From 692ed4d24c3752f2e85dc0b53107a242728335632dd3e37fb649a21690193b54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Sat, 4 May 2024 01:27:52 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main tpm2.0-abrmd revision 613f1638190d809896a915be6acbcd2a
---
 .gitattributes | 23 +++
 README.SUSE | 11 ++
 harden_tpm2-abrmd.service.patch | 22 +++
 tpm2-abrmd-3.0.0.tar.gz | 3 +
 tpm2-abrmd-3.0.0.tar.gz.asc | 16 ++
 tpm2-abrmd.keyring | 51 +++++
 tpm2.0-abrmd.changes | 340 ++++++++++++++++++++++++++++++++
 tpm2.0-abrmd.rpmlintrc | 1 +
 tpm2.0-abrmd.spec | 198 +++++++++++++++++++
 9 files changed, 665 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 README.SUSE
 create mode 100644 harden_tpm2-abrmd.service.patch
 create mode 100644 tpm2-abrmd-3.0.0.tar.gz
 create mode 100644 tpm2-abrmd-3.0.0.tar.gz.asc
 create mode 100644 tpm2-abrmd.keyring
 create mode 100644 tpm2.0-abrmd.changes
 create mode 100644 tpm2.0-abrmd.rpmlintrc
 create mode 100644 tpm2.0-abrmd.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..c30e66b
--- /dev/null
+++ b/README.SUSE
@@ -0,0 +1,11 @@
+The tpm2-abrmd by upstream default allows every local users in the system to
+access the TPM chip and modify its settings (bsc#1197532). Upstream suggests
+to use the TPM's internal security features (e.g. password protection) to
+prevent local users from manipulating the chip without authorization. Still
+the default behaviour that every user in the system can access TPM features
+without any authentication could come as a surprise to end users and system
+integrators alike.
+
+For this reason on SUSE only members of the 'tss' group are allowed to access
+the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of
+the /dev/tpm0 and /dev/tpmrm0 character devices.
diff --git a/harden_tpm2-abrmd.service.patch b/harden_tpm2-abrmd.service.patch
new file mode 100644
index 0000000..7720a35
--- /dev/null
+++ b/harden_tpm2-abrmd.service.patch
@@ -0,0 +1,22 @@
+Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+===================================================================
+--- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.service.in
++++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+@@ -6,6 +6,17 @@ After=dev-tpm0.device
+ Requires=dev-tpm0.device
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=read-only
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=dbus
+ BusName=com.intel.tss2.Tabrmd
+ ExecStart=@SBINDIR@/tpm2-abrmd
diff --git a/tpm2-abrmd-3.0.0.tar.gz b/tpm2-abrmd-3.0.0.tar.gz
new file mode 100644
index 0000000..846af5d
--- /dev/null
+++ b/tpm2-abrmd-3.0.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d59aff34164aa705b05155b86607f6b66918a433104f754a3fcf76216dd9f465
+size 576822
diff --git a/tpm2-abrmd-3.0.0.tar.gz.asc b/tpm2-abrmd-3.0.0.tar.gz.asc
new file mode 100644
index 0000000..03c75a2
--- /dev/null
+++ b/tpm2-abrmd-3.0.0.tar.gz.asc
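Review bot: The directives added under [Service] constrain the filesystem and kernel interfaces but leave privilege escalation and device access untouched, even though the broker only needs the TPM node the unit already binds to through `Requires=dev-tpm0.device` and the D-Bus socket. Candidates to evaluate on a real TPM host are `NoNewPrivileges=true`, `DevicePolicy=closed` and `DeviceAllow=/dev/tpm0 rw` (plus `/dev/tpmrm0` if the broker is ever pointed at the in-kernel RM), and `ProtectHome=read-only` could presumably be tightened to `ProtectHome=true`, since a TPM broker has no reason to read home directories. These are hedged suggestions: the `User=` line and the remainder of the [Service] section fall outside the hunk, and the patch header still names tpm2-abrmd-2.4.0 while the package builds 3.0.0, so the shipped unit should be checked before tightening. Any manual directives belong outside the `# added automatically` … `# end of automatic additions` bracket so the tool-generated region stays separable.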
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmOOF5wACgkQbeLpB44f +UMEA7RAAkJDLBahV1hRcBXwM3dbtknHlSC26GgVtw3Q16eXI4e+Hbesjoc0KPrns +unWUnGYK+5/KG1FeGMS/4qWIvIKBfBg0KbIWi5AkYNGcjYV7f7rFK/yrYAkfv7AA +BcRr0AHH7vl5jNDSejWGwbc0lIl0zC9cjrgkfK20qoR7t4H38m0MkmiHyaiJkYU9 +GocoEqMO1xAnrWdQ2Ky1fIrKpQHXDxPUWX/YeA5Agqh54EE6Us7kcqTy+umojFkY +h2+8GkrxJznMKTC4iChnw2m2/LhpX7KkFuOr5CdAEoMJmRnILx2nvk/Cnrdw1LCV +AygFbR+sDQgKE3GmtW3s+VHuTZt06QNJwjO+iriFKi1fFhG4wMdtc6eA09y7+/mo +GeWEdTijiLYyIwCUkrPNC+taOzXrTadOteekZEzSrHwgr0Pvbhp/8uxAjH8Oc+NP +7R7di1EBPEAACm01wYCKZIH2EqQyToyQ1hP0lZ5GwOLlZkyTDHUMHmtYsRYXRbtV +99NqtSuh9hW+s8QZlXTB4VXrp+iMdWw8G/MXAd2Jsbcl9Wnx+LAbuExlp/U2BHtc +JnBYh7/7HUvn0wWAN/qXrKwjMm1jppxXEnpjhAKQKG38HkUPTUDYTbcwfx8GOGbY +bWr2dTLOlqnncNoz/V7MGP2gxRyLW16wmwZwcK4uAS9daLspfLU= +=VUqS +-----END PGP SIGNATURE----- diff --git a/tpm2-abrmd.keyring b/tpm2-abrmd.keyring new file mode 100644 index 0000000..0f0421b --- /dev/null +++ b/tpm2-abrmd.keyring 
@@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFik3GUBEADYDYbSXH3UTr9oCNCI3UxC1hiLH7cM+QIbMtWiwfAbT3G8wrTa +NPj00qNvI4wQ/Xm3h0hB7kri7vP0FqIjIwsTdM6ZpFdVHHKW1m4P8fkOcxqmLN0g +V36MN5fgoGWf2K94aS7ItoweRMcuHnwWawe6aAtbKSYVqhWhoB/3grgd0xhE61AS +o8fJ7uRYNEAYVeOKlC2j+qKfoJbCa6yqZejFwOOzB6qxNRA7JYvckEf8yJ4+Y16m +qPyZ1ErHzpql3+b5ha+g+9g8WzxAbSfGYZTwaQxyePNjXuq2tdEXf9XnESvoaoN4 +pQhiu/0BJEkXPxl1zso65g4Mn22xEELhUnwPDo5YdLlWEZ8xhELLvdJc3Z0nTR5A +4/YaZvvzf7pOD1cwpB6IrRf8n9rOe1aDxh/A//zX9PpIOV25p5kqlE88Ya5VXrnA +Ayfs19RZmK3+FuaI0ij79CRokG9BrI6TXT0pRTDIRu7GvAo2q13MELRvFddyRT2G +mNjsHYcqEbraYTh3LHEiwfWp4ZgDtk8jj3iRabHQUHk9V8vSFzj+wp1E8HzO8Vp3 +BxMDIOG1VPdLi81DP+LbZI1h30ZG63ulqkKIhwx5/h2v4VCYPatVtGqVf37tLstj +Wrs0DkBykuZrecp+AJ5ZJ+UVvR8ajO2ncAoOugNwoj9Wuvz0fVTiJIhuNQARAQAB +tDxXaWxsaWFtIFJvYmVydHMgKEJpbGwgUm9iZXJ0cykgPHdpbGxpYW0uYy5yb2Jl +cnRzQGludGVsLmNvbT6JAjgEEwECACIFAlik3GUCGwMGCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheAAAoJEG3i6QeOH1DBibEQAL4EwEzegkc8NyHiW0mntwDoCv3tkUlG +fprp/g7GWfrP+L+pN5yexg3Zm/CgVN/tTNCEr5XtP+sdds8xBF6ReJ8QPO7EiMiM +asPXh8zlODrySXCGHmpa7IzuUC2wgD3Wq7WjniMvnBmqBdL0+8nqA6NFxOOklvK1 +ub7bqLrHKfUfciFOfYAi+C0Bh8kdZtMjfY9sqlJA3sVK2UxVXq9D+oHbL1o454N6 +VzV0rDtsK47GSSCXT75kulPdfOCopTgxPgNsK4VnXgMOL5JMURPJa3rBzmBRFed1 +ynrqwFdmYdMepsUgt/JS2I/23QChqp6AdVDjtGLKS71hox+vdE4S0DoRnMHwHkkt +B6bqQci3RlUP+wcHHRCUXUubxMSlYJqhBdEOclo6N0X0LseLcdAMGda8ZnqbHlyg +hPLmJrM3C5zTLjDb2YJXCy6RVNwqAnU3o33SZCnHqo/zUjEtR03Ztk1DzSeCjo5w +zLac1VFq5S3QdgZUwmPhyeoigqOvHu6Z1s2eL8Aw7Hn8i6MWLz5sOXAtyC9NPwK/ +qbp1a+GQXzNW4rvKl7ZEFKrBKyj8AiRoVLSRKcqZtFT56ltXQjrwKjsWDTEOzjnm +XCSM96xfay6asQH5fw+haC3RIErwyNV0uUDIVC0xDTZ6NgJEBkp8liwNeHE7eHoN +8qWSZZO2syf7uQINBFik3GUBEAC7V2o1kBsLFSKwmgsCuGfW0oBIQiaCcakT6D2X +rKBjmzBvh/UIdXQwl9+vPKtWX3T/7g6UBvezV3uc2ZqrigGmFemoQI3sW7wFk0L9 +/QTUWCMfZtyrWgqyetmPYS+i2PnsEPinsgsEHWf3iu/ew1A7npZwINwMdOSOVw2u +JqYyW2tZCErWKVe31ziYUpXA+HaRm9zoVr0F0sE2GYGWbMVYtqxN9TSYcIAHxB71 +Y31dcY77ln/1JAH4Yzqc063w/lNYogEbbQY7WNgcKdPP+aovpV7kS3TKwsdb9/xT 
+pj67nnlvjLTMRoW3Ez0PcIDFhuube9uOQupYG4rC4grLeVLwL/ekVmn6TxRN1hG7 +6zYXWiwWi16uAO++eBNt127FwCOVZsPO0ye3/XpOpCdpUadguxF2gGt6xY0gtetj +Vdv6S4kCdSx8NMrO2epS/1pgklxN9R/xl7Wu+JPUuVX4Jy0ycmw7TCWxdK2fuFy6 +6aLCXWWEjRSp06oeVJoVV2py+rYaoau7JG7Zgx1A3gYTm6MLFysfROaQgmfRozIH +0boYh3IA1WWzk4I6ew129ynC5zGXg/+UCnKKwn8Tsh9neq9noRDAonWI7jOCipwF +l51py82093M87zjz9o/qxnB8p00jByQ+MunUykaZrkQKHAsiyIF6cUIeQiy/AL7n +wwSPQQARAQABiQIfBBgBAgAJBQJYpNxlAhsMAAoJEG3i6QeOH1DBtO8P/1D98sl3 +oz/0oSSz0u9nzgOh93UkLbXpjSR4U+g7Wl2ppxQyGSFeWwRwT5BT74EVP2IcrraX +V9c7l+s8PYqnUdX2XAqGMv06523cCrNUU93kUUNjAo3FxGSn7i2kHIvMkDbUoeVk +jyWKfIvyy2sKcVB9GQxfMrbnTR5/Z6fCyGHNqMFb9e9TUWclLzMIhvtkvLuKmf52 +TKKxKQt/wero5zb0fynOttIjuhmOP9CFTiYjdj7qSmQapW8VFdYjyzL+OOFk9gCL +S3mIk1LdkfWah7trmMUTXdmiEibvARAQ3Yjr+Hz9yU1gzEJSPUUugNguqgS5kN+T +3TdwUHAP9whVD2IvN/Mfn29bmFFVfzu3ftJIa1zJmOdZy7KWb6MWVhw3SJ65luPB +qxKWRqFDOSpqzBm6bYQ/Oka49Jl7/dCImSm+7bCC7LDK9hXa3AIlDtWvG4iiL18T +wUOrgXPysB/D/NQaRxT/vSPUOB4WrQzIKIf4vJdyuPdtOtIWm97KUw8r/jDqd4I3 +B62qknrrR+FPcz8ACM9fXkpbBEcjFV8EkoOae106Vxjo/lu5LVBbwiKviMMwoK5o +YE7FfCwLBbLTYMeetHo8jGBRonTEOKMtPlp/fCMOp9w7CgMDuvfEwuTsA1ux4uAb +tZZIbipcKcZmsU7Su4+oeyh61giG++M5rL2D +=xdFJ +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/tpm2.0-abrmd.changes b/tpm2.0-abrmd.changes new file mode 100644 index 0000000..cb861a8 --- /dev/null +++ b/tpm2.0-abrmd.changes 
@@ -0,0 +1,340 @@ +------------------------------------------------------------------- +Tue May 23 12:31:21 UTC 2023 - Alberto Planas Dominguez + +- Cover ALP via the %{suse_version} macro + +------------------------------------------------------------------- +Thu Dec 8 15:07:28 UTC 2022 - Alberto Planas Dominguez + +- Version 3.0.0 + + Fixed + * A bug in special command processing in TPM2_GetCapability when + an audit session is in use cuased tpm2-abrmd to abort. + + Added + * New SELinux interfaces for communication with keylime + + Changed + * DBUS permissions in tpm2-abrmd.conf to match the in-kernel RM, + ie /dev/tpmrm0, permissions. Now users MUST be in the tss group + to send to tpm2-abrmd over DBUS. +- Drop dbus-access.patch (merged in PR#805) + +------------------------------------------------------------------- +Fri Jul 8 08:43:16 UTC 2022 - Alberto Planas Dominguez + +- Version 2.4.1 + + Added + Contributor Covenant Code of Conduct. + + Fixed + * superflous warning messages about tcti status. + WARNING **: 11:00:56.205: tcti_conf before: "(null)" + WARNING **: 11:00:56.205: tcti_conf after: "mssim" + * GCC 11 build error: error: argument 2 of __atomic_load’ discards + 'volatile' qualifier + * Initialize gerror pointer variable to NULL to fix use of + unitialized memory and segfault. + * Updated missing defaults in manpage. + * Port CI to composite actions in tpm2-software/ci. + + Removed + Dependency on 'which' utility in configure.ac. + ubuntu-16.04 from CI. + +------------------------------------------------------------------- +Mon Apr 4 10:45:24 UTC 2022 - Matthias Gerstner + +- dbus-access.patch: restrict D-Bus access to tpm2-abrmd to members of the tss + group (bsc#1197532). This prevents arbitrary users from meddling with TPM + state and thus potential denial-of-service vectors. 
+ +------------------------------------------------------------------- +Wed Dec 8 16:50:13 UTC 2021 - Alberto Planas Dominguez + +- Version 2.4.0 + + remover syslog deprecation warning (bsc#1185154) + + cover update to 2.3.3 (jsc#SLE-17366) + + contains reload fix (bsc#1166936) + + fix tcti loading using short / long names (bsc#1159176) + +------------------------------------------------------------------- +Mon Nov 29 12:54:02 UTC 2021 - Alberto Planas Dominguez + +- Warp selinux into a bcond + +------------------------------------------------------------------- +Thu Nov 25 09:16:32 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_tpm2-abrmd.service.patch + +------------------------------------------------------------------- +Sat Jul 17 21:04:13 UTC 2021 - Callum Farmer + +- Move selinux devel file to devel subpackage + +------------------------------------------------------------------- +Wed Jul 14 13:41:59 UTC 2021 - Callum Farmer + +- Update to version 2.4.0: + - Service start depends on systemd device unit: dev-tpm0.device. + - Numerous memory leaks. + - udev settle service deprecation warnings. + - StandardOutput=syslog deprecation warnings. +- Add selinux module files +- Move dbus files out of /etc + +------------------------------------------------------------------- +Wed Jun 9 09:37:38 UTC 2021 - Alberto Planas Dominguez + +- Requires libtss2-tcti-{device0,tabrmd0} (bsc#1187077). + In MicroOS systems the recommendations are not installed, making the + service fail to initialize: Failed to instantiate TCTI + +------------------------------------------------------------------- +Thu Oct 22 12:15:24 UTC 2020 - Matthias Gerstner + +- update to version 2.3.3: + - changes in version 2.3.1: + - Fixed handle resource leak exhausting TPM resources. + - changes in version 2.3.2: + - Added cirrus CI specific config files to enable FreeBSD builds. + - Changed test scripts to be more portable. 
+ - Changed include header paths specific to FreeBSD. + - changes in version 2.3.1: + - Provide meaningful exit codes on initialization failures. + - Prevent systemd from starting the daemon before udev changes ownership + of the TPM device node. + - Prevent systemd from starting the daemon if there is no TPM device node. + - Prevent systemd from restarting the daemon if it fails. + - Add SELinux policy to allow daemon to resolve names. + - Add SELinux policy boolean (disabled by default) to allow daemon to + connect to all unreserved ports. + +------------------------------------------------------------------- +Wed Dec 11 11:55:13 UTC 2019 - matthias.gerstner@suse.com + +- update to version 2.3.0: + - changes in version 2.3.0: + - Add '--enable-debug' flag to configure script to simplify debug builds. + This relies on the AX_CHECK_ENABLE_DEBUG autoconf archive macro. + - Replaced custom dynamic TCTI loading code with libtss2-tctildr from + upstream tpm2-tss repo. (requires tpm2-0-tss version 2.3.0) + - Explicitly set '-O2' optimization when using FORTIFY_SOURCE as required. + - changes in version 2.2.0: + - New configuration option `--disable-defaultflags/ added. This is + for use for packaging for targets that do not support the default + compilation / linking flags. + - Use private dependencies properly in pkg-config metadata for TCTI. + - Refactor daemon main module to enable better handling of error + conditions and enable more thorough unit testing. + - Updated dependencies to ensure compatibility with pkg-config fixes + in tpm2-tss. + - Fixed bug causing TCTI to block when used by libtss2-sys built with + partial reads enabled. + - Removed unnecessary libs / flags for pthreads in the TCTI pkg-config. + - Output from configure script now accurately describes the state of the + flags that govern the integration tests. +- drop fix_dlopen.patch: no longer necessary since abrmd not uses the tctildr + shared library. This one hopefully now does the right thing. 
+ +------------------------------------------------------------------- +Mon Aug 26 06:49:37 UTC 2019 - mgerstner + +- update to version 2.1.1: + - changes in version 2.1.1: + - Unit tests accessing dbus have been fixed to use mock functions. Unit + tests no longer depend on dbus. + - Race condition between client connections and dbus proxy object + creation by registering bus name after instantiation of the proxy object. + +------------------------------------------------------------------- +Fri Apr 26 10:35:51 UTC 2019 - mvetter@suse.com + +- bsc#1130588: Require shadow instead of old pwdutils + +------------------------------------------------------------------- +Wed Mar 6 10:36:46 UTC 2019 - matthias.gerstner@suse.com + +- update to version 2.1.0: + - changes in version 2.1.0: + - `-Wstrict-overflow=5` now used in default CFLAGS. + - Handling of `TPM2_RC_CONTEXT_GAP` on behalf of users. + - Convert `TPM2_PT_CONTEXT_GAP_MAX` response from lower layer to + `UINT32_MAX` + - travis-ci now uses 'xenial' builder + - Significant refactoring of TCTI handling code. + - `--install` added to ACLOCAL_AMFLAGS to install aclocal required macros + instead of using the default symlinks + - Launch `dbus-run-session` in the automake test environment to + automagically set up a dbus session bus instance when one isn't present. + - Bug caused by unloading of `libtss2-tcti-tabrmd.so` on dlclose. GLib + does not support reloading a second time. + - Bug causing `-fstack-protector-all` to be used on systems with core + libraries (i.e. libc) that do not support it. This caused failures at + link-time. + - Unnecessary symbols from libtest utility library no longer included in + TCTI library. 
+ - changes in version 2.0.3: + - Update build to account for upstream change to glib '.pc' files + described in: https://gitlab.gnome.org/GNOME/glib/issues/1521 +- added _service file for syncing with upstream tags + +------------------------------------------------------------------- +Thu Oct 25 09:00:40 UTC 2018 - matthias.gerstner@suse.com + +- add a Requires towards tpm2-0-tss, because that main package holds the udev + rules and logic for setting up the tss user. Without this the daemon can't + start up correctly. + +------------------------------------------------------------------- +Tue Oct 23 15:46:28 UTC 2018 - matthias.gerstner@suse.com + +- fix broken build due to newer glib dependency that reports a full path for + gdbus-codegen, breaking the configure check. + +------------------------------------------------------------------- +Wed Sep 26 15:51:01 UTC 2018 - matthias.gerstner@suse.com + +- update to version 2.0.2 (FATE#326270): + - --enable-integration option to configure script now works as documented. + - Format specifier with wrong size in util module. + - Initialize TCTI context to 0 before setting values. This will cause all + members that aren't explicitly initialized by be 0. + +------------------------------------------------------------------- +Tue Sep 18 09:05:24 UTC 2018 - matthias.gerstner@suse.com + +- add recommends to the tcti-device and tcti-abrmd. Otherwise they're not + installed right away, rendering the abrmd quite unusable. + +------------------------------------------------------------------- +Fri Aug 10 10:02:21 UTC 2018 - matthias.gerstner@suse.com + +- Update to version 2.0.1: + * SessionList: Fix Connection object reference leak. + * source/sink: Organize ControlMessage processing. + * CommandSource: Replace 'connection-removed' signal with ControlMessage. + * SessionList: Remove all locking. + * ConnectionManager: Remove 'connection-removed' signal. + * ci: Build 'check' target when CC is gcc. 
+ * build: Fix bad URLs in configure script. + * CHANGELOG.md: Add version number and date for 2.0.1 release. + * Replace references to drand48_r family of functions for portability + * Fix for type-punned pointer reported in newer compilers that enforce strict aliasing + +------------------------------------------------------------------- +Tue Jul 3 09:15:27 UTC 2018 - matthias.gerstner@suse.com + +- Trying to fix build on older distros that fail because of a missing or + broken autoconf valgrind detection macro. Removing autoreconf to hopefully + fix this. + +------------------------------------------------------------------- +Mon Jul 2 09:27:43 UTC 2018 - matthias.gerstner@suse.com + +- add fix_dlopen.patch: fixes an issue with dlopen()'ing the tcti-device + library from tpm2-0-tss. See + https://github.com/tpm2-software/tpm2-abrmd/issues/486. + +------------------------------------------------------------------- +Fri Jun 29 11:43:08 UTC 2018 - matthias.gerstner@suse.com + +- update to major version 2.0.0: + - support_dbus_activation.diff: removed, is not contained upstream + - the tpm2 stack introduces an incompatible ABI to the previous version with + this update. There is no compatibility layer, libraries have new names +etc. + - upstream changelog: + ## 2.0.0 - 2018-06-22 + ### Added + - Integration test script and build support to execute integration tests + against a physical TPM2 device on the build platform. + - Implementation of dynamic TCTI initialization mechanism. + - configure option `--enable-integration` to enable integration tests. + The simulator executable must be on PATH. + - Support for version 2.0 of tpm2-tss libraries. + ### Changed + - 'max-transient-objects' command line option renamted to 'max-transients'. + - Added -Wextra for more strict checks at compile time. + - Install location of headers to $(includedir)/tss2. + ### Fixed + - Added missing checks for NULL parameters identified by the check-build. 
+ - Bug in session continuation logic. + - Off by one error in HandleMap. + - Memory leak and uninitialized variable issues in unit tests. + ### Removed + - Command line option --fail-on-loaded-trans. + - udev rules for TPM device node. This now lives in the tpm2-tss repo. + - Remove legacy TCTI initialization functions. + - configure option `--with-simulatorbin`. + + ## 1.3.1 - 2018-03-18 + ### Fixed + - Distribute systemd preset template instead of the generated file. + + ## 1.3.0 - 2018-03-02 + ### Added + - New configure option (--test-hwtpm) to run integration tests against a + physical TPM2 device on the build platform. + - Install systemd service file to allow on-demand systemd unit activation. + ### Changed + - Converted some inappropriate uses of g_error to critical / warning instead. + - Removed use of gen_require from SELinux policy, use dbus_stub instead. + - udev rules now give tss group read / write access to the TPM device node. + - udev rules now give tss user and group read / write access to kernel RM + node. + ### Fixed + - Memory leak on an error path in the AccessBroker. + +------------------------------------------------------------------- +Thu Feb 22 11:34:51 UTC 2018 - matthias.gerstner@suse.com + +- update to upstream version 1.2.0: + - Limit maximum number of active sessions per connection with '--max-sessions'. + - Flush all transient objects and sessions on daemon start with '--flush-all'. + - Allow passing of sessions across connections with ContextSave / Load. + - Unref the GUnixFDList returned by GIO / dbus in the TCTI init function. + This fixes a memory leak in the TCTI library. +- correctly trigger udev to update /dev/tpm* permissions after package + installation. 
(bnc#1078687) +- prepared support_dbus_activation.diff patch which adds D-Bus activation, but + can't use it yet due to rpmlint + +------------------------------------------------------------------- +Wed Nov 15 11:43:19 UTC 2017 - matthias.gerstner@suse.com + +- fix_service_paths.diff: fixed broken systemd service unit (bnc#1066123). the + service unit file in the upstream distribution tarball is already configured + and looks for binaries and configuration files in the /usr/local prefix + which is wrong. + +------------------------------------------------------------------- +Fri Sep 1 14:37:48 UTC 2017 - matthias.gerstner@suse.com + +- package version symlink correctly, belongs into the lib package itself, not + the -devel. + +------------------------------------------------------------------- +Wed Aug 30 08:29:07 UTC 2017 - matthias.gerstner@suse.com + +- update to upstream version 1.1.1 which fixes some local denial-of-service + security issues among other things: + + - Replace use of sigaction with g_unix_signal_* stuff from glib. + - Rewrite of INSTALL.md including info on custom configure script options. + - Default value for --with-simulatorbin configure option has been removed. + New default behavior is to disable integration tests. + - CommandSource will no longer reject commands without parameters. + - Unit tests updated to use cmocka v1.0.0 API. + - Integration tests now run daemon under valgrind memcheck and fail when + errors are found. + - CommandSource now tracks max FD in set of client FDs to prevent unnecessary + iterations over FD_SETSIZE fds. + +- no longer call bootstrap and switch to the release upstream tarball which + has now been fixed to contain all necessary files + +------------------------------------------------------------------- +Thu Jul 20 13:04:41 UTC 2017 - matthias.gerstner@suse.com + +- first version of the new arbmd resource manager from Intel's tpm2 stack. 
+ This will replace the old resourcemgr previously shipped with the
+ tpm2-0-tss package.
diff --git a/tpm2.0-abrmd.rpmlintrc b/tpm2.0-abrmd.rpmlintrc
new file mode 100644
index 0000000..7c3fc28
--- /dev/null
+++ b/tpm2.0-abrmd.rpmlintrc
@@ -0,0 +1 @@
+addFilter("shared-lib-calls-exit */usr/lib64/libtss2-tcti-tabrmd.so*")
diff --git a/tpm2.0-abrmd.spec b/tpm2.0-abrmd.spec
new file mode 100644
index 0000000..3062bc9
--- /dev/null
+++ b/tpm2.0-abrmd.spec
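Review bot: The filter silences the shared-lib-calls-exit finding for libtss2-tcti-tabrmd without recording why it is accepted, and that finding matters for a client library: a TCTI that calls exit() can terminate whatever process loaded it (any SAPI/ESAPI consumer) instead of returning an error. A one-line reason above the filter would keep the trade-off visible, e.g. `# upstream TCTI terminates via exit() on unrecoverable internal errors; accepted upstream behaviour, not fixable in packaging` — the call site is not visible here, so confirm the wording against the library source. The pattern also hard-codes /usr/lib64, so it will not match on targets with a different libdir; `addFilter("shared-lib-calls-exit */libtss2-tcti-tabrmd.so*")` matches regardless.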
@@ -0,0 +1,198 @@
+#
+# spec file for package tpm2.0-abrmd
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global selinuxtype targeted
+%global modulename tabrmd
+# the auto activation is not whitelisted for <= SLE12-SP3 (includes
+# ALP in the with %{suse_version}
+%if 0%{?sle_version} > 120300 || 0%{?is_opensuse} || 0%{?suse_version} >= 1600
+%define install_dbus_files 1
+%endif
+# selinux only for Tumbleweed for now
+%if 0%{?suse_version} >= 1550 && 0%{?is_opensuse}
+%bcond_without selinux
+%else
+%bcond_with selinux
+%endif
+Name: tpm2.0-abrmd
+Version: 3.0.0
+Release: 0
+Summary: Intel's TCG Software Stack Access Broker & Resource Manager for TPM 2.0 chips
+License: BSD-2-Clause
+Group: Productivity/Security
+URL: https://github.com/tpm2-software/tpm2-abrmd
+Source0: https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
+Source1: https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz.asc
+# curl https://github.com/williamcroberts.gpg > tpm2-abrmd.keyring
+Source2: tpm2-abrmd.keyring
+Source3: tpm2.0-abrmd.rpmlintrc
+Source4: README.SUSE
+Patch0: harden_tpm2-abrmd.service.patch
+BuildRequires: autoconf-archive
+BuildRequires: automake
+BuildRequires: checkpolicy
+BuildRequires: gcc-c++
+BuildRequires: libtool
+BuildRequires: pkgconfig
+BuildRequires: policycoreutils
+BuildRequires: systemd-rpm-macros
+BuildRequires: pkgconfig(dbus-1)
+BuildRequires: pkgconfig(gio-unix-2.0)
+BuildRequires: pkgconfig(tss2-sys)
+Requires: libtss2-tcti-device0
+Requires: libtss2-tcti-tabrmd0
+Requires: tpm2-0-tss
+Requires(pre): user(tss)
+%if %{with selinux}
+BuildRequires: selinux-policy-devel
+BuildRequires: selinux-policy-targeted
+BuildRequires: pkgconfig(systemd)
+Requires: (%{name}-selinux if selinux-policy-base)
+%endif
+
+%description
+The tpm2.0-abrmd package provides the TPM2 Access Broker & Resource Manager.
+This is a daemon service that coordinates requests to the TPM2 chip via
+Intel's TPM 2.0 software stack.
+
+%package devel
+Summary: Development headers the Access Broker & Resource Manager for TPM 2.0 chips
+Group: Development/Libraries/C and C++
+Requires: glibc-devel
+Requires: libtss2-tcti-tabrmd0 = %{version}
+Requires: tpm2.0-abrmd = %{version}
+
+%description devel
+This package provides the development files for the Access Broker & Resource
+Manager for coordinating access to TPM 2.0 chips.
+
+%if %{with selinux}
+%package selinux
+Summary: SELinux module for the Access Broker & Resource Manager for TPM 2.0 chips
+Group: System/Management
+Requires: tpm2.0-abrmd = %{version}
+BuildArch: noarch
+%{selinux_requires}
+
+%description selinux
+This package provides the SELinux module for the Access Broker & Resource Manager for TPM 2.0 chips.
+%endif
+
+%package -n libtss2-tcti-tabrmd0
+Summary: Client interface library for tpm2-abrmd
+Group: System/Libraries
+
+%description -n libtss2-tcti-tabrmd0
+This library allows to interact with the tpm2-abrmd daemon. It is intended for
+use with the SAPI library (libtss2-sys) like any other TCTI.
+
+%post -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
+
+%prep
+%autosetup -n tpm2-abrmd-%{version} -p1
+
+%build
+export CFLAGS="%{optflags} -fPIE"
+export LDFLAGS="$LDFLAGS -pie"
+%configure \
+ --disable-static \
+ %{?with_selinux: --with-sepolicy=yes} \
+ --with-systemdsystemunitdir=%{_unitdir} \
+ --with-dbuspolicydir=%{_datadir}/dbus-1/system.d
+%make_build PTHREAD_LDFLAGS=-pthread
+
+%install
+%make_install
+# don't package libtool files as is best practice
+find %{buildroot} -type f -name "*.la" -delete -print
+ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
+# don't install the systemd preset, our presets are handled by
+# systemd-presets-* packages
+rm %{buildroot}%{_prefix}/lib*/systemd/system-preset/tpm2-abrmd.preset
+cp %{SOURCE4} .
+%if ! 0%{?install_dbus_files}
+rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
+rm %{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%endif
+%if %{with selinux}
+mkdir %{buildroot}%{_datadir}/selinux/packages/targeted
+mv %{buildroot}%{_datadir}/selinux/packages/tab* %{buildroot}%{_datadir}/selinux/packages/targeted
+%endif
+
+%pre
+%service_add_pre tpm2-abrmd.service
+
+%post
+%service_add_post tpm2-abrmd.service
+
+%postun
+%service_del_postun tpm2-abrmd.service
+
+%preun
+%service_del_preun tpm2-abrmd.service
+
+%if %{with selinux}
+%pre selinux
+%{selinux_relabel_pre -s %{selinuxtype}}
+
+%post selinux
+%{selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename}.pp.bz2}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %{selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename}}
+fi
+
+%posttrans selinux
+%{selinux_relabel_post -s %{selinuxtype}}
+%endif
+
+%files
+%doc *.md README.SUSE
+%license LICENSE
+%{_mandir}/man7/tss2-*
+%{_mandir}/man8/tpm2-*
+%{_sbindir}/tpm2-abrmd
+%{_sbindir}/rctpm2-abrmd
+%{_unitdir}/tpm2-abrmd.service
+%if 0%{?install_dbus_files}
+# the auto activation is not whitelisted for <= SLE12-SP3
+%{_datadir}/dbus-1/system.d/tpm2-abrmd.conf
+%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%endif
+
+%if %{with selinux}
+%files selinux
+%{_datadir}/selinux/packages/targeted/tabrmd.pp.bz2
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
+%files devel
+%{_includedir}/tss2
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man3/Tss2*
+%if %{with selinux}
+%{_datadir}/selinux/devel/include/contrib/tabrmd.if
+%endif
+
+%files -n libtss2-tcti-tabrmd0
+%{_libdir}/libtss2-tcti-tabrmd.so.*
+
+%changelog
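Review bot: The `%if ! 0%{?install_dbus_files}` branch in %install removes `%{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf`, but `%configure` is passed `--with-dbuspolicydir=%{_datadir}/dbus-1/system.d` and `%files` packages the policy from `%{_datadir}/dbus-1/system.d`, so on the targets where that branch is taken the `rm` addresses a path that was never populated and fails the build, while the actual policy file would be left unpackaged. The removal should use the same location as the configure flag: `rm %{buildroot}%{_datadir}/dbus-1/system.d/tpm2-abrmd.conf`. That policy file is also what carries the tss-group restriction described in README.SUSE, and with dbus-access.patch dropped it now comes from upstream's 3.0.0 tarball, so a comment next to the `%files` entry — `# D-Bus policy restricts the bus name to the tss group (bsc#1197532); re-check on every version bump now that dbus-access.patch is gone` — would keep that invariant visible to the next updater. The spec never invokes gpg itself, so verification of Source1 against the Source2 keyring presumably relies on the build service's source validation; extending the `# curl ...` comment to say so would make the keyring's purpose explicit.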