Accepting request 841653 from home:kailiu:branches:security

- Update Requires and BuildRequires for changes since 0.4.0. - Remove patch files that are no longer needed: * swtpm-adjust-seccomp-path.patch * swtpm-setup-tcsd-path.patch * swtpm-tpm-tools-path.patch - Update to version 0.5.0 OBS-URL: https://build.opensuse.org/request/show/841653 OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=7
2020-10-14 03:33:47 +00:00 · 2020-10-14 03:33:47 +00:00 · 95cbe02092
commit 95cbe02092
parent 20862cca74
7 changed files with 80 additions and 72 deletions
--- a/swtpm-adjust-seccomp-path.patch
+++ b/swtpm-adjust-seccomp-path.patch
@ -1,33 +0,0 @@
-From 8a3e012e509efcc3a7d8fb4b73ecf761577c0cf2 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Tue, 16 Jul 2019 17:03:26 +0800
-Subject: [PATCH] Adjust seccomp.h path
-
-Signed-off-by: Gary Lin <glin@suse.com>
---
- src/swtpm/swtpm.c         | 2 +-
- src/swtpm/swtpm_chardev.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-Index: swtpm-0.2.0/src/swtpm/Makefile.am
-===================================================================
--- swtpm-0.2.0.orig/src/swtpm/Makefile.am
-+++ swtpm-0.2.0/src/swtpm/Makefile.am
-@@ -94,6 +94,7 @@ swtpm_CFLAGS = \
- 	$(HARDENING_CFLAGS) \
- 	$(GLIB_CFLAGS) \
- 	$(LIBFUSE_CFLAGS) \
-+	$(LIBSECCOMP_CFLAGS) \
- 	-DHAVE_SWTPM_CUSE_MAIN
- 
- swtpm_LDADD = \
-@@ -101,7 +102,8 @@ swtpm_LDADD = \
- 	$(LIBFUSE_LIBS) \
- 	$(GLIB_LIBS) \
- 	$(GTHREAD_LIBS) \
-	$(LIBTPMS_LIBS)
-+	$(LIBTPMS_LIBS) \
-+	$(LIBSECCOMP_LIBS)
- 
- swtpm_cuse_DEPENDENCIES = $(privlib_LTLIBRARIES)
- 
--- a/swtpm-setup-tcsd-path.patch
+++ b/swtpm-setup-tcsd-path.patch
@ -1,13 +0,0 @@
-Index: swtpm-0.3.1/src/swtpm_setup/swtpm_setup.sh.in
-===================================================================
--- swtpm-0.3.1.orig/src/swtpm_setup/swtpm_setup.sh.in
-+++ swtpm-0.3.1/src/swtpm_setup/swtpm_setup.sh.in
-@@ -2296,7 +2296,7 @@ main()
- 	fi
- 
- 	if [ $((flags & SETUP_TPM2_F)) -eq 0 ]; then
-		TCSD=$(type -P tcsd)
-+		TCSD=$(type -P /usr/sbin/tcsd)
- 		if [ -z "$TCSD" ]; then
- 			logerr "tcsd program not found. (PATH=$PATH)"
- 			exit 1
--- a/swtpm-tpm-tools-path.patch
+++ b/swtpm-tpm-tools-path.patch
@ -1,13 +0,0 @@
-Index: swtpm-0.1.0-tpm2/configure.ac
-===================================================================
--- swtpm-0.1.0-tpm2.orig/configure.ac
-+++ swtpm-0.1.0-tpm2/configure.ac
-@@ -160,7 +160,7 @@ AC_SUBST([LIBTPMS_LIBS])
- AC_CHECK_LIB(c, clock_gettime, LIBRT_LIBS="", LIBRT_LIBS="-lrt")
- AC_SUBST([LIBRT_LIBS])
- 
-AC_PATH_PROG([TPM_NVDEFINE], tpm_nvdefine)
-+AC_PATH_PROG([TPM_NVDEFINE], tpm_nvdefine, path = '/usr/sbin/')
- if test "x$TPM_NVDEFINE" = "x"; then
-     have_tcsd=no
-     AC_MSG_WARN([NVRAM area tools are needed for TPM 1.2 certificate injection: tpm-tools package])
--- a/swtpm.changes
+++ b/swtpm.changes
@ -1,3 +1,69 @@
+-------------------------------------------------------------------
+Tue Oct 13 14:57:25 UTC 2020 - Kai Liu <kai.liu@suse.com>
+
+- Update Requires and BuildRequires for changes since 0.4.0.
+
+- Remove patch files that are no longer needed:
+  * swtpm-adjust-seccomp-path.patch
+  * swtpm-setup-tcsd-path.patch
+  * swtpm-tpm-tools-path.patch
+
+- Update to version 0.5.0
+  * swtpm:
+    - Write files atomically using a temp file and then renaming
+  * swtpm_setup:
+    - Removed remaining 'c' wrapper program
+    - Do not truncate logfile when testing write-access (regression)
+    - Remove TPM state file in case error occurred
+  * swtpm-localca:
+    - Rewrite in python
+    - Allow passing pkcs11 PIN using signingkey_password
+    - Allow passing environment variables needed for pkcs11 modules using
+      swtpm-localca.conf and format 'env:VARNAME=VALUE'.
+  * build-sys:
+    - Add python-install and python-uninstall targets
+    - Add configure option to disable installation of Python module
+    - Use -Wl,-z,relro and -Wl,-z,now only when linking (clang)
+    - Use AC_LINK_IFELSE to check whether support for hardening flags
+
+- Changes from version 0.4.1
+  * swtpm_setup:
+    - Do not hardcode '/etc' but use SYSCONFDIR
+    - Fix support for -h and -? options
+    - Add missing .config path when using ${HOME}
+  * swtpm-localca:
+    - Apply password for signing key when creating platform cert
+    - Properly apply passwords for localca signing key
+
+- Changes from version 0.4.0
+  * swtpm:
+    - Invoke print capabilities after choosing TPM version
+    - Add some recent syscalls to seccomp blacklist
+  * swtpm_cert:
+    - Support --ecc-curveid option to pass curve id
+  * swtpm_setup & related scripts:
+    - Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd
+      and TPM tools anymore; new dependencies:
+      - python3: pip, cryptography, setuptools
+      dropped dependencies for swtpm_setup:
+      - tcsd, expect, tpm-tools (some still needed for pkcs11 tests)
+    - Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to
+      ECC NIST P384 curve; default RSA key size is still 2048
+    - Added support for --rsa-keysize option
+    - Extend script to create a CA using a TPM 2 for signing
+  * tests:
+    - Use the IBM TSS2 v1.5.0's test suite
+    - Add test case for loading of an NVRAM completely full with keys
+    - Have softhsm_setup use temporary directory for softhsm config & state
+    - various other improvements
+  * man pages:
+    - Improvements
+  * build-sys:
+    - clang: properly test for linker flag 'now' and 'relro'
+    - Gentoo: explicitly link libswtpm_libtpms with -lcrypto
+    - Ownership of /var/lib/swtpm-localca is now tss:root and
+      mode flags 0750.
+
 -------------------------------------------------------------------
 Thu Aug 13 01:37:06 UTC 2020 - Kai Liu <kai.liu@suse.com>

--- a/swtpm.spec
+++ b/swtpm.spec
@ -16,16 +16,13 @@
 #

 Name:           swtpm
-Version:        0.3.4
+Version:        0.5.0
 Release:        0
 Summary:        Software TPM emulator
 License:        BSD-3-Clause
 Group:          System/Base
 Url:            https://github.com/stefanberger/swtpm
 Source:         https://github.com/stefanberger/swtpm/archive/v%{version}.tar.gz
-Patch1:         swtpm-tpm-tools-path.patch
-Patch2:         swtpm-setup-tcsd-path.patch
-Patch3:         swtpm-adjust-seccomp-path.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  expect
@ -38,17 +35,16 @@ BuildRequires:  libopenssl-devel
 BuildRequires:  libseccomp-devel
 BuildRequires:  libtasn1-devel
 BuildRequires:  libtpms-devel
-BuildRequires:  python3-Twisted
+BuildRequires:  python3-cryptography
 BuildRequires:  socat
-BuildRequires:  tpm-tools
 %if 0%{?suse_version} >= 1500 
 BuildRequires:  net-tools-deprecated
 %endif
-Requires:       tpm-tools
 Requires:       trousers
 %if 0%{?suse_version} >= 1500 
 Requires:       net-tools-deprecated
 %endif
+Requires:       python3-cryptography
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -71,9 +67,6 @@ The development files for SWTPM

 %prep
 %setup -q -n %{name}-%{version}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1

 %build
 ./autogen.sh
@ -97,6 +90,14 @@ make %{?_smp_mflags}
 %dir %{_libdir}/swtpm
 %{_libdir}/swtpm/*.so.*
 %{_mandir}/man8/swtpm*
+%dir %{python_sitelib}/py_swtpm_localca
+%dir %{python_sitelib}/py_swtpm_setup
+%pycache_only %{python_sitelib}/py_swtpm_localca/__pycache__
+%pycache_only %{python_sitelib}/py_swtpm_setup/__pycache__
+%{python_sitelib}/py_swtpm_localca/*.py
+%{python_sitelib}/py_swtpm_setup/*.py
+%{python_sitelib}/swtpm_localca*
+%{python_sitelib}/swtpm_setup*

 %files devel
 %{_libdir}/swtpm/*.so
--- a/v0.3.4.tar.gz
+++ b/v0.3.4.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:923ff1c317fc90681ebcfdec5f723ec9ea6a7972269eefc7f9bd0214466df137
-size 310183
--- a/v0.5.0.tar.gz
+++ b/v0.5.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55d93fc3ba6643b1ca1d11018f86b917cd36a7e57bfe103614aed0a0c0360a0f
+size 309011