Accepting request 620450 from security

please handle together with sr#620445, sr#620444 - Trying to fix build on older distros that fail because of a missing or broken autoconf valgrind detection macro. Removing autoreconf to hopefully fix this. - add fix_dlopen.patch: fixes an issue with dlopen()'ing the tcti-device library from tpm2-0-tss. See https://github.com/tpm2-software/tpm2-abrmd/issues/486. - update to major version 2.0.0: - support_dbus_activation.diff: removed, is not contained upstream - the tpm2 stack introduces an incompatible ABI to the previous version with this update. There is no compatibility layer, libraries have new names etc. - upstream changelog: ## 2.0.0 - 2018-06-22 ### Added - Integration test script and build support to execute integration tests against a physical TPM2 device on the build platform. - Implementation of dynamic TCTI initialization mechanism. - configure option `--enable-integration` to enable integration tests. The simulator executable must be on PATH. - Support for version 2.0 of tpm2-tss libraries. ### Changed - 'max-transient-objects' command line option renamted to 'max-transients'. - Added -Wextra for more strict checks at compile time. - Install location of headers to $(includedir)/tss2. ### Fixed - Added missing checks for NULL parameters identified by the check-build. - Bug in session continuation logic. - Off by one error in HandleMap. OBS-URL: https://build.opensuse.org/request/show/620450 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tpm2.0-abrmd?expand=0&rev=6
2018-07-06 08:41:17 +00:00 · 2018-07-06 08:41:17 +00:00 · 1de8f4ed3b
commit 1de8f4ed3b
parent a6159bc70d 63a9433b38
6 changed files with 110 additions and 82 deletions
--- a/fix_dlopen.patch
+++ b/fix_dlopen.patch
@ -0,0 +1,13 @@
+Index: tpm2-abrmd-2.0.0/src/tcti-util.c
+===================================================================
+--- tpm2-abrmd-2.0.0.orig/src/tcti-util.c
+++ tpm2-abrmd-2.0.0/src/tcti-util.c
+@@ -53,7 +53,7 @@ tcti_util_discover_info (const char *fil
+     if (*tcti_dl_handle == NULL) {
+         size = snprintf (filename_xfrm,
+                          sizeof (filename_xfrm),
+-                         "libtss2-tcti-%s.so.0",
+                         "%s.0",
+                          filename);
+         if (size >= sizeof (filename_xfrm)) {
+             g_critical ("TCTI name truncated in transform.");
--- a/support_dbus_activation.diff
+++ b/support_dbus_activation.diff
@ -1,30 +0,0 @@
-Index: tpm2-abrmd-1.2.0/Makefile.am
-===================================================================
--- tpm2-abrmd-1.2.0.orig/Makefile.am
-+++ tpm2-abrmd-1.2.0/Makefile.am
-@@ -125,6 +125,7 @@ EXTRA_DIST = \
-     dist/tpm2-abrmd.preset \
-     dist/tpm2-abrmd.service.in \
-     dist/tpm-udev.rules \
-+    dist/com.intel.tss2.Tabrmd.service \
-     scripts/int-log-compiler.sh \
-     CHANGELOG.md \
-     CONTRIBUTING.md \
-@@ -152,6 +153,8 @@ dbuspolicy_DATA  = dist/tpm2-abrmd.conf
- udevrules_DATA   = dist/tpm-udev.rules
- if HAVE_SYSTEMD
- systemdsystemunit_DATA = dist/tpm2-abrmd.service
-+dbusservicedir = $(datadir)/dbus-1/system-services
-+dbusservice_DATA = dist/com.intel.tss2.Tabrmd.service
- endif # HAVE_SYSTEMD
- systemdpreset_DATA = dist/tpm2-abrmd.preset
- 
-Index: tpm2-abrmd-1.2.0/dist/com.intel.tss2.Tabrmd.service
-===================================================================
--- /dev/null
-+++ tpm2-abrmd-1.2.0/dist/com.intel.tss2.Tabrmd.service
-@@ -0,0 +1,4 @@
-+[D-BUS Service]
-+Name=com.intel.tss2.Tabrmd
-+Exec=/bin/false
-+SystemdService=tpm2-abrmd.service
--- a/tpm2-abrmd-1.2.0.tar.gz
+++ b/tpm2-abrmd-1.2.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e20d2796c3097f9eec8410cec6a99d1532769d1cc138d6d9331c8ee1f0d305a4
-size 537312
--- a/tpm2-abrmd-2.0.0.tar.gz
+++ b/tpm2-abrmd-2.0.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:adbb0a5410016e0ffa76dc968223720bfaa45266ef9cac65a76df5bd668e129f
+size 554820
--- a/tpm2.0-abrmd.changes
+++ b/tpm2.0-abrmd.changes
@ -1,3 +1,67 @@
+-------------------------------------------------------------------
+Tue Jul  3 09:15:27 UTC 2018 - matthias.gerstner@suse.com
+
+- Trying to fix build on older distros that fail because of a missing or
+  broken autoconf valgrind detection macro. Removing  autoreconf to hopefully
+  fix this.
+
+-------------------------------------------------------------------
+Mon Jul  2 09:27:43 UTC 2018 - matthias.gerstner@suse.com
+
+- add fix_dlopen.patch: fixes an issue with dlopen()'ing the tcti-device
+  library from tpm2-0-tss. See
+  https://github.com/tpm2-software/tpm2-abrmd/issues/486.
+
+-------------------------------------------------------------------
+Fri Jun 29 11:43:08 UTC 2018 - matthias.gerstner@suse.com
+
+- update to major version 2.0.0:
+  - support_dbus_activation.diff: removed, is not contained upstream
+  - the tpm2 stack introduces an incompatible ABI to the previous version with
+    this update. There is no compatibility layer, libraries have new names
+etc.
+  - upstream changelog:
+    ## 2.0.0 - 2018-06-22
+    ### Added
+    - Integration test script and build support to execute integration tests
+    against a physical TPM2 device on the build platform.
+    - Implementation of dynamic TCTI initialization mechanism.
+    - configure option `--enable-integration` to enable integration tests.
+    The simulator executable must be on PATH.
+    - Support for version 2.0 of tpm2-tss libraries.
+    ### Changed
+    - 'max-transient-objects' command line option renamted to 'max-transients'.
+    - Added -Wextra for more strict checks at compile time.
+    - Install location of headers to $(includedir)/tss2.
+    ### Fixed
+    - Added missing checks for NULL parameters identified by the check-build.
+    - Bug in session continuation logic.
+    - Off by one error in HandleMap.
+    - Memory leak and uninitialized variable issues in unit tests.
+    ### Removed
+    - Command line option --fail-on-loaded-trans.
+    - udev rules for TPM device node. This now lives in the tpm2-tss repo.
+    - Remove legacy TCTI initialization functions.
+    - configure option `--with-simulatorbin`.
+    
+    ## 1.3.1 - 2018-03-18
+    ### Fixed
+    - Distribute systemd preset template instead of the generated file.
+    
+    ## 1.3.0 - 2018-03-02
+    ### Added
+    - New configure option (--test-hwtpm) to run integration tests against a
+    physical TPM2 device on the build platform.
+    - Install systemd service file to allow on-demand systemd unit activation.
+    ### Changed
+    - Converted some inappropriate uses of g_error to critical / warning instead.
+    - Removed use of gen_require from SELinux policy, use dbus_stub instead.
+    - udev rules now give tss group read / write access to the TPM device node.
+    - udev rules now give tss user and group read / write access to kernel RM
+    node.
+    ### Fixed
+    - Memory leak on an error path in the AccessBroker.
+
 -------------------------------------------------------------------
 Thu Feb 22 11:34:51 UTC 2018 - matthias.gerstner@suse.com

--- a/tpm2.0-abrmd.spec
+++ b/tpm2.0-abrmd.spec
@ -17,13 +17,13 @@


 Name:           tpm2.0-abrmd
-Version:        1.2.0
+Version:        2.0.0
 Release:        0
 Summary:        Intel's TCG Software Stack Access Broker & Resource Manager for TPM 2.0 chips
 License:        BSD-2-Clause
 Group:          Productivity/Security
-Url:            https://github.com/01org/tpm2-abrmd
-Source0:        https://github.com/01org/tpm2-abrmd/releases/download/1.2.0/tpm2-abrmd-%{version}.tar.gz
+Url:            https://github.com/tpm2-software/tpm2-abrmd
+Source0:        https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.0.0/tpm2-abrmd-%{version}.tar.gz
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  gcc-c++
@ -32,10 +32,14 @@ BuildRequires:  pkg-config
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(dbus-1)
 BuildRequires:  pkgconfig(gio-unix-2.0)
-BuildRequires:  pkgconfig(sapi)
+BuildRequires:  pkgconfig(tss2-sys)
 Requires(pre):  pwdutils
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Patch1:         support_dbus_activation.diff
+Patch0:         fix_dlopen.patch
+# the auto activation is not whitelisted for <= SLE12-SP3
+%if 0%{?sle_version} > 120300 || 0%{?is_opensuse}
+%define install_dbus_files 1
+%endif

 %description
 The tpm2.0-abrmd package provides the TPM2 Access Broker & Resource Manager.
@ -46,35 +50,32 @@ Intel's TPM 2.0 software stack.
 Summary:        Development headers the Access Broker & Resource Manager for TPM 2.0 chips
 Group:          Development/Libraries/C and C++
 Requires:       glibc-devel
-Requires:       libtcti-tabrmd0 = %{version}
+Requires:       libtss2-tcti-tabrmd0 = %{version}
 Requires:       tpm2.0-abrmd = %{version}

 %description devel
 This package provides the development files for the Access Broker & Resource
 Manager for coordinating access to TPM 2.0 chips.

-%package -n libtcti-tabrmd0
+%package -n libtss2-tcti-tabrmd0
 Summary:        Client interface library for tpm2-abrmd
 Group:          System/Libraries

-%description -n libtcti-tabrmd0
+%description -n libtss2-tcti-tabrmd0
 This library allows to interact with the tpm2-abrmd daemon. It is intended for
-use with the SAPI library (libsapi) like any other TCTI.
+use with the SAPI library (libtss2-sys) like any other TCTI.

-%post -n libtcti-tabrmd0 -p /sbin/ldconfig
-%postun -n libtcti-tabrmd0 -p /sbin/ldconfig
+%post -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig

 %prep
 %setup -q -n tpm2-abrmd-%{version}
-# can't apply that at the moment, because a whitelisting in rpmlint is missing
-# for the given service name
-#%patch1 -p1
+%patch0 -p1

 %build
 export CFLAGS="%optflags -fPIE"
 export LDFLAGS="-pie -fPIE"
-autoreconf
-%configure --disable-static --with-udevrulesdir=%{_udevrulesdir} --with-systemdsystemunitdir=%{_unitdir}
+%configure --disable-static --with-systemdsystemunitdir=%{_unitdir}
 make %{?_smp_mflags} PTHREAD_LDFLAGS=-pthread

 # TODO: add the tss user again
@ -82,41 +83,20 @@ make %{?_smp_mflags} PTHREAD_LDFLAGS=-pthread
 %make_install
 # don't package libtool files as is best practice
 find %{buildroot} -type f -name "*.la" -delete -print
-# rename the rules file to have a numbered prefix as all others have, too
-%define udev_rule_file 90-tpm.rules
-mv %{buildroot}%{_udevrulesdir}/tpm-udev.rules %{buildroot}%{_udevrulesdir}/%{udev_rule_file}
 ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
 # don't install the systemd preset, our presets are handled by
 # systemd-presets-* packages
 rm %{buildroot}/usr/lib*/systemd/system-preset/tpm2-abrmd.preset
+%if ! 0%{?install_dbus_files}
+rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
+rm %{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%endif

 %pre
-# the same user is employed by trousers (and was employed by the old
-# resourcemgr shipped with the tpm2-0-tss package):
-#
-# trousers just needs those accounts for dropping privileges to. The service
-# starts as root and uses set*id to drop to tss, after the tpm device has been
-# opened.
-#
-# tpm2-abrmd has no set*id handling and thus requires /dev/tpm to be owned
-# by the tss user. Therefore we also need to install a udev rule file.
-#
-# trousers was here first and created the user like this, also giving it a
-# home in /var/lib/tpm. I don't think the home directory is used by any of
-# both packages ATM. Trousers is keeping state there, but the directory is
-# owned by root and files are opened before dropping privileges. The passwd
-# entry seems not to be evaluated.
-#
-# so I guess we can share the account between the two packages for now.
-%_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss
-%_bindir/getent passwd tss >/dev/null || \
-	%{_sbindir}/useradd -u 98 -o -g tss -s /bin/false -c "TSS daemon" \
-	-d %{_localstatedir}/lib/tpm tss
 %service_add_pre tpm2-abrmd.service

 %post
 %service_add_post tpm2-abrmd.service
-%_bindir/udevadm trigger -s tpm || :

 %postun
 %service_del_postun tpm2-abrmd.service
@ -127,25 +107,26 @@ rm %{buildroot}/usr/lib*/systemd/system-preset/tpm2-abrmd.preset
 %files
 %defattr(-,root,root)
 %doc *.md LICENSE
-%{_udevrulesdir}/%{udev_rule_file}
-%{_mandir}/man7/tcti-*
+%{_mandir}/man7/tss2-*
 %{_mandir}/man8/tpm2-*
 %{_sbindir}/tpm2-abrmd
 %{_sbindir}/rctpm2-abrmd
 %{_unitdir}/tpm2-abrmd.service
+%if 0%{?install_dbus_files}
+# the auto activation is not whitelisted for <= SLE12-SP3
 %config %{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
-# see patch1
-#%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%endif

 %files devel
 %defattr(-,root,root)
-%{_includedir}/tcti
+%{_includedir}/tss2
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/*.pc
-%{_mandir}/man3/tss2_*
+%{_mandir}/man3/Tss2*

-%files -n libtcti-tabrmd0
+%files -n libtss2-tcti-tabrmd0
 %defattr(-,root,root)
-%{_libdir}/libtcti-tabrmd.so.*
+%{_libdir}/libtss2-tcti-tabrmd.so.*

 %changelog