Sync from SUSE:SLFO:Main tboot revision 64f224abbf0d4d8655985b63e041b3d7

This commit is contained in:
Adrian Schröter 2024-05-04 01:04:42 +02:00
commit 56307bbf31
8 changed files with 949 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

BIN
tboot-1.11.1.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

26
tboot-distributor.patch Normal file
View File

@ -0,0 +1,26 @@
Index: tboot-1.9.8/tboot/20_linux_tboot
===================================================================
--- tboot-1.9.8.orig/tboot/20_linux_tboot
+++ tboot-1.9.8/tboot/20_linux_tboot
@@ -72,7 +72,7 @@ CLASS="--class gnu-linux --class gnu --c
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
OS=GNU/Linux
else
- OS="${GRUB_DISTRIBUTOR} GNU/Linux"
+ OS="${GRUB_DISTRIBUTOR}"
CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
fi
Index: tboot-1.9.8/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.9.8.orig/tboot/20_linux_xen_tboot
+++ tboot-1.9.8/tboot/20_linux_xen_tboot
@@ -63,7 +63,7 @@ CLASS="--class gnu-linux --class gnu --c
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
OS=GNU/Linux
else
- OS="${GRUB_DISTRIBUTOR} GNU/Linux"
+ OS="${GRUB_DISTRIBUTOR}"
CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1) ${CLASS}"
fi

View File

@ -0,0 +1,117 @@
From: Michael Chang <mchang@suse.com>
Subject: [PATCH] fix menu in xen host server
References: bnc#771689, bnc#757895
Patch-Mainline: no
When system is configred as "Xen Virtual Machines Host Server", the
grub2 menu is not well organized. We could see some issues on it.
- Many duplicated xen entries generated by links to xen hypervisor
- Non bootable kernel entries trying to boot xen kernel natively
- The -dbg xen hypervisor takes precedence over release version
This patch fixes above three issues.
v2:
References: bnc#877040
Create only hypervisor pointed by /boot/xen.gz symlink to not clutter
the menu with multiple versions and also not include -dbg. Use custom.cfg
if you need any other custom entries.
v3:
References: bnc#865815
Porting to tboot in order to fix duplicated xen entries
Index: tboot-1.11.1/tboot/20_linux_tboot
===================================================================
--- tboot-1.11.1.orig/tboot/20_linux_tboot
+++ tboot-1.11.1/tboot/20_linux_tboot
@@ -219,6 +219,49 @@ while [ "x${tboot_list}" != "x" ] && [ "
break
fi
done
+
+ config=
+ for i in "${dirname}/config-${version}" "${dirname}/config-${alt_version}" "/etc/kernels/kernel-config-${version}" ; do
+ if test -e "${i}" ; then
+ config="${i}"
+ break
+ fi
+ done
+
+ # try to get the kernel config if $linux is a symlink
+ if test -z "${config}" ; then
+ lnk_version=`basename \`readlink -f $linux\` | sed -e "s,^[^0-9]*-,,g"`
+ if (test -n ${lnk_version} && test -e "${dirname}/config-${lnk_version}") ; then
+ config="${dirname}/config-${lnk_version}"
+ fi
+ fi
+
+ # check if we are in xen domU
+ if [ ! -e /proc/xen/xsd_port -a -e /proc/xen ]; then
+ # we're running on xen domU guest
+ dmi=/sys/class/dmi/id
+ if [ -r "${dmi}/product_name" -a -r "${dmi}/sys_vendor" ]; then
+ product_name=`cat ${dmi}/product_name`
+ sys_vendor=`cat ${dmi}/sys_vendor`
+ if test "${sys_vendor}" = "Xen" -a "${product_name}" = "HVM domU"; then
+ # xen HVM guest
+ xen_pv_domU=false
+ fi
+ fi
+ else
+ # we're running on baremetal or xen dom0
+ xen_pv_domU=false
+ fi
+
+ if test "$xen_pv_domU" = "false" ; then
+ # prevent xen kernel without pv_opt support from booting
+ if (grep -qx "CONFIG_XEN=y" "${config}" 2> /dev/null && ! grep -qx "CONFIG_PARAVIRT=y" "${config}" 2> /dev/null); then
+ echo "Skip xenlinux kernel $linux" >&2
+ list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
+ continue
+ fi
+ fi
+
if test -n "${initrd}" ; then
echo "Found initrd image: ${dirname}/${initrd}" >&2
else
Index: tboot-1.11.1/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.11.1.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.1/tboot/20_linux_xen_tboot
@@ -58,6 +58,12 @@ fi
export TEXTDOMAIN=grub
export TEXTDOMAINDIR=${prefix}/share/locale
+if [ ! -e /proc/xen/xsd_port -a -e /proc/xen ]; then
+# we're running on xen domU guest
+# prevent setting up nested virt on HVM or PV domU guest
+ exit 0
+fi
+
CLASS="--class gnu-linux --class gnu --class os --class xen"
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
@@ -191,9 +197,17 @@ linux_list=`for i in /boot/vmlinu[xz]-*
if [ "x${linux_list}" = "x" ] ; then
exit 0
fi
-xen_list=`for i in /boot/xen*; do
- if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
- done`
+# bnc#877040 - Duplicate entries for boot menu created
+# only create /boot/xen.gz symlink boot entry
+if test -L /boot/xen.gz; then
+ xen_list=`readlink -f /boot/xen.gz`
+else
+ # bnc#757895 - Grub2 menu items incorrect when "Xen Virtual Machines Host Server" selected
+ # wildcard expasion with correct suffix (.gz) for not generating many duplicated menu entries
+ xen_list=`for i in /boot/xen*.gz; do
+ if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then echo -n "$i " ; fi
+ done`
+fi
tboot_list=`for i in /boot/tboot*.gz; do
if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
done`

View File

@ -0,0 +1,19 @@
From: Michael Chang <mchang@suse.com>
Subject: fix xen submenu name to show tboot version
References: bnc#865815
Patch-Mainline: no
Index: tboot-1.11.1/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.11.1.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.1/tboot/20_linux_xen_tboot
@@ -246,7 +246,7 @@ while [ "x${xen_list}" != "x" ] ; do
rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
tboot_version="1.11.1"
list="${linux_list}"
- echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{"
+ echo "submenu \"Xen ${xen_version} with Tboot ${tboot_version}\"{"
while [ "x$list" != "x" ] ; do
linux=`version_find_latest $list`
echo "Found linux image: $linux" >&2

View File

@ -0,0 +1,66 @@
Index: tboot-1.9.12/tboot/20_linux_tboot
===================================================================
--- tboot-1.9.12.orig/tboot/20_linux_tboot
+++ tboot-1.9.12/tboot/20_linux_tboot
@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
. ${sysconfdir}/default/grub-tboot
fi
+secureBootActive()
+{
+ for secboot_var in /sys/firmware/efi/efivars/SecureBoot-*; do
+ [ ! -e "$secboot_var" ] && continue
+
+ # this variable contains a '1' byte at the end if secure boot is enabled
+ local secboot_byte=`od --address-radix=n --format=u1 "$secboot_var" | tr -d ' \n' | tail -c 1`
+
+ [ "$secboot_byte" = "1" ] && return 0
+ done
+
+ return 1
+}
+
+if secureBootActive; then
+ cat >&2 << EOF
+Not generating tboot menu entries, because UEFI Secure Boot is active.
+tboot is not compatible with UEFI Secure Boot.
+EOF
+ exit 0
+fi
+
# Set the following variables in /etc/default/grub-tboot to customize command lines
# (empty values are treated as if the variables were unset).
[ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT
Index: tboot-1.9.12/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.9.12.orig/tboot/20_linux_xen_tboot
+++ tboot-1.9.12/tboot/20_linux_xen_tboot
@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
. ${sysconfdir}/default/grub-tboot
fi
+secureBootActive()
+{
+ for secboot_var in /sys/firmware/efi/efivars/SecureBoot-*; do
+ [ ! -e "$secboot_var" ] && continue
+
+ # this variable contains a '1' byte at the end if secure boot is enabled
+ local secboot_byte=`od --address-radix=n --format=u1 "$secboot_var" | tr -d ' \n' | tail -c 1`
+
+ [ "$secboot_byte" = "1" ] && return 0
+ done
+
+ return 1
+}
+
+if secureBootActive; then
+ cat >&2 << EOF
+Not generating tboot menu entries, because UEFI Secure Boot is active.
+tboot is not compatible with UEFI Secure Boot.
+EOF
+ exit 0
+fi
+
# Set the following variables in /etc/default/grub-tboot to customize command lines
# (empty values are treated as if the variables were unset).
[ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT

590
tboot.changes Normal file
View File

@ -0,0 +1,590 @@
-------------------------------------------------------------------
Mon Feb 6 10:52:29 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>
- required update due to openSSL 3.0 deprecation errors in current version
- updated to v1.11.1 / 20230125:
20230125: v1.11.1
- Revert log memory range extension (caused memory overlaps and boot failures)
20221223: v1.11.0
- Fixed TPM handling to flush objects after integrity measurement (Intel PTT limitations)
- Exteded low memory range for logs (HCC CPUs had issue with not enough memory)
- "agile" removed from PCR Extend policy options (requested deprecation)
- Added handling for flexible ACM Info Table format
- lcptools: CPPFLAGS use by environment in build
- lcptools: removed __DATE__ refs to make build reproducible
- Only platform-matchin SINIT modules can be selected
- txt-acminfo: Map TXT heap using mmap
- Typo fix in man page
20220304: v1.10.5
- Fixed mlehash.c to bring back functionality and make it GCC12 compliant
- Reverted change for replacing EFI memory to bring back Tboot in-memory logs
20220224: v1.10.4
- Fix hash printing for SHA384, SHA512 and SM3
- Touch ups for GCC12
- Set GDT to map CS and DS to 4GB before jumping to Linux
- make efi_memmap_reserve handle gaps like e820_protect_region
- Ensure that growth of Multiboot tags does not go beyond original area
- Replace EFI memory map in Multiboot2 info
- Fix endianness of pcr_info->pcr_selection.size_of_select
- Don't ignore locality in PCR file
- Fix composite hashing algorithm for PCONF elements to match lcptools-1
20211210: v1.10.3
- Add UNI-VGA license information
- Remove poly1305 object files on clean
- Support higher resolution monitors
- Use SHA256 as default hashing algorithm in lcp2_mlehash and tb_polgen
- Add OpenSSL 3.0.0 support in lcptools-v2
- Increase number of supported CPUs to 1024 to accomodate for larger units
- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new
upstream version.
- tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream
version.
-------------------------------------------------------------------
Fri Jun 11 07:29:02 UTC 2021 - Marcus Meissner <meissner@suse.com>
- updated to v1.10.2 / 20210614
Fix ACM chipset/processor list validation
Check for client/server match when selecting SINIT
Fix issues when building with GCC11
Default to D/A mapping when TPM1.2 and CBnT platform
- updated to 1.10.1 / 20210330
- Indicate to SINIT that CBnT is supported by TBOOT
- lcptools: Fix issues from static code analysis
-------------------------------------------------------------------
Tue Jan 19 14:35:38 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
- release 1.10.0 ramifications:
- README is now README.md
- acminfo and parse_err now are called txt-acminfo and txt-parse_err
- lcptools are deprecated (tpm 1.2, TrouSerS dependency) and are no longer
packaged.
- no longer needs TrouSerS dependency due to deprecation
-------------------------------------------------------------------
Tue Jan 19 14:00:53 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new
upstream version.
- tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream
version.
-------------------------------------------------------------------
Tue Jan 19 13:35:07 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
- update to new upstream release 1.10.0:
- Rename TXT related tools to have 'txt-' prefix
- Clarify license issues
- Fix issues reported by Coverity Scan
- Ensure txt-acminfo does not print false information if msr is not loaded
- Fix issue with multiboot(1) booting - infinite loop during boot
- Fix issue with TPM1.2 - invalid default policy
- Unmask NMI# after returning from SINIT
- Update GRUB scripts to use multiboot2 only
- Enable VGA logging for EFI platforms
- Add warning when using SHA1 as hashing algorithm
- Add Doxygen documentation
- Replace VMAC with Poly1305
- Validate TPM NV index attributes
- Move old lcptool to deprecated folder and exclude from build
- TrouSerS is not longer required to build
- lcptools-v2: meet requirements from MLE DG rev16
- lcptools-v2: Implement SM2 signing and SM2 signature verification
- lcptools-v2: Set aux_hash_alg_mask to 0 when policy version != 0x300
- dropped tboot-Unmask-NMI-after-returning-from-SINIT.patch (upstream)
-------------------------------------------------------------------
Thu Nov 12 12:19:51 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
- add tboot-grub2-refuse-secure-boot.patch: don't generate tboot menu entries
in grub when the system is running with UEFI Secure Boot (bsc#1175114). This
prevents hard to understand error messages when trying to boot tboot in this
context.
-------------------------------------------------------------------
Mon Sep 28 12:14:22 UTC 2020 - matthias.gerstner@suse.com
- update to new upstream release 1.9.12:
- changes from 1.9.12:
- Release localities in S3 flow for CRB interface
- Config.mk, safestringlib/makefile : allow tool overrides
- safestringlib: fix warnings with GCC 6.4.0
- Strip executable file before generating tboot.gz
- Add support for EFI memory map parse/modification
- Add SHA384 and SHA512 digest algorithms
- lcptools-v2: add pconf2 policy element support
- tb_polgen: Add SHA384 and SHA512 support
- Disable GCC9 address-of-packed-member warning
- Fix warnings after "Avoid unsafe functions" scan
- Use SHA256 as default hashing algorithm
- changes from 1.9.11:
- tb_polgen: Add support for SHA256
- Configure IOMMU before executing GETSEC[SENTER]
- SINIT ACM can have padding, handle that when checking size
- disable-address-of-packed-member-warning.patch: now contained upstream
- tboot-grub2-fix-xen-submenu-name.patch: refreshed
- dropped tboot-Release-localities-in-S3-flow-for-CRB-interface.patch (upstream)
- dropped tboot-Configure-IOMMU-before-executing-GETSEC-SENTER.patch (upstream)
- dropped tboot-Do-not-try-to-read-EFI-mem-map-when-booted-with-mult.patch (upstream)
- dropped tboot-Release-localities-in-S3-flow-for-CRB-interface.patch (upstream)
- dropped tboot-support-sinit-padding.patch (upstream)
- dropped tboot-Add-support-for-EFI-memory-map-parse-modification.patch
- dropped tboot-fix-memmap1-boot-issues.patch
- dropped tboot-Add-more-mbi-validation.patch
-------------------------------------------------------------------
Fri Jul 12 16:24:27 UTC 2019 - Martin Liška <mliska@suse.cz>
- Disable LTO in more elegant way (boo#1141323).
-------------------------------------------------------------------
Thu Jul 11 08:06:42 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
- explicitly disable gcc9 link time optimization to fix the build and avoid
trouble in low level tboot code.
-------------------------------------------------------------------
Tue May 28 08:19:14 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
- add disable-address-of-packed-member-warning.patch: taken over patch found
in the Fedora package to disable a new gcc-9 warning that breaks the build.
-------------------------------------------------------------------
Mon May 20 11:21:46 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
- update to new upstream release 1.9.10:
- changes from 1.9.10:
- lcp-gen2: update with latest version (wxWidgets wildcard bugfix)
- print latest tag in logs
- add support for 64bit framebuffer address
- changes from 1.9.9:
- tools: fix some dereference-NULL issues reported by klocwork
- tools: replace banned mem/str fns with corresponding ones in safestringlib
- Add safestringlib code to support replacement of banned mem/str fns
- lcptools: remove tools supporting platforms before 2008
- tboot: update string/memory fn name to differentiate from c lib
- Fix a harmless overflow caused by wrong loop limits
- rebased patches to match new upstream version
-------------------------------------------------------------------
Wed Oct 24 08:44:04 UTC 2018 - matthias.gerstner@suse.com
- update to new upstream release 1.9.8 (FATE#324359):
- Skip tboot launch error index read/write when ignore prev err option is true
- s3-fix: fix a stack overflow caused by enlarged tb_hash_t union
- S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059
- S3-fix: Adding option save_vtd=true to opt-in the vtd table restore
- rebased patches to match new upstream version
-------------------------------------------------------------------
Fri Sep 7 08:30:20 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
- Use noun phrase in summary.
-------------------------------------------------------------------
Mon Sep 3 10:11:39 UTC 2018 - matthias.gerstner@suse.com
- package new upstream tarball for 1.9.7. It seems the tarball was replaced
upstream without notice, because some version numbers have not been
incremented.
- tboot-grub2-fix-menu-in-xen-host-server.patch: rebased
- tboot-grub2-fix-xen-submenu-name.patch: rebased
-------------------------------------------------------------------
Fri Aug 31 14:23:48 UTC 2018 - matthias.gerstner@suse.com
- update to upstream version 1.9.7. This in mainly a bugfix release:
Fix a lot of issues in tools reported by klocwork scan.
Fix a lot of issues in tboot module reported by klocwork scan.
Remove a redundant tboot option
Fix indent in heap.c
Fix 4 issues along with extpol=agile option
Mitigations for tpm interposer attacks
Add an option in tboot to force SINIT to use the legacy TPM2 log format.
Add support for appending to a TPM2 TCG style event log.
Ensure tboot log is available even when measured launch is skipped.
Add centos7 instructions for Use in EFI boot mode.
Fix memory leak and invalid reads and writes issues.
Fix TPM 1.2 locality selection issue.
Fix a null pointer dereference bug when Intel TXT is disabled.
Optimize tboot docs installation.
Fix security vulnerabilities rooted in tpm_if structure and g_tpm variable.
The size field of the MB2 tag is the size of the tag header + the size
Fix openssl-1.0.2 double frees
Make policy element stm_elt use unique type name
lcptools-v2 utilities fixes
port to openssl-1.1.0
Reset debug PCR16 to zero.
Fix a logical error in function bool evtlog_append(...).
- removed tboot-CVE-2017-16837.patch: now contained in tarball
- removed tboot-openssl-1-1-0.patch: now contained in tarball
- removed tboot-signature-segfault.patch: now contained in tarball
- removed tboot-ssl-broken.patch: now contained in tarball
-------------------------------------------------------------------
Thu Mar 15 09:49:03 UTC 2018 - matthias.gerstner@suse.com
- tboot-signature-segfault.patch: Intermediate patch necessary for
tboot-ssl-broken.patch. Upstream tried to fix OpenSSL issues here, but
failed to do so.
- tboot-ssl-broken.patch: Fixed memory corruption when using OpenSSL
functionality like in lcp2_crtpollist (bnc#1083693). Fix has not yet been
commented on by upstream (posted on tboot-devel mailing list).
-------------------------------------------------------------------
Wed Feb 21 12:26:10 UTC 2018 - matthias.gerstner@suse.com
- Also cover cleanup of bootloader configuration after package removal.
(bnc#1078262)
-------------------------------------------------------------------
Mon Feb 12 13:27:20 UTC 2018 - matthias.gerstner@suse.com
- tboot-distributor.patch: don't add GNU/Linux to grub menu entries. SUSE's
grub2 itself doesn't do it as well. (bnc#1078262)
- perform update of bootloader configuration after installation via
%posttrans. (bnc#1078262)
-------------------------------------------------------------------
Thu Nov 16 09:49:48 UTC 2017 - matthias.gerstner@suse.com
- tboot-CVE-2017-16837.patch: fix a major security issue in tboot. tboot
failed to validate a number of immutable function pointers, which could
allow an attacker to bypass the chain of trust and execute arbitrary code
(bnc#1068390, CVE-2017-16837).
-------------------------------------------------------------------
Thu Nov 9 14:08:59 UTC 2017 - matthias.gerstner@suse.com
- tboot-openssl-1-1-0.patch: make package compatible with OpenSSL 1.1.0.
There's no upstream release containing this patch yet. The patch builds
against OpenSSL 1.0.x as well. This is for SLE-15 support (bnc#1067229).
-------------------------------------------------------------------
Tue Jul 18 11:10:29 UTC 2017 - matthias.gerstner@suse.com
update to new upstream version 1.9.6:
- removed following patches, because they're now included upstream:
* reproducible.patch
* tboot-grub2-suse.patch
* tboot-gcc7.patch
- Changes in this version:
* GCC7 fix, adds generic FALLTHROUGH notations to avoid warnings appearing on GCC7
* Ensure Tboot never overwrites modules in the process of moving them.
* Add support to x2APIC, which uses 32 bit APIC ID.
* Fix S3 secrets sealing/unsealing failures
* Support OpenSSL 1.1.0+ for ECDSA signature verification.
* Support OpenSSL 1.1.0+ for RSA key manipulation.
* Adds additional checks to prevent the kernel image from being overwritten.
* Added TCG TPM event log support.
* Pass through the EFI memory map that's provided by grub2.
* Fix a null pointer dereference bug when Intel TXT is disabled in BIOS.
* Adjust KERNEL_CMDLINE_OFFSET from 0x9000 to 0x8D00.
* Bounds checking on the kernel_cmdline string.
-------------------------------------------------------------------
Sun Jun 4 08:43:14 UTC 2017 - meissner@suse.com
- tboot-gcc7.patch: fix some gcc7 warnings that lead to errors. (bsc#1041264)
-------------------------------------------------------------------
Sun Apr 30 05:29:57 UTC 2017 - bwiedemann@suse.com
- Add reproducible.patch to call gzip -n to make build fully reproducible
-------------------------------------------------------------------
Fri Feb 10 16:56:03 UTC 2017 - jengelh@inai.de
- Trim filler words from description; use modern macros over
shell vars.
-------------------------------------------------------------------
Wed Feb 8 13:11:50 UTC 2017 - meissner@suse.com
- Updated to 20161216: v1.9.5 (FATE#321510)
+ Add 2nd generation of LCP creation tool source codes for TPM 2.0 platforms.
+ Add user guide for 2nd generation LCP creation tool
+ Provide workaround for Intel PTT(Platform Trust Technology) & Linux PTT driver.
+ Add new fields in Linux kernel header struct to accommodate Linux kernel new capabilities.
+ Fix a pointer dereference regression in the tboot native Linux loader which manifests itself as a system reset.
+ Fix the issue of overwriting tboot when the loaded elf kernel is located below tboot.
+ Add support to release TPM localities when tboot exits to linux kernel.
+ Fix the evtlog dump function for tpm2 case.
+ Initiaize kernel header comdline buffer before copying kernel cmdline arguments to the buffer to avoid random
+ data at end of the original cmdline contents.
+ Move tpm_detect() to an earlier stage so as to get tpm interface initialized before checking TXT platform capabilities.
-------------------------------------------------------------------
Wed Jun 22 06:37:53 UTC 2016 - mchang@suse.com
- Fix wrong pvops kernel config matching (bsc#981948)
* modified tboot-grub2-fix-menu-in-xen-host-server.patch
-------------------------------------------------------------------
Wed Jun 1 09:29:32 UTC 2016 - meissner@suse.com
- tboot-grub2-suse.patch: fixed bad if/elif
-------------------------------------------------------------------
Thu May 19 10:35:27 UTC 2016 - meissner@suse.com
- Updated to 1.9.4/20160518 (FATE#320665)
Added TPM 2.0 CRB support
Increased BSP and AP stacks to avoid stack overflow
Added an ACPI_RSDP structure g_rsdp in tboot to avoid potential memory overwritten issue on TPM 2.0 UEFI platforms
Added support to both Intel TPM nv index set and TCG TPM nv index set
grub2: tboot doesn't skip first argument any more
grub2: sanitize whitespace in command lines
grub2: Allow addition of policy data in grub.cfg
grub2 support: allow the user to customize the command line
Mitigated S3 resume delay by adjusting LZ_MAX_OFFSET to 5000 in lz.c.
Added SGX TPM nv index support
Add 64 bit ELF object support
Gentoo Hardened, which uses the GRSecurity and PaX patch sets
Disable -fstack-check in CFLAG for compatibility with Gentoo Linux.
Enhanced tboot compatiblity running on non-Intel TXT platform with a fix of is_launched()
LCP documentation improvements
- tboot-grub2-suse.patch: refreshed
- tboot-grub2-fix-xen-submenu-name.patch: refreshed
- tboot-fix-stackoverflow.patch: upstream in 1.9.4
-------------------------------------------------------------------
Wed Apr 6 09:41:06 UTC 2016 - meissner@suse.com
- tboot-fix-stackoverflow.patch: fix a excessive stack usage pattern
that could lead to resets/crashes (bsc#967441)
-------------------------------------------------------------------
Fri May 8 12:08:52 UTC 2015 - meissner@suse.com
- Updated to 1.8.3/20140728 FATE#318542
* Added verified launch control policy user guide
* Fixed a bug about var MTRR settings to follow the rule that each VAR MTRR base must be a multiple of that MTRR's size.
* Access tpm sts reg with 3-byte width in v1.2 case and 4-byte width in v2.0 case
* Bugfix: lcp2_mlehash get wrong hash if the cmdline string length > 7
* Optimized tboot log processing flow to avoid log buffer overflow by adopting lz Compress/Uncompress algorithms
* Added SGX support for Skylake platform
* tpm2: use the primary object in NULL Hierarchy instead of Platform Hierarchy for seal/unseal usage
* Fixed a bug for lcp2_mlehash tool
* Fixed system hang issue caused by TXT disable, TPM disable or SINIT ACM not correctly provided in EFI booting mode
* Fixed bug for wrong assumption on the way how GRUB2 load modules
* Fixed MB2 tags mess issue caused by moving shorter module cmdline to head
* Fixed compile issue when debug=y
- fixes a boot issue on Skylake (bsc#964408)
- refreshed tboot-grub2-fix-xen-submenu-name.patch
-------------------------------------------------------------------
Mon Jul 28 12:14:12 UTC 2014 - meissner@suse.com
- updated to 1.8.2/20140728
Security Fix: TBOOT Argument Measurement Vulnerability for GRUB2 + ELF Kernels
fix werror in 32 bit build environment
- tboot-fix.patch: removed, fixed differently upstream.
-------------------------------------------------------------------
Mon May 19 11:11:10 UTC 2014 - meissner@suse.com
- updated to 1.8.1/20140516
Fix build error "may be used uninitialized"
Reset eventlog when S3
Update tboot version to 1.8.1 in grub title
Fix grub cfg file generation scripts for SLES12
Fix seal failure issue
tpm2 lcptools
Restore local apic base for AP
Fix typo in hash_alg_to_string()
Change to create primary object only once
Add prepare_tpm call in S3 path to ensure locality 0 was released before senter
Fix possible dead loop in print_bios_data when bios_data version 4
Fix possible null pointer dereference in loader.c
Fix possible null pointer dereference in tpm_12.c and tpm_20.c
Avoid buffer overrun when append tpm12 eventlog
Fix possible NULL pointer dereference
Fix one event log issue caused by wrong append and print operation
Fix error "unsupported hash alg" for agile extend policy
Fix warning "ACM info_table version mismatch"
Update the tpm family detection with a general way
Fix a lcp tools issue caused by redefining TB_HALG_SHA1 from 0 to 4
Assign g_tpm a value for no tpm case to avoid NULL checks
Fix crash when TPM is missing
Fix infinite loop in determine_multiboot_type()
Fix typo in tpm20_init() and remove unused variable
Allow the to-be-measured nv to be protected by AUTHWRITE
Check cpu vendor id to avoid unexpected behavior in non-intel cpu
Change to detect TPM family only once
Fix some typos caused by copy-paste
- removed tboot-cs381.patch: upstream
-------------------------------------------------------------------
Fri May 16 06:10:17 UTC 2014 - mchang@suse.com
- fix grub2 boot menu after installing lots of kernels (bnc#865815)
- add tboot-grub2-fix-menu-in-xen-host-server.patch
- add tboot-grub2-fix-xen-submenu-name.patch
-------------------------------------------------------------------
Wed Apr 30 08:42:27 UTC 2014 - meissner@suse.com
- tboot-cs381.patch: generate tboot entries correctly, from Intel.
bnc#875581
-------------------------------------------------------------------
Wed Feb 19 16:05:10 UTC 2014 - meissner@suse.com
- fixed path for /usr/share/grub2/grub-mkconfig_lib in our grub2
snippets. (bnc#864633)
-------------------------------------------------------------------
Thu Jan 30 21:59:46 UTC 2014 - meissner@suse.com
- updated to 1.8.0/20130705
Update README for TPM2 support
tpm2 support
Adding sha256 algorithm implementation
Update README for TPM NV measuring
Update README for EFI support
Fix typo in tboot/Makefile
Increase the supported maximum number of cpus from 256 to 512
Extend tboot policy supporting measuring TPM NV
EFI support via multiboot2 changes
Fix typo in common/hash.c
Fix verification for extended data elements in txt heap
-------------------------------------------------------------------
Thu Aug 8 11:56:45 UTC 2013 - meissner@suse.com
- updated to 1.7.4/20130705
Fix possible empty submenu block in generated grub.cfg
Add a call_racm=check option for easy RACM launch result check
Fix type check for revocation ACM.
-------------------------------------------------------------------
Tue Jan 8 15:26:59 UTC 2013 - meissner@suse.com
- updated to 1.7.3/20121228
Update README with updated code repository url.
Fix grub2 scripts to be compatible with more distros.
Update README for RACM launch support
Add a new option "call_racm=true|false" for revocation acm(RACM) launch
Fix potential buffer overrun & memory leak in crtpconf.c
Fix a potential buffer overrun in lcptools/lock.c
Print cmdline in multi-lines
Optional print TXT.ERRORCODE under level error or info
Fix side effects of tboot log level macros in tools
Update readme for the new detail log level
Classify all logs into different log levels
Add detail log level and the macros defined for log level
Fix acmod_error_t type to correctly align all bits in 4bytes
-------------------------------------------------------------------
Wed Oct 10 15:31:57 UTC 2012 - meissner@suse.com
- updated to 1.7.2/20120929
Add Makefile for docs to install man pages.
Add man pages for tools
Add grub-mkconfig helper scripts for tboot case in GRUB2
Fix for deb build in ubuntu
Fix S3 issue brought by c/s 308
Fix a S4 hang issue and a potential shutdown reset issue
Fix build with new zlib 1.2.7.
Initialize event log when S3
Update README to change upstream repo url from bughost.org to sf.net.
- updated to 1.7.1/20120427
Fix cmdline size in tb_polgen
Add description for option min_ram in README.
new tboot cmdline option "min_ram=0xXXXXXX"
Update test-patches/tpm-test.patch to fit in latest code.
- zlib patch upstreamed.
- spec file adjustments
- tboot-fix.patch: fixed printf type mismatch
-------------------------------------------------------------------
Thu May 31 13:20:57 CEST 2012 - meissner@suse.de
- adjust to changed zlib api
-------------------------------------------------------------------
Wed Apr 25 23:16:20 CEST 2012 - meissner@suse.de
- reenable exclusivearch to avoid building it on ppc and arm.
-------------------------------------------------------------------
Tue Feb 28 14:03:52 UTC 2012 - meissner@suse.com
- updated to 1.7.0
Print version number while changeset info unavailable
Document DA changes in README
Add event log for PCR extends in tboot
Follow details / authorities PCR mapping style in tboot
Support details / authorities PCR mapping
Support TPM event log
fix build issue for txt-stat in 64 bit environment.
update README for mwait AP wakeup mechanism
tboot: provide a new AP wakeup way for OS/VMM - mwait then memory write
Original txt-stat.c doesn't display TXT heap info by default. Add
command line options to display help info and optionally enable
displaying heap info.
Fix a shutdown issue on heavily throttled large server
Adjust mle_hdr.{mle|cmdline}_{start|end}_off according to CS285,286
changes to give lcp_mlehash correct info to produce hash value.
Fix boot issue caused by including mle page table into tboot memory
Fix for possible overwritting to mle page table by GRUB2
Add PAGE_UP() fn that rounds things up/donw to a page.
Update get_mbi_mem_end() with a accurate, safer calculating way
ACPI fix and sanity check
Add some sanity check before using mods_count in a count-down loop
TPM: add waiting on expect==0 before issue tpmGo
txt-stat: Don't show heap info by default.
Exchange definitions for TBOOT_BASE_ADDR & TBOOT_START
Add const qualifier for suibable parms of all possible fns.
fix possible mbi overwrite issue for Linux with grub2
enhance print_mbi() to print more mbi info for debug purpose
Fix for GRUB2 loading elf image such as Xen.
Move apply_policy() call into txt_post_launch()
Don't zap s3_key in tboot shared page if sealing failed due to tpm
unowned
Update the explanation of signed lists to make it clearer.
tboot: add a fall back for reboot via keyboard reset vector
tboot: revise README to explain how to configure GRUB2 config file for
tboot
tboot: rewrite acpi reg access fns to refer to bit_width instead of
access_width
tboot: change reboot mechanism to use keyboard reset vector
tboot: handle mis-programmed TXT config regs and TXT heap gracefully
tboot: add warning when TPM timeout values are wrong
all PM1_CNT accesses should be 16bit.
Enlarge NR_CPUS from 64 to 256
Add support for SBIOS policy element type (LCP_SBIOS_ELEMENT) to
lcp_crtpolelt
Fix processor id list matching between platform and acmod
Make lcp_crtpollist support empty lists (i.e. with no elements)
print a bit more error reasons in txt-stat
Fix segmentation fault in txt-stat on some systems
-------------------------------------------------------------------
Thu Jan 12 11:31:12 UTC 2012 - coolo@suse.com
- change license to be in spdx.org format
-------------------------------------------------------------------
Tue May 24 14:48:45 UTC 2011 - idonmez@novell.com
- Update to changeset 261
+ gcc 4.6 fixes
+ Fix segmentation fault in txt-stat on some systems
+ Add support for TXT heap extended data elements and BiosData version 4
+ Add support for AC Module chipset info table version 4 (ProcessorIDList)
+ Removed no_usb command line parameter and SMI disabling
+ Support MAXPHYADDR > 36b
-------------------------------------------------------------------
Wed Apr 27 18:38:23 CEST 2011 - meissner@suse.de
- initial import of current intel trusted boot loader

105
tboot.spec Normal file
View File

@ -0,0 +1,105 @@
#
# spec file for package tboot
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: tboot
%define ver 1.11.1
Version: 20210614_%{ver}
Release: 0
Summary: Program for performing a verified launch using Intel TXT
License: BSD-3-Clause
Group: Productivity/Security
URL: https://sourceforge.net/projects/tboot/
Source0: https://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver}.tar.gz
Patch3: tboot-grub2-fix-menu-in-xen-host-server.patch
Patch4: tboot-grub2-fix-xen-submenu-name.patch
Patch7: tboot-distributor.patch
Patch8: tboot-grub2-refuse-secure-boot.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExclusiveArch: %{ix86} x86_64
BuildRequires: openssl-devel
BuildRequires: zlib-devel
%if 0%{?suse_version} > 1320
BuildRequires: update-bootloader-rpm-macros
%endif
%if 0%{?update_bootloader_requires:1}
%update_bootloader_requires
%else
Requires: perl-Bootloader
%endif
%description
Trusted Boot (tboot) is a pre-kernel/VMM module that uses Intel
Trusted Execution Technology (Intel(R) TXT) to perform a measured and
verified launch of an OS kernel/VMM.
%prep
%setup -q -n %name-%ver
%autopatch -p1
%build
# Tumbleweed now uses -flto=3 by default which gives us trouble with the
# statically linked C and assembler code in tboot. Better to be conservative
# here since tboot is low level stuff -> disable LTO for us (boo#1141323).
%define _lto_cflags %{nil}
export TBOOT_CFLAGS="$CFLAGS"
make debug=y %{?_smp_mflags}
%install
make debug=y install DISTDIR="%{buildroot}" MANPATH="%{buildroot}/%{_mandir}"
%files
%defattr(-,root,root,-)
%doc README.md COPYING docs/* lcptools-v2/lcptools.txt
%{_sbindir}/txt-acminfo
%{_sbindir}/txt-parse_err
%{_sbindir}/tb_polgen
%{_sbindir}/txt-stat
%{_sbindir}/lcp2_crtpol
%{_sbindir}/lcp2_crtpolelt
%{_sbindir}/lcp2_crtpollist
%{_sbindir}/lcp2_mlehash
/boot/tboot.gz
/boot/tboot-syms
%{_mandir}/man8/*
%dir %{_sysconfdir}/grub.d/
%{_sysconfdir}/grub.d/20_linux_tboot
%{_sysconfdir}/grub.d/20_linux_xen_tboot
%post
%if 0%{?update_bootloader_check_type_reinit_post:1}
%update_bootloader_check_type_reinit_post grub2 grub2-efi
%else
/sbin/update-bootloader --reinit || true
%endif
%postun
%if 0%{?update_bootloader_check_type_reinit_post:1}
# there is no clean solution for refresh during package removal at the moment.
# %%posttrans is not executed during package removal.
%update_bootloader_check_type_reinit_post grub2 grub2-efi
%update_bootloader_posttrans
%else
/sbin/update-bootloader --reinit || true
%endif
%posttrans
%{?update_bootloader_posttrans}
%changelog