From 8fc985afbe12f873060632b5e3b96a1e4a4db6a9768b4c218fb043d8245e7672 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Sat, 4 May 2024 01:28:12 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main tpm2.0-tools revision 5846abeb273a4c1cf61e085301bdd018
---
.gitattributes | 23 +
tpm2-tools-5.5.tar.gz | 3 +
tpm2-tools-5.5.tar.gz.asc | 16 +
tpm2-tools.keyring | 233 +++++
tpm2.0-tools.changes | 1851 +++++++++++++++++++++++++++++++++++++
tpm2.0-tools.spec | 115 +++
6 files changed, 2241 insertions(+)
create mode 100644 .gitattributes
create mode 100644 tpm2-tools-5.5.tar.gz
create mode 100644 tpm2-tools-5.5.tar.gz.asc
create mode 100644 tpm2-tools.keyring
create mode 100644 tpm2.0-tools.changes
create mode 100644 tpm2.0-tools.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/tpm2-tools-5.5.tar.gz b/tpm2-tools-5.5.tar.gz
new file mode 100644
index 0000000..71008a1
--- /dev/null
+++ b/tpm2-tools-5.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1fdb49c730537bfdaed088884881a61e3bfd121e957ec0bdceeec0261236c123
+size 1241390
diff --git a/tpm2-tools-5.5.tar.gz.asc b/tpm2-tools-5.5.tar.gz.asc
new file mode 100644
index 0000000..b9ca12a
--- /dev/null
+++ b/tpm2-tools-5.5.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmPqU7MACgkQbeLpB44f
+UMEaug//TgtRx9sfZBdtAQpKw/pc3wBBmUfRNC2FF6XYXC63j/iiiDRGyilw/awu
+457DE/bnRpO9LGVRGBh6u34/sJEXXlkAowy4nfCW+PoB4uClC2Cgu9h5znC8t0ZA
+FB5x4hGY3PvbGgaZKqUs3ktGrC74dbXOXaHOee1UnD+PPs9GZqLXoQewY/PhXFLR
+ap2Ny0omW/TUEjksZEaCMvKiCf6F8UPEFoWVf/z+J9O7Qt+SUXb50Oxus6nh1OFL
+ewqJyiFZRwHqFF1BfuTn5nBEt/8bBeW4RVMdc/srSg/Dx0bhZIf7NiUxw/7oD2/x
+wmyJHASBZTN3Af0Ji9D5kyGOeEAfSf+Vwl+UGcAjZ5jJh/le31Cz0d71XSkGEeO2
+Fo0t5ArAhS9mpTeyXOIwiF9SpaBhoEjRwEBxvukfhYalUY16X7McUwxOzPsPZetW
+Iu+s3qhsRgxx3Lw0n3ayK8CV1El8WEyaiOcc7f2TQIm7MeVxo5CQu5oEeUb1I9py
+Pm8MLzm/DUWX0x6ElCeYVUIEpudKxVcM1JA+w+zGmnb1bKnr1IydWneCQmt6L6cq
+uqaON66rNFrFpzNtf2kHqUpkb1DIFHWnIgaqJkP9IayKI17mbvqalaqnOc/1z6/G
+FQ7CNbbIkAdGzHZHVFuWrlJ008kdg01r7AracSoW/oeQsSyWIOs=
+=DW/Z
+-----END PGP SIGNATURE-----
diff --git a/tpm2-tools.keyring b/tpm2-tools.keyring
new file mode 100644
index 0000000..8bb5fa2
--- /dev/null
+++ b/tpm2-tools.keyring
@@ -0,0 +1,233 @@ +tag william-roberts-pub +Tagger: William Roberts +Date: Wed Feb 15 15:12:03 2017 -0800 + +Signing key for maintainer: +william.c.roberts@intel.com +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBFik3GUBEADYDYbSXH3UTr9oCNCI3UxC1hiLH7cM+QIbMtWiwfAbT3G8wrTa +NPj00qNvI4wQ/Xm3h0hB7kri7vP0FqIjIwsTdM6ZpFdVHHKW1m4P8fkOcxqmLN0g +V36MN5fgoGWf2K94aS7ItoweRMcuHnwWawe6aAtbKSYVqhWhoB/3grgd0xhE61AS +o8fJ7uRYNEAYVeOKlC2j+qKfoJbCa6yqZejFwOOzB6qxNRA7JYvckEf8yJ4+Y16m +qPyZ1ErHzpql3+b5ha+g+9g8WzxAbSfGYZTwaQxyePNjXuq2tdEXf9XnESvoaoN4 +pQhiu/0BJEkXPxl1zso65g4Mn22xEELhUnwPDo5YdLlWEZ8xhELLvdJc3Z0nTR5A +4/YaZvvzf7pOD1cwpB6IrRf8n9rOe1aDxh/A//zX9PpIOV25p5kqlE88Ya5VXrnA +Ayfs19RZmK3+FuaI0ij79CRokG9BrI6TXT0pRTDIRu7GvAo2q13MELRvFddyRT2G +mNjsHYcqEbraYTh3LHEiwfWp4ZgDtk8jj3iRabHQUHk9V8vSFzj+wp1E8HzO8Vp3 +BxMDIOG1VPdLi81DP+LbZI1h30ZG63ulqkKIhwx5/h2v4VCYPatVtGqVf37tLstj +Wrs0DkBykuZrecp+AJ5ZJ+UVvR8ajO2ncAoOugNwoj9Wuvz0fVTiJIhuNQARAQAB +tDxXaWxsaWFtIFJvYmVydHMgKEJpbGwgUm9iZXJ0cykgPHdpbGxpYW0uYy5yb2Jl +cnRzQGludGVsLmNvbT6JAjgEEwECACIFAlik3GUCGwMGCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheAAAoJEG3i6QeOH1DBibEQAL4EwEzegkc8NyHiW0mntwDoCv3tkUlG +fprp/g7GWfrP+L+pN5yexg3Zm/CgVN/tTNCEr5XtP+sdds8xBF6ReJ8QPO7EiMiM +asPXh8zlODrySXCGHmpa7IzuUC2wgD3Wq7WjniMvnBmqBdL0+8nqA6NFxOOklvK1 +ub7bqLrHKfUfciFOfYAi+C0Bh8kdZtMjfY9sqlJA3sVK2UxVXq9D+oHbL1o454N6 +VzV0rDtsK47GSSCXT75kulPdfOCopTgxPgNsK4VnXgMOL5JMURPJa3rBzmBRFed1 +ynrqwFdmYdMepsUgt/JS2I/23QChqp6AdVDjtGLKS71hox+vdE4S0DoRnMHwHkkt +B6bqQci3RlUP+wcHHRCUXUubxMSlYJqhBdEOclo6N0X0LseLcdAMGda8ZnqbHlyg +hPLmJrM3C5zTLjDb2YJXCy6RVNwqAnU3o33SZCnHqo/zUjEtR03Ztk1DzSeCjo5w +zLac1VFq5S3QdgZUwmPhyeoigqOvHu6Z1s2eL8Aw7Hn8i6MWLz5sOXAtyC9NPwK/ +qbp1a+GQXzNW4rvKl7ZEFKrBKyj8AiRoVLSRKcqZtFT56ltXQjrwKjsWDTEOzjnm +XCSM96xfay6asQH5fw+haC3RIErwyNV0uUDIVC0xDTZ6NgJEBkp8liwNeHE7eHoN +8qWSZZO2syf7uQINBFik3GUBEAC7V2o1kBsLFSKwmgsCuGfW0oBIQiaCcakT6D2X +rKBjmzBvh/UIdXQwl9+vPKtWX3T/7g6UBvezV3uc2ZqrigGmFemoQI3sW7wFk0L9 
+/QTUWCMfZtyrWgqyetmPYS+i2PnsEPinsgsEHWf3iu/ew1A7npZwINwMdOSOVw2u +JqYyW2tZCErWKVe31ziYUpXA+HaRm9zoVr0F0sE2GYGWbMVYtqxN9TSYcIAHxB71 +Y31dcY77ln/1JAH4Yzqc063w/lNYogEbbQY7WNgcKdPP+aovpV7kS3TKwsdb9/xT +pj67nnlvjLTMRoW3Ez0PcIDFhuube9uOQupYG4rC4grLeVLwL/ekVmn6TxRN1hG7 +6zYXWiwWi16uAO++eBNt127FwCOVZsPO0ye3/XpOpCdpUadguxF2gGt6xY0gtetj +Vdv6S4kCdSx8NMrO2epS/1pgklxN9R/xl7Wu+JPUuVX4Jy0ycmw7TCWxdK2fuFy6 +6aLCXWWEjRSp06oeVJoVV2py+rYaoau7JG7Zgx1A3gYTm6MLFysfROaQgmfRozIH +0boYh3IA1WWzk4I6ew129ynC5zGXg/+UCnKKwn8Tsh9neq9noRDAonWI7jOCipwF +l51py82093M87zjz9o/qxnB8p00jByQ+MunUykaZrkQKHAsiyIF6cUIeQiy/AL7n +wwSPQQARAQABiQIfBBgBAgAJBQJYpNxlAhsMAAoJEG3i6QeOH1DBtO8P/1D98sl3 +oz/0oSSz0u9nzgOh93UkLbXpjSR4U+g7Wl2ppxQyGSFeWwRwT5BT74EVP2IcrraX +V9c7l+s8PYqnUdX2XAqGMv06523cCrNUU93kUUNjAo3FxGSn7i2kHIvMkDbUoeVk +jyWKfIvyy2sKcVB9GQxfMrbnTR5/Z6fCyGHNqMFb9e9TUWclLzMIhvtkvLuKmf52 +TKKxKQt/wero5zb0fynOttIjuhmOP9CFTiYjdj7qSmQapW8VFdYjyzL+OOFk9gCL +S3mIk1LdkfWah7trmMUTXdmiEibvARAQ3Yjr+Hz9yU1gzEJSPUUugNguqgS5kN+T +3TdwUHAP9whVD2IvN/Mfn29bmFFVfzu3ftJIa1zJmOdZy7KWb6MWVhw3SJ65luPB +qxKWRqFDOSpqzBm6bYQ/Oka49Jl7/dCImSm+7bCC7LDK9hXa3AIlDtWvG4iiL18T +wUOrgXPysB/D/NQaRxT/vSPUOB4WrQzIKIf4vJdyuPdtOtIWm97KUw8r/jDqd4I3 +B62qknrrR+FPcz8ACM9fXkpbBEcjFV8EkoOae106Vxjo/lu5LVBbwiKviMMwoK5o +YE7FfCwLBbLTYMeetHo8jGBRonTEOKMtPlp/fCMOp9w7CgMDuvfEwuTsA1ux4uAb +tZZIbipcKcZmsU7Su4+oeyh61giG++M5rL2D +=xdFJ +-----END PGP PUBLIC KEY BLOCK----- + +tag javier-martinez-pub +Tagger: Javier Martinez Canillas +Date: Mon Apr 30 11:11:25 2018 +0200 + +Signing key for maintainer: +javierm@redhat.com +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFm5I3sBEACnneVfhNlq+yVeTRpYlt9/2k9istJhozy4y8fuZuaqxwm5Tpjo +c1YqejLBCG1WRmNiJ1DgkI07IxUNQhx8oENYtzYPbFlk/t7fUgWOb3jME69zUs56 +sG410oFmSU+EHrLy6vk6jVgia8uCLeJ6X43boT2VMqzcbUQEv/ORf+J72ZK9wIYf +gPj32S77NV4pBEOeDp+3bV/2Qs8CPbSXJJa3SFTwt3h4U+CszekhlH1wMAK1aaSC +MKlYvkEuKG8vgp8hJ+wA2kTEg8io7WKOJP567eMs3l/EJ/zAnZByulKWr1BtD3n7 +OIMWFXQxvUr6SVScFNpRw3N9hiN+hjImbaTGHcxselXMNTQeyID42ckHaVm6mACq 
+g3QOVlolqKYnQgRNCuPVObDe6IhzdF+OhXfhYIDRvQ2+nFbGO/A6mt11bIP9BPNJ +pyw1JoIjLIcZJKwfh2FdzjQpzJ9StfX3eR9opXoD8mNyJ0EtvRVth0wp2mwuv42Q +BuVPtVZLGdxvnzMEMkl3QeWE+uiidurbTNZ4iFUNHd+r7alPBn2ItFNSpFj4+FaZ +u5eOyt/E3tcUdIoYHjpo5DkK4bwd7bX6L0VMzFr3qwBqDmHBylhwXMU6MR+a7zRU +CgoQt9xb2hJQnNWPdcWDXxQJfBrLRMjkpo5hD/sBYzrlyqHkM8PILIi6SQARAQAB +tC1KYXZpZXIgTWFydGluZXogQ2FuaWxsYXMgPGphdmllcm1AcmVkaGF0LmNvbT6J +Ak4EEwEIADgWIQTXXteqJOUM1kXG9FfHUeWQ1j89aQUCWbkjewIbAwULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDHUeWQ1j89aVNQD/9ESnrFxkZGg82WxD7fO6Oi +Zca1aq+4kQQlk4hjA4cLg0o3kZ28htjYR/jVw/wSNE3c2S9fnl7ZQcFEXntswLIc +fvrjlF6D8UA4sbxfve3fDF6SafbJXMAq+e+aOw5BwCKxn1a/j5b4eIY8hKA5G34H +L9Ypj7DEI90BZ7t4/xZ4UtCLyxWg4grT0IHNc8FL9NoHCo4kW8M7iQry14HfeieK +0psUWT5uKO0mhXiMau4KUQeF8agyfYTRdoIl6ObzHwYSZFCk8mPUsuDg8qVuc+jy +xKr+yOmY2Iu+4AFeQPSXJGiFmVlop2B+6jUnRUFCs2vyW6uW2Ya0eCKBJvRE7gyg +coL3deBIbs1OwNOZJFMAGZ+Zb+cKvRVArTnQ42Aktc2ayKiixJ/mJ/rxdEnhmMJX +WzKuEloDGH1wRhSwprQJRe1lIvVZmIggQ+OoY7P8hn2it4agSf5Cyd1JDc5wd5ZI +6+lzVRiwyVruIV/j5ku9HYnYsEHQ3ZttnYqk3dUenTWSsDNWc/bANWeGl2+2U+Mo +QFRvudOSjpWd1K2Chj4orUt5wy+cm8MZT6agHpJ1WZZrK0al4esoa0cR2cBvpgxP +eHtn8ajFGmyYS/B+tncfPH9kuMRGjv2Ao9BmikneHkYX/dXP6sNluiw0HqJXFC6d +sDz0s0d8Jpv3cGv8OCjPdbkCDQRZuSN7ARAAvy5lVu0Dw1+pSsRwb/5Ki6ovFxYO +RYymelvIc89DMA0zZ7TrBiTg+gI+UPJiouWk7GzZTVNthcIGT7ZN8G+/f1ba5Bkr +kY5/j/1chyJbW+KUgVYhDWJMH69cfPMpwha/HU8Yc+XmvRGyTE8EW96vIIqcAEqF +gkHh6EiWLFyF+rQNVRTQOsx/HdYmEQ3uu8JMEr1UmhE031gcEaECAk+dkQv97g+s +ONSxaMzC4BL9xVbOniEeY+pbnZ9pHwhB8ehZfBoHv/mcHJQKKSyK5ArQ2h2GMiY1 +31KXtP+GiuOpS7kjUW/mWok9gzTDE/k1sLLi9fOxpEHBia7TqKeSGJDFqM5TkFY4 +paOGohNH3Kzev/lwUu+Sf7kZ8q192/8xm/S1mbBO+AsFhMx1GbOCPfcklA1yZJXf +9ShR1poPVRNW15WgO/lIJm1SVjelmH6S2RfHous+Ij7u82K0vgzPKvAKJqoauaW5 +tmMrZuwCNQlhfm+59cacs9F6aueonw23iMaFGOHUVoTMzKvIWf6gYeqQiGPP/KnW +1HsdWmSjdE9wsRwDd5Dxnx76SAy+eTVfpL8qazNnX9nfTEtfwfo2t//LBB182Z+6 +azCSORNyvo8Uiwhi6c1lzlMngbq0RiCVqYswSsHvIcmN1MqZodJ4FMZrgZcbMHx4 +5Mv+JzopI2EGfzkAEQEAAYkCNgQYAQgAIBYhBNde16ok5QzWRcb0V8dR5ZDWPz1p 
+BQJZuSN7AhsMAAoJEMdR5ZDWPz1p6XgP/AuPr0IzbSvPhVOu1rqfBBldxeStSIYI +Fbw4Yll1iM0cpeiQ4x6TIH8GNx0HhnFps7hENbXoDyOVEMG1ju5MFj8cLZQKuBlB +jDSPza3jZ1ZQmQMBxcsQwrATTaceo8SI/Xx7orBzrtsfBgcnc2vp1zhqiiiLbB4M +GHdIBuOczGEhlZPq5o1Ld0fJggpPXJdZ45d545rErqyMlf5YLGjkDsdjBX3KVZyh +QCH+l9VRqTGEqQrVA2QkdfheoQ5k+g7TwwQfYoV4WbP/kbuEqOYhYEllr2Nhzl5U +3F+SI7gP80BYFxqqfccAQgcJZeQUrQ9YL0qB/sJkbi6fRydDQqpV3MrAp4FeZkSn +jgcKZgD6thILaWtI7yh6hdLUtLQmsOfxJKFspayWY+QBbJKu0WTGyWJ2bYCbDLQ5 +oOcCW0O2ShA4YFTAI2yI2g3IAYOCJiucIWz+q3h1Gt2cwmRBUUGKBoCm0Q3Pjm+T +hdbLXoPzZICuCT1iTZrhuwndH2sbM/itkDm1BaNEvWJqQd2PkqqPUF8lew4Eo4hP +JEz4k9v/LMaZpp8qRTqMpnYhvHDxb3OEPyDNor7VfPeAMAwP0MI7SxgFoiUAoL6q +wiKDPpqVHgRaCOAj6a/+p/ozXVrFGRelvRDZQ8g/tfIBLlHbZPa/VXjt+j//mvF8 +yX/+AfLZXs79 +=h4wr +-----END PGP PUBLIC KEY BLOCK----- + +tag joshua-lock-pub +Tagger: Joshua Lock +Date: Fri Jun 8 14:24:19 2018 +0100 + +Signing key for maintainer: +joshua.g.lock@intel.com +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFsagX0BEAC7QZhd0+McfBrI6CgLTpsLWTYrJZP/ABpVw2tzfgN+A+uCglml +Yg2VhfSr5AZWCOWbccrrB59kPnXIOqIshNC2We4ecpKHAWiw5KlboejnWP6Si+4F +3iZMF01M8AggVHx+iBPYPN0KiM45kRbTMDbKgqEpWntoUFHU3am9umfr2dPh8hpL +VaFzm3nThgsyckHar+DHZPo8tpOYFQSWzR6FfdrkjFfYTwkgEg2fyZVwfI4r2qO0 +H+Tx0FaHJN6shUN2uH1XowKdtOGi8GZl6xkeXvszp+q4kLCsDMzACMW3T9BIMykS +W7oUjrdYt5Wej0pAeImWZNU+N3cbGGYkq3DMRFMA7U9BQHZZLLEryQlfJq9GwW// +hfrkN70eepDldO8wWevsad3PUdSCMeUQFrWwZvCjeY8UOOiKhVVyHDWEM1wL41ek +C7G2c41L5yPw2jMj0pu+FmflD8UGLbGxQo08jxkWgmPGpm+WABT9bU9DIzLY5g2t +rzkgHxWHnEBzKZTJ7kQjuWjd+Kx0CtN6Msz8tc5JDgb6B9HBhYDLU0AZgLBDHh9W +BvVablpYb6rgDoA8LRzkKarg0KceQsBEXVphCnO80+0M6FzkRkNQTpqj/B6kXD+D +pIU5yCdJb+UDQbf7ouBwL0HjBz0J5e9DyQ877EYAshIatp1wtTJxcO5YjwARAQAB +tCVKb3NodWEgTG9jayA8am9zaHVhLmcubG9ja0BpbnRlbC5jb20+iQI+BBMBAgAo +BQJbGoF9AhsDBQkFo5qABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBJvK5U +Q//8NO2qD/9CZriVb7BNuGohcRkZTLNz+batciFaeRmpxp3yTztvIzsKxhzBI6o1 +GNASXUbYHWvICwtFxocn3QPmKQuB4FFyiDCv9ed0bdR8ohl+cAGa2xd83iSOrEgm 
+wp2QcHzej3JYitZzEB9oEathn+1fDuOFajeGMCOGIxW7zsFCmb0NGaj1QWye7OAt +ZrXcYeW0DDykVDx879n3uqVZwQsfXaKTfDCPxhFCG8Zo/s5QSvDPc7CAhDRrvhsR +yGEjhcs9FgDVzhuXVExSNSTk3TqgmtqoD7bN9l4QPlZqJZwlECY9pbmZ3XG8oxyH +OLcpSKwBGnvXmUKmjwIhhFdcWv8s0nvn03al72GqtOxyKdwjQZzvJEIv5FApR++Y +57gmc5wYsH/ECBzYTGxfEPTt+wU7rJp28JxVs6c0GMXG8fXclyFi3x2oyBelX6rN +KmwTU9uivN/ar5pHRUNshc8ElZBbMjZc9npmiUKSNwW6kcA7DumFdZefe1OCgTQS +6p2cYPYCZS3xvsi7rhdKFzKrpibPQz+vvBOcapJHgH/0pLdRA3aFq5gNKHbhJJVo +pzFxsB4cJ0vMnIwrQM55m0Xlh5d3LeiZQf9BSg8ZUVqTGaGdHCpfDgWLzpNEqhO+ +plFSDQ6JMqAi3st4iaJUt1l/lrJ5DWFJ5GYmNy8FWeQ4NOA9Vjq94LkCDQRbGoF9 +ARAArSYEZko1GKSB1H+7cnLrqKeVovnWqczuSNl1cIBwYlCOPhG5Uzm7bxHVWhqL +AZ8Fmv4BkKQ5Q/GXUwQvI5GhYVrPQru0wd5Uq3J3NiDUPV+QtGtKDixtqJAkpmJt +vfopRzyIEjGeepTSzxaJzvxGSIZNY4HfZzdaOK5W83c9w0f3OP6Stj/dFtw7I1tW +ar5nz98+FyzkncD6Igr0ZxONMBo/+1LCbfa5l+zAPtOgTIhSqVgxbjwRGHq6RtH/ +dmapx7I6ntMqKVWQC1tuiuwrZjC23yU72QY0Bn1An0bMI/IKZzHAIj0VTpq99+x7 +pAuTb5gJ+Bv2gXJuXaBVXGxmlmv24VU9w5YhAcmIuD+xphAnUy/ojzHC/Z+tOlEJ +blQ4iDOWo6Ed8wFPJx8anKZBDfIBRSnBqsDwszAp1OAtMLoxH8byFGlE61YuiUvE +6miikGL2HxSljZYy65t5ev6ZL4KBr4Qc704ORCz+TB844jakg7m52aR1L51e0HCs +g+bQ8vF2oiuePCMx/KYXZzLKgU70bh24nOEjLtb8f25kHhwlUr7Z4Q8LNaswBanX +fAFp+nwXj2gHsOYL9nMAdHtCHiH7dVd8G1bQrsUxgB3DjCDp5OWdRjI8CRxsjIPq +8HsQ5Ee4j0M3dJse3HGi24R6TUBCTvHG9/3IXfbf9dkMQ0sAEQEAAYkCJQQYAQIA +DwUCWxqBfQIbDAUJBaOagAAKCRBJvK5UQ//8NCIZD/0UotJ5uuJddFpKDnHxuM7m +eCVakQHmVHYTzq/B0+e6O/ac6EOteljOTf9Vh5ikGMuMTQg0b3XTC+Z/Z3C9zWYi +VAn6/TC2z+tQ6OfgMC7iBTcirsBpnsCB5UUAMIYCirelr5AecIxdy8oPitlRJa4k +teJnVeqFW6xsmk0i2B4aPkDO4NrYVSxlUe9rMObed851Dq8vb2BuVBqMbQ9NxmS6 +pACO8z1Gbn6ZBXj0Zg0AZnq9y9Ff1+vTmbjON9jwkYVPM9W+Nn3w6s3FvRO/aQcf +ac+p1wJw7o+q9wtfANjiRysM2NL4Gq6qtiDtxFrB/gqN6En7Mc0LYUwMydp1vSPw +ThjoXKGm+f/SgjEIaJo7ChA2uXQ6f2+aD9WVxOX1BvGfUZOofVF99rII/dO0nJbL +68z2pwESeOKKUWX+pPgm9kcEJeyorugfArMHgi9zFDpqWm26UgmlIuMv7iMUiynZ +YHaj724RJ+Bh/vTGbu5409c+R8UJvlhnmdf0gXN1bherzMQDvKEtg7GT8mRN+A4O +yERtOiAqZtDexzYVAYvVtJNiFQjkhvIvuvYcghjhjNzhnErPepnYj4vpRKyrwhmZ 
+MR1sWYuKXcq02CHDAjnloHMrLWMdtZXHsdRAuBtP+56brpns4WoFpPwn1O43DqM5 +SLZfOoNW1VlWexTY9ymjuA== +=G+yU +-----END PGP PUBLIC KEY BLOCK----- + +tag idesai-pub +Tagger: Imran Desai +Date: Mon Aug 26 11:03:41 2019 -0700 + +Desai, Imran GPG public key +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF1kFXIBEACeHCYibXuMWOVYJ6O33q37zu/OinwnXKGVOCGJ6a+95KuZHENv +q3zjMOCoeNdW7jGl5n4BaDlmCEY+rDfPca5Fqz3Y/PTvkyk9mMIh2SCERLyYvwBE +QAQ6OQIFSRF8RyIy9EmTRylX7ms0b86Gx/Jhz9+pnN3+5gRlkbPK5O5Ab6Ei/PlS +f3NLm8+TTR/as6dLq0khS8hhBT1vZphMBT61zICAUxjIV/bDB+EfOB3kiZ6UNtim +cbCU3Lve5L1JLayFBRIw2DnGXZOAwsWn0AdRqxPX0FEWL/lEGFk9j0SrdNsUIwia +hbEheTxXbGZ/hhUMSulxCSWchLP7+i3u8RouUm7Iy4md1xMNy1DPiBKVItvO9nwz +ECp7dm1a4tO9FAtbeSGTa8alqZR6MHD5bMBxoI5gtC+RXZ0/EbuJBZVuM4vld1dO +OkB6L5Q+Ktttq8G6KeWYAOmJ8kZpNR/Qb1HMO8jRMGOPSV5cdmJEsUZp4KeWESjw +QLOH3tH4sU+3mnOifPl2tNjfP3CBpQTFmB+IdpCq1HfxVsKa0Ba2rcwkOHCj2E65 +7RI3Els5wgsnTT5p/oWIVIb1PQQZ8R0f9WoLYPlggUzeg8SKem+nX0ZIgbJPUwVn +f5q70GCMJEKmAGk+8U4TraQ+x/8dbKL1J5R88g48Jj3dqji5EsXVziD7LwARAQAB +tDhEZXNhaSwgSW1yYW4gKGlkZXNhaS1naXRodWItZ3BnKSA8aW1yYW4uZGVzYWlA +aW50ZWwuY29tPokCTgQTAQoAOBYhBGMT5txBqvwxWodgpBSYb2lEsfcrBQJdZBVy +AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBSYb2lEsfcrcaYP/A38JygC +xj7AN5EChMbtJVrK+nNGwRGHFK7uf+XPI4bdFSUdF3CEG5gl7+2lh85z8xzMezGQ +Ozhr9rWVzLxQ2J0HPD1EW1WjkFpo154lhFgdz1fmlTgkXTnX5Zqsv7EEfL4lvXt+ +5uzTwvOMcyLHnD5oiS8gbaVZvrvQHXwMOeLrCniCZboFemYOnCA/sFa+WhhjBGVf +knMgMtnJWjEmJ4TNTO5cU5yK9o0QWAA+PIKt+5aaNXf59kcUsFsnhrWQzBiGV3Tw +Qczj51vyeSoOCpM4Rh5JMET9wfLIeVKsdGbhwe4BqHDC+DxxdO03bevd5FY+5zJ1 +Gr8f43dC1/MaBlV6TjBSTB6eYEyPcA4kDI7E9DRq0tFnhTz1pSu5qUslLS8O04il +vLaoBvDjkUvNJRJS7uY0w08LqZ7sgKi3z9W92NrVE+ra689fwh1mpRN+P2D+sz5w +gWZYMlrBc8udyHDhwQ9Yy0CX8LoOVkN4Ji9gr4xCez0O1W+IqIFA2wT7t1pwyHGC +25E1TkqxhOxKaSZUQNz1iNrTGHKurYhAKG9ECfTEiEVKTEuKn+PcnXRXjpDUaypH +GPoIpTSo5iaZceT/vAxb8xJsdg+OqVaVVe9t1mBPIUHOy6JMx4eZya9GOCI/gi8F +gRmcHctHXEh9GgmYxPxrsZiPyh7CE5L9PewSuQINBF1kFXIBEADHbS4HAqgRqZFK +1i+Df1VdBThASn2N069/YwNuxwP3chPenUNHHcTINbctYmfl9yZPLCmr9UBFOQJl 
+/QyjHH4BnMG94Kwq62qJ0zuYlbq4TkiSeyJhHOOH1MlKbw+UPmsrmTyFKi9/F2uF +ZebqKpOs7CxC1npWIRA1Vt13Lk/HoVJQwPBGBQzazuavc9vXr5ftFA1YraEieSgL +yk5YMb5lXH0CnsjmaVUVXX+GWFLHO/72P8/mK1i9aiu0E7PEIXWzAlVftrsmz/iG +7ktWvptHI08MaOC5ifjwO44uXEaUqET3qX6gHNP5bAJENu4prwSrrl8Clc7J535Q +Byk7wLchR0CxC6kJFlsYos0xU3Rc1C0Sw1xL2iTiRVVxzQYfckVj7j0Ptko36THh +veu7PQm+KLHS55OPYbbfLiiihVjjXZlDzipT5dFzGpJ0lqQit4LzTuqOOhn1qBwQ +hgorSkNXv+shLY3nbG8c0oZXf6Ef5r0qPYQIpSs6MwSQMPy40pEhFri6ZaVjMsIf +TkxlnJnv4EfK/iRFgsHxtboPtf6I3QqMPgEa+pk+KPABHUS8+vOGdUTEmXGnmSIT +TlO9nO2GQBTwWeYJkaQYWdfwpNYDEieGPI8optsqs6jnZGieYgqlsnpb+z9bU7Pa +taEzyINjfWTnpa5BkE/tfApRnHmhvwARAQABiQI2BBgBCgAgFiEEYxPm3EGq/DFa +h2CkFJhvaUSx9ysFAl1kFXICGwwACgkQFJhvaUSx9ys8SBAAlixQR1yOLvuJ3eBp +nEdxqpvh3GLbS83QSVox1uJXZFHfBLl23FACqeiY7WP8+6m/BH2T1TC92MAu6+CO ++12wEXk/IooOHRBy6lsjAFYlgeWOKKPg7WbI8jiyjqIb4THlnhu+61tVOZTTxNYi +iBU8Skc4d8rPi/vAbiQXRKpIUxEziCsruJm1sEMH5AHGB+OAyM6vywfc6ZR5Sk0+ +LP++b7yL1joPgdH934dfgeCMF25JqChk7S4uAbOnICItutLVyEfqLjXZFYjnUuqE +lysOUpiGCTyK7UxL4MhFoblCbZwo/7hZrb82TpJOf9ttKJ/twql1JZhuGH5DTdjc +GbpyRhtemMb/oFEKGem7Ch/cEtjxonmRGzKdaFed2WizXoXL93mytxayUvRO/uVa +9BDOU02/lB0z68NkaaNMeKwiPMh3EyjShMZnBjIn+LtSM2241h9jHq2dy7YA5Avh +Teo8xpCOBxXHVAbWrAUU8WT2b/z8DLxTl926C+YWQouzDZX7AD5xHcuhmNYqqTBO +MVuwsBDdugW1fn7AH1EKXZY2dc7EFSNO+mG4XJqzT+Biq5pumoaT7c/29RqpnM+N +1BYk8ULSMJZ2Pu1DhxeSLti0KHamxt7NAyM7J/NLROLBL28gmqHmro+Qf170HYZc +qvbCulq4dMyalS/ez4xSC00X5wg= +=kpvR +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tpm2.0-tools.changes b/tpm2.0-tools.changes new file mode 100644 index 0000000..bbb638a --- /dev/null +++ b/tpm2.0-tools.changes 
@@ -0,0 +1,1851 @@ +------------------------------------------------------------------- +Wed May 17 14:14:44 UTC 2023 - Alberto Planas Dominguez + +- Disable tests. Some tests randomly fails, maybe dependening on the + OBS worker assigned during the build (not confirmed) + +------------------------------------------------------------------- +Thu Feb 16 14:28:55 UTC 2023 - Alberto Planas Dominguez + +- Update to version 5.5 + + Added: + * tpm2_createek: SM2 EK Support + * misc: SM2 support to internal OSSL format key routines. Fixes + --format flags for conversions. + + Fixed: + * echo_tcti.py: set to use python3 named executable in shebang. +- Drop already merged patches + + fix_bogus_warning.patch + + echo_tcti_call_python3_binary.patch + +------------------------------------------------------------------- +Wed Jan 4 12:56:09 UTC 2023 - Alberto Planas Dominguez + +- Re-disable tests in PPC, PPC64 and S390X and reference issues about + endianness unsafe API + +------------------------------------------------------------------- +Thu Dec 8 12:51:17 UTC 2022 - Alberto Planas Dominguez + +- Update to version 5.4 + + Added: + * tpm2_policyrestart: Added option --cphash to output the cpHash + for the command PM2_CC_PolicyRestart. + * tpm2_policynvwritten: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyNvWritten. + * tpm2_policylocality: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyLocality. + * tpm2_policycountertimer: Added option --cphash to output the + cpHash for the command TPM2_CC_PolicyCounterTimer. + * tpm2_policycommandcode: Added option --cphash to output the + cpHash for the command TPM2_CC_PolicyCommandCode. + * tpm2_policypassword: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyPassword. + * tpm2_policyauthvalue: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyAuthValue. 
+ * tpm2_policyauthorize: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyAuthorize. + * tpm2_print: Support printing serialized ESYS_TR's + * tpm2_create: Add a clarifying message to usage of -c when + TPM2_CreateLoaded is not supported. + * tpm2_getcap: Add support for vendor agnostic + capabilites. Requires tpm2-tss version 4.0 and higher to enable. + * Add a script, check_endorsement_cert.sh, to validate the + endorsement certificate chain. It takes two inputs - A + TPM2B_PUBLIC format EKpublic and a PEM format EKcertificate + specified in that order as arguments. + +- Update to version 5.3 + + Features: + * lib/tpm2_tool.c: add --help=no-man for tpm2 option. Prior to + this change the tool parsed no-man as an unrecognized option and + errored out. Now it lists all the available tool options. + * tpm2_encodeobject: New tool to encode TPM2 object. It takes + public and private portions of an object and encode them in a + combined PEM form called tssprivkey used by tpm2-tss-engine and + other applications. + * Support alternative ECC curves for which default EK templates + exist (NIST_P256, NIST_P384, NIST_P521, and SM2_P256). + * tools/misc/tpm2_checkquote: add sm2 verification of signature. + * crypto: support the TPM2_ECC_SM2_P256 curveID. + * fapi: add new command to enable the use of fapi objects for tpm2 + tools. The new command tss2_gettpm2object was added. With this + command context files which can be used for tpm2 tool commands + can be created. + * Support for sign and verify with sm2 algorithms. + * tools/tpm2_startauthsession: add sym-algorithm argument for + supported symmetric algorithm. + * Attestation (certify, command audit, sessionaudit and quote): + add scheme argument for supported signature schemes. This also + enable support for SM signing. + * tpm2_flushcontext: support all options at a time. Support the + -t/-l/-s options all at once so folks don't have to call it + multiple times. 
+ * tools/tpm2_nvread: add human readable output for NV content + Enable parsing and YAML-style output for the different NV index + types. + * New event types in tpm2_eventlog: + EV_EFI_PLATFORM_FIRMWARE_BLOB2, EV_EFI_HANDOFF_TABLES2, + EV_EFI_VARIABLE_BOOT2 + * VERSION: add version file - Generate the version file with + bootstrap and include in the DIST tarball so endusers can call + autoreconf on a dist tarball which doesn't have git. This + alleviates git describe errors on release tarballs in the + autoreconf case. + * import: support restricted parents - Support a restricted parent + with an aes128cfb symmetric parameter. + * tpm2_load - Added capability to load pem files in + TSS2-Private-Key format for interoperability with + tpm2-tss-engine, tpm2-openssl provider tpm2-pkcs11, and + tpm2-pytss. + * tpm2_print - Added capability to parse out and print the public + portion of a TSS Private Key in the PEM format with the arg + option TSSPRIVKEY_OBJ. + * tpm2_loadexternal: Added support to tpm2_loadexternal for + parsing and loading the public portion of a TSS2 Privkey PEM + file. The path to the PEM file must be specified using the -r + option while skipping the -G option for key type. + * Support added for calculating cpHash, rpHash, sessions for + parameter encryption and auditing in: tpm2_nvwrite, + tpm2_nvcertify, tpm2_nvincrement, tpm2_nvwritelock, + tpm2_nvreadlock, tpm2_nvundefine and tpm2_nvreadpublic. 
+ * Support added for calculating cpHash in: tpm2_clear, + tpm2_dictionarylockout, tpm2_clearcontrol, tpm2_sign, + tpm2_setprimarypolicy, tpm2_setclock, tpm2_rsadecrypt, + tpm2_duplicate, tpm2_clockrateadjust, tpm2_createprimary, + tpm2_quote, tpm2_policysecret, tpm2_policynv, + tpm2_policyauthorizenv, tpm2_import, tpm2_hmac, + tpm2_hierarchycontrol, tpm2_load, tpm2_gettime, + tpm2_evictcontrol, tpm2_encryptdecrypt, tpm2_getpolicydigest, + tpm2_loadexternal, tpm2_commit, tpm2_ecdhkeygen, tpm2_ecdhzgen, + tpm2_ecephemeral, tpm2_geteccparameters, tpm2_flushcontext, + tpm2_pcrallocate, tpm2_pcrevent, tpm2_pcrreset, tpm2_pcrread. + * Support for using tcti=none for cpHash calculations to avoid + invoking checks for active TPM in: tpm2_nvreadpublic, + tpm2_nvundefine, tpm2_nvreadlock, tpm2_nvwritelock, + tpm2_nvincrement, tpm2_nvcertify, tpm2_nvdefine, tpm2_nvwrite. + + Known issue: + * FAPI tools will not work on 32bit user-static qemu on 64bit host + because readdir returns NULL. Follow the issue on + https://gitlab.com/qemu-project/qemu/-/issues/263 + + Bug fixes: + * tools/tpm2_pcrreset.c: fix build errors in 32bit systems. + * Fix tssprivkey formatted PEM generation and load errors on 32 + bit systems. + * CI: Add testing of 32bit systems with multiarch/qemu-user-static + containers. + * tools/tpm2_evictcontrol: fix for calls to Esys_TR_Close on bad + handles. + * tools/tpm2_nvextend: fix for ESYS_TR handle not being used in + calculating the object name. + * tools/tpm2_nvwrite, tools/tpm2_nvread: Policy authorization must + be re-instantiated on each iteration of the read/ write when + size exceeds the allowed operating size + (TPM2_PT_NV_BUFFER_MAX). However, information on the compounded + policies cannot be retrieved from the only policy digest read + from the session and hence the session cannot be + re-instantiated. To avoid this scenario only a single iteration + is allowed when policy authorization is in use. 
+ * Fix argument parsing in tpm2_policylocality to fix an issue + causing almost always to generate PolicyLocality(0). There was a + logical inversion that caused almost any argument (including + invalid ones) to be interpreted as zero, except “zero" would be + interpreted as one. + * test/fapi/fapi-quote-verify.sh Fix check of qualifying + data. Because of a bug in Fapi_VerifyQuote the qualifying data + was not checked correctly. Errors that were not recognized + before occur now. The order of the tests was cleaned up and for + every quote and verify quote now the correct combination of the + qualifying data and quote info containing the nonce is used. + * tpm2_nvdefine: set TPMA_NV_PLATFORMCREATE when authenticating + with the platform hierarchy. + * tools/tpm2_getekcertificate: fixed the url link to + ekop.intel.com. There were two places where the fix was needed: + o In the tool source code where a forward slash was always + appended irrespective of it already being part of the link + specified by the user and + o In the integration test where curl tests the link to the + ekop.intel.com backend. It now requires the full link to + include the base64 encoded ek pub hash. + * tools/tpm2_tool.c: Fix an issue where LOG_WARN is always + displayed Despite setting the 'quiet' flag with -Q. + * fapi: fix usage of parameter pcrLog for tss2_quote. pcrLog is an + optional parameter. If pcrLog is not used as parameter currently + the pcr log is still calculated in Fapi_Quote. To avoid this + calculation a NULL pointer will be passed to Fapi_Quote if the + parameter pcrLog is not passed. So tss2_quote can be executed + for a user which has no access rights to the files with the + system measurements. + * import: fix bug on using scheme wherein if scheme is specified + in the template, the openssl load functions clobber the scheme + value and set it to TPM2_ALG_NULL. + * tools/tpm2_sign and tpm2_verifysignature: fix sm2 sign and + verifysignature bugs : (1.) 
sm2 sign could not get output + signature. (2.) sm2 verify tss format signature failed. + * lib/tpm2.c: added workaround for a system api bug where in the + flush handle is erroneously placed in the handle area instead of + the parameter area. + * nvreadpublic: drop ntoh on attributes The attributes get + marshalled to correct endianess by libmu and don’t need to be + changed again. + * Removing unused '-i' option from tpm2_print + * tpm2_policyor: fix unallocated policy list The TPML_DIGEST + policy list was calloc'd for some reason, however it could just + be statically allocated in the context. The side effect is that + when no options or arguments were given a NPD occured when + checking the count of the policy list. + * tools/tpm2_certify: fix man page for short options and add tests + The short options for the signing-key-auth and + certified-key-auth were swapped. The case fix in the man page + makes it less intuitive but have to go through with the change + so that we don't break any existing scripts. This change does + not affect the long options. Tests have been added to ensure the + functionality. + + CI: + * ci: add ubuntu-22.04. This also requires the min tpm2-tss + version to be at 3.2.0 to support the openSSL major version 3. 
+ * cirrus.yml: update freebsd version to 13.1 + * .ci/download-deps.sh: update tpm2-abrmd dependency version to + 2.4.1 +- Drop 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch + (merged) +- Drop add_missing_shut_down_call_on_cleanup.patch (merged) +- Drop fix_check_of_qualifying_data.patch (merged) +- Add echo_tcti_call_python3_binary.patch (upstreamed) + +------------------------------------------------------------------- +Thu Jul 14 09:49:39 UTC 2022 - Alberto Planas Dominguez + +- Disable tests in some architectures (ppc, ppc64, s390x) + +------------------------------------------------------------------- +Wed Jul 13 11:50:11 UTC 2022 - Alberto Planas Dominguez + +- Add patch to fix leakage of TPM simulator process + add_missing_shut_down_call_on_cleanup.patch +- Add patch to fix fapi-quote-verify[_ecc].sh test + fix_check_of_qualifying_data.patch +- Enable test execution by default + +------------------------------------------------------------------- +Fri Jul 8 07:51:37 UTC 2022 - Alberto Planas Dominguez + +- Add missing dependencies for testing. +- Add patch to properly skip getekcertificate if curl is missing + 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch + +------------------------------------------------------------------- +Thu Jul 7 15:14:37 UTC 2022 - Alberto Planas Dominguez + +- Disable LTO for 5.2, to fix tpm2_makecredential with "-T none" + (bsc#1201291) + +------------------------------------------------------------------- +Wed Dec 8 16:37:28 UTC 2021 - Alberto Planas Dominguez + +- The update to 5.2 fill also jsc#SLE-9515 (4.1) and jsc#SLE-17366 (4.3.0) + +------------------------------------------------------------------- +Mon Nov 29 10:27:08 UTC 2021 - Alberto Planas Dominguez + +- Fix python3-PyYAML requirement +- Move the tests inside a bcond. Disabled by default. 
+ +------------------------------------------------------------------- +Wed Oct 20 08:53:37 UTC 2021 - Alberto Planas Dominguez + +- Update to version 5.2: + + tpm2_nvextend: + * Added option -n, --name to specify the name of the nvindex in + hex bytes. This is used when cpHash ought to be calculated + without dispatching the TPM2_NV_Extend command to the TPM. + + tpm2_nvread: + * Added option --rphash=FILE to specify ile path to record the + hash of the response parameters. This is commonly termed as + rpHash. + * Added option -n, --name to specify the name of the nvindex in + hex bytes. This is used when cpHash ought to be calculated + without dispatching the TPM2_NVRead command to the TPM. + * Added option -S, --session to specify to specify an auxiliary + session for auditing and or encryption/decryption of the + parameters. + + tpm2_nvsetbits: + * Added option --rphash=FILE to specify file path to record the + hash of the response parameters. This is commonly termed as + rpHash. + * Added option -S, --session to specify to specify an auxiliary + session for auditing and or encryption/decryption of the + parameters. + * Added option -n, --name to specify the name of the nvindex in + hex bytes. This is used when cpHash ought to be calculated + without dispatching the TPM2_NV_SetBits command to the TPM. + + tpm2_createprimary: + * Support public-key output at creation time in various public-key + formats. + + tpm2_create: + * Support public-key output at creation time in various public-key + formats. + + tpm2_print: + * Support outputing public key in various public key formats over + the default YAML output. Supports taking -u output from + tpm2_create and converting it to a PEM or DER file format. + + tpm2_import: + * Add support for importing keys with sealed-data-blobs. + + tpm2_rsaencrypt, tpm2_rsadecrypt: + * Add support for specifying the hash algorithm with oaep. 
+ + tpm2_pcrread, tpm2_quote: + * Add option -F, --pcrs_format to specify PCR format selection for + the binary blob in the PCR output file. 'values' will output a + binary blob of the PCR values. 'serialized' will output a binary + blob of the PCR values in the form of serialized data structure + in little endian format. + + tpm2_eventlog: + * Add support for decoding StartupLocality. + * Add support for printing the partition information. + * Add support for reading eventlogs longer than 64kb including + from /sys/kernel/security/tpm0/binary_bios-measurements. + + tpm2_duplicate: + * Add option -L, --policy to specify an authorization policy to be + associated with the duplicated object. + * Added support for external key duplication without needing the + TCTI. + + tools: + * Enhance error message on invalid passwords when sessions cannot + be used. + + lib/tpm2_options: + * Add option to specify fake tcti which is required in cases where + sapi ctx is required to be initialized for retrieving command + parameters without invoking the tcti to talk to the TPM. + + openssl: + * Dropped support for OpenSSL < 1.1.0 + * Add support for OpenSSL 3.0.0 + + Support added to make the repository documentation and man pages + available live on readthedocs. + + Bug-fixes: + * tpm2_import: Don't allow setting passwords for imported object + with -p option as the tool doesn't modify the TPM2B_SENSITIVE + structure. Added appropriate logging to indicate using + tpm2_changeauth after import. + * lib/tpm2_util.c: The function to calculate pHash algorithm + returned error when input session is a password session and the + only session in the command. + * lib/tpm2_alg_util.c: Fix an error where oaep was parsed under + ECC. + * tpm2_sign: Fix segfaults when tool does not find TPM resources + (TPM or RM). + * tpm2_makecredential: Fix an issue where reading input from stdin + could result in unsupported data size larger than the largest + digest size. 
+ * tpm2_loadexternal: Fix an issue where restricted attribute could + not be set. + * lib/tpm2_nv_util.h: The NV index size is dependent on different + data sets read from the GetCapability structures because there + is a dependency on the NV operation type: Define vs Read vs + Write vs Extend. Fix a sane default in the case where + GetCapability fails or fails to report the specific property/ + data set. This is especially true because some properties are + TPM implementation dependent. + * tpm2_createpolicy: Fix an issue where tool exited silently + without reporting an error if wrong pcr string is specified. + * lib/tpm2_alg_util: add error message on public init to prevent + tools from dying silently, add an error message. + * tpm2_import: fix an issue where an imported hmac object scheme + was NULL. While allowed, it was inconsistent with other tools + like tpm2_create which set the scheme as hmac->sha256 when + generating a keyedhash object. + +- Drop patches already in upstream: + + 0001-tpm2_checkquote-fix-uninitialized-variable.patch + + 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch + + 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch + +------------------------------------------------------------------- +Thu Jul 29 14:15:11 UTC 2021 - Alberto Planas Dominguez + +- Add 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch to +fix the offset of the read buffer + +------------------------------------------------------------------- +Thu Jul 8 09:07:05 UTC 2021 - Matthias Gerstner + +- prepare running the test suite via %check, but leave it commented out, + because it is broken due to LTO linking. + +------------------------------------------------------------------- +Mon Jun 28 09:09:46 UTC 2021 - Fabian Vogt + +- update to version 5.1.1: + - tpm2_import: fix fixed AES key CVE-2021-3565 + - tpm2_import used a fixed AES key for the inner wrapper, which means that + a MITM attack would be able to unwrap the imported key. 
To fix this, + ensure the key size is 16 bytes or bigger and use OpenSSL to generate a + secure random AES key. +- Avoid pandoc build dependency, use prebuilt man pages everywhere +- Drop 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch, now upstream +- Drop _service, unused +- Drop unused unzip build dependency +- Drop autoreconfigure call, no longer necessary +- Use %autosetup +- Verify tarball signature +- Build against efivar +- Drop %check section, tests weren't built, so that was a noop + +------------------------------------------------------------------- +Fri Jun 18 14:44:25 UTC 2021 - Alberto Planas Dominguez + +- Add 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch to fix the + tpm2_eventlog command (boo#1187360) + +------------------------------------------------------------------- +Thu Jun 17 09:26:42 UTC 2021 - Alberto Planas Dominguez + +- Add 0001-tpm2_checkquote-fix-uninitialized-variable.patch for a better + fix of boo#1187316 +- Re-enable lto + +------------------------------------------------------------------- +Tue Jun 15 09:36:37 UTC 2021 - Alberto Planas Dominguez + +- Disable lto to fix tpm2_checkquote error (boo#1187316) +- Update service file to point to the correct revision + +------------------------------------------------------------------- +Mon Jun 7 12:50:22 UTC 2021 - Dominique Leuenberger + +- Do not BuildRequire pandoc on ix86 architectures: the haskell + stack is not supported on intel 32bit archs. + +------------------------------------------------------------------- +Fri May 28 10:24:21 UTC 2021 - Matthias Gerstner + +- add 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch: no longer use a + fixed AES key in the context of the tpm2_import command. Fixes CVE-2021-3565 + (bsc#1186490). 
+- drop fix_pie_linking.patch: now contained in upstream tarball +- drop fix_warnings.patch: now contained in upstream tarball +- update to upstream version 5.1: + - Minimum tpm2-tss version dependency bumped to 3.1.0 + - Minimum tpm2-abrmd version dependency bumped to 2.4.0 + - tss2: + - Support in tools for PolicyRef inclusion in policy search per latest TSS. + - Support to use TPM objects protected by a policy with PolicySigned. + - Enable backward compatibility to old Fapi callback API. + - Fix PCR selection for tss2 quote. + - Support policy signed policies by implementing Fapi_SetSignCB. + - Command/ response parameter support for auditing and pHash policies: + - lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash + - Add support to calculate rphash for tpm2_create, tpm2_activatecredential, + tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, + tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal + - Add support to calculate cphash for tpm2_changeeps, tpm2_changepps. + - Session-support: + - tpm2_sessionconfig: Add tool to display and configure session attributes. + - tpm2_getrandom: Fix— session input was hardcoded for audit-only + - tpm2_startauthsession: Add option to specify the bind object and its + authorization value. + - tpm2_startauthsession: support for bounded-only session. + - tpm2_startauthsession: support for salted-only session. + - tpm2_startauthsession: add option to specify an hmac session type. + - Add support for specifying non-authorization sessions for audit and + parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend, + tpm2_nvdefine, tpm2_unseal, tpm2_activatecredential, tpm2_certify, + tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps. + - tpm2_eventlog: + - Support for event type: EV_IPL extensively used by the Shim and Grub. + - Support for event type: EV_EFI_GPT_EVENT to parse. + UEFI_PARTITION_TABLE_HEADER and UEFI_PARTITION_ENTRY. 
+ - Support for event type: EFI_SIGNATURE_LIST, which contains one or more + EFI_SIGNATURE_DATA. + - Support for event type EV_EFI_VARIABLE_AUTHORITY. + - Parse UEFI_PLATFORM_FIRMWARE_BLOB structure that the CRTM MUST put into + the Event Log entry TCG_PCR_EVENT2.event field for event types + EV_POST_CODE, EV_S_CRTM_CONTENTS, and EV_EFI_PLATFORM_FIRMWARE_BLOB. + - Parse secureboot variable to indicate enable as 'Yes'. + - Parse BootOrder variable to a more readable format. + - Parse Boot variables per EFI_LOAD_OPTION described in more details in + UEFI Spec Section 3.1.3 + - Parse Device-path in a readable format using the efivar library. + - Support for logs longer than 64 kilobytes. + - Perform verification for event types where digest can be verified from + their event payload. + - Better support for multiline strings. + - Fix handling of event log EV_POST_CODE data where field is empty and len + is specified. + - scripts/utils: Add a utility to read the cert chain of embedded CA. + - tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP + 404. + - tpm2_nvdefine: allow setting hash algorithm by command line parameter for NV + indices set in extend mode. + - tpm2_duplicate, tpm2_import: support duplicating non-TPM keys to a remote + TPM without first requiring them to be loaded to a local TPM. + - tpm2_dictionarylockout: Fix issue where setting value for one parameter + caused to reset the others. + - tpm2_getpolicydigest: Add new tool to enable TPM2_CC_PolicyGetDigest. + - Fix segfault where optind > argc. + - tools/tpm2_checkquote: fix missing initializer + - tpm2_convert: fix EVP_EncodeUpdate usage for OSSL < 1.1.0 + - openssl: fix EVP_ENCODE_CTX_(new|free) + - test: Add support for swTPM simulator to the testing framework and make it + the default if mssim isn't available. + - tpm2_unseal: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. 
+ - tpm2_nvextend: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - tpm2_nvdefine: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - tpm2_changepps: + - Added option **\--cphash**=_FILE_ to specify ile path to record the hash + of the command parameters. This is commonly termed as cpHash. + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_changeeps: + - Added option **\--cphash**=_FILE_ to specify ile path to record the hash + of the command parameters. This is commonly termed as cpHash. + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_changeauth: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_certifycreation: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_certify: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. 
+ - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_activatecredential: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_create: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - tpm2_unseal: + - Added option **-S**, **--session** to specify auxiliary sessions for + audit and encryption. + - tpm2_nvdefine: + - Added option **-S**, **--session** to specify auxiliary sessions for + audit and encryption. + - tpm2_nvextend: + - Added option **-S**, **--session** to specify auxilary sessions for + audit and encryption. + +------------------------------------------------------------------- +Tue May 4 08:55:06 UTC 2021 - Matthias Gerstner + +- fix `--version` output of tools. Since now autoreconf is called and + configure.ac attempts to fetch the version from git (which we don't have + during building), the version was empty. Fix this by replacing the git + invocation in configure.ac. + +------------------------------------------------------------------- +Thu Jan 28 09:49:06 UTC 2021 - Matthias Gerstner + +- add fix_warnings.patch: fixes a couple of build errors resulting from LTO + linking and -Werror. +- add fix_pie_linking.patch: fixes an error in the build system that causes + the tss2 binary to be linked without passed LDFLAGS (like -pie), which + causes the binary not to be position independent. +- update to major version 5.0: + - Non Backwards Compatible Changes + * Default hash algorithm is now sha256. Prior versions claimed sha1, but were + inconsistent in choice. 
Best practice is to specify the hash algorithm to + avoid surprises. + + * tpm2_tools and tss2_tools are now a busybox style commandlet. Ie + tpm2_getrandom becomes tpm2 getrandom. make install will install symlinks + to the old tool names and the tpm2 commandlet will interrogate argv[0] for + the command to run. This will provide backwards compatibility if they are + installed. If you wish to use the old names not installed system wide, set + DESTDIR during install to a separate path and set the proper directory on + PATH. + + * tpm2_eventlog's output changed to be YAML compliant. The output before + was intended to be YAML compliant but was never properly checked and + tested. + + * umask set to 0117 for all tools. + + * tpm2_getekcertificate now outputs the INTC EK certificates in PEM format + by default. In order to output the URL safe variant of base64 encoded + output of the INTC EK certificate use the added option --raw. + + - Dependency update + * Update tpm2-tss dependency version to 3.0.1 + + * Update tpm2-abrmd dependency version to 2.3.3 + + - New tools and features + * tpm2_zgen2phase: Add new tool to support command TPM2_CC_ZGen_2Phase. + * tpm2_ecdhzgen: Add new tool to support command TPM2_CC_ECDH_ZGen. + * tpm2_ecdhkeygen: Add new tool to support command TPM2_CC_ECDH_KeyGen. + * tpm2_commit: Add new tool to support command TPM2_CC_Commit. + * tpm2_ecephemeral: Add new tool to support command TPM2_CC_EC_Ephemeral. + * tpm2_geteccparameters: Add new tool to support command TPM2_CC_ECC_Parameters. + * tpm2_setcommandauditstatus: Added new tool to support command TPM2_CC_SetCommandCodeAuditStatus. + * tpm2_getcommandauditstatus: Added new tool to support command TPM2_CC_GetCommandAuditDigest. + * tpm2_getsessionauditdigest: Added new tool to support command TPM2_CC_GetSessionAuditDigest. + * tpm2_certifyX509certutil: Added new tool for creating partial x509 certificates required to support + the TPM2_CC_CertifyX509 command. 
+ * tpm2_policysigned: + Added option --cphash-input to specify the command parameter hash + (cpHashA), enforcing the TPM command to be authorized as well as its + handle and parameter values. + * tpm2_createprimary: + Added option to specify the unique data from the stdin by adding + provision for specifying the option value for unique file as -. + * tpm2_startauthsession: + Added new feature/option --audit-session to start an HMAC session to + be used as an audit session. + * tpm2_getrandom: + - Added new feature/option -S, --session to specify a HMAC session + to be used as an audit session. This adds support for auditing the + command using an audit session. + - Added new feature/option --rphash to specify file path to record the + hash of the response parameters. This is commonly termed as rpHash. + - Added new feature/option --cphash to specify a file path to record + the hash of the command parameters. This is commonly termed as cpHash. + NOTE: In absence of --rphash option, when this option is selected, + The tool will not actually execute the command, it simply returns a + cpHash. + * tpm2_getcap: tpm2_getcap was missing raw on a property TPM2_PT_REVISION, + and it should always be specified. + * tpm2_sign: + - Add option --commit-index to specify the commit index to use when + performing an ECDAA signature. + - Add support for ECDAA signature. + * tpm2_getekcertificate: + - Add option --raw to output EK certificate in URL safe variant base64 + encoded format. By default it outputs a PEM formatted certificate. + - The tool can now output INTC and non INTC EK certificates from NV + indices specified by the TCG EK profile specification. + * tpm2_activatecredential: + - The secret data input can now be specified as stdin with -s option. + - The public key used for encryption can be specified as -u to make it + similar to rest of the tools specifying a public key. The old -e + option is retained for backwards compatibility. 
+ - Add option to specify the key algorithm when the input public key is in + PEM format using the new option -G, --key-algorithm. Can specify + either RSA/ECC. When this option is used, input public key is expected + to be in PEM format and the default TCG EK template is used for the key + properties. + * tpm2_checkqoute: + - Add EC support. + - Support loading tss signatures. + - Support loading tpm2 pcrread PCR values by specifying the PCR + selection using the new option -l, --pcr-list. + - Added support for automatically detecting the signature format. With + this -F, --format option is retained for backwards compatibility but + it is deprecated. + * tpm2_createak: add option to output qualified name with new option + -q, --ak-qualified-name. + * tpm2_policypcr: Add option for specifying cumulative hash of PCR's as an argument. + * tpm2_readpublic: Add option to output qualified name using the new option + -q, --qualified-name. + * tpm2_print: + - Support printing TPM2B_PUBLIC data structures. + - Support printing TPMT_PUBLIC data structures. + * tpm2_send: Add support for handling sending and receiving command and + response buffer for multiple commands. + * tpm2_verifysignature: Added support for verifying RSA-PSS signatures. + * tpm2_eventlog: + - Add handling of sha1 log format. + - Add fixes for eventlog output to be proper YAML. + - Add support for sha384, sha512, sm3_256 PCR hash algorithms. + - Add support for computing PCR values based on the events. + * tpm2_tools (all): + - Set stdin/stdout to non-buffering. + - Added changes for FreeBSD portability. + + - Bug fixes + + * Fix printing short options when no ascii character is used. + + * OpenSSL: Fix deprecated OpenSSL functions. ECC Functions with suffix + GFp will become deprecated (DEPRECATED_1_2_0). + + * tpm2_eventlog: output EV_POST_CODE as string not firmware blob to be + compliant with TCG PC Client FPF section 2.3.4.1 and 9.4.12.3.4.1 + + * Fix missing handle maps for ESY3 handle breaks. 
See #1994. + + * tpm2_rsaencrypt: fix OAEP RSA encryption failing to invalid hash selection. + + * tpm2_rsadecrypt: fix OAEP RSA decryption failing to invalid hash selection. + + * tpm2_sign: fix for signing failures with restricted signing keys when + input data to sign is not a digest, rather the full message. The + validation ticket creation process defaults to the owner hierarchy and + so in order to choose other hierarchies the tpm2_hash tool should be + used instead. + + * tpm2_print: fix segfault when -t option is omitted by appropriately + warning of the required option. + + * tpm2_nvdefine: fix for default size when size is not specified by + invoking TPM2_CC_GetCapability. + + * Fix for an issue where the return code for unsupported algorithms was + tool_rc_general instead of tool_rc_unsupported in tpm2_create and + tpm2_createprimary tools. + + * Fix for an issue where RSA_PSS signature verification caused failures. + + * tpm2_nvreadpublic, tpm2_kdfa, tpm2_checkquote, tpm2_quote: + Fixes for issues with interoperability of the attestation tools between + big and little endian platforms. + + * tss2_*: + - Fix bash-completion for tss2_pcrextend and tss2_verifysignature + - Add force option to tss2_list + - Make force option consistent in all fapi tools + - Do not decode non-TPM errors + - Enhance integration tests to test changes of optional/mandatory parameters + - Add --hex parameter to tss2_getrandom + - Fix autocompletion issue + - Switch tss2_* to with-"="-style + - Add size parameter to tss2_createseal + - References to the cryptographic profile (fapi-profile(5)) and config file + - (fapi-config(5)) man pages from all relevant tss2_* man pages. + - Fix policy branch selection menu item from 1 to 0. + - Documentation + * wiki pages have been removed and data has been migrated to + tpm2-software.github.io portal's tutorial section. + + * Fix the problem with man and no-man help output for tools were not + correctly displayed. 
+ + * man: + + - tpm2_create: Correct max seal data size from 256 bytes to 128 bytes. + + - tpm2_nvread: Fix manpage example. + + - tpm2_nvwrite: Added missing information on how to specify the NV index as + an argument. + + - tpm2_unseal: Add end-to-end example. + + - tpm2_nvincrement: Fix incorrect commands in example section. + + - tpm2_hmac: Fix the example section. + +------------------------------------------------------------------- +Thu Oct 22 11:58:16 UTC 2020 - Matthias Gerstner + +- update to version 4.3: + - changes in version 4.3: + - tss2_*: Fix double-free errors in commands asking for password authorization + - tss2_*: Fix shorthand command -f that was falsely requiring an argument + - tss2_*: Update tss2_encrypt to the new FAPI interface + - The argument 'policyPath' is removed which was never read anyway + - tss2_*: Remove the additional '\n' that was appended when redirecting to stdout + - tss2_*: Update mandatory vs optional treatment of arguments according to latest Fapi spec + - tss2_*: tss2_getinfo now retrieves the correct FAPI version from Fapi_GetInfo + - tss2_*: Fix the error handling in case of multiple inputs and/or outputs from stdin/stdout + - tss2_*: Fix syntax errors and update content of man pages according to latest Fapi spec + - tss2_*: Add parameter types to all man page + - tss2_*: tss2_setappdata now reads from file or stdin allowing to store also binary data + - tss2_*: Memory leaks are fixed in cases when a returned empty non-char output value was passed to file output + - tss2_pcrextend: fix extending PCR 0 + - tss2_quote: fix unused TSS2_RC in LOG_ERR + - changes in 4.2.1: + - Fix missing handle maps for ESY3 handle breaks. See #1994. + - Bump ESYS minimum dependency version from 2.3.0 to 2.4.0. + - Fix for loop declarations build error. + - changes in 4.2: + - Fix various issues reported by static analysis tools. + - Add integration test for ECC based getekcertificate. 
+ - Fix for issue #1959 where ARM builds were failing. + - Add a check in autotools to add "expect" as a package dependency for fapi tools. + - tpm2_createek: Drop the unused -p or --ek-auth option + - tpm2_policyor: List of policy files should be specified as an argument + - instead of -l option. The -l option is still retained for backwards + - compatibility. See issue#1894. + - tpm2_eventlog: add a tool for parsing and displaying the event log. + - tpm2_createek: Fix an issue where the template option looked for args + - tpm2_hierarchycontrol: Fixed bug where tool operation failed silently + - tpm2_nvdefine: Fixed an issue where text output suggested failures as passes + - tpm2_certify: Add an example usage in man page + - tpm2_policyor: Fix a bug where tool failed silently when no input were given + - tpm2_getekcertificate: Intel (R) PTT EK cert web portal is set as default address + - tpm2_alg_util.c: Fix a bug where string rsa3072 was not parsed + - .ci/download-deps.sh: Change tss dependency to 2.4.0 to acquire SAPI handles for cpHash calculations + - tpm2_policycphash: Add a tool to implement enhanced authorization with cpHash of a command + - Add options to tools to enable cpHash outputs: tpm2_nvsetbits, tpm2_nvextend, + tpm2_nvincrement, tpm2_nvread, tpm2_nvreadlock, tpm2_writelock, tpm2_nvdefine, + tpm2_nvundefine, tpm2_nvcertify, tpm2_policynv, tpm2_policyauthorizenv, + tpm2_policysecret, tpm2_create, tpm2_load, tpm2_activatecredential, tpm2_unseal, + tpm2_changeauth, tpm2_duplicate, tpm2_import, tpm2_rsadecrypt, tpm2_certify, + tpm2_certifycreation, tpm2_hierarchycontrol, tpm2_setprimarypolicy, tpm2_clearcontrol, + tpm2_dictionarylockout, tpm2_evictcontrol, tpm2_setclock, tpm2_clockrateadjust, + tpm2_clear, tpm2_nvwrite, tpm2_encryptdecrypt, tpm2_hmac. 
+ - tpm2_import: Fix an issue where the imported key always required to have a policy + - tpm2_policysecret: Fix an issue where authorization model was fixed to password only + - Feature API (FAPI) tools added. These additional set of tools implement utilities + - using the FAPI which was added to the tpm2-tss v2.4.4: + tss2_decrypt, tss2_encrypt, tss2_list, tss2_changeauth, tss2_delete, + tss2_import, tss2_getinfo, tss2_createkey, tss2_createseal, tss2_exportkey, + tss2_getcertificate, tss2_getplatformcertificates, tss2_gettpmblobs, + tss2_getappdata, tss2_setappdata, tss2_setcertificate, tss2_sign, + tss2_verifysignature, tss2_verifyquote, tss2_createnv, tss2_nvextend, + tss2_nvincrement, tss2_nvread, tss2_nvsetbits, tss2_nvwrite, + tss2_getdescription, tss2_setdescription, tss2_pcrextend, tss2_quote, + tss2_pcrread, tss2_authorizepolicy, tss2_exportpolicy, tss2_import, + tss2_provision, tss2_getrandom, tss2_unseal, tss2_writeauthorizenv + - tpm2_policycountertimer: Fix an issue where operandB array was reversed causing faulty comparisons. + - changes in 4.1.1: + - tpm2_certify: Fix output of attestation data including size field. Now outputs just bytes. + - tpm2_certifycreation: Fix tool to match manpage where the code had the -C and -c options reversed. + - tpm2_gettime: Fix output of attestation data including size field. Now outputs just bytes. + - tpm2_nvcertify: Fix output of attestation data including size field. Now outputs just bytes. + - tpm2_nvreadpublic: add name hash output. + - tpm2_import: Support object policies when importing raw key material. + - Fix overflow in pcrs.h where sizeof() was used instead of ARRAY_LEN(). + - build: + - Fix compilation issue: lib/tpm2_hash.c:17:19: note: 'left' was declared here. + - man: + - Fix manpage examples that have "sha" instead of "sha1" + - tpm2_shutdown manpage was missing, add it to build. + - Fix manpage example for tpm2_createak's tpm2_evictcontrol example. 
+- Remove fix_bad_bufsize.patch: is now contained in upstream tarball +- Adjust fix_bogus_warning.patch: one hunk no longer applies, upstream code + changed. + +------------------------------------------------------------------- +Wed Dec 11 13:29:12 UTC 2019 - matthias.gerstner@suse.com + +- add fix_bad_bufsize.patch: fixes findings from compile time fread() checks + that indicate bad buffer size specification. +- add fix_bogus_warning.patch: fixes `maybe-unitialized` warnings that are + bogus, since the variables in questions will be initialized in any case + later on. + +------------------------------------------------------------------- +Wed Dec 11 12:35:52 UTC 2019 - matthias.gerstner@suse.com + +- update to major version 4.1: + - changes in version 4.1: + * tpm2_certifycreation: New tool enabling command TPM2_CertifyCreation. + + * tpm2_checkquote: + - Fix YAML output bug. + - -g option for specifying hash algorithm is optional and defaults to + sha256. + + * tpm2_changeeps: A new tool for changing the Endorsement hierarchy + primary seed. + + * tpm2_changepps: A new tool for changing the Platform hierarchy primary seed. + + * tpm2_clockrateadjust: Add a new tool for modifying the period on the TPM. + + * tpm2_create: Add tool options for specifying output data for use in + certification + - --creation-data to save the creation data + - --creation-ticket or -t to save the creation ticket + - --creation-hash or -d to save the creation hash + - --template-data for saving the template data of the key + - --outside-info or -q for specifying unique data to include in creation data. + - --pcr-list or -l Add option to specify pcr list to add to creation data. 
+ + * tpm2_createprimary: Add tool options for specifying output data for use + in certification + - --creation-data to save the creation data + - --creation-ticket or -t to save the creation ticket + - --creation-hash or -d to save the creation hash + - --template-data for saving the template data of the key + - --outside-info or -q for specifying unique data to include in creation data. + - --pcr-list or -l Add option to specify pcr list to add to creation data. + + * tpm2_evictcontrol: + - Fix bug in automatic persistent handle selection when + hierarchy is platform. + - Fix bug in YAML key action where action was wrong when using ESYS_TR. + + * tpm2_getcap: clean up remanenats of -c option in manpages and tool output. + + * tpm2_gettime: Add a new tool for retrieving a signed timestamp from a TPM. + + * tpm2_nvcertify: Add a new tool for certifying the contents of an NV index. + + * tpm2_nvdefine: + - Support default set of attributes so -a is not mandatory. + - Support searching for free index if an index isn't specified. + + * tpm2_nvextend: Add a new tool for extending an NV index similair to a PCR. + + * tpm2_nvreadpublic: + - Support specifying nv index to read public data from as argument. + + * tpm2_nvsetbits: Add a new tool for setting the values of PCR with type + "bits". + + * tpm2_nvundefine: Add support for deleting NV indices with attribute + `TPMA_NV_POLICY_DELETE` set using NV Undefine Special command. + + * tpm2_nvwritelock: Add a new tool for setting a write lock on an NV index + or globally locking nv indices with TPMA_NV_GLOBALLOCK. + + * tpm2_policyauthorizenv: New tool enabling signed, revocable policies. + + * tpm2_policyauthvalue: New tool enabling authorization to be bound to the + authorization of another object. + + * tpm2_policycountertimer: Add a new tool for enabling policy bound to TPM + clock or timer values. + + * tpm2_policynamehash: Add a new tool for specifying policy based on object + name. 
+ + * tpm2_policynv: Add a new tool for specifying policy based on NV contents. + + * tpm2_nvwritten: Add a new tool for specifying policy based on whether or not + an NV index was written to. + + * tpm2_policysecret: Add tool options for specifying + - --expiration or -t + - --ticket + - --timeout + - --nonce-tpm or -x + - --qualification or -q + + * tpm2_policysigned: New tool enabling policy command TPM2_PolicySigned. + + * tpm2_policytemplate: New tool enabling policy command TPM2_PolicyTemplate. + + * tpm2_policyticket: New tool enabling policy command TPM2_PolicyTicket. + + * tpm2_readclock: Add a new tool for reading the TPM clock. + + * tpm2_setclock: Add a new tool for setting the TPM clock. + + * tpm2_setprimarypolicy: New tool setting policy on hierarchies. + + * tpm2_shutdown: Add a new tool for issuing a TPM shutdown command. + + * misc: + - Support "tpmt" as a public key output format that only saves the TPMT + structure. + - Qualifying data or extra data in many tools can be hex array string or + binary file. + - Add support for specifying NV index type when specifying NV attributes. + - Support added for tools to run on FreeBSD. + - Skip and notify of action that man pages will not install if the package + pandoc is missing. + - Fix precedence issue with bitwise operator order int tpm2_getcap + - travis: bump abrmd version 2.3.0 + - tpm2_util.c: Fix an issue int variable size was checked against uint + - pcr.c: Fix buffer length issue to support all defined hash algorithm + + - changes in version 4.0.1: + + * tpm2_checkquote: Fix YAML output bug. + + - changes in version 4.0: + + * tpm2_activatecredential: + - --context is now --credentialedkey-context. + - --key-context is now --credentialkey-context. + - --Password is now --credentialedkey-auth. + - --endorse-passwd is now --credentialkey-auth. + - --in-file is now --credential-secret. + - --out-file is now --certinfo-data. + - -f becomes -i. + - -k becomes -C. + - -e becomes -E. 
+
+ * tpm2_certify:
+ - --halg is now --hash-algorithm.
+ - --obj-context is now --certifiedkey-context.
+ - --key-context is now --signingkey-context.
+ - --pwdo is now --certifiedkey-auth.
+ - --pwdk is now --signingkey-auth.
+ - -a becomes -o.
+ - -k becomes -p.
+ - -c becomes -C.
+ - -k becomes -K.
+
+ * tpm2_changeauth:
+ - New tool for changing the authorization values of:
+ - Hierarchies
+ - NV
+ - Objects
+ - Replaces tpm2_takeownership with more generic functionality.
+
+ * tpm2_checkquote:
+ - --halg is now --hash-algorithm.
+ - --pcr-input-file is now --pcr.
+ - --pubfile is now --public.
+ - --qualify-data is now --qualification.
+ - -f becomes -F.
+ - -F becomes -f.
+ - -G becomes -g.
+
+ * tpm2_clear:
+ - --lockout-passwd is now --auth-lockout.
+
+ * tpm2_clearcontrol:
+ - New tool for enabling or disabling tpm2_clear commands.
+
+ * tpm2_create
+ - --object-attributes is now --attributes.
+ - --pwdp is now --parent-auth.
+ - --pwdo is now --key-auth.
+ - --in-file is now --sealing-input.
+ - --policy-file is now --policy.
+ - --pubfile is now --public.
+ - --privfile is now --private.
+ - --out-context is now --key-context.
+ - --halg is now --hash-algorithm.
+ - --kalg is now --key-algorithm.
+ - -o becomes -c.
+ - -K becomes -p.
+ - -A becomes -b.
+ - -I becomes -i.
+ - -g becomes an optional option.
+ - -G becomes an optional option.
+ - Supports TPM command CreateLoaded via -c.
+
+ * tpm2_createak:
+ - Renamed from tpm2_getpubak
+
+ * tpm2_createek:
+ - renamed from tpm2_getpubek
+
+ * tpm2_createpolicy:
+ - --out-policy-file is now --policy.
+ - --policy-digest-alg is now --policy-algorithm.
+ - --auth-policy-session is now --policy-session.
+ - -L becomes -l.
+ - -F becomes -f.
+ - -f becomes -o.
+ - Removed option --set-list with short option -L.
+ - Removed option --pcr-input-file with short option -F.
+ - Pcr policy options replaced with pcr password mini language.
+ - Removed short option a for specifying auth session. Use long option --policy-session.
+ - Removed short option -P for specifying pcr policy. Use long option --policy-pcr.
+
+ * tpm2_createprimary:
+ - --object-attributes is now --attributes.
+ - -o is now -c
+ - --pwdp is now --hierarchy-auth.
+ - --pwdk is now --key-auth.
+ - --halg is now --hash-algorithm.
+ - --kalg is now --key-algorithm.
+ - --context-object is now --key-context.
+ - --policy-file is now --policy.
+ - support for unique field when creating objects via -u
+ - saves a context file for the generated primary's handle to disk via -c.
+ - -A becomes -a.
+ - -K becomes -p.
+ - -H becomes -C.
+ - -g becomes optional.
+ - -G becomes optional.
+
+ * tpm2_dictionarylockout:
+ - --lockout-passwd is now --auth.
+ - -P becomes -p.
+
+ * tpm2_duplicate:
+ - New tool for duplicating TPM objects.
+
+ * tpm2_encryptdecrypt:
+ - --pwdk is now --auth.
+ - --out-file is now --output.
+ - -D becomes -d.
+ - -I becomes an argument.
+ - -P becomes -p.
+ - Support IVs via -t or --iv.
+ - Support modes via -G.
+ - Support padding via -e or --pad.
+ - Supports input and output to stdin and stdout respectively.
+
+ * tpm2_evictcontrol:
+ - --auth is now --hierarchy.
+ - --context is now --object-context.
+ - --pwda is now --auth.
+ - --persistent with short option -S is now an argument.
+ - -A becomes -C.
+ - Added option --output -o to serialize handle to disk.
+ - Removed option --handle with short option -H.
+ - Raw object-handles and object-contexts are commonly handled with object
+ handling logic.
+ - Removed option --input-session-handle with short option -i.
+ - Authorization session is now part of password mini language.
+
+ * tpm2_getcap:
+ - -c becomes an argument.
+ - Most instances of value replaced with raw in YAML output.
+ - TPM2_PT_MANUFACTURER displays string value and raw value.
+ - Supports --pcr option for listing hash algorithms and bank numbers.
+
+ * tpm2_getekcertificate:
+ - Renamed from tpm2_getmanufec
+
+ * tpm2_getmanufec:
+ - Renamed the tool to tpm2_getekcertificate.
+ - Removed ek key creation and management logic.
+ - Added option for getting ek cert for offline platform via -x.
+ - Support for ECC keys.
+ - --ec-cert is now --ek-certificate,
+ - --untrusted is now --allow-unverified,
+ - --output is now --ek-public,
+ - -U is now -X.
+ - -O is now -x.
+ - -f becomes -o.
+ - Removed option -P or --endorse-passwd.
+ - Removed option -p or --ek-passwd.
+ - Removed option -w or --owner-passwd.
+ - Removed option -H or --persistent-handle.
+ - Removed option -G or --key-algorithm.
+ - Removed option -N or --non-persistent.
+ - Removed option -O or --offline.
+
+ * tpm2_getpubak:
+ - renamed to tpm2_createak.
+ - -f becomes -p and -f is used for format of public key output.
+ - --auth-endorse is now --eh-auth.
+ - --auth-ak is now --ak-auth.
+ - --halg is now --hash-algorithm.
+ - --kalg is now --key-algorithm.
+ - -e becomes -P.
+ - -P becomes -p.
+ - -D becomes -g.
+ - -p becomes -u.
+ - --context becomes --ak-context.
+ - --algorithm becomes --kalg.
+ - --digest-alg becomes --halg.
+ - --privfile becomes --private.
+ - remove -k persistant option. Use tpm2_evictcontrol.
+ - Fix -o option to -w.
+ - now saves a context file for the generated primary's handle to disk.
+ - -E becomes -e.
+ - -g changes to -G.
+ - support for non-persistent AK generation.
+
+ * tpm2_getpubek:
+ - renamed to tpm2_createek
+ - --endorse-passwd is now --eh-auth.
+ - --owner-passwd is now --owner-auth.
+ - --ek-passwd is now --ek-auth.
+ - --file is now --public.
+ - --context is now --ek-context.
+ - --algorithm is now --key-algorithm.
+ - -e is now -P.
+ - -P is now -p.
+ - -p is now -u.
+ - -o is now -w.
+ - -g is now -G.
+ - Support for saving a context file for the generated primary keys handle
+ to disk.
+ - support for non-persistent EK generation.
+ - -f is now -p.
+ - -f support for format of public key output.
+
+ * tpm2_getrandom:
+ - change default output to binary.
+ - add --hex option for output to hex format.
+ - --out-file is now --output.
+ - bound input request on max hash size per spec, allow -f to override this.
+
+ * tpm_gettestresult:
+ - new tool for getting test results.
+
+ * tpm2_hash:
+ - add --hex for specifying hex output.
+ - default output of hash to stdout.
+ - default output of hash as binary.
+ - remove output of ticket to stdout.
+ - --halg is now --hash-algorithm.
+ - --out-file is now --output.
+ - -a is now -C.
+ - -H is now -a.
+
+ * tpm2_hmac:
+ - add -t option for specifying ticket result.
+ - --out-file is now --output.
+ - --auth-key is now --auth.
+ ---algorithm is now --hash-algorithm.
+ - --pwdk is now --auth-key.
+ - -C is now -c.
+ - -P is now -p.
+
+ * tpm2_hierarchycontrol:
+ - new tool added for enabling or disabling the use
+ of a hierarchy and its associated NV storage.
+
+ * tpm2_import:
+ - --object-attributes is now --attributes.
+ - --auth-parent is now --parent-auth.
+ - --auth-key is now --key-auth.
+ - --algorithm is now --key-algorithm.
+ - --in-file is now --input.
+ - --parent-key is now --parent-context.
+ - --privfile is now --private.
+ - --pubfile is now --public.
+ - --halg is now --hash-algorithm.
+ - --policy-file is now --policy.
+ - --sym-alg-file is now --encryption-key.
+ - -A is now -b.
+ - -k is now -i.
+ - support OSSL style -passin argument as --passin for PEM file passwords.
+ - support additional import key types:
+ - RSA1024/2048.
+ - AES128/192/256.
+ - -q changes to -u to align with tpm2_loads public/private output arguments.
+ - Supports setting object name algorithm via -g.
+ - support specifying parent key with a context file.
+ - --parent-key-handle/-H becomes --parent-key/-C
+ - Parent public data option is optional and changes from `-K` to `-U`.
+ - Supports importing external RSA 2048 keys via pem files.
+ - Supports ECC Parent keys.
+
+ * tpm2_incrementalselftest:
+ - Add tool to test support of specific algorithms.
+
+ * tpm2_listpersistent:
+ - deleted as tpm2_getcap and tpm2_readpublic can be used instead.
+
+ * tpm2_load:
+ - -o is now -c.
+ - --context-parent is now --parent-context.
+ - --auth-parent is now --auth.
+ - --pubfile is now --public.
+ - --privfile is now --private.
+ - --out-context is now --key-context.
+ - now saves a context file for the generated primary's handle to disk.
+ - Option `--pwdp` changes to `--auth-parent`.
+
+ * tpm2_loadexternal:
+ - --object-attributes is now --attributes.
+ - -o is now -c
+ - --key-alg is now --key-algorithm.
+ - --pubfile is now --public.
+ - --privfile is now --private.
+ - --auth-key is now --auth.
+ - --policy-file is now --policy.
+ - --halg is now --hash-algorithm.
+ - --out-context is now --key-context.
+ - Remove unused -P option.
+ - -H is now -a.
+ - Fix -A option to -b for attributes.
+ - now saves a context file for the generated primary's handle to disk.
+ - support OSSL style -passin argument as --passin for PEM file passwords.
+ - name output to file and stdout. Changes YAML stdout output.
+ - ECC Public and Private PEM support.
+ - AES Public and Private "raw file" support.
+ - RSA Public and Private PEM support.
+ - Object Attribute support.
+ - Object authorization support.
+ - Default hierarchy changes to the *null* hierarchy.
+
+ * tpm2_makecredential:
+ - --out-file is now --credential-blob
+ - --enckey is now --encryption-key.
+ - Option `--sec` changes to `--secret`.
+
+ * tpm2_nvdefine:
+ - --handle-passwd is now --hierarchy-auth.
+ - --index-passwd is now --index-auth.
+ - --policy-file is now --policy.
+ - --auth-handle is now --hierarchy.
+ - -a becomes -C.
+ - -t becomes -a.
+ - -I becomes -p.
+ - Removed option --index with short option -x. It is now an argument.
+ - Removed option --input-session-handle with short option -S.
+ - Authorization session is now part of password mini language.
+
+ * tpm2_nvincrement:
+ - New tool to increment value of a Non-Volatile (NV) index setup as a
+ counter.
+
+ * tpm2_nvlist:
+ - tpm2_nvlist is now tpm2_nvreadpublic.
+
+ * tpm2_nvread:
+ - --handle-passwd is now --auth.
+ - --auth-handle is now --hierarchy.
+ - -a becomes -C.
+ - Removed option --index with short option -x. It is now an argument.
+ - Removed short option -o for specifying offset. Use long option --offset.
+ - Removed option --input-session-handle with short option -S.
+ - Authorization session is now part of password mini language.
+ - Removed option --set-list with short option -L.
+ - Removed option --pcr-input-file with short option -F.
+ - Pcr policy options replaced with pcr password mini language.
+ - fix a buffer overflow.
+
+ * tpm2_nvreadlock:
+ - --handle-passwd is now --auth.
+ - --auth-handle is now --hierarchy.
+ - -a becomes -C.
+ - Removed option --index with short option -x. It is now an argument.
+ - Removed option --input-session-handle with short option -S.
+ - Authorization session is now part of password mini language.
+
+ * tpm2_nvwrite:
+ - --handle-passwd is now --auth.
+ - --auth-handle is now --hierarchy.
+ - -a becomes -C.
+ - Removed option --index with short option -x. It is now an argument.
+ - Removed short option -o for specifying offset. Use long option --offset.
+ - Removed option --input-session-handle with short option -S.
+ - Authorization session is now part of password mini language.
+ - Removed option --set-list with short option -L.
+ - Removed option --pcr-input-file with short option -F.
+ - Pcr policy options replaced with pcr password mini language.
+
+ * tpm2_nvrelease:
+ - --handle-passwd is now --auth.
+ - --auth-handle is now --hierarchy.
+ - -a becomes -C.
+ - Removed option --index with short option -x. It is now an argument.
+ - Removed option --input-session-handle with short option -S.
+ - Authorization session is now part of password mini language.
+
+ * tpm2_nvundefine:
+ - Renamed from tpm2_nvrelease.
+
+ * tpm2_pcrallocate:
+ - New tool for changing the allocated PCRs of a TPM.
+
+ * tpm2_pcrevent:
+ - --password is now --auth.
+ - Removed option --pcr-index with short option -i.
+ - PCR index is now specified as an argument.
+ - Removed option --input-session-handle with short option -S.
+ - Authorization session is now part of password mini language.
+
+ * tpm2_pcrlist:
+ - -gls options go away with -g and -l becoming a single argument.
+
+ * tpm2_pcrread:
+ - Renamed from tpm2_pcrlist.
+
+ * tpm2_print:
+ - New tool that decodes a TPM data structure and prints enclosed elements
+ to stdout as YAML.
+
+ * tpm2_policyauthorize:
+ - New tool that allows for policies to change by associating the policy to
+ a signing authority essentially allowing the auth policy to change.
+
+ * tpm2_policycommandcode:
+ - New tool to restricts TPM object authorization to specific TPM commands.
+
+ * tpm2_policyduplicationselect:
+ - New tool for creating a policy to restrict duplication to a new parent
+ and or duplicable object.
+
+ * tpm2_policylocality:
+ - New tool for creating a policy restricted to a locality.
+
+ * tpm2_policypcr:
+ - New tool to generate a pcr policy event that bounds auth to specific PCR
+ values in user defined pcr banks and indices.
+
+ * tpm2_policyor:
+ - New tool to compound multiple policies in a logical OR fashion to allow
+ multiple auth methods using a policy session.
+
+ * tpm2_policypassword:
+ - New tool to mandate specifying of the object password in clear using a
+ policy session.
+
+ * tpm2_policysecret:
+ - New tool to associate auth of a reference object as the auth of the new
+ object using a policy session.
+
+ * tpm2_quote:
+ - --ak-context is now --key-context.
+ - --ak-password is now --auth.
+ - --sel-list is now --pcr-list.
+ - --qualify-data is now --qualification-data.
+ - --pcrs is now --pcr.
+ - --sig-hash-algorithm is now --hash-algorithm.
+ - -P becomes -p
+ - -L becomes -l.
+ - -p becomes -o.
+ - -G becomes -g.
+ - -g becomes optional.
+ - Removed option --id-list with short option -l.
+ - Removed option --ak-handle with short option -k.
+ - Raw object-handles and object-contexts are commonly handled with object
+ handling logic.
+
+ * tpm2_readpublic:
+ - --opu is now --output.
+ - --context-object is now --object-context.
+ - Removed option --object with short option -H.
+ - Raw object-handles and object-contexts are commonly handled with object
+ handling logic.
+ - Added --serialized-handle for saving serialized ESYS_TR handle to disk.
+ - Added --name with short option -n for saving the binary name.
+ - Supports ECC pem and der file generation.
+
+ * tpm2_rsadecrypt:
+ - --pwdk is now --auth.
+ - --out-file is now --output.
+ - -P becomes -p.
+ - Added --label with short option -l for specifying label.
+ - Added --scheme with short option -s for specifying encryption scheme.
+ - Removed option -I or in-file input option and make argument.
+ - Removed option --key-handle with short option -k.
+ - Raw object-handles and object-contexts are commonly handled with object
+ handling logic.
+ - Removed option --input-session-handle with short option -S.
+ - Authorization session is now part of password mini language.
+
+ * tpm2_rsaencrypt:
+ - --out-file is now --output.
+ - Added --scheme with short option -s for specifying encryption scheme.
+ - Added --label with -l for specifying label.
+ - Removed option --key-handle with short option -k.
+ - Raw object-handles and object-contexts are commonly handled with object
+ handling logic.
+ - make output binary either stdout or file based on -o.
+
+ * tpm2_selftest:
+ - New tool for invoking tpm selftest.
+
+ * tpm2_send:
+ - --out-file is now --output.
+
+ * tpm2_sign:
+ - --pwdk is now --auth.
+ - --halg is now --hash-algorithm.
+ - --sig is now --signature.
+ - -P becomes -p.
+ - -s becomes -o.
+ - Added --digest with short option -d.
+ - Added --scheme with short option -s.
+ - Supports rsapss.
+ - Removed option --key-handle with short option -k.
+ - Raw object-handles and object-contexts are commonly handled with object
+ handling logic.
+ - Removed option --msg with short option -m.
+ - Make -d toggle if input is a digest.
+ - Removed option --input-session-handle with short option -S.
+ - Authorization session is now part of password mini language.
+ - Supports signing a pre-computed hash via -d.
+
+ * tpm2_startauthsession:
+ - New tool to start/save a trial-policy-session (default) or policy-
+ authorization-session with command line option --policy-session.
+
+ * tpm2_stirrandom:
+ - new command for injecting entropy into the TPM.
+
+ * tpm2_takeownership:
+ - split into tpm2_clear and tpm2_changeauth
+
+ * tpm2_testparms:
+ - new tool for querying tpm for supported algorithms.
+
+ * tpm2_unseal:
+ - --pwdk is now --auth.
+ - --outfile is now --output.
+ - --item-context is now --object-context.
+ - -P becomes -p
+ - Removed option --item with short option -H.
+ - Raw object-handles and object-contexts are commonly handled with object
+ handling logic.
+ - Removed option --input-session-handle with short option -S.
+ - Authorization session is now part of password mini language.
+ - Removed option --set-list with short option -L.
+ - Removed option --pcr-input-file with short option -F.
+ - Pcr policy options replaced with pcr password mini language.
+
+
+ * tpm2_verifysignature:
+ - --halg is now --hash-algorithm.
+ - --msg is now --message.
+ - --sig is now --signature.
+ - -D becomes -d.
+ - -t becomes optional.
+ - Issue warning when ticket is specified for a NULL hierarchy.
+ - Added option --format with short option -f.
+ - Removed option --raw with short option -r.
+ - Removed option --key-handle with short option -k.
+ - Raw object-handles and object-contexts are commonly handled with object
+ handling logic.
+ - Support routines for OpenSSL compatible format of public keys (PEM, DER) and
+ plain signature data without TSS specific headers.
+
+ * misc:
+ - cmac algorithm support.
+ - Add support for reading authorisation passwords from a file.
+ - Ported all tools from SAPI to ESAPI.
+ - Load TCTI's by SONAME, not raw .so file.
+ - system tests are now run with make check when --enable-unit is used in configure.
+ - Libre SSL builds fixed.
+ - Dynamic TCTIS. Support for pluggable TCTI modules via the -T or --tcti
+ options.
+ - test: system testing scripts moved into subordinate test directory.
+ - configure: enable code coverage option.
+ - env: add TPM2TOOLS_ENABLE_ERRATA to control the -Z or errata option.
+ affects all tools.
+ - Fix parsing bug in PCR mini-language.
+ - Fix misspelling of TPM2_PT_HR constants which effects tpm2_getcap output.
+ - configure option --with-bashcompdir for specifying bash completion
+ directory.
+
+ - changes in version 3.2.1:
+
+ * Fix invalid memcpy when extracting ECDSA plain signatures.
+ * Fix resource leak on FILE * in hashing routine.
+ * Correct PCR logic to prevent memory corruption bug.
+ * Errata handler fix.
+
+ - changes in version 3.2.0:
+
+ * fix configure bug for linking against libmu.
+ * tpm2_changeauth: Support changing platform hierarchy auth.
+ * tpm2_flushcontext: Introduce new tool for flushing handles from the TPM.
+ * tpm2_checkquote: Introduce new tool for checking validity of quotes.
+ * tpm2_quote: Add ability to output PCR values for quotes.
+ * tpm2_makecredential: add support for executing tool off-TPM.
+ * tpm2_pcrreset: introduce new tool for resetting PCRs.
+ * tpm2_quote: Fix AK auth password not being used.
+
+-------------------------------------------------------------------
+Mon Aug 26 07:42:52 UTC 2019 - matthias.gerstner@suse.com
+
+- update to minor version 3.1.4:
+ * Fix various man pages
+ * tpm2_getmanufec: fix OSSL build warnings
+ * Fix broken -T option
+ * Various build compatibility fixes
+ * Fix some unit tests
+ * Update build for recent autoconf-archive versions
+ * Install m4 files
+
+-------------------------------------------------------------------
+Wed Mar 6 10:44:52 UTC 2019 - matthias.gerstner@suse.com
+
+- update to minor version 3.1.3:
+ - Restore support for the TPM2TOOLS_* env vars for TCTI configuration, in
+ addition to supporting the new unified TPM2TOOLS_ENV_TCTI
+ - Fix tpm2_getcap to print properties with the TPM_PT prefix, rather than
+ TPM2_PT
+ - Make test_tpm2_activecredential Python 3 compatible
+ - Fix tpm2_takeownership to only attempt to change the specified hierarchies
+- use a _service file to sync with upstream tags
+
+-------------------------------------------------------------------
+Wed Sep 26 16:02:46 UTC 2018 - matthias.gerstner@suse.com
+
+- update to minor version 3.1.2 (FATE#326270):
+ - Revert the change to use user supplied object attributes exclusively. This
+ is an inappropriate behavioural change for a MINOR version number
+ increment.
+ - Fix inclusion of object attribute specifiers section in tpm2_create and
+ tpm2_createprimary man pages.
+ - Use better object attribute defaults for authentication, preventing an
+ empty password being used for authentication when a policy is set.
+
+-------------------------------------------------------------------
+Wed Aug 22 09:05:14 UTC 2018 - matthias.gerstner@suse.com
+
+- update to minor version 3.1.1:
+ - Allow man page installation without pandoc being available
+
+-------------------------------------------------------------------
+Fri Jun 29 12:03:48 UTC 2018 - matthias.gerstner@suse.com
+
+- update to major version 3.1.0:
+ - the tpm2 stack introduces an incompatible ABI to the previous version with
+ this update. There is no compatibility layer, libraries have new names
+ - install-man.patch: dropped, because we don't really need it
+ - tpm2.0-tools-fix-hardening.patch: contained in upstream tarball now
+s etc.
+ - upstream changelog:
+ * tpm2_unseal: -P becomes -p
+ * tpm2_sign: -P becomes -p
+ * tpm2_nvreadlock: long form for -P is now --auth-hierarchy
+ * tpm2_rsadecrypt: -P becomes -p
+ * tpm2_nvrelease: long-form of -P becomes --auth-hierarchy
+ * tpm2_nvdefine: -I becomes -p
+ * tpm2_encryptdecrypt: -P becomes -p
+ * tpm2_dictionarylockout: -P becomes -p
+ * tpm2_createprimary: -K becomes -p
+ * tpm2_createak: -E becomes -e
+ * tpm2_certify: -k becomes -p
+ * tpm2_hash: -g changes to -G
+ * tpm2_encryptdecrypt: Support IVs via -i and algorithm modes via -G.
+ * tpm2_hmac: drop -g, just use the algorithm associated with the object.
+ * tpm2_getmanufec: -g changes to -G
+ * tpm2_createek: -g changes to -G
+ * tpm2_createak: -g changes to -G
+ * tpm2_verifysignature: -g becomes -G
+ * tpm2_sign: -g becomes -G
+ * tpm2_import: support specifying parent key with a context file,
+ --parent-key-handle/-H becomes --parent-key/-C
+ * tpm2_nvwrite and tpm2_nvread: when -P is "index" -a is optional and defaults to
+ the NV_INDEX value passed to -x.
+ * Load TCTI's by SONAME, not raw .so file
+ * tpm2_activatecredential: -e becomes -E
+ * tpm2_activatecredential: -e becomes -E
+ * tpm2_certify: -c and -C are swapped, -k becomes -K
+ * tpm2_createprimary: -K becomes -k
+ * tpm2_encryptdecrypt: supports input and output to stdin and stdout respectively.
+ * tpm2_create: -g/-G become optional options.
+ * tpm2_createprimary: -g/-G become optional options.
+ * tpm2_verifysignature - Option `-r` changes to `-f` and supports signature format "rsa".
+ * tpm2_import - Parent public data option, `-K` is optional.
+ * tpm2_import - Supports importing external RSA 2048 keys via pem files.
+ * tpm2_pcrlist: Option `--algorithm` changes to `--halg`, which is in line with other tools.
+ * tpm2_verifysignature: Option `-r` and `--raw` have been removed. This were unused within the tool.
+ * tpm2_hmac: Option `--algorithm` changes to `--halg`, which is in line with the manpage.
+ * tpm2_makecredential: Option `--sec` changes to `--secret`.
+ * tpm2_activatecredential: Option `--Password` changes to `--auth-key`.
+ * system tests are now run with make check when --enable-unit is used in configure.
+ * tpm2_unseal: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_sign: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_rsadecrypt: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_quote: Option `--ak-passwd` changes to `--auth-ak`
+ * tpm2_pcrevent: Option `--passwd` changes to `--auth-pcr`
+ * tpm2_nvwrite: Options `--authhandle` and `--handle-passwd`
+ changes to `--hierarchy` and `--auth-hierarchy` respectively.
+ * tpm2_nvread: Options `--authhandle` and `--handle-passwd`
+ changes to `--hierarchy` and `--auth-hierarchy` respectively.
+ * tpm2_nvdefine: Options `--authhandle`, `--handle-passwd` and `--index-passwd`
+ changes to `--hierarchy`, `--auth-hierarchy` and `--auth-index`
+ respectively.
+ * tpm2_loadexternal: `-H` changes to `-a` for specifying hierarchy.
+ * tpm2_load: Option `--pwdp` changes to `--auth-parent`.
+ * tpm2_hmac: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_hash: `-H` changes to `-a` for specifying hierarchy.
+ * tpm2_getmanufec: Options `--owner-passwd`, `--endorse-passwd`
+ * and `--ek-passwd`change to `--auth-owner`, `--auth-endorse`
+ and `--auth-ek` respectively.
+ * tpm2_evictcontrol: Option group `-A` and `--auth` changes to `-a` and `--hierarchy`
+ Option `--pwda` changes to `--auth-hierarchy`
+ * tpm2_encryptdecrypt: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_dictionarylockout: Option `--lockout-passwd` changes to `--auth-lockout`
+ * tpm2_createprimary: Options `--pwdp` and `--pwdk` change to
+ `--auth-hierarchy` and `--auth-object` respectively.
+ * tpm2_createek: Options `--owner-passwd`, `--endorse-passwd`
+ * and `--ek-passwd`change to `--auth-owner`, `--auth-endorse`
+ and `--auth-ek` respectively.
+ * tpm2_createak: Options `--owner-passwd`, `--endorse-passwd`
+ * and `--ak-passwd`change to `--auth-owner`, `--auth-endorse`
+ and `--auth-ak` respectively.
+ * tpm2_create: Options `--pwdo` and `--pwdk` change to `--auth-object` and
+ `--auth-key` respectively.
+ * tpm2_clearlock: Option `--lockout-passwd` changes to `--auth-lockout`
+ * tpm2_clear: Option `--lockout-passwd` changes to `--auth-lockout`
+ * tpm2_changeauth: Options, `--old-owner-passwd`, `--old-endorse-passwd`,
+ and `--old-lockout-passwd` go to `--old-auth-owner`, `--old-auth-endorse`,
+ and `--old-auth-lockout` respectively.
+ * tpm2_certify: Options `--pwdo` and `--pwdk` change to `--auth-object` and
+ `--auth-key` respectively.
+ * tpm2_createprimary: `-H` changes to `-a` for specifying hierarchy.
+ * tpm2_createak: support for non-persistent AK generation.
+ * tpm2_createek: support for non-persistent EK generation.
+ * tpm2_getpubak renamed to tpm2_createak, -f becomes -p and -f is used for format of public key
+ output.
+ * tpm2_getpubek renamed to tpm2_createek, -f becomes -p and -f is used for format of public key
+ output.
+ * Libre SSL builds fixed.
+ * Dynamic TCTIS. Support for pluggable TCTI modules via the -T or --tcti options.
+ * tpm2_sign: supports signing a pre-computed hash via -D
+ * tpm2_clearlock: tool added
+ * test: system testing scripts moved into subordinate test directory.
+ * fix a buffer overflow in nvread/write tools.
+ * configure: enable code coverage option.
+ * tpm2_takeownership: split into tpm2_clear and tpm2_changeauth
+ * env: add TPM2TOOLS_ENABLE_ERRATA to control the -Z or errata option.
+
+-------------------------------------------------------------------
+Tue Jun 5 09:55:43 UTC 2018 - matthias.gerstner@suse.com
+
+- fix build after adding install-man.patch: autoreconf is needed again (sigh!)
+
+-------------------------------------------------------------------
+Wed May 2 12:09:22 UTC 2018 - matthias.gerstner@suse.com
+
+- install-man.patch: even after update to 3.0.4 the man pages are not
+ installed correctly. This patch fixes it locally.
+
+-------------------------------------------------------------------
+Wed May 2 11:02:07 UTC 2018 - matthias.gerstner@suse.com
+
+- update to version 3.0.4:
+ - Fix save and load for TPM2B_PRIVATE object.
+ - Use a default buffer size for tpm2_nv{read,write} if the TPM reports a 0 size.
+ - Fix --verbose and --version options crossover.
+ - Generate man pages from markdown and include them in the distribution tarball.
+ - Print usage summary if tools are executed with no options or man page can't be displayed.
+- man pages will be shipped for SLE version now, too (pandoc dependency was removed)
+
+-------------------------------------------------------------------
+Wed Mar 7 15:44:14 UTC 2018 - matthias.gerstner@suse.com
+
+- disable pandoc for all but openSUSE, since pandoc never was on SLE
+
+-------------------------------------------------------------------
+Wed Mar 7 14:29:10 UTC 2018 - matthias.gerstner@suse.com
+
+- disable pandoc/man pages generation on SLE-15, because pandoc is not
+ available there (and adding it would require two dozen additional haskell
+ packages)
+
+-------------------------------------------------------------------
+Thu Feb 22 11:08:19 UTC 2018 - matthias.gerstner@suse.com
+
+- update to version 3.0.3:
+ - various changes in tool options
+ - man pages are now in section 1 (formerly in section 8)
+ - tools are now installed in /usr/bin (formerly /usr/sbin)
+
+-------------------------------------------------------------------
+Thu Nov 9 11:00:33 UTC 2017 - vcizek@suse.com
+
+- update to version 2.1.1
+ * Potential memory leak fix when tcti/sapi initialization fails.
+ * tpm2_listpcrs: use TPM2_GetCapability to determine PCRs to read
+ * listpcrs: remove one redundant call to tpm get cap
+ * listpcrs: fix for unsupported/disabled alg in -L
+ * build: use supported comment to suppress GCC7 fallthrough warning
+ * kdfa: allow to build with OpenSSL 1.1.x (bsc#1067392)
+- drop patches (upstream)
+ * 0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch
+ * tpm2.0-tools-fix-gcc7.patch
+
+-------------------------------------------------------------------
+Mon Aug 21 14:32:13 UTC 2017 - matthias.gerstner@suse.com
+
+- update to version 2.1.0:
+ - dropped 0002-kdfa-use-openssl-for-hmac-not-tpm.patch, was backported
+ upstream in commit 788a17abbe0000c560935ef9f31c9a6892d9ea33
+ - this version now can interact with the new resource manager tpm2.0-abrmd
+ - Upstream changes:
+ * Fix readx and writex on multiple EINTR returns.
+ * Add support for the tabrmd TCTI. This is the new default.
+ * Change default socket port from 2323 (the old resourcemgr) to 2321
+ (default simulator port).
+ * Cherry-pick fix for CVE-2017-7524.
+ * Fix tpm2_listpcr command line option handling.
+ * Fix tpm2_getmanufec memory issues.
+
+-------------------------------------------------------------------
+Thu Jul 20 13:50:28 UTC 2017 - matthias.gerstner@suse.com
+
+- added the new abrmd package to recommends, because the tools will otherwise
+ not function
+
+-------------------------------------------------------------------
+Thu Jun 29 09:45:45 UTC 2017 - matthias.gerstner@suse.com
+
+- 0002-kdfa-use-openssl-for-hmac-not-tpm.patch: fixed unexpected leak of
+ cleartext password into the tpm when generating an HMAC in the context of
+ tpm_kdfa() (key derivation function) (bnc#1046402, CVE-2017-7524)
+
+-------------------------------------------------------------------
+Tue Jun 20 08:35:29 UTC 2017 - matthias.gerstner@suse.com
+
+- 0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch: fixed
+ tpm2_listpcrs aborting saying "too much pcrs to get!" (bnc#1044419)
+
+-------------------------------------------------------------------
+Fri Jun 2 07:16:45 UTC 2017 - meissner@suse.com
+
+- tpm2.0-tools-fix-hardening.patch: do not disable fortify,
+ do not use -Wstack-protector as it warns also for non-utilized
+ functions and then -Werror fails.
+- tpm2.0-tools-fix-gcc7.patch: fixed gcc7 case fallthrough errors
+
+-------------------------------------------------------------------
+Wed May 10 11:52:40 UTC 2017 - matthias.gerstner@suse.com
+
+- Major update to 2.0.0
+ - dropped fixes.patch, now part of the upstream version
+ - a set of man pages have been added to the package
+ - Upstream changes:
+ * Tracked on the milestone: https://github.com/01org/tpm2.0-tools/milestone/2
+ * Reworked all the tools to support configurable TCTIs, based on build time
+ configuration, one can specify the tcti via the --tcti (-T) option to all
+ tools.
+ * tpm2_getrandom interface made -s a positional argument.
+ * Numerous bug fixes.
+
+-------------------------------------------------------------------
+Mon Mar 6 16:23:15 UTC 2017 - meissner@suse.com
+
+- buildrequire pkgconfig
+
+-------------------------------------------------------------------
+Wed Mar 1 15:33:46 UTC 2017 - meissner@suse.com
+
+- Updated to 1.1.0 / 016-11-04 (FATE#321509)
+ - Added
+ * travis ci support.
+ * Allow for unit tests to be enabled selectively.
+ * tpm2_rc_decode tool: Decode TPM_RC error codes.
+ * Android Make file
+ * tpm2_listpersistent: list all persistent objects
+ * test scripts for tpm2-tools
+ * tpm2_nvreadlock
+ * tpm2_getmanufec: retrieve EC from tpm manufacturer server.
+ * Copy 'common' and 'sample' code from the TPM2.0-TSS repo.
+
+ - Modified
+ * tpm2_takeownership: update option -c to use lockout password to clear.
+ * tpm2_listpcrs: add options -L and -s, rewrite to increase performance.
+ * tpm2_quote: added -L option to support selection of multiple banks.
+ * tpm2_quote: add -q option to get qualifying data.
+ * configure: Use pkg-config to get info about libcurl and libcrypto.
+ * configure: Use pkg-config to locate SAPI and TCTI headers / libraries.
+ * tpm2_x: Add -X option to enable password input in Hex format.
+ * tpm2_nvdefine: Change -X option to -I.
+ * tpm2-nvwrite: fix for unable to write 1024B+ data.
+ * tpm2_getmanufec: Fix base64 encoding.
+ * tpm2_x: fixed a lot of TPM2B failures caused by wrong initialization.
+ * tpm2_getmanufec: let configure handle libs.
+ * tpm2_getmanufec: Convert from dos to unix format.
+ * build: Check for TSS2 library @ configure time.
+ * build: Detect required TSS2 and TCTI headers.
+ * build: Use libtool to build the common library
+ * build: Install all binaries into sbin.
+ * build: Build common sources into library.
+ * build: Move all source files to 'src'.
+ * Makefile.am: Move all build rules into single Makefile.am.
+ * everything: Use new TCTI headers and fixup API calls.
+ * everything: Update source to cope with sapi header cleanup.
+ * tpm2_activatecredential: Updated to support TCG compatible EK
+ * tpm2_getpubak: Updated to use TCG compatible EK
+ * tpm2_getpubek: fix ek creation to follow TCG EK profile spec.
+
+ - Removed
+ * Windows related code
+ * depenedency on the TPM2.0-TSS repo source code
+
+- 1.0-alpha_0.zip: removed, use tpm2-0-tss directly.
+- tpm2-install-binaries.patch: not needed anymore.
+- fixes.patch: fixed random return build errors.
+
+-------------------------------------------------------------------
+Mon Aug 22 12:02:01 UTC 2016 - meissner@suse.com
+
+- update description
+
+-------------------------------------------------------------------
+Thu Mar 24 12:42:04 UTC 2016 - meissner@suse.com
+
+- initial import of tpm2.0-tools
+
diff --git a/tpm2.0-tools.spec b/tpm2.0-tools.spec
new file mode 100644
index 0000000..9aa966f
--- /dev/null
+++ b/tpm2.0-tools.spec
@@ -0,0 +1,115 @@
+#
+# spec file for package tpm2.0-tools
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define _lto_cflags %{nil}
+%ifarch %{ix86} x86_64 aarch64 %{arm} ppc64le
+# Disable the tests for now in all architectures
+%bcond_with test
+%else
+# ppc ppc64 s390x: some code (tpm2_command_header_from_bytes) depend
+# on the endianness of the architecture:
+# gh#tpm2-software/tpm2-tools#3055
+# gh#tpm2-software/tpm2-tools#3060
+# gh#tpm2-software/tpm2-tools#3061
+%bcond_with test
+%endif
+Name: tpm2.0-tools
+Version: 5.5
+Release: 0
+Summary: Trusted Platform Module (TPM) 2.0 administration tools
+License: BSD-3-Clause
+Group: Productivity/Security
+URL: https://github.com/tpm2-software/tpm2-tools/releases
+Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz
+Source1: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz.asc
+# git show william-roberts-pub javier-martinez-pub joshua-lock-pub idesai-pub > tpm2-tools.keyring
+Source2: tpm2-tools.keyring
+BuildRequires: gcc-c++
+BuildRequires: libcurl-devel
+BuildRequires: libopenssl-devel
+BuildRequires: libtool
+BuildRequires: libuuid-devel
+BuildRequires: pkgconfig
+BuildRequires: tpm2-0-tss-devel
+BuildRequires: tpm2.0-abrmd-devel
+BuildRequires: pkgconfig(efivar)
+Recommends: tpm2.0-abrmd
+# Pandoc is used for generating the man pages, but since 3.0.4 prebuilt man
+# pages are shipped with the distribution tarball and we don't need to generate
+# them any more. Pandoc is only available on openSUSE (not 32-bit x86) and not
+# in Ring 1 (no haskell), so can't be used as build dependency here.
+%if 0
+%if 0%{?is_opensuse}
+%ifnarch %{ix86}
+BuildRequires: pandoc
+%endif
+%endif
+%endif
+%if %{with test}
+# requirements for unit test suite (configure --enable-unit)
+BuildRequires: dbus-1-daemon
+BuildRequires: expect
+BuildRequires: ibmswtpm2
+BuildRequires: iproute2
+BuildRequires: libcmocka-devel
+BuildRequires: python3-PyYAML
+BuildRequires: tpm2.0-abrmd
+# for xxd, which is also required by the tests
+BuildRequires: vim
+%endif
+
+%description
+Trusted Computing is a set of specifications published by the Trusted
+Computing Group (TCG). The Trusted Platform Module (TPM) is the
+hardware component for Trusted Computing. The tpm2.0-tools package
+provides tools for enablement and configuration of the TPM 2.0 and
+associated interfaces.
+
+%prep
+%autosetup -p1 -n tpm2-tools-%{version}
+
+%build
+# help configure find required executables for testing
+export PATH=$PATH:/usr/sbin:/usr/libexec/ibmtss
+%configure --disable-static \
+ %{?with_test: --enable-unit}
+%make_build
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%if %{with test}
+%check
+# Do the tests sequentially to kill all tpm_server instances
+# https://github.com/tpm2-software/tpm2-tools/issues/3042
+%make_build check
+%endif
+
+%files
+%doc docs/README.md docs/CHANGELOG.md
+%license docs/LICENSE
+%{_bindir}/tpm2*
+%{_bindir}/tss2*
+%{_mandir}/man1/tpm2*
+%{_mandir}/man1/tss2*
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/*
+
+%changelog
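Review bot: `%prep` goes straight to `%autosetup -p1 -n tpm2-tools-%{version}`, and nothing in the spec checks `Source1` (the detached signature) against `Source2` (the keyring), so whether the tarball signature is ever verified depends on build-service tooling this file does not show. The keyring is named `tpm2-tools.keyring` while `Name:` is `tpm2.0-tools`; if that tooling locates the keyring by package name, which should be confirmed, the mismatch would skip verification without any error. The comment above `Source2` shows the keys are exported with `git show` from named refs, presumably in the upstream repository, which is the same origin as the tarball. I would record the independently checked fingerprints next to it, for example `# keyring fingerprints confirmed out of band: <FINGERPRINT_PLACEHOLDER>`, so a later keyring refresh can be compared against a known value.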