From b9b173fea3a99f36641b897aaf858a6ca85cc5c80c2a84923c7b66ad690e2838 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Tue, 18 Jul 2017 11:15:11 +0000 Subject: [PATCH] update to new upstream version 1.9.6: - removed following patches, because they're now included upstream: * tboot-grub2-fix-menu-in-xen-host-server.patch * tboot-grub2-fix-xen-submenu-name.patch * tboot-grub2-suse.patch - Changes in this version: * GCC7 fix, adds generic FALLTHROUGH notations to avoid warnings appearing on GCC7 * Ensure Tboot never overwrites modules in the process of moving them. * Add support to x2APIC, which uses 32 bit APIC ID. * Fix S3 secrets sealing/unsealing failures * Support OpenSSL 1.1.0+ for ECDSA signature verification. * Support OpenSSL 1.1.0+ for RSA key manipulation. * Adds additional checks to prevent the kernel image from being overwritten. * Added TCG TPM event log support. * Pass through the EFI memory map that's provided by grub2. * Fix a null pointer dereference bug when Intel TXT is disabled in BIOS. * Adjust KERNEL_CMDLINE_OFFSET from 0x9000 to 0x8D00. * Bounds checking on the kernel_cmdline string. OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=64 --- reproducible.patch | 13 --- tboot-1.9.5.tar.gz | 3 - tboot-1.9.6.tar.gz | 3 + tboot-gcc7.patch | 86 ------------------- tboot-grub2-fix-menu-in-xen-host-server.patch | 12 +-- tboot-grub2-fix-xen-submenu-name.patch | 8 +- tboot-grub2-suse.patch | 26 ------ tboot.changes | 24 ++++++ tboot.spec | 10 +-- 9 files changed, 39 insertions(+), 146 deletions(-) delete mode 100644 reproducible.patch delete mode 100644 tboot-1.9.5.tar.gz create mode 100644 tboot-1.9.6.tar.gz delete mode 100644 tboot-gcc7.patch delete mode 100644 tboot-grub2-suse.patch diff --git a/reproducible.patch b/reproducible.patch deleted file mode 100644 index fc882a4..0000000 --- a/reproducible.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -Index: tboot-1.9.5/tboot/Makefile -=================================================================== ---- tboot-1.9.5.orig/tboot/Makefile -+++ tboot-1.9.5/tboot/Makefile -@@ -32,7 +32,7 @@ OBJS := $(obj-y) - TARGET_LDS := $(CURDIR)/common/tboot.lds - - $(TARGET).gz : $(TARGET) -- gzip -f -9 < $< > $@ -+ gzip -n -f -9 < $< > $@ - - $(TARGET) : $(OBJS) $(TARGET_LDS) - $(LD) $(LDFLAGS) -T $(TARGET_LDS) -N $(OBJS) -o $(@D)/.$(@F).0 diff --git a/tboot-1.9.5.tar.gz b/tboot-1.9.5.tar.gz deleted file mode 100644 index f15668c..0000000 --- a/tboot-1.9.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c7032e367ac0129493c9bb1fcd1437f400ff5533c970119ddce281ff4d58a13f -size 685460 diff --git a/tboot-1.9.6.tar.gz b/tboot-1.9.6.tar.gz new file mode 100644 index 0000000..3e931c0 --- /dev/null +++ b/tboot-1.9.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b55eed6ca8196b2a003936594248a242888ac34ff970eda651e7660c4772a39 +size 693564 diff --git a/tboot-gcc7.patch b/tboot-gcc7.patch deleted file mode 100644 index b59936f..0000000 --- a/tboot-gcc7.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -Index: tboot-1.9.5/tboot/common/tboot.c -=================================================================== ---- tboot-1.9.5.orig/tboot/common/tboot.c -+++ tboot-1.9.5/tboot/common/tboot.c -@@ -501,11 +501,13 @@ static void shutdown_system(uint32_t shu - /* write our S3 resume vector to ACPI resume addr */ - set_s3_resume_vector(&_tboot_shared.acpi_sinfo, TBOOT_S3_WAKEUP_ADDR); - /* fall through for rest of Sx handling */ -+ /* FALLTHROUGH */ - case TB_SHUTDOWN_S4: - case TB_SHUTDOWN_S5: - machine_sleep(&_tboot_shared.acpi_sinfo); - /* if machine_sleep() fails, fall through to reset */ - -+ /* FALLTHROUGH */ - case TB_SHUTDOWN_REBOOT: - if ( txt_is_powercycle_required() ) { - /* powercycle by writing 0x0a+0x0e to port 0xcf9 */ -@@ -524,6 +526,7 @@ static void shutdown_system(uint32_t shu - outb(0xcf9, 0x06); - } - -+ /* FALLTHROUGH */ - case TB_SHUTDOWN_HALT: - default: - while ( true ) -Index: tboot-1.9.5/tboot/common/vsprintf.c -=================================================================== ---- tboot-1.9.5.orig/tboot/common/vsprintf.c -+++ tboot-1.9.5/tboot/common/vsprintf.c -@@ -404,6 +404,7 @@ handle_width: - case 'p': - mods.flag |= PREFIX; /* print prefix 0x for %p */ - mods.flag_long = LONG; -+ /* FALLTHROUGH */ - case 'x': - mods.base = 16; - buf_pos = write_number_to_buffer(buf, size, buf_pos, mods); -Index: tboot-1.9.5/tboot/common/tpm.c -=================================================================== ---- tboot-1.9.5.orig/tboot/common/tpm.c -+++ tboot-1.9.5/tboot/common/tpm.c -@@ -117,14 +117,14 @@ static bool tpm_send_cmd_ready_status_cr - #endif - - if ( reg_ctrl_sts.tpmidle== 1) { -- reg_ctrl_request._raw[0] = 0; -+ memset(®_ctrl_request,0,sizeof(reg_ctrl_request)); - reg_ctrl_request.cmdReady = 1; - write_tpm_reg(locality, TPM_CRB_CTRL_REQ, ®_ctrl_request); - - return true; - } - -- reg_ctrl_request._raw[0] = 0; -+ memset(®_ctrl_request,0,sizeof(reg_ctrl_request)); - reg_ctrl_request.goIdle = 1; - write_tpm_reg(locality, 
TPM_CRB_CTRL_REQ, ®_ctrl_request); - -@@ -158,7 +158,7 @@ static bool tpm_send_cmd_ready_status_cr - printk(TBOOT_INFO"2. reg_ctrl_sts.tpmsts: 0x%x\n", reg_ctrl_sts.tpmsts); - #endif - -- reg_ctrl_request._raw[0] = 0; -+ memset(®_ctrl_request,0,sizeof(reg_ctrl_request)); - reg_ctrl_request.cmdReady = 1; - write_tpm_reg(locality, TPM_CRB_CTRL_REQ, ®_ctrl_request); - -@@ -724,7 +724,7 @@ bool tpm_relinquish_locality_crb(uint32_ - if ( reg_loc_state.loc_assigned == 0 ) return true; - - /* make inactive by writing a 1 */ -- reg_loc_ctrl._raw[0] = 0; -+ memset(®_loc_ctrl,0,sizeof(reg_loc_ctrl)); - reg_loc_ctrl.relinquish = 1; - write_tpm_reg(locality, TPM_REG_LOC_CTRL, ®_loc_ctrl); - -@@ -778,7 +778,7 @@ bool tpm_request_locality_crb(uint32_t l - tpm_reg_loc_state_t reg_loc_state; - tpm_reg_loc_ctrl_t reg_loc_ctrl; - /* request access to the TPM from locality N */ -- reg_loc_ctrl._raw[0] = 0; -+ memset(®_loc_ctrl,0,sizeof(reg_loc_ctrl)); - reg_loc_ctrl.requestAccess = 1; - write_tpm_reg(locality, TPM_REG_LOC_CTRL, ®_loc_ctrl); - diff --git a/tboot-grub2-fix-menu-in-xen-host-server.patch b/tboot-grub2-fix-menu-in-xen-host-server.patch index fd4f44d..c524670 100644 --- a/tboot-grub2-fix-menu-in-xen-host-server.patch +++ b/tboot-grub2-fix-menu-in-xen-host-server.patch @@ -23,10 +23,10 @@ v3: References: bnc#865815 Porting to tboot in order to fix duplicated xen entries -Index: tboot-1.9.4/tboot/20_linux_tboot +Index: tboot-1.9.6/tboot/20_linux_tboot =================================================================== ---- tboot-1.9.4.orig/tboot/20_linux_tboot -+++ tboot-1.9.4/tboot/20_linux_tboot +--- tboot-1.9.6.orig/tboot/20_linux_tboot ++++ tboot-1.9.6/tboot/20_linux_tboot @@ -225,6 +225,49 @@ while [ "x${tboot_list}" != "x" ] && [ " break fi 
@@ -77,10 +77,10 @@ Index: tboot-1.9.4/tboot/20_linux_tboot if test -n "${initrd}" ; then echo "Found initrd image: ${dirname}/${initrd}" >&2 else -Index: tboot-1.9.4/tboot/20_linux_xen_tboot +Index: tboot-1.9.6/tboot/20_linux_xen_tboot =================================================================== ---- tboot-1.9.4.orig/tboot/20_linux_xen_tboot -+++ tboot-1.9.4/tboot/20_linux_xen_tboot +--- tboot-1.9.6.orig/tboot/20_linux_xen_tboot ++++ tboot-1.9.6/tboot/20_linux_xen_tboot @@ -52,6 +52,12 @@ fi export TEXTDOMAIN=grub export TEXTDOMAINDIR=${prefix}/share/locale diff --git a/tboot-grub2-fix-xen-submenu-name.patch b/tboot-grub2-fix-xen-submenu-name.patch index 712d720..6d6c70f 100644 --- a/tboot-grub2-fix-xen-submenu-name.patch +++ b/tboot-grub2-fix-xen-submenu-name.patch @@ -4,13 +4,13 @@ Subject: fix xen submenu name to show tboot version References: bnc#865815 Patch-Mainline: no -Index: tboot-1.9.5/tboot/20_linux_xen_tboot +Index: tboot-1.9.6/tboot/20_linux_xen_tboot =================================================================== ---- tboot-1.9.5.orig/tboot/20_linux_xen_tboot -+++ tboot-1.9.5/tboot/20_linux_xen_tboot +--- tboot-1.9.6.orig/tboot/20_linux_xen_tboot ++++ tboot-1.9.6/tboot/20_linux_xen_tboot @@ -232,7 +232,7 @@ while [ "x${xen_list}" != "x" ] ; do rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` - tboot_version="1.9.5" + tboot_version="1.9.6" list="${linux_list}" - echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{" + echo "submenu \"Xen ${xen_version} with Tboot ${tboot_version}\"{" diff --git a/tboot-grub2-suse.patch b/tboot-grub2-suse.patch deleted file mode 100644 index 22a652e..0000000 --- a/tboot-grub2-suse.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -Index: tboot-1.9.4/tboot/20_linux_tboot -=================================================================== ---- tboot-1.9.4.orig/tboot/20_linux_tboot -+++ tboot-1.9.4/tboot/20_linux_tboot -@@ -24,6 +24,8 @@ libdir=${exec_prefix}/lib - sysconfdir=/etc - if test -e /usr/share/grub/grub-mkconfig_lib; then - . /usr/share/grub/grub-mkconfig_lib -+elif test -e /usr/share/grub2/grub-mkconfig_lib; then -+ . /usr/share/grub2/grub-mkconfig_lib - elif test -e ${libdir}/grub/grub-mkconfig_lib; then - . ${libdir}/grub/grub-mkconfig_lib - fi -Index: tboot-1.9.4/tboot/20_linux_xen_tboot -=================================================================== ---- tboot-1.9.4.orig/tboot/20_linux_xen_tboot -+++ tboot-1.9.4/tboot/20_linux_xen_tboot -@@ -24,6 +24,8 @@ libdir=${exec_prefix}/lib - sysconfdir=/etc - if test -e /usr/share/grub/grub-mkconfig_lib; then - . /usr/share/grub/grub-mkconfig_lib -+elif test -e /usr/share/grub2/grub-mkconfig_lib; then -+ . /usr/share/grub2/grub-mkconfig_lib - elif test -e ${libdir}/grub/grub-mkconfig_lib; then - . ${libdir}/grub/grub-mkconfig_lib - fi diff --git a/tboot.changes b/tboot.changes index ddf0378..211c390 100644 --- a/tboot.changes +++ b/tboot.changes 
@@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Tue Jul 18 11:10:29 UTC 2017 - matthias.gerstner@suse.com + +update to new upstream version 1.9.6: + +- removed following patches, because they're now included upstream: + * tboot-grub2-fix-menu-in-xen-host-server.patch + * tboot-grub2-fix-xen-submenu-name.patch + * tboot-grub2-suse.patch + +- Changes in this version: + * GCC7 fix, adds generic FALLTHROUGH notations to avoid warnings appearing on GCC7 + * Ensure Tboot never overwrites modules in the process of moving them. + * Add support to x2APIC, which uses 32 bit APIC ID. + * Fix S3 secrets sealing/unsealing failures + * Support OpenSSL 1.1.0+ for ECDSA signature verification. + * Support OpenSSL 1.1.0+ for RSA key manipulation. + * Adds additional checks to prevent the kernel image from being overwritten. + * Added TCG TPM event log support. + * Pass through the EFI memory map that's provided by grub2. + * Fix a null pointer dereference bug when Intel TXT is disabled in BIOS. + * Adjust KERNEL_CMDLINE_OFFSET from 0x9000 to 0x8D00. + * Bounds checking on the kernel_cmdline string. + ------------------------------------------------------------------- Sun Jun 4 08:43:14 UTC 2017 - meissner@suse.com diff --git a/tboot.spec b/tboot.spec index 3563ee9..ef8ca2e 100644 --- a/tboot.spec +++ b/tboot.spec 
@@ -17,20 +17,17 @@ Name: tboot -%define ver 1.9.5 -Version: 20160518_1.9.4 +%define ver 1.9.6 +Version: 20170711_1.9.6 Release: 0 Summary: Performs a verified launch using Intel(R) TXT License: BSD-3-Clause Group: Productivity/Security Url: http://sourceforge.net/projects/tboot/ Source0: http://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver}.tar.gz -Patch1: tboot-grub2-suse.patch Patch3: tboot-grub2-fix-menu-in-xen-host-server.patch Patch4: tboot-grub2-fix-xen-submenu-name.patch # PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/tboot/code/merge-requests/1/ -Patch5: reproducible.patch -Patch6: tboot-gcc7.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: openssl-devel BuildRequires: trousers-devel @@ -43,11 +40,8 @@ verified launch of an OS kernel/VMM. %prep %setup -q -n %name-%ver -%patch1 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 %build export CFLAGS="%{optflags}"
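Review bot: The `# PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/tboot/code/merge-requests/1/` line survives on the new side although the `Patch5: reproducible.patch` line it annotated is removed right below it, so the comment now dangles above `BuildRoot:` and describes nothing; drop that comment line together with Patch5. The %prep hunk still applies `%patch3 -p1` and `%patch4 -p1`, yet the accompanying tboot.changes entry (and the commit message) claims tboot-grub2-fix-menu-in-xen-host-server.patch and tboot-grub2-fix-xen-submenu-name.patch were removed as upstreamed; from the diff the dropped patches are reproducible.patch, tboot-gcc7.patch and tboot-grub2-suse.patch, and the two grub2-fix patches were only rebased to 1.9.6, so the changelog text should be corrected to match the spec. Dropping reproducible.patch also drops the `gzip -n` change that kept the tboot.gz output timestamp-free; the merge-request link only shows it was submitted, not that it landed in 1.9.6, so it is worth confirming against the 1.9.6 tboot/Makefile before relying on upstream for it. Note also that Source0 remains a plain-http sourceforge URL with no accompanying signature or checksum source in the spec, so the only integrity anchor for the new tarball is the LFS oid in this repository.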