rc = tpm2_capability_find_vacant_persistent_handle(ectx,
|
||||
is_platform, &ctx.persist_handle);
|
||||
- if (tmp_rc != tool_rc_success) {
|
||||
- rc = tmp_rc;
|
||||
- goto out;
|
||||
+ if (rc != tool_rc_success) {
|
||||
+ return rc;
|
||||
}
|
||||
/* we searched and found a persistent handle, so mark that peristent handle valid */
|
||||
ctx.flags.p = 1;
|
||||
@@ -148,7 +145,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
||||
|
||||
if (ctx.flags.o && !ctx.flags.p) {
|
||||
LOG_ERR("Cannot specify -o without using a persistent handle");
|
||||
- goto out;
|
||||
+ return tool_rc_option_error;
|
||||
}
|
||||
|
||||
ESYS_TR out_tr;
|
||||
@@ -175,7 +172,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
||||
rc = tpm2_evictcontrol(ectx, &ctx.auth_hierarchy.object,
|
||||
&ctx.to_persist_key.object, ctx.persist_handle, &out_tr, NULL);
|
||||
if (rc != tool_rc_success) {
|
||||
- goto out;
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -191,19 +188,16 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
||||
evicted = out_tr == ESYS_TR_NONE;
|
||||
tpm2_tool_output("persistent-handle: 0x%x\n", ctx.persist_handle);
|
||||
tpm2_tool_output("action: %s\n", evicted ? "evicted" : "persisted");
|
||||
-
|
||||
+ tool_rc tmp_rc = tool_rc_success;
|
||||
if (ctx.output_arg) {
|
||||
- rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg);
|
||||
- } else {
|
||||
- rc = tool_rc_success;
|
||||
+ tmp_rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg);
|
||||
}
|
||||
|
||||
-out:
|
||||
if (!evicted) {
|
||||
rc = tpm2_close(ectx, &out_tr);
|
||||
}
|
||||
|
||||
- return rc;
|
||||
+ return (tmp_rc == tool_rc_success) ? rc : tmp_rc;
|
||||
}
|
||||
|
||||
static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
|
||||
--
|
||||
2.40.1
|
||||
|
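Review bot: The `-o` without persistent handle check, now ending in `return tool_rc_option_error;`, still runs after both `tpm2_util_object_load` calls have loaded objects into the TPM, so a plain usage error costs a TPM round trip and leaves `to_persist_key.object` and `auth_hierarchy.object` to whatever `tpm2_tool_onstop` does. Because `ctx.flags.p` is also set by the `-c` vacant-handle search above it, the equivalent early test is `if (ctx.flags.o && !ctx.flags.p && !ctx.flags.c)` placed before the first load (or in option checking), so the early returns you added only fire for genuine TPM failures. Changing that path from `goto out` to `tool_rc_option_error` also alters the tool's exit status for that case, which deserves a line in the commit message. `tpm2_tool_onrun` starts before the first hunk.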
@ -0,0 +1,63 @@
|
||||
From 5b5dd6263f1f2d41f08abd60134396a12756c5e7 Mon Sep 17 00:00:00 2001
|
||||
From: Bill Roberts <bill.c.roberts+gh@gmail.com>
|
||||
Date: Sun, 10 Dec 2023 10:26:33 -0600
|
||||
Subject: [PATCH 3/6] tpm2_nvread: fix input handling no nv index
|
||||
|
||||
Fixes:
|
||||
./tools/tpm2 nvread
|
||||
WARN: Reading full size of the NV index
|
||||
ERROR: object string is empty
|
||||
ERROR: Invalid handle authorization.
|
||||
ERROR: Unable to run nvread
|
||||
|
||||
with:
|
||||
./tools/tpm2 nvread
|
||||
ERROR: Must specify NV index argument
|
||||
Usage: nvread [<options>] <arguments>
|
||||
Where <options> are:
|
||||
[ -C | --hierarchy=<value>] [ -o | --output=<value>] [ -s | --size=<value>] [ --offset=<value>]
|
||||
[ --cphash=<value>] [ --rphash=<value>] [ -n | --name=<value>] [ -P | --auth=<value>]
|
||||
[ -S | --session=<value>] [ --print-yaml]
|
||||
|
||||
Signed-off-by: Bill Roberts <bill.c.roberts+gh@gmail.com>
|
||||
---
|
||||
tools/tpm2_nvread.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/tpm2_nvread.c b/tools/tpm2_nvread.c
|
||||
index f64d00c1..8f9c61cc 100644
|
||||
--- a/tools/tpm2_nvread.c
|
||||
+++ b/tools/tpm2_nvread.c
|
||||
@@ -24,6 +24,7 @@ struct tpm_nvread_ctx {
|
||||
TPM2B_NAME precalc_nvname;
|
||||
UINT32 size_to_read;
|
||||
UINT32 offset;
|
||||
+ bool nv_specified;
|
||||
|
||||
/*
|
||||
* Outputs
|
||||
@@ -192,6 +193,11 @@ static tool_rc check_options(tpm2_option_flags flags) {
|
||||
return tool_rc_option_error;
|
||||
}
|
||||
|
||||
+ if(!ctx.nv_specified) {
|
||||
+ LOG_ERR("Must specify NV index argument");
|
||||
+ return tool_rc_option_error;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Peculiar to this and some other tools, the object (nvindex) name must
|
||||
* be specified when only calculating the cpHash.
|
||||
@@ -266,7 +272,8 @@ static bool on_arg(int argc, char **argv) {
|
||||
if (!ctx.auth_hierarchy.ctx_path) {
|
||||
ctx.auth_hierarchy.ctx_path = argv[0];
|
||||
}
|
||||
- return on_arg_nv_index(argc, argv, &ctx.nv_index);
|
||||
+
|
||||
+ return ctx.nv_specified = on_arg_nv_index(argc, argv, &ctx.nv_index);
|
||||
}
|
||||
|
||||
static bool on_option(char key, char *value) {
|
||||
--
|
||||
2.45.2
|
||||
|
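Review bot: `return ctx.nv_specified = on_arg_nv_index(argc, argv, &ctx.nv_index);` folds an assignment into the return and reads like a comparison at a glance; split it into `ctx.nv_specified = on_arg_nv_index(argc, argv, &ctx.nv_index);` followed by `return ctx.nv_specified;`. The new `if(!ctx.nv_specified)` is also missing the space after `if` that the rest of the file uses (`if (!ctx.auth_hierarchy.ctx_path)`). Since the flag is only set when the index actually parsed, a malformed index fails in `on_arg` and never reaches the new check; a comment on the field, `/* true once on_arg parsed a valid NV index argument */`, would make that contract explicit.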
@ -0,0 +1,45 @@
|
||||
From f365a0adca8379ce89ff86fdf740082cf6a56f1b Mon Sep 17 00:00:00 2001
|
||||
From: Tien-Ren Chen <trchen1033@gmail.com>
|
||||
Date: Thu, 25 Nov 2021 12:41:52 -0500
|
||||
Subject: [PATCH 04/17] Fix argument parsing in tpm2_policylocality
|
||||
|
||||
This patch fixes a bug that caused tpm2_policylocality to almost
|
||||
always generate PolicyLocality(0).
|
||||
|
||||
There was a logical inversion that caused almost any argument
|
||||
(including invalid ones) to be interpreted as zero, except "zero"
|
||||
would be interpreted as one.
|
||||
|
||||
Signed-off-by: Tien-Ren Chen <trchen1033@gmail.com>
|
||||
---
|
||||
tools/tpm2_policylocality.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/tools/tpm2_policylocality.c b/tools/tpm2_policylocality.c
|
||||
index 81edbe65..b1d43d02 100644
|
||||
--- a/tools/tpm2_policylocality.c
|
||||
+++ b/tools/tpm2_policylocality.c
|
||||
@@ -54,15 +54,15 @@ static bool on_arg(int argc, char **argv) {
|
||||
return false;
|
||||
}
|
||||
|
||||
- if (strcmp(argv[0], "zero")) {
|
||||
+ if (strcmp(argv[0], "zero") == 0) {
|
||||
ctx.locality = TPMA_LOCALITY_TPM2_LOC_ZERO;
|
||||
- } else if (strcmp(argv[0], "one")) {
|
||||
+ } else if (strcmp(argv[0], "one") == 0) {
|
||||
ctx.locality = TPMA_LOCALITY_TPM2_LOC_ONE;
|
||||
- } else if (strcmp(argv[0], "two")) {
|
||||
+ } else if (strcmp(argv[0], "two") == 0) {
|
||||
ctx.locality = TPMA_LOCALITY_TPM2_LOC_TWO;
|
||||
- } else if (strcmp(argv[0], "three")) {
|
||||
+ } else if (strcmp(argv[0], "three") == 0) {
|
||||
ctx.locality = TPMA_LOCALITY_TPM2_LOC_THREE;
|
||||
- } else if (strcmp(argv[0], "four")) {
|
||||
+ } else if (strcmp(argv[0], "four") == 0) {
|
||||
ctx.locality = TPMA_LOCALITY_TPM2_LOC_FOUR;
|
||||
} else {
|
||||
bool result = tpm2_util_string_to_uint8(argv[0], &ctx.locality);
|
||||
--
|
||||
2.40.1
|
||||
|
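Review bot: The corrected `strcmp(...) == 0` chain is right, but five near-identical branches plus a numeric fallback is the shape that let the original inversion slip through unnoticed; a small name table with one loop makes the comparison direction appear once. This is purely stylistic, and the numeric fallback via `tpm2_util_string_to_uint8` stays as it is. `on_arg` begins before the hunk and what follows the `else` branch is outside it.
```c
static const struct {
    const char *name;
    UINT8 value;
} locality_names[] = {
    { "zero",  TPMA_LOCALITY_TPM2_LOC_ZERO },
    { "one",   TPMA_LOCALITY_TPM2_LOC_ONE },
    { "two",   TPMA_LOCALITY_TPM2_LOC_TWO },
    { "three", TPMA_LOCALITY_TPM2_LOC_THREE },
    { "four",  TPMA_LOCALITY_TPM2_LOC_FOUR },
};
/* … unchanged: argc check at the top of on_arg … */
    size_t i;
    for (i = 0; i < sizeof(locality_names) / sizeof(locality_names[0]); i++) {
        if (strcmp(argv[0], locality_names[i].name) == 0) {
            ctx.locality = locality_names[i].value;
            return true;
        }
    }
    /* … unchanged: numeric fallback via tpm2_util_string_to_uint8 … */
```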
@ -0,0 +1,86 @@
|
||||
From 7076608db4b8a2cdcab6ff4bc47c23c935618e3b Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Tue, 5 Mar 2024 22:11:38 +0100
|
||||
Subject: [PATCH 4/6] tpm2_checkquote: Add comparison of pcr selection.
|
||||
|
||||
The PCR selection which is passed with the --pcr parameter is not
|
||||
compared with the attest. So it's possible to fake a valid
|
||||
attestation.
|
||||
|
||||
Fixes: CVE-2024-29039
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
|
||||
---
|
||||
tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 40 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
|
||||
index 6ce086f8..8a2a154e 100644
|
||||
--- a/tools/misc/tpm2_checkquote.c
|
||||
+++ b/tools/misc/tpm2_checkquote.c
|
||||
@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
|
||||
.pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
|
||||
};
|
||||
|
||||
+static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
|
||||
+ if (attest_sel->count != pcr_sel->count) {
|
||||
+ LOG_ERR("Selection sizes do not match.");
|
||||
+ return false;
|
||||
+ }
|
||||
+ for (uint32_t i = 0; i < attest_sel->count; i++) {
|
||||
+ for (uint32_t j = 0; j < pcr_sel->count; j++) {
|
||||
+ if (attest_sel->pcrSelections[i].hash ==
|
||||
+ pcr_sel->pcrSelections[j].hash) {
|
||||
+ if (attest_sel->pcrSelections[i].sizeofSelect !=
|
||||
+ pcr_sel->pcrSelections[j].sizeofSelect) {
|
||||
+ LOG_ERR("Bitmask size does not match");
|
||||
+ return false;
|
||||
+ }
|
||||
+ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
|
||||
+ &pcr_sel->pcrSelections[j].pcrSelect[0],
|
||||
+ attest_sel->pcrSelections[i].sizeofSelect) != 0) {
|
||||
+ LOG_ERR("Selection bitmasks do not match");
|
||||
+ return false;
|
||||
+ }
|
||||
+ break;
|
||||
+ }
|
||||
+ if (j == pcr_sel->count - 1) {
|
||||
+ LOG_ERR("Hash selections to not match.");
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
static bool verify(void) {
|
||||
|
||||
bool result = false;
|
||||
@@ -374,7 +405,7 @@ static tool_rc init(void) {
|
||||
}
|
||||
|
||||
TPM2B_ATTEST *msg = NULL;
|
||||
- TPML_PCR_SELECTION pcr_select;
|
||||
+ TPML_PCR_SELECTION pcr_select = { 0 };
|
||||
tpm2_pcrs *pcrs;
|
||||
tpm2_pcrs temp_pcrs = {};
|
||||
tool_rc return_value = tool_rc_general_error;
|
||||
@@ -537,6 +568,14 @@ static tool_rc init(void) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ if (ctx.flags.pcr) {
|
||||
+ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
|
||||
+ &pcr_select)) {
|
||||
+ LOG_ERR("PCR selection does not match PCR slection from attest!");
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
// Figure out the digest for this message
|
||||
res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
|
||||
msg->size, &ctx.msg_hash);
|
||||
--
|
||||
2.45.2
|
||||
|
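Review bot: `compare_pcr_selection` only checks that every bank in `attest_sel` has a matching bank in `pcr_sel` plus equal counts, which is not set equality: an attest whose `pcrSelect` lists one hash twice (say SHA256, SHA256) against a `--pcr` selection of SHA256 and SHA1 matches both attest entries to the same SHA256 entry and returns true while the SHA1 bank is never compared. Run the membership test in both directions, for instance move the loop into `static bool selection_subset(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b)` and have `compare_pcr_selection` return `selection_subset(attest_sel, pcr_sel) && selection_subset(pcr_sel, attest_sel);`, or reject repeated hashes up front. The `memcmp` length is taken from the attest side only after the equality check, which is fine, but `sizeofSelect` is still trusted to be at most `TPM2_PCR_SELECT_MAX`, which presumably relies on the unmarshal code having bounded it. The two log strings `Hash selections to not match.` and `PCR slection` carry typos.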
55
SOURCES/0004-tpm2_eventlog-clean-up-some-magic-numbers.patch
Normal file
55
SOURCES/0004-tpm2_eventlog-clean-up-some-magic-numbers.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From 2781de8cb60d0e8efb72d57eb1178f2f6df9415c Mon Sep 17 00:00:00 2001
|
||||
From: Jerry Snitselaar <jsnitsel@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 11:59:06 -0700
|
||||
Subject: [PATCH 4/9] tpm2_eventlog: clean up some magic numbers
|
||||
|
||||
Make the code a bit clearer by making it clear
|
||||
we are subtracting the size of the EFI_GUID member
|
||||
from the EFI_SIGNATURE_DATA size.
|
||||
|
||||
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
|
||||
---
|
||||
lib/tpm2_eventlog_yaml.c | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
|
||||
index 647a2225..fee78027 100644
|
||||
--- a/lib/tpm2_eventlog_yaml.c
|
||||
+++ b/lib/tpm2_eventlog_yaml.c
|
||||
@@ -374,13 +374,13 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
|
||||
for (i = 0; i < signatures; i++) {
|
||||
EFI_SIGNATURE_DATA *s = (EFI_SIGNATURE_DATA *)signature;
|
||||
char *sdata = calloc (1,
|
||||
- BYTES_TO_HEX_STRING_SIZE(slist->SignatureSize-16));
|
||||
+ BYTES_TO_HEX_STRING_SIZE(slist->SignatureSize - sizeof(EFI_GUID)));
|
||||
if (sdata == NULL) {
|
||||
LOG_ERR("Failled to allocate data: %s\n", strerror(errno));
|
||||
return false;
|
||||
}
|
||||
- bytes_to_str(s->SignatureData, slist->SignatureSize-16,
|
||||
- sdata, BYTES_TO_HEX_STRING_SIZE(slist->SignatureSize-16));
|
||||
+ bytes_to_str(s->SignatureData, slist->SignatureSize - sizeof(EFI_GUID),
|
||||
+ sdata, BYTES_TO_HEX_STRING_SIZE(slist->SignatureSize - sizeof(EFI_GUID)));
|
||||
guid_unparse_lower(s->SignatureOwner, uuidstr);
|
||||
tpm2_tool_output(" - SignatureOwner: %s\n"
|
||||
" SignatureData: %s\n",
|
||||
@@ -426,13 +426,13 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
|
||||
EFI_SIGNATURE_DATA *s= (EFI_SIGNATURE_DATA *)&data->UnicodeName[
|
||||
data->UnicodeNameLength];
|
||||
char *sdata = calloc (1,
|
||||
- BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - 16));
|
||||
+ BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
|
||||
if (sdata == NULL) {
|
||||
LOG_ERR("Failled to allocate data: %s\n", strerror(errno));
|
||||
return false;
|
||||
}
|
||||
- bytes_to_str(s->SignatureData, data->VariableDataLength - 16,
|
||||
- sdata, BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - 16));
|
||||
+ bytes_to_str(s->SignatureData, data->VariableDataLength - sizeof(EFI_GUID),
|
||||
+ sdata, BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
|
||||
guid_unparse_lower(s->SignatureOwner, uuidstr);
|
||||
tpm2_tool_output(" - SignatureOwner: %s\n"
|
||||
" SignatureData: %s\n",
|
||||
--
|
||||
2.37.3
|
||||
|
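Review bot: Both new `- sizeof(EFI_GUID)` subtractions trust a length read from the event log (`slist->SignatureSize`, `data->VariableDataLength`) with no visible check that it is at least 16, so a smaller value wraps to a huge `size_t` and drives `calloc` and the `bytes_to_str` read of `s->SignatureData` far past the event buffer. Unless the caller already validates these (`yaml_uefi_var` starts outside the hunk), guard each site before the allocation: `if (slist->SignatureSize < sizeof(EFI_GUID)) { LOG_ERR("SignatureSize too small"); return false; }` and the same for `data->VariableDataLength`. Since the patch is about removing magic numbers, a local `const size_t sigdata_len = slist->SignatureSize - sizeof(EFI_GUID);` would also collapse the three repeated expressions at each site.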
@ -0,0 +1,82 @@
|
||||
From 221d8e557ab5a00246f7b09746377819cfbaec5e Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Wed, 9 Mar 2022 10:24:45 -0700
|
||||
Subject: [PATCH 05/17] tools/tpm2_tool.c: Fix an issue where LOG_WARN is
|
||||
always displayed
|
||||
|
||||
Despite setting the 'quiet' flag with -Q the warning messages were
|
||||
always displayed.
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
lib/tpm2_options.c | 12 +++++++++---
|
||||
tools/tpm2_makecredential.c | 9 ++++++---
|
||||
2 files changed, 15 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
|
||||
index 8c8af2af..1238e440 100644
|
||||
--- a/lib/tpm2_options.c
|
||||
+++ b/lib/tpm2_options.c
|
||||
@@ -456,12 +456,16 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
|
||||
|
||||
/* tool doesn't request a sapi, don't initialize one */
|
||||
if (flags->tcti_none && is_optional_sapi) {
|
||||
- LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=none");
|
||||
+ if (!flags->quiet) {
|
||||
+ LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=none");
|
||||
+ }
|
||||
goto none;
|
||||
}
|
||||
|
||||
if (flags->tcti_none && is_no_sapi) {
|
||||
- LOG_WARN("Tool does not use SAPI. Continuing with tcti=none");
|
||||
+ if (!flags->quiet) {
|
||||
+ LOG_WARN("Tool does not use SAPI. Continuing with tcti=none");
|
||||
+ }
|
||||
goto none;
|
||||
}
|
||||
|
||||
@@ -481,7 +485,9 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
|
||||
bool is_optional_fake_tcti = (flags->tcti_none && tool_opts &&
|
||||
tool_opts->flags & TPM2_OPTIONS_OPTIONAL_SAPI_AND_FAKE_TCTI);
|
||||
if (is_optional_fake_tcti) {
|
||||
- LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=fake");
|
||||
+ if (!flags->quiet) {
|
||||
+ LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=fake");
|
||||
+ }
|
||||
*tcti = (TSS2_TCTI_CONTEXT *)&fake_tcti;
|
||||
goto none;
|
||||
}
|
||||
diff --git a/tools/tpm2_makecredential.c b/tools/tpm2_makecredential.c
|
||||
index 0b0fa123..5bd5b484 100644
|
||||
--- a/tools/tpm2_makecredential.c
|
||||
+++ b/tools/tpm2_makecredential.c
|
||||
@@ -310,11 +310,14 @@ static void set_default_TCG_EK_template(TPMI_ALG_PUBLIC alg) {
|
||||
ctx.public.publicArea.nameAlg = TPM2_ALG_SHA256;
|
||||
}
|
||||
|
||||
-static tool_rc process_input(void) {
|
||||
+static tool_rc process_input(tpm2_option_flags flags) {
|
||||
|
||||
TPMI_ALG_PUBLIC alg = TPM2_ALG_NULL;
|
||||
if (ctx.key_type) {
|
||||
- LOG_WARN("Because **-G** is specified, assuming input encryption public key is in PEM format.");
|
||||
+ if (!flags.quiet) {
|
||||
+ LOG_WARN("Because **-G** is specified, assuming input encryption "
|
||||
+ "public key is in PEM format.");
|
||||
+ }
|
||||
alg = tpm2_alg_util_from_optarg(ctx.key_type,
|
||||
tpm2_alg_util_flags_asymmetric);
|
||||
if (alg == TPM2_ALG_ERROR ||
|
||||
@@ -379,7 +382,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
||||
|
||||
UNUSED(flags);
|
||||
|
||||
- tool_rc rc = process_input();
|
||||
+ tool_rc rc = process_input(flags);
|
||||
if (rc != tool_rc_success) {
|
||||
return rc;
|
||||
}
|
||||
--
|
||||
2.40.1
|
||||
|
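Review bot: `UNUSED(flags);` in `tpm2_makecredential.c`'s `tpm2_tool_onrun` (the context line just above the changed call) is now stale, since `flags` is passed to `process_input(flags)` two lines later; drop that line so the marker does not claim the opposite of what the code does. The fix wraps three `LOG_WARN` call sites in `if (!flags->quiet)`, which leaves every other `LOG_WARN` in the tree still ignoring `-Q`; setting the log level from the quiet flag once in option handling would fix the 'always displayed' problem named in the title everywhere rather than per call site. `tpm2_handle_options` and the makecredential `onrun` both extend beyond their hunks.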
38
SOURCES/0005-tpm2_checkquote-Fix-check-of-magic-number.patch
Normal file
38
SOURCES/0005-tpm2_checkquote-Fix-check-of-magic-number.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 0f122ba3f7bdee12f8ee725db41d90e737fb3e49 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Tue, 31 Oct 2023 11:29:50 +0100
|
||||
Subject: [PATCH 5/6] tpm2_checkquote: Fix check of magic number.
|
||||
|
||||
It was not checked whether the magic number in the
|
||||
attest is equal to TPM2_GENERATED_VALUE.
|
||||
So a malicious attacker could generate arbitrary quote data
|
||||
which was not detected by tpm2 checkquote.
|
||||
|
||||
Fixes: CVE-2024-29038
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
tools/misc/tpm2_checkquote.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
|
||||
index 8a2a154e..5083d855 100644
|
||||
--- a/tools/misc/tpm2_checkquote.c
|
||||
+++ b/tools/misc/tpm2_checkquote.c
|
||||
@@ -146,6 +146,13 @@ static bool verify(void) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ // check magic
|
||||
+ if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
|
||||
+ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
|
||||
+ ctx.attest.magic, TPM2_GENERATED_VALUE);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
// Also ensure digest from quote matches PCR digest
|
||||
if (ctx.flags.pcr) {
|
||||
if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
|
||||
--
|
||||
2.45.2
|
||||
|
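Review bot: The new magic check returns `false` directly while the surrounding code in `verify()` uses `goto err` (the line at the top of the hunk), so any cleanup behind the `err` label is skipped on this path; use `goto err;` for consistency unless nothing has been acquired at that point, which the hunk does not show. Because `ctx.attest.attested.quote` is already read in `init()` by the PCR-selection comparison added earlier in this series, the magic check would be better placed right after the unmarshal so no union member is interpreted before the structure is known to be TPM-generated. If `ctx.attest.type` is not validated elsewhere, add `if (ctx.attest.type != TPM2_ST_ATTEST_QUOTE) { LOG_ERR("Not a quote"); goto err; }` beside it, since the magic alone does not establish that `attested.quote` is the live union member. `verify()` starts and ends outside the hunk.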
@ -0,0 +1,209 @@
|
||||
From cef0317b83e06fdca25ef52a8bfd59b74d318e5a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||
Date: Thu, 29 Sep 2022 10:48:36 -0400
|
||||
Subject: [PATCH 5/9] tpm2_eventlog_yaml: fix malformed YAML for EV_IPL data
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The code for printing EV_IPL data was fairly crude and often
|
||||
did not generate valid YAML syntax. Some problems
|
||||
|
||||
* Data starting with a space would result in invalid
|
||||
indentation, a leading space requires a quoted string
|
||||
* Non-printable characters must generally be escaped,
|
||||
using a quoted string
|
||||
* Embedded NUL bytes were turned into newlines, which
|
||||
mangled any UTF16 encoded data.
|
||||
|
||||
This change attempts to make the YAML output much safer. It
|
||||
is not pefect as it just processes the data bytewise and
|
||||
thus could potentially emit invalid UTF-8 bytes. In practice
|
||||
this won't be a problem for known bootloader emitting EV_IPL
|
||||
events.
|
||||
|
||||
This changes the formatting slightly
|
||||
|
||||
- All strings are now surrounded with double quotes
|
||||
|
||||
- All NUL bytes, including the final trailing NUL
|
||||
are displayed in escaped format.
|
||||
|
||||
- Non-printable ASCII chars are escaped, including
|
||||
the tab character, per YAML recommendations
|
||||
|
||||
A much better long term solution would be to switch to
|
||||
using libyaml for generating the output which would give
|
||||
a strong guarantee of correct formatting.
|
||||
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
---
|
||||
lib/tpm2_eventlog_yaml.c | 141 ++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 130 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
|
||||
index fee78027..66a20701 100644
|
||||
--- a/lib/tpm2_eventlog_yaml.c
|
||||
+++ b/lib/tpm2_eventlog_yaml.c
|
||||
@@ -571,6 +571,125 @@ bool yaml_uefi_action(UINT8 const *action, size_t size) {
|
||||
|
||||
return true;
|
||||
}
|
||||
+
|
||||
+
|
||||
+/*
|
||||
+ * The yaml_ipl description is received as raw bytes, but the
|
||||
+ * data will represent a printable string. Unfortunately we
|
||||
+ * are not told its encoding, and this can vary. For example,
|
||||
+ * grub will use UTF8, while sd-boot will UTF16LE.
|
||||
+ *
|
||||
+ * We need to emit YAML with some rules:
|
||||
+ *
|
||||
+ * - No leading ' ' without quoting it
|
||||
+ * - Escape non-printable ascii chars
|
||||
+ * - Double quotes if using escape sequences
|
||||
+ * - Valid UTF8 string
|
||||
+ *
|
||||
+ * This method will ignore the question of original data
|
||||
+ * encoding and apply a few simple rules to make the data
|
||||
+ * mostly YAML compliant. Where it falls down is not
|
||||
+ * guaranteeing valid UTF8, if the input was not already
|
||||
+ * valid UTF8. In practice this limitation shouldn't be
|
||||
+ * a problem given expected measured data.
|
||||
+ *
|
||||
+ * Note: one consequence of this approach is that most
|
||||
+ * UTF16LE data will be rendered with lots of \0 bytes
|
||||
+ * escaped.
|
||||
+ *
|
||||
+ * For ease of output reading, the data is also split on newlines
|
||||
+ */
|
||||
+char **yaml_split_escape_string(UINT8 const *description, size_t size)
|
||||
+{
|
||||
+ char **lines = NULL, **tmp;
|
||||
+ size_t nlines = 0;
|
||||
+ size_t i, j, k;
|
||||
+ size_t len;
|
||||
+ UINT8 *nl;
|
||||
+
|
||||
+ i = 0;
|
||||
+ do {
|
||||
+ nl = memchr(description + i, '\n', size - i);
|
||||
+ len = nl ? (size_t)(nl - (description + i)) : size - i;
|
||||
+
|
||||
+ tmp = realloc(lines, sizeof(char *) * (nlines + 2));
|
||||
+ if (!tmp) {
|
||||
+ LOG_ERR("failed to allocate memory for description lines: %s\n",
|
||||
+ strerror(errno));
|
||||
+ goto error;
|
||||
+ }
|
||||
+ lines = tmp;
|
||||
+ lines[nlines + 1] = NULL;
|
||||
+ k = 0;
|
||||
+
|
||||
+ /* Worst case: every byte needs escaping, plus start/end quotes, plus nul */
|
||||
+ lines[nlines] = calloc(1, (len * 2) + 2 + 1);
|
||||
+ if (!lines[nlines]) {
|
||||
+ LOG_ERR("failed to allocate memory for escaped string: %s\n",
|
||||
+ strerror(errno));
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ lines[nlines][k++] = '"';
|
||||
+ for (j = i; j < (i + len); j++) {
|
||||
+ char escape = '\0';
|
||||
+
|
||||
+ switch (description[j]) {
|
||||
+ case '\0':
|
||||
+ escape = '0';
|
||||
+ break;
|
||||
+ case '\a':
|
||||
+ escape = 'a';
|
||||
+ break;
|
||||
+ case '\b':
|
||||
+ escape = 'b';
|
||||
+ break;
|
||||
+ case '\t':
|
||||
+ escape = 't';
|
||||
+ break;
|
||||
+ case '\v':
|
||||
+ escape = 'v';
|
||||
+ break;
|
||||
+ case '\f':
|
||||
+ escape = 'f';
|
||||
+ break;
|
||||
+ case '\r':
|
||||
+ escape = 'r';
|
||||
+ break;
|
||||
+ case '\e':
|
||||
+ escape = 'e';
|
||||
+ break;
|
||||
+ case '\'':
|
||||
+ escape = '\'';
|
||||
+ break;
|
||||
+ case '\\':
|
||||
+ escape = '\\';
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (escape == '\0') {
|
||||
+ lines[nlines][k++] = description[j];
|
||||
+ } else {
|
||||
+ lines[nlines][k++] = '\\';
|
||||
+ lines[nlines][k++] = escape;
|
||||
+ }
|
||||
+ }
|
||||
+ lines[nlines][k++] = '"';
|
||||
+
|
||||
+ nlines++;
|
||||
+ i += len + 1;
|
||||
+ } while (i < size);
|
||||
+
|
||||
+ return lines;
|
||||
+
|
||||
+ error:
|
||||
+ for (i = 0; lines != NULL && lines[i] != NULL; i++) {
|
||||
+ free(lines[i]);
|
||||
+ }
|
||||
+ free(lines);
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* TCG PC Client PFP section 9.4.1
|
||||
* This event type is extensively used by the Shim and Grub on a wide varities
|
||||
@@ -578,21 +697,21 @@ bool yaml_uefi_action(UINT8 const *action, size_t size) {
|
||||
* the loading of grub, kernel, and initrd images.
|
||||
*/
|
||||
bool yaml_ipl(UINT8 const *description, size_t size) {
|
||||
-
|
||||
+ char **lines = NULL;
|
||||
+ size_t i;
|
||||
tpm2_tool_output(" Event:\n"
|
||||
" String: |-\n");
|
||||
|
||||
- /* We need to handle when description contains multiple lines. */
|
||||
- size_t i, j;
|
||||
- for (i = 0; i < size; i++) {
|
||||
- for (j = i; j < size; j++) {
|
||||
- if (description[j] == '\n' || description[j] == '\0') {
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- tpm2_tool_output(" %.*s\n", (int)(j - i), description+i);
|
||||
- i = j;
|
||||
+ lines = yaml_split_escape_string(description, size);
|
||||
+ if (!lines) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; lines[i] != NULL; i++) {
|
||||
+ tpm2_tool_output(" %s\n", lines[i]);
|
||||
+ free(lines[i]);
|
||||
}
|
||||
+ free(lines);
|
||||
|
||||
return true;
|
||||
}
|
||||
--
|
||||
2.37.3
|
||||
|
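Review bot: The escape switch in `yaml_split_escape_string` leaves every C0 control byte other than the eight named ones, plus DEL, to be copied raw in the `escape == '\0'` branch, so bytes such as 0x01 or 0x1c from a measured bootloader string still land unescaped in the output even though the header comment promises 'Escape non-printable ascii chars'; YAML does not permit them in any scalar. `case '\e':` is a GCC extension rather than ISO C, and `"` is never escaped although each line is wrapped in double quotes. Note too that the lines are emitted under `String: |-` (a literal block scalar, visible in the second hunk), where a YAML parser takes backslashes and quotes literally, so the escapes serve the reader rather than the parser; that is acceptable as long as raw control bytes are removed. A `\xNN` fallback for the remaining controls needs the per-line buffer to grow to `len * 4 + 3`.
```c
        /* Worst case: every byte becomes \xNN, plus start/end quotes, plus nul */
        lines[nlines] = calloc(1, (len * 4) + 2 + 1);
        /* … unchanged: allocation check, opening quote, loop header … */
            switch (description[j]) {
            /* … unchanged: \0 \a \b \t \v \f \r ' and \\ cases … */
            case 0x1b:          /* ESC; '\e' is a GCC extension, not ISO C */
                escape = 'e';
                break;
            case '"':
                escape = '"';
                break;
            }

            if (escape != '\0') {
                lines[nlines][k++] = '\\';
                lines[nlines][k++] = escape;
            } else if (description[j] < 0x20 || description[j] == 0x7f) {
                /* remaining C0/DEL controls may not appear raw in YAML */
                snprintf(&lines[nlines][k], 5, "\\x%02x", (unsigned)description[j]);
                k += 4;
            } else {
                lines[nlines][k++] = description[j];
            }
```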
100
SOURCES/0006-import-fix-bug-on-using-scheme.patch
Normal file
100
SOURCES/0006-import-fix-bug-on-using-scheme.patch
Normal file
@ -0,0 +1,100 @@
|
||||
From acc82191f519f8bcdfcc0827faf024dcd2f56f78 Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Fri, 20 May 2022 10:49:04 -0500
|
||||
Subject: [PATCH 06/17] import: fix bug on using scheme
|
||||
|
||||
When scheme is specified in the template, the openssl load functions
|
||||
clobber the scheme value and set it to TPM2_ALG_NULL. Only set the
|
||||
algorithm to NULL if zero value is specified.
|
||||
|
||||
Fixes: #2997
|
||||
|
||||
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
---
|
||||
lib/tpm2_openssl.c | 24 ++++++++++++++++++------
|
||||
test/integration/tests/import.sh | 13 +++++++++----
|
||||
2 files changed, 27 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c
|
||||
index 01bfc9ef..ad43c8e1 100644
|
||||
--- a/lib/tpm2_openssl.c
|
||||
+++ b/lib/tpm2_openssl.c
|
||||
@@ -534,9 +534,15 @@ static bool load_public_RSA_from_key(EVP_PKEY *key, TPM2B_PUBLIC *pub) {
|
||||
pt->type = TPM2_ALG_RSA;
|
||||
|
||||
TPMS_RSA_PARMS *rdetail = &pub->publicArea.parameters.rsaDetail;
|
||||
- rdetail->scheme.scheme = TPM2_ALG_NULL;
|
||||
- rdetail->symmetric.algorithm = TPM2_ALG_NULL;
|
||||
- rdetail->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
|
||||
+ /*
|
||||
+ * If the scheme is not TPM2_ALG_ERROR (0),
|
||||
+ * its a valid scheme so don't set it to NULL scheme
|
||||
+ */
|
||||
+ if (rdetail->scheme.scheme == TPM2_ALG_ERROR) {
|
||||
+ rdetail->scheme.scheme = TPM2_ALG_NULL;
|
||||
+ rdetail->symmetric.algorithm = TPM2_ALG_NULL;
|
||||
+ rdetail->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
|
||||
+ }
|
||||
|
||||
/* NULL out sym details */
|
||||
TPMT_SYM_DEF_OBJECT *sym = &rdetail->symmetric;
|
||||
@@ -809,9 +815,15 @@ static bool load_public_ECC_from_key(EVP_PKEY *key, TPM2B_PUBLIC *pub) {
|
||||
* no kdf - not sure what this should be
|
||||
*/
|
||||
pp->kdf.scheme = TPM2_ALG_NULL;
|
||||
- pp->scheme.scheme = TPM2_ALG_NULL;
|
||||
- pp->symmetric.algorithm = TPM2_ALG_NULL;
|
||||
- pp->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
|
||||
+
|
||||
+ /*
|
||||
+ * If the scheme is not TPM2_ALG_ERROR (0),
|
||||
+ * its a valid scheme so don't set it to NULL scheme
|
||||
+ */
|
||||
+ if (pp->scheme.scheme == TPM2_ALG_ERROR) {
|
||||
+ pp->scheme.scheme = TPM2_ALG_NULL;
|
||||
+ pp->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
|
||||
+ }
|
||||
|
||||
/* NULL out sym details */
|
||||
TPMT_SYM_DEF_OBJECT *sym = &pp->symmetric;
|
||||
diff --git a/test/integration/tests/import.sh b/test/integration/tests/import.sh
|
||||
index 9f6a474e..9cb6096f 100644
|
||||
--- a/test/integration/tests/import.sh
|
||||
+++ b/test/integration/tests/import.sh
|
||||
@@ -4,8 +4,8 @@ source helpers.sh
|
||||
|
||||
cleanup() {
|
||||
rm -f import_key.ctx import_key.name import_key.priv import_key.pub \
|
||||
- parent.ctx plain.dec.ssl plain.enc plain.txt sym.key import_rsa_key.pub \
|
||||
- import_rsa_key.priv import_rsa_key.ctx import_rsa_key.name private.pem \
|
||||
+ parent.ctx plain.dec.ssl plain.enc plain.txt sym.key import_rsa_key*.pub \
|
||||
+ import_rsa_key*.priv import_rsa_key.ctx import_rsa_key.name private.pem \
|
||||
public.pem plain.rsa.enc plain.rsa.dec public.pem data.in.raw \
|
||||
data.in.digest data.out.signed ticket.out ecc.pub ecc.priv ecc.name \
|
||||
ecc.ctx private.ecc.pem public.ecc.pem passfile aes.key policy.dat \
|
||||
@@ -67,6 +67,10 @@ run_rsa_import_test() {
|
||||
tpm2 import -Q -G rsa -g "$name_alg" -i private.pem -C $1 \
|
||||
-u import_rsa_key.pub -r import_rsa_key.priv
|
||||
|
||||
+ # test in import with scheme and discard
|
||||
+ tpm2 import -G rsa:rsassa-sha256 -g "$name_alg" -i private.pem -C $1 \
|
||||
+ -u import_rsa_key2.pub -r import_rsa_key2.priv | grep -q 'rsassa'
|
||||
+
|
||||
tpm2 load -Q -C $1 -u import_rsa_key.pub -r import_rsa_key.priv \
|
||||
-n import_rsa_key.name -c import_rsa_key.ctx
|
||||
|
||||
@@ -118,8 +122,9 @@ run_ecc_import_test() {
|
||||
shasum -a 256 data.in.raw | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \
|
||||
data.in.digest
|
||||
|
||||
- tpm2 import -Q -G ecc -g "$name_alg" -i private.ecc.pem -C $1 -u ecc.pub \
|
||||
- -r ecc.priv
|
||||
+ # test import with scheme
|
||||
+ tpm2 import -G ecc:ecdsa-sha256 -g "$name_alg" -i private.ecc.pem -C $1 -u ecc.pub \
|
||||
+ -r ecc.priv | grep -q 'ecdsa'
|
||||
|
||||
tpm2 load -Q -C $1 -u ecc.pub -r ecc.priv -n ecc.name -c ecc.ctx
|
||||
|
||||
--
|
||||
2.40.1
|
||||
|
5678
SOURCES/0006-test-track-expected-YAML-output-for-eventlog.patch
Normal file
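--- a/SOURCES/0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
+++ b/SOURCES/0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
@@ -0,0 +1,28 @@
+From d7c541d839d6c470fbd273d0c482091a1fe59fe6 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Tue, 18 Jun 2024 15:42:13 +0200
+Subject: [PATCH 6/6] tpm2_setprimarypolicy: Fix resource leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
+---
+tools/tpm2_setprimarypolicy.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/tools/tpm2_setprimarypolicy.c b/tools/tpm2_setprimarypolicy.c
+index 140a8083..459d3d03 100644
+--- a/tools/tpm2_setprimarypolicy.c
++++ b/tools/tpm2_setprimarypolicy.c
+@@ -134,6 +134,7 @@ static tool_rc process_setprimarypolicy_input(ESYS_CONTEXT *ectx,
+(*auth_policy)->buffer, &((*auth_policy)->size));
+if (!result) {
+LOG_ERR("Failed loading policy digest from path");
++ free(*auth_policy);
+return tool_rc_general_error;
+}
+}
+--
+2.45.2
+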
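Review bot: The added `free(*auth_policy)` leaves the caller's `*auth_policy` pointing at freed memory; if the caller also releases the out-parameter on the error path (the allocation of `*auth_policy` and its callers are outside the hunk), the result is a double free rather than the leak this fixes. Clearing the pointer after the free removes that hazard: `free(*auth_policy); *auth_policy = NULL;`. process_setprimarypolicy_input begins and ends outside the hunk.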
@ -0,0 +1,92 @@
|
||||
From c26464eb59b71b40bea11b4829b2a848343081f2 Mon Sep 17 00:00:00 2001
|
||||
From: Thore Sommer <mail@thson.de>
|
||||
Date: Sat, 8 Oct 2022 21:29:18 +0300
|
||||
Subject: [PATCH 7/9] tpm2_eventlog_yaml: fix parsing for MokListTrusted
|
||||
|
||||
Not all data in events of the EV_EFI_VARIABLE_AUTHORITY are
|
||||
EFI_SIGNATURE_DATA. The entry for MokListTrusted is a boolean
|
||||
encoded as an integer similar to SecureBoot variable.
|
||||
|
||||
Fixes #3050
|
||||
|
||||
Signed-off-by: Thore Sommer <mail@thson.de>
|
||||
---
|
||||
lib/tpm2_eventlog_yaml.c | 60 +++++++++++++++++++++++++++-------------
|
||||
1 file changed, 41 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
|
||||
index 66a20701..0b1d0318 100644
|
||||
--- a/lib/tpm2_eventlog_yaml.c
|
||||
+++ b/lib/tpm2_eventlog_yaml.c
|
||||
@@ -418,27 +418,49 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
|
||||
}
|
||||
return true;
|
||||
}
|
||||
- /* Other variables will be printed as a hex string */
|
||||
} else if (type == EV_EFI_VARIABLE_AUTHORITY) {
|
||||
- free(ret);
|
||||
- tpm2_tool_output(" VariableData:\n");
|
||||
-
|
||||
- EFI_SIGNATURE_DATA *s= (EFI_SIGNATURE_DATA *)&data->UnicodeName[
|
||||
- data->UnicodeNameLength];
|
||||
- char *sdata = calloc (1,
|
||||
- BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
|
||||
- if (sdata == NULL) {
|
||||
- LOG_ERR("Failled to allocate data: %s\n", strerror(errno));
|
||||
- return false;
|
||||
+ /* The MokListTrusted is boolean option, not a EFI_SIGNATURE_DATA*/
|
||||
+ if ((strlen(ret) == 14 && strncmp(ret, "MokListTrusted", 14) == 0)) {
|
||||
+ free(ret);
|
||||
+ tpm2_tool_output(" VariableData:\n"
|
||||
+ " Enabled: ");
|
||||
+ if (data->VariableDataLength == 0) {
|
||||
+ tpm2_tool_output("'No'\n");
|
||||
+ } else if (data->VariableDataLength > 1) {
|
||||
+ LOG_ERR("MokListTrusted value length %" PRIu64 " is unexpectedly > 1\n",
|
||||
+ data->VariableDataLength);
|
||||
+ return false;
|
||||
+ } else {
|
||||
+ uint8_t *variable_data = (uint8_t *)&data->UnicodeName[
|
||||
+ data->UnicodeNameLength];
|
||||
+ if (*variable_data == 0) {
|
||||
+ tpm2_tool_output("'No'\n");
|
||||
+ } else {
|
||||
+ tpm2_tool_output("'Yes'\n");
|
||||
+ }
|
||||
+ }
|
||||
+ return true;
|
||||
+ } else {
|
||||
+ /* Other variables will be printed as a hex string */
|
||||
+ free(ret);
|
||||
+ tpm2_tool_output(" VariableData:\n");
|
||||
+ EFI_SIGNATURE_DATA *s= (EFI_SIGNATURE_DATA *)&data->UnicodeName[
|
||||
+ data->UnicodeNameLength];
|
||||
+ char *sdata = calloc (1,
|
||||
+ BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
|
||||
+ if (sdata == NULL) {
|
||||
+ LOG_ERR("Failled to allocate data: %s\n", strerror(errno));
|
||||
+ return false;
|
||||
+ }
|
||||
+ bytes_to_str(s->SignatureData, data->VariableDataLength - sizeof(EFI_GUID),
|
||||
+ sdata, BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
|
||||
+ guid_unparse_lower(s->SignatureOwner, uuidstr);
|
||||
+ tpm2_tool_output(" - SignatureOwner: %s\n"
|
||||
+ " SignatureData: %s\n",
|
||||
+ uuidstr, sdata);
|
||||
+ free(sdata);
|
||||
+ return true;
|
||||
}
|
||||
- bytes_to_str(s->SignatureData, data->VariableDataLength - sizeof(EFI_GUID),
|
||||
- sdata, BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
|
||||
- guid_unparse_lower(s->SignatureOwner, uuidstr);
|
||||
- tpm2_tool_output(" - SignatureOwner: %s\n"
|
||||
- " SignatureData: %s\n",
|
||||
- uuidstr, sdata);
|
||||
- free(sdata);
|
||||
- return true;
|
||||
} else if (type == EV_EFI_VARIABLE_BOOT || type == EV_EFI_VARIABLE_BOOT2) {
|
||||
if ((strlen(ret) == 9 && strncmp(ret, "BootOrder", 9) == 0)) {
|
||||
free(ret);
|
||||
--
|
||||
2.37.3
|
||||
|
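Review bot: The new MokListTrusted branch dereferences `variable_data`, computed as `&data->UnicodeName[data->UnicodeNameLength]`, without checking that this byte lies inside the `size` bytes of the event passed to yaml_uefi_var; the hunk validates only VariableDataLength (0, 1, or more), and whether an earlier check already bounds UnicodeNameLength against `size` is outside the hunk. Since the event log is firmware-supplied input, the branch should fail before the read when the name runs past the event, e.g. `if ((uint8_t *)variable_data + 1 > (uint8_t *)data + size) { LOG_ERR("MokListTrusted event truncated"); return false; }` (constructed; match the existing length checks in the function). The `strlen(ret) == 14 && strncmp(ret, "MokListTrusted", 14) == 0` test is equivalent to `strcmp(ret, "MokListTrusted") == 0`, which reads more directly. yaml_uefi_var begins and ends outside the hunk.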
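--- a/SOURCES/0007-tpm2_policyor-fix-unallocated-policy-list.patch
+++ b/SOURCES/0007-tpm2_policyor-fix-unallocated-policy-list.patch
@@ -0,0 +1,85 @@
+From d35bff8cf06cec386afd24bdbed9828caf063a2f Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 18 Jul 2022 11:31:51 -0500
+Subject: [PATCH 07/17] tpm2_policyor: fix unallocated policy list
+
+The TPML_DIGEST policy list was calloc'd for some reason, however it
+could just be statically allocated in the context. The side effect is
+that when no options or arguments were given a NPD occured when checking
+the count of the policy list. TO fix this, just statically allocate it.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+tools/tpm2_policyor.c | 15 ++++++---------
+1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/tools/tpm2_policyor.c b/tools/tpm2_policyor.c
+index e4f6541b..d27fff8b 100644
+--- a/tools/tpm2_policyor.c
++++ b/tools/tpm2_policyor.c
+@@ -14,7 +14,7 @@ struct tpm2_policyor_ctx {
+//File path for the session context data
+const char *session_path;
+//List of policy digests that will be compounded
+- TPML_DIGEST *policy_list;
++ TPML_DIGEST policy_list;
+//File path for storing the policy digest output
+const char *out_policy_dgst_path;
+
+@@ -36,8 +36,7 @@ static bool on_option(char key, char *value) {
+ctx.session_path = value;
+break;
+case 'l':
+- ctx.policy_list = calloc(1, sizeof(TPML_DIGEST));
+- result = tpm2_policy_parse_policy_list(value, ctx.policy_list);
++ result = tpm2_policy_parse_policy_list(value, &ctx.policy_list);
+if (!result) {
+return false;
+}
+@@ -54,8 +53,7 @@ static bool on_arg(int argc, char **argv) {
+return false;
+}
+
+- ctx.policy_list = calloc(1, sizeof(TPML_DIGEST));
+- bool result = tpm2_policy_parse_policy_list(argv[0], ctx.policy_list);
++ bool result = tpm2_policy_parse_policy_list(argv[0], &ctx.policy_list);
+if (!result) {
+return false;
+}
+@@ -85,7 +83,7 @@ static bool is_input_option_args_valid(void) {
+}
+
+//Minimum two policies needed to be specified for compounding
+- if (ctx.policy_list->count < 1) {
++ if (ctx.policy_list.count < 1) {
+LOG_ERR("Must specify at least 2 policy digests for compounding.");
+return false;
+}
+@@ -109,14 +107,14 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+}
+
+/* Policy digest hash alg should match that of the session */
+- if (ctx.policy_list->digests[0].size
++ if (ctx.policy_list.digests[0].size
+!= tpm2_alg_util_get_hash_size(
+tpm2_session_get_authhash(ctx.session))) {
+LOG_ERR("Policy digest hash alg should match that of the session.");
+return tool_rc_general_error;
+}
+
+- rc = tpm2_policy_build_policyor(ectx, ctx.session, ctx.policy_list);
++ rc = tpm2_policy_build_policyor(ectx, ctx.session, &ctx.policy_list);
+if (rc != tool_rc_success) {
+LOG_ERR("Could not build policyor TPM");
+return rc;
+@@ -127,7 +125,6 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+
+static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
+UNUSED(ectx);
+- free(ctx.policy_list);
+free(ctx.policy_digest);
+return tpm2_session_close(&ctx.session);
+}
+--
+2.40.1
+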
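Review bot: The rewritten guard in is_input_option_args_valid still tests `ctx.policy_list.count < 1`, while the comment directly above it and the LOG_ERR both say at least two digests are required; a single digest now passes this check and, if the TPM rejects a one-entry PolicyOR list as the specification's two-to-eight range suggests, the user gets a less helpful TPM error later instead. Since the commit already touches this line, `if (ctx.policy_list.count < 2) {` would make the check agree with its message. With the list now embedded in `ctx`, a `-l` option followed by a positional argument silently overwrites the first parse; that is pre-existing, but a short comment stating which one wins would help.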
@ -0,0 +1,35 @@
|
||||
From cfb18410e8f706646adce2bd9f6cffecbd363d2b Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Thu, 21 Jul 2022 15:19:36 -0700
|
||||
Subject: [PATCH 08/17] lib/tpm2_alg_util.c: Fix potential null pointer
|
||||
dereference
|
||||
|
||||
Must test ext_alg_str before dereferencing in
|
||||
tpm2_alg_util_handle_rsa_ext_alg
|
||||
|
||||
char *ext_alg_str = calloc(1, strlen(alg_spec) + strlen("rsa") +
|
||||
RSA_KEYBITS_STRLEN)
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
lib/tpm2_alg_util.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
|
||||
index 1e984d74..580f41cb 100644
|
||||
--- a/lib/tpm2_alg_util.c
|
||||
+++ b/lib/tpm2_alg_util.c
|
||||
@@ -601,6 +601,10 @@ tool_rc tpm2_alg_util_handle_rsa_ext_alg(const char *alg_spec,
|
||||
#define RSA_KEYBITS_STRLEN 6
|
||||
char *ext_alg_str = calloc(1, strlen(alg_spec) + strlen("rsa") +
|
||||
RSA_KEYBITS_STRLEN);
|
||||
+ if (ext_alg_str == NULL) {
|
||||
+ LOG_ERR("oom");
|
||||
+ return tool_rc_general_error;
|
||||
+ }
|
||||
|
||||
strcat(ext_alg_str, "rsa");
|
||||
switch(public->publicArea.parameters.rsaDetail.keyBits) {
|
||||
--
|
||||
2.40.1
|
||||
|
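Review bot: The new out-of-memory branch logs the bare string `"oom"`, which is much terser than the allocation-failure messages used elsewhere in this series (`LOG_ERR("Failled to allocate data: %s\n", strerror(errno))` in tpm2_eventlog_yaml.c); a message naming what could not be allocated, e.g. `LOG_ERR("Failed to allocate extended RSA algorithm string");`, keeps the log searchable. The size expression `strlen(alg_spec) + strlen("rsa") + RSA_KEYBITS_STRLEN` appears to rely on RSA_KEYBITS_STRLEN also covering the terminating NUL for the strcat calls that follow; a one-line comment on the `#define` saying so would make that explicit. tpm2_alg_util_handle_rsa_ext_alg continues outside the hunk.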
1462
SOURCES/0008-tests-add-eventlog-for-parsing-MokListTrusted.patch
Normal file
@ -0,0 +1,87 @@
|
||||
From e05d4ac57960b9aa81943254f5757405a5217616 Mon Sep 17 00:00:00 2001
|
||||
From: Thore Sommer <mail@thson.de>
|
||||
Date: Tue, 11 Oct 2022 08:44:44 +0300
|
||||
Subject: [PATCH 9/9] tpm2_eventlog_yaml: use defines for Unicode variables
|
||||
|
||||
The used variables and their length are defined as the following:
|
||||
|
||||
- Name: NAME_{VARIABLE_NAME}
|
||||
- Length: NAME_{VARIABLE_NAME}_LEN
|
||||
|
||||
Signed-off-by: Thore Sommer <mail@thson.de>
|
||||
---
|
||||
lib/tpm2_eventlog_yaml.c | 30 +++++++++++++++++++++++-------
|
||||
1 file changed, 23 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
|
||||
index 0b1d0318..59a5d8fc 100644
|
||||
--- a/lib/tpm2_eventlog_yaml.c
|
||||
+++ b/lib/tpm2_eventlog_yaml.c
|
||||
@@ -23,6 +23,22 @@
|
||||
#include <efivar/efivar.h>
|
||||
#endif
|
||||
|
||||
+/* Valid variable unicode names and their length */
|
||||
+#define NAME_DB "db"
|
||||
+#define NAME_DB_LEN 2
|
||||
+#define NAME_DBX "dbx"
|
||||
+#define NAME_DBX_LEN 3
|
||||
+#define NAME_KEK "KEK"
|
||||
+#define NAME_KEK_LEN 3
|
||||
+#define NAME_PK "PK"
|
||||
+#define NAME_PK_LEN 2
|
||||
+#define NAME_MOKLISTTRUSTED "MokListTrusted"
|
||||
+#define NAME_MOKLISTTRUSTED_LEN 14
|
||||
+#define NAME_SECUREBOOT "SecureBoot"
|
||||
+#define NAME_SECUREBOOT_LEN 10
|
||||
+#define NAME_BOOTORDER "BootOrder"
|
||||
+#define NAME_BOOTORDER_LEN 9
|
||||
+
|
||||
static void guid_unparse_lower(EFI_GUID guid, char guid_buf[37]) {
|
||||
|
||||
snprintf(guid_buf, 37, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
||||
@@ -321,10 +337,10 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
|
||||
* respectively.
|
||||
*/
|
||||
if (type == EV_EFI_VARIABLE_DRIVER_CONFIG) {
|
||||
- if ((strlen(ret) == 2 && strncmp(ret, "PK", 2) == 0) ||
|
||||
- (strlen(ret) == 3 && strncmp(ret, "KEK", 3) == 0) ||
|
||||
- (strlen(ret) == 2 && strncmp(ret, "db", 2) == 0) ||
|
||||
- (strlen(ret) == 3 && strncmp(ret, "dbx", 3) == 0)) {
|
||||
+ if ((strlen(ret) == NAME_PK_LEN && strncmp(ret, NAME_PK, NAME_PK_LEN) == 0) ||
|
||||
+ (strlen(ret) == NAME_KEK_LEN && strncmp(ret, NAME_KEK, NAME_KEK_LEN) == 0) ||
|
||||
+ (strlen(ret) == NAME_DB_LEN && strncmp(ret, NAME_DB, NAME_DB_LEN) == 0) ||
|
||||
+ (strlen(ret) == NAME_DBX_LEN && strncmp(ret, NAME_DBX, NAME_DBX_LEN) == 0)) {
|
||||
|
||||
free(ret);
|
||||
tpm2_tool_output(" VariableData:\n");
|
||||
@@ -397,7 +413,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
|
||||
variable_data += slist->SignatureListSize;
|
||||
}
|
||||
return true;
|
||||
- } else if ((strlen(ret) == 10 && strncmp(ret, "SecureBoot", 10) == 0)) {
|
||||
+ } else if ((strlen(ret) == NAME_SECUREBOOT_LEN && strncmp(ret, NAME_SECUREBOOT, NAME_SECUREBOOT_LEN) == 0)) {
|
||||
free(ret);
|
||||
tpm2_tool_output(" VariableData:\n"
|
||||
" Enabled: ");
|
||||
@@ -420,7 +436,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
|
||||
}
|
||||
} else if (type == EV_EFI_VARIABLE_AUTHORITY) {
|
||||
/* The MokListTrusted is boolean option, not a EFI_SIGNATURE_DATA*/
|
||||
- if ((strlen(ret) == 14 && strncmp(ret, "MokListTrusted", 14) == 0)) {
|
||||
+ if ((strlen(ret) == NAME_MOKLISTTRUSTED_LEN && strncmp(ret, NAME_MOKLISTTRUSTED, NAME_MOKLISTTRUSTED_LEN) == 0)) {
|
||||
free(ret);
|
||||
tpm2_tool_output(" VariableData:\n"
|
||||
" Enabled: ");
|
||||
@@ -462,7 +478,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
|
||||
return true;
|
||||
}
|
||||
} else if (type == EV_EFI_VARIABLE_BOOT || type == EV_EFI_VARIABLE_BOOT2) {
|
||||
- if ((strlen(ret) == 9 && strncmp(ret, "BootOrder", 9) == 0)) {
|
||||
+ if ((strlen(ret) == NAME_BOOTORDER_LEN && strncmp(ret, NAME_BOOTORDER, NAME_BOOTORDER_LEN) == 0)) {
|
||||
free(ret);
|
||||
tpm2_tool_output(" VariableData:\n");
|
||||
|
||||
--
|
||||
2.37.3
|
||||
|
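Review bot: Each `NAME_*_LEN` is a hand-counted literal that must be kept in step with its string (`NAME_MOKLISTTRUSTED_LEN 14`, `NAME_SECUREBOOT_LEN 10`, and so on); deriving it from the string removes that maintenance hazard, e.g. `#define NAME_SECUREBOOT_LEN (sizeof(NAME_SECUREBOOT) - 1)`. The repeated `strlen(ret) == X_LEN && strncmp(ret, X, X_LEN) == 0` form is, because of the length equality, the same test as `strcmp(ret, X) == 0`, so the length macros could be dropped altogether or the pattern folded into one helper macro used at every call site. yaml_uefi_var begins and ends outside the hunks.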
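--- a/SOURCES/0009-tss2_provision-fix-usage-of-L-parameter.patch
+++ b/SOURCES/0009-tss2_provision-fix-usage-of-L-parameter.patch
@@ -0,0 +1,30 @@
+From d783e7962e268b45c13ad800fca636bb922005fa Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 18 Oct 2022 10:32:43 +0200
+Subject: [PATCH 09/17] tss2_provision: fix usage of -L parameter.
+
+The -L short parameter was not marked as parameter with required
+arg in the short opt list.
+Fixes #3147.
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+tools/fapi/tss2_provision.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/fapi/tss2_provision.c b/tools/fapi/tss2_provision.c
+index 5be7b4dc..7edf2dd3 100644
+--- a/tools/fapi/tss2_provision.c
++++ b/tools/fapi/tss2_provision.c
+@@ -33,7 +33,7 @@ static bool tss2_tool_onstart(tpm2_options **opts) {
+{"authValueSh", required_argument, NULL, 'S'},
+{"authValueLockout", required_argument, NULL, 'L'},
+};
+- return (*opts = tpm2_options_new ("E:S:L",
++ return (*opts = tpm2_options_new ("E:S:L:",
+ARRAY_LEN(topts), topts, on_option, NULL, 0)) != NULL;
+}
+
+--
+2.40.1
+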
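--- a/SOURCES/0010-tpm2_encodeobject-fix-formatting.patch
+++ b/SOURCES/0010-tpm2_encodeobject-fix-formatting.patch
@@ -0,0 +1,26 @@
+From 0582b619c3a2c407bf5eace8d83d832688781789 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 24 Oct 2022 10:31:05 -0500
+Subject: [PATCH 10/17] tpm2_encodeobject: fix formatting
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+tools/misc/tpm2_encodeobject.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
+index 2341c3a1..ccbd0e01 100644
+--- a/tools/misc/tpm2_encodeobject.c
++++ b/tools/misc/tpm2_encodeobject.c
+@@ -87,7 +87,7 @@ static bool on_option(char key, char *value) {
+ctx.parent.ctx_path = value;
+break;
+case 'o':
+- ctx.output_path = value;
++ ctx.output_path = value;
+break;
+}
+
+--
+2.40.1
+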
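--- a/SOURCES/0011-tpm2_encodeobject-fix-auth-boolean-flag.patch
+++ b/SOURCES/0011-tpm2_encodeobject-fix-auth-boolean-flag.patch
@@ -0,0 +1,99 @@
+From 579bb674b5bdf2a0d50e8d3a3d6f5391d233bdff Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 24 Oct 2022 10:48:18 -0500
+Subject: [PATCH 11/17] tpm2_encodeobject: fix auth boolean flag
+
+The flag for wether or not a key needs a password was being set based on
+if the parent needed a password or not when it should be set based on if
+the child object needs a password or not.
+
+Correct this by adding a -p/--key-auth option to indicate the value of
+this boolean.
+
+$ tpm2 encodeobject -C 0x81000000 -u key.pub -r key.priv -o key.pem
+$ openssl asn1parse -dump -inform PEM -in key.pem
+<snip>
+14:d=2 hl=2 l= 1 prim: BOOLEAN :0
+</snip>
+
+$ tpm2 encodeobject -C 0x81000000 -u key.pub -r key.priv -o key.pem -p
+$ openssl asn1parse -dump -inform PEM -in key.pem
+<snip>
+14:d=2 hl=2 l= 1 prim: BOOLEAN :1
+</snip>
+
+A workaround would be manually modifying the ASN1 PEM file boolean flag
+OR creating the same parent key but with a password and specifying the
+password via `-P`. Note that a primary key is the same given the same
+inputs and password doesn't change the generated key.
+
+Fixes: #3152
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+man/tpm2_encodeobject.1.md | 5 +++++
+tools/misc/tpm2_encodeobject.c | 9 +++++++--
+2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/man/tpm2_encodeobject.1.md b/man/tpm2_encodeobject.1.md
+index 791eafbd..2e83fa7d 100644
+--- a/man/tpm2_encodeobject.1.md
++++ b/man/tpm2_encodeobject.1.md
+@@ -37,6 +37,11 @@ applications.
+
+A file containing the sensitive portion of the object.
+
++ * **-p**, **\--key-auth**:
++
++ Indicates if an authorization value is needed for the object specified by
++ **-r** and **-u**.
++
+* **-o**, **\--output**=_FILE_:
+
+The output file path, recording the public portion of the object.
+diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
+index ccbd0e01..80de14f5 100644
+--- a/tools/misc/tpm2_encodeobject.c
++++ b/tools/misc/tpm2_encodeobject.c
+@@ -65,6 +65,7 @@ struct tpm_encodeobject_ctx {
+const char *privpath;
+TPM2B_PRIVATE private;
+ESYS_TR handle;
++ bool needs_auth;
+} object;
+
+char *output_path;
+@@ -89,6 +90,9 @@ static bool on_option(char key, char *value) {
+case 'o':
+ctx.output_path = value;
+break;
++ case 'p':
++ ctx.object.needs_auth = true;
++ break;
+}
+
+return true;
+@@ -101,9 +105,10 @@ static bool tpm2_tool_onstart(tpm2_options **opts) {
+{ "private", required_argument, NULL, 'r' },
+{ "parent-context", required_argument, NULL, 'C' },
+{ "output", required_argument, NULL, 'o' },
++ { "key-auth", no_argument, NULL, 'p' },
+};
+
+- *opts = tpm2_options_new("P:u:r:C:o:", ARRAY_LEN(topts), topts, on_option,
++ *opts = tpm2_options_new("P:u:r:C:o:p", ARRAY_LEN(topts), topts, on_option,
+NULL, 0);
+
+return *opts != NULL;
+@@ -190,7 +195,7 @@ encode(void)
+goto error;
+}
+
+- tpk->emptyAuth = ctx.parent.auth_str == NULL ? 0xFF : 0;
++ tpk->emptyAuth = ctx.object.needs_auth;
+
+if ((ctx.parent.object.handle >> TPM2_HR_SHIFT) == TPM2_HT_PERSISTENT) {
+ASN1_INTEGER_set(tpk->parent, ctx.parent.object.handle);
+--
+2.40.1
+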
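Review bot: `tpk->emptyAuth = ctx.object.needs_auth;` stores "authorization required" into a field named emptyAuth, the opposite of what the name says; if the PEM consumers follow the usual TPM 2.0 key-file convention where emptyAuth TRUE means no auth value is needed, the line should read `tpk->emptyAuth = ctx.object.needs_auth ? 0 : 0xFF;` — confirm against the loaders before merging, because the commit message's asn1parse examples document the mapping exactly as written. Separately, the replaced line used 0xFF for TRUE: OpenSSL writes the stored ASN1_BOOLEAN byte unchanged, so a `true` (1) is emitted as 01, which strict DER decoders reject. Whichever polarity is correct, a one-line comment on the assignment stating it would stop the next reader from "fixing" it again. encode() continues outside the hunk.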
@ -0,0 +1,30 @@
|
||||
From 3848000b934b9e2546a506ab0922c028491d2284 Mon Sep 17 00:00:00 2001
|
||||
From: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
|
||||
Date: Thu, 1 Dec 2022 21:44:22 +0800
|
||||
Subject: [PATCH 12/17] bugfix: fix convert sm2 public key in openssl3.
|
||||
|
||||
Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
|
||||
---
|
||||
lib/tpm2_convert.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/tpm2_convert.c b/lib/tpm2_convert.c
|
||||
index 1bba370f..edb9bed0 100644
|
||||
--- a/lib/tpm2_convert.c
|
||||
+++ b/lib/tpm2_convert.c
|
||||
@@ -335,7 +335,11 @@ EVP_PKEY *convert_pubkey_ECC(TPMT_PUBLIC *public) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
- ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
|
||||
+ if (nid == NID_sm2) {
|
||||
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, "SM2", NULL);
|
||||
+ } else {
|
||||
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
|
||||
+ }
|
||||
if (!ctx) {
|
||||
print_ssl_error("Failed to allocate EC key context");
|
||||
goto out;
|
||||
--
|
||||
2.40.1
|
||||
|
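Review bot: The error message right after the new branch, `print_ssl_error("Failed to allocate EC key context")`, now also covers the SM2 path and will mislabel that failure; computing the algorithm name once avoids the duplicated call and lets the message name the right algorithm: `const char *alg = (nid == NID_sm2) ? "SM2" : "EC"; ctx = EVP_PKEY_CTX_new_from_name(NULL, alg, NULL);`. A short comment explaining why OpenSSL 3 needs the "SM2" name rather than "EC" for that curve would help, since the commit message only says it is a fix. convert_pubkey_ECC begins and ends outside the hunk.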
@ -0,0 +1,46 @@
|
||||
From 62f6cdaa36e1c9e8f39e1ca60d8e3049de6860bf Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Mon, 27 Feb 2023 15:32:55 -0600
|
||||
Subject: [PATCH 13/17] readpublic: fix reading and writing serialized trs
|
||||
|
||||
Fix reading and writing a serialized persistent ESYS_TR handles. This
|
||||
occurs becuase the TPM2_HANDLE is never set after loading and decisions
|
||||
are made on it.
|
||||
|
||||
Fixes:
|
||||
tpm2_readpublic -t handle2.tr -c handle.tr
|
||||
ERROR: Can only output a serialized handle for persistent object handles
|
||||
ERROR: Unable to run tpm2_readpublic
|
||||
|
||||
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
---
|
||||
lib/object.c | 13 ++++++++++++-
|
||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/object.c b/lib/object.c
|
||||
index c186a820..1279a8e5 100644
|
||||
--- a/lib/object.c
|
||||
+++ b/lib/object.c
|
||||
@@ -15,7 +15,18 @@ static tool_rc do_ctx_file(ESYS_CONTEXT *ctx, const char *objectstr, FILE *f,
|
||||
/* assign a dummy transient handle */
|
||||
outobject->handle = TPM2_TRANSIENT_FIRST;
|
||||
outobject->path = objectstr;
|
||||
- return files_load_tpm_context_from_file(ctx, &outobject->tr_handle, f);
|
||||
+ tool_rc rc = files_load_tpm_context_from_file(ctx, &outobject->tr_handle, f);
|
||||
+ if (rc != tool_rc_success) {
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ TSS2_RC rval = Esys_TR_GetTpmHandle(ctx, outobject->tr_handle, &outobject->handle);
|
||||
+ if (rval != TPM2_RC_SUCCESS) {
|
||||
+ LOG_ERR("Failed to acquire SAPI handle");
|
||||
+ return tool_rc_general_error;
|
||||
+ }
|
||||
+
|
||||
+ return tool_rc_success;
|
||||
}
|
||||
|
||||
static tool_rc tpm2_util_object_load2(ESYS_CONTEXT *ctx, const char *objectstr,
|
||||
--
|
||||
2.40.1
|
||||
|
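Review bot: The new `Esys_TR_GetTpmHandle` failure path logs a fixed string and returns tool_rc_general_error, discarding `rval`; the sibling ESAPI error path in this series (lib/tpm2.c, `LOG_PERR(Esys_Load, rval); return tool_rc_from_tpm(rval);`) keeps the TSS2_RC in the log and maps it to a tool_rc. `LOG_PERR(Esys_TR_GetTpmHandle, rval); return tool_rc_from_tpm(rval);` would follow that pattern and make the failure diagnosable. The message "Failed to acquire SAPI handle" also names the wrong layer: what is fetched here is the TPM2_HANDLE behind an ESYS_TR. do_ctx_file's signature starts outside the hunk.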
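--- a/SOURCES/0014-fix-wrong-function-name-of-Esys_Load.patch
+++ b/SOURCES/0014-fix-wrong-function-name-of-Esys_Load.patch
@@ -0,0 +1,29 @@
+From f1515918ebba36a540432425f7cd01ca3c44aaac Mon Sep 17 00:00:00 2001
+From: yuxiaojun <yuxiaojun@uniontech.com>
+Date: Wed, 1 Feb 2023 11:47:40 +0800
+Subject: [PATCH 14/17] fix:wrong function name of "Esys_Load"
+
+LOG_PERR(Eys_Load, rval);
+The first parameter in the function should be Esys_Load.
+
+Signed-off-by: yuxiaojun <yuxiaojun@uniontech.com>
+---
+lib/tpm2.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/tpm2.c b/lib/tpm2.c
+index d91072ae..27f101e9 100644
+--- a/lib/tpm2.c
++++ b/lib/tpm2.c
+@@ -1921,7 +1921,7 @@ tpm2_load_free_name1:
+parent_object_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, in_private,
+in_public, object_handle);
+if (rval != TPM2_RC_SUCCESS) {
+- LOG_PERR(Eys_Load, rval);
++ LOG_PERR(Esys_Load, rval);
+return tool_rc_from_tpm(rval);
+}
+
+--
+2.40.1
+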
224
SOURCES/0015-tpm-errata-switch-to-twos-complement.patch
Normal file
@ -0,0 +1,224 @@
|
||||
From 510d570d9c4f34d4768af3453dcfcc4f74006e32 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Fri, 7 Apr 2023 14:02:33 +0200
|
||||
Subject: [PATCH 15/17] tpm errata: switch to twos-complement.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Errata TCG Trusted Platform Module Library Revision 1.59 Version 1.4,
|
||||
Section 2.5 TPM_EO – two’s complement states:
|
||||
"The signed arithmetic operations are performed using twos-complement."
|
||||
The tests policynv and policycountertimer were adapted to work with the
|
||||
complement representation of signed numbers. If the tests return the error 0x126
|
||||
the test will be skipped.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
.../tests/abrmd_policycountertimer.sh | 35 +++++++--
|
||||
test/integration/tests/abrmd_policynv.sh | 75 +++++++++++++------
|
||||
2 files changed, 78 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/test/integration/tests/abrmd_policycountertimer.sh b/test/integration/tests/abrmd_policycountertimer.sh
|
||||
index 58fcf1b9..80afc541 100644
|
||||
--- a/test/integration/tests/abrmd_policycountertimer.sh
|
||||
+++ b/test/integration/tests/abrmd_policycountertimer.sh
|
||||
@@ -11,6 +11,27 @@ cleanup() {
|
||||
fi
|
||||
}
|
||||
|
||||
+call_policy_countertimer () {
|
||||
+ trap - ERR
|
||||
+ output=$(tpm2 policycountertimer $@ 2>&1)
|
||||
+ result=$?
|
||||
+
|
||||
+ if [ $result != 0 ] && echo $output | grep "ErrorCode.*0126" > /dev/null
|
||||
+ then
|
||||
+ echo "This test failed due to a TPM bug regarding signed comparison as described"
|
||||
+ echo "in TCG's Errata for TCG Trusted Platform Module Library Revision 1.59 Version 1.4,"
|
||||
+ echo "Section 2.5 TPM_EO – two’s complement"
|
||||
+ tpm2 flushcontext session.ctx
|
||||
+ skip_test
|
||||
+ else
|
||||
+ if [ $result != 0 ]; then
|
||||
+ tpm2 flushcontext session.ctx
|
||||
+ exit 1
|
||||
+ fi
|
||||
+ fi
|
||||
+ trap onerror ERR
|
||||
+}
|
||||
+
|
||||
trap cleanup EXIT
|
||||
|
||||
start_up
|
||||
@@ -25,8 +46,7 @@ tpm2 clear
|
||||
#
|
||||
tpm2 startauthsession -S session.ctx
|
||||
|
||||
-tpm2 policycountertimer -S session.ctx -L policy.countertimer.minute --ult \
|
||||
-60000
|
||||
+call_policy_countertimer -S session.ctx -L policy.countertimer.minute --ult 60000
|
||||
|
||||
tpm2 flushcontext session.ctx
|
||||
|
||||
@@ -42,8 +62,7 @@ tpm2 create -Q -u key.pub -r key.priv -i- -C prim.ctx \
|
||||
#
|
||||
tpm2 startauthsession -S session.ctx --policy-session
|
||||
|
||||
-tpm2 policycountertimer -S session.ctx -L policy.countertimer.minute --ult \
|
||||
-60000
|
||||
+call_policy_countertimer -S session.ctx -L policy.countertimer.minute --ult 60000
|
||||
|
||||
tpm2 unseal -c key.ctx -p session:session.ctx
|
||||
|
||||
@@ -54,7 +73,7 @@ tpm2 flushcontext session.ctx
|
||||
#
|
||||
tpm2 clear
|
||||
tpm2 startauthsession -S session.ctx --policy-session
|
||||
-tpm2 policycountertimer -S session.ctx --ult clock=60000
|
||||
+call_policy_countertimer -S session.ctx --ult clock=60000
|
||||
tpm2 flushcontext session.ctx
|
||||
|
||||
#
|
||||
@@ -63,7 +82,7 @@ tpm2 flushcontext session.ctx
|
||||
#
|
||||
tpm2 clear
|
||||
tpm2 startauthsession -S session.ctx --policy-session
|
||||
-tpm2 policycountertimer -S session.ctx safe
|
||||
+call_policy_countertimer -S session.ctx safe
|
||||
tpm2 flushcontext session.ctx
|
||||
|
||||
#
|
||||
@@ -72,7 +91,7 @@ tpm2 flushcontext session.ctx
|
||||
#
|
||||
tpm2 clear
|
||||
tpm2 startauthsession -S session.ctx --policy-session
|
||||
-tpm2 policycountertimer -S session.ctx resets=0
|
||||
+call_policy_countertimer -S session.ctx resets=0
|
||||
tpm2 flushcontext session.ctx
|
||||
|
||||
#
|
||||
@@ -81,7 +100,7 @@ tpm2 flushcontext session.ctx
|
||||
#
|
||||
tpm2 clear
|
||||
tpm2 startauthsession -S session.ctx --policy-session
|
||||
-tpm2 policycountertimer -S session.ctx restarts=0
|
||||
+call_policy_countertimer -S session.ctx restarts=0
|
||||
tpm2 flushcontext session.ctx
|
||||
|
||||
exit 0
|
||||
diff --git a/test/integration/tests/abrmd_policynv.sh b/test/integration/tests/abrmd_policynv.sh
|
||||
index b75cabb8..220edec0 100644
|
||||
--- a/test/integration/tests/abrmd_policynv.sh
|
||||
+++ b/test/integration/tests/abrmd_policynv.sh
|
||||
@@ -36,10 +36,34 @@ evaluate_failing_test_case() {
|
||||
}
|
||||
|
||||
evaluate_passing_test_case() {
|
||||
- tpm2 startauthsession -S session.ctx --policy-session
|
||||
- echo $operandB | xxd -r -p | \
|
||||
- tpm2 policynv -S session.ctx -i- -P nvpass $nv_test_index $1
|
||||
- tpm2 flushcontext session.ctx
|
||||
+ tpm2 startauthsession -S session.ctx --policy-session
|
||||
+ if [[ ${1:0:1} == "s" ]]; then
|
||||
+ echo "Test sign: $1 $operandA $operandB"
|
||||
+ # check whether sign compare fails with 0x126
|
||||
+ trap - ERR
|
||||
+ output=$(echo $operandB | xxd -r -p | \
|
||||
+ tpm2 policynv -S session.ctx -i- -P nvpass $nv_test_index $1 2>&1)
|
||||
+ result=$?
|
||||
+ if [ $result != 0 ] && echo $output | grep "ErrorCode.*0126" > /dev/null
|
||||
+ then
|
||||
+ echo "This test failed due to a TPM bug regarding signed comparison as described"
|
||||
+ echo "in TCG's Errata for TCG Trusted Platform Module Library Revision 1.59 Version 1.4,"
|
||||
+ echo "Section 2.5 TPM_EO – two’s complement"
|
||||
+ tpm2 flushcontext session.ctx
|
||||
+ skip_test
|
||||
+ else
|
||||
+ if [ $result != 0 ]; then
|
||||
+ tpm2 flushcontext session.ctx
|
||||
+ exit 1
|
||||
+ fi
|
||||
+ fi
|
||||
+ tpm2 flushcontext session.ctx
|
||||
+ trap onerror ERR
|
||||
+ else
|
||||
+ echo $operandB | xxd -r -p | \
|
||||
+ tpm2 policynv -S session.ctx -i- -P nvpass $nv_test_index $1
|
||||
+ tpm2 flushcontext session.ctx
|
||||
+ fi
|
||||
}
|
||||
|
||||
trap cleanup EXIT
|
||||
@@ -70,40 +94,20 @@ evaluate_passing_test_case eq
|
||||
operandB=0x80
|
||||
evaluate_passing_test_case neq
|
||||
|
||||
-# Perform comparison operation "sgt"
|
||||
-operandB=0x82
|
||||
-evaluate_passing_test_case sgt
|
||||
-
|
||||
# Perform comparison operation "ugt"
|
||||
operandB=0x80
|
||||
evaluate_passing_test_case ugt
|
||||
|
||||
-# Perform comparison operation "slt"
|
||||
-operandB=0x80
|
||||
-evaluate_passing_test_case slt
|
||||
-
|
||||
# Perform comparison operation "ult"
|
||||
operandB=0x82
|
||||
evaluate_passing_test_case ult
|
||||
|
||||
-# Perform comparison operation "sge"
|
||||
-operandB=0x82
|
||||
-evaluate_passing_test_case sge
|
||||
-operandB=0x81
|
||||
-evaluate_passing_test_case sge
|
||||
-
|
||||
# Perform comparison operation "uge"
|
||||
operandB=0x80
|
||||
evaluate_passing_test_case uge
|
||||
operandB=0x81
|
||||
evaluate_passing_test_case uge
|
||||
|
||||
-# Perform comparison operation "sle"
|
||||
-operandB=0x80
|
||||
-evaluate_passing_test_case sle
|
||||
-operandB=0x81
|
||||
-evaluate_passing_test_case sle
|
||||
-
|
||||
# Perform comparison operation "ule"
|
||||
operandB=0x82
|
||||
evaluate_passing_test_case ule
|
||||
@@ -118,4 +122,27 @@ evaluate_passing_test_case bs
|
||||
operandB=0x7E
|
||||
evaluate_passing_test_case bc
|
||||
|
||||
+operandA=0xfe # -1
|
||||
+echo $operandA | xxd -r -p | tpm2 nvwrite -P nvpass -i- $nv_test_index
|
||||
+
|
||||
+# Perform comparison operation "sgt"
|
||||
+operandB=0xfd # -2
|
||||
+evaluate_passing_test_case sgt
|
||||
+
|
||||
+# Perform comparison operation "slt"
|
||||
+operandB=0xff # 0
|
||||
+evaluate_passing_test_case slt
|
||||
+
|
||||
+# Perform comparison operation "sle"
|
||||
+operandB=0xff #0
|
||||
+evaluate_passing_test_case sle
|
||||
+operandB=0xfe # -1
|
||||
+evaluate_passing_test_case sle
|
||||
+
|
||||
+# Perform comparison operation "sge"
|
||||
+operandB=0xfd # -2
|
||||
+evaluate_passing_test_case sge
|
||||
+operandB=0xfe # -1
|
||||
+evaluate_passing_test_case sge
|
||||
+
|
||||
exit 0
|
||||
--
|
||||
2.40.1
|
||||
|
@ -0,0 +1,159 @@
|
||||
From 2f6a737efddce480803c02a5e3b65ce739c6acf2 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Tue, 28 Mar 2023 17:29:36 +0200
|
||||
Subject: [PATCH 16/17] tpm2_eventlog.c Fix pcr extension for EV_NO_ACTION
|
||||
|
||||
EV_NO_ACTION events should not be extended to PCR registers.
|
||||
Fixes: #3224
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
lib/tpm2_eventlog.c | 14 +++++++++-----
|
||||
lib/tpm2_eventlog.h | 2 +-
|
||||
test/unit/test_tpm2_eventlog.c | 15 ++++++++-------
|
||||
3 files changed, 18 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c
|
||||
index 1b59eeeb..e2e27f02 100644
|
||||
--- a/lib/tpm2_eventlog.c
|
||||
+++ b/lib/tpm2_eventlog.c
|
||||
@@ -30,7 +30,8 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,
|
||||
* hold the digest. The size of the digest is passed to the callback in the
|
||||
* 'size' parameter.
|
||||
*/
|
||||
-bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2 const *digest, size_t count, size_t size) {
|
||||
+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,
|
||||
+ TCG_DIGEST2 const *digest, size_t count, size_t size) {
|
||||
|
||||
if (digest == NULL) {
|
||||
LOG_ERR("digest cannot be NULL");
|
||||
@@ -80,7 +81,8 @@ bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2
|
||||
LOG_WARN("PCR%d algorithm %d unsupported", pcr_index, alg);
|
||||
}
|
||||
|
||||
- if (pcr && !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {
|
||||
+ if (eventType != EV_NO_ACTION && pcr &&
|
||||
+ !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {
|
||||
LOG_ERR("PCR%d extend failed", pcr_index);
|
||||
return false;
|
||||
}
|
||||
@@ -179,7 +181,8 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,
|
||||
.data = digests_size,
|
||||
.digest2_cb = digest2_accumulator_callback,
|
||||
};
|
||||
- ret = foreach_digest2(&ctx, eventhdr->PCRIndex,
|
||||
+ ret = foreach_digest2(&ctx, eventhdr->EventType,
|
||||
+ eventhdr->PCRIndex,
|
||||
eventhdr->Digests, eventhdr->DigestCount,
|
||||
buf_size - sizeof(*eventhdr));
|
||||
if (ret != true) {
|
||||
@@ -216,7 +219,7 @@ bool parse_sha1_log_event(tpm2_eventlog_context *ctx, TCG_EVENT const *event, si
|
||||
*event_size = sizeof(*event);
|
||||
|
||||
pcr = ctx->sha1_pcrs[ event->pcrIndex];
|
||||
- if (pcr) {
|
||||
+ if (event->eventType != EV_NO_ACTION && pcr) {
|
||||
tpm2_openssl_pcr_extend(TPM2_ALG_SHA1, pcr, &event->digest[0], 20);
|
||||
ctx->sha1_used |= (1 << event->pcrIndex);
|
||||
}
|
||||
@@ -451,7 +454,8 @@ bool foreach_event2(tpm2_eventlog_context *ctx, TCG_EVENT_HEADER2 const *eventhd
|
||||
}
|
||||
|
||||
/* digest callback foreach digest */
|
||||
- ret = foreach_digest2(ctx, eventhdr->PCRIndex, eventhdr->Digests, eventhdr->DigestCount, digests_size);
|
||||
+ ret = foreach_digest2(ctx, eventhdr->EventType, eventhdr->PCRIndex,
|
||||
+ eventhdr->Digests, eventhdr->DigestCount, digests_size);
|
||||
if (ret != true) {
|
||||
return false;
|
||||
}
|
||||
diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h
|
||||
index 2a91ed60..f141e806 100644
|
||||
--- a/lib/tpm2_eventlog.h
|
||||
+++ b/lib/tpm2_eventlog.h
|
||||
@@ -44,7 +44,7 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,
|
||||
void *data);
|
||||
|
||||
bool parse_event2body(TCG_EVENT2 const *event, UINT32 type);
|
||||
-bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index,
|
||||
+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,
|
||||
TCG_DIGEST2 const *event_hdr, size_t count, size_t size);
|
||||
bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,
|
||||
size_t *event_size, size_t *digests_size);
|
||||
diff --git a/test/unit/test_tpm2_eventlog.c b/test/unit/test_tpm2_eventlog.c
|
||||
index ebf50e80..e48404d8 100644
|
||||
--- a/test/unit/test_tpm2_eventlog.c
|
||||
+++ b/test/unit/test_tpm2_eventlog.c
|
||||
@@ -27,7 +27,7 @@ static void test_foreach_digest2_null(void **state){
|
||||
(void)state;
|
||||
tpm2_eventlog_context ctx = {0};
|
||||
|
||||
- assert_false(foreach_digest2(&ctx, 0, NULL, 0, sizeof(TCG_DIGEST2)));
|
||||
+ assert_false(foreach_digest2(&ctx, 0, 0, NULL, 0, sizeof(TCG_DIGEST2)));
|
||||
}
|
||||
static void test_foreach_digest2_size(void **state) {
|
||||
|
||||
@@ -36,7 +36,7 @@ static void test_foreach_digest2_size(void **state) {
|
||||
TCG_DIGEST2 *digest = (TCG_DIGEST2*)buf;
|
||||
tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
|
||||
|
||||
- assert_false(foreach_digest2(&ctx, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));
|
||||
+ assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));
|
||||
}
|
||||
static void test_foreach_digest2(void **state) {
|
||||
|
||||
@@ -47,7 +47,7 @@ static void test_foreach_digest2(void **state) {
|
||||
will_return(foreach_digest2_test_callback, true);
|
||||
|
||||
tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
|
||||
- assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||
+ assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||
}
|
||||
static void test_foreach_digest2_cbnull(void **state){
|
||||
|
||||
@@ -56,7 +56,7 @@ static void test_foreach_digest2_cbnull(void **state){
|
||||
TCG_DIGEST2* digest = (TCG_DIGEST2*)buf;
|
||||
|
||||
tpm2_eventlog_context ctx = {0};
|
||||
- assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||
+ assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||
}
|
||||
static void test_sha1(void **state){
|
||||
|
||||
@@ -73,7 +73,7 @@ static void test_sha1(void **state){
|
||||
memcpy(digest->Digest, "the magic words are:", TPM2_SHA1_DIGEST_SIZE);
|
||||
|
||||
tpm2_eventlog_context ctx = {0};
|
||||
- assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||
+ assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||
assert_memory_equal(ctx.sha1_pcrs[pcr_index], sha1sum, sizeof(sha1sum));
|
||||
}
|
||||
static void test_sha256(void **state){
|
||||
@@ -93,7 +93,7 @@ static void test_sha256(void **state){
|
||||
memcpy(digest->Digest, "The Magic Words are Squeamish Ossifrage, for RSA-129 (from 1977)", TPM2_SHA256_DIGEST_SIZE);
|
||||
|
||||
tpm2_eventlog_context ctx = {0};
|
||||
- assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));
|
||||
+ assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));
|
||||
assert_memory_equal(ctx.sha256_pcrs[pcr_index], sha256sum, sizeof(sha256sum));
|
||||
}
|
||||
static void test_foreach_digest2_cbfail(void **state){
|
||||
@@ -105,7 +105,7 @@ static void test_foreach_digest2_cbfail(void **state){
|
||||
will_return(foreach_digest2_test_callback, false);
|
||||
|
||||
tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
|
||||
- assert_false(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||
+ assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||
}
|
||||
static void test_digest2_accumulator_callback(void **state) {
|
||||
|
||||
@@ -292,6 +292,7 @@ static void test_foreach_event2_parse_event2body_fail(void **state){
|
||||
|
||||
eventhdr->DigestCount = 1;
|
||||
eventhdr->EventType = EV_EFI_VARIABLE_BOOT;
|
||||
+ eventhdr->PCRIndex = 0;
|
||||
digest->AlgorithmId = TPM2_ALG_SHA1;
|
||||
event->EventSize = 1;
|
||||
|
||||
--
|
||||
2.40.1
|
||||
|
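Review bot: Skipping the extend for EV_NO_ACTION is only part of what a faithful replay needs for PCR 0: the StartupLocality EV_NO_ACTION event defined by the TCG PC Client Platform Firmware Profile indicates that PCR 0 started from the locality value rather than all zeros, and nothing in this hunk adjusts the initial `ctx->sha1_pcrs[0]` / `ctx->sha256_pcrs[0]`, so the computed PCR 0 can still disagree with the TPM on platforms that log that event (whether a caller handles it elsewhere is not visible here). A comment at the new `eventType != EV_NO_ACTION` check would make the limitation explicit: `/* EV_NO_ACTION entries are informational and never extended (TCG PFP); StartupLocality still changes PCR 0's initial value */`. Separately, `event->pcrIndex` is untrusted log data and indexes the array at `pcr = ctx->sha1_pcrs[ event->pcrIndex];`; if parse_sha1_log_event does not range-check it above the hunk (its start is outside the hunk), a crafted log reads past `sha1_pcrs`. The added `eventhdr->PCRIndex = 0;` in the unit test suggests that index was previously uninitialized in the test fixture, which argues for enforcing the bound in the library rather than only in the test.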
@ -0,0 +1,52 @@
|
||||
From 72b6a5497df8757987dfedd6263346154adb921e Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Mon, 6 Mar 2023 12:16:05 +0100
|
||||
Subject: [PATCH 17/17] kdfa.c Fix problem with FORTIFY_SOURCE on Fedora
|
||||
|
||||
The original kdfa implementation did produce an error caused by the flags
|
||||
-flto -_FORTIFY_SOURCE=3 on Fedora rawhide.
|
||||
This error can be avoided by switching off the optimization with pragma.
|
||||
Fixes: #3210.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
lib/tpm2_kdfa.c | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/lib/tpm2_kdfa.c b/lib/tpm2_kdfa.c
|
||||
index 5eb8d558..e97c06f6 100644
|
||||
--- a/lib/tpm2_kdfa.c
|
||||
+++ b/lib/tpm2_kdfa.c
|
||||
@@ -13,6 +13,15 @@
|
||||
#include "tpm2_kdfa.h"
|
||||
#include "tpm2_openssl.h"
|
||||
|
||||
+/*
|
||||
+ * Disable optimization because of an error in FORTIFY_SOURCE
|
||||
+ */
|
||||
+
|
||||
+#ifdef _FORTIFY_SOURCE
|
||||
+#pragma GCC push_options
|
||||
+#pragma GCC optimize ("O0")
|
||||
+#endif
|
||||
+
|
||||
TSS2_RC tpm2_kdfa(TPMI_ALG_HASH hash_alg, TPM2B *key, char *label,
|
||||
TPM2B *context_u, TPM2B *context_v, UINT16 bits,
|
||||
TPM2B_MAX_BUFFER *result_key) {
|
||||
@@ -139,3 +148,13 @@ err:
|
||||
|
||||
return rval;
|
||||
}
|
||||
+#ifdef _FORTIFY_SOURCE
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
+#ifdef _FORTIFY_SOURCE
|
||||
+#pragma GCC pop_options
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
+
|
||||
--
|
||||
2.40.1
|
||||
|
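Review bot: Compiling tpm2_kdfa() at `-O0` to silence a `_FORTIFY_SOURCE=3` diagnostic hides the finding instead of resolving it: a fortify error means the compiler could prove a write past a fixed-size object (presumably `result_key` or an HMAC input buffer — the function body is outside the hunk), and since this function derives session keys the overrun would remain in the shipped binary while glibc's fortified checks, which require optimization, are disabled for exactly this code. The change should identify the offending copy and bound it, or, if it is a false positive, cite the compiler/glibc bug in the comment so the pragma can be removed later; note also that `#pragma GCC optimize` is ignored with a warning by clang, so the workaround is GCC-only. The second `#ifdef _FORTIFY_SOURCE` / `#endif` pair after the closing brace is empty and should be dropped. I would reword the header comment to `/* TODO(#3210): -O0 works around a _FORTIFY_SOURCE=3 error; root cause not yet identified, do not rely on this */`.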
32
SOURCES/0019-build-Use-hardcoded-version-variable.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 395651f059ceb21d56c44cddda05e055caa0fd19 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
|
||||
<shoracek@redhat.com>
|
||||
Date: Mon, 18 Oct 2021 19:04:54 +0200
|
||||
Subject: [PATCH] build: Use hardcoded version variable
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Before this commit the version was generated from git tag/commit hash.
|
||||
This caused problems with having empty version variable while building
|
||||
outside of git. Fix this by hardcoding the variable.
|
||||
|
||||
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
|
||||
---
|
||||
configure.ac | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 9561fa86..2bf3a790 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1,5 +1,4 @@
|
||||
-AC_INIT([tpm2-tools],
|
||||
- [m4_esyscmd_s([git describe --tags --always --dirty])])
|
||||
+AC_INIT([tpm2-tools], [5.2])
|
||||
AC_CONFIG_MACRO_DIR([m4])
|
||||
|
||||
AX_IS_RELEASE([dash-version])
|
||||
--
|
||||
2.31.1
|
||||
|
434
SOURCES/add_pregenerated_doc.patch
Normal file
@ -0,0 +1,434 @@
|
||||
diff --git a/man/man1/tpm2_encodeobject.1 b/man/man1/tpm2_encodeobject.1
|
||||
new file mode 100644
|
||||
index 00000000..9b616bb0
|
||||
--- /dev/null
|
||||
+++ b/man/man1/tpm2_encodeobject.1
|
||||
@@ -0,0 +1,428 @@
|
||||
+.\" Automatically generated by Pandoc 2.5
|
||||
+.\"
|
||||
+.TH "tpm2_encodeobject" "1" "" "tpm2\-tools" "General Commands Manual"
|
||||
+.hy
|
||||
+.SH NAME
|
||||
+.PP
|
||||
+\f[B]tpm2_encodeobject\f[R](1) \- Encode an object into a combined PEM
|
||||
+format.
|
||||
+.SH SYNOPSIS
|
||||
+.PP
|
||||
+\f[B]tpm2_encodeobject\f[R] [\f[I]OPTIONS\f[R]]
|
||||
+.SH DESCRIPTION
|
||||
+.PP
|
||||
+\f[B]tpm2_encodeobject\f[R](1) \- Encode both the private and public
|
||||
+portions of an object into a combined PEM format used by
|
||||
+tpm2\-tss\-engine.
|
||||
+.PP
|
||||
+The tool reads private and public portions of an object and encodes it
|
||||
+into a combined PEM format used by tpm2\-tss\-engine and other
|
||||
+applications.
|
||||
+.PP
|
||||
+\f[B]NOTE\f[R]: Both private and public portions of the tpm key must be
|
||||
+specified.
|
||||
+.SH OPTIONS
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-C\f[R], \f[B]\-\-parent\-context\f[R]=\f[I]OBJECT\f[R]:
|
||||
+.RS 2
|
||||
+.PP
|
||||
+The parent object.
|
||||
+.RE
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-P\f[R], \f[B]\-\-auth\f[R]=\f[I]AUTH\f[R]:
|
||||
+.RS 2
|
||||
+.PP
|
||||
+The authorization value of the parent object specified by \f[B]\-C\f[R].
|
||||
+.RE
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-u\f[R], \f[B]\-\-public\f[R]=\f[I]FILE\f[R]:
|
||||
+.RS 2
|
||||
+.PP
|
||||
+A file containing the public portion of the object.
|
||||
+.RE
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-r\f[R], \f[B]\-\-private\f[R]=\f[I]FILE\f[R]:
|
||||
+.RS 2
|
||||
+.PP
|
||||
+A file containing the sensitive portion of the object.
|
||||
+.RE
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-p\f[R], \f[B]\-\-key\-auth\f[R]:
|
||||
+.RS 2
|
||||
+.PP
|
||||
+Indicates if an authorization value is needed for the object specified
|
||||
+by \f[B]\-r\f[R] and \f[B]\-u\f[R].
|
||||
+.RE
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-o\f[R], \f[B]\-\-output\f[R]=\f[I]FILE\f[R]:
|
||||
+.RS 2
|
||||
+.PP
|
||||
+The output file path, recording the public portion of the object.
|
||||
+.RE
|
||||
+.SS References
|
||||
+.SH Context Object Format
|
||||
+.PP
|
||||
+The type of a context object, whether it is a handle or file name, is
|
||||
+determined according to the following logic \f[I]in\-order\f[R]:
|
||||
+.IP \[bu] 2
|
||||
+If the argument is a file path, then the file is loaded as a restored
|
||||
+TPM transient object.
|
||||
+.IP \[bu] 2
|
||||
+If the argument is a \f[I]prefix\f[R] match on one of:
|
||||
+.RS 2
|
||||
+.IP \[bu] 2
|
||||
+owner: the owner hierarchy
|
||||
+.IP \[bu] 2
|
||||
+platform: the platform hierarchy
|
||||
+.IP \[bu] 2
|
||||
+endorsement: the endorsement hierarchy
|
||||
+.IP \[bu] 2
|
||||
+lockout: the lockout control persistent object
|
||||
+.RE
|
||||
+.IP \[bu] 2
|
||||
+If the argument argument can be loaded as a number it will be treat as a
|
||||
+handle, e.g.\ 0x81010013 and used directly._OBJECT_.
|
||||
+.SH Authorization Formatting
|
||||
+.PP
|
||||
+Authorization for use of an object in TPM2.0 can come in 3 different
|
||||
+forms: 1.
|
||||
+Password 2.
|
||||
+HMAC 3.
|
||||
+Sessions
|
||||
+.PP
|
||||
+\f[B]NOTE:\f[R] \[lq]Authorizations default to the \f[B]EMPTY
|
||||
+PASSWORD\f[R] when not specified\[rq].
|
||||
+.SS Passwords
|
||||
+.PP
|
||||
+Passwords are interpreted in the following forms below using prefix
|
||||
+identifiers.
|
||||
+.PP
|
||||
+\f[B]Note\f[R]: By default passwords are assumed to be in the string
|
||||
+form when they do not have a prefix.
|
||||
+.SS String
|
||||
+.PP
|
||||
+A string password, specified by prefix \[lq]str:\[rq] or it\[cq]s
|
||||
+absence (raw string without prefix) is not interpreted, and is directly
|
||||
+used for authorization.
|
||||
+.SS Examples
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+foobar
|
||||
+str:foobar
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.SS Hex\-string
|
||||
+.PP
|
||||
+A hex\-string password, specified by prefix \[lq]hex:\[rq] is converted
|
||||
+from a hexidecimal form into a byte array form, thus allowing passwords
|
||||
+with non\-printable and/or terminal un\-friendly characters.
|
||||
+.SS Example
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+hex:1122334455667788
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.SS File
|
||||
+.PP
|
||||
+A file based password, specified be prefix \[lq]file:\[rq] should be the
|
||||
+path of a file containing the password to be read by the tool or a
|
||||
+\[lq]\-\[rq] to use stdin.
|
||||
+Storing passwords in files prevents information leakage, passwords
|
||||
+passed as options can be read from the process list or common shell
|
||||
+history features.
|
||||
+.SS Examples
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+# to use stdin and be prompted
|
||||
+file:\-
|
||||
+
|
||||
+# to use a file from a path
|
||||
+file:path/to/password/file
|
||||
+
|
||||
+# to echo a password via stdin:
|
||||
+echo foobar | tpm2_tool \-p file:\-
|
||||
+
|
||||
+# to use a bash here\-string via stdin:
|
||||
+
|
||||
+tpm2_tool \-p file:\- <<< foobar
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.SS Sessions
|
||||
+.PP
|
||||
+When using a policy session to authorize the use of an object, prefix
|
||||
+the option argument with the \f[I]session\f[R] keyword.
|
||||
+Then indicate a path to a session file that was created with
|
||||
+tpm2_startauthsession(1).
|
||||
+Optionally, if the session requires an auth value to be sent with the
|
||||
+session handle (eg policy password), then append a + and a string as
|
||||
+described in the \f[B]Passwords\f[R] section.
|
||||
+.SS Examples
|
||||
+.PP
|
||||
+To use a session context file called \f[I]session.ctx\f[R].
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+session:session.ctx
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.PP
|
||||
+To use a session context file called \f[I]session.ctx\f[R] \f[B]AND\f[R]
|
||||
+send the authvalue mypassword.
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+session:session.ctx+mypassword
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.PP
|
||||
+To use a session context file called \f[I]session.ctx\f[R] \f[B]AND\f[R]
|
||||
+send the \f[I]HEX\f[R] authvalue 0x11223344.
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+session:session.ctx+hex:11223344
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.SS PCR Authorizations
|
||||
+.PP
|
||||
+You can satisfy a PCR policy using the \[lq]pcr:\[rq] prefix and the PCR
|
||||
+minilanguage.
|
||||
+The PCR minilanguage is as follows:
|
||||
+\f[C]<pcr\-spec>=<raw\-pcr\-file>\f[R]
|
||||
+.PP
|
||||
+The PCR spec is documented in in the section \[lq]PCR bank
|
||||
+specifiers\[rq].
|
||||
+.PP
|
||||
+The \f[C]raw\-pcr\-file\f[R] is an \f[B]optional\f[R] argument that
|
||||
+contains the output of the raw PCR contents as returned by
|
||||
+\f[I]tpm2_pcrread(1)\f[R].
|
||||
+.PP
|
||||
+PCR bank specifiers (pcr.md)
|
||||
+.SS Examples
|
||||
+.PP
|
||||
+To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifier
|
||||
+of:
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+pcr:sha256:0,1,2,3
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.PP
|
||||
+specifying \f[I]AUTH\f[R].
|
||||
+.SH COMMON OPTIONS
|
||||
+.PP
|
||||
+This collection of options are common to many programs and provide
|
||||
+information that many users may expect.
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-h\f[R], \f[B]\-\-help=[man|no\-man]\f[R]: Display the tools
|
||||
+manpage.
|
||||
+By default, it attempts to invoke the manpager for the tool, however, on
|
||||
+failure will output a short tool summary.
|
||||
+This is the same behavior if the \[lq]man\[rq] option argument is
|
||||
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
|
||||
+provide errors from man on stderr.
|
||||
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
|
||||
+short options will be output to stdout.
|
||||
+.RS 2
|
||||
+.PP
|
||||
+To successfully use the manpages feature requires the manpages to be
|
||||
+installed or on \f[I]MANPATH\f[R], See man(1) for more details.
|
||||
+.RE
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-v\f[R], \f[B]\-\-version\f[R]: Display version information for
|
||||
+this tool, supported tctis and exit.
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-V\f[R], \f[B]\-\-verbose\f[R]: Increase the information that the
|
||||
+tool prints to the console during its execution.
|
||||
+When using this option the file and line number are printed.
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-Q\f[R], \f[B]\-\-quiet\f[R]: Silence normal tool output to
|
||||
+stdout.
|
||||
+.IP \[bu] 2
|
||||
+\f[B]\-Z\f[R], \f[B]\-\-enable\-errata\f[R]: Enable the application of
|
||||
+errata fixups.
|
||||
+Useful if an errata fixup needs to be applied to commands sent to the
|
||||
+TPM.
|
||||
+Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.
|
||||
+information many users may expect.
|
||||
+.SH TCTI Configuration
|
||||
+.PP
|
||||
+The TCTI or \[lq]Transmission Interface\[rq] is the communication
|
||||
+mechanism with the TPM.
|
||||
+TCTIs can be changed for communication with TPMs across different
|
||||
+mediums.
|
||||
+.PP
|
||||
+To control the TCTI, the tools respect:
|
||||
+.IP "1." 3
|
||||
+The command line option \f[B]\-T\f[R] or \f[B]\-\-tcti\f[R]
|
||||
+.IP "2." 3
|
||||
+The environment variable: \f[I]TPM2TOOLS_TCTI\f[R].
|
||||
+.PP
|
||||
+\f[B]Note:\f[R] The command line option always overrides the environment
|
||||
+variable.
|
||||
+.PP
|
||||
+The current known TCTIs are:
|
||||
+.IP \[bu] 2
|
||||
+tabrmd \- The resource manager, called
|
||||
+tabrmd (https://github.com/tpm2-software/tpm2-abrmd).
|
||||
+Note that tabrmd and abrmd as a tcti name are synonymous.
|
||||
+.IP \[bu] 2
|
||||
+mssim \- Typically used for communicating to the TPM software simulator.
|
||||
+.IP \[bu] 2
|
||||
+device \- Used when talking directly to a TPM device file.
|
||||
+.IP \[bu] 2
|
||||
+none \- Do not initalize a connection with the TPM.
|
||||
+Some tools allow for off\-tpm options and thus support not using a TCTI.
|
||||
+Tools that do not support it will error when attempted to be used
|
||||
+without a TCTI connection.
|
||||
+Does not support \f[I]ANY\f[R] options and \f[I]MUST BE\f[R] presented
|
||||
+as the exact text of \[lq]none\[rq].
|
||||
+.PP
|
||||
+The arguments to either the command line option or the environment
|
||||
+variable are in the form:
|
||||
+.PP
|
||||
+\f[C]<tcti\-name>:<tcti\-option\-config>\f[R]
|
||||
+.PP
|
||||
+Specifying an empty string for either the \f[C]<tcti\-name>\f[R] or
|
||||
+\f[C]<tcti\-option\-config>\f[R] results in the default being used for
|
||||
+that portion respectively.
|
||||
+.SS TCTI Defaults
|
||||
+.PP
|
||||
+When a TCTI is not specified, the default TCTI is searched for using
|
||||
+\f[I]dlopen(3)\f[R] semantics.
|
||||
+The tools will search for \f[I]tabrmd\f[R], \f[I]device\f[R] and
|
||||
+\f[I]mssim\f[R] TCTIs \f[B]IN THAT ORDER\f[R] and \f[B]USE THE FIRST ONE
|
||||
+FOUND\f[R].
|
||||
+You can query what TCTI will be chosen as the default by using the
|
||||
+\f[B]\-v\f[R] option to print the version information.
|
||||
+The \[lq]default\-tcti\[rq] key\-value pair will indicate which of the
|
||||
+aforementioned TCTIs is the default.
|
||||
+.SS Custom TCTIs
|
||||
+.PP
|
||||
+Any TCTI that implements the dynamic TCTI interface can be loaded.
|
||||
+The tools internally use \f[I]dlopen(3)\f[R], and the raw
|
||||
+\f[I]tcti\-name\f[R] value is used for the lookup.
|
||||
+Thus, this could be a path to the shared library, or a library name as
|
||||
+understood by \f[I]dlopen(3)\f[R] semantics.
|
||||
+.SH TCTI OPTIONS
|
||||
+.PP
|
||||
+This collection of options are used to configure the various known TCTI
|
||||
+modules available:
|
||||
+.IP \[bu] 2
|
||||
+\f[B]device\f[R]: For the device TCTI, the TPM character device file for
|
||||
+use by the device TCTI can be specified.
|
||||
+The default is \f[I]/dev/tpm0\f[R].
|
||||
+.RS 2
|
||||
+.PP
|
||||
+Example: \f[B]\-T device:/dev/tpm0\f[R] or \f[B]export
|
||||
+\f[BI]TPM2TOOLS_TCTI\f[B]=\[lq]device:/dev/tpm0\[rq]\f[R]
|
||||
+.RE
|
||||
+.IP \[bu] 2
|
||||
+\f[B]mssim\f[R]: For the mssim TCTI, the domain name or IP address and
|
||||
+port number used by the simulator can be specified.
|
||||
+The default are 127.0.0.1 and 2321.
|
||||
+.RS 2
|
||||
+.PP
|
||||
+Example: \f[B]\-T mssim:host=localhost,port=2321\f[R] or \f[B]export
|
||||
+\f[BI]TPM2TOOLS_TCTI\f[B]=\[lq]mssim:host=localhost,port=2321\[rq]\f[R]
|
||||
+.RE
|
||||
+.IP \[bu] 2
|
||||
+\f[B]abrmd\f[R]: For the abrmd TCTI, the configuration string format is
|
||||
+a series of simple key value pairs separated by a `,' character.
|
||||
+Each key and value string are separated by a `=' character.
|
||||
+.RS 2
|
||||
+.IP \[bu] 2
|
||||
+TCTI abrmd supports two keys:
|
||||
+.RS 2
|
||||
+.IP "1." 3
|
||||
+`bus_name' : The name of the tabrmd service on the bus (a string).
|
||||
+.IP "2." 3
|
||||
+`bus_type' : The type of the dbus instance (a string) limited to
|
||||
+`session' and `system'.
|
||||
+.RE
|
||||
+.PP
|
||||
+Specify the tabrmd tcti name and a config string of
|
||||
+\f[C]bus_name=com.example.FooBar\f[R]:
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+\[rs]\-\-tcti=tabrmd:bus_name=com.example.FooBar
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.PP
|
||||
+Specify the default (abrmd) tcti and a config string of
|
||||
+\f[C]bus_type=session\f[R]:
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+\[rs]\-\-tcti:bus_type=session
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.PP
|
||||
+\f[B]NOTE\f[R]: abrmd and tabrmd are synonymous.
|
||||
+the various known TCTI modules.
|
||||
+.RE
|
||||
+.SH EXAMPLES
|
||||
+.SS Setup
|
||||
+.PP
|
||||
+To load an object you first must create an object under a primary
|
||||
+object.
|
||||
+So the first step is to create the primary object.
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+tpm2_createprimary \-c primary.ctx
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.PP
|
||||
+Step 2 is to create an object under the primary object.
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+tpm2_create \-C primary.ctx \-u key.pub \-r key.priv \-f pem \-o pub.pem
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.PP
|
||||
+This creates the private and public portions of the TPM object.
|
||||
+With these object portions, it is now possible to load that object into
|
||||
+the TPM for subsequent use.
|
||||
+.SS Encoding an Object into a combined PEM format
|
||||
+.PP
|
||||
+The final step, is encoding the public and private portions of the
|
||||
+object into a PEM format.
|
||||
+.IP
|
||||
+.nf
|
||||
+\f[C]
|
||||
+tpm2_encodeobject \-C primary.ctx \-u key.pub \-r key.priv \-o priv.pem
|
||||
+\f[R]
|
||||
+.fi
|
||||
+.PP
|
||||
+The generated \f[C]priv.pem\f[R] can be used together with
|
||||
+\f[C]pub.pem\f[R] created in the step 2 of Setup section.
|
||||
+.SH Returns
|
||||
+.PP
|
||||
+Tools can return any of the following codes:
|
||||
+.IP \[bu] 2
|
||||
+0 \- Success.
|
||||
+.IP \[bu] 2
|
||||
+1 \- General non\-specific error.
|
||||
+.IP \[bu] 2
|
||||
+2 \- Options handling error.
|
||||
+.IP \[bu] 2
|
||||
+3 \- Authentication error.
|
||||
+.IP \[bu] 2
|
||||
+4 \- TCTI related error.
|
||||
+.IP \[bu] 2
|
||||
+5 \- Non supported scheme.
|
||||
+Applicable to tpm2_testparams.
|
||||
+.SH BUGS
|
||||
+.PP
|
||||
+Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
|
||||
+.SH HELP
|
||||
+.PP
|
||||
+See the Mailing
|
||||
+List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)
|
12
SOURCES/test-fixup.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -ur tpm2-tools-5.2/test/integration/helpers.sh tpm2-tools-5.2-new/test/integration/helpers.sh
|
||||
--- tpm2-tools-5.2/test/integration/helpers.sh 2021-08-23 09:47:20.000000000 -0700
|
||||
+++ tpm2-tools-5.2-new/test/integration/helpers.sh 2022-05-31 16:06:07.939025537 -0700
|
||||
@@ -409,7 +409,7 @@
|
||||
echo "Starting tpm2-abrmd"
|
||||
# Start tpm2-abrmd
|
||||
start_abrmd || exit 1
|
||||
- run_startup=false
|
||||
+ # run_startup=false
|
||||
else
|
||||
echo "not starting abrmd"
|
||||
fi
|
@ -1,31 +1,55 @@
|
||||
Name: tpm2-tools
|
||||
Version: 4.1.1
|
||||
Release: 5%{?dist}
|
||||
Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
|
||||
#global candidate rc2
|
||||
|
||||
Name: tpm2-tools
|
||||
Version: 5.2
|
||||
Release: 4%{?candidate:.%{candidate}}%{?dist}
|
||||
Summary: A bunch of TPM testing toolS build upon tpm2-tss
|
||||
|
||||
License: BSD
|
||||
URL: https://github.com/tpm2-software/tpm2-tools
|
||||
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
|
||||
Patch0: 0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch
|
||||
Patch1: 0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch
|
||||
Patch2: 0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch
|
||||
Patch3: 0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
|
||||
Patch4: 0001-Fix-ESYS_TR-hierarchy-transition.patch
|
||||
Patch5: 0001-Refactor-fix_esys_hierarchies.patch
|
||||
Patch6: 0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
|
||||
Patch7: 0001-tpm2_getekcertificate-add-default-web-address.patch
|
||||
Patch8: 0001-lib-files-fix-an-error-message-in-files_load_-name.patch
|
||||
Patch9: 0001-tpm2_policy.c-restrict-policy-digest-size.patch
|
||||
Patch10: 0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
|
||||
Patch11: 0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
|
||||
Patch12: 0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
|
||||
Patch13: 0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
|
||||
Patch14: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
|
||||
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}%{?candidate:-%{candidate}}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz
|
||||
Patch0: 0019-build-Use-hardcoded-version-variable.patch
|
||||
Patch1: test-fixup.patch
|
||||
Patch2: 0001-testparms-fix-condition-for-negative-test.patch
|
||||
Patch3: 0001-lib-tpm2_eventlog_yaml-use-char16_t-for-UEFI-charact.patch
|
||||
Patch4: 0002-Patch-set-for-handling-of-new-event-types-in-tpm2_ev.patch
|
||||
Patch5: 0003-Code-clarity-fix-for-calculation-of-data-member-addr.patch
|
||||
Patch6: 0004-tpm2_eventlog-clean-up-some-magic-numbers.patch
|
||||
Patch7: 0005-tpm2_eventlog_yaml-fix-malformed-YAML-for-EV_IPL-dat.patch
|
||||
Patch8: 0006-test-track-expected-YAML-output-for-eventlog.patch
|
||||
Patch9: 0007-tpm2_eventlog_yaml-fix-parsing-for-MokListTrusted.patch
|
||||
Patch10: 0008-tests-add-eventlog-for-parsing-MokListTrusted.patch
|
||||
Patch11: 0009-tpm2_eventlog_yaml-use-defines-for-Unicode-variables.patch
|
||||
Patch101: 0001-Fix-nv_readpublic.patch
|
||||
Patch102: 0002-tpm2_encodeobject-New-tool-to-encode-TPM2-object.patch
|
||||
Patch103: 0003-tools-tpm2_evictconrol-fix-for-call-to-Esys_TR_Close.patch
|
||||
Patch104: 0004-Fix-argument-parsing-in-tpm2_policylocality.patch
|
||||
Patch105: 0005-tools-tpm2_tool.c-Fix-an-issue-where-LOG_WARN-is-alw.patch
|
||||
Patch106: 0006-import-fix-bug-on-using-scheme.patch
|
||||
Patch107: 0007-tpm2_policyor-fix-unallocated-policy-list.patch
|
||||
Patch108: 0008-lib-tpm2_alg_util.c-Fix-potential-null-pointer-deref.patch
|
||||
Patch109: 0009-tss2_provision-fix-usage-of-L-parameter.patch
|
||||
Patch110: 0010-tpm2_encodeobject-fix-formatting.patch
|
||||
Patch111: 0011-tpm2_encodeobject-fix-auth-boolean-flag.patch
|
||||
Patch112: 0012-bugfix-fix-convert-sm2-public-key-in-openssl3.patch
|
||||
Patch113: 0013-readpublic-fix-reading-and-writing-serialized-trs.patch
|
||||
Patch114: 0014-fix-wrong-function-name-of-Esys_Load.patch
|
||||
Patch115: 0015-tpm-errata-switch-to-twos-complement.patch
|
||||
Patch116: 0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch
|
||||
Patch117: 0017-kdfa.c-Fix-problem-with-FORTIFY_SOURCE-on-Fedora.patch
|
||||
Patch118: add_pregenerated_doc.patch
|
||||
Patch201: 0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch
|
||||
Patch202: 0002-tpm2_tool.c-Fix-missing-include-for-basename.patch
|
||||
Patch203: 0003-tpm2_nvread-fix-input-handling-no-nv-index.patch
|
||||
Patch204: 0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch
|
||||
Patch205: 0005-tpm2_checkquote-Fix-check-of-magic-number.patch
|
||||
Patch206: 0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
|
||||
|
||||
BuildRequires: git
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libtool
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: pandoc
|
||||
BuildRequires: pkgconfig(cmocka)
|
||||
BuildRequires: pkgconfig(libcurl)
|
||||
BuildRequires: pkgconfig(openssl)
|
||||
@ -33,94 +57,182 @@ BuildRequires: pkgconfig(openssl)
|
||||
BuildRequires: pkgconfig(tss2-mu)
|
||||
BuildRequires: pkgconfig(tss2-sys)
|
||||
BuildRequires: pkgconfig(tss2-esys)
|
||||
BuildRequires: pkgconfig(uuid)
|
||||
|
||||
# tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required
|
||||
Requires: tpm2-tss%{?_isa} >= 2.3.2-1%{?dist}
|
||||
|
||||
# tpm2-tools project changed the install path for binaries and man page section
|
||||
Obsoletes: tpm2-tools <= 2.1.1-2
|
||||
Requires: tpm2-tss%{?_isa} >= 2.3.1
|
||||
|
||||
%description
|
||||
tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
|
||||
tpm2-tools is a batch of tools for tpm2.0. It is based on tpm2-tss.
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n %{name}-%{version}
|
||||
%autosetup -S git -p1 -n %{name}-%{version}%{?candidate:-%{candidate}}
|
||||
|
||||
%build
|
||||
%configure --prefix=/usr --disable-static --disable-silent-rules
|
||||
autoreconf -i
|
||||
# LTO exposes a latent uninitialized variable "value" in the function # "nt".
|
||||
# This has been reported to the maintainer (Yunying), but they have not
|
||||
# responded and I am not comfortable enough with the code to know if a trivial
|
||||
# initialization to zero is appropriate/safe. So LTO is disabled for now.
|
||||
%define _lto_cflags %{nil}
|
||||
%configure --prefix=/usr --disable-static --disable-silent-rules CFLAGS="%{optflags} -Wno-error=deprecated-declarations"
|
||||
%make_build
|
||||
|
||||
%install
|
||||
%make_install
|
||||
|
||||
%files
|
||||
%doc README.md CHANGELOG.md
|
||||
%license LICENSE
|
||||
%license doc/LICENSE
|
||||
%doc doc/README.md doc/CHANGELOG.md
|
||||
%{_bindir}/tpm2
|
||||
%{_bindir}/tpm2_*
|
||||
%{_bindir}/tss2
|
||||
%{_bindir}/tss2_*
|
||||
%{_datadir}/bash-completion/completions/tpm2*
|
||||
%{_datadir}/bash-completion/completions/tss2*
|
||||
%{_mandir}/man1/tpm2_*.1.gz
|
||||
%{_mandir}/man1/tpm2.1.gz
|
||||
%{_mandir}/man1/tss2_*.1.gz
|
||||
|
||||
%changelog
|
||||
* Mon Aug 09 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-5
|
||||
- Bump nvr to trigger osci.
|
||||
resolves: rhbz#1965981
|
||||
* Wed Jun 19 2024 Štěpán Horáček <shoracek@redhat.com> - 5.2-4
|
||||
- Backport upstream fixes.
|
||||
- tpm2_checkquote: Fix check of magic number. (CVE-2024-29038)
|
||||
- tpm2_checkquote: Add comparison of pcr selection. (CVE-2024-29039)
|
||||
- Fix check of magic number.
|
||||
Resolves: RHEL-23198
|
||||
Resolves: RHEL-41031
|
||||
Resolves: RHEL-41035
|
||||
|
||||
* Tue Jun 01 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-4
|
||||
- Fix CVE-2021-3565
|
||||
resolves: rhbz#1965981
|
||||
* Wed May 24 2023 Štěpán Horáček <shoracek@redhat.com> - 5.2-3
|
||||
- Backport fixes.
|
||||
- Add tpm2_encodeobject tool.
|
||||
Resolves: rhbz#2160304
|
||||
Resolves: rhbz#2047342
|
||||
|
||||
* Fri May 14 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-3
|
||||
- Fix resource leak.
|
||||
- Fix to restrict policy digest size.
|
||||
- Fix incompatible pointer cast.
|
||||
- Fix error message in files_load_##name
|
||||
- Fix issue where execution couldn't reach function return.
|
||||
resolves: rhbz#1920821
|
||||
* Wed Oct 19 2022 Štěpán Horáček <shoracek@redhat.com> - 5.2-2
|
||||
- Fix eventlog output.
|
||||
Resolves: rhbz#2136215
|
||||
|
||||
* Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-2
|
||||
- Fix ESYS_TR hierarchy transition.
|
||||
- Refactor fix_esys_hierarchies to return actual TSS2_RC return code.
|
||||
- tpm2_alg_util.c: fix a bug where the string rsa3072 wasn't being parsed.
|
||||
- tpm2_create.c: Fix an issue where userwithauth attr cleared if policy specified.
|
||||
- tpm2_hierarchycontrol: Fix bug where hierarchycontrol operation failed silently.
|
||||
- tpm2_nvdefine.c: Fix error reporting message.
|
||||
- tpm2_policyor: Fix silent failure for invalid/unspecified policy digest alg.
|
||||
resolves: rhbz#1854774
|
||||
* Tue May 31 2022 Jerry Snitselaar <jsnitsel@redhat.com> - 5.2-1
|
||||
- Rebase to 5.2 release.
|
||||
Resolves: rhbz#2090748
|
||||
|
||||
* Wed Apr 29 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-1
|
||||
- Update to 4.1.1 release
|
||||
resolves: rhbz#1789682
|
||||
* Mon Oct 25 2021 Štěpán Horáček <shoracek@redhat.com> - 5.0-10
|
||||
- Fix the version not being reported
|
||||
Resolves: rhbz#2015941
|
||||
|
||||
* Tue Oct 22 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.2.1-1
|
||||
- Update to 3.2.1 release
|
||||
resolves: rhbz#1725714
|
||||
* Fri Oct 1 2021 Štěpán Horáček <shoracek@redhat.com> - 5.0-9
|
||||
- Fix a segfault on ppc64le and add support for OpenSSL 3
|
||||
Resolves: rhbz#1989617
|
||||
|
||||
* Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-5
|
||||
- Another dependency needed for CI gating
|
||||
resolves: rhbz#1682417
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 5.0-8
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-4
|
||||
- Fix CI dependency
|
||||
resolves: rhbz#1682417
|
||||
* Mon Jun 28 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 5.0-7
|
||||
- Fix for CVE-2021-3565
|
||||
Resolves: rhbz#1965982
|
||||
|
||||
* Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-3
|
||||
- Add CI gating test
|
||||
resolves: rhbz#1682417
|
||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.0-6
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Tue May 14 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-2
|
||||
- Add initial CI gating support
|
||||
resolves: rhbz#1682417
|
||||
* Mon May 24 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 5.0-5
|
||||
- Remove pandoc dependency. Related: rhbz#1943528
|
||||
|
||||
* Tue Apr 30 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.4-1
|
||||
- Rebase to 3.1.4 release.
|
||||
resolves: rhbz#1664498
|
||||
* Wed May 19 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 5.0-4
|
||||
- Work around for openssl 3.0 update. Related: rhbz#1958029
|
||||
|
||||
* Thu Nov 08 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 3.1.1-4
|
||||
- lib/tpm2_options: restore TCTI configuration environment variables
|
||||
- tpm2_getcap: restore tool output to print properties with TPM_PT prefix
|
||||
resolves: rhbz#1648001
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.0-3
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Sat Jul 14 2018 Javier Martinez Canillas <javierm@redhat.com> - - 3.1.1-3
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Mon Nov 23 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 5.0-1
|
||||
- Update tp tpm2-tools 5.0
|
||||
|
||||
* Sat Aug 29 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 4.3.0-1
|
||||
- Update to 4.3.0
|
||||
|
||||
* Mon Aug 10 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 4.2.1-4
|
||||
- Rebuild for tpm2-tss 3.0
|
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 4.2.1-2
|
||||
- Disable LTO due to latent uninitialized variable exposed by LTO
|
||||
|
||||
* Wed May 27 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 4.2.1-1
|
||||
- Update to 4.2.1
|
||||
|
||||
* Tue Apr 14 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 4.2-1
|
||||
- Update to 4.2
|
||||
|
||||
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Nov 28 2019 Yunying Sun <yunying.sun@intel.com> - 4.1-1
|
||||
- Update to 4.1 release
|
||||
|
||||
* Tue Oct 29 2019 Yunying Sun <yunying.sun@intel.com> - 4.0.1-1
|
||||
- Update to 4.0.1 release
|
||||
|
||||
* Tue Sep 10 2019 Peter Robinson <pbrobinson@fedoraproject.org> 4.0-1
|
||||
- Update to 4.0
|
||||
|
||||
* Fri Sep 6 2019 Javier Martinez Canillas <javierm@redhat.com> 4.0-0.4-rc2
|
||||
- Use a release tarball instead of a source code tarball
|
||||
|
||||
* Fri Sep 6 2019 Peter Robinson <pbrobinson@fedoraproject.org> 4.0-0.3-rc2
|
||||
- Update to 4.0 RC2
|
||||
|
||||
* Tue Aug 27 2019 Peter Robinson <pbrobinson@fedoraproject.org> 4.0-0.2-rc1
|
||||
- Update to 4.0 RC1
|
||||
|
||||
* Tue Aug 20 2019 Peter Robinson <pbrobinson@fedoraproject.org> 4.0-0.1-rc0
|
||||
- Update to 4.0 RC0
|
||||
|
||||
* Thu Aug 1 2019 Peter Robinson <pbrobinson@fedoraproject.org> 3.2.0-3
|
||||
- Fix for crash for max PCRs available
|
||||
|
||||
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Jun 21 2019 Yunying Sun <yunying.sun@intel.com> - 3.2.0-1
|
||||
- Update to 3.2.0 release
|
||||
- Removed patches since all have been included in 3.2.0 release
|
||||
|
||||
* Fri May 10 2019 Javier Martinez Canillas <javierm@redhat.com> - 3.1.4-2
|
||||
- Allow tpm2_makecredential to run without a TPM (jetwhiz)
|
||||
- Add tpm2_pcrreset and tpm2_checkquote tools (jetwhiz)
|
||||
|
||||
* Fri Mar 15 2019 Yunying Sun <yunying.sun@intel.com> - 3.1.4-1
|
||||
- Update to 3.1.4 release
|
||||
- Removed the 4 patches since all have been included in 3.1.4 release
|
||||
|
||||
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.3-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Mon Jan 7 2019 Javier Martinez Canillas <javierm@redhat.com> - 3.1.3-3
|
||||
- Fix broken -T option when passing additional arguments
|
||||
|
||||
* Mon Jan 7 2019 Javier Martinez Canillas <javierm@redhat.com> - 3.1.3-2
|
||||
- Fix broken -T option and a couple of minor fixes
|
||||
- Add pandoc BuildRequires
|
||||
|
||||
* Wed Nov 7 2018 Yunying Sun <yunying.sun@intel.com> - 3.1.3-1
|
||||
- Update to 3.1.3 release
|
||||
|
||||
* Wed Sep 12 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.1.2-1
|
||||
- Update to 3.1.2 release
|
||||
- Restore TCTI configuration environment for tools
|
||||
- Restore tpm2_getcap tool properties output
|
||||
Resolves: rhbz#1625647
|
||||
|
||||
* Sat Jul 14 2018 Javier Martinez Canillas <javierm@redhat.com> - 3.1.1-3
|
||||
- Revert backward incompatible change that removes default object attributes
|
||||
|
||||
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.1-2
|
||||
|