Accepting request 1041869 from home:aplanas:branches:security

- Update to version 5.4 + Added: * tpm2_policyrestart: Added option --cphash to output the cpHash for the command PM2_CC_PolicyRestart. * tpm2_policynvwritten: Added option --cphash to output the cpHash for the command TPM2_CC_PolicyNvWritten. * tpm2_policylocality: Added option --cphash to output the cpHash for the command TPM2_CC_PolicyLocality. * tpm2_policycountertimer: Added option --cphash to output the cpHash for the command TPM2_CC_PolicyCounterTimer. * tpm2_policycommandcode: Added option --cphash to output the cpHash for the command TPM2_CC_PolicyCommandCode. * tpm2_policypassword: Added option --cphash to output the cpHash for the command TPM2_CC_PolicyPassword. * tpm2_policyauthvalue: Added option --cphash to output the cpHash for the command TPM2_CC_PolicyAuthValue. * tpm2_policyauthorize: Added option --cphash to output the cpHash for the command TPM2_CC_PolicyAuthorize. * tpm2_print: Support printing serialized ESYS_TR's * tpm2_create: Add a clarifying message to usage of -c when TPM2_CreateLoaded is not supported. * tpm2_getcap: Add support for vendor agnostic capabilites. Requires tpm2-tss version 4.0 and higher to enable. * Add a script, check_endorsement_cert.sh, to validate the endorsement certificate chain. It takes two inputs - A TPM2B_PUBLIC format EKpublic and a PEM format EKcertificate specified in that order as arguments. - Update to version 5.3 + Features: * lib/tpm2_tool.c: add --help=no-man for tpm2 option. Prior to this change the tool parsed no-man as an unrecognized option and errored out. Now it lists all the available tool options. * tpm2_encodeobject: New tool to encode TPM2 object. It takes public and private portions of an object and encode them in a combined PEM form called tssprivkey used by tpm2-tss-engine and other applications. * Support alternative ECC curves for which default EK templates exist (NIST_P256, NIST_P384, NIST_P521, and SM2_P256). * tools/misc/tpm2_checkquote: add sm2 verification of signature. * crypto: support the TPM2_ECC_SM2_P256 curveID. * fapi: add new command to enable the use of fapi objects for tpm2 tools. The new command tss2_gettpm2object was added. With this command context files which can be used for tpm2 tool commands can be created. * Support for sign and verify with sm2 algorithms. * tools/tpm2_startauthsession: add sym-algorithm argument for supported symmetric algorithm. * Attestation (certify, command audit, sessionaudit and quote): add scheme argument for supported signature schemes. This also enable support for SM signing. * tpm2_flushcontext: support all options at a time. Support the -t/-l/-s options all at once so folks don't have to call it multiple times. * tools/tpm2_nvread: add human readable output for NV content Enable parsing and YAML-style output for the different NV index types. * New event types in tpm2_eventlog: EV_EFI_PLATFORM_FIRMWARE_BLOB2, EV_EFI_HANDOFF_TABLES2, EV_EFI_VARIABLE_BOOT2 * VERSION: add version file - Generate the version file with bootstrap and include in the DIST tarball so endusers can call autoreconf on a dist tarball which doesn't have git. This alleviates git describe errors on release tarballs in the autoreconf case. * import: support restricted parents - Support a restricted parent with an aes128cfb symmetric parameter. * tpm2_load - Added capability to load pem files in TSS2-Private-Key format for interoperability with tpm2-tss-engine, tpm2-openssl provider tpm2-pkcs11, and tpm2-pytss. * tpm2_print - Added capability to parse out and print the public portion of a TSS Private Key in the PEM format with the arg option TSSPRIVKEY_OBJ. * tpm2_loadexternal: Added support to tpm2_loadexternal for parsing and loading the public portion of a TSS2 Privkey PEM file. The path to the PEM file must be specified using the -r option while skipping the -G option for key type. * Support added for calculating cpHash, rpHash, sessions for parameter encryption and auditing in: tpm2_nvwrite, tpm2_nvcertify, tpm2_nvincrement, tpm2_nvwritelock, tpm2_nvreadlock, tpm2_nvundefine and tpm2_nvreadpublic. * Support added for calculating cpHash in: tpm2_clear, tpm2_dictionarylockout, tpm2_clearcontrol, tpm2_sign, tpm2_setprimarypolicy, tpm2_setclock, tpm2_rsadecrypt, tpm2_duplicate, tpm2_clockrateadjust, tpm2_createprimary, tpm2_quote, tpm2_policysecret, tpm2_policynv, tpm2_policyauthorizenv, tpm2_import, tpm2_hmac, tpm2_hierarchycontrol, tpm2_load, tpm2_gettime, tpm2_evictcontrol, tpm2_encryptdecrypt, tpm2_getpolicydigest, tpm2_loadexternal, tpm2_commit, tpm2_ecdhkeygen, tpm2_ecdhzgen, tpm2_ecephemeral, tpm2_geteccparameters, tpm2_flushcontext, tpm2_pcrallocate, tpm2_pcrevent, tpm2_pcrreset, tpm2_pcrread. * Support for using tcti=none for cpHash calculations to avoid invoking checks for active TPM in: tpm2_nvreadpublic, tpm2_nvundefine, tpm2_nvreadlock, tpm2_nvwritelock, tpm2_nvincrement, tpm2_nvcertify, tpm2_nvdefine, tpm2_nvwrite. + Known issue: * FAPI tools will not work on 32bit user-static qemu on 64bit host because readdir returns NULL. Follow the issue on https://gitlab.com/qemu-project/qemu/-/issues/263 + Bug fixes: * tools/tpm2_pcrreset.c: fix build errors in 32bit systems. * Fix tssprivkey formatted PEM generation and load errors on 32 bit systems. * CI: Add testing of 32bit systems with multiarch/qemu-user-static containers. * tools/tpm2_evictcontrol: fix for calls to Esys_TR_Close on bad handles. * tools/tpm2_nvextend: fix for ESYS_TR handle not being used in calculating the object name. * tools/tpm2_nvwrite, tools/tpm2_nvread: Policy authorization must be re-instantiated on each iteration of the read/ write when size exceeds the allowed operating size (TPM2_PT_NV_BUFFER_MAX). However, information on the compounded policies cannot be retrieved from the only policy digest read from the session and hence the session cannot be re-instantiated. To avoid this scenario only a single iteration is allowed when policy authorization is in use. * Fix argument parsing in tpm2_policylocality to fix an issue causing almost always to generate PolicyLocality(0). There was a logical inversion that caused almost any argument (including invalid ones) to be interpreted as zero, except “zero" would be interpreted as one. * test/fapi/fapi-quote-verify.sh Fix check of qualifying data. Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly. Errors that were not recognized before occur now. The order of the tests was cleaned up and for every quote and verify quote now the correct combination of the qualifying data and quote info containing the nonce is used. * tpm2_nvdefine: set TPMA_NV_PLATFORMCREATE when authenticating with the platform hierarchy. * tools/tpm2_getekcertificate: fixed the url link to ekop.intel.com. There were two places where the fix was needed: o In the tool source code where a forward slash was always appended irrespective of it already being part of the link specified by the user and o In the integration test where curl tests the link to the ekop.intel.com backend. It now requires the full link to include the base64 encoded ek pub hash. * tools/tpm2_tool.c: Fix an issue where LOG_WARN is always displayed Despite setting the 'quiet' flag with -Q. * fapi: fix usage of parameter pcrLog for tss2_quote. pcrLog is an optional parameter. If pcrLog is not used as parameter currently the pcr log is still calculated in Fapi_Quote. To avoid this calculation a NULL pointer will be passed to Fapi_Quote if the parameter pcrLog is not passed. So tss2_quote can be executed for a user which has no access rights to the files with the system measurements. * import: fix bug on using scheme wherein if scheme is specified in the template, the openssl load functions clobber the scheme value and set it to TPM2_ALG_NULL. * tools/tpm2_sign and tpm2_verifysignature: fix sm2 sign and verifysignature bugs : (1.) sm2 sign could not get output signature. (2.) sm2 verify tss format signature failed. * lib/tpm2.c: added workaround for a system api bug where in the flush handle is erroneously placed in the handle area instead of the parameter area. * nvreadpublic: drop ntoh on attributes The attributes get marshalled to correct endianess by libmu and don’t need to be changed again. * Removing unused '-i' option from tpm2_print * tpm2_policyor: fix unallocated policy list The TPML_DIGEST policy list was calloc'd for some reason, however it could just be statically allocated in the context. The side effect is that when no options or arguments were given a NPD occured when checking the count of the policy list. * tools/tpm2_certify: fix man page for short options and add tests The short options for the signing-key-auth and certified-key-auth were swapped. The case fix in the man page makes it less intuitive but have to go through with the change so that we don't break any existing scripts. This change does not affect the long options. Tests have been added to ensure the functionality. + CI: * ci: add ubuntu-22.04. This also requires the min tpm2-tss version to be at 3.2.0 to support the openSSL major version 3. * cirrus.yml: update freebsd version to 13.1 * .ci/download-deps.sh: update tpm2-abrmd dependency version to 2.4.1 - Drop 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch (merged) - Drop add_missing_shut_down_call_on_cleanup.patch (merged) - Drop fix_check_of_qualifying_data.patch (merged) OBS-URL: https://build.opensuse.org/request/show/1041869 OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=96
2022-12-09 13:26:20 +00:00 · 2022-12-09 13:26:20 +00:00 · d9a849d22f
commit d9a849d22f
parent cb919fb8ac
10 changed files with 235 additions and 293 deletions
--- a/0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
+++ b/0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
@ -1,23 +0,0 @@
-From a10fd03a8d62226e798b8338c6caf73195e64557 Mon Sep 17 00:00:00 2001
-From: Alberto Planas <aplanas@suse.com>
-Date: Fri, 8 Jul 2022 10:09:24 +0200
-Subject: [PATCH 1/1] tests/getekcertificate.sh: Skip the test if curl is not
- present
-
-Signed-off-by: Alberto Planas <aplanas@suse.com>
---
- test/integration/tests/getekcertificate.sh | 1 +
- 1 file changed, 1 insertion(+)
-
-Index: tpm2-tools-5.2/test/integration/tests/getekcertificate.sh
-===================================================================
--- tpm2-tools-5.2.orig/test/integration/tests/getekcertificate.sh
-+++ tpm2-tools-5.2/test/integration/tests/getekcertificate.sh
-@@ -19,6 +19,7 @@ start_up
- # Check connectivity
- if [ -z "$(curl -V 2>/dev/null)" ]; then
-     echo "curl is not not installed. Skipping connection check."
-+    exit 077
- else
-     if [ "$(curl --silent --output /dev/null --write-out %{http_code} \
-     'https://ekop.intel.com/')" != '200' ]; then
--- a/add_missing_shut_down_call_on_cleanup.patch
+++ b/add_missing_shut_down_call_on_cleanup.patch
@ -1,70 +0,0 @@
-From db6aa7ac5094a04168e60256e154786c0c7e7c1c Mon Sep 17 00:00:00 2001
-From: Alberto Planas <aplanas@suse.com>
-Date: Wed, 13 Jul 2022 13:35:19 +0200
-Subject: [PATCH] test: add missing shut_down call on cleanup
-
-The tests "gettime", "readclock" and "symlink" are not calling
-"shut_down" during the "cleanup" stage, making the TPM simulator to keep
-their process during the "make check".  Somehow this produces problems
-when the tests are executed in parallel under certain conditions, with
-the effect of "make" not ending and waiting to those process to die.
-
-This commit and the mising call in the "cleanup" stage.
-
-Fix #3042
-
-Signed-off-by: Alberto Planas <aplanas@suse.com>
---
- test/integration/tests/gettime.sh   | 5 ++++-
- test/integration/tests/readclock.sh | 5 ++++-
- test/integration/tests/symlink.sh   | 5 ++++-
- 3 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/test/integration/tests/gettime.sh b/test/integration/tests/gettime.sh
-index 5a91210a7..054bef864 100644
--- a/test/integration/tests/gettime.sh
-+++ b/test/integration/tests/gettime.sh
-@@ -3,7 +3,10 @@
- source helpers.sh
- 
- cleanup() {
-	rm -f attest.sig attest.data
-+    rm -f attest.sig attest.data
-+    if [ "$1" != "no-shut-down" ]; then
-+	shut_down
-+    fi
- }
- trap cleanup EXIT
- 
-diff --git a/test/integration/tests/readclock.sh b/test/integration/tests/readclock.sh
-index 56a4c8622..2c59dad09 100644
--- a/test/integration/tests/readclock.sh
-+++ b/test/integration/tests/readclock.sh
-@@ -3,7 +3,10 @@
- source helpers.sh
- 
- cleanup() {
-	rm -f clock.yaml
-+    rm -f clock.yaml
-+    if [ "$1" != "no-shut-down" ]; then
-+	shut_down
-+    fi
- }
- trap cleanup EXIT
- 
-diff --git a/test/integration/tests/symlink.sh b/test/integration/tests/symlink.sh
-index d1c800ad0..b61349eef 100644
--- a/test/integration/tests/symlink.sh
-+++ b/test/integration/tests/symlink.sh
-@@ -4,7 +4,10 @@ source helpers.sh
- 
- TMP="$(mktemp -d)"
- cleanup() {
-	rm -rf "$TMP"
-+    rm -rf "$TMP"
-+    if [ "$1" != "no-shut-down" ]; then
-+	shut_down
-+    fi
- }
- trap cleanup EXIT
- 
--- a/echo_tcti_call_python3_binary.patch
+++ b/echo_tcti_call_python3_binary.patch
@ -0,0 +1,23 @@
+From d191b1f3cd66e9334d000c622bc6cc4bdc63304e Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Thu, 8 Dec 2022 15:23:50 +0100
+Subject: [PATCH] echo_tcti: call python3 binary
+
+Most distributions are now in Python3.  The binary for Python3 is still
+called `python3`.
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ test/scripts/echo_tcti.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/scripts/echo_tcti.py b/test/scripts/echo_tcti.py
+index 3e4c1f462..325e35315 100755
+--- a/test/scripts/echo_tcti.py
+++ b/test/scripts/echo_tcti.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
+#!/usr/bin/env python3
+ 
+ #
+ # This TCTI is designed to use with the subprocess TCTI and echo the contents
--- a/fix_check_of_qualifying_data.patch
+++ b/fix_check_of_qualifying_data.patch
@ -1,167 +0,0 @@
-From 3b1f00301350848e9454c7adf0487c1a14738236 Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
-Date: Sat, 8 Jan 2022 13:43:00 +0100
-Subject: [PATCH] test/fapi/fapi-quote-verify.sh Fix check of qualifying data.
-
-Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly.
-Errors that were not recognized before occur now.
-The order of the tests was cleaned up and for every quote and verify quote now
-the correct combination of the qualifying data and quote info containing the nonce
-is used.
-
-Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
- test/integration/fapi/fapi-quote-verify.sh | 38 ++++++++++++----------
- 1 file changed, 20 insertions(+), 18 deletions(-)
-
-diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify.sh
-index ad4ade3a1..497d4337f 100644
--- a/test/integration/fapi/fapi-quote-verify.sh
-+++ b/test/integration/fapi/fapi-quote-verify.sh
-@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
- NONCE_FILE=$TEMP_DIR/nonce.file
- PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
- QUOTE_INFO=$TEMP_DIR/quote.info
-+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
- SIGNATURE_FILE=$TEMP_DIR/signature.file
- CERTIFICATE_FILE=$TEMP_DIR/certificate.file
- PCR_LOG=$TEMP_DIR/pcr.log
-@@ -35,14 +36,32 @@ tss2 provision
- 
- tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
- 
-+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-+
-+
- tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
-     --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
-     --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
- 
-+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-+    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
-+    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-+
- echo "tss2 quote with EMPTY_FILE" # Expected to succeed
- tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
-     --qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
-    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
-+    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
-+
-+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-+    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
-+    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-+
-+# Try with missing qualifyingData
-+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-+    --quoteInfo=$QUOTE_EMPTY_INFO \
-+    --signature=$SIGNATURE_FILE
- 
- echo "tss2 quote with BIG_FILE" # Expected to fail
- expect <<EOF
-@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
-   exit 1
- fi
- 
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
- echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
- expect <<EOF
- spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
-@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
- }
- EOF
- 
-# Try with missing qualifyingData
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE
-
- exit 0
-
-diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify_ecc.sh
-index ad4ade3a1..497d4337f 100644
--- a/test/integration/fapi/fapi-quote-verify_ecc.sh
-+++ b/test/integration/fapi/fapi-quote-verify_ecc.sh
-@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
- NONCE_FILE=$TEMP_DIR/nonce.file
- PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
- QUOTE_INFO=$TEMP_DIR/quote.info
-+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
- SIGNATURE_FILE=$TEMP_DIR/signature.file
- CERTIFICATE_FILE=$TEMP_DIR/certificate.file
- PCR_LOG=$TEMP_DIR/pcr.log
-@@ -35,14 +36,32 @@ tss2 provision
- 
- tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
- 
-+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-+
-+
- tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
-     --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
-     --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
- 
-+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-+    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
-+    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-+
- echo "tss2 quote with EMPTY_FILE" # Expected to succeed
- tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
-     --qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
-    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
-+    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
-+
-+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-+    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
-+    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-+
-+# Try with missing qualifyingData
-+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-+    --quoteInfo=$QUOTE_EMPTY_INFO \
-+    --signature=$SIGNATURE_FILE
- 
- echo "tss2 quote with BIG_FILE" # Expected to fail
- expect <<EOF
-@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
-   exit 1
- fi
- 
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
- echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
- expect <<EOF
- spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
-@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
- }
- EOF
- 
-# Try with missing qualifyingData
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE
-
- exit 0
--- a/tpm2-tools-5.2.tar.gz
+++ b/tpm2-tools-5.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630
-size 1072078
--- a/tpm2-tools-5.2.tar.gz.asc
+++ b/tpm2-tools-5.2.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEYxPm3EGq/DFah2CkFJhvaUSx9ysFAmFTUS4ACgkQFJhvaUSx
-9ysklQ/+JOGFQ3gNPcOsBRhXf/3FYDf3codr1LnmXGdosWL7VzP33zePGf7xr3rc
-c8qqbDHO9JHsFd2920oPawqlIBC22kT3fuX6g4pu+mcLeCzSFo5qr2A66mryRQpd
-xYeufu6mDlYmjs18xt2qtRu/uWxx6E0RH8cLVstfhHMfOUlG2xtWO70eXcS/R0z7
-6E/U5ezBTcw/7nErlR8YIaLKUnlOYPObeL2oF+1tJVCEzP5ZS+0RcRKQGB9tMYui
-WSXVGU8G4OslRnebG99OS45tQZgz3cdj371N9/b0DTrgrv+YLEVdAfCxfwdxC54q
-DDmB0e/KpVpQ04A/zeUaNTBZxIXrR0XzSSoF9c/bdjCGB/qCw/psHvGOgKLkTJGw
-8TlvaBftPSbR08aiKY0eSJPivQWMqOh6a1XLlGaMj9UbMYtbzKQTo9mkEZsNTq5q
-NJ06pEfRdjCSKeflLzJt9jLunksKnSviIYLhHPZGT7eqq3yVF/XAqNf28I3614aW
-bZmkJ35VxieIBy2h2oyg93Jqejjvx2+zEwOIQL6+HbqNmxhjeot7fFxVHNLQFfZS
-mQ3mUqkLMVo08tcDkTbd36i7mQExpspXXnC4wOm8mNW8idV+ElepskiL9zSdkt1K
-elTe2AvtVrS4XqTJmJyz6bShC1LBzJXeCxcimAMdYc0DyY5lWDM=
-=M5xM
-----END PGP SIGNATURE-----
--- a/tpm2-tools-5.4.tar.gz
+++ b/tpm2-tools-5.4.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f63571d23edd96d024a2245326bcb9a36fac2cf89aef5a6c05a3b0852d292c99
+size 1241132
--- a/tpm2-tools-5.4.tar.gz.asc
+++ b/tpm2-tools-5.4.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmOOFpAACgkQbeLpB44f
+UMF1NA/+PCDoLvrwPb2nkN/CvF8yCA8Q0AWqK9oKvStctLGRNRV1FI+S7IXwK77W
+IADbb8QXgahIGHwE4vLGn2ayy8KSRWjsfAKG7eZ43ZbZFQpc33uG47OG8oKTyqAk
+2mLFdzeFz8O+ZZ3/3D4DAZKtJCn8C3UOfHYjl5Tn3dWyaRHs6QHJZgc77GxRqDuk
+jypbF6b5gP83nl63iFTBRhQttOMT1auP/zp9Gen2sy8tR0IIgHFkt9JO8riTLer1
+/Cgg71sRTxxjpPPEV1gWAgb7gHBGbFlsZLzFVvczqe2IB+rwxeXSzUS6nuYRangn
+/wiYxBCzHySvGYINLVQI0bSyc9pFIPNF16sovyCCtRFDCXvJSyUZGGds0Ckcv5zy
+DT6Cgpp3gkAq1kLMd0FHGPZUwdtYVSQuBMp3EP3lQpDJVG0sgITFe83+K06ySo8d
+3knJclrpyiDZYMNywLkeFfAeBeVCfDX5FR9RMsdcQNo/WlpIlafgphOnKUE7p6wV
+bWH2c0fQwnk3E3Dfuf3hUeBvVInQW4jhFMhRzuFeeTUX8PH1WKdBvCVBS18z8UTU
+Jup4Q/Ybqn4aWayjGSRvpi5hfxzEqiF+vqddgbnt13xvKeOzkZP2SQsX+ccjKwSW
+k+0Rku48PN3wKlrov8kxOqyBrhEJWLLAgERl9thIoTwu1hkZy5w=
+=7O/x
+-----END PGP SIGNATURE-----
--- a/tpm2.0-tools.changes
+++ b/tpm2.0-tools.changes
@ -1,3 +1,191 @@
+-------------------------------------------------------------------
+Thu Dec  8 12:51:17 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 5.4
+  + Added:
+    * tpm2_policyrestart: Added option --cphash to output the cpHash
+      for the command PM2_CC_PolicyRestart.
+    * tpm2_policynvwritten: Added option --cphash to output the cpHash
+      for the command TPM2_CC_PolicyNvWritten.
+    * tpm2_policylocality: Added option --cphash to output the cpHash
+      for the command TPM2_CC_PolicyLocality.
+    * tpm2_policycountertimer: Added option --cphash to output the
+      cpHash for the command TPM2_CC_PolicyCounterTimer.
+    * tpm2_policycommandcode: Added option --cphash to output the
+      cpHash for the command TPM2_CC_PolicyCommandCode.
+    * tpm2_policypassword: Added option --cphash to output the cpHash
+      for the command TPM2_CC_PolicyPassword.
+    * tpm2_policyauthvalue: Added option --cphash to output the cpHash
+      for the command TPM2_CC_PolicyAuthValue.
+    * tpm2_policyauthorize: Added option --cphash to output the cpHash
+      for the command TPM2_CC_PolicyAuthorize.
+    * tpm2_print: Support printing serialized ESYS_TR's
+    * tpm2_create: Add a clarifying message to usage of -c when
+      TPM2_CreateLoaded is not supported.
+    * tpm2_getcap: Add support for vendor agnostic
+      capabilites. Requires tpm2-tss version 4.0 and higher to enable.
+    * Add a script, check_endorsement_cert.sh, to validate the
+      endorsement certificate chain. It takes two inputs - A
+      TPM2B_PUBLIC format EKpublic and a PEM format EKcertificate
+      specified in that order as arguments.
+
+- Update to version 5.3
+  +  Features:
+    * lib/tpm2_tool.c: add --help=no-man for tpm2 option. Prior to
+      this change the tool parsed no-man as an unrecognized option and
+      errored out. Now it lists all the available tool options.
+    * tpm2_encodeobject: New tool to encode TPM2 object. It takes
+      public and private portions of an object and encode them in a
+      combined PEM form called tssprivkey used by tpm2-tss-engine and
+      other applications.
+    * Support alternative ECC curves for which default EK templates
+      exist (NIST_P256, NIST_P384, NIST_P521, and SM2_P256).
+    * tools/misc/tpm2_checkquote: add sm2 verification of signature.
+    * crypto: support the TPM2_ECC_SM2_P256 curveID.
+    * fapi: add new command to enable the use of fapi objects for tpm2
+      tools. The new command tss2_gettpm2object was added. With this
+      command context files which can be used for tpm2 tool commands
+      can be created.
+    * Support for sign and verify with sm2 algorithms.
+    * tools/tpm2_startauthsession: add sym-algorithm argument for
+      supported symmetric algorithm.
+    * Attestation (certify, command audit, sessionaudit and quote):
+      add scheme argument for supported signature schemes. This also
+      enable support for SM signing.
+    * tpm2_flushcontext: support all options at a time. Support the
+      -t/-l/-s options all at once so folks don't have to call it
+      multiple times.
+    * tools/tpm2_nvread: add human readable output for NV content
+      Enable parsing and YAML-style output for the different NV index
+      types.
+    * New event types in tpm2_eventlog:
+      EV_EFI_PLATFORM_FIRMWARE_BLOB2, EV_EFI_HANDOFF_TABLES2,
+      EV_EFI_VARIABLE_BOOT2
+    * VERSION: add version file - Generate the version file with
+      bootstrap and include in the DIST tarball so endusers can call
+      autoreconf on a dist tarball which doesn't have git. This
+      alleviates git describe errors on release tarballs in the
+      autoreconf case.
+    * import: support restricted parents - Support a restricted parent
+      with an aes128cfb symmetric parameter.
+    * tpm2_load - Added capability to load pem files in
+      TSS2-Private-Key format for interoperability with
+      tpm2-tss-engine, tpm2-openssl provider tpm2-pkcs11, and
+      tpm2-pytss.
+    * tpm2_print - Added capability to parse out and print the public
+      portion of a TSS Private Key in the PEM format with the arg
+      option TSSPRIVKEY_OBJ.
+    * tpm2_loadexternal: Added support to tpm2_loadexternal for
+      parsing and loading the public portion of a TSS2 Privkey PEM
+      file. The path to the PEM file must be specified using the -r
+      option while skipping the -G option for key type.
+    * Support added for calculating cpHash, rpHash, sessions for
+      parameter encryption and auditing in: tpm2_nvwrite,
+      tpm2_nvcertify, tpm2_nvincrement, tpm2_nvwritelock,
+      tpm2_nvreadlock, tpm2_nvundefine and tpm2_nvreadpublic.
+    * Support added for calculating cpHash in: tpm2_clear,
+      tpm2_dictionarylockout, tpm2_clearcontrol, tpm2_sign,
+      tpm2_setprimarypolicy, tpm2_setclock, tpm2_rsadecrypt,
+      tpm2_duplicate, tpm2_clockrateadjust, tpm2_createprimary,
+      tpm2_quote, tpm2_policysecret, tpm2_policynv,
+      tpm2_policyauthorizenv, tpm2_import, tpm2_hmac,
+      tpm2_hierarchycontrol, tpm2_load, tpm2_gettime,
+      tpm2_evictcontrol, tpm2_encryptdecrypt, tpm2_getpolicydigest,
+      tpm2_loadexternal, tpm2_commit, tpm2_ecdhkeygen, tpm2_ecdhzgen,
+      tpm2_ecephemeral, tpm2_geteccparameters, tpm2_flushcontext,
+      tpm2_pcrallocate, tpm2_pcrevent, tpm2_pcrreset, tpm2_pcrread.
+    * Support for using tcti=none for cpHash calculations to avoid
+      invoking checks for active TPM in: tpm2_nvreadpublic,
+      tpm2_nvundefine, tpm2_nvreadlock, tpm2_nvwritelock,
+      tpm2_nvincrement, tpm2_nvcertify, tpm2_nvdefine, tpm2_nvwrite.
+  + Known issue:
+    * FAPI tools will not work on 32bit user-static qemu on 64bit host
+      because readdir returns NULL. Follow the issue on
+      https://gitlab.com/qemu-project/qemu/-/issues/263
+  + Bug fixes:
+    * tools/tpm2_pcrreset.c: fix build errors in 32bit systems.
+    * Fix tssprivkey formatted PEM generation and load errors on 32
+      bit systems.
+    * CI: Add testing of 32bit systems with multiarch/qemu-user-static
+      containers.
+    * tools/tpm2_evictcontrol: fix for calls to Esys_TR_Close on bad
+      handles.
+    * tools/tpm2_nvextend: fix for ESYS_TR handle not being used in
+      calculating the object name.
+    * tools/tpm2_nvwrite, tools/tpm2_nvread: Policy authorization must
+      be re-instantiated on each iteration of the read/ write when
+      size exceeds the allowed operating size
+      (TPM2_PT_NV_BUFFER_MAX). However, information on the compounded
+      policies cannot be retrieved from the only policy digest read
+      from the session and hence the session cannot be
+      re-instantiated. To avoid this scenario only a single iteration
+      is allowed when policy authorization is in use.
+    * Fix argument parsing in tpm2_policylocality to fix an issue
+      causing almost always to generate PolicyLocality(0). There was a
+      logical inversion that caused almost any argument (including
+      invalid ones) to be interpreted as zero, except “zero" would be
+      interpreted as one.
+    * test/fapi/fapi-quote-verify.sh Fix check of qualifying
+      data. Because of a bug in Fapi_VerifyQuote the qualifying data
+      was not checked correctly. Errors that were not recognized
+      before occur now. The order of the tests was cleaned up and for
+      every quote and verify quote now the correct combination of the
+      qualifying data and quote info containing the nonce is used.
+    * tpm2_nvdefine: set TPMA_NV_PLATFORMCREATE when authenticating
+      with the platform hierarchy.
+    * tools/tpm2_getekcertificate: fixed the url link to
+      ekop.intel.com. There were two places where the fix was needed:
+      o In the tool source code where a forward slash was always
+        appended irrespective of it already being part of the link
+        specified by the user and
+      o In the integration test where curl tests the link to the
+        ekop.intel.com backend. It now requires the full link to
+        include the base64 encoded ek pub hash.
+    * tools/tpm2_tool.c: Fix an issue where LOG_WARN is always
+      displayed Despite setting the 'quiet' flag with -Q.
+    * fapi: fix usage of parameter pcrLog for tss2_quote. pcrLog is an
+      optional parameter. If pcrLog is not used as parameter currently
+      the pcr log is still calculated in Fapi_Quote. To avoid this
+      calculation a NULL pointer will be passed to Fapi_Quote if the
+      parameter pcrLog is not passed. So tss2_quote can be executed
+      for a user which has no access rights to the files with the
+      system measurements.
+    * import: fix bug on using scheme wherein if scheme is specified
+      in the template, the openssl load functions clobber the scheme
+      value and set it to TPM2_ALG_NULL.
+    * tools/tpm2_sign and tpm2_verifysignature: fix sm2 sign and
+      verifysignature bugs : (1.) sm2 sign could not get output
+      signature. (2.) sm2 verify tss format signature failed.
+    * lib/tpm2.c: added workaround for a system api bug where in the
+      flush handle is erroneously placed in the handle area instead of
+      the parameter area.
+    * nvreadpublic: drop ntoh on attributes The attributes get
+      marshalled to correct endianess by libmu and don’t need to be
+      changed again.
+    * Removing unused '-i' option from tpm2_print
+    * tpm2_policyor: fix unallocated policy list The TPML_DIGEST
+      policy list was calloc'd for some reason, however it could just
+      be statically allocated in the context. The side effect is that
+      when no options or arguments were given a NPD occured when
+      checking the count of the policy list.
+    * tools/tpm2_certify: fix man page for short options and add tests
+      The short options for the signing-key-auth and
+      certified-key-auth were swapped. The case fix in the man page
+      makes it less intuitive but have to go through with the change
+      so that we don't break any existing scripts. This change does
+      not affect the long options. Tests have been added to ensure the
+      functionality.
+  + CI:
+    * ci: add ubuntu-22.04. This also requires the min tpm2-tss
+      version to be at 3.2.0 to support the openSSL major version 3.
+    * cirrus.yml: update freebsd version to 13.1
+    * .ci/download-deps.sh: update tpm2-abrmd dependency version to
+      2.4.1
+- Drop 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
+  (merged)
+- Drop add_missing_shut_down_call_on_cleanup.patch (merged)
+- Drop fix_check_of_qualifying_data.patch (merged)
+
 -------------------------------------------------------------------
 Thu Jul 14 09:49:39 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>

--- a/tpm2.0-tools.spec
+++ b/tpm2.0-tools.spec
@ -17,14 +17,9 @@


 %define _lto_cflags %{nil}
-%ifarch %{ix86} x86_64 aarch64 %{arm} ppc64le
 %bcond_without  test
-%else
-# ppc ppc64 s390x
-%bcond_with     test
-%endif
 Name:           tpm2.0-tools
-Version:        5.2
+Version:        5.4
 Release:        0
 Summary:        Trusted Platform Module (TPM) 2.0 administration tools
 License:        BSD-3-Clause
@ -35,12 +30,8 @@ Source1:        https://github.com/tpm2-software/tpm2-tools/releases/download/%{
 # git show william-roberts-pub javier-martinez-pub joshua-lock-pub idesai-pub > tpm2-tools.keyring
 Source2:        tpm2-tools.keyring
 Patch0:         fix_bogus_warning.patch
-# PATCH-FIX-UPSTREAM 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch -- based on PR#3041
-Patch1:         0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
-# PATCH-FIX-UPSTREAM add_missing_shut_down_call_on_cleanup.patch -- based on PR#3047
-Patch2:         add_missing_shut_down_call_on_cleanup.patch
-# PATCH-FIX-UPSTREAM fix_check_of_qualifying_data.patch -- already merged
-Patch3:         fix_check_of_qualifying_data.patch
+# PATCH-FIX-UPSTREAM add_missing_shut_down_call_on_cleanup.patch -- based on PR#3176
+Patch1:         echo_tcti_call_python3_binary.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libcurl-devel
 BuildRequires:  libopenssl-devel
@ -97,8 +88,8 @@ export PATH=$PATH:/usr/sbin:/usr/libexec/ibmtss
 find %{buildroot} -type f -name "*.la" -delete -print

 %files
-%doc doc/README.md doc/CHANGELOG.md
-%license doc/LICENSE
+%doc docs/README.md docs/CHANGELOG.md
+%license docs/LICENSE
 %{_bindir}/tpm2*
 %{_bindir}/tss2*
 %{_mandir}/man1/tpm2*