Sync from SUSE:SLFO:Main tpm2.0-abrmd revision 613f1638190d809896a915be6acbcd2a

This commit is contained in:
Adrian Schröter 2024-05-04 01:27:52 +02:00
commit 692ed4d24c
9 changed files with 665 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

11
README.SUSE Normal file
View File

@ -0,0 +1,11 @@
The tpm2-abrmd by upstream default allows every local users in the system to
access the TPM chip and modify its settings (bsc#1197532). Upstream suggests
to use the TPM's internal security features (e.g. password protection) to
prevent local users from manipulating the chip without authorization. Still
the default behaviour that every user in the system can access TPM features
without any authentication could come as a surprise to end users and system
integrators alike.
For this reason on SUSE only members of the 'tss' group are allowed to access
the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of
the /dev/tpm0 and /dev/tpmrm0 character devices.

View File

@ -0,0 +1,22 @@
Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
===================================================================
--- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.service.in
+++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
@@ -6,6 +6,17 @@ After=dev-tpm0.device
Requires=dev-tpm0.device
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=dbus
BusName=com.intel.tss2.Tabrmd
ExecStart=@SBINDIR@/tpm2-abrmd

BIN
tpm2-abrmd-3.0.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmOOF5wACgkQbeLpB44f
UMEA7RAAkJDLBahV1hRcBXwM3dbtknHlSC26GgVtw3Q16eXI4e+Hbesjoc0KPrns
unWUnGYK+5/KG1FeGMS/4qWIvIKBfBg0KbIWi5AkYNGcjYV7f7rFK/yrYAkfv7AA
BcRr0AHH7vl5jNDSejWGwbc0lIl0zC9cjrgkfK20qoR7t4H38m0MkmiHyaiJkYU9
GocoEqMO1xAnrWdQ2Ky1fIrKpQHXDxPUWX/YeA5Agqh54EE6Us7kcqTy+umojFkY
h2+8GkrxJznMKTC4iChnw2m2/LhpX7KkFuOr5CdAEoMJmRnILx2nvk/Cnrdw1LCV
AygFbR+sDQgKE3GmtW3s+VHuTZt06QNJwjO+iriFKi1fFhG4wMdtc6eA09y7+/mo
GeWEdTijiLYyIwCUkrPNC+taOzXrTadOteekZEzSrHwgr0Pvbhp/8uxAjH8Oc+NP
7R7di1EBPEAACm01wYCKZIH2EqQyToyQ1hP0lZ5GwOLlZkyTDHUMHmtYsRYXRbtV
99NqtSuh9hW+s8QZlXTB4VXrp+iMdWw8G/MXAd2Jsbcl9Wnx+LAbuExlp/U2BHtc
JnBYh7/7HUvn0wWAN/qXrKwjMm1jppxXEnpjhAKQKG38HkUPTUDYTbcwfx8GOGbY
bWr2dTLOlqnncNoz/V7MGP2gxRyLW16wmwZwcK4uAS9daLspfLU=
=VUqS
-----END PGP SIGNATURE-----

51
tpm2-abrmd.keyring Normal file
View File

@ -0,0 +1,51 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFik3GUBEADYDYbSXH3UTr9oCNCI3UxC1hiLH7cM+QIbMtWiwfAbT3G8wrTa
NPj00qNvI4wQ/Xm3h0hB7kri7vP0FqIjIwsTdM6ZpFdVHHKW1m4P8fkOcxqmLN0g
V36MN5fgoGWf2K94aS7ItoweRMcuHnwWawe6aAtbKSYVqhWhoB/3grgd0xhE61AS
o8fJ7uRYNEAYVeOKlC2j+qKfoJbCa6yqZejFwOOzB6qxNRA7JYvckEf8yJ4+Y16m
qPyZ1ErHzpql3+b5ha+g+9g8WzxAbSfGYZTwaQxyePNjXuq2tdEXf9XnESvoaoN4
pQhiu/0BJEkXPxl1zso65g4Mn22xEELhUnwPDo5YdLlWEZ8xhELLvdJc3Z0nTR5A
4/YaZvvzf7pOD1cwpB6IrRf8n9rOe1aDxh/A//zX9PpIOV25p5kqlE88Ya5VXrnA
Ayfs19RZmK3+FuaI0ij79CRokG9BrI6TXT0pRTDIRu7GvAo2q13MELRvFddyRT2G
mNjsHYcqEbraYTh3LHEiwfWp4ZgDtk8jj3iRabHQUHk9V8vSFzj+wp1E8HzO8Vp3
BxMDIOG1VPdLi81DP+LbZI1h30ZG63ulqkKIhwx5/h2v4VCYPatVtGqVf37tLstj
Wrs0DkBykuZrecp+AJ5ZJ+UVvR8ajO2ncAoOugNwoj9Wuvz0fVTiJIhuNQARAQAB
tDxXaWxsaWFtIFJvYmVydHMgKEJpbGwgUm9iZXJ0cykgPHdpbGxpYW0uYy5yb2Jl
cnRzQGludGVsLmNvbT6JAjgEEwECACIFAlik3GUCGwMGCwkIBwMCBhUIAgkKCwQW
AgMBAh4BAheAAAoJEG3i6QeOH1DBibEQAL4EwEzegkc8NyHiW0mntwDoCv3tkUlG
fprp/g7GWfrP+L+pN5yexg3Zm/CgVN/tTNCEr5XtP+sdds8xBF6ReJ8QPO7EiMiM
asPXh8zlODrySXCGHmpa7IzuUC2wgD3Wq7WjniMvnBmqBdL0+8nqA6NFxOOklvK1
ub7bqLrHKfUfciFOfYAi+C0Bh8kdZtMjfY9sqlJA3sVK2UxVXq9D+oHbL1o454N6
VzV0rDtsK47GSSCXT75kulPdfOCopTgxPgNsK4VnXgMOL5JMURPJa3rBzmBRFed1
ynrqwFdmYdMepsUgt/JS2I/23QChqp6AdVDjtGLKS71hox+vdE4S0DoRnMHwHkkt
B6bqQci3RlUP+wcHHRCUXUubxMSlYJqhBdEOclo6N0X0LseLcdAMGda8ZnqbHlyg
hPLmJrM3C5zTLjDb2YJXCy6RVNwqAnU3o33SZCnHqo/zUjEtR03Ztk1DzSeCjo5w
zLac1VFq5S3QdgZUwmPhyeoigqOvHu6Z1s2eL8Aw7Hn8i6MWLz5sOXAtyC9NPwK/
qbp1a+GQXzNW4rvKl7ZEFKrBKyj8AiRoVLSRKcqZtFT56ltXQjrwKjsWDTEOzjnm
XCSM96xfay6asQH5fw+haC3RIErwyNV0uUDIVC0xDTZ6NgJEBkp8liwNeHE7eHoN
8qWSZZO2syf7uQINBFik3GUBEAC7V2o1kBsLFSKwmgsCuGfW0oBIQiaCcakT6D2X
rKBjmzBvh/UIdXQwl9+vPKtWX3T/7g6UBvezV3uc2ZqrigGmFemoQI3sW7wFk0L9
/QTUWCMfZtyrWgqyetmPYS+i2PnsEPinsgsEHWf3iu/ew1A7npZwINwMdOSOVw2u
JqYyW2tZCErWKVe31ziYUpXA+HaRm9zoVr0F0sE2GYGWbMVYtqxN9TSYcIAHxB71
Y31dcY77ln/1JAH4Yzqc063w/lNYogEbbQY7WNgcKdPP+aovpV7kS3TKwsdb9/xT
pj67nnlvjLTMRoW3Ez0PcIDFhuube9uOQupYG4rC4grLeVLwL/ekVmn6TxRN1hG7
6zYXWiwWi16uAO++eBNt127FwCOVZsPO0ye3/XpOpCdpUadguxF2gGt6xY0gtetj
Vdv6S4kCdSx8NMrO2epS/1pgklxN9R/xl7Wu+JPUuVX4Jy0ycmw7TCWxdK2fuFy6
6aLCXWWEjRSp06oeVJoVV2py+rYaoau7JG7Zgx1A3gYTm6MLFysfROaQgmfRozIH
0boYh3IA1WWzk4I6ew129ynC5zGXg/+UCnKKwn8Tsh9neq9noRDAonWI7jOCipwF
l51py82093M87zjz9o/qxnB8p00jByQ+MunUykaZrkQKHAsiyIF6cUIeQiy/AL7n
wwSPQQARAQABiQIfBBgBAgAJBQJYpNxlAhsMAAoJEG3i6QeOH1DBtO8P/1D98sl3
oz/0oSSz0u9nzgOh93UkLbXpjSR4U+g7Wl2ppxQyGSFeWwRwT5BT74EVP2IcrraX
V9c7l+s8PYqnUdX2XAqGMv06523cCrNUU93kUUNjAo3FxGSn7i2kHIvMkDbUoeVk
jyWKfIvyy2sKcVB9GQxfMrbnTR5/Z6fCyGHNqMFb9e9TUWclLzMIhvtkvLuKmf52
TKKxKQt/wero5zb0fynOttIjuhmOP9CFTiYjdj7qSmQapW8VFdYjyzL+OOFk9gCL
S3mIk1LdkfWah7trmMUTXdmiEibvARAQ3Yjr+Hz9yU1gzEJSPUUugNguqgS5kN+T
3TdwUHAP9whVD2IvN/Mfn29bmFFVfzu3ftJIa1zJmOdZy7KWb6MWVhw3SJ65luPB
qxKWRqFDOSpqzBm6bYQ/Oka49Jl7/dCImSm+7bCC7LDK9hXa3AIlDtWvG4iiL18T
wUOrgXPysB/D/NQaRxT/vSPUOB4WrQzIKIf4vJdyuPdtOtIWm97KUw8r/jDqd4I3
B62qknrrR+FPcz8ACM9fXkpbBEcjFV8EkoOae106Vxjo/lu5LVBbwiKviMMwoK5o
YE7FfCwLBbLTYMeetHo8jGBRonTEOKMtPlp/fCMOp9w7CgMDuvfEwuTsA1ux4uAb
tZZIbipcKcZmsU7Su4+oeyh61giG++M5rL2D
=xdFJ
-----END PGP PUBLIC KEY BLOCK-----

340
tpm2.0-abrmd.changes Normal file
View File

@ -0,0 +1,340 @@
-------------------------------------------------------------------
Tue May 23 12:31:21 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Cover ALP via the %{suse_version} macro
-------------------------------------------------------------------
Thu Dec 8 15:07:28 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Version 3.0.0
+ Fixed
* A bug in special command processing in TPM2_GetCapability when
an audit session is in use cuased tpm2-abrmd to abort.
+ Added
* New SELinux interfaces for communication with keylime
+ Changed
* DBUS permissions in tpm2-abrmd.conf to match the in-kernel RM,
ie /dev/tpmrm0, permissions. Now users MUST be in the tss group
to send to tpm2-abrmd over DBUS.
- Drop dbus-access.patch (merged in PR#805)
-------------------------------------------------------------------
Fri Jul 8 08:43:16 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Version 2.4.1
+ Added
Contributor Covenant Code of Conduct.
+ Fixed
* superflous warning messages about tcti status.
WARNING **: 11:00:56.205: tcti_conf before: "(null)"
WARNING **: 11:00:56.205: tcti_conf after: "mssim"
* GCC 11 build error: error: argument 2 of __atomic_load discards
'volatile' qualifier
* Initialize gerror pointer variable to NULL to fix use of
unitialized memory and segfault.
* Updated missing defaults in manpage.
* Port CI to composite actions in tpm2-software/ci.
+ Removed
Dependency on 'which' utility in configure.ac.
ubuntu-16.04 from CI.
-------------------------------------------------------------------
Mon Apr 4 10:45:24 UTC 2022 - Matthias Gerstner <matthias.gerstner@suse.com>
- dbus-access.patch: restrict D-Bus access to tpm2-abrmd to members of the tss
group (bsc#1197532). This prevents arbitrary users from meddling with TPM
state and thus potential denial-of-service vectors.
-------------------------------------------------------------------
Wed Dec 8 16:50:13 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
- Version 2.4.0
+ remover syslog deprecation warning (bsc#1185154)
+ cover update to 2.3.3 (jsc#SLE-17366)
+ contains reload fix (bsc#1166936)
+ fix tcti loading using short / long names (bsc#1159176)
-------------------------------------------------------------------
Mon Nov 29 12:54:02 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
- Warp selinux into a bcond
-------------------------------------------------------------------
Thu Nov 25 09:16:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_tpm2-abrmd.service.patch
-------------------------------------------------------------------
Sat Jul 17 21:04:13 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
- Move selinux devel file to devel subpackage
-------------------------------------------------------------------
Wed Jul 14 13:41:59 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
- Update to version 2.4.0:
- Service start depends on systemd device unit: dev-tpm0.device.
- Numerous memory leaks.
- udev settle service deprecation warnings.
- StandardOutput=syslog deprecation warnings.
- Add selinux module files
- Move dbus files out of /etc
-------------------------------------------------------------------
Wed Jun 9 09:37:38 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
- Requires libtss2-tcti-{device0,tabrmd0} (bsc#1187077).
In MicroOS systems the recommendations are not installed, making the
service fail to initialize: Failed to instantiate TCTI
-------------------------------------------------------------------
Thu Oct 22 12:15:24 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
- update to version 2.3.3:
- changes in version 2.3.1:
- Fixed handle resource leak exhausting TPM resources.
- changes in version 2.3.2:
- Added cirrus CI specific config files to enable FreeBSD builds.
- Changed test scripts to be more portable.
- Changed include header paths specific to FreeBSD.
- changes in version 2.3.1:
- Provide meaningful exit codes on initialization failures.
- Prevent systemd from starting the daemon before udev changes ownership
of the TPM device node.
- Prevent systemd from starting the daemon if there is no TPM device node.
- Prevent systemd from restarting the daemon if it fails.
- Add SELinux policy to allow daemon to resolve names.
- Add SELinux policy boolean (disabled by default) to allow daemon to
connect to all unreserved ports.
-------------------------------------------------------------------
Wed Dec 11 11:55:13 UTC 2019 - matthias.gerstner@suse.com
- update to version 2.3.0:
- changes in version 2.3.0:
- Add '--enable-debug' flag to configure script to simplify debug builds.
This relies on the AX_CHECK_ENABLE_DEBUG autoconf archive macro.
- Replaced custom dynamic TCTI loading code with libtss2-tctildr from
upstream tpm2-tss repo. (requires tpm2-0-tss version 2.3.0)
- Explicitly set '-O2' optimization when using FORTIFY_SOURCE as required.
- changes in version 2.2.0:
- New configuration option `--disable-defaultflags/ added. This is
for use for packaging for targets that do not support the default
compilation / linking flags.
- Use private dependencies properly in pkg-config metadata for TCTI.
- Refactor daemon main module to enable better handling of error
conditions and enable more thorough unit testing.
- Updated dependencies to ensure compatibility with pkg-config fixes
in tpm2-tss.
- Fixed bug causing TCTI to block when used by libtss2-sys built with
partial reads enabled.
- Removed unnecessary libs / flags for pthreads in the TCTI pkg-config.
- Output from configure script now accurately describes the state of the
flags that govern the integration tests.
- drop fix_dlopen.patch: no longer necessary since abrmd not uses the tctildr
shared library. This one hopefully now does the right thing.
-------------------------------------------------------------------
Mon Aug 26 06:49:37 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
- update to version 2.1.1:
- changes in version 2.1.1:
- Unit tests accessing dbus have been fixed to use mock functions. Unit
tests no longer depend on dbus.
- Race condition between client connections and dbus proxy object
creation by registering bus name after instantiation of the proxy object.
-------------------------------------------------------------------
Fri Apr 26 10:35:51 UTC 2019 - mvetter@suse.com
- bsc#1130588: Require shadow instead of old pwdutils
-------------------------------------------------------------------
Wed Mar 6 10:36:46 UTC 2019 - matthias.gerstner@suse.com
- update to version 2.1.0:
- changes in version 2.1.0:
- `-Wstrict-overflow=5` now used in default CFLAGS.
- Handling of `TPM2_RC_CONTEXT_GAP` on behalf of users.
- Convert `TPM2_PT_CONTEXT_GAP_MAX` response from lower layer to
`UINT32_MAX`
- travis-ci now uses 'xenial' builder
- Significant refactoring of TCTI handling code.
- `--install` added to ACLOCAL_AMFLAGS to install aclocal required macros
instead of using the default symlinks
- Launch `dbus-run-session` in the automake test environment to
automagically set up a dbus session bus instance when one isn't present.
- Bug caused by unloading of `libtss2-tcti-tabrmd.so` on dlclose. GLib
does not support reloading a second time.
- Bug causing `-fstack-protector-all` to be used on systems with core
libraries (i.e. libc) that do not support it. This caused failures at
link-time.
- Unnecessary symbols from libtest utility library no longer included in
TCTI library.
- changes in version 2.0.3:
- Update build to account for upstream change to glib '.pc' files
described in: https://gitlab.gnome.org/GNOME/glib/issues/1521
- added _service file for syncing with upstream tags
-------------------------------------------------------------------
Thu Oct 25 09:00:40 UTC 2018 - matthias.gerstner@suse.com
- add a Requires towards tpm2-0-tss, because that main package holds the udev
rules and logic for setting up the tss user. Without this the daemon can't
start up correctly.
-------------------------------------------------------------------
Tue Oct 23 15:46:28 UTC 2018 - matthias.gerstner@suse.com
- fix broken build due to newer glib dependency that reports a full path for
gdbus-codegen, breaking the configure check.
-------------------------------------------------------------------
Wed Sep 26 15:51:01 UTC 2018 - matthias.gerstner@suse.com
- update to version 2.0.2 (FATE#326270):
- --enable-integration option to configure script now works as documented.
- Format specifier with wrong size in util module.
- Initialize TCTI context to 0 before setting values. This will cause all
members that aren't explicitly initialized by be 0.
-------------------------------------------------------------------
Tue Sep 18 09:05:24 UTC 2018 - matthias.gerstner@suse.com
- add recommends to the tcti-device and tcti-abrmd. Otherwise they're not
installed right away, rendering the abrmd quite unusable.
-------------------------------------------------------------------
Fri Aug 10 10:02:21 UTC 2018 - matthias.gerstner@suse.com
- Update to version 2.0.1:
* SessionList: Fix Connection object reference leak.
* source/sink: Organize ControlMessage processing.
* CommandSource: Replace 'connection-removed' signal with ControlMessage.
* SessionList: Remove all locking.
* ConnectionManager: Remove 'connection-removed' signal.
* ci: Build 'check' target when CC is gcc.
* build: Fix bad URLs in configure script.
* CHANGELOG.md: Add version number and date for 2.0.1 release.
* Replace references to drand48_r family of functions for portability
* Fix for type-punned pointer reported in newer compilers that enforce strict aliasing
-------------------------------------------------------------------
Tue Jul 3 09:15:27 UTC 2018 - matthias.gerstner@suse.com
- Trying to fix build on older distros that fail because of a missing or
broken autoconf valgrind detection macro. Removing autoreconf to hopefully
fix this.
-------------------------------------------------------------------
Mon Jul 2 09:27:43 UTC 2018 - matthias.gerstner@suse.com
- add fix_dlopen.patch: fixes an issue with dlopen()'ing the tcti-device
library from tpm2-0-tss. See
https://github.com/tpm2-software/tpm2-abrmd/issues/486.
-------------------------------------------------------------------
Fri Jun 29 11:43:08 UTC 2018 - matthias.gerstner@suse.com
- update to major version 2.0.0:
- support_dbus_activation.diff: removed, is not contained upstream
- the tpm2 stack introduces an incompatible ABI to the previous version with
this update. There is no compatibility layer, libraries have new names
etc.
- upstream changelog:
## 2.0.0 - 2018-06-22
### Added
- Integration test script and build support to execute integration tests
against a physical TPM2 device on the build platform.
- Implementation of dynamic TCTI initialization mechanism.
- configure option `--enable-integration` to enable integration tests.
The simulator executable must be on PATH.
- Support for version 2.0 of tpm2-tss libraries.
### Changed
- 'max-transient-objects' command line option renamted to 'max-transients'.
- Added -Wextra for more strict checks at compile time.
- Install location of headers to $(includedir)/tss2.
### Fixed
- Added missing checks for NULL parameters identified by the check-build.
- Bug in session continuation logic.
- Off by one error in HandleMap.
- Memory leak and uninitialized variable issues in unit tests.
### Removed
- Command line option --fail-on-loaded-trans.
- udev rules for TPM device node. This now lives in the tpm2-tss repo.
- Remove legacy TCTI initialization functions.
- configure option `--with-simulatorbin`.
## 1.3.1 - 2018-03-18
### Fixed
- Distribute systemd preset template instead of the generated file.
## 1.3.0 - 2018-03-02
### Added
- New configure option (--test-hwtpm) to run integration tests against a
physical TPM2 device on the build platform.
- Install systemd service file to allow on-demand systemd unit activation.
### Changed
- Converted some inappropriate uses of g_error to critical / warning instead.
- Removed use of gen_require from SELinux policy, use dbus_stub instead.
- udev rules now give tss group read / write access to the TPM device node.
- udev rules now give tss user and group read / write access to kernel RM
node.
### Fixed
- Memory leak on an error path in the AccessBroker.
-------------------------------------------------------------------
Thu Feb 22 11:34:51 UTC 2018 - matthias.gerstner@suse.com
- update to upstream version 1.2.0:
- Limit maximum number of active sessions per connection with '--max-sessions'.
- Flush all transient objects and sessions on daemon start with '--flush-all'.
- Allow passing of sessions across connections with ContextSave / Load.
- Unref the GUnixFDList returned by GIO / dbus in the TCTI init function.
This fixes a memory leak in the TCTI library.
- correctly trigger udev to update /dev/tpm* permissions after package
installation. (bnc#1078687)
- prepared support_dbus_activation.diff patch which adds D-Bus activation, but
can't use it yet due to rpmlint
-------------------------------------------------------------------
Wed Nov 15 11:43:19 UTC 2017 - matthias.gerstner@suse.com
- fix_service_paths.diff: fixed broken systemd service unit (bnc#1066123). the
service unit file in the upstream distribution tarball is already configured
and looks for binaries and configuration files in the /usr/local prefix
which is wrong.
-------------------------------------------------------------------
Fri Sep 1 14:37:48 UTC 2017 - matthias.gerstner@suse.com
- package version symlink correctly, belongs into the lib package itself, not
the -devel.
-------------------------------------------------------------------
Wed Aug 30 08:29:07 UTC 2017 - matthias.gerstner@suse.com
- update to upstream version 1.1.1 which fixes some local denial-of-service
security issues among other things:
- Replace use of sigaction with g_unix_signal_* stuff from glib.
- Rewrite of INSTALL.md including info on custom configure script options.
- Default value for --with-simulatorbin configure option has been removed.
New default behavior is to disable integration tests.
- CommandSource will no longer reject commands without parameters.
- Unit tests updated to use cmocka v1.0.0 API.
- Integration tests now run daemon under valgrind memcheck and fail when
errors are found.
- CommandSource now tracks max FD in set of client FDs to prevent unnecessary
iterations over FD_SETSIZE fds.
- no longer call bootstrap and switch to the release upstream tarball which
has now been fixed to contain all necessary files
-------------------------------------------------------------------
Thu Jul 20 13:04:41 UTC 2017 - matthias.gerstner@suse.com
- first version of the new arbmd resource manager from Intel's tpm2 stack.
This will replace the old resourcemgr previously shipped with the
tpm2-0-tss package.

1
tpm2.0-abrmd.rpmlintrc Normal file
View File

@ -0,0 +1 @@
addFilter("shared-lib-calls-exit */usr/lib64/libtss2-tcti-tabrmd.so*")

198
tpm2.0-abrmd.spec Normal file
View File

@ -0,0 +1,198 @@
#
# spec file for package tpm2.0-abrmd
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%global selinuxtype targeted
%global modulename tabrmd
# the auto activation is not whitelisted for <= SLE12-SP3 (includes
# ALP in the with %{suse_version}
%if 0%{?sle_version} > 120300 || 0%{?is_opensuse} || 0%{?suse_version} >= 1600
%define install_dbus_files 1
%endif
# selinux only for Tumbleweed for now
%if 0%{?suse_version} >= 1550 && 0%{?is_opensuse}
%bcond_without selinux
%else
%bcond_with selinux
%endif
Name: tpm2.0-abrmd
Version: 3.0.0
Release: 0
Summary: Intel's TCG Software Stack Access Broker & Resource Manager for TPM 2.0 chips
License: BSD-2-Clause
Group: Productivity/Security
URL: https://github.com/tpm2-software/tpm2-abrmd
Source0: https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
Source1: https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz.asc
# curl https://github.com/williamcroberts.gpg > tpm2-abrmd.keyring
Source2: tpm2-abrmd.keyring
Source3: tpm2.0-abrmd.rpmlintrc
Source4: README.SUSE
Patch0: harden_tpm2-abrmd.service.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: checkpolicy
BuildRequires: gcc-c++
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: policycoreutils
BuildRequires: systemd-rpm-macros
BuildRequires: pkgconfig(dbus-1)
BuildRequires: pkgconfig(gio-unix-2.0)
BuildRequires: pkgconfig(tss2-sys)
Requires: libtss2-tcti-device0
Requires: libtss2-tcti-tabrmd0
Requires: tpm2-0-tss
Requires(pre): user(tss)
%if %{with selinux}
BuildRequires: selinux-policy-devel
BuildRequires: selinux-policy-targeted
BuildRequires: pkgconfig(systemd)
Requires: (%{name}-selinux if selinux-policy-base)
%endif
%description
The tpm2.0-abrmd package provides the TPM2 Access Broker & Resource Manager.
This is a daemon service that coordinates requests to the TPM2 chip via
Intel's TPM 2.0 software stack.
%package devel
Summary: Development headers the Access Broker & Resource Manager for TPM 2.0 chips
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libtss2-tcti-tabrmd0 = %{version}
Requires: tpm2.0-abrmd = %{version}
%description devel
This package provides the development files for the Access Broker & Resource
Manager for coordinating access to TPM 2.0 chips.
%if %{with selinux}
%package selinux
Summary: SELinux module for the Access Broker & Resource Manager for TPM 2.0 chips
Group: System/Management
Requires: tpm2.0-abrmd = %{version}
BuildArch: noarch
%{selinux_requires}
%description selinux
This package provides the SELinux module for the Access Broker & Resource Manager for TPM 2.0 chips.
%endif
%package -n libtss2-tcti-tabrmd0
Summary: Client interface library for tpm2-abrmd
Group: System/Libraries
%description -n libtss2-tcti-tabrmd0
This library allows to interact with the tpm2-abrmd daemon. It is intended for
use with the SAPI library (libtss2-sys) like any other TCTI.
%post -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
%postun -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
%prep
%autosetup -n tpm2-abrmd-%{version} -p1
%build
export CFLAGS="%{optflags} -fPIE"
export LDFLAGS="$LDFLAGS -pie"
%configure \
--disable-static \
%{?with_selinux: --with-sepolicy=yes} \
--with-systemdsystemunitdir=%{_unitdir} \
--with-dbuspolicydir=%{_datadir}/dbus-1/system.d
%make_build PTHREAD_LDFLAGS=-pthread
%install
%make_install
# don't package libtool files as is best practice
find %{buildroot} -type f -name "*.la" -delete -print
ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
# don't install the systemd preset, our presets are handled by
# systemd-presets-* packages
rm %{buildroot}%{_prefix}/lib*/systemd/system-preset/tpm2-abrmd.preset
cp %{SOURCE4} .
%if ! 0%{?install_dbus_files}
rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
rm %{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
%endif
%if %{with selinux}
mkdir %{buildroot}%{_datadir}/selinux/packages/targeted
mv %{buildroot}%{_datadir}/selinux/packages/tab* %{buildroot}%{_datadir}/selinux/packages/targeted
%endif
%pre
%service_add_pre tpm2-abrmd.service
%post
%service_add_post tpm2-abrmd.service
%postun
%service_del_postun tpm2-abrmd.service
%preun
%service_del_preun tpm2-abrmd.service
%if %{with selinux}
%pre selinux
%{selinux_relabel_pre -s %{selinuxtype}}
%post selinux
%{selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename}.pp.bz2}
%postun selinux
if [ $1 -eq 0 ]; then
%{selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename}}
fi
%posttrans selinux
%{selinux_relabel_post -s %{selinuxtype}}
%endif
%files
%doc *.md README.SUSE
%license LICENSE
%{_mandir}/man7/tss2-*
%{_mandir}/man8/tpm2-*
%{_sbindir}/tpm2-abrmd
%{_sbindir}/rctpm2-abrmd
%{_unitdir}/tpm2-abrmd.service
%if 0%{?install_dbus_files}
# the auto activation is not whitelisted for <= SLE12-SP3
%{_datadir}/dbus-1/system.d/tpm2-abrmd.conf
%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
%endif
%if %{with selinux}
%files selinux
%{_datadir}/selinux/packages/targeted/tabrmd.pp.bz2
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%endif
%files devel
%{_includedir}/tss2
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%{_mandir}/man3/Tss2*
%if %{with selinux}
%{_datadir}/selinux/devel/include/contrib/tabrmd.if
%endif
%files -n libtss2-tcti-tabrmd0
%{_libdir}/libtss2-tcti-tabrmd.so.*
%changelog