import UBI tpm2-tss-3.2.3-1.el9
This commit is contained in:
parent
d5501a5995
commit
f3e2c2f687
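--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/tpm2-tss-3.2.2.tar.gz
+SOURCES/tpm2-tss-3.2.3.tar.gz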
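--- a/<source-hash file, path not shown on page>
+++ b/<source-hash file, path not shown on page>
@@ -1 +1 @@
-6ebd166443d782e270b3f408e1489284e30dd608 SOURCES/tpm2-tss-3.2.2.tar.gz
+79248e4597db1424d981c93af278bb7d141c6a12 SOURCES/tpm2-tss-3.2.3.tar.gz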
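--- a/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From eb2fd8b436688377a20d24a467fd03e62d3e6c06 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Tue, 24 Jan 2023 10:01:23 -0600
-Subject: [PATCH 01/10] tss2-rc: fix unknown layer handler dropping bits
-
-The commit (on 4.0.1 and master):
-- 49107d65d5c7 tss2_rc: ensure layer number is in bounds
-
-Introduces a bug where the right shift by 8 drops the lower byte going
-into the unknown_layer handler function. This will effectively drop rc
-error bits for unknown layers. The largest impact will be on windows
-where their resource manager is not a registered handler.
-
-Fix this by just dumping all the bytes and not get fancy with masking
-things out.
-
-Fixes: #2550
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
-src/tss2-rc/tss2_rc.c | 4 ++--
-test/unit/test_tss2_rc.c | 4 ++--
-2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
-index 7e668a46..6de7d6f3 100644
---- a/src/tss2-rc/tss2_rc.c
-+++ b/src/tss2-rc/tss2_rc.c
-@@ -985,9 +985,9 @@ Tss2_RC_Decode(TSS2_RC rc)
-} else {
-/*
-* we don't want to drop any bits if we don't know what to do with it
-- * so drop the layer byte since we we already have that.
-+ * so just send the whole thing.
-*/
-- const char *e = unknown_layer_handler(rc >> 8);
-+ const char *e = unknown_layer_handler(rc);
-assert(e);
-catbuf(buf, "%s", e);
-}
-diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
-index 0b0f57c6..e5051c85 100644
---- a/test/unit/test_tss2_rc.c
-+++ b/test/unit/test_tss2_rc.c
-@@ -199,7 +199,7 @@ test_custom_handler(void **state)
-* Test an unknown layer
-*/
-e = Tss2_RC_Decode(rc);
-- assert_string_equal(e, "1:0x100");
-+ assert_string_equal(e, "1:0x1002A");
-}
-
-static void
-@@ -288,7 +288,7 @@ test_all_FFs(void **state)
-(void) state;
-
-const char *e = Tss2_RC_Decode(0xFFFFFFFF);
-- assert_string_equal(e, "255:0xFFFFFF");
-+ assert_string_equal(e, "255:0xFFFFFFFF");
-}
-
-static void
---
-2.41.0
-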
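--- a/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 6e4f8823ca6f7f062df3cd4ee88e397fac9adc37 Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen_repp@web.de>
-Date: Thu, 9 Feb 2023 15:22:08 +0100
-Subject: [PATCH 02/10] MU: Fix unneeded size check in TPM2B unmarshaling
-
-There is a size check for the destination object whether the size is zero.
-If the memory of the destination object is no cleared this might cause
-a race conditions.
-Unneeded tests from the integration test tpmclient were removed.
-Fixes: #2564
-
-Signed-off-by: Juergen Repp <juergen_repp@web.de>
----
-src/tss2-mu/tpm2b-types.c | 6 +-----
-test/tpmclient/tpmclient.int.c | 9 ---------
-2 files changed, 1 insertion(+), 14 deletions(-)
-
-diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
-index 2e10f487..6e8915f6 100644
---- a/src/tss2-mu/tpm2b-types.c
-+++ b/src/tss2-mu/tpm2b-types.c
-@@ -248,11 +248,7 @@ TSS2_RC Tss2_MU_##type##_Unmarshal(uint8_t const buffer[], size_t buffer_size, \
-sizeof(size)); \
-return TSS2_MU_RC_INSUFFICIENT_BUFFER; \
-} \
-- if (dest && dest->size != 0) { \
-- LOG_WARNING("Size not zero"); \
-- return TSS2_SYS_RC_BAD_VALUE; \
-- } \
--\
-+ \
-rc = Tss2_MU_UINT16_Unmarshal(buffer, buffer_size, &local_offset, &size); \
-if (rc) \
-return rc; \
-diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c
-index deedcfb7..16443955 100644
---- a/test/tpmclient/tpmclient.int.c
-+++ b/test/tpmclient/tpmclient.int.c
-@@ -847,12 +847,6 @@ static void TestHierarchyControl()
-rval = Tss2_Sys_NV_DefineSpace( sysContext, TPM2_RH_PLATFORM, &sessionsData, &nvAuth, &publicInfo, 0 );
-CheckPassed( rval );
-
-- /* Test SYS for case where nvPublic.size != 0 */
-- nvPublic.size = 0xff;
-- INIT_SIMPLE_TPM2B_SIZE( nvName );
-- rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
-- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
--
-nvPublic.size = 0;
-INIT_SIMPLE_TPM2B_SIZE( nvName );
-rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
-@@ -2135,10 +2129,7 @@ static void EcEphemeralTest()
-
-LOG_INFO("EC Ephemeral TESTS:" );
-
-- /* Test SYS for case of Q size field not being set to 0. */
-INIT_SIMPLE_TPM2B_SIZE( Q );
-- rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
-- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
-
-Q.size = 0;
-rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
---
-2.41.0
-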
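--- a/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From d486edf730d652c8ab2fc50eb00e45223b43628f Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen_repp@web.de>
-Date: Tue, 14 Feb 2023 19:52:28 +0100
-Subject: [PATCH 03/10] FAPI: Fix parameter encryption for provisioning
-
-Currently no parameter encryption was made during provisioning.
-Now the EK es used as tpmkey for the create primary session of
-the SRK and the SRK is used for parameter encryption of the
-other command executed during provisioning.
-
-Signed-off-by: Juergen Repp <juergen_repp@web.de>
----
-src/tss2-fapi/api/Fapi_Provision.c | 6 ++++--
-src/tss2-fapi/fapi_int.h | 7 ++++---
-src/tss2-fapi/fapi_util.c | 5 ++++-
-3 files changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
-index 97c25828..48f2fd3b 100644
---- a/src/tss2-fapi/api/Fapi_Provision.c
-+++ b/src/tss2-fapi/api/Fapi_Provision.c
-@@ -884,7 +884,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
-statecase(context->state, PROVISION_INIT_SRK);
-/* Create session which will be used for SRK generation. */
-context->srk_handle = context->ek_handle;
-- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
-+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
-+ TPMA_SESSION_DECRYPT, 0);
-goto_if_error_reset_state(r, "Create sessions", error_cleanup);
-
-fallthrough;
-@@ -1084,7 +1085,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
-try_again_or_error_goto(r, "Cleanup", error_cleanup);
-
-/* Create session which will be used for parameter encryption. */
-- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
-+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
-+ TPMA_SESSION_DECRYPT, 0);
-goto_if_error_reset_state(r, "Create sessions", error_cleanup);
-
-fallthrough;
-diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
-index 5f666a75..8533112a 100644
---- a/src/tss2-fapi/fapi_int.h
-+++ b/src/tss2-fapi/fapi_int.h
-@@ -55,9 +55,10 @@ typedef UINT32 TSS2_KEY_TYPE;
-#define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF
-
-typedef UINT8 IFAPI_SESSION_TYPE;
--#define IFAPI_SESSION_GENEK 0x01
--#define IFAPI_SESSION1 0x02
--#define IFAPI_SESSION2 0x04
-+#define IFAPI_SESSION_GENEK 0x01
-+#define IFAPI_SESSION1 0x02
-+#define IFAPI_SESSION2 0x04
-+#define IFAPI_SESSION_USE_SRK 0x08
-
-#define IFAPI_POLICY_PATH "policy"
-#define IFAPI_NV_PATH "nv"
-diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
-index 44dd4168..ded0d247 100644
---- a/src/tss2-fapi/fapi_util.c
-+++ b/src/tss2-fapi/fapi_util.c
-@@ -1327,7 +1327,10 @@ ifapi_get_sessions_async(FAPI_CONTEXT *context,
-context->session2_attribute_flags = attribute_flags2;
-char *file = NULL;
-
-- if (!(session_flags & IFAPI_SESSION_GENEK)) {
-+ if (session_flags & IFAPI_SESSION_USE_SRK) {
-+ context->session_state = SESSION_CREATE_SESSION;
-+ return TSS2_RC_SUCCESS;
-+ } else if (!(session_flags & IFAPI_SESSION_GENEK)) {
-context->srk_handle = ESYS_TR_NONE;
-context->session_state = SESSION_CREATE_SESSION;
-return TSS2_RC_SUCCESS;
---
-2.41.0
-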
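--- a/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 6bb79f17b89592909830f872dc47d09c0e5dadda Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen_repp@web.de>
-Date: Fri, 3 Mar 2023 11:17:43 +0100
-Subject: [PATCH 04/10] FAPI: Fix missing parameter encryption for policy
-sessions.
-
-The parameter encryption for policy sessions was not enabled.
-Now the parameter encryption is enabled and the auth value of
-objects is added to the session key.
-One exception is the cp hash policy. In this case the
-the cp hash check forced by this policy would fail with an
-encrypted parameter.
-
-Signed-off-by: Juergen Repp <juergen_repp@web.de>
----
-src/tss2-fapi/fapi_util.c | 28 ++++++++++++------------
-src/tss2-fapi/ifapi_policy_execute.c | 5 +++++
-src/tss2-fapi/ifapi_policyutil_execute.c | 4 ++++
-3 files changed, 23 insertions(+), 14 deletions(-)
-
-diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
-index ded0d247..55ce3327 100644
---- a/src/tss2-fapi/fapi_util.c
-+++ b/src/tss2-fapi/fapi_util.c
-@@ -2110,21 +2110,20 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
-statecase(object->authorization_state, AUTH_INIT)
-LOG_TRACE("**STATE** AUTH_INIT");
-
-- if (!policy_digest_size(object)) {
-- /* No policy used authorization callbacks have to be called if necessary. */
-- if (object_with_auth(object)) {
-- /* Check whether hierarchy was already authorized. */
-- if (object->objectType != IFAPI_HIERARCHY_OBJ ||
-- !object->misc.hierarchy.authorized) {
-- char *description = NULL;
-- r = ifapi_get_description(object, &description);
-- return_if_error(r, "Get description");
--
-- r = ifapi_set_auth(context, object, description);
-- SAFE_FREE(description);
-- return_if_error(r, "Set auth value");
-- }
-+ if (object_with_auth(object)) {
-+ /* Check whether hierarchy was already authorized. */
-+ if (object->objectType != IFAPI_HIERARCHY_OBJ ||
-+ !object->misc.hierarchy.authorized) {
-+ char *description = NULL;
-+ r = ifapi_get_description(object, &description);
-+ return_if_error(r, "Get description");
-+
-+ r = ifapi_set_auth(context, object, description);
-+ SAFE_FREE(description);
-+ return_if_error(r, "Set auth value");
-}
-+ }
-+ if (!policy_digest_size(object)) {
-/* No policy session needed current fapi session can be used */
-if (context->session1 && context->session1 != ESYS_TR_NONE)
-*session = context->session1;
-@@ -2133,6 +2132,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
-*session = ESYS_TR_PASSWORD;
-break;
-}
-+
-/* Save current object to be authorized in context. */
-context->current_auth_object = object;
-r = ifapi_policyutil_execute_prepare(context, get_name_alg(context, object),
-diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
-index c2ce3301..0e7de316 100644
---- a/src/tss2-fapi/ifapi_policy_execute.c
-+++ b/src/tss2-fapi/ifapi_policy_execute.c
-@@ -1245,6 +1245,11 @@ execute_policy_cp_hash(
-r = Esys_PolicyCpHash_Finish(esys_ctx);
-try_again_or_error(r, "Execute PolicyCpHash_Finish.");
-
-+ /* Disable encryption to enable check of cp hash defined in
-+ policy cp. */
-+ r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session,
-+ 0, 0xff);
-+
-current_policy->state = POLICY_EXECUTE_INIT;
-return r;
-
-diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c
-index 997fb504..0e2823cb 100644
---- a/src/tss2-fapi/ifapi_policyutil_execute.c
-+++ b/src/tss2-fapi/ifapi_policyutil_execute.c
-@@ -119,6 +119,10 @@ create_session(
-r = Esys_StartAuthSession_Finish(context->esys, session);
-if (r != TSS2_RC_SUCCESS)
-return r;
-+
-+ r = Esys_TRSess_SetAttributes(context->esys, *session,
-+ TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT,
-+ 0xff);
-context->policy.create_session_state = CREATE_SESSION_INIT;
-break;
-
---
-2.41.0
-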
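--- a/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From c7cd976e7152e3f5aaa813aaebf4ab1e5d9b1f3e Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen_repp@web.de>
-Date: Sun, 5 Mar 2023 19:19:22 +0100
-Subject: [PATCH 05/10] FAPI: Fix missing parameter encryption for some HMAC
-sessions.
-
-* For Fapi_CreateNv and Fap_NvSetBits the parameter encryption was not enabled.
-* For Fapi_Unseal the response description was not enabled.
-
-Signed-off-by: Juergen Repp <juergen_repp@web.de>
----
-src/tss2-fapi/api/Fapi_CreateNv.c | 2 +-
-src/tss2-fapi/api/Fapi_NvSetBits.c | 2 +-
-src/tss2-fapi/fapi_util.c | 3 ++-
-3 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/tss2-fapi/api/Fapi_CreateNv.c b/src/tss2-fapi/api/Fapi_CreateNv.c
-index 45e72e33..8160b99d 100644
---- a/src/tss2-fapi/api/Fapi_CreateNv.c
-+++ b/src/tss2-fapi/api/Fapi_CreateNv.c
-@@ -399,7 +399,7 @@ Fapi_CreateNv_Finish(
-context->primary_state = PRIMARY_INIT;
-r = ifapi_get_sessions_async(context,
-IFAPI_SESSION_GENEK | IFAPI_SESSION1,
-- 0, 0);
-+ TPMA_SESSION_DECRYPT, 0);
-goto_if_error_reset_state(r, "Create sessions", error_cleanup);
-fallthrough;
-
-diff --git a/src/tss2-fapi/api/Fapi_NvSetBits.c b/src/tss2-fapi/api/Fapi_NvSetBits.c
-index 0615aa12..adf332e0 100644
---- a/src/tss2-fapi/api/Fapi_NvSetBits.c
-+++ b/src/tss2-fapi/api/Fapi_NvSetBits.c
-@@ -282,7 +282,7 @@ Fapi_NvSetBits_Finish(
-/* Prepare session for authorization */
-r = ifapi_get_sessions_async(context,
-IFAPI_SESSION_GENEK | IFAPI_SESSION1,
-- 0, 0);
-+ TPMA_SESSION_DECRYPT, 0);
-goto_if_error_reset_state(r, "Create sessions", error_cleanup);
-
-fallthrough;
-diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
-index 55ce3327..ef4a92d0 100644
---- a/src/tss2-fapi/fapi_util.c
-+++ b/src/tss2-fapi/fapi_util.c
-@@ -2743,7 +2743,8 @@ ifapi_load_key(
-/* Prepare the session creation. */
-r = ifapi_get_sessions_async(context,
-IFAPI_SESSION_GENEK | IFAPI_SESSION1,
-- TPMA_SESSION_DECRYPT, 0);
-+ TPMA_SESSION_DECRYPT | TPMA_SESSION_ENCRYPT,
-+ 0);
-goto_if_error_reset_state(r, "Create sessions", error_cleanup);
-fallthrough;
-
---
-2.41.0
-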
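--- a/0006-FAPI-Fix-usage-of-persistent-handles.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From db8ccb1df778dc92d1be88a88ddcd9d6c92c3e63 Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen_repp@web.de>
-Date: Mon, 3 Apr 2023 21:21:55 +0200
-Subject: [PATCH 06/10] FAPI: Fix usage of persistent handles.
-
-* Evict control for persistent keys created with Fapi_CreateKey was
-called with the wrong handle.
-* If Fapi_Quote was executed with a primary key for this key flush
-context was called.
-
-Signed-off-by: Juergen Repp <juergen_repp@web.de>
----
-src/tss2-fapi/api/Fapi_Quote.c | 14 +++++++++-----
-src/tss2-fapi/fapi_util.c | 1 +
-2 files changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/src/tss2-fapi/api/Fapi_Quote.c b/src/tss2-fapi/api/Fapi_Quote.c
-index b71267a7..61e4e3db 100644
---- a/src/tss2-fapi/api/Fapi_Quote.c
-+++ b/src/tss2-fapi/api/Fapi_Quote.c
-@@ -392,16 +392,20 @@ Fapi_Quote_Finish(
-goto_if_error(r, "Error: PCR_Quote", error_cleanup);
-
-/* Flush the key used for the quote. */
-- r = Esys_FlushContext_Async(context->esys, command->handle);
-- goto_if_error(r, "Error: FlushContext", error_cleanup);
-+ if (!command->key_object->misc.key.persistent_handle) {
-+ r = Esys_FlushContext_Async(context->esys, command->handle);
-+ goto_if_error(r, "Error: FlushContext", error_cleanup);
-+ }
-command->handle = ESYS_TR_NONE;
-
-fallthrough;
-
-statecase(context->state, PCR_QUOTE_WAIT_FOR_FLUSH);
-- r = Esys_FlushContext_Finish(context->esys);
-- return_try_again(r);
-- goto_if_error(r, "Error: Sign", error_cleanup);
-+ if (!command->key_object->misc.key.persistent_handle) {
-+ r = Esys_FlushContext_Finish(context->esys);
-+ return_try_again(r);
-+ goto_if_error(r, "Error: Sign", error_cleanup);
-+ }
-
-sig_key_object = command->key_object;
-/* Convert the TPM-encoded signature into something useful for the caller. */
-diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
-index ef4a92d0..49f7dd07 100644
---- a/src/tss2-fapi/fapi_util.c
-+++ b/src/tss2-fapi/fapi_util.c
-@@ -4746,6 +4746,7 @@ ifapi_create_primary(
-
-statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WAIT_FOR_AUTHORIZE2);
-if (template->persistent_handle) {
-+ object->misc.key.persistent_handle = template->persistent_handle;
-r = ifapi_authorize_object(context, hierarchy, &auth_session);
-FAPI_SYNC(r, "Authorize hierarchy.", error_cleanup);
-
---
-2.41.0
-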
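--- a/0007-build-Fix-failed-build-with-disable-vendor.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From e46840f3ec5932f3f9206f3eab903d82b7a977db Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen_repp@web.de>
-Date: Mon, 27 Feb 2023 18:00:54 +0100
-Subject: [PATCH 07/10] build: Fix failed build with --disable-vendor
-
-The compilation of the marshaling functions for TPML_INTEL_PTT_PROPERTY
-is now disabled for builds with --disable-vendor.
-Fixes: #2571
-
-Signed-off-by: Juergen Repp <juergen_repp@web.de>
----
-include/tss2/tss2_tpm2_types.h | 2 ++
-src/tss2-mu/tpml-types.c | 2 ++
-tss2-dlopen/tss2-dlopen-mu.c | 2 ++
-3 files changed, 6 insertions(+)
-
-diff --git a/include/tss2/tss2_tpm2_types.h b/include/tss2/tss2_tpm2_types.h
-index 96286fb7..39a6978c 100644
---- a/include/tss2/tss2_tpm2_types.h
-+++ b/include/tss2/tss2_tpm2_types.h
-@@ -63,7 +63,9 @@
-#define TPM2_PRIVATE_VENDOR_SPECIFIC_BYTES ((TPM2_MAX_RSA_KEY_BYTES / 2) * (3 + 2))
-
-/* Vendor Specific Defines */
-+#ifndef DISABLE_VENDOR
-#define TPM2_MAX_PTT_PROPERTIES (TPM2_MAX_CAP_BUFFER / sizeof(UINT32))
-+#endif
-
-/* Attached Component Capabilities */
-#define TPM2_MAX_AC_CAPABILITIES (TPM2_MAX_CAP_BUFFER / sizeof(TPMS_AC_OUTPUT))
-diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c
-index 60f85a8c..1df9bbb8 100644
---- a/src/tss2-mu/tpml-types.c
-+++ b/src/tss2-mu/tpml-types.c
-@@ -175,8 +175,10 @@ TPML_MARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Marshal, pcrSelectio
-TPML_UNMARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Unmarshal, pcrSelections)
-TPML_MARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Marshal, digests, ADDR)
-TPML_UNMARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Unmarshal, digests)
-+#ifndef DISABLE_VENDOR
-TPML_MARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Marshal, property, VAL)
-TPML_UNMARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Unmarshal, property)
-+#endif
-TPML_MARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Marshal, acCapabilities, ADDR)
-TPML_UNMARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Unmarshal, acCapabilities)
-TPML_MARSHAL(TPML_TAGGED_POLICY, Tss2_MU_TPMS_TAGGED_POLICY_Marshal, policies, ADDR)
-diff --git a/tss2-dlopen/tss2-dlopen-mu.c b/tss2-dlopen/tss2-dlopen-mu.c
-index 2297818b..21cd1123 100644
---- a/tss2-dlopen/tss2-dlopen-mu.c
-+++ b/tss2-dlopen/tss2-dlopen-mu.c
-@@ -254,7 +254,9 @@ MAKE_MU_STRUCT(TPML_ALG_PROPERTY);
-MAKE_MU_STRUCT(TPML_ECC_CURVE);
-MAKE_MU_STRUCT(TPML_TAGGED_PCR_PROPERTY);
-MAKE_MU_STRUCT(TPML_TAGGED_TPM_PROPERTY);
-+#ifndef DISABLE_VENDOR
-MAKE_MU_STRUCT(TPML_INTEL_PTT_PROPERTY);
-+#endif
-MAKE_MU_STRUCT(TPML_AC_CAPABILITIES);
-MAKE_MU_STRUCT(TPML_TAGGED_POLICY);
-MAKE_MU_STRUCT(TPML_ACT_DATA);
---
-2.41.0
-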
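--- a/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From acb274ee0c59d6159b66e2df08aaf410e179f5f9 Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen_repp@web.de>
-Date: Mon, 10 Apr 2023 20:20:24 +0200
-Subject: [PATCH 08/10] FAPI: Fapi_GetInfo display warning for SHA3 hash algs.
-
-Currenlty FAPI_GetInfo did produce errors if the TPM implements
-SHA3 hash algs. Now a warning is displayed.
-
-Signed-off-by: Juergen Repp <juergen_repp@web.de>
----
-src/tss2-fapi/tpm_json_serialize.c | 8 ++++++++
-1 file changed, 8 insertions(+)
-
-diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c
-index 1eaa4eb2..65320da6 100644
---- a/src/tss2-fapi/tpm_json_serialize.c
-+++ b/src/tss2-fapi/tpm_json_serialize.c
-@@ -1558,6 +1558,14 @@ ifapi_json_TPMS_ALG_PROPERTY_serialize(const TPMS_ALG_PROPERTY *in, json_object
-return_if_null(in, "Bad reference.", TSS2_FAPI_RC_BAD_REFERENCE);
-
-TSS2_RC r;
-+
-+ if ((in->alg == TPM2_ALG_SHA3_256 ||
-+ in->alg == TPM2_ALG_SHA3_384 ||
-+ in->alg == TPM2_ALG_SHA3_512)) {
-+ LOG_WARNING("SHA3 hash algs are not supported by TSS");
-+ return TSS2_RC_SUCCESS;
-+ }
-+
-json_object *jso2;
-if (*jso == NULL)
-*jso = json_object_new_object ();
---
-2.41.0
-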
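--- a/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e43323dd5c089ed6af0a6a77b30f97350e1fbb6a Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen_repp@web.de>
-Date: Sun, 9 Apr 2023 08:38:56 +0200
-Subject: [PATCH 09/10] FAPI: Skip provisioning test for nv ext and profile
-paths.
-
-The provisioning test in ifapi_check_provisioned will be skipped
-for ext nv and profile paths. The test did produce inappropriate
-error messages if the corresponding paths did not exist in keystore.
-The test is only needed for pathnames starting with the profile.
-Fixes: #2596
-
-Signed-off-by: Juergen Repp <juergen_repp@web.de>
----
-src/tss2-fapi/ifapi_keystore.c | 8 ++++++++
-1 file changed, 8 insertions(+)
-
-diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
-index 7e50ee1e..38c2f7fd 100644
---- a/src/tss2-fapi/ifapi_keystore.c
-+++ b/src/tss2-fapi/ifapi_keystore.c
-@@ -1772,6 +1772,14 @@ ifapi_check_provisioned(
-
-*ok = false;
-
-+ /* No profile in path, test can be skipped. */
-+ if (ifapi_path_type_p(rel_path, IFAPI_NV_PATH) ||
-+ ifapi_path_type_p(rel_path, IFAPI_POLICY_PATH) ||
-+ ifapi_path_type_p(rel_path, IFAPI_EXT_PATH)) {
-+ *ok = true;
-+ return TSS2_RC_SUCCESS;
-+ }
-+
-/* First expand path in user directory */
-r = expand_path(keystore, rel_path, &directory);
-goto_if_error(r, "Expand path", cleanup);
---
-2.41.0
-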
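--- a/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 12519626a221f0e4c20e66ec101429fc0f321c6f Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen_repp@web.de>
-Date: Fri, 12 May 2023 09:30:53 +0200
-Subject: [PATCH 10/10] FAPI: Fix wrong allocation of pcr policy.
-
-The list of pcr registers was was allocated with the wrong size in the
-function copy_policy_element which caused a segfault if more than one
-pcr was used.
-
-Signed-off-by: Juergen Repp <juergen_repp@web.de>
----
-src/tss2-fapi/ifapi_helpers.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c
-index e1c4220b..5c574717 100644
---- a/src/tss2-fapi/ifapi_helpers.c
-+++ b/src/tss2-fapi/ifapi_helpers.c
-@@ -1343,7 +1343,7 @@ copy_policy_element(const TPMT_POLICYELEMENT *from_policy, TPMT_POLICYELEMENT *t
-case POLICYPCR:
-to_policy->element.PolicyPCR.pcrs =
-calloc(1, sizeof(TPML_PCRVALUES) +
-- from_policy->element.PolicyPCR.pcrs->count + sizeof(TPMS_PCRVALUE));
-+ from_policy->element.PolicyPCR.pcrs->count * sizeof(TPMS_PCRVALUE));
-goto_if_null2(to_policy->element.PolicyPCR.pcrs, "Out of memory.",
-r, TSS2_FAPI_RC_MEMORY, error);
-to_policy->element.PolicyPCR.pcrs->count
---
-2.41.0
-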
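--- a/<spec file, path not shown on page>
+++ b/<spec file, path not shown on page>
@@ -1,6 +1,6 @@
 Name: tpm2-tss
-Version: 3.2.2
-Release: 2%{?dist}
+Version: 3.2.3
+Release: 1%{?dist}
 Summary: TPM2.0 Software Stack
 
 License: BSD
@@ -10,16 +10,6 @@ Source1: tpm2-tss-systemd-sysusers.conf
 # doxygen patch
 Patch0: tpm2-tss-3.0.0-doxygen.patch
 Patch2: 0001-esys_iutil-fix-possible-NPD.patch
-Patch3: 0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
-Patch4: 0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
-Patch5: 0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
-Patch6: 0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
-Patch7: 0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
-Patch8: 0006-FAPI-Fix-usage-of-persistent-handles.patch
-Patch11: 0007-build-Fix-failed-build-with-disable-vendor.patch
-Patch12: 0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
-Patch13: 0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
-Patch14: 0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
 
 %global udevrules_prefix 60-
 
@@ -125,6 +115,10 @@ use tpm2-tss.
 
 
 %changelog
+* Thu May 30 2024 Štěpán Horáček <shoracek@redhat.com> - 3.2.3-1
+- Rebase to 3.2.3
+Resolves: RHEL-23206
+
 * Mon Jul 3 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-2
 - Remove misapplied license
 Resolves: rhbz#2160307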
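Review bot: The second hunk drops Patch3 through Patch14 — ten backports that include the FAPI parameter-encryption fixes, the persistent-handle flush fix and the PolicyPCR calloc sizing fix — on the assumption that the 3.2.3 tarball carries all of them, yet nothing in the spec records that and the new changelog entry says only `- Rebase to 3.2.3`. I would extend the changelog with a line such as `- Drop patches 0001-0010, merged upstream in 3.2.3` and confirm each dropped subject against the 3.2.3 sources before the build, since a backport silently lost in a rebase regresses a fix that is hard to notice at runtime. Patch2 (`0001-esys_iutil-fix-possible-NPD.patch`) is kept; it is worth checking whether it still applies cleanly to 3.2.3 or was also merged upstream. The trailing added blank line after `Resolves: RHEL-23206` is presumably the entry separator and is fine as is.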