Sync from SUSE:SLFO:Main tpm2.0-abrmd revision 613f1638190d809896a915be6acbcd2a
commit
692ed4d24c
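--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text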
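--- a/README.SUSE
+++ b/README.SUSE
@@ -0,0 +1,11 @@
+The tpm2-abrmd by upstream default allows every local users in the system to
+access the TPM chip and modify its settings (bsc#1197532). Upstream suggests
+to use the TPM's internal security features (e.g. password protection) to
+prevent local users from manipulating the chip without authorization. Still
+the default behaviour that every user in the system can access TPM features
+without any authentication could come as a surprise to end users and system
+integrators alike.
+
+For this reason on SUSE only members of the 'tss' group are allowed to access
+the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of
+the /dev/tpm0 and /dev/tpmrm0 character devices.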
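--- a/harden_tpm2-abrmd.service.patch
+++ b/harden_tpm2-abrmd.service.patch
@@ -0,0 +1,22 @@
+Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+===================================================================
+--- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.service.in
++++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+@@ -6,6 +6,17 @@ After=dev-tpm0.device
+Requires=dev-tpm0.device
+
+[Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=read-only
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+Type=dbus
+BusName=com.intel.tss2.Tabrmd
+ExecStart=@SBINDIR@/tpm2-abrmd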
BIN
tpm2-abrmd-3.0.0.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
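--- a/tpm2-abrmd-3.0.0.tar.gz.asc
+++ b/tpm2-abrmd-3.0.0.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmOOF5wACgkQbeLpB44f
+UMEA7RAAkJDLBahV1hRcBXwM3dbtknHlSC26GgVtw3Q16eXI4e+Hbesjoc0KPrns
+unWUnGYK+5/KG1FeGMS/4qWIvIKBfBg0KbIWi5AkYNGcjYV7f7rFK/yrYAkfv7AA
+BcRr0AHH7vl5jNDSejWGwbc0lIl0zC9cjrgkfK20qoR7t4H38m0MkmiHyaiJkYU9
+GocoEqMO1xAnrWdQ2Ky1fIrKpQHXDxPUWX/YeA5Agqh54EE6Us7kcqTy+umojFkY
+h2+8GkrxJznMKTC4iChnw2m2/LhpX7KkFuOr5CdAEoMJmRnILx2nvk/Cnrdw1LCV
+AygFbR+sDQgKE3GmtW3s+VHuTZt06QNJwjO+iriFKi1fFhG4wMdtc6eA09y7+/mo
+GeWEdTijiLYyIwCUkrPNC+taOzXrTadOteekZEzSrHwgr0Pvbhp/8uxAjH8Oc+NP
+7R7di1EBPEAACm01wYCKZIH2EqQyToyQ1hP0lZ5GwOLlZkyTDHUMHmtYsRYXRbtV
+99NqtSuh9hW+s8QZlXTB4VXrp+iMdWw8G/MXAd2Jsbcl9Wnx+LAbuExlp/U2BHtc
+JnBYh7/7HUvn0wWAN/qXrKwjMm1jppxXEnpjhAKQKG38HkUPTUDYTbcwfx8GOGbY
+bWr2dTLOlqnncNoz/V7MGP2gxRyLW16wmwZwcK4uAS9daLspfLU=
+=VUqS
+-----END PGP SIGNATURE-----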
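--- a/tpm2-abrmd.keyring
+++ b/tpm2-abrmd.keyring
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFik3GUBEADYDYbSXH3UTr9oCNCI3UxC1hiLH7cM+QIbMtWiwfAbT3G8wrTa
+NPj00qNvI4wQ/Xm3h0hB7kri7vP0FqIjIwsTdM6ZpFdVHHKW1m4P8fkOcxqmLN0g
+V36MN5fgoGWf2K94aS7ItoweRMcuHnwWawe6aAtbKSYVqhWhoB/3grgd0xhE61AS
+o8fJ7uRYNEAYVeOKlC2j+qKfoJbCa6yqZejFwOOzB6qxNRA7JYvckEf8yJ4+Y16m
+qPyZ1ErHzpql3+b5ha+g+9g8WzxAbSfGYZTwaQxyePNjXuq2tdEXf9XnESvoaoN4
+pQhiu/0BJEkXPxl1zso65g4Mn22xEELhUnwPDo5YdLlWEZ8xhELLvdJc3Z0nTR5A
+4/YaZvvzf7pOD1cwpB6IrRf8n9rOe1aDxh/A//zX9PpIOV25p5kqlE88Ya5VXrnA
+Ayfs19RZmK3+FuaI0ij79CRokG9BrI6TXT0pRTDIRu7GvAo2q13MELRvFddyRT2G
+mNjsHYcqEbraYTh3LHEiwfWp4ZgDtk8jj3iRabHQUHk9V8vSFzj+wp1E8HzO8Vp3
+BxMDIOG1VPdLi81DP+LbZI1h30ZG63ulqkKIhwx5/h2v4VCYPatVtGqVf37tLstj
+Wrs0DkBykuZrecp+AJ5ZJ+UVvR8ajO2ncAoOugNwoj9Wuvz0fVTiJIhuNQARAQAB
+tDxXaWxsaWFtIFJvYmVydHMgKEJpbGwgUm9iZXJ0cykgPHdpbGxpYW0uYy5yb2Jl
+cnRzQGludGVsLmNvbT6JAjgEEwECACIFAlik3GUCGwMGCwkIBwMCBhUIAgkKCwQW
+AgMBAh4BAheAAAoJEG3i6QeOH1DBibEQAL4EwEzegkc8NyHiW0mntwDoCv3tkUlG
+fprp/g7GWfrP+L+pN5yexg3Zm/CgVN/tTNCEr5XtP+sdds8xBF6ReJ8QPO7EiMiM
+asPXh8zlODrySXCGHmpa7IzuUC2wgD3Wq7WjniMvnBmqBdL0+8nqA6NFxOOklvK1
+ub7bqLrHKfUfciFOfYAi+C0Bh8kdZtMjfY9sqlJA3sVK2UxVXq9D+oHbL1o454N6
+VzV0rDtsK47GSSCXT75kulPdfOCopTgxPgNsK4VnXgMOL5JMURPJa3rBzmBRFed1
+ynrqwFdmYdMepsUgt/JS2I/23QChqp6AdVDjtGLKS71hox+vdE4S0DoRnMHwHkkt
+B6bqQci3RlUP+wcHHRCUXUubxMSlYJqhBdEOclo6N0X0LseLcdAMGda8ZnqbHlyg
+hPLmJrM3C5zTLjDb2YJXCy6RVNwqAnU3o33SZCnHqo/zUjEtR03Ztk1DzSeCjo5w
+zLac1VFq5S3QdgZUwmPhyeoigqOvHu6Z1s2eL8Aw7Hn8i6MWLz5sOXAtyC9NPwK/
+qbp1a+GQXzNW4rvKl7ZEFKrBKyj8AiRoVLSRKcqZtFT56ltXQjrwKjsWDTEOzjnm
+XCSM96xfay6asQH5fw+haC3RIErwyNV0uUDIVC0xDTZ6NgJEBkp8liwNeHE7eHoN
+8qWSZZO2syf7uQINBFik3GUBEAC7V2o1kBsLFSKwmgsCuGfW0oBIQiaCcakT6D2X
+rKBjmzBvh/UIdXQwl9+vPKtWX3T/7g6UBvezV3uc2ZqrigGmFemoQI3sW7wFk0L9
+/QTUWCMfZtyrWgqyetmPYS+i2PnsEPinsgsEHWf3iu/ew1A7npZwINwMdOSOVw2u
+JqYyW2tZCErWKVe31ziYUpXA+HaRm9zoVr0F0sE2GYGWbMVYtqxN9TSYcIAHxB71
+Y31dcY77ln/1JAH4Yzqc063w/lNYogEbbQY7WNgcKdPP+aovpV7kS3TKwsdb9/xT
+pj67nnlvjLTMRoW3Ez0PcIDFhuube9uOQupYG4rC4grLeVLwL/ekVmn6TxRN1hG7
+6zYXWiwWi16uAO++eBNt127FwCOVZsPO0ye3/XpOpCdpUadguxF2gGt6xY0gtetj
+Vdv6S4kCdSx8NMrO2epS/1pgklxN9R/xl7Wu+JPUuVX4Jy0ycmw7TCWxdK2fuFy6
+6aLCXWWEjRSp06oeVJoVV2py+rYaoau7JG7Zgx1A3gYTm6MLFysfROaQgmfRozIH
+0boYh3IA1WWzk4I6ew129ynC5zGXg/+UCnKKwn8Tsh9neq9noRDAonWI7jOCipwF
+l51py82093M87zjz9o/qxnB8p00jByQ+MunUykaZrkQKHAsiyIF6cUIeQiy/AL7n
+wwSPQQARAQABiQIfBBgBAgAJBQJYpNxlAhsMAAoJEG3i6QeOH1DBtO8P/1D98sl3
+oz/0oSSz0u9nzgOh93UkLbXpjSR4U+g7Wl2ppxQyGSFeWwRwT5BT74EVP2IcrraX
+V9c7l+s8PYqnUdX2XAqGMv06523cCrNUU93kUUNjAo3FxGSn7i2kHIvMkDbUoeVk
+jyWKfIvyy2sKcVB9GQxfMrbnTR5/Z6fCyGHNqMFb9e9TUWclLzMIhvtkvLuKmf52
+TKKxKQt/wero5zb0fynOttIjuhmOP9CFTiYjdj7qSmQapW8VFdYjyzL+OOFk9gCL
+S3mIk1LdkfWah7trmMUTXdmiEibvARAQ3Yjr+Hz9yU1gzEJSPUUugNguqgS5kN+T
+3TdwUHAP9whVD2IvN/Mfn29bmFFVfzu3ftJIa1zJmOdZy7KWb6MWVhw3SJ65luPB
+qxKWRqFDOSpqzBm6bYQ/Oka49Jl7/dCImSm+7bCC7LDK9hXa3AIlDtWvG4iiL18T
+wUOrgXPysB/D/NQaRxT/vSPUOB4WrQzIKIf4vJdyuPdtOtIWm97KUw8r/jDqd4I3
+B62qknrrR+FPcz8ACM9fXkpbBEcjFV8EkoOae106Vxjo/lu5LVBbwiKviMMwoK5o
+YE7FfCwLBbLTYMeetHo8jGBRonTEOKMtPlp/fCMOp9w7CgMDuvfEwuTsA1ux4uAb
+tZZIbipcKcZmsU7Su4+oeyh61giG++M5rL2D
+=xdFJ
+-----END PGP PUBLIC KEY BLOCK-----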
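--- a/tpm2.0-abrmd.changes
+++ b/tpm2.0-abrmd.changes
@@ -0,0 +1,340 @@
+-------------------------------------------------------------------
+Tue May 23 12:31:21 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Cover ALP via the %{suse_version} macro
+
+-------------------------------------------------------------------
+Thu Dec 8 15:07:28 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Version 3.0.0
++ Fixed
+* A bug in special command processing in TPM2_GetCapability when
+an audit session is in use cuased tpm2-abrmd to abort.
++ Added
+* New SELinux interfaces for communication with keylime
++ Changed
+* DBUS permissions in tpm2-abrmd.conf to match the in-kernel RM,
+ie /dev/tpmrm0, permissions. Now users MUST be in the tss group
+to send to tpm2-abrmd over DBUS.
+- Drop dbus-access.patch (merged in PR#805)
+
+-------------------------------------------------------------------
+Fri Jul 8 08:43:16 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Version 2.4.1
++ Added
+Contributor Covenant Code of Conduct.
++ Fixed
+* superflous warning messages about tcti status.
+WARNING **: 11:00:56.205: tcti_conf before: "(null)"
+WARNING **: 11:00:56.205: tcti_conf after: "mssim"
+* GCC 11 build error: error: argument 2 of __atomic_load’ discards
+'volatile' qualifier
+* Initialize gerror pointer variable to NULL to fix use of
+unitialized memory and segfault.
+* Updated missing defaults in manpage.
+* Port CI to composite actions in tpm2-software/ci.
++ Removed
+Dependency on 'which' utility in configure.ac.
+ubuntu-16.04 from CI.
+
+-------------------------------------------------------------------
+Mon Apr 4 10:45:24 UTC 2022 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- dbus-access.patch: restrict D-Bus access to tpm2-abrmd to members of the tss
+group (bsc#1197532). This prevents arbitrary users from meddling with TPM
+state and thus potential denial-of-service vectors.
+
+-------------------------------------------------------------------
+Wed Dec 8 16:50:13 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Version 2.4.0
++ remover syslog deprecation warning (bsc#1185154)
++ cover update to 2.3.3 (jsc#SLE-17366)
++ contains reload fix (bsc#1166936)
++ fix tcti loading using short / long names (bsc#1159176)
+
+-------------------------------------------------------------------
+Mon Nov 29 12:54:02 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Warp selinux into a bcond
+
+-------------------------------------------------------------------
+Thu Nov 25 09:16:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+* harden_tpm2-abrmd.service.patch
+
+-------------------------------------------------------------------
+Sat Jul 17 21:04:13 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
+
+- Move selinux devel file to devel subpackage
+
+-------------------------------------------------------------------
+Wed Jul 14 13:41:59 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
+
+- Update to version 2.4.0:
+- Service start depends on systemd device unit: dev-tpm0.device.
+- Numerous memory leaks.
+- udev settle service deprecation warnings.
+- StandardOutput=syslog deprecation warnings.
+- Add selinux module files
+- Move dbus files out of /etc
+
+-------------------------------------------------------------------
+Wed Jun 9 09:37:38 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Requires libtss2-tcti-{device0,tabrmd0} (bsc#1187077).
+In MicroOS systems the recommendations are not installed, making the
+service fail to initialize: Failed to instantiate TCTI
+
+-------------------------------------------------------------------
+Thu Oct 22 12:15:24 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- update to version 2.3.3:
+- changes in version 2.3.1:
+- Fixed handle resource leak exhausting TPM resources.
+- changes in version 2.3.2:
+- Added cirrus CI specific config files to enable FreeBSD builds.
+- Changed test scripts to be more portable.
+- Changed include header paths specific to FreeBSD.
+- changes in version 2.3.1:
+- Provide meaningful exit codes on initialization failures.
+- Prevent systemd from starting the daemon before udev changes ownership
+of the TPM device node.
+- Prevent systemd from starting the daemon if there is no TPM device node.
+- Prevent systemd from restarting the daemon if it fails.
+- Add SELinux policy to allow daemon to resolve names.
+- Add SELinux policy boolean (disabled by default) to allow daemon to
+connect to all unreserved ports.
+
+-------------------------------------------------------------------
+Wed Dec 11 11:55:13 UTC 2019 - matthias.gerstner@suse.com
+
+- update to version 2.3.0:
+- changes in version 2.3.0:
+- Add '--enable-debug' flag to configure script to simplify debug builds.
+This relies on the AX_CHECK_ENABLE_DEBUG autoconf archive macro.
+- Replaced custom dynamic TCTI loading code with libtss2-tctildr from
+upstream tpm2-tss repo. (requires tpm2-0-tss version 2.3.0)
+- Explicitly set '-O2' optimization when using FORTIFY_SOURCE as required.
+- changes in version 2.2.0:
+- New configuration option `--disable-defaultflags/ added. This is
+for use for packaging for targets that do not support the default
+compilation / linking flags.
+- Use private dependencies properly in pkg-config metadata for TCTI.
+- Refactor daemon main module to enable better handling of error
+conditions and enable more thorough unit testing.
+- Updated dependencies to ensure compatibility with pkg-config fixes
+in tpm2-tss.
+- Fixed bug causing TCTI to block when used by libtss2-sys built with
+partial reads enabled.
+- Removed unnecessary libs / flags for pthreads in the TCTI pkg-config.
+- Output from configure script now accurately describes the state of the
+flags that govern the integration tests.
+- drop fix_dlopen.patch: no longer necessary since abrmd not uses the tctildr
+shared library. This one hopefully now does the right thing.
+
+-------------------------------------------------------------------
+Mon Aug 26 06:49:37 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
+
+- update to version 2.1.1:
+- changes in version 2.1.1:
+- Unit tests accessing dbus have been fixed to use mock functions. Unit
+tests no longer depend on dbus.
+- Race condition between client connections and dbus proxy object
+creation by registering bus name after instantiation of the proxy object.
+
+-------------------------------------------------------------------
+Fri Apr 26 10:35:51 UTC 2019 - mvetter@suse.com
+
+- bsc#1130588: Require shadow instead of old pwdutils
+
+-------------------------------------------------------------------
+Wed Mar 6 10:36:46 UTC 2019 - matthias.gerstner@suse.com
+
+- update to version 2.1.0:
+- changes in version 2.1.0:
+- `-Wstrict-overflow=5` now used in default CFLAGS.
+- Handling of `TPM2_RC_CONTEXT_GAP` on behalf of users.
+- Convert `TPM2_PT_CONTEXT_GAP_MAX` response from lower layer to
+`UINT32_MAX`
+- travis-ci now uses 'xenial' builder
+- Significant refactoring of TCTI handling code.
+- `--install` added to ACLOCAL_AMFLAGS to install aclocal required macros
+instead of using the default symlinks
+- Launch `dbus-run-session` in the automake test environment to
+automagically set up a dbus session bus instance when one isn't present.
+- Bug caused by unloading of `libtss2-tcti-tabrmd.so` on dlclose. GLib
+does not support reloading a second time.
+- Bug causing `-fstack-protector-all` to be used on systems with core
+libraries (i.e. libc) that do not support it. This caused failures at
+link-time.
+- Unnecessary symbols from libtest utility library no longer included in
+TCTI library.
+- changes in version 2.0.3:
+- Update build to account for upstream change to glib '.pc' files
+described in: https://gitlab.gnome.org/GNOME/glib/issues/1521
+- added _service file for syncing with upstream tags
+
+-------------------------------------------------------------------
+Thu Oct 25 09:00:40 UTC 2018 - matthias.gerstner@suse.com
+
+- add a Requires towards tpm2-0-tss, because that main package holds the udev
+rules and logic for setting up the tss user. Without this the daemon can't
+start up correctly.
+
+-------------------------------------------------------------------
+Tue Oct 23 15:46:28 UTC 2018 - matthias.gerstner@suse.com
+
+- fix broken build due to newer glib dependency that reports a full path for
+gdbus-codegen, breaking the configure check.
+
+-------------------------------------------------------------------
+Wed Sep 26 15:51:01 UTC 2018 - matthias.gerstner@suse.com
+
+- update to version 2.0.2 (FATE#326270):
+- --enable-integration option to configure script now works as documented.
+- Format specifier with wrong size in util module.
+- Initialize TCTI context to 0 before setting values. This will cause all
+members that aren't explicitly initialized by be 0.
+
+-------------------------------------------------------------------
+Tue Sep 18 09:05:24 UTC 2018 - matthias.gerstner@suse.com
+
+- add recommends to the tcti-device and tcti-abrmd. Otherwise they're not
+installed right away, rendering the abrmd quite unusable.
+
+-------------------------------------------------------------------
+Fri Aug 10 10:02:21 UTC 2018 - matthias.gerstner@suse.com
+
+- Update to version 2.0.1:
+* SessionList: Fix Connection object reference leak.
+* source/sink: Organize ControlMessage processing.
+* CommandSource: Replace 'connection-removed' signal with ControlMessage.
+* SessionList: Remove all locking.
+* ConnectionManager: Remove 'connection-removed' signal.
+* ci: Build 'check' target when CC is gcc.
+* build: Fix bad URLs in configure script.
+* CHANGELOG.md: Add version number and date for 2.0.1 release.
+* Replace references to drand48_r family of functions for portability
+* Fix for type-punned pointer reported in newer compilers that enforce strict aliasing
+
+-------------------------------------------------------------------
+Tue Jul 3 09:15:27 UTC 2018 - matthias.gerstner@suse.com
+
+- Trying to fix build on older distros that fail because of a missing or
+broken autoconf valgrind detection macro. Removing autoreconf to hopefully
+fix this.
+
+-------------------------------------------------------------------
+Mon Jul 2 09:27:43 UTC 2018 - matthias.gerstner@suse.com
+
+- add fix_dlopen.patch: fixes an issue with dlopen()'ing the tcti-device
+library from tpm2-0-tss. See
+https://github.com/tpm2-software/tpm2-abrmd/issues/486.
+
+-------------------------------------------------------------------
+Fri Jun 29 11:43:08 UTC 2018 - matthias.gerstner@suse.com
+
+- update to major version 2.0.0:
+- support_dbus_activation.diff: removed, is not contained upstream
+- the tpm2 stack introduces an incompatible ABI to the previous version with
+this update. There is no compatibility layer, libraries have new names
+etc.
+- upstream changelog:
+## 2.0.0 - 2018-06-22
+### Added
+- Integration test script and build support to execute integration tests
+against a physical TPM2 device on the build platform.
+- Implementation of dynamic TCTI initialization mechanism.
+- configure option `--enable-integration` to enable integration tests.
+The simulator executable must be on PATH.
+- Support for version 2.0 of tpm2-tss libraries.
+### Changed
+- 'max-transient-objects' command line option renamted to 'max-transients'.
+- Added -Wextra for more strict checks at compile time.
+- Install location of headers to $(includedir)/tss2.
+### Fixed
+- Added missing checks for NULL parameters identified by the check-build.
+- Bug in session continuation logic.
+- Off by one error in HandleMap.
+- Memory leak and uninitialized variable issues in unit tests.
+### Removed
+- Command line option --fail-on-loaded-trans.
+- udev rules for TPM device node. This now lives in the tpm2-tss repo.
+- Remove legacy TCTI initialization functions.
+- configure option `--with-simulatorbin`.
+
+## 1.3.1 - 2018-03-18
+### Fixed
+- Distribute systemd preset template instead of the generated file.
+
+## 1.3.0 - 2018-03-02
+### Added
+- New configure option (--test-hwtpm) to run integration tests against a
+physical TPM2 device on the build platform.
+- Install systemd service file to allow on-demand systemd unit activation.
+### Changed
+- Converted some inappropriate uses of g_error to critical / warning instead.
+- Removed use of gen_require from SELinux policy, use dbus_stub instead.
+- udev rules now give tss group read / write access to the TPM device node.
+- udev rules now give tss user and group read / write access to kernel RM
+node.
+### Fixed
+- Memory leak on an error path in the AccessBroker.
+
+-------------------------------------------------------------------
+Thu Feb 22 11:34:51 UTC 2018 - matthias.gerstner@suse.com
+
+- update to upstream version 1.2.0:
+- Limit maximum number of active sessions per connection with '--max-sessions'.
+- Flush all transient objects and sessions on daemon start with '--flush-all'.
+- Allow passing of sessions across connections with ContextSave / Load.
+- Unref the GUnixFDList returned by GIO / dbus in the TCTI init function.
+This fixes a memory leak in the TCTI library.
+- correctly trigger udev to update /dev/tpm* permissions after package
+installation. (bnc#1078687)
+- prepared support_dbus_activation.diff patch which adds D-Bus activation, but
+can't use it yet due to rpmlint
+
+-------------------------------------------------------------------
+Wed Nov 15 11:43:19 UTC 2017 - matthias.gerstner@suse.com
+
+- fix_service_paths.diff: fixed broken systemd service unit (bnc#1066123). the
+service unit file in the upstream distribution tarball is already configured
+and looks for binaries and configuration files in the /usr/local prefix
+which is wrong.
+
+-------------------------------------------------------------------
+Fri Sep 1 14:37:48 UTC 2017 - matthias.gerstner@suse.com
+
+- package version symlink correctly, belongs into the lib package itself, not
+the -devel.
+
+-------------------------------------------------------------------
+Wed Aug 30 08:29:07 UTC 2017 - matthias.gerstner@suse.com
+
+- update to upstream version 1.1.1 which fixes some local denial-of-service
+security issues among other things:
+
+- Replace use of sigaction with g_unix_signal_* stuff from glib.
+- Rewrite of INSTALL.md including info on custom configure script options.
+- Default value for --with-simulatorbin configure option has been removed.
+New default behavior is to disable integration tests.
+- CommandSource will no longer reject commands without parameters.
+- Unit tests updated to use cmocka v1.0.0 API.
+- Integration tests now run daemon under valgrind memcheck and fail when
+errors are found.
+- CommandSource now tracks max FD in set of client FDs to prevent unnecessary
+iterations over FD_SETSIZE fds.
+
+- no longer call bootstrap and switch to the release upstream tarball which
+has now been fixed to contain all necessary files
+
+-------------------------------------------------------------------
+Thu Jul 20 13:04:41 UTC 2017 - matthias.gerstner@suse.com
+
+- first version of the new arbmd resource manager from Intel's tpm2 stack.
+This will replace the old resourcemgr previously shipped with the
+tpm2-0-tss package.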
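--- a/tpm2.0-abrmd.rpmlintrc
+++ b/tpm2.0-abrmd.rpmlintrc
@@ -0,0 +1 @@
+addFilter("shared-lib-calls-exit */usr/lib64/libtss2-tcti-tabrmd.so*")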
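--- a/tpm2.0-abrmd.spec
+++ b/tpm2.0-abrmd.spec
@@ -0,0 +1,198 @@
+#
+# spec file for package tpm2.0-abrmd
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global selinuxtype targeted
+%global modulename tabrmd
+# the auto activation is not whitelisted for <= SLE12-SP3 (includes
+# ALP in the with %{suse_version}
+%if 0%{?sle_version} > 120300 || 0%{?is_opensuse} || 0%{?suse_version} >= 1600
+%define install_dbus_files 1
+%endif
+# selinux only for Tumbleweed for now
+%if 0%{?suse_version} >= 1550 && 0%{?is_opensuse}
+%bcond_without selinux
+%else
+%bcond_with selinux
+%endif
+Name: tpm2.0-abrmd
+Version: 3.0.0
+Release: 0
+Summary: Intel's TCG Software Stack Access Broker & Resource Manager for TPM 2.0 chips
+License: BSD-2-Clause
+Group: Productivity/Security
+URL: https://github.com/tpm2-software/tpm2-abrmd
+Source0: https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
+Source1: https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz.asc
+# curl https://github.com/williamcroberts.gpg > tpm2-abrmd.keyring
+Source2: tpm2-abrmd.keyring
+Source3: tpm2.0-abrmd.rpmlintrc
+Source4: README.SUSE
+Patch0: harden_tpm2-abrmd.service.patch
+BuildRequires: autoconf-archive
+BuildRequires: automake
+BuildRequires: checkpolicy
+BuildRequires: gcc-c++
+BuildRequires: libtool
+BuildRequires: pkgconfig
+BuildRequires: policycoreutils
+BuildRequires: systemd-rpm-macros
+BuildRequires: pkgconfig(dbus-1)
+BuildRequires: pkgconfig(gio-unix-2.0)
+BuildRequires: pkgconfig(tss2-sys)
+Requires: libtss2-tcti-device0
+Requires: libtss2-tcti-tabrmd0
+Requires: tpm2-0-tss
+Requires(pre): user(tss)
+%if %{with selinux}
+BuildRequires: selinux-policy-devel
+BuildRequires: selinux-policy-targeted
+BuildRequires: pkgconfig(systemd)
+Requires: (%{name}-selinux if selinux-policy-base)
+%endif
+
+%description
+The tpm2.0-abrmd package provides the TPM2 Access Broker & Resource Manager.
+This is a daemon service that coordinates requests to the TPM2 chip via
+Intel's TPM 2.0 software stack.
+
+%package devel
+Summary: Development headers the Access Broker & Resource Manager for TPM 2.0 chips
+Group: Development/Libraries/C and C++
+Requires: glibc-devel
+Requires: libtss2-tcti-tabrmd0 = %{version}
+Requires: tpm2.0-abrmd = %{version}
+
+%description devel
+This package provides the development files for the Access Broker & Resource
+Manager for coordinating access to TPM 2.0 chips.
+
+%if %{with selinux}
+%package selinux
+Summary: SELinux module for the Access Broker & Resource Manager for TPM 2.0 chips
+Group: System/Management
+Requires: tpm2.0-abrmd = %{version}
+BuildArch: noarch
+%{selinux_requires}
+
+%description selinux
+This package provides the SELinux module for the Access Broker & Resource Manager for TPM 2.0 chips.
+%endif
+
+%package -n libtss2-tcti-tabrmd0
+Summary: Client interface library for tpm2-abrmd
+Group: System/Libraries
+
+%description -n libtss2-tcti-tabrmd0
+This library allows to interact with the tpm2-abrmd daemon. It is intended for
+use with the SAPI library (libtss2-sys) like any other TCTI.
+
+%post -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
+
+%prep
+%autosetup -n tpm2-abrmd-%{version} -p1
+
+%build
+export CFLAGS="%{optflags} -fPIE"
+export LDFLAGS="$LDFLAGS -pie"
+%configure \
+--disable-static \
+%{?with_selinux: --with-sepolicy=yes} \
+--with-systemdsystemunitdir=%{_unitdir} \
+--with-dbuspolicydir=%{_datadir}/dbus-1/system.d
+%make_build PTHREAD_LDFLAGS=-pthread
+
+%install
+%make_install
+# don't package libtool files as is best practice
+find %{buildroot} -type f -name "*.la" -delete -print
+ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
+# don't install the systemd preset, our presets are handled by
+# systemd-presets-* packages
+rm %{buildroot}%{_prefix}/lib*/systemd/system-preset/tpm2-abrmd.preset
+cp %{SOURCE4} .
+%if ! 0%{?install_dbus_files}
+rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
+rm %{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%endif
+%if %{with selinux}
+mkdir %{buildroot}%{_datadir}/selinux/packages/targeted
+mv %{buildroot}%{_datadir}/selinux/packages/tab* %{buildroot}%{_datadir}/selinux/packages/targeted
+%endif
+
+%pre
+%service_add_pre tpm2-abrmd.service
+
+%post
+%service_add_post tpm2-abrmd.service
+
+%postun
+%service_del_postun tpm2-abrmd.service
+
+%preun
+%service_del_preun tpm2-abrmd.service
+
+%if %{with selinux}
+%pre selinux
+%{selinux_relabel_pre -s %{selinuxtype}}
+
+%post selinux
+%{selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename}.pp.bz2}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+%{selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename}}
+fi
+
+%posttrans selinux
+%{selinux_relabel_post -s %{selinuxtype}}
+%endif
+
+%files
+%doc *.md README.SUSE
+%license LICENSE
+%{_mandir}/man7/tss2-*
+%{_mandir}/man8/tpm2-*
+%{_sbindir}/tpm2-abrmd
+%{_sbindir}/rctpm2-abrmd
+%{_unitdir}/tpm2-abrmd.service
+%if 0%{?install_dbus_files}
+# the auto activation is not whitelisted for <= SLE12-SP3
+%{_datadir}/dbus-1/system.d/tpm2-abrmd.conf
+%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%endif
+
+%if %{with selinux}
+%files selinux
+%{_datadir}/selinux/packages/targeted/tabrmd.pp.bz2
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
+%files devel
+%{_includedir}/tss2
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man3/Tss2*
+%if %{with selinux}
+%{_datadir}/selinux/devel/include/contrib/tabrmd.if
+%endif
+
+%files -n libtss2-tcti-tabrmd0
+%{_libdir}/libtss2-tcti-tabrmd.so.*
+
+%changelog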