rpm/tboot
SHA256
1
0
Fork 0
forked from pool/tboot
Code Pull Requests Activity

- update to upstream version 1.9.7. This in mainly a bugfix release:

Browse Source 
Fix a lot of issues in tools reported by klocwork scan.
        Fix a lot of issues in tboot module reported by klocwork scan.
        Remove a redundant tboot option
        Fix indent in heap.c
        Fix 4 issues along with extpol=agile option
        Mitigations for tpm interposer attacks
        Add an option in tboot to force SINIT to use the legacy TPM2 log format.
        Add support for appending to a TPM2 TCG style event log.
        Ensure tboot log is available even when measured launch is skipped.
        Add centos7 instructions for Use in EFI boot mode.
        Fix memory leak and invalid reads and writes issues.
        Fix TPM 1.2 locality selection issue.
        Fix a null pointer dereference bug when Intel TXT is disabled.
        Optimize tboot docs installation.
        Fix security vulnerabilities rooted in tpm_if structure and g_tpm variable.
        The size field of the MB2 tag is the size of the tag header + the size
        Fix openssl-1.0.2 double frees
        Make policy element stm_elt use unique type name
        lcptools-v2 utilities fixes
        port to openssl-1.1.0
        Reset debug PCR16 to zero.
        Fix a logical error in function bool evtlog_append(...).
- removed tboot-CVE-2017-16837.patch: now contained in tarball
- removed tboot-openssl-1-1-0.patch: now contained in tarball
- removed tboot-signature-segfault.patch: now contained in tarball
- removed tboot-ssl-broken.patch: now contained in tarball

OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=78
This commit is contained in:
Matthias Gerstner 2018-08-31 14:26:49 +00:00 committed by Git OBS Bridge
parent 3c807b07f3
commit 0fc84d36ec
8 changed files with 36 additions and 1456 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
tboot-1.9.6.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1b55eed6ca8196b2a003936594248a242888ac34ff970eda651e7660c4772a39
size 693564

3
tboot-1.9.7.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8b641c9b0e80e4a01d6a83dc4c17745a06f37adc72d3a020eefb77b97fd562bb
size 662608

1059
tboot-CVE-2017-16837.patch
View File

File diff suppressed because it is too large Load Diff

32
tboot-openssl-1-1-0.patch
View File

@ -1,32 +0,0 @@
changeset: 503:2bb331ec268d
user: Ning Sun <ning.sun@intel.com>
date: Mon Aug 28 02:10:28 2017 -0700
summary: port to openssl-1.1.0
diff -r e57efe410a90 -r 2bb331ec268d lcptools/hash.c
--- a/lcptools/hash.c Mon Jul 24 05:34:17 2017 -0700
+++ b/lcptools/hash.c Mon Aug 28 02:10:28 2017 -0700
@@ -74,13 +74,18 @@
return false;
if ( hash_alg == TB_HALG_SHA1_LG ) {
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx = EVP_MD_CTX_create();
+ if (ctx == NULL) {
+ fprintf(stderr, "%s(): EVP_MD_CTX_create() failed.\n", __func__);
+ return false;
+ }
const EVP_MD *md;
md = EVP_sha1();
- EVP_DigestInit(&ctx, md);
- EVP_DigestUpdate(&ctx, buf, size);
- EVP_DigestFinal(&ctx, hash->sha1, NULL);
+ EVP_DigestInit(ctx, md);
+ EVP_DigestUpdate(ctx, buf, size);
+ EVP_DigestFinal(ctx, hash->sha1, NULL);
+ EVP_MD_CTX_destroy(ctx);
return true;
}
else

80
tboot-signature-segfault.patch
View File

@ -1,80 +0,0 @@
changeset: 506:09fae64a7515
user: Ning Sun <ning.sun@intel.com>
date: Sat Sep 02 01:40:15 2017 -0700
summary: Fix openssl-1.0.2 double frees
Index: tboot-1.9.6/lcptools-v2/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/crtpollist.c
+++ tboot-1.9.6/lcptools-v2/crtpollist.c
@@ -160,15 +160,14 @@ static lcp_signature_t2 *read_rsa_pubkey
memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
sig->rsa_signature.pubkey_size = keysize;
-
- BIGNUM *modulus = BN_new();
-
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *modulus = BN_new();
RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
#else
- modulus = pubkey->n;
+ BIGNUM *modulus = BN_dup(pubkey->n);
#endif
unsigned char key[keysize];
Index: tboot-1.9.6/lcptools-v2/lcputils.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/lcputils.c
+++ tboot-1.9.6/lcptools-v2/lcputils.c
@@ -384,8 +384,8 @@ bool verify_signature(const uint8_t *dat
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = modulus;
- rsa_pubkey->e = exponent;
+ rsa_pubkey->n = BN_dup(modulus);
+ rsa_pubkey->e = BN_dup(exponent);
rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif
Index: tboot-1.9.6/lcptools/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools/crtpollist.c
+++ tboot-1.9.6/lcptools/crtpollist.c
@@ -155,14 +155,14 @@ static lcp_signature_t *read_pubkey_file
memset(sig, 0, sizeof(*sig) + 2*keysize);
sig->pubkey_size = keysize;
-
- BIGNUM *modulus = BN_new();
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *modulus = BN_new();
RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
#else
- modulus = pubkey->n;
+ BIGNUM *modulus = BN_dup(pubkey->n);
#endif
unsigned char key[keysize];
BN_bn2bin(modulus, key);
Index: tboot-1.9.6/lcptools/lcputils2.c
===================================================================
--- tboot-1.9.6.orig/lcptools/lcputils2.c
+++ tboot-1.9.6/lcptools/lcputils2.c
@@ -288,8 +288,8 @@ bool verify_signature(const uint8_t *dat
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = modulus;
- rsa_pubkey->e = exponent;
+ rsa_pubkey->n = BN_dup(modulus);
+ rsa_pubkey->e = BN_dup(exponent);
rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif

268
tboot-ssl-broken.patch
View File

@ -1,268 +0,0 @@
Index: tboot-1.9.6/lcptools-v2/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/crtpollist.c
+++ tboot-1.9.6/lcptools-v2/crtpollist.c
@@ -132,6 +132,7 @@ static lcp_signature_t2 *read_rsa_pubkey
if ( fp == NULL ) {
ERROR("Error: failed to open .pem file %s: %s\n", file,
strerror(errno));
+ fclose(fp);
return NULL;
}
@@ -141,6 +142,7 @@ static lcp_signature_t2 *read_rsa_pubkey
ERROR("Error: failed to read .pem file %s: %s\n", file,
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
+ fclose(fp);
return NULL;
}
@@ -148,6 +150,7 @@ static lcp_signature_t2 *read_rsa_pubkey
if ( keysize == 0 ) {
ERROR("Error: public key size is 0\n");
RSA_free(pubkey);
+ fclose(fp);
return NULL;
}
@@ -155,19 +158,20 @@ static lcp_signature_t2 *read_rsa_pubkey
if ( sig == NULL ) {
ERROR("Error: failed to allocate sig\n");
RSA_free(pubkey);
+ fclose(fp);
return NULL;
}
memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
sig->rsa_signature.pubkey_size = keysize;
+ const BIGNUM *modulus = NULL;
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- BIGNUM *modulus = BN_new();
- RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+ RSA_get0_key(pubkey, &modulus, NULL, NULL);
#else
- BIGNUM *modulus = BN_dup(pubkey->n);
+ modulus = pubkey->n;
#endif
unsigned char key[keysize];
@@ -183,8 +187,8 @@ static lcp_signature_t2 *read_rsa_pubkey
}
LOG("read rsa pubkey succeed!\n");
- BN_free(modulus);
RSA_free(pubkey);
+ fclose(fp);
return sig;
}
@@ -386,13 +390,13 @@ static bool ecdsa_sign_tpm20_list_data(l
return false;
}
- BIGNUM *r = BN_new();
- BIGNUM *s = BN_new();
-
+ const BIGNUM *r = NULL;
+ const BIGNUM *s = NULL;
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to
ECDSA_SIG stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ECDSA_SIG_get0(ecdsasig, (const BIGNUM **)&r, (const BIGNUM **)&s);
+ ECDSA_SIG_get0(ecdsasig, &r, &s);
#else
r = ecdsasig->r;
s = ecdsasig->s;
@@ -415,8 +419,7 @@ static bool ecdsa_sign_tpm20_list_data(l
display_tpm20_signature(" ", sig, pollist->sig_alg, false);
}
- BN_free(r);
- BN_free(s);
+ ECDSA_SIG_free(ecdsasig);
return true;
}
return false;
Index: tboot-1.9.6/lcptools-v2/lcputils.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/lcputils.c
+++ tboot-1.9.6/lcptools-v2/lcputils.c
@@ -371,9 +371,8 @@ bool verify_signature(const uint8_t *dat
return false;
}
- BIGNUM *modulus = BN_new();
+ BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
BIGNUM *exponent = BN_new();
- modulus = BN_bin2bn(key, pubkey_size, NULL);
/* uses fixed exponent (LCP_SIG_EXPONENT) */
char exp[32];
@@ -384,8 +383,8 @@ bool verify_signature(const uint8_t *dat
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = BN_dup(modulus);
- rsa_pubkey->e = BN_dup(exponent);
+ rsa_pubkey->n = modulus;
+ rsa_pubkey->e = exponent;
rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif
@@ -407,8 +406,6 @@ bool verify_signature(const uint8_t *dat
tb_hash_t digest;
if ( !hash_buffer(data, data_size, &digest, hashalg) ) {
ERROR("Error: failed to hash list\n");
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -451,8 +448,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -467,8 +462,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -483,8 +476,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -499,8 +490,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -508,13 +497,10 @@ bool verify_signature(const uint8_t *dat
default :
LOG("unknown hash alg\n");
- BN_free(modulus);
- BN_free(exponent);
+ RSA_free(rsa_pubkey);
return false;
}
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return true;
}
Index: tboot-1.9.6/lcptools/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools/crtpollist.c
+++ tboot-1.9.6/lcptools/crtpollist.c
@@ -156,13 +156,14 @@ static lcp_signature_t *read_pubkey_file
memset(sig, 0, sizeof(*sig) + 2*keysize);
sig->pubkey_size = keysize;
+ const BIGNUM *modulus = NULL;
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- BIGNUM *modulus = BN_new();
- RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+ RSA_get0_key(pubkey, &modulus, NULL, NULL);
#else
- BIGNUM *modulus = BN_dup(pubkey->n);
+ modulus = pubkey->n;
#endif
unsigned char key[keysize];
BN_bn2bin(modulus, key);
@@ -175,8 +176,7 @@ static lcp_signature_t *read_pubkey_file
LOG("signature:\n");
display_signature(" ", sig, false);
}
-
- BN_free(modulus);
+
RSA_free(pubkey);
return sig;
}
Index: tboot-1.9.6/lcptools/lcputils2.c
===================================================================
--- tboot-1.9.6.orig/lcptools/lcputils2.c
+++ tboot-1.9.6/lcptools/lcputils2.c
@@ -274,31 +274,29 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to allocate key\n");
return false;
}
- BIGNUM *modulus = BN_new();
+
+ BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
BIGNUM *exponent = BN_new();
- modulus = BN_bin2bn(key, pubkey_size, NULL);
/* uses fixed exponent (LCP_SIG_EXPONENT) */
char exp[32];
snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT);
BN_dec2bn(&exponent, exp);
-
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
+ RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = BN_dup(modulus);
- rsa_pubkey->e = BN_dup(exponent);
- rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
+ rsa_pubkey->n = modulus;
+ rsa_pubkey->e = exponent;
+ rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif
/* first create digest of data */
tb_hash_t digest;
if ( !hash_buffer(data, data_size, &digest, TB_HALG_SHA1_LG) ) {
ERROR("Error: failed to hash list\n");
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -339,14 +337,10 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
- RSA_free(rsa_pubkey);
+ RSA_free(rsa_pubkey);
return false;
}
-
- BN_free(modulus);
- BN_free(exponent);
+
RSA_free(rsa_pubkey);
return true;
}

31
tboot.changes
View File

@ -1,3 +1,34 @@
-------------------------------------------------------------------
Fri Aug 31 14:23:48 UTC 2018 - matthias.gerstner@suse.com
- update to upstream version 1.9.7. This in mainly a bugfix release:
Fix a lot of issues in tools reported by klocwork scan.
Fix a lot of issues in tboot module reported by klocwork scan.
Remove a redundant tboot option
Fix indent in heap.c
Fix 4 issues along with extpol=agile option
Mitigations for tpm interposer attacks
Add an option in tboot to force SINIT to use the legacy TPM2 log format.
Add support for appending to a TPM2 TCG style event log.
Ensure tboot log is available even when measured launch is skipped.
Add centos7 instructions for Use in EFI boot mode.
Fix memory leak and invalid reads and writes issues.
Fix TPM 1.2 locality selection issue.
Fix a null pointer dereference bug when Intel TXT is disabled.
Optimize tboot docs installation.
Fix security vulnerabilities rooted in tpm_if structure and g_tpm variable.
The size field of the MB2 tag is the size of the tag header + the size
Fix openssl-1.0.2 double frees
Make policy element stm_elt use unique type name
lcptools-v2 utilities fixes
port to openssl-1.1.0
Reset debug PCR16 to zero.
Fix a logical error in function bool evtlog_append(...).
- removed tboot-CVE-2017-16837.patch: now contained in tarball
- removed tboot-openssl-1-1-0.patch: now contained in tarball
- removed tboot-signature-segfault.patch: now contained in tarball
- removed tboot-ssl-broken.patch: now contained in tarball
-------------------------------------------------------------------
Thu Mar 15 09:49:03 UTC 2018 - matthias.gerstner@suse.com

16
tboot.spec
View File

@ -17,8 +17,8 @@
Name: tboot
%define ver 1.9.6
Version: 20170711_1.9.6
%define ver 1.9.7
Version: 20170711_%{ver}
Release: 0
Summary: Performs a verified launch using Intel(R) TXT
License: BSD-3-Clause
@ -27,15 +27,7 @@ Url: http://sourceforge.net/projects/tboot/
Source0: http://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver}.tar.gz
Patch3: tboot-grub2-fix-menu-in-xen-host-server.patch
Patch4: tboot-grub2-fix-xen-submenu-name.patch
Patch5: tboot-openssl-1-1-0.patch
Patch6: tboot-CVE-2017-16837.patch
Patch7: tboot-distributor.patch
# a stark history regarding SSL: ssl functions never really worked in tboot,
# even the signature-segfault upstream fix didn't fix the root causes.
# ssl-broken.patch is my own patch that I have published on the tboot-devel
# mailing list, but no response so far.
Patch8: tboot-signature-segfault.patch
Patch9: tboot-ssl-broken.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExclusiveArch: %{ix86} x86_64
BuildRequires: openssl-devel
@ -60,11 +52,7 @@ verified launch of an OS kernel/VMM.
%setup -q -n %name-%ver
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
export CFLAGS="%{optflags}"