From 7468cdf8a68cf9bd200465b8125a146f21112ee60620f252e774cc044a71c8de Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Thu, 19 Sep 2024 14:01:38 +0000
Subject: [PATCH] - Fix swtpm custom module (bsc#1229131)
- Add patch: 1229131-fix-swtpm-selinux-policy-mismatch.patch - this can be removed once swtpm upstream sorts out their custom selinux module. see: https://github.com/stefanberger/swtpm/issues/885 there were a couple changes in the selinux-policy libvirt handling which causes the logfile in /var/log/swtpm/libvirt/qemu/*.log to be labeled virt_log_t instead of var_log_t. this patch allows swtpm_t to open the virt_log_t
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=46
---
 .gitattributes | 23 +
 .gitignore | 1 +
 ...31-fix-swtpm-selinux-policy-mismatch.patch | 20 +
 swtpm-0.8.1.tar.gz | 3 +
 swtpm-0.9.0.tar.gz | 3 +
 swtpm-fix-build.patch | 19 +
 swtpm-rpmlintrc | 2 +
 swtpm.changes | 471 ++++++++++++++++++
 swtpm.spec | 186 +++++++
 9 files changed, 728 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 1229131-fix-swtpm-selinux-policy-mismatch.patch
 create mode 100644 swtpm-0.8.1.tar.gz
 create mode 100644 swtpm-0.9.0.tar.gz
 create mode 100644 swtpm-fix-build.patch
 create mode 100644 swtpm-rpmlintrc
 create mode 100644 swtpm.changes
 create mode 100644 swtpm.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/1229131-fix-swtpm-selinux-policy-mismatch.patch b/1229131-fix-swtpm-selinux-policy-mismatch.patch
new file mode 100644
index 0000000..81698c0
--- /dev/null
+++ b/1229131-fix-swtpm-selinux-policy-mismatch.patch
@@ -0,0 +1,20 @@
+Index: swtpm-0.9.0/src/selinux/swtpm.te
+===================================================================
+--- swtpm-0.9.0.orig/src/selinux/swtpm.te
++++ swtpm-0.9.0/src/selinux/swtpm.te
+@@ -8,6 +8,7 @@ policy_module(swtpm, 1.0.0)
+ require {
+ type qemu_var_run_t;
+ type var_log_t;
++ type virt_log_t;
+ type virt_var_lib_t;
+ type virtqemud_t;
+ type virtqemud_tmp_t;
+@@ -29,6 +30,7 @@ allow swtpm_t qemu_var_run_t:file { crea
+ allow swtpm_t qemu_var_run_t:dir { add_name remove_name write };
+ allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink };
+ allow swtpm_t var_log_t:file open;
++allow swtpm_t virt_log_t:file open;
+ allow swtpm_t virt_var_lib_t:dir { add_name remove_name write };
+ allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write };
+ allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr };
diff --git a/swtpm-0.8.1.tar.gz b/swtpm-0.8.1.tar.gz
new file mode 100644
index 0000000..33ea5b7
--- /dev/null
+++ b/swtpm-0.8.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7bba52aa41090f75087034fac5fe8daed10c3e7e7234df7c9558849318927f41
+size 364169
diff --git a/swtpm-0.9.0.tar.gz b/swtpm-0.9.0.tar.gz
new file mode 100644
index 0000000..89c5df7
--- /dev/null
+++ b/swtpm-0.9.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9679ca171e8aaa3c4e4053e8bc1d10c8dabf0220bd4b16aba78743511c25f731
+size 370942
diff --git a/swtpm-fix-build.patch b/swtpm-fix-build.patch
new file mode 100644
index 0000000..e0e0351
--- /dev/null
+++ b/swtpm-fix-build.patch
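Review bot: The added `allow swtpm_t virt_log_t:file open;` covers every file labeled virt_log_t, i.e. libvirt's own logs as well as /var/log/swtpm/libvirt/qemu/*.log, so the grant is wider than the single log file the commit message describes; it mirrors the existing var_log_t rule, and since only `open` and no `write` is granted the write access presumably comes from a descriptor handed over by libvirt, which is worth confirming before this is kept long-term. The `type virt_log_t;` entry in the require block also makes the module refuse to load on a base policy that does not define that type, which should hold wherever libvirt's policy is installed. Add a comment above the new rule, e.g. `# libvirt now labels /var/log/swtpm/libvirt/qemu/*.log virt_log_t (bsc#1229131, upstream issue 885)`, so the rule can be dropped once the upstream module is fixed. The patch file itself has no header before `Index:`; a one-line description there keeps the bug reference with the patch rather than only in the spec.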
@@ -0,0 +1,19 @@
+Index: swtpm-0.8.0/configure.ac
+===================================================================
+--- swtpm-0.8.0.orig/configure.ac
++++ swtpm-0.8.0/configure.ac
+@@ -418,11 +418,11 @@ if test "x$enable_hardening" != "xno"; t
+ # Some versions of gcc fail with -Wstack-protector,
+ # some with -Wstack-protector-strong enabled
+ if ! $CC -fstack-protector-strong -Wstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then
+- if $CC -fstack-protector -Wstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then
+- HARDENING_CFLAGS="-fstack-protector -Wstack-protector"
++ if $CC -fstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then
++ HARDENING_CFLAGS="-fstack-protector"
+ fi
+ else
+- HARDENING_CFLAGS="-fstack-protector-strong -Wstack-protector"
++ HARDENING_CFLAGS="-fstack-protector-strong"
+ fi
+
+ dnl Only support -D_FORTIFY_SOURCE=2 and have higher levels passed in by user
diff --git a/swtpm-rpmlintrc b/swtpm-rpmlintrc
new file mode 100644
index 0000000..1cd2fdb
--- /dev/null
+++ b/swtpm-rpmlintrc
@@ -0,0 +1,2 @@
+# This is the correct location
+addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/swtpm/swtpm-localca')
diff --git a/swtpm.changes b/swtpm.changes
new file mode 100644
index 0000000..1474887
--- /dev/null
+++ b/swtpm.changes
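Review bot: swtpm-fix-build.patch carries no description, so a reader cannot tell from the file itself that only the `-Wstack-protector` warning flag is removed while `-fstack-protector-strong` / `-fstack-protector` stay in HARDENING_CFLAGS; add a header line before `Index:` such as `# bsc#1209117: drop -Wstack-protector, which fails on s390x; the stack protector itself stays enabled`. The `Index:` and `---`/`+++` lines still name swtpm-0.8.0 although the spec builds 0.9.0; that is harmless for `%autosetup -p1` as long as the hunk still applies, but refreshing the paths avoids doubt about whether the patch was rebased.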
@@ -0,0 +1,471 @@ +------------------------------------------------------------------- +Thu Sep 19 10:55:54 UTC 2024 - Cathy Hu + +- Fix swtpm custom module (bsc#1229131) + - Add patch: 1229131-fix-swtpm-selinux-policy-mismatch.patch + - this can be removed once swtpm upstream sorts out their custom selinux module. + see: https://github.com/stefanberger/swtpm/issues/885 + there were a couple changes in the selinux-policy libvirt handling + which causes the logfile in /var/log/swtpm/libvirt/qemu/*.log to be labeled + virt_log_t instead of var_log_t. this patch allows swtpm_t to open the virt_log_t + +------------------------------------------------------------------- +Thu Aug 1 07:23:27 UTC 2024 - Richard Rahl + +- update to 0.9.0: + - fixes: boo#1226398 + - swtpm: + - Use umask() to create/truncated state file rather than fchmod() + - Use fchmod to set mode bits provided by user + - Replace mkstemp with g_mkstemp_full (Coverity) + - fix typo in help message + - cuse: Fix Coverity complaints regarding locks + - Fix double free in error path + - Close fd after main loop + - Restore logging to stderr on log open failure + - swtpm_setup: + - Fail --pcr-banks without --tpm2 + - Fail --decryption or --allow-signing without --tpm2 + - Initialized argv in get_swtpm_capabilities() + - Flush spk after persisting to create room for another key + - Refactor duplicate code into swtpm_tpm2_write_cert_nvram + - Move persisting of certificate into tpm2_persist_certificate + - Pass key_type to function creating filename for key + - Add scheme parameter before curveid to createprimary_ecc + - Rename is_ek to preserve for future extension + - Mask-out EK and plaform certificate flags and set cert_flags + - Move common code into new function read_certificate_file() + - Exit with '0' upon --version rather than '1' + - Close file descriptors passed to swtpm process on parent side + - Make stdout unbuffered + - Use medium duration on TSC_PhysicalPresence to avoid timeouts + - Add poll() 
after write() and before read() to detect errors + - swtpm_localca: + - Add support for up to 20 bytes serial numbers + - Introduce --key as more generic alias for --ek + - Add missing NULL option to end of array + - Make stdout unbuffered + - swtpm_cert: + - Add support for serial numbers up to 20 bytes long + - swtpm_ioctl: + - Separate return code from flags + - Repeatedly call PTM_GET_INFO for long responses + - selinux: + - Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install) + - New SELinux policy that requires Fedora 40 or later + - tests: + - Fixed occurrences of stray '' before '-' + - Rearrange order of test cases to run some also as 'root' + - Add tests for command line options and combinations of options + - Add softhsm_setup to shellcheck'ed files and fix issues + - Add missing 'exit 1' on unexpected file size on --reconfigure + - Add test cases for swtpm_cert with max serial number + - Fix spelling mistakes + - reformat regexs for easier readability and extension + - ibmtss2: Add patch to disable x509 test with older libtpms + - Upgrade to ibmtss2 v2.0.1 + - Fixed several issues detected by shellcheck + - build-sys: + - Add support for --disable-tests to disable tests + - Display GMP_LIBS and GMP_CFLAGS + - Only display warning if pkg-config for gmp fails + - Add gmp library and devel package as dependency + - use PKG_CHECK_MODULES to check libtpms version + +------------------------------------------------------------------- +Thu Oct 19 00:43:29 UTC 2023 - William Brown + +- Add missing requires for certtool + +------------------------------------------------------------------- +Sat Sep 16 10:10:45 UTC 2023 - Marcus Meissner + +- Update to version 0.8.1: + - swtpm: + - Restore logging to stderr on log open failure + - swtpm_setup: + - Exit with '0' upon --version rather than '1'. 
+ - Initialized @argv in get_swtpm_capabilities() + - swtpm_localca: + - Add missing NULL option to end of array + - SELinux: + - Add rules for user_tpm_t:sockfile to allow unlink + - Add rules for sock_file on user_tmp_t + +------------------------------------------------------------------- +Fri Jun 16 11:32:11 UTC 2023 - Manfred Hollstein + +- Make selinux optional to allow building this package for Leap, too. + +------------------------------------------------------------------- +Tue May 2 09:55:28 UTC 2023 - Marcus Meissner + +- remove python3 dependency, no longer needed after rewrite (bsc#1211010) + +------------------------------------------------------------------- +Tue Mar 21 12:45:54 UTC 2023 - Marcus Meissner + +- swtpm-fix-build.patch: disable -Wstack-protector, it fails on s390x + bsc#1209117 + +------------------------------------------------------------------- +Mon Mar 6 20:21:50 UTC 2023 - Alberto Planas Dominguez + +- Drop trousers requirement + +------------------------------------------------------------------- +Mon Mar 6 16:34:33 UTC 2023 - Alberto Planas Dominguez + +- Update to version 0.8.0: + * swtpm: + + Implement release-lock-outgoing parameter for --migration option + + Introduce --migration option and 'incoming' parameter + + Implement terminate parameter for ctrl channel loss + + Add a chroot option + + Introduce disable-auto-shutdown flag for --flags option + + If necessary send TPM2_Shutdown() before TPMLIB_Terminate() + + Add some more recent syscalls to seccomp profile + + Disable OpenSSL FIPS mode to avoid libtpms failures + + Avoid locking directory multiple times + + Remove support for pre-v0.1 state files without header + + Use uint64_t in tlv_data_append() to avoid integer overflows + + Use uint64_t to avoid integer wrap-around when adding a uint32_t + + Do not chdir(/) when using --daemon + + Check header size indicator against expected size (CVE-2022-23645 bsc#1196240) + + Fixes for gcc 12.2.1 -fanalyzer + * build-sys: + + 
Fix configure script to support _FORTIFY_SOURCE=3 + + Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin) + * swtpm-localca: + + Re-implement variable resolution for swtpm-localca.conf + + Test for available issuercert before creating CA + * swtpm_setup: + + Configure swtpm to log to stdout/err if needed (glib >=2.74) + * tests: + + Use ${WORKDIR} in config files to test env. var replacement + + Patch IBM TSS2 test suite for OpenSSL 3.x + * build-sys: + + Add probing for -fstack-protector + +------------------------------------------------------------------- +Fri Apr 29 07:41:51 UTC 2022 - Marcus Meissner + +- Updated to version 0.7.3: + - swtpm: + - Use uint64_t in tlv_data_append() to avoid integer overflows + - Use uint64_t to avoid integer wrap-around when adding a uint32_t +- removed allow-FORTIFY_SOURCE=3.patch (upstreamed) + +------------------------------------------------------------------- +Wed Apr 6 07:55:48 UTC 2022 - Martin Liška + +- Cheery-pick upstream patch allow-FORTIFY_SOURCE=3.patch. + +------------------------------------------------------------------- +Wed Mar 9 14:07:03 UTC 2022 - Wolfgang Frisch + +- Update to version 0.7.2: + - swtpm: + - Do not chdir(/) when using --daemon + - swtpm-localca: + - Re-implement variable resolution for swtpm-localca.conf + - tests: + - Use ${WORKDIR} in config files to test env. 
var replacement + - man pages: + - Add missing .config directory to path description when using ${HOME} + - build-sys: + - Add probing for -fstack-protector + +------------------------------------------------------------------- +Mon Feb 21 12:04:56 UTC 2022 - Marcus Meissner + +- Update to version 0.7.1: + - swtpm: + - Check header size indicator against expected size (CVE-2022-23645 bsc#1196240) + - swtpm_localca: + - Test for available issuercert before creating CA + +------------------------------------------------------------------- +Wed Nov 10 08:49:00 UTC 2021 - Marcus Meissner + +- Update to version 0.7.0: + - swtpm: + - Support for linear file storage backend (file://) + - Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what + libtpms supports + - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs + - Wipe keys from stack and heap + - Many other small changes + - Make --daemon not racy + - swtpm_setup: + - Only activate SHA256 PCR bank, not SHA1 bank anymore by default + - Support for linear file storage backend (file://) + - Implement option --create-config-files to create config files + - Use non-deprecated APIs to contruct RSA key (OSSL 3) + - Report stderr as returned by external tool (swtpm-localcal) + - Replace '+' and ',' characters in VMId's to make work with + common name in X509 subject + - Add support for --reconfigure flag to change active PCR banks + - swtpm_localca: + - Created certificates for CAs and TPM that do not expire + - swtpm_cert: + - Allow passing -1 for days to get a non-expiring certificate + - test: + - ASAN-related test changes and skipping of tests if ASAN is used + - Fix tests using tpm2-abrmd by preventing concurrency + - Skip chardev related tests after checking for chardev support + - exit with error code if mktemp fails + - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test + - build-sys: + - Introduce --enable-sanitizers to configure + - Remove check for pip3 that was used by python swtpm_setup + - 
Allow passing of aditional CFLAGS during build + +------------------------------------------------------------------- +Wed Sep 22 09:33:29 UTC 2021 - Marcus Meissner + +- Update to version 0.6.1: + - swtpm: + - Clear keys from stack and heap + - swtpm-localca: + - Add missing else branch for pkcs11 and PIN + - swtpm_setup: + - Initialize Gerror and free it + - Replace '\\s' in regex with [[:space:]] to fix cygwin + - tests: + - Kill tpm2-abrmd with SIGKILL rather SIGTERM + - build-sys: + - Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3) + - Enable configuring with CFLAGS and passing additional CFLAGS on build + +------------------------------------------------------------------- +Sat Aug 7 15:02:40 UTC 2021 - Callum Farmer + +- Update to version 0.6.0: + - Addressed potential symlink attack issue (CVE-2020-28407) + - Rewritten in 'C'; needs json-glib + - Use timeouts for communicating with swtpm (Unix socket) + - Fix --print-capabilities for 'swtpm chardev' + - Various cleanups and fixes (coverity) +- Enable selinux support +- Removed swtpm-rename_deprecated_libtasn1_types.patch: upstream +- Fix rpmlint errors + +------------------------------------------------------------------- +Thu May 20 06:56:39 UTC 2021 - Pedro Monreal + +- swtpm_cert: rename deprecated libtasn1 types. 
+ * https://github.com/stefanberger/swtpm/pull/443 + * Add swtpm-rename_deprecated_libtasn1_types.patch + +------------------------------------------------------------------- +Sun Dec 27 11:42:50 UTC 2020 - Marcus Meissner + +- Update to version 0.5.2 + - swtpm: + - Fix potential buffer overflow related to largely unused data hashing + function in control channel + - swtpm: Unconditionally close fd if writing of pidfile fails (coverity) + - swtpm_setup: + - Increase timeout from 10s to 30s for slower machines + - Travis: + - Not building on OS X anymore due to additional costs + +------------------------------------------------------------------- +Tue Dec 22 07:53:04 UTC 2020 - Gary Ching-Pang Lin + +- Use "Requires user(tss)" for the "tss" user and group + +------------------------------------------------------------------- +Tue Dec 22 04:06:10 UTC 2020 - Gary Ching-Pang Lin + +- Create /var/lib/swtpm-localca to store the keys created by + swtpm-localca (bsc#1179811) +- Replace net-tools-deprecated with iproute2 since the scripts in + swtpm now can use 'ss' instead of 'netstat' + +------------------------------------------------------------------- +Sun Nov 22 03:16:13 UTC 2020 - Kai Liu + +- Update to version 0.5.1 + * swtpm & swtpm_setup: + - Addressed potential symlink attack issue (CVE-2020-28407) + * build-sys: + - Fix configure python cryptography error message + +- Misc. spec file changes. + +------------------------------------------------------------------- +Tue Oct 13 14:57:25 UTC 2020 - Kai Liu + +- Update Requires and BuildRequires for changes since 0.4.0. 
+ +- Remove patch files that are no longer needed: + * swtpm-adjust-seccomp-path.patch + * swtpm-setup-tcsd-path.patch + * swtpm-tpm-tools-path.patch + +- Update to version 0.5.0 + * swtpm: + - Write files atomically using a temp file and then renaming + * swtpm_setup: + - Removed remaining 'c' wrapper program + - Do not truncate logfile when testing write-access (regression) + - Remove TPM state file in case error occurred + * swtpm-localca: + - Rewrite in python + - Allow passing pkcs11 PIN using signingkey_password + - Allow passing environment variables needed for pkcs11 modules using + swtpm-localca.conf and format 'env:VARNAME=VALUE'. + * build-sys: + - Add python-install and python-uninstall targets + - Add configure option to disable installation of Python module + - Use -Wl,-z,relro and -Wl,-z,now only when linking (clang) + - Use AC_LINK_IFELSE to check whether support for hardening flags + +- Changes from version 0.4.1 + * swtpm_setup: + - Do not hardcode '/etc' but use SYSCONFDIR + - Fix support for -h and -? 
options + - Add missing .config path when using ${HOME} + * swtpm-localca: + - Apply password for signing key when creating platform cert + - Properly apply passwords for localca signing key + +- Changes from version 0.4.0 + * swtpm: + - Invoke print capabilities after choosing TPM version + - Add some recent syscalls to seccomp blacklist + * swtpm_cert: + - Support --ecc-curveid option to pass curve id + * swtpm_setup & related scripts: + - Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd + and TPM tools anymore; new dependencies: + - python3: pip, cryptography, setuptools + dropped dependencies for swtpm_setup: + - tcsd, expect, tpm-tools (some still needed for pkcs11 tests) + - Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to + ECC NIST P384 curve; default RSA key size is still 2048 + - Added support for --rsa-keysize option + - Extend script to create a CA using a TPM 2 for signing + * tests: + - Use the IBM TSS2 v1.5.0's test suite + - Add test case for loading of an NVRAM completely full with keys + - Have softhsm_setup use temporary directory for softhsm config & state + - various other improvements + * man pages: + - Improvements + * build-sys: + - clang: properly test for linker flag 'now' and 'relro' + - Gentoo: explicitly link libswtpm_libtpms with -lcrypto + - Ownership of /var/lib/swtpm-localca is now tss:root and + mode flags 0750. + +------------------------------------------------------------------- +Thu Aug 13 01:37:06 UTC 2020 - Kai Liu + +- Update to version 0.3.4: + * swtpm: + - Fix compilation for cygwin + * swtpm_setup & swtpm-localca: + - Get rid of bash's eval when invoking external tools to avoid abuse. + Only use eval for 'resolving' variables. 
+ * tests: + - Various fixes of minor issues + +------------------------------------------------------------------- +Thu Jul 30 14:14:22 UTC 2020 - Kai Liu + +- Update to version 0.3.3: + * swtpm_setup: + - openSUSE: Support tcsd configuration where tss user != tss group, + such as root/tss; Fedora & Ubuntu for example use tss/tss + * build-sys: + - Check whether tss user and group are available + +- Add tss user & group build flags per upstream instruction. This + together with v0.3.3 fixed the bug with TPM 1.2 emulation. + Related upstream bug: + https://github.com/stefanberger/swtpm/issues/284 + +------------------------------------------------------------------- +Sat Jul 11 08:31:54 UTC 2020 - Kai Liu + +- Update to 0.3.2: + + swtpm: + + Remove unnecessary #include (fixes SuSE build) + + Make coverity happy by handling default case in case + statement + + swtpm_setup: + + bugfix: Create ECC storage primary key in owner hierarchy + + bugfix: remove tpm2_stirrandom and tpm2_changeeps + + tests: + + Adjusted pcrUpdateCounter in tests to succeed with PCR TCB + group fixes in libtpms TPM 2 code + +------------------------------------------------------------------- +Wed Apr 22 03:25:36 UTC 2020 - Gary Ching-Pang Lin + +- Update to 0.3.1 + + swtpm: Fix vtpm proxy case without startup flags + + swtpm: Only call memcpy if tocopy != 0 (coverity) + + man: Document new startup options and capabilities + advertisement + + swtpm: Enable sending startup commands before processing + commands + + swtpm_cert: Accept serial numbers that use up to 64bits + + swtpm_cert: Use getopt_long_only to parse options + + swtpm_cert: Add support for --print-capabilities option + + swtpm_cert: Allow passing signing key and parent key via new + option + + swtpm_setup: Enable spaces in paths and other variables + + swtpm_ioctl: Calculate strlen(input) only once + + swtpm_ioctl: Block SIGPIPE so we can get EPIPE on write() + + swtpm_bios: Block SIGPIPE so we can get EPIPE on write() + + swtpm: 
Only accept() new client ctrl connection if we have none + + swtpm_setup: Do not fail on future PCR banks' hashes + + swtpm_setup: Use 1st part of SWTPM_EXE/SWTPM_IOCTL to determine + executable + + swtpm_setup: Keep reserved range of file descriptors for + swtpm_setup.sh + + swtpm_setup: Log about encryption and fix c&p error in err msg + + swtpm: Add --print-capabilities to help screen of + 'swtpm chardev' + + swtpm_ioctl: Fix uninitialized variable 'pgi' + + swtpm_cert: Use gnutls_x509_crt_get_subject_key_id API call for + subj keyId + + swtpm_cert: Fix OIDs for TPM 2 platforms data + + swtpm: Fix typo in error report: HMAC instead of hash + + swtpm: Use writev_full rather than writev; fixes --vtpm-proxy + EIO error +- Refresh swtpm-setup-tcsd-path.patch + +------------------------------------------------------------------- +Fri Jan 3 01:52:45 UTC 2020 - Gary Ching-Pang Lin + +- Amend swtpm-adjust-seccomp-path.patch to add the missing seccomp + paths +- Adjust the conditional check of net-tools-deprecated for SLE15 + and SLE15-SP1 + +------------------------------------------------------------------- +Thu Sep 5 08:00:27 UTC 2019 - Gary Ching-Pang Lin + +- Update to 0.2.0 + +Linux: swtpm now runs with a seccomp profile (blacklist) if + compiled with libseccomp support + + Added subpport for passing key and passphrase via file + descriptor + + TPM 2 commands can now be prefixed by 'the TCG header' and + responses will have a 4-byte prefix and 4-byte suffix. + + Added --print-capabilities command line option + + Proper handling on EINTR on read, poll, and write +- Patches to adjust the pathes + + swtpm-tpm-tools-path.patch + + swtpm-setup-tcsd-path.patch + + swtpm-adjust-seccomp-path.patch + +------------------------------------------------------------------- +Tue May 15 08:37:16 UTC 2018 - glin@suse.com + +- Initial import: 0.1.0-dev2 diff --git a/swtpm.spec b/swtpm.spec new file mode 100644 index 0000000..5968d96 --- /dev/null +++ b/swtpm.spec 
@@ -0,0 +1,186 @@
+#
+# spec file for package swtpm
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if 0%{?suse_version} > 01500
+%bcond_without use_selinux
+%else
+%bcond_with use_selinux
+%endif
+
+# Scripts in this package are python3
+%define skip_python2 1
+# SELinux
+%define selinuxtype targeted
+%define modulename1 swtpm
+%define modulename2 swtpm_svirt
+%define modulename3 swtpmcuse
+Name: swtpm
+Version: 0.9.0
+Release: 0
+Summary: Software TPM emulator
+License: BSD-3-Clause
+Group: System/Base
+URL: https://github.com/stefanberger/swtpm
+Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source100: swtpm-rpmlintrc
+Patch0: swtpm-fix-build.patch
+# 19-09-24 cahu bsc#1229131
+# this can be removed once swtpm upstream sorts out their custom selinux module
+# see: https://github.com/stefanberger/swtpm/issues/885
+# there were a couple changes in the selinux-policy libvirt handling
+# which causes the logfile in /var/log/swtpm/libvirt/qemu/*.log to be labeled
+# virt_log_t instead of var_log_t.
+# this patch allows swtpm_t to open the virt_log_t
+Patch1: 1229131-fix-swtpm-selinux-policy-mismatch.patch
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: expect
+BuildRequires: fuse-devel
+BuildRequires: glib2-devel
+BuildRequires: gmp-devel
+BuildRequires: gnutls
+BuildRequires: iproute2
+BuildRequires: libgnutls-devel
+BuildRequires: libopenssl-devel
+BuildRequires: libseccomp-devel
+BuildRequires: libtasn1-devel
+BuildRequires: libtool
+BuildRequires: libtpms-devel
+BuildRequires: pkgconfig
+%if %{with use_selinux}
+BuildRequires: selinux-policy-devel
+BuildRequires: selinux-policy-targeted
+%endif
+BuildRequires: socat
+BuildRequires: pkgconfig(json-glib-1.0)
+BuildRequires: pkgconfig(systemd)
+# Required for certtool, which is used by swtpm-localca
+Requires: gnutls
+Requires: iproute2
+%if %{with use_selinux}
+Requires: (%{name}-selinux if selinux-policy-base)
+%endif
+Requires(pre): user(tss)
+
+%description
+The SWTPM package provides TPM emulators with different front-end interfaces
+to libtpms. TPM emulators provide socket interfaces (TCP/IP) and the Linux
+CUSE interface for the creation of multiple native /dev/vtpm* devices.
+Those can be the targets of multiple QEMU cuse-tpm instances.
+
+%package devel
+Summary: Development files for swtpm
+Group: Development/Libraries/C and C++
+Requires: %{name} = %{version}
+Requires: glib2-devel
+Requires: libopenssl-devel
+Requires: libseccomp-devel
+Requires: libtpms-devel
+
+%description devel
+The development files for SWTPM
+
+%if %{with use_selinux}
+%package selinux
+Summary: SELinux module for the Software TPM emulator
+Group: System/Management
+Requires: %{name} = %{version}
+BuildArch: noarch
+%{selinux_requires}
+
+%description selinux
+This package provides the SELinux module for the Software TPM emulator.
+%endif
+
+%prep
+%autosetup -p1
+
+%build
+mkdir m4
+autoreconf -fiv
+# configure looks for semodule on PATH
+export PATH="$PATH:%{_sbindir}"
+%configure --with-openssl --disable-static \
+ --with-tss-user=root --with-tss-group=tss \
+%if %{with use_selinux}
+ --with-selinux
+%else
+
+%endif
+%make_build
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+%if %{with use_selinux}
+mkdir %{buildroot}%{_datadir}/selinux/packages/targeted
+mv %{buildroot}%{_datadir}/selinux/packages/*.pp %{buildroot}%{_datadir}/selinux/packages/targeted
+%endif
+mkdir -p %{buildroot}%{_localstatedir}/lib/swtpm-localca
+sed -e 's|#!/usr/bin/env |#!/usr/bin/|g' -i %{buildroot}%{_datadir}/swtpm/swtpm-create-tpmca
+sed -e 's|#!/usr/bin/env |#!/usr/bin/|g' -i %{buildroot}%{_datadir}/swtpm/swtpm-create-user-config-files
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%if %{with use_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename1}.pp
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename2}.pp
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename3}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename1}
+ %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename2}
+ %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename3}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+%endif
+
+%files
+%doc CHANGES README TODO
+%license LICENSE
+%{_bindir}/swtpm*
+%config %{_sysconfdir}/swtpm*
+%{_datadir}/swtpm
+%dir %{_libdir}/swtpm
+%{_libdir}/swtpm/*.so.*
+%{_mandir}/man5/swtpm*%{?ext_man}
+%{_mandir}/man8/swtpm*%{?ext_man}
+%dir %attr(0750,tss,root) %{_localstatedir}/lib/swtpm-localca
+
+%files devel
+%{_libdir}/swtpm/*.so
+%{_includedir}/swtpm
+%{_mandir}/man3/swtpm*%{?ext_man}
+
+%if %{with use_selinux}
+%files selinux
+%{_datadir}/selinux/packages/targeted/*.pp
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename1}
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename2}
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename3}
+%endif
+
+%changelog
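Review bot: In %build the `--with-selinux` option is injected by opening an `%if` inside the backslash-continued `%configure` command, with an empty line as the `%else` branch; that only works because the continuation ends on the blank line and it will silently break when another option is appended after the conditional. The same effect in one line is `%configure --with-openssl --disable-static --with-tss-user=root --with-tss-group=tss %{?with_use_selinux:--with-selinux}`. The comment `# Scripts in this package are python3` above `%define skip_python2 1` is stale — the package's own changelog entry of 2 May 2023 records that the python3 dependency was dropped — so both lines can go. Source0 expands to swtpm-0.9.0.tar.gz, so the swtpm-0.8.1.tar.gz pointer added in the same commit appears to be unreferenced and could be removed from the package.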