From 2dec5107b8f6f1014f163805b31e4116d8dcaed1e573fc05ddb3fc3e996ae9d0 Mon Sep 17 00:00:00 2001
From: Alberto Planas Dominguez
Date: Wed, 13 Jul 2022 12:35:56 +0000
Subject: [PATCH] Accepting request 989000 from home:aplanas:branches:security

- Add patch to fix leakage of TPM simulator process
  add_missing_shut_down_call_on_cleanup.patch
- Add patch to fix fapi-quote-verify[_ecc].sh test
  fix_check_of_qualifying_data.patch
- Enable test execution by default

OBS-URL: https://build.opensuse.org/request/show/989000
OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=93
---
 add_missing_shut_down_call_on_cleanup.patch | 70 ++++++++
 fix_check_of_qualifying_data.patch | 167 ++++++++++++++++++++
 tpm2.0-tools.changes | 9 ++
 tpm2.0-tools.spec | 8 +-
 4 files changed, 252 insertions(+), 2 deletions(-)
 create mode 100644 add_missing_shut_down_call_on_cleanup.patch
 create mode 100644 fix_check_of_qualifying_data.patch

diff --git a/add_missing_shut_down_call_on_cleanup.patch b/add_missing_shut_down_call_on_cleanup.patch
new file mode 100644
index 0000000..f3368af
--- /dev/null
+++ b/add_missing_shut_down_call_on_cleanup.patch
@@ -0,0 +1,70 @@
+From db6aa7ac5094a04168e60256e154786c0c7e7c1c Mon Sep 17 00:00:00 2001
+From: Alberto Planas
+Date: Wed, 13 Jul 2022 13:35:19 +0200
+Subject: [PATCH] test: add missing shut_down call on cleanup
+
+The tests "gettime", "readclock" and "symlink" are not calling
+"shut_down" during the "cleanup" stage, making the TPM simulator to keep
+their process during the "make check". Somehow this produces problems
+when the tests are executed in parallel under certain conditions, with
+the effect of "make" not ending and waiting to those process to die.
+
+This commit and the mising call in the "cleanup" stage.
+
+Fix #3042
+
+Signed-off-by: Alberto Planas
+---
+ test/integration/tests/gettime.sh | 5 ++++-
+ test/integration/tests/readclock.sh | 5 ++++-
+ test/integration/tests/symlink.sh | 5 ++++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/test/integration/tests/gettime.sh b/test/integration/tests/gettime.sh
+index 5a91210a7..054bef864 100644
+--- a/test/integration/tests/gettime.sh
++++ b/test/integration/tests/gettime.sh
+@@ -3,7 +3,10 @@
+ source helpers.sh
+
+ cleanup() {
+- rm -f attest.sig attest.data
++ rm -f attest.sig attest.data
++ if [ "$1" != "no-shut-down" ]; then
++ shut_down
++ fi
+ }
+ trap cleanup EXIT
+
+diff --git a/test/integration/tests/readclock.sh b/test/integration/tests/readclock.sh
+index 56a4c8622..2c59dad09 100644
+--- a/test/integration/tests/readclock.sh
++++ b/test/integration/tests/readclock.sh
+@@ -3,7 +3,10 @@
+ source helpers.sh
+
+ cleanup() {
+- rm -f clock.yaml
++ rm -f clock.yaml
++ if [ "$1" != "no-shut-down" ]; then
++ shut_down
++ fi
+ }
+ trap cleanup EXIT
+
+diff --git a/test/integration/tests/symlink.sh b/test/integration/tests/symlink.sh
+index d1c800ad0..b61349eef 100644
+--- a/test/integration/tests/symlink.sh
++++ b/test/integration/tests/symlink.sh
+@@ -4,7 +4,10 @@ source helpers.sh
+
+ TMP="$(mktemp -d)"
+ cleanup() {
+- rm -rf "$TMP"
++ rm -rf "$TMP"
++ if [ "$1" != "no-shut-down" ]; then
++ shut_down
++ fi
+ }
+ trap cleanup EXIT
+
diff --git a/fix_check_of_qualifying_data.patch b/fix_check_of_qualifying_data.patch
new file mode 100644
index 0000000..670555c
--- /dev/null
+++ b/fix_check_of_qualifying_data.patch
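Review bot: The new `if [ "$1" != "no-shut-down" ]` guard added to `cleanup` in gettime.sh, readclock.sh and symlink.sh is not exercised by anything visible in this patch: `trap cleanup EXIT` invokes the function with no argument, so `$1` is empty and `shut_down` always runs on exit. A `cleanup "no-shut-down"` call before the simulator is started is the usual tpm2-tools test pattern, but it is outside these hunks, so the guard reads as dead code to anyone reviewing only the patch. A one-line comment above the guard would make the contract explicit, e.g. `# skipped when invoked as 'cleanup no-shut-down' before start_up; the EXIT trap passes no argument`. If these scripts run under `set -u` (the shebang and set options are not shown), `"$1"` would need to become `"${1:-}"` to avoid an unbound-variable abort inside the trap.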
@@ -0,0 +1,167 @@ +From 3b1f00301350848e9454c7adf0487c1a14738236 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Sat, 8 Jan 2022 13:43:00 +0100 +Subject: [PATCH] test/fapi/fapi-quote-verify.sh Fix check of qualifying data. + +Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly. +Errors that were not recognized before occur now. +The order of the tests was cleaned up and for every quote and verify quote now +the correct combination of the qualifying data and quote info containing the nonce +is used. + +Signed-off-by: Juergen Repp +--- + test/integration/fapi/fapi-quote-verify.sh | 38 ++++++++++++---------- + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify.sh +index ad4ade3a1..497d4337f 100644 +--- a/test/integration/fapi/fapi-quote-verify.sh ++++ b/test/integration/fapi/fapi-quote-verify.sh +@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey + NONCE_FILE=$TEMP_DIR/nonce.file + PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key + QUOTE_INFO=$TEMP_DIR/quote.info ++QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info + SIGNATURE_FILE=$TEMP_DIR/signature.file + CERTIFICATE_FILE=$TEMP_DIR/certificate.file + PCR_LOG=$TEMP_DIR/pcr.log +@@ -35,14 +36,32 @@ tss2 provision + + tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue="" + ++tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force ++tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY ++ ++ + tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \ + --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \ + --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force + ++tss2 verifyquote --publicKeyPath="ext/myNewParent" \ ++ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \ ++ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG ++ + echo "tss2 quote with EMPTY_FILE" # Expected to succeed + tss2 quote 
--keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \ + --qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \ +- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force ++ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force ++ ++echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed ++tss2 verifyquote --publicKeyPath="ext/myNewParent" \ ++ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \ ++ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG ++ ++# Try with missing qualifyingData ++tss2 verifyquote --publicKeyPath="ext/myNewParent" \ ++ --quoteInfo=$QUOTE_EMPTY_INFO \ ++ --signature=$SIGNATURE_FILE + + echo "tss2 quote with BIG_FILE" # Expected to fail + expect < + +- Add patch to fix leakage of TPM simulator process + add_missing_shut_down_call_on_cleanup.patch +- Add patch to fix fapi-quote-verify[_ecc].sh test + fix_check_of_qualifying_data.patch +- Enable test execution by default + ------------------------------------------------------------------- Fri Jul 8 07:51:37 UTC 2022 - Alberto Planas Dominguez diff --git a/tpm2.0-tools.spec b/tpm2.0-tools.spec index 8cf3e5f..3512039 100644 --- a/tpm2.0-tools.spec +++ b/tpm2.0-tools.spec @@ -17,7 +17,7 @@ %define _lto_cflags %{nil} -%bcond_with test +%bcond_without test Name: tpm2.0-tools Version: 5.2 Release: 0 @@ -32,6 +32,10 @@ Source2: tpm2-tools.keyring Patch0: fix_bogus_warning.patch # PATCH-FIX-UPSTREAM 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch -- based on PR#3041 Patch1: 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch +# PATCH-FIX-UPSTREAM add_missing_shut_down_call_on_cleanup.patch -- based on PR#3047 +Patch2: add_missing_shut_down_call_on_cleanup.patch +# PATCH-FIX-UPSTREAM fix_check_of_qualifying_data.patch -- already merged +Patch3: fix_check_of_qualifying_data.patch BuildRequires: gcc-c++ BuildRequires: libcurl-devel BuildRequires: libopenssl-devel 
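Review bot: The new `Patch3:` comment in the `@@ -32,6 +32,10 @@` hunk says only `-- already merged`, while `Patch1` and `Patch2` cite the upstream PR they were taken from; a patch without an upstream reference is hard to verify or drop at the next version bump. The patch file itself carries the upstream commit id, so the comment can name it: `# PATCH-FIX-UPSTREAM fix_check_of_qualifying_data.patch -- upstream commit 3b1f00301350848e9454c7adf0487c1a14738236 (test/fapi/fapi-quote-verify.sh)`. The commit description and the changes entry say this patch fixes `fapi-quote-verify[_ecc].sh`, but the patch's own diffstat lists only `test/integration/fapi/fapi-quote-verify.sh` (1 file changed); confirm whether the `_ecc` variant is really covered or needs a second patch.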
@@ -102,7 +106,7 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %check
 # Do the tests sequentially to kill all tpm_server instances
 # https://github.com/tpm2-software/tpm2-tools/issues/3042
-%make_build -j1 check
+%make_build check
 %endif

 %changelog
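Review bot: The two comment lines kept above `%make_build check` still say the tests run sequentially to kill all tpm_server instances, but the `-j1` that made them sequential is exactly what this hunk removes, so the comment now contradicts the command below it. The simulator leak is now addressed by Patch2 (add_missing_shut_down_call_on_cleanup.patch), and `%bcond_without test` in the earlier hunk makes this `%check` run on every build, so the comment should record that reasoning instead, e.g. `# tpm_server instances are shut down by each test's cleanup (add_missing_shut_down_call_on_cleanup.patch, upstream issue 3042), so check can run in parallel`. Keeping a mention that `-j1` is the known-good fallback if the hang reappears would save the next packager a bisect.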