373 lines
15 KiB
Plaintext
373 lines
15 KiB
Plaintext
|
-------------------------------------------------------------------
|
||
|
Tue May 2 09:55:28 UTC 2023 - Marcus Meissner <meissner@suse.com>
|
||
|
|
||
|
- remove python3 dependency, no longer needed after rewrite (bsc#1211010)
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Tue Mar 21 12:45:54 UTC 2023 - Marcus Meissner <meissner@suse.com>
|
||
|
|
||
|
- swtpm-fix-build.patch: disable -Wstack-protector, it fails on s390x
|
||
|
bsc#1209117
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Mon Mar 6 20:21:50 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
|
||
|
- Drop trousers requirement
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Mon Mar 6 16:34:33 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
|
||
|
- Update to version 0.8.0:
|
||
|
* swtpm:
|
||
|
+ Implement release-lock-outgoing parameter for --migration option
|
||
|
+ Introduce --migration option and 'incoming' parameter
|
||
|
+ Implement terminate parameter for ctrl channel loss
|
||
|
+ Add a chroot option
|
||
|
+ Introduce disable-auto-shutdown flag for --flags option
|
||
|
+ If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
|
||
|
+ Add some more recent syscalls to seccomp profile
|
||
|
+ Disable OpenSSL FIPS mode to avoid libtpms failures
|
||
|
+ Avoid locking directory multiple times
|
||
|
+ Remove support for pre-v0.1 state files without header
|
||
|
+ Use uint64_t in tlv_data_append() to avoid integer overflows
|
||
|
+ Use uint64_t to avoid integer wrap-around when adding a uint32_t
|
||
|
+ Do not chdir(/) when using --daemon
|
||
|
+ Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
|
||
|
+ Fixes for gcc 12.2.1 -fanalyzer
|
||
|
* build-sys:
|
||
|
+ Fix configure script to support _FORTIFY_SOURCE=3
|
||
|
+ Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
|
||
|
* swtpm-localca:
|
||
|
+ Re-implement variable resolution for swtpm-localca.conf
|
||
|
+ Test for available issuercert before creating CA
|
||
|
* swtpm_setup:
|
||
|
+ Configure swtpm to log to stdout/err if needed (glib >=2.74)
|
||
|
* tests:
|
||
|
+ Use ${WORKDIR} in config files to test env. var replacement
|
||
|
+ Patch IBM TSS2 test suite for OpenSSL 3.x
|
||
|
* build-sys:
|
||
|
+ Add probing for -fstack-protector
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Fri Apr 29 07:41:51 UTC 2022 - Marcus Meissner <meissner@suse.com>
|
||
|
|
||
|
- Updated to version 0.7.3:
|
||
|
- swtpm:
|
||
|
- Use uint64_t in tlv_data_append() to avoid integer overflows
|
||
|
- Use uint64_t to avoid integer wrap-around when adding a uint32_t
|
||
|
- removed allow-FORTIFY_SOURCE=3.patch (upstreamed)
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Wed Apr 6 07:55:48 UTC 2022 - Martin Liška <mliska@suse.cz>
|
||
|
|
||
|
- Cheery-pick upstream patch allow-FORTIFY_SOURCE=3.patch.
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Wed Mar 9 14:07:03 UTC 2022 - Wolfgang Frisch <wolfgang.frisch@suse.com>
|
||
|
|
||
|
- Update to version 0.7.2:
|
||
|
- swtpm:
|
||
|
- Do not chdir(/) when using --daemon
|
||
|
- swtpm-localca:
|
||
|
- Re-implement variable resolution for swtpm-localca.conf
|
||
|
- tests:
|
||
|
- Use ${WORKDIR} in config files to test env. var replacement
|
||
|
- man pages:
|
||
|
- Add missing .config directory to path description when using ${HOME}
|
||
|
- build-sys:
|
||
|
- Add probing for -fstack-protector
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Mon Feb 21 12:04:56 UTC 2022 - Marcus Meissner <meissner@suse.com>
|
||
|
|
||
|
- Update to version 0.7.1:
|
||
|
- swtpm:
|
||
|
- Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
|
||
|
- swtpm_localca:
|
||
|
- Test for available issuercert before creating CA
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Wed Nov 10 08:49:00 UTC 2021 - Marcus Meissner <meissner@suse.com>
|
||
|
|
||
|
- Update to version 0.7.0:
|
||
|
- swtpm:
|
||
|
- Support for linear file storage backend (file://)
|
||
|
- Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what
|
||
|
libtpms supports
|
||
|
- Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
|
||
|
- Wipe keys from stack and heap
|
||
|
- Many other small changes
|
||
|
- Make --daemon not racy
|
||
|
- swtpm_setup:
|
||
|
- Only activate SHA256 PCR bank, not SHA1 bank anymore by default
|
||
|
- Support for linear file storage backend (file://)
|
||
|
- Implement option --create-config-files to create config files
|
||
|
- Use non-deprecated APIs to contruct RSA key (OSSL 3)
|
||
|
- Report stderr as returned by external tool (swtpm-localcal)
|
||
|
- Replace '+' and ',' characters in VMId's to make work with
|
||
|
common name in X509 subject
|
||
|
- Add support for --reconfigure flag to change active PCR banks
|
||
|
- swtpm_localca:
|
||
|
- Created certificates for CAs and TPM that do not expire
|
||
|
- swtpm_cert:
|
||
|
- Allow passing -1 for days to get a non-expiring certificate
|
||
|
- test:
|
||
|
- ASAN-related test changes and skipping of tests if ASAN is used
|
||
|
- Fix tests using tpm2-abrmd by preventing concurrency
|
||
|
- Skip chardev related tests after checking for chardev support
|
||
|
- exit with error code if mktemp fails
|
||
|
- OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test
|
||
|
- build-sys:
|
||
|
- Introduce --enable-sanitizers to configure
|
||
|
- Remove check for pip3 that was used by python swtpm_setup
|
||
|
- Allow passing of aditional CFLAGS during build
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Wed Sep 22 09:33:29 UTC 2021 - Marcus Meissner <meissner@suse.com>
|
||
|
|
||
|
- Update to version 0.6.1:
|
||
|
- swtpm:
|
||
|
- Clear keys from stack and heap
|
||
|
- swtpm-localca:
|
||
|
- Add missing else branch for pkcs11 and PIN
|
||
|
- swtpm_setup:
|
||
|
- Initialize Gerror and free it
|
||
|
- Replace '\\s' in regex with [[:space:]] to fix cygwin
|
||
|
- tests:
|
||
|
- Kill tpm2-abrmd with SIGKILL rather SIGTERM
|
||
|
- build-sys:
|
||
|
- Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3)
|
||
|
- Enable configuring with CFLAGS and passing additional CFLAGS on build
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Sat Aug 7 15:02:40 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
|
||
|
|
||
|
- Update to version 0.6.0:
|
||
|
- Addressed potential symlink attack issue (CVE-2020-28407)
|
||
|
- Rewritten in 'C'; needs json-glib
|
||
|
- Use timeouts for communicating with swtpm (Unix socket)
|
||
|
- Fix --print-capabilities for 'swtpm chardev'
|
||
|
- Various cleanups and fixes (coverity)
|
||
|
- Enable selinux support
|
||
|
- Removed swtpm-rename_deprecated_libtasn1_types.patch: upstream
|
||
|
- Fix rpmlint errors
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Thu May 20 06:56:39 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
|
||
|
|
||
|
- swtpm_cert: rename deprecated libtasn1 types.
|
||
|
* https://github.com/stefanberger/swtpm/pull/443
|
||
|
* Add swtpm-rename_deprecated_libtasn1_types.patch
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Sun Dec 27 11:42:50 UTC 2020 - Marcus Meissner <meissner@suse.com>
|
||
|
|
||
|
- Update to version 0.5.2
|
||
|
- swtpm:
|
||
|
- Fix potential buffer overflow related to largely unused data hashing
|
||
|
function in control channel
|
||
|
- swtpm: Unconditionally close fd if writing of pidfile fails (coverity)
|
||
|
- swtpm_setup:
|
||
|
- Increase timeout from 10s to 30s for slower machines
|
||
|
- Travis:
|
||
|
- Not building on OS X anymore due to additional costs
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Tue Dec 22 07:53:04 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||
|
|
||
|
- Use "Requires user(tss)" for the "tss" user and group
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Tue Dec 22 04:06:10 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||
|
|
||
|
- Create /var/lib/swtpm-localca to store the keys created by
|
||
|
swtpm-localca (bsc#1179811)
|
||
|
- Replace net-tools-deprecated with iproute2 since the scripts in
|
||
|
swtpm now can use 'ss' instead of 'netstat'
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Sun Nov 22 03:16:13 UTC 2020 - Kai Liu <kai.liu@suse.com>
|
||
|
|
||
|
- Update to version 0.5.1
|
||
|
* swtpm & swtpm_setup:
|
||
|
- Addressed potential symlink attack issue (CVE-2020-28407)
|
||
|
* build-sys:
|
||
|
- Fix configure python cryptography error message
|
||
|
|
||
|
- Misc. spec file changes.
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Tue Oct 13 14:57:25 UTC 2020 - Kai Liu <kai.liu@suse.com>
|
||
|
|
||
|
- Update Requires and BuildRequires for changes since 0.4.0.
|
||
|
|
||
|
- Remove patch files that are no longer needed:
|
||
|
* swtpm-adjust-seccomp-path.patch
|
||
|
* swtpm-setup-tcsd-path.patch
|
||
|
* swtpm-tpm-tools-path.patch
|
||
|
|
||
|
- Update to version 0.5.0
|
||
|
* swtpm:
|
||
|
- Write files atomically using a temp file and then renaming
|
||
|
* swtpm_setup:
|
||
|
- Removed remaining 'c' wrapper program
|
||
|
- Do not truncate logfile when testing write-access (regression)
|
||
|
- Remove TPM state file in case error occurred
|
||
|
* swtpm-localca:
|
||
|
- Rewrite in python
|
||
|
- Allow passing pkcs11 PIN using signingkey_password
|
||
|
- Allow passing environment variables needed for pkcs11 modules using
|
||
|
swtpm-localca.conf and format 'env:VARNAME=VALUE'.
|
||
|
* build-sys:
|
||
|
- Add python-install and python-uninstall targets
|
||
|
- Add configure option to disable installation of Python module
|
||
|
- Use -Wl,-z,relro and -Wl,-z,now only when linking (clang)
|
||
|
- Use AC_LINK_IFELSE to check whether support for hardening flags
|
||
|
|
||
|
- Changes from version 0.4.1
|
||
|
* swtpm_setup:
|
||
|
- Do not hardcode '/etc' but use SYSCONFDIR
|
||
|
- Fix support for -h and -? options
|
||
|
- Add missing .config path when using ${HOME}
|
||
|
* swtpm-localca:
|
||
|
- Apply password for signing key when creating platform cert
|
||
|
- Properly apply passwords for localca signing key
|
||
|
|
||
|
- Changes from version 0.4.0
|
||
|
* swtpm:
|
||
|
- Invoke print capabilities after choosing TPM version
|
||
|
- Add some recent syscalls to seccomp blacklist
|
||
|
* swtpm_cert:
|
||
|
- Support --ecc-curveid option to pass curve id
|
||
|
* swtpm_setup & related scripts:
|
||
|
- Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd
|
||
|
and TPM tools anymore; new dependencies:
|
||
|
- python3: pip, cryptography, setuptools
|
||
|
dropped dependencies for swtpm_setup:
|
||
|
- tcsd, expect, tpm-tools (some still needed for pkcs11 tests)
|
||
|
- Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to
|
||
|
ECC NIST P384 curve; default RSA key size is still 2048
|
||
|
- Added support for --rsa-keysize option
|
||
|
- Extend script to create a CA using a TPM 2 for signing
|
||
|
* tests:
|
||
|
- Use the IBM TSS2 v1.5.0's test suite
|
||
|
- Add test case for loading of an NVRAM completely full with keys
|
||
|
- Have softhsm_setup use temporary directory for softhsm config & state
|
||
|
- various other improvements
|
||
|
* man pages:
|
||
|
- Improvements
|
||
|
* build-sys:
|
||
|
- clang: properly test for linker flag 'now' and 'relro'
|
||
|
- Gentoo: explicitly link libswtpm_libtpms with -lcrypto
|
||
|
- Ownership of /var/lib/swtpm-localca is now tss:root and
|
||
|
mode flags 0750.
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Thu Aug 13 01:37:06 UTC 2020 - Kai Liu <kai.liu@suse.com>
|
||
|
|
||
|
- Update to version 0.3.4:
|
||
|
* swtpm:
|
||
|
- Fix compilation for cygwin
|
||
|
* swtpm_setup & swtpm-localca:
|
||
|
- Get rid of bash's eval when invoking external tools to avoid abuse.
|
||
|
Only use eval for 'resolving' variables.
|
||
|
* tests:
|
||
|
- Various fixes of minor issues
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Thu Jul 30 14:14:22 UTC 2020 - Kai Liu <kai.liu@suse.com>
|
||
|
|
||
|
- Update to version 0.3.3:
|
||
|
* swtpm_setup:
|
||
|
- openSUSE: Support tcsd configuration where tss user != tss group,
|
||
|
such as root/tss; Fedora & Ubuntu for example use tss/tss
|
||
|
* build-sys:
|
||
|
- Check whether tss user and group are available
|
||
|
|
||
|
- Add tss user & group build flags per upstream instruction. This
|
||
|
together with v0.3.3 fixed the bug with TPM 1.2 emulation.
|
||
|
Related upstream bug:
|
||
|
https://github.com/stefanberger/swtpm/issues/284
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Sat Jul 11 08:31:54 UTC 2020 - Kai Liu <kai.liu@suse.com>
|
||
|
|
||
|
- Update to 0.3.2:
|
||
|
+ swtpm:
|
||
|
+ Remove unnecessary #include <seccomp.h> (fixes SuSE build)
|
||
|
+ Make coverity happy by handling default case in case
|
||
|
statement
|
||
|
+ swtpm_setup:
|
||
|
+ bugfix: Create ECC storage primary key in owner hierarchy
|
||
|
+ bugfix: remove tpm2_stirrandom and tpm2_changeeps
|
||
|
+ tests:
|
||
|
+ Adjusted pcrUpdateCounter in tests to succeed with PCR TCB
|
||
|
group fixes in libtpms TPM 2 code
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Wed Apr 22 03:25:36 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||
|
|
||
|
- Update to 0.3.1
|
||
|
+ swtpm: Fix vtpm proxy case without startup flags
|
||
|
+ swtpm: Only call memcpy if tocopy != 0 (coverity)
|
||
|
+ man: Document new startup options and capabilities
|
||
|
advertisement
|
||
|
+ swtpm: Enable sending startup commands before processing
|
||
|
commands
|
||
|
+ swtpm_cert: Accept serial numbers that use up to 64bits
|
||
|
+ swtpm_cert: Use getopt_long_only to parse options
|
||
|
+ swtpm_cert: Add support for --print-capabilities option
|
||
|
+ swtpm_cert: Allow passing signing key and parent key via new
|
||
|
option
|
||
|
+ swtpm_setup: Enable spaces in paths and other variables
|
||
|
+ swtpm_ioctl: Calculate strlen(input) only once
|
||
|
+ swtpm_ioctl: Block SIGPIPE so we can get EPIPE on write()
|
||
|
+ swtpm_bios: Block SIGPIPE so we can get EPIPE on write()
|
||
|
+ swtpm: Only accept() new client ctrl connection if we have none
|
||
|
+ swtpm_setup: Do not fail on future PCR banks' hashes
|
||
|
+ swtpm_setup: Use 1st part of SWTPM_EXE/SWTPM_IOCTL to determine
|
||
|
executable
|
||
|
+ swtpm_setup: Keep reserved range of file descriptors for
|
||
|
swtpm_setup.sh
|
||
|
+ swtpm_setup: Log about encryption and fix c&p error in err msg
|
||
|
+ swtpm: Add --print-capabilities to help screen of
|
||
|
'swtpm chardev'
|
||
|
+ swtpm_ioctl: Fix uninitialized variable 'pgi'
|
||
|
+ swtpm_cert: Use gnutls_x509_crt_get_subject_key_id API call for
|
||
|
subj keyId
|
||
|
+ swtpm_cert: Fix OIDs for TPM 2 platforms data
|
||
|
+ swtpm: Fix typo in error report: HMAC instead of hash
|
||
|
+ swtpm: Use writev_full rather than writev; fixes --vtpm-proxy
|
||
|
EIO error
|
||
|
- Refresh swtpm-setup-tcsd-path.patch
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Fri Jan 3 01:52:45 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||
|
|
||
|
- Amend swtpm-adjust-seccomp-path.patch to add the missing seccomp
|
||
|
paths
|
||
|
- Adjust the conditional check of net-tools-deprecated for SLE15
|
||
|
and SLE15-SP1
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Thu Sep 5 08:00:27 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
|
||
|
|
||
|
- Update to 0.2.0
|
||
|
+Linux: swtpm now runs with a seccomp profile (blacklist) if
|
||
|
compiled with libseccomp support
|
||
|
+ Added subpport for passing key and passphrase via file
|
||
|
descriptor
|
||
|
+ TPM 2 commands can now be prefixed by 'the TCG header' and
|
||
|
responses will have a 4-byte prefix and 4-byte suffix.
|
||
|
+ Added --print-capabilities command line option
|
||
|
+ Proper handling on EINTR on read, poll, and write
|
||
|
- Patches to adjust the pathes
|
||
|
+ swtpm-tpm-tools-path.patch
|
||
|
+ swtpm-setup-tcsd-path.patch
|
||
|
+ swtpm-adjust-seccomp-path.patch
|
||
|
|
||
|
-------------------------------------------------------------------
|
||
|
Tue May 15 08:37:16 UTC 2018 - glin@suse.com
|
||
|
|
||
|
- Initial import: 0.1.0-dev2
|