From 3f42461b8ce154335668251a4d7bea424b560ddfda0ad4f4e188df2786cc724b Mon Sep 17 00:00:00 2001 
From: Matthias Gerstner Date: Wed, 28 Aug 2024 08:45:07 +0000 Subject: [PATCH] =?UTF-8?q?-=20add=20tboot-fix-alloc-size-warning.patch:?= =?UTF-8?q?=20newest=20GCC=20spits=20out=20this=20error:=20=20=20```=20=20?= =?UTF-8?q?=20pconf=5Flegacy.c:=20In=20function=20=E2=80=98create=E2=80=99?= =?UTF-8?q?:=20=20=20pconf=5Flegacy.c:327:16:=20error:=20allocation=20of?= =?UTF-8?q?=20insufficient=20size=20=E2=80=9820=E2=80=99=20for=20type=20?= =?UTF-8?q?=E2=80=98tb=5Fhash=5Ft=E2=80=99=20with=20size=20=E2=80=9864?= =?UTF-8?q?=E2=80=99=20[-Werror=3Dalloc-size]=20=20=20327=20|=20=20=20=20?= =?UTF-8?q?=20=20=20=20=20digest=20=3D=20malloc(SHA1=5FDIGEST=5FSIZE);=20?= =?UTF-8?q?=20=20=20=20=20=20|=20=20=20=20=20=20=20=20=20=20=20=20=20=20?= =?UTF-8?q?=20=20^=20=20=20```=20=20=20There's=20a=20union=20data=20type?= =?UTF-8?q?=20behind=20this.=20It's=20not=20an=20actual=20error.=20To=20ge?= =?UTF-8?q?t=20rid=20=20=20of=20the=20warning,=20the=20patch=20allocates?= =?UTF-8?q?=20the=20full=20union=20size,=20thereby=20wasting=20a=20=20=20b?= =?UTF-8?q?it=20of=20memory.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=120 --- .gitattributes | 23 + .gitignore | 1 + tboot-1.11.4.tar.gz | 3 + tboot-bsc#1207833-copy-mbi.patch | 24 + tboot-distributor.patch | 26 + tboot-fix-alloc-size-warning.patch | 13 + tboot-grub2-fix-menu-in-xen-host-server.patch | 117 ++++ tboot-grub2-fix-xen-submenu-name.patch | 19 + tboot-grub2-refuse-secure-boot.patch | 66 ++ tboot.changes | 644 ++++++++++++++++++ tboot.rpmlintrc | 1 + tboot.spec | 108 +++ 12 files changed, 1045 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 tboot-1.11.4.tar.gz create mode 100644 tboot-bsc#1207833-copy-mbi.patch create mode 100644 tboot-distributor.patch create mode 100644 tboot-fix-alloc-size-warning.patch create mode 100644 tboot-grub2-fix-menu-in-xen-host-server.patch 
create mode 100644 tboot-grub2-fix-xen-submenu-name.patch
create mode 100644 tboot-grub2-refuse-secure-boot.patch
create mode 100644 tboot.changes
create mode 100644 tboot.rpmlintrc
create mode 100644 tboot.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/tboot-1.11.4.tar.gz b/tboot-1.11.4.tar.gz
new file mode 100644
index 0000000..de9597e
--- /dev/null
+++ b/tboot-1.11.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:559c79b621159bdb8ca3986084408c0cad7e9af6dfc6f0f508a4f66f9e8a70f5
+size 910230
diff --git a/tboot-bsc#1207833-copy-mbi.patch b/tboot-bsc#1207833-copy-mbi.patch
new file mode 100644
index 0000000..639cf45
--- /dev/null
+++ b/tboot-bsc#1207833-copy-mbi.patch
@@ -0,0 +1,24 @@
+--- tboot-1.10.2/tboot/common/loader.c.orig 2023-05-31 01:49:45.935321582 -0500
++++ tboot-1.10.2/tboot/common/loader.c 2023-05-31 01:57:27.914405762 -0500
+@@ -1099,11 +1099,17 @@ move_modules(loader_ctx *lctx)
+
+ if ( below_tboot(lowest) )
+ from = lowest;
+- else
+- if ( below_tboot((unsigned long)lctx->addr) )
++
++ /*
++ * if MBI is below tboot & the lowest module, make sure it gets
++ * copied, too!
++ */
++ if ( below_tboot((unsigned long)lctx->addr) &&
++ (unsigned long)lctx->addr < lowest )
+ from = (unsigned long)lctx->addr;
+- else
+- return;
++
++ if (from == 0)
++ return;
+
+ unsigned long highest = get_highest_mod_end(lctx);
+ unsigned long to = PAGE_UP(highest);
diff --git a/tboot-distributor.patch b/tboot-distributor.patch
new file mode 100644
index 0000000..55aae19
--- /dev/null
+++ b/tboot-distributor.patch
@@ -0,0 +1,26 @@
+Index: tboot-1.9.8/tboot/20_linux_tboot
+===================================================================
+--- tboot-1.9.8.orig/tboot/20_linux_tboot
++++ tboot-1.9.8/tboot/20_linux_tboot
+@@ -72,7 +72,7 @@ CLASS="--class gnu-linux --class gnu --c
+ if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+ OS=GNU/Linux
+ else
+- OS="${GRUB_DISTRIBUTOR} GNU/Linux"
++ OS="${GRUB_DISTRIBUTOR}"
+ CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
+ fi
+
+Index: tboot-1.9.8/tboot/20_linux_xen_tboot
+===================================================================
+--- tboot-1.9.8.orig/tboot/20_linux_xen_tboot
++++ tboot-1.9.8/tboot/20_linux_xen_tboot
+@@ -63,7 +63,7 @@ CLASS="--class gnu-linux --class gnu --c
+ if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+ OS=GNU/Linux
+ else
+- OS="${GRUB_DISTRIBUTOR} GNU/Linux"
++ OS="${GRUB_DISTRIBUTOR}"
+ CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1) ${CLASS}"
+ fi
+
diff --git a/tboot-fix-alloc-size-warning.patch b/tboot-fix-alloc-size-warning.patch
new file mode 100644
index 0000000..d36c731
--- /dev/null
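Review bot: The new `if (from == 0) return;` guard is only correct if `from` is initialised to zero at its declaration, which lies above this hunk and is not visible here; the original code never read `from` on the no-copy path, so an uninitialised declaration would now be a genuine bug rather than a warning. If the declaration has no initialiser, change it to `unsigned long from = 0;` (this also treats physical address 0 as "nothing to move", which is presumably acceptable for a below-tboot check but worth confirming). Unlike the other patch files in this commit, this one carries no From:/Subject:/References: header; a short header naming bsc#1207833 and the mailing-list submission mentioned in tboot.changes would help the next rebase. move_modules() begins and ends outside the hunk.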
+++ b/tboot-fix-alloc-size-warning.patch
@@ -0,0 +1,13 @@
+Index: tboot-1.11.4/lcptools-v2/pconf_legacy.c
+===================================================================
+--- tboot-1.11.4.orig/lcptools-v2/pconf_legacy.c
++++ tboot-1.11.4/lcptools-v2/pconf_legacy.c
+@@ -324,7 +324,7 @@ static lcp_policy_element_t *create(void
+ ERROR("Error: no pcrs were selected.\n");
+ return NULL;
+ }
+- digest = malloc(SHA1_DIGEST_SIZE);
++ digest = malloc(sizeof(*digest));
+ if (digest == NULL) {
+ ERROR("Error: failed to allocate memory for digest buffer.\n");
+ return NULL;
diff --git a/tboot-grub2-fix-menu-in-xen-host-server.patch b/tboot-grub2-fix-menu-in-xen-host-server.patch
new file mode 100644
index 0000000..fa1af80
--- /dev/null
+++ b/tboot-grub2-fix-menu-in-xen-host-server.patch
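Review bot: `digest = malloc(sizeof(*digest));` now allocates the whole `tb_hash_t` union (64 bytes according to the compiler message quoted in the commit) but leaves everything beyond the 20 SHA-1 bytes uninitialised, so any later code that copies, compares or hashes the complete object would carry indeterminate data; whether such a use exists in create() is outside this hunk. `digest = calloc(1, sizeof(*digest));` costs nothing here and makes the unused tail deterministic. A comment on the line, e.g. `/* allocate the full tb_hash_t to satisfy -Walloc-size; only SHA1_DIGEST_SIZE bytes are used */`, would record why the allocation is larger than the digest for the next reader. create() continues outside the hunk.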
@@ -0,0 +1,117 @@
+From: Michael Chang
+Subject: [PATCH] fix menu in xen host server
+
+References: bnc#771689, bnc#757895
+Patch-Mainline: no
+
+When system is configred as "Xen Virtual Machines Host Server", the
+grub2 menu is not well organized. We could see some issues on it.
+
+ - Many duplicated xen entries generated by links to xen hypervisor
+ - Non bootable kernel entries trying to boot xen kernel natively
+ - The -dbg xen hypervisor takes precedence over release version
+
+This patch fixes above three issues.
+
+v2:
+References: bnc#877040
+Create only hypervisor pointed by /boot/xen.gz symlink to not clutter
+the menu with multiple versions and also not include -dbg. Use custom.cfg
+if you need any other custom entries.
+
+v3:
+References: bnc#865815
+Porting to tboot in order to fix duplicated xen entries
+
+Index: tboot-1.11.1/tboot/20_linux_tboot
+===================================================================
+--- tboot-1.11.1.orig/tboot/20_linux_tboot
++++ tboot-1.11.1/tboot/20_linux_tboot
+@@ -219,6 +219,49 @@ while [ "x${tboot_list}" != "x" ] && [ "
+ break
+ fi
+ done
++
++ config=
++ for i in "${dirname}/config-${version}" "${dirname}/config-${alt_version}" "/etc/kernels/kernel-config-${version}" ; do
++ if test -e "${i}" ; then
++ config="${i}"
++ break
++ fi
++ done
++
++ # try to get the kernel config if $linux is a symlink
++ if test -z "${config}" ; then
++ lnk_version=`basename \`readlink -f $linux\` | sed -e "s,^[^0-9]*-,,g"`
++ if (test -n ${lnk_version} && test -e "${dirname}/config-${lnk_version}") ; then
++ config="${dirname}/config-${lnk_version}"
++ fi
++ fi
++
++ # check if we are in xen domU
++ if [ ! -e /proc/xen/xsd_port -a -e /proc/xen ]; then
++ # we're running on xen domU guest
++ dmi=/sys/class/dmi/id
++ if [ -r "${dmi}/product_name" -a -r "${dmi}/sys_vendor" ]; then
++ product_name=`cat ${dmi}/product_name`
++ sys_vendor=`cat ${dmi}/sys_vendor`
++ if test "${sys_vendor}" = "Xen" -a "${product_name}" = "HVM domU"; then
++ # xen HVM guest
++ xen_pv_domU=false
++ fi
++ fi
++ else
++ # we're running on baremetal or xen dom0
++ xen_pv_domU=false
++ fi
++
++ if test "$xen_pv_domU" = "false" ; then
++ # prevent xen kernel without pv_opt support from booting
++ if (grep -qx "CONFIG_XEN=y" "${config}" 2> /dev/null && ! grep -qx "CONFIG_PARAVIRT=y" "${config}" 2> /dev/null); then
++ echo "Skip xenlinux kernel $linux" >&2
++ list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
++ continue
++ fi
++ fi
++
+ if test -n "${initrd}" ; then
+ echo "Found initrd image: ${dirname}/${initrd}" >&2
+ else
+Index: tboot-1.11.1/tboot/20_linux_xen_tboot
+===================================================================
+--- tboot-1.11.1.orig/tboot/20_linux_xen_tboot
++++ tboot-1.11.1/tboot/20_linux_xen_tboot
+@@ -58,6 +58,12 @@ fi
+ export TEXTDOMAIN=grub
+ export TEXTDOMAINDIR=${prefix}/share/locale
+
++if [ ! -e /proc/xen/xsd_port -a -e /proc/xen ]; then
++# we're running on xen domU guest
++# prevent setting up nested virt on HVM or PV domU guest
++ exit 0
++fi
++
+ CLASS="--class gnu-linux --class gnu --class os --class xen"
+
+ if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+@@ -191,9 +197,17 @@ linux_list=`for i in /boot/vmlinu[xz]-*
+ if [ "x${linux_list}" = "x" ] ; then
+ exit 0
+ fi
+-xen_list=`for i in /boot/xen*; do
+- if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
+- done`
++# bnc#877040 - Duplicate entries for boot menu created
++# only create /boot/xen.gz symlink boot entry
++if test -L /boot/xen.gz; then
++ xen_list=`readlink -f /boot/xen.gz`
++else
++ # bnc#757895 - Grub2 menu items incorrect when "Xen Virtual Machines Host Server" selected
++ # wildcard expasion with correct suffix (.gz) for not generating many duplicated menu entries
++ xen_list=`for i in /boot/xen*.gz; do
++ if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then echo -n "$i " ; fi
++ done`
++fi
+ tboot_list=`for i in /boot/tboot*.gz; do
+ if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
+ done`
diff --git a/tboot-grub2-fix-xen-submenu-name.patch b/tboot-grub2-fix-xen-submenu-name.patch
new file mode 100644
index 0000000..ad761a8
--- /dev/null
+++ b/tboot-grub2-fix-xen-submenu-name.patch
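Review bot: In the 20_linux_tboot part of this hunk, `grep -vx $linux` passes the kernel path as an unquoted basic regular expression, so every dot in a version string matches any character and skipping one xenlinux kernel can silently drop a similarly named sibling from `list`; `grep -vxF -- "$linux"` matches the path literally. Just above it, `test -n ${lnk_version}` is unquoted, and `test -n` with no operand is true, so an empty lnk_version passes that check and only the following `test -e` saves it — write `test -n "${lnk_version}"`. The `-a` inside `[ ! -e /proc/xen/xsd_port -a -e /proc/xen ]` (used in both files) is the obsolescent form of test; `[ ! -e /proc/xen/xsd_port ] && [ -e /proc/xen ]` is unambiguous. `xen_pv_domU` is only ever assigned `false` here, so its default must be set earlier in the script, which is outside the hunk.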
@@ -0,0 +1,19 @@
+From: Michael Chang
+Subject: fix xen submenu name to show tboot version
+
+References: bnc#865815
+Patch-Mainline: no
+
+Index: tboot-1.11.4/tboot/20_linux_xen_tboot
+===================================================================
+--- tboot-1.11.4.orig/tboot/20_linux_xen_tboot
++++ tboot-1.11.4/tboot/20_linux_xen_tboot
+@@ -246,7 +246,7 @@ while [ "x${xen_list}" != "x" ] ; do
+ rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
+ tboot_version="1.11.4"
+ list="${linux_list}"
+- echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{"
++ echo "submenu \"Xen ${xen_version} with Tboot ${tboot_version}\"{"
+ while [ "x$list" != "x" ] ; do
+ linux=`version_find_latest $list`
+ echo "Found linux image: $linux" >&2
diff --git a/tboot-grub2-refuse-secure-boot.patch b/tboot-grub2-refuse-secure-boot.patch
new file mode 100644
index 0000000..7f690ed
--- /dev/null
+++ b/tboot-grub2-refuse-secure-boot.patch
@@ -0,0 +1,66 @@
+Index: tboot-1.9.12/tboot/20_linux_tboot
+===================================================================
+--- tboot-1.9.12.orig/tboot/20_linux_tboot
++++ tboot-1.9.12/tboot/20_linux_tboot
+@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
+ . ${sysconfdir}/default/grub-tboot
+ fi
+
++secureBootActive()
++{
++ for secboot_var in /sys/firmware/efi/efivars/SecureBoot-*; do
++ [ ! -e "$secboot_var" ] && continue
++
++ # this variable contains a '1' byte at the end if secure boot is enabled
++ local secboot_byte=`od --address-radix=n --format=u1 "$secboot_var" | tr -d ' \n' | tail -c 1`
++
++ [ "$secboot_byte" = "1" ] && return 0
++ done
++
++ return 1
++}
++
++if secureBootActive; then
++ cat >&2 << EOF
++Not generating tboot menu entries, because UEFI Secure Boot is active.
++tboot is not compatible with UEFI Secure Boot.
++EOF
++ exit 0
++fi
++
+ # Set the following variables in /etc/default/grub-tboot to customize command lines
+ # (empty values are treated as if the variables were unset).
+ [ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT
+Index: tboot-1.9.12/tboot/20_linux_xen_tboot
+===================================================================
+--- tboot-1.9.12.orig/tboot/20_linux_xen_tboot
++++ tboot-1.9.12/tboot/20_linux_xen_tboot
+@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
+ . ${sysconfdir}/default/grub-tboot
+ fi
+
++secureBootActive()
++{
++ for secboot_var in /sys/firmware/efi/efivars/SecureBoot-*; do
++ [ ! -e "$secboot_var" ] && continue
++
++ # this variable contains a '1' byte at the end if secure boot is enabled
++ local secboot_byte=`od --address-radix=n --format=u1 "$secboot_var" | tr -d ' \n' | tail -c 1`
++
++ [ "$secboot_byte" = "1" ] && return 0
++ done
++
++ return 1
++}
++
++if secureBootActive; then
++ cat >&2 << EOF
++Not generating tboot menu entries, because UEFI Secure Boot is active.
++tboot is not compatible with UEFI Secure Boot.
++EOF ++ exit 0 ++fi ++ + # Set the following variables in /etc/default/grub-tboot to customize command lines + # (empty values are treated as if the variables were unset). + [ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT diff --git a/tboot.changes b/tboot.changes new file mode 100644 index 0000000..4b920d4 --- /dev/null +++ b/tboot.changes @@ -0,0 +1,644 @@ +------------------------------------------------------------------- +Wed Aug 28 08:27:34 UTC 2024 - Matthias Gerstner + +- add tboot-fix-alloc-size-warning.patch: newest GCC spits out this error: + + ``` + pconf_legacy.c: In function ‘create’: + pconf_legacy.c:327:16: error: allocation of insufficient size ‘20’ for type ‘tb_hash_t’ with size ‘64’ [-Werror=alloc-size] + 327 | digest = malloc(SHA1_DIGEST_SIZE); + | ^ + ``` + + There's a union data type behind this. It's not an actual error. To get rid + of the warning, the patch allocates the full union size, thereby wasting a + bit of memory. + +------------------------------------------------------------------- +Tue Jun 25 07:34:57 UTC 2024 - Matthias Gerstner + +- add tboot-bsc#1207833-copy-mbi.patch: correctly move MBI from a lower + address above tboot (bsc#1207833). This fixes a broken boot situation in + some configurations stopping with log line "TBOOT: loader context was moved + from 0x
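Review bot: `secureBootActive` reads the efivarfs file, whose first four bytes are the variable's attribute word and whose last byte is the SecureBoot value, so `tail -c 1` picks the right byte, but the comment above the `od` line only says "a '1' byte at the end" — make the layout explicit: `# efivarfs exposes 4 attribute bytes followed by the 1-byte value; 1 means Secure Boot is enforcing`. The function uses `local`, which is not POSIX sh; grub.d snippets normally run under `#!/bin/sh` (the shebang is outside this hunk), so this relies on dash/bash accepting it. The same function body is pasted verbatim into 20_linux_xen_tboot in the second half of the hunk; keeping the two copies in sync is a maintenance point worth a comment in both, e.g. `# keep in sync with 20_linux_tboot`.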
to 0x
". + + this patch syncs the Factory package with the SLE package. For some reason I + forgot to add the patch to Factory first. Also upstream did not react to the + patch, that I posted to their mailing list, so it's not contained in the + upstream tarball. + +------------------------------------------------------------------- +Mon Jun 17 13:09:34 UTC 2024 - Matthias Gerstner + +- add tboot.rpmlintrc: suppress warning about missing %check section. There's + no testsuite for tboot. +- mark grub.d snippets as %config (noreplace) to satisfy rpmlint warning + (the grub2 package itself marks its snippets this way, so it seems to be + common standard to do so). +- update to v1.11.4: + * v1.11.4 + Increase the TBOOT log size from 32 KB to 64 KB. For some Intel server + platforms, it was noticed that TBOOT_SERIAL_LOG memory section was too + small to hold all of the print logs, produced by TBOOT. Due to this + reason TBOOT log section memory size had to be increase to 64KB. + * v1.11.3 + Fix the hanging TBOOT issue, which appeared during the RLPs wakeup process + on the Intel's multisocket platform. This problem appeared during the AP + stacks allocations for these RLPs. TBOOT allocated memory for them depending + on the woken-up CPUs X2 APIC values. When some of them exceeded the NR_CPUS (1024), + then the RLP wakeup process execution halted. For the current moment, + the maximal X2 APID value was increased from 1024 to 8192. This kind of + solution fixed the given problem. + * v1.11.2 + Fix the RAM memory allocation algorithm for the initrd. 
+ +------------------------------------------------------------------- +Mon Feb 6 10:52:29 UTC 2023 - Matthias Gerstner + +- required update due to openSSL 3.0 deprecation errors in current version +- updated to v1.11.1 / 20230125: + 20230125: v1.11.1 + - Revert log memory range extension (caused memory overlaps and boot failures) + 20221223: v1.11.0 + - Fixed TPM handling to flush objects after integrity measurement (Intel PTT limitations) + - Exteded low memory range for logs (HCC CPUs had issue with not enough memory) + - "agile" removed from PCR Extend policy options (requested deprecation) + - Added handling for flexible ACM Info Table format + - lcptools: CPPFLAGS use by environment in build + - lcptools: removed __DATE__ refs to make build reproducible + - Only platform-matchin SINIT modules can be selected + - txt-acminfo: Map TXT heap using mmap + - Typo fix in man page + 20220304: v1.10.5 + - Fixed mlehash.c to bring back functionality and make it GCC12 compliant + - Reverted change for replacing EFI memory to bring back Tboot in-memory logs + 20220224: v1.10.4 + - Fix hash printing for SHA384, SHA512 and SM3 + - Touch ups for GCC12 + - Set GDT to map CS and DS to 4GB before jumping to Linux + - make efi_memmap_reserve handle gaps like e820_protect_region + - Ensure that growth of Multiboot tags does not go beyond original area + - Replace EFI memory map in Multiboot2 info + - Fix endianness of pcr_info->pcr_selection.size_of_select + - Don't ignore locality in PCR file + - Fix composite hashing algorithm for PCONF elements to match lcptools-1 + 20211210: v1.10.3 + - Add UNI-VGA license information + - Remove poly1305 object files on clean + - Support higher resolution monitors + - Use SHA256 as default hashing algorithm in lcp2_mlehash and tb_polgen + - Add OpenSSL 3.0.0 support in lcptools-v2 + - Increase number of supported CPUs to 1024 to accomodate for larger units +- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new + upstream 
version. +- tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream + version. + +------------------------------------------------------------------- +Fri Jun 11 07:29:02 UTC 2021 - Marcus Meissner + +- updated to v1.10.2 / 20210614 + Fix ACM chipset/processor list validation + Check for client/server match when selecting SINIT + Fix issues when building with GCC11 + Default to D/A mapping when TPM1.2 and CBnT platform +- updated to 1.10.1 / 20210330 + + - Indicate to SINIT that CBnT is supported by TBOOT + - lcptools: Fix issues from static code analysis + +------------------------------------------------------------------- +Tue Jan 19 14:35:38 UTC 2021 - Matthias Gerstner + +- release 1.10.0 ramifications: + - README is now README.md + - acminfo and parse_err now are called txt-acminfo and txt-parse_err + - lcptools are deprecated (tpm 1.2, TrouSerS dependency) and are no longer + packaged. + - no longer needs TrouSerS dependency due to deprecation + +------------------------------------------------------------------- +Tue Jan 19 14:00:53 UTC 2021 - Matthias Gerstner + +- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new + upstream version. +- tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream + version. 
+ +------------------------------------------------------------------- +Tue Jan 19 13:35:07 UTC 2021 - Matthias Gerstner + +- update to new upstream release 1.10.0: + - Rename TXT related tools to have 'txt-' prefix + - Clarify license issues + - Fix issues reported by Coverity Scan + - Ensure txt-acminfo does not print false information if msr is not loaded + - Fix issue with multiboot(1) booting - infinite loop during boot + - Fix issue with TPM1.2 - invalid default policy + - Unmask NMI# after returning from SINIT + - Update GRUB scripts to use multiboot2 only + - Enable VGA logging for EFI platforms + - Add warning when using SHA1 as hashing algorithm + - Add Doxygen documentation + - Replace VMAC with Poly1305 + - Validate TPM NV index attributes + - Move old lcptool to deprecated folder and exclude from build + - TrouSerS is not longer required to build + - lcptools-v2: meet requirements from MLE DG rev16 + - lcptools-v2: Implement SM2 signing and SM2 signature verification + - lcptools-v2: Set aux_hash_alg_mask to 0 when policy version != 0x300 +- dropped tboot-Unmask-NMI-after-returning-from-SINIT.patch (upstream) + +------------------------------------------------------------------- +Thu Nov 12 12:19:51 UTC 2020 - Matthias Gerstner + +- add tboot-grub2-refuse-secure-boot.patch: don't generate tboot menu entries + in grub when the system is running with UEFI Secure Boot (bsc#1175114). This + prevents hard to understand error messages when trying to boot tboot in this + context. 
+ +------------------------------------------------------------------- +Mon Sep 28 12:14:22 UTC 2020 - matthias.gerstner@suse.com + +- update to new upstream release 1.9.12: + - changes from 1.9.12: + - Release localities in S3 flow for CRB interface + - Config.mk, safestringlib/makefile : allow tool overrides + - safestringlib: fix warnings with GCC 6.4.0 + - Strip executable file before generating tboot.gz + - Add support for EFI memory map parse/modification + - Add SHA384 and SHA512 digest algorithms + - lcptools-v2: add pconf2 policy element support + - tb_polgen: Add SHA384 and SHA512 support + - Disable GCC9 address-of-packed-member warning + - Fix warnings after "Avoid unsafe functions" scan + - Use SHA256 as default hashing algorithm + - changes from 1.9.11: + - tb_polgen: Add support for SHA256 + - Configure IOMMU before executing GETSEC[SENTER] + - SINIT ACM can have padding, handle that when checking size + - disable-address-of-packed-member-warning.patch: now contained upstream + - tboot-grub2-fix-xen-submenu-name.patch: refreshed +- dropped tboot-Release-localities-in-S3-flow-for-CRB-interface.patch (upstream) +- dropped tboot-Configure-IOMMU-before-executing-GETSEC-SENTER.patch (upstream) +- dropped tboot-Do-not-try-to-read-EFI-mem-map-when-booted-with-mult.patch (upstream) +- dropped tboot-Release-localities-in-S3-flow-for-CRB-interface.patch (upstream) +- dropped tboot-support-sinit-padding.patch (upstream) +- dropped tboot-Add-support-for-EFI-memory-map-parse-modification.patch +- dropped tboot-fix-memmap1-boot-issues.patch +- dropped tboot-Add-more-mbi-validation.patch + +------------------------------------------------------------------- +Fri Jul 12 16:24:27 UTC 2019 - Martin Liška + +- Disable LTO in more elegant way (boo#1141323). 
+ +------------------------------------------------------------------- +Thu Jul 11 08:06:42 UTC 2019 - mgerstner + +- explicitly disable gcc9 link time optimization to fix the build and avoid + trouble in low level tboot code. + +------------------------------------------------------------------- +Tue May 28 08:19:14 UTC 2019 - mgerstner + +- add disable-address-of-packed-member-warning.patch: taken over patch found + in the Fedora package to disable a new gcc-9 warning that breaks the build. + +------------------------------------------------------------------- +Mon May 20 11:21:46 UTC 2019 - mgerstner + +- update to new upstream release 1.9.10: + - changes from 1.9.10: + - lcp-gen2: update with latest version (wxWidgets wildcard bugfix) + - print latest tag in logs + - add support for 64bit framebuffer address + - changes from 1.9.9: + - tools: fix some dereference-NULL issues reported by klocwork + - tools: replace banned mem/str fns with corresponding ones in safestringlib + - Add safestringlib code to support replacement of banned mem/str fns + - lcptools: remove tools supporting platforms before 2008 + - tboot: update string/memory fn name to differentiate from c lib + - Fix a harmless overflow caused by wrong loop limits +- rebased patches to match new upstream version + +------------------------------------------------------------------- +Wed Oct 24 08:44:04 UTC 2018 - matthias.gerstner@suse.com + +- update to new upstream release 1.9.8 (FATE#324359): + - Skip tboot launch error index read/write when ignore prev err option is true + - s3-fix: fix a stack overflow caused by enlarged tb_hash_t union + - S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059 + - S3-fix: Adding option save_vtd=true to opt-in the vtd table restore +- rebased patches to match new upstream version + +------------------------------------------------------------------- +Fri Sep 7 08:30:20 UTC 2018 - Jan Engelhardt + +- Use noun phrase in summary. 
+ +------------------------------------------------------------------- +Mon Sep 3 10:11:39 UTC 2018 - matthias.gerstner@suse.com + +- package new upstream tarball for 1.9.7. It seems the tarball was replaced + upstream without notice, because some version numbers have not been + incremented. +- tboot-grub2-fix-menu-in-xen-host-server.patch: rebased +- tboot-grub2-fix-xen-submenu-name.patch: rebased + +------------------------------------------------------------------- +Fri Aug 31 14:23:48 UTC 2018 - matthias.gerstner@suse.com + +- update to upstream version 1.9.7. This in mainly a bugfix release: + Fix a lot of issues in tools reported by klocwork scan. + Fix a lot of issues in tboot module reported by klocwork scan. + Remove a redundant tboot option + Fix indent in heap.c + Fix 4 issues along with extpol=agile option + Mitigations for tpm interposer attacks + Add an option in tboot to force SINIT to use the legacy TPM2 log format. + Add support for appending to a TPM2 TCG style event log. + Ensure tboot log is available even when measured launch is skipped. + Add centos7 instructions for Use in EFI boot mode. + Fix memory leak and invalid reads and writes issues. + Fix TPM 1.2 locality selection issue. + Fix a null pointer dereference bug when Intel TXT is disabled. + Optimize tboot docs installation. + Fix security vulnerabilities rooted in tpm_if structure and g_tpm variable. + The size field of the MB2 tag is the size of the tag header + the size + Fix openssl-1.0.2 double frees + Make policy element stm_elt use unique type name + lcptools-v2 utilities fixes + port to openssl-1.1.0 + Reset debug PCR16 to zero. + Fix a logical error in function bool evtlog_append(...). 
+- removed tboot-CVE-2017-16837.patch: now contained in tarball +- removed tboot-openssl-1-1-0.patch: now contained in tarball +- removed tboot-signature-segfault.patch: now contained in tarball +- removed tboot-ssl-broken.patch: now contained in tarball + +------------------------------------------------------------------- +Thu Mar 15 09:49:03 UTC 2018 - matthias.gerstner@suse.com + +- tboot-signature-segfault.patch: Intermediate patch necessary for + tboot-ssl-broken.patch. Upstream tried to fix OpenSSL issues here, but + failed to do so. +- tboot-ssl-broken.patch: Fixed memory corruption when using OpenSSL + functionality like in lcp2_crtpollist (bnc#1083693). Fix has not yet been + commented on by upstream (posted on tboot-devel mailing list). + +------------------------------------------------------------------- +Wed Feb 21 12:26:10 UTC 2018 - matthias.gerstner@suse.com + +- Also cover cleanup of bootloader configuration after package removal. + (bnc#1078262) + +------------------------------------------------------------------- +Mon Feb 12 13:27:20 UTC 2018 - matthias.gerstner@suse.com + +- tboot-distributor.patch: don't add GNU/Linux to grub menu entries. SUSE's + grub2 itself doesn't do it as well. (bnc#1078262) +- perform update of bootloader configuration after installation via + %posttrans. (bnc#1078262) + +------------------------------------------------------------------- +Thu Nov 16 09:49:48 UTC 2017 - matthias.gerstner@suse.com + +- tboot-CVE-2017-16837.patch: fix a major security issue in tboot. tboot + failed to validate a number of immutable function pointers, which could + allow an attacker to bypass the chain of trust and execute arbitrary code + (bnc#1068390, CVE-2017-16837). + +------------------------------------------------------------------- +Thu Nov 9 14:08:59 UTC 2017 - matthias.gerstner@suse.com + +- tboot-openssl-1-1-0.patch: make package compatible with OpenSSL 1.1.0. + There's no upstream release containing this patch yet. 
The patch builds + against OpenSSL 1.0.x as well. This is for SLE-15 support (bnc#1067229). + +------------------------------------------------------------------- +Tue Jul 18 11:10:29 UTC 2017 - matthias.gerstner@suse.com + +update to new upstream version 1.9.6: + +- removed following patches, because they're now included upstream: + * reproducible.patch + * tboot-grub2-suse.patch + * tboot-gcc7.patch + +- Changes in this version: + * GCC7 fix, adds generic FALLTHROUGH notations to avoid warnings appearing on GCC7 + * Ensure Tboot never overwrites modules in the process of moving them. + * Add support to x2APIC, which uses 32 bit APIC ID. + * Fix S3 secrets sealing/unsealing failures + * Support OpenSSL 1.1.0+ for ECDSA signature verification. + * Support OpenSSL 1.1.0+ for RSA key manipulation. + * Adds additional checks to prevent the kernel image from being overwritten. + * Added TCG TPM event log support. + * Pass through the EFI memory map that's provided by grub2. + * Fix a null pointer dereference bug when Intel TXT is disabled in BIOS. + * Adjust KERNEL_CMDLINE_OFFSET from 0x9000 to 0x8D00. + * Bounds checking on the kernel_cmdline string. + +------------------------------------------------------------------- +Sun Jun 4 08:43:14 UTC 2017 - meissner@suse.com + +- tboot-gcc7.patch: fix some gcc7 warnings that lead to errors. (bsc#1041264) + +------------------------------------------------------------------- +Sun Apr 30 05:29:57 UTC 2017 - bwiedemann@suse.com + +- Add reproducible.patch to call gzip -n to make build fully reproducible + +------------------------------------------------------------------- +Fri Feb 10 16:56:03 UTC 2017 - jengelh@inai.de + +- Trim filler words from description; use modern macros over + shell vars. 
+ +------------------------------------------------------------------- +Wed Feb 8 13:11:50 UTC 2017 - meissner@suse.com + +- Updated to 20161216: v1.9.5 (FATE#321510) + + Add 2nd generation of LCP creation tool source codes for TPM 2.0 platforms. + + Add user guide for 2nd generation LCP creation tool + + Provide workaround for Intel PTT(Platform Trust Technology) & Linux PTT driver. + + Add new fields in Linux kernel header struct to accommodate Linux kernel new capabilities. + + Fix a pointer dereference regression in the tboot native Linux loader which manifests itself as a system reset. + + Fix the issue of overwriting tboot when the loaded elf kernel is located below tboot. + + Add support to release TPM localities when tboot exits to linux kernel. + + Fix the evtlog dump function for tpm2 case. + + Initiaize kernel header comdline buffer before copying kernel cmdline arguments to the buffer to avoid random + + data at end of the original cmdline contents. + + Move tpm_detect() to an earlier stage so as to get tpm interface initialized before checking TXT platform capabilities. 
+ + +------------------------------------------------------------------- +Wed Jun 22 06:37:53 UTC 2016 - mchang@suse.com + +- Fix wrong pvops kernel config matching (bsc#981948) + * modified tboot-grub2-fix-menu-in-xen-host-server.patch + +------------------------------------------------------------------- +Wed Jun 1 09:29:32 UTC 2016 - meissner@suse.com + +- tboot-grub2-suse.patch: fixed bad if/elif + +------------------------------------------------------------------- +Thu May 19 10:35:27 UTC 2016 - meissner@suse.com + +- Updated to 1.9.4/20160518 (FATE#320665) + Added TPM 2.0 CRB support + Increased BSP and AP stacks to avoid stack overflow + Added an ACPI_RSDP structure g_rsdp in tboot to avoid potential memory overwritten issue on TPM 2.0 UEFI platforms + Added support to both Intel TPM nv index set and TCG TPM nv index set + grub2: tboot doesn't skip first argument any more + grub2: sanitize whitespace in command lines + grub2: Allow addition of policy data in grub.cfg + grub2 support: allow the user to customize the command line + Mitigated S3 resume delay by adjusting LZ_MAX_OFFSET to 5000 in lz.c. + Added SGX TPM nv index support + Add 64 bit ELF object support + Gentoo Hardened, which uses the GRSecurity and PaX patch sets + Disable -fstack-check in CFLAG for compatibility with Gentoo Linux. 
+ Enhanced tboot compatiblity running on non-Intel TXT platform with a fix of is_launched()
+ LCP documentation improvements
+- tboot-grub2-suse.patch: refreshed
+- tboot-grub2-fix-xen-submenu-name.patch: refreshed
+- tboot-fix-stackoverflow.patch: upstream in 1.9.4
+
+-------------------------------------------------------------------
+Wed Apr 6 09:41:06 UTC 2016 - meissner@suse.com
+
+- tboot-fix-stackoverflow.patch: fix a excessive stack usage pattern
+ that could lead to resets/crashes (bsc#967441)
+
+-------------------------------------------------------------------
+Fri May 8 12:08:52 UTC 2015 - meissner@suse.com
+
+- Updated to 1.8.3/20140728 FATE#318542
+ * Added verified launch control policy user guide
+ * Fixed a bug about var MTRR settings to follow the rule that each VAR MTRR base must be a multiple of that MTRR's size.
+ * Access tpm sts reg with 3-byte width in v1.2 case and 4-byte width in v2.0 case
+ * Bugfix: lcp2_mlehash get wrong hash if the cmdline string length > 7
+ * Optimized tboot log processing flow to avoid log buffer overflow by adopting lz Compress/Uncompress algorithms
+ * Added SGX support for Skylake platform
+ * tpm2: use the primary object in NULL Hierarchy instead of Platform Hierarchy for seal/unseal usage
+ * Fixed a bug for lcp2_mlehash tool
+ * Fixed system hang issue caused by TXT disable, TPM disable or SINIT ACM not correctly provided in EFI booting mode
+ * Fixed bug for wrong assumption on the way how GRUB2 load modules
+ * Fixed MB2 tags mess issue caused by moving shorter module cmdline to head
+ * Fixed compile issue when debug=y
+- fixes a boot issue on Skylake (bsc#964408)
+- refreshed tboot-grub2-fix-xen-submenu-name.patch
+
+-------------------------------------------------------------------
+Mon Jul 28 12:14:12 UTC 2014 - meissner@suse.com
+
+- updated to 1.8.2/20140728
+ Security Fix: TBOOT Argument Measurement Vulnerability for GRUB2
+ ELF Kernels
+ fix werror in 32 bit build environment
+- tboot-fix.patch:
removed, fixed differently upstream.
+
+-------------------------------------------------------------------
+Mon May 19 11:11:10 UTC 2014 - meissner@suse.com
+
+- updated to 1.8.1/20140516
+ Fix build error "may be used uninitialized"
+ Reset eventlog when S3
+ Update tboot version to 1.8.1 in grub title
+ Fix grub cfg file generation scripts for SLES12
+ Fix seal failure issue
+ tpm2 lcptools
+ Restore local apic base for AP
+ Fix typo in hash_alg_to_string()
+ Change to create primary object only once
+ Add prepare_tpm call in S3 path to ensure locality 0 was released before senter
+ Fix possible dead loop in print_bios_data when bios_data version 4
+ Fix possible null pointer dereference in loader.c
+ Fix possible null pointer dereference in tpm_12.c and tpm_20.c
+ Avoid buffer overrun when append tpm12 eventlog
+ Fix possible NULL pointer dereference
+ Fix one event log issue caused by wrong append and print operation
+ Fix error "unsupported hash alg" for agile extend policy
+ Fix warning "ACM info_table version mismatch"
+ Update the tpm family detection with a general way
+ Fix a lcp tools issue caused by redefining TB_HALG_SHA1 from 0 to 4
+ Assign g_tpm a value for no tpm case to avoid NULL checks
+ Fix crash when TPM is missing
+ Fix infinite loop in determine_multiboot_type()
+ Fix typo in tpm20_init() and remove unused variable
+ Allow the to-be-measured nv to be protected by AUTHWRITE
+ Check cpu vendor id to avoid unexpected behavior in non-intel cpu
+ Change to detect TPM family only once
+ Fix some typos caused by copy-paste
+
+- removed tboot-cs381.patch: upstream
+
+-------------------------------------------------------------------
+Fri May 16 06:10:17 UTC 2014 - mchang@suse.com
+
+- fix grub2 boot menu after installing lots of kernels (bnc#865815)
+- add tboot-grub2-fix-menu-in-xen-host-server.patch
+- add tboot-grub2-fix-xen-submenu-name.patch
+
+-------------------------------------------------------------------
+Wed Apr 30 08:42:27 UTC 2014 -
meissner@suse.com
+
+- tboot-cs381.patch: generate tboot entries correctly, from Intel.
+ bnc#875581
+
+-------------------------------------------------------------------
+Wed Feb 19 16:05:10 UTC 2014 - meissner@suse.com
+
+- fixed path for /usr/share/grub2/grub-mkconfig_lib in our grub2
+ snippets. (bnc#864633)
+
+-------------------------------------------------------------------
+Thu Jan 30 21:59:46 UTC 2014 - meissner@suse.com
+
+- updated to 1.8.0/20130705
+ Update README for TPM2 support
+ tpm2 support
+ Adding sha256 algorithm implementation
+ Update README for TPM NV measuring
+ Update README for EFI support
+ Fix typo in tboot/Makefile
+ Increase the supported maximum number of cpus from 256 to 512
+ Extend tboot policy supporting measuring TPM NV
+ EFI support via multiboot2 changes
+ Fix typo in common/hash.c
+ Fix verification for extended data elements in txt heap
+
+-------------------------------------------------------------------
+Thu Aug 8 11:56:45 UTC 2013 - meissner@suse.com
+
+- updated to 1.7.4/20130705
+ Fix possible empty submenu block in generated grub.cfg
+ Add a call_racm=check option for easy RACM launch result check
+ Fix type check for revocation ACM.
+
+-------------------------------------------------------------------
+Tue Jan 8 15:26:59 UTC 2013 - meissner@suse.com
+
+- updated to 1.7.3/20121228
+ Update README with updated code repository url.
+ Fix grub2 scripts to be compatible with more distros.
+ Update README for RACM launch support
+ Add a new option "call_racm=true|false" for revocation acm(RACM) launch
+ Fix potential buffer overrun & memory leak in crtpconf.c
+ Fix a potential buffer overrun in lcptools/lock.c
+ Print cmdline in multi-lines
+ Optional print TXT.ERRORCODE under level error or info
+ Fix side effects of tboot log level macros in tools
+ Update readme for the new detail log level
+ Classify all logs into different log levels
+ Add detail log level and the macros defined for log level
+ Fix acmod_error_t type to correctly align all bits in 4bytes
+
+-------------------------------------------------------------------
+Wed Oct 10 15:31:57 UTC 2012 - meissner@suse.com
+
+- updated to 1.7.2/20120929
+ Add Makefile for docs to install man pages.
+ Add man pages for tools
+ Add grub-mkconfig helper scripts for tboot case in GRUB2
+ Fix for deb build in ubuntu
+ Fix S3 issue brought by c/s 308
+ Fix a S4 hang issue and a potential shutdown reset issue
+ Fix build with new zlib 1.2.7.
+ Initialize event log when S3
+ Update README to change upstream repo url from bughost.org to sf.net.
+
+- updated to 1.7.1/20120427
+ Fix cmdline size in tb_polgen
+ Add description for option min_ram in README.
+ new tboot cmdline option "min_ram=0xXXXXXX"
+ Update test-patches/tpm-test.patch to fit in latest code.
+- zlib patch upstreamed.
+- spec file adjustments
+- tboot-fix.patch: fixed printf type mismatch
+
+-------------------------------------------------------------------
+Thu May 31 13:20:57 CEST 2012 - meissner@suse.de
+
+- adjust to changed zlib api
+
+-------------------------------------------------------------------
+Wed Apr 25 23:16:20 CEST 2012 - meissner@suse.de
+
+- reenable exclusivearch to avoid building it on ppc and arm.
+
+-------------------------------------------------------------------
+Tue Feb 28 14:03:52 UTC 2012 - meissner@suse.com
+
+- updated to 1.7.0
+ Print version number while changeset info unavailable
+ Document DA changes in README
+ Add event log for PCR extends in tboot
+ Follow details / authorities PCR mapping style in tboot
+ Support details / authorities PCR mapping
+ Support TPM event log
+ fix build issue for txt-stat in 64 bit environment.
+ update README for mwait AP wakeup mechanism
+ tboot: provide a new AP wakeup way for OS/VMM - mwait then memory write
+ Original txt-stat.c doesn't display TXT heap info by default. Add
+ command line options to display help info and optionally enable
+ displaying heap info.
+ Fix a shutdown issue on heavily throttled large server
+ Adjust mle_hdr.{mle|cmdline}_{start|end}_off according to CS285,286
+ changes to give lcp_mlehash correct info to produce hash value.
+ Fix boot issue caused by including mle page table into tboot memory
+ Fix for possible overwritting to mle page table by GRUB2
+ Add PAGE_UP() fn that rounds things up/donw to a page.
+ Update get_mbi_mem_end() with a accurate, safer calculating way
+ ACPI fix and sanity check
+ Add some sanity check before using mods_count in a count-down loop
+ TPM: add waiting on expect==0 before issue tpmGo
+ txt-stat: Don't show heap info by default.
+ Exchange definitions for TBOOT_BASE_ADDR & TBOOT_START
+ Add const qualifier for suibable parms of all possible fns.
+ fix possible mbi overwrite issue for Linux with grub2
+ enhance print_mbi() to print more mbi info for debug purpose
+ Fix for GRUB2 loading elf image such as Xen.
+ Move apply_policy() call into txt_post_launch()
+ Don't zap s3_key in tboot shared page if sealing failed due to tpm
+ unowned
+ Update the explanation of signed lists to make it clearer.
+ tboot: add a fall back for reboot via keyboard reset vector
+ tboot: revise README to explain how to configure GRUB2 config file for
+ tboot
+ tboot: rewrite acpi reg access fns to refer to bit_width instead of
+ access_width
+ tboot: change reboot mechanism to use keyboard reset vector
+ tboot: handle mis-programmed TXT config regs and TXT heap gracefully
+ tboot: add warning when TPM timeout values are wrong
+ all PM1_CNT accesses should be 16bit.
+ Enlarge NR_CPUS from 64 to 256
+ Add support for SBIOS policy element type (LCP_SBIOS_ELEMENT) to
+ lcp_crtpolelt
+ Fix processor id list matching between platform and acmod
+ Make lcp_crtpollist support empty lists (i.e. with no elements)
+ print a bit more error reasons in txt-stat
+ Fix segmentation fault in txt-stat on some systems
+
+-------------------------------------------------------------------
+Thu Jan 12 11:31:12 UTC 2012 - coolo@suse.com
+
+- change license to be in spdx.org format
+
+-------------------------------------------------------------------
+Tue May 24 14:48:45 UTC 2011 - idonmez@novell.com
+
+- Update to changeset 261
+ + gcc 4.6 fixes
+ + Fix segmentation fault in txt-stat on some systems
+ + Add support for TXT heap extended data elements and BiosData version 4
+ + Add support for AC Module chipset info table version 4 (ProcessorIDList)
+ + Removed no_usb command line parameter and SMI disabling
+ + Support MAXPHYADDR > 36b
+
+-------------------------------------------------------------------
+Wed Apr 27 18:38:23 CEST 2011 - meissner@suse.de
+
+- initial import of current intel trusted boot loader
diff --git a/tboot.rpmlintrc b/tboot.rpmlintrc
new file mode 100644
index 0000000..d658310
--- /dev/null
+++ b/tboot.rpmlintrc
@@ -0,0 +1 @@
+addFilter("no-%check-section")
diff --git a/tboot.spec b/tboot.spec
new file mode 100644
index 0000000..4a30ddb
--- /dev/null
+++ b/tboot.spec
@@ -0,0 +1,108 @@
+#
+# spec file for package tboot
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tboot
+%define ver 1.11.4
+Version: 20210614_%{ver}
+Release: 0
+Summary: Program for performing a verified launch using Intel TXT
+License: BSD-3-Clause
+Group: Productivity/Security
+URL: https://sourceforge.net/projects/tboot/
+Source0: https://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver}.tar.gz
+Source1: tboot.rpmlintrc
+Patch3: tboot-grub2-fix-menu-in-xen-host-server.patch
+Patch4: tboot-grub2-fix-xen-submenu-name.patch
+Patch7: tboot-distributor.patch
+Patch8: tboot-grub2-refuse-secure-boot.patch
+Patch9: tboot-bsc#1207833-copy-mbi.patch
+Patch10: tboot-fix-alloc-size-warning.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+ExclusiveArch: %{ix86} x86_64
+BuildRequires: openssl-devel
+BuildRequires: zlib-devel
+
+%if 0%{?suse_version} > 1320
+BuildRequires: update-bootloader-rpm-macros
+%endif
+
+%if 0%{?update_bootloader_requires:1}
+%update_bootloader_requires
+%else
+Requires: perl-Bootloader
+%endif
+
+%description
+Trusted Boot (tboot) is a pre-kernel/VMM module that uses Intel
+Trusted Execution Technology (Intel(R) TXT) to perform a measured and
+verified launch of an OS kernel/VMM.
+
+%prep
+%setup -q -n %name-%ver
+%autopatch -p1
+
+%build
+# Tumbleweed now uses -flto=3 by default which gives us trouble with the
+# statically linked C and assembler code in tboot. Better to be conservative
+# here since tboot is low level stuff -> disable LTO for us (boo#1141323).
+%define _lto_cflags %{nil}
+export TBOOT_CFLAGS="$CFLAGS"
+make debug=y %{?_smp_mflags}
+
+%install
+make debug=y install DISTDIR="%{buildroot}" MANPATH="%{buildroot}/%{_mandir}"
+
+%files
+%defattr(-,root,root,-)
+%doc README.md COPYING docs/* lcptools-v2/lcptools.txt
+%{_sbindir}/txt-acminfo
+%{_sbindir}/txt-parse_err
+%{_sbindir}/tb_polgen
+%{_sbindir}/txt-stat
+%{_sbindir}/lcp2_crtpol
+%{_sbindir}/lcp2_crtpolelt
+%{_sbindir}/lcp2_crtpollist
+%{_sbindir}/lcp2_mlehash
+/boot/tboot.gz
+/boot/tboot-syms
+%{_mandir}/man8/*
+%dir %{_sysconfdir}/grub.d/
+%config(noreplace) %{_sysconfdir}/grub.d/20_linux_tboot
+%config(noreplace) %{_sysconfdir}/grub.d/20_linux_xen_tboot
+
+%post
+%if 0%{?update_bootloader_check_type_reinit_post:1}
+%update_bootloader_check_type_reinit_post grub2 grub2-efi
+%else
+/sbin/update-bootloader --reinit || true
+%endif
+
+%postun
+%if 0%{?update_bootloader_check_type_reinit_post:1}
+# there is no clean solution for refresh during package removal at the moment.
+# %%posttrans is not executed during package removal.
+%update_bootloader_check_type_reinit_post grub2 grub2-efi
+%update_bootloader_posttrans
+%else
+/sbin/update-bootloader --reinit || true
+%endif
+
+%posttrans
+%{?update_bootloader_posttrans}
+
+%changelog
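Review bot: The `%else` branches of `%post` and `%postun` run `/sbin/update-bootloader --reinit || true`, so a failed regeneration of the GRUB entries is swallowed and the package installs or removes cleanly while the `20_linux_tboot` / `20_linux_xen_tboot` entries may be missing or stale. Because the measured-launch boot entry is the whole purpose of this package, the failure should at least be surfaced to the operator, e.g. `/sbin/update-bootloader --reinit || echo "tboot: update-bootloader --reinit failed; regenerate the bootloader configuration manually" >&2`, in both scriptlets. Separately, `Source0` is downloaded from sourceforge with no detached signature or keyring listed alongside it; if upstream publishes one for the release tarball, adding it as a further `Source` with a `%{name}.keyring` would let the source service verify the archive before it enters the build.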