rpms/tpm2-tss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to 3.2.3

Browse Source 
Resolves: RHEL-23206

Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
This commit is contained in:
Štěpán Horáček 2024-05-30 11:04:14 +02:00
parent fda97b14b5
commit e6c5fa659a
12 changed files with 7 additions and 608 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
View File

@ -1,65 +0,0 @@
From eb2fd8b436688377a20d24a467fd03e62d3e6c06 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Tue, 24 Jan 2023 10:01:23 -0600
Subject: [PATCH 01/10] tss2-rc: fix unknown layer handler dropping bits
The commit (on 4.0.1 and master):
- 49107d65d5c7 tss2_rc: ensure layer number is in bounds
Introduces a bug where the right shift by 8 drops the lower byte going
into the unknown_layer handler function. This will effectively drop rc
error bits for unknown layers. The largest impact will be on windows
where their resource manager is not a registered handler.
Fix this by just dumping all the bytes and not get fancy with masking
things out.
Fixes: #2550
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-rc/tss2_rc.c | 4 ++--
test/unit/test_tss2_rc.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
index 7e668a46..6de7d6f3 100644
--- a/src/tss2-rc/tss2_rc.c
+++ b/src/tss2-rc/tss2_rc.c
@@ -985,9 +985,9 @@ Tss2_RC_Decode(TSS2_RC rc)
} else {
/*
* we don't want to drop any bits if we don't know what to do with it
- * so drop the layer byte since we we already have that.
+ * so just send the whole thing.
*/
- const char *e = unknown_layer_handler(rc >> 8);
+ const char *e = unknown_layer_handler(rc);
assert(e);
catbuf(buf, "%s", e);
}
diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
index 0b0f57c6..e5051c85 100644
--- a/test/unit/test_tss2_rc.c
+++ b/test/unit/test_tss2_rc.c
@@ -199,7 +199,7 @@ test_custom_handler(void **state)
* Test an unknown layer
*/
e = Tss2_RC_Decode(rc);
- assert_string_equal(e, "1:0x100");
+ assert_string_equal(e, "1:0x1002A");
}
static void
@@ -288,7 +288,7 @@ test_all_FFs(void **state)
(void) state;
const char *e = Tss2_RC_Decode(0xFFFFFFFF);
- assert_string_equal(e, "255:0xFFFFFF");
+ assert_string_equal(e, "255:0xFFFFFFFF");
}
static void
--
2.41.0

65
0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
View File

@ -1,65 +0,0 @@
From 6e4f8823ca6f7f062df3cd4ee88e397fac9adc37 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Thu, 9 Feb 2023 15:22:08 +0100
Subject: [PATCH 02/10] MU: Fix unneeded size check in TPM2B unmarshaling
There is a size check for the destination object whether the size is zero.
If the memory of the destination object is no cleared this might cause
a race conditions.
Unneeded tests from the integration test tpmclient were removed.
Fixes: #2564
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-mu/tpm2b-types.c | 6 +-----
test/tpmclient/tpmclient.int.c | 9 ---------
2 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
index 2e10f487..6e8915f6 100644
--- a/src/tss2-mu/tpm2b-types.c
+++ b/src/tss2-mu/tpm2b-types.c
@@ -248,11 +248,7 @@ TSS2_RC Tss2_MU_##type##_Unmarshal(uint8_t const buffer[], size_t buffer_size, \
sizeof(size)); \
return TSS2_MU_RC_INSUFFICIENT_BUFFER; \
} \
- if (dest && dest->size != 0) { \
- LOG_WARNING("Size not zero"); \
- return TSS2_SYS_RC_BAD_VALUE; \
- } \
-\
+ \
rc = Tss2_MU_UINT16_Unmarshal(buffer, buffer_size, &local_offset, &size); \
if (rc) \
return rc; \
diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c
index deedcfb7..16443955 100644
--- a/test/tpmclient/tpmclient.int.c
+++ b/test/tpmclient/tpmclient.int.c
@@ -847,12 +847,6 @@ static void TestHierarchyControl()
rval = Tss2_Sys_NV_DefineSpace( sysContext, TPM2_RH_PLATFORM, &sessionsData, &nvAuth, &publicInfo, 0 );
CheckPassed( rval );
- /* Test SYS for case where nvPublic.size != 0 */
- nvPublic.size = 0xff;
- INIT_SIMPLE_TPM2B_SIZE( nvName );
- rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
-
nvPublic.size = 0;
INIT_SIMPLE_TPM2B_SIZE( nvName );
rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
@@ -2135,10 +2129,7 @@ static void EcEphemeralTest()
LOG_INFO("EC Ephemeral TESTS:" );
- /* Test SYS for case of Q size field not being set to 0. */
INIT_SIMPLE_TPM2B_SIZE( Q );
- rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
Q.size = 0;
rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
--
2.41.0

78
0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
View File

@ -1,78 +0,0 @@
From d486edf730d652c8ab2fc50eb00e45223b43628f Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 14 Feb 2023 19:52:28 +0100
Subject: [PATCH 03/10] FAPI: Fix parameter encryption for provisioning
Currently no parameter encryption was made during provisioning.
Now the EK es used as tpmkey for the create primary session of
the SRK and the SRK is used for parameter encryption of the
other command executed during provisioning.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_Provision.c | 6 ++++--
src/tss2-fapi/fapi_int.h | 7 ++++---
src/tss2-fapi/fapi_util.c | 5 ++++-
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index 97c25828..48f2fd3b 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -884,7 +884,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
statecase(context->state, PROVISION_INIT_SRK);
/* Create session which will be used for SRK generation. */
context->srk_handle = context->ek_handle;
- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
@@ -1084,7 +1085,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
try_again_or_error_goto(r, "Cleanup", error_cleanup);
/* Create session which will be used for parameter encryption. */
- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 5f666a75..8533112a 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -55,9 +55,10 @@ typedef UINT32 TSS2_KEY_TYPE;
#define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF
typedef UINT8 IFAPI_SESSION_TYPE;
-#define IFAPI_SESSION_GENEK 0x01
-#define IFAPI_SESSION1 0x02
-#define IFAPI_SESSION2 0x04
+#define IFAPI_SESSION_GENEK 0x01
+#define IFAPI_SESSION1 0x02
+#define IFAPI_SESSION2 0x04
+#define IFAPI_SESSION_USE_SRK 0x08
#define IFAPI_POLICY_PATH "policy"
#define IFAPI_NV_PATH "nv"
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 44dd4168..ded0d247 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -1327,7 +1327,10 @@ ifapi_get_sessions_async(FAPI_CONTEXT *context,
context->session2_attribute_flags = attribute_flags2;
char *file = NULL;
- if (!(session_flags & IFAPI_SESSION_GENEK)) {
+ if (session_flags & IFAPI_SESSION_USE_SRK) {
+ context->session_state = SESSION_CREATE_SESSION;
+ return TSS2_RC_SUCCESS;
+ } else if (!(session_flags & IFAPI_SESSION_GENEK)) {
context->srk_handle = ESYS_TR_NONE;
context->session_state = SESSION_CREATE_SESSION;
return TSS2_RC_SUCCESS;
--
2.41.0

101
0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
View File

@ -1,101 +0,0 @@
From 6bb79f17b89592909830f872dc47d09c0e5dadda Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 3 Mar 2023 11:17:43 +0100
Subject: [PATCH 04/10] FAPI: Fix missing parameter encryption for policy
sessions.
The parameter encryption for policy sessions was not enabled.
Now the parameter encryption is enabled and the auth value of
objects is added to the session key.
One exception is the cp hash policy. In this case the
the cp hash check forced by this policy would fail with an
encrypted parameter.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/fapi_util.c | 28 ++++++++++++------------
src/tss2-fapi/ifapi_policy_execute.c | 5 +++++
src/tss2-fapi/ifapi_policyutil_execute.c | 4 ++++
3 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index ded0d247..55ce3327 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -2110,21 +2110,20 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
statecase(object->authorization_state, AUTH_INIT)
LOG_TRACE("**STATE** AUTH_INIT");
- if (!policy_digest_size(object)) {
- /* No policy used authorization callbacks have to be called if necessary. */
- if (object_with_auth(object)) {
- /* Check whether hierarchy was already authorized. */
- if (object->objectType != IFAPI_HIERARCHY_OBJ ||
- !object->misc.hierarchy.authorized) {
- char *description = NULL;
- r = ifapi_get_description(object, &description);
- return_if_error(r, "Get description");
-
- r = ifapi_set_auth(context, object, description);
- SAFE_FREE(description);
- return_if_error(r, "Set auth value");
- }
+ if (object_with_auth(object)) {
+ /* Check whether hierarchy was already authorized. */
+ if (object->objectType != IFAPI_HIERARCHY_OBJ ||
+ !object->misc.hierarchy.authorized) {
+ char *description = NULL;
+ r = ifapi_get_description(object, &description);
+ return_if_error(r, "Get description");
+
+ r = ifapi_set_auth(context, object, description);
+ SAFE_FREE(description);
+ return_if_error(r, "Set auth value");
}
+ }
+ if (!policy_digest_size(object)) {
/* No policy session needed current fapi session can be used */
if (context->session1 && context->session1 != ESYS_TR_NONE)
*session = context->session1;
@@ -2133,6 +2132,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
*session = ESYS_TR_PASSWORD;
break;
}
+
/* Save current object to be authorized in context. */
context->current_auth_object = object;
r = ifapi_policyutil_execute_prepare(context, get_name_alg(context, object),
diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
index c2ce3301..0e7de316 100644
--- a/src/tss2-fapi/ifapi_policy_execute.c
+++ b/src/tss2-fapi/ifapi_policy_execute.c
@@ -1245,6 +1245,11 @@ execute_policy_cp_hash(
r = Esys_PolicyCpHash_Finish(esys_ctx);
try_again_or_error(r, "Execute PolicyCpHash_Finish.");
+ /* Disable encryption to enable check of cp hash defined in
+ policy cp. */
+ r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session,
+ 0, 0xff);
+
current_policy->state = POLICY_EXECUTE_INIT;
return r;
diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c
index 997fb504..0e2823cb 100644
--- a/src/tss2-fapi/ifapi_policyutil_execute.c
+++ b/src/tss2-fapi/ifapi_policyutil_execute.c
@@ -119,6 +119,10 @@ create_session(
r = Esys_StartAuthSession_Finish(context->esys, session);
if (r != TSS2_RC_SUCCESS)
return r;
+
+ r = Esys_TRSess_SetAttributes(context->esys, *session,
+ TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT,
+ 0xff);
context->policy.create_session_state = CREATE_SESSION_INIT;
break;
--
2.41.0

59
0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
View File

@ -1,59 +0,0 @@
From c7cd976e7152e3f5aaa813aaebf4ab1e5d9b1f3e Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sun, 5 Mar 2023 19:19:22 +0100
Subject: [PATCH 05/10] FAPI: Fix missing parameter encryption for some HMAC
sessions.
* For Fapi_CreateNv and Fap_NvSetBits the parameter encryption was not enabled.
* For Fapi_Unseal the response description was not enabled.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_CreateNv.c | 2 +-
src/tss2-fapi/api/Fapi_NvSetBits.c | 2 +-
src/tss2-fapi/fapi_util.c | 3 ++-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_CreateNv.c b/src/tss2-fapi/api/Fapi_CreateNv.c
index 45e72e33..8160b99d 100644
--- a/src/tss2-fapi/api/Fapi_CreateNv.c
+++ b/src/tss2-fapi/api/Fapi_CreateNv.c
@@ -399,7 +399,7 @@ Fapi_CreateNv_Finish(
context->primary_state = PRIMARY_INIT;
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
- 0, 0);
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
diff --git a/src/tss2-fapi/api/Fapi_NvSetBits.c b/src/tss2-fapi/api/Fapi_NvSetBits.c
index 0615aa12..adf332e0 100644
--- a/src/tss2-fapi/api/Fapi_NvSetBits.c
+++ b/src/tss2-fapi/api/Fapi_NvSetBits.c
@@ -282,7 +282,7 @@ Fapi_NvSetBits_Finish(
/* Prepare session for authorization */
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
- 0, 0);
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 55ce3327..ef4a92d0 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -2743,7 +2743,8 @@ ifapi_load_key(
/* Prepare the session creation. */
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
- TPMA_SESSION_DECRYPT, 0);
+ TPMA_SESSION_DECRYPT | TPMA_SESSION_ENCRYPT,
+ 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
--
2.41.0

61
0006-FAPI-Fix-usage-of-persistent-handles.patch
View File

@ -1,61 +0,0 @@
From db8ccb1df778dc92d1be88a88ddcd9d6c92c3e63 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 3 Apr 2023 21:21:55 +0200
Subject: [PATCH 06/10] FAPI: Fix usage of persistent handles.
* Evict control for persistent keys created with Fapi_CreateKey was
called with the wrong handle.
* If Fapi_Quote was executed with a primary key for this key flush
context was called.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_Quote.c | 14 +++++++++-----
src/tss2-fapi/fapi_util.c | 1 +
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Quote.c b/src/tss2-fapi/api/Fapi_Quote.c
index b71267a7..61e4e3db 100644
--- a/src/tss2-fapi/api/Fapi_Quote.c
+++ b/src/tss2-fapi/api/Fapi_Quote.c
@@ -392,16 +392,20 @@ Fapi_Quote_Finish(
goto_if_error(r, "Error: PCR_Quote", error_cleanup);
/* Flush the key used for the quote. */
- r = Esys_FlushContext_Async(context->esys, command->handle);
- goto_if_error(r, "Error: FlushContext", error_cleanup);
+ if (!command->key_object->misc.key.persistent_handle) {
+ r = Esys_FlushContext_Async(context->esys, command->handle);
+ goto_if_error(r, "Error: FlushContext", error_cleanup);
+ }
command->handle = ESYS_TR_NONE;
fallthrough;
statecase(context->state, PCR_QUOTE_WAIT_FOR_FLUSH);
- r = Esys_FlushContext_Finish(context->esys);
- return_try_again(r);
- goto_if_error(r, "Error: Sign", error_cleanup);
+ if (!command->key_object->misc.key.persistent_handle) {
+ r = Esys_FlushContext_Finish(context->esys);
+ return_try_again(r);
+ goto_if_error(r, "Error: Sign", error_cleanup);
+ }
sig_key_object = command->key_object;
/* Convert the TPM-encoded signature into something useful for the caller. */
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index ef4a92d0..49f7dd07 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -4746,6 +4746,7 @@ ifapi_create_primary(
statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WAIT_FOR_AUTHORIZE2);
if (template->persistent_handle) {
+ object->misc.key.persistent_handle = template->persistent_handle;
r = ifapi_authorize_object(context, hierarchy, &auth_session);
FAPI_SYNC(r, "Authorize hierarchy.", error_cleanup);
--
2.41.0

62
0007-build-Fix-failed-build-with-disable-vendor.patch
View File

@ -1,62 +0,0 @@
From e46840f3ec5932f3f9206f3eab903d82b7a977db Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 27 Feb 2023 18:00:54 +0100
Subject: [PATCH 07/10] build: Fix failed build with --disable-vendor
The compilation of the marshaling functions for TPML_INTEL_PTT_PROPERTY
is now disabled for builds with --disable-vendor.
Fixes: #2571
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
include/tss2/tss2_tpm2_types.h | 2 ++
src/tss2-mu/tpml-types.c | 2 ++
tss2-dlopen/tss2-dlopen-mu.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/include/tss2/tss2_tpm2_types.h b/include/tss2/tss2_tpm2_types.h
index 96286fb7..39a6978c 100644
--- a/include/tss2/tss2_tpm2_types.h
+++ b/include/tss2/tss2_tpm2_types.h
@@ -63,7 +63,9 @@
#define TPM2_PRIVATE_VENDOR_SPECIFIC_BYTES ((TPM2_MAX_RSA_KEY_BYTES / 2) * (3 + 2))
/* Vendor Specific Defines */
+#ifndef DISABLE_VENDOR
#define TPM2_MAX_PTT_PROPERTIES (TPM2_MAX_CAP_BUFFER / sizeof(UINT32))
+#endif
/* Attached Component Capabilities */
#define TPM2_MAX_AC_CAPABILITIES (TPM2_MAX_CAP_BUFFER / sizeof(TPMS_AC_OUTPUT))
diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c
index 60f85a8c..1df9bbb8 100644
--- a/src/tss2-mu/tpml-types.c
+++ b/src/tss2-mu/tpml-types.c
@@ -175,8 +175,10 @@ TPML_MARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Marshal, pcrSelectio
TPML_UNMARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Unmarshal, pcrSelections)
TPML_MARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Marshal, digests, ADDR)
TPML_UNMARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Unmarshal, digests)
+#ifndef DISABLE_VENDOR
TPML_MARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Marshal, property, VAL)
TPML_UNMARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Unmarshal, property)
+#endif
TPML_MARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Marshal, acCapabilities, ADDR)
TPML_UNMARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Unmarshal, acCapabilities)
TPML_MARSHAL(TPML_TAGGED_POLICY, Tss2_MU_TPMS_TAGGED_POLICY_Marshal, policies, ADDR)
diff --git a/tss2-dlopen/tss2-dlopen-mu.c b/tss2-dlopen/tss2-dlopen-mu.c
index 2297818b..21cd1123 100644
--- a/tss2-dlopen/tss2-dlopen-mu.c
+++ b/tss2-dlopen/tss2-dlopen-mu.c
@@ -254,7 +254,9 @@ MAKE_MU_STRUCT(TPML_ALG_PROPERTY);
MAKE_MU_STRUCT(TPML_ECC_CURVE);
MAKE_MU_STRUCT(TPML_TAGGED_PCR_PROPERTY);
MAKE_MU_STRUCT(TPML_TAGGED_TPM_PROPERTY);
+#ifndef DISABLE_VENDOR
MAKE_MU_STRUCT(TPML_INTEL_PTT_PROPERTY);
+#endif
MAKE_MU_STRUCT(TPML_AC_CAPABILITIES);
MAKE_MU_STRUCT(TPML_TAGGED_POLICY);
MAKE_MU_STRUCT(TPML_ACT_DATA);
--
2.41.0

35
0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
View File

@ -1,35 +0,0 @@
From acb274ee0c59d6159b66e2df08aaf410e179f5f9 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 10 Apr 2023 20:20:24 +0200
Subject: [PATCH 08/10] FAPI: Fapi_GetInfo display warning for SHA3 hash algs.
Currenlty FAPI_GetInfo did produce errors if the TPM implements
SHA3 hash algs. Now a warning is displayed.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/tpm_json_serialize.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c
index 1eaa4eb2..65320da6 100644
--- a/src/tss2-fapi/tpm_json_serialize.c
+++ b/src/tss2-fapi/tpm_json_serialize.c
@@ -1558,6 +1558,14 @@ ifapi_json_TPMS_ALG_PROPERTY_serialize(const TPMS_ALG_PROPERTY *in, json_object
return_if_null(in, "Bad reference.", TSS2_FAPI_RC_BAD_REFERENCE);
TSS2_RC r;
+
+ if ((in->alg == TPM2_ALG_SHA3_256 ||
+ in->alg == TPM2_ALG_SHA3_384 ||
+ in->alg == TPM2_ALG_SHA3_512)) {
+ LOG_WARNING("SHA3 hash algs are not supported by TSS");
+ return TSS2_RC_SUCCESS;
+ }
+
json_object *jso2;
if (*jso == NULL)
*jso = json_object_new_object ();
--
2.41.0

39
0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
View File

@ -1,39 +0,0 @@
From e43323dd5c089ed6af0a6a77b30f97350e1fbb6a Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sun, 9 Apr 2023 08:38:56 +0200
Subject: [PATCH 09/10] FAPI: Skip provisioning test for nv ext and profile
paths.
The provisioning test in ifapi_check_provisioned will be skipped
for ext nv and profile paths. The test did produce inappropriate
error messages if the corresponding paths did not exist in keystore.
The test is only needed for pathnames starting with the profile.
Fixes: #2596
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_keystore.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index 7e50ee1e..38c2f7fd 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1772,6 +1772,14 @@ ifapi_check_provisioned(
*ok = false;
+ /* No profile in path, test can be skipped. */
+ if (ifapi_path_type_p(rel_path, IFAPI_NV_PATH) ||
+ ifapi_path_type_p(rel_path, IFAPI_POLICY_PATH) ||
+ ifapi_path_type_p(rel_path, IFAPI_EXT_PATH)) {
+ *ok = true;
+ return TSS2_RC_SUCCESS;
+ }
+
/* First expand path in user directory */
r = expand_path(keystore, rel_path, &directory);
goto_if_error(r, "Expand path", cleanup);
--
2.41.0

30
0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
View File

@ -1,30 +0,0 @@
From 12519626a221f0e4c20e66ec101429fc0f321c6f Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 12 May 2023 09:30:53 +0200
Subject: [PATCH 10/10] FAPI: Fix wrong allocation of pcr policy.
The list of pcr registers was was allocated with the wrong size in the
function copy_policy_element which caused a segfault if more than one
pcr was used.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_helpers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c
index e1c4220b..5c574717 100644
--- a/src/tss2-fapi/ifapi_helpers.c
+++ b/src/tss2-fapi/ifapi_helpers.c
@@ -1343,7 +1343,7 @@ copy_policy_element(const TPMT_POLICYELEMENT *from_policy, TPMT_POLICYELEMENT *t
case POLICYPCR:
to_policy->element.PolicyPCR.pcrs =
calloc(1, sizeof(TPML_PCRVALUES) +
- from_policy->element.PolicyPCR.pcrs->count + sizeof(TPMS_PCRVALUE));
+ from_policy->element.PolicyPCR.pcrs->count * sizeof(TPMS_PCRVALUE));
goto_if_null2(to_policy->element.PolicyPCR.pcrs, "Out of memory.",
r, TSS2_FAPI_RC_MEMORY, error);
to_policy->element.PolicyPCR.pcrs->count
--
2.41.0

2
sources
View File

@ -1 +1 @@
SHA512 (tpm2-tss-3.2.2.tar.gz) = efa71d04de907f74cf0e451a55124cb6fa804fddc2530ecc728a76030e0ae1e8597048c81cd4316397318f273e95754cf85745fc49966208b60babd398989aa6
SHA512 (tpm2-tss-3.2.3.tar.gz) = 0a06f07718a1a9622bbd35f960c9d71dc54267c477fa67f885e358a95716b475eedc83559952058ac4140df4cf8516e0154c0e017086e6b8a7dce26735c87acf

18
tpm2-tss.spec
View File

@ -1,6 +1,6 @@
Name: tpm2-tss
Version: 3.2.2
Release: 2%{?dist}
Version: 3.2.3
Release: 1%{?dist}
Summary: TPM2.0 Software Stack
License: BSD
@ -10,16 +10,6 @@ Source1: tpm2-tss-systemd-sysusers.conf
# doxygen patch
Patch0: tpm2-tss-3.0.0-doxygen.patch
Patch2: 0001-esys_iutil-fix-possible-NPD.patch
Patch3: 0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
Patch4: 0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
Patch5: 0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
Patch6: 0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
Patch7: 0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
Patch8: 0006-FAPI-Fix-usage-of-persistent-handles.patch
Patch11: 0007-build-Fix-failed-build-with-disable-vendor.patch
Patch12: 0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
Patch13: 0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
Patch14: 0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
%global udevrules_prefix 60-
@ -125,6 +115,10 @@ use tpm2-tss.
%changelog
* Thu May 30 2024 Štěpán Horáček <shoracek@redhat.com> - 3.2.3-1
- Rebase to 3.2.3
Resolves: RHEL-23206
* Mon Jul 3 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-2
- Remove misapplied license
Resolves: rhbz#2160307