Accepting request 926512 from home:aplanas:branches:security

- Update to version 5.2:
  + tpm2_nvextend:
    * Added option -n, --name to specify the name of the nvindex in
      hex bytes. This is used when cpHash ought to be calculated
      without dispatching the TPM2_NV_Extend command to the TPM.
  + tpm2_nvread:
    * Added option --rphash=FILE to specify file path to record the
      hash of the response parameters. This is commonly termed as
      rpHash.
    * Added option -n, --name to specify the name of the nvindex in
      hex bytes. This is used when cpHash ought to be calculated
      without dispatching the TPM2_NVRead command to the TPM.
    * Added option -S, --session to specify an auxiliary
      session for auditing and or encryption/decryption of the
      parameters.
  + tpm2_nvsetbits:
    * Added option --rphash=FILE to specify file path to record the
      hash of the response parameters. This is commonly termed as
      rpHash.
    * Added option -S, --session to specify an auxiliary
      session for auditing and or encryption/decryption of the
      parameters.
    * Added option -n, --name to specify the name of the nvindex in
      hex bytes. This is used when cpHash ought to be calculated
      without dispatching the TPM2_NV_SetBits command to the TPM.
  + tpm2_createprimary:
    * Support public-key output at creation time in various public-key
      formats.
  + tpm2_create:
    * Support public-key output at creation time in various public-key
      formats.
  + tpm2_print:
    * Support outputting public key in various public key formats over
      the default YAML output. Supports taking -u output from
      tpm2_create and converting it to a PEM or DER file format.
  + tpm2_import:
    * Add support for importing keys with sealed-data-blobs.
  + tpm2_rsaencrypt, tpm2_rsadecrypt:
    * Add support for specifying the hash algorithm with oaep.
  + tpm2_pcrread, tpm2_quote:
    * Add option -F, --pcrs_format to specify PCR format selection for
      the binary blob in the PCR output file. 'values' will output a
      binary blob of the PCR values. 'serialized' will output a binary
      blob of the PCR values in the form of serialized data structure
      in little endian format.
  + tpm2_eventlog:
    * Add support for decoding StartupLocality.
    * Add support for printing the partition information.
    * Add support for reading eventlogs longer than 64kb including
      from /sys/kernel/security/tpm0/binary_bios-measurements.
  + tpm2_duplicate:
    * Add option -L, --policy to specify an authorization policy to be
      associated with the duplicated object.
    * Added support for external key duplication without needing the
      TCTI.
  + tools:
    * Enhance error message on invalid passwords when sessions cannot
      be used.
  + lib/tpm2_options:
    * Add option to specify fake tcti which is required in cases where
      sapi ctx is required to be initialized for retrieving command
      parameters without invoking the tcti to talk to the TPM.
  + openssl:
    * Dropped support for OpenSSL < 1.1.0
    * Add support for OpenSSL 3.0.0
  + Support added to make the repository documentation and man pages
    available live on readthedocs.
  + Bug-fixes:
    * tpm2_import: Don't allow setting passwords for imported object
      with -p option as the tool doesn't modify the TPM2B_SENSITIVE
      structure. Added appropriate logging to indicate using
      tpm2_changeauth after import.
    * lib/tpm2_util.c: The function to calculate pHash algorithm
      returned error when input session is a password session and the
      only session in the command.
    * lib/tpm2_alg_util.c: Fix an error where oaep was parsed under
      ECC.
    * tpm2_sign: Fix segfaults when tool does not find TPM resources
      (TPM or RM).
    * tpm2_makecredential: Fix an issue where reading input from stdin
      could result in unsupported data size larger than the largest
      digest size.
    * tpm2_loadexternal: Fix an issue where restricted attribute could
      not be set.
    * lib/tpm2_nv_util.h: The NV index size is dependent on different
      data sets read from the GetCapability structures because there
      is a dependency on the NV operation type: Define vs Read vs
      Write vs Extend. Fix a sane default in the case where
      GetCapability fails or fails to report the specific property/
      data set. This is especially true because some properties are
      TPM implementation dependent.
    * tpm2_createpolicy: Fix an issue where tool exited silently
      without reporting an error if wrong pcr string is specified.
    * lib/tpm2_alg_util: add error message on public init to prevent
      tools from dying silently, add an error message.
    * tpm2_import: fix an issue where an imported hmac object scheme
      was NULL. While allowed, it was inconsistent with other tools
      like tpm2_create which set the scheme as hmac->sha256 when
      generating a keyedhash object.
- Drop patches already in upstream:
  + 0001-tpm2_checkquote-fix-uninitialized-variable.patch
  + 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch
  + 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch

OBS-URL: https://build.opensuse.org/request/show/926512
OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=84
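The tpm2_eventlog entries above (reading logs longer than 64kb from /sys/kernel/security/tpm0/binary_bios-measurements) come down to one technique: securityfs files report no size, so the log must be read in fixed chunks, growing the buffer and advancing the write offset each time. The C program below is an added example, not tpm2-tools code; the names read_stream_chunked, selftest_chunked and EVENTLOG_CHUNK_SIZE are mine, and the 16 KB chunk mirrors the CHUNK_SIZE of the dropped patches.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed: same 16 KB chunk as CHUNK_SIZE in the dropped eventlog patch. */
#define EVENTLOG_CHUNK_SIZE 16384

/* Read a whole stream into a heap buffer without knowing its size first.
 * securityfs files such as the TPM event log report size 0 to fseek/ftell,
 * so the robust method is to read fixed chunks until EOF and grow the
 * buffer as needed. Each chunk lands at buf + total (the offset the second
 * dropped patch had to fix), and a short read only counts as EOF when
 * ferror() is clear. Returns NULL on allocation or I/O failure. */
static unsigned char *read_stream_chunked(FILE *fp, size_t chunk, size_t *out_len) {
    size_t total = 0, cap = chunk;
    unsigned char *buf = malloc(cap);
    if (!buf) return NULL;
    for (;;) {
        size_t n = fread(buf + total, 1, chunk, fp);
        total += n;
        if (n < chunk) {
            if (ferror(fp)) { free(buf); return NULL; } /* real error, not EOF */
            break;
        }
        unsigned char *tmp = realloc(buf, cap + chunk); /* room for next chunk */
        if (!tmp) { free(buf); return NULL; }
        buf = tmp;
        cap += chunk;
    }
    *out_len = total;
    return buf;
}

/* Self-check: write nbytes of a known pattern to a temporary file
 * (constructed input), read it back through the chunked reader and
 * verify both the total length and every byte. */
static bool selftest_chunked(size_t nbytes, size_t chunk) {
    FILE *fp = tmpfile();
    if (!fp) return false;
    bool ok = true;
    for (size_t i = 0; i < nbytes && ok; i++)
        ok = fputc((int)(i & 0xff), fp) != EOF;
    rewind(fp);
    size_t len = 0;
    unsigned char *buf = ok ? read_stream_chunked(fp, chunk, &len) : NULL;
    ok = buf != NULL && len == nbytes;
    for (size_t i = 0; ok && i < len; i++)
        ok = buf[i] == (unsigned char)(i & 0xff);
    free(buf);
    fclose(fp);
    return ok;
}

/* Exercise a log larger than two chunks, as the 64kb case in the changelog. */
int main(void) {
    return selftest_chunked(40000, EVENTLOG_CHUNK_SIZE) ? 0 : 1;
}
```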
Matthias Gerstner 2021-10-20 10:13:52 +00:00 committed by Git OBS Bridge
parent 2daa4759e2
commit a9b849d596
9 changed files with 129 additions and 241 deletions


@ -1,37 +0,0 @@
From 3d7edb1c70cba6c34c71c9b856c07b8adcebb15c Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Thu, 17 Jun 2021 11:07:25 +0200
Subject: [PATCH] tpm2_checkquote: fix uninitialized variable
The variable `temp_pcrs` is uninitialized, and later partially
uninitialized when reading the selection data from file.
When activating lto optimizations, this bug presents itself showing an
error during the read of the quote:
ERROR: Malformed PCR file, pcr count cannot be greater than 32, got: ...
Fixes: #2767
Co-authored-by: Martin Liska <marxin.liska@gmail.com>
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
tools/misc/tpm2_checkquote.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
index 53150857..8d780f11 100644
--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
@@ -376,7 +376,7 @@ static tool_rc init(void) {
TPM2B_ATTEST *msg = NULL;
TPML_PCR_SELECTION pcr_select;
tpm2_pcrs *pcrs;
- tpm2_pcrs temp_pcrs;
+ tpm2_pcrs temp_pcrs = {};
tool_rc return_value = tool_rc_general_error;
msg = message_from_file(ctx.msg_file_path);
--
2.32.0
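Review bot: the 5.2 changelog quoted in the commit message lists no tpm2_checkquote fix among its bug-fixes, so before dropping this patch it is worth confirming that the upstream 5.2 tarball already carries the equivalent of `tpm2_pcrs temp_pcrs = {};` (the fix for #2767); otherwise the LTO-triggered "Malformed PCR file" error described here would return with this update.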


@ -1,35 +0,0 @@
From 24e193412eac3985baea5e83e3245a4315c86ebe Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Thu, 29 Jul 2021 16:02:50 +0200
Subject: [PATCH 1/1] tpm2_eventlog: fix buffer offset when reading the event
log
The event log is read in chunks of CHUNK_SIZE blocks (16KB), always
checking when the EOF is reached, so it is compatible with virtual files
that lives in securityfs and we do not know the full size. The current
code is not taking care of adjusting the offset when the next chunk is
read.
This patch add "size" to the base buffer where the event log is stored
in memory.
Fix #2778
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
tools/misc/tpm2_eventlog.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: tpm2-tools-5.1.1/tools/misc/tpm2_eventlog.c
===================================================================
--- tpm2-tools-5.1.1.orig/tools/misc/tpm2_eventlog.c
+++ tpm2-tools-5.1.1/tools/misc/tpm2_eventlog.c
@@ -90,7 +90,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONT
}
unsigned long size = 0;
- while (files_read_bytes_chunk(fileptr, eventlog, CHUNK_SIZE, &size)) {
+ while (files_read_bytes_chunk(fileptr, eventlog + size, CHUNK_SIZE, &size)) {
UINT8 *eventlog_tmp = realloc(eventlog, size + CHUNK_SIZE);
if (eventlog_tmp == NULL){
LOG_ERR("failed to allocate %lu bytes: %s", size + CHUNK_SIZE, strerror(errno));
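Review bot: dropping this patch is consistent with the 5.2 entry "Add support for reading eventlogs longer than 64kb", which is the case that `eventlog + size` fixes here; without the offset every chunk after the first overwrote the buffer start. The file is also in `Index:`/`orig` style rather than the `diff --git` form of the other two patches, which only matters if it were kept.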


@ -1,145 +0,0 @@
From b95e41bccc64e488ca9c824e632b8ca5bc87db55 Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Fri, 18 Jun 2021 15:54:22 +0200
Subject: [PATCH] tpm2_eventlog: read eventlog file in chunks
The eventlog file lives is securityfs, that do not return the file size.
The current implementation first try to do a "fseek(fp, 0, SEEK_END)"
for this file, and this will always return 0.
This generate an error, and tpm2_eventlog exit with:
ERROR: Unable to run tpm2_eventlog
This patch replace the reading logic, now reading in chunks of 16KB and
reallocating the buffer if needed. Also introduces a new function in
files.c ("files_read_bytes_chunk") that helps counting the total read
size, that now is different from the ammount of allocated memory.
Fixes #2775
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
lib/files.c | 9 +++++++++
lib/files.h | 15 ++++++++++++++
tools/misc/tpm2_eventlog.c | 40 +++++++++++++++++++-------------------
3 files changed, 44 insertions(+), 20 deletions(-)
diff --git a/lib/files.c b/lib/files.c
index 884dd23c..7f0fb39f 100644
--- a/lib/files.c
+++ b/lib/files.c
@@ -564,6 +564,15 @@ bool files_read_bytes(FILE *out, UINT8 bytes[], size_t len) {
return (readx(out, bytes, len) == len);
}
+bool files_read_bytes_chunk(FILE *out, UINT8 bytes[], size_t len, size_t *read_len) {
+
+ BAIL_ON_NULL("FILE", out);
+ BAIL_ON_NULL("bytes", bytes);
+ size_t chunk_len = readx(out, bytes, len);
+ *read_len += chunk_len;
+ return (chunk_len == len);
+}
+
bool files_write_bytes(FILE *out, uint8_t bytes[], size_t len) {
BAIL_ON_NULL("FILE", out);
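Review bot: `files_read_bytes_chunk` cannot tell a short read caused by an I/O error from EOF: it adds `chunk_len` to `*read_len` and returns `chunk_len == len` either way, so a caller looping on the return value will stop and hand a truncated buffer to the parser as if it were the complete log. Checking `ferror(out)` after `readx` and returning a distinct failure (or leaving `*read_len` untouched) would let the eventlog loop report the error instead.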
diff --git a/lib/files.h b/lib/files.h
index 33022cbd..684b7eef 100644
--- a/lib/files.h
+++ b/lib/files.h
@@ -571,6 +571,21 @@ bool files_read_64(FILE *out, UINT64 *data);
*/
bool files_read_bytes(FILE *out, UINT8 data[], size_t size);
+/**
+ * Reads len bytes from a file and set the read length.
+ * @param out
+ * The file to read from.
+ * @param data
+ * The buffer to read into, only valid on a True return.
+ * @param size
+ * The number of bytes to read.
+ * @param read_size
+ * Total number of bytes readed.
+ * @return
+ * True on success, False otherwise.
+ */
+bool files_read_bytes_chunk(FILE *out, UINT8 data[], size_t size, size_t *read_size);
+
/**
* Converts a TPM2B_ATTEST to a TPMS_ATTEST using libmu.
* @param quoted
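Review bot: the new doc comment has a typo ("Total number of bytes readed" should be "read") and its parameter names (`data`, `size`, `read_size`) differ from the definition in lib/files.c (`bytes`, `len`, `read_len`); aligning the names between header and implementation keeps the generated docs accurate. The `@param data` text "only valid on a True return" is also misleading here, since on a partial final chunk the function returns false yet the bytes it did read are exactly what the caller needs.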
diff --git a/tools/misc/tpm2_eventlog.c b/tools/misc/tpm2_eventlog.c
index b51089bd..64ce6add 100644
--- a/tools/misc/tpm2_eventlog.c
+++ b/tools/misc/tpm2_eventlog.c
@@ -12,6 +12,8 @@
#include "tpm2_eventlog_yaml.h"
#include "tpm2_tool.h"
+#define CHUNK_SIZE 16384
+
static char *filename = NULL;
/* Set the default YAML version */
@@ -72,37 +74,35 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
return tool_rc_option_error;
}
- /* Get file size */
- unsigned long size = 0;
- bool ret = files_get_file_size_path(filename, &size);
- if (!ret || !size) {
+ /* Read the file in chunks. Usually the file will reside in
+ securityfs, and those files do not have a public file size */
+ tool_rc rc = tool_rc_success;
+ FILE *fileptr = fopen(filename, "rb");
+ if (!fileptr) {
return tool_rc_general_error;
}
- /* Allocate buffer to read file data */
- UINT8 *eventlog = calloc(1, size);
+ /* Reserve the buffer for the first chunk */
+ UINT8 *eventlog = calloc(1, CHUNK_SIZE);
if (eventlog == NULL){
- LOG_ERR("failed to allocate %lu bytes: %s", size, strerror(errno));
+ LOG_ERR("failed to allocate %d bytes: %s", CHUNK_SIZE, strerror(errno));
return tool_rc_general_error;
}
- /* Load buffer with file data */
- tool_rc rc = tool_rc_success;
- FILE *fileptr = fopen(filename, "rb");
- if (!fileptr) {
- rc = tool_rc_general_error;
- goto out;
+ unsigned long size = 0;
+ while (files_read_bytes_chunk(fileptr, eventlog, CHUNK_SIZE, &size)) {
+ UINT8 *eventlog_tmp = realloc(eventlog, size + CHUNK_SIZE);
+ if (eventlog_tmp == NULL){
+ LOG_ERR("failed to allocate %lu bytes: %s", size + CHUNK_SIZE, strerror(errno));
+ rc = tool_rc_general_error;
+ goto out;
+ }
+ eventlog = eventlog_tmp;
}
-
- ret = files_read_bytes(fileptr, eventlog, size);
fclose(fileptr);
- if (!ret) {
- rc = tool_rc_general_error;
- goto out;
- }
/* Parse eventlog data */
- ret = yaml_eventlog(eventlog, size, eventlog_version);
+ bool ret = yaml_eventlog(eventlog, size, eventlog_version);
if (!ret) {
LOG_ERR("failed to parse tpm2 eventlog");
rc = tool_rc_general_error;
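Review bot: the `goto out` on realloc failure inside the while loop skips `fclose(fileptr)`, leaking the handle on the error path; moving the `fclose` under the `out` label (guarded by a NULL check) fixes that. The loop also reads every chunk into `eventlog` at offset 0 rather than `eventlog + size`, so a log longer than CHUNK_SIZE is overwritten chunk by chunk; the separate offset patch in this request corrects that, which is a sign the two should have been one change.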
--
2.32.0


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5500810f7af999391babb13216d75843bee9f3f9d1544feed5e503d801174a3b
size 1044427

tpm2-tools-5.2.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630
size 1072078

tpm2-tools-5.2.tar.gz.asc Normal file


@ -1,3 +1,111 @@
-------------------------------------------------------------------
Wed Oct 20 08:53:37 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to version 5.2:
+ tpm2_nvextend:
* Added option -n, --name to specify the name of the nvindex in
hex bytes. This is used when cpHash ought to be calculated
without dispatching the TPM2_NV_Extend command to the TPM.
+ tpm2_nvread:
* Added option --rphash=FILE to specify ile path to record the
hash of the response parameters. This is commonly termed as
rpHash.
* Added option -n, --name to specify the name of the nvindex in
hex bytes. This is used when cpHash ought to be calculated
without dispatching the TPM2_NVRead command to the TPM.
* Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the
parameters.
+ tpm2_nvsetbits:
* Added option --rphash=FILE to specify file path to record the
hash of the response parameters. This is commonly termed as
rpHash.
* Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the
parameters.
* Added option -n, --name to specify the name of the nvindex in
hex bytes. This is used when cpHash ought to be calculated
without dispatching the TPM2_NV_SetBits command to the TPM.
+ tpm2_createprimary:
* Support public-key output at creation time in various public-key
formats.
+ tpm2_create:
* Support public-key output at creation time in various public-key
formats.
+ tpm2_print:
* Support outputing public key in various public key formats over
the default YAML output. Supports taking -u output from
tpm2_create and converting it to a PEM or DER file format.
+ tpm2_import:
* Add support for importing keys with sealed-data-blobs.
+ tpm2_rsaencrypt, tpm2_rsadecrypt:
* Add support for specifying the hash algorithm with oaep.
+ tpm2_pcrread, tpm2_quote:
* Add option -F, --pcrs_format to specify PCR format selection for
the binary blob in the PCR output file. 'values' will output a
binary blob of the PCR values. 'serialized' will output a binary
blob of the PCR values in the form of serialized data structure
in little endian format.
+ tpm2_eventlog:
* Add support for decoding StartupLocality.
* Add support for printing the partition information.
* Add support for reading eventlogs longer than 64kb including
from /sys/kernel/security/tpm0/binary_bios-measurements.
+ tpm2_duplicate:
* Add option -L, --policy to specify an authorization policy to be
associated with the duplicated object.
* Added support for external key duplication without needing the
TCTI.
+ tools:
* Enhance error message on invalid passwords when sessions cannot
be used.
+ lib/tpm2_options:
* Add option to specify fake tcti which is required in cases where
sapi ctx is required to be initialized for retrieving command
parameters without invoking the tcti to talk to the TPM.
+ openssl:
* Dropped support for OpenSSL < 1.1.0
* Add support for OpenSSL 3.0.0
+ Support added to make the repository documentation and man pages
available live on readthedocs.
+ Bug-fixes:
* tpm2_import: Don't allow setting passwords for imported object
with -p option as the tool doesn't modify the TPM2B_SENSITIVE
structure. Added appropriate logging to indicate using
tpm2_changeauth after import.
* lib/tpm2_util.c: The function to calculate pHash algorithm
returned error when input session is a password session and the
only session in the command.
* lib/tpm2_alg_util.c: Fix an error where oaep was parsed under
ECC.
* tpm2_sign: Fix segfaults when tool does not find TPM resources
(TPM or RM).
* tpm2_makecredential: Fix an issue where reading input from stdin
could result in unsupported data size larger than the largest
digest size.
* tpm2_loadexternal: Fix an issue where restricted attribute could
not be set.
* lib/tpm2_nv_util.h: The NV index size is dependent on different
data sets read from the GetCapability structures because there
is a dependency on the NV operation type: Define vs Read vs
Write vs Extend. Fix a sane default in the case where
GetCapability fails or fails to report the specific property/
data set. This is especially true because some properties are
TPM implementation dependent.
* tpm2_createpolicy: Fix an issue where tool exited silently
without reporting an error if wrong pcr string is specified.
* lib/tpm2_alg_util: add error message on public init to prevent
tools from dying silently, add an error message.
* tpm2_import: fix an issue where an imported hmac object scheme
was NULL. While allowed, it was inconsistent with other tools
like tpm2_create which set the scheme as hmac->sha256 when
generating a keyedhash object.
- Drop patches already in upstream:
+ 0001-tpm2_checkquote-fix-uninitialized-variable.patch
+ 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch
+ 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch
-------------------------------------------------------------------
Thu Jul 29 14:15:11 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
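Review bot: the new changelog entry carries a few typos worth fixing before submission: "specify ile path" (file path) under tpm2_nvread, "to specify to specify" in the -S, --session entries of both tpm2_nvread and tpm2_nvsetbits, and "outputing" under tpm2_print. The referenced path also reads `binary_bios-measurements`; double-check it against the actual securityfs file name before it lands in the package changelog.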


@ -17,7 +17,7 @@
Name: tpm2.0-tools
Version: 5.1.1
Version: 5.2
Release: 0
Summary: Trusted Platform Module (TPM) 2.0 administration tools
License: BSD-3-Clause
@ -28,9 +28,6 @@ Source1: https://github.com/tpm2-software/tpm2-tools/releases/download/%{
# git show william-roberts-pub javier-martinez-pub joshua-lock-pub idesai-pub > tpm2-tools.keyring
Source2: tpm2-tools.keyring
Patch0: fix_bogus_warning.patch
Patch2: 0001-tpm2_checkquote-fix-uninitialized-variable.patch
Patch3: 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch
Patch4: 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch
BuildRequires: gcc-c++
BuildRequires: libcurl-devel
BuildRequires: libopenssl-devel
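Review bot: Patch2, Patch3 and Patch4 are removed here, but no %prep hunk appears in this diff, so whether their corresponding %patch applications were removed as well cannot be seen; if the spec applies patches explicitly rather than via %autosetup, the build will fail at %prep. It is also worth confirming that the remaining Patch0 (fix_bogus_warning.patch) still applies cleanly to the 5.2 sources.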
@ -83,7 +80,7 @@ find %{buildroot} -type f -name "*.la" -delete -print
%files
%defattr(-,root,root)
%doc README.md doc/CHANGELOG.md
%doc doc/README.md doc/CHANGELOG.md
%license doc/LICENSE
/usr/bin/tpm2*
/usr/bin/tss2*