Accepting request 620450 from security

please handle together with sr#620445, sr#620444 - Trying to fix build on older distros that fail because of a missing or broken autoconf valgrind detection macro. Removing autoreconf to hopefully fix this. - add fix_dlopen.patch: fixes an issue with dlopen()'ing the tcti-device library from tpm2-0-tss. See https://github.com/tpm2-software/tpm2-abrmd/issues/486. - update to major version 2.0.0: - support_dbus_activation.diff: removed, is not contained upstream - the tpm2 stack introduces an incompatible ABI to the previous version with this update. There is no compatibility layer, libraries have new names etc. - upstream changelog: ## 2.0.0 - 2018-06-22 ### Added - Integration test script and build support to execute integration tests against a physical TPM2 device on the build platform. - Implementation of dynamic TCTI initialization mechanism. - configure option `--enable-integration` to enable integration tests. The simulator executable must be on PATH. - Support for version 2.0 of tpm2-tss libraries. ### Changed - 'max-transient-objects' command line option renamted to 'max-transients'. - Added -Wextra for more strict checks at compile time. - Install location of headers to $(includedir)/tss2. ### Fixed - Added missing checks for NULL parameters identified by the check-build. - Bug in session continuation logic. - Off by one error in HandleMap. OBS-URL: https://build.opensuse.org/request/show/620450 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tpm2.0-abrmd?expand=0&rev=6
2018-07-06 08:41:17 +00:00 · 2018-07-06 08:41:17 +00:00 · 1de8f4ed3b
commit 1de8f4ed3b
parent a6159bc70d 63a9433b38
6 changed files with 110 additions and 82 deletions
--- a/fix_dlopen.patch
+++ b/fix_dlopen.patch
@ -0,0 +1,13 @@
 Index: tpm2-abrmd-2.0.0/src/tcti-util.c
 ===================================================================
 --- tpm2-abrmd-2.0.0.orig/src/tcti-util.c
 +++ tpm2-abrmd-2.0.0/src/tcti-util.c
@@ -53,7 +53,7 @@ tcti_util_discover_info (const char *fil
     if (*tcti_dl_handle == NULL) {
         size = snprintf (filename_xfrm,
                          sizeof (filename_xfrm),
 -                         "libtss2-tcti-%s.so.0",
 +                         "%s.0",
                          filename);
         if (size >= sizeof (filename_xfrm)) {
             g_critical ("TCTI name truncated in transform.");
--- a/support_dbus_activation.diff
+++ b/support_dbus_activation.diff
@ -1,30 +0,0 @@
 Index: tpm2-abrmd-1.2.0/Makefile.am
 ===================================================================
 --- tpm2-abrmd-1.2.0.orig/Makefile.am
 +++ tpm2-abrmd-1.2.0/Makefile.am
@@ -125,6 +125,7 @@ EXTRA_DIST = \
     dist/tpm2-abrmd.preset \
     dist/tpm2-abrmd.service.in \
     dist/tpm-udev.rules \
 +    dist/com.intel.tss2.Tabrmd.service \
     scripts/int-log-compiler.sh \
     CHANGELOG.md \
     CONTRIBUTING.md \
@@ -152,6 +153,8 @@ dbuspolicy_DATA  = dist/tpm2-abrmd.conf
 udevrules_DATA   = dist/tpm-udev.rules
 if HAVE_SYSTEMD
 systemdsystemunit_DATA = dist/tpm2-abrmd.service
 +dbusservicedir = $(datadir)/dbus-1/system-services
 +dbusservice_DATA = dist/com.intel.tss2.Tabrmd.service
 endif # HAVE_SYSTEMD
 systemdpreset_DATA = dist/tpm2-abrmd.preset
 Index: tpm2-abrmd-1.2.0/dist/com.intel.tss2.Tabrmd.service
 ===================================================================
 --- /dev/null
 +++ tpm2-abrmd-1.2.0/dist/com.intel.tss2.Tabrmd.service
@@ -0,0 +1,4 @@
 +[D-BUS Service]
 +Name=com.intel.tss2.Tabrmd
 +Exec=/bin/false
 +SystemdService=tpm2-abrmd.service
--- a/tpm2-abrmd-1.2.0.tar.gz
+++ b/tpm2-abrmd-1.2.0.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:e20d2796c3097f9eec8410cec6a99d1532769d1cc138d6d9331c8ee1f0d305a4
 size 537312
--- a/tpm2-abrmd-2.0.0.tar.gz
+++ b/tpm2-abrmd-2.0.0.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:adbb0a5410016e0ffa76dc968223720bfaa45266ef9cac65a76df5bd668e129f
 size 554820
--- a/tpm2.0-abrmd.changes
+++ b/tpm2.0-abrmd.changes
@ -1,3 +1,67 @@
 -------------------------------------------------------------------
 Tue Jul  3 09:15:27 UTC 2018 - matthias.gerstner@suse.com
 - Trying to fix build on older distros that fail because of a missing or
  broken autoconf valgrind detection macro. Removing  autoreconf to hopefully
  fix this.
 -------------------------------------------------------------------
 Mon Jul  2 09:27:43 UTC 2018 - matthias.gerstner@suse.com
 - add fix_dlopen.patch: fixes an issue with dlopen()'ing the tcti-device
  library from tpm2-0-tss. See
  https://github.com/tpm2-software/tpm2-abrmd/issues/486.
 -------------------------------------------------------------------
 Fri Jun 29 11:43:08 UTC 2018 - matthias.gerstner@suse.com
 - update to major version 2.0.0:
  - support_dbus_activation.diff: removed, is not contained upstream
  - the tpm2 stack introduces an incompatible ABI to the previous version with
    this update. There is no compatibility layer, libraries have new names
 etc.
  - upstream changelog:
    ## 2.0.0 - 2018-06-22
    ### Added
    - Integration test script and build support to execute integration tests
    against a physical TPM2 device on the build platform.
    - Implementation of dynamic TCTI initialization mechanism.
    - configure option `--enable-integration` to enable integration tests.
    The simulator executable must be on PATH.
    - Support for version 2.0 of tpm2-tss libraries.
    ### Changed
    - 'max-transient-objects' command line option renamted to 'max-transients'.
    - Added -Wextra for more strict checks at compile time.
    - Install location of headers to $(includedir)/tss2.
    ### Fixed
    - Added missing checks for NULL parameters identified by the check-build.
    - Bug in session continuation logic.
    - Off by one error in HandleMap.
    - Memory leak and uninitialized variable issues in unit tests.
    ### Removed
    - Command line option --fail-on-loaded-trans.
    - udev rules for TPM device node. This now lives in the tpm2-tss repo.
    - Remove legacy TCTI initialization functions.
    - configure option `--with-simulatorbin`.
    ## 1.3.1 - 2018-03-18
    ### Fixed
    - Distribute systemd preset template instead of the generated file.
    ## 1.3.0 - 2018-03-02
    ### Added
    - New configure option (--test-hwtpm) to run integration tests against a
    physical TPM2 device on the build platform.
    - Install systemd service file to allow on-demand systemd unit activation.
    ### Changed
    - Converted some inappropriate uses of g_error to critical / warning instead.
    - Removed use of gen_require from SELinux policy, use dbus_stub instead.
    - udev rules now give tss group read / write access to the TPM device node.
    - udev rules now give tss user and group read / write access to kernel RM
    node.
    ### Fixed
    - Memory leak on an error path in the AccessBroker.
 -------------------------------------------------------------------
 Thu Feb 22 11:34:51 UTC 2018 - matthias.gerstner@suse.com
--- a/tpm2.0-abrmd.spec
+++ b/tpm2.0-abrmd.spec
@ -17,13 +17,13 @@
 Name:           tpm2.0-abrmd
-Version:        1.2.0
+Version:        2.0.0
 Release:        0
 Summary:        Intel's TCG Software Stack Access Broker & Resource Manager for TPM 2.0 chips
 License:        BSD-2-Clause
 Group:          Productivity/Security
-Url:            https://github.com/01org/tpm2-abrmd
+Url:            https://github.com/tpm2-software/tpm2-abrmd
-Source0:        https://github.com/01org/tpm2-abrmd/releases/download/1.2.0/tpm2-abrmd-%{version}.tar.gz
+Source0:        https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.0.0/tpm2-abrmd-%{version}.tar.gz
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  gcc-c++
@ -32,10 +32,14 @@ BuildRequires:  pkg-config
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(dbus-1)
 BuildRequires:  pkgconfig(gio-unix-2.0)
-BuildRequires:  pkgconfig(sapi)
+BuildRequires:  pkgconfig(tss2-sys)
 Requires(pre):  pwdutils
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Patch1:         support_dbus_activation.diff
+Patch0:         fix_dlopen.patch
 # the auto activation is not whitelisted for <= SLE12-SP3
 %if 0%{?sle_version} > 120300 || 0%{?is_opensuse}
 %define install_dbus_files 1
 %endif
 %description
 The tpm2.0-abrmd package provides the TPM2 Access Broker & Resource Manager.
@ -46,35 +50,32 @@ Intel's TPM 2.0 software stack.
 Summary:        Development headers the Access Broker & Resource Manager for TPM 2.0 chips
 Group:          Development/Libraries/C and C++
 Requires:       glibc-devel
-Requires:       libtcti-tabrmd0 = %{version}
+Requires:       libtss2-tcti-tabrmd0 = %{version}
 Requires:       tpm2.0-abrmd = %{version}
 %description devel
 This package provides the development files for the Access Broker & Resource
 Manager for coordinating access to TPM 2.0 chips.
-%package -n libtcti-tabrmd0
+%package -n libtss2-tcti-tabrmd0
 Summary:        Client interface library for tpm2-abrmd
 Group:          System/Libraries
-%description -n libtcti-tabrmd0
+%description -n libtss2-tcti-tabrmd0
 This library allows to interact with the tpm2-abrmd daemon. It is intended for
-use with the SAPI library (libsapi) like any other TCTI.
+use with the SAPI library (libtss2-sys) like any other TCTI.
-%post -n libtcti-tabrmd0 -p /sbin/ldconfig
+%post -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
-%postun -n libtcti-tabrmd0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
 %prep
 %setup -q -n tpm2-abrmd-%{version}
-# can't apply that at the moment, because a whitelisting in rpmlint is missing
+%patch0 -p1
 # for the given service name
 #%patch1 -p1
 %build
 export CFLAGS="%optflags -fPIE"
 export LDFLAGS="-pie -fPIE"
-autoreconf
+%configure --disable-static --with-systemdsystemunitdir=%{_unitdir}
 %configure --disable-static --with-udevrulesdir=%{_udevrulesdir} --with-systemdsystemunitdir=%{_unitdir}
 make %{?_smp_mflags} PTHREAD_LDFLAGS=-pthread
 # TODO: add the tss user again
@ -82,41 +83,20 @@ make %{?_smp_mflags} PTHREAD_LDFLAGS=-pthread
 %make_install
 # don't package libtool files as is best practice
 find %{buildroot} -type f -name "*.la" -delete -print
 # rename the rules file to have a numbered prefix as all others have, too
 %define udev_rule_file 90-tpm.rules
 mv %{buildroot}%{_udevrulesdir}/tpm-udev.rules %{buildroot}%{_udevrulesdir}/%{udev_rule_file}
 ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
 # don't install the systemd preset, our presets are handled by
 # systemd-presets-* packages
 rm %{buildroot}/usr/lib*/systemd/system-preset/tpm2-abrmd.preset
 %if ! 0%{?install_dbus_files}
 rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
 rm %{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
 %endif
 %pre
 # the same user is employed by trousers (and was employed by the old
 # resourcemgr shipped with the tpm2-0-tss package):
 #
 # trousers just needs those accounts for dropping privileges to. The service
 # starts as root and uses set*id to drop to tss, after the tpm device has been
 # opened.
 #
 # tpm2-abrmd has no set*id handling and thus requires /dev/tpm to be owned
 # by the tss user. Therefore we also need to install a udev rule file.
 #
 # trousers was here first and created the user like this, also giving it a
 # home in /var/lib/tpm. I don't think the home directory is used by any of
 # both packages ATM. Trousers is keeping state there, but the directory is
 # owned by root and files are opened before dropping privileges. The passwd
 # entry seems not to be evaluated.
 #
 # so I guess we can share the account between the two packages for now.
 %_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss
 %_bindir/getent passwd tss >/dev/null || \
 	%{_sbindir}/useradd -u 98 -o -g tss -s /bin/false -c "TSS daemon" \
 	-d %{_localstatedir}/lib/tpm tss
 %service_add_pre tpm2-abrmd.service
 %post
 %service_add_post tpm2-abrmd.service
 %_bindir/udevadm trigger -s tpm || :
 %postun
 %service_del_postun tpm2-abrmd.service
@ -127,25 +107,26 @@ rm %{buildroot}/usr/lib*/systemd/system-preset/tpm2-abrmd.preset
 %files
 %defattr(-,root,root)
 %doc *.md LICENSE
-%{_udevrulesdir}/%{udev_rule_file}
+%{_mandir}/man7/tss2-*
 %{_mandir}/man7/tcti-*
 %{_mandir}/man8/tpm2-*
 %{_sbindir}/tpm2-abrmd
 %{_sbindir}/rctpm2-abrmd
 %{_unitdir}/tpm2-abrmd.service
 %if 0%{?install_dbus_files}
 # the auto activation is not whitelisted for <= SLE12-SP3
 %config %{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
-# see patch1
+%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
-#%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%endif
 %files devel
 %defattr(-,root,root)
-%{_includedir}/tcti
+%{_includedir}/tss2
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/*.pc
-%{_mandir}/man3/tss2_*
+%{_mandir}/man3/Tss2*
-%files -n libtcti-tabrmd0
+%files -n libtss2-tcti-tabrmd0
 %defattr(-,root,root)
-%{_libdir}/libtcti-tabrmd.so.*
+%{_libdir}/libtss2-tcti-tabrmd.so.*
 %changelog