commit 7fa9a4afecb055914863e6060b606ed22e0341b868e83e2e5c2c96c3403c9e79
Author: Alberto Planas Dominguez <aplanas@suse.com>
Date:   Thu Aug 1 10:50:21 2024 +0000

    Accepting request 1190938 from home:jsegitz:branches:security
    
    - Update harden_tpm2-abrmd.service.patch to contain necessary SELinux
      changes (bsc#1209831)
    
    OBS-URL: https://build.opensuse.org/request/show/1190938
    OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-abrmd?expand=0&rev=76

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..c30e66b
--- /dev/null
+++ b/README.SUSE
@@ -0,0 +1,11 @@
+The tpm2-abrmd by upstream default allows every local users in the system to
+access the TPM chip and modify its settings (bsc#1197532). Upstream suggests
+to use the TPM's internal security features (e.g. password protection) to
+prevent local users from manipulating the chip without authorization. Still
+the default behaviour that every user in the system can access TPM features
+without any authentication could come as a surprise to end users and system
+integrators alike.
+
+For this reason on SUSE only members of the 'tss' group are allowed to access
+the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of
+the /dev/tpm0 and /dev/tpmrm0 character devices.
diff --git a/harden_tpm2-abrmd.service.patch b/harden_tpm2-abrmd.service.patch
new file mode 100644
index 0000000..a0cf1c5
--- /dev/null
+++ b/harden_tpm2-abrmd.service.patch
@@ -0,0 +1,35 @@
+Index: tpm2-abrmd-3.0.0/dist/tpm2-abrmd.service.in
+===================================================================
+--- tpm2-abrmd-3.0.0.orig/dist/tpm2-abrmd.service.in
++++ tpm2-abrmd-3.0.0/dist/tpm2-abrmd.service.in
+@@ -6,6 +6,17 @@ After=dev-tpm0.device
+ Requires=dev-tpm0.device
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=read-only
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=dbus
+ BusName=com.intel.tss2.Tabrmd
+ ExecStart=@SBINDIR@/tpm2-abrmd
+Index: tpm2-abrmd-3.0.0/selinux/tabrmd.te
+===================================================================
+--- tpm2-abrmd-3.0.0.orig/selinux/tabrmd.te
++++ tpm2-abrmd-3.0.0/selinux/tabrmd.te
+@@ -9,7 +9,7 @@ gen_tunable(`tabrmd_connect_all_unreserv
+ 
+ type tabrmd_t;
+ type tabrmd_exec_t;
+-init_daemon_domain(tabrmd_t, tabrmd_exec_t)
++init_nnp_daemon_domain(tabrmd_t, tabrmd_exec_t)
+ 
+ allow tabrmd_t self:unix_dgram_socket { create_socket_perms };
+ 
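Review bot: The switch to `init_nnp_daemon_domain` in selinux/tabrmd.te carries no explanation, and nothing in the unit section says why the two changes belong together. Presumably the added Protect*/RestrictRealtime directives make systemd imply NoNewPrivileges for this service (this happens when a service runs without CAP_SYS_ADMIN, e.g. under a `User=` setting, which would lie outside the visible context), so the transition into tabrmd_t needs the nnp variant. If that is the reason, state it in a short patch header and consider adding `NoNewPrivileges=true` to the `[Service]` block, so the unit and the policy cannot drift apart silently. The patch name still says only `.service` although it now also changes SELinux policy, and the `# end of automatic additions ` line ends in a trailing space.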
diff --git a/tpm2-abrmd-3.0.0.tar.gz b/tpm2-abrmd-3.0.0.tar.gz
new file mode 100644
index 0000000..846af5d
--- /dev/null
+++ b/tpm2-abrmd-3.0.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d59aff34164aa705b05155b86607f6b66918a433104f754a3fcf76216dd9f465
+size 576822
diff --git a/tpm2-abrmd-3.0.0.tar.gz.asc b/tpm2-abrmd-3.0.0.tar.gz.asc
new file mode 100644
index 0000000..03c75a2
--- /dev/null
+++ b/tpm2-abrmd-3.0.0.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=VUqS
+-----END PGP SIGNATURE-----
diff --git a/tpm2-abrmd.keyring b/tpm2-abrmd.keyring
new file mode 100644
index 0000000..0f0421b
--- /dev/null
+++ b/tpm2-abrmd.keyring
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFik3GUBEADYDYbSXH3UTr9oCNCI3UxC1hiLH7cM+QIbMtWiwfAbT3G8wrTa
+NPj00qNvI4wQ/Xm3h0hB7kri7vP0FqIjIwsTdM6ZpFdVHHKW1m4P8fkOcxqmLN0g
+V36MN5fgoGWf2K94aS7ItoweRMcuHnwWawe6aAtbKSYVqhWhoB/3grgd0xhE61AS
+o8fJ7uRYNEAYVeOKlC2j+qKfoJbCa6yqZejFwOOzB6qxNRA7JYvckEf8yJ4+Y16m
+qPyZ1ErHzpql3+b5ha+g+9g8WzxAbSfGYZTwaQxyePNjXuq2tdEXf9XnESvoaoN4
+pQhiu/0BJEkXPxl1zso65g4Mn22xEELhUnwPDo5YdLlWEZ8xhELLvdJc3Z0nTR5A
+4/YaZvvzf7pOD1cwpB6IrRf8n9rOe1aDxh/A//zX9PpIOV25p5kqlE88Ya5VXrnA
+Ayfs19RZmK3+FuaI0ij79CRokG9BrI6TXT0pRTDIRu7GvAo2q13MELRvFddyRT2G
+mNjsHYcqEbraYTh3LHEiwfWp4ZgDtk8jj3iRabHQUHk9V8vSFzj+wp1E8HzO8Vp3
+BxMDIOG1VPdLi81DP+LbZI1h30ZG63ulqkKIhwx5/h2v4VCYPatVtGqVf37tLstj
+Wrs0DkBykuZrecp+AJ5ZJ+UVvR8ajO2ncAoOugNwoj9Wuvz0fVTiJIhuNQARAQAB
+tDxXaWxsaWFtIFJvYmVydHMgKEJpbGwgUm9iZXJ0cykgPHdpbGxpYW0uYy5yb2Jl
+cnRzQGludGVsLmNvbT6JAjgEEwECACIFAlik3GUCGwMGCwkIBwMCBhUIAgkKCwQW
+AgMBAh4BAheAAAoJEG3i6QeOH1DBibEQAL4EwEzegkc8NyHiW0mntwDoCv3tkUlG
+fprp/g7GWfrP+L+pN5yexg3Zm/CgVN/tTNCEr5XtP+sdds8xBF6ReJ8QPO7EiMiM
+asPXh8zlODrySXCGHmpa7IzuUC2wgD3Wq7WjniMvnBmqBdL0+8nqA6NFxOOklvK1
+ub7bqLrHKfUfciFOfYAi+C0Bh8kdZtMjfY9sqlJA3sVK2UxVXq9D+oHbL1o454N6
+VzV0rDtsK47GSSCXT75kulPdfOCopTgxPgNsK4VnXgMOL5JMURPJa3rBzmBRFed1
+ynrqwFdmYdMepsUgt/JS2I/23QChqp6AdVDjtGLKS71hox+vdE4S0DoRnMHwHkkt
+B6bqQci3RlUP+wcHHRCUXUubxMSlYJqhBdEOclo6N0X0LseLcdAMGda8ZnqbHlyg
+hPLmJrM3C5zTLjDb2YJXCy6RVNwqAnU3o33SZCnHqo/zUjEtR03Ztk1DzSeCjo5w
+zLac1VFq5S3QdgZUwmPhyeoigqOvHu6Z1s2eL8Aw7Hn8i6MWLz5sOXAtyC9NPwK/
+qbp1a+GQXzNW4rvKl7ZEFKrBKyj8AiRoVLSRKcqZtFT56ltXQjrwKjsWDTEOzjnm
+XCSM96xfay6asQH5fw+haC3RIErwyNV0uUDIVC0xDTZ6NgJEBkp8liwNeHE7eHoN
+8qWSZZO2syf7uQINBFik3GUBEAC7V2o1kBsLFSKwmgsCuGfW0oBIQiaCcakT6D2X
+rKBjmzBvh/UIdXQwl9+vPKtWX3T/7g6UBvezV3uc2ZqrigGmFemoQI3sW7wFk0L9
+/QTUWCMfZtyrWgqyetmPYS+i2PnsEPinsgsEHWf3iu/ew1A7npZwINwMdOSOVw2u
+JqYyW2tZCErWKVe31ziYUpXA+HaRm9zoVr0F0sE2GYGWbMVYtqxN9TSYcIAHxB71
+Y31dcY77ln/1JAH4Yzqc063w/lNYogEbbQY7WNgcKdPP+aovpV7kS3TKwsdb9/xT
+pj67nnlvjLTMRoW3Ez0PcIDFhuube9uOQupYG4rC4grLeVLwL/ekVmn6TxRN1hG7
+6zYXWiwWi16uAO++eBNt127FwCOVZsPO0ye3/XpOpCdpUadguxF2gGt6xY0gtetj
+Vdv6S4kCdSx8NMrO2epS/1pgklxN9R/xl7Wu+JPUuVX4Jy0ycmw7TCWxdK2fuFy6
+6aLCXWWEjRSp06oeVJoVV2py+rYaoau7JG7Zgx1A3gYTm6MLFysfROaQgmfRozIH
+0boYh3IA1WWzk4I6ew129ynC5zGXg/+UCnKKwn8Tsh9neq9noRDAonWI7jOCipwF
+l51py82093M87zjz9o/qxnB8p00jByQ+MunUykaZrkQKHAsiyIF6cUIeQiy/AL7n
+wwSPQQARAQABiQIfBBgBAgAJBQJYpNxlAhsMAAoJEG3i6QeOH1DBtO8P/1D98sl3
+oz/0oSSz0u9nzgOh93UkLbXpjSR4U+g7Wl2ppxQyGSFeWwRwT5BT74EVP2IcrraX
+V9c7l+s8PYqnUdX2XAqGMv06523cCrNUU93kUUNjAo3FxGSn7i2kHIvMkDbUoeVk
+jyWKfIvyy2sKcVB9GQxfMrbnTR5/Z6fCyGHNqMFb9e9TUWclLzMIhvtkvLuKmf52
+TKKxKQt/wero5zb0fynOttIjuhmOP9CFTiYjdj7qSmQapW8VFdYjyzL+OOFk9gCL
+S3mIk1LdkfWah7trmMUTXdmiEibvARAQ3Yjr+Hz9yU1gzEJSPUUugNguqgS5kN+T
+3TdwUHAP9whVD2IvN/Mfn29bmFFVfzu3ftJIa1zJmOdZy7KWb6MWVhw3SJ65luPB
+qxKWRqFDOSpqzBm6bYQ/Oka49Jl7/dCImSm+7bCC7LDK9hXa3AIlDtWvG4iiL18T
+wUOrgXPysB/D/NQaRxT/vSPUOB4WrQzIKIf4vJdyuPdtOtIWm97KUw8r/jDqd4I3
+B62qknrrR+FPcz8ACM9fXkpbBEcjFV8EkoOae106Vxjo/lu5LVBbwiKviMMwoK5o
+YE7FfCwLBbLTYMeetHo8jGBRonTEOKMtPlp/fCMOp9w7CgMDuvfEwuTsA1ux4uAb
+tZZIbipcKcZmsU7Su4+oeyh61giG++M5rL2D
+=xdFJ
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/tpm2.0-abrmd.changes b/tpm2.0-abrmd.changes
new file mode 100644
index 0000000..32923e2
--- /dev/null
+++ b/tpm2.0-abrmd.changes
@@ -0,0 +1,346 @@
+-------------------------------------------------------------------
+Thu Aug  1 09:39:15 UTC 2024 - Johannes Segitz <jsegitz@suse.com>
+
+- Update harden_tpm2-abrmd.service.patch to contain necessary SELinux
+  changes (bsc#1209831)
+
+-------------------------------------------------------------------
+Tue May 23 12:31:21 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Cover ALP via the %{suse_version} macro
+
+-------------------------------------------------------------------
+Thu Dec  8 15:07:28 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Version 3.0.0
+  + Fixed
+    * A bug in special command processing in TPM2_GetCapability when
+      an audit session is in use cuased tpm2-abrmd to abort.
+  + Added
+    * New SELinux interfaces for communication with keylime
+  + Changed
+    * DBUS permissions in tpm2-abrmd.conf to match the in-kernel RM,
+      ie /dev/tpmrm0, permissions. Now users MUST be in the tss group
+      to send to tpm2-abrmd over DBUS.
+- Drop dbus-access.patch (merged in PR#805)
+
+-------------------------------------------------------------------
+Fri Jul  8 08:43:16 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Version 2.4.1
+  + Added
+    Contributor Covenant Code of Conduct.
+  + Fixed
+    * superflous warning messages about tcti status.
+        WARNING **: 11:00:56.205: tcti_conf before: "(null)"
+        WARNING **: 11:00:56.205: tcti_conf after: "mssim"
+    * GCC 11 build error: error: argument 2 of __atomic_load’ discards
+      'volatile' qualifier
+    * Initialize gerror pointer variable to NULL to fix use of
+      unitialized memory and segfault.
+    * Updated missing defaults in manpage.
+    * Port CI to composite actions in tpm2-software/ci.
+  + Removed
+    Dependency on 'which' utility in configure.ac.
+    ubuntu-16.04 from CI.
+
+-------------------------------------------------------------------
+Mon Apr  4 10:45:24 UTC 2022 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- dbus-access.patch: restrict D-Bus access to tpm2-abrmd to members of the tss
+  group (bsc#1197532). This prevents arbitrary users from meddling with TPM
+  state and thus potential denial-of-service vectors.
+
+-------------------------------------------------------------------
+Wed Dec  8 16:50:13 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Version 2.4.0
+  + remover syslog deprecation warning (bsc#1185154)
+  + cover update to 2.3.3 (jsc#SLE-17366)
+  + contains reload fix (bsc#1166936)
+  + fix tcti loading using short / long names (bsc#1159176)
+
+-------------------------------------------------------------------
+Mon Nov 29 12:54:02 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Warp selinux into a bcond
+
+-------------------------------------------------------------------
+Thu Nov 25 09:16:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_tpm2-abrmd.service.patch
+
+-------------------------------------------------------------------
+Sat Jul 17 21:04:13 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
+
+- Move selinux devel file to devel subpackage
+
+-------------------------------------------------------------------
+Wed Jul 14 13:41:59 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
+
+- Update to version 2.4.0:
+  - Service start depends on systemd device unit: dev-tpm0.device.
+  - Numerous memory leaks.
+  - udev settle service deprecation warnings.
+  - StandardOutput=syslog deprecation warnings.
+- Add selinux module files
+- Move dbus files out of /etc
+
+-------------------------------------------------------------------
+Wed Jun  9 09:37:38 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Requires libtss2-tcti-{device0,tabrmd0} (bsc#1187077).
+  In MicroOS systems the recommendations are not installed, making the
+  service fail to initialize: Failed to instantiate TCTI
+
+-------------------------------------------------------------------
+Thu Oct 22 12:15:24 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- update to version 2.3.3:
+  - changes in version 2.3.1:
+    - Fixed handle resource leak exhausting TPM resources.
+  - changes in version 2.3.2:
+    - Added cirrus CI specific config files to enable FreeBSD builds.
+    - Changed test scripts to be more portable.
+    - Changed include header paths specific to FreeBSD.
+  - changes in version 2.3.1:
+    - Provide meaningful exit codes on initialization failures.
+    - Prevent systemd from starting the daemon before udev changes ownership
+      of the TPM device node.
+    - Prevent systemd from starting the daemon if there is no TPM device node.
+    - Prevent systemd from restarting the daemon if it fails.
+    - Add SELinux policy to allow daemon to resolve names.
+    - Add SELinux policy boolean (disabled by default) to allow daemon to
+      connect to all unreserved ports.
+
+-------------------------------------------------------------------
+Wed Dec 11 11:55:13 UTC 2019 - matthias.gerstner@suse.com
+
+- update to version 2.3.0:
+  - changes in version 2.3.0:
+    - Add '--enable-debug' flag to configure script to simplify debug builds.
+      This relies on the AX_CHECK_ENABLE_DEBUG autoconf archive macro.
+    - Replaced custom dynamic TCTI loading code with libtss2-tctildr from
+      upstream tpm2-tss repo. (requires tpm2-0-tss version 2.3.0)
+    - Explicitly set '-O2' optimization when using FORTIFY_SOURCE as required.
+  - changes in version 2.2.0:
+    - New configuration option `--disable-defaultflags/ added. This is
+      for use for packaging for targets that do not support the default
+      compilation / linking flags.
+    - Use private dependencies properly in pkg-config metadata for TCTI.
+    - Refactor daemon main module to enable better handling of error
+      conditions and enable more thorough unit testing.
+    - Updated dependencies to ensure compatibility with pkg-config fixes
+      in tpm2-tss.
+    - Fixed bug causing TCTI to block when used by libtss2-sys built with
+      partial reads enabled.
+    - Removed unnecessary libs / flags for pthreads in the TCTI pkg-config.
+    - Output from configure script now accurately describes the state of the
+      flags that govern the integration tests.
+- drop fix_dlopen.patch: no longer necessary since abrmd not uses the tctildr
+  shared library. This one hopefully now does the right thing.
+
+-------------------------------------------------------------------
+Mon Aug 26 06:49:37 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
+
+- update to version 2.1.1:
+  - changes in version 2.1.1:
+    - Unit tests accessing dbus have been fixed to use mock functions. Unit
+    tests no longer depend on dbus.
+    - Race condition between client connections and dbus proxy object
+    creation by registering bus name after instantiation of the proxy object.
+
+-------------------------------------------------------------------
+Fri Apr 26 10:35:51 UTC 2019 - mvetter@suse.com
+
+- bsc#1130588: Require shadow instead of old pwdutils
+
+-------------------------------------------------------------------
+Wed Mar  6 10:36:46 UTC 2019 - matthias.gerstner@suse.com
+
+- update to version 2.1.0:
+  - changes in version 2.1.0:
+    - `-Wstrict-overflow=5` now used in default CFLAGS.
+    - Handling of `TPM2_RC_CONTEXT_GAP` on behalf of users.
+    - Convert `TPM2_PT_CONTEXT_GAP_MAX` response from lower layer to
+      `UINT32_MAX`
+    - travis-ci now uses 'xenial' builder
+    - Significant refactoring of TCTI handling code.
+    - `--install` added to ACLOCAL_AMFLAGS to install aclocal required macros
+      instead of using the default symlinks
+    - Launch `dbus-run-session` in the automake test environment to
+      automagically set up a dbus session bus instance when one isn't present.
+    - Bug caused by unloading of `libtss2-tcti-tabrmd.so` on dlclose. GLib
+    does not support reloading a second time.
+    - Bug causing `-fstack-protector-all` to be used on systems with core
+      libraries (i.e. libc) that do not support it. This caused failures at
+      link-time.
+    - Unnecessary symbols from libtest utility library no longer included in
+      TCTI library.
+  - changes  in version 2.0.3:
+    - Update build to account for upstream change to glib '.pc' files
+      described in: https://gitlab.gnome.org/GNOME/glib/issues/1521
+- added _service file for syncing with upstream tags
+
+-------------------------------------------------------------------
+Thu Oct 25 09:00:40 UTC 2018 - matthias.gerstner@suse.com
+
+- add a Requires towards tpm2-0-tss, because that main package holds the udev
+  rules and logic for setting up the tss user. Without this the daemon can't
+  start up correctly.
+
+-------------------------------------------------------------------
+Tue Oct 23 15:46:28 UTC 2018 - matthias.gerstner@suse.com
+
+- fix broken build due to newer glib dependency that reports a full path for
+  gdbus-codegen, breaking the configure check.
+
+-------------------------------------------------------------------
+Wed Sep 26 15:51:01 UTC 2018 - matthias.gerstner@suse.com
+
+- update to version 2.0.2 (FATE#326270):
+  - --enable-integration option to configure script now works as documented.
+  - Format specifier with wrong size in util module.
+  - Initialize TCTI context to 0 before setting values. This will cause all
+    members that aren't explicitly initialized by be 0.
+
+-------------------------------------------------------------------
+Tue Sep 18 09:05:24 UTC 2018 - matthias.gerstner@suse.com
+
+- add recommends to the tcti-device and tcti-abrmd. Otherwise they're not
+  installed right away, rendering the abrmd quite unusable.
+
+-------------------------------------------------------------------
+Fri Aug 10 10:02:21 UTC 2018 - matthias.gerstner@suse.com
+
+- Update to version 2.0.1:
+  * SessionList: Fix Connection object reference leak.
+  * source/sink: Organize ControlMessage processing.
+  * CommandSource: Replace 'connection-removed' signal with ControlMessage.
+  * SessionList: Remove all locking.
+  * ConnectionManager: Remove 'connection-removed' signal.
+  * ci: Build 'check' target when CC is gcc.
+  * build: Fix bad URLs in configure script.
+  * CHANGELOG.md: Add version number and date for 2.0.1 release.
+  * Replace references to drand48_r family of functions for portability
+  * Fix for type-punned pointer reported in newer compilers that enforce strict aliasing
+
+-------------------------------------------------------------------
+Tue Jul  3 09:15:27 UTC 2018 - matthias.gerstner@suse.com
+
+- Trying to fix build on older distros that fail because of a missing or
+  broken autoconf valgrind detection macro. Removing  autoreconf to hopefully
+  fix this.
+
+-------------------------------------------------------------------
+Mon Jul  2 09:27:43 UTC 2018 - matthias.gerstner@suse.com
+
+- add fix_dlopen.patch: fixes an issue with dlopen()'ing the tcti-device
+  library from tpm2-0-tss. See
+  https://github.com/tpm2-software/tpm2-abrmd/issues/486.
+
+-------------------------------------------------------------------
+Fri Jun 29 11:43:08 UTC 2018 - matthias.gerstner@suse.com
+
+- update to major version 2.0.0:
+  - support_dbus_activation.diff: removed, is not contained upstream
+  - the tpm2 stack introduces an incompatible ABI to the previous version with
+    this update. There is no compatibility layer, libraries have new names
+etc.
+  - upstream changelog:
+    ## 2.0.0 - 2018-06-22
+    ### Added
+    - Integration test script and build support to execute integration tests
+    against a physical TPM2 device on the build platform.
+    - Implementation of dynamic TCTI initialization mechanism.
+    - configure option `--enable-integration` to enable integration tests.
+    The simulator executable must be on PATH.
+    - Support for version 2.0 of tpm2-tss libraries.
+    ### Changed
+    - 'max-transient-objects' command line option renamted to 'max-transients'.
+    - Added -Wextra for more strict checks at compile time.
+    - Install location of headers to $(includedir)/tss2.
+    ### Fixed
+    - Added missing checks for NULL parameters identified by the check-build.
+    - Bug in session continuation logic.
+    - Off by one error in HandleMap.
+    - Memory leak and uninitialized variable issues in unit tests.
+    ### Removed
+    - Command line option --fail-on-loaded-trans.
+    - udev rules for TPM device node. This now lives in the tpm2-tss repo.
+    - Remove legacy TCTI initialization functions.
+    - configure option `--with-simulatorbin`.
+    
+    ## 1.3.1 - 2018-03-18
+    ### Fixed
+    - Distribute systemd preset template instead of the generated file.
+    
+    ## 1.3.0 - 2018-03-02
+    ### Added
+    - New configure option (--test-hwtpm) to run integration tests against a
+    physical TPM2 device on the build platform.
+    - Install systemd service file to allow on-demand systemd unit activation.
+    ### Changed
+    - Converted some inappropriate uses of g_error to critical / warning instead.
+    - Removed use of gen_require from SELinux policy, use dbus_stub instead.
+    - udev rules now give tss group read / write access to the TPM device node.
+    - udev rules now give tss user and group read / write access to kernel RM
+    node.
+    ### Fixed
+    - Memory leak on an error path in the AccessBroker.
+
+-------------------------------------------------------------------
+Thu Feb 22 11:34:51 UTC 2018 - matthias.gerstner@suse.com
+
+- update to upstream version 1.2.0:
+  - Limit maximum number of active sessions per connection with '--max-sessions'.
+  - Flush all transient objects and sessions on daemon start with '--flush-all'.
+  - Allow passing of sessions across connections with ContextSave / Load.
+  - Unref the GUnixFDList returned by GIO / dbus in the TCTI init function.
+    This fixes a memory leak in the TCTI library.
+- correctly trigger udev to update /dev/tpm* permissions after package
+  installation. (bnc#1078687)
+- prepared support_dbus_activation.diff patch which adds D-Bus activation, but
+  can't use it yet due to rpmlint
+
+-------------------------------------------------------------------
+Wed Nov 15 11:43:19 UTC 2017 - matthias.gerstner@suse.com
+
+- fix_service_paths.diff: fixed broken systemd service unit (bnc#1066123). the
+  service unit file in the upstream distribution tarball is already configured
+  and looks for binaries and configuration files in the /usr/local prefix
+  which is wrong.
+
+-------------------------------------------------------------------
+Fri Sep  1 14:37:48 UTC 2017 - matthias.gerstner@suse.com
+
+- package version symlink correctly, belongs into the lib package itself, not
+  the -devel.
+
+-------------------------------------------------------------------
+Wed Aug 30 08:29:07 UTC 2017 - matthias.gerstner@suse.com
+
+- update to upstream version 1.1.1 which fixes some local denial-of-service
+  security issues among other things:
+
+  - Replace use of sigaction with g_unix_signal_* stuff from glib.
+  - Rewrite of INSTALL.md including info on custom configure script options.
+  - Default value for --with-simulatorbin configure option has been removed.
+  New default behavior is to disable integration tests.
+  - CommandSource will no longer reject commands without parameters.
+  - Unit tests updated to use cmocka v1.0.0 API.
+  - Integration tests now run daemon under valgrind memcheck and fail when
+  errors are found.
+  - CommandSource now tracks max FD in set of client FDs to prevent unnecessary
+  iterations over FD_SETSIZE fds.
+
+- no longer call bootstrap and switch to the release upstream tarball which
+  has now been fixed to contain all necessary files
+
+-------------------------------------------------------------------
+Thu Jul 20 13:04:41 UTC 2017 - matthias.gerstner@suse.com
+
+- first version of the new arbmd resource manager from Intel's tpm2 stack.
+  This will replace the old resourcemgr previously shipped with the
+  tpm2-0-tss package.
diff --git a/tpm2.0-abrmd.rpmlintrc b/tpm2.0-abrmd.rpmlintrc
new file mode 100644
index 0000000..7c3fc28
--- /dev/null
+++ b/tpm2.0-abrmd.rpmlintrc
@@ -0,0 +1 @@
+addFilter("shared-lib-calls-exit */usr/lib64/libtss2-tcti-tabrmd.so*")
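Review bot: The filter suppresses `shared-lib-calls-exit` for the client TCTI library without saying why the exit() call is acceptable; a one-line comment such as `# reviewed: <reason placeholder>, see <bug reference placeholder>` would make the suppression auditable. The pattern also hard-codes `/usr/lib64`, so it would not match on targets where `%{_libdir}` is `/usr/lib`. As far as I know rpmlint treats the string as a regular expression, so `addFilter("shared-lib-calls-exit .*/usr/lib(64)?/libtss2-tcti-tabrmd\.so")` would be closer to the intent.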
diff --git a/tpm2.0-abrmd.spec b/tpm2.0-abrmd.spec
new file mode 100644
index 0000000..8e07b0b
--- /dev/null
+++ b/tpm2.0-abrmd.spec
@@ -0,0 +1,198 @@
+#
+# spec file for package tpm2.0-abrmd
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global selinuxtype targeted
+%global modulename tabrmd
+# the auto activation is not whitelisted for <= SLE12-SP3 (includes
+# ALP in the with %{suse_version}
+%if 0%{?sle_version} > 120300 || 0%{?is_opensuse} || 0%{?suse_version} >= 1600
+%define install_dbus_files 1
+%endif
+# selinux only for Tumbleweed for now
+%if 0%{?suse_version} >= 1550 && 0%{?is_opensuse}
+%bcond_without selinux
+%else
+%bcond_with selinux
+%endif
+Name:           tpm2.0-abrmd
+Version:        3.0.0
+Release:        0
+Summary:        Intel's TCG Software Stack Access Broker & Resource Manager for TPM 2.0 chips
+License:        BSD-2-Clause
+Group:          Productivity/Security
+URL:            https://github.com/tpm2-software/tpm2-abrmd
+Source0:        https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
+Source1:        https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz.asc
+# curl https://github.com/williamcroberts.gpg > tpm2-abrmd.keyring
+Source2:        tpm2-abrmd.keyring
+Source3:        tpm2.0-abrmd.rpmlintrc
+Source4:        README.SUSE
+Patch0:         harden_tpm2-abrmd.service.patch
+BuildRequires:  autoconf-archive
+BuildRequires:  automake
+BuildRequires:  checkpolicy
+BuildRequires:  gcc-c++
+BuildRequires:  libtool
+BuildRequires:  pkgconfig
+BuildRequires:  policycoreutils
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  pkgconfig(dbus-1)
+BuildRequires:  pkgconfig(gio-unix-2.0)
+BuildRequires:  pkgconfig(tss2-sys)
+Requires:       libtss2-tcti-device0
+Requires:       libtss2-tcti-tabrmd0
+Requires:       tpm2-0-tss
+Requires(pre):  user(tss)
+%if %{with selinux}
+BuildRequires:  selinux-policy-devel
+BuildRequires:  selinux-policy-targeted
+BuildRequires:  pkgconfig(systemd)
+Requires:       (%{name}-selinux if selinux-policy-base)
+%endif
+
+%description
+The tpm2.0-abrmd package provides the TPM2 Access Broker & Resource Manager.
+This is a daemon service that coordinates requests to the TPM2 chip via
+Intel's TPM 2.0 software stack.
+
+%package devel
+Summary:        Development headers the Access Broker & Resource Manager for TPM 2.0 chips
+Group:          Development/Libraries/C and C++
+Requires:       glibc-devel
+Requires:       libtss2-tcti-tabrmd0 = %{version}
+Requires:       tpm2.0-abrmd = %{version}
+
+%description devel
+This package provides the development files for the Access Broker & Resource
+Manager for coordinating access to TPM 2.0 chips.
+
+%if %{with selinux}
+%package selinux
+Summary:        SELinux module for the Access Broker & Resource Manager for TPM 2.0 chips
+Group:          System/Management
+Requires:       tpm2.0-abrmd = %{version}
+BuildArch:      noarch
+%{selinux_requires}
+
+%description selinux
+This package provides the SELinux module for the Access Broker & Resource Manager for TPM 2.0 chips.
+%endif
+
+%package -n libtss2-tcti-tabrmd0
+Summary:        Client interface library for tpm2-abrmd
+Group:          System/Libraries
+
+%description -n libtss2-tcti-tabrmd0
+This library allows to interact with the tpm2-abrmd daemon. It is intended for
+use with the SAPI library (libtss2-sys) like any other TCTI.
+
+%post -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
+
+%prep
+%autosetup -n tpm2-abrmd-%{version} -p1
+
+%build
+export CFLAGS="%{optflags} -fPIE"
+export LDFLAGS="$LDFLAGS -pie"
+%configure \
+    --disable-static \
+    %{?with_selinux: --with-sepolicy=yes} \
+    --with-systemdsystemunitdir=%{_unitdir} \
+    --with-dbuspolicydir=%{_datadir}/dbus-1/system.d
+%make_build PTHREAD_LDFLAGS=-pthread
+
+%install
+%make_install
+# don't package libtool files as is best practice
+find %{buildroot} -type f -name "*.la" -delete -print
+ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
+# don't install the systemd preset, our presets are handled by
+# systemd-presets-* packages
+rm %{buildroot}%{_prefix}/lib*/systemd/system-preset/tpm2-abrmd.preset
+cp %{SOURCE4} .
+%if ! 0%{?install_dbus_files}
+rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
+rm %{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%endif
+%if %{with selinux}
+mkdir %{buildroot}%{_datadir}/selinux/packages/targeted
+mv %{buildroot}%{_datadir}/selinux/packages/tab* %{buildroot}%{_datadir}/selinux/packages/targeted
+%endif
+
+%pre
+%service_add_pre tpm2-abrmd.service
+
+%post
+%service_add_post tpm2-abrmd.service
+
+%postun
+%service_del_postun tpm2-abrmd.service
+
+%preun
+%service_del_preun tpm2-abrmd.service
+
+%if %{with selinux}
+%pre selinux
+%{selinux_relabel_pre -s %{selinuxtype}}
+
+%post selinux
+%{selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename}.pp.bz2}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %{selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename}}
+fi
+
+%posttrans selinux
+%{selinux_relabel_post -s %{selinuxtype}}
+%endif
+
+%files
+%doc *.md README.SUSE
+%license LICENSE
+%{_mandir}/man7/tss2-*
+%{_mandir}/man8/tpm2-*
+%{_sbindir}/tpm2-abrmd
+%{_sbindir}/rctpm2-abrmd
+%{_unitdir}/tpm2-abrmd.service
+%if 0%{?install_dbus_files}
+# the auto activation is not whitelisted for <= SLE12-SP3
+%{_datadir}/dbus-1/system.d/tpm2-abrmd.conf
+%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
+%endif
+
+%if %{with selinux}
+%files selinux
+%{_datadir}/selinux/packages/targeted/tabrmd.pp.bz2
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
+%files devel
+%{_includedir}/tss2
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man3/Tss2*
+%if %{with selinux}
+%{_datadir}/selinux/devel/include/contrib/tabrmd.if
+%endif
+
+%files -n libtss2-tcti-tabrmd0
+%{_libdir}/libtss2-tcti-tabrmd.so.*
+
+%changelog
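Review bot: In `%install`, the `%if ! 0%{?install_dbus_files}` branch removes `%{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf`, but `%configure` is called with `--with-dbuspolicydir=%{_datadir}/dbus-1/system.d` and `%files` lists the file under `%{_datadir}`. On targets that take this branch the `rm` would presumably fail on a missing path, and the D-Bus policy file would stay in the buildroot unpackaged; the line should read `rm %{buildroot}%{_datadir}/dbus-1/system.d/tpm2-abrmd.conf`. Separately, the comment `# curl https://github.com/williamcroberts.gpg > tpm2-abrmd.keyring` records only where the key was fetched from. Adding the expected fingerprint next to it, e.g. `# expected fingerprint: <FINGERPRINT-PLACEHOLDER>`, would let a later maintainer check a refreshed keyring against a pinned value instead of trusting whatever the URL serves at that time. The SELinux steps also hard-code `targeted` in their paths although `%{selinuxtype}` is defined at the top of the file.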