Compare commits

1 Commits
main ... 1.1

11 changed files with 36 additions and 157 deletions

BIN
tboot-1.11.1.tar.gz LFS Normal file

Binary file not shown.

Binary file not shown.


@@ -1,34 +0,0 @@
Index: tboot-1.11.9/tboot/common/loader.c
===================================================================
--- tboot-1.11.9.orig/tboot/common/loader.c
+++ tboot-1.11.9/tboot/common/loader.c
@@ -1100,15 +1100,21 @@ void move_modules(loader_ctx *lctx)
if ( below_tboot(lowest) )
from = lowest;
- else
+
+ /*
+ * if MBI is below tboot & the lowest module, make sure it gets
+ * copied, too!
+ */
+ if ( below_tboot((unsigned long)lctx->addr) &&
+ (unsigned long)lctx->addr < lowest )
+ {
+ from = (unsigned long)lctx->addr;
+ }
+
+ if (from == 0)
{
- if ( below_tboot((unsigned long)lctx->addr) )
- from = (unsigned long)lctx->addr;
- else
- {
- printk(TBOOT_INFO"No module below tboot, all good.\n");
- return;
- }
+ printk(TBOOT_INFO"No module below tboot, all good.\n");
+ return;
}
unsigned long highest = get_highest_mod_end(lctx);


@@ -1,8 +1,8 @@
Index: tboot-1.11.9/tboot/20_linux_tboot
Index: tboot-1.9.8/tboot/20_linux_tboot
===================================================================
--- tboot-1.11.9.orig/tboot/20_linux_tboot
+++ tboot-1.11.9/tboot/20_linux_tboot
@@ -60,7 +60,7 @@ CLASS="--class gnu-linux --class gnu --c
--- tboot-1.9.8.orig/tboot/20_linux_tboot
+++ tboot-1.9.8/tboot/20_linux_tboot
@@ -72,7 +72,7 @@ CLASS="--class gnu-linux --class gnu --c
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
OS=GNU/Linux
else
@@ -11,11 +11,11 @@ Index: tboot-1.11.9/tboot/20_linux_tboot
CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
fi
Index: tboot-1.11.9/tboot/20_linux_xen_tboot
Index: tboot-1.9.8/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.11.9.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.9/tboot/20_linux_xen_tboot
@@ -69,7 +69,7 @@ CLASS="--class gnu-linux --class gnu --c
--- tboot-1.9.8.orig/tboot/20_linux_xen_tboot
+++ tboot-1.9.8/tboot/20_linux_xen_tboot
@@ -63,7 +63,7 @@ CLASS="--class gnu-linux --class gnu --c
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
OS=GNU/Linux
else


@@ -1,13 +0,0 @@
Index: tboot-1.11.9/lcptools-v2/pconf_legacy.c
===================================================================
--- tboot-1.11.9.orig/lcptools-v2/pconf_legacy.c
+++ tboot-1.11.9/lcptools-v2/pconf_legacy.c
@@ -324,7 +324,7 @@ static lcp_policy_element_t *create(void
ERROR("Error: no pcrs were selected.\n");
return NULL;
}
- digest = malloc(SHA1_DIGEST_SIZE);
+ digest = malloc(sizeof(*digest));
if (digest == NULL) {
ERROR("Error: failed to allocate memory for digest buffer.\n");
return NULL;


@@ -23,10 +23,10 @@ v3:
References: bnc#865815
Porting to tboot in order to fix duplicated xen entries
Index: tboot-1.11.9/tboot/20_linux_tboot
Index: tboot-1.11.1/tboot/20_linux_tboot
===================================================================
--- tboot-1.11.9.orig/tboot/20_linux_tboot
+++ tboot-1.11.9/tboot/20_linux_tboot
--- tboot-1.11.1.orig/tboot/20_linux_tboot
+++ tboot-1.11.1/tboot/20_linux_tboot
@@ -219,6 +219,49 @@ while [ "x${tboot_list}" != "x" ] && [ "
break
fi
@@ -77,10 +77,10 @@ Index: tboot-1.11.9/tboot/20_linux_tboot
if test -n "${initrd}" ; then
echo "Found initrd image: ${dirname}/${initrd}" >&2
else
Index: tboot-1.11.9/tboot/20_linux_xen_tboot
Index: tboot-1.11.1/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.11.9.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.9/tboot/20_linux_xen_tboot
--- tboot-1.11.1.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.1/tboot/20_linux_xen_tboot
@@ -58,6 +58,12 @@ fi
export TEXTDOMAIN=grub
export TEXTDOMAINDIR=${prefix}/share/locale


@@ -4,13 +4,13 @@ Subject: fix xen submenu name to show tboot version
References: bnc#865815
Patch-Mainline: no
Index: tboot-1.11.9/tboot/20_linux_xen_tboot
Index: tboot-1.11.1/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.11.9.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.9/tboot/20_linux_xen_tboot
--- tboot-1.11.1.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.1/tboot/20_linux_xen_tboot
@@ -246,7 +246,7 @@ while [ "x${xen_list}" != "x" ] ; do
rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
tboot_version="1.11.9"
tboot_version="1.11.1"
list="${linux_list}"
- echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{"
+ echo "submenu \"Xen ${xen_version} with Tboot ${tboot_version}\"{"


@@ -1,7 +1,7 @@
Index: tboot-1.11.9/tboot/20_linux_tboot
Index: tboot-1.9.12/tboot/20_linux_tboot
===================================================================
--- tboot-1.11.9.orig/tboot/20_linux_tboot
+++ tboot-1.11.9/tboot/20_linux_tboot
--- tboot-1.9.12.orig/tboot/20_linux_tboot
+++ tboot-1.9.12/tboot/20_linux_tboot
@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
. ${sysconfdir}/default/grub-tboot
fi
@@ -31,10 +31,10 @@ Index: tboot-1.11.9/tboot/20_linux_tboot
# Set the following variables in /etc/default/grub-tboot to customize command lines
# (empty values are treated as if the variables were unset).
[ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT
Index: tboot-1.11.9/tboot/20_linux_xen_tboot
Index: tboot-1.9.12/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.11.9.orig/tboot/20_linux_xen_tboot
+++ tboot-1.11.9/tboot/20_linux_xen_tboot
--- tboot-1.9.12.orig/tboot/20_linux_xen_tboot
+++ tboot-1.9.12/tboot/20_linux_xen_tboot
@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
. ${sysconfdir}/default/grub-tboot
fi


@@ -1,73 +1,3 @@
-------------------------------------------------------------------
Wed Feb 19 10:43:54 UTC 2025 - Matthias Gerstner <matthias.gerstner@suse.com>
- update to version 1.11.9 :
- Merge TXT Protected Range support branch.
- Remove unncessary OPENSSL_free from lcputils.c and add a functionality to
move ACM modules from the address range below TBOOT to above TBOOT, to
allow the usage of ACMs bigger than 256KB.
- Restore call to configure_vtd.
- refresh and adjust tboot-bsc#1207833-copy-mbi.patch
- refresh tboot-distributor.patch
- refresh tboot-fix-alloc-size-warning.patch
- refresh tboot-grub2-fix-menu-in-xen-host-server.patch
- refresh tboot-grub2-fix-xen-submenu-name.patch
- refresh tboot-grub2-refuse-secure-boot.patch
-------------------------------------------------------------------
Wed Aug 28 08:27:34 UTC 2024 - Matthias Gerstner <matthias.gerstner@suse.com>
- add tboot-fix-alloc-size-warning.patch: newest GCC spits out this error:
```
pconf_legacy.c: In function create:
pconf_legacy.c:327:16: error: allocation of insufficient size 20 for type tb_hash_t with size 64 [-Werror=alloc-size]
327 | digest = malloc(SHA1_DIGEST_SIZE);
| ^
```
There's a union data type behind this. It's not an actual error. To get rid
of the warning, the patch allocates the full union size, thereby wasting a
bit of memory.
-------------------------------------------------------------------
Tue Jun 25 07:34:57 UTC 2024 - Matthias Gerstner <matthias.gerstner@suse.com>
- add tboot-bsc#1207833-copy-mbi.patch: correctly move MBI from a lower
address above tboot (bsc#1207833). This fixes a broken boot situation in
some configurations stopping with log line "TBOOT: loader context was moved
from 0x<address> to 0x<address>".
this patch syncs the Factory package with the SLE package. For some reason I
forgot to add the patch to Factory first. Also upstream did not react to the
patch, that I posted to their mailing list, so it's not contained in the
upstream tarball.
-------------------------------------------------------------------
Mon Jun 17 13:09:34 UTC 2024 - Matthias Gerstner <matthias.gerstner@suse.com>
- add tboot.rpmlintrc: suppress warning about missing %check section. There's
no testsuite for tboot.
- mark grub.d snippets as %config (noreplace) to satisfy rpmlint warning
(the grub2 package itself marks its snippets this way, so it seems to be
common standard to do so).
- update to v1.11.4:
* v1.11.4
Increase the TBOOT log size from 32 KB to 64 KB. For some Intel server
platforms, it was noticed that TBOOT_SERIAL_LOG memory section was too
small to hold all of the print logs, produced by TBOOT. Due to this
reason TBOOT log section memory size had to be increase to 64KB.
* v1.11.3
Fix the hanging TBOOT issue, which appeared during the RLPs wakeup process
on the Intel's multisocket platform. This problem appeared during the AP
stacks allocations for these RLPs. TBOOT allocated memory for them depending
on the woken-up CPUs X2 APIC values. When some of them exceeded the NR_CPUS (1024),
then the RLP wakeup process execution halted. For the current moment,
the maximal X2 APID value was increased from 1024 to 8192. This kind of
solution fixed the given problem.
* v1.11.2
Fix the RAM memory allocation algorithm for the initrd.
-------------------------------------------------------------------
Mon Feb 6 10:52:29 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>


@@ -1 +0,0 @@
addFilter("no-%check-section")


@@ -1,7 +1,7 @@
#
# spec file for package tboot
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,21 +17,18 @@
Name: tboot
%define ver 1.11.9
Version: 20250219_%{ver}
%define ver 1.11.1
Version: 20210614_%{ver}
Release: 0
Summary: Program for performing a verified launch using Intel TXT
License: BSD-3-Clause
Group: Productivity/Security
URL: https://sourceforge.net/projects/tboot/
Source0: https://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver}.tar.gz
Source1: tboot.rpmlintrc
Patch1: tboot-grub2-fix-menu-in-xen-host-server.patch
Patch2: tboot-grub2-fix-xen-submenu-name.patch
Patch3: tboot-distributor.patch
Patch4: tboot-grub2-refuse-secure-boot.patch
Patch5: tboot-bsc#1207833-copy-mbi.patch
Patch6: tboot-fix-alloc-size-warning.patch
Patch3: tboot-grub2-fix-menu-in-xen-host-server.patch
Patch4: tboot-grub2-fix-xen-submenu-name.patch
Patch7: tboot-distributor.patch
Patch8: tboot-grub2-refuse-secure-boot.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExclusiveArch: %{ix86} x86_64
BuildRequires: openssl-devel
@@ -82,8 +79,8 @@ make debug=y install DISTDIR="%{buildroot}" MANPATH="%{buildroot}/%{_mandir}"
/boot/tboot-syms
%{_mandir}/man8/*
%dir %{_sysconfdir}/grub.d/
%config(noreplace) %{_sysconfdir}/grub.d/20_linux_tboot
%config(noreplace) %{_sysconfdir}/grub.d/20_linux_xen_tboot
%{_sysconfdir}/grub.d/20_linux_tboot
%{_sysconfdir}/grub.d/20_linux_xen_tboot
%post
%if 0%{?update_bootloader_check_type_reinit_post:1}
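Review bot: The patch list on the 1.1 side (`Patch3`, `Patch4`, `Patch7`, `Patch8`) no longer carries `tboot-bsc#1207833-copy-mbi.patch`, and `%define ver 1.11.1` goes back to a tarball that, judging by the changelog entries removed in this comparison, predates the upstream 1.11.2 to 1.11.9 fixes (initrd memory allocation, the RLP wakeup hang, the restored `configure_vtd` call). Because tboot performs the measured launch, I would keep the branch on the newer source or at least retain the MBI fix with `Patch5: tboot-bsc#1207833-copy-mbi.patch` refreshed for 1.11.1; whether that patch applies cleanly to 1.11.1 cannot be checked from this page. Separately, the two grub.d entries in `%files` lose `%config(noreplace)`, so a package update would replace local edits to those snippets; `%config(noreplace) %{_sysconfdir}/grub.d/20_linux_tboot` and the same marking for `20_linux_xen_tboot` would preserve them. The remaining patch numbers skip from 4 to 7, which is harmless but worth a one-line comment in the spec saying the gap is intentional.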