61 Commits

Author SHA256 Message Date
d65bc4d8e3 Accepting request 1318598 from security
Update SELinux modules dir as macro to allow root path move

As discussed before we are going to move SELinux modules from /var/lib/selinux to /etc/selinux (bsc#1221342). This small change allows you to build your packages dynamically (not depending on selinux-package version) and us to change module directory macro in upcoming versions of selinux-policy package without interfering with other packages using custom SELinux modules. (forwarded request 1318580 from djz88)

OBS-URL: https://build.opensuse.org/request/show/1318598
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=25
2025-11-20 13:47:23 +00:00
65ea2b554b Accepting request 1318580 from home:djz88:branches:security:SELinux
Update SELinux modules dir as macro to allow root path move

As discussed before we are going to move SELinux modules from /var/lib/selinux to /etc/selinux (bsc#1221342). This small change allows you to build your packages dynamically (not depending on selinux-package version) and us to change module directory macro in upcoming versions of selinux-policy package without interfering with other packages using custom SELinux modules.

OBS-URL: https://build.opensuse.org/request/show/1318580
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=56
2025-11-19 09:20:26 +00:00
8b5c269d36 Accepting request 1314680 from security
- Also load swtpm_libvirt in the selinux subpackage (bsc#1251789) (forwarded request 1314675 from jsegitz)

OBS-URL: https://build.opensuse.org/request/show/1314680
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=24
2025-11-01 22:34:32 +00:00
3062de4395 Accepting request 1314675 from home:jsegitz:branches:security
- Also load swtpm_libvirt in the selinux subpackage (bsc#1251789)

OBS-URL: https://build.opensuse.org/request/show/1314675
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=54
2025-10-31 09:52:06 +00:00
748b923a67 Accepting request 1287567 from security
OBS-URL: https://build.opensuse.org/request/show/1287567
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=23
2025-06-23 12:50:34 +00:00
80c692d974 Accepting request 1286045 from home:dimstar:Factory
- Update to version 0.10.1:
  + swtpm: Fix build error on 32bit systems due to inconsistent
    _FILE_OFFSET_BITS.
  + swtpm_setup:
    - Use DISTRO_PROFILES_DIR when listing profiles (fix path
      issue).
    - Do not pass a TPM 2 profile to swtpm when reconfiguring.
  + selinux:
    - Add rule for swtpm to be able to read password from pipe.
    - allow to map state file.
    - add NFS permissions for swtpm_t.
    - Add rule to allow swtpm_t opening of virt_log_t files.
- Drop 1229131-fix-swtpm-selinux-policy-mismatch.patch: fixed
  upstream.
- Add 1027.patch: tests: Retry NVWrite command after 0x922 return
  code and inc lockout counter.

OBS-URL: https://build.opensuse.org/request/show/1286045
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=52
2025-06-21 13:44:02 +00:00
ff70519425 Accepting request 1229046 from security
Fix build without %check (boo#1227364) (forwarded request 1229015 from bmwiedemann)

OBS-URL: https://build.opensuse.org/request/show/1229046
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=22
2024-12-09 20:09:43 +00:00
50a165265b Accepting request 1229015 from home:bmwiedemann:branches:security
Fix build without %check (boo#1227364)

OBS-URL: https://build.opensuse.org/request/show/1229015
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=50
2024-12-07 14:10:56 +00:00
d91126653b Accepting request 1228304 from security
- Update to 0.10.0:
  + swtpm:
    * Requires libtpms v0.10.0
    * Display tpmstate-opt-lock as a new capability
    * Add support for lock option parameter to tpmstate option
    * nvstore_linear: Add support for file-backend locking
    * Remove broken logic to check for neither dir nor file backend
    * Use ptm_cap_n to build PTM_GET_CAPABILITY response
    * Define a structure to return PTM_GET_CAPABILITY result
    * Implement --print-info to run TPMLIB_GetInfo with flags
    * Support --profile fd= to read profile from file descriptor
    * Support --profile file= to read profile from file
    * Ignore remove-disabled parameter on non-'custom' profile
    * Check for good entropy source in chroot environment
    * Implement a check for HMAC+sha1 for testing future restriction
    * Implement function to check whether a crypto algorithm is
      disabled
    * Print cmdarg-print-profiles as part of capabilities
    * Check whether SHA1 signature support is disabled in profile
    * Use TPMLIB_WasManufactured to check whether profile was applied
    * Determine whether OpenSSL needs to be configured (FIPs, SHA1
      signature)
    * Add support for --print-profiles option
    * Print profile names as part of capabilities JSON
    * Display new capability to allow setting a profile
    * Add support for --profile option to set a profile on TPM 2
  + swtpm_setup:
    * Comment flags for storage primary key and deprecate --create-spk
    * Implement --print-profiles to display all profiles
    * Add profile entries to swtpm_setup.conf written by swtpm_setup
    * Add support for --profile-name option
    * Accept profiles with name starting with 'custom:'
    * Support default profile from file in swtpm_setup.conf
    * Support --profile-file-fd to read profile from file descriptor
    * Support --profile-file to read profile from file
    * Always log the active profile
    * Implement --profile-remove-fips-disabled option
    * Read default profile from swtpm_setup.conf
    * Print profile names as part of capabilities JSON
    * Add support for --profile parameter
    * Get default rsa keysize from setup_setup.conf if not given
  + swtpm_ioctl:
    * Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
  + selinux:
    * Change write to append for appending to log
    * Add rule for logging to svirt_image_t labeled files from swtpm_t
  + tests:
    * Update IBMTSS2 test suite to v2.4.0
    * Test activation of PCR banks when not all are available
    * Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with
      profile
    * Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
    * Consolidate custom profile test cases and check for
      StateFormatLevel
    * Convert test_samples_create_tpmca to run installed
    * Mention test_tpm2_libtpms_versions_profiles requiring
      env. variables
    * allow running ibmtss2 tests against installed version
    * Derive support for CUSE from SWTPM_EXE help screen
    * Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
    * Extend test case testing across libtpms versions
    * Add test case for testing profiles across libtpms versions
    * Test the --profile option of swtpm_setup and swtpm
    * teach them to run installed
    * add installed-runner.sh
    * install tests on the system
    * lookup system binaries if INSTALLED is set
  + build-sys:
    * enable 64-bit file API on 32-bit systems
    * Add -Wshadow to the CFLAGS
    * Require that libtpms v0.10 is available for TPMLIB_SetProfile (forwarded request 1228302 from aplanas)

OBS-URL: https://build.opensuse.org/request/show/1228304
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=21
2024-12-05 16:05:19 +00:00
5f3eef7315 Accepting request 1228302 from home:aplanas:branches:security
- Update to 0.10.0:
  + swtpm:
    * Requires libtpms v0.10.0
    * Display tpmstate-opt-lock as a new capability
    * Add support for lock option parameter to tpmstate option
    * nvstore_linear: Add support for file-backend locking
    * Remove broken logic to check for neither dir nor file backend
    * Use ptm_cap_n to build PTM_GET_CAPABILITY response
    * Define a structure to return PTM_GET_CAPABILITY result
    * Implement --print-info to run TPMLIB_GetInfo with flags
    * Support --profile fd= to read profile from file descriptor
    * Support --profile file= to read profile from file
    * Ignore remove-disabled parameter on non-'custom' profile
    * Check for good entropy source in chroot environment
    * Implement a check for HMAC+sha1 for testing future restriction
    * Implement function to check whether a crypto algorithm is
      disabled
    * Print cmdarg-print-profiles as part of capabilities
    * Check whether SHA1 signature support is disabled in profile
    * Use TPMLIB_WasManufactured to check whether profile was applied
    * Determine whether OpenSSL needs to be configured (FIPs, SHA1
      signature)
    * Add support for --print-profiles option
    * Print profile names as part of capabilities JSON
    * Display new capability to allow setting a profile
    * Add support for --profile option to set a profile on TPM 2
  + swtpm_setup:
    * Comment flags for storage primary key and deprecate --create-spk
    * Implement --print-profiles to display all profiles
    * Add profile entries to swtpm_setup.conf written by swtpm_setup
    * Add support for --profile-name option
    * Accept profiles with name starting with 'custom:'
    * Support default profile from file in swtpm_setup.conf
    * Support --profile-file-fd to read profile from file descriptor
    * Support --profile-file to read profile from file
    * Always log the active profile
    * Implement --profile-remove-fips-disabled option
    * Read default profile from swtpm_setup.conf
    * Print profile names as part of capabilities JSON
    * Add support for --profile parameter
    * Get default rsa keysize from setup_setup.conf if not given
  + swtpm_ioctl:
    * Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
  + selinux:
    * Change write to append for appending to log
    * Add rule for logging to svirt_image_t labeled files from swtpm_t
  + tests:
    * Update IBMTSS2 test suite to v2.4.0
    * Test activation of PCR banks when not all are available
    * Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with
      profile
    * Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
    * Consolidate custom profile test cases and check for
      StateFormatLevel
    * Convert test_samples_create_tpmca to run installed
    * Mention test_tpm2_libtpms_versions_profiles requiring
      env. variables
    * allow running ibmtss2 tests against installed version
    * Derive support for CUSE from SWTPM_EXE help screen
    * Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
    * Extend test case testing across libtpms versions
    * Add test case for testing profiles across libtpms versions
    * Test the --profile option of swtpm_setup and swtpm
    * teach them to run installed
    * add installed-runner.sh
    * install tests on the system
    * lookup system binaries if INSTALLED is set
  + build-sys:
    * enable 64-bit file API on 32-bit systems
    * Add -Wshadow to the CFLAGS
    * Require that libtpms v0.10 is available for TPMLIB_SetProfile

OBS-URL: https://build.opensuse.org/request/show/1228302
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=48
2024-12-04 12:48:57 +00:00
f088900df9 Accepting request 1202016 from security
- Fix swtpm custom module (bsc#1229131)
  - Add patch: 1229131-fix-swtpm-selinux-policy-mismatch.patch
  - this can be removed once swtpm upstream sorts out their custom selinux module.
    see: https://github.com/stefanberger/swtpm/issues/885
    there were a couple changes in the selinux-policy libvirt handling
    which causes the logfile in /var/log/swtpm/libvirt/qemu/*.log to be labeled
    virt_log_t instead of var_log_t. this patch allows swtpm_t to open the virt_log_t (forwarded request 1202015 from cahu)

OBS-URL: https://build.opensuse.org/request/show/1202016
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=20
2024-09-20 15:09:01 +00:00
cba206f0a4 Accepting request 1202015 from home:cahu:branches:security
- Fix swtpm custom module (bsc#1229131)
  - Add patch: 1229131-fix-swtpm-selinux-policy-mismatch.patch
  - this can be removed once swtpm upstream sorts out their custom selinux module.
    see: https://github.com/stefanberger/swtpm/issues/885
    there were a couple changes in the selinux-policy libvirt handling
    which causes the logfile in /var/log/swtpm/libvirt/qemu/*.log to be labeled
    virt_log_t instead of var_log_t. this patch allows swtpm_t to open the virt_log_t

OBS-URL: https://build.opensuse.org/request/show/1202015
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=46
2024-09-19 14:01:38 +00:00
94954e1745 Accepting request 1191034 from security
OBS-URL: https://build.opensuse.org/request/show/1191034
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=19
2024-08-06 07:07:07 +00:00
4811fee0f5 Accepting request 1190897 from home:rrahl0
- update to 0.9.0:
  - fixes: boo#1226398
  - swtpm:
    - Use umask() to create/truncated state file rather than fchmod()
    - Use fchmod to set mode bits provided by user
    - Replace mkstemp with g_mkstemp_full (Coverity)
    - fix typo in help message
    - cuse: Fix Coverity complaints regarding locks
    - Fix double free in error path
    - Close fd after main loop
    - Restore logging to stderr on log open failure
  - swtpm_setup:
    - Fail --pcr-banks without --tpm2
    - Fail --decryption or --allow-signing without --tpm2
    - Initialized argv in get_swtpm_capabilities()
    - Flush spk after persisting to create room for another key
    - Refactor duplicate code into swtpm_tpm2_write_cert_nvram
    - Move persisting of certificate into tpm2_persist_certificate
    - Pass key_type to function creating filename for key
    - Add scheme parameter before curveid to createprimary_ecc
    - Rename is_ek to preserve for future extension
    - Mask-out EK and platform certificate flags and set cert_flags
    - Move common code into new function read_certificate_file()
    - Exit with '0' upon --version rather than '1'
    - Close file descriptors passed to swtpm process on parent side
    - Make stdout unbuffered
    - Use medium duration on TSC_PhysicalPresence to avoid timeouts
    - Add poll() after write() and before read() to detect errors
  - swtpm_localca:
    - Add support for up to 20 bytes serial numbers

OBS-URL: https://build.opensuse.org/request/show/1190897
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=44
2024-08-01 18:11:21 +00:00
22611c8202 Accepting request 1118837 from security
- Add missing requires for certtool (forwarded request 1118747 from firstyear)

OBS-URL: https://build.opensuse.org/request/show/1118837
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=18
2023-10-19 20:46:56 +00:00
eb953dc702 Accepting request 1118747 from home:firstyear:branches:security
- Add missing requires for certtool

OBS-URL: https://build.opensuse.org/request/show/1118747
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=42
2023-10-19 07:29:40 +00:00
1de2679ea3 Accepting request 1111638 from security
- Update to version 0.8.1:
  - swtpm:
    -   Restore logging to stderr on log open failure
  - swtpm_setup:
    -   Exit with '0' upon --version rather than '1'.
    -   Initialized @argv in get_swtpm_capabilities()
  - swtpm_localca:
    -   Add missing NULL option to end of array
  - SELinux:
    -   Add rules for user_tpm_t:sockfile to allow unlink
    -   Add rules for sock_file on user_tmp_t (forwarded request 1111637 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1111638
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=17
2023-09-26 20:00:32 +00:00
2cf67913d8 Accepting request 1111637 from home:msmeissn:branches:security
- Update to version 0.8.1:
  - swtpm:
    -   Restore logging to stderr on log open failure
  - swtpm_setup:
    -   Exit with '0' upon --version rather than '1'.
    -   Initialized @argv in get_swtpm_capabilities()
  - swtpm_localca:
    -   Add missing NULL option to end of array
  - SELinux:
    -   Add rules for user_tpm_t:sockfile to allow unlink
    -   Add rules for sock_file on user_tmp_t

OBS-URL: https://build.opensuse.org/request/show/1111637
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=40
2023-09-16 10:14:31 +00:00
24c72f73d1 Accepting request 1096892 from security
- Make selinux optional to allow building this package for Leap, too. (forwarded request 1093513 from manfred-h)

OBS-URL: https://build.opensuse.org/request/show/1096892
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=16
2023-07-06 16:27:54 +00:00
ae891910ac Accepting request 1093513 from home:manfred-h
- Make selinux optional to allow building this package for Leap, too.

OBS-URL: https://build.opensuse.org/request/show/1093513
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=38
2023-07-05 06:54:53 +00:00
527fc2a3f9 Accepting request 1084024 from security
- remove python3 dependency, no longer needed after rewrite (bsc#1211010) (forwarded request 1084023 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1084024
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=15
2023-05-03 10:56:27 +00:00
0658857c43 Accepting request 1084023 from home:msmeissn:branches:security
- remove python3 dependency, no longer needed after rewrite (bsc#1211010)

OBS-URL: https://build.opensuse.org/request/show/1084023
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=36
2023-05-02 12:16:37 +00:00
a0ec5348e5 Accepting request 1073549 from security
bsc#1209117 (forwarded request 1073548 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1073549
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=14
2023-03-24 14:15:57 +00:00
aedf625f94 Accepting request 1073548 from home:msmeissn:branches:security
bsc#1209117

OBS-URL: https://build.opensuse.org/request/show/1073548
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=34
2023-03-21 12:57:57 +00:00
a2738a017a Accepting request 1073545 from home:msmeissn:branches:security
- swtpm-fix-build.patch: disable -Wstack-protector, it fails on s390x

OBS-URL: https://build.opensuse.org/request/show/1073545
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=33
2023-03-21 12:51:07 +00:00
41c94411c4 Accepting request 1069861 from security
- Drop trousers requirement

- Update to version 0.8.0:
  * swtpm:
    + Implement release-lock-outgoing parameter for --migration option
    + Introduce --migration option and 'incoming' parameter
    + Implement terminate parameter for ctrl channel loss
    + Add a chroot option
    + Introduce disable-auto-shutdown flag for --flags option
    + If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
    + Add some more recent syscalls to seccomp profile
    + Disable OpenSSL FIPS mode to avoid libtpms failures
    + Avoid locking directory multiple times
    + Remove support for pre-v0.1 state files without header
    + Use uint64_t in tlv_data_append() to avoid integer overflows
    + Use uint64_t to avoid integer wrap-around when adding a uint32_t
    + Do not chdir(/) when using --daemon
    + Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
    + Fixes for gcc 12.2.1 -fanalyzer
  * build-sys:
    + Fix configure script to support _FORTIFY_SOURCE=3
    + Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
  * swtpm-localca:
    + Re-implement variable resolution for swtpm-localca.conf
    + Test for available issuercert before creating CA
  * swtpm_setup:
    + Configure swtpm to log to stdout/err if needed (glib >=2.74)
  * tests:
    + Use ${WORKDIR} in config files to test env. var replacement
    + Patch IBM TSS2 test suite for OpenSSL 3.x

OBS-URL: https://build.opensuse.org/request/show/1069861
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=13
2023-03-08 13:51:29 +00:00
3af01b2789 + Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=31
2023-03-07 08:25:52 +00:00
0417008d7a Accepting request 1069732 from home:aplanas:branches:security
- Drop trousers requirement

- Update to version 0.8.0:
  * swtpm:
    + Implement release-lock-outgoing parameter for --migration option
    + Introduce --migration option and 'incoming' parameter
    + Implement terminate parameter for ctrl channel loss
    + Add a chroot option
    + Introduce disable-auto-shutdown flag for --flags option
    + If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
    + Add some more recent syscalls to seccomp profile
    + Disable OpenSSL FIPS mode to avoid libtpms failures
    + Avoid locking directory multiple times
    + Remove support for pre-v0.1 state files without header
    + Use uint64_t in tlv_data_append() to avoid integer overflows
    + Use uint64_t to avoid integer wrap-around when adding a uint32_t
    + Do not chdir(/) when using --daemon
    + Check header size indicator against expected size (CVE-2022-23645)
    + Fixes for gcc 12.2.1 -fanalyzer
  * build-sys:
    + Fix configure script to support _FORTIFY_SOURCE=3
    + Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
  * swtpm-localca:
    + Re-implement variable resolution for swtpm-localca.conf
    + Test for available issuercert before creating CA
  * swtpm_setup:
    + Configure swtpm to log to stdout/err if needed (glib >=2.74)
  * tests:
    + Use ${WORKDIR} in config files to test env. var replacement
    + Patch IBM TSS2 test suite for OpenSSL 3.x

OBS-URL: https://build.opensuse.org/request/show/1069732
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=30
2023-03-07 08:25:26 +00:00
b77d0ad618 Accepting request 974426 from security
- Updated to version 0.7.3:
  - swtpm:
    - Use uint64_t in tlv_data_append() to avoid integer overflows
    - Use uint64_t to avoid integer wrap-around when adding a uint32_t
- removed allow-FORTIFY_SOURCE=3.patch (upstreamed) (forwarded request 973850 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/974426
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=12
2022-05-04 13:17:37 +00:00
7301db9a1b Accepting request 973850 from home:msmeissn:branches:security
- Updated to version 0.7.3:
  - swtpm:
    - Use uint64_t in tlv_data_append() to avoid integer overflows
    - Use uint64_t to avoid integer wrap-around when adding a uint32_t
- removed allow-FORTIFY_SOURCE=3.patch (upstreamed)

OBS-URL: https://build.opensuse.org/request/show/973850
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=28
2022-05-02 13:42:36 +00:00
e4cda68aa3 Accepting request 967242 from security
- Cherry-pick upstream patch allow-FORTIFY_SOURCE=3.patch. (forwarded request 967210 from marxin)

OBS-URL: https://build.opensuse.org/request/show/967242
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=11
2022-04-07 22:27:22 +00:00
60827af161 Accepting request 967210 from home:marxin:branches:security
- Cherry-pick upstream patch allow-FORTIFY_SOURCE=3.patch.

OBS-URL: https://build.opensuse.org/request/show/967210
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=26
2022-04-06 08:39:04 +00:00
c59c56cf0e Accepting request 960503 from security
- Update to version 0.7.2:
  - swtpm:
    - Do not chdir(/) when using --daemon
  - swtpm-localca:
    - Re-implement variable resolution for swtpm-localca.conf
  - tests:
    - Use ${WORKDIR} in config files to test env. var replacement
  - man pages:
    - Add missing .config directory to path description when using ${HOME}
  - build-sys:
    - Add probing for -fstack-protector (forwarded request 960501 from wfrisch)

OBS-URL: https://build.opensuse.org/request/show/960503
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=10
2022-03-11 20:41:04 +00:00
0a25005462 Accepting request 960501 from home:wfrisch:branches:security
- Update to version 0.7.2:
  - swtpm:
    - Do not chdir(/) when using --daemon
  - swtpm-localca:
    - Re-implement variable resolution for swtpm-localca.conf
  - tests:
    - Use ${WORKDIR} in config files to test env. var replacement
  - man pages:
    - Add missing .config directory to path description when using ${HOME}
  - build-sys:
    - Add probing for -fstack-protector

OBS-URL: https://build.opensuse.org/request/show/960501
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=24
2022-03-09 14:19:29 +00:00
8ee64add93 Accepting request 957026 from security
OBS-URL: https://build.opensuse.org/request/show/957026
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=9
2022-02-24 17:18:18 +00:00
518202c980 Accepting request 956473 from home:msmeissn:branches:security
- Update to version 0.7.1:
  - swtpm:
    - Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
  - swtpm_localca:
    - Test for available issuercert before creating CA

OBS-URL: https://build.opensuse.org/request/show/956473
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=23
2022-02-23 12:02:37 +00:00
2a18115b4c Accepting request 930649 from security
- Update to version 0.7.0:
  - swtpm:
    - Support for linear file storage backend (file://)
    - Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what
      libtpms supports
    - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
    - Wipe keys from stack and heap
    - Many other small changes
    - Make --daemon not racy
  - swtpm_setup:
    - Only activate SHA256 PCR bank, not SHA1 bank anymore by default
    - Support for linear file storage backend (file://)
    - Implement option --create-config-files to create config files
    - Use non-deprecated APIs to construct RSA key (OSSL 3)
    - Report stderr as returned by external tool (swtpm-localcal)
    - Replace '+' and ',' characters in VMId's to make work with
      common name in X509 subject
    - Add support for --reconfigure flag to change active PCR banks
  - swtpm_localca:
    - Created certificates for CAs and TPM that do not expire
  - swtpm_cert:
    - Allow passing -1 for days to get a non-expiring certificate
  - test:
    - ASAN-related test changes and skipping of tests if ASAN is used
    - Fix tests using tpm2-abrmd by preventing concurrency
    - Skip chardev related tests after checking for chardev support
    - exit with error code if mktemp fails
    - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test
  - build-sys:
    - Introduce --enable-sanitizers to configure

OBS-URL: https://build.opensuse.org/request/show/930649
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=8
2021-11-12 14:59:06 +00:00
454ef570a1 - Update to version 0.7.0:
  - swtpm:
    - Support for linear file storage backend (file://)
    - Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what
      libtpms supports
    - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
    - Wipe keys from stack and heap
    - Many other small changes
    - Make --daemon not racy
  - swtpm_setup:
    - Only activate SHA256 PCR bank, not SHA1 bank anymore by default
    - Support for linear file storage backend (file://)
    - Implement option --create-config-files to create config files
    - Use non-deprecated APIs to construct RSA key (OSSL 3)
    - Report stderr as returned by external tool (swtpm-localcal)
    - Replace '+' and ',' characters in VMId's to make work with
      common name in X509 subject
    - Add support for --reconfigure flag to change active PCR banks
  - swtpm_localca:
    - Created certificates for CAs and TPM that do not expire
  - swtpm_cert:
    - Allow passing -1 for days to get a non-expiring certificate
  - test:
    - ASAN-related test changes and skipping of tests if ASAN is used
    - Fix tests using tpm2-abrmd by preventing concurrency
    - Skip chardev related tests after checking for chardev support
    - exit with error code if mktemp fails
    - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test
  - build-sys:
    - Introduce --enable-sanitizers to configure

OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=22
2021-11-10 08:50:07 +00:00
dd57fb7f52 Accepting request 920852 from security
- Update to version 0.6.1:
  - swtpm:
    - Clear keys from stack and heap
  - swtpm-localca:
    - Add missing else branch for pkcs11 and PIN
  - swtpm_setup:
    - Initialize Gerror and free it
    - Replace '\\s' in regex with [[:space:]] to fix cygwin
  - tests:
    - Kill tpm2-abrmd with SIGKILL rather than SIGTERM
  - build-sys:
    - Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3)
    - Enable configuring with CFLAGS and passing additional CFLAGS on build

OBS-URL: https://build.opensuse.org/request/show/920852
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=7
2021-09-26 19:48:17 +00:00
254a2f471f - Update to version 0.6.1:
  - swtpm:
    - Clear keys from stack and heap
  - swtpm-localca:
    - Add missing else branch for pkcs11 and PIN
  - swtpm_setup:
    - Initialize Gerror and free it
    - Replace '\\s' in regex with [[:space:]] to fix cygwin
  - tests:
    - Kill tpm2-abrmd with SIGKILL rather than SIGTERM
  - build-sys:
    - Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3)
    - Enable configuring with CFLAGS and passing additional CFLAGS on build

OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=21
2021-09-22 09:35:00 +00:00
Richard Brown
14f512fbac Accepting request 912783 from security
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/912783
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=6
2021-08-19 11:06:39 +00:00
6c7a481842 Accepting request 911320 from home:gmbr3:Active
minor change

OBS-URL: https://build.opensuse.org/request/show/911320
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=20
2021-08-16 13:22:06 +00:00
15c51ad7f1 - swtpm-rename_deprecated_libtasn1_types.patch: upstream
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=19
2021-08-09 08:56:23 +00:00
060b5a7f72 Accepting request 910608 from home:gmbr3:Active
- Update to version 0.6.0:
  - Addressed potential symlink attack issue (CVE-2020-28407)
  - Rewritten in 'C'; needs json-glib
  - Use timeouts for communicating with swtpm (Unix socket)
  - Fix --print-capabilities for 'swtpm chardev'
  - Various cleanups and fixes (coverity)
- Enable selinux support

OBS-URL: https://build.opensuse.org/request/show/910608
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=18
2021-08-09 08:47:13 +00:00
b52a217001 Accepting request 894591 from security
OBS-URL: https://build.opensuse.org/request/show/894591
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=5
2021-05-21 19:49:39 +00:00
e592f545df Accepting request 894521 from home:pmonrealgonzalez:branches:security
- swtpm_cert: rename deprecated libtasn1 types.
  * https://github.com/stefanberger/swtpm/pull/443
  * Add swtpm-rename_deprecated_libtasn1_types.patch

OBS-URL: https://build.opensuse.org/request/show/894521
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=16
2021-05-20 09:56:17 +00:00
e58afad4a0 Accepting request 858915 from security
OBS-URL: https://build.opensuse.org/request/show/858915
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=4
2020-12-28 09:30:50 +00:00
9dfdb5c9f7 Accepting request 858841 from home:msmeissn:branches:security
- Update to version 0.5.2
  - swtpm:
    - Fix potential buffer overflow related to largely unused data hashing
      function in control channel
    - swtpm: Unconditionally close fd if writing of pidfile fails (coverity)
  - swtpm_setup:
    - Increase timeout from 10s to 30s for slower machines
  - Travis:
    - Not building on OS X anymore due to additional costs

OBS-URL: https://build.opensuse.org/request/show/858841
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=14
2020-12-28 01:23:52 +00:00
4d29bf8bda Accepting request 858005 from security
- Create /var/lib/swtpm-localca to store the keys created by swtpm-localca (bsc#1179811)
- Replace net-tools-deprecated with iproute2 since the scripts in swtpm now can use 'ss' instead of 'netstat'

OBS-URL: https://build.opensuse.org/request/show/858005
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=3
2020-12-22 10:52:12 +00:00
47cedf83af Accepting request 858004 from home:gary_lin:branches:security
Use "Requires user(tss)" for the "tss" user and group

OBS-URL: https://build.opensuse.org/request/show/858004
OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=12
2020-12-22 08:05:26 +00:00