Sync from SUSE:SLFO:Main tboot revision 64f224abbf0d4d8655985b63e041b3d7
commit
56307bbf31
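--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text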
BIN
tboot-1.11.1.tar.gz
(Stored with Git LFS)
Normal file
BIN
tboot-1.11.1.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
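--- /dev/null
+++ b/tboot-distributor.patch
@@ -0,0 +1,26 @@
+Index: tboot-1.9.8/tboot/20_linux_tboot
+===================================================================
+--- tboot-1.9.8.orig/tboot/20_linux_tboot
++++ tboot-1.9.8/tboot/20_linux_tboot
+@@ -72,7 +72,7 @@ CLASS="--class gnu-linux --class gnu --c
+if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+OS=GNU/Linux
+else
+- OS="${GRUB_DISTRIBUTOR} GNU/Linux"
++ OS="${GRUB_DISTRIBUTOR}"
+CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
+fi
+
+Index: tboot-1.9.8/tboot/20_linux_xen_tboot
+===================================================================
+--- tboot-1.9.8.orig/tboot/20_linux_xen_tboot
++++ tboot-1.9.8/tboot/20_linux_xen_tboot
+@@ -63,7 +63,7 @@ CLASS="--class gnu-linux --class gnu --c
+if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+OS=GNU/Linux
+else
+- OS="${GRUB_DISTRIBUTOR} GNU/Linux"
++ OS="${GRUB_DISTRIBUTOR}"
+CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1) ${CLASS}"
+fi
+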
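--- /dev/null
+++ b/tboot-grub2-fix-menu-in-xen-host-server.patch
@@ -0,0 +1,117 @@
+From: Michael Chang <mchang@suse.com>
+Subject: [PATCH] fix menu in xen host server
+
+References: bnc#771689, bnc#757895
+Patch-Mainline: no
+
+When system is configred as "Xen Virtual Machines Host Server", the
+grub2 menu is not well organized. We could see some issues on it.
+
+- Many duplicated xen entries generated by links to xen hypervisor
+- Non bootable kernel entries trying to boot xen kernel natively
+- The -dbg xen hypervisor takes precedence over release version
+
+This patch fixes above three issues.
+
+v2:
+References: bnc#877040
+Create only hypervisor pointed by /boot/xen.gz symlink to not clutter
+the menu with multiple versions and also not include -dbg. Use custom.cfg
+if you need any other custom entries.
+
+v3:
+References: bnc#865815
+Porting to tboot in order to fix duplicated xen entries
+
+Index: tboot-1.11.1/tboot/20_linux_tboot
+===================================================================
+--- tboot-1.11.1.orig/tboot/20_linux_tboot
++++ tboot-1.11.1/tboot/20_linux_tboot
+@@ -219,6 +219,49 @@ while [ "x${tboot_list}" != "x" ] && [ "
+break
+fi
+done
++
++ config=
++ for i in "${dirname}/config-${version}" "${dirname}/config-${alt_version}" "/etc/kernels/kernel-config-${version}" ; do
++ if test -e "${i}" ; then
++ config="${i}"
++ break
++ fi
++ done
++
++ # try to get the kernel config if $linux is a symlink
++ if test -z "${config}" ; then
++ lnk_version=`basename \`readlink -f $linux\` | sed -e "s,^[^0-9]*-,,g"`
++ if (test -n ${lnk_version} && test -e "${dirname}/config-${lnk_version}") ; then
++ config="${dirname}/config-${lnk_version}"
++ fi
++ fi
++
++ # check if we are in xen domU
++ if [ ! -e /proc/xen/xsd_port -a -e /proc/xen ]; then
++ # we're running on xen domU guest
++ dmi=/sys/class/dmi/id
++ if [ -r "${dmi}/product_name" -a -r "${dmi}/sys_vendor" ]; then
++ product_name=`cat ${dmi}/product_name`
++ sys_vendor=`cat ${dmi}/sys_vendor`
++ if test "${sys_vendor}" = "Xen" -a "${product_name}" = "HVM domU"; then
++ # xen HVM guest
++ xen_pv_domU=false
++ fi
++ fi
++ else
++ # we're running on baremetal or xen dom0
++ xen_pv_domU=false
++ fi
++
++ if test "$xen_pv_domU" = "false" ; then
++ # prevent xen kernel without pv_opt support from booting
++ if (grep -qx "CONFIG_XEN=y" "${config}" 2> /dev/null && ! grep -qx "CONFIG_PARAVIRT=y" "${config}" 2> /dev/null); then
++ echo "Skip xenlinux kernel $linux" >&2
++ list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
++ continue
++ fi
++ fi
++
+if test -n "${initrd}" ; then
+echo "Found initrd image: ${dirname}/${initrd}" >&2
+else
+Index: tboot-1.11.1/tboot/20_linux_xen_tboot
+===================================================================
+--- tboot-1.11.1.orig/tboot/20_linux_xen_tboot
++++ tboot-1.11.1/tboot/20_linux_xen_tboot
+@@ -58,6 +58,12 @@ fi
+export TEXTDOMAIN=grub
+export TEXTDOMAINDIR=${prefix}/share/locale
+
++if [ ! -e /proc/xen/xsd_port -a -e /proc/xen ]; then
++# we're running on xen domU guest
++# prevent setting up nested virt on HVM or PV domU guest
++ exit 0
++fi
++
+CLASS="--class gnu-linux --class gnu --class os --class xen"
+
+if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+@@ -191,9 +197,17 @@ linux_list=`for i in /boot/vmlinu[xz]-*
+if [ "x${linux_list}" = "x" ] ; then
+exit 0
+fi
+-xen_list=`for i in /boot/xen*; do
+- if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
+- done`
++# bnc#877040 - Duplicate entries for boot menu created
++# only create /boot/xen.gz symlink boot entry
++if test -L /boot/xen.gz; then
++ xen_list=`readlink -f /boot/xen.gz`
++else
++ # bnc#757895 - Grub2 menu items incorrect when "Xen Virtual Machines Host Server" selected
++ # wildcard expasion with correct suffix (.gz) for not generating many duplicated menu entries
++ xen_list=`for i in /boot/xen*.gz; do
++ if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then echo -n "$i " ; fi
++ done`
++fi
+tboot_list=`for i in /boot/tboot*.gz; do
+if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
+done`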
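Review bot: In the symlink fallback added to 20_linux_tboot, `test -n ${lnk_version}` is unquoted, so an empty value leaves `test -n` with a single argument, which is always true; the guard only holds because of the `test -e` that follows. `readlink -f $linux` and `grep -vx $linux` in the same hunk are unquoted as well, and the latter matches the kernel path as a regular expression rather than a literal string. These generator scripts presumably run as root whenever the bootloader configuration is regenerated, over whatever file names exist in /boot, so I would write `if test -n "${lnk_version}" && test -e "${dirname}/config-${lnk_version}" ; then` and `grep -vxF -- "$linux"`. Separately, the 20_linux_xen_tboot hunk calls `file_is_not_sym`, which none of the hunks shown defines; if the script does not already provide it, the `&&` fails for every file and the fallback list is empty. The enclosing loops begin and end outside the hunks.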
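--- /dev/null
+++ b/tboot-grub2-fix-xen-submenu-name.patch
@@ -0,0 +1,19 @@
+From: Michael Chang <mchang@suse.com>
+Subject: fix xen submenu name to show tboot version
+
+References: bnc#865815
+Patch-Mainline: no
+
+Index: tboot-1.11.1/tboot/20_linux_xen_tboot
+===================================================================
+--- tboot-1.11.1.orig/tboot/20_linux_xen_tboot
++++ tboot-1.11.1/tboot/20_linux_xen_tboot
+@@ -246,7 +246,7 @@ while [ "x${xen_list}" != "x" ] ; do
+rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
+tboot_version="1.11.1"
+list="${linux_list}"
+- echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{"
++ echo "submenu \"Xen ${xen_version} with Tboot ${tboot_version}\"{"
+while [ "x$list" != "x" ] ; do
+linux=`version_find_latest $list`
+echo "Found linux image: $linux" >&2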
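--- /dev/null
+++ b/tboot-grub2-refuse-secure-boot.patch
@@ -0,0 +1,66 @@
+Index: tboot-1.9.12/tboot/20_linux_tboot
+===================================================================
+--- tboot-1.9.12.orig/tboot/20_linux_tboot
++++ tboot-1.9.12/tboot/20_linux_tboot
+@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
+. ${sysconfdir}/default/grub-tboot
+fi
+
++secureBootActive()
++{
++ for secboot_var in /sys/firmware/efi/efivars/SecureBoot-*; do
++ [ ! -e "$secboot_var" ] && continue
++
++ # this variable contains a '1' byte at the end if secure boot is enabled
++ local secboot_byte=`od --address-radix=n --format=u1 "$secboot_var" | tr -d ' \n' | tail -c 1`
++
++ [ "$secboot_byte" = "1" ] && return 0
++ done
++
++ return 1
++}
++
++if secureBootActive; then
++ cat >&2 << EOF
++Not generating tboot menu entries, because UEFI Secure Boot is active.
++tboot is not compatible with UEFI Secure Boot.
++EOF
++ exit 0
++fi
++
+# Set the following variables in /etc/default/grub-tboot to customize command lines
+# (empty values are treated as if the variables were unset).
+[ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT
+Index: tboot-1.9.12/tboot/20_linux_xen_tboot
+===================================================================
+--- tboot-1.9.12.orig/tboot/20_linux_xen_tboot
++++ tboot-1.9.12/tboot/20_linux_xen_tboot
+@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
+. ${sysconfdir}/default/grub-tboot
+fi
+
++secureBootActive()
++{
++ for secboot_var in /sys/firmware/efi/efivars/SecureBoot-*; do
++ [ ! -e "$secboot_var" ] && continue
++
++ # this variable contains a '1' byte at the end if secure boot is enabled
++ local secboot_byte=`od --address-radix=n --format=u1 "$secboot_var" | tr -d ' \n' | tail -c 1`
++
++ [ "$secboot_byte" = "1" ] && return 0
++ done
++
++ return 1
++}
++
++if secureBootActive; then
++ cat >&2 << EOF
++Not generating tboot menu entries, because UEFI Secure Boot is active.
++tboot is not compatible with UEFI Secure Boot.
++EOF
++ exit 0
++fi
++
+# Set the following variables in /etc/default/grub-tboot to customize command lines
+# (empty values are treated as if the variables were unset).
+[ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT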
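Review bot: `secureBootActive` decides from the last character of the whole decimal dump (`od … | tr -d ' \n' | tail -c 1`) rather than from the value of the data byte, so any final byte whose decimal form ends in 1 counts as enabled, while a failed or empty read falls through to `return 1` and the tboot entries are generated as if Secure Boot were off. An efivarfs file is four attribute bytes followed by the data, so reading exactly that byte is more direct: `secboot_byte=$(od -An -t u1 -j 4 -N 1 "$secboot_var" | tr -d ' \n')`, with `local secboot_byte` declared on its own line so the exit status of `od` is not masked. The same function is added verbatim to 20_linux_xen_tboot and the point applies there too. A short header comment stating that the check is best-effort and reports "not active" when efivarfs is not mounted would make the fail-open behaviour explicit.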
590
tboot.changes
Normal file
590
tboot.changes
Normal file
@ -0,0 +1,590 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Feb 6 10:52:29 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- required update due to openSSL 3.0 deprecation errors in current version
|
||||||
|
- updated to v1.11.1 / 20230125:
|
||||||
|
20230125: v1.11.1
|
||||||
|
- Revert log memory range extension (caused memory overlaps and boot failures)
|
||||||
|
20221223: v1.11.0
|
||||||
|
- Fixed TPM handling to flush objects after integrity measurement (Intel PTT limitations)
|
||||||
|
- Exteded low memory range for logs (HCC CPUs had issue with not enough memory)
|
||||||
|
- "agile" removed from PCR Extend policy options (requested deprecation)
|
||||||
|
- Added handling for flexible ACM Info Table format
|
||||||
|
- lcptools: CPPFLAGS use by environment in build
|
||||||
|
- lcptools: removed __DATE__ refs to make build reproducible
|
||||||
|
- Only platform-matchin SINIT modules can be selected
|
||||||
|
- txt-acminfo: Map TXT heap using mmap
|
||||||
|
- Typo fix in man page
|
||||||
|
20220304: v1.10.5
|
||||||
|
- Fixed mlehash.c to bring back functionality and make it GCC12 compliant
|
||||||
|
- Reverted change for replacing EFI memory to bring back Tboot in-memory logs
|
||||||
|
20220224: v1.10.4
|
||||||
|
- Fix hash printing for SHA384, SHA512 and SM3
|
||||||
|
- Touch ups for GCC12
|
||||||
|
- Set GDT to map CS and DS to 4GB before jumping to Linux
|
||||||
|
- make efi_memmap_reserve handle gaps like e820_protect_region
|
||||||
|
- Ensure that growth of Multiboot tags does not go beyond original area
|
||||||
|
- Replace EFI memory map in Multiboot2 info
|
||||||
|
- Fix endianness of pcr_info->pcr_selection.size_of_select
|
||||||
|
- Don't ignore locality in PCR file
|
||||||
|
- Fix composite hashing algorithm for PCONF elements to match lcptools-1
|
||||||
|
20211210: v1.10.3
|
||||||
|
- Add UNI-VGA license information
|
||||||
|
- Remove poly1305 object files on clean
|
||||||
|
- Support higher resolution monitors
|
||||||
|
- Use SHA256 as default hashing algorithm in lcp2_mlehash and tb_polgen
|
||||||
|
- Add OpenSSL 3.0.0 support in lcptools-v2
|
||||||
|
- Increase number of supported CPUs to 1024 to accomodate for larger units
|
||||||
|
- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new
|
||||||
|
upstream version.
|
||||||
|
- tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream
|
||||||
|
version.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jun 11 07:29:02 UTC 2021 - Marcus Meissner <meissner@suse.com>
|
||||||
|
|
||||||
|
- updated to v1.10.2 / 20210614
|
||||||
|
Fix ACM chipset/processor list validation
|
||||||
|
Check for client/server match when selecting SINIT
|
||||||
|
Fix issues when building with GCC11
|
||||||
|
Default to D/A mapping when TPM1.2 and CBnT platform
|
||||||
|
- updated to 1.10.1 / 20210330
|
||||||
|
|
||||||
|
- Indicate to SINIT that CBnT is supported by TBOOT
|
||||||
|
- lcptools: Fix issues from static code analysis
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 19 14:35:38 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- release 1.10.0 ramifications:
|
||||||
|
- README is now README.md
|
||||||
|
- acminfo and parse_err now are called txt-acminfo and txt-parse_err
|
||||||
|
- lcptools are deprecated (tpm 1.2, TrouSerS dependency) and are no longer
|
||||||
|
packaged.
|
||||||
|
- no longer needs TrouSerS dependency due to deprecation
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 19 14:00:53 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new
|
||||||
|
upstream version.
|
||||||
|
- tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream
|
||||||
|
version.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 19 13:35:07 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- update to new upstream release 1.10.0:
|
||||||
|
- Rename TXT related tools to have 'txt-' prefix
|
||||||
|
- Clarify license issues
|
||||||
|
- Fix issues reported by Coverity Scan
|
||||||
|
- Ensure txt-acminfo does not print false information if msr is not loaded
|
||||||
|
- Fix issue with multiboot(1) booting - infinite loop during boot
|
||||||
|
- Fix issue with TPM1.2 - invalid default policy
|
||||||
|
- Unmask NMI# after returning from SINIT
|
||||||
|
- Update GRUB scripts to use multiboot2 only
|
||||||
|
- Enable VGA logging for EFI platforms
|
||||||
|
- Add warning when using SHA1 as hashing algorithm
|
||||||
|
- Add Doxygen documentation
|
||||||
|
- Replace VMAC with Poly1305
|
||||||
|
- Validate TPM NV index attributes
|
||||||
|
- Move old lcptool to deprecated folder and exclude from build
|
||||||
|
- TrouSerS is not longer required to build
|
||||||
|
- lcptools-v2: meet requirements from MLE DG rev16
|
||||||
|
- lcptools-v2: Implement SM2 signing and SM2 signature verification
|
||||||
|
- lcptools-v2: Set aux_hash_alg_mask to 0 when policy version != 0x300
|
||||||
|
- dropped tboot-Unmask-NMI-after-returning-from-SINIT.patch (upstream)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 12 12:19:51 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- add tboot-grub2-refuse-secure-boot.patch: don't generate tboot menu entries
|
||||||
|
in grub when the system is running with UEFI Secure Boot (bsc#1175114). This
|
||||||
|
prevents hard to understand error messages when trying to boot tboot in this
|
||||||
|
context.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 28 12:14:22 UTC 2020 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- update to new upstream release 1.9.12:
|
||||||
|
- changes from 1.9.12:
|
||||||
|
- Release localities in S3 flow for CRB interface
|
||||||
|
- Config.mk, safestringlib/makefile : allow tool overrides
|
||||||
|
- safestringlib: fix warnings with GCC 6.4.0
|
||||||
|
- Strip executable file before generating tboot.gz
|
||||||
|
- Add support for EFI memory map parse/modification
|
||||||
|
- Add SHA384 and SHA512 digest algorithms
|
||||||
|
- lcptools-v2: add pconf2 policy element support
|
||||||
|
- tb_polgen: Add SHA384 and SHA512 support
|
||||||
|
- Disable GCC9 address-of-packed-member warning
|
||||||
|
- Fix warnings after "Avoid unsafe functions" scan
|
||||||
|
- Use SHA256 as default hashing algorithm
|
||||||
|
- changes from 1.9.11:
|
||||||
|
- tb_polgen: Add support for SHA256
|
||||||
|
- Configure IOMMU before executing GETSEC[SENTER]
|
||||||
|
- SINIT ACM can have padding, handle that when checking size
|
||||||
|
- disable-address-of-packed-member-warning.patch: now contained upstream
|
||||||
|
- tboot-grub2-fix-xen-submenu-name.patch: refreshed
|
||||||
|
- dropped tboot-Release-localities-in-S3-flow-for-CRB-interface.patch (upstream)
|
||||||
|
- dropped tboot-Configure-IOMMU-before-executing-GETSEC-SENTER.patch (upstream)
|
||||||
|
- dropped tboot-Do-not-try-to-read-EFI-mem-map-when-booted-with-mult.patch (upstream)
|
||||||
|
- dropped tboot-Release-localities-in-S3-flow-for-CRB-interface.patch (upstream)
|
||||||
|
- dropped tboot-support-sinit-padding.patch (upstream)
|
||||||
|
- dropped tboot-Add-support-for-EFI-memory-map-parse-modification.patch
|
||||||
|
- dropped tboot-fix-memmap1-boot-issues.patch
|
||||||
|
- dropped tboot-Add-more-mbi-validation.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jul 12 16:24:27 UTC 2019 - Martin Liška <mliska@suse.cz>
|
||||||
|
|
||||||
|
- Disable LTO in more elegant way (boo#1141323).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jul 11 08:06:42 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- explicitly disable gcc9 link time optimization to fix the build and avoid
|
||||||
|
trouble in low level tboot code.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 28 08:19:14 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- add disable-address-of-packed-member-warning.patch: taken over patch found
|
||||||
|
in the Fedora package to disable a new gcc-9 warning that breaks the build.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 20 11:21:46 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- update to new upstream release 1.9.10:
|
||||||
|
- changes from 1.9.10:
|
||||||
|
- lcp-gen2: update with latest version (wxWidgets wildcard bugfix)
|
||||||
|
- print latest tag in logs
|
||||||
|
- add support for 64bit framebuffer address
|
||||||
|
- changes from 1.9.9:
|
||||||
|
- tools: fix some dereference-NULL issues reported by klocwork
|
||||||
|
- tools: replace banned mem/str fns with corresponding ones in safestringlib
|
||||||
|
- Add safestringlib code to support replacement of banned mem/str fns
|
||||||
|
- lcptools: remove tools supporting platforms before 2008
|
||||||
|
- tboot: update string/memory fn name to differentiate from c lib
|
||||||
|
- Fix a harmless overflow caused by wrong loop limits
|
||||||
|
- rebased patches to match new upstream version
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 24 08:44:04 UTC 2018 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- update to new upstream release 1.9.8 (FATE#324359):
|
||||||
|
- Skip tboot launch error index read/write when ignore prev err option is true
|
||||||
|
- s3-fix: fix a stack overflow caused by enlarged tb_hash_t union
|
||||||
|
- S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059
|
||||||
|
- S3-fix: Adding option save_vtd=true to opt-in the vtd table restore
|
||||||
|
- rebased patches to match new upstream version
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 7 08:30:20 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Use noun phrase in summary.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 3 10:11:39 UTC 2018 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- package new upstream tarball for 1.9.7. It seems the tarball was replaced
|
||||||
|
upstream without notice, because some version numbers have not been
|
||||||
|
incremented.
|
||||||
|
- tboot-grub2-fix-menu-in-xen-host-server.patch: rebased
|
||||||
|
- tboot-grub2-fix-xen-submenu-name.patch: rebased
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Aug 31 14:23:48 UTC 2018 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- update to upstream version 1.9.7. This in mainly a bugfix release:
|
||||||
|
Fix a lot of issues in tools reported by klocwork scan.
|
||||||
|
Fix a lot of issues in tboot module reported by klocwork scan.
|
||||||
|
Remove a redundant tboot option
|
||||||
|
Fix indent in heap.c
|
||||||
|
Fix 4 issues along with extpol=agile option
|
||||||
|
Mitigations for tpm interposer attacks
|
||||||
|
Add an option in tboot to force SINIT to use the legacy TPM2 log format.
|
||||||
|
Add support for appending to a TPM2 TCG style event log.
|
||||||
|
Ensure tboot log is available even when measured launch is skipped.
|
||||||
|
Add centos7 instructions for Use in EFI boot mode.
|
||||||
|
Fix memory leak and invalid reads and writes issues.
|
||||||
|
Fix TPM 1.2 locality selection issue.
|
||||||
|
Fix a null pointer dereference bug when Intel TXT is disabled.
|
||||||
|
Optimize tboot docs installation.
|
||||||
|
Fix security vulnerabilities rooted in tpm_if structure and g_tpm variable.
|
||||||
|
The size field of the MB2 tag is the size of the tag header + the size
|
||||||
|
Fix openssl-1.0.2 double frees
|
||||||
|
Make policy element stm_elt use unique type name
|
||||||
|
lcptools-v2 utilities fixes
|
||||||
|
port to openssl-1.1.0
|
||||||
|
Reset debug PCR16 to zero.
|
||||||
|
Fix a logical error in function bool evtlog_append(...).
|
||||||
|
- removed tboot-CVE-2017-16837.patch: now contained in tarball
|
||||||
|
- removed tboot-openssl-1-1-0.patch: now contained in tarball
|
||||||
|
- removed tboot-signature-segfault.patch: now contained in tarball
|
||||||
|
- removed tboot-ssl-broken.patch: now contained in tarball
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Mar 15 09:49:03 UTC 2018 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- tboot-signature-segfault.patch: Intermediate patch necessary for
|
||||||
|
tboot-ssl-broken.patch. Upstream tried to fix OpenSSL issues here, but
|
||||||
|
failed to do so.
|
||||||
|
- tboot-ssl-broken.patch: Fixed memory corruption when using OpenSSL
|
||||||
|
functionality like in lcp2_crtpollist (bnc#1083693). Fix has not yet been
|
||||||
|
commented on by upstream (posted on tboot-devel mailing list).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 21 12:26:10 UTC 2018 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- Also cover cleanup of bootloader configuration after package removal.
|
||||||
|
(bnc#1078262)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Feb 12 13:27:20 UTC 2018 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- tboot-distributor.patch: don't add GNU/Linux to grub menu entries. SUSE's
|
||||||
|
grub2 itself doesn't do it as well. (bnc#1078262)
|
||||||
|
- perform update of bootloader configuration after installation via
|
||||||
|
%posttrans. (bnc#1078262)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 16 09:49:48 UTC 2017 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- tboot-CVE-2017-16837.patch: fix a major security issue in tboot. tboot
|
||||||
|
failed to validate a number of immutable function pointers, which could
|
||||||
|
allow an attacker to bypass the chain of trust and execute arbitrary code
|
||||||
|
(bnc#1068390, CVE-2017-16837).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 9 14:08:59 UTC 2017 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- tboot-openssl-1-1-0.patch: make package compatible with OpenSSL 1.1.0.
|
||||||
|
There's no upstream release containing this patch yet. The patch builds
|
||||||
|
against OpenSSL 1.0.x as well. This is for SLE-15 support (bnc#1067229).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 18 11:10:29 UTC 2017 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
update to new upstream version 1.9.6:
|
||||||
|
|
||||||
|
- removed following patches, because they're now included upstream:
|
||||||
|
* reproducible.patch
|
||||||
|
* tboot-grub2-suse.patch
|
||||||
|
* tboot-gcc7.patch
|
||||||
|
|
||||||
|
- Changes in this version:
|
||||||
|
* GCC7 fix, adds generic FALLTHROUGH notations to avoid warnings appearing on GCC7
|
||||||
|
* Ensure Tboot never overwrites modules in the process of moving them.
|
||||||
|
* Add support to x2APIC, which uses 32 bit APIC ID.
|
||||||
|
* Fix S3 secrets sealing/unsealing failures
|
||||||
|
* Support OpenSSL 1.1.0+ for ECDSA signature verification.
|
||||||
|
* Support OpenSSL 1.1.0+ for RSA key manipulation.
|
||||||
|
* Adds additional checks to prevent the kernel image from being overwritten.
|
||||||
|
* Added TCG TPM event log support.
|
||||||
|
* Pass through the EFI memory map that's provided by grub2.
|
||||||
|
* Fix a null pointer dereference bug when Intel TXT is disabled in BIOS.
|
||||||
|
* Adjust KERNEL_CMDLINE_OFFSET from 0x9000 to 0x8D00.
|
||||||
|
* Bounds checking on the kernel_cmdline string.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Jun 4 08:43:14 UTC 2017 - meissner@suse.com
|
||||||
|
|
||||||
|
- tboot-gcc7.patch: fix some gcc7 warnings that lead to errors. (bsc#1041264)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Apr 30 05:29:57 UTC 2017 - bwiedemann@suse.com
|
||||||
|
|
||||||
|
- Add reproducible.patch to call gzip -n to make build fully reproducible
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Feb 10 16:56:03 UTC 2017 - jengelh@inai.de
|
||||||
|
|
||||||
|
- Trim filler words from description; use modern macros over
|
||||||
|
shell vars.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 8 13:11:50 UTC 2017 - meissner@suse.com
|
||||||
|
|
||||||
|
- Updated to 20161216: v1.9.5 (FATE#321510)
|
||||||
|
+ Add 2nd generation of LCP creation tool source codes for TPM 2.0 platforms.
|
||||||
|
+ Add user guide for 2nd generation LCP creation tool
|
||||||
|
+ Provide workaround for Intel PTT(Platform Trust Technology) & Linux PTT driver.
|
||||||
|
+ Add new fields in Linux kernel header struct to accommodate Linux kernel new capabilities.
|
||||||
|
+ Fix a pointer dereference regression in the tboot native Linux loader which manifests itself as a system reset.
|
||||||
|
+ Fix the issue of overwriting tboot when the loaded elf kernel is located below tboot.
|
||||||
|
+ Add support to release TPM localities when tboot exits to linux kernel.
|
||||||
|
+ Fix the evtlog dump function for tpm2 case.
|
||||||
|
+ Initiaize kernel header comdline buffer before copying kernel cmdline arguments to the buffer to avoid random
|
||||||
|
+ data at end of the original cmdline contents.
|
||||||
|
+ Move tpm_detect() to an earlier stage so as to get tpm interface initialized before checking TXT platform capabilities.
|
||||||
|
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jun 22 06:37:53 UTC 2016 - mchang@suse.com
|
||||||
|
|
||||||
|
- Fix wrong pvops kernel config matching (bsc#981948)
|
||||||
|
* modified tboot-grub2-fix-menu-in-xen-host-server.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jun 1 09:29:32 UTC 2016 - meissner@suse.com
|
||||||
|
|
||||||
|
- tboot-grub2-suse.patch: fixed bad if/elif
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 19 10:35:27 UTC 2016 - meissner@suse.com
|
||||||
|
|
||||||
|
- Updated to 1.9.4/20160518 (FATE#320665)
|
||||||
|
Added TPM 2.0 CRB support
|
||||||
|
Increased BSP and AP stacks to avoid stack overflow
|
||||||
|
Added an ACPI_RSDP structure g_rsdp in tboot to avoid potential memory overwritten issue on TPM 2.0 UEFI platforms
|
||||||
|
Added support to both Intel TPM nv index set and TCG TPM nv index set
|
||||||
|
grub2: tboot doesn't skip first argument any more
|
||||||
|
grub2: sanitize whitespace in command lines
|
||||||
|
grub2: Allow addition of policy data in grub.cfg
|
||||||
|
grub2 support: allow the user to customize the command line
|
||||||
|
Mitigated S3 resume delay by adjusting LZ_MAX_OFFSET to 5000 in lz.c.
|
||||||
|
Added SGX TPM nv index support
|
||||||
|
Add 64 bit ELF object support
|
||||||
|
Gentoo Hardened, which uses the GRSecurity and PaX patch sets
|
||||||
|
Disable -fstack-check in CFLAG for compatibility with Gentoo Linux.
|
||||||
|
Enhanced tboot compatiblity running on non-Intel TXT platform with a fix of is_launched()
|
||||||
|
LCP documentation improvements
|
||||||
|
- tboot-grub2-suse.patch: refreshed
|
||||||
|
- tboot-grub2-fix-xen-submenu-name.patch: refreshed
|
||||||
|
- tboot-fix-stackoverflow.patch: upstream in 1.9.4
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 6 09:41:06 UTC 2016 - meissner@suse.com
|
||||||
|
|
||||||
|
- tboot-fix-stackoverflow.patch: fix a excessive stack usage pattern
|
||||||
|
that could lead to resets/crashes (bsc#967441)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 8 12:08:52 UTC 2015 - meissner@suse.com
|
||||||
|
|
||||||
|
- Updated to 1.8.3/20140728 FATE#318542
|
||||||
|
* Added verified launch control policy user guide
|
||||||
|
* Fixed a bug about var MTRR settings to follow the rule that each VAR MTRR base must be a multiple of that MTRR's size.
|
||||||
|
* Access tpm sts reg with 3-byte width in v1.2 case and 4-byte width in v2.0 case
|
||||||
|
* Bugfix: lcp2_mlehash get wrong hash if the cmdline string length > 7
|
||||||
|
* Optimized tboot log processing flow to avoid log buffer overflow by adopting lz Compress/Uncompress algorithms
|
||||||
|
* Added SGX support for Skylake platform
|
||||||
|
* tpm2: use the primary object in NULL Hierarchy instead of Platform Hierarchy for seal/unseal usage
|
||||||
|
* Fixed a bug for lcp2_mlehash tool
|
||||||
|
* Fixed system hang issue caused by TXT disable, TPM disable or SINIT ACM not correctly provided in EFI booting mode
|
||||||
|
* Fixed bug for wrong assumption on the way how GRUB2 load modules
|
||||||
|
* Fixed MB2 tags mess issue caused by moving shorter module cmdline to head
|
||||||
|
* Fixed compile issue when debug=y
|
||||||
|
- fixes a boot issue on Skylake (bsc#964408)
|
||||||
|
- refreshed tboot-grub2-fix-xen-submenu-name.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jul 28 12:14:12 UTC 2014 - meissner@suse.com
|
||||||
|
|
||||||
|
- updated to 1.8.2/20140728
|
||||||
|
Security Fix: TBOOT Argument Measurement Vulnerability for GRUB2 + ELF Kernels
|
||||||
|
fix werror in 32 bit build environment
|
||||||
|
- tboot-fix.patch: removed, fixed differently upstream.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 19 11:11:10 UTC 2014 - meissner@suse.com
|
||||||
|
|
||||||
|
- updated to 1.8.1/20140516
|
||||||
|
Fix build error "may be used uninitialized"
|
||||||
|
Reset eventlog when S3
|
||||||
|
Update tboot version to 1.8.1 in grub title
|
||||||
|
Fix grub cfg file generation scripts for SLES12
|
||||||
|
Fix seal failure issue
|
||||||
|
tpm2 lcptools
|
||||||
|
Restore local apic base for AP
|
||||||
|
Fix typo in hash_alg_to_string()
|
||||||
|
Change to create primary object only once
|
||||||
|
Add prepare_tpm call in S3 path to ensure locality 0 was released before senter
|
||||||
|
Fix possible dead loop in print_bios_data when bios_data version 4
|
||||||
|
Fix possible null pointer dereference in loader.c
|
||||||
|
Fix possible null pointer dereference in tpm_12.c and tpm_20.c
|
||||||
|
Avoid buffer overrun when append tpm12 eventlog
|
||||||
|
Fix possible NULL pointer dereference
|
||||||
|
Fix one event log issue caused by wrong append and print operation
|
||||||
|
Fix error "unsupported hash alg" for agile extend policy
|
||||||
|
Fix warning "ACM info_table version mismatch"
|
||||||
|
Update the tpm family detection with a general way
|
||||||
|
Fix a lcp tools issue caused by redefining TB_HALG_SHA1 from 0 to 4
|
||||||
|
Assign g_tpm a value for no tpm case to avoid NULL checks
|
||||||
|
Fix crash when TPM is missing
|
||||||
|
Fix infinite loop in determine_multiboot_type()
|
||||||
|
Fix typo in tpm20_init() and remove unused variable
|
||||||
|
Allow the to-be-measured nv to be protected by AUTHWRITE
|
||||||
|
Check cpu vendor id to avoid unexpected behavior in non-intel cpu
|
||||||
|
Change to detect TPM family only once
|
||||||
|
Fix some typos caused by copy-paste
|
||||||
|
|
||||||
|
- removed tboot-cs381.patch: upstream
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 16 06:10:17 UTC 2014 - mchang@suse.com
|
||||||
|
|
||||||
|
- fix grub2 boot menu after installing lots of kernels (bnc#865815)
|
||||||
|
- add tboot-grub2-fix-menu-in-xen-host-server.patch
|
||||||
|
- add tboot-grub2-fix-xen-submenu-name.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 30 08:42:27 UTC 2014 - meissner@suse.com
|
||||||
|
|
||||||
|
- tboot-cs381.patch: generate tboot entries correctly, from Intel.
|
||||||
|
bnc#875581
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 19 16:05:10 UTC 2014 - meissner@suse.com
|
||||||
|
|
||||||
|
- fixed path for /usr/share/grub2/grub-mkconfig_lib in our grub2
|
||||||
|
snippets. (bnc#864633)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jan 30 21:59:46 UTC 2014 - meissner@suse.com
|
||||||
|
|
||||||
|
- updated to 1.8.0/20130705
|
||||||
|
Update README for TPM2 support
|
||||||
|
tpm2 support
|
||||||
|
Adding sha256 algorithm implementation
|
||||||
|
Update README for TPM NV measuring
|
||||||
|
Update README for EFI support
|
||||||
|
Fix typo in tboot/Makefile
|
||||||
|
Increase the supported maximum number of cpus from 256 to 512
|
||||||
|
Extend tboot policy supporting measuring TPM NV
|
||||||
|
EFI support via multiboot2 changes
|
||||||
|
Fix typo in common/hash.c
|
||||||
|
Fix verification for extended data elements in txt heap
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Aug 8 11:56:45 UTC 2013 - meissner@suse.com
|
||||||
|
|
||||||
|
- updated to 1.7.4/20130705
|
||||||
|
Fix possible empty submenu block in generated grub.cfg
|
||||||
|
Add a call_racm=check option for easy RACM launch result check
|
||||||
|
Fix type check for revocation ACM.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 8 15:26:59 UTC 2013 - meissner@suse.com
|
||||||
|
|
||||||
|
- updated to 1.7.3/20121228
|
||||||
|
Update README with updated code repository url.
|
||||||
|
Fix grub2 scripts to be compatible with more distros.
|
||||||
|
Update README for RACM launch support
|
||||||
|
Add a new option "call_racm=true|false" for revocation acm(RACM) launch
|
||||||
|
Fix potential buffer overrun & memory leak in crtpconf.c
|
||||||
|
Fix a potential buffer overrun in lcptools/lock.c
|
||||||
|
Print cmdline in multi-lines
|
||||||
|
Optional print TXT.ERRORCODE under level error or info
|
||||||
|
Fix side effects of tboot log level macros in tools
|
||||||
|
Update readme for the new detail log level
|
||||||
|
Classify all logs into different log levels
|
||||||
|
Add detail log level and the macros defined for log level
|
||||||
|
Fix acmod_error_t type to correctly align all bits in 4bytes
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 10 15:31:57 UTC 2012 - meissner@suse.com
|
||||||
|
|
||||||
|
- updated to 1.7.2/20120929
|
||||||
|
Add Makefile for docs to install man pages.
|
||||||
|
Add man pages for tools
|
||||||
|
Add grub-mkconfig helper scripts for tboot case in GRUB2
|
||||||
|
Fix for deb build in ubuntu
|
||||||
|
Fix S3 issue brought by c/s 308
|
||||||
|
Fix a S4 hang issue and a potential shutdown reset issue
|
||||||
|
Fix build with new zlib 1.2.7.
|
||||||
|
Initialize event log when S3
|
||||||
|
Update README to change upstream repo url from bughost.org to sf.net.
|
||||||
|
|
||||||
|
- updated to 1.7.1/20120427
|
||||||
|
Fix cmdline size in tb_polgen
|
||||||
|
Add description for option min_ram in README.
|
||||||
|
new tboot cmdline option "min_ram=0xXXXXXX"
|
||||||
|
Update test-patches/tpm-test.patch to fit in latest code.
|
||||||
|
- zlib patch upstreamed.
|
||||||
|
- spec file adjustments
|
||||||
|
- tboot-fix.patch: fixed printf type mismatch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 31 13:20:57 CEST 2012 - meissner@suse.de
|
||||||
|
|
||||||
|
- adjust to changed zlib api
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 25 23:16:20 CEST 2012 - meissner@suse.de
|
||||||
|
|
||||||
|
- reenable exclusivearch to avoid building it on ppc and arm.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Feb 28 14:03:52 UTC 2012 - meissner@suse.com
|
||||||
|
|
||||||
|
- updated to 1.7.0
|
||||||
|
Print version number while changeset info unavailable
|
||||||
|
Document DA changes in README
|
||||||
|
Add event log for PCR extends in tboot
|
||||||
|
Follow details / authorities PCR mapping style in tboot
|
||||||
|
Support details / authorities PCR mapping
|
||||||
|
Support TPM event log
|
||||||
|
fix build issue for txt-stat in 64 bit environment.
|
||||||
|
update README for mwait AP wakeup mechanism
|
||||||
|
tboot: provide a new AP wakeup way for OS/VMM - mwait then memory write
|
||||||
|
Original txt-stat.c doesn't display TXT heap info by default. Add
|
||||||
|
command line options to display help info and optionally enable
|
||||||
|
displaying heap info.
|
||||||
|
Fix a shutdown issue on heavily throttled large server
|
||||||
|
Adjust mle_hdr.{mle|cmdline}_{start|end}_off according to CS285,286
|
||||||
|
changes to give lcp_mlehash correct info to produce hash value.
|
||||||
|
Fix boot issue caused by including mle page table into tboot memory
|
||||||
|
Fix for possible overwritting to mle page table by GRUB2
|
||||||
|
Add PAGE_UP() fn that rounds things up/donw to a page.
|
||||||
|
Update get_mbi_mem_end() with a accurate, safer calculating way
|
||||||
|
ACPI fix and sanity check
|
||||||
|
Add some sanity check before using mods_count in a count-down loop
|
||||||
|
TPM: add waiting on expect==0 before issue tpmGo
|
||||||
|
txt-stat: Don't show heap info by default.
|
||||||
|
Exchange definitions for TBOOT_BASE_ADDR & TBOOT_START
|
||||||
|
Add const qualifier for suibable parms of all possible fns.
|
||||||
|
fix possible mbi overwrite issue for Linux with grub2
|
||||||
|
enhance print_mbi() to print more mbi info for debug purpose
|
||||||
|
Fix for GRUB2 loading elf image such as Xen.
|
||||||
|
Move apply_policy() call into txt_post_launch()
|
||||||
|
Don't zap s3_key in tboot shared page if sealing failed due to tpm
|
||||||
|
unowned
|
||||||
|
Update the explanation of signed lists to make it clearer.
|
||||||
|
tboot: add a fall back for reboot via keyboard reset vector
|
||||||
|
tboot: revise README to explain how to configure GRUB2 config file for
|
||||||
|
tboot
|
||||||
|
tboot: rewrite acpi reg access fns to refer to bit_width instead of
|
||||||
|
access_width
|
||||||
|
tboot: change reboot mechanism to use keyboard reset vector
|
||||||
|
tboot: handle mis-programmed TXT config regs and TXT heap gracefully
|
||||||
|
tboot: add warning when TPM timeout values are wrong
|
||||||
|
all PM1_CNT accesses should be 16bit.
|
||||||
|
Enlarge NR_CPUS from 64 to 256
|
||||||
|
Add support for SBIOS policy element type (LCP_SBIOS_ELEMENT) to
|
||||||
|
lcp_crtpolelt
|
||||||
|
Fix processor id list matching between platform and acmod
|
||||||
|
Make lcp_crtpollist support empty lists (i.e. with no elements)
|
||||||
|
print a bit more error reasons in txt-stat
|
||||||
|
Fix segmentation fault in txt-stat on some systems
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jan 12 11:31:12 UTC 2012 - coolo@suse.com
|
||||||
|
|
||||||
|
- change license to be in spdx.org format
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 24 14:48:45 UTC 2011 - idonmez@novell.com
|
||||||
|
|
||||||
|
- Update to changeset 261
|
||||||
|
+ gcc 4.6 fixes
|
||||||
|
+ Fix segmentation fault in txt-stat on some systems
|
||||||
|
+ Add support for TXT heap extended data elements and BiosData version 4
|
||||||
|
+ Add support for AC Module chipset info table version 4 (ProcessorIDList)
|
||||||
|
+ Removed no_usb command line parameter and SMI disabling
|
||||||
|
+ Support MAXPHYADDR > 36b
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 27 18:38:23 CEST 2011 - meissner@suse.de
|
||||||
|
|
||||||
|
- initial import of current intel trusted boot loader
|
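--- /dev/null
+++ b/tboot.spec
@@ -0,0 +1,105 @@
+#
+# spec file for package tboot
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tboot
+%define ver 1.11.1
+Version: 20210614_%{ver}
+Release: 0
+Summary: Program for performing a verified launch using Intel TXT
+License: BSD-3-Clause
+Group: Productivity/Security
+URL: https://sourceforge.net/projects/tboot/
+Source0: https://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver}.tar.gz
+Patch3: tboot-grub2-fix-menu-in-xen-host-server.patch
+Patch4: tboot-grub2-fix-xen-submenu-name.patch
+Patch7: tboot-distributor.patch
+Patch8: tboot-grub2-refuse-secure-boot.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+ExclusiveArch: %{ix86} x86_64
+BuildRequires: openssl-devel
+BuildRequires: zlib-devel
+
+%if 0%{?suse_version} > 1320
+BuildRequires: update-bootloader-rpm-macros
+%endif
+
+%if 0%{?update_bootloader_requires:1}
+%update_bootloader_requires
+%else
+Requires: perl-Bootloader
+%endif
+
+%description
+Trusted Boot (tboot) is a pre-kernel/VMM module that uses Intel
+Trusted Execution Technology (Intel(R) TXT) to perform a measured and
+verified launch of an OS kernel/VMM.
+
+%prep
+%setup -q -n %name-%ver
+%autopatch -p1
+
+%build
+# Tumbleweed now uses -flto=3 by default which gives us trouble with the
+# statically linked C and assembler code in tboot. Better to be conservative
+# here since tboot is low level stuff -> disable LTO for us (boo#1141323).
+%define _lto_cflags %{nil}
+export TBOOT_CFLAGS="$CFLAGS"
+make debug=y %{?_smp_mflags}
+
+%install
+make debug=y install DISTDIR="%{buildroot}" MANPATH="%{buildroot}/%{_mandir}"
+
+%files
+%defattr(-,root,root,-)
+%doc README.md COPYING docs/* lcptools-v2/lcptools.txt
+%{_sbindir}/txt-acminfo
+%{_sbindir}/txt-parse_err
+%{_sbindir}/tb_polgen
+%{_sbindir}/txt-stat
+%{_sbindir}/lcp2_crtpol
+%{_sbindir}/lcp2_crtpolelt
+%{_sbindir}/lcp2_crtpollist
+%{_sbindir}/lcp2_mlehash
+/boot/tboot.gz
+/boot/tboot-syms
+%{_mandir}/man8/*
+%dir %{_sysconfdir}/grub.d/
+%{_sysconfdir}/grub.d/20_linux_tboot
+%{_sysconfdir}/grub.d/20_linux_xen_tboot
+
+%post
+%if 0%{?update_bootloader_check_type_reinit_post:1}
+%update_bootloader_check_type_reinit_post grub2 grub2-efi
+%else
+/sbin/update-bootloader --reinit || true
+%endif
+
+%postun
+%if 0%{?update_bootloader_check_type_reinit_post:1}
+# there is no clean solution for refresh during package removal at the moment.
+# %%posttrans is not executed during package removal.
+%update_bootloader_check_type_reinit_post grub2 grub2-efi
+%update_bootloader_posttrans
+%else
+/sbin/update-bootloader --reinit || true
+%endif
+
+%posttrans
+%{?update_bootloader_posttrans}
+
+%changelog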
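Review bot: The `%else` fallback branches of `%post` and `%postun` run `/sbin/update-bootloader --reinit || true`, which discards a failed bootloader refresh without leaving any trace. If the refresh fails after installation, the boot menu is presumably never regenerated from `20_linux_tboot`, so the machine keeps booting without the measured launch and nobody is told; after removal, stale menu entries may still reference the deleted `/boot/tboot.gz`. Keeping the scriptlet non-fatal is reasonable, but the failure should show up in the transaction output, for example `/sbin/update-bootloader --reinit || echo "tboot: update-bootloader --reinit failed; grub.cfg was not regenerated" >&2`. The `%update_bootloader_*` macros used in the other branches are defined outside this file, so whether they report failures cannot be judged from here.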