From 8a1ac1c06eece7ea2282203d30a5f8701ec6f6199eb842a9b56cc5ee54c75e86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Sat, 4 May 2024 01:31:20 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main trousers revision 6530ee62fde3356279be534a3d5fff2c
---
 .gitattributes | 23 +++
 91-trousers.rules | 1 +
 baselibs.conf | 1 +
 fix-lto.patch | 10 +
 tcsd.service | 21 ++
 trousers-0.3.15.tar.gz | 3 +
 trousers.changes | 433 +++++++++++++++++++++++++++++++++++++++++
 trousers.spec | 166 ++++++++++++++++
 8 files changed, 658 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 91-trousers.rules
 create mode 100644 baselibs.conf
 create mode 100644 fix-lto.patch
 create mode 100644 tcsd.service
 create mode 100644 trousers-0.3.15.tar.gz
 create mode 100644 trousers.changes
 create mode 100644 trousers.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/91-trousers.rules b/91-trousers.rules
new file mode 100644
index 0000000..f9f9a4a
--- /dev/null
+++ b/91-trousers.rules
@@ -0,0 +1 @@
+KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss"
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..51d223a
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1 @@
+libtspi1
diff --git a/fix-lto.patch b/fix-lto.patch
new file mode 100644
index 0000000..5b42852
--- /dev/null
+++ b/fix-lto.patch
@@ -0,0 +1,10 @@
+Index: trousers-0.3.14/src/tddl/Makefile.am
+===================================================================
+--- trousers-0.3.14.orig/src/tddl/Makefile.am
++++ trousers-0.3.14/src/tddl/Makefile.am
+@@ -1,4 +1,4 @@
+ lib_LIBRARIES=libtddl.a
+ 
+ libtddl_a_SOURCES=tddl.c
+-libtddl_a_CFLAGS=-DAPPID=\"TCSD\ TDDL\" -I${top_srcdir}/src/include -fPIE -DPIE
++libtddl_a_CFLAGS=-ffat-lto-objects -DAPPID=\"TCSD\ TDDL\" -I${top_srcdir}/src/include -fPIE -DPIE
diff --git a/tcsd.service b/tcsd.service
new file mode 100644
index 0000000..ac117b0
--- /dev/null
+++ b/tcsd.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=TCG Core Services Daemon
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=forking
+ExecStart=/usr/sbin/tcsd
+User=tss
+
+[Install]
+WantedBy=multi-user.target
diff --git a/trousers-0.3.15.tar.gz b/trousers-0.3.15.tar.gz
new file mode 100644
index 0000000..72ce1c4
--- /dev/null
+++ b/trousers-0.3.15.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1e5be93e518372acf1d92d2f567d01a46fdb0b730487e544e6fb896c59cac77f
+size 4699936
diff --git a/trousers.changes b/trousers.changes
new file mode 100644
index 0000000..2b93bc3
--- /dev/null
+++ b/trousers.changes
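Review bot: The rule sets `OWNER="tss"` with `MODE="0660"` but no `GROUP=`, so the group rw bit of the TPM node is granted to whatever the default group is (normally root) rather than to tss. If the intent is tss:tss, as the `%description` text in trousers.spec states (`0600 tss:tss`), the line should read `KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss", GROUP="tss"`; otherwise the description in the spec (all three copies) should be updated to describe what the shipped rule actually installs. The spec's `%install` comment notes the file coexists with the tpm2-0-tss rule, so whichever owner/group/mode is chosen should match that package's rule to avoid the node's permissions depending on rule processing order — confirm against tpm2-0-tss.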
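Review bot: The hardening block in tcsd.service omits the two directives that matter most for a service already pinned to `User=tss`: `NoNewPrivileges=true` and an empty `CapabilityBoundingSet=` are missing, and since the spec installs a udev rule precisely so that tcsd never has to start as root (see the `%install` comment in trousers.spec), both can be appended after `RestrictRealtime=true` — verify with a test start that the daemon still opens the TPM node. `Type=forking` is used without `PIDFile=`, so systemd has to guess the main PID from the forked children; if the foreground option of this tcsd version (`-f`) is available, `Type=simple` with `ExecStart=/usr/sbin/tcsd -f` is the more robust form — confirm against the tcsd(8) page shipped in `%{_mandir}/man8`. The changelog records IPv4/IPv6 listener options for tcsd, so `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` would both document and bound the socket families the daemon uses. `PrivateDevices=` must not be added because the daemon needs the TPM character device; `DevicePolicy=closed` with a `DeviceAllow=` for that node is the applicable narrowing if one is wanted.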
@@ -0,0 +1,433 @@ +------------------------------------------------------------------- +Mon Aug 22 08:16:58 UTC 2022 - Dominique Leuenberger + +- BuildRequire pkgconfig(udev) instead of udev: allow OBS to + shortcut through the -mini flavors. + +------------------------------------------------------------------- +Tue Apr 12 13:58:28 UTC 2022 - Marcus Meissner + +- changed urls to https (except main URL which has no https) + +------------------------------------------------------------------- +Thu Nov 25 15:00:17 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * tcsd.service + +------------------------------------------------------------------- +Tue Oct 5 09:41:43 UTC 2021 - Matthias Gerstner + +- move libraries to /usr/lib (bsc#1191102) + +------------------------------------------------------------------- +Thu Nov 5 10:34:19 UTC 2020 - Matthias Gerstner + +- update to new upstream version 0.3.15: + - Corrected mutliple security issues that existed if the tcsd is started by + root instead of the tss user. CVE-2020-24332, CVE-2020-24330, CVE-2020-24331 + - Replaced use of _no_optimize with asm memory barrier + - Fixed multiple potential instances of use after free memory handling + - Removed unused global variables which caused build issue on some distros +- drop gcc-10.patch: now contained in upstream tarball +- drop bsc1164472.patch: now contained in upstream tarball +- adjusted %setup macro invocation which seemed to be wrong + +------------------------------------------------------------------- +Mon Jul 27 08:13:14 UTC 2020 - matthias.gerstner@suse.com + +- In a previous commit the Requires line for the tss user got accidentally + dropped. This change reintroduces it. + +------------------------------------------------------------------- +Tue Jun 2 10:23:53 UTC 2020 - Matthias Gerstner + +- add gcc-10.patch: fixes the build on gcc 10 by removing unused global + variables. 
This patch was posted on the TrouSerS mailing list [1]. + + [1]: https://sourceforge.net/p/trousers/mailman/message/36951419/ + +------------------------------------------------------------------- +Wed May 20 10:05:51 UTC 2020 - Matthias Gerstner + +- get rid of %pre/%post logic that fixes the old packaging bug. Turns out + %pretrans and %posttrans had their purpose before, because the logic needed + to run before old files owned by the package got deleted. But I'm not + reimplementing this strange logic in Lua ... users that didn't get the fix + yet will have to live with it. + +------------------------------------------------------------------- +Wed May 20 08:59:54 UTC 2020 - Matthias Gerstner + +- fix a potential tss user to root privilege escalation when running tcsd + (bsc#1164472). To do this run tcsd as the 'tss' user right away to prevent + badly designed privilege drop and initialization code to run. +- add bsc1164472.patch: additionally harden operation of tcsd when running as + root. No longer follow symlinks in /var/lib/tpm. Drop gid to tss main group. + require /etc/tcsd.conf to be owned by root:tss mode 0640. + +------------------------------------------------------------------- +Wed May 13 12:14:32 UTC 2020 - matthias.gerstner@suse.com + +- add correct Requires(pre) and change %pretrans and %posttrans into %pre and + %post. %pretrans can't have any dependencies and therefore can only be + %implemented in lua. This currently leads to build errors "/bin/sh: no such + file or directory". + +------------------------------------------------------------------- +Wed Feb 19 12:48:19 UTC 2020 - Matthias Gerstner + +- leave creation of /var/lib/tpm to the new system-user-tss package. Otherwise + we're getting conflicts in packages depending on trousers (bsc#1162360). + +------------------------------------------------------------------- +Fri Jan 31 11:51:03 UTC 2020 - Michal Suchanek + +- Use system-users for tss user creation (boo#1162360). 
+ +------------------------------------------------------------------- +Tue Nov 26 09:14:39 UTC 2019 - matthias.gerstner@suse.com + +- Fix a local symlink attack problem with the %posttrans scriptlet + (bsc#1157651, CVE-2019-18898). A rogue tss user could have used this attack + to gain ownership of arbitrary files in the system during + installation/update of the trousers package. + +------------------------------------------------------------------- +Mon Sep 9 14:12:22 UTC 2019 - mgerstner + +- add fix-lto.patch: This fixes the rpmlint error: + + trousers-devel.x86_64: E: lto-no-text-in-archive (Badness: 10000) /usr/lib64/libtddl.a + + objcopy/strip seem not to support the LTO linking and discard the actual + text section from libtddl.a. By passing -ffat-lto-objects the object format + is kept compatible with unaware tools and fixes the error. + +------------------------------------------------------------------- +Fri Apr 26 10:33:38 UTC 2019 - mvetter@suse.com + +- bsc#1130588: Require shadow instead of old pwdutils + +------------------------------------------------------------------- +Fri Oct 26 11:13:37 UTC 2018 - matthias.gerstner@suse.com + +- fix mode of /var/lib/tpm, was missing the execute bit in the previous + version. +- implement a backup and restore logic for /var/lib/tpm/system.data.* to + prevent removal of validly stored trousers state during update. See previous + comment for the packaging error that leads to this requirement. + +------------------------------------------------------------------- +Wed Oct 24 12:42:13 UTC 2018 - matthias.gerstner@suse.com + +- fix wrong installation of system.data.{auth,noauth} into /var/lib/tpm. These + files are only sample files that *can* be used to fake that ownership was + already taken by trousers, when other TPM stacks did that already. These + files should not be there by default. 
Therefore install them into + /usr/share/trousers instead, to allow the user to use them at his own + discretion (fixes bsc#1111381). + +------------------------------------------------------------------- +Sun Jan 1 05:15:50 UTC 2017 - mailaender@opensuse.org + +- Update to version 0.3.14 (see ChangeLog) (FATE#321450) + +------------------------------------------------------------------- +Fri May 6 20:15:13 UTC 2016 - jengelh@inai.de + +- Check for user/group existence before attempting to add them, + and remove error suppression from these calls. +- Avoid runtime dependency on systemd, the macros can all deal with + its absence. + +------------------------------------------------------------------- +Fri Jun 19 15:51:08 UTC 2015 - crrodriguez@opensuse.org + +- Force GNU inline semantics, fixes build with GCC5 + +------------------------------------------------------------------- +Thu Apr 2 13:18:08 UTC 2015 - mpluskal@suse.com + +- Cleanup spec-file with spec-cleaner +- Update prerequires +- Use systemd unit file + * replace tcsd.init with tcsd.service + +------------------------------------------------------------------- +Tue Jun 3 13:04:45 UTC 2014 - meissner@suse.com + +- updated to trousers 0.3.13 (bnc#881095 LTC#111124) + - Changed exported functions which had a name too common, to avoid + collision + - Assessed daemon security using manual techniques and coverity + - Fixed major security bugs and memory leaks + - Added debug support to run tcsd with a different user/group + - Daemon now properly closes sockets before shutting down + +* TROUSERS_0_3_12 + - Added new network code for RPC, which supports IPv6 + - Users of client applications can configure the hostname of the tcsd + server they want to connect through the TSS_TCSD_HOSTNAME env var + (only works if application didn't set a hostname in the context) + - Added disable_ipv4 and disable_ipv6 config options for server + +- removed trousers-wrap_large_key_overflow.patch: upstream +- removed 
trousers-0.3.11.2.diff: solved upstream now + +------------------------------------------------------------------- +Wed Mar 19 12:54:21 UTC 2014 - meissner@suse.com + +- trousers-wrap_large_key_overflow.patch: Do not wrap keys larger than + 2048 bit, as the space on the TPM is limited to that amount. (bnc#868933) + +------------------------------------------------------------------- +Tue Jan 14 10:42:23 UTC 2014 - meissner@suse.com + +- Updated to trousers 0.3.11.2 + - license changed to BSD-3-Clause + - various bug and manpage fixes +- trousers-0.3.10.diff renamed and rebased to trousers-0.3.11.2.diff + +------------------------------------------------------------------- +Fri Sep 28 14:45:51 UTC 2012 - meissner@suse.com + +- updated to trousers 0.3.10 + - bugfixes + - context checking + +------------------------------------------------------------------- +Fri May 18 11:04:43 CEST 2012 - meissner@suse.de + +- Updated to trousers 0.3.9 + - lots of bugfixes + +------------------------------------------------------------------- +Wed Mar 28 17:01:59 CEST 2012 - meissner@suse.de + +- Updated to TROUSERS_0_3_8 + - Fix ssl_ui.c overflow + - Handling of TPM_CERTIFY_INFO2 structure special case + - Fix possible obfuscation of obj_migdata.c errors. + - Make 1.2 keys respect the TPM_PCRIGNOREDONREAD flag. + - PCRInfo member allocation in Trspi_Unload_CERTIFY_INFO. + - Add functions for deserializing NVRAM related data structures + - Add NVRAM specific error messages + - Fix spec file so one can build an rpm + - Initialize the tcsd_config_file with NULL. 
+ - support for -c command line option + - Establish a .gitignore file + - ENDIAN_H and htole definition fix + +------------------------------------------------------------------- +Tue Mar 13 08:30:18 UTC 2012 - cfarrell@suse.com + +- license update: CPL-1.0 + SPDX format + +------------------------------------------------------------------- +Sat Nov 19 20:46:59 UTC 2011 - coolo@suse.com + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Mon Jun 20 11:57:28 CEST 2011 - meissner@suse.de + +- Updated to TROUSERS_0_3_7 + - bugfixes + - obj_policy_is_secret_set added + +------------------------------------------------------------------- +Mon Sep 27 01:38:35 CEST 2010 - ro@suse.de + +- fix patch to apply + +------------------------------------------------------------------- +Wed Aug 11 10:57:44 CEST 2010 - meissner@suse.de + +- Updated to TROUNSERS_0_3_6 + - Fixed a number of warnings during a build with --debug regarding THREAD ID + definition + - Removed htole() dependency, which was included only in glibc 2.9 + +- Updated to TROUSERS_0_3_5 + - Allowed TCD Daemon to run with reduced privileges In Solaris. + - Fixing previous kfreebsd build patch conflict with the current tree. + - TCSD error handling improvements. + - mutex init inclusion. + - pthread_t portability fix + - Owner Evict keys load fix. + - Big- endian issues. + - Memory leak fix. + - Adding missing #include . + - kfreebsd build fixes. + - Fixed usage of syslog(). + - 64bits clean + - Fixes the TCP UN and IN socket connection attempt handling + - Fixes logic on opening a hardware TPM. + - Added communication through TCP to software TPMs in TrouSerS. + - Fixed conflicting defines + - Adds missing free() + - Fixed fread() return value check. + - Made the previous fix cleaner and more robust. + - Added missing check in order to avoid freeing buffer that's out of Tspi_Data_Seal() scope. 
+ - Fixed Tspi_TPM_GetRandom 4kb output limit. + +------------------------------------------------------------------- +Mon Jun 21 18:36:48 UTC 2010 - cristian.rodriguez@opensuse.org + +- move library to %/{_lib} fix build of rng-tools + +------------------------------------------------------------------- +Thu Mar 18 11:28:51 CET 2010 - meissner@suse.de + +- Updated to TROUSERS_0_3_4 + - Fixed TrouSerS mishandling of TPM auth sessions + - Enabled hosttable.c "_init" and "_fini" functions to work on Solaris + - Included Solaris in BSD_CONST definition conditional + - Made the init script LSB compliant + - make distcheck improved +- TROUSERS_0_3_3_2 + - Fixed logic when filling up RSA keys objects. +- TROUSERS_0_3_3_1 + - TCSD now runs as tss and has a better signal handling + - Fixed many memory handling issues +- TROUSERS_0_3_3 + - Tspi_ChangeAuth fixed for popup secret use case. + - Prefixed exported functions with common names. + - Fixed issues with accessing the utmp database. + - Migrated the bios parser file handler from open to fopen. + +------------------------------------------------------------------- +Mon Feb 1 12:35:28 UTC 2010 - jengelh@medozas.de + +- package baselibs.conf + +------------------------------------------------------------------- +Thu Aug 27 15:36:08 CEST 2009 - meissner@suse.de + +- updated to 0.3.2. + - Added IMA log parser in conformance with format introduced in linux kernel 2.6.30 + - Fixed memory handling issues in src/tspi/tspi_quote2.c and tspi_tick.c + - Fixed memory handling issues in tcs/rpc/tcstp/rpc_tick.c + - Fixed logic when releasing auth handles, now the TPM won't become out of + resources due too many unreleased auth handles there. + - Fixed compilation problems when building trousers in Fedora with + -fstack-protector & gcc 4.4 + - Fixed the legacy usage of a deprecated 1.1 TPM command, now auth sessions + can be closed fine. + - Fixed key memory cache when evicting keys, invalid key handles were evicted + when shouldn't. 
+ - Fixed authsess_xsap_init call with wrong handle + - Fixed authsess_callback_hmac return code + - Fixed validateReturnAuth return value + - Added consistency to avoid multiple double free() and bound checks to avoid SEGV + - Moved from flock to fcntl since the first isn't supported in multi-thread applications + - Added necessary free() and consistency necessary in tspi/tsp_delegate.c to avoid SEGV + - Typecast added in trousers.c in the UNICODE conversion functions + - Fixed wrong return code in Tspi_NV_ReleaseSpace + - Fixed digest computation in Tspi_NV_ReleaseSpace + - Fixed tpm_rsp_parse, it previously checked for an additional TPM_AUTH blob, resulting in a incorrect data blog unload. + - Added #include to remove INT_MAX undeclared error + during build. Files updated: trspi/crypto/openssl/symmetric.c, + tspi/tspi_aik.c and tspi/tsp_ps.c + - Added bounds checking in the data parsing routines of the TCSD's tcstp RPC code, preventing attacks from malicious clients. + - Removed commented out code in src/tcs/rpc/tcstp/rpc.c + - Commented out old OSAP code, its now unused + - Fixed bug in tcsi_bind.c, one too few params were passed to the function parsing the TPM blob. + - Fixed lots of erroneous TSPERR and TCSERR calls + - Added support for logging all error return codes when debug is on + - Check that parent auth is loaded in the load key path outside the mem_cache_lock, if a thread sleeps holding it, we deadlock + - Added support for dynamically growing the table that holds sleeping threads inside the auth manager + - In tcs_auth_mgr.c, fixed the release handle path, which didn't check if the handle was swapped out before calling to the TPM. + - Updates throughout the code supporting the modular build. 
+ +------------------------------------------------------------------- +Sun Jun 14 18:33:36 CEST 2009 - meissner@suse.de + +- included to fix glibc 2.10 build issues + +------------------------------------------------------------------- +Sat Apr 18 22:19:55 CEST 2009 - crrodriguez@suse.de + +- remove static libtspi + +------------------------------------------------------------------- +Tue Sep 2 13:51:20 CEST 2008 - meissner@suse.de + +- fixed 64bit build issue + +------------------------------------------------------------------- +Fri Aug 22 13:28:38 CEST 2008 - meissner@suse.de + +- upgraded to 0.3.1 + - TPM 1.2 support throughout the code, see ChangeLog + - lots of new features + - lots of bugfixes +- dropped secondary TPM support patches. is either already + upstream (differently), or will be. + +------------------------------------------------------------------- +Tue Apr 15 15:08:29 CEST 2008 - ro@suse.de + +- added baselibs.conf file for multilib support + +------------------------------------------------------------------- +Tue Apr 15 11:20:37 CEST 2008 - meissner@suse.de + +- fixed glibc 2.8 build issues + +------------------------------------------------------------------- +Fri Mar 28 08:56:30 CET 2008 - meissner@suse.de + +- merged from buildservice +- lots of build cleanups for rpmlint warnings + +------------------------------------------------------------------- +Mon Nov 29 13:17:00 CET 2007 - ramunno@polito.it + +- configured to remove dependencies from GTK + +------------------------------------------------------------------- +Mon Nov 26 18:57:45 CET 2007 - draht@suse.de + +- manual mutual dependencies added: libtspi1 <-> trousers + +------------------------------------------------------------------- +Mon Nov 26 18:41:12 CET 2007 - draht@suse.de + +- system.data.*auth files added to /var/lib/tpm/. Note: tcsd expects + /var/lib/tpm/system.data . RTFM... 
+ +------------------------------------------------------------------- +Mon Nov 26 18:27:32 CET 2007 - draht@suse.de + +- init file mode'd 755 in %install. + +------------------------------------------------------------------- +Thu Oct 25 13:57:17 CEST 2007 - skh@suse.de + +- added trousers_0.2.9-tpm_1.2_dual_v20070206 and its documentation + +------------------------------------------------------------------- +Mon Aug 13 17:50:26 CEST 2007 - skh@suse.de + +- initial build service import with version 0.2.9.1 +- split off package libtspi1 to conform to shared library packaging + policy + +------------------------------------------------------------------- +Wed Jan 11 14:07:25 CET 2006 - draht@suse.de + +- #137913: Fix config file permissions and ownership to 0600 tss.tss + +------------------------------------------------------------------- +Wed Nov 9 00:39:23 CET 2005 - draht@suse.de + +- file list changes, split into trousers and -devel. + +------------------------------------------------------------------- +Wed Nov 2 00:11:04 CET 2005 - draht@suse.de + +- initial build of the package. + diff --git a/trousers.spec b/trousers.spec new file mode 100644 index 0000000..f16af90 --- /dev/null +++ b/trousers.spec 
@@ -0,0 +1,166 @@
+#
+# spec file for package trousers
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define tpmstatedir %{_localstatedir}/lib/tpm
+Name: trousers
+Version: 0.3.15
+Release: 0
+Summary: TSS (TCG Software Stack) access daemon for a TPM chip
+License: BSD-3-Clause
+Group: Productivity/Security
+URL: http://trousers.sourceforge.net/
+Source0: https://downloads.sf.net/trousers/%{name}-%{version}.tar.gz
+Source1: tcsd.service
+Source2: baselibs.conf
+Source3: 91-trousers.rules
+Patch0: fix-lto.patch
+BuildRequires: gtk2-devel
+BuildRequires: libtool
+BuildRequires: openssl-devel
+BuildRequires: pkg-config
+BuildRequires: systemd-rpm-macros
+BuildRequires: pkgconfig(udev)
+Requires(pre): user(tss)
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+%description
+The trousers package provides a TSS implementation through the help of
+a user-space daemon, the tcsd, and a library Trousers aims to be
+compliant to the 1.1b and 1.2 TSS specifications as available from the
+Trusted Computing website https://www.trustedcomputinggroup.org/.
+
+The package needs the /dev/tpm device file to be present on your
+system. It is a character device file major 10 minor 224, 0600 tss:tss.
+
+%package devel
+Summary: TSS (TCG Software Stack) access daemon for a TPM chip
+Group: Development/Libraries/C and C++
+Requires: glibc-devel
+Requires: libopenssl-devel
+Requires: libtspi1 = %{version}
+Requires: trousers = %{version}
+
+%description devel
+The trousers package provides a TSS implementation through the help of
+a user-space daemon, the tcsd, and a library Trousers aims to be
+compliant to the 1.1b and 1.2 TSS specifications as available from the
+Trusted Computing website https://www.trustedcomputinggroup.org/.
+
+The package needs the /dev/tpm device file to be present on your
+system. It is a character device file major 10 minor 224, 0600 tss:tss.
+
+%package -n libtspi1
+Summary: TSS (TCG Software Stack) access daemon for a TPM chip
+Group: Productivity/Security
+Requires: trousers
+
+%description -n libtspi1
+The trousers package provides a TSS implementation through the help of
+a user-space daemon, the tcsd, and a library Trousers aims to be
+compliant to the 1.1b and 1.2 TSS specifications as available from the
+Trusted Computing website https://www.trustedcomputinggroup.org/.
+
+The package needs the /dev/tpm device file to be present on your
+system. It is a character device file major 10 minor 224, 0600 tss:tss.
+
+%prep
+%setup -q -n %{name}-%{version}
+%patch0 -p1
+
+%build
+ CC=gcc
+CFLAGS="%{optflags} -Wall -fno-strict-aliasing -fgnu89-inline -ffat-lto-objects"
+ SHARE=%{_prefix}/share
+ DOC=%{_defaultdocdir}
+export CC CFLAGS
+autoreconf -i -f
+%configure --libdir=/%{_libdir} --disable-static --with-pic --with-gui=none
+make %{?_smp_mflags}
+
+%install
+%define trousers_data %{buildroot}%{_datadir}/%{name}
+make DESTDIR=%{buildroot} install %{?_smp_mflags}
+install -D -m 0644 %{SOURCE1} %{buildroot}/%{_unitdir}/tcsd.service
+ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctcsd
+# these files can be used to fake trousers ownership of a TPM if the ownership
+# was already taken by some other stack. they are sample files.
+mkdir -p %{trousers_data}
+cp -a dist/system.data* %{trousers_data}
+
+mkdir -p %{buildroot}%{_libdir}
+rm -v %{buildroot}/%{_libdir}/libtspi.la
+
+# we want to run tcsd as tss user right away. therefore we need to install a
+# suitable udev rule file. this conflicts somewhat with tpm2-0-tss, but both
+# rules files are compatible at the moment. trousers has a lower priority than
+# tpm2-0-tss in case both should be installed. The tss user is shared between
+# both packages anyways already.
+mkdir -p %{buildroot}%{_udevrulesdir}
+install -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}
+
+%pre
+%service_add_pre tcsd.service
+
+%post
+%service_add_post tcsd.service
+%_bindir/udevadm trigger -s tpm || :
+
+# bsc#1164472: adjust potential root ownership to allow tcsd to open the file
+# as unprivileged user. Be careful not to follow a symlink target.
+system_data=%{tpmstatedir}/system.data
+
+if [ -e "${system_data}" ]; then
+ chown --no-dereference tss:tss %{tpmstatedir}/system.data
+fi
+
+%postun
+%service_del_postun tcsd.service
+
+%preun
+%service_del_preun tcsd.service
+
+%post -n libtspi1 -p /sbin/ldconfig
+
+%postun -n libtspi1 -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root)
+%config(noreplace) %attr(640,root,tss) %{_sysconfdir}/tcsd.conf
+%doc README README.selinux AUTHORS ChangeLog LICENSE NICETOHAVES TODO doc/*
+%{_mandir}/man5/*
+%{_mandir}/man8/*
+%{_datadir}/%{name}
+%{_sbindir}/tcsd
+%{_sbindir}/rctcsd
+%{_unitdir}/tcsd.service
+%{_udevrulesdir}/91-trousers.rules
+
+%files devel
+%defattr(-,root,root)
+%{_includedir}/trousers
+%{_includedir}/tss
+%{_mandir}/man3/*
+%{_libdir}/*.so
+#only available in static form
+%{_libdir}/libtddl.a
+
+%files -n libtspi1
+%defattr(-,root,root)
+/%{_libdir}/*.so.*
+
+%changelog
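Review bot: In `%post` the guard tests `"${system_data}"` but the `chown` on the next line spells the path out again as `%{tpmstatedir}/system.data`, and the ownership fix-up runs regardless of the file's current owner although the comment scopes it to "potential root ownership"; `chown --no-dereference --from=root tss:tss "${system_data}"` uses the variable and limits the change to the root-owned case, which is a useful second check given that `--no-dereference` only covers the symlink case the comment mentions. `BuildRequires: gtk2-devel` appears to be dead weight, since `%configure` passes `--with-gui=none` and the 2007 changelog entry records removing the GTK dependency; dropping it shrinks the build root and the attack surface of the build. `--libdir=/%{_libdir}` in `%configure` and `/%{_libdir}/*.so.*` in `%files -n libtspi1` carry a redundant leading slash because `%{_libdir}` is already absolute; plain `%{_libdir}` matches the other `%files` entries. The `BuildRoot:` tag is ignored by current rpm and can be removed at the same time.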