Compare commits

1 Commits
1.1 ... main

14 changed files with 235 additions and 37 deletions

Binary file not shown.

BIN
tboot-1.11.10.tar.gz LFS Normal file

Binary file not shown.

BIN
tboot-1.11.10.tar.gz.gpg Normal file

Binary file not shown.


@@ -0,0 +1,34 @@
Index: tboot-1.11.9/tboot/common/loader.c
===================================================================
--- tboot-1.11.9.orig/tboot/common/loader.c
+++ tboot-1.11.9/tboot/common/loader.c
@@ -1100,15 +1100,21 @@ void move_modules(loader_ctx *lctx)
if ( below_tboot(lowest) )
from = lowest;
- else
+
+ /*
+ * if MBI is below tboot & the lowest module, make sure it gets
+ * copied, too!
+ */
+ if ( below_tboot((unsigned long)lctx->addr) &&
+ (unsigned long)lctx->addr < lowest )
+ {
+ from = (unsigned long)lctx->addr;
+ }
+
+ if (from == 0)
{
- if ( below_tboot((unsigned long)lctx->addr) )
- from = (unsigned long)lctx->addr;
- else
- {
- printk(TBOOT_INFO"No module below tboot, all good.\n");
- return;
- }
+ printk(TBOOT_INFO"No module below tboot, all good.\n");
+ return;
}
unsigned long highest = get_highest_mod_end(lctx);
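Review bot: The new early-return test `if (from == 0)` only works if `from` is initialised to zero before this hunk, and that declaration is not visible here. With the old `else` chain every path either assigned `from` or returned, so this is a new dependency. Please confirm the declaration reads `unsigned long from = 0;` and add a comment there such as `/* 0 means: nothing below tboot needs moving */`. The spacing of `if (from == 0)` also differs from the `if ( ... )` style of the surrounding lines. move_modules() starts and continues outside the hunk.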

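--- a/tboot-cet.patch
+++ b/tboot-cet.patch
@@ -0,0 +1,12 @@
+Index: tboot-1.11.10/tboot/common/shutdown.S
+===================================================================
+--- tboot-1.11.10.orig/tboot/common/shutdown.S
++++ tboot-1.11.10/tboot/common/shutdown.S
+@@ -116,6 +116,7 @@ shutdown_entry32:
+*/
+ENTRY(shutdown_entry)
+.code64
++ endbr64
+cli
+wbinvd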
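Review bot: The patch file carries no header, while the xen submenu patch in this package starts with `Subject:`, `References:` and `Patch-Mainline:` lines. Adding `References: bsc#1246573` and a `Patch-Mainline:` status would keep the reason for the `endbr64` traceable from the patch itself. A one-line comment above the instruction, e.g. `/* landing pad for CET/IBT: presumably entered via an indirect branch from the kernel */`, would also make it less likely to be dropped in a later refresh. The hunk header shows a `shutdown_entry32` label just above. Whether that 32-bit entry is also reached indirectly from a CET-enabled kernel cannot be told from this hunk and is worth checking.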


@@ -1,8 +1,8 @@
Index: tboot-1.9.8/tboot/20_linux_tboot
Index: tboot-1.11.9/tboot/20_linux_tboot
===================================================================
--- tboot-1.9.8.orig/tboot/20_linux_tboot
+++ tboot-1.9.8/tboot/20_linux_tboot
@@ -72,7 +72,7 @@ CLASS="--class gnu-linux --class gnu --c
--- tboot-1.11.9.orig/tboot/20_linux_tboot
+++ tboot-1.11.9/tboot/20_linux_tboot
@@ -60,7 +60,7 @@ CLASS="--class gnu-linux --class gnu --c
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
OS=GNU/Linux
else
@@ -11,11 +11,11 @@ Index: tboot-1.9.8/tboot/20_linux_tboot
CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
fi
Index: tboot-1.9.8/tboot/20_linux_xen_tboot
Index: tboot-1.11.9/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.9.8.orig/tboot/20_linux_xen_tboot
+++ tboot-1.9.8/tboot/20_linux_xen_tboot
@@ -63,7 +63,7 @@ CLASS="--class gnu-linux --class gnu --c
--- tboot-1.11.9.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.9/tboot/20_linux_xen_tboot
@@ -69,7 +69,7 @@ CLASS="--class gnu-linux --class gnu --c
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
OS=GNU/Linux
else


@@ -0,0 +1,13 @@
Index: tboot-1.11.9/lcptools-v2/pconf_legacy.c
===================================================================
--- tboot-1.11.9.orig/lcptools-v2/pconf_legacy.c
+++ tboot-1.11.9/lcptools-v2/pconf_legacy.c
@@ -324,7 +324,7 @@ static lcp_policy_element_t *create(void
ERROR("Error: no pcrs were selected.\n");
return NULL;
}
- digest = malloc(SHA1_DIGEST_SIZE);
+ digest = malloc(sizeof(*digest));
if (digest == NULL) {
ERROR("Error: failed to allocate memory for digest buffer.\n");
return NULL;
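Review bot: `malloc(sizeof(*digest))` now allocates the whole hash union, but the bytes beyond the SHA-1 digest stay uninitialised. If any later code in create() copies or compares the full union rather than `SHA1_DIGEST_SIZE` bytes, it would carry indeterminate heap data into a policy element. Using `digest = calloc(1, sizeof(*digest));` keeps the warning fix and makes the tail defined. The rest of create() is outside the hunk, so whether such a full-size use exists cannot be confirmed from here.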


@@ -23,10 +23,10 @@ v3:
References: bnc#865815
Porting to tboot in order to fix duplicated xen entries
Index: tboot-1.11.1/tboot/20_linux_tboot
Index: tboot-1.11.9/tboot/20_linux_tboot
===================================================================
--- tboot-1.11.1.orig/tboot/20_linux_tboot
+++ tboot-1.11.1/tboot/20_linux_tboot
--- tboot-1.11.9.orig/tboot/20_linux_tboot
+++ tboot-1.11.9/tboot/20_linux_tboot
@@ -219,6 +219,49 @@ while [ "x${tboot_list}" != "x" ] && [ "
break
fi
@@ -77,10 +77,10 @@ Index: tboot-1.11.1/tboot/20_linux_tboot
if test -n "${initrd}" ; then
echo "Found initrd image: ${dirname}/${initrd}" >&2
else
Index: tboot-1.11.1/tboot/20_linux_xen_tboot
Index: tboot-1.11.9/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.11.1.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.1/tboot/20_linux_xen_tboot
--- tboot-1.11.9.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.9/tboot/20_linux_xen_tboot
@@ -58,6 +58,12 @@ fi
export TEXTDOMAIN=grub
export TEXTDOMAINDIR=${prefix}/share/locale


@@ -4,13 +4,13 @@ Subject: fix xen submenu name to show tboot version
References: bnc#865815
Patch-Mainline: no
Index: tboot-1.11.1/tboot/20_linux_xen_tboot
Index: tboot-1.11.10/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.11.1.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.1/tboot/20_linux_xen_tboot
--- tboot-1.11.10.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.10/tboot/20_linux_xen_tboot
@@ -246,7 +246,7 @@ while [ "x${xen_list}" != "x" ] ; do
rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
tboot_version="1.11.1"
tboot_version="1.11.10"
list="${linux_list}"
- echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{"
+ echo "submenu \"Xen ${xen_version} with Tboot ${tboot_version}\"{"


@@ -1,7 +1,7 @@
Index: tboot-1.9.12/tboot/20_linux_tboot
Index: tboot-1.11.9/tboot/20_linux_tboot
===================================================================
--- tboot-1.9.12.orig/tboot/20_linux_tboot
+++ tboot-1.9.12/tboot/20_linux_tboot
--- tboot-1.11.9.orig/tboot/20_linux_tboot
+++ tboot-1.11.9/tboot/20_linux_tboot
@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
. ${sysconfdir}/default/grub-tboot
fi
@@ -31,10 +31,10 @@ Index: tboot-1.9.12/tboot/20_linux_tboot
# Set the following variables in /etc/default/grub-tboot to customize command lines
# (empty values are treated as if the variables were unset).
[ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT
Index: tboot-1.9.12/tboot/20_linux_xen_tboot
Index: tboot-1.11.9/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.9.12.orig/tboot/20_linux_xen_tboot
+++ tboot-1.9.12/tboot/20_linux_xen_tboot
--- tboot-1.11.9.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.9/tboot/20_linux_xen_tboot
@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
. ${sysconfdir}/default/grub-tboot
fi


@@ -1,3 +1,83 @@
-------------------------------------------------------------------
Wed Jul 16 09:04:58 UTC 2025 - Marcus Meissner <meissner@suse.com>
- updated to version 20250417: v1.11.10
- Fix the issue causing tboot to hang during waking up processors from
txt sleep on DMR simics
- add .gpg signature and tboot.keyring
- tboot-cet.patch: add a missing ENDBR64 instruction when kernel is
using CET (bsc#1246573)
-------------------------------------------------------------------
Wed Feb 19 10:43:54 UTC 2025 - Matthias Gerstner <matthias.gerstner@suse.com>
- update to version 1.11.9 :
- Merge TXT Protected Range support branch.
- Remove unncessary OPENSSL_free from lcputils.c and add a functionality to
move ACM modules from the address range below TBOOT to above TBOOT, to
allow the usage of ACMs bigger than 256KB.
- Restore call to configure_vtd.
- refresh and adjust tboot-bsc#1207833-copy-mbi.patch
- refresh tboot-distributor.patch
- refresh tboot-fix-alloc-size-warning.patch
- refresh tboot-grub2-fix-menu-in-xen-host-server.patch
- refresh tboot-grub2-fix-xen-submenu-name.patch
- refresh tboot-grub2-refuse-secure-boot.patch
-------------------------------------------------------------------
Wed Aug 28 08:27:34 UTC 2024 - Matthias Gerstner <matthias.gerstner@suse.com>
- add tboot-fix-alloc-size-warning.patch: newest GCC spits out this error:
```
pconf_legacy.c: In function create:
pconf_legacy.c:327:16: error: allocation of insufficient size 20 for type tb_hash_t with size 64 [-Werror=alloc-size]
327 | digest = malloc(SHA1_DIGEST_SIZE);
| ^
```
There's a union data type behind this. It's not an actual error. To get rid
of the warning, the patch allocates the full union size, thereby wasting a
bit of memory.
-------------------------------------------------------------------
Tue Jun 25 07:34:57 UTC 2024 - Matthias Gerstner <matthias.gerstner@suse.com>
- add tboot-bsc#1207833-copy-mbi.patch: correctly move MBI from a lower
address above tboot (bsc#1207833). This fixes a broken boot situation in
some configurations stopping with log line "TBOOT: loader context was moved
from 0x<address> to 0x<address>".
this patch syncs the Factory package with the SLE package. For some reason I
forgot to add the patch to Factory first. Also upstream did not react to the
patch, that I posted to their mailing list, so it's not contained in the
upstream tarball.
-------------------------------------------------------------------
Mon Jun 17 13:09:34 UTC 2024 - Matthias Gerstner <matthias.gerstner@suse.com>
- add tboot.rpmlintrc: suppress warning about missing %check section. There's
no testsuite for tboot.
- mark grub.d snippets as %config (noreplace) to satisfy rpmlint warning
(the grub2 package itself marks its snippets this way, so it seems to be
common standard to do so).
- update to v1.11.4:
* v1.11.4
Increase the TBOOT log size from 32 KB to 64 KB. For some Intel server
platforms, it was noticed that TBOOT_SERIAL_LOG memory section was too
small to hold all of the print logs, produced by TBOOT. Due to this
reason TBOOT log section memory size had to be increase to 64KB.
* v1.11.3
Fix the hanging TBOOT issue, which appeared during the RLPs wakeup process
on the Intel's multisocket platform. This problem appeared during the AP
stacks allocations for these RLPs. TBOOT allocated memory for them depending
on the woken-up CPUs X2 APIC values. When some of them exceeded the NR_CPUS (1024),
then the RLP wakeup process execution halted. For the current moment,
the maximal X2 APID value was increased from 1024 to 8192. This kind of
solution fixed the given problem.
* v1.11.2
Fix the RAM memory allocation algorithm for the initrd.
-------------------------------------------------------------------
Mon Feb 6 10:52:29 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>

52
tboot.keyring Normal file

@@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=erCM
-----END PGP PUBLIC KEY BLOCK-----

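--- a/tboot.rpmlintrc
+++ b/tboot.rpmlintrc
@@ -0,0 +1 @@
+addFilter("no-%check-section")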


@@ -1,7 +1,7 @@
#
# spec file for package tboot
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,18 +17,24 @@
Name: tboot
%define ver 1.11.1
Version: 20210614_%{ver}
%define ver 1.11.10
Version: 20250417_%{ver}
Release: 0
Summary: Program for performing a verified launch using Intel TXT
License: BSD-3-Clause
Group: Productivity/Security
URL: https://sourceforge.net/projects/tboot/
Source0: https://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver}.tar.gz
Patch3: tboot-grub2-fix-menu-in-xen-host-server.patch
Patch4: tboot-grub2-fix-xen-submenu-name.patch
Patch7: tboot-distributor.patch
Patch8: tboot-grub2-refuse-secure-boot.patch
Source0: https://downloads.sourceforge.net/project/tboot/tboot-%{ver}.tar.gz
Source2: https://downloads.sourceforge.net/project/tboot/tboot-%{ver}.tar.gz.gpg
Source3: https://downloads.sourceforge.net/project/tboot/tboot-1.11.0-pub-key.key#/tboot.keyring
Source1: tboot.rpmlintrc
Patch1: tboot-grub2-fix-menu-in-xen-host-server.patch
Patch2: tboot-grub2-fix-xen-submenu-name.patch
Patch3: tboot-distributor.patch
Patch4: tboot-grub2-refuse-secure-boot.patch
Patch5: tboot-bsc#1207833-copy-mbi.patch
Patch6: tboot-fix-alloc-size-warning.patch
Patch7: tboot-cet.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExclusiveArch: %{ix86} x86_64
BuildRequires: openssl-devel
@@ -79,8 +85,8 @@ make debug=y install DISTDIR="%{buildroot}" MANPATH="%{buildroot}/%{_mandir}"
/boot/tboot-syms
%{_mandir}/man8/*
%dir %{_sysconfdir}/grub.d/
%{_sysconfdir}/grub.d/20_linux_tboot
%{_sysconfdir}/grub.d/20_linux_xen_tboot
%config(noreplace) %{_sysconfdir}/grub.d/20_linux_tboot
%config(noreplace) %{_sysconfdir}/grub.d/20_linux_xen_tboot
%post
%if 0%{?update_bootloader_check_type_reinit_post:1}
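Review bot: `Source3` takes the keyring from the same SourceForge project as `Source0` and `Source2`, so the signature only adds assurance if the key's fingerprint was checked against an independent source when tboot.keyring was first committed. Recording that fingerprint in a spec comment next to `Source3`, or in the changelog entry, lets a later update detect a replaced key. The visible hunks contain no verification step in `%prep`, so it is worth confirming that the build service's source validation really checks `tboot-%{ver}.tar.gz.gpg` against the keyring, and that it recognises the `.gpg` suffix. `Source1` is also listed after `Source3`; sorting the `Source` tags numerically would make the list easier to audit.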