-------------------------------------------------------------------
Wed Dec 11 13:29:12 UTC 2019 - matthias.gerstner@suse.com

- add fix_bad_bufsize.patch: fixes findings from compile time fread()
  checks that indicate bad buffer size specification.
- add fix_bogus_warning.patch: fixes `maybe-uninitialized` warnings that
  are bogus, since the variables in question will be initialized in any
  case later on.

-------------------------------------------------------------------
Wed Dec 11 12:35:52 UTC 2019 - matthias.gerstner@suse.com

- update to major version 4.1:
  - changes in version 4.1:
    * tpm2_certifycreation: New tool enabling command TPM2_CertifyCreation.
    * tpm2_checkquote:
      - Fix YAML output bug.
      - -g option for specifying hash algorithm is optional and defaults
        to sha256.
    * tpm2_changeeps: A new tool for changing the Endorsement hierarchy
      primary seed.
    * tpm2_changepps: A new tool for changing the Platform hierarchy
      primary seed.
    * tpm2_clockrateadjust: Add a new tool for modifying the period on
      the TPM.
    * tpm2_create: Add tool options for specifying output data for use in
      certification
      - --creation-data to save the creation data
      - --creation-ticket or -t to save the creation ticket
      - --creation-hash or -d to save the creation hash
      - --template-data for saving the template data of the key
      - --outside-info or -q for specifying unique data to include in
        creation data.
      - --pcr-list or -l Add option to specify pcr list to add to
        creation data.
    * tpm2_createprimary: Add tool options for specifying output data for
      use in certification
      - --creation-data to save the creation data
      - --creation-ticket or -t to save the creation ticket
      - --creation-hash or -d to save the creation hash
      - --template-data for saving the template data of the key
      - --outside-info or -q for specifying unique data to include in
        creation data.
      - --pcr-list or -l Add option to specify pcr list to add to
        creation data.
    * tpm2_evictcontrol:
      - Fix bug in automatic persistent handle selection when hierarchy
        is platform.
      - Fix bug in YAML key action where action was wrong when using
        ESYS_TR.
    * tpm2_getcap: clean up remnants of -c option in manpages and tool
      output.
    * tpm2_gettime: Add a new tool for retrieving a signed timestamp from
      a TPM.
    * tpm2_nvcertify: Add a new tool for certifying the contents of an NV
      index.
    * tpm2_nvdefine:
      - Support default set of attributes so -a is not mandatory.
      - Support searching for free index if an index isn't specified.
    * tpm2_nvextend: Add a new tool for extending an NV index similar to
      a PCR.
    * tpm2_nvreadpublic:
      - Support specifying nv index to read public data from as argument.
    * tpm2_nvsetbits: Add a new tool for setting the values of PCR with
      type "bits".
    * tpm2_nvundefine: Add support for deleting NV indices with attribute
      `TPMA_NV_POLICY_DELETE` set using NV Undefine Special command.
    * tpm2_nvwritelock: Add a new tool for setting a write lock on an NV
      index or globally locking nv indices with TPMA_NV_GLOBALLOCK.
    * tpm2_policyauthorizenv: New tool enabling signed, revocable
      policies.
    * tpm2_policyauthvalue: New tool enabling authorization to be bound
      to the authorization of another object.
    * tpm2_policycountertimer: Add a new tool for enabling policy bound
      to TPM clock or timer values.
    * tpm2_policynamehash: Add a new tool for specifying policy based on
      object name.
    * tpm2_policynv: Add a new tool for specifying policy based on NV
      contents.
    * tpm2_nvwritten: Add a new tool for specifying policy based on
      whether or not an NV index was written to.
    * tpm2_policysecret: Add tool options for specifying
      - --expiration or -t
      - --ticket
      - --timeout
      - --nonce-tpm or -x
      - --qualification or -q
    * tpm2_policysigned: New tool enabling policy command
      TPM2_PolicySigned.
    * tpm2_policytemplate: New tool enabling policy command
      TPM2_PolicyTemplate.
    * tpm2_policyticket: New tool enabling policy command
      TPM2_PolicyTicket.
    * tpm2_readclock: Add a new tool for reading the TPM clock.
    * tpm2_setclock: Add a new tool for setting the TPM clock.
    * tpm2_setprimarypolicy: New tool setting policy on hierarchies.
    * tpm2_shutdown: Add a new tool for issuing a TPM shutdown command.
    * misc:
      - Support "tpmt" as a public key output format that only saves the
        TPMT structure.
      - Qualifying data or extra data in many tools can be hex array
        string or binary file.
      - Add support for specifying NV index type when specifying NV
        attributes.
      - Support added for tools to run on FreeBSD.
      - Skip and notify of action that man pages will not install if the
        package pandoc is missing.
      - Fix precedence issue with bitwise operator order in tpm2_getcap
      - travis: bump abrmd version 2.3.0
      - tpm2_util.c: Fix an issue where an int variable size was checked
        against uint
      - pcr.c: Fix buffer length issue to support all defined hash
        algorithms
  - changes in version 4.0.1:
    * tpm2_checkquote: Fix YAML output bug.
  - changes in version 4.0:
    * tpm2_activatecredential:
      - --context is now --credentialedkey-context.
      - --key-context is now --credentialkey-context.
      - --Password is now --credentialedkey-auth.
      - --endorse-passwd is now --credentialkey-auth.
      - --in-file is now --credential-secret.
      - --out-file is now --certinfo-data.
      - -f becomes -i.
      - -k becomes -C.
      - -e becomes -E.
    * tpm2_certify:
      - --halg is now --hash-algorithm.
      - --obj-context is now --certifiedkey-context.
      - --key-context is now --signingkey-context.
      - --pwdo is now --certifiedkey-auth.
      - --pwdk is now --signingkey-auth.
      - -a becomes -o.
      - -k becomes -p.
      - -c becomes -C.
      - -k becomes -K.
    * tpm2_changeauth:
      - New tool for changing the authorization values of:
        - Hierarchies
        - NV
        - Objects
      - Replaces tpm2_takeownership with more generic functionality.
    * tpm2_checkquote:
      - --halg is now --hash-algorithm.
      - --pcr-input-file is now --pcr.
      - --pubfile is now --public.
      - --qualify-data is now --qualification.
      - -f becomes -F.
      - -F becomes -f.
      - -G becomes -g.
    * tpm2_clear:
      - --lockout-passwd is now --auth-lockout.
    * tpm2_clearcontrol:
      - New tool for enabling or disabling tpm2_clear commands.
    * tpm2_create:
      - --object-attributes is now --attributes.
      - --pwdp is now --parent-auth.
      - --pwdo is now --key-auth.
      - --in-file is now --sealing-input.
      - --policy-file is now --policy.
      - --pubfile is now --public.
      - --privfile is now --private.
      - --out-context is now --key-context.
      - --halg is now --hash-algorithm.
      - --kalg is now --key-algorithm.
      - -o becomes -c.
      - -K becomes -p.
      - -A becomes -b.
      - -I becomes -i.
      - -g becomes an optional option.
      - -G becomes an optional option.
      - Supports TPM command CreateLoaded via -c.
    * tpm2_createak:
      - Renamed from tpm2_getpubak
    * tpm2_createek:
      - renamed from tpm2_getpubek
    * tpm2_createpolicy:
      - --out-policy-file is now --policy.
      - --policy-digest-alg is now --policy-algorithm.
      - --auth-policy-session is now --policy-session.
      - -L becomes -l.
      - -F becomes -f.
      - -f becomes -o.
      - Removed option --set-list with short option -L.
      - Removed option --pcr-input-file with short option -F.
      - Pcr policy options replaced with pcr password mini language.
      - Removed short option -a for specifying auth session. Use long
        option --policy-session.
      - Removed short option -P for specifying pcr policy. Use long
        option --policy-pcr.
    * tpm2_createprimary:
      - --object-attributes is now --attributes.
      - -o is now -c
      - --pwdp is now --hierarchy-auth.
      - --pwdk is now --key-auth.
      - --halg is now --hash-algorithm.
      - --kalg is now --key-algorithm.
      - --context-object is now --key-context.
      - --policy-file is now --policy.
      - support for unique field when creating objects via -u
      - saves a context file for the generated primary's handle to disk
        via -c.
      - -A becomes -a.
      - -K becomes -p.
      - -H becomes -C.
      - -g becomes optional.
      - -G becomes optional.
    * tpm2_dictionarylockout:
      - --lockout-passwd is now --auth.
      - -P becomes -p.
    * tpm2_duplicate:
      - New tool for duplicating TPM objects.
    * tpm2_encryptdecrypt:
      - --pwdk is now --auth.
      - --out-file is now --output.
      - -D becomes -d.
      - -I becomes an argument.
      - -P becomes -p.
      - Support IVs via -t or --iv.
      - Support modes via -G.
      - Support padding via -e or --pad.
      - Supports input and output to stdin and stdout respectively.
    * tpm2_evictcontrol:
      - --auth is now --hierarchy.
      - --context is now --object-context.
      - --pwda is now --auth.
      - --persistent with short option -S is now an argument.
      - -A becomes -C.
      - Added option --output -o to serialize handle to disk.
      - Removed option --handle with short option -H.
      - Raw object-handles and object-contexts are commonly handled with
        object handling logic.
      - Removed option --input-session-handle with short option -i.
      - Authorization session is now part of password mini language.
    * tpm2_getcap:
      - -c becomes an argument.
      - Most instances of value replaced with raw in YAML output.
      - TPM2_PT_MANUFACTURER displays string value and raw value.
      - Supports --pcr option for listing hash algorithms and bank
        numbers.
    * tpm2_getekcertificate:
      - Renamed from tpm2_getmanufec
    * tpm2_getmanufec:
      - Renamed the tool to tpm2_getekcertificate.
      - Removed ek key creation and management logic.
      - Added option for getting ek cert for offline platform via -x.
      - Support for ECC keys.
      - --ec-cert is now --ek-certificate.
      - --untrusted is now --allow-unverified.
      - --output is now --ek-public.
      - -U is now -X.
      - -O is now -x.
      - -f becomes -o.
      - Removed option -P or --endorse-passwd.
      - Removed option -p or --ek-passwd.
      - Removed option -w or --owner-passwd.
      - Removed option -H or --persistent-handle.
      - Removed option -G or --key-algorithm.
      - Removed option -N or --non-persistent.
      - Removed option -O or --offline.
    * tpm2_getpubak:
      - renamed to tpm2_createak.
      - -f becomes -p and -f is used for format of public key output.
      - --auth-endorse is now --eh-auth.
      - --auth-ak is now --ak-auth.
      - --halg is now --hash-algorithm.
      - --kalg is now --key-algorithm.
      - -e becomes -P.
      - -P becomes -p.
      - -D becomes -g.
      - -p becomes -u.
      - --context becomes --ak-context.
      - --algorithm becomes --kalg.
      - --digest-alg becomes --halg.
      - --privfile becomes --private.
      - remove -k persistent option. Use tpm2_evictcontrol.
      - Fix -o option to -w.
      - now saves a context file for the generated primary's handle to
        disk.
      - -E becomes -e.
      - -g changes to -G.
      - support for non-persistent AK generation.
    * tpm2_getpubek:
      - renamed to tpm2_createek
      - --endorse-passwd is now --eh-auth.
      - --owner-passwd is now --owner-auth.
      - --ek-passwd is now --ek-auth.
      - --file is now --public.
      - --context is now --ek-context.
      - --algorithm is now --key-algorithm.
      - -e is now -P.
      - -P is now -p.
      - -p is now -u.
      - -o is now -w.
      - -g is now -G.
      - Support for saving a context file for the generated primary key's
        handle to disk.
      - support for non-persistent EK generation.
      - -f is now -p.
      - -f support for format of public key output.
    * tpm2_getrandom:
      - change default output to binary.
      - add --hex option for output to hex format.
      - --out-file is now --output.
      - bound input request on max hash size per spec, allow -f to
        override this.
    * tpm2_gettestresult:
      - new tool for getting test results.
    * tpm2_hash:
      - add --hex for specifying hex output.
      - default output of hash to stdout.
      - default output of hash as binary.
      - remove output of ticket to stdout.
      - --halg is now --hash-algorithm.
      - --out-file is now --output.
      - -a is now -C.
      - -H is now -a.
    * tpm2_hmac:
      - add -t option for specifying ticket result.
      - --out-file is now --output.
      - --auth-key is now --auth.
      - --algorithm is now --hash-algorithm.
      - --pwdk is now --auth-key.
      - -C is now -c.
      - -P is now -p.
    * tpm2_hierarchycontrol:
      - new tool added for enabling or disabling the use of a hierarchy
        and its associated NV storage.
    * tpm2_import:
      - --object-attributes is now --attributes.
      - --auth-parent is now --parent-auth.
      - --auth-key is now --key-auth.
      - --algorithm is now --key-algorithm.
      - --in-file is now --input.
      - --parent-key is now --parent-context.
      - --privfile is now --private.
      - --pubfile is now --public.
      - --halg is now --hash-algorithm.
      - --policy-file is now --policy.
      - --sym-alg-file is now --encryption-key.
      - -A is now -b.
      - -k is now -i.
      - support OSSL style -passin argument as --passin for PEM file
        passwords.
      - support additional import key types:
        - RSA1024/2048.
        - AES128/192/256.
      - -q changes to -u to align with tpm2_load's public/private output
        arguments.
      - Supports setting object name algorithm via -g.
      - support specifying parent key with a context file.
      - --parent-key-handle/-H becomes --parent-key/-C
      - Parent public data option is optional and changes from `-K` to
        `-U`.
      - Supports importing external RSA 2048 keys via pem files.
      - Supports ECC Parent keys.
    * tpm2_incrementalselftest:
      - Add tool to test support of specific algorithms.
    * tpm2_listpersistent:
      - deleted as tpm2_getcap and tpm2_readpublic can be used instead.
    * tpm2_load:
      - -o is now -c.
      - --context-parent is now --parent-context.
      - --auth-parent is now --auth.
      - --pubfile is now --public.
      - --privfile is now --private.
      - --out-context is now --key-context.
      - now saves a context file for the generated primary's handle to
        disk.
      - Option `--pwdp` changes to `--auth-parent`.
    * tpm2_loadexternal:
      - --object-attributes is now --attributes.
      - -o is now -c
      - --key-alg is now --key-algorithm.
      - --pubfile is now --public.
      - --privfile is now --private.
      - --auth-key is now --auth.
      - --policy-file is now --policy.
      - --halg is now --hash-algorithm.
      - --out-context is now --key-context.
      - Remove unused -P option.
      - -H is now -a.
      - Fix -A option to -b for attributes.
      - now saves a context file for the generated primary's handle to
        disk.
      - support OSSL style -passin argument as --passin for PEM file
        passwords.
      - name output to file and stdout. Changes YAML stdout output.
      - ECC Public and Private PEM support.
      - AES Public and Private "raw file" support.
      - RSA Public and Private PEM support.
      - Object Attribute support.
      - Object authorization support.
      - Default hierarchy changes to the *null* hierarchy.
    * tpm2_makecredential:
      - --out-file is now --credential-blob
      - --enckey is now --encryption-key.
      - Option `--sec` changes to `--secret`.
    * tpm2_nvdefine:
      - --handle-passwd is now --hierarchy-auth.
      - --index-passwd is now --index-auth.
      - --policy-file is now --policy.
      - --auth-handle is now --hierarchy.
      - -a becomes -C.
      - -t becomes -a.
      - -I becomes -p.
      - Removed option --index with short option -x. It is now an
        argument.
      - Removed option --input-session-handle with short option -S.
      - Authorization session is now part of password mini language.
    * tpm2_nvincrement:
      - New tool to increment value of a Non-Volatile (NV) index set up
        as a counter.
    * tpm2_nvlist:
      - tpm2_nvlist is now tpm2_nvreadpublic.
    * tpm2_nvread:
      - --handle-passwd is now --auth.
      - --auth-handle is now --hierarchy.
      - -a becomes -C.
      - Removed option --index with short option -x. It is now an
        argument.
      - Removed short option -o for specifying offset. Use long option
        --offset.
      - Removed option --input-session-handle with short option -S.
      - Authorization session is now part of password mini language.
      - Removed option --set-list with short option -L.
      - Removed option --pcr-input-file with short option -F.
      - Pcr policy options replaced with pcr password mini language.
      - fix a buffer overflow.
    * tpm2_nvreadlock:
      - --handle-passwd is now --auth.
      - --auth-handle is now --hierarchy.
      - -a becomes -C.
      - Removed option --index with short option -x. It is now an
        argument.
      - Removed option --input-session-handle with short option -S.
      - Authorization session is now part of password mini language.
    * tpm2_nvwrite:
      - --handle-passwd is now --auth.
      - --auth-handle is now --hierarchy.
      - -a becomes -C.
      - Removed option --index with short option -x. It is now an
        argument.
      - Removed short option -o for specifying offset. Use long option
        --offset.
      - Removed option --input-session-handle with short option -S.
      - Authorization session is now part of password mini language.
      - Removed option --set-list with short option -L.
      - Removed option --pcr-input-file with short option -F.
      - Pcr policy options replaced with pcr password mini language.
    * tpm2_nvrelease:
      - --handle-passwd is now --auth.
      - --auth-handle is now --hierarchy.
      - -a becomes -C.
      - Removed option --index with short option -x. It is now an
        argument.
      - Removed option --input-session-handle with short option -S.
      - Authorization session is now part of password mini language.
    * tpm2_nvundefine:
      - Renamed from tpm2_nvrelease.
    * tpm2_pcrallocate:
      - New tool for changing the allocated PCRs of a TPM.
    * tpm2_pcrevent:
      - --password is now --auth.
      - Removed option --pcr-index with short option -i.
      - PCR index is now specified as an argument.
      - Removed option --input-session-handle with short option -S.
      - Authorization session is now part of password mini language.
    * tpm2_pcrlist:
      - -gls options go away with -g and -l becoming a single argument.
    * tpm2_pcrread:
      - Renamed from tpm2_pcrlist.
    * tpm2_print:
      - New tool that decodes a TPM data structure and prints enclosed
        elements to stdout as YAML.
    * tpm2_policyauthorize:
      - New tool that allows for policies to change by associating the
        policy to a signing authority, essentially allowing the auth
        policy to change.
    * tpm2_policycommandcode:
      - New tool to restrict TPM object authorization to specific TPM
        commands.
    * tpm2_policyduplicationselect:
      - New tool for creating a policy to restrict duplication to a new
        parent and or duplicable object.
    * tpm2_policylocality:
      - New tool for creating a policy restricted to a locality.
    * tpm2_policypcr:
      - New tool to generate a pcr policy event that binds auth to
        specific PCR values in user defined pcr banks and indices.
    * tpm2_policyor:
      - New tool to compound multiple policies in a logical OR fashion to
        allow multiple auth methods using a policy session.
    * tpm2_policypassword:
      - New tool to mandate specifying of the object password in clear
        using a policy session.
    * tpm2_policysecret:
      - New tool to associate auth of a reference object as the auth of
        the new object using a policy session.
    * tpm2_quote:
      - --ak-context is now --key-context.
      - --ak-password is now --auth.
      - --sel-list is now --pcr-list.
      - --qualify-data is now --qualification-data.
      - --pcrs is now --pcr.
      - --sig-hash-algorithm is now --hash-algorithm.
      - -P becomes -p
      - -L becomes -l.
      - -p becomes -o.
      - -G becomes -g.
      - -g becomes optional.
      - Removed option --id-list with short option -l.
      - Removed option --ak-handle with short option -k.
      - Raw object-handles and object-contexts are commonly handled with
        object handling logic.
    * tpm2_readpublic:
      - --opu is now --output.
      - --context-object is now --object-context.
      - Removed option --object with short option -H.
      - Raw object-handles and object-contexts are commonly handled with
        object handling logic.
      - Added --serialized-handle for saving serialized ESYS_TR handle to
        disk.
      - Added --name with short option -n for saving the binary name.
      - Supports ECC pem and der file generation.
    * tpm2_rsadecrypt:
      - --pwdk is now --auth.
      - --out-file is now --output.
      - -P becomes -p.
      - Added --label with short option -l for specifying label.
      - Added --scheme with short option -s for specifying encryption
        scheme.
      - Removed option -I or in-file input option and make argument.
      - Removed option --key-handle with short option -k.
      - Raw object-handles and object-contexts are commonly handled with
        object handling logic.
      - Removed option --input-session-handle with short option -S.
      - Authorization session is now part of password mini language.
    * tpm2_rsaencrypt:
      - --out-file is now --output.
      - Added --scheme with short option -s for specifying encryption
        scheme.
      - Added --label with -l for specifying label.
      - Removed option --key-handle with short option -k.
      - Raw object-handles and object-contexts are commonly handled with
        object handling logic.
      - make output binary either stdout or file based on -o.
    * tpm2_selftest:
      - New tool for invoking tpm selftest.
    * tpm2_send:
      - --out-file is now --output.
    * tpm2_sign:
      - --pwdk is now --auth.
      - --halg is now --hash-algorithm.
      - --sig is now --signature.
      - -P becomes -p.
      - -s becomes -o.
      - Added --digest with short option -d.
      - Added --scheme with short option -s.
      - Supports rsapss.
      - Removed option --key-handle with short option -k.
      - Raw object-handles and object-contexts are commonly handled with
        object handling logic.
      - Removed option --msg with short option -m.
      - Make -d toggle if input is a digest.
      - Removed option --input-session-handle with short option -S.
      - Authorization session is now part of password mini language.
      - Supports signing a pre-computed hash via -d.
    * tpm2_startauthsession:
      - New tool to start/save a trial-policy-session (default) or
        policy-authorization-session with command line option
        --policy-session.
    * tpm2_stirrandom:
      - new command for injecting entropy into the TPM.
    * tpm2_takeownership:
      - split into tpm2_clear and tpm2_changeauth
    * tpm2_testparms:
      - new tool for querying tpm for supported algorithms.
    * tpm2_unseal:
      - --pwdk is now --auth.
      - --outfile is now --output.
      - --item-context is now --object-context.
      - -P becomes -p
      - Removed option --item with short option -H.
      - Raw object-handles and object-contexts are commonly handled with
        object handling logic.
      - Removed option --input-session-handle with short option -S.
      - Authorization session is now part of password mini language.
      - Removed option --set-list with short option -L.
      - Removed option --pcr-input-file with short option -F.
      - Pcr policy options replaced with pcr password mini language.
    * tpm2_verifysignature:
      - --halg is now --hash-algorithm.
      - --msg is now --message.
      - --sig is now --signature.
      - -D becomes -d.
      - -t becomes optional.
      - Issue warning when ticket is specified for a NULL hierarchy.
      - Added option --format with short option -f.
      - Removed option --raw with short option -r.
      - Removed option --key-handle with short option -k.
      - Raw object-handles and object-contexts are commonly handled with
        object handling logic.
      - Support routines for OpenSSL compatible format of public keys
        (PEM, DER) and plain signature data without TSS specific headers.
    * misc:
      - cmac algorithm support.
      - Add support for reading authorisation passwords from a file.
      - Ported all tools from SAPI to ESAPI.
      - Load TCTI's by SONAME, not raw .so file.
      - system tests are now run with make check when --enable-unit is
        used in configure.
      - Libre SSL builds fixed.
      - Dynamic TCTIS. Support for pluggable TCTI modules via the -T or
        --tcti options.
      - test: system testing scripts moved into subordinate test
        directory.
      - configure: enable code coverage option.
      - env: add TPM2TOOLS_ENABLE_ERRATA to control the -Z or errata
        option. Affects all tools.
      - Fix parsing bug in PCR mini-language.
      - Fix misspelling of TPM2_PT_HR constants which affects tpm2_getcap
        output.
      - configure option --with-bashcompdir for specifying bash
        completion directory.
  - changes in version 3.2.1:
    * Fix invalid memcpy when extracting ECDSA plain signatures.
    * Fix resource leak on FILE * in hashing routine.
    * Correct PCR logic to prevent memory corruption bug.
    * Errata handler fix.
  - changes in version 3.2.0:
    * fix configure bug for linking against libmu.
    * tpm2_changeauth: Support changing platform hierarchy auth.
    * tpm2_flushcontext: Introduce new tool for flushing handles from the
      TPM.
    * tpm2_checkquote: Introduce new tool for checking validity of
      quotes.
    * tpm2_quote: Add ability to output PCR values for quotes.
    * tpm2_makecredential: add support for executing tool off-TPM.
    * tpm2_pcrreset: introduce new tool for resetting PCRs.
    * tpm2_quote: Fix AK auth password not being used.
-------------------------------------------------------------------
Mon Aug 26 07:42:52 UTC 2019 - matthias.gerstner@suse.com

- update to minor version 3.1.4:
  * Fix various man pages
  * tpm2_getmanufec: fix OSSL build warnings
  * Fix broken -T option
  * Various build compatibility fixes
  * Fix some unit tests
  * Update build for recent autoconf-archive versions
  * Install m4 files

-------------------------------------------------------------------
Wed Mar 6 10:44:52 UTC 2019 - matthias.gerstner@suse.com

- update to minor version 3.1.3:
  - Restore support for the TPM2TOOLS_* env vars for TCTI configuration,
    in addition to supporting the new unified TPM2TOOLS_ENV_TCTI
  - Fix tpm2_getcap to print properties with the TPM_PT prefix, rather
    than TPM2_PT
  - Make test_tpm2_activecredential Python 3 compatible
  - Fix tpm2_takeownership to only attempt to change the specified
    hierarchies
- use a _service file to sync with upstream tags

-------------------------------------------------------------------
Wed Sep 26 16:02:46 UTC 2018 - matthias.gerstner@suse.com

- update to minor version 3.1.2 (FATE#326270):
  - Revert the change to use user supplied object attributes exclusively.
    This is an inappropriate behavioural change for a MINOR version
    number increment.
  - Fix inclusion of object attribute specifiers section in tpm2_create
    and tpm2_createprimary man pages.
  - Use better object attribute defaults for authentication, preventing
    an empty password being used for authentication when a policy is set.

-------------------------------------------------------------------
Wed Aug 22 09:05:14 UTC 2018 - matthias.gerstner@suse.com

- update to minor version 3.1.1:
  - Allow man page installation without pandoc being available

-------------------------------------------------------------------
Fri Jun 29 12:03:48 UTC 2018 - matthias.gerstner@suse.com

- update to major version 3.1.0:
  - the tpm2 stack introduces an incompatible ABI to the previous version
    with this update.
    There is no compatibility layer, libraries have new names
  - install-man.patch: dropped, because we don't really need it
  - tpm2.0-tools-fix-hardening.patch: contained in upstream tarball now
  - upstream changelog:
    * tpm2_unseal: -P becomes -p
    * tpm2_sign: -P becomes -p
    * tpm2_nvreadlock: long form for -P is now --auth-hierarchy
    * tpm2_rsadecrypt: -P becomes -p
    * tpm2_nvrelease: long-form of -P becomes --auth-hierarchy
    * tpm2_nvdefine: -I becomes -p
    * tpm2_encryptdecrypt: -P becomes -p
    * tpm2_dictionarylockout: -P becomes -p
    * tpm2_createprimary: -K becomes -p
    * tpm2_createak: -E becomes -e
    * tpm2_certify: -k becomes -p
    * tpm2_hash: -g changes to -G
    * tpm2_encryptdecrypt: Support IVs via -i and algorithm modes via -G.
    * tpm2_hmac: drop -g, just use the algorithm associated with the
      object.
    * tpm2_getmanufec: -g changes to -G
    * tpm2_createek: -g changes to -G
    * tpm2_createak: -g changes to -G
    * tpm2_verifysignature: -g becomes -G
    * tpm2_sign: -g becomes -G
    * tpm2_import: support specifying parent key with a context file,
      --parent-key-handle/-H becomes --parent-key/-C
    * tpm2_nvwrite and tpm2_nvread: when -P is "index" -a is optional and
      defaults to the NV_INDEX value passed to -x.
    * Load TCTI's by SONAME, not raw .so file
    * tpm2_activatecredential: -e becomes -E
    * tpm2_certify: -c and -C are swapped, -k becomes -K
    * tpm2_createprimary: -K becomes -k
    * tpm2_encryptdecrypt: supports input and output to stdin and stdout
      respectively.
    * tpm2_create: -g/-G become optional options.
    * tpm2_createprimary: -g/-G become optional options.
    * tpm2_verifysignature - Option `-r` changes to `-f` and supports
      signature format "rsa".
    * tpm2_import - Parent public data option, `-K` is optional.
    * tpm2_import - Supports importing external RSA 2048 keys via pem
      files.
    * tpm2_pcrlist: Option `--algorithm` changes to `--halg`, which is in
      line with other tools.
    * tpm2_verifysignature: Option `-r` and `--raw` have been removed.
      These were unused within the tool.
    * tpm2_hmac: Option `--algorithm` changes to `--halg`, which is in
      line with the manpage.
    * tpm2_makecredential: Option `--sec` changes to `--secret`.
    * tpm2_activatecredential: Option `--Password` changes to
      `--auth-key`.
    * system tests are now run with make check when --enable-unit is
      used in configure.
    * tpm2_unseal: Option `--pwdk` changes to `--auth-key`.
    * tpm2_sign: Option `--pwdk` changes to `--auth-key`.
    * tpm2_rsadecrypt: Option `--pwdk` changes to `--auth-key`.
    * tpm2_quote: Option `--ak-passwd` changes to `--auth-ak`
    * tpm2_pcrevent: Option `--passwd` changes to `--auth-pcr`
    * tpm2_nvwrite: Options `--authhandle` and `--handle-passwd` change
      to `--hierarchy` and `--auth-hierarchy` respectively.
    * tpm2_nvread: Options `--authhandle` and `--handle-passwd` change to
      `--hierarchy` and `--auth-hierarchy` respectively.
    * tpm2_nvdefine: Options `--authhandle`, `--handle-passwd` and
      `--index-passwd` change to `--hierarchy`, `--auth-hierarchy` and
      `--auth-index` respectively.
    * tpm2_loadexternal: `-H` changes to `-a` for specifying hierarchy.
    * tpm2_load: Option `--pwdp` changes to `--auth-parent`.
    * tpm2_hmac: Option `--pwdk` changes to `--auth-key`.
    * tpm2_hash: `-H` changes to `-a` for specifying hierarchy.
    * tpm2_getmanufec: Options `--owner-passwd`, `--endorse-passwd` and
      `--ek-passwd` change to `--auth-owner`, `--auth-endorse` and
      `--auth-ek` respectively.
    * tpm2_evictcontrol: Option group `-A` and `--auth` changes to `-a`
      and `--hierarchy`. Option `--pwda` changes to `--auth-hierarchy`
    * tpm2_encryptdecrypt: Option `--pwdk` changes to `--auth-key`.
    * tpm2_dictionarylockout: Option `--lockout-passwd` changes to
      `--auth-lockout`
    * tpm2_createprimary: Options `--pwdp` and `--pwdk` change to
      `--auth-hierarchy` and `--auth-object` respectively.
    * tpm2_createek: Options `--owner-passwd`, `--endorse-passwd` and
      `--ek-passwd` change to `--auth-owner`, `--auth-endorse` and
      `--auth-ek` respectively.
    * tpm2_createak: Options `--owner-passwd`, `--endorse-passwd` and
      `--ak-passwd` change to `--auth-owner`, `--auth-endorse` and
      `--auth-ak` respectively.
    * tpm2_create: Options `--pwdo` and `--pwdk` change to
      `--auth-object` and `--auth-key` respectively.
    * tpm2_clearlock: Option `--lockout-passwd` changes to
      `--auth-lockout`
    * tpm2_clear: Option `--lockout-passwd` changes to `--auth-lockout`
    * tpm2_changeauth: Options `--old-owner-passwd`,
      `--old-endorse-passwd`, and `--old-lockout-passwd` go to
      `--old-auth-owner`, `--old-auth-endorse`, and `--old-auth-lockout`
      respectively.
    * tpm2_certify: Options `--pwdo` and `--pwdk` change to
      `--auth-object` and `--auth-key` respectively.
    * tpm2_createprimary: `-H` changes to `-a` for specifying hierarchy.
    * tpm2_createak: support for non-persistent AK generation.
    * tpm2_createek: support for non-persistent EK generation.
    * tpm2_getpubak renamed to tpm2_createak, -f becomes -p and -f is
      used for format of public key output.
    * tpm2_getpubek renamed to tpm2_createek, -f becomes -p and -f is
      used for format of public key output.
    * Libre SSL builds fixed.
    * Dynamic TCTIS. Support for pluggable TCTI modules via the -T or
      --tcti options.
    * tpm2_sign: supports signing a pre-computed hash via -D
    * tpm2_clearlock: tool added
    * test: system testing scripts moved into subordinate test directory.
    * fix a buffer overflow in nvread/write tools.
    * configure: enable code coverage option.
    * tpm2_takeownership: split into tpm2_clear and tpm2_changeauth
    * env: add TPM2TOOLS_ENABLE_ERRATA to control the -Z or errata option.

-------------------------------------------------------------------
Tue Jun 5 09:55:43 UTC 2018 - matthias.gerstner@suse.com

- fix build after adding install-man.patch: autoreconf is needed again
  (sigh!)

-------------------------------------------------------------------
Wed May 2 12:09:22 UTC 2018 - matthias.gerstner@suse.com

- install-man.patch: even after update to 3.0.4 the man pages are not
  installed correctly.
  This patch fixes it locally.

-------------------------------------------------------------------
Wed May 2 11:02:07 UTC 2018 - matthias.gerstner@suse.com

- update to version 3.0.4:
  - Fix save and load for TPM2B_PRIVATE object.
  - Use a default buffer size for tpm2_nv{read,write} if the TPM reports
    a 0 size.
  - Fix --verbose and --version options crossover.
  - Generate man pages from markdown and include them in the
    distribution tarball.
  - Print usage summary if tools are executed with no options or man
    page can't be displayed.
- man pages will be shipped for SLE version now, too (pandoc dependency
  was removed)

-------------------------------------------------------------------
Wed Mar 7 15:44:14 UTC 2018 - matthias.gerstner@suse.com

- disable pandoc for all but openSUSE, since pandoc never was on SLE

-------------------------------------------------------------------
Wed Mar 7 14:29:10 UTC 2018 - matthias.gerstner@suse.com

- disable pandoc/man pages generation on SLE-15, because pandoc is not
  available there (and adding it would require two dozen additional
  haskell packages)

-------------------------------------------------------------------
Thu Feb 22 11:08:19 UTC 2018 - matthias.gerstner@suse.com

- update to version 3.0.3:
  - various changes in tool options
  - man pages are now in section 1 (formerly in section 8)
  - tools are now installed in /usr/bin (formerly /usr/sbin)

-------------------------------------------------------------------
Thu Nov 9 11:00:33 UTC 2017 - vcizek@suse.com

- update to version 2.1.1
  * Potential memory leak fix when tcti/sapi initialization fails.
* tpm2_listpcrs: use TPM2_GetCapability to determine PCRs to read * listpcrs: remove one redundant call to tpm get cap * listpcrs: fix for unsupported/disabled alg in -L * build: use supported comment to suppress GCC7 fallthrough warning * kdfa: allow to build with OpenSSL 1.1.x (bsc#1067392) - drop patches (upstream) * 0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch * tpm2.0-tools-fix-gcc7.patch ------------------------------------------------------------------- Mon Aug 21 14:32:13 UTC 2017 - matthias.gerstner@suse.com - update to version 2.1.0: - dropped 0002-kdfa-use-openssl-for-hmac-not-tpm.patch, was backported upstream in commit 788a17abbe0000c560935ef9f31c9a6892d9ea33 - this version now can interact with the new resource manager tpm2.0-abrmd - Upstream changes: * Fix readx and writex on multiple EINTR returns. * Add support for the tabrmd TCTI. This is the new default. * Change default socket port from 2323 (the old resourcemgr) to 2321 (default simulator port). * Cherry-pick fix for CVE-2017-7524. * Fix tpm2_listpcr command line option handling. * Fix tpm2_getmanufec memory issues. ------------------------------------------------------------------- Thu Jul 20 13:50:28 UTC 2017 - matthias.gerstner@suse.com - added the new abrmd package to recommends, because the tools will otherwise not function ------------------------------------------------------------------- Thu Jun 29 09:45:45 UTC 2017 - matthias.gerstner@suse.com - 0002-kdfa-use-openssl-for-hmac-not-tpm.patch: fixed unexpected leak of cleartext password into the tpm when generating an HMAC in the context of tpm_kdfa() (key derivation function) (bnc#1046402, CVE-2017-7524) ------------------------------------------------------------------- Tue Jun 20 08:35:29 UTC 2017 - matthias.gerstner@suse.com - 0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch: fixed tpm2_listpcrs aborting saying "too much pcrs to get!" 
(bnc#1044419) ------------------------------------------------------------------- Fri Jun 2 07:16:45 UTC 2017 - meissner@suse.com - tpm2.0-tools-fix-hardening.patch: do not disable fortify, do not use -Wstack-protector as it warns also for non-utilized functions and then -Werror fails. - tpm2.0-tools-fix-gcc7.patch: fixed gcc7 case fallthrough errors ------------------------------------------------------------------- Wed May 10 11:52:40 UTC 2017 - matthias.gerstner@suse.com - Major update to 2.0.0 - dropped fixes.patch, now part of the upstream version - a set of man pages have been added to the package - Upstream changes: * Tracked on the milestone: https://github.com/01org/tpm2.0-tools/milestone/2 * Reworked all the tools to support configurable TCTIs, based on build time configuration, one can specify the tcti via the --tcti (-T) option to all tools. * tpm2_getrandom interface made -s a positional argument. * Numerous bug fixes. ------------------------------------------------------------------- Mon Mar 6 16:23:15 UTC 2017 - meissner@suse.com - buildrequire pkgconfig ------------------------------------------------------------------- Wed Mar 1 15:33:46 UTC 2017 - meissner@suse.com - Updated to 1.1.0 / 016-11-04 (FATE#321509) - Added * travis ci support. * Allow for unit tests to be enabled selectively. * tpm2_rc_decode tool: Decode TPM_RC error codes. * Android Make file * tpm2_listpersistent: list all persistent objects * test scripts for tpm2-tools * tpm2_nvreadlock * tpm2_getmanufec: retrieve EC from tpm manufacturer server. * Copy 'common' and 'sample' code from the TPM2.0-TSS repo. - Modified * tpm2_takeownership: update option -c to use lockout password to clear. * tpm2_listpcrs: add options -L and -s, rewrite to increase performance. * tpm2_quote: added -L option to support selection of multiple banks. * tpm2_quote: add -q option to get qualifying data. * configure: Use pkg-config to get info about libcurl and libcrypto. 
* configure: Use pkg-config to locate SAPI and TCTI headers / libraries. * tpm2_x: Add -X option to enable password input in Hex format. * tpm2_nvdefine: Change -X option to -I. * tpm2-nvwrite: fix for unable to write 1024B+ data. * tpm2_getmanufec: Fix base64 encoding. * tpm2_x: fixed a lot of TPM2B failures caused by wrong initialization. * tpm2_getmanufec: let configure handle libs. * tpm2_getmanufec: Convert from dos to unix format. * build: Check for TSS2 library @ configure time. * build: Detect required TSS2 and TCTI headers. * build: Use libtool to build the common library * build: Install all binaries into sbin. * build: Build common sources into library. * build: Move all source files to 'src'. * Makefile.am: Move all build rules into single Makefile.am. * everything: Use new TCTI headers and fixup API calls. * everything: Update source to cope with sapi header cleanup. * tpm2_activatecredential: Updated to support TCG compatible EK * tpm2_getpubak: Updated to use TCG compatible EK * tpm2_getpubek: fix ek creation to follow TCG EK profile spec. - Removed * Windows related code * depenedency on the TPM2.0-TSS repo source code - 1.0-alpha_0.zip: removed, use tpm2-0-tss directly. - tpm2-install-binaries.patch: not needed anymore. - fixes.patch: fixed random return build errors. ------------------------------------------------------------------- Mon Aug 22 12:02:01 UTC 2016 - meissner@suse.com - update description ------------------------------------------------------------------- Thu Mar 24 12:42:04 UTC 2016 - meissner@suse.com - initial import of tpm2.0-tools
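Background for the Jun 29 2017 entry (0002-kdfa-use-openssl-for-hmac-not-tpm.patch, CVE-2017-7524) and the 2.1.1 "kdfa" item: KDFa is the TPM 2.0 key derivation function (TPM 2.0 Library, Part 1; SP800-108 counter mode over HMAC) that the tools use to derive session keys, and the HMAC key it takes is the object's auth value (the password) or material derived from it. If the HMAC is computed by asking the TPM to do it, the auth value is shipped to the TPM in the clear; computing the HMAC in host software keeps it local. The following is an added illustration written for this changelog, not code from tpm2-tools or tpm2-tss: a host-side KDFa in Python using the standard library's `hmac`, plus the session-key derivation that consumes it. The names `kdfa` and `session_key`, and the sample values under `__main__`, are this example's own.

```python
"""Host-side KDFa (TPM 2.0 Library Part 1, SP800-108 counter mode).

Added example, not tpm2-tools code. Every HMAC block is computed locally
with hashlib/hmac, so the auth value used as the HMAC key never crosses
the TCTI channel to the TPM (the defect that CVE-2017-7524 describes).
"""
import hashlib
import hmac
import struct


def kdfa(hash_name: str, key: bytes, label: bytes,
         context_u: bytes, context_v: bytes, bits: int) -> bytes:
    """Derive `bits` bits of key material from `key` with HMAC-<hash_name>.

    Block i (counting from 1) is
        HMAC(key, [i]_32 || label || 0x00 || contextU || contextV || [bits]_32)
    with big-endian 32-bit integers and a single zero byte after the
    label. Blocks are concatenated, truncated to ceil(bits / 8) bytes,
    and when `bits` is not a multiple of 8 the unused high bits of the
    first byte are cleared (the masking used by the TSS implementations).
    """
    if bits <= 0:
        raise ValueError("bits must be positive")
    n_bytes = (bits + 7) // 8
    blocks = []
    produced = 0
    counter = 1
    while produced < n_bytes:
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        block = hmac.new(key, msg, hash_name).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    out = bytearray(b"".join(blocks)[:n_bytes])
    unused_bits = n_bytes * 8 - bits
    if unused_bits:
        out[0] &= 0xFF >> unused_bits
    return bytes(out)


def session_key(hash_name: str, auth_value: bytes, salt: bytes,
                nonce_tpm: bytes, nonce_caller: bytes) -> bytes:
    """Session key for an HMAC/policy session, as in TPM 2.0 Part 1:
        sessionKey = KDFa(hash, authValue || salt, "ATH", nonceTPM,
                          nonceCaller, digest_size_in_bits)
    `auth_value` is the secret that must stay on the host.
    """
    digest_bits = hashlib.new(hash_name).digest_size * 8
    return kdfa(hash_name, auth_value + salt, b"ATH",
                nonce_tpm, nonce_caller, digest_bits)


if __name__ == "__main__":
    # Constructed sample values; a real run takes nonceTPM from the
    # StartAuthSession response and the auth value from the caller.
    auth = b"owner-password"
    nonce_tpm = bytes(range(16))
    nonce_caller = bytes(range(16, 32))
    sk = session_key("sha256", auth, b"", nonce_tpm, nonce_caller)
    print("sessionKey:", sk.hex())
    # A 12-bit request yields 2 bytes with the top 4 bits of byte 0 cleared.
    print("12-bit KDFa:", kdfa("sha256", auth, b"TEST", b"", b"", 12).hex())
```

Usage note: the derivation is deterministic in all of its inputs, so a caller can check a locally computed session key against one produced by any conforming implementation; nothing here sends a request to a TPM.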