From f3e2c2f68721edde449911ac8b8653010911c6b6 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 12 Nov 2024 10:56:18 +0000
Subject: [PATCH] import UBI tpm2-tss-3.2.3-1.el9

---
 .gitignore | 2 +-
 .tpm2-tss.metadata | 2 +-
 ...-unknown-layer-handler-dropping-bits.patch | 65 ----------
 ...ded-size-check-in-TPM2B-unmarshaling.patch | 65 ----------
 ...arameter-encryption-for-provisioning.patch | 78 --------------
 ...-parameter-encryption-for-policy-ses.patch | 101 ------------------
 ...-parameter-encryption-for-some-HMAC-.patch | 59 ---------
 ...FAPI-Fix-usage-of-persistent-handles.patch | 61 ----------
 ...Fix-failed-build-with-disable-vendor.patch | 62 ----------
 ...o-display-warning-for-SHA3-hash-algs.patch | 35 ------
 ...ioning-test-for-nv-ext-and-profile-p.patch | 39 -------
 ...I-Fix-wrong-allocation-of-pcr-policy.patch | 30 ------
 SPECS/tpm2-tss.spec | 18 ++--
 13 files changed, 8 insertions(+), 609 deletions(-)
 delete mode 100644 SOURCES/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
 delete mode 100644 SOURCES/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
 delete mode 100644 SOURCES/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
 delete mode 100644 SOURCES/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
 delete mode 100644 SOURCES/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
 delete mode 100644 SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch
 delete mode 100644 SOURCES/0007-build-Fix-failed-build-with-disable-vendor.patch
 delete mode 100644 SOURCES/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
 delete mode 100644 SOURCES/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
 delete mode 100644 SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch

diff --git a/.gitignore b/.gitignore
index e2bb401..a97f57a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/tpm2-tss-3.2.2.tar.gz
+SOURCES/tpm2-tss-3.2.3.tar.gz
diff --git a/.tpm2-tss.metadata b/.tpm2-tss.metadata
index 8e53ba5..c3672bb 100644
--- a/.tpm2-tss.metadata
+++ b/.tpm2-tss.metadata
@@ -1 +1 @@
-6ebd166443d782e270b3f408e1489284e30dd608 SOURCES/tpm2-tss-3.2.2.tar.gz
+79248e4597db1424d981c93af278bb7d141c6a12 SOURCES/tpm2-tss-3.2.3.tar.gz
diff --git a/SOURCES/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch b/SOURCES/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
deleted file mode 100644
index 0c7930d..0000000
--- a/SOURCES/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From eb2fd8b436688377a20d24a467fd03e62d3e6c06 Mon Sep 17 00:00:00 2001 -From: William Roberts -Date: Tue, 24 Jan 2023 10:01:23 -0600 -Subject: [PATCH 01/10] tss2-rc: fix unknown layer handler dropping bits - -The commit (on 4.0.1 and master): - - 49107d65d5c7 tss2_rc: ensure layer number is in bounds - -Introduces a bug where the right shift by 8 drops the lower byte going -into the unknown_layer handler function. This will effectively drop rc -error bits for unknown layers. The largest impact will be on windows -where their resource manager is not a registered handler. - -Fix this by just dumping all the bytes and not get fancy with masking -things out. - -Fixes: #2550 - -Signed-off-by: William Roberts ---- - src/tss2-rc/tss2_rc.c | 4 ++-- - test/unit/test_tss2_rc.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c -index 7e668a46..6de7d6f3 100644 ---- a/src/tss2-rc/tss2_rc.c -+++ b/src/tss2-rc/tss2_rc.c -@@ -985,9 +985,9 @@ Tss2_RC_Decode(TSS2_RC rc) - } else { - /* - * we don't want to drop any bits if we don't know what to do with it -- * so drop the layer byte since we we already have that. -+ * so just send the whole thing. - */ -- const char *e = unknown_layer_handler(rc >> 8); -+ const char *e = unknown_layer_handler(rc); - assert(e); - catbuf(buf, "%s", e); - } -diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c -index 0b0f57c6..e5051c85 100644 ---- a/test/unit/test_tss2_rc.c -+++ b/test/unit/test_tss2_rc.c -@@ -199,7 +199,7 @@ test_custom_handler(void **state) - * Test an unknown layer - */ - e = Tss2_RC_Decode(rc); -- assert_string_equal(e, "1:0x100"); -+ assert_string_equal(e, "1:0x1002A"); - } - - static void -@@ -288,7 +288,7 @@ test_all_FFs(void **state) - (void) state; - - const char *e = Tss2_RC_Decode(0xFFFFFFFF); -- assert_string_equal(e, "255:0xFFFFFF"); -+ assert_string_equal(e, "255:0xFFFFFFFF"); - } - - static void --- -2.41.0 - 
diff --git a/SOURCES/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch b/SOURCES/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch deleted file mode 100644 index f6b7d65..0000000 --- a/SOURCES/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 6e4f8823ca6f7f062df3cd4ee88e397fac9adc37 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Thu, 9 Feb 2023 15:22:08 +0100 -Subject: [PATCH 02/10] MU: Fix unneeded size check in TPM2B unmarshaling - -There is a size check for the destination object whether the size is zero. -If the memory of the destination object is no cleared this might cause -a race conditions. -Unneeded tests from the integration test tpmclient were removed. -Fixes: #2564 - -Signed-off-by: Juergen Repp ---- - src/tss2-mu/tpm2b-types.c | 6 +----- - test/tpmclient/tpmclient.int.c | 9 --------- - 2 files changed, 1 insertion(+), 14 deletions(-) - -diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c -index 2e10f487..6e8915f6 100644 ---- a/src/tss2-mu/tpm2b-types.c -+++ b/src/tss2-mu/tpm2b-types.c -@@ -248,11 +248,7 @@ TSS2_RC Tss2_MU_##type##_Unmarshal(uint8_t const buffer[], size_t buffer_size, \ - sizeof(size)); \ - return TSS2_MU_RC_INSUFFICIENT_BUFFER; \ - } \ -- if (dest && dest->size != 0) { \ -- LOG_WARNING("Size not zero"); \ -- return TSS2_SYS_RC_BAD_VALUE; \ -- } \ --\ -+ \ - rc = Tss2_MU_UINT16_Unmarshal(buffer, buffer_size, &local_offset, &size); \ - if (rc) \ - return rc; \ -diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c -index deedcfb7..16443955 100644 ---- a/test/tpmclient/tpmclient.int.c -+++ b/test/tpmclient/tpmclient.int.c -@@ -847,12 +847,6 @@ static void TestHierarchyControl() - rval = Tss2_Sys_NV_DefineSpace( sysContext, TPM2_RH_PLATFORM, &sessionsData, &nvAuth, &publicInfo, 0 ); - CheckPassed( rval ); - -- /* Test SYS for case where nvPublic.size != 0 */ -- nvPublic.size = 0xff; -- INIT_SIMPLE_TPM2B_SIZE( nvName ); -- rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 ); -- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE ); -- - nvPublic.size = 0; - INIT_SIMPLE_TPM2B_SIZE( nvName ); - rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 ); -@@ 
-2135,10 +2129,7 @@ static void EcEphemeralTest() - - LOG_INFO("EC Ephemeral TESTS:" ); - -- /* Test SYS for case of Q size field not being set to 0. */ - INIT_SIMPLE_TPM2B_SIZE( Q ); -- rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 ); -- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE ); - - Q.size = 0; - rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 ); --- -2.41.0 - diff --git a/SOURCES/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch b/SOURCES/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch deleted file mode 100644 index 955acd1..0000000 --- a/SOURCES/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From d486edf730d652c8ab2fc50eb00e45223b43628f Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Tue, 14 Feb 2023 19:52:28 +0100 -Subject: [PATCH 03/10] FAPI: Fix parameter encryption for provisioning - -Currently no parameter encryption was made during provisioning. -Now the EK es used as tpmkey for the create primary session of -the SRK and the SRK is used for parameter encryption of the -other command executed during provisioning. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/api/Fapi_Provision.c | 6 ++++-- - src/tss2-fapi/fapi_int.h | 7 ++++--- - src/tss2-fapi/fapi_util.c | 5 ++++- - 3 files changed, 12 insertions(+), 6 deletions(-) - -diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c -index 97c25828..48f2fd3b 100644 ---- a/src/tss2-fapi/api/Fapi_Provision.c -+++ b/src/tss2-fapi/api/Fapi_Provision.c -@@ -884,7 +884,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context) - statecase(context->state, PROVISION_INIT_SRK); - /* Create session which will be used for SRK generation. */ - context->srk_handle = context->ek_handle; -- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0); -+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1, -+ TPMA_SESSION_DECRYPT, 0); - goto_if_error_reset_state(r, "Create sessions", error_cleanup); - - fallthrough; -@@ -1084,7 +1085,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context) - try_again_or_error_goto(r, "Cleanup", error_cleanup); - - /* Create session which will be used for parameter encryption. 
*/ -- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0); -+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1, -+ TPMA_SESSION_DECRYPT, 0); - goto_if_error_reset_state(r, "Create sessions", error_cleanup); - - fallthrough; -diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h -index 5f666a75..8533112a 100644 ---- a/src/tss2-fapi/fapi_int.h -+++ b/src/tss2-fapi/fapi_int.h -@@ -55,9 +55,10 @@ typedef UINT32 TSS2_KEY_TYPE; - #define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF - - typedef UINT8 IFAPI_SESSION_TYPE; --#define IFAPI_SESSION_GENEK 0x01 --#define IFAPI_SESSION1 0x02 --#define IFAPI_SESSION2 0x04 -+#define IFAPI_SESSION_GENEK 0x01 -+#define IFAPI_SESSION1 0x02 -+#define IFAPI_SESSION2 0x04 -+#define IFAPI_SESSION_USE_SRK 0x08 - - #define IFAPI_POLICY_PATH "policy" - #define IFAPI_NV_PATH "nv" -diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c -index 44dd4168..ded0d247 100644 ---- a/src/tss2-fapi/fapi_util.c -+++ b/src/tss2-fapi/fapi_util.c -@@ -1327,7 +1327,10 @@ ifapi_get_sessions_async(FAPI_CONTEXT *context, - context->session2_attribute_flags = attribute_flags2; - char *file = NULL; - -- if (!(session_flags & IFAPI_SESSION_GENEK)) { -+ if (session_flags & IFAPI_SESSION_USE_SRK) { -+ context->session_state = SESSION_CREATE_SESSION; -+ return TSS2_RC_SUCCESS; -+ } else if (!(session_flags & IFAPI_SESSION_GENEK)) { - context->srk_handle = ESYS_TR_NONE; - context->session_state = SESSION_CREATE_SESSION; - return TSS2_RC_SUCCESS; --- -2.41.0 - diff --git a/SOURCES/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch b/SOURCES/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch deleted file mode 100644 index 28b2a3d..0000000 --- a/SOURCES/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 6bb79f17b89592909830f872dc47d09c0e5dadda Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Fri, 3 Mar 2023 11:17:43 +0100 -Subject: [PATCH 04/10] FAPI: Fix missing parameter encryption for policy - sessions. - -The parameter encryption for policy sessions was not enabled. -Now the parameter encryption is enabled and the auth value of -objects is added to the session key. -One exception is the cp hash policy. In this case the -the cp hash check forced by this policy would fail with an -encrypted parameter. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/fapi_util.c | 28 ++++++++++++------------ - src/tss2-fapi/ifapi_policy_execute.c | 5 +++++ - src/tss2-fapi/ifapi_policyutil_execute.c | 4 ++++ - 3 files changed, 23 insertions(+), 14 deletions(-) - -diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c -index ded0d247..55ce3327 100644 ---- a/src/tss2-fapi/fapi_util.c -+++ b/src/tss2-fapi/fapi_util.c -@@ -2110,21 +2110,20 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses - statecase(object->authorization_state, AUTH_INIT) - LOG_TRACE("**STATE** AUTH_INIT"); - -- if (!policy_digest_size(object)) { -- /* No policy used authorization callbacks have to be called if necessary. */ -- if (object_with_auth(object)) { -- /* Check whether hierarchy was already authorized. */ -- if (object->objectType != IFAPI_HIERARCHY_OBJ || -- !object->misc.hierarchy.authorized) { -- char *description = NULL; -- r = ifapi_get_description(object, &description); -- return_if_error(r, "Get description"); -- -- r = ifapi_set_auth(context, object, description); -- SAFE_FREE(description); -- return_if_error(r, "Set auth value"); -- } -+ if (object_with_auth(object)) { -+ /* Check whether hierarchy was already authorized. 
*/ -+ if (object->objectType != IFAPI_HIERARCHY_OBJ || -+ !object->misc.hierarchy.authorized) { -+ char *description = NULL; -+ r = ifapi_get_description(object, &description); -+ return_if_error(r, "Get description"); -+ -+ r = ifapi_set_auth(context, object, description); -+ SAFE_FREE(description); -+ return_if_error(r, "Set auth value"); - } -+ } -+ if (!policy_digest_size(object)) { - /* No policy session needed current fapi session can be used */ - if (context->session1 && context->session1 != ESYS_TR_NONE) - *session = context->session1; -@@ -2133,6 +2132,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses - *session = ESYS_TR_PASSWORD; - break; - } -+ - /* Save current object to be authorized in context. */ - context->current_auth_object = object; - r = ifapi_policyutil_execute_prepare(context, get_name_alg(context, object), -diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c -index c2ce3301..0e7de316 100644 ---- a/src/tss2-fapi/ifapi_policy_execute.c -+++ b/src/tss2-fapi/ifapi_policy_execute.c -@@ -1245,6 +1245,11 @@ execute_policy_cp_hash( - r = Esys_PolicyCpHash_Finish(esys_ctx); - try_again_or_error(r, "Execute PolicyCpHash_Finish."); - -+ /* Disable encryption to enable check of cp hash defined in -+ policy cp. 
*/ -+ r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session, -+ 0, 0xff); -+ - current_policy->state = POLICY_EXECUTE_INIT; - return r; - -diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c -index 997fb504..0e2823cb 100644 ---- a/src/tss2-fapi/ifapi_policyutil_execute.c -+++ b/src/tss2-fapi/ifapi_policyutil_execute.c -@@ -119,6 +119,10 @@ create_session( - r = Esys_StartAuthSession_Finish(context->esys, session); - if (r != TSS2_RC_SUCCESS) - return r; -+ -+ r = Esys_TRSess_SetAttributes(context->esys, *session, -+ TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT, -+ 0xff); - context->policy.create_session_state = CREATE_SESSION_INIT; - break; - --- -2.41.0 - diff --git a/SOURCES/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch b/SOURCES/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch deleted file mode 100644 index fd385af..0000000 --- a/SOURCES/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From c7cd976e7152e3f5aaa813aaebf4ab1e5d9b1f3e Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Sun, 5 Mar 2023 19:19:22 +0100 -Subject: [PATCH 05/10] FAPI: Fix missing parameter encryption for some HMAC - sessions. - -* For Fapi_CreateNv and Fap_NvSetBits the parameter encryption was not enabled. -* For Fapi_Unseal the response description was not enabled. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/api/Fapi_CreateNv.c | 2 +- - src/tss2-fapi/api/Fapi_NvSetBits.c | 2 +- - src/tss2-fapi/fapi_util.c | 3 ++- - 3 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/tss2-fapi/api/Fapi_CreateNv.c b/src/tss2-fapi/api/Fapi_CreateNv.c -index 45e72e33..8160b99d 100644 ---- a/src/tss2-fapi/api/Fapi_CreateNv.c -+++ b/src/tss2-fapi/api/Fapi_CreateNv.c -@@ -399,7 +399,7 @@ Fapi_CreateNv_Finish( - context->primary_state = PRIMARY_INIT; - r = ifapi_get_sessions_async(context, - IFAPI_SESSION_GENEK | IFAPI_SESSION1, -- 0, 0); -+ TPMA_SESSION_DECRYPT, 0); - goto_if_error_reset_state(r, "Create sessions", error_cleanup); - fallthrough; - -diff --git a/src/tss2-fapi/api/Fapi_NvSetBits.c b/src/tss2-fapi/api/Fapi_NvSetBits.c -index 0615aa12..adf332e0 100644 ---- a/src/tss2-fapi/api/Fapi_NvSetBits.c -+++ b/src/tss2-fapi/api/Fapi_NvSetBits.c -@@ -282,7 +282,7 @@ Fapi_NvSetBits_Finish( - /* Prepare session for authorization */ - r = ifapi_get_sessions_async(context, - IFAPI_SESSION_GENEK | IFAPI_SESSION1, -- 0, 0); -+ TPMA_SESSION_DECRYPT, 0); - goto_if_error_reset_state(r, "Create sessions", error_cleanup); - - fallthrough; -diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c -index 55ce3327..ef4a92d0 100644 ---- a/src/tss2-fapi/fapi_util.c -+++ b/src/tss2-fapi/fapi_util.c -@@ -2743,7 +2743,8 @@ ifapi_load_key( - /* Prepare the session creation. 
*/ - r = ifapi_get_sessions_async(context, - IFAPI_SESSION_GENEK | IFAPI_SESSION1, -- TPMA_SESSION_DECRYPT, 0); -+ TPMA_SESSION_DECRYPT | TPMA_SESSION_ENCRYPT, -+ 0); - goto_if_error_reset_state(r, "Create sessions", error_cleanup); - fallthrough; - --- -2.41.0 - diff --git a/SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch b/SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch deleted file mode 100644 index b1b2df0..0000000 --- a/SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From db8ccb1df778dc92d1be88a88ddcd9d6c92c3e63 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Mon, 3 Apr 2023 21:21:55 +0200 -Subject: [PATCH 06/10] FAPI: Fix usage of persistent handles. - -* Evict control for persistent keys created with Fapi_CreateKey was - called with the wrong handle. -* If Fapi_Quote was executed with a primary key for this key flush - context was called. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/api/Fapi_Quote.c | 14 +++++++++----- - src/tss2-fapi/fapi_util.c | 1 + - 2 files changed, 10 insertions(+), 5 deletions(-) - -diff --git a/src/tss2-fapi/api/Fapi_Quote.c b/src/tss2-fapi/api/Fapi_Quote.c -index b71267a7..61e4e3db 100644 ---- a/src/tss2-fapi/api/Fapi_Quote.c -+++ b/src/tss2-fapi/api/Fapi_Quote.c -@@ -392,16 +392,20 @@ Fapi_Quote_Finish( - goto_if_error(r, "Error: PCR_Quote", error_cleanup); - - /* Flush the key used for the quote. */ -- r = Esys_FlushContext_Async(context->esys, command->handle); -- goto_if_error(r, "Error: FlushContext", error_cleanup); -+ if (!command->key_object->misc.key.persistent_handle) { -+ r = Esys_FlushContext_Async(context->esys, command->handle); -+ goto_if_error(r, "Error: FlushContext", error_cleanup); -+ } - command->handle = ESYS_TR_NONE; - - fallthrough; - - statecase(context->state, PCR_QUOTE_WAIT_FOR_FLUSH); -- r = Esys_FlushContext_Finish(context->esys); -- return_try_again(r); -- goto_if_error(r, "Error: Sign", error_cleanup); -+ if (!command->key_object->misc.key.persistent_handle) { -+ r = Esys_FlushContext_Finish(context->esys); -+ return_try_again(r); -+ goto_if_error(r, "Error: Sign", error_cleanup); -+ } - - sig_key_object = command->key_object; - /* Convert the TPM-encoded signature into something useful for the caller. 
*/ -diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c -index ef4a92d0..49f7dd07 100644 ---- a/src/tss2-fapi/fapi_util.c -+++ b/src/tss2-fapi/fapi_util.c -@@ -4746,6 +4746,7 @@ ifapi_create_primary( - - statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WAIT_FOR_AUTHORIZE2); - if (template->persistent_handle) { -+ object->misc.key.persistent_handle = template->persistent_handle; - r = ifapi_authorize_object(context, hierarchy, &auth_session); - FAPI_SYNC(r, "Authorize hierarchy.", error_cleanup); - --- -2.41.0 - diff --git a/SOURCES/0007-build-Fix-failed-build-with-disable-vendor.patch b/SOURCES/0007-build-Fix-failed-build-with-disable-vendor.patch deleted file mode 100644 index 5ff29c9..0000000 --- a/SOURCES/0007-build-Fix-failed-build-with-disable-vendor.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From e46840f3ec5932f3f9206f3eab903d82b7a977db Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Mon, 27 Feb 2023 18:00:54 +0100 -Subject: [PATCH 07/10] build: Fix failed build with --disable-vendor - -The compilation of the marshaling functions for TPML_INTEL_PTT_PROPERTY -is now disabled for builds with --disable-vendor. -Fixes: #2571 - -Signed-off-by: Juergen Repp ---- - include/tss2/tss2_tpm2_types.h | 2 ++ - src/tss2-mu/tpml-types.c | 2 ++ - tss2-dlopen/tss2-dlopen-mu.c | 2 ++ - 3 files changed, 6 insertions(+) - -diff --git a/include/tss2/tss2_tpm2_types.h b/include/tss2/tss2_tpm2_types.h -index 96286fb7..39a6978c 100644 ---- a/include/tss2/tss2_tpm2_types.h -+++ b/include/tss2/tss2_tpm2_types.h -@@ -63,7 +63,9 @@ - #define TPM2_PRIVATE_VENDOR_SPECIFIC_BYTES ((TPM2_MAX_RSA_KEY_BYTES / 2) * (3 + 2)) - - /* Vendor Specific Defines */ -+#ifndef DISABLE_VENDOR - #define TPM2_MAX_PTT_PROPERTIES (TPM2_MAX_CAP_BUFFER / sizeof(UINT32)) -+#endif - - /* Attached Component Capabilities */ - #define TPM2_MAX_AC_CAPABILITIES (TPM2_MAX_CAP_BUFFER / sizeof(TPMS_AC_OUTPUT)) -diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c -index 60f85a8c..1df9bbb8 100644 ---- a/src/tss2-mu/tpml-types.c -+++ b/src/tss2-mu/tpml-types.c -@@ -175,8 +175,10 @@ TPML_MARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Marshal, pcrSelectio - TPML_UNMARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Unmarshal, pcrSelections) - TPML_MARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Marshal, digests, ADDR) - TPML_UNMARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Unmarshal, digests) -+#ifndef DISABLE_VENDOR - TPML_MARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Marshal, property, VAL) - TPML_UNMARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Unmarshal, property) -+#endif - TPML_MARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Marshal, acCapabilities, ADDR) - TPML_UNMARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Unmarshal, acCapabilities) - 
TPML_MARSHAL(TPML_TAGGED_POLICY, Tss2_MU_TPMS_TAGGED_POLICY_Marshal, policies, ADDR) -diff --git a/tss2-dlopen/tss2-dlopen-mu.c b/tss2-dlopen/tss2-dlopen-mu.c -index 2297818b..21cd1123 100644 ---- a/tss2-dlopen/tss2-dlopen-mu.c -+++ b/tss2-dlopen/tss2-dlopen-mu.c -@@ -254,7 +254,9 @@ MAKE_MU_STRUCT(TPML_ALG_PROPERTY); - MAKE_MU_STRUCT(TPML_ECC_CURVE); - MAKE_MU_STRUCT(TPML_TAGGED_PCR_PROPERTY); - MAKE_MU_STRUCT(TPML_TAGGED_TPM_PROPERTY); -+#ifndef DISABLE_VENDOR - MAKE_MU_STRUCT(TPML_INTEL_PTT_PROPERTY); -+#endif - MAKE_MU_STRUCT(TPML_AC_CAPABILITIES); - MAKE_MU_STRUCT(TPML_TAGGED_POLICY); - MAKE_MU_STRUCT(TPML_ACT_DATA); --- -2.41.0 - diff --git a/SOURCES/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch b/SOURCES/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch deleted file mode 100644 index 14aa2b5..0000000 --- a/SOURCES/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From acb274ee0c59d6159b66e2df08aaf410e179f5f9 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Mon, 10 Apr 2023 20:20:24 +0200 -Subject: [PATCH 08/10] FAPI: Fapi_GetInfo display warning for SHA3 hash algs. - -Currenlty FAPI_GetInfo did produce errors if the TPM implements -SHA3 hash algs. Now a warning is displayed. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/tpm_json_serialize.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c -index 1eaa4eb2..65320da6 100644 ---- a/src/tss2-fapi/tpm_json_serialize.c -+++ b/src/tss2-fapi/tpm_json_serialize.c -@@ -1558,6 +1558,14 @@ ifapi_json_TPMS_ALG_PROPERTY_serialize(const TPMS_ALG_PROPERTY *in, json_object - return_if_null(in, "Bad reference.", TSS2_FAPI_RC_BAD_REFERENCE); - - TSS2_RC r; -+ -+ if ((in->alg == TPM2_ALG_SHA3_256 || -+ in->alg == TPM2_ALG_SHA3_384 || -+ in->alg == TPM2_ALG_SHA3_512)) { -+ LOG_WARNING("SHA3 hash algs are not supported by TSS"); -+ return TSS2_RC_SUCCESS; -+ } -+ - json_object *jso2; - if (*jso == NULL) - *jso = json_object_new_object (); --- -2.41.0 - diff --git a/SOURCES/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch b/SOURCES/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch deleted file mode 100644 index 4fe97d2..0000000 --- a/SOURCES/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From e43323dd5c089ed6af0a6a77b30f97350e1fbb6a Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Sun, 9 Apr 2023 08:38:56 +0200 -Subject: [PATCH 09/10] FAPI: Skip provisioning test for nv ext and profile - paths. - -The provisioning test in ifapi_check_provisioned will be skipped -for ext nv and profile paths. The test did produce inappropriate -error messages if the corresponding paths did not exist in keystore. -The test is only needed for pathnames starting with the profile. -Fixes: #2596 - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/ifapi_keystore.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c -index 7e50ee1e..38c2f7fd 100644 ---- a/src/tss2-fapi/ifapi_keystore.c -+++ b/src/tss2-fapi/ifapi_keystore.c -@@ -1772,6 +1772,14 @@ ifapi_check_provisioned( - - *ok = false; - -+ /* No profile in path, test can be skipped. */ -+ if (ifapi_path_type_p(rel_path, IFAPI_NV_PATH) || -+ ifapi_path_type_p(rel_path, IFAPI_POLICY_PATH) || -+ ifapi_path_type_p(rel_path, IFAPI_EXT_PATH)) { -+ *ok = true; -+ return TSS2_RC_SUCCESS; -+ } -+ - /* First expand path in user directory */ - r = expand_path(keystore, rel_path, &directory); - goto_if_error(r, "Expand path", cleanup); --- -2.41.0 - diff --git a/SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch b/SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch deleted file mode 100644 index 2e83a61..0000000 --- a/SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 12519626a221f0e4c20e66ec101429fc0f321c6f Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Fri, 12 May 2023 09:30:53 +0200 -Subject: [PATCH 10/10] FAPI: Fix wrong allocation of pcr policy. - -The list of pcr registers was was allocated with the wrong size in the -function copy_policy_element which caused a segfault if more than one -pcr was used. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/ifapi_helpers.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c -index e1c4220b..5c574717 100644 ---- a/src/tss2-fapi/ifapi_helpers.c -+++ b/src/tss2-fapi/ifapi_helpers.c -@@ -1343,7 +1343,7 @@ copy_policy_element(const TPMT_POLICYELEMENT *from_policy, TPMT_POLICYELEMENT *t - case POLICYPCR: - to_policy->element.PolicyPCR.pcrs = - calloc(1, sizeof(TPML_PCRVALUES) + -- from_policy->element.PolicyPCR.pcrs->count + sizeof(TPMS_PCRVALUE)); -+ from_policy->element.PolicyPCR.pcrs->count * sizeof(TPMS_PCRVALUE)); - goto_if_null2(to_policy->element.PolicyPCR.pcrs, "Out of memory.", - r, TSS2_FAPI_RC_MEMORY, error); - to_policy->element.PolicyPCR.pcrs->count --- -2.41.0 - diff --git a/SPECS/tpm2-tss.spec b/SPECS/tpm2-tss.spec index 09f7c07..44e2d70 100644 --- a/SPECS/tpm2-tss.spec +++ b/SPECS/tpm2-tss.spec @@ -1,6 +1,6 @@ Name: tpm2-tss -Version: 3.2.2 -Release: 2%{?dist} +Version: 3.2.3 +Release: 1%{?dist} Summary: TPM2.0 Software Stack License: BSD 
@@ -10,16 +10,6 @@ Source1: tpm2-tss-systemd-sysusers.conf # doxygen patch Patch0: tpm2-tss-3.0.0-doxygen.patch Patch2: 0001-esys_iutil-fix-possible-NPD.patch -Patch3: 0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch -Patch4: 0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch -Patch5: 0003-FAPI-Fix-parameter-encryption-for-provisioning.patch -Patch6: 0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch -Patch7: 0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch -Patch8: 0006-FAPI-Fix-usage-of-persistent-handles.patch -Patch11: 0007-build-Fix-failed-build-with-disable-vendor.patch -Patch12: 0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch -Patch13: 0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch -Patch14: 0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch %global udevrules_prefix 60- @@ -125,6 +115,10 @@ use tpm2-tss. %changelog +* Thu May 30 2024 Štěpán Horáček - 3.2.3-1 +- Rebase to 3.2.3 + Resolves: RHEL-23206 + * Mon Jul 3 2023 Štěpán Horáček - 3.2.2-2 - Remove misapplied license Resolves: rhbz#2160307
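Review bot: Patch3 through Patch14 are dropped from the spec without any statement, in this hunk or in the visible changelog entry, that the corresponding fixes are contained in the upstream 3.2.3 tarball; several of those backports are security-relevant (the FAPI session parameter-encryption fixes in 0003–0005 and the undersized calloc in 0010 as described in the deleted patch files above), so a silent drop is hard to audit later. Extend the changelog line to `- Rebase to 3.2.3; drop backported patches 0001-0010 now included upstream`, or add `# Backports 0001-0010 carried in 3.2.2-2 are part of the 3.2.3 tarball` above the remaining `Patch2:` line. Patch2 `0001-esys_iutil-fix-possible-NPD.patch` is kept, and whether it still applies cleanly to 3.2.3 is not visible in this diff, so it should be confirmed by the build.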