commit 431d7c228c28b6ace0b8ee3b5ac232c56a301f809c782c2cf74f6562e680d400 Author: Marcus Meissner Date: Thu Aug 3 08:13:01 2017 +0000 Accepting request 514156 from home:mgerstner:branches:security New package tpm2.0-abrmd containing a new implementation of Intel's tpm 2.0 resource manager. The old one is currently delivered by way of package tpm-2-0-tss. This submission is coupled with updates for tpm2-0-tss and tpm2.0-tools which I will submit right after. OBS-URL: https://build.opensuse.org/request/show/514156 OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-abrmd?expand=0&rev=1
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/tpm2-abrmd-1.1.0.tar.gz b/tpm2-abrmd-1.1.0.tar.gz
new file mode 100644
index 0000000..0f319c0
--- /dev/null
+++ b/tpm2-abrmd-1.1.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:06d7c3f4cdade756515cb130b7e67ebbcbc9c4a283601307908400b6ea9ce3a0
+size 151233
diff --git a/tpm2.0-abrmd.changes b/tpm2.0-abrmd.changes
new file mode 100644
index 0000000..ef5d7d9
--- /dev/null
+++ b/tpm2.0-abrmd.changes
@@ -0,0 +1,6 @@
+-------------------------------------------------------------------
+Thu Jul 20 13:04:41 UTC 2017 - matthias.gerstner@suse.com
+
+- first version of the new arbmd resource manager from Intel's tpm2 stack.
+ This will replace the old resourcemgr previously shipped with the
+ tpm2-0-tss package.
diff --git a/tpm2.0-abrmd.spec b/tpm2.0-abrmd.spec
new file mode 100644
index 0000000..3cff8fb
--- /dev/null
+++ b/tpm2.0-abrmd.spec
@@ -0,0 +1,143 @@
+#
+# spec file for package tpm2-0-tss
+#
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+Name: tpm2.0-abrmd
+Version: 1.1.0
+Release: 0
+Summary: Intel's TCG Software Stack Access Broker & Resource Manager for TPM 2.0 chips
+License: BSD-2-Clause
+Group: Productivity/Security
+Url: https://github.com/01org/tpm2-abrmd
+Source0: https://github.com/01org/tpm2-abrmd/archive/tpm2-abrmd-%{version}.tar.gz
+BuildRequires: autoconf-archive
+BuildRequires: automake
+BuildRequires: gcc-c++
+BuildRequires: libtool
+BuildRequires: pkg-config
+BuildRequires: pkgconfig(dbus-1)
+BuildRequires: pkgconfig(gio-unix-2.0)
+BuildRequires: pkgconfig(sapi)
+BuildRequires: systemd-rpm-macros
+Requires(pre): pwdutils
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+%description
+The tpm2.0-abrmd package provides the TPM2 Access Broker & Resource Manager.
+This is a daemon service that coordinates requests to the TPM2 chip via
+Intel's TPM 2.0 software stack.
+
+%package devel
+Summary: Development headers the Access Broker & Resource Manager for TPM 2.0 chips
+Group: Development/Libraries/C and C++
+Requires: tpm2.0-abrmd = %{version}
+Requires: glibc-devel
+Requires: libtcti-tabrmd0 = %{version}
+
+%description devel
+This package provides the development files for the Access Broker & Resource
+Manager for coordinating access to TPM 2.0 chips.
+
+%package -n libtcti-tabrmd0
+Summary: Client interface library for tpm2-abrmd
+Group: System/Libraries
+
+%description -n libtcti-tabrmd0
+This library allows to interact with the tpm2-abrmd daemon. It is intended for
+use with the SAPI library (libsapi) like any other TCTI.
+
+%post -n libtcti-tabrmd0 -p /sbin/ldconfig
+%postun -n libtcti-tabrmd0 -p /sbin/ldconfig
+
+%prep
+%setup -q -n tpm2-abrmd-%{version}
+# %%patch0 -p1
+
+%build
+bash bootstrap
+export CFLAGS="%optflags -fPIE"
+export LDFLAGS="-pie -fPIE"
+%configure --disable-static --with-udevrulesdir=%{_udevrulesdir} --with-systemdsystemunitdir=%{_unitdir}
+make %{?_smp_mflags} PTHREAD_LDFLAGS=-pthread
+
+# TODO: add the tss user again
+%install
+%make_install
+# don't package libtool files as is best practice
+find %{buildroot} -type f -name "*.la" -delete -print
+# rename the rules file to have a numbered prefix as all others have, too
+%define udev_rule_file 90-tpm.rules
+mv %{buildroot}%{_udevrulesdir}/tpm-udev.rules %{buildroot}%{_udevrulesdir}/%{udev_rule_file}
+ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
+
+%pre
+# the same user is employed by trousers (and was employed by the old
+# resourcemgr shipped with the tpm2-0-tss package):
+#
+# trousers just needs those accounts for dropping privileges to. The service
+# starts as root and uses set*id to drop to tss, after the tpm device has been
+# opened.
+#
+# tpm2-abrmd has no set*id handling and thus requires /dev/tpm to be owned
+# by the tss user. Therefore we also need to install a udev rule file.
+#
+# trousers was here first and created the user like this, also giving it a
+# home in /var/lib/tpm. I don't think the home directory is used by any of
+# both packages ATM. Trousers is keeping state there, but the directory is
+# owned by root and files are opened before dropping privileges. The passwd
+# entry seems not to be evaluated.
+#
+# so I guess we can share the account between the two packages for now.
+%_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss
+%_bindir/getent passwd tss >/dev/null || \
+ %{_sbindir}/useradd -u 98 -o -g tss -s /bin/false -c "TSS daemon" \
+ -d %{_localstatedir}/lib/tpm tss
+%service_add_pre tpm2-abrmd.service
+
+%post
+%service_add_post tpm2-abrmd.service
+
+%postun
+%service_del_postun tpm2-abrmd.service
+
+%preun
+%service_del_preun tpm2-abrmd.service
+
+%files
+%defattr(-,root,root)
+%doc *.md LICENSE
+%{_udevrulesdir}/%{udev_rule_file}
+%{_mandir}/man7/tcti-*
+%{_mandir}/man8/tpm2-*
+%{_sbindir}/tpm2-abrmd
+%{_sbindir}/rctpm2-abrmd
+%{_unitdir}/tpm2-abrmd.service
+%config %{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
+
+%files devel
+%defattr(-,root,root)
+%{_includedir}/tcti
+%{_libdir}/*.so
+%{_libdir}/*.so.0
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man3/tss2_*
+
+%files -n libtcti-tabrmd0
+%defattr(-,root,root)
+%{_libdir}/libtcti-tabrmd.so.0.0.0
+
+%changelog
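Review bot: The `useradd -u 98 -o` call in `%pre` permits a non-unique UID, so on a system where UID 98 already belongs to an unrelated account the new `tss` user silently shares that account's numeric identity. Going by the comment block above it, the udev rule shipped in this package makes the TPM device node owned by `tss`, which would give that unrelated account the same access to the TPM. Dropping `-o` makes useradd report the clash instead of aliasing the UID: `%{_sbindir}/useradd -u 98 -g tss -s /bin/false -c "TSS daemon" \`. The comment should also say explicitly that UID/GID 98 is pinned to match the account trousers creates, and the stale `# TODO: add the tss user again` before `%install` and the header line `# spec file for package tpm2-0-tss` should be brought in line with what this spec does.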