1852 lines
85 KiB
Plaintext
1852 lines
85 KiB
Plaintext
-------------------------------------------------------------------
|
||
Wed May 17 14:14:44 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Disable tests. Some tests randomly fails, maybe dependening on the
|
||
OBS worker assigned during the build (not confirmed)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 16 14:28:55 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Update to version 5.5
|
||
+ Added:
|
||
* tpm2_createek: SM2 EK Support
|
||
* misc: SM2 support to internal OSSL format key routines. Fixes
|
||
--format flags for conversions.
|
||
+ Fixed:
|
||
* echo_tcti.py: set to use python3 named executable in shebang.
|
||
- Drop already merged patches
|
||
+ fix_bogus_warning.patch
|
||
+ echo_tcti_call_python3_binary.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 4 12:56:09 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Re-disable tests in PPC, PPC64 and S390X and reference issues about
|
||
endianness unsafe API
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 8 12:51:17 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Update to version 5.4
|
||
+ Added:
|
||
* tpm2_policyrestart: Added option --cphash to output the cpHash
|
||
for the command PM2_CC_PolicyRestart.
|
||
* tpm2_policynvwritten: Added option --cphash to output the cpHash
|
||
for the command TPM2_CC_PolicyNvWritten.
|
||
* tpm2_policylocality: Added option --cphash to output the cpHash
|
||
for the command TPM2_CC_PolicyLocality.
|
||
* tpm2_policycountertimer: Added option --cphash to output the
|
||
cpHash for the command TPM2_CC_PolicyCounterTimer.
|
||
* tpm2_policycommandcode: Added option --cphash to output the
|
||
cpHash for the command TPM2_CC_PolicyCommandCode.
|
||
* tpm2_policypassword: Added option --cphash to output the cpHash
|
||
for the command TPM2_CC_PolicyPassword.
|
||
* tpm2_policyauthvalue: Added option --cphash to output the cpHash
|
||
for the command TPM2_CC_PolicyAuthValue.
|
||
* tpm2_policyauthorize: Added option --cphash to output the cpHash
|
||
for the command TPM2_CC_PolicyAuthorize.
|
||
* tpm2_print: Support printing serialized ESYS_TR's
|
||
* tpm2_create: Add a clarifying message to usage of -c when
|
||
TPM2_CreateLoaded is not supported.
|
||
* tpm2_getcap: Add support for vendor agnostic
|
||
capabilites. Requires tpm2-tss version 4.0 and higher to enable.
|
||
* Add a script, check_endorsement_cert.sh, to validate the
|
||
endorsement certificate chain. It takes two inputs - A
|
||
TPM2B_PUBLIC format EKpublic and a PEM format EKcertificate
|
||
specified in that order as arguments.
|
||
|
||
- Update to version 5.3
|
||
+ Features:
|
||
* lib/tpm2_tool.c: add --help=no-man for tpm2 option. Prior to
|
||
this change the tool parsed no-man as an unrecognized option and
|
||
errored out. Now it lists all the available tool options.
|
||
* tpm2_encodeobject: New tool to encode TPM2 object. It takes
|
||
public and private portions of an object and encode them in a
|
||
combined PEM form called tssprivkey used by tpm2-tss-engine and
|
||
other applications.
|
||
* Support alternative ECC curves for which default EK templates
|
||
exist (NIST_P256, NIST_P384, NIST_P521, and SM2_P256).
|
||
* tools/misc/tpm2_checkquote: add sm2 verification of signature.
|
||
* crypto: support the TPM2_ECC_SM2_P256 curveID.
|
||
* fapi: add new command to enable the use of fapi objects for tpm2
|
||
tools. The new command tss2_gettpm2object was added. With this
|
||
command context files which can be used for tpm2 tool commands
|
||
can be created.
|
||
* Support for sign and verify with sm2 algorithms.
|
||
* tools/tpm2_startauthsession: add sym-algorithm argument for
|
||
supported symmetric algorithm.
|
||
* Attestation (certify, command audit, sessionaudit and quote):
|
||
add scheme argument for supported signature schemes. This also
|
||
enable support for SM signing.
|
||
* tpm2_flushcontext: support all options at a time. Support the
|
||
-t/-l/-s options all at once so folks don't have to call it
|
||
multiple times.
|
||
* tools/tpm2_nvread: add human readable output for NV content
|
||
Enable parsing and YAML-style output for the different NV index
|
||
types.
|
||
* New event types in tpm2_eventlog:
|
||
EV_EFI_PLATFORM_FIRMWARE_BLOB2, EV_EFI_HANDOFF_TABLES2,
|
||
EV_EFI_VARIABLE_BOOT2
|
||
* VERSION: add version file - Generate the version file with
|
||
bootstrap and include in the DIST tarball so endusers can call
|
||
autoreconf on a dist tarball which doesn't have git. This
|
||
alleviates git describe errors on release tarballs in the
|
||
autoreconf case.
|
||
* import: support restricted parents - Support a restricted parent
|
||
with an aes128cfb symmetric parameter.
|
||
* tpm2_load - Added capability to load pem files in
|
||
TSS2-Private-Key format for interoperability with
|
||
tpm2-tss-engine, tpm2-openssl provider tpm2-pkcs11, and
|
||
tpm2-pytss.
|
||
* tpm2_print - Added capability to parse out and print the public
|
||
portion of a TSS Private Key in the PEM format with the arg
|
||
option TSSPRIVKEY_OBJ.
|
||
* tpm2_loadexternal: Added support to tpm2_loadexternal for
|
||
parsing and loading the public portion of a TSS2 Privkey PEM
|
||
file. The path to the PEM file must be specified using the -r
|
||
option while skipping the -G option for key type.
|
||
* Support added for calculating cpHash, rpHash, sessions for
|
||
parameter encryption and auditing in: tpm2_nvwrite,
|
||
tpm2_nvcertify, tpm2_nvincrement, tpm2_nvwritelock,
|
||
tpm2_nvreadlock, tpm2_nvundefine and tpm2_nvreadpublic.
|
||
* Support added for calculating cpHash in: tpm2_clear,
|
||
tpm2_dictionarylockout, tpm2_clearcontrol, tpm2_sign,
|
||
tpm2_setprimarypolicy, tpm2_setclock, tpm2_rsadecrypt,
|
||
tpm2_duplicate, tpm2_clockrateadjust, tpm2_createprimary,
|
||
tpm2_quote, tpm2_policysecret, tpm2_policynv,
|
||
tpm2_policyauthorizenv, tpm2_import, tpm2_hmac,
|
||
tpm2_hierarchycontrol, tpm2_load, tpm2_gettime,
|
||
tpm2_evictcontrol, tpm2_encryptdecrypt, tpm2_getpolicydigest,
|
||
tpm2_loadexternal, tpm2_commit, tpm2_ecdhkeygen, tpm2_ecdhzgen,
|
||
tpm2_ecephemeral, tpm2_geteccparameters, tpm2_flushcontext,
|
||
tpm2_pcrallocate, tpm2_pcrevent, tpm2_pcrreset, tpm2_pcrread.
|
||
* Support for using tcti=none for cpHash calculations to avoid
|
||
invoking checks for active TPM in: tpm2_nvreadpublic,
|
||
tpm2_nvundefine, tpm2_nvreadlock, tpm2_nvwritelock,
|
||
tpm2_nvincrement, tpm2_nvcertify, tpm2_nvdefine, tpm2_nvwrite.
|
||
+ Known issue:
|
||
* FAPI tools will not work on 32bit user-static qemu on 64bit host
|
||
because readdir returns NULL. Follow the issue on
|
||
https://gitlab.com/qemu-project/qemu/-/issues/263
|
||
+ Bug fixes:
|
||
* tools/tpm2_pcrreset.c: fix build errors in 32bit systems.
|
||
* Fix tssprivkey formatted PEM generation and load errors on 32
|
||
bit systems.
|
||
* CI: Add testing of 32bit systems with multiarch/qemu-user-static
|
||
containers.
|
||
* tools/tpm2_evictcontrol: fix for calls to Esys_TR_Close on bad
|
||
handles.
|
||
* tools/tpm2_nvextend: fix for ESYS_TR handle not being used in
|
||
calculating the object name.
|
||
* tools/tpm2_nvwrite, tools/tpm2_nvread: Policy authorization must
|
||
be re-instantiated on each iteration of the read/ write when
|
||
size exceeds the allowed operating size
|
||
(TPM2_PT_NV_BUFFER_MAX). However, information on the compounded
|
||
policies cannot be retrieved from the only policy digest read
|
||
from the session and hence the session cannot be
|
||
re-instantiated. To avoid this scenario only a single iteration
|
||
is allowed when policy authorization is in use.
|
||
* Fix argument parsing in tpm2_policylocality to fix an issue
|
||
causing almost always to generate PolicyLocality(0). There was a
|
||
logical inversion that caused almost any argument (including
|
||
invalid ones) to be interpreted as zero, except “zero" would be
|
||
interpreted as one.
|
||
* test/fapi/fapi-quote-verify.sh Fix check of qualifying
|
||
data. Because of a bug in Fapi_VerifyQuote the qualifying data
|
||
was not checked correctly. Errors that were not recognized
|
||
before occur now. The order of the tests was cleaned up and for
|
||
every quote and verify quote now the correct combination of the
|
||
qualifying data and quote info containing the nonce is used.
|
||
* tpm2_nvdefine: set TPMA_NV_PLATFORMCREATE when authenticating
|
||
with the platform hierarchy.
|
||
* tools/tpm2_getekcertificate: fixed the url link to
|
||
ekop.intel.com. There were two places where the fix was needed:
|
||
o In the tool source code where a forward slash was always
|
||
appended irrespective of it already being part of the link
|
||
specified by the user and
|
||
o In the integration test where curl tests the link to the
|
||
ekop.intel.com backend. It now requires the full link to
|
||
include the base64 encoded ek pub hash.
|
||
* tools/tpm2_tool.c: Fix an issue where LOG_WARN is always
|
||
displayed Despite setting the 'quiet' flag with -Q.
|
||
* fapi: fix usage of parameter pcrLog for tss2_quote. pcrLog is an
|
||
optional parameter. If pcrLog is not used as parameter currently
|
||
the pcr log is still calculated in Fapi_Quote. To avoid this
|
||
calculation a NULL pointer will be passed to Fapi_Quote if the
|
||
parameter pcrLog is not passed. So tss2_quote can be executed
|
||
for a user which has no access rights to the files with the
|
||
system measurements.
|
||
* import: fix bug on using scheme wherein if scheme is specified
|
||
in the template, the openssl load functions clobber the scheme
|
||
value and set it to TPM2_ALG_NULL.
|
||
* tools/tpm2_sign and tpm2_verifysignature: fix sm2 sign and
|
||
verifysignature bugs : (1.) sm2 sign could not get output
|
||
signature. (2.) sm2 verify tss format signature failed.
|
||
* lib/tpm2.c: added workaround for a system api bug where in the
|
||
flush handle is erroneously placed in the handle area instead of
|
||
the parameter area.
|
||
* nvreadpublic: drop ntoh on attributes The attributes get
|
||
marshalled to correct endianess by libmu and don’t need to be
|
||
changed again.
|
||
* Removing unused '-i' option from tpm2_print
|
||
* tpm2_policyor: fix unallocated policy list The TPML_DIGEST
|
||
policy list was calloc'd for some reason, however it could just
|
||
be statically allocated in the context. The side effect is that
|
||
when no options or arguments were given a NPD occured when
|
||
checking the count of the policy list.
|
||
* tools/tpm2_certify: fix man page for short options and add tests
|
||
The short options for the signing-key-auth and
|
||
certified-key-auth were swapped. The case fix in the man page
|
||
makes it less intuitive but have to go through with the change
|
||
so that we don't break any existing scripts. This change does
|
||
not affect the long options. Tests have been added to ensure the
|
||
functionality.
|
||
+ CI:
|
||
* ci: add ubuntu-22.04. This also requires the min tpm2-tss
|
||
version to be at 3.2.0 to support the openSSL major version 3.
|
||
* cirrus.yml: update freebsd version to 13.1
|
||
* .ci/download-deps.sh: update tpm2-abrmd dependency version to
|
||
2.4.1
|
||
- Drop 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
|
||
(merged)
|
||
- Drop add_missing_shut_down_call_on_cleanup.patch (merged)
|
||
- Drop fix_check_of_qualifying_data.patch (merged)
|
||
- Add echo_tcti_call_python3_binary.patch (upstreamed)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 14 09:49:39 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Disable tests in some architectures (ppc, ppc64, s390x)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 13 11:50:11 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Add patch to fix leakage of TPM simulator process
|
||
add_missing_shut_down_call_on_cleanup.patch
|
||
- Add patch to fix fapi-quote-verify[_ecc].sh test
|
||
fix_check_of_qualifying_data.patch
|
||
- Enable test execution by default
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 8 07:51:37 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Add missing dependencies for testing.
|
||
- Add patch to properly skip getekcertificate if curl is missing
|
||
0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 7 15:14:37 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Disable LTO for 5.2, to fix tpm2_makecredential with "-T none"
|
||
(bsc#1201291)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 8 16:37:28 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- The update to 5.2 fill also jsc#SLE-9515 (4.1) and jsc#SLE-17366 (4.3.0)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 29 10:27:08 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Fix python3-PyYAML requirement
|
||
- Move the tests inside a bcond. Disabled by default.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 20 08:53:37 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Update to version 5.2:
|
||
+ tpm2_nvextend:
|
||
* Added option -n, --name to specify the name of the nvindex in
|
||
hex bytes. This is used when cpHash ought to be calculated
|
||
without dispatching the TPM2_NV_Extend command to the TPM.
|
||
+ tpm2_nvread:
|
||
* Added option --rphash=FILE to specify ile path to record the
|
||
hash of the response parameters. This is commonly termed as
|
||
rpHash.
|
||
* Added option -n, --name to specify the name of the nvindex in
|
||
hex bytes. This is used when cpHash ought to be calculated
|
||
without dispatching the TPM2_NVRead command to the TPM.
|
||
* Added option -S, --session to specify to specify an auxiliary
|
||
session for auditing and or encryption/decryption of the
|
||
parameters.
|
||
+ tpm2_nvsetbits:
|
||
* Added option --rphash=FILE to specify file path to record the
|
||
hash of the response parameters. This is commonly termed as
|
||
rpHash.
|
||
* Added option -S, --session to specify to specify an auxiliary
|
||
session for auditing and or encryption/decryption of the
|
||
parameters.
|
||
* Added option -n, --name to specify the name of the nvindex in
|
||
hex bytes. This is used when cpHash ought to be calculated
|
||
without dispatching the TPM2_NV_SetBits command to the TPM.
|
||
+ tpm2_createprimary:
|
||
* Support public-key output at creation time in various public-key
|
||
formats.
|
||
+ tpm2_create:
|
||
* Support public-key output at creation time in various public-key
|
||
formats.
|
||
+ tpm2_print:
|
||
* Support outputing public key in various public key formats over
|
||
the default YAML output. Supports taking -u output from
|
||
tpm2_create and converting it to a PEM or DER file format.
|
||
+ tpm2_import:
|
||
* Add support for importing keys with sealed-data-blobs.
|
||
+ tpm2_rsaencrypt, tpm2_rsadecrypt:
|
||
* Add support for specifying the hash algorithm with oaep.
|
||
+ tpm2_pcrread, tpm2_quote:
|
||
* Add option -F, --pcrs_format to specify PCR format selection for
|
||
the binary blob in the PCR output file. 'values' will output a
|
||
binary blob of the PCR values. 'serialized' will output a binary
|
||
blob of the PCR values in the form of serialized data structure
|
||
in little endian format.
|
||
+ tpm2_eventlog:
|
||
* Add support for decoding StartupLocality.
|
||
* Add support for printing the partition information.
|
||
* Add support for reading eventlogs longer than 64kb including
|
||
from /sys/kernel/security/tpm0/binary_bios-measurements.
|
||
+ tpm2_duplicate:
|
||
* Add option -L, --policy to specify an authorization policy to be
|
||
associated with the duplicated object.
|
||
* Added support for external key duplication without needing the
|
||
TCTI.
|
||
+ tools:
|
||
* Enhance error message on invalid passwords when sessions cannot
|
||
be used.
|
||
+ lib/tpm2_options:
|
||
* Add option to specify fake tcti which is required in cases where
|
||
sapi ctx is required to be initialized for retrieving command
|
||
parameters without invoking the tcti to talk to the TPM.
|
||
+ openssl:
|
||
* Dropped support for OpenSSL < 1.1.0
|
||
* Add support for OpenSSL 3.0.0
|
||
+ Support added to make the repository documentation and man pages
|
||
available live on readthedocs.
|
||
+ Bug-fixes:
|
||
* tpm2_import: Don't allow setting passwords for imported object
|
||
with -p option as the tool doesn't modify the TPM2B_SENSITIVE
|
||
structure. Added appropriate logging to indicate using
|
||
tpm2_changeauth after import.
|
||
* lib/tpm2_util.c: The function to calculate pHash algorithm
|
||
returned error when input session is a password session and the
|
||
only session in the command.
|
||
* lib/tpm2_alg_util.c: Fix an error where oaep was parsed under
|
||
ECC.
|
||
* tpm2_sign: Fix segfaults when tool does not find TPM resources
|
||
(TPM or RM).
|
||
* tpm2_makecredential: Fix an issue where reading input from stdin
|
||
could result in unsupported data size larger than the largest
|
||
digest size.
|
||
* tpm2_loadexternal: Fix an issue where restricted attribute could
|
||
not be set.
|
||
* lib/tpm2_nv_util.h: The NV index size is dependent on different
|
||
data sets read from the GetCapability structures because there
|
||
is a dependency on the NV operation type: Define vs Read vs
|
||
Write vs Extend. Fix a sane default in the case where
|
||
GetCapability fails or fails to report the specific property/
|
||
data set. This is especially true because some properties are
|
||
TPM implementation dependent.
|
||
* tpm2_createpolicy: Fix an issue where tool exited silently
|
||
without reporting an error if wrong pcr string is specified.
|
||
* lib/tpm2_alg_util: add error message on public init to prevent
|
||
tools from dying silently, add an error message.
|
||
* tpm2_import: fix an issue where an imported hmac object scheme
|
||
was NULL. While allowed, it was inconsistent with other tools
|
||
like tpm2_create which set the scheme as hmac->sha256 when
|
||
generating a keyedhash object.
|
||
|
||
- Drop patches already in upstream:
|
||
+ 0001-tpm2_checkquote-fix-uninitialized-variable.patch
|
||
+ 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch
|
||
+ 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 29 14:15:11 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Add 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch to
|
||
fix the offset of the read buffer
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 8 09:07:05 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||
|
||
- prepare running the test suite via %check, but leave it commented out,
|
||
because it is broken due to LTO linking.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 28 09:09:46 UTC 2021 - Fabian Vogt <fvogt@suse.com>
|
||
|
||
- update to version 5.1.1:
|
||
- tpm2_import: fix fixed AES key CVE-2021-3565
|
||
- tpm2_import used a fixed AES key for the inner wrapper, which means that
|
||
a MITM attack would be able to unwrap the imported key. To fix this,
|
||
ensure the key size is 16 bytes or bigger and use OpenSSL to generate a
|
||
secure random AES key.
|
||
- Avoid pandoc build dependency, use prebuilt man pages everywhere
|
||
- Drop 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch, now upstream
|
||
- Drop _service, unused
|
||
- Drop unused unzip build dependency
|
||
- Drop autoreconfigure call, no longer necessary
|
||
- Use %autosetup
|
||
- Verify tarball signature
|
||
- Build against efivar
|
||
- Drop %check section, tests weren't built, so that was a noop
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jun 18 14:44:25 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Add 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch to fix the
|
||
tpm2_eventlog command (boo#1187360)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 17 09:26:42 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Add 0001-tpm2_checkquote-fix-uninitialized-variable.patch for a better
|
||
fix of boo#1187316
|
||
- Re-enable lto
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 15 09:36:37 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
|
||
|
||
- Disable lto to fix tpm2_checkquote error (boo#1187316)
|
||
- Update service file to point to the correct revision
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 7 12:50:22 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
|
||
|
||
- Do not BuildRequire pandoc on ix86 architectures: the haskell
|
||
stack is not supported on intel 32bit archs.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 28 10:24:21 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||
|
||
- add 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch: no longer use a
|
||
fixed AES key in the context of the tpm2_import command. Fixes CVE-2021-3565
|
||
(bsc#1186490).
|
||
- drop fix_pie_linking.patch: now contained in upstream tarball
|
||
- drop fix_warnings.patch: now contained in upstream tarball
|
||
- update to upstream version 5.1:
|
||
- Minimum tpm2-tss version dependency bumped to 3.1.0
|
||
- Minimum tpm2-abrmd version dependency bumped to 2.4.0
|
||
- tss2:
|
||
- Support in tools for PolicyRef inclusion in policy search per latest TSS.
|
||
- Support to use TPM objects protected by a policy with PolicySigned.
|
||
- Enable backward compatibility to old Fapi callback API.
|
||
- Fix PCR selection for tss2 quote.
|
||
- Support policy signed policies by implementing Fapi_SetSignCB.
|
||
- Command/ response parameter support for auditing and pHash policies:
|
||
- lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash
|
||
- Add support to calculate rphash for tpm2_create, tpm2_activatecredential,
|
||
tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps,
|
||
tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal
|
||
- Add support to calculate cphash for tpm2_changeeps, tpm2_changepps.
|
||
- Session-support:
|
||
- tpm2_sessionconfig: Add tool to display and configure session attributes.
|
||
- tpm2_getrandom: Fix— session input was hardcoded for audit-only
|
||
- tpm2_startauthsession: Add option to specify the bind object and its
|
||
authorization value.
|
||
- tpm2_startauthsession: support for bounded-only session.
|
||
- tpm2_startauthsession: support for salted-only session.
|
||
- tpm2_startauthsession: add option to specify an hmac session type.
|
||
- Add support for specifying non-authorization sessions for audit and
|
||
parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend,
|
||
tpm2_nvdefine, tpm2_unseal, tpm2_activatecredential, tpm2_certify,
|
||
tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps.
|
||
- tpm2_eventlog:
|
||
- Support for event type: EV_IPL extensively used by the Shim and Grub.
|
||
- Support for event type: EV_EFI_GPT_EVENT to parse.
|
||
UEFI_PARTITION_TABLE_HEADER and UEFI_PARTITION_ENTRY.
|
||
- Support for event type: EFI_SIGNATURE_LIST, which contains one or more
|
||
EFI_SIGNATURE_DATA.
|
||
- Support for event type EV_EFI_VARIABLE_AUTHORITY.
|
||
- Parse UEFI_PLATFORM_FIRMWARE_BLOB structure that the CRTM MUST put into
|
||
the Event Log entry TCG_PCR_EVENT2.event field for event types
|
||
EV_POST_CODE, EV_S_CRTM_CONTENTS, and EV_EFI_PLATFORM_FIRMWARE_BLOB.
|
||
- Parse secureboot variable to indicate enable as 'Yes'.
|
||
- Parse BootOrder variable to a more readable format.
|
||
- Parse Boot variables per EFI_LOAD_OPTION described in more details in
|
||
UEFI Spec Section 3.1.3
|
||
- Parse Device-path in a readable format using the efivar library.
|
||
- Support for logs longer than 64 kilobytes.
|
||
- Perform verification for event types where digest can be verified from
|
||
their event payload.
|
||
- Better support for multiline strings.
|
||
- Fix handling of event log EV_POST_CODE data where field is empty and len
|
||
is specified.
|
||
- scripts/utils: Add a utility to read the cert chain of embedded CA.
|
||
- tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP
|
||
404.
|
||
- tpm2_nvdefine: allow setting hash algorithm by command line parameter for NV
|
||
indices set in extend mode.
|
||
- tpm2_duplicate, tpm2_import: support duplicating non-TPM keys to a remote
|
||
TPM without first requiring them to be loaded to a local TPM.
|
||
- tpm2_dictionarylockout: Fix issue where setting value for one parameter
|
||
caused to reset the others.
|
||
- tpm2_getpolicydigest: Add new tool to enable TPM2_CC_PolicyGetDigest.
|
||
- Fix segfault where optind > argc.
|
||
- tools/tpm2_checkquote: fix missing initializer
|
||
- tpm2_convert: fix EVP_EncodeUpdate usage for OSSL < 1.1.0
|
||
- openssl: fix EVP_ENCODE_CTX_(new|free)
|
||
- test: Add support for swTPM simulator to the testing framework and make it
|
||
the default if mssim isn't available.
|
||
- tpm2_unseal:
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
of the response parameters. This is commonly termed as rpHash.
|
||
- tpm2_nvextend:
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
of the response parameters. This is commonly termed as rpHash.
|
||
- tpm2_nvdefine:
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
of the response parameters. This is commonly termed as rpHash.
|
||
- tpm2_changepps:
|
||
- Added option **\--cphash**=_FILE_ to specify ile path to record the hash
|
||
of the command parameters. This is commonly termed as cpHash.
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||
session for auditing and or encryption/decryption of the parameters.
|
||
- tpm2_changeeps:
|
||
- Added option **\--cphash**=_FILE_ to specify ile path to record the hash
|
||
of the command parameters. This is commonly termed as cpHash.
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
of the response parameters. This is commonly termed as rpHash.
|
||
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||
session for auditing and or encryption/decryption of the parameters.
|
||
- tpm2_changeauth:
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
of the response parameters. This is commonly termed as rpHash.
|
||
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||
session for auditing and or encryption/decryption of the parameters.
|
||
- tpm2_certifycreation:
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
of the response parameters. This is commonly termed as rpHash.
|
||
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||
session for auditing and or encryption/decryption of the parameters.
|
||
- tpm2_certify:
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
of the response parameters. This is commonly termed as rpHash.
|
||
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||
session for auditing and or encryption/decryption of the parameters.
|
||
- tpm2_activatecredential:
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
of the response parameters. This is commonly termed as rpHash.
|
||
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||
session for auditing and or encryption/decryption of the parameters.
|
||
- tpm2_create:
|
||
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||
of the response parameters. This is commonly termed as rpHash.
|
||
- tpm2_unseal:
|
||
- Added option **-S**, **--session** to specify auxiliary sessions for
|
||
audit and encryption.
|
||
- tpm2_nvdefine:
|
||
- Added option **-S**, **--session** to specify auxiliary sessions for
|
||
audit and encryption.
|
||
- tpm2_nvextend:
|
||
- Added option **-S**, **--session** to specify auxilary sessions for
|
||
audit and encryption.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 4 08:55:06 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||
|
||
- fix `--version` output of tools. Since now autoreconf is called and
|
||
configure.ac attempts to fetch the version from git (which we don't have
|
||
during building), the version was empty. Fix this by replacing the git
|
||
invocation in configure.ac.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 28 09:49:06 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||
|
||
- add fix_warnings.patch: fixes a couple of build errors resulting from LTO
|
||
linking and -Werror.
|
||
- add fix_pie_linking.patch: fixes an error in the build system that causes
|
||
the tss2 binary to be linked without passed LDFLAGS (like -pie), which
|
||
causes the binary not to be position independent.
|
||
- update to major version 5.0:
|
||
- Non Backwards Compatible Changes
|
||
* Default hash algorithm is now sha256. Prior versions claimed sha1, but were
|
||
inconsistent in choice. Best practice is to specify the hash algorithm to
|
||
avoid surprises.
|
||
|
||
* tpm2_tools and tss2_tools are now a busybox style commandlet. Ie
|
||
tpm2_getrandom becomes tpm2 getrandom. make install will install symlinks
|
||
to the old tool names and the tpm2 commandlet will interrogate argv[0] for
|
||
the command to run. This will provide backwards compatibility if they are
|
||
installed. If you wish to use the old names not installed system wide, set
|
||
DESTDIR during install to a separate path and set the proper directory on
|
||
PATH.
|
||
|
||
* tpm2_eventlog's output changed to be YAML compliant. The output before
|
||
was intended to be YAML compliant but was never properly checked and
|
||
tested.
|
||
|
||
* umask set to 0117 for all tools.
|
||
|
||
* tpm2_getekcertificate now outputs the INTC EK certificates in PEM format
|
||
by default. In order to output the URL safe variant of base64 encoded
|
||
output of the INTC EK certificate use the added option --raw.
|
||
|
||
- Dependency update
|
||
* Update tpm2-tss dependency version to 3.0.1
|
||
|
||
* Update tpm2-abrmd dependency version to 2.3.3
|
||
|
||
- New tools and features
|
||
* tpm2_zgen2phase: Add new tool to support command TPM2_CC_ZGen_2Phase.
|
||
* tpm2_ecdhzgen: Add new tool to support command TPM2_CC_ECDH_ZGen.
|
||
* tpm2_ecdhkeygen: Add new tool to support command TPM2_CC_ECDH_KeyGen.
|
||
* tpm2_commit: Add new tool to support command TPM2_CC_Commit.
|
||
* tpm2_ecephemeral: Add new tool to support command TPM2_CC_EC_Ephemeral.
|
||
* tpm2_geteccparameters: Add new tool to support command TPM2_CC_ECC_Parameters.
|
||
* tpm2_setcommandauditstatus: Added new tool to support command TPM2_CC_SetCommandCodeAuditStatus.
|
||
* tpm2_getcommandauditstatus: Added new tool to support command TPM2_CC_GetCommandAuditDigest.
|
||
* tpm2_getsessionauditdigest: Added new tool to support command TPM2_CC_GetSessionAuditDigest.
|
||
* tpm2_certifyX509certutil: Added new tool for creating partial x509 certificates required to support
|
||
the TPM2_CC_CertifyX509 command.
|
||
* tpm2_policysigned:
|
||
Added option --cphash-input to specify the command parameter hash
|
||
(cpHashA), enforcing the TPM command to be authorized as well as its
|
||
handle and parameter values.
|
||
* tpm2_createprimary:
|
||
Added option to specify the unique data from the stdin by adding
|
||
provision for specifying the option value for unique file as -.
|
||
* tpm2_startauthsession:
|
||
Added new feature/option --audit-session to start an HMAC session to
|
||
be used as an audit session.
|
||
* tpm2_getrandom:
|
||
- Added new feature/option -S, --session to specify a HMAC session
|
||
to be used as an audit session. This adds support for auditing the
|
||
command using an audit session.
|
||
- Added new feature/option --rphash to specify file path to record the
|
||
hash of the response parameters. This is commonly termed as rpHash.
|
||
- Added new feature/option --cphash to specify a file path to record
|
||
the hash of the command parameters. This is commonly termed as cpHash.
|
||
NOTE: In absence of --rphash option, when this option is selected,
|
||
The tool will not actually execute the command, it simply returns a
|
||
cpHash.
|
||
* tpm2_getcap: tpm2_getcap was missing raw on a property TPM2_PT_REVISION,
|
||
and it should always be specified.
|
||
* tpm2_sign:
|
||
- Add option --commit-index to specify the commit index to use when
|
||
performing an ECDAA signature.
|
||
- Add support for ECDAA signature.
|
||
* tpm2_getekcertificate:
|
||
- Add option --raw to output EK certificate in URL safe variant base64
|
||
encoded format. By default it outputs a PEM formatted certificate.
|
||
- The tool can now output INTC and non INTC EK certificates from NV
|
||
indices specified by the TCG EK profile specification.
|
||
* tpm2_activatecredential:
|
||
- The secret data input can now be specified as stdin with -s option.
|
||
- The public key used for encryption can be specified as -u to make it
|
||
similar to rest of the tools specifying a public key. The old -e
|
||
option is retained for backwards compatibility.
|
||
- Add option to specify the key algorithm when the input public key is in
|
||
PEM format using the new option -G, --key-algorithm. Can specify
|
||
either RSA/ECC. When this option is used, input public key is expected
|
||
to be in PEM format and the default TCG EK template is used for the key
|
||
properties.
|
||
* tpm2_checkqoute:
|
||
- Add EC support.
|
||
- Support loading tss signatures.
|
||
- Support loading tpm2 pcrread PCR values by specifying the PCR
|
||
selection using the new option -l, --pcr-list.
|
||
- Added support for automatically detecting the signature format. With
|
||
this -F, --format option is retained for backwards compatibility but
|
||
it is deprecated.
|
||
* tpm2_createak: add option to output qualified name with new option
|
||
-q, --ak-qualified-name.
|
||
* tpm2_policypcr: Add option for specifying cumulative hash of PCR's as an argument.
|
||
* tpm2_readpublic: Add option to output qualified name using the new option
|
||
-q, --qualified-name.
|
||
* tpm2_print:
|
||
- Support printing TPM2B_PUBLIC data structures.
|
||
- Support printing TPMT_PUBLIC data structures.
|
||
* tpm2_send: Add support for handling sending and receiving command and
|
||
response buffer for multiple commands.
|
||
* tpm2_verifysignature: Added support for verifying RSA-PSS signatures.
|
||
* tpm2_eventlog:
|
||
- Add handling of sha1 log format.
|
||
- Add fixes for eventlog output to be proper YAML.
|
||
- Add support for sha384, sha512, sm3_256 PCR hash algorithms.
|
||
- Add support for computing PCR values based on the events.
|
||
* tpm2_tools (all):
|
||
- Set stdin/stdout to non-buffering.
|
||
- Added changes for FreeBSD portability.
|
||
|
||
- Bug fixes
|
||
|
||
* Fix printing short options when no ascii character is used.
|
||
|
||
* OpenSSL: Fix deprecated OpenSSL functions. ECC Functions with suffix
|
||
GFp will become deprecated (DEPRECATED_1_2_0).
|
||
|
||
* tpm2_eventlog: output EV_POST_CODE as string not firmware blob to be
|
||
compliant with TCG PC Client FPF section 2.3.4.1 and 9.4.12.3.4.1
|
||
|
||
* Fix missing handle maps for ESY3 handle breaks. See #1994.
|
||
|
||
* tpm2_rsaencrypt: fix OAEP RSA encryption failing to invalid hash selection.
|
||
|
||
* tpm2_rsadecrypt: fix OAEP RSA decryption failing to invalid hash selection.
|
||
|
||
* tpm2_sign: fix for signing failures with restricted signing keys when
|
||
input data to sign is not a digest, rather the full message. The
|
||
validation ticket creation process defaults to the owner hierarchy and
|
||
so in order to choose other hierarchies the tpm2_hash tool should be
|
||
used instead.
|
||
|
||
* tpm2_print: fix segfault when -t option is omitted by appropriately
|
||
warning of the required option.
|
||
|
||
* tpm2_nvdefine: fix for default size when size is not specified by
|
||
invoking TPM2_CC_GetCapability.
|
||
|
||
* Fix for an issue where the return code for unsupported algorithms was
|
||
tool_rc_general instead of tool_rc_unsupported in tpm2_create and
|
||
tpm2_createprimary tools.
|
||
|
||
* Fix for an issue where RSA_PSS signature verification caused failures.
|
||
|
||
* tpm2_nvreadpublic, tpm2_kdfa, tpm2_checkquote, tpm2_quote:
|
||
Fixes for issues with interoperability of the attestation tools between
|
||
big and little endian platforms.
|
||
|
||
* tss2_*:
|
||
- Fix bash-completion for tss2_pcrextend and tss2_verifysignature
|
||
- Add force option to tss2_list
|
||
- Make force option consistent in all fapi tools
|
||
- Do not decode non-TPM errors
|
||
- Enhance integration tests to test changes of optional/mandatory parameters
|
||
- Add --hex parameter to tss2_getrandom
|
||
- Fix autocompletion issue
|
||
- Switch tss2_* to with-"="-style
|
||
- Add size parameter to tss2_createseal
|
||
- References to the cryptographic profile (fapi-profile(5)) and config file
|
||
- (fapi-config(5)) man pages from all relevant tss2_* man pages.
|
||
- Fix policy branch selection menu item from 1 to 0.
|
||
- Documentation
|
||
* wiki pages have been removed and data has been migrated to
|
||
tpm2-software.github.io portal's tutorial section.
|
||
|
||
* Fix the problem with man and no-man help output for tools were not
|
||
correctly displayed.
|
||
|
||
* man:
|
||
|
||
- tpm2_create: Correct max seal data size from 256 bytes to 128 bytes.
|
||
|
||
- tpm2_nvread: Fix manpage example.
|
||
|
||
- tpm2_nvwrite: Added missing information on how to specify the NV index as
|
||
an argument.
|
||
|
||
- tpm2_unseal: Add end-to-end example.
|
||
|
||
- tpm2_nvincrement: Fix incorrect commands in example section.
|
||
|
||
- tpm2_hmac: Fix the example section.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 22 11:58:16 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||
|
||
- update to version 4.3:
|
||
- changes in version 4.3:
|
||
- tss2_*: Fix double-free errors in commands asking for password authorization
|
||
- tss2_*: Fix shorthand command -f that was falsely requiring an argument
|
||
- tss2_*: Update tss2_encrypt to the new FAPI interface
|
||
- The argument 'policyPath' is removed which was never read anyway
|
||
- tss2_*: Remove the additional '\n' that was appended when redirecting to stdout
|
||
- tss2_*: Update mandatory vs optional treatment of arguments according to latest Fapi spec
|
||
- tss2_*: tss2_getinfo now retrieves the correct FAPI version from Fapi_GetInfo
|
||
- tss2_*: Fix the error handling in case of multiple inputs and/or outputs from stdin/stdout
|
||
- tss2_*: Fix syntax errors and update content of man pages according to latest Fapi spec
|
||
- tss2_*: Add parameter types to all man page
|
||
- tss2_*: tss2_setappdata now reads from file or stdin allowing to store also binary data
|
||
- tss2_*: Memory leaks are fixed in cases when a returned empty non-char output value was passed to file output
|
||
- tss2_pcrextend: fix extending PCR 0
|
||
- tss2_quote: fix unused TSS2_RC in LOG_ERR
|
||
- changes in 4.2.1:
|
||
- Fix missing handle maps for ESY3 handle breaks. See #1994.
|
||
- Bump ESYS minimum dependency version from 2.3.0 to 2.4.0.
|
||
- Fix for loop declarations build error.
|
||
- changes in 4.2:
|
||
- Fix various issues reported by static analysis tools.
|
||
- Add integration test for ECC based getekcertificate.
|
||
- Fix for issue #1959 where ARM builds were failing.
|
||
- Add a check in autotools to add "expect" as a package dependency for fapi tools.
|
||
- tpm2_createek: Drop the unused -p or --ek-auth option
|
||
- tpm2_policyor: List of policy files should be specified as an argument
|
||
- instead of -l option. The -l option is still retained for backwards
|
||
- compatibility. See issue#1894.
|
||
- tpm2_eventlog: add a tool for parsing and displaying the event log.
|
||
- tpm2_createek: Fix an issue where the template option looked for args
|
||
- tpm2_hierarchycontrol: Fixed bug where tool operation failed silently
|
||
- tpm2_nvdefine: Fixed an issue where text output suggested failures as passes
|
||
- tpm2_certify: Add an example usage in man page
|
||
- tpm2_policyor: Fix a bug where tool failed silently when no input were given
|
||
- tpm2_getekcertificate: Intel (R) PTT EK cert web portal is set as default address
|
||
- tpm2_alg_util.c: Fix a bug where string rsa3072 was not parsed
|
||
- .ci/download-deps.sh: Change tss dependency to 2.4.0 to acquire SAPI handles for cpHash calculations
|
||
- tpm2_policycphash: Add a tool to implement enhanced authorization with cpHash of a command
|
||
- Add options to tools to enable cpHash outputs: tpm2_nvsetbits, tpm2_nvextend,
|
||
tpm2_nvincrement, tpm2_nvread, tpm2_nvreadlock, tpm2_writelock, tpm2_nvdefine,
|
||
tpm2_nvundefine, tpm2_nvcertify, tpm2_policynv, tpm2_policyauthorizenv,
|
||
tpm2_policysecret, tpm2_create, tpm2_load, tpm2_activatecredential, tpm2_unseal,
|
||
tpm2_changeauth, tpm2_duplicate, tpm2_import, tpm2_rsadecrypt, tpm2_certify,
|
||
tpm2_certifycreation, tpm2_hierarchycontrol, tpm2_setprimarypolicy, tpm2_clearcontrol,
|
||
tpm2_dictionarylockout, tpm2_evictcontrol, tpm2_setclock, tpm2_clockrateadjust,
|
||
tpm2_clear, tpm2_nvwrite, tpm2_encryptdecrypt, tpm2_hmac.
|
||
- tpm2_import: Fix an issue where the imported key always required to have a policy
|
||
- tpm2_policysecret: Fix an issue where authorization model was fixed to password only
|
||
- Feature API (FAPI) tools added. These additional set of tools implement utilities
|
||
- using the FAPI which was added to the tpm2-tss v2.4.4:
|
||
tss2_decrypt, tss2_encrypt, tss2_list, tss2_changeauth, tss2_delete,
|
||
tss2_import, tss2_getinfo, tss2_createkey, tss2_createseal, tss2_exportkey,
|
||
tss2_getcertificate, tss2_getplatformcertificates, tss2_gettpmblobs,
|
||
tss2_getappdata, tss2_setappdata, tss2_setcertificate, tss2_sign,
|
||
tss2_verifysignature, tss2_verifyquote, tss2_createnv, tss2_nvextend,
|
||
tss2_nvincrement, tss2_nvread, tss2_nvsetbits, tss2_nvwrite,
|
||
tss2_getdescription, tss2_setdescription, tss2_pcrextend, tss2_quote,
|
||
tss2_pcrread, tss2_authorizepolicy, tss2_exportpolicy, tss2_import,
|
||
tss2_provision, tss2_getrandom, tss2_unseal, tss2_writeauthorizenv
|
||
- tpm2_policycountertimer: Fix an issue where operandB array was reversed causing faulty comparisons.
|
||
- changes in 4.1.1:
|
||
- tpm2_certify: Fix output of attestation data including size field. Now outputs just bytes.
|
||
- tpm2_certifycreation: Fix tool to match manpage where the code had the -C and -c options reversed.
|
||
- tpm2_gettime: Fix output of attestation data including size field. Now outputs just bytes.
|
||
- tpm2_nvcertify: Fix output of attestation data including size field. Now outputs just bytes.
|
||
- tpm2_nvreadpublic: add name hash output.
|
||
- tpm2_import: Support object policies when importing raw key material.
|
||
- Fix overflow in pcrs.h where sizeof() was used instead of ARRAY_LEN().
|
||
- build:
|
||
- Fix compilation issue: lib/tpm2_hash.c:17:19: note: 'left' was declared here.
|
||
- man:
|
||
- Fix manpage examples that have "sha" instead of "sha1"
|
||
- tpm2_shutdown manpage was missing, add it to build.
|
||
- Fix manpage example for tpm2_createak's tpm2_evictcontrol example.
|
||
- Remove fix_bad_bufsize.patch: is now contained in upstream tarball
|
||
- Adjust fix_bogus_warning.patch: one hunk no longer applies, upstream code
|
||
changed.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 11 13:29:12 UTC 2019 - matthias.gerstner@suse.com
|
||
|
||
- add fix_bad_bufsize.patch: fixes findings from compile time fread() checks
|
||
that indicate bad buffer size specification.
|
||
- add fix_bogus_warning.patch: fixes `maybe-unitialized` warnings that are
|
||
bogus, since the variables in questions will be initialized in any case
|
||
later on.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 11 12:35:52 UTC 2019 - matthias.gerstner@suse.com
|
||
|
||
- update to major version 4.1:
|
||
- changes in version 4.1:
|
||
* tpm2_certifycreation: New tool enabling command TPM2_CertifyCreation.
|
||
|
||
* tpm2_checkquote:
|
||
- Fix YAML output bug.
|
||
- -g option for specifying hash algorithm is optional and defaults to
|
||
sha256.
|
||
|
||
* tpm2_changeeps: A new tool for changing the Endorsement hierarchy
|
||
primary seed.
|
||
|
||
* tpm2_changepps: A new tool for changing the Platform hierarchy primary seed.
|
||
|
||
* tpm2_clockrateadjust: Add a new tool for modifying the period on the TPM.
|
||
|
||
* tpm2_create: Add tool options for specifying output data for use in
|
||
certification
|
||
- --creation-data to save the creation data
|
||
- --creation-ticket or -t to save the creation ticket
|
||
- --creation-hash or -d to save the creation hash
|
||
- --template-data for saving the template data of the key
|
||
- --outside-info or -q for specifying unique data to include in creation data.
|
||
- --pcr-list or -l Add option to specify pcr list to add to creation data.
|
||
|
||
* tpm2_createprimary: Add tool options for specifying output data for use
|
||
in certification
|
||
- --creation-data to save the creation data
|
||
- --creation-ticket or -t to save the creation ticket
|
||
- --creation-hash or -d to save the creation hash
|
||
- --template-data for saving the template data of the key
|
||
- --outside-info or -q for specifying unique data to include in creation data.
|
||
- --pcr-list or -l Add option to specify pcr list to add to creation data.
|
||
|
||
* tpm2_evictcontrol:
|
||
- Fix bug in automatic persistent handle selection when
|
||
hierarchy is platform.
|
||
- Fix bug in YAML key action where action was wrong when using ESYS_TR.
|
||
|
||
* tpm2_getcap: clean up remanenats of -c option in manpages and tool output.
|
||
|
||
* tpm2_gettime: Add a new tool for retrieving a signed timestamp from a TPM.
|
||
|
||
* tpm2_nvcertify: Add a new tool for certifying the contents of an NV index.
|
||
|
||
* tpm2_nvdefine:
|
||
- Support default set of attributes so -a is not mandatory.
|
||
- Support searching for free index if an index isn't specified.
|
||
|
||
* tpm2_nvextend: Add a new tool for extending an NV index similair to a PCR.
|
||
|
||
* tpm2_nvreadpublic:
|
||
- Support specifying nv index to read public data from as argument.
|
||
|
||
* tpm2_nvsetbits: Add a new tool for setting the values of PCR with type
|
||
"bits".
|
||
|
||
* tpm2_nvundefine: Add support for deleting NV indices with attribute
|
||
`TPMA_NV_POLICY_DELETE` set using NV Undefine Special command.
|
||
|
||
* tpm2_nvwritelock: Add a new tool for setting a write lock on an NV index
|
||
or globally locking nv indices with TPMA_NV_GLOBALLOCK.
|
||
|
||
* tpm2_policyauthorizenv: New tool enabling signed, revocable policies.
|
||
|
||
* tpm2_policyauthvalue: New tool enabling authorization to be bound to the
|
||
authorization of another object.
|
||
|
||
* tpm2_policycountertimer: Add a new tool for enabling policy bound to TPM
|
||
clock or timer values.
|
||
|
||
* tpm2_policynamehash: Add a new tool for specifying policy based on object
|
||
name.
|
||
|
||
* tpm2_policynv: Add a new tool for specifying policy based on NV contents.
|
||
|
||
* tpm2_nvwritten: Add a new tool for specifying policy based on whether or not
|
||
an NV index was written to.
|
||
|
||
* tpm2_policysecret: Add tool options for specifying
|
||
- --expiration or -t
|
||
- --ticket
|
||
- --timeout
|
||
- --nonce-tpm or -x
|
||
- --qualification or -q
|
||
|
||
* tpm2_policysigned: New tool enabling policy command TPM2_PolicySigned.
|
||
|
||
* tpm2_policytemplate: New tool enabling policy command TPM2_PolicyTemplate.
|
||
|
||
* tpm2_policyticket: New tool enabling policy command TPM2_PolicyTicket.
|
||
|
||
* tpm2_readclock: Add a new tool for reading the TPM clock.
|
||
|
||
* tpm2_setclock: Add a new tool for setting the TPM clock.
|
||
|
||
* tpm2_setprimarypolicy: New tool setting policy on hierarchies.
|
||
|
||
* tpm2_shutdown: Add a new tool for issuing a TPM shutdown command.
|
||
|
||
* misc:
|
||
- Support "tpmt" as a public key output format that only saves the TPMT
|
||
structure.
|
||
- Qualifying data or extra data in many tools can be hex array string or
|
||
binary file.
|
||
- Add support for specifying NV index type when specifying NV attributes.
|
||
- Support added for tools to run on FreeBSD.
|
||
- Skip and notify of action that man pages will not install if the package
|
||
pandoc is missing.
|
||
- Fix precedence issue with bitwise operator order int tpm2_getcap
|
||
- travis: bump abrmd version 2.3.0
|
||
- tpm2_util.c: Fix an issue int variable size was checked against uint
|
||
- pcr.c: Fix buffer length issue to support all defined hash algorithm
|
||
|
||
- changes in version 4.0.1:
|
||
|
||
* tpm2_checkquote: Fix YAML output bug.
|
||
|
||
- changes in version 4.0:
|
||
|
||
* tpm2_activatecredential:
|
||
- --context is now --credentialedkey-context.
|
||
- --key-context is now --credentialkey-context.
|
||
- --Password is now --credentialedkey-auth.
|
||
- --endorse-passwd is now --credentialkey-auth.
|
||
- --in-file is now --credential-secret.
|
||
- --out-file is now --certinfo-data.
|
||
- -f becomes -i.
|
||
- -k becomes -C.
|
||
- -e becomes -E.
|
||
|
||
* tpm2_certify:
|
||
- --halg is now --hash-algorithm.
|
||
- --obj-context is now --certifiedkey-context.
|
||
- --key-context is now --signingkey-context.
|
||
- --pwdo is now --certifiedkey-auth.
|
||
- --pwdk is now --signingkey-auth.
|
||
- -a becomes -o.
|
||
- -k becomes -p.
|
||
- -c becomes -C.
|
||
- -k becomes -K.
|
||
|
||
* tpm2_changeauth:
|
||
- New tool for changing the authorization values of:
|
||
- Hierarchies
|
||
- NV
|
||
- Objects
|
||
- Replaces tpm2_takeownership with more generic functionality.
|
||
|
||
* tpm2_checkquote:
|
||
- --halg is now --hash-algorithm.
|
||
- --pcr-input-file is now --pcr.
|
||
- --pubfile is now --public.
|
||
- --qualify-data is now --qualification.
|
||
- -f becomes -F.
|
||
- -F becomes -f.
|
||
- -G becomes -g.
|
||
|
||
* tpm2_clear:
|
||
- --lockout-passwd is now --auth-lockout.
|
||
|
||
* tpm2_clearcontrol:
|
||
- New tool for enabling or disabling tpm2_clear commands.
|
||
|
||
* tpm2_create
|
||
- --object-attributes is now --attributes.
|
||
- --pwdp is now --parent-auth.
|
||
- --pwdo is now --key-auth.
|
||
- --in-file is now --sealing-input.
|
||
- --policy-file is now --policy.
|
||
- --pubfile is now --public.
|
||
- --privfile is now --private.
|
||
- --out-context is now --key-context.
|
||
- --halg is now --hash-algorithm.
|
||
- --kalg is now --key-algorithm.
|
||
- -o becomes -c.
|
||
- -K becomes -p.
|
||
- -A becomes -b.
|
||
- -I becomes -i.
|
||
- -g becomes an optional option.
|
||
- -G becomes an optional option.
|
||
- Supports TPM command CreateLoaded via -c.
|
||
|
||
* tpm2_createak:
|
||
- Renamed from tpm2_getpubak
|
||
|
||
* tpm2_createek:
|
||
- renamed from tpm2_getpubek
|
||
|
||
* tpm2_createpolicy:
|
||
- --out-policy-file is now --policy.
|
||
- --policy-digest-alg is now --policy-algorithm.
|
||
- --auth-policy-session is now --policy-session.
|
||
- -L becomes -l.
|
||
- -F becomes -f.
|
||
- -f becomes -o.
|
||
- Removed option --set-list with short option -L.
|
||
- Removed option --pcr-input-file with short option -F.
|
||
- Pcr policy options replaced with pcr password mini language.
|
||
- Removed short option a for specifying auth session. Use long option --policy-session.
|
||
- Removed short option -P for specifying pcr policy. Use long option --policy-pcr.
|
||
|
||
* tpm2_createprimary:
|
||
- --object-attributes is now --attributes.
|
||
- -o is now -c
|
||
- --pwdp is now --hierarchy-auth.
|
||
- --pwdk is now --key-auth.
|
||
- --halg is now --hash-algorithm.
|
||
- --kalg is now --key-algorithm.
|
||
- --context-object is now --key-context.
|
||
- --policy-file is now --policy.
|
||
- support for unique field when creating objects via -u
|
||
- saves a context file for the generated primary's handle to disk via -c.
|
||
- -A becomes -a.
|
||
- -K becomes -p.
|
||
- -H becomes -C.
|
||
- -g becomes optional.
|
||
- -G becomes optional.
|
||
|
||
* tpm2_dictionarylockout:
|
||
- --lockout-passwd is now --auth.
|
||
- -P becomes -p.
|
||
|
||
* tpm2_duplicate:
|
||
- New tool for duplicating TPM objects.
|
||
|
||
* tpm2_encryptdecrypt:
|
||
- --pwdk is now --auth.
|
||
- --out-file is now --output.
|
||
- -D becomes -d.
|
||
- -I becomes an argument.
|
||
- -P becomes -p.
|
||
- Support IVs via -t or --iv.
|
||
- Support modes via -G.
|
||
- Support padding via -e or --pad.
|
||
- Supports input and output to stdin and stdout respectively.
|
||
|
||
* tpm2_evictcontrol:
|
||
- --auth is now --hierarchy.
|
||
- --context is now --object-context.
|
||
- --pwda is now --auth.
|
||
- --persistent with short option -S is now an argument.
|
||
- -A becomes -C.
|
||
- Added option --output -o to serialize handle to disk.
|
||
- Removed option --handle with short option -H.
|
||
- Raw object-handles and object-contexts are commonly handled with object
|
||
handling logic.
|
||
- Removed option --input-session-handle with short option -i.
|
||
- Authorization session is now part of password mini language.
|
||
|
||
* tpm2_getcap:
|
||
- -c becomes an argument.
|
||
- Most instances of value replaced with raw in YAML output.
|
||
- TPM2_PT_MANUFACTURER displays string value and raw value.
|
||
- Supports --pcr option for listing hash algorithms and bank numbers.
|
||
|
||
* tpm2_getekcertificate:
|
||
- Renamed from tpm2_getmanufec
|
||
|
||
* tpm2_getmanufec:
|
||
- Renamed the tool to tpm2_getekcertificate.
|
||
- Removed ek key creation and management logic.
|
||
- Added option for getting ek cert for offline platform via -x.
|
||
- Support for ECC keys.
|
||
- --ec-cert is now --ek-certificate,
|
||
- --untrusted is now --allow-unverified,
|
||
- --output is now --ek-public,
|
||
- -U is now -X.
|
||
- -O is now -x.
|
||
- -f becomes -o.
|
||
- Removed option -P or --endorse-passwd.
|
||
- Removed option -p or --ek-passwd.
|
||
- Removed option -w or --owner-passwd.
|
||
- Removed option -H or --persistent-handle.
|
||
- Removed option -G or --key-algorithm.
|
||
- Removed option -N or --non-persistent.
|
||
- Removed option -O or --offline.
|
||
|
||
* tpm2_getpubak:
|
||
- renamed to tpm2_createak.
|
||
- -f becomes -p and -f is used for format of public key output.
|
||
- --auth-endorse is now --eh-auth.
|
||
- --auth-ak is now --ak-auth.
|
||
- --halg is now --hash-algorithm.
|
||
- --kalg is now --key-algorithm.
|
||
- -e becomes -P.
|
||
- -P becomes -p.
|
||
- -D becomes -g.
|
||
- -p becomes -u.
|
||
- --context becomes --ak-context.
|
||
- --algorithm becomes --kalg.
|
||
- --digest-alg becomes --halg.
|
||
- --privfile becomes --private.
|
||
- remove -k persistant option. Use tpm2_evictcontrol.
|
||
- Fix -o option to -w.
|
||
- now saves a context file for the generated primary's handle to disk.
|
||
- -E becomes -e.
|
||
- -g changes to -G.
|
||
- support for non-persistent AK generation.
|
||
|
||
* tpm2_getpubek:
|
||
- renamed to tpm2_createek
|
||
- --endorse-passwd is now --eh-auth.
|
||
- --owner-passwd is now --owner-auth.
|
||
- --ek-passwd is now --ek-auth.
|
||
- --file is now --public.
|
||
- --context is now --ek-context.
|
||
- --algorithm is now --key-algorithm.
|
||
- -e is now -P.
|
||
- -P is now -p.
|
||
- -p is now -u.
|
||
- -o is now -w.
|
||
- -g is now -G.
|
||
- Support for saving a context file for the generated primary keys handle
|
||
to disk.
|
||
- support for non-persistent EK generation.
|
||
- -f is now -p.
|
||
- -f support for format of public key output.
|
||
|
||
* tpm2_getrandom:
|
||
- change default output to binary.
|
||
- add --hex option for output to hex format.
|
||
- --out-file is now --output.
|
||
- bound input request on max hash size per spec, allow -f to override this.
|
||
|
||
* tpm_gettestresult:
|
||
- new tool for getting test results.
|
||
|
||
* tpm2_hash:
|
||
- add --hex for specifying hex output.
|
||
- default output of hash to stdout.
|
||
- default output of hash as binary.
|
||
- remove output of ticket to stdout.
|
||
- --halg is now --hash-algorithm.
|
||
- --out-file is now --output.
|
||
- -a is now -C.
|
||
- -H is now -a.
|
||
|
||
* tpm2_hmac:
|
||
- add -t option for specifying ticket result.
|
||
- --out-file is now --output.
|
||
- --auth-key is now --auth.
|
||
---algorithm is now --hash-algorithm.
|
||
- --pwdk is now --auth-key.
|
||
- -C is now -c.
|
||
- -P is now -p.
|
||
|
||
* tpm2_hierarchycontrol:
|
||
- new tool added for enabling or disabling the use
|
||
of a hierarchy and its associated NV storage.
|
||
|
||
* tpm2_import:
|
||
- --object-attributes is now --attributes.
|
||
- --auth-parent is now --parent-auth.
|
||
- --auth-key is now --key-auth.
|
||
- --algorithm is now --key-algorithm.
|
||
- --in-file is now --input.
|
||
- --parent-key is now --parent-context.
|
||
- --privfile is now --private.
|
||
- --pubfile is now --public.
|
||
- --halg is now --hash-algorithm.
|
||
- --policy-file is now --policy.
|
||
- --sym-alg-file is now --encryption-key.
|
||
- -A is now -b.
|
||
- -k is now -i.
|
||
- support OSSL style -passin argument as --passin for PEM file passwords.
|
||
- support additional import key types:
|
||
- RSA1024/2048.
|
||
- AES128/192/256.
|
||
- -q changes to -u to align with tpm2_loads public/private output arguments.
|
||
- Supports setting object name algorithm via -g.
|
||
- support specifying parent key with a context file.
|
||
- --parent-key-handle/-H becomes --parent-key/-C
|
||
- Parent public data option is optional and changes from `-K` to `-U`.
|
||
- Supports importing external RSA 2048 keys via pem files.
|
||
- Supports ECC Parent keys.
|
||
|
||
* tpm2_incrementalselftest:
|
||
- Add tool to test support of specific algorithms.
|
||
|
||
* tpm2_listpersistent:
|
||
- deleted as tpm2_getcap and tpm2_readpublic can be used instead.
|
||
|
||
* tpm2_load:
|
||
- -o is now -c.
|
||
- --context-parent is now --parent-context.
|
||
- --auth-parent is now --auth.
|
||
- --pubfile is now --public.
|
||
- --privfile is now --private.
|
||
- --out-context is now --key-context.
|
||
- now saves a context file for the generated primary's handle to disk.
|
||
- Option `--pwdp` changes to `--auth-parent`.
|
||
|
||
* tpm2_loadexternal:
|
||
- --object-attributes is now --attributes.
|
||
- -o is now -c
|
||
- --key-alg is now --key-algorithm.
|
||
- --pubfile is now --public.
|
||
- --privfile is now --private.
|
||
- --auth-key is now --auth.
|
||
- --policy-file is now --policy.
|
||
- --halg is now --hash-algorithm.
|
||
- --out-context is now --key-context.
|
||
- Remove unused -P option.
|
||
- -H is now -a.
|
||
- Fix -A option to -b for attributes.
|
||
- now saves a context file for the generated primary's handle to disk.
|
||
- support OSSL style -passin argument as --passin for PEM file passwords.
|
||
- name output to file and stdout. Changes YAML stdout output.
|
||
- ECC Public and Private PEM support.
|
||
- AES Public and Private "raw file" support.
|
||
- RSA Public and Private PEM support.
|
||
- Object Attribute support.
|
||
- Object authorization support.
|
||
- Default hierarchy changes to the *null* hierarchy.
|
||
|
||
* tpm2_makecredential:
|
||
- --out-file is now --credential-blob
|
||
- --enckey is now --encryption-key.
|
||
- Option `--sec` changes to `--secret`.
|
||
|
||
* tpm2_nvdefine:
|
||
- --handle-passwd is now --hierarchy-auth.
|
||
- --index-passwd is now --index-auth.
|
||
- --policy-file is now --policy.
|
||
- --auth-handle is now --hierarchy.
|
||
- -a becomes -C.
|
||
- -t becomes -a.
|
||
- -I becomes -p.
|
||
- Removed option --index with short option -x. It is now an argument.
|
||
- Removed option --input-session-handle with short option -S.
|
||
- Authorization session is now part of password mini language.
|
||
|
||
* tpm2_nvincrement:
|
||
- New tool to increment value of a Non-Volatile (NV) index setup as a
|
||
counter.
|
||
|
||
* tpm2_nvlist:
|
||
- tpm2_nvlist is now tpm2_nvreadpublic.
|
||
|
||
* tpm2_nvread:
|
||
- --handle-passwd is now --auth.
|
||
- --auth-handle is now --hierarchy.
|
||
- -a becomes -C.
|
||
- Removed option --index with short option -x. It is now an argument.
|
||
- Removed short option -o for specifying offset. Use long option --offset.
|
||
- Removed option --input-session-handle with short option -S.
|
||
- Authorization session is now part of password mini language.
|
||
- Removed option --set-list with short option -L.
|
||
- Removed option --pcr-input-file with short option -F.
|
||
- Pcr policy options replaced with pcr password mini language.
|
||
- fix a buffer overflow.
|
||
|
||
* tpm2_nvreadlock:
|
||
- --handle-passwd is now --auth.
|
||
- --auth-handle is now --hierarchy.
|
||
- -a becomes -C.
|
||
- Removed option --index with short option -x. It is now an argument.
|
||
- Removed option --input-session-handle with short option -S.
|
||
- Authorization session is now part of password mini language.
|
||
|
||
* tpm2_nvwrite:
|
||
- --handle-passwd is now --auth.
|
||
- --auth-handle is now --hierarchy.
|
||
- -a becomes -C.
|
||
- Removed option --index with short option -x. It is now an argument.
|
||
- Removed short option -o for specifying offset. Use long option --offset.
|
||
- Removed option --input-session-handle with short option -S.
|
||
- Authorization session is now part of password mini language.
|
||
- Removed option --set-list with short option -L.
|
||
- Removed option --pcr-input-file with short option -F.
|
||
- Pcr policy options replaced with pcr password mini language.
|
||
|
||
* tpm2_nvrelease:
|
||
- --handle-passwd is now --auth.
|
||
- --auth-handle is now --hierarchy.
|
||
- -a becomes -C.
|
||
- Removed option --index with short option -x. It is now an argument.
|
||
- Removed option --input-session-handle with short option -S.
|
||
- Authorization session is now part of password mini language.
|
||
|
||
* tpm2_nvundefine:
|
||
- Renamed from tpm2_nvrelease.
|
||
|
||
* tpm2_pcrallocate:
|
||
- New tool for changing the allocated PCRs of a TPM.
|
||
|
||
* tpm2_pcrevent:
|
||
- --password is now --auth.
|
||
- Removed option --pcr-index with short option -i.
|
||
- PCR index is now specified as an argument.
|
||
- Removed option --input-session-handle with short option -S.
|
||
- Authorization session is now part of password mini language.
|
||
|
||
* tpm2_pcrlist:
|
||
- -gls options go away with -g and -l becoming a single argument.
|
||
|
||
* tpm2_pcrread:
|
||
- Renamed from tpm2_pcrlist.
|
||
|
||
* tpm2_print:
|
||
- New tool that decodes a TPM data structure and prints enclosed elements
|
||
to stdout as YAML.
|
||
|
||
* tpm2_policyauthorize:
|
||
- New tool that allows for policies to change by associating the policy to
|
||
a signing authority essentially allowing the auth policy to change.
|
||
|
||
* tpm2_policycommandcode:
|
||
- New tool to restricts TPM object authorization to specific TPM commands.
|
||
|
||
* tpm2_policyduplicationselect:
|
||
- New tool for creating a policy to restrict duplication to a new parent
|
||
and or duplicable object.
|
||
|
||
* tpm2_policylocality:
|
||
- New tool for creating a policy restricted to a locality.
|
||
|
||
* tpm2_policypcr:
|
||
- New tool to generate a pcr policy event that bounds auth to specific PCR
|
||
values in user defined pcr banks and indices.
|
||
|
||
* tpm2_policyor:
|
||
- New tool to compound multiple policies in a logical OR fashion to allow
|
||
multiple auth methods using a policy session.
|
||
|
||
* tpm2_policypassword:
|
||
- New tool to mandate specifying of the object password in clear using a
|
||
policy session.
|
||
|
||
* tpm2_policysecret:
|
||
- New tool to associate auth of a reference object as the auth of the new
|
||
object using a policy session.
|
||
|
||
* tpm2_quote:
|
||
- --ak-context is now --key-context.
|
||
- --ak-password is now --auth.
|
||
- --sel-list is now --pcr-list.
|
||
- --qualify-data is now --qualification-data.
|
||
- --pcrs is now --pcr.
|
||
- --sig-hash-algorithm is now --hash-algorithm.
|
||
- -P becomes -p
|
||
- -L becomes -l.
|
||
- -p becomes -o.
|
||
- -G becomes -g.
|
||
- -g becomes optional.
|
||
- Removed option --id-list with short option -l.
|
||
- Removed option --ak-handle with short option -k.
|
||
- Raw object-handles and object-contexts are commonly handled with object
|
||
handling logic.
|
||
|
||
* tpm2_readpublic:
|
||
- --opu is now --output.
|
||
- --context-object is now --object-context.
|
||
- Removed option --object with short option -H.
|
||
- Raw object-handles and object-contexts are commonly handled with object
|
||
handling logic.
|
||
- Added --serialized-handle for saving serialized ESYS_TR handle to disk.
|
||
- Added --name with short option -n for saving the binary name.
|
||
- Supports ECC pem and der file generation.
|
||
|
||
* tpm2_rsadecrypt:
|
||
- --pwdk is now --auth.
|
||
- --out-file is now --output.
|
||
- -P becomes -p.
|
||
- Added --label with short option -l for specifying label.
|
||
- Added --scheme with short option -s for specifying encryption scheme.
|
||
- Removed option -I or in-file input option and make argument.
|
||
- Removed option --key-handle with short option -k.
|
||
- Raw object-handles and object-contexts are commonly handled with object
|
||
handling logic.
|
||
- Removed option --input-session-handle with short option -S.
|
||
- Authorization session is now part of password mini language.
|
||
|
||
* tpm2_rsaencrypt:
|
||
- --out-file is now --output.
|
||
- Added --scheme with short option -s for specifying encryption scheme.
|
||
- Added --label with -l for specifying label.
|
||
- Removed option --key-handle with short option -k.
|
||
- Raw object-handles and object-contexts are commonly handled with object
|
||
handling logic.
|
||
- make output binary either stdout or file based on -o.
|
||
|
||
* tpm2_selftest:
|
||
- New tool for invoking tpm selftest.
|
||
|
||
* tpm2_send:
|
||
- --out-file is now --output.
|
||
|
||
* tpm2_sign:
|
||
- --pwdk is now --auth.
|
||
- --halg is now --hash-algorithm.
|
||
- --sig is now --signature.
|
||
- -P becomes -p.
|
||
- -s becomes -o.
|
||
- Added --digest with short option -d.
|
||
- Added --scheme with short option -s.
|
||
- Supports rsapss.
|
||
- Removed option --key-handle with short option -k.
|
||
- Raw object-handles and object-contexts are commonly handled with object
|
||
handling logic.
|
||
- Removed option --msg with short option -m.
|
||
- Make -d toggle if input is a digest.
|
||
- Removed option --input-session-handle with short option -S.
|
||
- Authorization session is now part of password mini language.
|
||
- Supports signing a pre-computed hash via -d.
|
||
|
||
* tpm2_startauthsession:
|
||
- New tool to start/save a trial-policy-session (default) or policy-
|
||
authorization-session with command line option --policy-session.
|
||
|
||
* tpm2_stirrandom:
|
||
- new command for injecting entropy into the TPM.
|
||
|
||
* tpm2_takeownership:
|
||
- split into tpm2_clear and tpm2_changeauth
|
||
|
||
* tpm2_testparms:
|
||
- new tool for querying tpm for supported algorithms.
|
||
|
||
* tpm2_unseal:
|
||
- --pwdk is now --auth.
|
||
- --outfile is now --output.
|
||
- --item-context is now --object-context.
|
||
- -P becomes -p
|
||
- Removed option --item with short option -H.
|
||
- Raw object-handles and object-contexts are commonly handled with object
|
||
handling logic.
|
||
- Removed option --input-session-handle with short option -S.
|
||
- Authorization session is now part of password mini language.
|
||
- Removed option --set-list with short option -L.
|
||
- Removed option --pcr-input-file with short option -F.
|
||
- Pcr policy options replaced with pcr password mini language.
|
||
|
||
|
||
* tpm2_verifysignature:
|
||
- --halg is now --hash-algorithm.
|
||
- --msg is now --message.
|
||
- --sig is now --signature.
|
||
- -D becomes -d.
|
||
- -t becomes optional.
|
||
- Issue warning when ticket is specified for a NULL hierarchy.
|
||
- Added option --format with short option -f.
|
||
- Removed option --raw with short option -r.
|
||
- Removed option --key-handle with short option -k.
|
||
- Raw object-handles and object-contexts are commonly handled with object
|
||
handling logic.
|
||
- Support routines for OpenSSL compatible format of public keys (PEM, DER) and
|
||
plain signature data without TSS specific headers.
|
||
|
||
* misc:
|
||
- cmac algorithm support.
|
||
- Add support for reading authorisation passwords from a file.
|
||
- Ported all tools from SAPI to ESAPI.
|
||
- Load TCTI's by SONAME, not raw .so file.
|
||
- system tests are now run with make check when --enable-unit is used in configure.
|
||
- Libre SSL builds fixed.
|
||
- Dynamic TCTIS. Support for pluggable TCTI modules via the -T or --tcti
|
||
options.
|
||
- test: system testing scripts moved into subordinate test directory.
|
||
- configure: enable code coverage option.
|
||
- env: add TPM2TOOLS_ENABLE_ERRATA to control the -Z or errata option.
|
||
affects all tools.
|
||
- Fix parsing bug in PCR mini-language.
|
||
- Fix misspelling of TPM2_PT_HR constants which effects tpm2_getcap output.
|
||
- configure option --with-bashcompdir for specifying bash completion
|
||
directory.
|
||
|
||
- changes in version 3.2.1:
|
||
|
||
* Fix invalid memcpy when extracting ECDSA plain signatures.
|
||
* Fix resource leak on FILE * in hashing routine.
|
||
* Correct PCR logic to prevent memory corruption bug.
|
||
* Errata handler fix.
|
||
|
||
- changes in version 3.2.0:
|
||
|
||
* fix configure bug for linking against libmu.
|
||
* tpm2_changeauth: Support changing platform hierarchy auth.
|
||
* tpm2_flushcontext: Introduce new tool for flushing handles from the TPM.
|
||
* tpm2_checkquote: Introduce new tool for checking validity of quotes.
|
||
* tpm2_quote: Add ability to output PCR values for quotes.
|
||
* tpm2_makecredential: add support for executing tool off-TPM.
|
||
* tpm2_pcrreset: introduce new tool for resetting PCRs.
|
||
* tpm2_quote: Fix AK auth password not being used.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 26 07:42:52 UTC 2019 - matthias.gerstner@suse.com
|
||
|
||
- update to minor version 3.1.4:
|
||
* Fix various man pages
|
||
* tpm2_getmanufec: fix OSSL build warnings
|
||
* Fix broken -T option
|
||
* Various build compatibility fixes
|
||
* Fix some unit tests
|
||
* Update build for recent autoconf-archive versions
|
||
* Install m4 files
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 6 10:44:52 UTC 2019 - matthias.gerstner@suse.com
|
||
|
||
- update to minor version 3.1.3:
|
||
- Restore support for the TPM2TOOLS_* env vars for TCTI configuration, in
|
||
addition to supporting the new unified TPM2TOOLS_ENV_TCTI
|
||
- Fix tpm2_getcap to print properties with the TPM_PT prefix, rather than
|
||
TPM2_PT
|
||
- Make test_tpm2_activecredential Python 3 compatible
|
||
- Fix tpm2_takeownership to only attempt to change the specified hierarchies
|
||
- use a _service file to sync with upstream tags
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 26 16:02:46 UTC 2018 - matthias.gerstner@suse.com
|
||
|
||
- update to minor version 3.1.2 (FATE#326270):
|
||
- Revert the change to use user supplied object attributes exclusively. This
|
||
is an inappropriate behavioural change for a MINOR version number
|
||
increment.
|
||
- Fix inclusion of object attribute specifiers section in tpm2_create and
|
||
tpm2_createprimary man pages.
|
||
- Use better object attribute defaults for authentication, preventing an
|
||
empty password being used for authentication when a policy is set.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 22 09:05:14 UTC 2018 - matthias.gerstner@suse.com
|
||
|
||
- update to minor version 3.1.1:
|
||
- Allow man page installation without pandoc being available
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jun 29 12:03:48 UTC 2018 - matthias.gerstner@suse.com
|
||
|
||
- update to major version 3.1.0:
|
||
- the tpm2 stack introduces an incompatible ABI to the previous version with
|
||
this update. There is no compatibility layer, libraries have new names
|
||
- install-man.patch: dropped, because we don't really need it
|
||
- tpm2.0-tools-fix-hardening.patch: contained in upstream tarball now
|
||
s etc.
|
||
- upstream changelog:
|
||
* tpm2_unseal: -P becomes -p
|
||
* tpm2_sign: -P becomes -p
|
||
* tpm2_nvreadlock: long form for -P is now --auth-hierarchy
|
||
* tpm2_rsadecrypt: -P becomes -p
|
||
* tpm2_nvrelease: long-form of -P becomes --auth-hierarchy
|
||
* tpm2_nvdefine: -I becomes -p
|
||
* tpm2_encryptdecrypt: -P becomes -p
|
||
* tpm2_dictionarylockout: -P becomes -p
|
||
* tpm2_createprimary: -K becomes -p
|
||
* tpm2_createak: -E becomes -e
|
||
* tpm2_certify: -k becomes -p
|
||
* tpm2_hash: -g changes to -G
|
||
* tpm2_encryptdecrypt: Support IVs via -i and algorithm modes via -G.
|
||
* tpm2_hmac: drop -g, just use the algorithm associated with the object.
|
||
* tpm2_getmanufec: -g changes to -G
|
||
* tpm2_createek: -g changes to -G
|
||
* tpm2_createak: -g changes to -G
|
||
* tpm2_verifysignature: -g becomes -G
|
||
* tpm2_sign: -g becomes -G
|
||
* tpm2_import: support specifying parent key with a context file,
|
||
--parent-key-handle/-H becomes --parent-key/-C
|
||
* tpm2_nvwrite and tpm2_nvread: when -P is "index" -a is optional and defaults to
|
||
the NV_INDEX value passed to -x.
|
||
* Load TCTI's by SONAME, not raw .so file
|
||
* tpm2_activatecredential: -e becomes -E
|
||
* tpm2_activatecredential: -e becomes -E
|
||
* tpm2_certify: -c and -C are swapped, -k becomes -K
|
||
* tpm2_createprimary: -K becomes -k
|
||
* tpm2_encryptdecrypt: supports input and output to stdin and stdout respectively.
|
||
* tpm2_create: -g/-G become optional options.
|
||
* tpm2_createprimary: -g/-G become optional options.
|
||
* tpm2_verifysignature - Option `-r` changes to `-f` and supports signature format "rsa".
|
||
* tpm2_import - Parent public data option, `-K` is optional.
|
||
* tpm2_import - Supports importing external RSA 2048 keys via pem files.
|
||
* tpm2_pcrlist: Option `--algorithm` changes to `--halg`, which is in line with other tools.
|
||
* tpm2_verifysignature: Option `-r` and `--raw` have been removed. This were unused within the tool.
|
||
* tpm2_hmac: Option `--algorithm` changes to `--halg`, which is in line with the manpage.
|
||
* tpm2_makecredential: Option `--sec` changes to `--secret`.
|
||
* tpm2_activatecredential: Option `--Password` changes to `--auth-key`.
|
||
* system tests are now run with make check when --enable-unit is used in configure.
|
||
* tpm2_unseal: Option `--pwdk` changes to `--auth-key`.
|
||
* tpm2_sign: Option `--pwdk` changes to `--auth-key`.
|
||
* tpm2_rsadecrypt: Option `--pwdk` changes to `--auth-key`.
|
||
* tpm2_quote: Option `--ak-passwd` changes to `--auth-ak`
|
||
* tpm2_pcrevent: Option `--passwd` changes to `--auth-pcr`
|
||
* tpm2_nvwrite: Options `--authhandle` and `--handle-passwd`
|
||
changes to `--hierarchy` and `--auth-hierarchy` respectively.
|
||
* tpm2_nvread: Options `--authhandle` and `--handle-passwd`
|
||
changes to `--hierarchy` and `--auth-hierarchy` respectively.
|
||
* tpm2_nvdefine: Options `--authhandle`, `--handle-passwd` and `--index-passwd`
|
||
changes to `--hierarchy`, `--auth-hierarchy` and `--auth-index`
|
||
respectively.
|
||
* tpm2_loadexternal: `-H` changes to `-a` for specifying hierarchy.
|
||
* tpm2_load: Option `--pwdp` changes to `--auth-parent`.
|
||
* tpm2_hmac: Option `--pwdk` changes to `--auth-key`.
|
||
* tpm2_hash: `-H` changes to `-a` for specifying hierarchy.
|
||
* tpm2_getmanufec: Options `--owner-passwd`, `--endorse-passwd`
|
||
* and `--ek-passwd`change to `--auth-owner`, `--auth-endorse`
|
||
and `--auth-ek` respectively.
|
||
* tpm2_evictcontrol: Option group `-A` and `--auth` changes to `-a` and `--hierarchy`
|
||
Option `--pwda` changes to `--auth-hierarchy`
|
||
* tpm2_encryptdecrypt: Option `--pwdk` changes to `--auth-key`.
|
||
* tpm2_dictionarylockout: Option `--lockout-passwd` changes to `--auth-lockout`
|
||
* tpm2_createprimary: Options `--pwdp` and `--pwdk` change to
|
||
`--auth-hierarchy` and `--auth-object` respectively.
|
||
* tpm2_createek: Options `--owner-passwd`, `--endorse-passwd`
|
||
* and `--ek-passwd`change to `--auth-owner`, `--auth-endorse`
|
||
and `--auth-ek` respectively.
|
||
* tpm2_createak: Options `--owner-passwd`, `--endorse-passwd`
|
||
* and `--ak-passwd`change to `--auth-owner`, `--auth-endorse`
|
||
and `--auth-ak` respectively.
|
||
* tpm2_create: Options `--pwdo` and `--pwdk` change to `--auth-object` and
|
||
`--auth-key` respectively.
|
||
* tpm2_clearlock: Option `--lockout-passwd` changes to `--auth-lockout`
|
||
* tpm2_clear: Option `--lockout-passwd` changes to `--auth-lockout`
|
||
* tpm2_changeauth: Options, `--old-owner-passwd`, `--old-endorse-passwd`,
|
||
and `--old-lockout-passwd` go to `--old-auth-owner`, `--old-auth-endorse`,
|
||
and `--old-auth-lockout` respectively.
|
||
* tpm2_certify: Options `--pwdo` and `--pwdk` change to `--auth-object` and
|
||
`--auth-key` respectively.
|
||
* tpm2_createprimary: `-H` changes to `-a` for specifying hierarchy.
|
||
* tpm2_createak: support for non-persistent AK generation.
|
||
* tpm2_createek: support for non-persistent EK generation.
|
||
* tpm2_getpubak renamed to tpm2_createak, -f becomes -p and -f is used for format of public key
|
||
output.
|
||
* tpm2_getpubek renamed to tpm2_createek, -f becomes -p and -f is used for format of public key
|
||
output.
|
||
* Libre SSL builds fixed.
|
||
* Dynamic TCTIS. Support for pluggable TCTI modules via the -T or --tcti options.
|
||
* tpm2_sign: supports signing a pre-computed hash via -D
|
||
* tpm2_clearlock: tool added
|
||
* test: system testing scripts moved into subordinate test directory.
|
||
* fix a buffer overflow in nvread/write tools.
|
||
* configure: enable code coverage option.
|
||
* tpm2_takeownership: split into tpm2_clear and tpm2_changeauth
|
||
* env: add TPM2TOOLS_ENABLE_ERRATA to control the -Z or errata option.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 5 09:55:43 UTC 2018 - matthias.gerstner@suse.com
|
||
|
||
- fix build after adding install-man.patch: autoreconf is needed again (sigh!)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 2 12:09:22 UTC 2018 - matthias.gerstner@suse.com
|
||
|
||
- install-man.patch: even after update to 3.0.4 the man pages are not
|
||
installed correctly. This patch fixes it locally.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 2 11:02:07 UTC 2018 - matthias.gerstner@suse.com
|
||
|
||
- update to version 3.0.4:
|
||
- Fix save and load for TPM2B_PRIVATE object.
|
||
- Use a default buffer size for tpm2_nv{read,write} if the TPM reports a 0 size.
|
||
- Fix --verbose and --version options crossover.
|
||
- Generate man pages from markdown and include them in the distribution tarball.
|
||
- Print usage summary if tools are executed with no options or man page can't be displayed.
|
||
- man pages will be shipped for SLE version now, too (pandoc dependency was removed)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 7 15:44:14 UTC 2018 - matthias.gerstner@suse.com
|
||
|
||
- disable pandoc for all but openSUSE, since pandoc never was on SLE
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 7 14:29:10 UTC 2018 - matthias.gerstner@suse.com
|
||
|
||
- disable pandoc/man pages generation on SLE-15, because pandoc is not
|
||
available there (and adding it would require two dozen additional haskell
|
||
packages)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 22 11:08:19 UTC 2018 - matthias.gerstner@suse.com
|
||
|
||
- update to version 3.0.3:
|
||
- various changes in tool options
|
||
- man pages are now in section 1 (formerly in section 8)
|
||
- tools are now installed in /usr/bin (formerly /usr/sbin)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 9 11:00:33 UTC 2017 - vcizek@suse.com
|
||
|
||
- update to version 2.1.1
|
||
* Potential memory leak fix when tcti/sapi initialization fails.
|
||
* tpm2_listpcrs: use TPM2_GetCapability to determine PCRs to read
|
||
* listpcrs: remove one redundant call to tpm get cap
|
||
* listpcrs: fix for unsupported/disabled alg in -L
|
||
* build: use supported comment to suppress GCC7 fallthrough warning
|
||
* kdfa: allow to build with OpenSSL 1.1.x (bsc#1067392)
|
||
- drop patches (upstream)
|
||
* 0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch
|
||
* tpm2.0-tools-fix-gcc7.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 21 14:32:13 UTC 2017 - matthias.gerstner@suse.com
|
||
|
||
- update to version 2.1.0:
|
||
- dropped 0002-kdfa-use-openssl-for-hmac-not-tpm.patch, was backported
|
||
upstream in commit 788a17abbe0000c560935ef9f31c9a6892d9ea33
|
||
- this version now can interact with the new resource manager tpm2.0-abrmd
|
||
- Upstream changes:
|
||
* Fix readx and writex on multiple EINTR returns.
|
||
* Add support for the tabrmd TCTI. This is the new default.
|
||
* Change default socket port from 2323 (the old resourcemgr) to 2321
|
||
(default simulator port).
|
||
* Cherry-pick fix for CVE-2017-7524.
|
||
* Fix tpm2_listpcr command line option handling.
|
||
* Fix tpm2_getmanufec memory issues.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 20 13:50:28 UTC 2017 - matthias.gerstner@suse.com
|
||
|
||
- added the new abrmd package to recommends, because the tools will otherwise
|
||
not function
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 29 09:45:45 UTC 2017 - matthias.gerstner@suse.com
|
||
|
||
- 0002-kdfa-use-openssl-for-hmac-not-tpm.patch: fixed unexpected leak of
|
||
cleartext password into the tpm when generating an HMAC in the context of
|
||
tpm_kdfa() (key derivation function) (bnc#1046402, CVE-2017-7524)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 20 08:35:29 UTC 2017 - matthias.gerstner@suse.com
|
||
|
||
- 0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch: fixed
|
||
tpm2_listpcrs aborting saying "too much pcrs to get!" (bnc#1044419)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jun 2 07:16:45 UTC 2017 - meissner@suse.com
|
||
|
||
- tpm2.0-tools-fix-hardening.patch: do not disable fortify,
|
||
do not use -Wstack-protector as it warns also for non-utilized
|
||
functions and then -Werror fails.
|
||
- tpm2.0-tools-fix-gcc7.patch: fixed gcc7 case fallthrough errors
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 10 11:52:40 UTC 2017 - matthias.gerstner@suse.com
|
||
|
||
- Major update to 2.0.0
|
||
- dropped fixes.patch, now part of the upstream version
|
||
- a set of man pages have been added to the package
|
||
- Upstream changes:
|
||
* Tracked on the milestone: https://github.com/01org/tpm2.0-tools/milestone/2
|
||
* Reworked all the tools to support configurable TCTIs, based on build time
|
||
configuration, one can specify the tcti via the --tcti (-T) option to all
|
||
tools.
|
||
* tpm2_getrandom interface made -s a positional argument.
|
||
* Numerous bug fixes.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 6 16:23:15 UTC 2017 - meissner@suse.com
|
||
|
||
- buildrequire pkgconfig
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 1 15:33:46 UTC 2017 - meissner@suse.com
|
||
|
||
- Updated to 1.1.0 / 016-11-04 (FATE#321509)
|
||
- Added
|
||
* travis ci support.
|
||
* Allow for unit tests to be enabled selectively.
|
||
* tpm2_rc_decode tool: Decode TPM_RC error codes.
|
||
* Android Make file
|
||
* tpm2_listpersistent: list all persistent objects
|
||
* test scripts for tpm2-tools
|
||
* tpm2_nvreadlock
|
||
* tpm2_getmanufec: retrieve EC from tpm manufacturer server.
|
||
* Copy 'common' and 'sample' code from the TPM2.0-TSS repo.
|
||
|
||
- Modified
|
||
* tpm2_takeownership: update option -c to use lockout password to clear.
|
||
* tpm2_listpcrs: add options -L and -s, rewrite to increase performance.
|
||
* tpm2_quote: added -L option to support selection of multiple banks.
|
||
* tpm2_quote: add -q option to get qualifying data.
|
||
* configure: Use pkg-config to get info about libcurl and libcrypto.
|
||
* configure: Use pkg-config to locate SAPI and TCTI headers / libraries.
|
||
* tpm2_x: Add -X option to enable password input in Hex format.
|
||
* tpm2_nvdefine: Change -X option to -I.
|
||
* tpm2-nvwrite: fix for unable to write 1024B+ data.
|
||
* tpm2_getmanufec: Fix base64 encoding.
|
||
* tpm2_x: fixed a lot of TPM2B failures caused by wrong initialization.
|
||
* tpm2_getmanufec: let configure handle libs.
|
||
* tpm2_getmanufec: Convert from dos to unix format.
|
||
* build: Check for TSS2 library @ configure time.
|
||
* build: Detect required TSS2 and TCTI headers.
|
||
* build: Use libtool to build the common library
|
||
* build: Install all binaries into sbin.
|
||
* build: Build common sources into library.
|
||
* build: Move all source files to 'src'.
|
||
* Makefile.am: Move all build rules into single Makefile.am.
|
||
* everything: Use new TCTI headers and fixup API calls.
|
||
* everything: Update source to cope with sapi header cleanup.
|
||
* tpm2_activatecredential: Updated to support TCG compatible EK
|
||
* tpm2_getpubak: Updated to use TCG compatible EK
|
||
* tpm2_getpubek: fix ek creation to follow TCG EK profile spec.
|
||
|
||
- Removed
|
||
* Windows related code
|
||
* depenedency on the TPM2.0-TSS repo source code
|
||
|
||
- 1.0-alpha_0.zip: removed, use tpm2-0-tss directly.
|
||
- tpm2-install-binaries.patch: not needed anymore.
|
||
- fixes.patch: fixed random return build errors.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 22 12:02:01 UTC 2016 - meissner@suse.com
|
||
|
||
- update description
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 24 12:42:04 UTC 2016 - meissner@suse.com
|
||
|
||
- initial import of tpm2.0-tools
|
||
|