1072b4fb36
- add gcc16-compat.patch (bsc#1256989): gcc16 complains about an unused variable in strpbrk_s. It seems the slen parameter is not enforced at all. The patch changes that, hopefully without causing regressions.
Matthias Gerstner2026-01-21 09:59:57 +00:00
9c3cddcdfa
Accepting request 1294047 from security
Ana Guerrero2025-07-17 15:26:43 +00:00
f7f61265a8
- updated to version 20250417: v1.11.10 - Fix the issue causing tboot to hang during waking up processors from txt sleep on DMR simics - add .gpg signature and tboot.keyring - tboot-cet.patch: add a missing ENDBR64 instruction when kernel is using CET (bsc#1246573)
Matthias Gerstner2025-07-17 08:07:34 +00:00
bc81fe3e8f
Accepting request 1293792 from home:msmeissn:branches:security
Matthias Gerstner2025-07-17 08:07:34 +00:00
468bce527d
Accepting request 1247027 from security
Ana Guerrero2025-02-20 15:36:48 +00:00
b30a3f80f6
Accepting request 1247027 from security
Ana Guerrero2025-02-20 15:36:48 +00:00
c9f47e683e
- update to version 1.11.9 : - Merge TXT Protected Range support branch. - Remove unncessary OPENSSL_free from lcputils.c and add a functionality to move ACM modules from the address range below TBOOT to above TBOOT, to allow the usage of ACMs bigger than 256KB. - Restore call to configure_vtd. - refresh and adjust tboot-bsc#1207833-copy-mbi.patch - refresh tboot-distributor.patch - refresh tboot-fix-alloc-size-warning.patch - refresh tboot-grub2-fix-menu-in-xen-host-server.patch - refresh tboot-grub2-fix-xen-submenu-name.patch - refresh tboot-grub2-refuse-secure-boot.patch
Matthias Gerstner2025-02-19 11:03:00 +00:00
c0d06989dd
- update to version 1.11.9 : - Merge TXT Protected Range support branch. - Remove unncessary OPENSSL_free from lcputils.c and add a functionality to move ACM modules from the address range below TBOOT to above TBOOT, to allow the usage of ACMs bigger than 256KB. - Restore call to configure_vtd. - refresh and adjust tboot-bsc#1207833-copy-mbi.patch - refresh tboot-distributor.patch - refresh tboot-fix-alloc-size-warning.patch - refresh tboot-grub2-fix-menu-in-xen-host-server.patch - refresh tboot-grub2-fix-xen-submenu-name.patch - refresh tboot-grub2-refuse-secure-boot.patch
Matthias Gerstner2025-02-19 11:03:00 +00:00
3f42461b8c
- add tboot-fix-alloc-size-warning.patch: newest GCC spits out this error: `` pconf_legacy.c: In function ‘create’: pconf_legacy.c:327:16: error: allocation of insufficient size ‘20’ for type ‘tb_hash_t’ with size ‘64’ [-Werror=alloc-size] 327 | digest = malloc(SHA1_DIGEST_SIZE); | ^ `` There's a union data type behind this. It's not an actual error. To get rid of the warning, the patch allocates the full union size, thereby wasting a bit of memory.
Matthias Gerstner2024-08-28 08:45:07 +00:00
ea51742ebe
- add tboot-fix-alloc-size-warning.patch: newest GCC spits out this error: `` pconf_legacy.c: In function ‘create’: pconf_legacy.c:327:16: error: allocation of insufficient size ‘20’ for type ‘tb_hash_t’ with size ‘64’ [-Werror=alloc-size] 327 | digest = malloc(SHA1_DIGEST_SIZE); | ^ `` There's a union data type behind this. It's not an actual error. To get rid of the warning, the patch allocates the full union size, thereby wasting a bit of memory.
Matthias Gerstner2024-08-28 08:45:07 +00:00
c3c47a7eef
Accepting request 1183112 from security
Ana Guerrero2024-06-25 21:08:38 +00:00
3fe3f9bb16
Accepting request 1183112 from security
Ana Guerrero2024-06-25 21:08:38 +00:00
d464f59886
- add tboot-bsc#1207833-copy-mbi.patch: correctly move MBI from a lower address above tboot (bsc#1207833). This fixes a broken boot situation in some configurations stopping with log line "TBOOT: loader context was moved from 0x<address> to 0x<address>". this patch syncs the Factory package with the SLE package. For some reason I forgot to add the patch to Factory first. Also upstream did not react to the patch, that I posted to their mailing list, so it's not contained in the upstream tarball.
Matthias Gerstner2024-06-25 07:38:05 +00:00
434a524ed8
- add tboot-bsc#1207833-copy-mbi.patch: correctly move MBI from a lower address above tboot (bsc#1207833). This fixes a broken boot situation in some configurations stopping with log line "TBOOT: loader context was moved from 0x<address> to 0x<address>". this patch syncs the Factory package with the SLE package. For some reason I forgot to add the patch to Factory first. Also upstream did not react to the patch, that I posted to their mailing list, so it's not contained in the upstream tarball.
Matthias Gerstner2024-06-25 07:38:05 +00:00
6b0e346afb
Accepting request 1181402 from security
Ana Guerrero2024-06-18 20:51:40 +00:00
cd8e442ddd
Accepting request 1181402 from security
Ana Guerrero2024-06-18 20:51:40 +00:00
1c971e8e8b
- add tboot.rpmlintrc: suppress warning about missing %check section. There's no testsuite for tboot. - mark grub.d snippets as %config (noreplace) to satisfy rpmlint warning (the grub2 package itself marks its snippets this way, so it seems to be common standard to do so). - update to v1.11.4: * v1.11.4 Increase the TBOOT log size from 32 KB to 64 KB. For some Intel server platforms, it was noticed that TBOOT_SERIAL_LOG memory section was too small to hold all of the print logs, produced by TBOOT. Due to this reason TBOOT log section memory size had to be increase to 64KB. * v1.11.3 Fix the hanging TBOOT issue, which appeared during the RLPs wakeup process on the Intel's multisocket platform. This problem appeared during the AP stacks allocations for these RLPs. TBOOT allocated memory for them depending on the woken-up CPUs X2 APIC values. When some of them exceeded the NR_CPUS (1024), then the RLP wakeup process execution halted. For the current moment, the maximal X2 APID value was increased from 1024 to 8192. This kind of solution fixed the given problem. * v1.11.2 Fix the RAM memory allocation algorithm for the initrd.
Matthias Gerstner2024-06-17 13:15:36 +00:00
bc94cb96ee
- add tboot.rpmlintrc: suppress warning about missing %check section. There's no testsuite for tboot. - mark grub.d snippets as %config (noreplace) to satisfy rpmlint warning (the grub2 package itself marks its snippets this way, so it seems to be common standard to do so). - update to v1.11.4: * v1.11.4 Increase the TBOOT log size from 32 KB to 64 KB. For some Intel server platforms, it was noticed that TBOOT_SERIAL_LOG memory section was too small to hold all of the print logs, produced by TBOOT. Due to this reason TBOOT log section memory size had to be increase to 64KB. * v1.11.3 Fix the hanging TBOOT issue, which appeared during the RLPs wakeup process on the Intel's multisocket platform. This problem appeared during the AP stacks allocations for these RLPs. TBOOT allocated memory for them depending on the woken-up CPUs X2 APIC values. When some of them exceeded the NR_CPUS (1024), then the RLP wakeup process execution halted. For the current moment, the maximal X2 APID value was increased from 1024 to 8192. This kind of solution fixed the given problem. * v1.11.2 Fix the RAM memory allocation algorithm for the initrd.
Matthias Gerstner2024-06-17 13:15:36 +00:00
57a0bdcf1d
rpmlintrc: filter out warning about missing check section
Matthias Gerstner2024-06-17 13:08:27 +00:00
af8cc6b263
rpmlintrc: filter out warning about missing check section
Matthias Gerstner2024-06-17 13:08:27 +00:00
c703ba81f8
- required update due to openSSL 3.0 deprecation errors in current version - updated to v1.11.1 / 20230125: 20230125: v1.11.1 - Revert log memory range extension (caused memory overlaps and boot failures) 20221223: v1.11.0 - Fixed TPM handling to flush objects after integrity measurement (Intel PTT limitations) - Exteded low memory range for logs (HCC CPUs had issue with not enough memory) - "agile" removed from PCR Extend policy options (requested deprecation) - Added handling for flexible ACM Info Table format - lcptools: CPPFLAGS use by environment in build - lcptools: removed __DATE__ refs to make build reproducible - Only platform-matchin SINIT modules can be selected - txt-acminfo: Map TXT heap using mmap - Typo fix in man page 20220304: v1.10.5 - Fixed mlehash.c to bring back functionality and make it GCC12 compliant - Reverted change for replacing EFI memory to bring back Tboot in-memory logs 20220224: v1.10.4 - Fix hash printing for SHA384, SHA512 and SM3 - Touch ups for GCC12 - Set GDT to map CS and DS to 4GB before jumping to Linux - make efi_memmap_reserve handle gaps like e820_protect_region - Ensure that growth of Multiboot tags does not go beyond original area - Replace EFI memory map in Multiboot2 info - Fix endianness of pcr_info->pcr_selection.size_of_select - Don't ignore locality in PCR file - Fix composite hashing algorithm for PCONF elements to match lcptools-1 20211210: v1.10.3 - Add UNI-VGA license information - Remove poly1305 object files on clean
Matthias Gerstner2023-02-06 10:59:21 +00:00
8ecb1d8928
- required update due to openSSL 3.0 deprecation errors in current version - updated to v1.11.1 / 20230125: 20230125: v1.11.1 - Revert log memory range extension (caused memory overlaps and boot failures) 20221223: v1.11.0 - Fixed TPM handling to flush objects after integrity measurement (Intel PTT limitations) - Exteded low memory range for logs (HCC CPUs had issue with not enough memory) - "agile" removed from PCR Extend policy options (requested deprecation) - Added handling for flexible ACM Info Table format - lcptools: CPPFLAGS use by environment in build - lcptools: removed __DATE__ refs to make build reproducible - Only platform-matchin SINIT modules can be selected - txt-acminfo: Map TXT heap using mmap - Typo fix in man page 20220304: v1.10.5 - Fixed mlehash.c to bring back functionality and make it GCC12 compliant - Reverted change for replacing EFI memory to bring back Tboot in-memory logs 20220224: v1.10.4 - Fix hash printing for SHA384, SHA512 and SM3 - Touch ups for GCC12 - Set GDT to map CS and DS to 4GB before jumping to Linux - make efi_memmap_reserve handle gaps like e820_protect_region - Ensure that growth of Multiboot tags does not go beyond original area - Replace EFI memory map in Multiboot2 info - Fix endianness of pcr_info->pcr_selection.size_of_select - Don't ignore locality in PCR file - Fix composite hashing algorithm for PCONF elements to match lcptools-1 20211210: v1.10.3 - Add UNI-VGA license information - Remove poly1305 object files on clean
Matthias Gerstner2023-02-06 10:59:21 +00:00
7e7325de13
- no longer needs TrouSerS dependency due to deprecation
Matthias Gerstner2021-01-19 14:39:35 +00:00
971aa5d3ed
- no longer needs TrouSerS dependency due to deprecation
Matthias Gerstner2021-01-19 14:39:35 +00:00
34c030a2c0
- release 1.10.0 ramifications: - README is now README.md - acminfo and parse_err now are called txt-acminfo and txt-parse_err - lcptools are deprecated (tpm 1.2, TrouSerS dependency) and are no longer packaged. - update to new upstream release 1.10.0:
Matthias Gerstner2021-01-19 14:37:07 +00:00
2d67f24f7f
- release 1.10.0 ramifications: - README is now README.md - acminfo and parse_err now are called txt-acminfo and txt-parse_err - lcptools are deprecated (tpm 1.2, TrouSerS dependency) and are no longer packaged. - update to new upstream release 1.10.0:
Matthias Gerstner2021-01-19 14:37:07 +00:00
9bf0655b2e
- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new upstream version. - tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream version.
Matthias Gerstner2021-01-19 14:02:23 +00:00
850225889f
- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new upstream version. - tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream version.
Matthias Gerstner2021-01-19 14:02:23 +00:00
61bba470d2
- update to new upstream erlease 1.10.0: - Rename TXT related tools to have 'txt-' prefix - Clarify license issues - Fix issues reported by Coverity Scan - Ensure txt-acminfo does not print false information if msr is not loaded - Fix issue with multiboot(1) booting - infinite loop during boot - Fix issue with TPM1.2 - invalid default policy - Unmask NMI# after returning from SINIT - Update GRUB scripts to use multiboot2 only - Enable VGA logging for EFI platforms - Add warning when using SHA1 as hashing algorithm - Add Doxygen documentation - Replace VMAC with Poly1305 - Validate TPM NV index attributes - Move old lcptool to deprecated folder and exclude from build - TrouSerS is not longer required to build - lcptools-v2: meet requirements from MLE DG rev16 - lcptools-v2: Implement SM2 signing and SM2 signature verification - lcptools-v2: Set aux_hash_alg_mask to 0 when policy version != 0x300
Matthias Gerstner2021-01-19 13:41:44 +00:00
8f8ba7cb23
- update to new upstream erlease 1.10.0: - Rename TXT related tools to have 'txt-' prefix - Clarify license issues - Fix issues reported by Coverity Scan - Ensure txt-acminfo does not print false information if msr is not loaded - Fix issue with multiboot(1) booting - infinite loop during boot - Fix issue with TPM1.2 - invalid default policy - Unmask NMI# after returning from SINIT - Update GRUB scripts to use multiboot2 only - Enable VGA logging for EFI platforms - Add warning when using SHA1 as hashing algorithm - Add Doxygen documentation - Replace VMAC with Poly1305 - Validate TPM NV index attributes - Move old lcptool to deprecated folder and exclude from build - TrouSerS is not longer required to build - lcptools-v2: meet requirements from MLE DG rev16 - lcptools-v2: Implement SM2 signing and SM2 signature verification - lcptools-v2: Set aux_hash_alg_mask to 0 when policy version != 0x300
Matthias Gerstner2021-01-19 13:41:44 +00:00
21fd0c099e
- add tboot-grub2-refuse-secure-boot.patch: don't generate tboot menu entries in grub when the system is running with UEFI Secure Boot (bsc#1175114). This prevents hard to understand error messages when trying to boot tboot in this context.
Matthias Gerstner2020-11-12 12:21:14 +00:00
262a904f86
- add tboot-grub2-refuse-secure-boot.patch: don't generate tboot menu entries in grub when the system is running with UEFI Secure Boot (bsc#1175114). This prevents hard to understand error messages when trying to boot tboot in this context.
Matthias Gerstner2020-11-12 12:21:14 +00:00
ce270e1582
- update to new upstream release 1.9.12: - changes from 1.9.12: - Release localities in S3 flow for CRB interface - Config.mk, safestringlib/makefile : allow tool overrides - safestringlib: fix warnings with GCC 6.4.0 - Strip executable file before generating tboot.gz - Add support for EFI memory map parse/modification - Add SHA384 and SHA512 digest algorithms - lcptools-v2: add pconf2 policy element support - tb_polgen: Add SHA384 and SHA512 support - Disable GCC9 address-of-packed-member warning - Fix warnings after "Avoid unsafe functions" scan - Use SHA256 as default hashing algorithm - changes from 1.9.11: - tb_polgen: Add support for SHA256 - Configure IOMMU before executing GETSEC[SENTER] - SINIT ACM can have padding, handle that when checking size - disable-address-of-packed-member-warning.patch: now contained upstream - tboot-grub2-fix-xen-submenu-name.patch: refreshed
Matthias Gerstner2020-09-28 12:21:37 +00:00
ff000dc19b
- update to new upstream release 1.9.12: - changes from 1.9.12: - Release localities in S3 flow for CRB interface - Config.mk, safestringlib/makefile : allow tool overrides - safestringlib: fix warnings with GCC 6.4.0 - Strip executable file before generating tboot.gz - Add support for EFI memory map parse/modification - Add SHA384 and SHA512 digest algorithms - lcptools-v2: add pconf2 policy element support - tb_polgen: Add SHA384 and SHA512 support - Disable GCC9 address-of-packed-member warning - Fix warnings after "Avoid unsafe functions" scan - Use SHA256 as default hashing algorithm - changes from 1.9.11: - tb_polgen: Add support for SHA256 - Configure IOMMU before executing GETSEC[SENTER] - SINIT ACM can have padding, handle that when checking size - disable-address-of-packed-member-warning.patch: now contained upstream - tboot-grub2-fix-xen-submenu-name.patch: refreshed
Matthias Gerstner2020-09-28 12:21:37 +00:00
ec6bd55c12
- explicitly disable gcc9 link time optimization to fix the build and avoid trouble in low level tboot code.
Matthias Gerstner2019-07-11 08:07:22 +00:00
8a52f8ef33
- explicitly disable gcc9 link time optimization to fix the build and avoid trouble in low level tboot code.
Matthias Gerstner2019-07-11 08:07:22 +00:00
dea1af16fd
- add disable-address-of-packed-member-warning.patch: taken over patch found in the Fedora package to disable a new gcc-9 warning that breaks the build.
Matthias Gerstner2019-05-28 08:19:57 +00:00
6a9ce7fdb1
- add disable-address-of-packed-member-warning.patch: taken over patch found in the Fedora package to disable a new gcc-9 warning that breaks the build.
Matthias Gerstner2019-05-28 08:19:57 +00:00
a0b0d20006
- update to new upstream release 1.9.10: - changes from 1.9.10: - lcp-gen2: update with latest version (wxWidgets wildcard bugfix) - print latest tag in logs - add support for 64bit framebuffer address - changes from 1.9.9: - tools: fix some dereference-NULL issues reported by klocwork - tools: replace banned mem/str fns with corresponding ones in safestringlib - Add safestringlib code to support replacement of banned mem/str fns - lcptools: remove tools supporting platforms before 2008 - tboot: update string/memory fn name to differentiate from c lib - Fix a harmless overflow caused by wrong loop limits - rebased patches to match new upstream version
Matthias Gerstner2019-05-20 11:24:27 +00:00
ed44a45d0a
- update to new upstream release 1.9.10: - changes from 1.9.10: - lcp-gen2: update with latest version (wxWidgets wildcard bugfix) - print latest tag in logs - add support for 64bit framebuffer address - changes from 1.9.9: - tools: fix some dereference-NULL issues reported by klocwork - tools: replace banned mem/str fns with corresponding ones in safestringlib - Add safestringlib code to support replacement of banned mem/str fns - lcptools: remove tools supporting platforms before 2008 - tboot: update string/memory fn name to differentiate from c lib - Fix a harmless overflow caused by wrong loop limits - rebased patches to match new upstream version
Matthias Gerstner2019-05-20 11:24:27 +00:00
f76889e9c2
- update to new upstream release 1.9.8: - Skip tboot launch error index read/write when ignore prev err option is true - s3-fix: fix a stack overflow caused by enlarged tb_hash_t union - S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059 - S3-fix: Adding option save_vtd=true to opt-in the vtd table restore - rebased patches to match new upstream version
Matthias Gerstner2018-10-24 08:50:05 +00:00
561c9bb790
- update to new upstream release 1.9.8: - Skip tboot launch error index read/write when ignore prev err option is true - s3-fix: fix a stack overflow caused by enlarged tb_hash_t union - S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059 - S3-fix: Adding option save_vtd=true to opt-in the vtd table restore - rebased patches to match new upstream version
Matthias Gerstner2018-10-24 08:50:05 +00:00
44b06a9f83
Accepting request 635703 from security
Yuchen Lin2018-09-15 13:41:16 +00:00
3378b51b6f
Accepting request 635703 from security
Yuchen Lin2018-09-15 13:41:16 +00:00
455f7d802f
Accepting request 633980 from home:jengelh:branches:security
Matthias Gerstner2018-09-07 08:38:51 +00:00
91f89b44f6
Accepting request 633980 from home:jengelh:branches:security
Matthias Gerstner2018-09-07 08:38:51 +00:00
28959a1d8c
- package new upstream tarball for 1.9.7. It seems the tarball was replaced upstream without notice, because some version numbers have not been incremented.
Matthias Gerstner2018-09-03 10:12:42 +00:00
b3734cfe7a
- package new upstream tarball for 1.9.7. It seems the tarball was replaced upstream without notice, because some version numbers have not been incremented.
Matthias Gerstner2018-09-03 10:12:42 +00:00
Ana Guerrero
Matthias Gerstner
Dominique Leuenberger
Marcus Meissner
Richard Brown
Yuchen Lin