Accepting request 1190897 from home:rrahl0

- update to 0.9.0: - fixes: boo#1226398 - swtpm: - Use umask() to create/truncated state file rather than fchmod() - Use fchmod to set mode bits provided by user - Replace mkstemp with g_mkstemp_full (Coverity) - fix typo in help message - cuse: Fix Coverity complaints regarding locks - Fix double free in error path - Close fd after main loop - Restore logging to stderr on log open failure - swtpm_setup: - Fail --pcr-banks without --tpm2 - Fail --decryption or --allow-signing without --tpm2 - Initialized argv in get_swtpm_capabilities() - Flush spk after persisting to create room for another key - Refactor duplicate code into swtpm_tpm2_write_cert_nvram - Move persisting of certificate into tpm2_persist_certificate - Pass key_type to function creating filename for key - Add scheme parameter before curveid to createprimary_ecc - Rename is_ek to preserve for future extension - Mask-out EK and plaform certificate flags and set cert_flags - Move common code into new function read_certificate_file() - Exit with '0' upon --version rather than '1' - Close file descriptors passed to swtpm process on parent side - Make stdout unbuffered - Use medium duration on TSC_PhysicalPresence to avoid timeouts - Add poll() after write() and before read() to detect errors - swtpm_localca: - Add support for up to 20 bytes serial numbers OBS-URL: https://build.opensuse.org/request/show/1190897 OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=44
2024-08-01 18:11:21 +00:00 · 2024-08-01 18:11:21 +00:00 · 0686c8dbaf
commit 0686c8dbaf
8 changed files with 689 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/swtpm-0.8.1.tar.gz
+++ b/swtpm-0.8.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7bba52aa41090f75087034fac5fe8daed10c3e7e7234df7c9558849318927f41
+size 364169
--- a/swtpm-0.9.0.tar.gz
+++ b/swtpm-0.9.0.tar.gz
--- a/swtpm-fix-build.patch
+++ b/swtpm-fix-build.patch
@ -0,0 +1,19 @@
+Index: swtpm-0.8.0/configure.ac
+===================================================================
+--- swtpm-0.8.0.orig/configure.ac
+++ swtpm-0.8.0/configure.ac
+@@ -418,11 +418,11 @@ if test "x$enable_hardening" != "xno"; t
+ 	# Some versions of gcc fail with -Wstack-protector,
+ 	# some with -Wstack-protector-strong enabled
+ 	if ! $CC -fstack-protector-strong -Wstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then
+-		if $CC -fstack-protector -Wstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then
+-			HARDENING_CFLAGS="-fstack-protector -Wstack-protector"
+		if $CC -fstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then
+			HARDENING_CFLAGS="-fstack-protector"
+ 		fi
+ 	else
+-		HARDENING_CFLAGS="-fstack-protector-strong -Wstack-protector"
+		HARDENING_CFLAGS="-fstack-protector-strong"
+ 	fi
+ 
+ 	dnl Only support -D_FORTIFY_SOURCE=2 and have higher levels passed in by user
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+# This is the correct location
+addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/swtpm/swtpm-localca')
--- a/swtpm.changes
+++ b/swtpm.changes
@ -0,0 +1,460 @@
+-------------------------------------------------------------------
+Thu Aug  1 07:23:27 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 0.9.0:
+  - fixes: boo#1226398
+  - swtpm:
+    - Use umask() to create/truncated state file rather than fchmod()
+    - Use fchmod to set mode bits provided by user
+    - Replace mkstemp with g_mkstemp_full (Coverity)
+    - fix typo in help message
+    - cuse: Fix Coverity complaints regarding locks
+    - Fix double free in error path
+    - Close fd after main loop
+    - Restore logging to stderr on log open failure
+  - swtpm_setup:
+    - Fail --pcr-banks without --tpm2
+    - Fail --decryption or --allow-signing without --tpm2
+    - Initialized argv in get_swtpm_capabilities()
+    - Flush spk after persisting to create room for another key
+    - Refactor duplicate code into swtpm_tpm2_write_cert_nvram
+    - Move persisting of certificate into tpm2_persist_certificate
+    - Pass key_type to function creating filename for key
+    - Add scheme parameter before curveid to createprimary_ecc
+    - Rename is_ek to preserve for future extension
+    - Mask-out EK and plaform certificate flags and set cert_flags
+    - Move common code into new function read_certificate_file()
+    - Exit with '0' upon --version rather than '1'
+    - Close file descriptors passed to swtpm process on parent side
+    - Make stdout unbuffered
+    - Use medium duration on TSC_PhysicalPresence to avoid timeouts
+    - Add poll() after write() and before read() to detect errors
+  - swtpm_localca:
+    - Add support for up to 20 bytes serial numbers
+    - Introduce --key as more generic alias for --ek
+    - Add missing NULL option to end of array
+    - Make stdout unbuffered
+  - swtpm_cert:
+    - Add support for serial numbers up to 20 bytes long
+  - swtpm_ioctl:
+    - Separate return code from flags
+    - Repeatedly call PTM_GET_INFO for long responses
+  - selinux:
+    - Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
+    - New SELinux policy that requires Fedora 40 or later
+  - tests:
+    - Fixed occurrences of stray '' before '-'
+    - Rearrange order of test cases to run some also as 'root'
+    - Add tests for command line options and combinations of options
+    - Add softhsm_setup to shellcheck'ed files and fix issues
+    - Add missing 'exit 1' on unexpected file size on --reconfigure
+    - Add test cases for swtpm_cert with max serial number
+    - Fix spelling mistakes
+    - reformat regexs for easier readability and extension
+    - ibmtss2: Add patch to disable x509 test with older libtpms
+    - Upgrade to ibmtss2 v2.0.1
+    - Fixed several issues detected by shellcheck
+  - build-sys:
+    - Add support for --disable-tests to disable tests
+    - Display GMP_LIBS and GMP_CFLAGS
+    - Only display warning if pkg-config for gmp fails
+    - Add gmp library and devel package as dependency
+    - use PKG_CHECK_MODULES to check libtpms version
+
+-------------------------------------------------------------------
+Thu Oct 19 00:43:29 UTC 2023 - William Brown <william.brown@suse.com>
+
+- Add missing requires for certtool
+
+-------------------------------------------------------------------
+Sat Sep 16 10:10:45 UTC 2023 - Marcus Meissner <meissner@suse.com>
+
+- Update to version 0.8.1:
+  - swtpm:
+    -   Restore logging to stderr on log open failure
+  - swtpm_setup:
+    -   Exit with '0' upon --version rather than '1'.
+    -   Initialized @argv in get_swtpm_capabilities()
+  - swtpm_localca:
+    -   Add missing NULL option to end of array
+  - SELinux:
+    -   Add rules for user_tpm_t:sockfile to allow unlink
+    -   Add rules for sock_file on user_tmp_t
+
+-------------------------------------------------------------------
+Fri Jun 16 11:32:11 UTC 2023 - Manfred Hollstein <manfred.h@gmx.net>
+
+- Make selinux optional to allow building this package for Leap, too.
+
+-------------------------------------------------------------------
+Tue May  2 09:55:28 UTC 2023 - Marcus Meissner <meissner@suse.com>
+
+- remove python3 dependency, no longer needed after rewrite (bsc#1211010)
+
+-------------------------------------------------------------------
+Tue Mar 21 12:45:54 UTC 2023 - Marcus Meissner <meissner@suse.com>
+
+- swtpm-fix-build.patch: disable -Wstack-protector, it fails on s390x
+  bsc#1209117
+
+-------------------------------------------------------------------
+Mon Mar  6 20:21:50 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Drop trousers requirement
+
+-------------------------------------------------------------------
+Mon Mar  6 16:34:33 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 0.8.0:
+  * swtpm:
+    + Implement release-lock-outgoing parameter for --migration option
+    + Introduce --migration option and 'incoming' parameter
+    + Implement terminate parameter for ctrl channel loss
+    + Add a chroot option
+    + Introduce disable-auto-shutdown flag for --flags option
+    + If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
+    + Add some more recent syscalls to seccomp profile
+    + Disable OpenSSL FIPS mode to avoid libtpms failures
+    + Avoid locking directory multiple times
+    + Remove support for pre-v0.1 state files without header
+    + Use uint64_t in tlv_data_append() to avoid integer overflows
+    + Use uint64_t to avoid integer wrap-around when adding a uint32_t
+    + Do not chdir(/) when using --daemon
+    + Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
+    + Fixes for gcc 12.2.1 -fanalyzer
+  * build-sys:
+    + Fix configure script to support _FORTIFY_SOURCE=3
+    + Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
+  * swtpm-localca:
+    + Re-implement variable resolution for swtpm-localca.conf
+    + Test for available issuercert before creating CA
+  * swtpm_setup:
+    + Configure swtpm to log to stdout/err if needed (glib >=2.74)
+  * tests:
+    + Use ${WORKDIR} in config files to test env. var replacement
+    + Patch IBM TSS2 test suite for OpenSSL 3.x
+  * build-sys:
+    + Add probing for -fstack-protector
+
+-------------------------------------------------------------------
+Fri Apr 29 07:41:51 UTC 2022 - Marcus Meissner <meissner@suse.com>
+
+- Updated to version 0.7.3:
+  - swtpm:
+    - Use uint64_t in tlv_data_append() to avoid integer overflows
+    - Use uint64_t to avoid integer wrap-around when adding a uint32_t
+- removed allow-FORTIFY_SOURCE=3.patch (upstreamed)
+
+-------------------------------------------------------------------
+Wed Apr  6 07:55:48 UTC 2022 - Martin Liška <mliska@suse.cz>
+
+- Cheery-pick upstream patch allow-FORTIFY_SOURCE=3.patch.
+
+-------------------------------------------------------------------
+Wed Mar  9 14:07:03 UTC 2022 - Wolfgang Frisch <wolfgang.frisch@suse.com>
+
+- Update to version 0.7.2:
+  - swtpm:
+    - Do not chdir(/) when using --daemon
+  - swtpm-localca:
+    - Re-implement variable resolution for swtpm-localca.conf
+  - tests:
+    - Use ${WORKDIR} in config files to test env. var replacement
+  - man pages:
+    - Add missing .config directory to path description when using ${HOME}
+  - build-sys:
+    - Add probing for -fstack-protector 
+
+-------------------------------------------------------------------
+Mon Feb 21 12:04:56 UTC 2022 - Marcus Meissner <meissner@suse.com>
+
+- Update to version 0.7.1:
+  - swtpm:
+    - Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
+  - swtpm_localca:
+    - Test for available issuercert before creating CA
+
+-------------------------------------------------------------------
+Wed Nov 10 08:49:00 UTC 2021 - Marcus Meissner <meissner@suse.com>
+
+- Update to version 0.7.0:
+  - swtpm:
+    - Support for linear file storage backend (file://)
+    - Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what
+      libtpms supports
+    - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
+    - Wipe keys from stack and heap
+    - Many other small changes
+    - Make --daemon not racy
+  - swtpm_setup:
+    - Only activate SHA256 PCR bank, not SHA1 bank anymore by default
+    - Support for linear file storage backend (file://)
+    - Implement option --create-config-files to create config files
+    - Use non-deprecated APIs to contruct RSA key (OSSL 3)
+    - Report stderr as returned by external tool (swtpm-localcal)
+    - Replace '+' and ',' characters in VMId's to make work with
+      common name in X509 subject
+    - Add support for --reconfigure flag to change active PCR banks
+  - swtpm_localca:
+    - Created certificates for CAs and TPM that do not expire
+  - swtpm_cert:
+    - Allow passing -1 for days to get a non-expiring certificate
+  - test:
+    - ASAN-related test changes and skipping of tests if ASAN is used
+    - Fix tests using tpm2-abrmd by preventing concurrency
+    - Skip chardev related tests after checking for chardev support
+    - exit with error code if mktemp fails
+    - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test
+  - build-sys:
+    - Introduce --enable-sanitizers to configure
+    - Remove check for pip3 that was used by python swtpm_setup
+    - Allow passing of aditional CFLAGS during build
+
+-------------------------------------------------------------------
+Wed Sep 22 09:33:29 UTC 2021 - Marcus Meissner <meissner@suse.com>
+
+- Update to version 0.6.1:
+  - swtpm:
+    - Clear keys from stack and heap
+  - swtpm-localca:
+    - Add missing else branch for pkcs11 and PIN
+  - swtpm_setup:
+    - Initialize Gerror and free it
+    - Replace '\\s' in regex with [[:space:]] to fix cygwin
+  - tests:
+    - Kill tpm2-abrmd with SIGKILL rather SIGTERM
+  - build-sys:
+    - Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3)
+    - Enable configuring with CFLAGS and passing additional CFLAGS on build
+
+-------------------------------------------------------------------
+Sat Aug  7 15:02:40 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
+
+- Update to version 0.6.0:
+  - Addressed potential symlink attack issue (CVE-2020-28407)
+  - Rewritten in 'C'; needs json-glib
+  - Use timeouts for communicating with swtpm (Unix socket)
+  - Fix --print-capabilities for 'swtpm chardev'
+  - Various cleanups and fixes (coverity)
+- Enable selinux support
+- Removed swtpm-rename_deprecated_libtasn1_types.patch: upstream
+- Fix rpmlint errors
+
+-------------------------------------------------------------------
+Thu May 20 06:56:39 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- swtpm_cert: rename deprecated libtasn1 types.
+  * https://github.com/stefanberger/swtpm/pull/443
+  * Add swtpm-rename_deprecated_libtasn1_types.patch
+
+-------------------------------------------------------------------
+Sun Dec 27 11:42:50 UTC 2020 - Marcus Meissner <meissner@suse.com>
+
+- Update to version 0.5.2
+  - swtpm:
+    - Fix potential buffer overflow related to largely unused data hashing
+      function in control channel
+    - swtpm: Unconditionally close fd if writing of pidfile fails (coverity)
+  - swtpm_setup:
+    - Increase timeout from 10s to 30s for slower machines
+  - Travis:
+    - Not building on OS X anymore due to additional costs
+
+-------------------------------------------------------------------
+Tue Dec 22 07:53:04 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Use "Requires user(tss)" for the "tss" user and group
+
+-------------------------------------------------------------------
+Tue Dec 22 04:06:10 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Create /var/lib/swtpm-localca to store the keys created by
+  swtpm-localca (bsc#1179811)
+- Replace net-tools-deprecated with iproute2 since the scripts in
+  swtpm now can use 'ss' instead of 'netstat'
+
+-------------------------------------------------------------------
+Sun Nov 22 03:16:13 UTC 2020 - Kai Liu <kai.liu@suse.com>
+
+- Update to version 0.5.1
+  * swtpm & swtpm_setup:
+    - Addressed potential symlink attack issue (CVE-2020-28407)
+  * build-sys:
+    - Fix configure python cryptography error message
+
+- Misc. spec file changes.
+
+-------------------------------------------------------------------
+Tue Oct 13 14:57:25 UTC 2020 - Kai Liu <kai.liu@suse.com>
+
+- Update Requires and BuildRequires for changes since 0.4.0.
+
+- Remove patch files that are no longer needed:
+  * swtpm-adjust-seccomp-path.patch
+  * swtpm-setup-tcsd-path.patch
+  * swtpm-tpm-tools-path.patch
+
+- Update to version 0.5.0
+  * swtpm:
+    - Write files atomically using a temp file and then renaming
+  * swtpm_setup:
+    - Removed remaining 'c' wrapper program
+    - Do not truncate logfile when testing write-access (regression)
+    - Remove TPM state file in case error occurred
+  * swtpm-localca:
+    - Rewrite in python
+    - Allow passing pkcs11 PIN using signingkey_password
+    - Allow passing environment variables needed for pkcs11 modules using
+      swtpm-localca.conf and format 'env:VARNAME=VALUE'.
+  * build-sys:
+    - Add python-install and python-uninstall targets
+    - Add configure option to disable installation of Python module
+    - Use -Wl,-z,relro and -Wl,-z,now only when linking (clang)
+    - Use AC_LINK_IFELSE to check whether support for hardening flags
+
+- Changes from version 0.4.1
+  * swtpm_setup:
+    - Do not hardcode '/etc' but use SYSCONFDIR
+    - Fix support for -h and -? options
+    - Add missing .config path when using ${HOME}
+  * swtpm-localca:
+    - Apply password for signing key when creating platform cert
+    - Properly apply passwords for localca signing key
+
+- Changes from version 0.4.0
+  * swtpm:
+    - Invoke print capabilities after choosing TPM version
+    - Add some recent syscalls to seccomp blacklist
+  * swtpm_cert:
+    - Support --ecc-curveid option to pass curve id
+  * swtpm_setup & related scripts:
+    - Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd
+      and TPM tools anymore; new dependencies:
+      - python3: pip, cryptography, setuptools
+      dropped dependencies for swtpm_setup:
+      - tcsd, expect, tpm-tools (some still needed for pkcs11 tests)
+    - Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to
+      ECC NIST P384 curve; default RSA key size is still 2048
+    - Added support for --rsa-keysize option
+    - Extend script to create a CA using a TPM 2 for signing
+  * tests:
+    - Use the IBM TSS2 v1.5.0's test suite
+    - Add test case for loading of an NVRAM completely full with keys
+    - Have softhsm_setup use temporary directory for softhsm config & state
+    - various other improvements
+  * man pages:
+    - Improvements
+  * build-sys:
+    - clang: properly test for linker flag 'now' and 'relro'
+    - Gentoo: explicitly link libswtpm_libtpms with -lcrypto
+    - Ownership of /var/lib/swtpm-localca is now tss:root and
+      mode flags 0750.
+
+-------------------------------------------------------------------
+Thu Aug 13 01:37:06 UTC 2020 - Kai Liu <kai.liu@suse.com>
+
+- Update to version 0.3.4:
+  * swtpm:
+    - Fix compilation for cygwin
+  * swtpm_setup & swtpm-localca:
+    - Get rid of bash's eval when invoking external tools to avoid abuse.
+      Only use eval for 'resolving' variables.
+  * tests:
+    - Various fixes of minor issues
+
+-------------------------------------------------------------------
+Thu Jul 30 14:14:22 UTC 2020 - Kai Liu <kai.liu@suse.com>
+
+- Update to version 0.3.3:
+  * swtpm_setup:
+    - openSUSE: Support tcsd configuration where tss user != tss group,
+                such as root/tss; Fedora & Ubuntu for example use tss/tss
+  * build-sys:
+    - Check whether tss user and group are available
+
+- Add tss user & group build flags per upstream instruction. This
+  together with v0.3.3 fixed the bug with TPM 1.2 emulation.
+  Related upstream bug:
+    https://github.com/stefanberger/swtpm/issues/284
+
+-------------------------------------------------------------------
+Sat Jul 11 08:31:54 UTC 2020 - Kai Liu <kai.liu@suse.com>
+
+- Update to 0.3.2:
+  + swtpm:
+    + Remove unnecessary #include <seccomp.h> (fixes SuSE build)
+    + Make coverity happy by handling default case in case
+      statement
+  + swtpm_setup:
+    + bugfix: Create ECC storage primary key in owner hierarchy
+    + bugfix: remove tpm2_stirrandom and tpm2_changeeps
+  + tests:
+    + Adjusted pcrUpdateCounter in tests to succeed with PCR TCB
+      group fixes in libtpms TPM 2 code
+
+-------------------------------------------------------------------
+Wed Apr 22 03:25:36 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update to 0.3.1
+  + swtpm: Fix vtpm proxy case without startup flags
+  + swtpm: Only call memcpy if tocopy != 0 (coverity)
+  + man: Document new startup options and capabilities
+    advertisement
+  + swtpm: Enable sending startup commands before processing
+    commands
+  + swtpm_cert: Accept serial numbers that use up to 64bits
+  + swtpm_cert: Use getopt_long_only to parse options
+  + swtpm_cert: Add support for --print-capabilities option
+  + swtpm_cert: Allow passing signing key and parent key via new
+    option
+  + swtpm_setup: Enable spaces in paths and other variables
+  + swtpm_ioctl: Calculate strlen(input) only once
+  + swtpm_ioctl: Block SIGPIPE so we can get EPIPE on write()
+  + swtpm_bios: Block SIGPIPE so we can get EPIPE on write()
+  + swtpm: Only accept() new client ctrl connection if we have none
+  + swtpm_setup: Do not fail on future PCR banks' hashes
+  + swtpm_setup: Use 1st part of SWTPM_EXE/SWTPM_IOCTL to determine
+    executable
+  + swtpm_setup: Keep reserved range of file descriptors for
+    swtpm_setup.sh
+  + swtpm_setup: Log about encryption and fix c&p error in err msg
+  + swtpm: Add --print-capabilities to help screen of
+    'swtpm chardev'
+  + swtpm_ioctl: Fix uninitialized variable 'pgi'
+  + swtpm_cert: Use gnutls_x509_crt_get_subject_key_id API call for
+    subj keyId
+  + swtpm_cert: Fix OIDs for TPM 2 platforms data
+  + swtpm: Fix typo in error report: HMAC instead of hash
+  + swtpm: Use writev_full rather than writev; fixes --vtpm-proxy
+    EIO error
+- Refresh swtpm-setup-tcsd-path.patch
+
+-------------------------------------------------------------------
+Fri Jan  3 01:52:45 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Amend swtpm-adjust-seccomp-path.patch to add the missing seccomp
+  paths
+- Adjust the conditional check of net-tools-deprecated for SLE15
+  and SLE15-SP1
+
+-------------------------------------------------------------------
+Thu Sep  5 08:00:27 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update to 0.2.0
+  +Linux: swtpm now runs with a seccomp profile (blacklist) if
+           compiled with libseccomp support
+  + Added subpport for passing key and passphrase via file
+    descriptor
+  + TPM 2 commands can now be prefixed by 'the TCG header' and
+    responses will have a 4-byte prefix and 4-byte suffix.
+  + Added --print-capabilities command line option
+  + Proper handling on EINTR on read, poll, and write
+- Patches to adjust the pathes
+  + swtpm-tpm-tools-path.patch
+  + swtpm-setup-tcsd-path.patch
+  + swtpm-adjust-seccomp-path.patch
+
+-------------------------------------------------------------------
+Tue May 15 08:37:16 UTC 2018 - glin@suse.com
+
+- Initial import: 0.1.0-dev2
--- a/swtpm.spec
+++ b/swtpm.spec
@ -0,0 +1,178 @@
+#
+# spec file for package swtpm
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if 0%{?suse_version} > 01500
+%bcond_without use_selinux
+%else
+%bcond_with use_selinux
+%endif
+
+# Scripts in this package are python3
+%define skip_python2 1
+# SELinux
+%define selinuxtype targeted
+%define modulename1 swtpm
+%define modulename2 swtpm_svirt
+%define modulename3 swtpmcuse
+Name:           swtpm
+Version:        0.9.0
+Release:        0
+Summary:        Software TPM emulator
+License:        BSD-3-Clause
+Group:          System/Base
+URL:            https://github.com/stefanberger/swtpm
+Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source100:      swtpm-rpmlintrc
+Patch0:         swtpm-fix-build.patch
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  expect
+BuildRequires:  fuse-devel
+BuildRequires:  glib2-devel
+BuildRequires:  gmp-devel
+BuildRequires:  gnutls
+BuildRequires:  iproute2
+BuildRequires:  libgnutls-devel
+BuildRequires:  libopenssl-devel
+BuildRequires:  libseccomp-devel
+BuildRequires:  libtasn1-devel
+BuildRequires:  libtool
+BuildRequires:  libtpms-devel
+BuildRequires:  pkgconfig
+%if %{with use_selinux}
+BuildRequires:  selinux-policy-devel
+BuildRequires:  selinux-policy-targeted
+%endif
+BuildRequires:  socat
+BuildRequires:  pkgconfig(json-glib-1.0)
+BuildRequires:  pkgconfig(systemd)
+# Required for certtool, which is used by swtpm-localca
+Requires:       gnutls
+Requires:       iproute2
+%if %{with use_selinux}
+Requires:       (%{name}-selinux if selinux-policy-base)
+%endif
+Requires(pre):  user(tss)
+
+%description
+The SWTPM package provides TPM emulators with different front-end interfaces
+to libtpms. TPM emulators provide socket interfaces (TCP/IP) and the Linux
+CUSE interface for the creation of multiple native /dev/vtpm* devices.
+Those can be the targets of multiple QEMU cuse-tpm instances.
+
+%package        devel
+Summary:        Development files for swtpm
+Group:          Development/Libraries/C and C++
+Requires:       %{name} = %{version}
+Requires:       glib2-devel
+Requires:       libopenssl-devel
+Requires:       libseccomp-devel
+Requires:       libtpms-devel
+
+%description    devel
+The development files for SWTPM
+
+%if %{with use_selinux}
+%package        selinux
+Summary:        SELinux module for the Software TPM emulator
+Group:          System/Management
+Requires:       %{name} = %{version}
+BuildArch:      noarch
+%{selinux_requires}
+
+%description    selinux
+This package provides the SELinux module for the Software TPM emulator.
+%endif
+
+%prep
+%autosetup
+
+%build
+mkdir m4
+autoreconf -fiv
+# configure looks for semodule on PATH
+export PATH="$PATH:%{_sbindir}"
+%configure --with-openssl --disable-static \
+     --with-tss-user=root --with-tss-group=tss \
+%if %{with use_selinux}
+     --with-selinux
+%else
+
+%endif
+%make_build
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+%if %{with use_selinux}
+mkdir %{buildroot}%{_datadir}/selinux/packages/targeted
+mv %{buildroot}%{_datadir}/selinux/packages/*.pp %{buildroot}%{_datadir}/selinux/packages/targeted
+%endif
+mkdir -p %{buildroot}%{_localstatedir}/lib/swtpm-localca
+sed -e 's|#!/usr/bin/env |#!/usr/bin/|g' -i %{buildroot}%{_datadir}/swtpm/swtpm-create-tpmca
+sed -e 's|#!/usr/bin/env |#!/usr/bin/|g' -i %{buildroot}%{_datadir}/swtpm/swtpm-create-user-config-files
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%if %{with use_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename1}.pp
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename2}.pp
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename3}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename1}
+    %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename2}
+    %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename3}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+%endif
+
+%files
+%doc CHANGES README TODO
+%license LICENSE
+%{_bindir}/swtpm*
+%config %{_sysconfdir}/swtpm*
+%{_datadir}/swtpm
+%dir %{_libdir}/swtpm
+%{_libdir}/swtpm/*.so.*
+%{_mandir}/man5/swtpm*%{?ext_man}
+%{_mandir}/man8/swtpm*%{?ext_man}
+%dir %attr(0750,tss,root) %{_localstatedir}/lib/swtpm-localca
+
+%files devel
+%{_libdir}/swtpm/*.so
+%{_includedir}/swtpm
+%{_mandir}/man3/swtpm*%{?ext_man}
+
+%if %{with use_selinux}
+%files selinux
+%{_datadir}/selinux/packages/targeted/*.pp
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename1}
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename2}
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename3}
+%endif
+
+%changelog