import UBI tpm2-tss-4.1.3-6.el10

This commit is contained in:
AlmaLinux RelEng Bot 2026-05-19 18:43:47 -04:00
parent 6991d86c3e
commit be3f5ffed8
22 changed files with 2357 additions and 3 deletions



@ -0,0 +1,87 @@
From 86ff2ee77eb19558e8ae133ad78dcd2d6f59eef1 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 3 May 2024 11:57:43 +0200
Subject: [PATCH 02/22] FAPI: Add check whether auth values exist for
hierarchies.
Currently FAPI provisioning tries to create the EK and SRK with the
NULL auth value for the hierarchies.
Now first the corresponding flag in TPM2_CAP_TPM_PROPERTIES with
the property TPM2_PT_PERMANENT is checked. If an auth value is used
for the hierarchy the auth value callback will be called.
The "retry" code in the BAD_AUTH case is removed.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_Provision.c | 10 ++++++++++
src/tss2-fapi/fapi_util.c | 32 +-----------------------------
2 files changed, 11 insertions(+), 31 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index 3046b90b..87e0f505 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -512,6 +512,16 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
command->auth_state = (*capabilityData)->data.tpmProperties.tpmProperty[0].value;
SAFE_FREE(*capabilityData);
+ if (command->auth_state & TPMA_PERMANENT_ENDORSEMENTAUTHSET) {
+ hierarchy_he->misc.hierarchy.with_auth = TPM2_YES;
+ }
+ if (command->auth_state & TPMA_PERMANENT_OWNERAUTHSET) {
+ hierarchy_hs->misc.hierarchy.with_auth = TPM2_YES;
+ }
+ if (command->auth_state & TPMA_PERMANENT_LOCKOUTAUTHSET) {
+ hierarchy_lockout->misc.hierarchy.with_auth = TPM2_YES;
+ }
+
/* Check the TPM capabilities for the persistent handle. */
if (command->public_templ.persistent_handle) {
r = Esys_GetCapability_Async(context->esys,
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 82d0d0fa..740d5e4a 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -760,38 +760,8 @@ ifapi_init_primary_finish(FAPI_CONTEXT *context, TSS2_KEY_TYPE ktype, IFAPI_OBJE
if (base_rc(r) == TSS2_BASE_RC_TRY_AGAIN)
return TSS2_FAPI_RC_TRY_AGAIN;
- /* Retry with authorization callback after trial with null auth */
- if (number_rc(r) == TPM2_RC_BAD_AUTH
- && hierarchy->misc.hierarchy.with_auth == TPM2_NO) {
- char *description;
- r = ifapi_get_description(hierarchy, &description);
- return_if_error(r, "Get description");
+ goto_if_error_reset_state(r, "FAPI Provision", error_cleanup);
- r = ifapi_set_auth(context, hierarchy, description);
- SAFE_FREE(description);
- goto_if_error_reset_state(r, "CreatePrimary", error_cleanup);
-
- r = Esys_CreatePrimary_Async(context->esys, hierarchy->public.handle,
- (context->session1 == ESYS_TR_NONE) ?
- ESYS_TR_PASSWORD : context->session1,
- ESYS_TR_NONE, ESYS_TR_NONE,
- &context->cmd.Provision.inSensitive,
- &context->cmd.Provision.public_templ.public,
- &context->cmd.Provision.outsideInfo,
- &context->cmd.Provision.creationPCR);
- goto_if_error_reset_state(r, "CreatePrimary", error_cleanup);
-
- if (ktype == TSS2_EK) {
- context->state = PROVISION_AUTH_EK_AUTH_SENT;
- } else {
- context->state = PROVISION_AUTH_SRK_AUTH_SENT;
- }
- hierarchy->misc.hierarchy.with_auth = TPM2_YES;
- return TSS2_FAPI_RC_TRY_AGAIN;
-
- } else {
- goto_if_error_reset_state(r, "FAPI Provision", error_cleanup);
- }
/* Set EK or SRK handle in context. */
if (ktype == TSS2_EK) {
context->ek_handle = primaryHandle;
--
2.51.0
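Review bot: With the BAD_AUTH retry branch deleted from ifapi_init_primary_finish, a TPM2_RC_BAD_AUTH from CreatePrimary now surfaces only through the generic `goto_if_error_reset_state(r, "FAPI Provision", error_cleanup);`, so a user whose owner or endorsement auth is set but whose callback returned a wrong value gets no hint that the hierarchy auth was the cause; consider `goto_if_error_reset_state(r, "CreatePrimary failed (check hierarchy auth value)", error_cleanup);`. In Fapi_Provision.c the three new with_auth assignments deserve a one-line comment that they decide whether the auth callback is consulted before CreatePrimary. Only the owner, endorsement and lockout bits are mapped; if a platform-hierarchy object exists in this context it is not covered, which I cannot tell from the hunk. Both enclosing functions start and end outside the shown lines.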


@ -0,0 +1,42 @@
From 661a0b0ef63c015106bc28827c9fac484b0b719d Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 10 May 2024 19:15:37 +0200
Subject: [PATCH 03/22] FAPI: Improve the error message for self signed EK
certificates.
The error message
"curl_url_set for CURUPART_URL failed: Unsupported URL scheme"
was displayed if a self signed EK certificate was stored in the TPM.
Now a better error message is displayed to explain that FAPI can
be used if "ek_cert_less" is set to "yes" in the FAPI config file.
Addresses: #2833
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_curl.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/tss2-fapi/ifapi_curl.c b/src/tss2-fapi/ifapi_curl.c
index 976f36d0..9827afcd 100644
--- a/src/tss2-fapi/ifapi_curl.c
+++ b/src/tss2-fapi/ifapi_curl.c
@@ -175,6 +175,16 @@ ifapi_curl_verify_ek_cert(
goto_if_null2(ek_cert, "Failed to convert PEM certificate to DER.",
r, TSS2_FAPI_RC_BAD_VALUE, cleanup);
+ if (is_self_signed(ek_cert)) {
+ /* A self signed certificate was stored in the TPM and ek_cert_less was not set.*/
+ goto_error(r, TSS2_FAPI_RC_NO_CERT,
+ "A self signed EK certifcate for current crypto profile was found. "
+ "You may want to switch the profile in fapi-config or "
+ "set the ek_cert_less or ek_cert_file options in fapi-config. "
+ "See also https://tpm2-software.github.io/2020/07/22/Fapi_Crypto_Profiles.html",
+ cleanup);
+ }
+
if (intermed_cert_pem) {
intermed_cert = get_X509_from_pem(intermed_cert_pem);
goto_if_null2(intermed_cert, "Failed to convert PEM certificate to DER.",
--
2.51.0
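Review bot: The new user-facing message misspells "certificate" in `"A self signed EK certifcate for current crypto profile was found. "`, and this string will be copied verbatim into bug reports, so fix the spelling before it ships. The recommended remedy, ek_cert_less, skips EK certificate verification according to the commit text, so it would help to phrase the hint as a trade-off, e.g. append `"(ek_cert_less disables EK certificate verification)"`. The return type and failure semantics of is_self_signed are not visible here; if it can fail rather than only return false, that failure is currently indistinguishable from "not self signed". ifapi_curl_verify_ek_cert continues outside the hunk.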


@ -0,0 +1,34 @@
From 90d20f92a0da1e1d783419928a43fa850e2f9533 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sat, 18 May 2024 20:21:14 +0200
Subject: [PATCH 04/22] TCTI: Fix leak produced in Tss2_TctiLdr_Initialize_Ex
The return code of tctildr_init_context_data was not checked in
Tss2_TctiLdr_Initialize_Ex. The cleanup part of this function was
not executed and so a leak was produced.
Fixes #2842
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-tcti/tctildr.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
index 4f380ceb..af913193 100644
--- a/src/tss2-tcti/tctildr.c
+++ b/src/tss2-tcti/tctildr.c
@@ -524,7 +524,10 @@ Tss2_TctiLdr_Initialize_Ex (const char *name,
}
*tctiContext = (TSS2_TCTI_CONTEXT *) ldr_ctx;
- return tctildr_init_context_data(*tctiContext, local_name, local_conf);
+ rc = tctildr_init_context_data(*tctiContext, local_name, local_conf);
+ if (rc == TSS2_RC_SUCCESS) {
+ return rc;
+ }
err:
if (*tctiContext != NULL) {
--
2.51.0
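Review bot: After the new `if (rc == TSS2_RC_SUCCESS) { return rc; }` control silently falls into the `err:` label, which reads like an accidental fallthrough because nothing marks the failure path; add `/* tctildr_init_context_data failed: fall through to cleanup */` or an explicit `goto err;`. The cleanup under `err:` operates on `*tctiContext`, which was just assigned `ldr_ctx`, so the caller's pointer refers to freed memory unless it is reset to NULL afterwards — the visible lines do not show that, and it is what callers of Tss2_TctiLdr_Initialize_Ex need on failure. The function body continues past the hunk.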


@ -0,0 +1,74 @@
From 17802f7911562779830daa4cb49dbb07a94964ac Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sun, 2 Jun 2024 14:28:18 +0200
Subject: [PATCH 05/22] FAPI: Fix usage of external PEM keys for
PolicyAuthorize.
* PolicyAuthorize with an external imported PEM key did not work if
the default nameAlg for the imported key (sha1) was not equal to
the default nameAlg in the current fapi profile.
The nameAlg from the profile is now used for the imported key.
* To prevent a possible double free after cleanup of a policy
the NULL pointer is set for the reference to this policy.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_Import.c | 2 ++
src/tss2-fapi/fapi_crypto.c | 4 ++--
src/tss2-fapi/ifapi_policy_callbacks.c | 4 +++-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Import.c b/src/tss2-fapi/api/Fapi_Import.c
index 2aa5ed79..33f5e69a 100644
--- a/src/tss2-fapi/api/Fapi_Import.c
+++ b/src/tss2-fapi/api/Fapi_Import.c
@@ -194,6 +194,8 @@ Fapi_Import_Async(
&extPubKey->public);
goto_if_error(r, "Convert PEM public key into TPM public key.", cleanup_error);
+ extPubKey->public.publicArea.nameAlg = context->profiles.default_profile.nameAlg;
+
command->new_object = *object;
if (strncmp("/", path, 1) == 0)
pos = 1;
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index 43b1bbbb..28385ad3 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -122,7 +122,7 @@ static const TPM2B_PUBLIC templateRsaSign = {
.size = 0,
.publicArea = {
.type = TPM2_ALG_RSA,
- .nameAlg = TPM2_ALG_SHA1,
+ .nameAlg = TPM2_ALG_SHA256,
.objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ),
.authPolicy = {
.size = 0,
@@ -153,7 +153,7 @@ static const TPM2B_PUBLIC templateEccSign = {
.size = 0,
.publicArea = {
.type = TPM2_ALG_ECC,
- .nameAlg = TPM2_ALG_SHA1,
+ .nameAlg = TPM2_ALG_SHA256,
.objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ),
.authPolicy = {
.size = 0,
diff --git a/src/tss2-fapi/ifapi_policy_callbacks.c b/src/tss2-fapi/ifapi_policy_callbacks.c
index 10d591bb..9c52088d 100644
--- a/src/tss2-fapi/ifapi_policy_callbacks.c
+++ b/src/tss2-fapi/ifapi_policy_callbacks.c
@@ -1466,8 +1466,10 @@ ifapi_exec_auth_policy(
cleanup:
SAFE_FREE(names);
/* Check whether cleanup was executed. */
- if (fapi_ctx->policy.policyutil_stack)
+ if (fapi_ctx->policy.policyutil_stack) {
cleanup_policy_list(current_policy->policy_list);
+ current_policy->policy_list = NULL;
+ }
return r;
}
--
2.51.0
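Review bot: The unconditional `extPubKey->public.publicArea.nameAlg = context->profiles.default_profile.nameAlg;` in Fapi_Import_Async has no comment explaining why the nameAlg produced by the PEM conversion is discarded; since a TPM object's name, and therefore any PolicyAuthorize digest referring to it, depends on nameAlg, add `/* Use the profile's nameAlg so the key name matches policies computed for this profile. */`. Together with the SHA1 to SHA256 change of templateRsaSign and templateEccSign in fapi_crypto.c, a PEM key imported before this change presumably has a different name than the same PEM imported afterwards; if that compatibility effect is intended it should be stated in a comment. The `current_policy->policy_list = NULL;` in ifapi_exec_auth_policy is the right guard against the double free. The enclosing functions of all three hunks extend beyond what is shown.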


@ -0,0 +1,29 @@
From 379d53c62a7f5e8db828f94b518ff6cbfa2289e6 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Wed, 26 Jun 2024 16:47:28 +0200
Subject: [PATCH 06/22] FAPI: Fix wrong format directive in ifap_set_auth
%u was used for a 16 bit unsigned integer and %lu for sizeof.
Fixes: #2856
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/fapi_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 740d5e4a..d73e50f1 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -441,7 +441,7 @@ ifapi_set_auth(
if (auth != NULL) {
authValue.size = strlen(auth);
if (authValue.size > sizeof(TPMU_HA)) {
- return_error2(TSS2_FAPI_RC_BAD_VALUE, "Size of auth value %u > %lu",
+ return_error2(TSS2_FAPI_RC_BAD_VALUE, "Size of auth value %"PRIu16" > %zu",
authValue.size, sizeof(TPMU_HA));
}
memcpy(&authValue.buffer[0], auth, authValue.size);
--
2.51.0
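Review bot: The line above the corrected message, `authValue.size = strlen(auth);`, narrows a size_t into the 16-bit `size` before the `> sizeof(TPMU_HA)` check, so an auth string of 65536 bytes or more wraps to a small value, passes the check and is silently truncated by the memcpy; compare before narrowing: `size_t auth_len = strlen(auth); if (auth_len > sizeof(TPMU_HA)) { return_error2(TSS2_FAPI_RC_BAD_VALUE, "Size of auth value %zu > %zu", auth_len, sizeof(TPMU_HA)); } authValue.size = (UINT16)auth_len;`. The `PRIu16` macro requires <inttypes.h>, which is not visible in the hunk; the project already uses SCNx32 in ifapi_helpers.c, so confirm fapi_util.c includes it too. ifapi_set_auth continues outside the hunk.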


@ -0,0 +1,35 @@
From fd21afd65ee7007c0eabbbfbed4cde6b6ec64fbc Mon Sep 17 00:00:00 2001
From: Johannes Holland <johannes.holland@infineon.de>
Date: Mon, 15 Jul 2024 14:51:11 +0200
Subject: [PATCH 07/22] fapi: fix PolicyTemplate policyDigest calculation.
We forgot to input the old policyDigest for the hash calculation of the
new policyDigest.
Bug was not caught due to missing return code assignment in
policy-execute, see 80ffbf825f127.
Fixes: #2862
Signed-off-by: Johannes Holland <johannes.holland@infineon.de>
---
src/tss2-fapi/ifapi_policy_calculate.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/tss2-fapi/ifapi_policy_calculate.c b/src/tss2-fapi/ifapi_policy_calculate.c
index 92fc812c..073ab0eb 100644
--- a/src/tss2-fapi/ifapi_policy_calculate.c
+++ b/src/tss2-fapi/ifapi_policy_calculate.c
@@ -1269,6 +1269,9 @@ ifapi_calculate_policy_template(
r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
return_if_error(r, "crypto hash start");
+ HASH_UPDATE_BUFFER(cryptoContext,
+ &current_digest->digests[digest_idx].digest, hash_size,
+ r, cleanup);
HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyTemplate, r,
cleanup);
HASH_UPDATE_BUFFER(cryptoContext, &used_template_hash->buffer[0],
--
2.51.0
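Review bot: The new `HASH_UPDATE_BUFFER` of the previous digest has no comment tying it to the policy-digest recurrence that the bug was about; add `/* policyDigest_new = H(policyDigest_old || TPM2_CC_PolicyTemplate || templateHash) */` above it so the next reader sees why the old digest is hashed first. The length passed is `hash_size`, which must equal the digest length of the `current_hash_alg` given to `ifapi_crypto_hash_start`; the hunk does not show where hash_size is derived, so confirm both come from the same algorithm. ifapi_calculate_policy_template continues outside the hunk.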


@ -0,0 +1,145 @@
From 1ea2ff7a2779b584bd6e5a95f839187019edd66a Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 2 Aug 2024 20:31:19 +0200
Subject: [PATCH 08/22] FAPI: Fix unnecessary writes to keystore.
* A duplicate write operation to the keystore was executed by
Fapi_NvWrite.
* A write operation to the keystore was only needed after the
first call of Fapi_NvWrite because the NV_WRITTEN bit was set.
* A write operation to the keystore by Fapi_ChangeAuth was only needed
if the value of the attribute with_auth was changed.
Addresses: #2881
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_ChangeAuth.c | 26 ++++++++++++++++++++++----
src/tss2-fapi/api/Fapi_NvWrite.c | 24 ------------------------
src/tss2-fapi/fapi_util.c | 13 +++++++++++++
3 files changed, 35 insertions(+), 28 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_ChangeAuth.c b/src/tss2-fapi/api/Fapi_ChangeAuth.c
index 42e994c2..9aaf2d39 100644
--- a/src/tss2-fapi/api/Fapi_ChangeAuth.c
+++ b/src/tss2-fapi/api/Fapi_ChangeAuth.c
@@ -413,10 +413,19 @@ Fapi_ChangeAuth_Finish(
empty authorization or an actual password. */
object = command->key_object;
- if (strlen(command->authValue) > 0)
+ if (strlen(command->authValue) > 0) {
+ if (object->misc.key.with_auth == TPM2_YES) {
+ context->state = ENTITY_CHANGE_AUTH_CLEANUP;
+ return TSS2_FAPI_RC_TRY_AGAIN;
+ }
object->misc.key.with_auth = TPM2_YES;
- else
+ } else {
+ if (object->misc.key.with_auth == TPM2_NO) {
+ context->state = ENTITY_CHANGE_AUTH_CLEANUP;
+ return TSS2_FAPI_RC_TRY_AGAIN;
+ }
object->misc.key.with_auth = TPM2_NO;
+ }
fallthrough;
statecase(context->state, ENTITY_CHANGE_AUTH_WRITE_PREPARE)
@@ -496,10 +505,19 @@ Fapi_ChangeAuth_Finish(
/* Update the information about whether the new Auth is an empty
authorization or an actual password. */
- if (strlen(command->authValue) > 0)
+ if (strlen(command->authValue) > 0) {
+ if (object->misc.key.with_auth == TPM2_YES) {
+ context->state = ENTITY_CHANGE_AUTH_CLEANUP;
+ return TSS2_FAPI_RC_TRY_AGAIN;
+ }
object->misc.nv.with_auth = TPM2_YES;
- else
+ } else {
+ if (object->misc.key.with_auth == TPM2_NO) {
+ context->state = ENTITY_CHANGE_AUTH_CLEANUP;
+ return TSS2_FAPI_RC_TRY_AGAIN;
+ }
object->misc.nv.with_auth = TPM2_NO;
+ }
/* Jump over to the AUTH_WRITE_PREPARE state for storing the
new metadata to the keystore. */
diff --git a/src/tss2-fapi/api/Fapi_NvWrite.c b/src/tss2-fapi/api/Fapi_NvWrite.c
index c8df7cdf..b9d16313 100644
--- a/src/tss2-fapi/api/Fapi_NvWrite.c
+++ b/src/tss2-fapi/api/Fapi_NvWrite.c
@@ -252,10 +252,6 @@ Fapi_NvWrite_Finish(
switch (context->state) {
statecase(context->state, NV_WRITE_READ);
- /* First check whether the file in object store can be updated. */
- r = ifapi_keystore_check_writeable(&context->keystore, command->nvPath);
- goto_if_error_reset_state(r, "Check whether update object store is possible.", error_cleanup);
-
/* Write to the NV index. */
r = ifapi_nv_write(context, command->nvPath, command->offset,
command->data, command->numBytes);
@@ -263,26 +259,6 @@ Fapi_NvWrite_Finish(
return_try_again(r);
goto_if_error_reset_state(r, " FAPI NV Write", error_cleanup);
-
- /* Perform esys serialization if necessary */
- r = ifapi_esys_serialize_object(context->esys, &command->nv_object);
- goto_if_error(r, "Prepare serialization", error_cleanup);
-
- /* Start writing the NV object to the key store */
- r = ifapi_keystore_store_async(&context->keystore, &context->io,
- command->nvPath,
- &command->nv_object);
- goto_if_error_reset_state(r, "Could not open: %sh", error_cleanup,
- command->nvPath);
-
- fallthrough;
-
- statecase(context->state, NV_WRITE_WRITE);
- /* Finish writing the NV object to the key store */
- r = ifapi_keystore_store_finish(&context->io);
- return_try_again(r);
- return_if_error_reset_state(r, "write_finish failed");
-
fallthrough;
statecase(context->state, NV_WRITE_CLEANUP)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index d73e50f1..4b147ff9 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -2322,6 +2322,13 @@ ifapi_nv_write(
context->nv_cmd.esys_handle = nv_index;
context->nv_cmd.nv_obj = object->misc.nv;
+ /* Check whether the file in object store can be updated if necessary */
+ if (!(context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes &
+ TPMA_NV_WRITTEN) ){
+ r = ifapi_keystore_check_writeable(&context->keystore, nvPath);
+ goto_if_error_reset_state(r, "Check whether update object store is possible.", error_cleanup);
+ }
+
/* Determine the object which will be uses for authorization. */
if (object->misc.nv.public.nvPublic.attributes & TPMA_NV_PPWRITE) {
ifapi_init_hierarchy_object(auth_object, ESYS_TR_RH_PLATFORM);
@@ -2443,6 +2450,12 @@ ifapi_nv_write(
return TSS2_FAPI_RC_TRY_AGAIN;
}
+ if (context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes &
+ TPMA_NV_WRITTEN) {
+ LOG_DEBUG("success");
+ r = TSS2_RC_SUCCESS;
+ break;
+ }
fallthrough;
statecase(context->nv_cmd.nv_write_state, NV2_WRITE_WRITE_PREPARE);
--
2.51.0
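Review bot: In the second Fapi_ChangeAuth_Finish hunk (the NV branch, old line 496 onward) the new early-return checks read `object->misc.key.with_auth` while the assignments that follow write `object->misc.nv.with_auth`, so the decision to skip the keystore write is taken on a different member than the one being guarded; both should be `if (object->misc.nv.with_auth == TPM2_YES) {` and `if (object->misc.nv.with_auth == TPM2_NO) {`. In the ifapi_nv_write hunks the new writeable check reads `context->nv_cmd.nv_object`, while the line just above assigns `context->nv_cmd.nv_obj = object->misc.nv;` — two differently named fields — so confirm nv_object is populated at that point, otherwise the TPMA_NV_WRITTEN test looks at stale data. The enclosing functions of all hunks continue outside the shown lines.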


@ -0,0 +1,50 @@
From 4be439941693b223244ef5fd33a46e80861a429c Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Wed, 31 Jul 2024 22:37:07 +0200
Subject: [PATCH 09/22] FAPI: Fix segfault if json field is null.
The function json_object_object_get_ex does not create a
json object for the parameter value in the case "key":null.
This caused a segfault in json deserialization.
Fixes: #2878
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/tpm_json_deserialize.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c
index 1b27a83f..02a72592 100644
--- a/src/tss2-fapi/tpm_json_deserialize.c
+++ b/src/tss2-fapi/tpm_json_deserialize.c
@@ -231,13 +231,25 @@ ifapi_get_sub_object(json_object *jso, char *name, json_object **sub_jso)
{
int i;
if (json_object_object_get_ex(jso, name, sub_jso)) {
- return true;
+ if (*sub_jso) {
+ return true;
+ } else {
+ return false;
+ }
} else {
char name2[strlen(name) + 1];
for (i = 0; name[i]; i++)
name2[i] = tolower(name[i]);
name2[strlen(name)] = '\0';
- return json_object_object_get_ex(jso, name2, sub_jso);
+ if (json_object_object_get_ex(jso, name2, sub_jso)) {
+ if (*sub_jso) {
+ return true;
+ } else {
+ return false;
+ }
+ } else {
+ return false;
+ }
}
}
--
2.51.0
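Review bot: Both branches of ifapi_get_sub_object now repeat the same four-line `if (*sub_jso) return true; else return false;` shape, which hides that the whole function is a lookup plus a NULL test; the hunk also keeps `tolower(name[i])` on a plain char, which is undefined for negative values unless cast to unsigned char. A shorter equivalent keeps the lower-case fallback and makes the `"key": null` case explicit. The function is fully visible in the hunk.
```c
if (json_object_object_get_ex(jso, name, sub_jso)) {
    /* "key": null is reported as found with a NULL value; treat it as absent. */
    return *sub_jso != NULL;
}
char name2[strlen(name) + 1];
for (i = 0; name[i]; i++)
    name2[i] = (char)tolower((unsigned char)name[i]);
name2[strlen(name)] = '\0';
return json_object_object_get_ex(jso, name2, sub_jso) && *sub_jso != NULL;
```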


@ -0,0 +1,39 @@
From 236c9c61cecf478cf4ae86606495a9f93535a27a Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Wed, 21 Aug 2024 18:56:02 +0200
Subject: [PATCH 10/22] FAPI: Fix Fapi_ChangeAuth for keys.
The keystore has to be updated after Fapi_ChangeAuth for key
objects because the private field is changed.
If not an HMAC error is produced when this key is used.
Fixes: #2890
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_ChangeAuth.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_ChangeAuth.c b/src/tss2-fapi/api/Fapi_ChangeAuth.c
index 9aaf2d39..d9003920 100644
--- a/src/tss2-fapi/api/Fapi_ChangeAuth.c
+++ b/src/tss2-fapi/api/Fapi_ChangeAuth.c
@@ -414,16 +414,8 @@ Fapi_ChangeAuth_Finish(
object = command->key_object;
if (strlen(command->authValue) > 0) {
- if (object->misc.key.with_auth == TPM2_YES) {
- context->state = ENTITY_CHANGE_AUTH_CLEANUP;
- return TSS2_FAPI_RC_TRY_AGAIN;
- }
object->misc.key.with_auth = TPM2_YES;
} else {
- if (object->misc.key.with_auth == TPM2_NO) {
- context->state = ENTITY_CHANGE_AUTH_CLEANUP;
- return TSS2_FAPI_RC_TRY_AGAIN;
- }
object->misc.key.with_auth = TPM2_NO;
}
fallthrough;
--
2.51.0
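Review bot: The removal leaves the key branch without any statement of why it must always continue to ENTITY_CHANGE_AUTH_WRITE_PREPARE even when with_auth is unchanged, which is exactly the reasoning the commit message gives; add `/* Always rewrite the keystore entry: ChangeAuth replaced the key's private blob, not only with_auth. */` above `object->misc.key.with_auth = TPM2_YES;`. The NV branch introduced by the previous patch keeps its early-return shortcut; whether that remains correct for NV indexes, which have no private blob, would be worth a sentence in the same comment. Fapi_ChangeAuth_Finish continues outside the hunk.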


@ -0,0 +1,48 @@
From 67d21f1c0b66b802230a4710d056759d3c707e11 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 2 Dec 2024 20:33:43 +0100
Subject: [PATCH 11/22] tcti-msim: Fix call of socket_xmit_buf in
send_sim_session_end.
* socket_xmit_buf was not called after successful marshalling.
* The result of the write function was not set in the wrapper function for
write in the teardown function.
Fixes: #2915
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-tcti/tcti-mssim.c | 2 +-
test/unit/tcti-mssim.c | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/tss2-tcti/tcti-mssim.c b/src/tss2-tcti/tcti-mssim.c
index a0afa9fd..cf6f4208 100644
--- a/src/tss2-tcti/tcti-mssim.c
+++ b/src/tss2-tcti/tcti-mssim.c
@@ -134,7 +134,7 @@ send_sim_session_end (
TSS2_RC rc;
rc = Tss2_MU_UINT32_Marshal (TPM_SESSION_END, buf, sizeof (buf), NULL);
- if (rc == TSS2_RC_SUCCESS) {
+ if (rc != TSS2_RC_SUCCESS) {
return rc;
}
return socket_xmit_buf (sock, buf, sizeof (buf));
diff --git a/test/unit/tcti-mssim.c b/test/unit/tcti-mssim.c
index bafcb743..90e97c5f 100644
--- a/test/unit/tcti-mssim.c
+++ b/test/unit/tcti-mssim.c
@@ -337,6 +337,9 @@ tcti_socket_teardown (void **state)
{
TSS2_TCTI_CONTEXT *ctx = (TSS2_TCTI_CONTEXT*)*state;
+ will_return (__wrap_write, 4);
+ will_return (__wrap_write, 4);
+
Tss2_Tcti_Finalize (ctx);
free (ctx);
return 0;
--
2.51.0
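Review bot: The test teardown now queues two `will_return (__wrap_write, 4);` with no comment saying what the two 4-byte writes are; add `/* Tss2_Tcti_Finalize now really sends TPM_SESSION_END (one UINT32) per socket */`, presumably one per simulator socket, which the hunk does not show. In tcti-mssim.c the inverted condition is the right fix; since send_sim_session_end's return value now reflects socket_xmit_buf, confirm the finalize path handles, or deliberately ignores, a non-success code rather than dropping it unnoticed. Both enclosing functions continue outside the hunks.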


@ -0,0 +1,42 @@
From 159d5cfc8058fa654d614d8108919806dca091b5 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sat, 19 Oct 2024 13:21:20 +0200
Subject: [PATCH 12/22] FAPI: Fix missing scanf checks.
In several cases the return value of scanf was not checked.
Thus afterwards acces to variables not initialized was possible.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_helpers.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c
index bd6e2dab..a651af42 100644
--- a/src/tss2-fapi/ifapi_helpers.c
+++ b/src/tss2-fapi/ifapi_helpers.c
@@ -84,8 +84,8 @@ ifapi_set_key_flags(const char *type, bool policy, IFAPI_KEY_TEMPLATE *template)
} else if (strcasecmp(flag, "noda") == 0) {
attributes |= TPMA_OBJECT_NODA;
} else if (strncmp(flag, "0x", 2) == 0) {
- sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos);
- if ((size_t)pos != strlen(flag) - 2) {
+ if (sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos) < 1 ||
+ (size_t)pos != strlen(flag) - 2) {
goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid flag: %s",
error, flag);
}
@@ -181,8 +181,8 @@ ifapi_set_nv_flags(const char *type, IFAPI_NV_TEMPLATE *template,
} else if (strcasecmp(flag, "noda") == 0) {
attributes |= TPMA_NV_NO_DA;
} else if (strncmp(flag, "0x", 2) == 0) {
- sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos);
- if ((size_t)pos != strlen(flag) - 2) {
+ if (sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos) < 1 ||
+ (size_t)pos != strlen(flag) - 2) {
goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid flag: %s",
error, flag);
}
--
2.51.0
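Review bot: The added return-value check is correct, but `sscanf` with `%"SCNx32` has no defined result when the hex text does not fit in 32 bits, so an over-long flag such as 0x1FFFFFFFF still reaches the attribute logic with an unspecified handle in both ifapi_set_key_flags and ifapi_set_nv_flags. `strtoul` reports range errors: `errno = 0; char *end; unsigned long v = strtoul(&flag[2], &end, 16);` followed by `if (end == &flag[2] || *end != '\0' || errno == ERANGE || v > UINT32_MAX) { goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid flag: %s", error, flag); }` and `handle = (uint32_t)v;`. Both enclosing functions continue outside their hunks.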


@ -0,0 +1,92 @@
From 639cb917cb020b0aeb849054e538ddf7a41c497c Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sat, 19 Oct 2024 14:03:43 +0200
Subject: [PATCH 13/22] FAPI: Fix Local variable address stored in non-local
memory.
The corresponding local array is now created with malloc and
freed after the execution of Fapi_WriteAuthorizeNv_Finish.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c | 15 ++++++++++-----
src/tss2-fapi/fapi_int.h | 1 +
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c b/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c
index 8e346e80..1a133188 100644
--- a/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c
+++ b/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c
@@ -227,7 +227,6 @@ Fapi_WriteAuthorizeNv_Finish(
TSS2_RC r;
const size_t maxNvSize = sizeof(TPMU_HA) + sizeof(TPMI_ALG_HASH);
- BYTE nvBuffer[maxNvSize];
size_t offset = 0;
/* Check for NULL parameters */
@@ -242,6 +241,7 @@ Fapi_WriteAuthorizeNv_Finish(
switch (context->state) {
statecase(context->state, WRITE_AUTHORIZE_NV_READ_NV)
+ nvCmd->nv_buffer = NULL;
/* First check whether the file in object store can be updated. */
r = ifapi_keystore_check_writeable(&context->keystore, nvCmd->nvPath);
goto_if_error_reset_state(r,
@@ -275,25 +275,29 @@ Fapi_WriteAuthorizeNv_Finish(
statecase(context->state, WRITE_AUTHORIZE_NV_WRITE_NV_RAM_PREPARE)
+ nvCmd->nv_buffer = malloc(maxNvSize);
+ if (!nvCmd->nv_buffer) {
+ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+
/* Copy hash alg followed by digest into a buffer to be written to NV ram */
r = Tss2_MU_TPMI_ALG_HASH_Marshal(
object->misc.nv.public.nvPublic.nameAlg,
- &nvBuffer[0], maxNvSize, &offset);
+ &nvCmd->nv_buffer[0], maxNvSize, &offset);
goto_if_error_reset_state(r, "FAPI marshal hash alg", error_cleanup);
void * currentDigest =
&policy->policyDigests.digests[command->digest_idx].digest;
- memcpy(&nvBuffer[offset], currentDigest, command->hash_size);
+ memcpy(&nvCmd->nv_buffer[offset], currentDigest, command->hash_size);
/* Store these data in the context to be used for re-entry on nv_write. */
- nvCmd->data = &nvBuffer[0];
nvCmd->numBytes = command->hash_size + sizeof(TPMI_ALG_HASH);
fallthrough;
statecase(context->state, WRITE_AUTHORIZE_NV_WRITE_NV_RAM)
/* Perform the actual NV Write operation. */
r = ifapi_nv_write(context, nvCmd->nvPath, 0,
- nvCmd->data, context->nv_cmd.numBytes);
+ nvCmd->nv_buffer, context->nv_cmd.numBytes);
return_try_again(r);
goto_if_error_reset_state(r, " FAPI NV Write", error_cleanup);
@@ -345,6 +349,7 @@ error_cleanup:
/* Cleanup any intermediate results and state stored in the context. */
SAFE_FREE(command->policyPath);
SAFE_FREE(nvCmd->nvPath);
+ SAFE_FREE(nvCmd->nv_buffer);
ifapi_session_clean(context);
ifapi_cleanup_policy(policy);
ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 84352684..06f69c5c 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -233,6 +233,7 @@ typedef struct {
UINT16 offset; /**< Offset in TPM memory TPM */
size_t data_idx; /**< Offset in the read buffer */
const uint8_t *data; /**< Buffer for data to be written */
+ uint8_t *nv_buffer; /**< Buffer for data to be written */
uint8_t *rdata; /**< Buffer for data to be read */
size_t size; /**< size of rdata */
IFAPI_OBJECT auth_object; /**< Object used for authentication */
--
2.51.0
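Review bot: The new fapi_int.h field comment `uint8_t *nv_buffer; /**< Buffer for data to be written */` duplicates the comment of `data` one line above and says nothing about ownership, which was the point of the fix; use `/**< Heap buffer owned by the context for the NV write; freed in Fapi_WriteAuthorizeNv_Finish cleanup */`. In Fapi_WriteAuthorizeNV.c the malloc in WRITE_AUTHORIZE_NV_WRITE_NV_RAM_PREPARE would leak the previous allocation if that state were ever re-entered, and `nvCmd->nv_buffer = NULL` is only set in WRITE_AUTHORIZE_NV_READ_NV, so the SAFE_FREE at cleanup relies on the context being zeroed for any other entry state — confirm, or initialise the field in the async entry point. Fapi_WriteAuthorizeNv_Finish continues outside the hunks.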


@ -0,0 +1,29 @@
From 4f0a1fa7055652a93fb49b4960b074d40656fb30 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Wed, 11 Dec 2024 12:30:40 +0100
Subject: [PATCH 14/22] FAPI: Fix misleading error message.
The error message "key not found" was misleading for the case when
a NV object was not found.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_keystore.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index 8d47b1e8..293df979 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1158,7 +1158,7 @@ keystore_search_obj(
statecase(keystore->key_search.state, KSEARCH_SEARCH_OBJECT)
/* Use the next object in the path list */
if (keystore->key_search.path_idx == 0) {
- goto_error(r, TSS2_FAPI_RC_PATH_NOT_FOUND, "Key not found.", cleanup);
+ goto_error(r, TSS2_FAPI_RC_PATH_NOT_FOUND, "Key or NV object not found.", cleanup);
}
keystore->key_search.path_idx -= 1;
path_idx = keystore->key_search.path_idx;
--
2.51.0
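Review bot: The reworded message still gives the user nothing to act on, because the path that was searched is not included; `goto_error` takes format arguments elsewhere in this tree (`"Invalid flag: %s"` in ifapi_helpers.c), so `goto_error(r, TSS2_FAPI_RC_PATH_NOT_FOUND, "Key or NV object not found: %s", cleanup, <searched-path-variable>);` would help, using whichever variable keystore_search_obj holds the requested path in, which is not visible here. keystore_search_obj continues outside the hunk.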


@ -0,0 +1,174 @@
From a76999637a7880124f84b02196f7fe17716b91a7 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 16 Dec 2024 22:35:20 +0100
Subject: [PATCH 15/22] FAPI: Fix file io if d_type of dirent is not supported.
It is not guaranteed that d-type of the structure dirent contains the
type of a file entry. It is possible that d_type has the value DT_UNKNOWN
or d_type is not supported at all.
To fix this problem, the functions is_regular_file and is_directory are
defined.
Fixes #2927
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_io.c | 101 +++++++++++++++++++++++++++++++++++++--
1 file changed, 98 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/ifapi_io.c b/src/tss2-fapi/ifapi_io.c
index 97ad7952..4f138a2e 100644
--- a/src/tss2-fapi/ifapi_io.c
+++ b/src/tss2-fapi/ifapi_io.c
@@ -31,6 +31,88 @@
#include "util/log.h"
#include "util/aux_util.h"
+/** Determine if a sub file in directory is also a directory
+ *
+ * @param[in] directory The directory containing the file
+ * @param[in] entry The dirent entry of the file.
+ * @param[out] isdir The flag whether file is a directory.
+ * @retval TSS2_RC_SUCCESS: if the function call was a success.
+ * @retval TSS2_FAPI_RC_IO_ERROR: if an I/O error was encountered; such as the file was not found.
+ * @retval TSS2_FAPI_RC_MEMORY: if memory could not be allocated to hold the read data.
+ */
+static TSS2_RC
+is_directory(const char* dir_name, struct dirent *entry, bool *isdir) {
+ TSS2_RC r;
+ char *path;
+
+#ifdef _DIRENT_HAVE_D_TYPE
+ if (entry->d_type == DT_DIR) {
+ *isdir = true;
+ return TSS2_RC_SUCCESS;
+ } else if (entry->d_type != DT_UNKNOWN) {
+ *isdir = false;
+ return TSS2_RC_SUCCESS;
+ }
+#endif
+ /* stat is used if d_type is not supported or unknown. */
+ struct stat file_stat;
+ r = ifapi_asprintf(&path, "%s/%s", dir_name, entry->d_name);
+ return_if_error(r, "Out of memory");
+
+ if (stat(path, &file_stat) == -1) {
+ free(path);
+ return_error(TSS2_FAPI_RC_IO_ERROR, "stat failed.");
+ }
+ if (S_ISDIR(file_stat.st_mode)) {
+ *isdir = true;
+ } else {
+ *isdir = false;
+ }
+ free(path);
+ return TSS2_RC_SUCCESS;
+}
+
+/** Determine if a sub file in directory is a regular file.
+ *
+ * @param[in] directory The directory containing the file
+ * @param[in] entry The dirent entry of the file.
+ * @param[out] isreg The flag whether file is a regular file.
+ * @retval TSS2_RC_SUCCESS: if the function call was a success.
+ * @retval TSS2_FAPI_RC_IO_ERROR: if an I/O error was encountered; such as the file was not found.
+ * @retval TSS2_FAPI_RC_MEMORY: if memory could not be allocated to hold the read data.
+ */
+static TSS2_RC
+is_regular_file(const char* dir_name, struct dirent *entry, bool *isreg) {
+ TSS2_RC r;
+ char *path;
+
+#ifdef _DIRENT_HAVE_D_TYPE
+ if (entry->d_type == DT_REG) {
+ *isreg = true;
+ return TSS2_RC_SUCCESS;
+ } else if (entry->d_type != DT_UNKNOWN){
+ *isreg = false;
+ return TSS2_RC_SUCCESS;
+ }
+#endif
+ /* stat is used if d_type is not supported or unknown. */
+ struct stat file_stat;
+ r = ifapi_asprintf(&path, "%s/%s", dir_name, entry->d_name);
+ return_if_error(r, "Out of memory");
+
+ if (stat(path, &file_stat) == -1) {
+ free(path);
+ return_error(TSS2_FAPI_RC_IO_ERROR, "stat failed.");
+ }
+ if (S_ISREG(file_stat.st_mode)) {
+ *isreg = true;
+ } else {
+ *isreg = false;
+ }
+ free(path);
+ return TSS2_RC_SUCCESS;
+}
+
/** Start reading a file's complete content into memory in an asynchronous way.
*
* @param[in,out] io The input/output context being used for file I/O.
@@ -392,6 +474,7 @@ ifapi_io_remove_directories(
TSS2_RC r;
char *path;
size_t len_kstore_path, len_dir_path, diff_len, pos;
+ bool is_dir;
LOG_TRACE("Removing directory: %s", dirname);
@@ -409,7 +492,10 @@ ifapi_io_remove_directories(
continue;
/* If an entry is a directory then we call ourself recursively to remove those */
- if (entry->d_type == DT_DIR) {
+ r = is_directory(dirname, entry, &is_dir);
+ goto_if_error(r, "directory check", error_cleanup);
+
+ if (is_dir) {
r = ifapi_asprintf(&path, "%s/%s", dirname, entry->d_name);
goto_if_error(r, "Out of memory", error_cleanup);
@@ -482,6 +568,8 @@ ifapi_io_dirfiles(
int numentries = 0;
struct dirent **namelist;
size_t numpaths = 0;
+ bool is_reg_file;
+ TSS2_RC r;
check_not_null(dirname);
check_not_null(files);
check_not_null(numfiles);
@@ -500,7 +588,10 @@ ifapi_io_dirfiles(
/* Iterating through the list of entries inside the directory. */
for (size_t i = 0; i < (size_t) numentries; i++) {
LOG_TRACE("Looking at %s", namelist[i]->d_name);
- if (namelist[i]->d_type != DT_REG)
+
+ r = is_regular_file(dirname, namelist[i], &is_reg_file);
+ if (r) goto error_oom;
+ if (!is_reg_file)
continue;
paths[numpaths] = strdup(namelist[i]->d_name);
@@ -551,6 +642,7 @@ dirfiles_all(const char *dir_name, NODE_OBJECT_T **list, size_t *n)
TSS2_RC r;
char *path;
NODE_OBJECT_T *second;
+ bool is_dir;
if (!(dir = opendir(dir_name))) {
return TSS2_RC_SUCCESS;
@@ -559,7 +651,10 @@ dirfiles_all(const char *dir_name, NODE_OBJECT_T **list, size_t *n)
/* Iterating through the list of entries inside the directory. */
while ((entry = readdir(dir)) != NULL) {
path = NULL;
- if (entry->d_type == DT_DIR) {
+ r = is_directory(dir_name, entry, &is_dir);
+ return_if_error(r, "directory check failed");
+
+ if (is_dir) {
/* Recursive call for sub directories */
if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
continue;
--
2.51.0
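Review bot: The `stat()` fallback in is_directory and is_regular_file follows symbolic links, whereas the d_type path reports a symlink as neither DT_DIR nor DT_REG, so the two code paths disagree on the same entry; for ifapi_io_remove_directories that means a symlink inside the keystore pointing at an outside directory is recursed into and its contents removed whenever d_type is unavailable or DT_UNKNOWN. Use `if (lstat(path, &file_stat) == -1) {` in both helpers so link targets are never followed. The Doxygen headers document a parameter `directory` that is actually named `dir_name`, and in ifapi_io_dirfiles `if (r) goto error_oom;` routes an I/O error through the out-of-memory label, which deserves its own label or at least a comment. Each caller's enclosing function continues outside its hunk.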


@ -0,0 +1,67 @@
From 2af808f554a815e20482d9405ff3f9f36539c428 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sat, 25 Jan 2025 12:25:20 +0100
Subject: [PATCH 16/22] SAPI: Allow state CMD_STAGE_SEND_COMMAND for
Tss2_Sys_GetCpBuffer.
The CP buffer should still be available before Tss2_ExecuteFinish is
called.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c | 2 +-
test/tpmclient/tpmclient.int.c | 18 +++++++++---------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c b/src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c
index d054ac45..7b227789 100644
--- a/src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c
+++ b/src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c
@@ -22,7 +22,7 @@ TSS2_RC Tss2_Sys_GetCpBuffer(
if (!ctx || !cpBufferUsedSize || !cpBuffer)
return TSS2_SYS_RC_BAD_REFERENCE;
- if (ctx->previousStage != CMD_STAGE_PREPARE)
+ if (ctx->previousStage != CMD_STAGE_PREPARE && ctx->previousStage != CMD_STAGE_SEND_COMMAND)
return TSS2_SYS_RC_BAD_SEQUENCE;
*cpBuffer = ctx->cpBuffer;
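Review bot: The widened stage check hands out a pointer into `ctx->cpBuffer` after the command has been sent, and nothing in this file states how long that pointer stays valid; the commit message implies it is invalidated once Tss2_Sys_ExecuteFinish runs, presumably because the response lands in the same buffer. A comment above the condition would make the contract explicit: `/* cpBuffer is readable after Prepare and after ExecuteAsync; it is no longer valid once ExecuteFinish has consumed the response. */`. If the public header documents the permitted stages for Tss2_Sys_GetCpBuffer, it is not in this patch's diffstat and should be updated in the same change.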
diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c
index 537050d2..25965d34 100644
--- a/test/tpmclient/tpmclient.int.c
+++ b/test/tpmclient/tpmclient.int.c
@@ -2101,14 +2101,7 @@ retry:
rval = Tss2_Sys_SetDecryptParam( sysContext, 10, (uint8_t *)4 );
CheckFailed( rval, TSS2_SYS_RC_BAD_SEQUENCE ); /* #12 */
- /*
- * NOTE: Stick test for BAD_SEQUENCE for GetCpBuffer here, just
- * because it's easier to do this way.
- */
- rval = Tss2_Sys_GetCpBuffer( sysContext, (size_t *)4, &cpBuffer );
- CheckFailed( rval, TSS2_SYS_RC_BAD_SEQUENCE ); /* #13 */
-
- /*
+ /*
* Now finish the write command so that TPM isn't stuck trying
* to send a response.
*/
@@ -2117,7 +2110,14 @@ retry:
LOG_INFO ("got TPM2_RC_RETRY, trying again");
goto retry;
}
- CheckPassed( rval ); /* #14 */
+ CheckPassed( rval ); /* #13 */
+
+ /*
+ * NOTE: Stick test for BAD_SEQUENCE for GetCpBuffer here, just
+ * because it's easier to do this way.
+ */
+ rval = Tss2_Sys_GetCpBuffer( sysContext, (size_t *)4, &cpBuffer );
+ CheckFailed( rval, TSS2_SYS_RC_BAD_SEQUENCE ); /* #14 */
/* Test GetEncryptParam for no encrypt param case. */
rval = Tss2_Sys_GetEncryptParam( sysContext, &encryptParamSize, &encryptParamBuffer );
--
2.51.0


@ -0,0 +1,65 @@
From 134aba7994e6a8d799d38cbe1090581f7a8d7903 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 17 Feb 2025 19:50:07 +0100
Subject: [PATCH 17/22] FAPI: Add missing EFI events.
Now all events which are implemented in the tpm2 tool command
tpm2_eventlog are implemented in FAPI.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/efi_event.h | 3 +++
src/tss2-fapi/ifapi_json_eventlog_serialize.c | 9 +++++++++
2 files changed, 12 insertions(+)
diff --git a/src/tss2-fapi/efi_event.h b/src/tss2-fapi/efi_event.h
index 7c6b9184..b602b06d 100644
--- a/src/tss2-fapi/efi_event.h
+++ b/src/tss2-fapi/efi_event.h
@@ -43,6 +43,9 @@
#define EV_EFI_ACTION EV_EFI_EVENT_BASE + 0x7
#define EV_EFI_PLATFORM_FIRMWARE_BLOB EV_EFI_EVENT_BASE + 0x8
#define EV_EFI_HANDOFF_TABLES EV_EFI_EVENT_BASE + 0x9
+#define EV_EFI_PLATFORM_FIRMWARE_BLOB2 EV_EFI_EVENT_BASE + 0xa
+#define EV_EFI_HANDOFF_TABLES2 EV_EFI_EVENT_BASE + 0xb
+#define EV_EFI_VARIABLE_BOOT2 EV_EFI_EVENT_BASE + 0xc
#define EV_EFI_HCRTM_EVENT EV_EFI_EVENT_BASE + 0x10
#define EV_EFI_VARIABLE_AUTHORITY EV_EFI_EVENT_BASE + 0xe0
diff --git a/src/tss2-fapi/ifapi_json_eventlog_serialize.c b/src/tss2-fapi/ifapi_json_eventlog_serialize.c
index c875568c..b4abeb19 100644
--- a/src/tss2-fapi/ifapi_json_eventlog_serialize.c
+++ b/src/tss2-fapi/ifapi_json_eventlog_serialize.c
@@ -124,6 +124,13 @@ char const *eventtype_to_string (UINT32 event_type) {
return "EV_EFI_HCRTM_EVENT";
case EV_EFI_VARIABLE_AUTHORITY:
return "EV_EFI_VARIABLE_AUTHORITY";
+ case EV_EFI_PLATFORM_FIRMWARE_BLOB2:
+ return "EV_EFI_PLATFORM_FIRMWARE_BLOB2";
+ case EV_EFI_HANDOFF_TABLES2:
+ return "EV_EFI_HANDOFF_TABLES2";
+ case EV_EFI_VARIABLE_BOOT2:
+ return "EV_EFI_VARIABLE_BOOT2";
+
default:
return "Unknown event type";
}
@@ -341,6 +348,7 @@ TSS2_RC ifapi_json_TCG_EVENT2_serialize(const TCG_EVENT2 *in, UINT32 event_type,
/* TCG PC Client FPF section 9.2.6 */
case EV_EFI_VARIABLE_DRIVER_CONFIG:
case EV_EFI_VARIABLE_BOOT:
+ case EV_EFI_VARIABLE_BOOT2:
case EV_EFI_VARIABLE_AUTHORITY:
{
#if (MAXLOGLEVEL != LOGL_NONE)
@@ -389,6 +397,7 @@ TSS2_RC ifapi_json_TCG_EVENT2_serialize(const TCG_EVENT2 *in, UINT32 event_type,
/* TCG PC Client FPF section 9.2.5 */
case EV_S_CRTM_CONTENTS:
case EV_EFI_PLATFORM_FIRMWARE_BLOB:
+ case EV_EFI_PLATFORM_FIRMWARE_BLOB2:
{
UEFI_PLATFORM_FIRMWARE_BLOB *data =
(UEFI_PLATFORM_FIRMWARE_BLOB*)in->Event;
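Review bot: Routing EV_EFI_PLATFORM_FIRMWARE_BLOB2 into the branch that casts `in->Event` to `UEFI_PLATFORM_FIRMWARE_BLOB*` looks wrong if this event follows the TCG PC Client Platform Firmware Profile layout, where the BLOB2 payload begins with a BlobDescriptionSize byte and a variable-length BlobDescription before BlobBase and BlobLength; with that layout the cast reads description bytes as the base address and length. BLOB2 needs its own parsing step that skips the description, bounds-checked against the event size, before the base/length fields are read. EV_EFI_HANDOFF_TABLES2 gets a name in eventtype_to_string but no serialize case in the visible hunks, so it presumably falls to the default branch; if that is intended, a comment saying so would help. ifapi_json_TCG_EVENT2_serialize extends beyond the hunk.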
--
2.51.0


@ -0,0 +1,46 @@
From 40e6166f5baea4369dd980dd9b62319e6cdac6eb Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Wed, 12 Feb 2025 14:27:24 +0100
Subject: [PATCH 18/22] FAPI: Add Intel ODCA Root Certificate.
This certificate will be needed for Intel TPM's where the
intermediate certificates are stored in NV ram.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/fapi_certificates.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/tss2-fapi/fapi_certificates.h b/src/tss2-fapi/fapi_certificates.h
index a59e46aa..37b3dbc9 100644
--- a/src/tss2-fapi/fapi_certificates.h
+++ b/src/tss2-fapi/fapi_certificates.h
@@ -592,6 +592,25 @@ static char * root_cert_list[] = {
"7r+i6q84W2nJdd+BoQQv4sk5GeuN2j2u4k1a8DkRPsVPc2I9QTtbzekchTK1GCXW\n"
"ki3DKGkZUEuaoaa60Kgw55Q5rt1eK7HKEG5npmR8aEod7BDLWy4CMTNAWR5iabCW\n"
"/KX28JbJL6Phau9j\n"
+ "-----END CERTIFICATE-----\n",
+
+ /* Intel ODCA Root Certificate */
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIICujCCAj6gAwIBAgIUPLLiHTrwySRtWxR4lxKLlu7MJ7wwDAYIKoZIzj0EAwMF\n"
+ "ADCBiTELMAkGA1UEBgwCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQHDAtTYW50YSBD\n"
+ "bGFyYTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xIzAhBgNVBAsMGk9uRGll\n"
+ "IENBIFJvb3QgQ2VydCBTaWduaW5nMRYwFAYDVQQDDA13d3cuaW50ZWwuY29tMB4X\n"
+ "DTE5MDQwMzAwMDAwMFoXDTQ5MTIzMTIzNTk1OVowgYkxCzAJBgNVBAYMAlVTMQsw\n"
+ "CQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExGjAYBgNVBAoMEUludGVs\n"
+ "IENvcnBvcmF0aW9uMSMwIQYDVQQLDBpPbkRpZSBDQSBSb290IENlcnQgU2lnbmlu\n"
+ "ZzEWMBQGA1UEAwwNd3d3LmludGVsLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IA\n"
+ "BK8SfB2UflvXZqb5Kc3+lokrABHWazvNER2axPURP64HILkXChPB0OEX5hLB7Okw\n"
+ "7Dy6oFqB5tQVDupgfvUX/SgYBEaDdG5rCVFrGAis6HX5TA2ewQmj14r2ncHBgnpp\n"
+ "B6NjMGEwHwYDVR0jBBgwFoAUtFjJ9uQIQKPyWMg5eG6ujgqNnDgwDwYDVR0TAQH/\n"
+ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLRYyfbkCECj8ljIOXhu\n"
+ "ro4KjZw4MAwGCCqGSM49BAMDBQADaAAwZQIxAP9B4lFF86uvpHmkcp61cWaU565a\n"
+ "yE3p7ezu9haLE/lPLh5hFQfmTi1nm/sG3JEXMQIwNpKfHoDmUTrUyezhhfv3GG+1\n"
+ "CqBXstmCYH40buj9jKW3pHWc71s9arEmPWli7I8U\n"
"-----END CERTIFICATE-----\n"
};
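Review bot: The new entry in `root_cert_list` is presumably used as a trust anchor when FAPI verifies EK certificate chains, but the comment `/* Intel ODCA Root Certificate */` gives a reviewer nothing to verify it against. Decoding the base64 suggests a subject of O=Intel Corporation, OU=OnDie CA Root Cert Signing, CN=www.intel.com, valid 2019-04-03 to 2049-12-31; please extend the comment with where the PEM was obtained and its fingerprint, e.g. `/* Intel ODCA Root Certificate — source: <URL the PEM was taken from>, SHA-256: <fingerprint computed from the PEM> */`, so the anchor can be re-checked without decoding it again. Any later edit to this list can then be compared against the recorded fingerprint.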
--
2.51.0


@ -0,0 +1,29 @@
From 5a69b211ed087e9b2e2eaa36d411cb54b2a3fd6c Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 2 Jun 2025 14:40:03 +0200
Subject: [PATCH 20/22] FAPI: Fix leak in Fapi_Sign
Fapi_Sign causes a memory leak when the optional public key output parameter
is not provided. Fixes: #2962
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_Sign.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/api/Fapi_Sign.c b/src/tss2-fapi/api/Fapi_Sign.c
index 52b3c9c6..2ec43172 100644
--- a/src/tss2-fapi/api/Fapi_Sign.c
+++ b/src/tss2-fapi/api/Fapi_Sign.c
@@ -296,7 +296,7 @@ Fapi_Sign_Finish(
/* Perform the signing operation using a helper. */
r = ifapi_key_sign(context, command->key_object,
command->padding, &command->digest, &command->tpm_signature,
- &command->publicKey,
+ publicKey ? &command->publicKey : NULL,
(certificate) ? &command->certificate : NULL);
return_try_again(r);
goto_if_error(r, "Fapi sign.", cleanup);
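Review bot: The conditional `publicKey ? &command->publicKey : NULL` carries the reason for the leak fix only implicitly; a short comment would stop a later cleanup from "simplifying" it back: `/* Only request the PEM public key when the caller wants it; an unrequested copy would have no owner to free it (issue #2962). */`. For consistency with the next argument the parenthesized form `(publicKey) ? &command->publicKey : NULL` could be used, but that is cosmetic. Fapi_Sign_Finish continues outside the hunk.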
--
2.51.0


@ -0,0 +1,40 @@
From 00d96269ac8797317f07b8e362c59f315ccb70b0 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 29 Jul 2025 07:28:20 +0200
Subject: [PATCH 21/22] FAPI: Fix instantiation of policyduplication select.
The instantiation of the policy did only work when a object path was used
in the policy definition. Now also the object name or the public data
of the object can be used.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_policy_instantiate.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/tss2-fapi/ifapi_policy_instantiate.c b/src/tss2-fapi/ifapi_policy_instantiate.c
index 014d4166..f6ada249 100644
--- a/src/tss2-fapi/ifapi_policy_instantiate.c
+++ b/src/tss2-fapi/ifapi_policy_instantiate.c
@@ -333,9 +333,18 @@ ifapi_policyeval_instantiate_finish(
break;
case POLICYDUPLICATIONSELECT:
+ if (pol_element->element.PolicyDuplicationSelect.newParentName.size) {
+ break;
+ }
if (pol_element->element.PolicyDuplicationSelect.newParentPublic.type) {
/* public data is already set in policy. Path will not be needed. */
SAFE_FREE(pol_element->element.PolicyDuplicationSelect.newParentPath);
+ r = ifapi_get_name(
+ &pol_element->element.PolicyDuplicationSelect.newParentPublic,
+ &pol_element->element.PolicyDuplicationSelect.newParentName);
+ return_if_error(r, "Compute object name");
+
+ pol_element->element.PolicyDuplicationSelect.newParentPublic.type = 0;
break;
}
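Review bot: The new `newParentPublic.type = 0;` after `ifapi_get_name` silently discards the public data once the name has been derived, and a reader cannot tell whether that marks the public key as consumed or whether later code still needs it; a why-comment is needed, e.g. `/* The name now identifies the new parent; clear type so the public data is not processed a second time — TODO confirm nothing downstream reads it */`. The early `break` when `newParentName.size` is set also deserves one line, `/* Name given directly in the policy: nothing to instantiate. */`. `return_if_error` leaves ifapi_policyeval_instantiate_finish directly; whether the rest of the function expects a cleanup path instead is not visible, as the function starts and ends outside the hunk.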
--
2.51.0


@ -0,0 +1,41 @@
From 876ea76879d60e03920e0a8d47b76d13ee82ea2f Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 22 Aug 2025 15:36:02 +0200
Subject: [PATCH 22/22] FAPI: Fix nv object authorization for policy authorize
nv.
The cleanup function for the nv object to be authorized was called before
authorization, and the wrong object was used for authorization.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_policy_callbacks.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/tss2-fapi/ifapi_policy_callbacks.c b/src/tss2-fapi/ifapi_policy_callbacks.c
index 9c52088d..99748176 100644
--- a/src/tss2-fapi/ifapi_policy_callbacks.c
+++ b/src/tss2-fapi/ifapi_policy_callbacks.c
@@ -1570,7 +1570,6 @@ ifapi_exec_auth_nv_policy(
goto_if_error(r, "Initialize NV object", cleanup);
current_policy->nv_index = cb_ctx->object.public.handle;
- ifapi_cleanup_ifapi_object(&cb_ctx->object);
get_nv_auth_object(&cb_ctx->object,
current_policy->nv_index,
&current_policy->auth_objectNV,
@@ -1579,8 +1578,10 @@ ifapi_exec_auth_nv_policy(
statecase(cb_ctx->cb_state, POL_CB_AUTHORIZE_OBJECT)
/* Authorize the NV object with the corresponding auth object. */
- r = ifapi_authorize_object(fapi_ctx, &cb_ctx->auth_object, &cb_ctx->session);
+ r = ifapi_authorize_object(fapi_ctx, &current_policy->auth_objectNV, &cb_ctx->session);
return_try_again(r);
+
+ ifapi_cleanup_ifapi_object(&cb_ctx->object);
goto_if_error(r, "Authorize object.", cleanup);
/* Prepare the reading of the NV index from TPM. */
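Review bot: `ifapi_cleanup_ifapi_object(&cb_ctx->object)` now sits between `return_try_again(r)` and `goto_if_error(...)`, so on an authorization failure the object is released here and then the `cleanup` label runs; if that label also cleans `cb_ctx->object` (it is outside the hunk), the second call has to be safe on an already-cleaned object. The reason for moving the cleanup past authorization (the call removed in the first hunk, just after `current_policy->nv_index = ...`) is presumably that `get_nv_auth_object` derives `auth_objectNV` from `cb_ctx->object`; say so at the new call site: `/* cb_ctx->object must stay intact until the NV auth object derived from it has been used for authorization. */`. Placing the cleanup after `goto_if_error` would keep the failure path symmetric with the rest of the state machine, provided `cleanup` releases the object on error. ifapi_exec_auth_nv_policy extends beyond both hunks.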
--
2.51.0


@ -5,7 +5,7 @@
Name: tpm2-tss
Version: 4.1.3
Release: 5%{?candidate:.%{candidate}}%{?dist}
Release: 6%{?candidate:.%{candidate}}%{?dist}
Summary: TPM2.0 Software Stack
# The entire source code is under BSD except implementation.h and tpmb.h which
@ -17,15 +17,35 @@ Source1: tpm2-tss-systemd-sysusers.conf
# doxygen crash
Patch0: tpm2-tss-3.0.0-doxygen.patch
Patch1: 0001-Remove-OpenSSL-engine-API-dependency.patch
Patch101: 0001-ESYS-FAPI-Fix-order-of-calloc-parameters.patch
Patch102: 0002-FAPI-Add-check-whether-auth-values-exist-for-hierarc.patch
Patch103: 0003-FAPI-Improve-the-error-message-for-self-signed-EK-ce.patch
Patch104: 0004-TCTI-Fix-leak-produced-in-Tss2_TctiLdr_Initialize_Ex.patch
Patch105: 0005-FAPI-Fix-usage-of-external-PEM-keys-for-PolicyAuthor.patch
Patch106: 0006-FAPI-Fix-wrong-format-directive-in-ifap_set_auth.patch
Patch107: 0007-fapi-fix-PolicyTemplate-policyDigest-calculation.patch
Patch108: 0008-FAPI-Fix-unnecessary-writes-to-keystore.patch
Patch109: 0009-FAPI-Fix-segfault-if-json-field-is-null.patch
Patch110: 0010-FAPI-Fix-Fapi_ChangeAuth-for-keys.patch
Patch111: 0011-tcti-msim-Fix-call-of-socket_xmit_buf-in-send_sim_se.patch
Patch112: 0012-FAPI-Fix-missing-scanf-checks.patch
Patch113: 0013-FAPI-Fix-Local-variable-address-stored-in-non-local-.patch
Patch114: 0014-FAPI-Fix-misleading-error-message.patch
Patch115: 0015-FAPI-Fix-file-io-if-d_type-of-dirent-is-not-supporte.patch
Patch116: 0016-SAPI-Allow-state-CMD_STAGE_SEND_COMMAND-for-Tss2_Sys.patch
Patch117: 0017-FAPI-Add-missing-EFI-events.patch
Patch118: 0018-FAPI-Add-Intel-ODCA-Root-Certificate.patch
Patch120: 0020-FAPI-Fix-leak-in-Fapi_Sign.patch
Patch121: 0021-FAPI-Fix-instantiation-of-policyduplication-select.patch
Patch122: 0022-FAPI-Fix-nv-object-authorization-for-policy-authoriz.patch
%global udevrules_prefix 60-
%if %{with rc}
BuildRequires: autoconf
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: libtool
%endif
BuildRequires: make
BuildRequires: doxygen
BuildRequires: gcc
@ -155,6 +175,10 @@ use tpm2-tss.
%changelog
* Fri Sep 5 2025 Štěpán Horáček <shoracek@redhat.com> - 4.1.3-6
- Backport upstream fixes
Resolves: RHEL-94936
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 4.1.3-5
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
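Review bot: The patch list jumps from Patch118 to Patch120 with no Patch119, and the changelog entry only says "Backport upstream fixes", so a reader cannot tell whether upstream patch 19 was dropped deliberately. A one-line comment next to Patch120 such as `# 0019 intentionally not backported: <reason>` would record the decision. Whether the gap matters for %prep depends on how the patches are applied, which is outside the visible hunks.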